npm - mobbdev - Versions diffs - 1.0.13 → 1.0.15 - Mend

mobbdev 1.0.13 → 1.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.mjs +100 -21
package/package.json +8 -8

package/dist/index.mjs CHANGED Viewed

@@ -592,8 +592,8 @@ var GitReferenceDocument = `
 }
     `;
 var AutoPrAnalysisDocument = `
-    mutation autoPrAnalysis($analysisId: String!) {
-  autoPrAnalysis(analysisId: $analysisId) {
+    mutation autoPrAnalysis($analysisId: String!, $commitDirectly: Boolean) {
+  autoPrAnalysis(analysisId: $analysisId, sameBranchCommit: $commitDirectly) {
     __typename
     ... on AutoPrSuccess {
       status
@@ -1742,7 +1742,10 @@ var fixDetailsData = {
   },
   ["STRING_FORMAT_MISUSE" /* StringFormatMisuse */]: void 0,
   ["NON_READONLY_FIELD" /* NonReadonlyField */]: void 0,
-  ["CSRF" /* Csrf */]: void 0,
+  ["CSRF" /* Csrf */]: {
+    issueDescription: "Cross Site Request Forgery is an attack that forces an end user to execute unwanted actions on a web application in which they\u2019re currently authenticated.",
+    fixInstructions: "Configure a CSRF protection mechanism, such as a CSRF token, in your application."
+  },
   ["WEAK_ENCRYPTION" /* WeakEncryption */]: void 0,
   ["CODE_IN_COMMENT" /* CodeInComment */]: void 0,
   ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: void 0
@@ -1873,6 +1876,17 @@ var vulnerabilities2 = {
 };
 var java_default = vulnerabilities2;
+// src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
+var csrf = {
+  guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
+If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
+See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
+};
 // src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
 var hardcodedSecrets = {
   guidance: ({ questions }) => {
@@ -1907,7 +1921,8 @@ var vulnerabilities3 = {
   ["SSRF" /* Ssrf */]: ssrf,
   ["HARDCODED_SECRETS" /* HardcodedSecrets */]: hardcodedSecrets,
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
-  ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling
+  ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling,
+  ["CSRF" /* Csrf */]: csrf
 };
 var javascript_default = vulnerabilities3;
@@ -1936,7 +1951,8 @@ See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
 var vulnerabilities5 = {
-  ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: autoEscapeFalse
+  ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: autoEscapeFalse,
+  ["CSRF" /* Csrf */]: csrf
 };
 var python_default = vulnerabilities5;
@@ -2740,6 +2756,15 @@ var vulnerabilities9 = {
 };
 var java_default2 = vulnerabilities9;
+// src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
+var csrf2 = {
+  isPythonDjangoTemplate: {
+    content: () => "Is the reported file Python Django template?",
+    description: () => "",
+    guidance: () => ""
+  }
+};
 // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
 var commandInjection2 = {
   isCommandExecutable: {
@@ -3046,10 +3071,44 @@ var vulnerabilities10 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition2,
   ["NO_LIMITS_OR_THROTTLING" /* NoLimitsOrThrottling */]: noLimitsOrThrottling2,
   ["MISSING_CSP_HEADER" /* MissingCspHeader */]: cspHeaderValue,
-  ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml
+  ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
+  ["CSRF" /* Csrf */]: csrf2
 };
 var js_default = vulnerabilities10;
+// src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
+var logForging4 = {
+  isHtmlDisplay: {
+    content: () => "Is the text written to the log going to be displayed as HTML?",
+    description: () => "",
+    guidance: ({ userInputValue }) => {
+      switch (userInputValue) {
+        case "yes":
+          return "We use `html.escape` to decode the HTML";
+        default:
+          return "";
+      }
+    }
+  }
+};
+// src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
+var openRedirect2 = {
+  allowed_hosts: {
+    content: () => "Allowed domains/paths",
+    description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
+    guidance: () => ""
+  }
+};
+// src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
+var vulnerabilities11 = {
+  ["CSRF" /* Csrf */]: csrf2,
+  ["LOG_FORGING" /* LogForging */]: logForging4,
+  ["LOG_FORGING" /* LogForging */]: openRedirect2
+};
+var python_default2 = vulnerabilities11;
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
 var unboundedOccurrences = {
   maxOccursLimit: {
@@ -3062,10 +3121,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities11;
+var xml_default2 = vulnerabilities12;
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z7.object({
@@ -3077,7 +3136,8 @@ var languages2 = {
   ["Java" /* Java */]: java_default2,
   ["JavaScript" /* JavaScript */]: js_default,
   ["XML" /* Xml */]: xml_default2,
-  ["CSharp" /* CSharp */]: csharp_default2
+  ["CSharp" /* CSharp */]: csharp_default2,
+  ["Python" /* Python */]: python_default2
 };
 var storedQuestionData_default = languages2;
@@ -3205,6 +3265,8 @@ function getGuidances(args) {
 // src/features/analysis/scm/shared/src/urlParser/urlParser.ts
 import { z as z9 } from "zod";
+var ADO_PREFIX_PATH = "tfs";
+var NAME_REGEX = /[a-z0-9\-_.+]+/i;
 function detectAdoUrl(args) {
   const { pathname, hostname, scmType } = args;
   const hostnameParts = hostname.split(".");
@@ -3373,10 +3435,6 @@ function getFixUrl({
   return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
 }
-// src/features/analysis/scm/shared/src/index.ts
-var NAME_REGEX = /[a-z0-9\-_.+]+/i;
-var ADO_PREFIX_PATH = "tfs";
 // src/features/analysis/scm/types.ts
 var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
   ReferenceType2["BRANCH"] = "BRANCH";
@@ -6959,7 +7017,7 @@ async function addFixCommentsForPr({
 import Debug8 from "debug";
 var debug8 = Debug8("mobbdev:handleAutoPr");
 async function handleAutoPr(params) {
-  const { gqlClient, analysisId, createSpinner: createSpinner5 } = params;
+  const { gqlClient, analysisId, commitDirectly, createSpinner: createSpinner5 } = params;
   const createAutoPrSpinner = createSpinner5(
     "\u{1F504} Waiting for the analysis to finish before initiating automatic pull request creation"
   ).start();
@@ -6968,7 +7026,10 @@ async function handleAutoPr(params) {
       analysisId
     },
     callback: async (analysisId2) => {
-      const autoPrAnalysisRes = await gqlClient.autoPrAnalysis(analysisId2);
+      const autoPrAnalysisRes = await gqlClient.autoPrAnalysis(
+        analysisId2,
+        commitDirectly
+      );
       debug8("auto pr analysis res %o", autoPrAnalysisRes);
       if (autoPrAnalysisRes.autoPrAnalysis?.__typename === "AutoPrError") {
         createAutoPrSpinner.error({
@@ -7424,9 +7485,10 @@ var GQLClient = class {
     }
     return res.analysis;
   }
-  async autoPrAnalysis(analysisId) {
+  async autoPrAnalysis(analysisId, commitDirectly) {
     return this._clientSdk.autoPrAnalysis({
-      analysisId
+      analysisId,
+      commitDirectly
     });
   }
   async getFixes(fixIds) {
@@ -8050,7 +8112,8 @@ async function _scan(params, { skipPrompts = false } = {}) {
     githubToken: githubActionToken,
     command,
     organizationId: userOrganizationId,
-    autoPr
+    autoPr,
+    commitDirectly
   } = params;
   debug15("start %s %s", dirname, repo);
   const { createSpinner: createSpinner5 } = Spinner2({ ci });
@@ -8189,6 +8252,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     await handleAutoPr({
       gqlClient,
       analysisId: reportUploadInfo.fixReportId,
+      commitDirectly,
