mobbdev 1.0.51 → 1.0.58

package/dist/index.mjs

@@ -25,7 +25,7 @@ import chalk10 from "chalk";
 import yargs from "yargs/yargs";
 
 // src/args/commands/analyze.ts
-import fs5 from "node:fs";
+import fs4 from "node:fs";
 
 // src/commands/index.ts
 import crypto from "node:crypto";
@@ -123,6 +123,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["DefaultRightsInObjDefinition"] = "DEFAULT_RIGHTS_IN_OBJ_DEFINITION";
   IssueType_Enum2["DeprecatedFunction"] = "DEPRECATED_FUNCTION";
   IssueType_Enum2["DosStringBuilder"] = "DOS_STRING_BUILDER";
+  IssueType_Enum2["DuplicatedStrings"] = "DUPLICATED_STRINGS";
   IssueType_Enum2["ErroneousStringCompare"] = "ERRONEOUS_STRING_COMPARE";
   IssueType_Enum2["ErrorCondtionWithoutAction"] = "ERROR_CONDTION_WITHOUT_ACTION";
   IssueType_Enum2["FrameableLoginPage"] = "FRAMEABLE_LOGIN_PAGE";
@@ -191,6 +192,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["WcfMisconfigurationThrottlingNotEnabled"] = "WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED";
   IssueType_Enum2["WeakEncryption"] = "WEAK_ENCRYPTION";
   IssueType_Enum2["WeakXmlSchemaUnboundedOccurrences"] = "WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES";
+  IssueType_Enum2["WebsocketMissingOriginCheck"] = "WEBSOCKET_MISSING_ORIGIN_CHECK";
   IssueType_Enum2["Xss"] = "XSS";
   IssueType_Enum2["Xxe"] = "XXE";
   IssueType_Enum2["ZipSlip"] = "ZIP_SLIP";
@@ -896,6 +898,7 @@ var FixPageFixReportZ = z3.object({
 });
 
 // src/features/analysis/scm/shared/src/types/issue.ts
+var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES = 1e5;
 var category = {
   NoFix: "NoFix",
   Unsupported: "Unsupported",
@@ -917,6 +920,10 @@ var BaseIssuePartsZ = z4.object({
   createdAt: z4.string(),
   parsedSeverity: ParsedSeverityZ,
   category: ValidCategoriesZ,
+  extraData: z4.object({
+    missing_files: z4.string().array().nullish(),
+    error_files: z4.string().array().nullish()
+  }),
   vulnerabilityReportIssueTags: z4.array(
     z4.object({
       tag: z4.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
@@ -929,7 +936,35 @@ var BaseIssuePartsZ = z4.object({
       index: z4.number()
     })
   ).transform((nodes) => nodes.sort((a, b) => b.index - a.index)),
-  fix: FixPartsForFixScreenZ.nullish()
+  sourceCodeNodes: z4.array(
+    z4.object({
+      sourceCodeFile: z4.object({
+        path: z4.string(),
+        signedFile: z4.object({
+          url: z4.string()
+        })
+      })
+    }).transform(async ({ sourceCodeFile }) => {
+      const { url } = sourceCodeFile.signedFile;
+      const sourceCodeRes = await fetch(url);
+      if (Number(sourceCodeRes.headers.get("Content-Length")) > MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES) {
+        return null;
+      }
+      return {
+        path: sourceCodeFile.path,
+        fileContent: await sourceCodeRes.text()
+      };
+    })
+  ).transform((nodes) => nodes.filter((node) => node !== null)),
+  fix: FixPartsForFixScreenZ.nullish(),
+  vulnerabilityReportIssueNodeDiffFile: z4.object({
+    signedFile: z4.object({
+      url: z4.string()
+    }).transform(async ({ url }) => {
+      const codeDiff = await fetch(url).then((res) => res.text());
+      return { codeDiff };
+    })
+  }).nullish()
 });
 var FalsePositivePartsZ = z4.object({
   extraContext: z4.array(z4.object({ key: z4.string(), value: z4.string() })),
@@ -1071,7 +1106,9 @@ var issueTypeMap = {
   ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: "Regex Missing Timeout",
   ["FRAMEABLE_LOGIN_PAGE" /* FrameableLoginPage */]: "Frameable Login Page",
   ["USE_OF_HARD_CODED_CRYPTOGRAPHIC_KEY" /* UseOfHardCodedCryptographicKey */]: "Use of Hardcoded Cryptographic Key",
-  ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: "Missing SSL MinVersion"
+  ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: "Missing SSL MinVersion",
+  ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: "Missing Websocket Origin Check",
+  ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: "String Literals Should not Be Duplicated"
 };
 var issueTypeZ = z5.nativeEnum(IssueType_Enum);
 var getIssueTypeFriendlyString = (issueType) => {
@@ -1574,9 +1611,9 @@ var progressMassages = {
 var VUL_REPORT_DIGEST_TIMEOUT_MS = 1e3 * 60 * 30;
 
