mobbdev 1.0.58 → 1.0.60

package/dist/index.mjs

@@ -145,6 +145,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["InsecureBinderConfiguration"] = "INSECURE_BINDER_CONFIGURATION";
   IssueType_Enum2["InsecureCookie"] = "INSECURE_COOKIE";
   IssueType_Enum2["InsecureRandomness"] = "INSECURE_RANDOMNESS";
+  IssueType_Enum2["InsecureUuidVersion"] = "INSECURE_UUID_VERSION";
   IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
   IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
   IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
@@ -222,19 +223,20 @@ var Vulnerability_Report_Issue_State_Enum = /* @__PURE__ */ ((Vulnerability_Repo
   Vulnerability_Report_Issue_State_Enum2["Unsupported"] = "Unsupported";
   return Vulnerability_Report_Issue_State_Enum2;
 })(Vulnerability_Report_Issue_State_Enum || {});
-var Vulnerability_Report_Issue_Tag_Enum = /* @__PURE__ */ ((Vulnerability_Report_Issue_Tag_Enum2) => {
-  Vulnerability_Report_Issue_Tag_Enum2["AutogeneratedCode"] = "AUTOGENERATED_CODE";
-  Vulnerability_Report_Issue_Tag_Enum2["AuxiliaryCode"] = "AUXILIARY_CODE";
-  Vulnerability_Report_Issue_Tag_Enum2["FalsePositive"] = "FALSE_POSITIVE";
-  Vulnerability_Report_Issue_Tag_Enum2["TestCode"] = "TEST_CODE";
-  Vulnerability_Report_Issue_Tag_Enum2["VendorCode"] = "VENDOR_CODE";
-  return Vulnerability_Report_Issue_Tag_Enum2;
+var Vulnerability_Report_Issue_Tag_Enum = /* @__PURE__ */ ((Vulnerability_Report_Issue_Tag_Enum3) => {
+  Vulnerability_Report_Issue_Tag_Enum3["AutogeneratedCode"] = "AUTOGENERATED_CODE";
+  Vulnerability_Report_Issue_Tag_Enum3["AuxiliaryCode"] = "AUXILIARY_CODE";
+  Vulnerability_Report_Issue_Tag_Enum3["FalsePositive"] = "FALSE_POSITIVE";
+  Vulnerability_Report_Issue_Tag_Enum3["TestCode"] = "TEST_CODE";
+  Vulnerability_Report_Issue_Tag_Enum3["VendorCode"] = "VENDOR_CODE";
+  return Vulnerability_Report_Issue_Tag_Enum3;
 })(Vulnerability_Report_Issue_Tag_Enum || {});
 var Vulnerability_Report_Vendor_Enum = /* @__PURE__ */ ((Vulnerability_Report_Vendor_Enum3) => {
   Vulnerability_Report_Vendor_Enum3["Checkmarx"] = "checkmarx";
   Vulnerability_Report_Vendor_Enum3["CheckmarxXml"] = "checkmarxXml";
   Vulnerability_Report_Vendor_Enum3["Codeql"] = "codeql";
   Vulnerability_Report_Vendor_Enum3["Fortify"] = "fortify";
+  Vulnerability_Report_Vendor_Enum3["Opengrep"] = "opengrep";
   Vulnerability_Report_Vendor_Enum3["Semgrep"] = "semgrep";
   Vulnerability_Report_Vendor_Enum3["Snyk"] = "snyk";
   Vulnerability_Report_Vendor_Enum3["Sonarqube"] = "sonarqube";
@@ -412,8 +414,12 @@ var GetVulByNodesMetadataDocument = `
     path
     startLine
     vulnerabilityReportIssue {
-      issueType
+      safeIssueType
       fixId
+      category
+      vulnerabilityReportIssueTags {
+        tag: vulnerability_report_issue_tag_value
+      }
     }
   }
   fixablePrVuls: vulnerability_report_issue_aggregate(
@@ -437,6 +443,25 @@ var GetVulByNodesMetadataDocument = `
       count
     }
   }
+  irrelevantVulnerabilityReportIssue: vulnerability_report(
+    where: {id: {_eq: $vulnerabilityReportId}}
+  ) {
+    vulnerabilityReportIssues(
+      where: {fixId: {_is_null: true}, _or: [{category: {_eq: "Irrelevant"}}, {category: {_eq: "FalsePositive"}}]}
+    ) {
+      id
+      safeIssueType
+      fixId
+      category
+      vulnerabilityReportIssueTags {
+        tag: vulnerability_report_issue_tag_value
+      }
+      codeNodes(order_by: {index: desc}, where: {_or: $filters}) {
+        path
+        startLine
+      }
+    }
+  }
 }
     `;
 var UpdateScmTokenDocument = `
@@ -899,7 +924,7 @@ var FixPageFixReportZ = z3.object({
 
 // src/features/analysis/scm/shared/src/types/issue.ts
 var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES = 1e5;
-var category = {
+var CATEGORY = {
   NoFix: "NoFix",
   Unsupported: "Unsupported",
   Irrelevant: "Irrelevant",
@@ -907,11 +932,11 @@ var category = {
   Fixable: "Fixable"
 };
 var ValidCategoriesZ = z4.union([
-  z4.literal(category.NoFix),
-  z4.literal(category.Unsupported),
-  z4.literal(category.Irrelevant),
-  z4.literal(category.FalsePositive),
-  z4.literal(category.Fixable)
+  z4.literal(CATEGORY.NoFix),
+  z4.literal(CATEGORY.Unsupported),
+  z4.literal(CATEGORY.Irrelevant),
+  z4.literal(CATEGORY.FalsePositive),
+  z4.literal(CATEGORY.Fixable)
 ]);
 var BaseIssuePartsZ = z4.object({
   id: z4.string().uuid(),
@@ -972,13 +997,13 @@ var FalsePositivePartsZ = z4.object({
 });
 var IssuePartsWithFixZ = BaseIssuePartsZ.merge(
   z4.object({
-    category: z4.literal(category.Irrelevant),
+    category: z4.literal(CATEGORY.Irrelevant),
     fix: FixPartsForFixScreenZ.nullish()
   })
 );
 var IssuePartsFpZ = BaseIssuePartsZ.merge(
   z4.object({
-    category: z4.literal(category.FalsePositive),
+    category: z4.literal(CATEGORY.FalsePositive),
     fpId: z4.string().uuid(),
     getFalsePositive: FalsePositivePartsZ
   })
@@ -986,9 +1011,9 @@ var IssuePartsFpZ = BaseIssuePartsZ.merge(
 var GeneralIssueZ = BaseIssuePartsZ.merge(
   z4.object({
     category: z4.union([
-      z4.literal(category.NoFix),
-      z4.literal(category.Unsupported),
-      z4.literal(category.Fixable)
+      z4.literal(CATEGORY.NoFix),
+      z4.literal(CATEGORY.Unsupported),
+      z4.literal(CATEGORY.Fixable)
     ])
   })
 );
@@ -1013,6 +1038,13 @@ var GetIssueScreenDataZ = z4.object({
   issueIndexes: GetIssueIndexesZ
 });
 var IssueBucketZ = z4.enum(["fixable", "irrelevant", "remaining"]);
+var mapCategoryToBucket = {
+  FalsePositive: "irrelevant",
+  Irrelevant: "irrelevant",
+  NoFix: "remaining",
+  Unsupported: "remaining",
+  Fixable: "fixable"
+};
 
