mobbdev 0.0.66 → 0.0.68

package/dist/index.mjs

@@ -163,7 +163,7 @@ import fetch3 from "node-fetch";
 import open2 from "open";
 import semver from "semver";
 import tmp2 from "tmp";
-import { z as z7 } from "zod";
+import { z as z9 } from "zod";
 
 // src/features/analysis/git.ts
 import Debug2 from "debug";
@@ -762,6 +762,7 @@ var GQLClient = class {
     const filters = hunks.map((hunk) => {
       const filter = {
         path: { _eq: hunk.path },
+        vulnerabilityReportIssue: { fixId: { _is_null: false } },
         _or: hunk.ranges.map(({ endLine, startLine }) => ({
           startLine: { _gte: startLine, _lte: endLine },
           endLine: { _gte: startLine, _lte: endLine }
@@ -897,15 +898,30 @@ var GQLClient = class {
 // src/features/analysis/handle_finished_analysis.ts
 import Debug4 from "debug";
 import parseDiff from "parse-diff";
-import { z as z6 } from "zod";
+import { z as z8 } from "zod";
+
+// src/features/analysis/scm/constants.ts
+var MOBB_ICON_IMG = "https://app.mobb.ai/mobb.png";
+var COMMIT_FIX_SVG = `https://app.mobb.ai/gh-action/commit-button.svg`;
 
 // src/features/analysis/scm/gitlab.ts
 import querystring from "node:querystring";
 import { Gitlab } from "@gitbeaker/rest";
-import { z as z5 } from "zod";
+import { z as z7 } from "zod";
 
 // src/features/analysis/scm/scm.ts
 import { Octokit as Octokit2 } from "@octokit/core";
+import { z as z6 } from "zod";
+
+// src/features/analysis/scm/github/encryptSecret.ts
+import sodium from "libsodium-wrappers";
+async function encryptSecret(secret, key) {
+  await sodium.ready;
+  const binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL);
+  const binsec = sodium.from_string(secret);
+  const encBytes = sodium.crypto_box_seal(binsec, binkey);
+  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+}
 
 // src/features/analysis/scm/github/github.ts
 import { RequestError } from "@octokit/request-error";
@@ -1137,6 +1153,16 @@ async function createPullRequest(options) {
   });
   return res.data.number;
 }
+async function forkRepo(options) {
+  const { owner, repo } = parseOwnerAndRepo(options.repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
+  const res = await oktoKit.rest.repos.createFork({
+    owner,
+    repo,
+    default_branch_only: false
+  });
+  return { url: res.data.html_url ? String(res.data.html_url) : null };
+}
 async function getRepos(oktoKit) {
   const res = await oktoKit.request("GET /user/repos?sort=updated", {
     headers: {
@@ -1290,8 +1316,11 @@ async function getGithubBlameRanges({ ref, gitHubUrl, path: path8 }, options) {
 var POST_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments";
 var DELETE_COMMENT_PATH = "DELETE /repos/{owner}/{repo}/pulls/comments/{comment_id}";
 var UPDATE_COMMENT_PATH = "PATCH /repos/{owner}/{repo}/pulls/comments/{comment_id}";
-var GET_PR_COMMENTS_PATH = "GET /repos/{owner}/{repo}/pulls/comments";
+var GET_PR_COMMENTS_PATH = "GET /repos/{owner}/{repo}/pulls/{pull_number}/comments";
+var GET_PR_COMMENT_PATH = "GET /repos/{owner}/{repo}/pulls/comments/{comment_id}";
 var GET_PR = "GET /repos/{owner}/{repo}/pulls/{pull_number}";
+var CREATE_OR_UPDATE_A_REPOSITORY_SECRET = "PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}";
+var GET_A_REPOSITORY_PUBLIC_KEY = "GET /repos/{owner}/{repo}/actions/secrets/public-key";
 
 // src/features/analysis/scm/github/github-v2.ts
 function postPrComment(client, params) {
@@ -1303,32 +1332,32 @@ function updatePrComment(client, params) {
 function getPrComments(client, params) {
   return client.request(GET_PR_COMMENTS_PATH, params);
 }
+function getPrComment(client, params) {
+  return client.request(GET_PR_COMMENT_PATH, params);
+}
 function deleteComment(client, params) {
   return client.request(DELETE_COMMENT_PATH, params);
 }
-function getPr(client, params) {
-  return client.request(GET_PR, params);
+function getPrDiff(client, params) {
+  return client.request(GET_PR, { ...params, mediaType: { format: "diff" } });
+}
+function createOrUpdateRepositorySecret(client, params) {
+  return client.request(CREATE_OR_UPDATE_A_REPOSITORY_SECRET, params);
+}
+function getARepositoryPublicKey(client, params) {
+  return client.request(GET_A_REPOSITORY_PUBLIC_KEY, params);
 }
 
