mobbdev 1.0.76 → 1.0.80

package/dist/index.mjs

@@ -10,32 +10,253 @@ var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "sy
 import Debug20 from "debug";
 import { hideBin } from "yargs/helpers";
 
-// src/types.ts
-var mobbCliCommand = {
-  addScmToken: "add-scm-token",
-  scan: "scan",
-  analyze: "analyze",
-  review: "review"
-};
+// src/args/commands/convert_to_sarif.ts
+import fs4 from "node:fs";
 
-// src/args/yargs.ts
-import chalk10 from "chalk";
-import yargs from "yargs/yargs";
+// src/commands/convert_to_sarif.ts
+import fs3 from "node:fs";
+import path3 from "node:path";
 
-// src/args/commands/analyze.ts
-import fs4 from "node:fs";
+// src/commands/fpr_stream_parser.ts
+import fs from "node:fs";
+import sax from "sax";
+var BaseStreamParser = class {
+  constructor(parser) {
+    __publicField(this, "currentPath", []);
+    parser.on("opentag", (tag) => this.onOpenTag(tag));
+    parser.on("closetag", () => this.onCloseTag());
+    parser.on("text", (text) => this.onText(text));
+  }
+  getPathString() {
+    return this.currentPath.join(" > ");
+  }
+  onOpenTag(tag) {
+    this.currentPath.push(tag.name);
+  }
+  onCloseTag() {
+    this.currentPath.pop();
+  }
+  onText(_text) {
+  }
+};
+var AuditMetadataParser = class extends BaseStreamParser {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "suppressedMap", {});
+  }
+  onOpenTag(tag) {
+    super.onOpenTag(tag);
+    switch (this.getPathString()) {
+      case "Audit > IssueList > Issue":
+        this.suppressedMap[String(tag.attributes["instanceId"] ?? "")] = String(
+          tag.attributes["suppressed"] ?? ""
+        );
+        break;
+    }
+  }
+  getAuditMetadata() {
+    return this.suppressedMap;
+  }
+};
+var ReportMetadataParser = class extends BaseStreamParser {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "uuid", "");
+    __publicField(this, "createdTSDate", "");
+    __publicField(this, "createdTSTime", "");
+    __publicField(this, "rules", {});
+    __publicField(this, "ruleId", "");
+    __publicField(this, "groupName", "");
+  }
+  onOpenTag(tag) {
+    super.onOpenTag(tag);
+    switch (this.getPathString()) {
+      case "FVDL > EngineData > RuleInfo > Rule":
+        this.ruleId = String(tag.attributes["id"] ?? "");
+        break;
+      case "FVDL > EngineData > RuleInfo > Rule > MetaInfo > Group":
+        this.groupName = String(tag.attributes["name"] ?? "");
+        break;
+      case "FVDL > CreatedTS":
+        this.createdTSDate = String(tag.attributes["date"] ?? "");
+        this.createdTSTime = String(tag.attributes["time"] ?? "");
+        break;
+    }
+  }
+  onText(text) {
+    super.onText(text);
+    switch (this.getPathString()) {
+      case "FVDL > UUID":
+        this.uuid = text;
+        break;
+      case "FVDL > EngineData > RuleInfo > Rule > MetaInfo > Group": {
+        const ruleMeta = this.rules[this.ruleId] ?? {};
+        ruleMeta[this.groupName] = text;
+        this.rules[this.ruleId] = ruleMeta;
+        break;
+      }
+    }
+  }
+  getReportMetadata() {
+    return {
+      createdTSDate: this.createdTSDate,
+      createdTSTime: this.createdTSTime,
+      uuid: this.uuid,
+      rules: this.rules
+    };
+  }
+};
+var UnifiedNodePoolParser = class extends BaseStreamParser {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "codePoints", {});
+    __publicField(this, "nodeId", "");
+  }
+  onOpenTag(tag) {
+    super.onOpenTag(tag);
+    switch (this.getPathString()) {
+      case "FVDL > UnifiedNodePool > Node":
+        this.nodeId = String(tag.attributes["id"] ?? "");
+        break;
+      case "FVDL > UnifiedNodePool > Node > SourceLocation":
+        this.codePoints[this.nodeId] = {
+          path: String(tag.attributes["path"] ?? ""),
+          colStart: String(tag.attributes["colStart"] ?? ""),
+          colEnd: String(tag.attributes["colEnd"] ?? ""),
+          line: String(tag.attributes["line"] ?? ""),
+          lineEnd: String(tag.attributes["lineEnd"] ?? "")
+        };
+        break;
+    }
+  }
+  getNodesPull() {
+    return this.codePoints;
