mobbdev 0.0.38 → 0.0.46

package/dist/index.mjs

@@ -13,7 +13,7 @@ var __publicField = (obj, key, value) => {
 import { hideBin } from "yargs/helpers";
 
 // src/args/yargs.ts
-import chalk7 from "chalk";
+import chalk8 from "chalk";
 import yargs from "yargs/yargs";
 
 // src/args/commands/analyze.ts
@@ -35,7 +35,6 @@ var SCANNERS = {
   Snyk: "snyk"
 };
 var envVariablesSchema = z.object({
-  WEB_LOGIN_URL: z.string(),
   WEB_APP_URL: z.string(),
   API_URL: z.string()
 }).required();
@@ -69,7 +68,6 @@ var mobbAscii = `
                 ...............................             
                        .................                    
 `;
-var WEB_LOGIN_URL = envVariables.WEB_LOGIN_URL;
 var WEB_APP_URL = envVariables.WEB_APP_URL;
 var API_URL = envVariables.API_URL;
 
@@ -77,7 +75,7 @@ var API_URL = envVariables.API_URL;
 import crypto from "node:crypto";
 import fs3 from "node:fs";
 import os2 from "node:os";
-import path5 from "node:path";
+import path6 from "node:path";
 import { pipeline } from "node:stream/promises";
 
 // src/utils/index.ts
@@ -141,9 +139,9 @@ var CliError = class extends Error {
 };
 
 // src/features/analysis/index.ts
-import chalk2 from "chalk";
+import chalk3 from "chalk";
 import Configstore from "configstore";
-import Debug7 from "debug";
+import Debug9 from "debug";
 import extract from "extract-zip";
 import fetch3 from "node-fetch";
 import open2 from "open";
@@ -220,6 +218,50 @@ var UPLOAD_S3_BUCKET_INFO = gql`
     }
   }
 `;
+var DIGEST_VULNERABILITY_REPORT = gql`
+  mutation DigestVulnerabilityReport(
+    $vulnerabilityReportFileName: String!
+    $fixReportId: String!
+    $projectId: String!
+    $repoUrl: String!
+    $reference: String!
+    $sha: String
+  ) {
+    digestVulnerabilityReport(
+      fixReportId: $fixReportId
+      vulnerabilityReportFileName: $vulnerabilityReportFileName
+      projectId: $projectId
+      repoUrl: $repoUrl
+      reference: $reference
+      sha: $sha
+    ) {
+      __typename
+      ... on VulnerabilityReport {
+        vulnerabilityReportId
+        fixReportId
+      }
+      ... on RabbitSendError {
+        status
+        error
+      }
+      ... on ReportValidationError {
+        status
+        error
+      }
+      ... on ReferenceNotFoundError {
+        status
+        error
+      }
+    }
+  }
+`;
+var INITIALIZE_VULNERABILITY_REPORT = gql`
+  mutation InitializeVulnerabilityReport($fixReportId: String!) {
+    initializeVulnerabilityReport(fixReportId: $fixReportId) {
+      __typename
+    }
+  }
+`;
 var SUBMIT_VULNERABILITY_REPORT = gql`
   mutation SubmitVulnerabilityReport(
     $vulnerabilityReportFileName: String!
@@ -298,6 +340,22 @@ var GET_ENCRYPTED_API_TOKEN = gql2`
     }
   }
 `;
+var GET_FIX_REPORT_STATE = gql2`
+  query FixReportState($id: uuid!) {
+    fixReport_by_pk(id: $id) {
+      state
+    }
+  }
+`;
+var GET_VULNERABILITY_REPORT_PATHS = gql2`
+  query GetVulnerabilityReportPaths($vulnerabilityReportId: uuid!) {
+    vulnerability_report_path(
+      where: { vulnerabilityReportId: { _eq: $vulnerabilityReportId } }
+    ) {
+      path
+    }
+  }
+`;
 
 // src/features/analysis/graphql/types.ts
 import { z as z2 } from "zod";
@@ -361,10 +419,28 @@ var GetEncryptedApiTokenZ = z2.object({
     encryptedApiToken: z2.string().nullable()
   })
 });
+var DigestVulnerabilityReportZ = z2.object({
+  digestVulnerabilityReport: z2.object({
+    vulnerabilityReportId: z2.string()
+  })
+});
+var GetFixReportZ = z2.object({
+  fixReport_by_pk: z2.object({
+    state: z2.string()
+  })
+});
+var GetVulnerabilityReportPathsZ = z2.object({
+  vulnerability_report_path: z2.array(
+    z2.object({
+      path: z2.string()
+    })
+  )
+});
 
 // src/features/analysis/graphql/gql.ts
 var debug3 = Debug3("mobbdev:gql");
 var API_KEY_HEADER_NAME = "x-mobb-key";
+var REPORT_STATE_CHECK_DELAY = 5 * 1e3;
 var GQLClient = class {
   constructor(args) {
     __publicField(this, "_client");
@@ -438,6 +514,33 @@ var GQLClient = class {
     });
     return UploadS3BucketInfoZ.parse(uploadS3BucketInfoResult);
   }
+  async digestVulnerabilityReport({
+    fixReportId,
+    projectId,
+    repoUrl,
+    reference,
+    sha
+  }) {
+    const res = await this._client.request(
+      DIGEST_VULNERABILITY_REPORT,
+      {
+        fixReportId,
+        vulnerabilityReportFileName: "report.json",
+        projectId,
+        repoUrl,
+        reference,
+        sha
+      }
+    );
+    return DigestVulnerabilityReportZ.parse(res).digestVulnerabilityReport;
+  }
+  async initializeVulnerabilityReport({
+    fixReportId
+  }) {
+    await this._client.request(INITIALIZE_VULNERABILITY_REPORT, {
+      fixReportId
+    });
+  }
   async submitVulnerabilityReport({
     fixReportId,
     repoUrl,
@@ -454,6 +557,38 @@ var GQLClient = class {
       sha: sha || ""
     });
   }
+  async getFixReportState(fixReportId) {
+    const res = await this._client.request(
+      GET_FIX_REPORT_STATE,
+      { id: fixReportId }
+    );
+    return GetFixReportZ.parse(res).fixReport_by_pk.state;
+  }
+  async waitFixReportInit(fixReportId, includeDigested = false) {
+    const FINAL_STATES = ["Finished", "Failed"];
+    let lastState = "Created";
+    let attempts = 100;
+    if (includeDigested) {
+      FINAL_STATES.push("Digested");
+    }
+    do {
+      await sleep(REPORT_STATE_CHECK_DELAY);
+      lastState = await this.getFixReportState(fixReportId);
+    } while (!FINAL_STATES.includes(
+      lastState
+      // wait for final the state of the fix report
+    ) && attempts-- > 0);
+    return lastState;
+  }
+  async getVulnerabilityReportPaths(vulnerabilityReportId) {
+    const res = await this._client.request(
+      GET_VULNERABILITY_REPORT_PATHS,
+      { vulnerabilityReportId }
+    );
+    return GetVulnerabilityReportPathsZ.parse(
+      res
+    ).vulnerability_report_path.map((p) => p.path);
+  }
 };
 