 // src/features/analysis/index.ts
-import fs4 from "node:fs";
+import fs3 from "node:fs";
 import fsPromises from "node:fs/promises";
-import path7 from "node:path";
+import path6 from "node:path";
 import { env as env2 } from "node:process";
 import { pipeline } from "node:stream/promises";
 
@@ -1690,8 +1727,8 @@ import extract from "extract-zip";
 import { createSpinner as createSpinner4 } from "nanospinner";
 import fetch4 from "node-fetch";
 import open2 from "open";
-import tmp2 from "tmp";
-import { z as z31 } from "zod";
+import tmp from "tmp";
+import { z as z29 } from "zod";
 
 // src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
 import Debug8 from "debug";
@@ -1975,7 +2012,9 @@ var fixDetailsData = {
   ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: void 0,
   ["FRAMEABLE_LOGIN_PAGE" /* FrameableLoginPage */]: void 0,
   ["USE_OF_HARD_CODED_CRYPTOGRAPHIC_KEY" /* UseOfHardCodedCryptographicKey */]: void 0,
-  ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: void 0
+  ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: void 0,
+  ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: void 0,
+  ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -2546,10 +2585,20 @@ var missingSslMinversion = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
+var websocketMissingOriginCheck = {
+  minTlsVersion: {
+    content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
+    description: () => "",
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 var vulnerabilities10 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
-  ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion
+  ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
+  ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
 var go_default2 = vulnerabilities10;
 
@@ -2613,6 +2662,15 @@ var confusingNaming = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
+var duplicatedStrings = {
+  constantName: {
+    content: () => "New constant name",
+    description: () => "",
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
 var erroneousStringCompare = {
   javaVersionGreaterOrEqual17: {
@@ -3009,7 +3067,8 @@ var vulnerabilities11 = {
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
-  ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare
+  ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
+  ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
 var java_default2 = vulnerabilities11;
 
@@ -3826,17 +3885,9 @@ import { z as z15 } from "zod";
 var EnvVariablesZod = z15.object({
   GITLAB_API_TOKEN: z15.string().optional(),
   GITHUB_API_TOKEN: z15.string().optional(),
-  GIT_COMMITTER_EMAIL: z15.string().optional(),
-  GIT_COMMITTER_NAME: z15.string().optional(),
   GIT_PROXY_HOST: z15.string()
 });
-var {
-  GITLAB_API_TOKEN,
-  GITHUB_API_TOKEN,
-  GIT_PROXY_HOST,
-  GIT_COMMITTER_EMAIL,
-  GIT_COMMITTER_NAME
-} = EnvVariablesZod.parse(process.env);
+var { GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
 
 // src/features/analysis/scm/utils/index.ts
 import { z as z16 } from "zod";
@@ -4387,7 +4438,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin2 = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path9 = [
+      const path8 = [
         prefixPath,
         owner,
         projectName,
@@ -4398,7 +4449,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path9}?${params2}`, origin2).toString();
+      return new URL(`${path8}?${params2}`, origin2).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -4622,112 +4673,7 @@ async function getAdoRepoList({
 import { setTimeout as setTimeout2 } from "node:timers/promises";
 