-// src/features/analysis/scm/scmSubmit.ts
+// src/features/analysis/scm/scmSubmit/index.ts
 import fs from "node:fs/promises";
 import os from "os";
 import path3 from "path";
 import { simpleGit as simpleGit2 } from "simple-git";
 import tmp from "tmp";
+import { z as z5 } from "zod";
+
+// src/features/analysis/scm/scmSubmit/types.ts
 import { z as z4 } from "zod";
-var isValidBranchName = async (branchName) => {
-  const git = simpleGit2();
-  try {
-    const res = await git.raw(["check-ref-format", "--branch", branchName]);
-    if (res) {
-      return true;
-    }
-    return false;
-  } catch (e) {
-    return false;
-  }
-};
 var BaseSubmitToScmMessageZ = z4.object({
   submitFixRequestId: z4.string().uuid(),
   fixes: z4.array(
@@ -1349,7 +1378,8 @@ var CommitToSameBranchParamsZ = BaseSubmitToScmMessageZ.merge(
     type: z4.literal(submitToScmMessageType.commitToSameBranch),
     branch: z4.string(),
     commitMessage: z4.string(),
-    commitDescription: z4.string().nullish()
+    commitDescription: z4.string().nullish(),
+    githubCommentId: z4.number().nullish()
   })
 );
 var SubmitFixesToDifferentBranchParamsZ = z4.object({
@@ -1366,8 +1396,7 @@ var FixResponseArrayZ = z4.array(
     fixId: z4.string().uuid()
   })
 );
-var SubmitFixesResponseMessageZ = z4.object({
-  type: z4.nativeEnum(submitToScmMessageType),
+var SubmitFixesBaseResponseMessageZ = z4.object({
   submitFixRequestId: z4.string().uuid(),
   submitBranches: z4.array(
     z4.object({
@@ -1387,7 +1416,33 @@ var SubmitFixesResponseMessageZ = z4.object({
     })
   }).optional()
 });
-var FixesZ = z4.array(z4.object({ fixId: z4.string(), diff: z4.string() })).nonempty();
+var SubmitFixesToSameBranchResponseMessageZ = z4.object({
+  type: z4.literal(submitToScmMessageType.commitToSameBranch),
+  githubCommentId: z4.number().nullish()
+}).merge(SubmitFixesBaseResponseMessageZ);
+var SubmitFixesToDifferentBranchResponseMessageZ = z4.object({
+  type: z4.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  githubCommentId: z4.number().optional()
+}).merge(SubmitFixesBaseResponseMessageZ);
+var SubmitFixeResponseMessageZ = z4.discriminatedUnion("type", [
+  SubmitFixesToSameBranchResponseMessageZ,
+  SubmitFixesToDifferentBranchResponseMessageZ
+]);
+
+// src/features/analysis/scm/scmSubmit/index.ts
+var isValidBranchName = async (branchName) => {
+  const git = simpleGit2();
+  try {
+    const res = await git.raw(["check-ref-format", "--branch", branchName]);
+    if (res) {
+      return true;
+    }
+    return false;
+  } catch (e) {
+    return false;
+  }
+};
+var FixesZ = z5.array(z5.object({ fixId: z5.string(), diff: z5.string() })).nonempty();
 
