mobbdev 0.0.6 → 0.0.8

package/README.md

@@ -1,32 +1,37 @@
-# Mobb CLI (community tool)
+# Bugsy
 
-[Mobb](https://www.mobb.dev) automates security vulnerability remediations.
+Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of [Mobb](https://www.mobb.dev), the first vendor-agnostic automatic security vulnerability remediation tool. Bugsy is designed to help developers easily identify and fix security vulnerabilities in their code.
 
 <img width="750" alt="Screenshot 2023-03-27 at 5 23 19 PM" src="https://user-images.githubusercontent.com/96389636/228070025-2a1c3aae-6b40-427f-a1e9-2b10ef97b5ea.png">
 
 ## What is [Mobb](https://www.mobb.dev)?
 
-[Mobb](https://www.mobb.dev) is the first vendor agnostic automatic security vulnerability remediation tool. It injests SAST results from Checkmarx One, GitHub Advanced Security, and Snyk Code and produces code fixes for the developer to review and commit to their code.
+[Mobb](https://www.mobb.dev) is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, GitHub Advanced Security, and Snyk and produces code fixes for developers to review and commit to their code.
 
-## What does Mobb CLI (Community Tool) do?
+## What does Bugsy do?
 
--   Uses Snyk Code CLI to run a SAST analysis on a given GitHub repo
--   Analyzes the vulnerbilities report to identify issues that can be remediated
--   Produce the code fixes and redirect the user to the fix report page on [mobb.dev](https://www.mobb.dev)
+-   Uses Snyk CLI tool to run a SAST analysis on a given open-source GitHub repo
+-   Analyzes the vulnerability report to identify issues that can be remediated automatically
+-   Produces the code fixes and redirects the user to the fix report page on the Mobb platform
 
 ## Disclaimer
 
-This is an alpha version only capable of analyzing public GitHub repositories. We wrap Snyk Code CLI to produce SAST vulnerabilities report.
+This is a community edition version that only analyzes public GitHub repositories.
+Snyk CLI is used to produce a SAST vulnerability report.
 
 -   Only Java projects are supported at the moment.
--   Only SQLi, CMDi, XSS, and XXE are supported at the moment.
+-   Only SQLi, CMDi, XSS, XXE, and Path Traversal are currently supported.
 
 ## Usage
 
+You can use Bugsy from the command line. To evaluate and remediate a new open-source repository, you can run the following command:
+
 ```shell
 npx mobbdev https://github.com/mobb-dev/simple-vulnerable-java-project
 ```
 
+Bugsy will automatically generate a fix for each supported vulnerability identified in the SAST results, present it to developers for review and commit to their code.
+
 ## Getting support
 
-If you need support using Mobb CLI, or just want to share your thoughts and learn more, you are more than welcome to join our [discord server](https://discord.gg/ks6Nz3H828)
+If you need support using Bugsy or just want to share your thoughts and learn more, you are more than welcome to join our [discord server](https://discord.gg/ks6Nz3H828)