+  }
+};
+var VulnerabilityParser = class extends BaseStreamParser {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "vulnerabilities", []);
+    __publicField(this, "isInVulnerability", false);
+    __publicField(this, "codePoints", []);
+    __publicField(this, "metadata", {});
+    __publicField(this, "metaInfo", {});
+    __publicField(this, "groupName", "");
+  }
+  onOpenTag(tag) {
+    super.onOpenTag(tag);
+    switch (this.getPathString()) {
+      case "FVDL > Vulnerabilities > Vulnerability":
+        this.isInVulnerability = true;
+        this.metadata = {};
+        this.metaInfo = {};
+        this.codePoints = [];
+        break;
+      case "FVDL > Vulnerabilities > Vulnerability > InstanceInfo > MetaInfo > Group":
+        this.groupName = String(tag.attributes["name"] ?? "");
+        break;
+    }
+    if (this.isInVulnerability) {
+      if (this.getPathString().endsWith(" > Entry > Node > SourceLocation")) {
+        this.codePoints.push({
+          path: String(tag.attributes["path"] ?? ""),
+          colStart: String(tag.attributes["colStart"] ?? ""),
+          colEnd: String(tag.attributes["colEnd"] ?? ""),
+          line: String(tag.attributes["line"] ?? ""),
+          lineEnd: String(tag.attributes["lineEnd"] ?? "")
+        });
+      } else if (this.getPathString().endsWith(" > Entry > NodeRef")) {
+        this.codePoints.push({
+          id: String(tag.attributes["id"] ?? "")
+        });
+      }
+    }
+  }
+  onText(text) {
+    super.onText(text);
+    const lastPathSegment = this.currentPath.at(-1);
+    if (!this.isInVulnerability || !lastPathSegment) {
+      return;
+    }
+    switch (this.getPathString()) {
+      case "FVDL > Vulnerabilities > Vulnerability > InstanceInfo > InstanceID":
+      case "FVDL > Vulnerabilities > Vulnerability > InstanceInfo > InstanceSeverity":
+      case "FVDL > Vulnerabilities > Vulnerability > InstanceInfo > Confidence":
+      case "FVDL > Vulnerabilities > Vulnerability > ClassInfo > ClassID":
+      case "FVDL > Vulnerabilities > Vulnerability > ClassInfo > Type":
+      case "FVDL > Vulnerabilities > Vulnerability > ClassInfo > Subtype":
+        this.metadata[lastPathSegment] = text;
+        break;
+      case "FVDL > Vulnerabilities > Vulnerability > InstanceInfo > MetaInfo > Group":
+        this.metaInfo[this.groupName] = text;
+        break;
+    }
+  }
+  onCloseTag() {
+    if (this.getPathString() === "FVDL > Vulnerabilities > Vulnerability") {
+      this.isInVulnerability = false;
+      this.vulnerabilities.push({
+        nodes: this.codePoints,
+        instanceID: this.metadata["InstanceID"] ?? "",
+        instanceSeverity: this.metadata["InstanceSeverity"] ?? "",
+        confidence: this.metadata["Confidence"] ?? "",
+        classID: this.metadata["ClassID"] ?? "",
+        type: this.metadata["Type"] ?? "",
+        subtype: this.metadata["Subtype"] ?? "",
+        metaInfo: this.metaInfo
+      });
+    }
+    super.onCloseTag();
+  }
+  getVulnerabilities() {
+    return this.vulnerabilities;
+  }
+};
+function initSaxParser(filepath) {
+  const parser = sax.createStream(true);
+  const awaiter = new Promise((resolve, reject) => {
+    parser.on("end", () => resolve(true));
+    parser.on("error", (e) => reject(e));
+  });
+  return {
+    parser,
+    parse: async () => {
+      fs.createReadStream(filepath).pipe(parser);
+      await awaiter;
+    }
+  };
+}
 
-// src/commands/index.ts
-import crypto from "node:crypto";
-import os from "node:os";
+// src/features/analysis/scm/errors.ts
+var InvalidRepoUrlError = class extends Error {
+  constructor(m) {
+    super(m);
+  }
+};
+var InvalidAccessTokenError = class extends Error {
+  constructor(m) {
+    super(m);
+  }
+};
+var InvalidUrlPatternError = class extends Error {
+  constructor(m) {
+    super(m);
+  }
+};
+var RefNotFoundError = class extends Error {
+  constructor(m) {
+    super(m);
+  }
+};
+var RepoNoTokenAccessError = class extends Error {
+  constructor(m, scmType) {
+    super(m);
+    this.scmType = scmType;
+  }
+};
 
