mobbdev 0.0.65 → 0.0.67

package/dist/index.mjs

@@ -163,7 +163,7 @@ import fetch3 from "node-fetch";
 import open2 from "open";
 import semver from "semver";
 import tmp2 from "tmp";
-import { z as z8 } from "zod";
+import { z as z7 } from "zod";
 
 // src/features/analysis/git.ts
 import Debug2 from "debug";
@@ -385,16 +385,7 @@ var GET_ANALYSIS = gql2`
         commitSha
         pullRequest
       }
-      fixes {
-        id
-        issueType
-        vulnerabilityReportIssues {
-          issueLanguage
-          state
-          issueType
-          vendorIssueId
-        }
-      }
+      vulnerabilityReportId
       vulnerabilityReport {
         projectId
         project {
@@ -412,12 +403,38 @@ var GET_ANALYSIS = gql2`
 var GET_FIX = gql2`
   query getFix($fixId: uuid!) {
     fix_by_pk(id: $fixId) {
+      issueType
+      id
       patchAndQuestions {
         patch
       }
     }
   }
 `;
+var GET_VUL_BY_NODES_METADATA = gql2`
+  query getVulByNodesMetadata(
+    $filters: [vulnerability_report_issue_code_node_bool_exp!]
+    $vulnerabilityReportId: uuid!
+  ) {
+    vulnerabilityReportIssueCodeNodes: vulnerability_report_issue_code_node(
+      order_by: { index: desc }
+      where: {
+        _or: $filters
+        vulnerabilityReportIssue: {
+          vulnerabilityReportId: { _eq: $vulnerabilityReportId }
+        }
+      }
+    ) {
+      vulnerabilityReportIssueId
+      path
+      startLine
+      vulnerabilityReportIssue {
+        issueType
+        fixId
+      }
+    }
+  }
+`;
 
 // src/features/analysis/graphql/subscirbe.ts
 import { createClient } from "graphql-ws";
@@ -610,20 +627,7 @@ var GetAnalysisQueryZ = z2.object({
       commitSha: z2.string(),
       pullRequest: z2.number()
     }),
-    fixes: z2.array(
-      z2.object({
-        id: z2.string(),
-        issueType: z2.string(),
-        vulnerabilityReportIssues: z2.array(
-          z2.object({
-            issueLanguage: z2.string(),
-            state: z2.string(),
-            issueType: z2.string(),
-            vendorIssueId: z2.string()
-          })
-        )
-      })
-    ),
+    vulnerabilityReportId: z2.string(),
     vulnerabilityReport: z2.object({
       projectId: z2.string(),
       project: z2.object({
@@ -639,11 +643,24 @@ var GetAnalysisQueryZ = z2.object({
 });
 var GetFixQueryZ = z2.object({
   fix_by_pk: z2.object({
+    issueType: z2.string(),
+    id: z2.string(),
     patchAndQuestions: z2.object({
       patch: z2.string()
     })
   })
 });
+var VulnerabilityReportIssueCodeNodeZ = z2.object({
+  vulnerabilityReportIssueId: z2.string(),
+  path: z2.string(),
+  startLine: z2.number(),
+  vulnerabilityReportIssue: z2.object({
+    fixId: z2.string()
+  })
+});
+var GetVulByNodesMetadataZ = z2.object({
+  vulnerabilityReportIssueCodeNodes: z2.array(VulnerabilityReportIssueCodeNodeZ)
+});
 
 // src/features/analysis/graphql/gql.ts
 var debug3 = Debug3("mobbdev:gql");
@@ -738,6 +755,42 @@ var GQLClient = class {
     });
     return UploadS3BucketInfoZ.parse(uploadS3BucketInfoResult);
   }
+  async getVulByNodesMetadata({
+    hunks,
+    vulnerabilityReportId
+  }) {
+    const filters = hunks.map((hunk) => {
+      const filter = {
+        path: { _eq: hunk.path },
+        _or: hunk.ranges.map(({ endLine, startLine }) => ({
+          startLine: { _gte: startLine, _lte: endLine },
+          endLine: { _gte: startLine, _lte: endLine }
+        }))
+      };
+      return filter;
+    });
+    const getVulByNodesMetadataRes = await this._client.request(GET_VUL_BY_NODES_METADATA, {
+      filters: { _or: filters },
+      vulnerabilityReportId
+    });
+    const parsedGetVulByNodesMetadataRes = GetVulByNodesMetadataZ.parse(
+      getVulByNodesMetadataRes
+    );
+    const uniqueVulByNodesMetadata = parsedGetVulByNodesMetadataRes.vulnerabilityReportIssueCodeNodes.reduce((acc, vulnerabilityReportIssueCodeNode) => {
+      if (acc[vulnerabilityReportIssueCodeNode.vulnerabilityReportIssueId]) {
+        return acc;
+      }
+      return {
+        ...acc,
+        [vulnerabilityReportIssueCodeNode.vulnerabilityReportIssueId]: vulnerabilityReportIssueCodeNode
+      };
+    }, {});
+    return {
+      vulnerabilityReportIssueCodeNodes: Object.values(
+        uniqueVulByNodesMetadata
+      )
+    };
+  }
   async digestVulnerabilityReport({
     fixReportId,
     projectId
@@ -831,16 +884,20 @@ var GQLClient = class {
     return GetAnalysisQueryZ.parse(res);
   }
   async getFix(fixId) {
-    const res = await this._client.request(GET_FIX, {
-      fixId
-    });
+    const res = await this._client.request(
+      GET_FIX,
+      {
+        fixId
+      }
+    );
     return GetFixQueryZ.parse(res);
   }
 };
 