package/package.json

@@ -1,46 +1,46 @@
 {
-    "name": "mobbdev",
-    "version": "0.0.6",
-    "description": "Automated secure code remediation tool",
-    "main": "index.js",
-    "scripts": {
-        "lint": "prettier --check . && eslint **/*.mjs",
-        "lint:fix": "prettier --write . && eslint --fix **/*.mjs",
-        "test": "DOTENV_ME=${ENV_VAULT_CLI} dotenv-vault pull development .env && TOKEN=$(../../scripts/login_auth0.sh) NODE_OPTIONS=--experimental-vm-modules jest",
-        "prepack": "dotenv-vault pull production .env"
-    },
-    "bin": {
-        "mobbdev": "bin/cli.mjs"
-    },
-    "author": "",
-    "license": "MIT",
-    "dependencies": {
-        "configstore": "6.0.0",
-        "dotenv": "16.0.3",
-        "extract-zip": "2.0.1",
-        "form-data": "4.0.0",
-        "got": "12.6.0",
-        "open": "8.4.2",
-        "snyk": "1.1118.0",
-        "tmp": "0.2.1",
-        "zod": "3.21.4"
-    },
-    "devDependencies": {
-        "@jest/globals": "29.5.0",
-        "eslint": "8.36.0",
-        "jest": "29.5.0",
-        "prettier": "2.8.4"
-    },
-    "engines": {
-        "node": ">=8.5.0"
-    },
-    "files": [
-        "bin",
-        "src",
-        "index.mjs",
-        ".env",
-        "README.md",
-        "LICENSE",
-        "package.json"
-    ]
-}
+  "name": "mobbdev",
+  "version": "0.0.8",
+  "description": "Automated secure code remediation tool",
+  "main": "index.js",
+  "bin": {
+    "mobbdev": "bin/cli.mjs"
+  },
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "colors": "1.4.0",
+    "configstore": "6.0.0",
+    "dotenv": "16.0.3",
+    "extract-zip": "2.0.1",
+    "form-data": "4.0.0",
+    "got": "12.6.0",
+    "open": "8.4.2",
+    "snyk": "1.1118.0",
+    "tmp": "0.2.1",
+    "zod": "3.21.4"
+  },
+  "devDependencies": {
+    "@jest/globals": "29.5.0",
+    "eslint": "8.36.0",
+    "jest": "29.5.0",
+    "prettier": "2.8.4"
+  },
+  "engines": {
+    "node": ">=8.5.0"
+  },
+  "files": [
+    "bin",
+    "src",
+    "index.mjs",
+    ".env",
+    "README.md",
+    "LICENSE",
+    "package.json"
+  ],
+  "scripts": {
+    "lint": "prettier --check . && eslint **/*.mjs",
+    "lint:fix": "prettier --write . && eslint --fix **/*.mjs",
+    "test": "DOTENV_ME=${ENV_VAULT_CLI} dotenv-vault pull development .env && TOKEN=$(../../scripts/login_auth0.sh) NODE_OPTIONS=--experimental-vm-modules jest"
+  }
+}

package/src/snyk.mjs

@@ -1,41 +1,82 @@
 import cp from 'node:child_process';
 import { createRequire } from 'node:module';
+import readline from 'node:readline';
+import { stdout } from 'colors/lib/system/supports-colors.js';
+import open from 'open';
+import * as process from 'process';
 
 const require = createRequire(import.meta.url);
 const SNYK_PATH = require.resolve('snyk/bin/snyk');
 
-async function forkSnyk(args, stdio = 'inherit') {
+async function forkSnyk(args, display) {
     return new Promise((resolve, reject) => {
         const child = cp.fork(SNYK_PATH, args, {
-            stdio,
+            stdio: ['inherit', 'pipe', 'pipe', 'ipc'],
+            env: { FORCE_COLOR: stdout.level },
         });
         let out = '';
+        const onData = (chunk) => {
+            out += chunk;
+        };
 
-        if (stdio === 'pipe') {
-            child.stdout.on('data', (chunk) => {
-                out += chunk;
-            });
+        child.stdout.on('data', onData);
+        child.stderr.on('data', onData);
+
+        if (display) {
+            child.stdout.pipe(process.stdout);
+            child.stderr.pipe(process.stderr);
         }
 
         child.on('exit', () => {
             resolve(out);
         });
+        child.on('error', (err) => {
+            reject(err);
+        });
+    });
+}
+
+async function question(questionString) {
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
 
-        child.on('error', reject);
+    return new Promise((resolve) => {
+        rl.question(`${questionString} `, (answer) => {
+            rl.close();
+            resolve(answer);
+        });
     });
 }
 
 export async function getSnykReport(reportPath, repoRoot) {
-    const config = await forkSnyk(['config'], 'pipe');
+    const config = await forkSnyk(['config'], false);
 
     if (!config.includes('api: ')) {
-        await forkSnyk(['auth']);
+        await forkSnyk(['auth'], true);
     }
 
-    await forkSnyk([
-        'code',
-        'test',
-        `--sarif-file-output=${reportPath}`,
-        repoRoot,
-    ]);
+    const out = await forkSnyk(
+        ['code', 'test', `--sarif-file-output=${reportPath}`, repoRoot],
+        true
+    );
+
+    if (
+        out.includes(
+            'Snyk Code is not supported for org: enable in Settings > Snyk Code'
+        )
+    ) {
+        const answer = await question(
+            "Do you want to be taken to the relevant Snyk's online article? (Y/N)"
+        );
+
+        if (['y', 'yes', ''].includes(answer.toLowerCase())) {
+            await open(
+                'https://docs.snyk.io/scan-application-code/snyk-code/getting-started-with-snyk-code/activating-snyk-code-using-the-web-ui/step-1-enabling-the-snyk-code-option'
+            );
+        }
+
+        process.exit(0);
+    }
 }