 // src/features/analysis/scm/shared/src/types/types.ts
 import { z as z7 } from "zod";
@@ -1108,7 +1140,8 @@ var issueTypeMap = {
   ["USE_OF_HARD_CODED_CRYPTOGRAPHIC_KEY" /* UseOfHardCodedCryptographicKey */]: "Use of Hardcoded Cryptographic Key",
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: "Missing SSL MinVersion",
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: "Missing Websocket Origin Check",
-  ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: "String Literals Should not Be Duplicated"
+  ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: "String Literals Should not Be Duplicated",
+  ["INSECURE_UUID_VERSION" /* InsecureUuidVersion */]: "Insecure UUID Version"
 };
 var issueTypeZ = z5.nativeEnum(IssueType_Enum);
 var getIssueTypeFriendlyString = (issueType) => {
@@ -1118,6 +1151,29 @@ var getIssueTypeFriendlyString = (issueType) => {
   }
   return issueTypeMap[issueTypeZParseRes.data];
 };
+function getTagTooltip(tag) {
+  switch (tag) {
+    case "FALSE_POSITIVE":
+      return "Issue was found to be a false positive";
+    case "TEST_CODE":
+      return "Issue found in test files, not production code";
+    case "VENDOR_CODE":
+      return "Issue is in external libraries or dependencies not owned or maintained by your team";
+    case "AUTOGENERATED_CODE":
+      return "Code created by tools or frameworks, not manually written";
+    case "AUXILIARY_CODE":
+      return "Issue found in supporting files that don\u2019t impact core functionality";
+    default:
+      return tag;
+  }
+}
+var issueDescription = {
+  ["AUTOGENERATED_CODE" /* AutogeneratedCode */]: "The flagged code is generated automatically by tools or frameworks as part of the build or runtime process. This categorization highlights that **the issue resides in non-manual code**, which often requires tool-specific solutions or exemptions.",
+  ["AUXILIARY_CODE" /* AuxiliaryCode */]: "The flagged code is auxiliary or supporting code, such as configuration files, build scripts, or other non-application logic. This categorization indicates that the issue is not directly related to the application\u2019s core functionality.",
+  ["FALSE_POSITIVE" /* FalsePositive */]: "The flagged code **does not represent an actual vulnerability within the application\u2019s context.** This categorization indicates that the issue is either misidentified by the scanner or deemed irrelevant to the application\u2019s functionality.",
+  ["TEST_CODE" /* TestCode */]: "The flagged code resides in a test-specific path or context. This categorization indicates that **it supports testing scenarios and is isolated from production use**.",
+  ["VENDOR_CODE" /* VendorCode */]: "The flagged code originates from a third-party library or dependency maintained externally. This categorization suggests that **the issue lies outside the application\u2019s direct control** and should be addressed by the vendor if necessary."
+};
 
 // src/features/analysis/scm/shared/src/validations.ts
 var IssueTypeSettingZ = z6.object({
@@ -1733,12 +1789,8 @@ import { z as z29 } from "zod";
 // src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
 import Debug8 from "debug";
 
-// src/features/analysis/scm/github/github.ts
-import { RequestError } from "@octokit/request-error";
-
-// src/features/analysis/scm/constants.ts
-var MOBB_ICON_IMG = "https://app.mobb.ai/gh-action/Logo_Rounded_Icon.svg";
-var MAX_BRANCHES_FETCH = 1e3;
+// src/features/analysis/scm/github/GithubSCMLib.ts
+import { z as z24 } from "zod";
 
 // src/features/analysis/scm/errors.ts
 var InvalidRepoUrlError = class extends Error {
@@ -1768,6 +1820,21 @@ var RepoNoTokenAccessError = class extends Error {
   }
 };
 
+// src/features/analysis/scm/scmSubmit/index.ts
+import { simpleGit } from "simple-git";
+var isValidBranchName = async (branchName) => {
+  const git = simpleGit();
+  try {
+    const res = await git.raw(["check-ref-format", "--branch", branchName]);
+    if (res) {
+      return true;
+    }
+    return false;
+  } catch (e) {
+    return false;
+  }
+};
+
 // src/features/analysis/scm/types.ts
 import { z as z14 } from "zod";
 
@@ -2014,13 +2081,19 @@ var fixDetailsData = {
   ["USE_OF_HARD_CODED_CRYPTOGRAPHIC_KEY" /* UseOfHardCodedCryptographicKey */]: void 0,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: void 0,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: void 0,
-  ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: void 0
+  ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: void 0,
+  ["INSECURE_UUID_VERSION" /* InsecureUuidVersion */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
 function capitalizeFirstLetter(str) {
   return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
 }
+function lowercaseFirstLetter(str) {
+  if (!str)
+    return str;
+  return `${str.charAt(0).toLowerCase()}${str.slice(1)}`;
+}
 var severityToEmoji = {
   ["critical" /* Critical */]: "\u{1F6A8}",
   ["high" /* High */]: "\u{1F6A9}",
@@ -2032,7 +2105,8 @@ var getCommitDescription = ({
   issueType,
   severity,
   guidances,
-  fixUrl
+  fixUrl,
+  irrelevantIssueWithTags
 }) => {
   const issueTypeString = getIssueTypeFriendlyString(issueType);
   let description = `This change fixes a **${severity} severity** (${severityToEmoji[severity]}) **${issueTypeString}** issue reported by **${capitalizeFirstLetter(
@@ -2042,6 +2116,17 @@ var getCommitDescription = ({
 `;
   const parseIssueTypeRes = z9.nativeEnum(IssueType_Enum).safeParse(issueType);
   if (issueType && parseIssueTypeRes.success) {
+    if (irrelevantIssueWithTags?.[0]?.tag) {
+      description += `
+> [!tip]
+> This issue was found to be irrelevant to your project - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
+> Mobb recommends to ignore this issue, however fix is available if you think differently. 
+
+
+## Justification
+${issueDescription[irrelevantIssueWithTags[0].tag]}
+`;
+    }
     const staticData = fixDetailsData[parseIssueTypeRes.data];
     if (staticData) {
       description += `## Issue description
@@ -2063,6 +2148,36 @@ ${guidances.map(({ guidance }) => `## Additional actions required
   }
   return description;
 };
+var getCommitIssueDescription = ({
+  vendor,
+  issueType,
+  irrelevantIssueWithTags
+}) => {
+  const issueTypeString = getIssueTypeFriendlyString(issueType);
+  let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
+`;
+  const parseIssueTypeRes = z9.nativeEnum(IssueType_Enum).safeParse(issueType);
+  if (issueType && parseIssueTypeRes.success) {
+    if (irrelevantIssueWithTags?.[0]?.tag) {
+      description += `
+> [!tip]
+> ${issueTypeString} - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
+> Mobb recommends to ignore this issue, however fix is available if you think differently. 
+
+
+## Justification
+${issueDescription[irrelevantIssueWithTags[0].tag]}
+`;
+    }
+    const staticData = fixDetailsData[parseIssueTypeRes.data];
+    if (staticData) {
+      description += `## Issue description
+${staticData.issueDescription}
+`;
+    }
+  }
+  return description;
+};
 
 // src/features/analysis/scm/shared/src/guidances.ts
 import { z as z12 } from "zod";
@@ -3766,6 +3881,15 @@ function getFixUrl({
 }) {
   return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
 }
+function getIssueUrl({
+  appBaseUrl,
+  issueId,
+  projectId,
+  organizationId,
+  analysisId
+}) {
+  return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/issue/${issueId}`;
+}
 
 // src/features/analysis/scm/types.ts
 var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
@@ -3805,92 +3929,8 @@ var GetRefererenceResultZ = z14.object({
   type: z14.nativeEnum(ReferenceType)
 });
 