 // src/features/analysis/scm/scm.ts
 function getScmLibTypeFromUrl(url) {
@@ -1538,6 +1593,20 @@ var GitlabSCMLib = class extends SCMLib {
       accessToken: this.accessToken
     });
   }
+  async forkRepo() {
+    if (!this.accessToken) {
+      console.error("no access token");
+      throw new Error("no access token");
+    }
+    throw new Error("not supported yet");
+  }
+  async createOrUpdateRepositorySecret() {
+    if (!this.accessToken) {
+      console.error("no access token");
+      throw new Error("no access token");
+    }
+    throw new Error("not supported yet");
+  }
   async getRepoList() {
     if (!this.accessToken) {
       console.error("no access token");
@@ -1659,8 +1728,15 @@ var GitlabSCMLib = class extends SCMLib {
       gitlabAuthToken: this.accessToken
     });
   }
+  getPrComment(_commentId) {
+    throw new Error("getPrComment not implemented.");
+  }
+  updatePrComment(_params, _oktokit) {
+    throw new Error("updatePrComment not implemented.");
+  }
 };
 var GithubSCMLib = class extends SCMLib {
+  // we don't always need a url, what's important is that we have an access token
   constructor(url, accessToken) {
     super(url, accessToken);
     __publicField(this, "oktokit");
@@ -1682,6 +1758,39 @@ var GithubSCMLib = class extends SCMLib {
       })
     );
   }
+  async forkRepo(repoUrl) {
+    if (!this.accessToken) {
+      console.error("no access token");
+      throw new Error("no access token");
+    }
+    return forkRepo({
+      repoUrl,
+      accessToken: this.accessToken
+    });
+  }
+  async createOrUpdateRepositorySecret(params, _oktokit) {
+    if (!_oktokit && !this.accessToken || !this.url) {
+      throw new Error("cannot delete comment without access token or url");
+    }
+    const oktokit = _oktokit || this.oktokit;
+    const { owner, repo } = parseOwnerAndRepo(this.url);
+    const { data: repositoryPublicKeyResponse } = await getARepositoryPublicKey(
+      oktokit,
+      {
+        owner,
+        repo
+      }
+    );
+    const { key_id, key } = repositoryPublicKeyResponse;
+    const encryptedValue = await encryptSecret(params.value, key);
+    return createOrUpdateRepositorySecret(oktokit, {
+      encrypted_value: encryptedValue,
+      secret_name: params.name,
+      key_id,
+      owner,
+      repo
+    });
+  }
   async validateParams() {
     return githubValidateParams(this.url, this.accessToken);
   }
@@ -1739,13 +1848,12 @@ var GithubSCMLib = class extends SCMLib {
       throw new Error("cannot get Pr Comments without access token or url");
     }
     const { owner, repo } = parseOwnerAndRepo(this.url);
-    const prRes = await getPr(this.oktokit, {
+    const prRes = await getPrDiff(this.oktokit, {
       ...params,
       owner,
       repo
     });
-    const diffUrl = prRes.data.diff_url;
-    return this.oktokit.request("GET " + diffUrl);
+    return z6.string().parse(prRes.data);
   }
   async getRepoList() {
     if (!this.accessToken) {
@@ -1843,6 +1951,18 @@ var GithubSCMLib = class extends SCMLib {
       }
     );
   }
+  async getPrComment(commentId) {
+    if (!this.url) {
+      console.error("no url");
+      throw new Error("no url");
+    }
+    const { owner, repo } = parseOwnerAndRepo(this.url);
+    return await getPrComment(this.oktokit, {
+      repo,
+      owner,
+      comment_id: commentId
+    });
+  }
   async getRepoDefaultBranch() {
     if (!this.url) {
       console.error("no url");
@@ -1878,6 +1998,14 @@ var StubSCMLib = class extends SCMLib {
     console.error("validateParams() not implemented");
     throw new Error("validateParams() not implemented");
   }
+  async forkRepo() {
+    console.error("forkRepo() not implemented");
+    throw new Error("forkRepo() not implemented");
+  }
+  async createOrUpdateRepositorySecret() {
+    console.error("forkRepo() not implemented");
+    throw new Error("forkRepo() not implemented");
+  }
   async getRepoList() {
     console.error("getBranchList() not implemented");
     throw new Error("getBranchList() not implemented");
@@ -1910,14 +2038,22 @@ var StubSCMLib = class extends SCMLib {
     console.error("getRepoDefaultBranch() not implemented");
     throw new Error("getRepoDefaultBranch() not implemented");
   }
+  async getPrComment(_commentId) {
+    console.error("getPrComment() not implemented");
+    throw new Error("getPrComment() not implemented");
+  }
+  async updatePrComment() {
+    console.error("updatePrComment() not implemented");
+    throw new Error("updatePrComment() not implemented");
+  }
 };
 
 // src/features/analysis/scm/gitlab.ts
 function removeTrailingSlash2(str) {
   return str.trim().replace(/\/+$/, "");
 }
-var EnvVariablesZod2 = z5.object({
-  GITLAB_API_TOKEN: z5.string().optional()
+var EnvVariablesZod2 = z7.object({
+  GITLAB_API_TOKEN: z7.string().optional()
 });
 var { GITLAB_API_TOKEN } = EnvVariablesZod2.parse(process.env);
 function getGitBeaker(options) {
@@ -2146,38 +2282,13 @@ async function getGitlabBlameRanges({ ref, gitlabUrl, path: path8 }, options) {
     };
   });
 }
-var GitlabAuthResultZ = z5.object({
-  access_token: z5.string(),
-  token_type: z5.string(),
-  refresh_token: z5.string()
+var GitlabAuthResultZ = z7.object({
+  access_token: z7.string(),
+  token_type: z7.string(),
+  refresh_token: z7.string()
 });
 