 // src/features/analysis/pack.ts
@@ -465,7 +600,7 @@ import { globby } from "globby";
 import { isBinary } from "istextorbinary";
 var debug4 = Debug4("mobbdev:pack");
 var MAX_FILE_SIZE = 1024 * 1024 * 5;
-async function pack(srcDirPath) {
+async function pack(srcDirPath, vulnFiles) {
   debug4("pack folder %s", srcDirPath);
   const filepaths = await globby("**", {
     gitignore: true,
@@ -478,6 +613,10 @@ async function pack(srcDirPath) {
   debug4("compressing files");
   for (const filepath of filepaths) {
     const absFilepath = path3.join(srcDirPath, filepath.toString());
+    if (!vulnFiles.includes(filepath.toString())) {
+      debug4("ignoring %s because it is not a vulnerability file", filepath);
+      continue;
+    }
     if (fs.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
       debug4("ignoring %s because the size is > 5MB", filepath);
       continue;
@@ -511,6 +650,25 @@ async function choseScanner() {
   });
   return scanner;
 }
+async function tryCheckmarxConfiguarationAgain() {
+  console.log(
+    "\u{1F513} Oops, seems like checkmarx does not accept the current configuration"
+  );
+  const { confirmCheckmarxRetryConfigrations } = await inquirer.prompt({
+    name: "confirmCheckmarxRetryConfigrations",
+    type: "confirm",
+    message: "Would like to try to configure them again? ",
+    default: true
+  });
+  return confirmCheckmarxRetryConfigrations;
+}
+async function startCheckmarxConfigationPrompt() {
+  const checkmarxConfigreSpinner = createSpinner(
+    "\u{1F513} Checkmarx needs to be configured before we start, press any key to continue"
+  ).start();
+  await keypress();
+  checkmarxConfigreSpinner.success();
+}
 async function scmIntegrationPrompt(scmName) {
   const answers = await inquirer.prompt({
     name: "scmConfirm",
@@ -536,6 +694,245 @@ async function snykArticlePrompt() {
   return snykArticleConfirm;
 }
 