-// src/features/analysis/scm/github/consts.ts
-var POST_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments";
-var DELETE_COMMENT_PATH = "DELETE /repos/{owner}/{repo}/pulls/comments/{comment_id}";
-var UPDATE_COMMENT_PATH = "PATCH /repos/{owner}/{repo}/pulls/comments/{comment_id}";
-var GET_PR_COMMENTS_PATH = "GET /repos/{owner}/{repo}/pulls/{pull_number}/comments";
-var GET_PR_COMMENT_PATH = "GET /repos/{owner}/{repo}/pulls/comments/{comment_id}";
-var REPLY_TO_CODE_REVIEW_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments/{comment_id}/replies";
-var GET_PR = "GET /repos/{owner}/{repo}/pulls/{pull_number}";
-var POST_GENERAL_PR_COMMENT = "POST /repos/{owner}/{repo}/issues/{issue_number}/comments";
-var GET_GENERAL_PR_COMMENTS = "GET /repos/{owner}/{repo}/issues/{issue_number}/comments";
-var DELETE_GENERAL_PR_COMMENT = "DELETE /repos/{owner}/{repo}/issues/comments/{comment_id}";
-var CREATE_OR_UPDATE_A_REPOSITORY_SECRET = "PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}";
-var GET_A_REPOSITORY_PUBLIC_KEY = "GET /repos/{owner}/{repo}/actions/secrets/public-key";
-var GET_USER = "GET /user";
-var GET_USER_REPOS = "GET /user/repos";
-var GET_REPO_BRANCHES = "GET /repos/{owner}/{repo}/branches";
-var GET_BLAME_DOCUMENT = `
-      query GetBlame(
-        $owner: String!
-        $repo: String!
-        $ref: String!
-        $path: String!
-      ) {
-        repository(name: $repo, owner: $owner) {
-          # branch name
-          object(expression: $ref) {
-            # cast Target to a Commit
-            ... on Commit {
-              # full repo-relative path to blame file
-              blame(path: $path) {
-                ranges {
-                  commit {
-                    author {
-                      user {
-                        name
-                        login
-                      }
-                    }
-                    authoredDate
-                  }
-                  startingLine
-                  endingLine
-                  age
-                }
-              }
-            }
-            
-          }
-        }
-      }
-    `;
-
-// src/features/analysis/scm/github/utils/encrypt_secret.ts
-import sodium from "libsodium-wrappers";
-async function encryptSecret(secret, key) {
-  await sodium.ready;
-  const binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL);
-  const binsec = sodium.from_string(secret);
-  const encBytes = sodium.crypto_box_seal(binsec, binkey);
-  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
-}
-
-// src/features/analysis/scm/github/utils/utils.ts
-import { Octokit } from "octokit";
-import { fetch as fetch2, ProxyAgent as ProxyAgent2 } from "undici";
-
-// src/features/analysis/scm/ado/constants.ts
-var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
-
-// src/features/analysis/scm/ado/utils.ts
-import querystring from "node:querystring";
-import * as api from "azure-devops-node-api";
-import Debug2 from "debug";
-import { z as z18 } from "zod";
-
-// src/features/analysis/scm/env.ts
-import { z as z15 } from "zod";
-var EnvVariablesZod = z15.object({
-  GITLAB_API_TOKEN: z15.string().optional(),
-  GITHUB_API_TOKEN: z15.string().optional(),
-  GIT_PROXY_HOST: z15.string()
-});
-var { GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
-
 // src/features/analysis/scm/utils/index.ts
-import { z as z16 } from "zod";
+import { z as z15 } from "zod";
 function getFixUrlWithRedirect(params) {
   const {
     fixId,
@@ -3912,6 +3952,27 @@ function getFixUrlWithRedirect(params) {
     analysisId
   })}?${searchParams.toString()}`;
 }
+function getIssueUrlWithRedirect(params) {
+  const {
+    issueId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("commit_redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
+  return `${getIssueUrl({
+    appBaseUrl,
+    issueId,
+    projectId,
+    organizationId,
+    analysisId
+  })}?${searchParams.toString()}`;
+}
 function getCommitUrl(params) {
   const {
     fixId,
@@ -3933,6 +3994,27 @@ function getCommitUrl(params) {
     analysisId
   })}/commit?${searchParams.toString()}`;
 }
+function getCommitIssueUrl(params) {
+  const {
+    issueId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
+  return `${getIssueUrl({
+    appBaseUrl,
+    issueId,
+    projectId,
+    organizationId,
+    analysisId
+  })}/commit?${searchParams.toString()}`;
+}
 var userNamePattern = /^(https?:\/\/)([^@]+@)?([^/]+\/.+)$/;
 var sshPattern = /^git@([\w.-]+):([\w./-]+)$/;
 function normalizeUrl(repoUrl) {
@@ -3959,7 +4041,7 @@ function shouldValidateUrl(repoUrl) {
   return repoUrl && isUrlHasPath(repoUrl);
 }
 function isBrokerUrl(url) {
-  return z16.string().uuid().safeParse(new URL(url).host).success;
+  return z15.string().uuid().safeParse(new URL(url).host).success;
 }
 function buildAuthorizedRepoUrl(args) {
   const { url, username, password } = args;
@@ -3995,7 +4077,7 @@ function getCloudScmLibTypeFromUrl(url) {
   return void 0;
 }
 function getScmLibTypeFromScmType(scmType) {
-  const parsedScmType = z16.nativeEnum(ScmType).parse(scmType);
+  const parsedScmType = z15.nativeEnum(ScmType).parse(scmType);
   return scmTypeToScmLibScmType[parsedScmType];
 }
 function getScmConfig({
@@ -4061,70 +4143,226 @@ function getScmConfig({
   };
 }
 