-// src/features/analysis/utils/calculate_ranges.ts
-function calculateRanges(integers) {
-  if (integers.length === 0) {
-    return [];
-  }
-  integers.sort((a, b) => a - b);
-  const ranges = integers.reduce(
-    (result, current, index) => {
-      if (index === 0) {
-        return [...result, [current, current]];
-      }
-      const currentRange = result[result.length - 1];
-      const [_start, end] = currentRange;
-      if (current === end + 1) {
-        currentRange[1] = current;
-      } else {
-        result.push([current, current]);
-      }
-      return result;
-    },
-    []
-  );
-  return ranges;
-}
-
-// src/features/analysis/utils/get_issue_type.ts
+// src/features/analysis/scm/utils/get_issue_type.ts
 var getIssueType = (issueType) => {
   switch (issueType) {
     case "SQL_Injection" /* SqlInjection */:
@@ -2228,54 +2339,94 @@ var getIssueType = (issueType) => {
       return "Cookie is not HttpOnly";
     case "INSECURE_COOKIE" /* InsecureCookie */:
       return "Insecure Cookie";
+    case "TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */:
+      return "Trust Boundary Violation";
     default: {
       return issueType ? issueType.replaceAll("_", " ") : "Other";
     }
   }
 };
 
-// src/features/analysis/utils/index.ts
-function getFixUrlWithRedirect({
-  fixId,
-  projectId,
-  organizationId,
-  analysisId,
-  redirectUrl
-}) {
+// src/features/analysis/scm/utils/index.ts
+function getFixUrlWithRedirect(params) {
+  const {
+    fixId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("commit_redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
   return `${getFixUrl({
+    appBaseUrl,
     fixId,
     projectId,
     organizationId,
     analysisId
-  })}?commit_redirect_url=${encodeURIComponent(redirectUrl)}`;
+  })}?${searchParams.toString()}`;
 }
 function getFixUrl({
+  appBaseUrl,
   fixId,
   projectId,
   organizationId,
   analysisId
 }) {
-  return `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
+  return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
 }
-function getCommitUrl({
-  fixId,
-  projectId,
-  organizationId,
-  analysisId,
-  redirectUrl
-}) {
+function getCommitUrl(params) {
+  const {
+    fixId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
   return `${getFixUrl({
+    appBaseUrl,
     fixId,
     projectId,
     organizationId,
     analysisId
-  })}/commit?redirect_url=${encodeURIComponent(redirectUrl)}`;
+  })}/commit?${searchParams.toString()}`;
+}
+
+// src/features/analysis/utils/calculate_ranges.ts
+function calculateRanges(integers) {
+  if (integers.length === 0) {
+    return [];
+  }
+  integers.sort((a, b) => a - b);
+  const ranges = integers.reduce(
+    (result, current, index) => {
+      if (index === 0) {
+        return [...result, [current, current]];
+      }
+      const currentRange = result[result.length - 1];
+      const [_start, end] = currentRange;
+      if (current === end + 1) {
+        currentRange[1] = current;
+      } else {
+        result.push([current, current]);
+      }
+      return result;
+    },
+    []
+  );
+  return ranges;
 }
 
