mobbdev 1.0.116 → 1.0.118

package/dist/index.mjs

@@ -392,6 +392,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["HeapInspection"] = "HEAP_INSPECTION";
   IssueType_Enum2["HtmlCommentInJsp"] = "HTML_COMMENT_IN_JSP";
   IssueType_Enum2["HttpOnlyCookie"] = "HTTP_ONLY_COOKIE";
+  IssueType_Enum2["HttpParameterPollution"] = "HTTP_PARAMETER_POLLUTION";
   IssueType_Enum2["HttpResponseSplitting"] = "HTTP_RESPONSE_SPLITTING";
   IssueType_Enum2["IframeWithoutSandbox"] = "IFRAME_WITHOUT_SANDBOX";
   IssueType_Enum2["ImproperExceptionHandling"] = "IMPROPER_EXCEPTION_HANDLING";
@@ -1464,6 +1465,10 @@ var fixDetailsData = {
   ["STRING_TERMINATION_ERROR" /* StringTerminationError */]: {
     issueDescription: "String Termination Error occurs when a string is not properly terminated, leading to unexpected behavior or security vulnerabilities.",
     fixInstructions: "Implement proper input validation and bounds checking to prevent string termination errors. Use safe string manipulation functions and ensure that the buffer size is properly managed."
+  },
+  ["HTTP_PARAMETER_POLLUTION" /* HttpParameterPollution */]: {
+    issueDescription: "HTTP Parameter Pollution occurs when an attacker can manipulate the parameters of an HTTP request to change the behavior of the server.",
+    fixInstructions: "Implement proper input validation and bounds checking to prevent HTTP parameter pollution. Use safe string manipulation functions and ensure that the buffer size is properly managed."
   }
 };
 
@@ -1580,7 +1585,8 @@ var issueTypeMap = {
   ["REDOS" /* Redos */]: "Regular Expression Denial of Service",
   ["DO_NOT_THROW_GENERIC_EXCEPTION" /* DoNotThrowGenericException */]: "Do Not Throw Generic Exception",
   ["BUFFER_OVERFLOW" /* BufferOverflow */]: "Buffer Overflow",
-  ["STRING_TERMINATION_ERROR" /* StringTerminationError */]: "String Termination Error"
+  ["STRING_TERMINATION_ERROR" /* StringTerminationError */]: "String Termination Error",
+  ["HTTP_PARAMETER_POLLUTION" /* HttpParameterPollution */]: "HTTP Parameter Pollution"
 };
 var issueTypeZ = z.nativeEnum(IssueType_Enum);
 var getIssueTypeFriendlyString = (issueType) => {
@@ -5171,9 +5177,7 @@ var MCP_PERIODIC_CHECK_INTERVAL = 15 * 60 * 1e3;
 var MCP_DEFAULT_MAX_FILES_TO_SCAN = 10;
 var MCP_REPORT_ID_EXPIRATION_MS = 2 * 60 * 60 * 1e3;
 var MCP_TOOLS_BROWSER_COOLDOWN_MS = 24 * 60 * 60 * 1e3;
-var MCP_TOOL_CHECK_FOR_NEW_AVAILABLE_FIXES = "check_for_new_available_fixes";
-var MCP_TOOL_FETCH_AVAILABLE_FIXES = "fetch_available_fixes";
-var MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES = "scan_and_fix_vulnerabilities";
+var MCP_DEFAULT_LIMIT = 3;
 