 // src/features/analysis/scm/scmSubmit/index.ts
-import fs2 from "node:fs/promises";
-import parseDiff from "parse-diff";
-import path4 from "path";
 import { simpleGit } from "simple-git";
-import tmp from "tmp";
-import { z as z20 } from "zod";
-
-// src/features/analysis/scm/scmSubmit/types.ts
-import { z as z19 } from "zod";
-var BaseSubmitToScmMessageZ = z19.object({
-  submitFixRequestId: z19.string().uuid(),
-  fixes: z19.array(
-    z19.object({
-      fixId: z19.string().uuid(),
-      patchesOriginalEncodingBase64: z19.array(z19.string()),
-      patches: z19.array(z19.string())
-    })
-  ),
-  commitHash: z19.string(),
-  repoUrl: z19.string(),
-  mobbUserEmail: z19.string(),
-  extraHeaders: z19.record(z19.string(), z19.string()).default({})
-});
-var submitToScmMessageType = {
-  commitToSameBranch: "commitToSameBranch",
-  submitFixesForDifferentBranch: "submitFixesForDifferentBranch"
-};
-var CommitToSameBranchParamsZ = BaseSubmitToScmMessageZ.merge(
-  z19.object({
-    type: z19.literal(submitToScmMessageType.commitToSameBranch),
-    branch: z19.string(),
-    commitMessages: z19.array(z19.string()),
-    commitDescriptions: z19.array(z19.string().nullish()),
-    githubCommentId: z19.number().nullish(),
-    prId: z19.number().nullish()
-  })
-);
-var SubmitFixesToDifferentBranchParamsZ = z19.object({
-  type: z19.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  submitBranch: z19.string(),
-  baseBranch: z19.string()
-}).merge(BaseSubmitToScmMessageZ);
-var SubmitFixesMessageZ = z19.union([
-  CommitToSameBranchParamsZ,
-  SubmitFixesToDifferentBranchParamsZ
-]);
-var FixResponseArrayZ = z19.array(
-  z19.object({
-    fixId: z19.string().uuid()
-  })
-);
-var SubmitFixesBaseResponseMessageZ = z19.object({
-  mobbUserEmail: z19.string(),
-  submitFixRequestId: z19.string().uuid(),
-  submitBranches: z19.array(
-    z19.object({
-      branchName: z19.string(),
-      fixes: FixResponseArrayZ
-    })
-  ),
-  error: z19.object({
-    type: z19.enum([
-      "InitialRepoAccessError",
-      "PushBranchError",
-      "AllFixesConflictWithTargetBranchError",
-      "InternalFixConflictError",
-      "UnknownError"
-    ]),
-    info: z19.object({
-      message: z19.string(),
-      pushBranchName: z19.string().optional()
-    })
-  }).optional()
-});
-var authorSchemaZ = z19.object({
-  email: z19.string(),
-  name: z19.string()
-}).nullable();
-var summarySchemaZ = z19.object({
-  changes: z19.number(),
-  insertions: z19.number(),
-  deletions: z19.number()
-});
-var GitCommitZ = z19.object({
-  author: authorSchemaZ,
-  branch: z19.string(),
-  commit: z19.string(),
-  root: z19.boolean(),
-  summary: summarySchemaZ
-});
-var SubmitFixesToSameBranchResponseMessageZ = z19.object({
-  type: z19.literal(submitToScmMessageType.commitToSameBranch),
-  githubCommentId: z19.number().nullish(),
-  commits: z19.array(GitCommitZ),
-  prId: z19.number().nullish()
-}).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixesToDifferentBranchResponseMessageZ = z19.object({
-  type: z19.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  githubCommentId: z19.number().optional()
-}).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixesResponseMessageZ = z19.discriminatedUnion("type", [
-  SubmitFixesToSameBranchResponseMessageZ,
-  SubmitFixesToDifferentBranchResponseMessageZ
-]);
-
-// src/features/analysis/scm/scmSubmit/index.ts
 var isValidBranchName = async (branchName) => {
   const git = simpleGit();
   try {
@@ -4740,12 +4686,6 @@ var isValidBranchName = async (branchName) => {
     return false;
   }
 };
-var FixesZ = z20.array(
-  z20.object({
-    fixId: z20.string(),
-    patchesOriginalEncodingBase64: z20.array(z20.string())
-  })
-).nonempty();
 
 // src/features/analysis/scm/scm.ts
 var SCMLib = class {
@@ -5007,33 +4947,33 @@ import querystring2 from "node:querystring";
 import * as bitbucketPkgNode from "bitbucket";
 import bitbucketPkg from "bitbucket";
 import Debug3 from "debug";
-import { z as z22 } from "zod";
+import { z as z20 } from "zod";
 
 // src/features/analysis/scm/bitbucket/validation.ts
-import { z as z21 } from "zod";
-var BitbucketAuthResultZ = z21.object({
-  access_token: z21.string(),
-  token_type: z21.string(),
-  refresh_token: z21.string()
+import { z as z19 } from "zod";
+var BitbucketAuthResultZ = z19.object({
+  access_token: z19.string(),
+  token_type: z19.string(),
+  refresh_token: z19.string()
 });
 
 // src/features/analysis/scm/bitbucket/bitbucket.ts
 var debug3 = Debug3("scm:bitbucket");
 var BITBUCKET_HOSTNAME = "bitbucket.org";
-var TokenExpiredErrorZ = z22.object({
-  status: z22.number(),
-  error: z22.object({
-    type: z22.string(),
-    error: z22.object({
-      message: z22.string()
+var TokenExpiredErrorZ = z20.object({
+  status: z20.number(),
+  error: z20.object({
+    type: z20.string(),
+    error: z20.object({
+      message: z20.string()
     })
   })
 });
 var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
-var BitbucketParseResultZ = z22.object({
-  organization: z22.string(),
-  repoName: z22.string(),
-  hostname: z22.literal(BITBUCKET_HOSTNAME)
+var BitbucketParseResultZ = z20.object({
+  organization: z20.string(),
+  repoName: z20.string(),
+  hostname: z20.literal(BITBUCKET_HOSTNAME)
 });
 function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
   const parsedGitHubUrl = normalizeUrl(bitbucketUrl);
@@ -5094,7 +5034,7 @@ function getBitbucketSdk(params) {
       if (!res.data.values) {
         return [];
       }
-      return res.data.values.filter((branch) => !!branch.name).map((branch) => z22.string().parse(branch.name));
+      return res.data.values.filter((branch) => !!branch.name).map((branch) => z20.string().parse(branch.name));
     },
     async getIsUserCollaborator(params2) {
       const { repoUrl } = params2;
@@ -5209,7 +5149,7 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: tagRes.data.target?.hash,
         type: "TAG" /* TAG */,
-        date: new Date(z22.string().parse(tagRes.data.target?.date))
+        date: new Date(z20.string().parse(tagRes.data.target?.date))
       });
     },
     async getBranchRef(params2) {
@@ -5217,7 +5157,7 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: getBranchRes.target?.hash,
         type: "BRANCH" /* BRANCH */,
-        date: new Date(z22.string().parse(getBranchRes.target?.date))
+        date: new Date(z20.string().parse(getBranchRes.target?.date))
       });
     },
     async getCommitRef(params2) {
@@ -5225,13 +5165,13 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: getCommitRes.hash,
         type: "COMMIT" /* COMMIT */,
-        date: new Date(z22.string().parse(getCommitRes.date))
+        date: new Date(z20.string().parse(getCommitRes.date))
       });
     },
     async getDownloadUrl({ url, sha }) {
       this.getReferenceData({ ref: sha, url });
       const repoRes = await this.getRepo({ repoUrl: url });
-      const parsedRepoUrl = z22.string().url().parse(repoRes.links?.html?.href);
+      const parsedRepoUrl = z20.string().url().parse(repoRes.links?.html?.href);
       return `${parsedRepoUrl}/get/${sha}.zip`;
     },
     async getPullRequest(params2) {
@@ -5296,7 +5236,7 @@ async function validateBitbucketParams(params) {
 }
 async function getUsersworkspacesSlugs(bitbucketClient) {
   const res = await bitbucketClient.workspaces.getWorkspaces({});
-  return res.data.values?.map((v) => z22.string().parse(v.slug));
+  return res.data.values?.map((v) => z20.string().parse(v.slug));
 }
 async function getllUsersrepositories(bitbucketClient) {
   const userWorspacesSlugs = await getUsersworkspacesSlugs(bitbucketClient);
@@ -5324,10 +5264,10 @@ async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
 
