mobbdev 1.0.101 → 1.0.103

Files changed (2)
  1. package/dist/index.mjs +1663 -1524
  2. package/package.json +2 -2
package/dist/index.mjs CHANGED
@@ -280,7 +280,10 @@ var RepoNoTokenAccessError = class extends Error {
280
280
  }
281
281
  };
282
282
 
283
- // src/features/analysis/scm/shared/src/types/fix.ts
283
+ // src/features/analysis/scm/utils/index.ts
284
+ import { z as z14 } from "zod";
285
+
286
+ // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
284
287
  import { z as z2 } from "zod";
285
288
 
286
289
  // src/features/analysis/scm/generates/client_generates.ts
@@ -498,6 +501,7 @@ var Vulnerability_Report_Issue_Tag_Enum = /* @__PURE__ */ ((Vulnerability_Report
498
501
  Vulnerability_Report_Issue_Tag_Enum3["AutogeneratedCode"] = "AUTOGENERATED_CODE";
499
502
  Vulnerability_Report_Issue_Tag_Enum3["AuxiliaryCode"] = "AUXILIARY_CODE";
500
503
  Vulnerability_Report_Issue_Tag_Enum3["FalsePositive"] = "FALSE_POSITIVE";
504
+ Vulnerability_Report_Issue_Tag_Enum3["Suppressed"] = "SUPPRESSED";
501
505
  Vulnerability_Report_Issue_Tag_Enum3["TestCode"] = "TEST_CODE";
502
506
  Vulnerability_Report_Issue_Tag_Enum3["Unfixable"] = "UNFIXABLE";
503
507
  Vulnerability_Report_Issue_Tag_Enum3["VendorCode"] = "VENDOR_CODE";
@@ -552,6 +556,80 @@ var FixDetailsFragmentDoc = `
552
556
  }
553
557
  }
554
558
  `;
559
+ var FixReportSummaryFieldsFragmentDoc = `
560
+ fragment FixReportSummaryFields on fixReport {
561
+ id
562
+ createdOn
563
+ repo {
564
+ originalUrl
565
+ }
566
+ issueTypes
567
+ CRITICAL: fixes_aggregate(
568
+ where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "critical"}}]}
569
+ ) {
570
+ aggregate {
571
+ count
572
+ }
573
+ }
574
+ HIGH: fixes_aggregate(
575
+ where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "high"}}]}
576
+ ) {
577
+ aggregate {
578
+ count
579
+ }
580
+ }
581
+ MEDIUM: fixes_aggregate(
582
+ where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "medium"}}]}
583
+ ) {
584
+ aggregate {
585
+ count
586
+ }
587
+ }
588
+ LOW: fixes_aggregate(
589
+ where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "low"}}]}
590
+ ) {
591
+ aggregate {
592
+ count
593
+ }
594
+ }
595
+ fixes(
596
+ where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, $filters]}
597
+ order_by: {severityValue: desc}
598
+ limit: $limit
599
+ offset: $offset
600
+ ) {
601
+ ...FixDetails
602
+ }
603
+ filteredFixesCount: fixes_aggregate(
604
+ where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, $filters]}
605
+ ) {
606
+ aggregate {
607
+ count
608
+ }
609
+ }
610
+ totalFixesCount: fixes_aggregate {
611
+ aggregate {
612
+ count
613
+ }
614
+ }
615
+ vulnerabilityReport {
616
+ scanDate
617
+ vendor
618
+ totalVulnerabilityReportIssuesCount: vulnerabilityReportIssues_aggregate {
619
+ aggregate {
620
+ count
621
+ }
622
+ }
623
+ notFixableVulnerabilityReportIssuesCount: vulnerabilityReportIssues_aggregate(
624
+ where: {category: {_neq: "Fixable"}}
625
+ ) {
626
+ aggregate {
627
+ count
628
+ }
629
+ }
630
+ }
631
+ }
632
+ ${FixDetailsFragmentDoc}`;
555
633
  var MeDocument = `
556
634
  query Me {
557
635
  me {
@@ -981,80 +1059,24 @@ var AutoPrAnalysisDocument = `
981
1059
  }
982
1060
  }
983
1061
  `;
984
- var GetMcpFixesDocument = `
985
- query GetMCPFixes($fixReportId: uuid!) {
986
- fix(where: {fixReportId: {_eq: $fixReportId}}) {
987
- ...FixDetails
988
- }
989
- }
990
- ${FixDetailsFragmentDoc}`;
991
1062
  var GetLatestReportByRepoUrlDocument = `
992
- query GetLatestReportByRepoUrl($repoUrl: String!, $limit: Int = 3) {
1063
+ query GetLatestReportByRepoUrl($repoUrl: String!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!) {
993
1064
  fixReport(
994
1065
  where: {repo: {originalUrl: {_eq: $repoUrl}}}
995
1066
  order_by: {createdOn: desc}
996
1067
  limit: 1
997
1068
  ) {
998
- id
999
- createdOn
1000
- repo {
1001
- originalUrl
1002
- }
1003
- issueTypes
1004
- fixes_aggregate(
1005
- where: {vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}
1006
- ) {
1007
- aggregate {
1008
- count
1009
- }
1010
- }
1011
- CRITICAL: fixes_aggregate(
1012
- where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "critical"}}]}
1013
- ) {
1014
- aggregate {
1015
- count
1016
- }
1017
- }
1018
- HIGH: fixes_aggregate(
1019
- where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "high"}}]}
1020
- ) {
1021
- aggregate {
1022
- count
1023
- }
1024
- }
1025
- MEDIUM: fixes_aggregate(
1026
- where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "medium"}}]}
1027
- ) {
1028
- aggregate {
1029
- count
1030
- }
1031
- }
1032
- LOW: fixes_aggregate(
1033
- where: {_and: [{vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}, {severityText: {_eq: "low"}}]}
1034
- ) {
1035
- aggregate {
1036
- count
1037
- }
1038
- }
1039
- fixes(
1040
- where: {vulnerabilityReportIssues: {category: {_eq: "Fixable"}}}
1041
- order_by: {severityValue: desc}
1042
- limit: $limit
1043
- ) {
1044
- ...FixDetails
1045
- }
1046
- vulnerabilityReport {
1047
- scanDate
1048
- vendor
1049
- vulnerabilityReportIssues_aggregate(where: {category: {_eq: "Fixable"}}) {
1050
- aggregate {
1051
- count
1052
- }
1053
- }
1054
- }
1069
+ ...FixReportSummaryFields
1055
1070
  }
1056
1071
  }
1057
- ${FixDetailsFragmentDoc}`;
1072
+ ${FixReportSummaryFieldsFragmentDoc}`;
1073
+ var GetReportFixesDocument = `
1074
+ query GetReportFixes($reportId: uuid!, $filters: fix_bool_exp = {}, $limit: Int!, $offset: Int!) {
1075
+ fixReport(where: {id: {_eq: $reportId}}) {
1076
+ ...FixReportSummaryFields
1077
+ }
1078
+ }
1079
+ ${FixReportSummaryFieldsFragmentDoc}`;
1058
1080
  var defaultWrapper = (action, _operationName, _operationType, _variables) => action();
1059
1081
  function getSdk(client, withWrapper = defaultWrapper) {
1060
1082
  return {
@@ -1121,943 +1143,15 @@ function getSdk(client, withWrapper = defaultWrapper) {
1121
1143
  autoPrAnalysis(variables, requestHeaders, signal) {
1122
1144
  return withWrapper((wrappedRequestHeaders) => client.request({ document: AutoPrAnalysisDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "autoPrAnalysis", "mutation", variables);
1123
1145
  },
1124
- GetMCPFixes(variables, requestHeaders, signal) {
1125
- return withWrapper((wrappedRequestHeaders) => client.request({ document: GetMcpFixesDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetMCPFixes", "query", variables);
1126
- },
1127
1146
  GetLatestReportByRepoUrl(variables, requestHeaders, signal) {
1128
1147
  return withWrapper((wrappedRequestHeaders) => client.request({ document: GetLatestReportByRepoUrlDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetLatestReportByRepoUrl", "query", variables);
1148
+ },
1149
+ GetReportFixes(variables, requestHeaders, signal) {
1150
+ return withWrapper((wrappedRequestHeaders) => client.request({ document: GetReportFixesDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "GetReportFixes", "query", variables);
1129
1151
  }
1130
1152
  };
1131
1153
  }
1132
1154
 
1133
- // src/features/analysis/scm/shared/src/types/shared.ts
1134
- import { z } from "zod";
1135
- var ParsedSeverityZ = z.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
1136
- var ScmSubmitFixRequestsZ = z.array(
1137
- z.object({
1138
- scmSubmitFixRequest: z.object({
1139
- submitFixRequest: z.object({
1140
- createdByUser: z.object({
1141
- email: z.string()
1142
- }),
1143
- targetBranchName: z.string().default("")
1144
- }),
1145
- prUrl: z.string().nullable(),
1146
- prStatus: z.nativeEnum(Pr_Status_Enum).nullable(),
1147
- commitUrl: z.string().nullable(),
1148
- scmId: z.string()
1149
- })
1150
- })
1151
- );
1152
-
1153
- // src/features/analysis/scm/shared/src/types/fix.ts
1154
- var PackageInfoZ = z2.object({
1155
- name: z2.string(),
1156
- version: z2.string(),
1157
- envName: z2.string().nullable()
1158
- });
1159
- var ManifestActionRequiredZ = z2.object({
1160
- action: z2.nativeEnum(ManifestAction),
1161
- language: z2.nativeEnum(Language),
1162
- lib: PackageInfoZ,
1163
- typesLib: PackageInfoZ.nullable()
1164
- });
1165
- var ExtraContextInternalZ = z2.object({
1166
- key: z2.string(),
1167
- value: z2.string().or(z2.boolean()).or(
1168
- z2.object({
1169
- int: z2.boolean(),
1170
- integer: z2.boolean(),
1171
- string: z2.boolean(),
1172
- date: z2.boolean()
1173
- })
1174
- )
1175
- });
1176
- var FixExtraContextZ = z2.object({
1177
- fixDescription: z2.string(),
1178
- manifestActionsRequired: z2.array(ManifestActionRequiredZ),
1179
- extraContext: z2.array(ExtraContextInternalZ)
1180
- });
1181
- var PatchAndQuestionsZ = z2.object({
1182
- __typename: z2.literal("FixData"),
1183
- patch: z2.string(),
1184
- patchOriginalEncodingBase64: z2.string(),
1185
- questions: z2.array(
1186
- z2.object({
1187
- name: z2.string(),
1188
- key: z2.string(),
1189
- index: z2.number(),
1190
- defaultValue: z2.string(),
1191
- value: z2.string().nullable(),
1192
- extraContext: z2.array(ExtraContextInternalZ),
1193
- inputType: z2.nativeEnum(FixQuestionInputType),
1194
- options: z2.array(z2.string())
1195
- })
1196
- ),
1197
- extraContext: FixExtraContextZ
1198
- });
1199
- var FixRatingZ = z2.object({
1200
- voteScore: z2.number(),
1201
- fixRatingTag: z2.nativeEnum(Fix_Rating_Tag_Enum).nullable().default(null),
1202
- comment: z2.string().nullable().default(null),
1203
- updatedDate: z2.string().nullable(),
1204
- user: z2.object({
1205
- email: z2.string(),
1206
- name: z2.string()
1207
- })
1208
- });
1209
- var FixSharedStateZ = z2.object({
1210
- state: z2.nativeEnum(Fix_State_Enum),
1211
- isArchived: z2.boolean(),
1212
- scmSubmitFixRequests: ScmSubmitFixRequestsZ,
1213
- fixRatings: z2.array(FixRatingZ).default([])
1214
- }).nullish().transform(
1215
- (data) => data ? data : {
1216
- state: "Ready" /* Ready */,
1217
- isArchived: false,
1218
- scmSubmitFixRequests: [],
1219
- fixRatings: []
1220
- }
1221
- );
1222
- var FixQueryZ = z2.object({
1223
- __typename: z2.literal("fix").optional(),
1224
- id: z2.string().uuid(),
1225
- sharedState: FixSharedStateZ,
1226
- modifiedBy: z2.string().nullable(),
1227
- gitBlameLogin: z2.string().nullable(),
1228
- safeIssueLanguage: z2.string(),
1229
- safeIssueType: z2.string(),
1230
- confidence: z2.number(),
1231
- fixReportId: z2.string().uuid(),
1232
- isExpired: z2.boolean().default(false),
1233
- fixFiles: z2.array(
1234
- z2.object({
1235
- fileRepoRelativePath: z2.string()
1236
- })
1237
- ),
1238
- numberOfVulnerabilityIssues: z2.number(),
1239
- severityText: z2.nativeEnum(Vulnerability_Severity_Enum),
1240
- vulnerabilityReportIssues: z2.array(
1241
- z2.object({
1242
- vendorIssueId: z2.string(),
1243
- issueLanguage: z2.string(),
1244
- parsedSeverity: ParsedSeverityZ
1245
- })
1246
- ),
1247
- patchAndQuestions: PatchAndQuestionsZ,
1248
- effortToApplyFix: z2.nativeEnum(Effort_To_Apply_Fix_Enum).nullable()
1249
- });
1250
- var FixPartsForFixScreenZ = FixQueryZ.merge(
1251
- z2.object({
1252
- vulnerabilityReportIssues: z2.array(
1253
- z2.object({
1254
- vendorIssueId: z2.string(),
1255
- issueType: z2.string(),
1256
- issueLanguage: z2.string()
1257
- })
1258
- )
1259
- })
1260
- );
1261
-
1262
- // src/features/analysis/scm/shared/src/types/issue.ts
1263
- import { z as z4 } from "zod";
1264
-
1265
- // src/features/analysis/scm/shared/src/types/analysis.ts
1266
- import { z as z3 } from "zod";
1267
- var FixPageFixReportZ = z3.object({
1268
- id: z3.string().uuid(),
1269
- analysisUrl: z3.string(),
1270
- expirationOn: z3.string(),
1271
- createdOn: z3.string(),
1272
- state: z3.nativeEnum(Fix_Report_State_Enum),
1273
- repo: z3.object({
1274
- name: z3.string().nullable(),
1275
- originalUrl: z3.string(),
1276
- reference: z3.string(),
1277
- commitSha: z3.string(),
1278
- isKnownBranch: z3.boolean().nullable()
1279
- }),
1280
- vulnerabilityReport: z3.object({
1281
- vendor: z3.nativeEnum(Vulnerability_Report_Vendor_Enum),
1282
- vendorReportId: z3.string().uuid().nullable(),
1283
- projectId: z3.string().uuid(),
1284
- project: z3.object({
1285
- organizationId: z3.string().uuid()
1286
- }),
1287
- file: z3.object({
1288
- id: z3.string().uuid(),
1289
- path: z3.string()
1290
- }),
1291
- pending: z3.object({
1292
- aggregate: z3.object({
1293
- count: z3.number()
1294
- })
1295
- }),
1296
- supported: z3.object({
1297
- aggregate: z3.object({
1298
- count: z3.number()
1299
- })
1300
- }),
1301
- all: z3.object({
1302
- aggregate: z3.object({
1303
- count: z3.number()
1304
- })
1305
- }),
1306
- fixable: z3.object({
1307
- aggregate: z3.object({
1308
- count: z3.number()
1309
- })
1310
- }),
1311
- errors: z3.object({
1312
- aggregate: z3.object({
1313
- count: z3.number()
1314
- })
1315
- }),
1316
- vulnerabilityReportIssues: z3.object({
1317
- extraData: z3.object({
1318
- missing_files: z3.string().array().nullish(),
1319
- large_files: z3.string().array().nullish(),
1320
- error_files: z3.string().array().nullish()
1321
- })
1322
- }).array()
1323
- })
1324
- });
1325
-
1326
- // src/features/analysis/scm/shared/src/types/issue.ts
1327
- var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES = 1e5;
1328
- var CATEGORY = {
1329
- NoFix: "NoFix",
1330
- Unsupported: "Unsupported",
1331
- Irrelevant: "Irrelevant",
1332
- FalsePositive: "FalsePositive",
1333
- Fixable: "Fixable",
1334
- Filtered: "Filtered"
1335
- };
1336
- var ValidCategoriesZ = z4.union([
1337
- z4.literal(CATEGORY.NoFix),
1338
- z4.literal(CATEGORY.Unsupported),
1339
- z4.literal(CATEGORY.Irrelevant),
1340
- z4.literal(CATEGORY.FalsePositive),
1341
- z4.literal(CATEGORY.Fixable),
1342
- z4.literal(CATEGORY.Filtered)
1343
- ]);
1344
- var VulnerabilityReportIssueSharedStateZ = z4.object({
1345
- id: z4.string().uuid(),
1346
- isArchived: z4.boolean()
1347
- }).nullish();
1348
- var BaseIssuePartsZ = z4.object({
1349
- id: z4.string().uuid(),
1350
- safeIssueType: z4.string(),
1351
- safeIssueLanguage: z4.string(),
1352
- createdAt: z4.string(),
1353
- parsedSeverity: ParsedSeverityZ,
1354
- category: ValidCategoriesZ,
1355
- extraData: z4.object({
1356
- missing_files: z4.string().array().nullish(),
1357
- error_files: z4.string().array().nullish()
1358
- }),
1359
- vulnerabilityReportIssueTags: z4.array(
1360
- z4.object({
1361
- tag: z4.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
1362
- })
1363
- ),
1364
- codeNodes: z4.array(
1365
- z4.object({
1366
- path: z4.string(),
1367
- line: z4.number(),
1368
- index: z4.number()
1369
- })
1370
- ).transform((nodes) => nodes.sort((a, b) => b.index - a.index)),
1371
- sourceCodeNodes: z4.array(
1372
- z4.object({
1373
- sourceCodeFile: z4.object({
1374
- path: z4.string(),
1375
- signedFile: z4.object({
1376
- url: z4.string()
1377
- })
1378
- })
1379
- }).transform(async ({ sourceCodeFile }) => {
1380
- const { url } = sourceCodeFile.signedFile;
1381
- const sourceCodeRes = await fetch(url);
1382
- if (Number(sourceCodeRes.headers.get("Content-Length")) > MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES) {
1383
- return null;
1384
- }
1385
- return {
1386
- path: sourceCodeFile.path,
1387
- fileContent: await sourceCodeRes.text()
1388
- };
1389
- })
1390
- ).transform((nodes) => nodes.filter((node) => node !== null)),
1391
- fix: FixPartsForFixScreenZ.nullish(),
1392
- vulnerabilityReportIssueNodeDiffFile: z4.object({
1393
- signedFile: z4.object({
1394
- url: z4.string()
1395
- }).transform(async ({ url }) => {
1396
- const codeDiff = await fetch(url).then((res) => res.text());
1397
- return { codeDiff };
1398
- })
1399
- }).nullish(),
1400
- sharedState: VulnerabilityReportIssueSharedStateZ
1401
- });
1402
- var FalsePositivePartsZ = z4.object({
1403
- extraContext: z4.array(z4.object({ key: z4.string(), value: z4.string() })),
1404
- fixDescription: z4.string()
1405
- });
1406
- var IssuePartsWithFixZ = BaseIssuePartsZ.merge(
1407
- z4.object({
1408
- category: z4.literal(CATEGORY.Irrelevant),
1409
- fix: FixPartsForFixScreenZ.nullish()
1410
- })
1411
- );
1412
- var IssuePartsFpZ = BaseIssuePartsZ.merge(
1413
- z4.object({
1414
- category: z4.literal(CATEGORY.FalsePositive),
1415
- fpId: z4.string().uuid(),
1416
- getFalsePositive: FalsePositivePartsZ
1417
- })
1418
- );
1419
- var GeneralIssueZ = BaseIssuePartsZ.merge(
1420
- z4.object({
1421
- category: z4.union([
1422
- z4.literal(CATEGORY.NoFix),
1423
- z4.literal(CATEGORY.Unsupported),
1424
- z4.literal(CATEGORY.Fixable),
1425
- z4.literal(CATEGORY.Filtered)
1426
- ])
1427
- })
1428
- );
1429
- var IssuePartsZ = z4.union([
1430
- IssuePartsFpZ,
1431
- IssuePartsWithFixZ,
1432
- GeneralIssueZ
1433
- ]);
1434
- var GetIssueIndexesZ = z4.object({
1435
- currentIndex: z4.number(),
1436
- totalIssues: z4.number(),
1437
- nextIssue: z4.object({
1438
- id: z4.string().uuid()
1439
- }).nullish(),
1440
- prevIssue: z4.object({
1441
- id: z4.string().uuid()
1442
- }).nullish()
1443
- });
1444
- var GetIssueScreenDataZ = z4.object({
1445
- fixReport_by_pk: FixPageFixReportZ,
1446
- vulnerability_report_issue_by_pk: IssuePartsZ,
1447
- issueIndexes: GetIssueIndexesZ
1448
- });
1449
- var IssueBucketZ = z4.enum(["fixable", "irrelevant", "remaining"]);
1450
- var mapCategoryToBucket = {
1451
- FalsePositive: "irrelevant",
1452
- Irrelevant: "irrelevant",
1453
- NoFix: "remaining",
1454
- Unsupported: "remaining",
1455
- Fixable: "fixable",
1456
- Filtered: "remaining"
1457
- };
1458
-
1459
- // src/features/analysis/scm/shared/src/types/types.ts
1460
- import { z as z7 } from "zod";
1461
-
1462
- // src/features/analysis/scm/shared/src/validations.ts
1463
- import { z as z6 } from "zod";
1464
-
1465
- // src/features/analysis/scm/shared/src/getIssueType.ts
1466
- import { z as z5 } from "zod";
1467
- var issueTypeMap = {
1468
- ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: "Missing Rate Limiting",
1469
- ["SQL_Injection" /* SqlInjection */]: "SQL Injection",
1470
- ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: "Relative Path Command Injection",
1471
- ["CMDi" /* CmDi */]: "Command Injection",
1472
- ["CONFUSING_NAMING" /* ConfusingNaming */]: "Confusing Naming",
1473
- ["XXE" /* Xxe */]: "XXE",
1474
- ["XSS" /* Xss */]: "XSS",
1475
- ["PT" /* Pt */]: "Path Traversal",
1476
- ["ZIP_SLIP" /* ZipSlip */]: "Zip Slip",
1477
- ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: "Insecure Randomness",
1478
- ["SSRF" /* Ssrf */]: "Server Side Request Forgery",
1479
- ["TYPE_CONFUSION" /* TypeConfusion */]: "Type Confusion",
1480
- ["REGEX_INJECTION" /* RegexInjection */]: "Regular Expression Injection",
1481
- ["INCOMPLETE_URL_SANITIZATION" /* IncompleteUrlSanitization */]: "Incomplete URL Sanitization",
1482
- ["LOCALE_DEPENDENT_COMPARISON" /* LocaleDependentComparison */]: "Locale Dependent Comparison",
1483
- ["LOG_FORGING" /* LogForging */]: "Log Forging",
1484
- ["MISSING_CHECK_AGAINST_NULL" /* MissingCheckAgainstNull */]: "Missing Check against Null",
1485
- ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: "Password in Comment",
1486
- ["OVERLY_BROAD_CATCH" /* OverlyBroadCatch */]: "Poor Error Handling: Overly Broad Catch",
1487
- ["USE_OF_SYSTEM_OUTPUT_STREAM" /* UseOfSystemOutputStream */]: "Use of System.out/System.err",
1488
- ["DANGEROUS_FUNCTION_OVERFLOW" /* DangerousFunctionOverflow */]: "Use of dangerous function",
1489
- ["DOS_STRING_BUILDER" /* DosStringBuilder */]: "Denial of Service: StringBuilder",
1490
- ["OPEN_REDIRECT" /* OpenRedirect */]: "Open Redirect",
1491
- ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: "Weak XML Schema: Unbounded Occurrences",
1492
- ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: "System Information Leak",
1493
- ["SYSTEM_INFORMATION_LEAK_EXTERNAL" /* SystemInformationLeakExternal */]: "External System Information Leak",
1494
- ["HTTP_RESPONSE_SPLITTING" /* HttpResponseSplitting */]: "HTTP response splitting",
1495
- ["HTTP_ONLY_COOKIE" /* HttpOnlyCookie */]: "Cookie is not HttpOnly",
1496
- ["INSECURE_COOKIE" /* InsecureCookie */]: "Insecure Cookie",
1497
- ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: "Trust Boundary Violation",
1498
- ["NULL_DEREFERENCE" /* NullDereference */]: "Null Dereference",
1499
- ["UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */]: "Unsafe deserialization",
1500
- ["INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */]: "Insecure Binder Configuration",
1501
- ["UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */]: "Unsafe use of target blank",
1502
- ["IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */]: "Client use of iframe without sandbox",
1503
- ["JQUERY_DEPRECATED_SYMBOLS" /* JqueryDeprecatedSymbols */]: "jQuery deprecated symbols",
1504
- ["MISSING_ANTIFORGERY_VALIDATION" /* MissingAntiforgeryValidation */]: "Missing Anti-Forgery Validation",
1505
- ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: "GraphQL Depth Limit",
1506
- ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: "Unchecked Loop Condition",
1507
- ["IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE" /* ImproperResourceShutdownOrRelease */]: "Improper Resource Shutdown or Release",
1508
- ["IMPROPER_EXCEPTION_HANDLING" /* ImproperExceptionHandling */]: "Improper Exception Handling",
1509
- ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION" /* DefaultRightsInObjDefinition */]: "Default Definer Rights in Package or Object Definition",
1510
- ["HTML_COMMENT_IN_JSP" /* HtmlCommentInJsp */]: "HTML Comment in JSP",
1511
- ["ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */]: "Error Condition Without Action",
1512
- ["DEPRECATED_FUNCTION" /* DeprecatedFunction */]: "Deprecated Function",
1513
- ["HARDCODED_SECRETS" /* HardcodedSecrets */]: "Hardcoded Secrets",
1514
- ["PROTOTYPE_POLLUTION" /* PrototypePollution */]: "Prototype Pollution",
1515
- ["RACE_CONDITION_FORMAT_FLAW" /* RaceConditionFormatFlaw */]: "Race Condition Format Flaw",
1516
- ["NON_FINAL_PUBLIC_STATIC_FIELD" /* NonFinalPublicStaticField */]: "Non-final Public Static Field",
1517
- ["MISSING_HSTS_HEADER" /* MissingHstsHeader */]: "Missing HSTS Header",
1518
- ["DEAD_CODE_UNUSED_FIELD" /* DeadCodeUnusedField */]: "Dead Code: Unused Field",
1519
- ["HEADER_MANIPULATION" /* HeaderManipulation */]: "Header Manipulation",
1520
- ["MISSING_EQUALS_OR_HASHCODE" /* MissingEqualsOrHashcode */]: "Missing equals or hashcode method",
1521
- ["WCF_MISCONFIGURATION_INSUFFICIENT_LOGGING" /* WcfMisconfigurationInsufficientLogging */]: "WCF Misconfiguration: Insufficient Logging",
1522
- ["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED" /* WcfMisconfigurationThrottlingNotEnabled */]: "WCF Misconfiguration: Throttling Not Enabled",
1523
- ["USELESS_REGEXP_CHAR_ESCAPE" /* UselessRegexpCharEscape */]: "Useless regular-expression character escape",
1524
- ["INCOMPLETE_HOSTNAME_REGEX" /* IncompleteHostnameRegex */]: "Incomplete Hostname Regex",
1525
- ["OVERLY_LARGE_RANGE" /* OverlyLargeRange */]: "Regex: Overly Large Range",
1526
- ["INSUFFICIENT_LOGGING" /* InsufficientLogging */]: "Insufficient Logging of Sensitive Operations",
1527
- ["PRIVACY_VIOLATION" /* PrivacyViolation */]: "Privacy Violation",
1528
- ["INCOMPLETE_URL_SCHEME_CHECK" /* IncompleteUrlSchemeCheck */]: "Incomplete URL Scheme Check",
1529
- ["VALUE_NEVER_READ" /* ValueNeverRead */]: "Value Never Read",
1530
- ["VALUE_SHADOWING" /* ValueShadowing */]: "Value Shadowing",
1531
- ["NO_EQUIVALENCE_METHOD" /* NoEquivalenceMethod */]: "Class Does Not Implement Equivalence Method",
1532
- ["INFORMATION_EXPOSURE_VIA_HEADERS" /* InformationExposureViaHeaders */]: "Information Exposure via Headers",
1533
- ["DEBUG_ENABLED" /* DebugEnabled */]: "Debug Enabled",
1534
- ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: "Leftover Debug Code",
1535
- ["POOR_ERROR_HANDLING_EMPTY_CATCH_BLOCK" /* PoorErrorHandlingEmptyCatchBlock */]: "Poor Error Handling: Empty Catch Block",
1536
- ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: "Erroneous String Compare",
1537
- ["UNVALIDATED_PUBLIC_METHOD_ARGUMENT" /* UnvalidatedPublicMethodArgument */]: "Unvalidated Public Method Argument",
1538
- ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: "Auto-escape False",
1539
- ["MISSING_CSP_HEADER" /* MissingCspHeader */]: "Missing CSP Header",
1540
- ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: "Hardcoded Domain in HTML",
1541
- ["HEAP_INSPECTION" /* HeapInspection */]: "Heap Inspection",
1542
- ["CLIENT_DOM_STORED_CODE_INJECTION" /* ClientDomStoredCodeInjection */]: "Client Code Injection",
1543
- ["STRING_FORMAT_MISUSE" /* StringFormatMisuse */]: "String Format Misuse",
1544
- ["NON_READONLY_FIELD" /* NonReadonlyField */]: "Non Readonly Field",
1545
- ["CSRF" /* Csrf */]: "Cross-Site Request Forgery (CSRF)",
1546
- ["WEAK_ENCRYPTION" /* WeakEncryption */]: "Weak Encryption Mechanism",
1547
- ["CODE_IN_COMMENT" /* CodeInComment */]: "Code in Comment",
1548
- ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: "Regex Missing Timeout",
1549
- ["FRAMEABLE_LOGIN_PAGE" /* FrameableLoginPage */]: "Frameable Login Page",
1550
- ["USE_OF_HARD_CODED_CRYPTOGRAPHIC_KEY" /* UseOfHardCodedCryptographicKey */]: "Use of Hardcoded Cryptographic Key",
1551
- ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: "Missing SSL MinVersion",
1552
- ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: "Missing Websocket Origin Check",
1553
- ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: "String Literals Should not Be Duplicated",
1554
- ["INSECURE_UUID_VERSION" /* InsecureUuidVersion */]: "Insecure UUID Version",
1555
- ["GH_ACTIONS_SHELL_INJECTION" /* GhActionsShellInjection */]: "GitHub Actions Shell Injection",
1556
- ["MODIFIED_DEFAULT_PARAM" /* ModifiedDefaultParam */]: "Modified Default Param",
1557
- ["UNSAFE_WEB_THREAD" /* UnsafeWebThread */]: "Unsafe Web Thread",
1558
- ["NO_VAR" /* NoVar */]: 'Prefer "let" or "const"',
1559
- ["INSECURE_TMP_FILE" /* InsecureTmpFile */]: "Insecure Temporary File",
1560
- ["RETURN_SHOULD_NOT_BE_INVARIANT" /* ReturnShouldNotBeInvariant */]: "Return Should Not Be Invariant",
1561
- ["SYSTEM_EXIT_SHOULD_RERAISE" /* SystemExitShouldReraise */]: "SystemExit Should Reraise",
1562
- ["NO_RETURN_IN_FINALLY" /* NoReturnInFinally */]: "No Return in Finally Block",
1563
- ["WILDCARD_IMPORTS" /* WildcardImports */]: "Wildcard Imports should not be used",
1564
- ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: "Avoid Identity Comparison of Cached Types",
1565
- ["AVOID_BUILTIN_SHADOWING" /* AvoidBuiltinShadowing */]: "Avoid Builtin Shadowing",
1566
- ["IMPROPER_STRING_FORMATTING" /* ImproperStringFormatting */]: "Improper String Formatting",
1567
- ["TAR_SLIP" /* TarSlip */]: "Tar Slip",
1568
- ["MISSING_WHITESPACE" /* MissingWhitespace */]: "Missing Whitespace",
1569
- ["NO_PRINT_STATEMENT" /* NoPrintStatement */]: 'Python 2 "print" Statement Is Obsolete',
1570
- ["NO_OP_OVERHEAD" /* NoOpOverhead */]: "Expensive Arguments in Conditional Methods",
1571
- ["DO_NOT_RAISE_EXCEPTION" /* DoNotRaiseException */]: "Do Not Raise Exception",
1572
- ["DECLARE_VARIABLE_EXPLICITLY" /* DeclareVariableExplicitly */]: "Declare Variable Explicitly",
1573
- ["NO_NESTED_TRY" /* NoNestedTry */]: "No Nested Try",
1574
- ["UNNECESSARY_IMPORTS" /* UnnecessaryImports */]: "Unnecessary Imports",
1575
- ["REDOS" /* Redos */]: "Regular Expression Denial of Service",
1576
- ["DO_NOT_THROW_GENERIC_EXCEPTION" /* DoNotThrowGenericException */]: "Do Not Throw Generic Exception"
1577
- };
1578
- var issueTypeZ = z5.nativeEnum(IssueType_Enum);
1579
- var getIssueTypeFriendlyString = (issueType) => {
1580
- const issueTypeZParseRes = issueTypeZ.safeParse(issueType);
1581
- if (!issueTypeZParseRes.success) {
1582
- return issueType ? issueType.replaceAll("_", " ") : "Other";
1583
- }
1584
- return issueTypeMap[issueTypeZParseRes.data];
1585
- };
1586
- function getTagTooltip(tag) {
1587
- switch (tag) {
1588
- case "FALSE_POSITIVE":
1589
- return "Issue was found to be a false positive";
1590
- case "TEST_CODE":
1591
- return "Issue found in test files, not production code";
1592
- case "VENDOR_CODE":
1593
- return "Issue is in external libraries or dependencies not owned or maintained by your team";
1594
- case "AUTOGENERATED_CODE":
1595
- return "Code created by tools or frameworks, not manually written";
1596
- case "AUXILIARY_CODE":
1597
- return "Issue found in supporting files that don't impact core functionality";
1598
- case "Filtered":
1599
- return "Issue was filtered by user in the Fix Policy";
1600
- default:
1601
- return tag;
1602
- }
1603
- }
1604
- var issueDescription = {
1605
- ["AUTOGENERATED_CODE" /* AutogeneratedCode */]: "The flagged code is generated automatically by tools or frameworks as part of the build or runtime process. This categorization highlights that **the issue resides in non-manual code**, which often requires tool-specific solutions or exemptions.",
1606
- ["AUXILIARY_CODE" /* AuxiliaryCode */]: "The flagged code is auxiliary or supporting code, such as configuration files, build scripts, or other non-application logic. This categorization indicates that the issue is not directly related to the application's core functionality.",
1607
- ["FALSE_POSITIVE" /* FalsePositive */]: "The flagged code **does not represent an actual vulnerability within the application's context.** This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application's functionality.",
1608
- ["TEST_CODE" /* TestCode */]: "The flagged code resides in a test-specific path or context. This categorization indicates that **it supports testing scenarios and is isolated from production use**.",
1609
- ["UNFIXABLE" /* Unfixable */]: "The flagged code cannot be fixed",
1610
- ["VENDOR_CODE" /* VendorCode */]: "The flagged code originates from a third-party library or dependency maintained externally. This categorization suggests that **the issue lies outside the application's direct control** and should be addressed by the vendor if necessary."
1611
- };
1612
- function replaceKeysWithValues(fixDescription, extraContext) {
1613
- let result = fixDescription;
1614
- extraContext.forEach(({ key, value }) => {
1615
- result = result.replace(`\${${key}}`, value);
1616
- });
1617
- return result;
1618
- }
1619
- function getParsedFalsePositiveMessage(data) {
1620
- const { fixDescription, extraContext } = data;
1621
- const containsTemplate = extraContext.some(
1622
- (context) => fixDescription.includes(`\${${context.key}}`)
1623
- );
1624
- const description2 = containsTemplate ? replaceKeysWithValues(fixDescription, extraContext) : fixDescription;
1625
- const contextString = containsTemplate ? null : `\`\`\`${extraContext.map(({ value }) => value).join(" ")} \`\`\``;
1626
- return { description: description2, contextString };
1627
- }
1628
-
1629
- // src/features/analysis/scm/shared/src/validations.ts
1630
- var IssueTypeSettingZ = z6.object({
1631
- autoPrEnabled: z6.boolean(),
1632
- enabled: z6.boolean(),
1633
- issueType: z6.nativeEnum(IssueType_Enum)
1634
- });
1635
- var IssueTypeSettingsZ = z6.array(IssueTypeSettingZ).transform((issueTypeSettings) => {
1636
- return Object.values(IssueType_Enum).map((issueTypeEnum) => {
1637
- const existingIssueTypeSetting = issueTypeSettings.find(
1638
- ({ issueType: dbIssueType }) => dbIssueType === issueTypeEnum
1639
- );
1640
- if (existingIssueTypeSetting) {
1641
- return existingIssueTypeSetting;
1642
- }
1643
- return {
1644
- autoPrEnabled: false,
1645
- enabled: true,
1646
- issueType: issueTypeEnum
1647
- };
1648
- }).sort((a, b) => {
1649
- return getIssueTypeFriendlyString(a.issueType).localeCompare(
1650
- getIssueTypeFriendlyString(b.issueType)
1651
- );
1652
- });
1653
- });
1654
-
1655
- // src/features/analysis/scm/shared/src/types/types.ts
1656
- var OrganizationScreenQueryParamsZ = z7.object({
1657
- organizationId: z7.string().uuid()
1658
- });
1659
- var ProjectPageQueryParamsZ = z7.object({
1660
- organizationId: z7.string().uuid(),
1661
- projectId: z7.string().uuid()
1662
- });
1663
- var AnalysisPageQueryParamsZ = ProjectPageQueryParamsZ.extend({
1664
- reportId: z7.string().uuid()
1665
- });
1666
- var FixPageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
1667
- fixId: z7.string().uuid()
1668
- });
1669
- var IssuePageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
1670
- issueId: z7.string().uuid()
1671
- });
1672
- var CliLoginPageQueryParamsZ = z7.object({
1673
- loginId: z7.string().uuid()
1674
- });
1675
- var AnalysisReportDigestedZ = z7.object({
1676
- id: z7.string().uuid(),
1677
- state: z7.nativeEnum(Fix_Report_State_Enum),
1678
- vulnerabilityReport: z7.object({
1679
- reportSummaryUrl: z7.string().url().nullish(),
1680
- scanDate: z7.string().nullable(),
1681
- supported: z7.object({
1682
- aggregate: z7.object({
1683
- count: z7.number()
1684
- })
1685
- }),
1686
- all: z7.object({
1687
- aggregate: z7.object({
1688
- count: z7.number()
1689
- })
1690
- }),
1691
- vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
1692
- project: z7.object({
1693
- organizationId: z7.string().uuid()
1694
- })
1695
- })
1696
- });
1697
- var ReportQueryResultZ = z7.object({
1698
- fixReport_by_pk: z7.object({
1699
- id: z7.string().uuid(),
1700
- analysisUrl: z7.string(),
1701
- fixesCommitted: z7.object({
1702
- aggregate: z7.object({ count: z7.number() })
1703
- }),
1704
- fixesDownloaded: z7.object({
1705
- aggregate: z7.object({ count: z7.number() })
1706
- }),
1707
- fixesDoneCount: z7.number(),
1708
- fixesInprogressCount: z7.number(),
1709
- fixesReadyCount: z7.object({
1710
- aggregate: z7.object({ count: z7.number() })
1711
- }),
1712
- issueTypes: z7.record(z7.string(), z7.number()).nullable(),
1713
- issueLanguages: z7.record(z7.string(), z7.number()).nullable(),
1714
- fixesCountByEffort: z7.record(z7.string(), z7.number()).nullable(),
1715
- vulnerabilitySeverities: z7.record(z7.string(), z7.number()).nullable(),
1716
- createdOn: z7.string(),
1717
- expirationOn: z7.string().nullable(),
1718
- state: z7.nativeEnum(Fix_Report_State_Enum),
1719
- fixes: z7.array(
1720
- z7.object({
1721
- id: z7.string().uuid(),
1722
- safeIssueLanguage: z7.string(),
1723
- safeIssueType: z7.string(),
1724
- confidence: z7.number(),
1725
- effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
1726
- modifiedBy: z7.string().nullable(),
1727
- gitBlameLogin: z7.string().nullable(),
1728
- fixReportId: z7.string().uuid(),
1729
- filePaths: z7.array(
1730
- z7.object({
1731
- fileRepoRelativePath: z7.string()
1732
- })
1733
- ),
1734
- sharedState: FixSharedStateZ,
1735
- numberOfVulnerabilityIssues: z7.number(),
1736
- severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
1737
- vulnerabilityReportIssues: z7.array(
1738
- z7.object({
1739
- id: z7.string().uuid(),
1740
- issueType: z7.string(),
1741
- issueLanguage: z7.string(),
1742
- category: z7.string()
1743
- })
1744
- )
1745
- // scmSubmitFixRequests: ScmSubmitFixRequestsZ,
1746
- })
1747
- ),
1748
- repo: z7.object({
1749
- name: z7.string().nullable(),
1750
- originalUrl: z7.string(),
1751
- reference: z7.string(),
1752
- commitSha: z7.string(),
1753
- isKnownBranch: z7.boolean().nullish().default(true)
1754
- }),
1755
- vulnerabilityReportIssuesFixedCount: z7.object({
1756
- vulnerabilityReportIssues_aggregate: z7.object({
1757
- aggregate: z7.object({ count: z7.number() })
1758
- })
1759
- }),
1760
- vulnerabilityReport: z7.object({
1761
- id: z7.string().uuid(),
1762
- reportSummaryUrl: z7.string().url().nullish(),
1763
- vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1764
- issuesWithKnownLanguage: z7.number().nullable(),
1765
- scanDate: z7.string().nullable(),
1766
- vendorReportId: z7.string().uuid().nullable(),
1767
- projectId: z7.string().uuid(),
1768
- project: z7.object({
1769
- organizationId: z7.string().uuid()
1770
- }),
1771
- file: z7.object({
1772
- id: z7.string().uuid(),
1773
- path: z7.string()
1774
- }),
1775
- pending: z7.object({
1776
- aggregate: z7.object({
1777
- count: z7.number()
1778
- })
1779
- }),
1780
- irrelevant: z7.object({
1781
- aggregate: z7.object({
1782
- count: z7.number()
1783
- })
1784
- }),
1785
- remaining: z7.object({
1786
- aggregate: z7.object({
1787
- count: z7.number()
1788
- })
1789
- }),
1790
- digested: z7.object({
1791
- aggregate: z7.object({
1792
- count: z7.number()
1793
- })
1794
- }),
1795
- supported: z7.object({
1796
- aggregate: z7.object({
1797
- count: z7.number()
1798
- })
1799
- }),
1800
- all: z7.object({
1801
- aggregate: z7.object({
1802
- count: z7.number()
1803
- })
1804
- }),
1805
- fixable: z7.object({
1806
- aggregate: z7.object({
1807
- count: z7.number()
1808
- })
1809
- }),
1810
- errors: z7.object({
1811
- aggregate: z7.object({
1812
- count: z7.number()
1813
- })
1814
- }),
1815
- vulnerabilityReportIssues: z7.object({
1816
- id: z7.string().uuid(),
1817
- extraData: z7.object({
1818
- missing_files: z7.string().array().nullish(),
1819
- large_files: z7.string().array().nullish(),
1820
- error_files: z7.string().array().nullish()
1821
- })
1822
- }).array()
1823
- })
1824
- })
1825
- });
1826
- var ReportFixesQueryFixZ = z7.object({
1827
- id: z7.string().uuid(),
1828
- sharedState: FixSharedStateZ,
1829
- confidence: z7.number(),
1830
- gitBlameLogin: z7.string().nullable(),
1831
- effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
1832
- safeIssueLanguage: z7.string(),
1833
- safeIssueType: z7.string(),
1834
- fixReportId: z7.string().uuid(),
1835
- filePaths: z7.array(
1836
- z7.object({
1837
- fileRepoRelativePath: z7.string()
1838
- })
1839
- ),
1840
- numberOfVulnerabilityIssues: z7.number(),
1841
- severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
1842
- vulnerabilityReportIssues: z7.array(
1843
- z7.object({
1844
- issueType: z7.string(),
1845
- issueLanguage: z7.string()
1846
- })
1847
- ).min(1)
1848
- });
1849
- var VulnerabilityReportIssueZ = z7.object({
1850
- id: z7.string().uuid(),
1851
- createdAt: z7.string(),
1852
- state: z7.nativeEnum(Vulnerability_Report_Issue_State_Enum),
1853
- safeIssueType: z7.string(),
1854
- safeIssueLanguage: z7.string(),
1855
- extraData: z7.object({
1856
- missing_files: z7.string().array().nullish(),
1857
- large_files: z7.string().array().nullish(),
1858
- error_files: z7.string().array().nullish()
1859
- }),
1860
- fix: ReportFixesQueryFixZ.nullable(),
1861
- falsePositive: z7.object({
1862
- id: z7.string().uuid()
1863
- }).nullable(),
1864
- parsedSeverity: ParsedSeverityZ,
1865
- severity: z7.string(),
1866
- severityValue: z7.number(),
1867
- category: z7.string(),
1868
- codeNodes: z7.array(z7.object({ path: z7.string() })),
1869
- vulnerabilityReportIssueTags: z7.array(
1870
- z7.object({
1871
- vulnerability_report_issue_tag_value: z7.string()
1872
- })
1873
- ),
1874
- sharedState: VulnerabilityReportIssueSharedStateZ
1875
- });
1876
- var GetReportIssuesQueryZ = z7.object({
1877
- fixReport: z7.object({
1878
- vulnerabilityReport: z7.object({
1879
- id: z7.string().uuid(),
1880
- lastIssueUpdatedAt: z7.string(),
1881
- vulnerabilityReportIssues_aggregate: z7.object({
1882
- aggregate: z7.object({ count: z7.number() })
1883
- }),
1884
- vulnerabilityReportIssues: z7.array(VulnerabilityReportIssueZ)
1885
- })
1886
- }).array()
1887
- }).nullish();
1888
- var FixReportByProjectZ = z7.object({
1889
- project_by_pk: z7.object({
1890
- vulnerabilityReports: z7.array(
1891
- z7.object({
1892
- fixReport: z7.object({ id: z7.string().uuid() }).nullable()
1893
- })
1894
- )
1895
- })
1896
- });
1897
- var FixScreenQueryResultZ = z7.object({
1898
- fixReport_by_pk: FixPageFixReportZ,
1899
- fix_by_pk: FixPartsForFixScreenZ,
1900
- fixesWithSameIssueType: z7.array(
1901
- z7.object({
1902
- id: z7.string().uuid(),
1903
- sharedState: z7.object({ state: z7.nativeEnum(Fix_State_Enum) }).nullable().default({ state: "Ready" /* Ready */ })
1904
- })
1905
- ),
1906
- relevantIssue: IssuePartsZ.nullish()
1907
- });
1908
- var FixPageQueryZ = z7.object({
1909
- data: FixScreenQueryResultZ
1910
- });
1911
- var GetReportFixesQueryZ = z7.object({
1912
- fixReport: z7.array(
1913
- z7.object({
1914
- fixes: z7.array(ReportFixesQueryFixZ),
1915
- vulnerabilityReportIssuesTotalCount: z7.object({
1916
- vulnerabilityReportIssues_aggregate: z7.object({
1917
- aggregate: z7.object({ count: z7.number() })
1918
- })
1919
- }),
1920
- vulnerabilityReportIssuesFixedCount: z7.object({
1921
- vulnerabilityReportIssues_aggregate: z7.object({
1922
- aggregate: z7.object({ count: z7.number() })
1923
- })
1924
- }),
1925
- vulnerabilityReportIssuesIrrelevantCount: z7.object({
1926
- vulnerabilityReportIssues_aggregate: z7.object({
1927
- aggregate: z7.object({ count: z7.number() })
1928
- })
1929
- }),
1930
- vulnerabilityReportIssuesRemainingCount: z7.object({
1931
- vulnerabilityReportIssues_aggregate: z7.object({
1932
- aggregate: z7.object({ count: z7.number() })
1933
- })
1934
- })
1935
- })
1936
- )
1937
- }).nullish();
1938
- var ProjectVulnerabilityReport = z7.object({
1939
- id: z7.string().uuid(),
1940
- name: z7.string().nullable(),
1941
- vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1942
- fixReport: z7.object({
1943
- id: z7.string().uuid(),
1944
- createdOn: z7.string(),
1945
- vulnerabilityReportIssuesFixedCount: z7.object({
1946
- vulnerabilityReportIssues_aggregate: z7.object({
1947
- aggregate: z7.object({ count: z7.number() })
1948
- })
1949
- }),
1950
- issueTypes: z7.record(z7.string(), z7.number()).nullable(),
1951
- issueLanguages: z7.record(z7.nativeEnum(IssueLanguage_Enum), z7.number()).nullable(),
1952
- fixesCountByEffort: z7.record(z7.nativeEnum(Effort_To_Apply_Fix_Enum), z7.number()).nullable(),
1953
- vulnerabilitySeverities: z7.record(z7.nativeEnum(Vulnerability_Severity_Enum), z7.number()).nullable(),
1954
- fixesDoneCount: z7.number(),
1955
- fixesInprogressCount: z7.number(),
1956
- fixesReadyCount: z7.number(),
1957
- repo: z7.object({
1958
- originalUrl: z7.string(),
1959
- reference: z7.string(),
1960
- name: z7.string()
1961
- }),
1962
- createdByUser: z7.object({
1963
- email: z7.string()
1964
- }).nullable(),
1965
- state: z7.nativeEnum(Fix_Report_State_Enum),
1966
- expirationOn: z7.string()
1967
- })
1968
- });
1969
- var ProjectGetProjectZ = z7.object({
1970
- id: z7.string().uuid(),
1971
- name: z7.string(),
1972
- vulnerabilityReports: z7.object({
1973
- vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1974
- fixReport: z7.object({
1975
- issueLanguages: z7.record(z7.nativeEnum(IssueLanguage_Enum), z7.number()).nullable(),
1976
- state: z7.nativeEnum(Fix_Report_State_Enum),
1977
- repo: z7.object({
1978
- originalUrl: z7.string(),
1979
- reference: z7.string()
1980
- }),
1981
- expirationOn: z7.string()
1982
- })
1983
- }).array()
1984
- });
1985
- var GetProjectsQueryZ = z7.array(ProjectGetProjectZ);
1986
- var ProjectPageQueryResultZ = z7.object({
1987
- name: z7.string(),
1988
- id: z7.string().uuid(),
1989
- isDefault: z7.boolean().default(false),
1990
- organizationId: z7.string().uuid(),
1991
- vulnerabilityReports: z7.array(ProjectVulnerabilityReport),
1992
- projectIssueTypeSettings: z7.array(
1993
- IssueTypeSettingZ.merge(z7.object({ id: z7.string() }))
1994
- )
1995
- });
1996
- var GetProjectMembersDataZ = z7.object({
1997
- project_by_pk: z7.object({
1998
- name: z7.string(),
1999
- id: z7.string(),
2000
- projectUsers: z7.array(
2001
- z7.object({
2002
- projectToRole: z7.object({
2003
- projectRole: z7.object({
2004
- type: z7.nativeEnum(Project_Role_Type_Enum)
2005
- })
2006
- }),
2007
- user: z7.object({
2008
- id: z7.string().uuid(),
2009
- picture: z7.string().optional(),
2010
- name: z7.string().nullish(),
2011
- email: z7.string().email()
2012
- })
2013
- })
2014
- )
2015
- })
2016
- });
2017
- var RepoArgsZ = z7.object({
2018
- originalUrl: z7.string().url(),
2019
- branch: z7.string(),
2020
- commitSha: z7.string()
2021
- });
2022
- var scmCloudUrl = {
2023
- GitLab: "https://gitlab.com",
2024
- GitHub: "https://github.com",
2025
- Ado: "https://dev.azure.com",
2026
- Bitbucket: "https://bitbucket.org"
2027
- };
2028
- var ScmType = /* @__PURE__ */ ((ScmType2) => {
2029
- ScmType2["GitHub"] = "GitHub";
2030
- ScmType2["GitLab"] = "GitLab";
2031
- ScmType2["Ado"] = "Ado";
2032
- ScmType2["Bitbucket"] = "Bitbucket";
2033
- return ScmType2;
2034
- })(ScmType || {});
2035
- var ConvertToSarifInputFileFormat = /* @__PURE__ */ ((ConvertToSarifInputFileFormat2) => {
2036
- ConvertToSarifInputFileFormat2["FortifyFPR"] = "FortifyFPR";
2037
- return ConvertToSarifInputFileFormat2;
2038
- })(ConvertToSarifInputFileFormat || {});
2039
-
2040
- // src/features/analysis/scm/ado/constants.ts
2041
- var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
2042
-
2043
- // src/features/analysis/scm/ado/utils.ts
2044
- import querystring from "querystring";
2045
- import * as api from "azure-devops-node-api";
2046
- import Debug from "debug";
2047
- import { z as z17 } from "zod";
2048
-
2049
- // src/features/analysis/scm/env.ts
2050
- import { z as z8 } from "zod";
2051
- var EnvVariablesZod = z8.object({
2052
- GITLAB_API_TOKEN: z8.string().optional(),
2053
- GITHUB_API_TOKEN: z8.string().optional(),
2054
- GIT_PROXY_HOST: z8.string().optional().default("http://tinyproxy:8888")
2055
- });
2056
- var { GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
2057
-
2058
- // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
2059
- import { z as z9 } from "zod";
2060
-
2061
1155
  // src/features/analysis/scm/shared/src/fixDetailsData.ts
2062
1156
  var fixDetailsData = {
2063
1157
  ["PT" /* Pt */]: {
@@ -2324,6 +1418,173 @@ var fixDetailsData = {
2324
1418
  ["DO_NOT_THROW_GENERIC_EXCEPTION" /* DoNotThrowGenericException */]: void 0
2325
1419
  };
2326
1420
 
1421
+ // src/features/analysis/scm/shared/src/getIssueType.ts
1422
+ import { z } from "zod";
1423
+ var issueTypeMap = {
1424
+ ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: "Missing Rate Limiting",
1425
+ ["SQL_Injection" /* SqlInjection */]: "SQL Injection",
1426
+ ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: "Relative Path Command Injection",
1427
+ ["CMDi" /* CmDi */]: "Command Injection",
1428
+ ["CONFUSING_NAMING" /* ConfusingNaming */]: "Confusing Naming",
1429
+ ["XXE" /* Xxe */]: "XXE",
1430
+ ["XSS" /* Xss */]: "XSS",
1431
+ ["PT" /* Pt */]: "Path Traversal",
1432
+ ["ZIP_SLIP" /* ZipSlip */]: "Zip Slip",
1433
+ ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: "Insecure Randomness",
1434
+ ["SSRF" /* Ssrf */]: "Server Side Request Forgery",
1435
+ ["TYPE_CONFUSION" /* TypeConfusion */]: "Type Confusion",
1436
+ ["REGEX_INJECTION" /* RegexInjection */]: "Regular Expression Injection",
1437
+ ["INCOMPLETE_URL_SANITIZATION" /* IncompleteUrlSanitization */]: "Incomplete URL Sanitization",
1438
+ ["LOCALE_DEPENDENT_COMPARISON" /* LocaleDependentComparison */]: "Locale Dependent Comparison",
1439
+ ["LOG_FORGING" /* LogForging */]: "Log Forging",
1440
+ ["MISSING_CHECK_AGAINST_NULL" /* MissingCheckAgainstNull */]: "Missing Check against Null",
1441
+ ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: "Password in Comment",
1442
+ ["OVERLY_BROAD_CATCH" /* OverlyBroadCatch */]: "Poor Error Handling: Overly Broad Catch",
1443
+ ["USE_OF_SYSTEM_OUTPUT_STREAM" /* UseOfSystemOutputStream */]: "Use of System.out/System.err",
1444
+ ["DANGEROUS_FUNCTION_OVERFLOW" /* DangerousFunctionOverflow */]: "Use of dangerous function",
1445
+ ["DOS_STRING_BUILDER" /* DosStringBuilder */]: "Denial of Service: StringBuilder",
1446
+ ["OPEN_REDIRECT" /* OpenRedirect */]: "Open Redirect",
1447
+ ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: "Weak XML Schema: Unbounded Occurrences",
1448
+ ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: "System Information Leak",
1449
+ ["SYSTEM_INFORMATION_LEAK_EXTERNAL" /* SystemInformationLeakExternal */]: "External System Information Leak",
1450
+ ["HTTP_RESPONSE_SPLITTING" /* HttpResponseSplitting */]: "HTTP response splitting",
1451
+ ["HTTP_ONLY_COOKIE" /* HttpOnlyCookie */]: "Cookie is not HttpOnly",
1452
+ ["INSECURE_COOKIE" /* InsecureCookie */]: "Insecure Cookie",
1453
+ ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: "Trust Boundary Violation",
1454
+ ["NULL_DEREFERENCE" /* NullDereference */]: "Null Dereference",
1455
+ ["UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */]: "Unsafe deserialization",
1456
+ ["INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */]: "Insecure Binder Configuration",
1457
+ ["UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */]: "Unsafe use of target blank",
1458
+ ["IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */]: "Client use of iframe without sandbox",
1459
+ ["JQUERY_DEPRECATED_SYMBOLS" /* JqueryDeprecatedSymbols */]: "jQuery deprecated symbols",
1460
+ ["MISSING_ANTIFORGERY_VALIDATION" /* MissingAntiforgeryValidation */]: "Missing Anti-Forgery Validation",
1461
+ ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: "GraphQL Depth Limit",
1462
+ ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: "Unchecked Loop Condition",
1463
+ ["IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE" /* ImproperResourceShutdownOrRelease */]: "Improper Resource Shutdown or Release",
1464
+ ["IMPROPER_EXCEPTION_HANDLING" /* ImproperExceptionHandling */]: "Improper Exception Handling",
1465
+ ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION" /* DefaultRightsInObjDefinition */]: "Default Definer Rights in Package or Object Definition",
1466
+ ["HTML_COMMENT_IN_JSP" /* HtmlCommentInJsp */]: "HTML Comment in JSP",
1467
+ ["ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */]: "Error Condition Without Action",
1468
+ ["DEPRECATED_FUNCTION" /* DeprecatedFunction */]: "Deprecated Function",
1469
+ ["HARDCODED_SECRETS" /* HardcodedSecrets */]: "Hardcoded Secrets",
1470
+ ["PROTOTYPE_POLLUTION" /* PrototypePollution */]: "Prototype Pollution",
1471
+ ["RACE_CONDITION_FORMAT_FLAW" /* RaceConditionFormatFlaw */]: "Race Condition Format Flaw",
1472
+ ["NON_FINAL_PUBLIC_STATIC_FIELD" /* NonFinalPublicStaticField */]: "Non-final Public Static Field",
1473
+ ["MISSING_HSTS_HEADER" /* MissingHstsHeader */]: "Missing HSTS Header",
1474
+ ["DEAD_CODE_UNUSED_FIELD" /* DeadCodeUnusedField */]: "Dead Code: Unused Field",
1475
+ ["HEADER_MANIPULATION" /* HeaderManipulation */]: "Header Manipulation",
1476
+ ["MISSING_EQUALS_OR_HASHCODE" /* MissingEqualsOrHashcode */]: "Missing equals or hashcode method",
1477
+ ["WCF_MISCONFIGURATION_INSUFFICIENT_LOGGING" /* WcfMisconfigurationInsufficientLogging */]: "WCF Misconfiguration: Insufficient Logging",
1478
+ ["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED" /* WcfMisconfigurationThrottlingNotEnabled */]: "WCF Misconfiguration: Throttling Not Enabled",
1479
+ ["USELESS_REGEXP_CHAR_ESCAPE" /* UselessRegexpCharEscape */]: "Useless regular-expression character escape",
1480
+ ["INCOMPLETE_HOSTNAME_REGEX" /* IncompleteHostnameRegex */]: "Incomplete Hostname Regex",
1481
+ ["OVERLY_LARGE_RANGE" /* OverlyLargeRange */]: "Regex: Overly Large Range",
1482
+ ["INSUFFICIENT_LOGGING" /* InsufficientLogging */]: "Insufficient Logging of Sensitive Operations",
1483
+ ["PRIVACY_VIOLATION" /* PrivacyViolation */]: "Privacy Violation",
1484
+ ["INCOMPLETE_URL_SCHEME_CHECK" /* IncompleteUrlSchemeCheck */]: "Incomplete URL Scheme Check",
1485
+ ["VALUE_NEVER_READ" /* ValueNeverRead */]: "Value Never Read",
1486
+ ["VALUE_SHADOWING" /* ValueShadowing */]: "Value Shadowing",
1487
+ ["NO_EQUIVALENCE_METHOD" /* NoEquivalenceMethod */]: "Class Does Not Implement Equivalence Method",
1488
+ ["INFORMATION_EXPOSURE_VIA_HEADERS" /* InformationExposureViaHeaders */]: "Information Exposure via Headers",
1489
+ ["DEBUG_ENABLED" /* DebugEnabled */]: "Debug Enabled",
1490
+ ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: "Leftover Debug Code",
1491
+ ["POOR_ERROR_HANDLING_EMPTY_CATCH_BLOCK" /* PoorErrorHandlingEmptyCatchBlock */]: "Poor Error Handling: Empty Catch Block",
1492
+ ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: "Erroneous String Compare",
1493
+ ["UNVALIDATED_PUBLIC_METHOD_ARGUMENT" /* UnvalidatedPublicMethodArgument */]: "Unvalidated Public Method Argument",
1494
+ ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: "Auto-escape False",
1495
+ ["MISSING_CSP_HEADER" /* MissingCspHeader */]: "Missing CSP Header",
1496
+ ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: "Hardcoded Domain in HTML",
1497
+ ["HEAP_INSPECTION" /* HeapInspection */]: "Heap Inspection",
1498
+ ["CLIENT_DOM_STORED_CODE_INJECTION" /* ClientDomStoredCodeInjection */]: "Client Code Injection",
1499
+ ["STRING_FORMAT_MISUSE" /* StringFormatMisuse */]: "String Format Misuse",
1500
+ ["NON_READONLY_FIELD" /* NonReadonlyField */]: "Non Readonly Field",
1501
+ ["CSRF" /* Csrf */]: "Cross-Site Request Forgery (CSRF)",
1502
+ ["WEAK_ENCRYPTION" /* WeakEncryption */]: "Weak Encryption Mechanism",
1503
+ ["CODE_IN_COMMENT" /* CodeInComment */]: "Code in Comment",
1504
+ ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: "Regex Missing Timeout",
1505
+ ["FRAMEABLE_LOGIN_PAGE" /* FrameableLoginPage */]: "Frameable Login Page",
1506
+ ["USE_OF_HARD_CODED_CRYPTOGRAPHIC_KEY" /* UseOfHardCodedCryptographicKey */]: "Use of Hardcoded Cryptographic Key",
1507
+ ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: "Missing SSL MinVersion",
1508
+ ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: "Missing Websocket Origin Check",
1509
+ ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: "String Literals Should not Be Duplicated",
1510
+ ["INSECURE_UUID_VERSION" /* InsecureUuidVersion */]: "Insecure UUID Version",
1511
+ ["GH_ACTIONS_SHELL_INJECTION" /* GhActionsShellInjection */]: "GitHub Actions Shell Injection",
1512
+ ["MODIFIED_DEFAULT_PARAM" /* ModifiedDefaultParam */]: "Modified Default Param",
1513
+ ["UNSAFE_WEB_THREAD" /* UnsafeWebThread */]: "Unsafe Web Thread",
1514
+ ["NO_VAR" /* NoVar */]: 'Prefer "let" or "const"',
1515
+ ["INSECURE_TMP_FILE" /* InsecureTmpFile */]: "Insecure Temporary File",
1516
+ ["RETURN_SHOULD_NOT_BE_INVARIANT" /* ReturnShouldNotBeInvariant */]: "Return Should Not Be Invariant",
1517
+ ["SYSTEM_EXIT_SHOULD_RERAISE" /* SystemExitShouldReraise */]: "SystemExit Should Reraise",
1518
+ ["NO_RETURN_IN_FINALLY" /* NoReturnInFinally */]: "No Return in Finally Block",
1519
+ ["WILDCARD_IMPORTS" /* WildcardImports */]: "Wildcard Imports should not be used",
1520
+ ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: "Avoid Identity Comparison of Cached Types",
1521
+ ["AVOID_BUILTIN_SHADOWING" /* AvoidBuiltinShadowing */]: "Avoid Builtin Shadowing",
1522
+ ["IMPROPER_STRING_FORMATTING" /* ImproperStringFormatting */]: "Improper String Formatting",
1523
+ ["TAR_SLIP" /* TarSlip */]: "Tar Slip",
1524
+ ["MISSING_WHITESPACE" /* MissingWhitespace */]: "Missing Whitespace",
1525
+ ["NO_PRINT_STATEMENT" /* NoPrintStatement */]: 'Python 2 "print" Statement Is Obsolete',
1526
+ ["NO_OP_OVERHEAD" /* NoOpOverhead */]: "Expensive Arguments in Conditional Methods",
1527
+ ["DO_NOT_RAISE_EXCEPTION" /* DoNotRaiseException */]: "Do Not Raise Exception",
1528
+ ["DECLARE_VARIABLE_EXPLICITLY" /* DeclareVariableExplicitly */]: "Declare Variable Explicitly",
1529
+ ["NO_NESTED_TRY" /* NoNestedTry */]: "No Nested Try",
1530
+ ["UNNECESSARY_IMPORTS" /* UnnecessaryImports */]: "Unnecessary Imports",
1531
+ ["REDOS" /* Redos */]: "Regular Expression Denial of Service",
1532
+ ["DO_NOT_THROW_GENERIC_EXCEPTION" /* DoNotThrowGenericException */]: "Do Not Throw Generic Exception"
1533
+ };
1534
+ var issueTypeZ = z.nativeEnum(IssueType_Enum);
1535
+ var getIssueTypeFriendlyString = (issueType) => {
1536
+ const issueTypeZParseRes = issueTypeZ.safeParse(issueType);
1537
+ if (!issueTypeZParseRes.success) {
1538
+ return issueType ? issueType.replaceAll("_", " ") : "Other";
1539
+ }
1540
+ return issueTypeMap[issueTypeZParseRes.data];
1541
+ };
1542
+ function getTagTooltip(tag) {
1543
+ switch (tag) {
1544
+ case "FALSE_POSITIVE":
1545
+ return "Issue was found to be a false positive";
1546
+ case "TEST_CODE":
1547
+ return "Issue found in test files, not production code";
1548
+ case "VENDOR_CODE":
1549
+ return "Issue is in external libraries or dependencies not owned or maintained by your team";
1550
+ case "AUTOGENERATED_CODE":
1551
+ return "Code created by tools or frameworks, not manually written";
1552
+ case "AUXILIARY_CODE":
1553
+ return "Issue found in supporting files that don't impact core functionality";
1554
+ case "Filtered":
1555
+ return "Issue was filtered by user in the Fix Policy";
1556
+ case "SUPPRESSED":
1557
+ return "Suppressed in the scan report";
1558
+ default:
1559
+ return tag;
1560
+ }
1561
+ }
1562
+ var issueDescription = {
1563
+ ["AUTOGENERATED_CODE" /* AutogeneratedCode */]: "The flagged code is generated automatically by tools or frameworks as part of the build or runtime process. This categorization highlights that **the issue resides in non-manual code**, which often requires tool-specific solutions or exemptions.",
1564
+ ["AUXILIARY_CODE" /* AuxiliaryCode */]: "The flagged code is auxiliary or supporting code, such as configuration files, build scripts, or other non-application logic. This categorization indicates that the issue is not directly related to the application's core functionality.",
1565
+ ["FALSE_POSITIVE" /* FalsePositive */]: "The flagged code **does not represent an actual vulnerability within the application's context.** This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application's functionality.",
1566
+ ["TEST_CODE" /* TestCode */]: "The flagged code resides in a test-specific path or context. This categorization indicates that **it supports testing scenarios and is isolated from production use**.",
1567
+ ["UNFIXABLE" /* Unfixable */]: "The flagged code cannot be fixed",
1568
+ ["VENDOR_CODE" /* VendorCode */]: "The flagged code originates from a third-party library or dependency maintained externally. This categorization suggests that **the issue lies outside the application's direct control** and should be addressed by the vendor if necessary.",
1569
+ ["SUPPRESSED" /* Suppressed */]: "Suppressed in the scan report."
1570
+ };
1571
+ function replaceKeysWithValues(fixDescription, extraContext) {
1572
+ let result = fixDescription;
1573
+ extraContext.forEach(({ key, value }) => {
1574
+ result = result.replace(`\${${key}}`, value);
1575
+ });
1576
+ return result;
1577
+ }
1578
+ function getParsedFalsePositiveMessage(data) {
1579
+ const { fixDescription, extraContext } = data;
1580
+ const containsTemplate = extraContext.some(
1581
+ (context) => fixDescription.includes(`\${${context.key}}`)
1582
+ );
1583
+ const description2 = containsTemplate ? replaceKeysWithValues(fixDescription, extraContext) : fixDescription;
1584
+ const contextString = containsTemplate ? null : `\`\`\`${extraContext.map(({ value }) => value).join(" ")} \`\`\``;
1585
+ return { description: description2, contextString };
1586
+ }
1587
+
2327
1588
  // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
2328
1589
  function capitalizeFirstLetter(str) {
2329
1590
  return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
@@ -2352,7 +1613,7 @@ var getCommitDescription = ({
2352
1613
  )}**.
2353
1614
 
2354
1615
  `;
2355
- const parseIssueTypeRes = z9.nativeEnum(IssueType_Enum).safeParse(issueType);
1616
+ const parseIssueTypeRes = z2.nativeEnum(IssueType_Enum).safeParse(issueType);
2356
1617
  if (issueType && parseIssueTypeRes.success) {
2357
1618
  if (irrelevantIssueWithTags?.[0]?.tag) {
2358
1619
  description2 += `
@@ -2395,7 +1656,7 @@ var getCommitIssueDescription = ({
2395
1656
  const issueTypeString = getIssueTypeFriendlyString(issueType);
2396
1657
  let description2 = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
2397
1658
  `;
2398
- const parseIssueTypeRes = z9.nativeEnum(IssueType_Enum).safeParse(issueType);
1659
+ const parseIssueTypeRes = z2.nativeEnum(IssueType_Enum).safeParse(issueType);
2399
1660
  if (issueType && parseIssueTypeRes.success) {
2400
1661
  if (irrelevantIssueWithTags?.[0]?.tag) {
2401
1662
  description2 = `
@@ -2420,10 +1681,10 @@ ${staticData.issueDescription}
2420
1681
  };
2421
1682
 
2422
1683
  // src/features/analysis/scm/shared/src/guidances.ts
2423
- import { z as z12 } from "zod";
1684
+ import { z as z5 } from "zod";
2424
1685
 
2425
1686
  // src/features/analysis/scm/shared/src/storedFixData/index.ts
2426
- import { z as z10 } from "zod";
1687
+ import { z as z3 } from "zod";
2427
1688
 
2428
1689
  // src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
2429
1690
  var passwordInComment = {
@@ -2599,8 +1860,8 @@ var vulnerabilities8 = {
2599
1860
  var xml_default = vulnerabilities8;
2600
1861
 
2601
1862
  // src/features/analysis/scm/shared/src/storedFixData/index.ts
2602
- var StoredFixDataItemZ = z10.object({
2603
- guidance: z10.function().returns(z10.string())
1863
+ var StoredFixDataItemZ = z3.object({
1864
+ guidance: z3.function().returns(z3.string())
2604
1865
  });
2605
1866
  var languages = {
2606
1867
  ["Java" /* Java */]: java_default,
@@ -2614,7 +1875,7 @@ var languages = {
2614
1875
  };
2615
1876
 
2616
1877
  // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
2617
- import { z as z11 } from "zod";
1878
+ import { z as z4 } from "zod";
2618
1879
 
2619
1880
  // src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
2620
1881
  var httpOnlyCookie = {
@@ -3767,214 +3028,958 @@ var duplicatedStrings2 = {
3767
3028
  description: () => "",
3768
3029
  guidance: () => ""
3769
3030
  }
3770
- };
3771
-
3772
- // src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
3773
- var logForging5 = {
3774
- isHtmlDisplay: {
3775
- content: () => "Is the text written to the log going to be displayed as HTML?",
3776
- description: () => "",
3777
- guidance: ({ userInputValue }) => {
3778
- switch (userInputValue) {
3779
- case "yes":
3780
- return "We use `html.escape` to decode the HTML";
3781
- default:
3782
- return "";
3783
- }
3031
+ };
3032
+
3033
+ // src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
3034
+ var logForging5 = {
3035
+ isHtmlDisplay: {
3036
+ content: () => "Is the text written to the log going to be displayed as HTML?",
3037
+ description: () => "",
3038
+ guidance: ({ userInputValue }) => {
3039
+ switch (userInputValue) {
3040
+ case "yes":
3041
+ return "We use `html.escape` to decode the HTML";
3042
+ default:
3043
+ return "";
3044
+ }
3045
+ }
3046
+ }
3047
+ };
3048
+
3049
+ // src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
3050
+ var openRedirect3 = {
3051
+ allowed_hosts: {
3052
+ content: () => "Allowed domains/paths",
3053
+ description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
3054
+ guidance: () => ""
3055
+ }
3056
+ };
3057
+
3058
+ // src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
3059
+ var uncheckedLoopCondition3 = {
3060
+ loopLimit: {
3061
+ content: () => "Please define a maximum loop limit",
3062
+ description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
3063
+ guidance: () => ""
3064
+ },
3065
+ varName: {
3066
+ content: () => "Please define a variable name",
3067
+ description: () => `We need to define a variable to be used as a counter to limit the loop`,
3068
+ guidance: () => ""
3069
+ }
3070
+ };
3071
+
3072
+ // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
3073
+ var vulnerabilities13 = {
3074
+ ["CSRF" /* Csrf */]: csrf2,
3075
+ ["LOG_FORGING" /* LogForging */]: logForging5,
3076
+ ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
3077
+ ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition3,
3078
+ ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings2
3079
+ };
3080
+ var python_default2 = vulnerabilities13;
3081
+
3082
+ // src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
3083
+ var unboundedOccurrences = {
3084
+ maxOccursLimit: {
3085
+ content: () => "The number of allowed repetitions of the element.",
3086
+ description: () => "",
3087
+ guidance: () => `Setting this number to a reasonable value will prevent the attack.
3088
+ A value too low will prevent valid XMLs from being processed.
3089
+ A value too high will cause performance issues up to and including denial of service.`
3090
+ }
3091
+ };
3092
+
3093
+ // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
3094
+ var vulnerabilities14 = {
3095
+ ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
3096
+ };
3097
+ var xml_default2 = vulnerabilities14;
3098
+
3099
+ // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
3100
+ var StoredQuestionDataItemZ = z4.object({
3101
+ content: z4.function().args(z4.any()).returns(z4.string()),
3102
+ description: z4.function().args(z4.any()).returns(z4.string()),
3103
+ guidance: z4.function().args(z4.any()).returns(z4.string())
3104
+ });
3105
+ var languages2 = {
3106
+ ["Java" /* Java */]: java_default2,
3107
+ ["JavaScript" /* JavaScript */]: js_default,
3108
+ ["XML" /* Xml */]: xml_default2,
3109
+ ["CSharp" /* CSharp */]: csharp_default2,
3110
+ ["Python" /* Python */]: python_default2,
3111
+ ["Go" /* Go */]: go_default2
3112
+ };
3113
+ var storedQuestionData_default = languages2;
3114
+
3115
+ // src/features/analysis/scm/shared/src/guidances.ts
3116
+ function toQuestion(userInput) {
3117
+ const { key, defaultValue } = userInput;
3118
+ const value = userInput.value || defaultValue;
3119
+ return { ...userInput, defaultValue, value, key, error: false };
3120
+ }
3121
+ function getQuestionInformation({
3122
+ fixQuestionData,
3123
+ issueType,
3124
+ language
3125
+ }) {
3126
+ const { name } = fixQuestionData;
3127
+ const storedQuestionDataItem = storedQuestionData_default[language]?.[issueType]?.[name] ?? {
3128
+ content: () => "",
3129
+ description: () => "",
3130
+ guidance: () => ""
3131
+ };
3132
+ return StoredQuestionDataItemZ.parse(storedQuestionDataItem);
3133
+ }
3134
+ function curriedQuestionInformationByQuestion({
3135
+ issueType,
3136
+ language
3137
+ }) {
3138
+ return (fixQuestionData) => getQuestionInformation({
3139
+ issueType,
3140
+ language,
3141
+ fixQuestionData
3142
+ });
3143
+ }
3144
+ function getPackageFixGuidance(actionsRequired) {
3145
+ const actionRequiredStrings = actionsRequired.map((action) => {
3146
+ if (action.language === "JS" /* Js */) {
3147
+ if (action.action === "add" /* Add */) {
3148
+ let actionRequired = `We use \`${action.lib.name}\` package to sanitize user input. Please make sure you add the latest [\`${action.lib.name}\`](https://www.npmjs.com/package/${action.lib.name}) to your \`package.json\` file.`;
3149
+ if (action.typesLib) {
3150
+ actionRequired += ` For TypeScript users, consider adding [\`${action.typesLib.name}\`](https://www.npmjs.com/package/${action.typesLib.name}) to your \`package.json\` as well`;
3151
+ }
3152
+ return actionRequired;
3153
+ }
3154
+ if (action.action === "relock" /* Relock */) {
3155
+ const actionRequired = `A lock file was detected, please make sure to relock the lock file using your package manager.`;
3156
+ return actionRequired;
3157
+ }
3158
+ if (action.action === "upgrade" /* Upgrade */) {
3159
+ return `We use \`${action.lib.name}\` package to sanitize user input. Please make sure you upgrade the package [\`${action.lib.name}\`](https://www.npmjs.com/package/${action.lib.name}) to the latest version in your \`package.json\` file.`;
3160
+ }
3161
+ }
3162
+ if (action.language === "JAVA" /* Java */) {
3163
+ const names = action.lib.name.split(":");
3164
+ const groupId = names[0];
3165
+ const artifactId = names[1];
3166
+ if (action.action === "add" /* Add */) {
3167
+ return `We use \`${artifactId}\` package in the fix. Please make sure you add the latest [\`${artifactId}\`](https://mvnrepository.com/artifact/${groupId}/${artifactId}) to your pom file.`;
3168
+ }
3169
+ if (action.action === "upgrade" /* Upgrade */) {
3170
+ return `We use \`${artifactId}\` package in the fix. Please make sure you upgrade the package [\`${artifactId}\`](https://mvnrepository.com/artifact/${groupId}/${artifactId}) to the latest version in your pom file.`;
3171
+ }
3172
+ }
3173
+ return void 0;
3174
+ });
3175
+ return actionRequiredStrings.filter((action) => !!action);
3176
+ }
3177
+ function getFixGuidances({
3178
+ issueType,
3179
+ issueLanguage,
3180
+ fixExtraContext,
3181
+ questions
3182
+ }) {
3183
+ const storedFixGuidanceDataItem = languages[issueLanguage || ""]?.[issueType || ""] ?? {};
3184
+ const storeFixResult = StoredFixDataItemZ.safeParse(storedFixGuidanceDataItem);
3185
+ const libGuidances = getPackageFixGuidance(
3186
+ fixExtraContext.manifestActionsRequired
3187
+ );
3188
+ const extraContext = fixExtraContext.extraContext.reduce(
3189
+ (acc, obj) => {
3190
+ acc[obj.key] = obj.value;
3191
+ return acc;
3192
+ },
3193
+ {}
3194
+ );
3195
+ const fixGuidance = storeFixResult.success ? [storeFixResult.data.guidance({ questions, ...extraContext })] : [];
3196
+ return libGuidances.concat(fixGuidance).filter((guidance) => !!guidance);
3197
+ }
3198
+ var IssueTypeAndLanguageZ = z5.object({
3199
+ issueType: z5.nativeEnum(IssueType_Enum),
3200
+ issueLanguage: z5.nativeEnum(IssueLanguage_Enum)
3201
+ });
3202
+ function getGuidances(args) {
3203
+ const safeIssueTypeAndLanguage = IssueTypeAndLanguageZ.safeParse({
3204
+ issueType: args.issueType,
3205
+ issueLanguage: args.issueLanguage
3206
+ });
3207
+ if (!safeIssueTypeAndLanguage.success) {
3208
+ return [];
3209
+ }
3210
+ const { questions, fixExtraContext } = args;
3211
+ const { issueType, issueLanguage } = safeIssueTypeAndLanguage.data;
3212
+ const fixGuidances = getFixGuidances({
3213
+ issueType,
3214
+ issueLanguage,
3215
+ fixExtraContext,
3216
+ questions
3217
+ }).map((guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` }));
3218
+ return questions.map((question) => {
3219
+ let questionGuidance = question.guidance;
3220
+ if (!questionGuidance && issueType && issueLanguage) {
3221
+ const getFixInformation = curriedQuestionInformationByQuestion({
3222
+ issueType,
3223
+ language: issueLanguage
3224
+ });
3225
+ const { guidance } = getFixInformation(question);
3226
+ questionGuidance = guidance({
3227
+ userInputValue: question.value
3228
+ });
3784
3229
  }
3785
- }
3786
- };
3230
+ return {
3231
+ ...question,
3232
+ guidance: questionGuidance
3233
+ };
3234
+ }).filter(({ guidance }) => !!guidance).map(({ guidance, key }) => ({ guidance, key })).concat(fixGuidances);
3235
+ }
3787
3236
 
3788
- // src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
3789
- var openRedirect3 = {
3790
- allowed_hosts: {
3791
- content: () => "Allowed domains/paths",
3792
- description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
3793
- guidance: () => ""
3794
- }
3795
- };
3237
+ // src/features/analysis/scm/shared/src/types/fix.ts
3238
+ import { z as z7 } from "zod";
3796
3239
 
3797
- // src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
3798
- var uncheckedLoopCondition3 = {
3799
- loopLimit: {
3800
- content: () => "Please define a maximum loop limit",
3801
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
3802
- guidance: () => ""
3803
- },
3804
- varName: {
3805
- content: () => "Please define a variable name",
3806
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
3807
- guidance: () => ""
3240
+ // src/features/analysis/scm/shared/src/types/shared.ts
3241
+ import { z as z6 } from "zod";
3242
+ var ParsedSeverityZ = z6.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
3243
+ var ScmSubmitFixRequestsZ = z6.array(
3244
+ z6.object({
3245
+ scmSubmitFixRequest: z6.object({
3246
+ submitFixRequest: z6.object({
3247
+ createdByUser: z6.object({
3248
+ email: z6.string()
3249
+ }),
3250
+ targetBranchName: z6.string().default("")
3251
+ }),
3252
+ prUrl: z6.string().nullable(),
3253
+ prStatus: z6.nativeEnum(Pr_Status_Enum).nullable(),
3254
+ commitUrl: z6.string().nullable(),
3255
+ scmId: z6.string()
3256
+ })
3257
+ })
3258
+ );
3259
+
3260
+ // src/features/analysis/scm/shared/src/types/fix.ts
3261
+ var PackageInfoZ = z7.object({
3262
+ name: z7.string(),
3263
+ version: z7.string(),
3264
+ envName: z7.string().nullable()
3265
+ });
3266
+ var ManifestActionRequiredZ = z7.object({
3267
+ action: z7.nativeEnum(ManifestAction),
3268
+ language: z7.nativeEnum(Language),
3269
+ lib: PackageInfoZ,
3270
+ typesLib: PackageInfoZ.nullable()
3271
+ });
3272
+ var ExtraContextInternalZ = z7.object({
3273
+ key: z7.string(),
3274
+ value: z7.string().or(z7.boolean()).or(
3275
+ z7.object({
3276
+ int: z7.boolean(),
3277
+ integer: z7.boolean(),
3278
+ string: z7.boolean(),
3279
+ date: z7.boolean()
3280
+ })
3281
+ )
3282
+ });
3283
+ var FixExtraContextZ = z7.object({
3284
+ fixDescription: z7.string(),
3285
+ manifestActionsRequired: z7.array(ManifestActionRequiredZ),
3286
+ extraContext: z7.array(ExtraContextInternalZ)
3287
+ });
3288
+ var PatchAndQuestionsZ = z7.object({
3289
+ __typename: z7.literal("FixData"),
3290
+ patch: z7.string(),
3291
+ patchOriginalEncodingBase64: z7.string(),
3292
+ questions: z7.array(
3293
+ z7.object({
3294
+ name: z7.string(),
3295
+ key: z7.string(),
3296
+ index: z7.number(),
3297
+ defaultValue: z7.string(),
3298
+ value: z7.string().nullable(),
3299
+ extraContext: z7.array(ExtraContextInternalZ),
3300
+ inputType: z7.nativeEnum(FixQuestionInputType),
3301
+ options: z7.array(z7.string())
3302
+ })
3303
+ ),
3304
+ extraContext: FixExtraContextZ
3305
+ });
3306
+ var FixRatingZ = z7.object({
3307
+ voteScore: z7.number(),
3308
+ fixRatingTag: z7.nativeEnum(Fix_Rating_Tag_Enum).nullable().default(null),
3309
+ comment: z7.string().nullable().default(null),
3310
+ updatedDate: z7.string().nullable(),
3311
+ user: z7.object({
3312
+ email: z7.string(),
3313
+ name: z7.string()
3314
+ })
3315
+ });
3316
+ var FixSharedStateZ = z7.object({
3317
+ state: z7.nativeEnum(Fix_State_Enum),
3318
+ isArchived: z7.boolean(),
3319
+ scmSubmitFixRequests: ScmSubmitFixRequestsZ,
3320
+ fixRatings: z7.array(FixRatingZ).default([])
3321
+ }).nullish().transform(
3322
+ (data) => data ? data : {
3323
+ state: "Ready" /* Ready */,
3324
+ isArchived: false,
3325
+ scmSubmitFixRequests: [],
3326
+ fixRatings: []
3808
3327
  }
3809
- };
3328
+ );
3329
+ var FixQueryZ = z7.object({
3330
+ __typename: z7.literal("fix").optional(),
3331
+ id: z7.string().uuid(),
3332
+ sharedState: FixSharedStateZ,
3333
+ modifiedBy: z7.string().nullable(),
3334
+ gitBlameLogin: z7.string().nullable(),
3335
+ safeIssueLanguage: z7.string(),
3336
+ safeIssueType: z7.string(),
3337
+ confidence: z7.number(),
3338
+ fixReportId: z7.string().uuid(),
3339
+ isExpired: z7.boolean().default(false),
3340
+ fixFiles: z7.array(
3341
+ z7.object({
3342
+ fileRepoRelativePath: z7.string()
3343
+ })
3344
+ ),
3345
+ numberOfVulnerabilityIssues: z7.number(),
3346
+ severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
3347
+ vulnerabilityReportIssues: z7.array(
3348
+ z7.object({
3349
+ vendorIssueId: z7.string(),
3350
+ issueLanguage: z7.string(),
3351
+ parsedSeverity: ParsedSeverityZ
3352
+ })
3353
+ ),
3354
+ patchAndQuestions: PatchAndQuestionsZ,
3355
+ effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable()
3356
+ });
3357
+ var FixPartsForFixScreenZ = FixQueryZ.merge(
3358
+ z7.object({
3359
+ vulnerabilityReportIssues: z7.array(
3360
+ z7.object({
3361
+ vendorIssueId: z7.string(),
3362
+ issueType: z7.string(),
3363
+ issueLanguage: z7.string()
3364
+ })
3365
+ )
3366
+ })
3367
+ );
3810
3368
 
3811
- // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
3812
- var vulnerabilities13 = {
3813
- ["CSRF" /* Csrf */]: csrf2,
3814
- ["LOG_FORGING" /* LogForging */]: logForging5,
3815
- ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
3816
- ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition3,
3817
- ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings2
3818
- };
3819
- var python_default2 = vulnerabilities13;
3369
+ // src/features/analysis/scm/shared/src/types/issue.ts
3370
+ import { z as z9 } from "zod";
3820
3371
 
3821
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
3822
- var unboundedOccurrences = {
3823
- maxOccursLimit: {
3824
- content: () => "The number of allowed repetitions of the element.",
3825
- description: () => "",
3826
- guidance: () => `Setting this number to a reasonable value will prevent the attack.
3827
- A value too low will prevent valid XMLs from being processed.
3828
- A value too high will cause performance issues up to and including denial of service.`
3829
- }
3830
- };
3372
+ // src/features/analysis/scm/shared/src/types/analysis.ts
3373
+ import { z as z8 } from "zod";
3374
+ var FixPageFixReportZ = z8.object({
3375
+ id: z8.string().uuid(),
3376
+ analysisUrl: z8.string(),
3377
+ expirationOn: z8.string(),
3378
+ createdOn: z8.string(),
3379
+ state: z8.nativeEnum(Fix_Report_State_Enum),
3380
+ repo: z8.object({
3381
+ name: z8.string().nullable(),
3382
+ originalUrl: z8.string(),
3383
+ reference: z8.string(),
3384
+ commitSha: z8.string(),
3385
+ isKnownBranch: z8.boolean().nullable()
3386
+ }),
3387
+ vulnerabilityReport: z8.object({
3388
+ vendor: z8.nativeEnum(Vulnerability_Report_Vendor_Enum),
3389
+ vendorReportId: z8.string().uuid().nullable(),
3390
+ projectId: z8.string().uuid(),
3391
+ project: z8.object({
3392
+ organizationId: z8.string().uuid()
3393
+ }),
3394
+ file: z8.object({
3395
+ id: z8.string().uuid(),
3396
+ path: z8.string()
3397
+ }),
3398
+ pending: z8.object({
3399
+ aggregate: z8.object({
3400
+ count: z8.number()
3401
+ })
3402
+ }),
3403
+ supported: z8.object({
3404
+ aggregate: z8.object({
3405
+ count: z8.number()
3406
+ })
3407
+ }),
3408
+ all: z8.object({
3409
+ aggregate: z8.object({
3410
+ count: z8.number()
3411
+ })
3412
+ }),
3413
+ fixable: z8.object({
3414
+ aggregate: z8.object({
3415
+ count: z8.number()
3416
+ })
3417
+ }),
3418
+ errors: z8.object({
3419
+ aggregate: z8.object({
3420
+ count: z8.number()
3421
+ })
3422
+ }),
3423
+ vulnerabilityReportIssues: z8.object({
3424
+ extraData: z8.object({
3425
+ missing_files: z8.string().array().nullish(),
3426
+ large_files: z8.string().array().nullish(),
3427
+ error_files: z8.string().array().nullish()
3428
+ })
3429
+ }).array()
3430
+ })
3431
+ });
3831
3432
 
3832
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
3833
- var vulnerabilities14 = {
3834
- ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
3433
+ // src/features/analysis/scm/shared/src/types/issue.ts
3434
+ var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES = 1e5;
3435
+ var CATEGORY = {
3436
+ NoFix: "NoFix",
3437
+ Unsupported: "Unsupported",
3438
+ Irrelevant: "Irrelevant",
3439
+ FalsePositive: "FalsePositive",
3440
+ Fixable: "Fixable",
3441
+ Filtered: "Filtered"
3835
3442
  };
3836
- var xml_default2 = vulnerabilities14;
3837
-
3838
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
3839
- var StoredQuestionDataItemZ = z11.object({
3840
- content: z11.function().args(z11.any()).returns(z11.string()),
3841
- description: z11.function().args(z11.any()).returns(z11.string()),
3842
- guidance: z11.function().args(z11.any()).returns(z11.string())
3443
+ var ValidCategoriesZ = z9.union([
3444
+ z9.literal(CATEGORY.NoFix),
3445
+ z9.literal(CATEGORY.Unsupported),
3446
+ z9.literal(CATEGORY.Irrelevant),
3447
+ z9.literal(CATEGORY.FalsePositive),
3448
+ z9.literal(CATEGORY.Fixable),
3449
+ z9.literal(CATEGORY.Filtered)
3450
+ ]);
3451
+ var VulnerabilityReportIssueSharedStateZ = z9.object({
3452
+ id: z9.string().uuid(),
3453
+ isArchived: z9.boolean()
3454
+ }).nullish();
3455
+ var BaseIssuePartsZ = z9.object({
3456
+ id: z9.string().uuid(),
3457
+ safeIssueType: z9.string(),
3458
+ safeIssueLanguage: z9.string(),
3459
+ createdAt: z9.string(),
3460
+ parsedSeverity: ParsedSeverityZ,
3461
+ category: ValidCategoriesZ,
3462
+ extraData: z9.object({
3463
+ missing_files: z9.string().array().nullish(),
3464
+ error_files: z9.string().array().nullish()
3465
+ }),
3466
+ vulnerabilityReportIssueTags: z9.array(
3467
+ z9.object({
3468
+ tag: z9.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
3469
+ })
3470
+ ),
3471
+ codeNodes: z9.array(
3472
+ z9.object({
3473
+ path: z9.string(),
3474
+ line: z9.number(),
3475
+ index: z9.number()
3476
+ })
3477
+ ).transform((nodes) => nodes.sort((a, b) => b.index - a.index)),
3478
+ sourceCodeNodes: z9.array(
3479
+ z9.object({
3480
+ sourceCodeFile: z9.object({
3481
+ path: z9.string(),
3482
+ signedFile: z9.object({
3483
+ url: z9.string()
3484
+ })
3485
+ })
3486
+ }).transform(async ({ sourceCodeFile }) => {
3487
+ const { url } = sourceCodeFile.signedFile;
3488
+ const sourceCodeRes = await fetch(url);
3489
+ if (Number(sourceCodeRes.headers.get("Content-Length")) > MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES) {
3490
+ return null;
3491
+ }
3492
+ return {
3493
+ path: sourceCodeFile.path,
3494
+ fileContent: await sourceCodeRes.text()
3495
+ };
3496
+ })
3497
+ ).transform((nodes) => nodes.filter((node) => node !== null)),
3498
+ fix: FixPartsForFixScreenZ.nullish(),
3499
+ vulnerabilityReportIssueNodeDiffFile: z9.object({
3500
+ signedFile: z9.object({
3501
+ url: z9.string()
3502
+ }).transform(async ({ url }) => {
3503
+ const codeDiff = await fetch(url).then((res) => res.text());
3504
+ return { codeDiff };
3505
+ })
3506
+ }).nullish(),
3507
+ sharedState: VulnerabilityReportIssueSharedStateZ
3843
3508
  });
3844
- var languages2 = {
3845
- ["Java" /* Java */]: java_default2,
3846
- ["JavaScript" /* JavaScript */]: js_default,
3847
- ["XML" /* Xml */]: xml_default2,
3848
- ["CSharp" /* CSharp */]: csharp_default2,
3849
- ["Python" /* Python */]: python_default2,
3850
- ["Go" /* Go */]: go_default2
3509
+ var FalsePositivePartsZ = z9.object({
3510
+ extraContext: z9.array(z9.object({ key: z9.string(), value: z9.string() })),
3511
+ fixDescription: z9.string()
3512
+ });
3513
+ var IssuePartsWithFixZ = BaseIssuePartsZ.merge(
3514
+ z9.object({
3515
+ category: z9.literal(CATEGORY.Irrelevant),
3516
+ fix: FixPartsForFixScreenZ.nullish()
3517
+ })
3518
+ );
3519
+ var IssuePartsFpZ = BaseIssuePartsZ.merge(
3520
+ z9.object({
3521
+ category: z9.literal(CATEGORY.FalsePositive),
3522
+ fpId: z9.string().uuid(),
3523
+ getFalsePositive: FalsePositivePartsZ
3524
+ })
3525
+ );
3526
+ var GeneralIssueZ = BaseIssuePartsZ.merge(
3527
+ z9.object({
3528
+ category: z9.union([
3529
+ z9.literal(CATEGORY.NoFix),
3530
+ z9.literal(CATEGORY.Unsupported),
3531
+ z9.literal(CATEGORY.Fixable),
3532
+ z9.literal(CATEGORY.Filtered)
3533
+ ])
3534
+ })
3535
+ );
3536
+ var IssuePartsZ = z9.union([
3537
+ IssuePartsFpZ,
3538
+ IssuePartsWithFixZ,
3539
+ GeneralIssueZ
3540
+ ]);
3541
+ var GetIssueIndexesZ = z9.object({
3542
+ currentIndex: z9.number(),
3543
+ totalIssues: z9.number(),
3544
+ nextIssue: z9.object({
3545
+ id: z9.string().uuid()
3546
+ }).nullish(),
3547
+ prevIssue: z9.object({
3548
+ id: z9.string().uuid()
3549
+ }).nullish()
3550
+ });
3551
+ var GetIssueScreenDataZ = z9.object({
3552
+ fixReport_by_pk: FixPageFixReportZ,
3553
+ vulnerability_report_issue_by_pk: IssuePartsZ,
3554
+ issueIndexes: GetIssueIndexesZ
3555
+ });
3556
+ var IssueBucketZ = z9.enum(["fixable", "irrelevant", "remaining"]);
3557
+ var mapCategoryToBucket = {
3558
+ FalsePositive: "irrelevant",
3559
+ Irrelevant: "irrelevant",
3560
+ NoFix: "remaining",
3561
+ Unsupported: "remaining",
3562
+ Fixable: "fixable",
3563
+ Filtered: "remaining"
3851
3564
  };
3852
- var storedQuestionData_default = languages2;
3853
3565
 
3854
- // src/features/analysis/scm/shared/src/guidances.ts
3855
- function toQuestion(userInput) {
3856
- const { key, defaultValue } = userInput;
3857
- const value = userInput.value || defaultValue;
3858
- return { ...userInput, defaultValue, value, key, error: false };
3859
- }
3860
- function getQuestionInformation({
3861
- fixQuestionData,
3862
- issueType,
3863
- language
3864
- }) {
3865
- const { name } = fixQuestionData;
3866
- const storedQuestionDataItem = storedQuestionData_default[language]?.[issueType]?.[name] ?? {
3867
- content: () => "",
3868
- description: () => "",
3869
- guidance: () => ""
3870
- };
3871
- return StoredQuestionDataItemZ.parse(storedQuestionDataItem);
3872
- }
3873
- function curriedQuestionInformationByQuestion({
3874
- issueType,
3875
- language
3876
- }) {
3877
- return (fixQuestionData) => getQuestionInformation({
3878
- issueType,
3879
- language,
3880
- fixQuestionData
3881
- });
3882
- }
3883
- function getPackageFixGuidance(actionsRequired) {
3884
- const actionRequiredStrings = actionsRequired.map((action) => {
3885
- if (action.language === "JS" /* Js */) {
3886
- if (action.action === "add" /* Add */) {
3887
- let actionRequired = `We use \`${action.lib.name}\` package to sanitize user input. Please make sure you add the latest [\`${action.lib.name}\`](https://www.npmjs.com/package/${action.lib.name}) to your \`package.json\` file.`;
3888
- if (action.typesLib) {
3889
- actionRequired += ` For TypeScript users, consider adding [\`${action.typesLib.name}\`](https://www.npmjs.com/package/${action.typesLib.name}) to your \`package.json\` as well`;
3890
- }
3891
- return actionRequired;
3892
- }
3893
- if (action.action === "relock" /* Relock */) {
3894
- const actionRequired = `A lock file was detected, please make sure to relock the lock file using your package manager.`;
3895
- return actionRequired;
3896
- }
3897
- if (action.action === "upgrade" /* Upgrade */) {
3898
- return `We use \`${action.lib.name}\` package to sanitize user input. Please make sure you upgrade the package [\`${action.lib.name}\`](https://www.npmjs.com/package/${action.lib.name}) to the latest version in your \`package.json\` file.`;
3899
- }
3900
- }
3901
- if (action.language === "JAVA" /* Java */) {
3902
- const names = action.lib.name.split(":");
3903
- const groupId = names[0];
3904
- const artifactId = names[1];
3905
- if (action.action === "add" /* Add */) {
3906
- return `We use \`${artifactId}\` package in the fix. Please make sure you add the latest [\`${artifactId}\`](https://mvnrepository.com/artifact/${groupId}/${artifactId}) to your pom file.`;
3907
- }
3908
- if (action.action === "upgrade" /* Upgrade */) {
3909
- return `We use \`${artifactId}\` package in the fix. Please make sure you upgrade the package [\`${artifactId}\`](https://mvnrepository.com/artifact/${groupId}/${artifactId}) to the latest version in your pom file.`;
3910
- }
3911
- }
3912
- return void 0;
3913
- });
3914
- return actionRequiredStrings.filter((action) => !!action);
3915
- }
3916
- function getFixGuidances({
3917
- issueType,
3918
- issueLanguage,
3919
- fixExtraContext,
3920
- questions
3921
- }) {
3922
- const storedFixGuidanceDataItem = languages[issueLanguage || ""]?.[issueType || ""] ?? {};
3923
- const storeFixResult = StoredFixDataItemZ.safeParse(storedFixGuidanceDataItem);
3924
- const libGuidances = getPackageFixGuidance(
3925
- fixExtraContext.manifestActionsRequired
3926
- );
3927
- const extraContext = fixExtraContext.extraContext.reduce(
3928
- (acc, obj) => {
3929
- acc[obj.key] = obj.value;
3930
- return acc;
3931
- },
3932
- {}
3933
- );
3934
- const fixGuidance = storeFixResult.success ? [storeFixResult.data.guidance({ questions, ...extraContext })] : [];
3935
- return libGuidances.concat(fixGuidance).filter((guidance) => !!guidance);
3936
- }
3937
- var IssueTypeAndLanguageZ = z12.object({
3938
- issueType: z12.nativeEnum(IssueType_Enum),
3939
- issueLanguage: z12.nativeEnum(IssueLanguage_Enum)
3566
+ // src/features/analysis/scm/shared/src/types/types.ts
3567
+ import { z as z11 } from "zod";
3568
+
3569
+ // src/features/analysis/scm/shared/src/validations.ts
3570
+ import { z as z10 } from "zod";
3571
+ var IssueTypeSettingZ = z10.object({
3572
+ autoPrEnabled: z10.boolean(),
3573
+ enabled: z10.boolean(),
3574
+ issueType: z10.nativeEnum(IssueType_Enum)
3940
3575
  });
3941
- function getGuidances(args) {
3942
- const safeIssueTypeAndLanguage = IssueTypeAndLanguageZ.safeParse({
3943
- issueType: args.issueType,
3944
- issueLanguage: args.issueLanguage
3945
- });
3946
- if (!safeIssueTypeAndLanguage.success) {
3947
- return [];
3948
- }
3949
- const { questions, fixExtraContext } = args;
3950
- const { issueType, issueLanguage } = safeIssueTypeAndLanguage.data;
3951
- const fixGuidances = getFixGuidances({
3952
- issueType,
3953
- issueLanguage,
3954
- fixExtraContext,
3955
- questions
3956
- }).map((guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` }));
3957
- return questions.map((question) => {
3958
- let questionGuidance = question.guidance;
3959
- if (!questionGuidance && issueType && issueLanguage) {
3960
- const getFixInformation = curriedQuestionInformationByQuestion({
3961
- issueType,
3962
- language: issueLanguage
3963
- });
3964
- const { guidance } = getFixInformation(question);
3965
- questionGuidance = guidance({
3966
- userInputValue: question.value
3967
- });
3576
+ var IssueTypeSettingsZ = z10.array(IssueTypeSettingZ).transform((issueTypeSettings) => {
3577
+ return Object.values(IssueType_Enum).map((issueTypeEnum) => {
3578
+ const existingIssueTypeSetting = issueTypeSettings.find(
3579
+ ({ issueType: dbIssueType }) => dbIssueType === issueTypeEnum
3580
+ );
3581
+ if (existingIssueTypeSetting) {
3582
+ return existingIssueTypeSetting;
3968
3583
  }
3969
3584
  return {
3970
- ...question,
3971
- guidance: questionGuidance
3585
+ autoPrEnabled: false,
3586
+ enabled: true,
3587
+ issueType: issueTypeEnum
3972
3588
  };
3973
- }).filter(({ guidance }) => !!guidance).map(({ guidance, key }) => ({ guidance, key })).concat(fixGuidances);
3974
- }
3589
+ }).sort((a, b) => {
3590
+ return getIssueTypeFriendlyString(a.issueType).localeCompare(
3591
+ getIssueTypeFriendlyString(b.issueType)
3592
+ );
3593
+ });
3594
+ });
3595
+
3596
+ // src/features/analysis/scm/shared/src/types/types.ts
3597
+ var OrganizationScreenQueryParamsZ = z11.object({
3598
+ organizationId: z11.string().uuid()
3599
+ });
3600
+ var ProjectPageQueryParamsZ = z11.object({
3601
+ organizationId: z11.string().uuid(),
3602
+ projectId: z11.string().uuid()
3603
+ });
3604
+ var AnalysisPageQueryParamsZ = ProjectPageQueryParamsZ.extend({
3605
+ reportId: z11.string().uuid()
3606
+ });
3607
+ var FixPageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
3608
+ fixId: z11.string().uuid()
3609
+ });
3610
+ var IssuePageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
3611
+ issueId: z11.string().uuid()
3612
+ });
3613
+ var CliLoginPageQueryParamsZ = z11.object({
3614
+ loginId: z11.string().uuid()
3615
+ });
3616
+ var AnalysisReportDigestedZ = z11.object({
3617
+ id: z11.string().uuid(),
3618
+ state: z11.nativeEnum(Fix_Report_State_Enum),
3619
+ vulnerabilityReport: z11.object({
3620
+ reportSummaryUrl: z11.string().url().nullish(),
3621
+ scanDate: z11.string().nullable(),
3622
+ supported: z11.object({
3623
+ aggregate: z11.object({
3624
+ count: z11.number()
3625
+ })
3626
+ }),
3627
+ all: z11.object({
3628
+ aggregate: z11.object({
3629
+ count: z11.number()
3630
+ })
3631
+ }),
3632
+ vendor: z11.nativeEnum(Vulnerability_Report_Vendor_Enum),
3633
+ project: z11.object({
3634
+ organizationId: z11.string().uuid()
3635
+ })
3636
+ })
3637
+ });
3638
+ var ReportQueryResultZ = z11.object({
3639
+ fixReport_by_pk: z11.object({
3640
+ id: z11.string().uuid(),
3641
+ analysisUrl: z11.string(),
3642
+ fixesCommitted: z11.object({
3643
+ aggregate: z11.object({ count: z11.number() })
3644
+ }),
3645
+ fixesDownloaded: z11.object({
3646
+ aggregate: z11.object({ count: z11.number() })
3647
+ }),
3648
+ fixesDoneCount: z11.number(),
3649
+ fixesInprogressCount: z11.number(),
3650
+ fixesReadyCount: z11.object({
3651
+ aggregate: z11.object({ count: z11.number() })
3652
+ }),
3653
+ issueTypes: z11.record(z11.string(), z11.number()).nullable(),
3654
+ issueLanguages: z11.record(z11.string(), z11.number()).nullable(),
3655
+ fixesCountByEffort: z11.record(z11.string(), z11.number()).nullable(),
3656
+ vulnerabilitySeverities: z11.record(z11.string(), z11.number()).nullable(),
3657
+ createdOn: z11.string(),
3658
+ expirationOn: z11.string().nullable(),
3659
+ state: z11.nativeEnum(Fix_Report_State_Enum),
3660
+ fixes: z11.array(
3661
+ z11.object({
3662
+ id: z11.string().uuid(),
3663
+ safeIssueLanguage: z11.string(),
3664
+ safeIssueType: z11.string(),
3665
+ confidence: z11.number(),
3666
+ effortToApplyFix: z11.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
3667
+ modifiedBy: z11.string().nullable(),
3668
+ gitBlameLogin: z11.string().nullable(),
3669
+ fixReportId: z11.string().uuid(),
3670
+ filePaths: z11.array(
3671
+ z11.object({
3672
+ fileRepoRelativePath: z11.string()
3673
+ })
3674
+ ),
3675
+ sharedState: FixSharedStateZ,
3676
+ numberOfVulnerabilityIssues: z11.number(),
3677
+ severityText: z11.nativeEnum(Vulnerability_Severity_Enum),
3678
+ vulnerabilityReportIssues: z11.array(
3679
+ z11.object({
3680
+ id: z11.string().uuid(),
3681
+ issueType: z11.string(),
3682
+ issueLanguage: z11.string(),
3683
+ category: z11.string()
3684
+ })
3685
+ )
3686
+ // scmSubmitFixRequests: ScmSubmitFixRequestsZ,
3687
+ })
3688
+ ),
3689
+ repo: z11.object({
3690
+ name: z11.string().nullable(),
3691
+ originalUrl: z11.string(),
3692
+ reference: z11.string(),
3693
+ commitSha: z11.string(),
3694
+ isKnownBranch: z11.boolean().nullish().default(true)
3695
+ }),
3696
+ vulnerabilityReportIssuesFixedCount: z11.object({
3697
+ vulnerabilityReportIssues_aggregate: z11.object({
3698
+ aggregate: z11.object({ count: z11.number() })
3699
+ })
3700
+ }),
3701
+ vulnerabilityReport: z11.object({
3702
+ id: z11.string().uuid(),
3703
+ reportSummaryUrl: z11.string().url().nullish(),
3704
+ vendor: z11.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
3705
+ issuesWithKnownLanguage: z11.number().nullable(),
3706
+ scanDate: z11.string().nullable(),
3707
+ vendorReportId: z11.string().uuid().nullable(),
3708
+ projectId: z11.string().uuid(),
3709
+ project: z11.object({
3710
+ organizationId: z11.string().uuid()
3711
+ }),
3712
+ file: z11.object({
3713
+ id: z11.string().uuid(),
3714
+ path: z11.string()
3715
+ }),
3716
+ pending: z11.object({
3717
+ aggregate: z11.object({
3718
+ count: z11.number()
3719
+ })
3720
+ }),
3721
+ irrelevant: z11.object({
3722
+ aggregate: z11.object({
3723
+ count: z11.number()
3724
+ })
3725
+ }),
3726
+ remaining: z11.object({
3727
+ aggregate: z11.object({
3728
+ count: z11.number()
3729
+ })
3730
+ }),
3731
+ digested: z11.object({
3732
+ aggregate: z11.object({
3733
+ count: z11.number()
3734
+ })
3735
+ }),
3736
+ supported: z11.object({
3737
+ aggregate: z11.object({
3738
+ count: z11.number()
3739
+ })
3740
+ }),
3741
+ all: z11.object({
3742
+ aggregate: z11.object({
3743
+ count: z11.number()
3744
+ })
3745
+ }),
3746
+ fixable: z11.object({
3747
+ aggregate: z11.object({
3748
+ count: z11.number()
3749
+ })
3750
+ }),
3751
+ errors: z11.object({
3752
+ aggregate: z11.object({
3753
+ count: z11.number()
3754
+ })
3755
+ }),
3756
+ vulnerabilityReportIssues: z11.object({
3757
+ id: z11.string().uuid(),
3758
+ extraData: z11.object({
3759
+ missing_files: z11.string().array().nullish(),
3760
+ large_files: z11.string().array().nullish(),
3761
+ error_files: z11.string().array().nullish()
3762
+ })
3763
+ }).array()
3764
+ })
3765
+ })
3766
+ });
3767
+ var ReportFixesQueryFixZ = z11.object({
3768
+ id: z11.string().uuid(),
3769
+ sharedState: FixSharedStateZ,
3770
+ confidence: z11.number(),
3771
+ gitBlameLogin: z11.string().nullable(),
3772
+ effortToApplyFix: z11.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
3773
+ safeIssueLanguage: z11.string(),
3774
+ safeIssueType: z11.string(),
3775
+ fixReportId: z11.string().uuid(),
3776
+ filePaths: z11.array(
3777
+ z11.object({
3778
+ fileRepoRelativePath: z11.string()
3779
+ })
3780
+ ),
3781
+ numberOfVulnerabilityIssues: z11.number(),
3782
+ severityText: z11.nativeEnum(Vulnerability_Severity_Enum),
3783
+ vulnerabilityReportIssues: z11.array(
3784
+ z11.object({
3785
+ issueType: z11.string(),
3786
+ issueLanguage: z11.string()
3787
+ })
3788
+ ).min(1)
3789
+ });
3790
+ var VulnerabilityReportIssueZ = z11.object({
3791
+ id: z11.string().uuid(),
3792
+ createdAt: z11.string(),
3793
+ state: z11.nativeEnum(Vulnerability_Report_Issue_State_Enum),
3794
+ safeIssueType: z11.string(),
3795
+ safeIssueLanguage: z11.string(),
3796
+ extraData: z11.object({
3797
+ missing_files: z11.string().array().nullish(),
3798
+ large_files: z11.string().array().nullish(),
3799
+ error_files: z11.string().array().nullish()
3800
+ }),
3801
+ fix: ReportFixesQueryFixZ.nullable(),
3802
+ falsePositive: z11.object({
3803
+ id: z11.string().uuid()
3804
+ }).nullable(),
3805
+ parsedSeverity: ParsedSeverityZ,
3806
+ severity: z11.string(),
3807
+ severityValue: z11.number(),
3808
+ category: z11.string(),
3809
+ codeNodes: z11.array(z11.object({ path: z11.string() })),
3810
+ vulnerabilityReportIssueTags: z11.array(
3811
+ z11.object({
3812
+ vulnerability_report_issue_tag_value: z11.string()
3813
+ })
3814
+ ),
3815
+ sharedState: VulnerabilityReportIssueSharedStateZ
3816
+ });
3817
+ var GetReportIssuesQueryZ = z11.object({
3818
+ fixReport: z11.object({
3819
+ vulnerabilityReport: z11.object({
3820
+ id: z11.string().uuid(),
3821
+ lastIssueUpdatedAt: z11.string(),
3822
+ vulnerabilityReportIssues_aggregate: z11.object({
3823
+ aggregate: z11.object({ count: z11.number() })
3824
+ }),
3825
+ vulnerabilityReportIssues: z11.array(VulnerabilityReportIssueZ)
3826
+ })
3827
+ }).array()
3828
+ }).nullish();
3829
+ var FixReportByProjectZ = z11.object({
3830
+ project_by_pk: z11.object({
3831
+ vulnerabilityReports: z11.array(
3832
+ z11.object({
3833
+ fixReport: z11.object({ id: z11.string().uuid() }).nullable()
3834
+ })
3835
+ )
3836
+ })
3837
+ });
3838
+ var FixScreenQueryResultZ = z11.object({
3839
+ fixReport_by_pk: FixPageFixReportZ,
3840
+ fix_by_pk: FixPartsForFixScreenZ,
3841
+ fixesWithSameIssueType: z11.array(
3842
+ z11.object({
3843
+ id: z11.string().uuid(),
3844
+ sharedState: z11.object({ state: z11.nativeEnum(Fix_State_Enum) }).nullable().default({ state: "Ready" /* Ready */ })
3845
+ })
3846
+ ),
3847
+ relevantIssue: IssuePartsZ.nullish()
3848
+ });
3849
+ var FixPageQueryZ = z11.object({
3850
+ data: FixScreenQueryResultZ
3851
+ });
3852
+ var GetReportFixesQueryZ = z11.object({
3853
+ fixReport: z11.array(
3854
+ z11.object({
3855
+ fixes: z11.array(ReportFixesQueryFixZ),
3856
+ vulnerabilityReportIssuesTotalCount: z11.object({
3857
+ vulnerabilityReportIssues_aggregate: z11.object({
3858
+ aggregate: z11.object({ count: z11.number() })
3859
+ })
3860
+ }),
3861
+ vulnerabilityReportIssuesFixedCount: z11.object({
3862
+ vulnerabilityReportIssues_aggregate: z11.object({
3863
+ aggregate: z11.object({ count: z11.number() })
3864
+ })
3865
+ }),
3866
+ vulnerabilityReportIssuesIrrelevantCount: z11.object({
3867
+ vulnerabilityReportIssues_aggregate: z11.object({
3868
+ aggregate: z11.object({ count: z11.number() })
3869
+ })
3870
+ }),
3871
+ vulnerabilityReportIssuesRemainingCount: z11.object({
3872
+ vulnerabilityReportIssues_aggregate: z11.object({
3873
+ aggregate: z11.object({ count: z11.number() })
3874
+ })
3875
+ })
3876
+ })
3877
+ )
3878
+ }).nullish();
3879
+ var ProjectVulnerabilityReport = z11.object({
3880
+ id: z11.string().uuid(),
3881
+ name: z11.string().nullable(),
3882
+ vendor: z11.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
3883
+ fixReport: z11.object({
3884
+ id: z11.string().uuid(),
3885
+ createdOn: z11.string(),
3886
+ vulnerabilityReportIssuesFixedCount: z11.object({
3887
+ vulnerabilityReportIssues_aggregate: z11.object({
3888
+ aggregate: z11.object({ count: z11.number() })
3889
+ })
3890
+ }),
3891
+ issueTypes: z11.record(z11.string(), z11.number()).nullable(),
3892
+ issueLanguages: z11.record(z11.nativeEnum(IssueLanguage_Enum), z11.number()).nullable(),
3893
+ fixesCountByEffort: z11.record(z11.nativeEnum(Effort_To_Apply_Fix_Enum), z11.number()).nullable(),
3894
+ vulnerabilitySeverities: z11.record(z11.nativeEnum(Vulnerability_Severity_Enum), z11.number()).nullable(),
3895
+ fixesDoneCount: z11.number(),
3896
+ fixesInprogressCount: z11.number(),
3897
+ fixesReadyCount: z11.number(),
3898
+ repo: z11.object({
3899
+ originalUrl: z11.string(),
3900
+ reference: z11.string(),
3901
+ name: z11.string()
3902
+ }),
3903
+ createdByUser: z11.object({
3904
+ email: z11.string()
3905
+ }).nullable(),
3906
+ state: z11.nativeEnum(Fix_Report_State_Enum),
3907
+ expirationOn: z11.string()
3908
+ })
3909
+ });
3910
+ var ProjectGetProjectZ = z11.object({
3911
+ id: z11.string().uuid(),
3912
+ name: z11.string(),
3913
+ vulnerabilityReports: z11.object({
3914
+ vendor: z11.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
3915
+ fixReport: z11.object({
3916
+ issueLanguages: z11.record(z11.nativeEnum(IssueLanguage_Enum), z11.number()).nullable(),
3917
+ state: z11.nativeEnum(Fix_Report_State_Enum),
3918
+ repo: z11.object({
3919
+ originalUrl: z11.string(),
3920
+ reference: z11.string()
3921
+ }),
3922
+ expirationOn: z11.string()
3923
+ })
3924
+ }).array()
3925
+ });
3926
+ var GetProjectsQueryZ = z11.array(ProjectGetProjectZ);
3927
+ var ProjectPageQueryResultZ = z11.object({
3928
+ name: z11.string(),
3929
+ id: z11.string().uuid(),
3930
+ isDefault: z11.boolean().default(false),
3931
+ organizationId: z11.string().uuid(),
3932
+ vulnerabilityReports: z11.array(ProjectVulnerabilityReport),
3933
+ projectIssueTypeSettings: z11.array(
3934
+ IssueTypeSettingZ.merge(z11.object({ id: z11.string() }))
3935
+ )
3936
+ });
3937
+ var GetProjectMembersDataZ = z11.object({
3938
+ project_by_pk: z11.object({
3939
+ name: z11.string(),
3940
+ id: z11.string(),
3941
+ projectUsers: z11.array(
3942
+ z11.object({
3943
+ projectToRole: z11.object({
3944
+ projectRole: z11.object({
3945
+ type: z11.nativeEnum(Project_Role_Type_Enum)
3946
+ })
3947
+ }),
3948
+ user: z11.object({
3949
+ id: z11.string().uuid(),
3950
+ picture: z11.string().optional(),
3951
+ name: z11.string().nullish(),
3952
+ email: z11.string().email()
3953
+ })
3954
+ })
3955
+ )
3956
+ })
3957
+ });
3958
+ var RepoArgsZ = z11.object({
3959
+ originalUrl: z11.string().url(),
3960
+ branch: z11.string(),
3961
+ commitSha: z11.string()
3962
+ });
3963
+ var scmCloudUrl = {
3964
+ GitLab: "https://gitlab.com",
3965
+ GitHub: "https://github.com",
3966
+ Ado: "https://dev.azure.com",
3967
+ Bitbucket: "https://bitbucket.org"
3968
+ };
3969
+ var ScmType = /* @__PURE__ */ ((ScmType2) => {
3970
+ ScmType2["GitHub"] = "GitHub";
3971
+ ScmType2["GitLab"] = "GitLab";
3972
+ ScmType2["Ado"] = "Ado";
3973
+ ScmType2["Bitbucket"] = "Bitbucket";
3974
+ return ScmType2;
3975
+ })(ScmType || {});
3976
+ var ConvertToSarifInputFileFormat = /* @__PURE__ */ ((ConvertToSarifInputFileFormat2) => {
3977
+ ConvertToSarifInputFileFormat2["FortifyFPR"] = "FortifyFPR";
3978
+ return ConvertToSarifInputFileFormat2;
3979
+ })(ConvertToSarifInputFileFormat || {});
3975
3980
 
3976
3981
  // src/features/analysis/scm/shared/src/urlParser/urlParser.ts
3977
- import { z as z13 } from "zod";
3982
+ import { z as z12 } from "zod";
3978
3983
  var ADO_PREFIX_PATH = "tfs";
3979
3984
  var NAME_REGEX = /[a-z0-9\-_.+]+/i;
3980
3985
  function detectAdoUrl(args) {
@@ -3991,7 +3996,7 @@ function detectAdoUrl(args) {
3991
3996
  scmType: "Ado" /* Ado */,
3992
3997
  organization,
3993
3998
  // project has single repo - repoName === projectName
3994
- projectName: z13.string().parse(projectName),
3999
+ projectName: z12.string().parse(projectName),
3995
4000
  repoName: projectName,
3996
4001
  prefixPath
3997
4002
  };
@@ -4002,7 +4007,7 @@ function detectAdoUrl(args) {
4002
4007
  return {
4003
4008
  scmType: "Ado" /* Ado */,
4004
4009
  organization,
4005
- projectName: z13.string().parse(projectName),
4010
+ projectName: z12.string().parse(projectName),
4006
4011
  repoName,
4007
4012
  prefixPath
4008
4013
  };
@@ -4016,7 +4021,7 @@ function detectAdoUrl(args) {
4016
4021
  scmType: "Ado" /* Ado */,
4017
4022
  organization,
4018
4023
  // project has only one repo - repoName === projectName
4019
- projectName: z13.string().parse(repoName),
4024
+ projectName: z12.string().parse(repoName),
4020
4025
  repoName,
4021
4026
  prefixPath
4022
4027
  };
@@ -4026,7 +4031,7 @@ function detectAdoUrl(args) {
4026
4031
  return {
4027
4032
  scmType: "Ado" /* Ado */,
4028
4033
  organization,
4029
- projectName: z13.string().parse(projectName),
4034
+ projectName: z12.string().parse(projectName),
4030
4035
  repoName,
4031
4036
  prefixPath
4032
4037
  };
@@ -4152,11 +4157,8 @@ function getIssueUrl({
4152
4157
  return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/issue/${issueId}`;
4153
4158
  }
4154
4159
 
4155
- // src/features/analysis/scm/utils/index.ts
4156
- import { z as z15 } from "zod";
4157
-
4158
4160
  // src/features/analysis/scm/types.ts
4159
- import { z as z14 } from "zod";
4161
+ import { z as z13 } from "zod";
4160
4162
  var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
4161
4163
  ReferenceType2["BRANCH"] = "BRANCH";
4162
4164
  ReferenceType2["COMMIT"] = "COMMIT";
@@ -4188,12 +4190,19 @@ var scmTypeToScmLibScmType = {
4188
4190
  ["Ado" /* Ado */]: "ADO" /* ADO */,
4189
4191
  ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
4190
4192
  };
4191
- var GetRefererenceResultZ = z14.object({
4192
- date: z14.date().optional(),
4193
- sha: z14.string(),
4194
- type: z14.nativeEnum(ReferenceType)
4193
+ var GetRefererenceResultZ = z13.object({
4194
+ date: z13.date().optional(),
4195
+ sha: z13.string(),
4196
+ type: z13.nativeEnum(ReferenceType)
4195
4197
  });
4196
4198
 
4199
+ // src/features/analysis/scm/utils/scm.ts
4200
+ var safeBody = (body, maxBodyLength) => {
4201
+ const truncationNotice = "\n\n... Message was cut here because it is too long";
4202
+ const maxBodyContentLength = maxBodyLength - truncationNotice.length;
4203
+ return body.length > maxBodyLength ? body.slice(0, maxBodyContentLength) + truncationNotice : body;
4204
+ };
4205
+
4197
4206
  // src/features/analysis/scm/utils/index.ts
4198
4207
  function getFixUrlWithRedirect(params) {
4199
4208
  const {
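Review bot: safeBody at 4200–4204 derives maxBodyContentLength from maxBodyLength minus the notice length without guarding the case where maxBodyLength is shorter than the notice; String.prototype.slice then gets a negative end and returns a tail of the body instead of a prefix. The limits this commit passes (15e4, 32768, 65536, 1048576) cannot trigger it, but the helper is generic, so `const maxBodyContentLength = Math.max(0, maxBodyLength - truncationNotice.length);` makes the contract explicit. A header comment would also help, e.g. `// Truncate body so that body + notice stays within the SCM provider's description limit`. Cutting at a UTF-16 index may also split a surrogate pair at the boundary, which is worth stating in that comment.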
@@ -4305,7 +4314,7 @@ function shouldValidateUrl(repoUrl) {
4305
4314
  return repoUrl && isUrlHasPath(repoUrl);
4306
4315
  }
4307
4316
  function isBrokerUrl(url) {
4308
- return z15.string().uuid().safeParse(new URL(url).host).success;
4317
+ return z14.string().uuid().safeParse(new URL(url).host).success;
4309
4318
  }
4310
4319
  function buildAuthorizedRepoUrl(args) {
4311
4320
  const { url, username, password } = args;
@@ -4341,7 +4350,7 @@ function getCloudScmLibTypeFromUrl(url) {
4341
4350
  return void 0;
4342
4351
  }
4343
4352
  function getScmLibTypeFromScmType(scmType) {
4344
- const parsedScmType = z15.nativeEnum(ScmType).parse(scmType);
4353
+ const parsedScmType = z14.nativeEnum(ScmType).parse(scmType);
4345
4354
  return scmTypeToScmLibScmType[parsedScmType];
4346
4355
  }
4347
4356
  function getScmConfig({
@@ -4407,6 +4416,24 @@ function getScmConfig({
4407
4416
  };
4408
4417
  }
4409
4418
 
4419
+ // src/features/analysis/scm/ado/constants.ts
4420
+ var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
4421
+
4422
+ // src/features/analysis/scm/ado/utils.ts
4423
+ import querystring from "querystring";
4424
+ import * as api from "azure-devops-node-api";
4425
+ import Debug from "debug";
4426
+ import { z as z17 } from "zod";
4427
+
4428
+ // src/features/analysis/scm/env.ts
4429
+ import { z as z15 } from "zod";
4430
+ var EnvVariablesZod = z15.object({
4431
+ GITLAB_API_TOKEN: z15.string().optional(),
4432
+ GITHUB_API_TOKEN: z15.string().optional(),
4433
+ GIT_PROXY_HOST: z15.string().optional().default("http://tinyproxy:8888")
4434
+ });
4435
+ var { GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
4436
+
4410
4437
  // src/features/analysis/scm/ado/validation.ts
4411
4438
  import { z as z16 } from "zod";
4412
4439
  var ValidPullRequestStatusZ = z16.union([
@@ -4690,6 +4717,7 @@ async function validateAdoRepo({
4690
4717
  }
4691
4718
 
4692
4719
  // src/features/analysis/scm/ado/ado.ts
4720
+ var MAX_ADO_PR_BODY_LENGTH = 15e4;
4693
4721
  async function getAdoSdk(params) {
4694
4722
  const api2 = await getAdoApiClient(params);
4695
4723
  return {
@@ -4840,7 +4868,7 @@ async function getAdoSdk(params) {
4840
4868
  sourceRefName: `refs/heads/${sourceBranchName}`,
4841
4869
  targetRefName: `refs/heads/${targetBranchName}`,
4842
4870
  title,
4843
- description: body
4871
+ description: safeBody(body, MAX_ADO_PR_BODY_LENGTH)
4844
4872
  },
4845
4873
  repo,
4846
4874
  projectName
@@ -5915,6 +5943,7 @@ var TokenExpiredErrorZ = z19.object({
5915
5943
  })
5916
5944
  });
5917
5945
  var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
5946
+ var MAX_BITBUCKET_PR_BODY_LENGTH = 32768;
5918
5947
  var BitbucketParseResultZ = z19.object({
5919
5948
  organization: z19.string(),
5920
5949
  repoName: z19.string(),
@@ -6003,7 +6032,7 @@ function getBitbucketSdk(params) {
6003
6032
  type: "pullrequest",
6004
6033
  title: params2.title,
6005
6034
  summary: {
6006
- raw: params2.body
6035
+ raw: safeBody(params2.body, MAX_BITBUCKET_PR_BODY_LENGTH)
6007
6036
  },
6008
6037
  source: {
6009
6038
  branch: {
@@ -6623,6 +6652,7 @@ async function githubValidateParams(url, accessToken) {
6623
6652
  }
6624
6653
 
6625
6654
  // src/features/analysis/scm/github/github.ts
6655
+ var MAX_GH_PR_BODY_LENGTH = 65536;
6626
6656
  function getGithubSdk(params = {}) {
6627
6657
  const octokit = getOctoKit(params);
6628
6658
  return {
@@ -6948,7 +6978,7 @@ function getGithubSdk(params = {}) {
6948
6978
  title,
6949
6979
  head: newBranchName,
6950
6980
  head_repo: sourceRepo,
6951
- body,
6981
+ body: safeBody(body, MAX_GH_PR_BODY_LENGTH),
6952
6982
  base: defaultBranch
6953
6983
  });
6954
6984
  return {
@@ -6970,7 +7000,7 @@ function getGithubSdk(params = {}) {
6970
7000
  owner,
6971
7001
  repo,
6972
7002
  title: options.title,
6973
- body: options.body,
7003
+ body: safeBody(options.body, MAX_GH_PR_BODY_LENGTH),
6974
7004
  head: options.sourceBranchName,
6975
7005
  base: options.targetBranchName,
6976
7006
  draft: false,
@@ -7278,6 +7308,7 @@ var debug3 = Debug3("scm:gitlab");
7278
7308
  function removeTrailingSlash2(str) {
7279
7309
  return str.trim().replace(/\/+$/, "");
7280
7310
  }
7311
+ var MAX_GITLAB_PR_BODY_LENGTH = 1048576;
7281
7312
  function getRandomGitlabCloudAnonToken() {
7282
7313
  if (!GITLAB_API_TOKEN || typeof GITLAB_API_TOKEN !== "string") {
7283
7314
  return void 0;
@@ -7475,7 +7506,7 @@ async function createMergeRequest(options) {
7475
7506
  options.targetBranchName,
7476
7507
  options.title,
7477
7508
  {
7478
- description: options.body
7509
+ description: safeBody(options.body, MAX_GITLAB_PR_BODY_LENGTH)
7479
7510
  }
7480
7511
  );
7481
7512
  return res.iid;
@@ -10978,7 +11009,7 @@ async function handleMobbLogin({
10978
11009
  const newGqlClient = new GQLClient({ apiKey: newApiToken, type: "apiKey" });
10979
11010
  const loginSuccess = await newGqlClient.verifyToken();
10980
11011
  if (loginSuccess) {
10981
- debug18("set api token %s", newApiToken);
11012
+ debug18(`set api token ${newApiToken}`);
10982
11013
  config3.set("apiToken", newApiToken);
10983
11014
  loginSpinner.success({
10984
11015
  text: `\u{1F513} Login to Mobb successful! ${typeof loginSpinner === "string" ? `Logged in as ${loginSuccess}` : ""}`
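Review bot: The rewritten line at 11012 still writes the freshly issued API token in clear text to the debug output; switching from `%s` to a template literal only changes the formatting, not what is emitted. The same pattern is at 11731 in getMcpGQLClient (L6154), and there `logDebug` is the MCP Logger defined at 11267, which POSTs the message as JSON over plain HTTP to the log endpoint, so the token leaves the process rather than only reaching stderr when the debug namespace is enabled. Recording that a token was stored is sufficient: `debug18("set api token");` here and `logDebug("set api token");` there. handleMobbLogin's body continues outside the hunk.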
@@ -11137,24 +11168,96 @@ import {
11137
11168
  // src/mcp/Logger.ts
11138
11169
  var logglerUrl = "http://localhost:4444/log";
11139
11170
  var isTestEnvironment = process.env["VITEST"] || process.env["TEST"];
11171
+ var CIRCUIT_BREAKER_TIME = 5e3;
11172
+ var URL_CHECK_TIMEOUT = 200;
11173
+ var MAX_QUEUE_SIZE = 100;
11140
11174
  var Logger = class {
11175
+ constructor() {
11176
+ __publicField(this, "queue", []);
11177
+ __publicField(this, "isProcessing", false);
11178
+ __publicField(this, "isCircuitBroken", false);
11179
+ __publicField(this, "circuitBreakerTimer", null);
11180
+ }
11141
11181
  log(message, level = "info", data) {
11182
+ if (isTestEnvironment) return;
11183
+ if (this.queue.length >= MAX_QUEUE_SIZE) {
11184
+ this.queue.shift();
11185
+ }
11186
+ this.queue.push({ message, level, data });
11187
+ if (!this.isProcessing && !this.isCircuitBroken) {
11188
+ this.processQueue();
11189
+ }
11190
+ }
11191
+ async isUrlReachable(url) {
11192
+ try {
11193
+ const controller = new AbortController();
11194
+ const timeoutId = setTimeout(() => controller.abort(), URL_CHECK_TIMEOUT);
11195
+ await fetch(url, {
11196
+ method: "HEAD",
11197
+ signal: controller.signal
11198
+ });
11199
+ clearTimeout(timeoutId);
11200
+ return true;
11201
+ } catch (error) {
11202
+ return false;
11203
+ }
11204
+ }
11205
+ async processQueue() {
11206
+ if (this.queue.length === 0 || this.isCircuitBroken) {
11207
+ this.isProcessing = false;
11208
+ return;
11209
+ }
11210
+ this.isProcessing = true;
11211
+ const logEntry = this.queue[0];
11212
+ if (!logEntry) {
11213
+ this.isProcessing = false;
11214
+ return;
11215
+ }
11216
+ const isReachable = await this.isUrlReachable(logglerUrl);
11217
+ if (!isReachable) {
11218
+ this.triggerCircuitBreaker();
11219
+ return;
11220
+ }
11142
11221
  const logMessage = {
11143
11222
  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
11144
- level,
11145
- message,
11146
- data
11223
+ level: logEntry.level,
11224
+ message: logEntry.message,
11225
+ data: logEntry.data
11147
11226
  };
11148
- if (!isTestEnvironment) {
11149
- try {
11150
- fetch(logglerUrl, {
11151
- method: "POST",
11152
- headers: { "Content-Type": "application/json" },
11153
- body: JSON.stringify(logMessage)
11154
- });
11155
- } catch (error) {
11227
+ const controller = new AbortController();
11228
+ const timeoutId = setTimeout(() => {
11229
+ controller.abort();
11230
+ }, 500);
11231
+ fetch(logglerUrl, {
11232
+ method: "POST",
11233
+ headers: { "Content-Type": "application/json" },
11234
+ body: JSON.stringify(logMessage),
11235
+ redirect: "error",
11236
+ // do not follow redirects
11237
+ signal: controller.signal
11238
+ }).then((_response) => {
11239
+ this.queue.shift();
11240
+ setTimeout(() => this.processQueue(), 0);
11241
+ }).catch(() => {
11242
+ this.triggerCircuitBreaker();
11243
+ }).finally(() => {
11244
+ clearTimeout(timeoutId);
11245
+ });
11246
+ }
11247
+ triggerCircuitBreaker() {
11248
+ this.isCircuitBroken = true;
11249
+ this.queue = [];
11250
+ this.isProcessing = false;
11251
+ if (this.circuitBreakerTimer) {
11252
+ clearTimeout(this.circuitBreakerTimer);
11253
+ }
11254
+ this.circuitBreakerTimer = setTimeout(() => {
11255
+ this.isCircuitBroken = false;
11256
+ this.circuitBreakerTimer = null;
11257
+ if (this.queue.length > 0 && !this.isProcessing) {
11258
+ this.processQueue();
11156
11259
  }
11157
- }
11260
+ }, CIRCUIT_BREAKER_TIME);
11158
11261
  }
11159
11262
  };
11160
11263
  var logger = new Logger();
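Review bot: processQueue at 11205–11246 calls JSON.stringify(logMessage) at 11234 outside any try/catch after isProcessing has been set to true; a data payload that cannot be serialised (a circular object, a BigInt) makes the async method reject, nothing awaits it (log() fires it at 11188), and isProcessing stays true so the queue never drains again. This is reachable in the same commit, because handleListToolsRequest and handleCallToolRequest now pass `this.server` and the raw request as data (L6243, L6295). Serialise in a guarded step before the fetch and drop the entry on failure, as sketched below. Separately, when the queue is full log() evicts queue[0] at 11184, which is the entry currently in flight, so the later shift() in the then-handler at 11239 removes an entry that was never sent; evicting from index 1 when isProcessing is set would avoid that.
```javascript
    // … unchanged: reachability check and logMessage construction …
    let payload;
    try {
      payload = JSON.stringify(logMessage);
    } catch {
      // Unserialisable data must not wedge the queue: drop this entry and continue.
      this.queue.shift();
      setTimeout(() => this.processQueue(), 0);
      return;
    }
    // … unchanged: AbortController and timeout …
    fetch(logglerUrl, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: payload,
      // … unchanged: redirect, signal, then/catch/finally …
    })
```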
@@ -11162,7 +11265,7 @@ var logInfo = (message, data) => logger.log(message, "info", data);
11162
11265
  var logError = (message, data) => logger.log(message, "error", data);
11163
11266
  var logWarn = (message, data) => logger.log(message, "warn", data);
11164
11267
  var logDebug = (message, data) => logger.log(message, "debug", data);
11165
- var log = logger.log;
11268
+ var log = logger.log.bind(logger);
11166
11269
 
11167
11270
  // src/mcp/services/McpGQLClient.ts
11168
11271
  import crypto2 from "crypto";
@@ -11438,24 +11541,6 @@ var McpGQLClient = class {
11438
11541
  throw e;
11439
11542
  }
11440
11543
  }
11441
- async getReportFixes(fixReportId) {
11442
- try {
11443
- logDebug("GraphQL: Calling GetMCPFixes query", { fixReportId });
11444
- const res = await this.clientSdk.GetMCPFixes({ fixReportId });
11445
- logInfo("GraphQL: GetMCPFixes successful", {
11446
- result: res,
11447
- fixCount: res.fix?.length || 0
11448
- });
11449
- return res.fix;
11450
- } catch (e) {
11451
- logError("GraphQL: GetMCPFixes failed", {
11452
- error: e,
11453
- fixReportId,
11454
- ...this.getErrorContext()
11455
- });
11456
- throw e;
11457
- }
11458
- }
11459
11544
  async getUserInfo() {
11460
11545
  const { me } = await this.clientSdk.Me();
11461
11546
  return me;
@@ -11501,15 +11586,21 @@ var McpGQLClient = class {
11501
11586
  return null;
11502
11587
  }
11503
11588
  }
11504
- async getLatestReportByRepoUrl(repoUrl, limit) {
11589
+ async getLatestReportByRepoUrl({
11590
+ repoUrl,
11591
+ limit = 3,
11592
+ offset = 0
11593
+ }) {
11505
11594
  try {
11506
11595
  logDebug("GraphQL: Calling GetLatestReportByRepoUrl query", {
11507
11596
  repoUrl,
11508
- limit
11597
+ limit,
11598
+ offset
11509
11599
  });
11510
11600
  const res = await this.clientSdk.GetLatestReportByRepoUrl({
11511
11601
  repoUrl,
11512
- limit
11602
+ limit,
11603
+ offset
11513
11604
  });
11514
11605
  logInfo("GraphQL: GetLatestReportByRepoUrl successful", {
11515
11606
  result: res,
@@ -11525,6 +11616,56 @@ var McpGQLClient = class {
11525
11616
  throw e;
11526
11617
  }
11527
11618
  }
11619
+ async getReportFixesPaginated({
11620
+ reportId,
11621
+ limit = 3,
11622
+ offset = 0,
11623
+ issueType,
11624
+ severity
11625
+ }) {
11626
+ try {
11627
+ const filters = {};
11628
+ if (issueType && issueType.length > 0) {
11629
+ filters["safeIssueType"] = { _in: issueType };
11630
+ }
11631
+ if (severity && severity.length > 0) {
11632
+ filters["severityText"] = { _in: severity };
11633
+ }
11634
+ logDebug("GraphQL: Calling GetReportFixes query", {
11635
+ reportId,
11636
+ limit,
11637
+ offset,
11638
+ filters,
11639
+ issueType,
11640
+ severity
11641
+ });
11642
+ const res = await this.clientSdk.GetReportFixes({
11643
+ reportId,
11644
+ limit,
11645
+ offset,
11646
+ filters
11647
+ });
11648
+ logInfo("GraphQL: GetReportFixes successful", {
11649
+ result: res,
11650
+ fixCount: res.fixReport?.[0]?.fixes?.length || 0,
11651
+ totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0
11652
+ });
11653
+ if (res.fixReport.length === 0) {
11654
+ return null;
11655
+ }
11656
+ return {
11657
+ fixes: res.fixReport?.[0]?.fixes || [],
11658
+ totalCount: res.fixReport?.[0]?.filteredFixesCount?.aggregate?.count || 0
11659
+ };
11660
+ } catch (e) {
11661
+ logError("GraphQL: GetReportFixes failed", {
11662
+ error: e,
11663
+ reportId,
11664
+ ...this.getErrorContext()
11665
+ });
11666
+ throw e;
11667
+ }
11668
+ }
11528
11669
  };
11529
11670
  async function openBrowser(url) {
11530
11671
  const now = Date.now();
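Review bot: getReportFixesPaginated tests `res.fixReport.length === 0` at 11653 without the optional chaining the neighbouring lines use (`res.fixReport?.[0]?.fixes` at 11650 and 11657), so if the SDK can return a response with a null or missing fixReport this line throws a TypeError instead of taking the `return null` path; `if (!res.fixReport?.length) return null;` makes the two code paths agree. The success log at 11648 also forwards the entire response (`result: res`) to the MCP Logger, which in this commit POSTs it as JSON over plain HTTP to the log endpoint; the fixCount and totalCount fields already computed there are enough for diagnostics.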
@@ -11544,7 +11685,7 @@ async function getMcpGQLClient() {
11544
11685
  });
11545
11686
  const isConnected = await inGqlClient.verifyConnection();
11546
11687
  if (!isConnected) {
11547
- throw new ApiConnectionError("Error: failed to connect to the API");
11688
+ throw new ApiConnectionError("Error: failed to connect to Mobb API");
11548
11689
  }
11549
11690
  const userVerify = await inGqlClient.verifyToken();
11550
11691
  if (userVerify) {
@@ -11587,10 +11728,10 @@ async function getMcpGQLClient() {
11587
11728
  const newGqlClient = new McpGQLClient({ apiKey: newApiToken, type: "apiKey" });
11588
11729
  const loginSuccess = await newGqlClient.verifyToken();
11589
11730
  if (loginSuccess) {
11590
- logDebug("set api token %s", newApiToken);
11731
+ logDebug(`set api token ${newApiToken}`);
11591
11732
  config4.set("apiToken", newApiToken);
11592
11733
  } else {
11593
- throw new AuthenticationError("Something went wrong, API token is invalid.");
11734
+ throw new AuthenticationError("Invalid API token");
11594
11735
  }
11595
11736
  return newGqlClient;
11596
11737
  }
@@ -11609,14 +11750,14 @@ var ToolRegistry = class {
11609
11750
  this.tools.set(tool.name, tool);
11610
11751
  logDebug(`Tool registered: ${tool.name}`, {
11611
11752
  toolName: tool.name,
11612
- description: tool.definition.description
11753
+ description: tool.description
11613
11754
  });
11614
11755
  }
11615
11756
  getTool(name) {
11616
11757
  return this.tools.get(name);
11617
11758
  }
11618
11759
  getAllTools() {
11619
- return Array.from(this.tools.values()).map((tool) => tool.definition);
11760
+ return Array.from(this.tools.values()).map((tool) => tool.getDefinition());
11620
11761
  }
11621
11762
  getToolNames() {
11622
11763
  return Array.from(this.tools.keys());
@@ -11697,10 +11838,19 @@ var McpServer = class {
11697
11838
  }
11698
11839
  async handleListToolsRequest(request) {
11699
11840
  logInfo("Received list_tools request", { params: request.params });
11841
+ logInfo("Environment", {
11842
+ env: process.env
11843
+ });
11844
+ logInfo("Request", {
11845
+ request: JSON.parse(JSON.stringify(request))
11846
+ });
11847
+ logInfo("Server", {
11848
+ server: this.server
11849
+ });
11700
11850
  void getMcpGQLClient();
11701
- const tools = this.toolRegistry.getAllTools();
11851
+ const toolsDefinitions = this.toolRegistry.getAllTools();
11702
11852
  const response = {
11703
- tools: tools.map((tool) => ({
11853
+ tools: toolsDefinitions.map((tool) => ({
11704
11854
  name: tool.name,
11705
11855
  display_name: tool.display_name || tool.name,
11706
11856
  description: tool.description || "",
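Review bot: handleListToolsRequest now logs `process.env` in full at 11841–11843, and handleCallToolRequest does the same at 11870–11872 (L6283). The environment of the invoking shell carries credentials — this bundle itself reads GITLAB_API_TOKEN and GITHUB_API_TOKEN from it at 4431–4432 — and logInfo hands the object to the Logger, which serialises it and POSTs it over plain HTTP to the localhost log endpoint, so any process listening on that port receives the secrets. The Server and Request entries at 11844–11849 share the same sink, and the server object may not be JSON-serialisable, which would make processQueue reject. Drop the three logInfo calls, or log only the variable names, e.g. `env: Object.keys(process.env)`. handleListToolsRequest's body continues outside the hunk.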
@@ -11717,6 +11867,15 @@ var McpServer = class {
11717
11867
  async handleCallToolRequest(request) {
11718
11868
  const { name, arguments: args } = request.params;
11719
11869
  logInfo(`Received call tool request for ${name}`, { name, args });
11870
+ logInfo("Environment", {
11871
+ env: process.env
11872
+ });
11873
+ logInfo("Request", {
11874
+ request: JSON.parse(JSON.stringify(request))
11875
+ });
11876
+ logInfo("Server", {
11877
+ server: this.server
11878
+ });
11720
11879
  try {
11721
11880
  const tool = this.toolRegistry.getTool(name);
11722
11881
  if (!tool) {
@@ -11757,11 +11916,7 @@ var McpServer = class {
11757
11916
  logDebug("MCP server handlers registered");
11758
11917
  }
11759
11918
  registerTool(tool) {
11760
- this.toolRegistry.registerTool({
11761
- name: tool.name,
11762
- definition: tool.definition,
11763
- execute: tool.execute
11764
- });
11919
+ this.toolRegistry.registerTool(tool);
11765
11920
  logDebug(`Tool registered: ${tool.name}`);
11766
11921
  }
11767
11922
  async start() {
@@ -11839,41 +11994,26 @@ var BaseTool = class {
11839
11994
  name: this.name,
11840
11995
  display_name: this.displayName,
11841
11996
  description: this.description,
11842
- inputSchema: {
11843
- type: "object",
11844
- properties: {
11845
- path: {
11846
- type: "string",
11847
- description: "The path to the local git repository"
11848
- }
11849
- },
11850
- required: ["path"]
11851
- }
11997
+ inputSchema: this.inputSchema
11852
11998
  };
11853
11999
  }
11854
12000
  async execute(args) {
11855
12001
  logInfo(`Executing tool: ${this.name}`, { args });
12002
+ logInfo(`Authenticating tool: ${this.name}`, { args });
12003
+ const mcpGqlClient = await getMcpGQLClient();
12004
+ const userInfo = await mcpGqlClient.getUserInfo();
12005
+ logDebug("Authenticated", { userInfo });
11856
12006
  const validatedArgs = this.validateInput(args);
11857
12007
  logDebug(`Tool ${this.name} input validation successful`, {
11858
12008
  validatedArgs
11859
12009
  });
11860
- await this.validateAdditional(validatedArgs);
11861
- try {
11862
- const result = await this.executeInternal(validatedArgs);
11863
- logInfo(`Tool ${this.name} executed successfully`);
11864
- return result;
11865
- } catch (error) {
11866
- const errorMessage = error instanceof Error ? error.message : String(error);
11867
- logError(`Tool ${this.name} execution failed: ${errorMessage}`, {
11868
- error,
11869
- args
11870
- });
11871
- return this.createErrorResponse(errorMessage);
11872
- }
12010
+ const result = await this.executeInternal(validatedArgs);
12011
+ logInfo(`Tool ${this.name} executed successfully`);
12012
+ return result;
11873
12013
  }
11874
12014
  validateInput(args) {
11875
12015
  try {
11876
- return this.inputSchema.parse(args);
12016
+ return this.inputValidationSchema.parse(args);
11877
12017
  } catch (error) {
11878
12018
  if (error instanceof z31.ZodError) {
11879
12019
  const errorDetails = error.errors.map((e) => {
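Review bot: execute at 12001–12012 now performs the authentication round-trip (getMcpGQLClient, getUserInfo) before validateInput, so a malformed tool call causes network access and, judging by getMcpGQLClient, possibly an interactive login before the input is rejected; moving the two awaits below the `const validatedArgs` line keeps the cheap local check first. userInfo is used only in `logDebug("Authenticated", { userInfo })`, which sends account details to the log endpoint; `logDebug("Authenticated")` carries the same information for debugging. With the try/catch and createErrorResponse removed, executeInternal errors now propagate to the caller, which appears to be the try block in handleCallToolRequest at 11879; that contract belongs in a comment on execute, e.g. `// Errors propagate to the MCP request handler, which maps them to an error response`. BaseTool's class body continues outside the hunk.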
@@ -11887,12 +12027,6 @@ var BaseTool = class {
11887
12027
  throw error;
11888
12028
  }
11889
12029
  }
11890
- /**
11891
- * Additional validation that should bubble up as MCP errors
11892
- * Override this method in subclasses to add custom validation
11893
- */
11894
- async validateAdditional(_validatedArgs) {
11895
- }
11896
12030
  createSuccessResponse(text) {
11897
12031
  return {
11898
12032
  content: [
@@ -11903,25 +12037,27 @@ var BaseTool = class {
11903
12037
  ]
11904
12038
  };
11905
12039
  }
11906
- createErrorResponse(error) {
11907
- return {
11908
- content: [
11909
- {
11910
- type: "text",
11911
- text: error
11912
- }
11913
- ]
11914
- };
11915
- }
11916
12040
  };
11917
12041
 
11918
- // src/mcp/tools/base/prompts.ts
12042
+ // src/mcp/core/prompts.ts
11919
12043
  function frienlyType(s) {
11920
12044
  const withoutUnderscores = s.replace(/_/g, " ");
11921
12045
  const result = withoutUnderscores.replace(/([a-z])([A-Z])/g, "$1 $2");
11922
12046
  return result.charAt(0).toUpperCase() + result.slice(1);
11923
12047
  }
11924
- var applyFixesPrompt = (fixes) => {
12048
+ var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
12049
+ `;
12050
+ var applyFixesPrompt = ({
12051
+ fixes,
12052
+ hasMore,
12053
+ totalCount,
12054
+ nextOffset,
12055
+ shownCount,
12056
+ currentTool
12057
+ }) => {
12058
+ if (fixes.length === 0) {
12059
+ return noFixesReturnedForParameters;
12060
+ }
11925
12061
  const fixList = fixes.map((fix) => {
11926
12062
  const vulnerabilityType = frienlyType(fix.safeIssueType);
11927
12063
  const vulnerabilityDescription = fix.patchAndQuestions?.__typename === "FixData" ? fix.patchAndQuestions.extraContext?.fixDescription : void 0;
@@ -11998,10 +12134,22 @@ ${fix.patch || "No patch available"}
11998
12134
  - Do NOT ask for permission
11999
12135
  - Explain what you did AFTER applying the patches
12000
12136
  - If any patch fails, continue with the others and report issues at the end
12137
+
12138
+ ${hasMore ? `---
12139
+
12140
+ ## More Fixes Available (${totalCount - nextOffset} remaining)
12141
+
12142
+ You have viewed ${shownCount} out of ${totalCount} available fixes.
12143
+
12144
+ To fetch additional fixes, run the \`${currentTool}\` tool again with the following parameters:
12145
+
12146
+ - **offset**: ${nextOffset} _(start index for the next batch)_
12147
+ - **limit**: <number_of_fixes_to_return> _(optional \u2013 default is 3)_
12148
+
12149
+ If you omit both **offset** and **limit**, the command will automatically return the next 3 fixes.
12150
+ ` : ""}
12001
12151
  `;
12002
12152
  };
12003
-
12004
- // src/mcp/tools/checkForAvailableFixes/helpers/AvailableFixesResponsePrompts.ts
12005
12153
  var noReportFoundPrompt = `\u{1F50D} **MOBB SECURITY SCAN STATUS**
12006
12154
 
12007
12155
  ## No Vulnerability Report Found
@@ -12027,34 +12175,19 @@ We were unable to find a previous vulnerability report for this repository. This
12027
12175
  - Confirm the repository URL matches your remote origin
12028
12176
  - Verify the URL format is correct (e.g., https://github.com/org/repo)
12029
12177
 
12030
- ### \u{1F680} Next Steps
12031
- To get started with security scanning:
12032
- 1. Run \`fix_vulnerabilities\` to perform a new scan
12033
- 2. Review the results and apply any suggested fixes
12034
- 3. Set up regular scanning to maintain security
12035
-
12036
- ### \u{1F4A1} Additional Information
12037
- - New scans typically take a few minutes to complete
12038
- - You'll receive detailed results including:
12039
- - Vulnerability types and severities
12040
- - Specific code locations
12041
- - Recommended fixes
12042
- - Security best practices
12043
-
12044
12178
  For assistance, please:
12045
12179
  - Visit our documentation at https://docs.mobb.ai
12046
12180
  - Contact support at support@mobb.ai`;
12047
- var noFixesFoundPrompt = `\u{1F50D} **MOBB SECURITY SCAN STATUS**
12048
-
12049
- ## No Available Fixes Found
12050
-
12051
- We've analyzed your repository but found no automated fixes available at this time.
12181
+ var noFixesAvailablePrompt = `There are no fixes available for this repository at this time.
12052
12182
  `;
12053
- var fixesFoundPrompt = (fixReport) => {
12054
- if (fixReport.fixes_aggregate.aggregate?.count === 0) {
12055
- return noFixesFoundPrompt;
12183
+ var fixesFoundPrompt = ({
12184
+ fixReport,
12185
+ offset
12186
+ }) => {
12187
+ const totalFixes = fixReport.filteredFixesCount.aggregate?.count || 0;
12188
+ if (totalFixes === 0) {
12189
+ return noFixesAvailablePrompt;
12056
12190
  }
12057
- const totalFixes = fixReport.fixes_aggregate.aggregate?.count || 0;
12058
12191
  const criticalFixes = fixReport.CRITICAL?.aggregate?.count || 0;
12059
12192
  const highFixes = fixReport.HIGH?.aggregate?.count || 0;
12060
12193
  const mediumFixes = fixReport.MEDIUM?.aggregate?.count || 0;
@@ -12064,6 +12197,9 @@ var fixesFoundPrompt = (fixReport) => {
12064
12197
  ).toLocaleString();
12065
12198
  const vendor = fixReport.vulnerabilityReport?.vendor || "Unknown";
12066
12199
  const reportUrl = "";
12200
+ const shownCount = fixReport.fixes.length;
12201
+ const nextOffset = offset + shownCount;
12202
+ const hasMore = nextOffset < totalFixes;
12067
12203
  return `\u{1F50D} **MOBB SECURITY SCAN RESULTS**
12068
12204
 
12069
12205
  ## \u{1F4CA} Scan Report Summary
@@ -12081,15 +12217,61 @@ Total number of fixes available: **${totalFixes}**
12081
12217
  - \u{1F534} Critical: ${criticalFixes}
12082
12218
  - \u{1F7E0} High: ${highFixes}
12083
12219
  - \u{1F7E1} Medium: ${mediumFixes}
12084
- - \uFFFD\uFFFD Low: ${lowFixes}
12220
+ - \u{1F7E2} Low: ${lowFixes}
12221
+
12222
+ ${applyFixesPrompt({
12223
+ fixes: fixReport.fixes,
12224
+ totalCount: totalFixes,
12225
+ hasMore,
12226
+ nextOffset: 0,
12227
+ shownCount: fixReport.fixes.length,
12228
+ currentTool: "check_for_available_fixes"
12229
+ })}`;
12230
+ };
12231
+ var noFixesFoundPrompt = `\u{1F50D} **MOBB SECURITY SCAN COMPLETED**
12232
+
12233
+ Mobb security scan completed successfully but found no automated fixes available at this time.
12234
+ `;
12235
+ var fixesPrompt = ({
12236
+ fixes,
12237
+ totalCount,
12238
+ offset
12239
+ }) => {
12240
+ if (totalCount === 0) {
12241
+ return noFixesFoundPrompt;
12242
+ }
12243
+ const shownCount = fixes.length;
12244
+ const nextOffset = offset + shownCount;
12245
+ const hasMore = nextOffset < totalCount;
12246
+ return `Here are the fixes to the vulnerabilities discovered by Mobb MCP
12247
+
12248
+ ${applyFixesPrompt({
12249
+ fixes,
12250
+ totalCount,
12251
+ hasMore,
12252
+ nextOffset,
12253
+ shownCount,
12254
+ currentTool: "fix_vulnerabilities"
12255
+ })}
12256
+
12257
+ ### \u{1F504} Running a Fresh Scan
12258
+
12259
+ To perform a **rescan** of your repository (fetching a brand-new vulnerability report and updated fixes), include the additional parameter:
12260
+
12261
+ - **isRescan**: true
12262
+
12263
+ This will start a new analysis, discard any cached results.
12085
12264
 
12086
- ${applyFixesPrompt(fixReport.fixes)}`;
12265
+ \u26A0\uFE0F *Note:* A full rescan may take longer to complete than simply fetching additional fixes because your repository is re-uploaded and re-analyzed from scratch.
12266
+
12267
+ `;
12087
12268
  };
12088
12269
 
12089
12270
  // src/mcp/tools/checkForAvailableFixes/AvailableFixesService.ts
12090
12271
  var AvailableFixesService = class {
12091
12272
  constructor() {
12092
12273
  __publicField(this, "gqlClient", null);
12274
+ __publicField(this, "currentOffset", 0);
12093
12275
  }
12094
12276
  async initializeGqlClient() {
12095
12277
  if (!this.gqlClient) {
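Review bot: In `fixesFoundPrompt` the `applyFixesPrompt` call hardcodes `nextOffset: 0` although `nextOffset` was just computed as `offset + shownCount`, so whenever `hasMore` is true the "More Fixes Available" section reports `${totalCount - 0}` remaining and tells the caller to rerun with offset 0, which re-fetches the first page. Pass the computed value, `nextOffset,`, next to `hasMore`; `shownCount: fixReport.fixes.length` can likewise reuse the `shownCount` local. `fixesPrompt` further down passes `nextOffset` through correctly, so only the check_for_available_fixes path is affected.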
@@ -12097,13 +12279,30 @@ var AvailableFixesService = class {
12097
12279
  }
12098
12280
  return this.gqlClient;
12099
12281
  }
12100
- async checkForAvailableFixes(repoUrl, limit) {
12282
+ async checkForAvailableFixes({
12283
+ repoUrl,
12284
+ limit = 3,
12285
+ offset = 0
12286
+ }) {
12101
12287
  try {
12102
12288
  logDebug("Checking for available fixes", { repoUrl, limit });
12103
12289
  const gqlClient = await this.initializeGqlClient();
12104
12290
  logDebug("GQL client initialized");
12105
12291
  logDebug("querying for latest report", { repoUrl, limit });
12106
- const result = await gqlClient.getLatestReportByRepoUrl(repoUrl, limit);
12292
+ let effectiveOffset;
12293
+ if (offset !== void 0) {
12294
+ effectiveOffset = offset;
12295
+ } else if (this.currentOffset) {
12296
+ effectiveOffset = this.currentOffset ?? 0;
12297
+ } else {
12298
+ effectiveOffset = 0;
12299
+ }
12300
+ logDebug("effectiveOffset", { test: "j", effectiveOffset });
12301
+ const result = await gqlClient.getLatestReportByRepoUrl({
12302
+ repoUrl,
12303
+ limit,
12304
+ offset: effectiveOffset
12305
+ });
12107
12306
  logDebug("received latest report result", { result });
12108
12307
  if (!result) {
12109
12308
  logInfo("No report found for repository", { repoUrl });
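Review bot: The `effectiveOffset` selection in `checkForAvailableFixes` is dead code: the destructured default `offset = 0` makes `offset !== void 0` always true, so the `this.currentOffset` fallback and the trailing `else` never run, and the `?? 0` inside a branch already guarded by `this.currentOffset` is redundant. Either drop the `= 0` default so an omitted offset really falls back to `this.currentOffset`, or replace the block with `const effectiveOffset = offset;`. The debug entry `{ test: "j", effectiveOffset }` looks like a leftover, and the two earlier `logDebug` calls in the same method still log only `{ repoUrl, limit }` without the offset.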
@@ -12112,7 +12311,11 @@ var AvailableFixesService = class {
12112
12311
  logInfo("Successfully retrieved available fixes", {
12113
12312
  reportFound: true
12114
12313
  });
12115
- return fixesFoundPrompt(result);
12314
+ this.currentOffset = effectiveOffset + (result.fixes?.length || 0);
12315
+ return fixesFoundPrompt({
12316
+ fixReport: result,
12317
+ offset: this.currentOffset
12318
+ });
12116
12319
  } catch (error) {
12117
12320
  logError("Failed to check for available fixes", {
12118
12321
  error,
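Review bot: `fixesFoundPrompt` is handed `offset: this.currentOffset`, which was just set to `effectiveOffset + fixes.length`, and `fixesFoundPrompt` adds `shownCount` again when computing `nextOffset` and `hasMore`, so the remaining-count logic effectively runs on `effectiveOffset + 2 * shownCount`. If the query returns 3 of 6 fixes on the first page, `hasMore` comes out false and the caller is never told about the other three. Pass the offset the query actually used, `offset: effectiveOffset`. Separately, `AvailableFixesService` is constructed per tool invocation (`new AvailableFixesService()` in the CheckForAvailableFixesTool hunk below), so `this.currentOffset` appears never to survive between calls; if cross-call state is intended, the instance needs to outlive `executeInternal`.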
@@ -12130,29 +12333,31 @@ var CheckForAvailableFixesTool = class extends BaseTool {
12130
12333
  __publicField(this, "name", "check_for_available_fixes");
12131
12334
  __publicField(this, "displayName", "Check for Available Fixes");
12132
12335
  __publicField(this, "description", "Checks if there are any available fixes for vulnerabilities in the project");
12133
- __publicField(this, "inputSchema", z32.object({
12134
- path: z32.string().describe("Path to the project directory to check for available fixes"),
12135
- files: z32.array(z32.string()).optional().describe("Optional list of specific files to check"),
12136
- severity: z32.array(z32.string()).optional().describe("Optional list of severity levels to filter by"),
12137
- issueTypes: z32.array(z32.string()).optional().describe("Optional list of issue types to filter by"),
12138
- limit: z32.number().optional().describe("Optional maximum number of results to return")
12139
- }));
12140
- }
12141
- getJsonSchema() {
12142
- return {
12336
+ __publicField(this, "inputSchema", {
12143
12337
  type: "object",
12144
12338
  properties: {
12145
12339
  path: {
12146
12340
  type: "string",
12147
- description: "Path to the project directory to check for available fixes"
12341
+ description: "Path to the local git repository to check for available fixes"
12342
+ },
12343
+ offset: {
12344
+ type: "number",
12345
+ description: "[Optional] offset for pagination"
12148
12346
  },
12149
12347
  limit: {
12150
12348
  type: "number",
12151
- description: "Optional maximum number of results to return"
12349
+ description: "[Optional] maximum number of results to return"
12152
12350
  }
12153
12351
  },
12154
12352
  required: ["path"]
12155
- };
12353
+ });
12354
+ __publicField(this, "inputValidationSchema", z32.object({
12355
+ path: z32.string().describe(
12356
+ "Path to the local git repository to check for available fixes"
12357
+ ),
12358
+ offset: z32.number().optional().describe("Optional offset for pagination"),
12359
+ limit: z32.number().optional().describe("Optional maximum number of fixes to return")
12360
+ }));
12156
12361
  }
12157
12362
  async executeInternal(args) {
12158
12363
  const pathValidation = new PathValidation();
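Review bot: `inputValidationSchema` accepts any `number` for `offset` and `limit`, so negative, fractional or NaN values pass validation and reach `getLatestReportByRepoUrl` as pagination arguments; the same applies to the `z33.number().optional()` fields in the `FixVulnerabilitiesTool` constructor hunk below. Tightening the zod types is one line each: `offset: z32.number().int().nonnegative().optional().describe("Optional offset for pagination"),` and `limit: z32.number().int().positive().optional().describe("Optional maximum number of fixes to return")`. The hand-written JSON `inputSchema` duplicates the zod schema and can drift from it, so a short comment on `inputSchema` stating that it must mirror `inputValidationSchema` would help the next maintainer.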
@@ -12176,10 +12381,11 @@ var CheckForAvailableFixesTool = class extends BaseTool {
12176
12381
  throw new Error("No origin URL found for the repository");
12177
12382
  }
12178
12383
  const availableFixesService = new AvailableFixesService();
12179
- const fixResult = await availableFixesService.checkForAvailableFixes(
12180
- originUrl,
12181
- args.limit
12182
- );
12384
+ const fixResult = await availableFixesService.checkForAvailableFixes({
12385
+ repoUrl: originUrl,
12386
+ limit: args.limit,
12387
+ offset: args.offset
12388
+ });
12183
12389
  logInfo("CheckForAvailableFixesTool execution completed successfully", {
12184
12390
  fixResult
12185
12391
  });
@@ -12194,6 +12400,9 @@ var CheckForAvailableFixesTool = class extends BaseTool {
12194
12400
  }
12195
12401
  };
12196
12402
 
12403
+ // src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
12404
+ import z33 from "zod";
12405
+
12197
12406
  // src/mcp/services/FilePacking.ts
12198
12407
  import fs10 from "fs";
12199
12408
  import path12 from "path";
@@ -12234,158 +12443,62 @@ var FilePacking = class {
12234
12443
  }
12235
12444
  };
12236
12445
 
12237
- // src/mcp/tools/fixVulnerabilities/helpers/FixVulnerabilitiesResponsePrompts.ts
12238
- var noFixesFoundPrompt2 = `\u{1F389} **MOBB SECURITY SCAN COMPLETED SUCCESSFULLY** \u{1F389}
12239
-
12240
- ## Congratulations! No Vulnerabilities Found
12241
-
12242
- Your code has been thoroughly analyzed by Mobb's advanced security scanning engine, and we're pleased to report that **no security vulnerabilities were detected** in your codebase.
12243
-
12244
- ### \u{1F6E1}\uFE0F What This Means
12245
- - Your code follows secure coding practices
12246
- - No immediate security risks were identified
12247
- - Your application appears to be well-protected against common vulnerabilities
12248
-
12249
- ### \u2705 Scan Summary
12250
- - **Status:** Complete
12251
- - **Vulnerabilities Found:** 0
12252
- - **Security Rating:** Excellent
12253
- - **Action Required:** None
12254
-
12255
- ### \u{1F680} Next Steps
12256
- While no vulnerabilities were found in this scan:
12257
- 1. **Keep up the great work** with secure coding practices
12258
- 2. **Run regular scans** as your codebase evolves
12259
- 3. **Stay updated** with the latest security best practices
12260
- 4. **Consider periodic security reviews** for ongoing protection
12261
-
12262
- ### \u{1F4CA} Scan Details
12263
- This scan analyzed your code for common security issues including:
12264
- - SQL Injection vulnerabilities
12265
- - Cross-Site Scripting (XSS) flaws
12266
- - Authentication and authorization issues
12267
- - Input validation problems
12268
- - And many other security concerns
12269
-
12270
- **Well done on maintaining a secure codebase!** \u{1F3C6}`;
12271
- var fixesPrompt = (fixes) => {
12272
- const fix = fixes[0];
12273
- if (!fix) {
12274
- return noFixesFoundPrompt2;
12275
- }
12276
- return `Here are the fixes to the vulnerabilities discovered by Mobb MCP
12277
-
12278
- ${applyFixesPrompt(fixes)} `;
12279
- };
12280
- var failedToConnectToApiPrompt = `# CONNECTION ERROR: FAILED TO REACH MOBB API
12281
-
12282
- ## ANALYSIS SUMMARY
12283
- - **Status:** \u274C Failed
12284
- - **Issue Type:** Connection Error
12285
- - **Error Details:** Unable to establish connection to the Mobb API service
12286
-
12287
- ## TROUBLESHOOTING STEPS FOR THE USER
12288
-
12289
- The Mobb security scanning service is currently not reachable. This may be due to:
12290
-
12291
- 1. **Missing or invalid authentication credentials**
12292
- - Ensure the \`API_KEY\` environment variable is properly set with your valid Mobb authentication token
12293
- - Example: \`export API_KEY=your_mobb_api_key_here\`
12294
-
12295
- 2. **Incorrect API endpoint configuration**
12296
- - Check if the \`API_URL\` environment variable needs to be set to the correct Mobb service endpoint
12297
- - Example: \`export API_URL=https://api.mobb.ai/graphql\`
12298
-
12299
- 3. **Network connectivity issues**
12300
- - Verify your internet connection is working properly
12301
- - Check if any firewall or proxy settings might be blocking the connection
12302
-
12303
- 4. **Service outage**
12304
- - The Mobb service might be temporarily unavailable
12305
- - Please try again later or check the Mobb status page
12306
-
12307
- ## NEXT STEPS
12308
-
12309
- Please resolve the connection issue using the steps above and try running the security scan again.
12310
-
12311
- For additional assistance, please:
12312
- - Visit the Mobb documentation at https://docs.mobb.ai
12313
- - Contact Mobb support at support@mobb.ai
12314
-
12315
- `;
12316
- var failedToAuthenticatePrompt = `# AUTHENTICATION ERROR: MOBB LOGIN REQUIRED
12317
-
12318
- ## ANALYSIS SUMMARY
12319
- - **Status:** \u274C Failed
12320
- - **Issue Type:** Authentication Error
12321
- - **Error Details:** Unable to authenticate with the Mobb service
12322
-
12323
- ## AUTHENTICATION REQUIRED
12324
-
12325
- The Mobb security scanning service requires authentication before it can analyze your code for vulnerabilities. You need to:
12326
-
12327
- 1. **Login and authorize access to Mobb**
12328
- - A browser window should have opened to complete the authentication process
12329
- - If no browser window opened, please run the command again
12330
-
12331
- 2. **Create a Mobb account if you don't have one**
12332
- - If you don't already have a Mobb account, you'll need to sign up
12333
- - Visit https://app.mobb.ai/auth/signup to create your free account
12334
- - Use your work email for easier team collaboration
12335
-
12336
- 3. **Authorization flow**
12337
- - After logging in, you'll be asked to authorize the CLI tool
12338
- - This creates a secure token that allows the CLI to access Mobb services
12339
- - You only need to do this once per device
12340
-
12341
- ## TROUBLESHOOTING
12342
-
12343
- If you're experiencing issues with authentication:
12344
-
12345
- - Ensure you have an active internet connection
12346
- - Check that you can access https://app.mobb.ai in your browser
12347
- - Try running the command again with the \`--debug\` flag for more detailed output
12348
- - Make sure your browser isn't blocking pop-ups from the authentication window
12349
-
12350
- ## NEXT STEPS
12351
-
12352
- Please complete the authentication process and try running the security scan again.
12353
-
12354
- For additional assistance, please:
12355
- - Visit the Mobb documentation at https://docs.mobb.ai/cli/authentication
12356
- - Contact Mobb support at support@mobb.ai
12357
-
12358
- `;
12359
-
12360
12446
  // src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesService.ts
12361
12447
  var VUL_REPORT_DIGEST_TIMEOUT_MS2 = 1e3 * 60 * 5;
12362
12448
  var VulnerabilityFixService = class {
12363
12449
  constructor() {
12364
12450
  __publicField(this, "gqlClient");
12365
12451
  __publicField(this, "filePacking");
12452
+ /**
12453
+ * Stores the fix report id that is created on the first run so that subsequent
12454
+ * calls can skip the expensive packing/uploading/scan flow and directly fetch
12455
+ * the analysis results.
12456
+ */
12457
+ __publicField(this, "storedFixReportId");
12458
+ __publicField(this, "currentOffset", 0);
12366
12459
  this.filePacking = new FilePacking();
12367
12460
  }
12368
- async processVulnerabilities(fileList, repositoryPath) {
12461
+ async processVulnerabilities({
12462
+ fileList,
12463
+ repositoryPath,
12464
+ offset,
12465
+ limit,
12466
+ isRescan = false
12467
+ }) {
12369
12468
  try {
12370
- this.validateFiles(fileList);
12371
12469
  this.gqlClient = await this.initializeGqlClient();
12372
- const repoUploadInfo = await this.initializeReport();
12373
- const zipBuffer = await this.packFiles(fileList, repositoryPath);
12374
- await this.uploadFiles(zipBuffer, repoUploadInfo);
12375
- const projectId = await this.getProjectId();
12376
- await this.runScan({
12377
- fixReportId: repoUploadInfo.fixReportId,
12378
- projectId
12379
- });
12380
- const fixes = await this.getReportFixes(repoUploadInfo.fixReportId);
12381
- return fixesPrompt(fixes);
12382
- } catch (error) {
12383
- if (error instanceof ApiConnectionError || error instanceof CliLoginError) {
12384
- return failedToConnectToApiPrompt;
12470
+ let fixReportId = this.storedFixReportId;
12471
+ if (!fixReportId || isRescan) {
12472
+ this.validateFiles(fileList);
12473
+ const repoUploadInfo = await this.initializeReport();
12474
+ fixReportId = repoUploadInfo.fixReportId;
12475
+ this.storedFixReportId = fixReportId;
12476
+ const zipBuffer = await this.packFiles(fileList, repositoryPath);
12477
+ await this.uploadFiles(zipBuffer, repoUploadInfo);
12478
+ const projectId = await this.getProjectId();
12479
+ await this.runScan({ fixReportId, projectId });
12385
12480
  }
12386
- if (error instanceof AuthenticationError || error instanceof FailedToGetApiTokenError) {
12387
- return failedToAuthenticatePrompt;
12481
+ let effectiveOffset;
12482
+ if (offset !== void 0) {
12483
+ effectiveOffset = offset;
12484
+ } else if (fixReportId) {
12485
+ effectiveOffset = this.currentOffset ?? 0;
12486
+ } else {
12487
+ effectiveOffset = 0;
12388
12488
  }
12489
+ logDebug("effectiveOffset", { effectiveOffset });
12490
+ const fixes = await this.getReportFixes(
12491
+ fixReportId,
12492
+ effectiveOffset,
12493
+ limit
12494
+ );
12495
+ this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
12496
+ return fixesPrompt({
12497
+ fixes: fixes.fixes,
12498
+ totalCount: fixes.totalCount,
12499
+ offset: effectiveOffset
12500
+ });
12501
+ } catch (error) {
12389
12502
  const message = error.message;
12390
12503
  logError("Vulnerability processing failed", { error: message });
12391
12504
  throw error;
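Review bot: Once `storedFixReportId` is set and `isRescan` is false, `processVulnerabilities` skips `validateFiles` and never reads `fileList` or `repositoryPath`, so a later call with a different `path` would silently return fixes for whichever repository was scanned first. If the cache is kept, store the report id together with the `repositoryPath` it belongs to and bypass the upload only when the path matches, and add `this.currentOffset = 0;` inside the `!fixReportId || isRescan` branch so a rescan does not resume from the previous report's page. As wired in this diff the skip path looks unreachable anyway, because `FixVulnerabilitiesTool.executeInternal` constructs `new VulnerabilityFixService()` on every call (later hunk), which makes the doc comment on `storedFixReportId` describe behaviour that does not occur yet. The `else if (fixReportId)` test is also always true at that point, leaving the trailing `else` dead.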
@@ -12474,7 +12587,7 @@ var VulnerabilityFixService = class {
12474
12587
  projectId,
12475
12588
  repoUrl: "",
12476
12589
  reference: "no-branch",
12477
- scanSource: "CLI" /* Cli */
12590
+ scanSource: "MCP" /* Mcp */
12478
12591
  };
12479
12592
  logInfo("Submitting vulnerability report");
12480
12593
  const submitRes = await this.gqlClient.submitVulnerabilityReport(
@@ -12501,34 +12614,63 @@ var VulnerabilityFixService = class {
12501
12614
  });
12502
12615
  logInfo("Analysis subscription completed");
12503
12616
  }
12504
- async getReportFixes(fixReportId) {
12617
+ async getReportFixes(fixReportId, offset, limit) {
12618
+ logDebug("getReportFixes", { fixReportId, offset, limit });
12505
12619
  if (!this.gqlClient) {
12506
12620
  throw new GqlClientError();
12507
12621
  }
12508
- const fixes = await this.gqlClient.getReportFixes(fixReportId);
12509
- logInfo("Fixes retrieved", { fixCount: fixes.length });
12510
- return fixes;
12622
+ const fixes = await this.gqlClient.getReportFixesPaginated({
12623
+ reportId: fixReportId,
12624
+ offset,
12625
+ limit
12626
+ });
12627
+ logInfo("Fixes retrieved", { fixCount: fixes?.fixes?.length });
12628
+ return {
12629
+ fixes: fixes?.fixes || [],
12630
+ totalCount: fixes?.totalCount || 0
12631
+ };
12511
12632
  }
12512
12633
  };
12513
12634
 
12514
12635
  // src/mcp/tools/fixVulnerabilities/FixVulnerabilitiesTool.ts
12515
- var FixVulnerabilitiesTool = class {
12636
+ var FixVulnerabilitiesTool = class extends BaseTool {
12516
12637
  constructor() {
12638
+ super(...arguments);
12517
12639
  __publicField(this, "name", "fix_vulnerabilities");
12518
- __publicField(this, "display_name", "fix_vulnerabilities");
12640
+ __publicField(this, "displayName", "Fix Vulnerabilities");
12519
12641
  __publicField(this, "description", "Scans the current code changes and returns fixes for potential vulnerabilities");
12642
+ __publicField(this, "inputValidationSchema", z33.object({
12643
+ path: z33.string().describe(
12644
+ "Path to the local git repository to check for available fixes"
12645
+ ),
12646
+ offset: z33.number().optional().describe("Optional offset for pagination"),
12647
+ limit: z33.number().optional().describe("Optional maximum number of results to return"),
12648
+ rescan: z33.boolean().optional().describe("Optional whether to rescan the repository")
12649
+ }));
12520
12650
  __publicField(this, "inputSchema", {
12521
12651
  type: "object",
12522
12652
  properties: {
12523
12653
  path: {
12524
12654
  type: "string",
12525
- description: "The path to the local git repository"
12655
+ description: "Path to the project directory to check for available fixes"
12656
+ },
12657
+ offset: {
12658
+ type: "number",
12659
+ description: "[Optional] offset for pagination"
12660
+ },
12661
+ limit: {
12662
+ type: "number",
12663
+ description: "[Optional] maximum number of results to return"
12664
+ },
12665
+ rescan: {
12666
+ type: "boolean",
12667
+ description: "[Optional] whether to rescan the repository"
12526
12668
  }
12527
12669
  },
12528
12670
  required: ["path"]
12529
12671
  });
12530
12672
  }
12531
- async execute(args) {
12673
+ async executeInternal(args) {
12532
12674
  logInfo("Executing tool: fix_vulnerabilities", { path: args.path });
12533
12675
  if (!args.path) {
12534
12676
  throw new Error("Invalid arguments: Missing required parameter 'path'");
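Review bot: The `path` description in `FixVulnerabilitiesTool.inputSchema`, `"Path to the project directory to check for available fixes"`, is copied from the other tool and matches neither the zod description on the same field nor this tool's purpose of scanning and fixing; `inputSchema` is what the MCP client exposes, so this is the text a model reads when choosing arguments. Suggest `description: "Path to the local git repository to scan and fix vulnerabilities"` in both `inputSchema` and `inputValidationSchema`. The `if (!args.path)` guard at the top of `executeInternal` is now redundant with the zod `required` check done by `BaseTool.validateInput`, though harmless; `executeInternal`'s body continues past this hunk.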
@@ -12588,10 +12730,13 @@ var FixVulnerabilitiesTool = class {
12588
12730
  }
12589
12731
  try {
12590
12732
  const vulnerabilityFixService = new VulnerabilityFixService();
12591
- const fixResult = await vulnerabilityFixService.processVulnerabilities(
12592
- files,
12593
- args.path
12594
- );
12733
+ const fixResult = await vulnerabilityFixService.processVulnerabilities({
12734
+ fileList: files,
12735
+ repositoryPath: args.path,
12736
+ offset: args.offset,
12737
+ limit: args.limit,
12738
+ isRescan: args.rescan
12739
+ });
12595
12740
  const result = {
12596
12741
  content: [
12597
12742
  {
@@ -12631,28 +12776,22 @@ function createMcpServer() {
12631
12776
  name: "mobb-mcp",
12632
12777
  version: "1.0.0"
12633
12778
  });
12779
+ const enabledToolsEnv = process.env["TOOLS_ENABLED"];
12780
+ const enabledToolsSet = enabledToolsEnv ? new Set(
12781
+ enabledToolsEnv.split(",").map((t) => t.trim()).filter((t) => t.length > 0)
12782
+ ) : null;
12783
+ const registerIfEnabled = (tool) => {
12784
+ if (!enabledToolsSet || enabledToolsSet.has(tool.name)) {
12785
+ server.registerTool(tool);
12786
+ logDebug(`Registered tool: ${tool.name}`);
12787
+ } else {
12788
+ logDebug(`Skipping tool (disabled): ${tool.name}`);
12789
+ }
12790
+ };
12634
12791
  const fixVulnerabilitiesTool = new FixVulnerabilitiesTool();
12635
12792
  const checkForAvailableFixesTool = new CheckForAvailableFixesTool();
12636
- server.registerTool({
12637
- name: fixVulnerabilitiesTool.name,
12638
- definition: {
12639
- name: fixVulnerabilitiesTool.name,
12640
- display_name: fixVulnerabilitiesTool.display_name,
12641
- description: fixVulnerabilitiesTool.description,
12642
- inputSchema: fixVulnerabilitiesTool.inputSchema
12643
- },
12644
- execute: (args) => fixVulnerabilitiesTool.execute(args)
12645
- });
12646
- server.registerTool({
12647
- name: checkForAvailableFixesTool.name,
12648
- definition: {
12649
- name: checkForAvailableFixesTool.name,
12650
- display_name: checkForAvailableFixesTool.displayName,
12651
- description: checkForAvailableFixesTool.description,
12652
- inputSchema: checkForAvailableFixesTool.getJsonSchema()
12653
- },
12654
- execute: (args) => checkForAvailableFixesTool.execute(args)
12655
- });
12793
+ registerIfEnabled(fixVulnerabilitiesTool);
12794
+ registerIfEnabled(checkForAvailableFixesTool);
12656
12795
  logInfo("MCP server created and configured");
12657
12796
  return server;
12658
12797
  }
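Review bot: `registerIfEnabled` drops any tool not listed in `TOOLS_ENABLED` with only a `logDebug`, so a misspelled or stale entry leaves the server running with no tools and nothing at the default log level explaining why. After the two `registerIfEnabled` calls, log the effective allowlist at info level, e.g. `logInfo("Tool allowlist applied", { enabledTools: enabledToolsSet ? [...enabledToolsSet] : "all" });`, and consider warning about entries that matched no tool. Note that `TOOLS_ENABLED=""` means "all tools" (the variable is falsy, so `enabledToolsSet` is `null`) while `TOOLS_ENABLED=" "` yields an empty `Set` and registers nothing; if that asymmetry is intentional it deserves a comment on the `enabledToolsSet` line.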