 // src/features/analysis/scm/FileUtils.ts
 import fs2 from "fs";
@@ -5572,6 +5576,27 @@ var GitService = class {
       throw new Error(errorMessage);
     }
   }
+  /**
+   * Gets both the current commit hash and current branch name
+   */
+  async getCurrentCommitAndBranch() {
+    this.log("Getting current commit hash and branch", "debug");
+    try {
+      const [hash, branch] = await Promise.all([
+        this.git.revparse(["HEAD"]),
+        this.git.revparse(["--abbrev-ref", "HEAD"])
+      ]);
+      this.log("Current commit hash and branch retrieved", "debug", {
+        hash,
+        branch
+      });
+      return { hash, branch };
+    } catch (error) {
+      const errorMessage = `Failed to get current commit hash and branch: ${error.message}`;
+      this.log(errorMessage, "error", { error });
+      return { hash: "", branch: "" };
+    }
+  }
   /**
    * Gets the remote repository URL
    */
@@ -5601,24 +5626,37 @@ var GitService = class {
     }
   }
   /**
-   * Gets the maxFiles most recently changed files based on commit history
+   * Gets the maxFiles most recently changed files, starting with current changes and then from commit history
    */
   async getRecentlyChangedFiles({
     maxFiles = MCP_DEFAULT_MAX_FILES_TO_SCAN
   }) {
     this.log(
-      `Getting the ${maxFiles} most recently changed files from commit history`,
+      `Getting the ${maxFiles} most recently changed files, starting with current changes`,
       "debug"
     );
     try {
+      const currentChanges = await this.getChangedFiles();
       const gitRoot = await this.git.revparse(["--show-toplevel"]);
       const relativePathFromGitRoot = path2.relative(
         gitRoot,
         this.repositoryPath
       );
       const fileSet = /* @__PURE__ */ new Set();
-      const files = [];
       let commitsProcessed = 0;
+      for (const file of currentChanges.files) {
+        if (fileSet.size >= maxFiles) {
+          break;
+        }
+        const fullPath = path2.join(this.repositoryPath, file);
+        if (FileUtils.shouldPackFile(fullPath) && !file.startsWith("..")) {
+          fileSet.add(file);
+        }
+      }
+      this.log(`Added ${fileSet.size} files from current changes`, "debug", {
+        filesFromCurrentChanges: fileSet.size,
+        currentChangesTotal: currentChanges.files.length
+      });
       const logResult = await this.git.log({
         maxCount: maxFiles * 5,
         // 5 times the max files to scan to ensure we find enough files
@@ -5631,7 +5669,7 @@ var GitService = class {
         }
       });
       for (const commit of logResult.all) {
-        if (files.length >= maxFiles) {
+        if (fileSet.size >= maxFiles) {
           break;
         }
         commitsProcessed++;
@@ -5643,7 +5681,7 @@ var GitService = class {
           ]);
           const commitFiles = filesOutput.split("\n").filter((file) => file.trim() !== "");
           for (const file of commitFiles) {
-            if (files.length >= maxFiles) {
+            if (fileSet.size >= maxFiles) {
               break;
             }
             const gitRelativePath = file.trim();
@@ -5663,7 +5701,6 @@ var GitService = class {
             this.log(`Considering file: ${adjustedPath}`, "debug");
             if (!fileSet.has(adjustedPath) && FileUtils.shouldPackFile(path2.join(gitRoot, gitRelativePath)) && !adjustedPath.startsWith("..")) {
               fileSet.add(adjustedPath);
-              files.push(adjustedPath);
             }
           }
         } catch (showError) {
@@ -5672,6 +5709,7 @@ var GitService = class {
           });
         }
       }
+      const files = Array.from(fileSet);
       this.log("Recently changed files retrieved", "info", {
         fileCount: files.length,
         commitsProcessed,
@@ -11547,7 +11585,7 @@ var McpAuthService = class {
       throw new CliLoginError("Error: createCliLogin failed");
     }
     logDebug(`cli login created ${loginId}`);
-    const webLoginUrl2 = `${WEB_APP_URL}/cli-login`;
+    const webLoginUrl2 = `${WEB_APP_URL}/mvs-login`;
     const browserUrl = `${webLoginUrl2}/${loginId}?hostname=${os2.hostname()}`;
     await this.openBrowser(browserUrl, isBackgoundCall);
     logDebug(`waiting for login to complete`);
@@ -11871,7 +11909,7 @@ var McpGQLClient = class {
   }
   async getLatestReportByRepoUrl({
     repoUrl,
-    limit = 3,
+    limit = MCP_DEFAULT_LIMIT,
     offset = 0
   }) {
     try {
@@ -11922,7 +11960,7 @@ var McpGQLClient = class {
   }
   async getReportFixesPaginated({
     reportId,
-    limit = 3,
+    limit = MCP_DEFAULT_LIMIT,
     offset = 0,
     issueType,
     severity
@@ -12012,6 +12050,11 @@ async function createAuthenticatedMcpGQLClient({
   return new McpGQLClient({ apiKey: newApiToken, type: "apiKey" });
 }
 