 // src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
 import { setTimeout as setTimeout3 } from "node:timers/promises";
-import { z as z23 } from "zod";
+import { z as z21 } from "zod";
 function getUserAndPassword(token) {
   const [username, password] = token.split(":");
-  const safePasswordAndUsername = z23.object({ username: z23.string(), password: z23.string() }).parse({ username, password });
+  const safePasswordAndUsername = z21.object({ username: z21.string(), password: z21.string() }).parse({ username, password });
   return {
     username: safePasswordAndUsername.username,
     password: safePasswordAndUsername.password
@@ -5399,7 +5339,7 @@ var BitbucketSCMLib = class extends SCMLib {
         return { username, password, authType };
       }
       case "token": {
-        return { authType, token: z23.string().parse(this.accessToken) };
+        return { authType, token: z21.string().parse(this.accessToken) };
       }
       case "public":
         return { authType };
@@ -5413,7 +5353,7 @@ var BitbucketSCMLib = class extends SCMLib {
           ...params,
           repoUrl: this.url
         });
-        return String(z23.number().parse(pullRequestRes.id));
+        return String(z21.number().parse(pullRequestRes.id));
       } catch (e) {
         console.warn(
           `error creating pull request for BB. Try number ${i + 1}`,
@@ -5498,7 +5438,7 @@ var BitbucketSCMLib = class extends SCMLib {
   async getUsername() {
     this._validateAccessToken();
     const res = await this.bitbucketSdk.getUser();
-    return z23.string().parse(res.username);
+    return z21.string().parse(res.username);
   }
   async getSubmitRequestStatus(_scmSubmitRequestId) {
     this._validateAccessTokenAndUrl();
@@ -5527,7 +5467,7 @@ var BitbucketSCMLib = class extends SCMLib {
   async getRepoDefaultBranch() {
     this._validateUrl();
     const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
-    return z23.string().parse(repoRes.mainbranch?.name);
+    return z21.string().parse(repoRes.mainbranch?.name);
   }
   getSubmitRequestUrl(submitRequestId) {
     this._validateUrl();
@@ -5558,7 +5498,7 @@ var BitbucketSCMLib = class extends SCMLib {
 };
 
 // src/features/analysis/scm/github/GithubSCMLib.ts
-import { z as z24 } from "zod";
+import { z as z22 } from "zod";
 var GithubSCMLib = class extends SCMLib {
   // we don't always need a url, what's important is that we have an access token
   constructor(url, accessToken, scmOrg) {
@@ -5659,7 +5599,7 @@ var GithubSCMLib = class extends SCMLib {
       owner,
       repo
     });
-    return z24.string().parse(prRes.data);
+    return z22.string().parse(prRes.data);
   }
   async getRepoList(_scmOrg) {
     this._validateAccessToken();
@@ -5723,11 +5663,11 @@ var GithubSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path9) {
+  async getRepoBlameRanges(ref, path8) {
     this._validateUrl();
     return await this.githubSdk.getGithubBlameRanges({
       ref,
-      path: path9,
+      path: path8,
       gitHubUrl: this.url
     });
   }
@@ -5821,11 +5761,11 @@ import {
 } from "undici";
 
 // src/features/analysis/scm/gitlab/types.ts
-import { z as z25 } from "zod";
-var GitlabAuthResultZ = z25.object({
-  access_token: z25.string(),
-  token_type: z25.string(),
-  refresh_token: z25.string()
+import { z as z23 } from "zod";
+var GitlabAuthResultZ = z23.object({
+  access_token: z23.string(),
+  token_type: z23.string(),
+  refresh_token: z23.string()
 });
 