 // src/features/analysis/handle_finished_analysis.ts
 import Debug4 from "debug";
-import { z as z7 } from "zod";
+import parseDiff from "parse-diff";
+import { z as z6 } from "zod";
 
 // src/features/analysis/scm/gitlab.ts
 import querystring from "node:querystring";
@@ -1234,6 +1291,7 @@ var POST_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments
 var DELETE_COMMENT_PATH = "DELETE /repos/{owner}/{repo}/pulls/comments/{comment_id}";
 var UPDATE_COMMENT_PATH = "PATCH /repos/{owner}/{repo}/pulls/comments/{comment_id}";
 var GET_PR_COMMENTS_PATH = "GET /repos/{owner}/{repo}/pulls/comments";
+var GET_PR = "GET /repos/{owner}/{repo}/pulls/{pull_number}";
 
 // src/features/analysis/scm/github/github-v2.ts
 function postPrComment(client, params) {
@@ -1248,6 +1306,9 @@ function getPrComments(client, params) {
 function deleteComment(client, params) {
   return client.request(DELETE_COMMENT_PATH, params);
 }
+function getPr(client, params) {
+  return client.request(GET_PR, params);
+}
 
 // src/features/analysis/scm/scmSubmit.ts
 import fs from "node:fs/promises";
@@ -1286,7 +1347,9 @@ var submitToScmMessageType = {
 var CommitToSameBranchParamsZ = BaseSubmitToScmMessageZ.merge(
   z4.object({
     type: z4.literal(submitToScmMessageType.commitToSameBranch),
-    branch: z4.string()
+    branch: z4.string(),
+    commitMessage: z4.string(),
+    commitDescription: z4.string().nullish()
   })
 );
 var SubmitFixesToDifferentBranchParamsZ = z4.object({
@@ -1671,6 +1734,19 @@ var GithubSCMLib = class extends SCMLib {
       repo
     });
   }
+  async getPrDiff(params) {
+    if (!this.accessToken || !this.url) {
+      throw new Error("cannot get Pr Comments without access token or url");
+    }
+    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const prRes = await getPr(this.oktokit, {
+      ...params,
+      owner,
+      repo
+    });
+    const diffUrl = prRes.data.diff_url;
+    return this.oktokit.request("GET " + diffUrl);
+  }
   async getRepoList() {
     if (!this.accessToken) {
       console.error("no access token");
@@ -2076,22 +2152,30 @@ var GitlabAuthResultZ = z5.object({
   refresh_token: z5.string()
 });
 
-// src/features/analysis/types.ts
-import { z as z6 } from "zod";
-var VulReportLocationZ = z6.object({
-  physicalLocation: z6.object({
-    artifactLocation: z6.object({
-      uri: z6.string(),
-      uriBaseId: z6.string(),
-      index: z6.number()
-    }),
-    region: z6.object({
-      startLine: z6.number(),
-      startColumn: z6.number(),
-      endColumn: z6.number()
-    })
-  })
-});
+// src/features/analysis/utils/calculate_ranges.ts
+function calculateRanges(integers) {
+  if (integers.length === 0) {
+    return [];
+  }
+  integers.sort((a, b) => a - b);
+  const ranges = integers.reduce(
+    (result, current, index) => {
+      if (index === 0) {
+        return [...result, [current, current]];
+      }
+      const currentRange = result[result.length - 1];
+      const [_start, end] = currentRange;
+      if (current === end + 1) {
+        currentRange[1] = current;
+      } else {
+        result.push([current, current]);
+      }
+      return result;
+    },
+    []
+  );
+  return ranges;
+}
 
 // src/features/analysis/utils/get_issue_type.ts
 var getIssueType = (issueType) => {
@@ -2144,6 +2228,8 @@ var getIssueType = (issueType) => {
       return "Cookie is not HttpOnly";
     case "INSECURE_COOKIE" /* InsecureCookie */:
       return "Insecure Cookie";
+    case "TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */:
+      return "Trust Boundary Violation";
     default: {
       return issueType ? issueType.replaceAll("_", " ") : "Other";
     }
@@ -2151,6 +2237,20 @@ var getIssueType = (issueType) => {
 };
 