+// src/mcp/tools/toolNames.ts
+var MCP_TOOL_CHECK_FOR_NEW_AVAILABLE_FIXES = "check_for_new_available_fixes";
+var MCP_TOOL_FETCH_AVAILABLE_FIXES = "fetch_available_fixes";
+var MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES = "scan_and_fix_vulnerabilities";
+
 // src/mcp/core/ToolRegistry.ts
 var ToolRegistry = class {
   constructor() {
@@ -12383,6 +12426,47 @@ function friendlyType(s) {
 }
 var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
 `;
+var noFixesReturnedForParametersWithGuidance = ({
+  offset,
+  limit,
+  totalCount,
+  currentTool
+}) => `## No Fixes Returned for Current Parameters
+
+**\u{1F4C4} Current Request:**
+- **Page:** ${Math.floor(offset / limit) + 1}
+- **Offset:** ${offset}
+- **Limit:** ${limit}
+
+**\u274C Result:** No fixes returned for the given offset and limit parameters.
+
+**\u2139\uFE0F Available Fixes:** ${totalCount} total fixes are available, but your current offset (${offset}) is beyond the available range.
+
+**\u2705 How to Get the Fixes:**
+
+To retrieve the available fixes, use one of these approaches:
+
+1. **Start from the beginning:**
+   \`\`\`
+   offset: 0
+   \`\`\`
+
+2. **Go to the first page:**
+   \`\`\`
+   offset: 0
+   limit: ${limit}
+   \`\`\`
+
+3. **Get all fixes at once:**
+   \`\`\`
+   offset: 0
+   limit: ${totalCount}
+   \`\`\`
+
+**\u{1F4CB} Valid offset range:** 0 to ${Math.max(0, totalCount - 1)}
+
+To fetch the fixes, run the \`${currentTool}\` tool again with the corrected parameters.
+`;
 var applyFixesPrompt = ({
   fixes,
   hasMore,
@@ -12390,11 +12474,22 @@ var applyFixesPrompt = ({
   nextOffset,
   shownCount,
   currentTool,
-  offset = 0
+  offset,
+  limit
 }) => {
   if (fixes.length === 0) {
+    if (totalCount > 0) {
+      return noFixesReturnedForParametersWithGuidance({
+        offset,
+        limit,
+        totalCount,
+        currentTool
+      });
+    }
     return noFixesReturnedForParameters;
   }
+  const currentPage = Math.floor(offset / limit) + 1;
+  const totalPages = Math.ceil(totalCount / limit);
   const fixList = fixes.map((fix) => {
     const vulnerabilityType = friendlyType(fix.safeIssueType);
     const vulnerabilityDescription = fix.patchAndQuestions?.__typename === "FixData" ? fix.patchAndQuestions.extraContext?.fixDescription : void 0;
@@ -12448,6 +12543,12 @@ If you cannot apply a patch:
 
 # SECURITY FIXES TO APPLY
 
+## \u{1F4C4} Pagination Info
+- **Page:** ${currentPage} of ${totalPages}
+- **Offset:** ${offset}
+- **Limit:** ${limit}
+- **Showing:** ${shownCount} of ${totalCount} total fixes
+
 ${fixList.map(
     (fix, index) => `
 ## Fix ${offset + index + 1}: ${fix.vulnerabilityType}
@@ -12485,9 +12586,9 @@ You have viewed ${shownCount} out of ${totalCount} available fixes.
 To fetch additional fixes, run the \`${currentTool}\` tool again with the following parameters:
 
 - **offset**: ${nextOffset}  _(start index for the next batch)_
-- **limit**:  <number_of_fixes_to_return>  _(optional \u2013 default is 3)_
+- **limit**:  <number_of_fixes_to_return>  _(optional \u2013 default is ${MCP_DEFAULT_LIMIT})_
 