 // src/features/analysis/scm/gitlab/gitlab.ts
@@ -6123,13 +6063,13 @@ function parseGitlabOwnerAndRepo(gitlabUrl) {
   const { organization, repoName, projectPath } = parsingResult;
   return { owner: organization, repo: repoName, projectPath };
 }
-async function getGitlabBlameRanges({ ref, gitlabUrl, path: path9 }, options) {
+async function getGitlabBlameRanges({ ref, gitlabUrl, path: path8 }, options) {
   const { projectPath } = parseGitlabOwnerAndRepo(gitlabUrl);
   const api2 = getGitBeaker({
     url: gitlabUrl,
     gitlabAuthToken: options?.gitlabAuthToken
   });
-  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path9, ref);
+  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path8, ref);
   let lineNumber = 1;
   return resp.filter((range) => range.lines).map((range) => {
     const oldLineNumber = lineNumber;
@@ -6315,10 +6255,10 @@ var GitlabSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path9) {
+  async getRepoBlameRanges(ref, path8) {
     this._validateUrl();
     return await getGitlabBlameRanges(
-      { ref, path: path9, gitlabUrl: this.url },
+      { ref, path: path8, gitlabUrl: this.url },
       {
         url: this.url,
         gitlabAuthToken: this.accessToken
@@ -6367,7 +6307,7 @@ var GitlabSCMLib = class extends SCMLib {
 };
 
 // src/features/analysis/scm/scmFactory.ts
-import { z as z26 } from "zod";
+import { z as z24 } from "zod";
 
 // src/features/analysis/scm/StubSCMLib.ts
 var StubSCMLib = class extends SCMLib {
@@ -6489,7 +6429,7 @@ async function createScmLib({ url, accessToken, scmType, scmOrg }, { propagateEx
     if (e instanceof InvalidRepoUrlError && url) {
       throw new RepoNoTokenAccessError(
         "no access to repo",
-        scmLibScmTypeToScmType[z26.nativeEnum(ScmLibScmType).parse(scmType)]
+        scmLibScmTypeToScmType[z24.nativeEnum(ScmLibScmType).parse(scmType)]
       );
     }
     console.error(`error validating scm: ${scmType} `, e);
@@ -6820,14 +6760,14 @@ function getGithubSdk(params = {}) {
       };
     },
     async getGithubBlameRanges(params2) {
-      const { ref, gitHubUrl, path: path9 } = params2;
+      const { ref, gitHubUrl, path: path8 } = params2;
       const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
       const res = await octokit.graphql(
         GET_BLAME_DOCUMENT,
         {
           owner,
           repo,
-          path: path9,
+          path: path8,
           ref
         }
       );
@@ -6970,8 +6910,8 @@ function getGithubSdk(params = {}) {
 
 // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
 import Debug7 from "debug";
-import parseDiff2 from "parse-diff";
-import { z as z28 } from "zod";
+import parseDiff from "parse-diff";
+import { z as z26 } from "zod";
 
 // src/features/analysis/utils/by_key.ts
 function keyBy(array, keyBy2) {
@@ -7043,7 +6983,7 @@ var scannerToFriendlyString = {
 
 // src/features/analysis/add_fix_comments_for_pr/utils/buildCommentBody.ts
 import Debug6 from "debug";
-import { z as z27 } from "zod";
+import { z as z25 } from "zod";
 var debug6 = Debug6("mobbdev:handle-finished-analysis");
 var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
 function buildCommentBody({
@@ -7077,11 +7017,11 @@ function buildCommentBody({
   });
   const issueType = getIssueTypeFriendlyString(fix.safeIssueType);
   const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
-  const validFixParseRes = z27.object({
+  const validFixParseRes = z25.object({
     patchAndQuestions: PatchAndQuestionsZ,
-    safeIssueLanguage: z27.nativeEnum(IssueLanguage_Enum),
-    severityText: z27.nativeEnum(Vulnerability_Severity_Enum),
-    safeIssueType: z27.nativeEnum(IssueType_Enum)
+    safeIssueLanguage: z25.nativeEnum(IssueLanguage_Enum),
+    severityText: z25.nativeEnum(Vulnerability_Severity_Enum),
+    safeIssueType: z25.nativeEnum(IssueType_Enum)
   }).safeParse(fix);
   if (!validFixParseRes.success) {
     debug6(
@@ -7182,7 +7122,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path9,
+    path: path8,
     startLine,
     vulnerabilityReportIssue: { fixId }
   } = vulnerabilityReportIssueCodeNode;
@@ -7198,7 +7138,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path9,
+    path: path8,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -7246,7 +7186,7 @@ ${summary.join("\n")}`;
 }
 async function getRelevantVulenrabilitiesFromDiff(params) {
   const { gqlClient, diff, vulnerabilityReportId } = params;
-  const parsedDiff = parseDiff2(diff);
+  const parsedDiff = parseDiff(diff);
   const fileHunks = parsedDiff.map((file) => {
     const fileNumbers = file.chunks.flatMap((chunk) => chunk.changes).filter((change) => change.type === "add").map((_change) => {
       const change = _change;
@@ -7254,7 +7194,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
     });
     const lineAddedRanges = calculateRanges(fileNumbers);
     const fileFilter = {
-      path: z28.string().parse(file.to),
+      path: z26.string().parse(file.to),
       ranges: lineAddedRanges.map(([startLine, endLine]) => ({
         endLine,
         startLine
@@ -7606,30 +7546,30 @@ function subscribe(query, variables, callback, wsClientOptions) {
 }
 