+// src/features/analysis/scanners/checkmarx.ts
+import { createRequire } from "node:module";
+
+// src/post_install/constants.mjs
+var cxOperatingSystemSupportMessage = `Your operating system does not support checkmarx.
+  You can see the list of supported operating systems here: https://github.com/Checkmarx/ast-cli#releases`;
+
+// src/utils/child_process.ts
+import cp from "node:child_process";
+import Debug5 from "debug";
+import * as process2 from "process";
+import supportsColor from "supports-color";
+var { stdout: stdout2 } = supportsColor;
+function createFork({ args, processPath, name }, options) {
+  const child = cp.fork(processPath, args, {
+    stdio: ["inherit", "pipe", "pipe", "ipc"],
+    env: { FORCE_COLOR: stdout2 ? "1" : "0" }
+  });
+  return createChildProcess({ childProcess: child, name }, options);
+}
+function createSpwan({ args, processPath, name }, options) {
+  const child = cp.spawn(processPath, args, {
+    stdio: ["inherit", "pipe", "pipe", "ipc"],
+    env: { FORCE_COLOR: stdout2 ? "1" : "0" }
+  });
+  return createChildProcess({ childProcess: child, name }, options);
+}
+function createChildProcess({ childProcess, name }, options) {
+  const debug9 = Debug5(`mobbdev:${name}`);
+  const { display } = options;
+  return new Promise((resolve, reject) => {
+    let out = "";
+    const onData = (chunk) => {
+      debug9(`chunk received from ${name} std ${chunk}`);
+      out += chunk;
+    };
+    if (!childProcess || !childProcess?.stdout || !childProcess?.stderr) {
+      debug9(`unable to fork ${name}`);
+      reject(new Error(`unable to fork ${name}`));
+    }
+    childProcess.stdout?.on("data", onData);
+    childProcess.stderr?.on("data", onData);
+    if (display) {
+      childProcess.stdout?.pipe(process2.stdout);
+      childProcess.stderr?.pipe(process2.stderr);
+    }
+    childProcess.on("exit", (code) => {
+      debug9(`${name} exit code ${code}`);
+      resolve({ message: out, code });
+    });
+    childProcess.on("error", (err) => {
+      debug9(`${name} error %o`, err);
+      reject(err);
+    });
+  });
+}
+
+// src/features/analysis/scanners/checkmarx.ts
+import chalk from "chalk";
+import Debug6 from "debug";
+import { existsSync } from "fs";
+import { createSpinner as createSpinner2 } from "nanospinner";
+import path4 from "path";
+var debug5 = Debug6("mobbdev:checkmarx");
+var require2 = createRequire(import.meta.url);
+var getCheckmarxPath = () => {
+  try {
+    return require2.resolve(".bin/cx");
+  } catch (e) {
+    throw new CliError(cxOperatingSystemSupportMessage);
+  }
+};
+var getCheckmarxCommandArgs = ({
+  repoPath,
+  branch,
+  fileName,
+  filePath,
+  projectName
+}) => [
+  "--project-name",
+  projectName,
+  "-s",
+  repoPath,
+  "--branch",
+  branch,
+  "--scan-types",
+  "sast",
+  "--output-path",
+  filePath,
+  "--output-name",
+  fileName,
+  "--report-format",
+  "json"
+];
+var VALIDATE_COMMAND = ["auth", "validate"];
+var CONFIGURE_COMMAND = ["configure"];
+var SCAN_COMMAND = ["scan", "create"];
+var CHECKMARX_SUCCESS_CODE = 0;
+function validateCheckmarxInstallation() {
+  existsSync(getCheckmarxPath());
+}
+async function forkCheckmarx(args, { display }) {
+  debug5("fork checkmarx with args %o %s", args.join(" "), display);
+  return createSpwan(
+    { args, processPath: getCheckmarxPath(), name: "checkmarx" },
+    { display }
+  );
+}
+async function getCheckmarxReport({ reportPath, repositoryRoot, branch }, { skipPrompts = false }) {
+  debug5("get checkmarx report start %s %s", reportPath, repositoryRoot);
+  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
+    display: false
+  });
+  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
+    if (skipPrompts) {
+      await throwCheckmarxConfigError();
+    }
+    await startCheckmarxConfigationPrompt();
+    await validateCheckamxCredentials();
+  }
+  const extension = path4.extname(reportPath);
+  const filePath = path4.dirname(reportPath);
+  const fileName = path4.basename(reportPath, extension);
+  const checkmarxCommandArgs = getCheckmarxCommandArgs({
+    repoPath: repositoryRoot,
+    branch,
+    filePath,
+    fileName,
+    projectName: "mobb_dev"
+  });
+  console.log("\u280B \u{1F50D} Initiating Checkmarx Scan ");
+  const { code: scanCode } = await forkCheckmarx(
+    [...SCAN_COMMAND, ...checkmarxCommandArgs],
+    {
+      display: true
+    }
+  );
+  if (scanCode !== CHECKMARX_SUCCESS_CODE) {
+    createSpinner2("\u{1F50D} Something went wrong with the checkmarx scan").start().error();
+    throw new CliError();
+  }
+  await createSpinner2("\u{1F50D} Checkmarx Scan completed").start().success();
+  return true;
+}
+async function throwCheckmarxConfigError() {
+  await createSpinner2("\u{1F513} Checkmarx is not configued correctly").start().error();
+  throw new CliError(
+    `Checkmarx is not configued correctly
+ you can configure it by using the ${chalk.bold(
+      "cx configure"
+    )} command`
+  );
+}
+async function validateCheckamxCredentials() {
+  console.log(`
+        Here's a suggestion for checkmarx configuation: 
+          ${chalk.bold("AST Base URI:")} https://ast.checkmarx.net
+          ${chalk.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
+      `);
+  await forkCheckmarx(CONFIGURE_COMMAND, { display: true });
+  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
+    display: false
+  });
+  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
+    const tryAgain = await tryCheckmarxConfiguarationAgain();
+    if (!tryAgain) {
+      await throwCheckmarxConfigError();
+    }
+    if (await tryCheckmarxConfiguarationAgain()) {
+      validateCheckamxCredentials();
+    }
+  }
+  await createSpinner2("\u{1F513} Checkmarx configured successfully!").start().success();
+}
+
+// src/features/analysis/scanners/snyk.ts
+import { createRequire as createRequire2 } from "node:module";
+import chalk2 from "chalk";
+import Debug7 from "debug";
+import { createSpinner as createSpinner3 } from "nanospinner";
+import open from "open";
+var debug6 = Debug7("mobbdev:snyk");
+var require3 = createRequire2(import.meta.url);
+var SNYK_PATH = require3.resolve("snyk/bin/snyk");
+var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-application-code/snyk-code/getting-started-with-snyk-code/activating-snyk-code-using-the-web-ui/step-1-enabling-the-snyk-code-option";
+debug6("snyk executable path %s", SNYK_PATH);
+async function forkSnyk(args, { display }) {
+  debug6("fork snyk with args %o %s", args, display);
+  return createFork(
+    { args, processPath: SNYK_PATH, name: "checkmarx" },
+    { display }
+  );
+}
+async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
+  debug6("get snyk report start %s %s", reportPath, repoRoot);
+  const config3 = await forkSnyk(["config"], { display: false });
+  const { message: configMessage } = config3;
+  if (!configMessage.includes("api: ")) {
+    const snykLoginSpinner = createSpinner3().start();
+    if (!skipPrompts) {
+      snykLoginSpinner.update({
+        text: "\u{1F513} Login to Snyk is required, press any key to continue"
+      });
+      await keypress();
+    }
+    snykLoginSpinner.update({
+      text: "\u{1F513} Waiting for Snyk login to complete"
+    });
+    debug6("no token in the config %s", config3);
+    await forkSnyk(["auth"], { display: true });
+    snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
+  }
+  const snykSpinner = createSpinner3("\u{1F50D} Scanning your repo with Snyk ").start();
+  const { message: scanOutput } = await forkSnyk(
+    ["code", "test", `--sarif-file-output=${reportPath}`, repoRoot],
+    { display: true }
+  );
+  if (scanOutput.includes(
+    "Snyk Code is not supported for org: enable in Settings > Snyk Code"
+  )) {
+    debug6("snyk code is not enabled %s", scanOutput);
+    snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
+    const answer = await snykArticlePrompt();
+    debug6("answer %s", answer);
+    if (answer) {
+      debug6("opening the browser");
+      await open(SNYK_ARTICLE_URL);
+    }
+    console.log(
+      chalk2.bgBlue(
+        "\nPlease enable Snyk Code in your Snyk account and try again."
+      )
+    );
+    throw Error("snyk is not enbabled");
+  }
+  snykSpinner.success({ text: "\u{1F50D} Snyk code scan completed" });
+  return true;
+}
+
 // src/features/analysis/scm/gitlab.ts
 import querystring from "node:querystring";
 import { Gitlab } from "@gitbeaker/rest";
@@ -848,12 +1245,12 @@ async function queryGithubGraphql(query, variables, options) {
     throw e;
   }
 }
-async function getGithubBlameRanges({ ref, gitHubUrl, path: path7 }, options) {
+async function getGithubBlameRanges({ ref, gitHubUrl, path: path8 }, options) {
   const { owner, repo } = parseOwnerAndRepo(gitHubUrl);
   const variables = {
     owner,
     repo,
-    path: path7,
+    path: path8,
     ref
   };
   const res = await queryGithubGraphql(
@@ -876,7 +1273,7 @@ async function getGithubBlameRanges({ ref, gitHubUrl, path: path7 }, options) {
 // src/features/analysis/scm/scmSubmit.ts
 import fs2 from "node:fs/promises";
 import os from "os";
-import path4 from "path";
+import path5 from "path";
 import { simpleGit as simpleGit2 } from "simple-git";
 import { z as z4 } from "zod";
 var isValidBranchName = async (branchName) => {
@@ -1167,13 +1564,13 @@ var GitlabSCMLib = class extends SCMLib {
         throw new Error(`unknown state ${state}`);
     }
   }
-  async getRepoBlameRanges(ref, path7) {
+  async getRepoBlameRanges(ref, path8) {
     if (!this.url) {
       console.error("no url");
       throw new Error("no url");
     }
     return await getGitlabBlameRanges(
-      { ref, path: path7, gitlabUrl: this.url },
+      { ref, path: path8, gitlabUrl: this.url },
       {
         gitlabAuthToken: this.accessToken
       }
@@ -1293,13 +1690,13 @@ var GithubSCMLib = class extends SCMLib {
     }
     throw new Error(`unknown state ${state}`);
   }
-  async getRepoBlameRanges(ref, path7) {
+  async getRepoBlameRanges(ref, path8) {
     if (!this.url) {
       console.error("no url");
       throw new Error("no url");
     }
     return await getGithubBlameRanges(
-      { ref, path: path7, gitHubUrl: this.url },
+      { ref, path: path8, gitHubUrl: this.url },
       {
         githubAuthToken: this.accessToken
       }
@@ -1492,7 +1889,6 @@ async function getGitlabRepoList(accessToken) {
     //directly with fetch()
     sort: "asc",
     orderBy: "updated_at",
-    pagination: "keyset",
     perPage: 100
   });
   return Promise.all(
@@ -1604,10 +2000,10 @@ function parseOwnerAndRepo2(gitlabUrl) {
   const projectPath = `${groups[0]}${repo}`;
   return { owner, repo, projectPath };
 }
-async function getGitlabBlameRanges({ ref, gitlabUrl, path: path7 }, options) {
+async function getGitlabBlameRanges({ ref, gitlabUrl, path: path8 }, options) {
   const { projectPath } = parseOwnerAndRepo2(gitlabUrl);
   const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
-  const resp = await api.RepositoryFiles.allFileBlames(projectPath, path7, ref);
+  const resp = await api.RepositoryFiles.allFileBlames(projectPath, path8, ref);
   let lineNumber = 1;
   return resp.filter((range) => range.lines).map((range) => {
     const oldLineNumber = lineNumber;
@@ -1630,121 +2026,29 @@ var GitlabAuthResultZ = z5.object({
   refresh_token: z5.string()
 });
 