 // src/features/analysis/handle_finished_analysis.ts
 var debug4 = Debug4("mobbdev:handle-finished-analysis");
-var MOBB_ICON_IMG = "![image](https://github.com/yhaggai/GitHub-Fixer-Demo/assets/1255845/30f566df-6544-4612-929e-2ee5e8b9d345)";
-var COMMIT_FIX_SVG = `https://felt-laptop-20190711103614-deployment.s3.us-east-1.amazonaws.com/commit-button.svg`;
 var commitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
 function scannerToFriendlyString(scanner) {
   switch (scanner) {
@@ -2299,7 +2450,7 @@ async function getFixesFromDiff(params) {
     });
     const lineAddedRanges = calculateRanges(fileNumbers);
     const fileFilter = {
-      path: z6.string().parse(file.to),
+      path: z8.string().parse(file.to),
       ranges: lineAddedRanges.map(([startLine, endLine]) => ({
         endLine,
         startLine
@@ -2331,16 +2482,19 @@ async function handleFinishedAnalysis({
     }
   } = getAnalysis.analysis;
   const { commitSha, pullRequest } = getAnalysis.analysis.repo;
-  const getPrDiff = await scm.getPrDiff({ pull_number: pullRequest });
+  const diff = await scm.getPrDiff({ pull_number: pullRequest });
   const { vulnerabilityReportIssueCodeNodes } = await getFixesFromDiff({
-    diff: getPrDiff.data,
+    diff,
     gqlClient,
     vulnerabilityReportId: getAnalysis.analysis.vulnerabilityReportId
   });
-  const comments = await scm.getPrComments({}, githubActionOctokit);
+  const comments = await scm.getPrComments(
+    { pull_number: pullRequest },
+    githubActionOctokit
+  );
   await Promise.all(
     comments.data.filter((comment) => {
-      return comment.body.includes("fix by Mobb is ready");
+      return comment.body.includes(MOBB_ICON_IMG);
     }).map((comment) => {
       try {
         return scm.deleteComment(
@@ -2372,25 +2526,30 @@ async function handleFinishedAnalysis({
           },
           githubActionOctokit
         );
+        const commentId = commentRes.data.id;
         const commitUrl = getCommitUrl({
+          appBaseUrl: WEB_APP_URL,
           fixId: fix_by_pk.id,
           projectId,
           analysisId,
           organizationId,
-          redirectUrl: commentRes.data.html_url
+          redirectUrl: commentRes.data.html_url,
+          commentId
         });
         const fixUrl = getFixUrlWithRedirect({
+          appBaseUrl: WEB_APP_URL,
           fixId: fix_by_pk.id,
           projectId,
           analysisId,
           organizationId,
-          redirectUrl: commentRes.data.html_url
+          redirectUrl: commentRes.data.html_url,
+          commentId
         });
         const scanerString = scannerToFriendlyString(scanner);
         const issueType = getIssueType(fix_by_pk.issueType);
-        const title = `# ${MOBB_ICON_IMG} ${issueType} fix by Mobb is ready`;
+        const title = `# ![image](${MOBB_ICON_IMG}) ${issueType} fix by Mobb is ready`;
         const subTitle = `### Apply the following code change to fix ${issueType} issue detected by ${scanerString}:`;
-        const diff = `\`\`\`diff
+        const diff2 = `\`\`\`diff
 ${patch} 
 \`\`\``;
         const fixPageLink = `[Learn more and fine tune the fix](${fixUrl})`;
@@ -2398,12 +2557,12 @@ ${patch}
           {
             body: `${title}
 ${subTitle}
-${diff}
+${diff2}
 ${commitFixButton(
               commitUrl
             )}
 ${fixPageLink}`,
-            comment_id: commentRes.data.id
+            comment_id: commentId
           },
           githubActionOctokit
         );
@@ -2991,7 +3150,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
         gqlClient,
         scm,
         githubActionOctokit: new Octokit3({ auth: githubActionToken }),
-        scanner: z7.nativeEnum(SCANNERS).parse(scanner)
+        scanner: z9.nativeEnum(SCANNERS).parse(scanner)
       })
     );
   }
@@ -3003,7 +3162,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     try {
       const sumbitRes = await gqlClient.submitVulnerabilityReport({
         fixReportId: reportUploadInfo.fixReportId,
-        repoUrl: z7.string().parse(repo),
+        repoUrl: z9.string().parse(repo),
         reference,
         projectId,
         vulnerabilityReportFileName: "report.json",
@@ -3368,7 +3527,7 @@ var commitHashOption = {
 // src/args/validation.ts
 import chalk6 from "chalk";
 import path7 from "path";
-import { z as z8 } from "zod";
+import { z as z10 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
   repoUrl,
@@ -3385,7 +3544,7 @@ Example:
   )}`;
   throw new CliError(formattedErrorMessage);
 }
-var UrlZ = z8.string({
+var UrlZ = z10.string({
   invalid_type_error: "is not a valid GitHub / GitLab URL"
 }).refine((data) => !!parseScmURL(data), {
   message: "is not a valid GitHub / GitLab URL"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "0.0.66",
+  "version": "0.0.68",
   "description": "Automated secure code remediation tool",
   "repository": "https://github.com/mobb-dev/bugsy",
   "main": "dist/index.js",
@@ -27,6 +27,7 @@
     "@octokit/graphql": "5.0.5",
     "@octokit/plugin-rest-endpoint-methods": "7.0.1",
     "@octokit/request-error": "3.0.3",
+    "@types/libsodium-wrappers": "0.7.13",
     "adm-zip": "0.5.10",
     "axios": "1.5.0",
     "chalk": "5.3.0",
@@ -42,6 +43,7 @@
     "inquirer": "9.2.7",
     "isomorphic-ws": "5.0.0",
     "istextorbinary": "6.0.0",
+    "libsodium-wrappers": "0.7.13",
     "nanospinner": "1.1.0",
     "node-fetch": "3.3.1",
     "octokit": "2.0.14",