-// src/features/analysis/scm/ado/validation.ts
-import { z as z17 } from "zod";
-var ValidPullRequestStatusZ = z17.union([
-  z17.literal(1 /* Active */),
-  z17.literal(2 /* Abandoned */),
-  z17.literal(3 /* Completed */)
-]);
-var AdoAuthResultZ = z17.object({
-  access_token: z17.string().min(1),
-  token_type: z17.string().min(1),
-  refresh_token: z17.string().min(1)
-});
-var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
-  scmOrgs: z17.array(z17.string())
-});
-var profileZ = z17.object({
-  displayName: z17.string(),
-  publicAlias: z17.string().min(1),
-  emailAddress: z17.string(),
-  coreRevision: z17.number(),
-  timeStamp: z17.string(),
-  id: z17.string(),
-  revision: z17.number()
-});
-var accountsZ = z17.object({
-  count: z17.number(),
-  value: z17.array(
-    z17.object({
-      accountId: z17.string(),
-      accountUri: z17.string(),
-      accountName: z17.string()
-    })
-  )
-});
-
-// src/features/analysis/scm/ado/utils.ts
-var debug2 = Debug2("mobbdev:scm:ado");
-function _getPublicAdoClient({
-  orgName,
-  origin: origin2
-}) {
-  const orgUrl = `${origin2}/${orgName}`;
-  const authHandler = api.getPersonalAccessTokenHandler("");
-  authHandler.canHandleAuthentication = () => false;
-  authHandler.prepareRequest = (_options) => {
-    return;
-  };
-  const connection = new api.WebApi(orgUrl, authHandler);
-  return connection;
-}
-function removeTrailingSlash(str) {
-  return str.trim().replace(/\/+$/, "");
-}
-function parseAdoOwnerAndRepo(adoUrl) {
-  adoUrl = removeTrailingSlash(adoUrl);
-  const parsingResult = parseScmURL(adoUrl, "Ado" /* Ado */);
-  if (!parsingResult || parsingResult.scmType !== "Ado" /* Ado */) {
-    throw new InvalidUrlPatternError(`
-      : ${adoUrl}`);
+// src/features/analysis/scm/scm.ts
+var SCMLib = class {
+  constructor(url, accessToken, scmOrg) {
+    __publicField(this, "url");
+    __publicField(this, "accessToken");
+    __publicField(this, "scmOrg");
+    this.accessToken = accessToken;
+    this.url = url;
+    this.scmOrg = scmOrg;
   }
-  const {
-    organization,
-    repoName,
-    projectName,
+  async getUrlWithCredentials() {
+    if (!this.url) {
+      console.error("no url for getUrlWithCredentials()");
+      throw new Error("no url");
+    }
+    const trimmedUrl = this.url.trim().replace(/\/$/, "");
+    const accessToken = this.getAccessToken();
+    if (!accessToken) {
+      return trimmedUrl;
+    }
+    if (this.scmLibType === "ADO" /* ADO */) {
+      const { host, protocol, pathname } = new URL(trimmedUrl);
+      return `${protocol}//${accessToken}@${host}${pathname}`;
+    }
+    const finalUrl = this.scmLibType === "GITLAB" /* GITLAB */ ? `${trimmedUrl}.git` : trimmedUrl;
+    const username = await this._getUsernameForAuthUrl();
+    return buildAuthorizedRepoUrl({
+      url: finalUrl,
+      username,
+      password: accessToken
+    });
+  }
+  getAccessToken() {
+    return this.accessToken || "";
+  }
+  getUrl() {
+    return this.url;
+  }
+  getName() {
+    if (!this.url) {
+      return "";
+    }
+    return this.url.split("/").at(-1) || "";
+  }
+  _validateAccessToken() {
+    if (!this.accessToken) {
+      console.error("no access token");
+      throw new Error("no access token");
+    }
+  }
+  static async getIsValidBranchName(branchName) {
+    return isValidBranchName(branchName);
+  }
+  _validateAccessTokenAndUrl() {
+    this._validateAccessToken();
+    this._validateUrl();
+  }
+  _validateUrl() {
+    if (!this.url) {
+      console.error("no url");
+      throw new InvalidRepoUrlError("no url");
+    }
+  }
+};
+
+// src/features/analysis/scm/github/github.ts
+import { RequestError } from "@octokit/request-error";
+
+// src/features/analysis/scm/constants.ts
+var MOBB_ICON_IMG = "https://app.mobb.ai/gh-action/Logo_Rounded_Icon.svg";
+var MAX_BRANCHES_FETCH = 1e3;
+
+// src/features/analysis/scm/github/consts.ts
+var POST_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments";
+var DELETE_COMMENT_PATH = "DELETE /repos/{owner}/{repo}/pulls/comments/{comment_id}";
+var UPDATE_COMMENT_PATH = "PATCH /repos/{owner}/{repo}/pulls/comments/{comment_id}";
+var GET_PR_COMMENTS_PATH = "GET /repos/{owner}/{repo}/pulls/{pull_number}/comments";
+var GET_PR_COMMENT_PATH = "GET /repos/{owner}/{repo}/pulls/comments/{comment_id}";
+var REPLY_TO_CODE_REVIEW_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments/{comment_id}/replies";
+var GET_PR = "GET /repos/{owner}/{repo}/pulls/{pull_number}";
+var POST_GENERAL_PR_COMMENT = "POST /repos/{owner}/{repo}/issues/{issue_number}/comments";
+var GET_GENERAL_PR_COMMENTS = "GET /repos/{owner}/{repo}/issues/{issue_number}/comments";
+var DELETE_GENERAL_PR_COMMENT = "DELETE /repos/{owner}/{repo}/issues/comments/{comment_id}";
+var CREATE_OR_UPDATE_A_REPOSITORY_SECRET = "PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}";
+var GET_A_REPOSITORY_PUBLIC_KEY = "GET /repos/{owner}/{repo}/actions/secrets/public-key";
+var GET_USER = "GET /user";
+var GET_USER_REPOS = "GET /user/repos";
+var GET_REPO_BRANCHES = "GET /repos/{owner}/{repo}/branches";
+var GET_BLAME_DOCUMENT = `
+      query GetBlame(
+        $owner: String!
+        $repo: String!
+        $ref: String!
+        $path: String!
+      ) {
+        repository(name: $repo, owner: $owner) {
+          # branch name
+          object(expression: $ref) {
+            # cast Target to a Commit
+            ... on Commit {
+              # full repo-relative path to blame file
+              blame(path: $path) {
+                ranges {
+                  commit {
+                    author {
+                      user {
+                        name
+                        login
+                      }
+                    }
+                    authoredDate
+                  }
+                  startingLine
+                  endingLine
+                  age
+                }
+              }
+            }
+            
+          }
+        }
+      }
+    `;
+
+// src/features/analysis/scm/github/utils/encrypt_secret.ts
+import sodium from "libsodium-wrappers";
+async function encryptSecret(secret, key) {
+  await sodium.ready;
+  const binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL);
+  const binsec = sodium.from_string(secret);
+  const encBytes = sodium.crypto_box_seal(binsec, binkey);
+  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+}
+
+// src/features/analysis/scm/github/utils/utils.ts
+import { Octokit } from "octokit";
+import { fetch as fetch2, ProxyAgent as ProxyAgent2 } from "undici";
+
+// src/features/analysis/scm/ado/constants.ts
+var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
+
+// src/features/analysis/scm/ado/utils.ts
+import querystring from "node:querystring";
+import * as api from "azure-devops-node-api";
+import Debug2 from "debug";
+import { z as z18 } from "zod";
+
+// src/features/analysis/scm/env.ts
+import { z as z16 } from "zod";
+var EnvVariablesZod = z16.object({
+  GITLAB_API_TOKEN: z16.string().optional(),
+  GITHUB_API_TOKEN: z16.string().optional(),
+  GIT_PROXY_HOST: z16.string()
+});
+var { GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
+
+// src/features/analysis/scm/ado/validation.ts
+import { z as z17 } from "zod";
+var ValidPullRequestStatusZ = z17.union([
+  z17.literal(1 /* Active */),
+  z17.literal(2 /* Abandoned */),
+  z17.literal(3 /* Completed */)
+]);
+var AdoAuthResultZ = z17.object({
+  access_token: z17.string().min(1),
+  token_type: z17.string().min(1),
+  refresh_token: z17.string().min(1)
+});
+var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
+  scmOrgs: z17.array(z17.string())
+});
+var profileZ = z17.object({
+  displayName: z17.string(),
+  publicAlias: z17.string().min(1),
+  emailAddress: z17.string(),
+  coreRevision: z17.number(),
+  timeStamp: z17.string(),
+  id: z17.string(),
+  revision: z17.number()
+});
+var accountsZ = z17.object({
+  count: z17.number(),
+  value: z17.array(
+    z17.object({
+      accountId: z17.string(),
+      accountUri: z17.string(),
+      accountName: z17.string()
+    })
+  )
+});
+
+// src/features/analysis/scm/ado/utils.ts
+var debug2 = Debug2("mobbdev:scm:ado");
+function _getPublicAdoClient({
+  orgName,
+  origin: origin2
+}) {
+  const orgUrl = `${origin2}/${orgName}`;
+  const authHandler = api.getPersonalAccessTokenHandler("");
+  authHandler.canHandleAuthentication = () => false;
+  authHandler.prepareRequest = (_options) => {
+    return;
+  };
+  const connection = new api.WebApi(orgUrl, authHandler);
+  return connection;
+}
+function removeTrailingSlash(str) {
+  return str.trim().replace(/\/+$/, "");
+}
+function parseAdoOwnerAndRepo(adoUrl) {
+  adoUrl = removeTrailingSlash(adoUrl);
+  const parsingResult = parseScmURL(adoUrl, "Ado" /* Ado */);
+  if (!parsingResult || parsingResult.scmType !== "Ado" /* Ado */) {
+    throw new InvalidUrlPatternError(`
+      : ${adoUrl}`);
+  }
+  const {
+    organization,
+    repoName,
+    projectName,
     projectPath,
     pathElements,
     hostname,
@@ -4671,88 +4909,6 @@ async function getAdoRepoList({
 