-// src/constants.ts
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import chalk from "chalk";
-import Debug from "debug";
-import * as dotenv from "dotenv";
-import { z as z8 } from "zod";
+// src/features/analysis/scm/shared/src/types/fix.ts
+import { z as z2 } from "zod";
 
 // src/features/analysis/scm/generates/client_generates.ts
 var FixQuestionInputType = /* @__PURE__ */ ((FixQuestionInputType2) => {
@@ -111,6 +332,7 @@ var IssueLanguage_Enum = /* @__PURE__ */ ((IssueLanguage_Enum2) => {
 })(IssueLanguage_Enum || {});
 var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["AutoEscapeFalse"] = "AUTO_ESCAPE_FALSE";
+  IssueType_Enum2["AvoidBuiltinShadowing"] = "AVOID_BUILTIN_SHADOWING";
   IssueType_Enum2["AvoidIdentityComparisonCachedTypes"] = "AVOID_IDENTITY_COMPARISON_CACHED_TYPES";
   IssueType_Enum2["ClientDomStoredCodeInjection"] = "CLIENT_DOM_STORED_CODE_INJECTION";
   IssueType_Enum2["CmDi"] = "CMDi";
@@ -140,6 +362,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["IframeWithoutSandbox"] = "IFRAME_WITHOUT_SANDBOX";
   IssueType_Enum2["ImproperExceptionHandling"] = "IMPROPER_EXCEPTION_HANDLING";
   IssueType_Enum2["ImproperResourceShutdownOrRelease"] = "IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE";
+  IssueType_Enum2["ImproperStringFormatting"] = "IMPROPER_STRING_FORMATTING";
   IssueType_Enum2["IncompleteHostnameRegex"] = "INCOMPLETE_HOSTNAME_REGEX";
   IssueType_Enum2["IncompleteUrlSanitization"] = "INCOMPLETE_URL_SANITIZATION";
   IssueType_Enum2["IncompleteUrlSchemeCheck"] = "INCOMPLETE_URL_SCHEME_CHECK";
@@ -246,6 +469,7 @@ var Vulnerability_Report_Vendor_Enum = /* @__PURE__ */ ((Vulnerability_Report_Ve
   Vulnerability_Report_Vendor_Enum3["Codeql"] = "codeql";
   Vulnerability_Report_Vendor_Enum3["Datadog"] = "datadog";
   Vulnerability_Report_Vendor_Enum3["Fortify"] = "fortify";
+  Vulnerability_Report_Vendor_Enum3["FortifyMobbSarif"] = "fortifyMobbSarif";
   Vulnerability_Report_Vendor_Enum3["Opengrep"] = "opengrep";
   Vulnerability_Report_Vendor_Enum3["Semgrep"] = "semgrep";
   Vulnerability_Report_Vendor_Enum3["Snyk"] = "snyk";
@@ -753,9 +977,6 @@ function getSdk(client, withWrapper = defaultWrapper) {
   };
 }
 
-// src/features/analysis/scm/shared/src/types/fix.ts
-import { z as z2 } from "zod";
-
 // src/features/analysis/scm/shared/src/types/shared.ts
 import { z } from "zod";
 var ParsedSeverityZ = z.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
@@ -1177,7 +1398,9 @@ var issueTypeMap = {
   ["RETURN_SHOULD_NOT_BE_INVARIANT" /* ReturnShouldNotBeInvariant */]: "Return Should Not Be Invariant",
   ["SYSTEM_EXIT_SHOULD_RERAISE" /* SystemExitShouldReraise */]: "SystemExit Should Reraise",
   ["NO_RETURN_IN_FINALLY" /* NoReturnInFinally */]: "No Return in Finally Block",
-  ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: "Avoid Identity Comparison of Cached Types"
+  ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: "Avoid Identity Comparison of Cached Types",
+  ["AVOID_BUILTIN_SHADOWING" /* AvoidBuiltinShadowing */]: "Avoid Builtin Shadowing",
+  ["IMPROPER_STRING_FORMATTING" /* ImproperStringFormatting */]: "Improper String Formatting"
 };
 var issueTypeZ = z5.nativeEnum(IssueType_Enum);
 var getIssueTypeFriendlyString = (issueType) => {
@@ -1630,290 +1853,49 @@ var ScmType = /* @__PURE__ */ ((ScmType2) => {
   ScmType2["Bitbucket"] = "Bitbucket";
   return ScmType2;
 })(ScmType || {});
+var ConvertToSarifInputFileFormat = /* @__PURE__ */ ((ConvertToSarifInputFileFormat2) => {
+  ConvertToSarifInputFileFormat2["FortifyFPR"] = "FortifyFPR";
+  return ConvertToSarifInputFileFormat2;
+})(ConvertToSarifInputFileFormat || {});
 