-If you omit both **offset** and **limit**, the command will automatically return the next 3 fixes.
+If you omit both **offset** and **limit**, the command will automatically return the next ${MCP_DEFAULT_LIMIT} fixes.
 ` : ""}
 `;
 };
@@ -12544,7 +12645,8 @@ var noFixesAvailablePrompt = `There are no fixes available for this repository a
 `;
 var fixesFoundPrompt = ({
   fixReport,
-  offset
+  offset,
+  limit
 }) => {
   const totalFixes = fixReport.filteredFixesCount.aggregate?.count || 0;
   if (totalFixes === 0) {
@@ -12585,10 +12687,11 @@ ${applyFixesPrompt({
     fixes: fixReport.fixes,
     totalCount: totalFixes,
     hasMore,
-    nextOffset: 0,
+    nextOffset,
     shownCount: fixReport.fixes.length,
     currentTool: MCP_TOOL_FETCH_AVAILABLE_FIXES,
-    offset
+    offset,
+    limit
   })}`;
 };
 var nextStepsPrompt = ({ scannedFiles }) => `
@@ -12625,7 +12728,8 @@ var fixesPrompt = ({
   fixes,
   totalCount,
   offset,
-  scannedFiles
+  scannedFiles,
+  limit
 }) => {
   if (totalCount === 0) {
     return noFixesFoundPrompt({ scannedFiles });
@@ -12642,7 +12746,8 @@ ${applyFixesPrompt({
     nextOffset,
     shownCount,
     currentTool: MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES,
-    offset
+    offset,
+    limit
   })}
 
 ${nextStepsPrompt({ scannedFiles })}
@@ -12650,7 +12755,10 @@ ${nextStepsPrompt({ scannedFiles })}
 };
 var noFreshFixesPrompt = `No fresh fixes available for this repository at this time. No user message needed. Do not show any comments to the user.`;
 var initialScanInProgressPrompt = `Initial scan is still in progress. No user message needed. Do not show any comments to the user.`;
-var freshFixesPrompt = ({ fixes }) => {
+var freshFixesPrompt = ({
+  fixes,
+  limit
+}) => {
   return `Here are the fresh fixes to the vulnerabilities discovered by Mobb MCP
 
 ${applyFixesPrompt({
@@ -12660,7 +12768,8 @@ ${applyFixesPrompt({
     nextOffset: 0,
     shownCount: fixes.length,
     currentTool: MCP_TOOL_FETCH_AVAILABLE_FIXES,
-    offset: 0
+    offset: 0,
+    limit
   })}
 `;
 };
@@ -12859,7 +12968,11 @@ var FileOperations = class {
 };
 