       createSpinner: createSpinner5
     });
   }
@@ -8354,6 +8418,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
       await handleAutoPr({
         gqlClient,
         analysisId: reportUploadInfo.fixReportId,
+        commitDirectly,
         createSpinner: createSpinner5
       });
     }
@@ -8459,7 +8524,8 @@ async function analyze({
   srcPath,
   mobbProjectName,
   organizationId,
-  autoPr
+  autoPr,
+  commitDirectly
 }, { skipPrompts = false } = {}) {
   !ci && await showWelcomeMessage(skipPrompts);
   await runAnalysis(
@@ -8474,7 +8540,8 @@ async function analyze({
       srcPath,
       organizationId,
       command: "analyze",
-      autoPr
+      autoPr,
+      commitDirectly
     },
     { skipPrompts }
   );
@@ -8675,6 +8742,13 @@ var autoPrOption = {
   type: "boolean",
   default: false
 };
+var commitDirectlyOption = {
+  describe: chalk6.bold(
+    "Commit directly to the scanned branch instead of creating a pull request"
+  ),
+  type: "boolean",
+  default: false
+};
 var scmTypeOption = {
   demandOption: true,
   describe: chalk6.bold("SCM type"),
@@ -8779,7 +8853,7 @@ function analyzeBuilder(yargs2) {
     alias: "commit-hash",
     describe: chalk8.bold("Hash of the commit"),
     type: "string"
-  }).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("org", organizationIdOptions).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).option("auto-pr", autoPrOption).example(
+  }).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("org", organizationIdOptions).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).option("auto-pr", autoPrOption).option("commit-directly", commitDirectlyOption).example(
     "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
     "analyze an existing repository"
   ).help();
@@ -8799,6 +8873,11 @@ Can't access ${chalk8.bold(argv.f)}`);
   if (argv.ci && !argv.apiKey) {
     throw new CliError("--ci flag requires --api-key to be provided as well");
   }
+  if (argv.commitDirectly && !argv["auto-pr"]) {
+    throw new CliError(
+      "--commit-directly flag requires --auto-pr to be provided as well"
+    );
+  }
   validateReportFileFormat(argv.f);
 }
 async function analyzeHandler(args) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",
@@ -29,9 +29,9 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@gitbeaker/core": "41.3.0",
-    "@gitbeaker/requester-utils": "41.3.0",
-    "@gitbeaker/rest": "41.3.0",
+    "@gitbeaker/core": "42.0.2",
+    "@gitbeaker/requester-utils": "42.0.2",
+    "@gitbeaker/rest": "42.0.2",
     "@octokit/core": "5.2.0",
     "@octokit/graphql": "5.0.6",
     "@octokit/plugin-rest-endpoint-methods": "7.2.3",
@@ -51,7 +51,7 @@
     "graphql": "16.10.0",
     "graphql-request": "6.1.0",
     "graphql-tag": "2.12.6",
-    "graphql-ws": "5.16.0",
+    "graphql-ws": "5.16.2",
     "inquirer": "9.2.23",
     "isomorphic-ws": "5.0.0",
     "istextorbinary": "6.0.0",
@@ -63,7 +63,7 @@
     "parse-diff": "0.11.1",
     "semver": "7.6.3",
     "simple-git": "3.27.0",
-    "snyk": "1.1294.3",
+    "snyk": "1.1295.0",
     "supports-color": "9.4.0",
     "tar": "6.2.1",
     "tmp": "0.2.3",
@@ -79,7 +79,7 @@
     "@graphql-codegen/typescript-graphql-request": "6.2.0",
     "@graphql-codegen/typescript-operations": "4.4.0",
     "@octokit/request-error": "3.0.3",
-    "@octokit/types": "13.6.2",
+    "@octokit/types": "13.7.0",
     "@types/adm-zip": "0.5.7",
     "@types/chalk-animation": "1.6.3",
     "@types/configstore": "6.0.2",
@@ -97,7 +97,7 @@
     "@vitest/ui": "2.1.8",
     "eslint": "8.57.0",
     "eslint-plugin-import": "2.31.0",
-    "eslint-plugin-prettier": "5.2.1",
+    "eslint-plugin-prettier": "5.2.2",
     "eslint-plugin-simple-import-sort": "10.0.0",
     "prettier": "3.4.2",
     "tsup": "7.2.0",