 // src/features/analysis/graphql/types.ts
-import { z as z29 } from "zod";
-var VulnerabilityReportIssueCodeNodeZ = z29.object({
-  vulnerabilityReportIssueId: z29.string(),
-  path: z29.string(),
-  startLine: z29.number(),
-  vulnerabilityReportIssue: z29.object({
-    fixId: z29.string()
+import { z as z27 } from "zod";
+var VulnerabilityReportIssueCodeNodeZ = z27.object({
+  vulnerabilityReportIssueId: z27.string(),
+  path: z27.string(),
+  startLine: z27.number(),
+  vulnerabilityReportIssue: z27.object({
+    fixId: z27.string()
   })
 });
-var GetVulByNodesMetadataZ = z29.object({
-  vulnerabilityReportIssueCodeNodes: z29.array(VulnerabilityReportIssueCodeNodeZ),
-  nonFixablePrVuls: z29.object({
-    aggregate: z29.object({
-      count: z29.number()
+var GetVulByNodesMetadataZ = z27.object({
+  vulnerabilityReportIssueCodeNodes: z27.array(VulnerabilityReportIssueCodeNodeZ),
+  nonFixablePrVuls: z27.object({
+    aggregate: z27.object({
+      count: z27.number()
     })
   }),
-  fixablePrVuls: z29.object({
-    aggregate: z29.object({
-      count: z29.number()
+  fixablePrVuls: z27.object({
+    aggregate: z27.object({
+      count: z27.number()
     })
   }),
-  totalScanVulnerabilities: z29.object({
-    aggregate: z29.object({
-      count: z29.number()
+  totalScanVulnerabilities: z27.object({
+    aggregate: z27.object({
+      count: z27.number()
     })
   })
 });
@@ -7919,24 +7859,24 @@ var GQLClient = class {
 };
 