-// src/features/analysis/snyk.ts
-import cp from "node:child_process";
-import { createRequire } from "node:module";
-import chalk from "chalk";
-import Debug5 from "debug";
-import { createSpinner as createSpinner2 } from "nanospinner";
-import open from "open";
-import * as process2 from "process";
-import supportsColor from "supports-color";
-var { stdout: stdout2 } = supportsColor;
-var debug5 = Debug5("mobbdev:snyk");
-var require2 = createRequire(import.meta.url);
-var SNYK_PATH = require2.resolve("snyk/bin/snyk");
-var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-application-code/snyk-code/getting-started-with-snyk-code/activating-snyk-code-using-the-web-ui/step-1-enabling-the-snyk-code-option";
-debug5("snyk executable path %s", SNYK_PATH);
-async function forkSnyk(args, { display }) {
-  debug5("fork snyk with args %o %s", args, display);
-  return new Promise((resolve, reject) => {
-    const child = cp.fork(SNYK_PATH, args, {
-      stdio: ["inherit", "pipe", "pipe", "ipc"],
-      env: { FORCE_COLOR: stdout2 ? "1" : "0" }
-    });
-    let out = "";
-    const onData = (chunk) => {
-      debug5("chunk received from snyk std %s", chunk);
-      out += chunk;
-    };
-    if (!child || !child?.stdout || !child?.stderr) {
-      debug5("unable to fork snyk");
-      reject(new Error("unable to fork snyk"));
-    }
-    child.stdout?.on("data", onData);
-    child.stderr?.on("data", onData);
-    if (display) {
-      child.stdout?.pipe(process2.stdout);
-      child.stderr?.pipe(process2.stderr);
-    }
-    child.on("exit", () => {
-      debug5("snyk exit");
-      resolve(out);
-    });
-    child.on("error", (err) => {
-      debug5("snyk error %o", err);
-      reject(err);
-    });
-  });
-}
-async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
-  debug5("get snyk report start %s %s", reportPath, repoRoot);
-  const config3 = await forkSnyk(["config"], { display: false });
-  if (!config3.includes("api: ")) {
-    const snykLoginSpinner = createSpinner2().start();
-    if (!skipPrompts) {
-      snykLoginSpinner.update({
-        text: "\u{1F513} Login to Snyk is required, press any key to continue"
-      });
-      await keypress();
-    }
-    snykLoginSpinner.update({
-      text: "\u{1F513} Waiting for Snyk login to complete"
-    });
-    debug5("no token in the config %s", config3);
-    await forkSnyk(["auth"], { display: true });
-    snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
-  }
-  const snykSpinner = createSpinner2("\u{1F50D} Scanning your repo with Snyk ").start();
-  const out = await forkSnyk(
-    ["code", "test", `--sarif-file-output=${reportPath}`, repoRoot],
-    { display: true }
-  );
-  if (out.includes(
-    "Snyk Code is not supported for org: enable in Settings > Snyk Code"
-  )) {
-    debug5("snyk code is not enabled %s", out);
-    snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
-    const answer = await snykArticlePrompt();
-    debug5("answer %s", answer);
-    if (answer) {
-      debug5("opening the browser");
-      await open(SNYK_ARTICLE_URL);
-    }
-    console.log(
-      chalk.bgBlue(
-        "\nPlease enable Snyk Code in your Snyk account and try again."
-      )
-    );
-    return false;
-  }
-  snykSpinner.success({ text: "\u{1F50D} Snyk code scan completed" });
-  return true;
-}
-
 // src/features/analysis/upload-file.ts
-import Debug6 from "debug";
+import Debug8 from "debug";
 import fetch2, { File, fileFrom, FormData } from "node-fetch";
-var debug6 = Debug6("mobbdev:upload-file");
+var debug7 = Debug8("mobbdev:upload-file");
 async function uploadFile({
   file,
   url,
   uploadKey,
   uploadFields
 }) {
-  debug6("upload file start %s", url);
-  debug6("upload fields %o", uploadFields);
-  debug6("upload key %s", uploadKey);
+  debug7("upload file start %s", url);
+  debug7("upload fields %o", uploadFields);
+  debug7("upload key %s", uploadKey);
   const form = new FormData();
   Object.entries(uploadFields).forEach(([key, value]) => {
     form.append(key, value);
   });
   form.append("key", uploadKey);
   if (typeof file === "string") {
-    debug6("upload file from path %s", file);
+    debug7("upload file from path %s", file);
     form.append("file", await fileFrom(file));
   } else {
-    debug6("upload file from buffer");
+    debug7("upload file from buffer");
     form.append("file", new File([file], "file"));
   }
   const response = await fetch2(url, {
@@ -1752,10 +2056,10 @@ async function uploadFile({
     body: form
   });
   if (!response.ok) {
-    debug6("error from S3 %s %s", response.body, response.status);
+    debug7("error from S3 %s %s", response.body, response.status);
     throw new Error(`Failed to upload the file: ${response.status}`);
   }
-  debug6("upload file done");
+  debug7("upload file done");
 }
 