 // src/features/analysis/utils/index.ts
+function getFixUrlWithRedirect({
+  fixId,
+  projectId,
+  organizationId,
+  analysisId,
+  redirectUrl
+}) {
+  return `${getFixUrl({
+    fixId,
+    projectId,
+    organizationId,
+    analysisId
+  })}?commit_redirect_url=${encodeURIComponent(redirectUrl)}`;
+}
 function getFixUrl({
   fixId,
   projectId,
@@ -2191,6 +2291,29 @@ function scannerToFriendlyString(scanner) {
       return "Snyk";
   }
 }
+async function getFixesFromDiff(params) {
+  const { gqlClient, diff, vulnerabilityReportId } = params;
+  const parsedDiff = parseDiff(diff);
+  const fileHunks = parsedDiff.map((file) => {
+    const fileNumbers = file.chunks.flatMap((chunk) => chunk.changes).filter((change) => change.type === "add").map((_change) => {
+      const change = _change;
+      return change.ln;
+    });
+    const lineAddedRanges = calculateRanges(fileNumbers);
+    const fileFilter = {
+      path: z6.string().parse(file.to),
+      ranges: lineAddedRanges.map(([startLine, endLine]) => ({
+        endLine,
+        startLine
+      }))
+    };
+    return fileFilter;
+  });
+  return gqlClient.getVulByNodesMetadata({
+    hunks: fileHunks,
+    vulnerabilityReportId
+  });
+}
 async function handleFinishedAnalysis({
   analysisId,
   scm: _scm,
@@ -2202,7 +2325,20 @@ async function handleFinishedAnalysis({
     return;
   }
   const scm = _scm;
-  const res = await gqlClient.getAnalysis(analysisId);
+  const getAnalysis = await gqlClient.getAnalysis(analysisId);
+  const {
+    vulnerabilityReport: {
+      projectId,
+      project: { organizationId }
+    }
+  } = getAnalysis.analysis;
+  const { commitSha, pullRequest } = getAnalysis.analysis.repo;
+  const getPrDiff = await scm.getPrDiff({ pull_number: pullRequest });
+  const { vulnerabilityReportIssueCodeNodes } = await getFixesFromDiff({
+    diff: getPrDiff.data,
+    gqlClient,
+    vulnerabilityReportId: getAnalysis.analysis.vulnerabilityReportId
+  });
   const comments = await scm.getPrComments({}, githubActionOctokit);
   await Promise.all(
     comments.data.filter((comment) => {
@@ -2219,97 +2355,62 @@ async function handleFinishedAnalysis({
       }
     })
   );
-  const {
-    vulnerabilityReport: {
-      file: {
-        signedFile: { url: vulReportUrl }
-      }
-    },
-    repo: { commitSha, pullRequest }
-  } = res.analysis;
-  const {
-    projectId,
-    project: { organizationId }
-  } = res.analysis.vulnerabilityReport;
-  const vulReportRes = await fetch(vulReportUrl);
-  const vulReport = await vulReportRes.json();
   return Promise.all(
-    res.analysis.fixes.map((fix) => {
-      const [vulnerabilityReportIssue] = fix.vulnerabilityReportIssues;
-      const issueIndex = parseInt(
-        z7.string().parse(vulnerabilityReportIssue?.vendorIssueId)
-      );
-      const results = vulReport.runs[0]?.results || [];
-      const ruleId = results[issueIndex]?.ruleId;
-      const location = VulReportLocationZ.parse(
-        results[issueIndex]?.locations[0]
-      );
-      const { uri: filePath } = location.physicalLocation.artifactLocation;
-      const { startLine, startColumn, endColumn } = location.physicalLocation.region;
-      const fixLocation = {
-        filePath,
-        startLine,
-        startColumn,
-        endColumn,
-        ruleId
-      };
-      return {
-        fix,
-        fixLocation
-      };
-    }).map(async ({ fix, fixLocation }) => {
-      const { filePath, startLine } = fixLocation;
-      const getFixContent = await gqlClient.getFix(fix.id);
-      const {
-        fix_by_pk: {
+    vulnerabilityReportIssueCodeNodes.map(
+      async (vulnerabilityReportIssueCodeNodes2) => {
+        const { path: path8, startLine, vulnerabilityReportIssue } = vulnerabilityReportIssueCodeNodes2;
+        const { fixId } = vulnerabilityReportIssue;
+        const { fix_by_pk } = await gqlClient.getFix(fixId);
+        const {
           patchAndQuestions: { patch }
-        }
-      } = getFixContent;
-      const commentRes = await scm.postPrComment(
-        {
-          body: "empty",
-          pull_number: pullRequest,
-          commit_id: commitSha,
-          path: filePath,
-          line: startLine
-        },
-        githubActionOctokit
-      );
-      const commitUrl = getCommitUrl({
-        fixId: fix.id,
-        projectId,
-        analysisId,
-        organizationId,
-        redirectUrl: commentRes.data.html_url
-      });
-      const fixUrl = getFixUrl({
-        fixId: fix.id,
-        projectId,
-        analysisId,
-        organizationId
-      });
-      const scanerString = scannerToFriendlyString(scanner);
-      const issueType = getIssueType(fix.issueType);
-      const title = `# ${MOBB_ICON_IMG} ${issueType} fix by Mobb is ready`;
-      const subTitle = `### Apply the following code change to fix ${issueType} issue detected by ${scanerString}:`;
-      const diff = `\`\`\`diff
+        } = fix_by_pk;
+        const commentRes = await scm.postPrComment(
+          {
+            body: "empty",
+            pull_number: pullRequest,
+            commit_id: commitSha,
+            path: path8,
+            line: startLine
+          },
+          githubActionOctokit
+        );
+        const commitUrl = getCommitUrl({
+          fixId: fix_by_pk.id,
+          projectId,
+          analysisId,
+          organizationId,
+          redirectUrl: commentRes.data.html_url
+        });
+        const fixUrl = getFixUrlWithRedirect({
+          fixId: fix_by_pk.id,
+          projectId,
+          analysisId,
+          organizationId,
+          redirectUrl: commentRes.data.html_url
+        });
+        const scanerString = scannerToFriendlyString(scanner);
+        const issueType = getIssueType(fix_by_pk.issueType);
+        const title = `# ${MOBB_ICON_IMG} ${issueType} fix by Mobb is ready`;
+        const subTitle = `### Apply the following code change to fix ${issueType} issue detected by ${scanerString}:`;
+        const diff = `\`\`\`diff
 ${patch} 
 \`\`\``;
-      const fixPageLink = `[Learn more and fine tune the fix](${fixUrl})`;
-      await scm.updatePrComment(
-        {
-          body: `${title}
+        const fixPageLink = `[Learn more and fine tune the fix](${fixUrl})`;
+        await scm.updatePrComment(
+          {
+            body: `${title}
 ${subTitle}
 ${diff}
 ${commitFixButton(
-            commitUrl
-          )}
+              commitUrl
+            )}
 ${fixPageLink}`,
-          comment_id: commentRes.data.id
-        },
-        githubActionOctokit
-      );
-    })
+            comment_id: commentRes.data.id
+          },
+          githubActionOctokit
+        );
+      }
+    )
   );
 }
 