 // src/features/analysis/pack.ts
-import fs3 from "node:fs";
-import path5 from "node:path";
+import fs2 from "node:fs";
+import path4 from "node:path";
 import AdmZip from "adm-zip";
 import Debug12 from "debug";
 import { globby } from "globby";
 import { isBinary } from "istextorbinary";
 import { simpleGit as simpleGit3 } from "simple-git";
 import { parseStringPromise } from "xml2js";
-import { z as z30 } from "zod";
+import { z as z28 } from "zod";
 var debug12 = Debug12("mobbdev:pack");
 var MAX_FILE_SIZE = 1024 * 1024 * 5;
-var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z30.object({
-  properties: z30.object({
-    entry: z30.array(
-      z30.object({
-        _: z30.string(),
-        $: z30.object({
-          key: z30.string()
+var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z28.object({
+  properties: z28.object({
+    entry: z28.array(
+      z28.object({
+        _: z28.string(),
+        $: z28.object({
+          key: z28.string()
         })
       })
     )
@@ -7986,20 +7926,20 @@ async function pack(srcDirPath, vulnFiles) {
   const zip = new AdmZip();
   debug12("compressing files");
   for (const filepath of filepaths) {
-    const absFilepath = path5.join(srcDirPath, filepath.toString());
+    const absFilepath = path4.join(srcDirPath, filepath.toString());
     vulnFiles = vulnFiles.concat(_get_manifest_files_suffixes());
     if (!endsWithAny(
-      absFilepath.toString().replaceAll(path5.win32.sep, path5.posix.sep),
+      absFilepath.toString().replaceAll(path4.win32.sep, path4.posix.sep),
       vulnFiles
     )) {
       debug12("ignoring %s because it is not a vulnerability file", filepath);
       continue;
     }
-    if (fs3.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
+    if (fs2.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
       debug12("ignoring %s because the size is > 5MB", filepath);
       continue;
     }
-    const data = git ? await git.showBuffer([`HEAD:./${filepath}`]) : fs3.readFileSync(absFilepath);
+    const data = git ? await git.showBuffer([`HEAD:./${filepath}`]) : fs2.readFileSync(absFilepath);
     if (isBinary(null, data)) {
       debug12("ignoring %s because is seems to be a binary file", filepath);
       continue;
@@ -8156,7 +8096,7 @@ import Debug14 from "debug";
 import { existsSync } from "fs";
 import { createSpinner as createSpinner2 } from "nanospinner";
 import { type } from "os";
-import path6 from "path";
+import path5 from "path";
 var debug13 = Debug14("mobbdev:checkmarx");
 var require2 = createRequire(import.meta.url);
 var getCheckmarxPath = () => {
@@ -8216,9 +8156,9 @@ async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectN
     await startCheckmarxConfigationPrompt();
     await validateCheckamxCredentials();
   }
-  const extension = path6.extname(reportPath);
-  const filePath = path6.dirname(reportPath);
-  const fileName = path6.basename(reportPath, extension);
+  const extension = path5.extname(reportPath);
+  const filePath = path5.dirname(reportPath);
+  const fileName = path5.basename(reportPath, extension);
   const checkmarxCommandArgs = getCheckmarxCommandArgs({
     repoPath: repositoryRoot,
     branch,
@@ -8400,7 +8340,7 @@ async function downloadRepo({
   const { createSpinner: createSpinner5 } = Spinner2({ ci });
   const repoSpinner = createSpinner5("\u{1F4BE} Downloading Repo").start();
   debug16("download repo %s %s %s", repoUrl, dirname);
-  const zipFilePath = path7.join(dirname, "repo.zip");
+  const zipFilePath = path6.join(dirname, "repo.zip");
   debug16("download URL: %s auth headers: %o", downloadUrl, authHeaders);
   const response = await fetch4(downloadUrl, {
     method: "GET",
@@ -8413,19 +8353,19 @@ async function downloadRepo({
     repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
     throw new Error(`Can't access ${chalk4.bold(repoUrl)}`);
   }
-  const fileWriterStream = fs4.createWriteStream(zipFilePath);
+  const fileWriterStream = fs3.createWriteStream(zipFilePath);
   if (!response.body) {
     throw new Error("Response body is empty");
   }
   await pipeline(response.body, fileWriterStream);
   await extract(zipFilePath, { dir: dirname });
-  const repoRoot = fs4.readdirSync(dirname, { withFileTypes: true }).filter((dirent) => dirent.isDirectory()).map((dirent) => dirent.name)[0];
+  const repoRoot = fs3.readdirSync(dirname, { withFileTypes: true }).filter((dirent) => dirent.isDirectory()).map((dirent) => dirent.name)[0];
   if (!repoRoot) {
     throw new Error("Repo root not found");
   }
   debug16("repo root %s", repoRoot);
   repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
-  return path7.join(dirname, repoRoot);
+  return path6.join(dirname, repoRoot);
 }
 var getReportUrl = ({
   organizationId,
@@ -8436,7 +8376,7 @@ var debug16 = Debug17("mobbdev:index");
 var config2 = new Configstore(packageJson.name, { apiToken: "" });
 debug16("config %o", config2);
 async function runAnalysis(params, options) {
-  const tmpObj = tmp2.dirSync({
+  const tmpObj = tmp.dirSync({
     unsafeCleanup: true
   });
   try {
@@ -8535,7 +8475,7 @@ async function getReport(params, { skipPrompts }) {
     authHeaders: scm.getAuthHeaders(),
     downloadUrl
   });
-  const reportPath = path7.join(dirname, "report.json");
+  const reportPath = path6.join(dirname, "report.json");
   switch (scanner) {
     case "snyk":
       await getSnykReport(reportPath, repositoryRoot, { skipPrompts });
@@ -8695,7 +8635,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     spinner: mobbSpinner,
     submitVulnerabilityReportVariables: {
       fixReportId: reportUploadInfo.fixReportId,
-      repoUrl: z31.string().parse(repo),
+      repoUrl: z29.string().parse(repo),
       reference,
       projectId,
       vulnerabilityReportFileName: "report.json",
@@ -8722,6 +8662,15 @@ async function _scan(params, { skipPrompts = false } = {}) {
     });
   }
   await askToOpenAnalysis();
+  if (command === "review") {
+    await waitForAnaysisAndReviewPr({
+      repo,
+      githubActionToken,
+      analysisId: reportUploadInfo.fixReportId,
+      scanner,
+      gqlClient
+    });
+  }
   return reportUploadInfo.fixReportId;
   async function askToOpenAnalysis() {
     if (!repoUploadInfo || !reportUploadInfo) {
@@ -8814,7 +8763,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     const zippingSpinner = createSpinner5("\u{1F4E6} Zipping repo").start();
     let zipBuffer;
     let gitInfo = { success: false };
-    if (srcFileStatus.isFile() && path7.extname(srcPath).toLowerCase() === ".fpr") {
+    if (srcFileStatus.isFile() && path6.extname(srcPath).toLowerCase() === ".fpr") {
       zipBuffer = await repackFpr(srcPath);
     } else {
       gitInfo = await getGitInfo(srcPath);
@@ -8850,34 +8799,12 @@ async function _scan(params, { skipPrompts = false } = {}) {
         }
       });
       if (command === "review") {
-        const params2 = z31.object({
-          repo: z31.string().url(),
-          githubActionToken: z31.string()
-        }).parse({ repo, githubActionToken });
-        const scm = await createScmLib(
-          {
-            url: params2.repo,
-            accessToken: params2.githubActionToken,
-            scmOrg: "",
-            scmType: "GITHUB" /* GITHUB */
-          },
-          {
-            propagateExceptions: true
-          }
-        );
-        await gqlClient.subscribeToAnalysis({
-          subscribeToAnalysisParams: {
-            analysisId: reportUploadInfo.fixReportId
-          },
-          callback: (analysisId) => {
-            return addFixCommentsForPr({
-              analysisId,
-              gqlClient,
-              scm,
-              scanner: z31.nativeEnum(SCANNERS).parse(scanner)
-            });
-          },
-          callbackStates: ["Finished" /* Finished */]
+        await waitForAnaysisAndReviewPr({
+          repo,
+          githubActionToken,
+          analysisId: reportUploadInfo.fixReportId,
+          scanner,
+          gqlClient
         });
       }
     } catch (e) {
@@ -8949,6 +8876,43 @@ async function _digestReport({
     throw e;
   }
 }
+async function waitForAnaysisAndReviewPr({
+  repo,
+  githubActionToken,
+  analysisId,
+  scanner,
+  gqlClient
+}) {
+  const params = z29.object({
+    repo: z29.string().url(),
+    githubActionToken: z29.string()
+  }).parse({ repo, githubActionToken });
+  const scm = await createScmLib(
+    {
+      url: params.repo,
+      accessToken: params.githubActionToken,
+      scmOrg: "",
+      scmType: "GITHUB" /* GITHUB */
+    },
+    {
+      propagateExceptions: true
+    }
+  );
+  await gqlClient.subscribeToAnalysis({
+    subscribeToAnalysisParams: {
+      analysisId
+    },
+    callback: (analysisId2) => {
+      return addFixCommentsForPr({
+        analysisId: analysisId2,
+        gqlClient,
+        scm,
+        scanner: z29.nativeEnum(SCANNERS).parse(scanner)
+      });
+    },
+    callbackStates: ["Finished" /* Finished */]
+  });
+}
 