 // src/features/analysis/index.ts
@@ -1770,10 +2074,10 @@ async function downloadRepo({
   dirname,
   ci
 }) {
-  const { createSpinner: createSpinner3 } = Spinner2({ ci });
-  const repoSpinner = createSpinner3("\u{1F4BE} Downloading Repo").start();
-  debug7("download repo %s %s %s", repoUrl, dirname);
-  const zipFilePath = path5.join(dirname, "repo.zip");
+  const { createSpinner: createSpinner4 } = Spinner2({ ci });
+  const repoSpinner = createSpinner4("\u{1F4BE} Downloading Repo").start();
+  debug8("download repo %s %s %s", repoUrl, dirname);
+  const zipFilePath = path6.join(dirname, "repo.zip");
   const response = await fetch3(downloadUrl, {
     method: "GET",
     headers: {
@@ -1781,9 +2085,9 @@ async function downloadRepo({
     }
   });
   if (!response.ok) {
-    debug7("SCM zipball request failed %s %s", response.body, response.status);
+    debug8("SCM zipball request failed %s %s", response.body, response.status);
     repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
-    throw new Error(`Can't access ${chalk2.bold(repoUrl)}`);
+    throw new Error(`Can't access ${chalk3.bold(repoUrl)}`);
   }
   const fileWriterStream = fs3.createWriteStream(zipFilePath);
   if (!response.body) {
@@ -1795,13 +2099,13 @@ async function downloadRepo({
   if (!repoRoot) {
     throw new Error("Repo root not found");
   }
-  debug7("repo root %s", repoRoot);
+  debug8("repo root %s", repoRoot);
   repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
-  return path5.join(dirname, repoRoot);
+  return path6.join(dirname, repoRoot);
 }
 var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
 var LOGIN_CHECK_DELAY = 5 * 1e3;
-var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk2.bgBlue(
+var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk3.bgBlue(
   "press any key to continue"
 )};`;
 var tmpObj = tmp.dirSync({
@@ -1812,9 +2116,9 @@ var getReportUrl = ({
   projectId,
   fixReportId
 }) => `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${fixReportId}`;
-var debug7 = Debug7("mobbdev:index");
+var debug8 = Debug9("mobbdev:index");
 var packageJson = JSON.parse(
-  fs3.readFileSync(path5.join(getDirName2(), "../package.json"), "utf8")
+  fs3.readFileSync(path6.join(getDirName2(), "../package.json"), "utf8")
 );
 if (!semver.satisfies(process.version, packageJson.engines.node)) {
   throw new CliError2(
@@ -1822,7 +2126,7 @@ if (!semver.satisfies(process.version, packageJson.engines.node)) {
   );
 }
 var config2 = new Configstore(packageJson.name, { apiToken: "" });
-debug7("config %o", config2);
+debug8("config %o", config2);
 async function runAnalysis(params, options) {
   try {
     await _scan(
@@ -1844,10 +2148,11 @@ async function _scan({
   ci,
   srcPath,
   commitHash,
-  ref
+  ref,
+  scanner
 }, { skipPrompts = false } = {}) {
-  debug7("start %s %s", dirname, repo);
-  const { createSpinner: createSpinner3 } = Spinner2({ ci });
+  debug8("start %s %s", dirname, repo);
+  const { createSpinner: createSpinner4 } = Spinner2({ ci });
   skipPrompts = skipPrompts || ci;
   let gqlClient = new GQLClient({
     apiKey: apiKey || config2.get("apiToken")
@@ -1900,9 +2205,9 @@ async function _scan({
   });
   const reference = ref ?? await scm.getRepoDefaultBranch();
   const { sha } = await scm.getReferenceData(reference);
-  debug7("org id %s", organizationId);
-  debug7("project id %s", projectId);
-  debug7("default branch %s", reference);
+  debug8("org id %s", organizationId);
+  debug8("project id %s", projectId);
+  debug8("default branch %s", reference);
   const repositoryRoot = await downloadRepo({
     repoUrl: repo,
     dirname,
@@ -1910,10 +2215,13 @@ async function _scan({
     authHeaders: scm.getAuthHeaders(),
     downloadUrl: scm.getDownloadUrl(sha)
   });
+  if (scanner) {
+    reportPath = await getReport(scanner);
+  }
   if (!reportPath) {
-    reportPath = await getReportFromSnyk();
+    throw new Error("reportPath is null");
   }
-  const uploadReportSpinner = createSpinner3("\u{1F4C1} Uploading Report").start();
+  const uploadReportSpinner = createSpinner4("\u{1F4C1} Uploading Report").start();
   try {
     await uploadFile({
       file: reportPath,
@@ -1926,7 +2234,7 @@ async function _scan({
     throw e;
   }
   uploadReportSpinner.success({ text: "\u{1F4C1} Report uploaded successfully" });
-  const mobbSpinner = createSpinner3("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
+  const mobbSpinner = createSpinner4("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
   try {
     await gqlClient.submitVulnerabilityReport({
       fixReportId: reportUploadInfo.fixReportId,
@@ -1942,11 +2250,18 @@ async function _scan({
     text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Generating fixes..."
   });
   await askToOpenAnalysis();
-  async function getReportFromSnyk() {
-    const reportPath2 = path5.join(dirname, "report.json");
-    if (!await getSnykReport(reportPath2, repositoryRoot, { skipPrompts })) {
-      debug7("snyk code is not enabled");
-      throw new CliError2("Snyk code is not enabled");
+  async function getReport(scanner2) {
+    const reportPath2 = path6.join(dirname, "report.json");
+    switch (scanner2) {
+      case "snyk":
+        await getSnykReport(reportPath2, repositoryRoot, { skipPrompts });
+        break;
+      case "checkmarx":
+        await getCheckmarxReport(
+          { reportPath: reportPath2, repositoryRoot, branch: reference },
+          { skipPrompts }
+        );
+        break;
     }
     return reportPath2;
   }
@@ -1956,27 +2271,27 @@ async function _scan({
       projectId,
       fixReportId: reportUploadInfo.fixReportId
     });
-    !ci && console.log("You can access the report at: \n");
-    console.log(chalk2.bold(reportUrl));
+    !ci && console.log("You can access the analysis at: \n");
+    console.log(chalk3.bold(reportUrl));
     !skipPrompts && await mobbAnalysisPrompt();
     !ci && open2(reportUrl);
     !ci && console.log(
-      chalk2.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
+      chalk3.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
     );
   }
   async function handleMobbLogin() {