 // src/features/analysis/scm/ado/AdoSCMLib.ts
 import { setTimeout as setTimeout2 } from "node:timers/promises";
-
-// src/features/analysis/scm/scmSubmit/index.ts
-import { simpleGit } from "simple-git";
-var isValidBranchName = async (branchName) => {
-  const git = simpleGit();
-  try {
-    const res = await git.raw(["check-ref-format", "--branch", branchName]);
-    if (res) {
-      return true;
-    }
-    return false;
-  } catch (e) {
-    return false;
-  }
-};
-
-// src/features/analysis/scm/scm.ts
-var SCMLib = class {
-  constructor(url, accessToken, scmOrg) {
-    __publicField(this, "url");
-    __publicField(this, "accessToken");
-    __publicField(this, "scmOrg");
-    this.accessToken = accessToken;
-    this.url = url;
-    this.scmOrg = scmOrg;
-  }
-  async getUrlWithCredentials() {
-    if (!this.url) {
-      console.error("no url for getUrlWithCredentials()");
-      throw new Error("no url");
-    }
-    const trimmedUrl = this.url.trim().replace(/\/$/, "");
-    const accessToken = this.getAccessToken();
-    if (!accessToken) {
-      return trimmedUrl;
-    }
-    if (this.scmLibType === "ADO" /* ADO */) {
-      const { host, protocol, pathname } = new URL(trimmedUrl);
-      return `${protocol}//${accessToken}@${host}${pathname}`;
-    }
-    const finalUrl = this.scmLibType === "GITLAB" /* GITLAB */ ? `${trimmedUrl}.git` : trimmedUrl;
-    const username = await this._getUsernameForAuthUrl();
-    return buildAuthorizedRepoUrl({
-      url: finalUrl,
-      username,
-      password: accessToken
-    });
-  }
-  getAccessToken() {
-    return this.accessToken || "";
-  }
-  getUrl() {
-    return this.url;
-  }
-  getName() {
-    if (!this.url) {
-      return "";
-    }
-    return this.url.split("/").at(-1) || "";
-  }
-  _validateAccessToken() {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new Error("no access token");
-    }
-  }
-  static async getIsValidBranchName(branchName) {
-    return isValidBranchName(branchName);
-  }
-  _validateAccessTokenAndUrl() {
-    this._validateAccessToken();
-    this._validateUrl();
-  }
-  _validateUrl() {
-    if (!this.url) {
-      console.error("no url");
-      throw new InvalidRepoUrlError("no url");
-    }
-  }
-};
-
-// src/features/analysis/scm/ado/AdoSCMLib.ts
 async function initAdoSdk(params) {
   const { url, accessToken, scmOrg } = params;
   const adoClientParams = await getAdoClientParams({
@@ -5395,353 +5551,104 @@ var BitbucketSCMLib = class extends SCMLib {
       case "public":
         return {};
       case "token":
-        return { authorization: `Bearer ${this.accessToken}` };
-      case "basic": {
-        this._validateAccessToken();
-        const { username, password } = getUserAndPassword(this.accessToken);
-        return {
-          authorization: `Basic ${Buffer.from(
-            username + ":" + password
-          ).toString("base64")}`
-        };
-      }
-    }
-  }
-  async getDownloadUrl(sha) {
-    this._validateUrl();
-    return this.bitbucketSdk.getDownloadUrl({ url: this.url, sha });
-  }
-  async _getUsernameForAuthUrl() {
-    this._validateAccessTokenAndUrl();
-    const user = await this.bitbucketSdk.getUser();
-    if (!user.username) {
-      throw new Error("no username found");
-    }
-    return user.username;
-  }
-  async getIsRemoteBranch(branch) {
-    this._validateAccessTokenAndUrl();
-    try {
-      const res = await this.bitbucketSdk.getBranch({
-        branchName: branch,
-        repoUrl: this.url
-      });
-      return res.name === branch;
-    } catch (e) {
-      return false;
-    }
-  }
-  async getUserHasAccessToRepo() {
-    this._validateAccessTokenAndUrl();
-    return this.bitbucketSdk.getIsUserCollaborator({ repoUrl: this.url });
-  }
-  async getUsername() {
-    this._validateAccessToken();
-    const res = await this.bitbucketSdk.getUser();
-    return z21.string().parse(res.username);
-  }
-  async getSubmitRequestStatus(_scmSubmitRequestId) {
-    this._validateAccessTokenAndUrl();
-    const pullRequestRes = await this.bitbucketSdk.getPullRequest({
-      prNumber: Number(_scmSubmitRequestId),
-      url: this.url
-    });
-    switch (pullRequestRes.state) {
-      case "OPEN":
-        return "open";
-      case "MERGED":
-        return "merged";
-      case "DECLINED":
-        return "closed";
-      default:
-        throw new Error(`unknown state ${pullRequestRes.state} `);
-    }
-  }
-  async getRepoBlameRanges(_ref, _path) {
-    return [];
-  }
-  async getReferenceData(ref) {
-    this._validateUrl();
-    return this.bitbucketSdk.getReferenceData({ url: this.url, ref });
-  }
-  async getRepoDefaultBranch() {
-    this._validateUrl();
-    const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
-    return z21.string().parse(repoRes.mainbranch?.name);
-  }
-  getSubmitRequestUrl(submitRequestId) {
-    this._validateUrl();
-    const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(this.url);
-    return Promise.resolve(
-      `https://bitbucket.org/${workspace}/${repo_slug}/pull-requests/${submitRequestId}`
-    );
-  }
-  async getSubmitRequestId(submitRequestUrl) {
-    const match = submitRequestUrl.match(/\/pull-requests\/(\d+)/);
-    return match?.[1] || "";
-  }
-  getCommitUrl(commitId) {
-    this._validateUrl();
-    const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(this.url);
-    return Promise.resolve(
-      `https://bitbucket.org/${workspace}/${repo_slug}/commits/${commitId}`
-    );
-  }
-  async addCommentToSubmitRequest(submitRequestId, comment) {
-    this._validateUrl();
-    await this.bitbucketSdk.addCommentToPullRequest({
-      prNumber: Number(submitRequestId),
-      url: this.url,
-      markdownComment: comment
-    });
-  }
-};
-
-// src/features/analysis/scm/github/GithubSCMLib.ts
-import { z as z22 } from "zod";
-var GithubSCMLib = class extends SCMLib {
-  // we don't always need a url, what's important is that we have an access token
-  constructor(url, accessToken, scmOrg) {
-    super(url, accessToken, scmOrg);
-    __publicField(this, "githubSdk");
-    this.githubSdk = getGithubSdk({
-      auth: accessToken,
-      url
-    });
-  }
-  async createSubmitRequest(params) {
-    this._validateAccessTokenAndUrl();
-    const { targetBranchName, sourceBranchName, title, body } = params;
-    const pullRequestResult = await this.githubSdk.createPullRequest({
-      title,
-      body,
-      targetBranchName,
-      sourceBranchName,
-      repoUrl: this.url
-    });
-    return String(pullRequestResult.data.number);
-  }
-  async forkRepo(repoUrl) {
-    this._validateAccessToken();
-    return this.githubSdk.forkRepo({
-      repoUrl
-    });
-  }
-  async createOrUpdateRepositorySecret(params) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    const { data: repositoryPublicKeyResponse } = await this.githubSdk.getRepositoryPublicKey({ owner, repo });
-    const { key_id, key } = repositoryPublicKeyResponse;
-    const encryptedValue = await encryptSecret(params.value, key);
-    return this.githubSdk.createOrUpdateRepositorySecret({
-      encrypted_value: encryptedValue,
-      secret_name: params.name,
-      key_id,
-      owner,
-      repo
-    });
-  }
-  async createPullRequestWithNewFile(sourceRepoUrl, filesPaths, userRepoUrl, title, body) {
-    const { pull_request_url } = await this.githubSdk.createPr({
-      sourceRepoUrl,
-      filesPaths,
-      userRepoUrl,
-      title,
-      body
-    });
-    return { pull_request_url };
-  }
-  async validateParams() {
-    return githubValidateParams(this.url, this.accessToken);
-  }
-  async postPrComment(params) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return this.githubSdk.postPrComment({
-      ...params,
-      owner,