 // src/commands/index.ts
 import chalk5 from "chalk";
@@ -9260,8 +9224,8 @@ var scmTokenOption = {
 
 // src/args/validation.ts
 import chalk7 from "chalk";
-import path8 from "path";
-import { z as z32 } from "zod";
+import path7 from "path";
+import { z as z30 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
   repoUrl,
@@ -9278,11 +9242,11 @@ Example:
   )}`;
   throw new CliError(formattedErrorMessage);
 }
-var UrlZ = z32.string({
+var UrlZ = z30.string({
   invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
 });
 function validateOrganizationId(organizationId) {
-  const orgIdValidation = z32.string().uuid().nullish().safeParse(organizationId);
+  const orgIdValidation = z30.string().uuid().nullish().safeParse(organizationId);
   if (!orgIdValidation.success) {
     throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
   }
@@ -9304,7 +9268,7 @@ function validateRepoUrl(args) {
 }
 var supportExtensions = [".json", ".xml", ".fpr", ".sarif"];
 function validateReportFileFormat(reportFile) {
-  if (!supportExtensions.includes(path8.extname(reportFile))) {
+  if (!supportExtensions.includes(path7.extname(reportFile))) {
     throw new CliError(
       `
 ${chalk7.bold(
@@ -9347,7 +9311,7 @@ function analyzeBuilder(yargs2) {
   ).help();
 }
 function validateAnalyzeOptions(argv) {
-  if (!fs5.existsSync(argv.f)) {
+  if (!fs4.existsSync(argv.f)) {
     throw new CliError(`
 Can't access ${chalk8.bold(argv.f)}`);
   }
@@ -9379,7 +9343,7 @@ async function analyzeHandler(args) {
 }
 
 // src/args/commands/review.ts
-import fs6 from "node:fs";
+import fs5 from "node:fs";
 import chalk9 from "chalk";
 function reviewBuilder(yargs2) {
   return yargs2.option("f", {
@@ -9409,14 +9373,14 @@ function reviewBuilder(yargs2) {
       "Path to the repository folder with the source code"
     ),
     type: "string",
-    demandOption: true
+    demandOption: false
   }).example(
     "npx mobbdev@latest review -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>  --ch <pr_last_commit>   --pr <pr_number> --ref <pr_branch_name>  --api-key <api_key> --src-path <your_repo_path>",
     "add fixes to your pr"
   ).help();
 }
 function validateReviewOptions(argv) {
-  if (!fs6.existsSync(argv.f)) {
+  if (!fs5.existsSync(argv.f)) {
     throw new CliError(`
 Can't access ${chalk9.bold(argv.f)}`);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.51",
+  "version": "1.0.58",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",
@@ -100,6 +100,7 @@
     "eslint-plugin-import": "2.31.0",
     "eslint-plugin-prettier": "5.2.3",
     "eslint-plugin-simple-import-sort": "10.0.0",
+    "nock": "14.0.1",
     "prettier": "3.5.1",
     "tsup": "7.2.0",
     "typescript": "4.9.5",