     if (await gqlClient.verifyToken()) {
-      createSpinner3().start().success({
+      createSpinner4().start().success({
         text: "\u{1F513} Logged in to Mobb successfully"
       });
       return;
     } else if (apiKey) {
-      createSpinner3().start().error({
+      createSpinner4().start().error({
         text: "\u{1F513} Logged in to Mobb failed - check your api-key"
       });
       throw new CliError2();
     }
-    const loginSpinner = createSpinner3().start();
+    const loginSpinner = createSpinner4().start();
     if (!skipPrompts) {
       loginSpinner.update({ text: MOBB_LOGIN_REQUIRED_MSG });
       await keypress2();
@@ -2002,9 +2317,9 @@ async function _scan({
       });
       loginSpinner.spin();
       if (encryptedApiToken) {
-        debug7("encrypted API token received %s", encryptedApiToken);
+        debug8("encrypted API token received %s", encryptedApiToken);
         newApiToken = crypto.privateDecrypt(privateKey, Buffer.from(encryptedApiToken, "base64")).toString("utf-8");
-        debug7("API token decrypted");
+        debug8("API token decrypted");
         break;
       }
       await sleep(LOGIN_CHECK_DELAY);
@@ -2017,7 +2332,7 @@ async function _scan({
     }
     gqlClient = new GQLClient({ apiKey: newApiToken });
     if (await gqlClient.verifyToken()) {
-      debug7("set api token %s", newApiToken);
+      debug8("set api token %s", newApiToken);
       config2.set("apiToken", newApiToken);
       loginSpinner.success({ text: "\u{1F513} Login to Mobb successful!" });
     } else {
@@ -2030,7 +2345,7 @@ async function _scan({
   async function handleScmIntegration(oldToken, scmLibType2, scmAuthUrl2) {
     const scmName = scmLibType2 === "GITHUB" /* GITHUB */ ? "Github" : scmLibType2 === "GITLAB" /* GITLAB */ ? "Gitlab" : "";
     const addScmIntegration = skipPrompts ? true : await scmIntegrationPrompt(scmName);
-    const scmSpinner = createSpinner3(
+    const scmSpinner = createSpinner4(
       `\u{1F517} Waiting for ${scmName} integration...`
     ).start();
     if (!addScmIntegration) {
@@ -2063,11 +2378,7 @@ async function _scan({
     if (!srcPath || !reportPath) {
       throw new Error("src path and reportPath is required");
     }
-    const gitInfo = await getGitInfo(srcPath);
-    const zippingSpinner = createSpinner3("\u{1F4E6} Zipping repo").start();
-    const zipBuffer = await pack(srcPath);
-    zippingSpinner.success({ text: "\u{1F4E6} Zipping repo successful!" });
-    const uploadReportSpinner2 = createSpinner3("\u{1F4C1} Uploading Report").start();
+    const uploadReportSpinner2 = createSpinner4("\u{1F4C1} Uploading Report").start();
     try {
       await uploadFile({
         file: reportPath,
@@ -2082,7 +2393,38 @@ async function _scan({
     uploadReportSpinner2.success({
       text: "\u{1F4C1} Uploading Report successful!"
     });
-    const uploadRepoSpinner = createSpinner3("\u{1F4C1} Uploading Repo").start();
+    const digestSpinner = createSpinner4("\u{1F575}\uFE0F\u200D\u2642\uFE0F Digesting report").start();
+    let vulnFiles = [];
+    try {
+      const gitInfo = await getGitInfo(srcPath);
+      const { vulnerabilityReportId } = await gqlClient.digestVulnerabilityReport({
+        fixReportId: reportUploadInfo.fixReportId,
+        projectId,
+        repoUrl: repo || gitInfo.repoUrl,
+        reference: gitInfo.reference,
+        sha: commitHash || gitInfo.hash
+      });
+      const finalState = await gqlClient.waitFixReportInit(
+        reportUploadInfo.fixReportId,
+        true
+      );
+      if (finalState !== "Digested") {
+        throw new Error("Digesting report failed");
+      }
+      vulnFiles = await gqlClient.getVulnerabilityReportPaths(
+        vulnerabilityReportId
+      );
+    } catch (e) {
+      digestSpinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Digesting report failed" });
+      throw e;
+    }
+    digestSpinner.success({
+      text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Digesting report successful!"
+    });
+    const zippingSpinner = createSpinner4("\u{1F4E6} Zipping repo").start();
+    const zipBuffer = await pack(srcPath, vulnFiles);
+    zippingSpinner.success({ text: "\u{1F4E6} Zipping repo successful!" });
+    const uploadRepoSpinner = createSpinner4("\u{1F4C1} Uploading Repo").start();
     try {
       await uploadFile({
         file: zipBuffer,
@@ -2095,14 +2437,10 @@ async function _scan({
       throw e;
     }
     uploadRepoSpinner.success({ text: "\u{1F4C1} Uploading Repo successful!" });
-    const mobbSpinner2 = createSpinner3("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
+    const mobbSpinner2 = createSpinner4("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
     try {
-      await gqlClient.submitVulnerabilityReport({
-        fixReportId: reportUploadInfo.fixReportId,
-        repoUrl: repo || gitInfo.repoUrl,
-        reference: gitInfo.reference,
-        sha: commitHash || gitInfo.hash,
-        projectId
+      await gqlClient.initializeVulnerabilityReport({
+        fixReportId: reportUploadInfo.fixReportId
       });
     } catch (e) {
       mobbSpinner2.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
@@ -2136,11 +2474,15 @@ async function scan(scanOptions, { skipPrompts = false } = {}) {
   const { scanner, ci } = scanOptions;
   !ci && await showWelcomeMessage(skipPrompts);
   const selectedScanner = scanner || await choseScanner();
-  if (selectedScanner !== SCANNERS.Snyk) {
+  if (selectedScanner !== SCANNERS.Checkmarx && selectedScanner !== SCANNERS.Snyk) {
     throw new CliError(
       "Vulnerability scanning via Bugsy is available only with Snyk at the moment. Additional scanners will follow soon."
     );
   }
+  selectedScanner === SCANNERS.Checkmarx && validateCheckmarxInstallation();
+  if (selectedScanner === SCANNERS.Checkmarx && !scanOptions.cxProjectName) {
+    throw new CliError("Project name is needed if you're using checkmarx");
+  }
   await runAnalysis(
     { ...scanOptions, scanner: selectedScanner },
     { skipPrompts }
@@ -2154,28 +2496,32 @@ async function showWelcomeMessage(skipPrompts = false) {
 }
 