-// src/constants.ts
-var debug = Debug("mobbdev:constants");
-var __dirname = path.dirname(fileURLToPath(import.meta.url));
-dotenv.config({ path: path.join(__dirname, "../.env") });
-var scmFriendlyText = {
-  ["Ado" /* Ado */]: "Azure DevOps",
-  ["Bitbucket" /* Bitbucket */]: "Bitbucket",
-  ["GitHub" /* GitHub */]: "GitGub",
-  ["GitLab" /* GitLab */]: "GitLab"
-};
-var SCANNERS = {
-  Checkmarx: "checkmarx",
-  Codeql: "codeql",
-  Fortify: "fortify",
-  Snyk: "snyk",
-  Sonarqube: "sonarqube",
-  Semgrep: "semgrep",
-  Datadog: "datadog"
-};
-var scannerToVulnerability_Report_Vendor_Enum = {
-  [SCANNERS.Checkmarx]: "checkmarx" /* Checkmarx */,
-  [SCANNERS.Snyk]: "snyk" /* Snyk */,
-  [SCANNERS.Sonarqube]: "sonarqube" /* Sonarqube */,
-  [SCANNERS.Codeql]: "codeql" /* Codeql */,
-  [SCANNERS.Fortify]: "fortify" /* Fortify */,
-  [SCANNERS.Semgrep]: "semgrep" /* Semgrep */,
-  [SCANNERS.Datadog]: "datadog" /* Datadog */
-};
-var SupportedScannersZ = z8.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
-var envVariablesSchema = z8.object({
-  WEB_APP_URL: z8.string(),
-  API_URL: z8.string(),
-  HASURA_ACCESS_KEY: z8.string(),
-  LOCAL_GRAPHQL_ENDPOINT: z8.string(),
-  HTTP_PROXY: z8.string().optional().default(""),
-  HTTPS_PROXY: z8.string().optional().default("")
-}).required();
-var envVariables = envVariablesSchema.parse(process.env);
-debug("config %o", envVariables);
-var mobbAscii = `
-                                   ..                       
-                             ..........                     
-                        .................                   
-               ...........................                  
-              ..............................                
-             ................................               
-             ..................................             
-            ....................................            
-            .....................................           
-            .............................................   
-          ................................................. 
-     ...............................       .................
-  ..................................           ............ 
-..................    .............            ..........   
-......... ........      .........             ......        
-  ...............                          ....             
-         .... ..                                            
-                                                            
-                                      . ...                 
-                              ..............                
-                       ......................               
-                   ...........................              
-               ................................             
-           ......................................           
-                ...............................             
-                       .................                    
-`;
-var PROJECT_DEFAULT_NAME = "My first project";
-var WEB_APP_URL = envVariables.WEB_APP_URL;
-var API_URL = envVariables.API_URL;
-var HASURA_ACCESS_KEY = envVariables.HASURA_ACCESS_KEY;
-var LOCAL_GRAPHQL_ENDPOINT = envVariables.LOCAL_GRAPHQL_ENDPOINT;
-var HTTPS_PROXY = envVariables.HTTPS_PROXY;
-var HTTP_PROXY = envVariables.HTTP_PROXY;
-var errorMessages = {
-  missingCxProjectName: `project name ${chalk.bold(
-    "(--cx-project-name)"
-  )} is needed if you're using checkmarx`,
-  missingUrl: `url ${chalk.bold(
-    "(--url)"
-  )} is needed if you're adding an SCM token`,
-  invalidScmType: `SCM type ${chalk.bold(
-    "(--scm-type)"
-  )} is invalid, please use one of: ${Object.values(ScmType).join(", ")}`,
-  missingToken: `SCM token ${chalk.bold(
-    "(--token)"
-  )} is needed if you're adding an SCM token`
-};
-var progressMassages = {
-  processingVulnerabilityReportSuccess: "\u2699\uFE0F  Vulnerability report proccessed successfully",
-  processingVulnerabilityReport: "\u2699\uFE0F  Proccessing vulnerability report",
-  processingVulnerabilityReportFailed: "\u2699\uFE0F  Error Proccessing vulnerability report"
-};
-var VUL_REPORT_DIGEST_TIMEOUT_MS = 1e3 * 60 * 30;
+// src/features/analysis/scm/ado/constants.ts
+var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
 