 // src/mcp/services/ScanFiles.ts
-var scanFiles = async (fileList, repositoryPath, gqlClient) => {
+var scanFiles = async ({
+  fileList,
+  repositoryPath,
+  gqlClient
+}) => {
   const repoUploadInfo = await initializeSecurityReport(gqlClient);
   const fixReportId = repoUploadInfo.fixReportId;
   const fileOperations = new FileOperations();
@@ -12870,7 +12983,17 @@ var scanFiles = async (fileList, repositoryPath, gqlClient) => {
   );
   await uploadSourceCodeArchive(packingResult.archive, repoUploadInfo);
   const projectId = await getProjectId(gqlClient);
-  await executeSecurityScan({ fixReportId, projectId, gqlClient });
+  const gitService = new GitService(repositoryPath);
+  const { branch } = await gitService.getCurrentCommitAndBranch();
+  const repoUrl = await gitService.getRemoteUrl();
+  await executeSecurityScan({
+    fixReportId,
+    projectId,
+    gqlClient,
+    repoUrl: repoUrl || "",
+    branchName: branch || "no-branch",
+    sha: "0123456789abcdef"
+  });
   return {
     fixReportId,
     projectId
@@ -12925,7 +13048,10 @@ var getProjectId = async (gqlClient) => {
 var executeSecurityScan = async ({
   fixReportId,
   projectId,
-  gqlClient
+  gqlClient,
+  repoUrl,
+  branchName,
+  sha
 }) => {
   if (!gqlClient) {
     throw new GqlClientError();
@@ -12934,11 +13060,15 @@ var executeSecurityScan = async ({
   const submitVulnerabilityReportVariables = {
     fixReportId,
     projectId,
-    repoUrl: "",
-    reference: "no-branch",
-    scanSource: "MCP" /* Mcp */
+    repoUrl,
+    reference: branchName,
+    scanSource: "MCP" /* Mcp */,
+    sha
   };
   logInfo("Submitting vulnerability report");
+  logDebug("Submit vulnerability report variables", {
+    submitVulnerabilityReportVariables
+  });
   const submitRes = await gqlClient.submitVulnerabilityReport(
     submitVulnerabilityReportVariables
   );
@@ -13041,11 +13171,11 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
       return;
     }
     logDebug("Files requiring security scan", { filesToScan });
-    const { fixReportId, projectId } = await scanFiles(
-      filesToScan.map((file) => file.relativePath),
-      path13,
-      this.gqlClient
-    );
+    const { fixReportId, projectId } = await scanFiles({
+      fileList: filesToScan.map((file) => file.relativePath),
+      repositoryPath: path13,
+      gqlClient: this.gqlClient
+    });
     logInfo(
       `Security scan completed for ${path13} reportId: ${fixReportId} projectId: ${projectId}`
     );
@@ -13136,10 +13266,10 @@ var _CheckForNewAvailableFixesService = class _CheckForNewAvailableFixesService
     });
   }
   generateFreshFixesResponse() {
-    const freshFixes = this.freshFixes.splice(0, 3);
+    const freshFixes = this.freshFixes.splice(0, MCP_DEFAULT_LIMIT);
     if (freshFixes.length > 0) {
       this.reportedFixes.push(...freshFixes);
-      return freshFixesPrompt({ fixes: freshFixes });
+      return freshFixesPrompt({ fixes: freshFixes, limit: MCP_DEFAULT_LIMIT });
     }
     return noFreshFixesPrompt;
   }
@@ -13238,7 +13368,7 @@ var _FetchAvailableFixesService = class _FetchAvailableFixesService {
   }
   async checkForAvailableFixes({
     repoUrl,
-    limit = 3,
+    limit = MCP_DEFAULT_LIMIT,
     offset
   }) {
     try {
@@ -13270,7 +13400,8 @@ var _FetchAvailableFixesService = class _FetchAvailableFixesService {
       logInfo(`Successfully retrieved available fixes for ${repoUrl}`);
       const prompt = fixesFoundPrompt({
         fixReport,
-        offset: effectiveOffset
+        offset: effectiveOffset,
+        limit
       });
       this.currentOffset = effectiveOffset + (fixReport.fixes?.length || 0);
       return prompt;
@@ -13435,21 +13566,22 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
         logInfo("Scanning files");
         this.reset();
         this.validateFiles(fileList);
-        const scanResult = await scanFiles(
+        const scanResult = await scanFiles({
           fileList,
           repositoryPath,
-          this.gqlClient
-        );
+          gqlClient: this.gqlClient
+        });
         fixReportId = scanResult.fixReportId;
       } else {
         logInfo("Using stored fixReportId");
       }
       const effectiveOffset = offset ?? (this.currentOffset || 0);
+      const effectiveLimit = limit ?? MCP_DEFAULT_LIMIT;
       logDebug("effectiveOffset", { effectiveOffset });
       const fixes = await this.getReportFixes(
         fixReportId,
         effectiveOffset,
-        limit
+        effectiveLimit
       );
       logInfo(`Found ${fixes.totalCount} fixes`);
       if (fixes.totalCount > 0) {
@@ -13462,7 +13594,8 @@ var _ScanAndFixVulnerabilitiesService = class _ScanAndFixVulnerabilitiesService
         fixes: fixes.fixes,
         totalCount: fixes.totalCount,
         offset: effectiveOffset,
-        scannedFiles: [...fileList]
+        scannedFiles: [...fileList],
+        limit: effectiveLimit
       });
       this.currentOffset = effectiveOffset + (fixes.fixes?.length || 0);
       return prompt;
@@ -13625,7 +13758,7 @@ Example payload:
     try {
       const fixResult = await this.vulnerabilityFixService.processVulnerabilities({
         fileList: files.map((file) => file.relativePath),
-        repositoryPath: args.path,
+        repositoryPath: path13,
         offset: args.offset,
         limit: args.limit,
         isRescan: args.rescan || !!args.maxFiles

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.116",
+  "version": "1.0.118",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",