 // src/args/commands/analyze.ts
-import chalk5 from "chalk";
+import chalk6 from "chalk";
 
 // src/args/options.ts
-import chalk3 from "chalk";
+import chalk4 from "chalk";
 var repoOption = {
   alias: "r",
   demandOption: true,
   type: "string",
-  describe: chalk3.bold("Github / GitLab repository URL")
+  describe: chalk4.bold("Github / GitLab repository URL")
+};
+var projectNameOption = {
+  type: "string",
+  describe: chalk4.bold("Checkmarx project name (when scanning with Checkmarx)")
 };
 var yesOption = {
   alias: "yes",
   type: "boolean",
-  describe: chalk3.bold("Skip prompts and use default values")
+  describe: chalk4.bold("Skip prompts and use default values")
 };
 var refOption = {
-  describe: chalk3.bold("reference of the repository (branch, tag, commit)"),
+  describe: chalk4.bold("reference of the repository (branch, tag, commit)"),
   type: "string",
   demandOption: false
 };
 var ciOption = {
-  describe: chalk3.bold(
+  describe: chalk4.bold(
     "Run in CI mode, prompts and browser will not be opened"
   ),
   type: "boolean",
@@ -2183,17 +2529,17 @@ var ciOption = {
 };
 var apiKeyOption = {
   type: "string",
-  describe: chalk3.bold("Mobb authentication api-key")
+  describe: chalk4.bold("Mobb authentication api-key")
 };
 var commitHashOption = {
   alias: "ch",
-  describe: chalk3.bold("Hash of the commit"),
+  describe: chalk4.bold("Hash of the commit"),
   type: "string"
 };
 