@@ -2595,9 +2696,8 @@ async function validateCheckamxCredentials() {
     if (!tryAgain) {
       await throwCheckmarxConfigError();
     }
-    if (await tryCheckmarxConfiguarationAgain()) {
-      validateCheckamxCredentials();
-    }
+    await validateCheckamxCredentials();
+    return;
   }
   await createSpinner2("\u{1F513} Checkmarx configured successfully!").start().success();
 }
@@ -2893,7 +2993,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
         gqlClient,
         scm,
         githubActionOctokit: new Octokit3({ auth: githubActionToken }),
-        scanner: z8.nativeEnum(SCANNERS).parse(scanner)
+        scanner: z7.nativeEnum(SCANNERS).parse(scanner)
       })
     );
   }
@@ -2905,7 +3005,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     try {
       const sumbitRes = await gqlClient.submitVulnerabilityReport({
         fixReportId: reportUploadInfo.fixReportId,
-        repoUrl: z8.string().parse(repo),
+        repoUrl: z7.string().parse(repo),
         reference,
         projectId,
         vulnerabilityReportFileName: "report.json",
@@ -3270,7 +3370,7 @@ var commitHashOption = {
 // src/args/validation.ts
 import chalk6 from "chalk";
 import path7 from "path";
-import { z as z9 } from "zod";
+import { z as z8 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
   repoUrl,
@@ -3287,7 +3387,7 @@ Example:
   )}`;
   throw new CliError(formattedErrorMessage);
 }
-var UrlZ = z9.string({
+var UrlZ = z8.string({
   invalid_type_error: "is not a valid GitHub / GitLab URL"
 }).refine((data) => !!parseScmURL(data), {
   message: "is not a valid GitHub / GitLab URL"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "0.0.65",
+  "version": "0.0.67",
   "description": "Automated secure code remediation tool",
   "repository": "https://github.com/mobb-dev/bugsy",
   "main": "dist/index.js",
@@ -46,6 +46,7 @@
     "node-fetch": "3.3.1",
     "octokit": "2.0.14",
     "open": "8.4.2",
+    "parse-diff": "0.11.1",
     "semver": "7.5.0",
     "simple-git": "3.19.1",
     "snyk": "1.1118.0",