-      repo
-    });
-  }
-  async updatePrComment(params) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return this.githubSdk.updatePrComment({
-      ...params,
-      owner,
-      repo
-    });
-  }
-  async deleteComment(params) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return this.githubSdk.deleteComment({
-      ...params,
-      owner,
-      repo
-    });
-  }
-  async getPrComments(params) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return this.githubSdk.getPrComments({
-      per_page: 100,
-      ...params,
-      owner,
-      repo
-    });
-  }
-  async getPrDiff(params) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    const prRes = await this.githubSdk.getPrDiff({
-      ...params,
-      owner,
-      repo
-    });
-    return z22.string().parse(prRes.data);
-  }
-  async getRepoList(_scmOrg) {
-    this._validateAccessToken();
-    return this.githubSdk.getGithubRepoList();
-  }
-  async getBranchList() {
-    this._validateAccessTokenAndUrl();
-    const branches = await this.githubSdk.getGithubBranchList(this.url);
-    return branches.data.map((branch) => branch.name);
-  }
-  get scmLibType() {
-    return "GITHUB" /* GITHUB */;
-  }
-  getAuthHeaders() {
-    if (this.accessToken) {
-      return { authorization: `Bearer ${this.accessToken}` };
+        return { authorization: `Bearer ${this.accessToken}` };
+      case "basic": {
+        this._validateAccessToken();
+        const { username, password } = getUserAndPassword(this.accessToken);
+        return {
+          authorization: `Basic ${Buffer.from(
+            username + ":" + password
+          ).toString("base64")}`
+        };
+      }
     }
-    return {};
   }
-  getDownloadUrl(sha) {
+  async getDownloadUrl(sha) {
     this._validateUrl();
-    const res = parseScmURL(this.url, "GitHub" /* GitHub */);
-    if (!res) {
-      throw new InvalidRepoUrlError("invalid repo url");
-    }
-    const { protocol, hostname, organization, repoName } = res;
-    const downloadUrl = isGithubOnPrem(this.url) ? `${protocol}//${hostname}/api/v3/repos/${organization}/${repoName}/zipball/${sha}` : `https://api.${hostname}/repos/${organization}/${repoName}/zipball/${sha}`;
-    return Promise.resolve(downloadUrl);
+    return this.bitbucketSdk.getDownloadUrl({ url: this.url, sha });
   }
   async _getUsernameForAuthUrl() {
-    return this.getUsername();
+    this._validateAccessTokenAndUrl();
+    const user = await this.bitbucketSdk.getUser();
+    if (!user.username) {
+      throw new Error("no username found");
+    }
+    return user.username;
   }
   async getIsRemoteBranch(branch) {
-    this._validateUrl();
-    return this.githubSdk.getGithubIsRemoteBranch({ branch, repoUrl: this.url });
+    this._validateAccessTokenAndUrl();
+    try {
+      const res = await this.bitbucketSdk.getBranch({
+        branchName: branch,
+        repoUrl: this.url
+      });
+      return res.name === branch;
+    } catch (e) {
+      return false;
+    }
   }
   async getUserHasAccessToRepo() {
     this._validateAccessTokenAndUrl();
-    const username = await this.getUsername();
-    return this.githubSdk.getGithubIsUserCollaborator({
-      repoUrl: this.url,
-      username
-    });
+    return this.bitbucketSdk.getIsUserCollaborator({ repoUrl: this.url });
   }
   async getUsername() {
     this._validateAccessToken();
-    return this.githubSdk.getGithubUsername();
-  }
-  async getSubmitRequestStatus(scmSubmitRequestId) {
-    this._validateAccessTokenAndUrl();
-    return this.githubSdk.getGithubPullRequestStatus({
-      repoUrl: this.url,
-      prNumber: Number(scmSubmitRequestId)
-    });
+    const res = await this.bitbucketSdk.getUser();
+    return z21.string().parse(res.username);
   }
-  async addCommentToSubmitRequest(submitRequestId, comment) {
+  async getSubmitRequestStatus(_scmSubmitRequestId) {
     this._validateAccessTokenAndUrl();
-    await this.githubSdk.createMarkdownCommentOnPullRequest({
-      repoUrl: this.url,
-      prNumber: Number(submitRequestId),
-      markdownComment: comment
+    const pullRequestRes = await this.bitbucketSdk.getPullRequest({
+      prNumber: Number(_scmSubmitRequestId),
+      url: this.url
     });
+    switch (pullRequestRes.state) {
+      case "OPEN":
+        return "open";
+      case "MERGED":
+        return "merged";
+      case "DECLINED":
+        return "closed";
+      default:
+        throw new Error(`unknown state ${pullRequestRes.state} `);
+    }
   }
-  async getRepoBlameRanges(ref, path8) {
-    this._validateUrl();
-    return await this.githubSdk.getGithubBlameRanges({
-      ref,
-      path: path8,
-      gitHubUrl: this.url
-    });
+  async getRepoBlameRanges(_ref, _path) {
+    return [];
   }
   async getReferenceData(ref) {
     this._validateUrl();
-    return this.githubSdk.getGithubReferenceData({ ref, gitHubUrl: this.url });
-  }
-  async getPrComment(commentId) {
-    this._validateUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return await this.githubSdk.getPrComment({
-      repo,
-      owner,
-      comment_id: commentId
-    });
+    return this.bitbucketSdk.getReferenceData({ url: this.url, ref });
   }
   async getRepoDefaultBranch() {
     this._validateUrl();
-    return await this.githubSdk.getGithubRepoDefaultBranch(this.url);
+    const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
+    return z21.string().parse(repoRes.mainbranch?.name);
   }
-  async getSubmitRequestUrl(submitRequestUrl) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    const getPrRes = await this.githubSdk.getPr({
-      owner,
-      repo,
-      pull_number: submitRequestUrl
-    });
-    return getPrRes.data.html_url;
+  getSubmitRequestUrl(submitRequestId) {
+    this._validateUrl();
+    const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(this.url);
+    return Promise.resolve(
+      `https://bitbucket.org/${workspace}/${repo_slug}/pull-requests/${submitRequestId}`
+    );
   }
   async getSubmitRequestId(submitRequestUrl) {
-    const match = submitRequestUrl.match(/\/pull\/(\d+)/);
+    const match = submitRequestUrl.match(/\/pull-requests\/(\d+)/);
     return match?.[1] || "";
   }
-  async getCommitUrl(commitId) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    const getCommitRes = await this.githubSdk.getCommit({
-      owner,
-      repo,
-      commitSha: commitId
-    });
-    return getCommitRes.data.html_url;
-  }
-  async postGeneralPrComment(params) {
-    const { prNumber, body } = params;
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return await this.githubSdk.postGeneralPrComment({
-      issue_number: prNumber,
-      owner,
-      repo,
-      body
-    });
-  }
-  async getGeneralPrComments(params) {
-    const { prNumber } = params;
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return await this.githubSdk.getGeneralPrComments({
-      issue_number: prNumber,
-      owner,
-      repo
-    });
+  getCommitUrl(commitId) {
+    this._validateUrl();
+    const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(this.url);
+    return Promise.resolve(
+      `https://bitbucket.org/${workspace}/${repo_slug}/commits/${commitId}`
+    );
   }
-  async deleteGeneralPrComment({
-    commentId
-  }) {
-    this._validateAccessTokenAndUrl();
-    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return this.githubSdk.deleteGeneralPrComment({
-      owner,
-      repo,
-      comment_id: commentId
+  async addCommentToSubmitRequest(submitRequestId, comment) {
+    this._validateUrl();
+    await this.bitbucketSdk.addCommentToPullRequest({
+      prNumber: Number(submitRequestId),
+      url: this.url,
+      markdownComment: comment
     });
   }
 };
@@ -5761,11 +5668,11 @@ import {
 } from "undici";
 