 // src/args/validation.ts
-import chalk4 from "chalk";
-import path6 from "path";
+import chalk5 from "chalk";
+import path7 from "path";
 import { z as z6 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
@@ -2202,11 +2548,11 @@ function throwRepoUrlErrorMessage({
 }) {
   const errorMessage = error.issues[error.issues.length - 1]?.message;
   const formattedErrorMessage = `
-Error: ${chalk4.bold(
+Error: ${chalk5.bold(
     repoUrl
   )} is ${errorMessage}
 Example: 
-	mobbdev ${command} -r ${chalk4.bold(
+	mobbdev ${command} -r ${chalk5.bold(
     "https://github.com/WebGoat/WebGoat"
   )}`;
   throw new CliError(formattedErrorMessage);
@@ -2234,12 +2580,12 @@ function validateRepoUrl(args) {
 }
 var supportExtensions = [".json", ".xml", ".fpr", ".sarif"];
 function validateReportFileFormat(reportFile) {
-  if (!supportExtensions.includes(path6.extname(reportFile))) {
+  if (!supportExtensions.includes(path7.extname(reportFile))) {
     throw new CliError(
       `
-${chalk4.bold(
+${chalk5.bold(
         reportFile
-      )} is not a supported file extension. Supported extensions are: ${chalk4.bold(
+      )} is not a supported file extension. Supported extensions are: ${chalk5.bold(
         supportExtensions.join(", ")
       )}
 `
@@ -2253,18 +2599,18 @@ function analyzeBuilder(yargs2) {
     alias: "scan-file",
     demandOption: true,
     type: "string",
-    describe: chalk5.bold(
+    describe: chalk6.bold(
       "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL)"
     )
   }).option("repo", repoOption).option("p", {
     alias: "src-path",
-    describe: chalk5.bold(
+    describe: chalk6.bold(
       "Path to the repository folder with the source code"
     ),
     type: "string"
   }).option("ref", refOption).option("ch", {
     alias: "commit-hash",
-    describe: chalk5.bold("Hash of the commit"),
+    describe: chalk6.bold("Hash of the commit"),
     type: "string"
   }).option("y", yesOption).option("ci", ciOption).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).example(
     "$0 analyze -r https://github.com/WebGoat/WebGoat -f <your_vulirabitliy_report_path>",
@@ -2274,7 +2620,7 @@ function analyzeBuilder(yargs2) {
 function validateAnalyzeOptions(argv) {
   if (!fs4.existsSync(argv.f)) {
     throw new CliError(`
-Can't access ${chalk5.bold(argv.f)}`);
+Can't access ${chalk6.bold(argv.f)}`);
   }
   if (!argv.srcPath && !argv.repo) {
     throw new CliError("You must supply either --src-path or --repo");
@@ -2293,19 +2639,23 @@ async function analyzeHandler(args) {
 }
 
 // src/args/commands/scan.ts
-import chalk6 from "chalk";
+import chalk7 from "chalk";
 function scanBuilder(args) {
   return args.coerce("scanner", (arg) => arg.toLowerCase()).option("repo", repoOption).option("ref", refOption).option("s", {
     alias: "scanner",
     choices: Object.values(SCANNERS),
-    describe: chalk6.bold("Select the scanner to use")
-  }).option("y", yesOption).option("ci", ciOption).option("api-key", apiKeyOption).example(
+    describe: chalk7.bold("Select the scanner to use")
+  }).option("y", yesOption).option("ci", ciOption).option("api-key", apiKeyOption).option("cx-project-name", projectNameOption).example(
     "$0 scan -r https://github.com/WebGoat/WebGoat",
     "Scan an existing repository"
   ).help();
 }
 function validateScanOptions(argv) {
   validateRepoUrl(argv);
+  argv.scanner === SCANNERS.Checkmarx && validateCheckmarxInstallation();
+  if (argv.scanner === SCANNERS.Checkmarx && !argv.cxProjectName) {
+    throw new CliError("project name is needed if you're using checkmarx");
+  }
   if (argv.ci && !argv.apiKey) {
     throw new CliError(
       "\nError: --ci flag requires --api-key to be provided as well"
@@ -2321,28 +2671,28 @@ async function scanHandler(args) {
 var parseArgs = async (args) => {
   const yargsInstance = yargs(args);
   return yargsInstance.updateStrings({
-    "Commands:": chalk7.yellow.underline.bold("Commands:"),
-    "Options:": chalk7.yellow.underline.bold("Options:"),
-    "Examples:": chalk7.yellow.underline.bold("Examples:"),
-    "Show help": chalk7.bold("Show help")
+    "Commands:": chalk8.yellow.underline.bold("Commands:"),
+    "Options:": chalk8.yellow.underline.bold("Options:"),
+    "Examples:": chalk8.yellow.underline.bold("Examples:"),
+    "Show help": chalk8.bold("Show help")
   }).usage(
-    `${chalk7.bold(
+    `${chalk8.bold(
       "\n Bugsy - Trusted, Automatic Vulnerability Fixer \u{1F575}\uFE0F\u200D\u2642\uFE0F\n\n"
-    )} ${chalk7.yellow.underline.bold("Usage:")} 
-  $0 ${chalk7.green(
+    )} ${chalk8.yellow.underline.bold("Usage:")} 
+  $0 ${chalk8.green(
       "<command>"
-    )} ${chalk7.dim("[options]")}
+    )} ${chalk8.dim("[options]")}
             `
   ).version(false).command(
     "scan",
-    chalk7.bold(
+    chalk8.bold(
       "Scan your code for vulnerabilities, get automated fixes right away."
     ),
     scanBuilder,
     scanHandler
   ).command(
     "analyze",
-    chalk7.bold(
+    chalk8.bold(
       "Provide a vulnerability report and relevant code repository, get automated fixes right away."
     ),
     analyzeBuilder,
@@ -2355,7 +2705,7 @@ var parseArgs = async (args) => {
     handler() {
       yargsInstance.showHelp();
     }
-  }).strictOptions().help("h").alias("h", "help").epilog(chalk7.bgBlue("Made with \u2764\uFE0F  by Mobb")).showHelpOnFail(true).wrap(Math.min(120, yargsInstance.terminalWidth())).parse();
+  }).strictOptions().help("h").alias("h", "help").epilog(chalk8.bgBlue("Made with \u2764\uFE0F  by Mobb")).showHelpOnFail(true).wrap(Math.min(120, yargsInstance.terminalWidth())).parse();
 };
 
 // src/index.ts