 // src/features/analysis/scm/gitlab/types.ts
-import { z as z23 } from "zod";
-var GitlabAuthResultZ = z23.object({
-  access_token: z23.string(),
-  token_type: z23.string(),
-  refresh_token: z23.string()
+import { z as z22 } from "zod";
+var GitlabAuthResultZ = z22.object({
+  access_token: z22.string(),
+  token_type: z22.string(),
+  refresh_token: z22.string()
 });
 
 // src/features/analysis/scm/gitlab/gitlab.ts
@@ -6307,7 +6214,7 @@ var GitlabSCMLib = class extends SCMLib {
 };
 
 // src/features/analysis/scm/scmFactory.ts
-import { z as z24 } from "zod";
+import { z as z23 } from "zod";
 
 // src/features/analysis/scm/StubSCMLib.ts
 var StubSCMLib = class extends SCMLib {
@@ -6429,7 +6336,7 @@ async function createScmLib({ url, accessToken, scmType, scmOrg }, { propagateEx
     if (e instanceof InvalidRepoUrlError && url) {
       throw new RepoNoTokenAccessError(
         "no access to repo",
-        scmLibScmTypeToScmType[z24.nativeEnum(ScmLibScmType).parse(scmType)]
+        scmLibScmTypeToScmType[z23.nativeEnum(ScmLibScmType).parse(scmType)]
       );
     }
     console.error(`error validating scm: ${scmType} `, e);
@@ -6905,8 +6812,256 @@ function getGithubSdk(params = {}) {
     async getUserInfo() {
       return octokit.request(GET_USER);
     }
-  };
-}
+  };
+}
+
+// src/features/analysis/scm/github/GithubSCMLib.ts
+var GithubSCMLib = class extends SCMLib {
+  // we don't always need a url, what's important is that we have an access token
+  constructor(url, accessToken, scmOrg) {
+    super(url, accessToken, scmOrg);
+    __publicField(this, "githubSdk");
+    this.githubSdk = getGithubSdk({
+      auth: accessToken,
+      url
+    });
+  }
+  async createSubmitRequest(params) {
+    this._validateAccessTokenAndUrl();
+    const { targetBranchName, sourceBranchName, title, body } = params;
+    const pullRequestResult = await this.githubSdk.createPullRequest({
+      title,
+      body,
+      targetBranchName,
+      sourceBranchName,
+      repoUrl: this.url
+    });
+    return String(pullRequestResult.data.number);
+  }
+  async forkRepo(repoUrl) {
+    this._validateAccessToken();
+    return this.githubSdk.forkRepo({
+      repoUrl
+    });
+  }
+  async createOrUpdateRepositorySecret(params) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const { data: repositoryPublicKeyResponse } = await this.githubSdk.getRepositoryPublicKey({ owner, repo });
+    const { key_id, key } = repositoryPublicKeyResponse;
+    const encryptedValue = await encryptSecret(params.value, key);
+    return this.githubSdk.createOrUpdateRepositorySecret({
+      encrypted_value: encryptedValue,
+      secret_name: params.name,
+      key_id,
+      owner,
+      repo
+    });
+  }
+  async createPullRequestWithNewFile(sourceRepoUrl, filesPaths, userRepoUrl, title, body) {
+    const { pull_request_url } = await this.githubSdk.createPr({
+      sourceRepoUrl,
+      filesPaths,
+      userRepoUrl,
+      title,
+      body
+    });
+    return { pull_request_url };
+  }
+  async validateParams() {
+    return githubValidateParams(this.url, this.accessToken);
+  }
+  async postPrComment(params) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return this.githubSdk.postPrComment({
+      ...params,
+      owner,
+      repo
+    });
+  }
+  async updatePrComment(params) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return this.githubSdk.updatePrComment({
+      ...params,
+      owner,
+      repo
+    });
+  }
+  async deleteComment(params) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return this.githubSdk.deleteComment({
+      ...params,
+      owner,
+      repo
+    });
+  }
+  async getPrComments(params) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return this.githubSdk.getPrComments({
+      per_page: 100,
+      ...params,
+      owner,
+      repo
+    });
+  }
+  async getPrDiff(params) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const prRes = await this.githubSdk.getPrDiff({
+      ...params,
+      owner,
+      repo
+    });
+    return z24.string().parse(prRes.data);
+  }
+  async getRepoList(_scmOrg) {
+    this._validateAccessToken();
+    return this.githubSdk.getGithubRepoList();
+  }
+  async getBranchList() {
+    this._validateAccessTokenAndUrl();
+    const branches = await this.githubSdk.getGithubBranchList(this.url);
+    return branches.data.map((branch) => branch.name);
+  }
+  get scmLibType() {
+    return "GITHUB" /* GITHUB */;
+  }
+  getAuthHeaders() {
+    if (this.accessToken) {
+      return { authorization: `Bearer ${this.accessToken}` };
+    }
+    return {};
+  }
+  getDownloadUrl(sha) {
+    this._validateUrl();
+    const res = parseScmURL(this.url, "GitHub" /* GitHub */);
+    if (!res) {
+      throw new InvalidRepoUrlError("invalid repo url");
+    }
+    const { protocol, hostname, organization, repoName } = res;
+    const downloadUrl = isGithubOnPrem(this.url) ? `${protocol}//${hostname}/api/v3/repos/${organization}/${repoName}/zipball/${sha}` : `https://api.${hostname}/repos/${organization}/${repoName}/zipball/${sha}`;
+    return Promise.resolve(downloadUrl);
+  }
+  async _getUsernameForAuthUrl() {
+    return this.getUsername();
+  }
+  async getIsRemoteBranch(branch) {
+    this._validateUrl();
+    return this.githubSdk.getGithubIsRemoteBranch({ branch, repoUrl: this.url });
+  }
+  async getUserHasAccessToRepo() {
+    this._validateAccessTokenAndUrl();
+    const username = await this.getUsername();
+    return this.githubSdk.getGithubIsUserCollaborator({
+      repoUrl: this.url,
+      username
+    });
+  }
+  async getUsername() {
+    this._validateAccessToken();
+    return this.githubSdk.getGithubUsername();
+  }
+  async getSubmitRequestStatus(scmSubmitRequestId) {
+    this._validateAccessTokenAndUrl();
+    return this.githubSdk.getGithubPullRequestStatus({
+      repoUrl: this.url,
+      prNumber: Number(scmSubmitRequestId)
+    });
+  }
+  async addCommentToSubmitRequest(submitRequestId, comment) {
+    this._validateAccessTokenAndUrl();
+    await this.githubSdk.createMarkdownCommentOnPullRequest({
+      repoUrl: this.url,
+      prNumber: Number(submitRequestId),
+      markdownComment: comment
+    });
+  }
+  async getRepoBlameRanges(ref, path8) {
+    this._validateUrl();
+    return await this.githubSdk.getGithubBlameRanges({
+      ref,
+      path: path8,
+      gitHubUrl: this.url
+    });
+  }
+  async getReferenceData(ref) {
+    this._validateUrl();
+    return this.githubSdk.getGithubReferenceData({ ref, gitHubUrl: this.url });
+  }
+  async getPrComment(commentId) {
+    this._validateUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return await this.githubSdk.getPrComment({
+      repo,
+      owner,
+      comment_id: commentId
+    });
+  }
+  async getRepoDefaultBranch() {
+    this._validateUrl();
+    return await this.githubSdk.getGithubRepoDefaultBranch(this.url);
+  }
+  async getSubmitRequestUrl(submitRequestUrl) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const getPrRes = await this.githubSdk.getPr({
+      owner,
+      repo,
+      pull_number: submitRequestUrl
+    });
+    return getPrRes.data.html_url;
+  }
+  async getSubmitRequestId(submitRequestUrl) {
+    const match = submitRequestUrl.match(/\/pull\/(\d+)/);
+    return match?.[1] || "";
+  }
+  async getCommitUrl(commitId) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const getCommitRes = await this.githubSdk.getCommit({
+      owner,
+      repo,
+      commitSha: commitId
+    });
+    return getCommitRes.data.html_url;
+  }
+  async postGeneralPrComment(params) {
+    const { prNumber, body } = params;
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return await this.githubSdk.postGeneralPrComment({
+      issue_number: prNumber,
+      owner,
+      repo,
+      body
+    });
+  }
+  async getGeneralPrComments(params) {
+    const { prNumber } = params;
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return await this.githubSdk.getGeneralPrComments({
+      issue_number: prNumber,
+      owner,
+      repo
+    });
+  }
+  async deleteGeneralPrComment({
+    commentId
+  }) {
+    this._validateAccessTokenAndUrl();
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    return this.githubSdk.deleteGeneralPrComment({
+      owner,
+      repo,
+      comment_id: commentId
+    });
+  }
+};
 
 // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
 import Debug7 from "debug";
@@ -6986,8 +7141,9 @@ import Debug6 from "debug";
 import { z as z25 } from "zod";
 var debug6 = Debug6("mobbdev:handle-finished-analysis");
 var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
-function buildCommentBody({
+function buildFixCommentBody({
   fix,
+  issueId,
   commentId,
   commentUrl,
   scanner,
@@ -6995,9 +7151,19 @@ function buildCommentBody({
   projectId,
   analysisId,
   organizationId,
-  patch
+  patch,
+  irrelevantIssueWithTags
 }) {
-  const commitUrl = getCommitUrl({
+  const isIrrelevantIssueWithTags = irrelevantIssueWithTags?.[0]?.tag;
+  const commitUrl = isIrrelevantIssueWithTags ? getCommitIssueUrl({
+    appBaseUrl: WEB_APP_URL,
+    issueId,
+    projectId,
+    analysisId,
+    organizationId,
+    redirectUrl: commentUrl,
+    commentId
+  }) : getCommitUrl({
     appBaseUrl: WEB_APP_URL,
     fixId,
     projectId,
@@ -7006,7 +7172,15 @@ function buildCommentBody({
     redirectUrl: commentUrl,
     commentId
   });
-  const fixUrl = getFixUrlWithRedirect({
+  const fixUrl = isIrrelevantIssueWithTags ? getIssueUrlWithRedirect({
+    appBaseUrl: WEB_APP_URL,
+    issueId,
+    projectId,
+    analysisId,
+    organizationId,
+    redirectUrl: commentUrl,
+    commentId
+  }) : getFixUrlWithRedirect({
     appBaseUrl: WEB_APP_URL,
     fixId,
     projectId,
@@ -7038,7 +7212,8 @@ function buildCommentBody({
       issueType: validFixParseRes.data.safeIssueType,
       issueLanguage: validFixParseRes.data.safeIssueLanguage,
       fixExtraContext: validFixParseRes.data.patchAndQuestions.extraContext
-    })
+    }),
+    irrelevantIssueWithTags
   }) : "";
   const diff = `\`\`\`diff
 ${patch} 
@@ -7052,6 +7227,37 @@ ${getCommitFixButton(
   )}
 ${fixPageLink}`;
 }
+function buildIssueCommentBody({
+  issueId,
+  commentId,
+  commentUrl,
+  scanner,
+  issueType,
+  projectId,
+  analysisId,
+  organizationId,
+  irrelevantIssueWithTags
+}) {
+  const issueUrl = getIssueUrlWithRedirect({
+    appBaseUrl: WEB_APP_URL,
+    issueId,
+    projectId,
+    analysisId,
+    organizationId,
+    redirectUrl: commentUrl,
+    commentId
+  });
+  const title = `# ${MobbIconMarkdown} Irrelevant issues were spotted - no action required \u{1F9F9}`;
+  const subTitle = getCommitIssueDescription({
+    issueType,
+    vendor: scannerToVulnerability_Report_Vendor_Enum[scanner],
+    irrelevantIssueWithTags
+  });
+  const issuePageLink = `[Learn more and fine tune the issue](${issueUrl})`;
+  return `${title}
+${subTitle}
+${issuePageLink}`;
+}
 
 // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
 var debug7 = Debug7("mobbdev:handle-finished-analysis");
@@ -7109,6 +7315,53 @@ function deleteAllPreviousGeneralPrComments(params) {
     }
   });
 }
+async function postIssueComment(params) {
+  const {
+    vulnerabilityReportIssueCodeNode,
+    projectId,
+    analysisId,
+    organizationId,
+    scm,
+    commitSha,
+    pullRequest,
+    scanner
+  } = params;
+  const {
+    path: path8,
+    startLine,
+    vulnerabilityReportIssue: {
+      vulnerabilityReportIssueTags,
+      category,
+      safeIssueType
+    },
+    vulnerabilityReportIssueId
+  } = vulnerabilityReportIssueCodeNode;
+  const irrelevantIssueWithTags = mapCategoryToBucket[category] === "irrelevant" && vulnerabilityReportIssueTags?.length > 0 ? vulnerabilityReportIssueTags : [];
+  const commentRes = await scm.postPrComment({
+    body: `# ${MobbIconMarkdown} Your fix is ready!
+Refresh the page in order to see the changes.`,
+    pull_number: pullRequest,
+    commit_id: commitSha,
+    path: path8,
+    line: startLine
+  });
+  const commentId = commentRes.data.id;
+  const commentBody = buildIssueCommentBody({
+    issueId: vulnerabilityReportIssueId,
+    issueType: safeIssueType,
+    irrelevantIssueWithTags,
+    commentId,
+    commentUrl: commentRes.data.html_url,
+    scanner,
+    projectId,
+    analysisId,
+    organizationId
+  });
+  return await scm.updatePrComment({
+    body: commentBody,
+    comment_id: commentId
+  });
+}
 async function postFixComment(params) {
   const {
     vulnerabilityReportIssueCodeNode,
@@ -7124,8 +7377,10 @@ async function postFixComment(params) {
   const {
     path: path8,
     startLine,
-    vulnerabilityReportIssue: { fixId }
+    vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
+    vulnerabilityReportIssueId
   } = vulnerabilityReportIssueCodeNode;
+  const irrelevantIssueWithTags = mapCategoryToBucket[category] === "irrelevant" && vulnerabilityReportIssueTags?.length > 0 ? vulnerabilityReportIssueTags : [];
   const fix = fixesById[fixId];
   if (!fix || fix.patchAndQuestions.__typename !== "FixData") {
     throw new Error(`fix ${fixId} not found`);
@@ -7142,8 +7397,10 @@ Refresh the page in order to see the changes.`,
     line: startLine
   });
   const commentId = commentRes.data.id;
-  const commentBody = buildCommentBody({
+  const commentBody = buildFixCommentBody({
     fix,
+    issueId: vulnerabilityReportIssueId,
+    irrelevantIssueWithTags,
     commentId,
     commentUrl: commentRes.data.html_url,
     scanner,
@@ -7297,7 +7554,7 @@ async function addFixCommentsForPr({
   gqlClient,
   scanner
 }) {
-  if (_scm instanceof GithubSCMLib === false) {
+  if (!(_scm instanceof GithubSCMLib)) {
     return;
   }
   const scm = _scm;
@@ -7319,7 +7576,10 @@ async function addFixCommentsForPr({
     gqlClient,
     vulnerabilityReportId: getAnalysisRes.vulnerabilityReportId
   });
-  const { vulnerabilityReportIssueCodeNodes } = prVulenrabilities;
+  const {
+    vulnerabilityReportIssueCodeNodes,
+    irrelevantVulnerabilityReportIssues
+  } = prVulenrabilities;
   const fixesId = vulnerabilityReportIssueCodeNodes.map(
     ({ vulnerabilityReportIssue: { fixId } }) => fixId
   );
@@ -7348,6 +7608,33 @@ async function addFixCommentsForPr({
         });
       }
     ),
+    ...irrelevantVulnerabilityReportIssues.map((vulnerabilityReportIssue) => {
+      return vulnerabilityReportIssue.codeNodes.map(
+        (vulnerabilityReportIssueCodeNode) => {
+          return postIssueComment({
+            vulnerabilityReportIssueCodeNode: {
+              path: vulnerabilityReportIssueCodeNode.path,
+              startLine: vulnerabilityReportIssueCodeNode.startLine,
+              vulnerabilityReportIssue: {
+                fixId: "",
+                safeIssueType: vulnerabilityReportIssue.safeIssueType,
+                vulnerabilityReportIssueTags: vulnerabilityReportIssue.vulnerabilityReportIssueTags,
+                category: vulnerabilityReportIssue.category
+              },
+              vulnerabilityReportIssueId: vulnerabilityReportIssue.id
+            },
+            projectId,
+            analysisId,
+            organizationId,
+            fixesById,
+            scm,
+            pullRequest,
+            scanner,
+            commitSha
+          });
+        }
+      );
+    }),
     postAnalysisInsightComment({
       prVulenrabilities,
       pullRequest,
@@ -7552,9 +7839,37 @@ var VulnerabilityReportIssueCodeNodeZ = z27.object({
   path: z27.string(),
   startLine: z27.number(),
   vulnerabilityReportIssue: z27.object({
-    fixId: z27.string()
+    fixId: z27.string(),
+    category: ValidCategoriesZ,
+    safeIssueType: z27.string(),
+    vulnerabilityReportIssueTags: z27.array(
+      z27.object({
+        tag: z27.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
+      })
+    )
   })
 });
+var VulnerabilityReportIssueNoFixCodeNodeZ = z27.object({
+  vulnerabilityReportIssues: z27.array(
+    z27.object({
+      id: z27.string(),
+      fixId: z27.string().nullable(),
+      category: ValidCategoriesZ,
+      safeIssueType: z27.string(),
+      codeNodes: z27.array(
+        z27.object({
+          path: z27.string(),
+          startLine: z27.number()
+        })
+      ),
+      vulnerabilityReportIssueTags: z27.array(
+        z27.object({
+          tag: z27.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
+        })
+      )
+    })
+  )
+});
 var GetVulByNodesMetadataZ = z27.object({
   vulnerabilityReportIssueCodeNodes: z27.array(VulnerabilityReportIssueCodeNodeZ),
   nonFixablePrVuls: z27.object({
@@ -7571,7 +7886,10 @@ var GetVulByNodesMetadataZ = z27.object({
     aggregate: z27.object({
       count: z27.number()
     })
-  })
+  }),
+  irrelevantVulnerabilityReportIssue: z27.array(
+    VulnerabilityReportIssueNoFixCodeNodeZ
+  )
 });
 
 // src/features/analysis/graphql/gql.ts
@@ -7723,6 +8041,7 @@ var GQLClient = class {
     const totalScanVulnerabilities = parsedGetVulByNodesMetadataRes.totalScanVulnerabilities.aggregate.count;
     const vulnerabilitiesOutsidePr = totalScanVulnerabilities - nonFixablePrVuls - fixablePrVuls;
     const totalPrVulnerabilities = nonFixablePrVuls + fixablePrVuls;
+    const irrelevantVulnerabilityReportIssues = parsedGetVulByNodesMetadataRes.irrelevantVulnerabilityReportIssue?.[0]?.vulnerabilityReportIssues ?? [];
     return {
       vulnerabilityReportIssueCodeNodes: Object.values(
         uniqueVulByNodesMetadata
@@ -7731,7 +8050,8 @@ var GQLClient = class {
       fixablePrVuls,
       totalScanVulnerabilities,
       vulnerabilitiesOutsidePr,
-      totalPrVulnerabilities
+      totalPrVulnerabilities,
+      irrelevantVulnerabilityReportIssues
     };
   }
   async digestVulnerabilityReport({