-// src/features/analysis/index.ts
-import fs3 from "node:fs";
-import fsPromises from "node:fs/promises";
-import path6 from "node:path";
-import { env as env2 } from "node:process";
-import { pipeline } from "node:stream/promises";
+// src/features/analysis/scm/ado/utils.ts
+import querystring from "node:querystring";
+import * as api from "azure-devops-node-api";
+import Debug from "debug";
+import { z as z17 } from "zod";
 
-// src/utils/index.ts
-var utils_exports = {};
-__export(utils_exports, {
-  CliError: () => CliError,
-  Spinner: () => Spinner,
-  getDirName: () => getDirName,
-  getTopLevelDirName: () => getTopLevelDirName,
-  keypress: () => keypress,
-  packageJson: () => packageJson,
-  sleep: () => sleep
+// src/features/analysis/scm/env.ts
+import { z as z8 } from "zod";
+var EnvVariablesZod = z8.object({
+  GITLAB_API_TOKEN: z8.string().optional(),
+  GITHUB_API_TOKEN: z8.string().optional(),
+  GIT_PROXY_HOST: z8.string().optional().default("http://tinyproxy:8888")
 });
+var { GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
 
-// src/utils/dirname.ts
-import path2 from "node:path";
-import { fileURLToPath as fileURLToPath2 } from "node:url";
-function getDirName() {
-  return path2.dirname(fileURLToPath2(import.meta.url));
-}
-function getTopLevelDirName(fullPath) {
-  return path2.parse(fullPath).name;
-}
-
-// src/utils/keypress.ts
-import readline from "node:readline";
-async function keypress() {
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout
-  });
-  return new Promise((resolve) => {
-    rl.question("", (answer) => {
-      rl.close();
-      process.stderr.moveCursor(0, -1);
-      process.stderr.clearLine(1);
-      resolve(answer);
-    });
-  });
-}
+// src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
+import { z as z9 } from "zod";
 
-// src/utils/spinner.ts
-import {
-  createSpinner as _createSpinner
-} from "nanospinner";
-function printToStdError(opts) {
-  if (opts?.text) console.error(opts.text);
-}
-var mockSpinner = {
-  success: (opts) => {
-    printToStdError(opts);
-    return mockSpinner;
+// src/features/analysis/scm/shared/src/fixDetailsData.ts
+var fixDetailsData = {
+  ["PT" /* Pt */]: {
+    issueDescription: "Path Traversal AKA Directory Traversal occurs when a path coming from user input is not properly sanitized, allowing an attacker to navigate through directories beyond the intended scope. Attackers can exploit this to access sensitive files or execute arbitrary code.",
+    fixInstructions: "Sanitize user-supplied paths, ensuring that they are restricted to a predefined directory structure."
   },
-  error: (opts) => {
-    printToStdError(opts);
-    return mockSpinner;
+  ["ZIP_SLIP" /* ZipSlip */]: {
+    issueDescription: "Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. Attackers can manipulate archive files to overwrite sensitive files or execute arbitrary code.",
+    fixInstructions: "Ensure that extracted files are relative and within the intended directory structure."
   },
-  warn: (opts) => {
-    printToStdError(opts);
-    return mockSpinner;
+  ["XSS" /* Xss */]: {
+    issueDescription: "Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to theft of session cookies, redirection to malicious websites, or defacement of the webpage.",
+    fixInstructions: "Implement input validation and output encoding. This includes sanitizing user input and escaping special characters to prevent execution of injected scripts."
   },
-  stop: (opts) => {
-    printToStdError(opts);
-    return mockSpinner;
-  },
-  start: (opts) => {
-    printToStdError(opts);
-    return mockSpinner;
-  },
-  update: (opts) => {
-    printToStdError(opts);
-    return mockSpinner;
-  },
-  reset: () => mockSpinner,
-  clear: () => mockSpinner,
-  spin: () => mockSpinner
-};
-function Spinner({ ci = false } = {}) {
-  return {
-    createSpinner: (text, options) => ci ? mockSpinner : _createSpinner(text, options)
-  };
-}
-
-// src/utils/check_node_version.ts
-import fs from "node:fs";
-import path3 from "node:path";
-import semver from "semver";
-var packageJson = JSON.parse(
-  fs.readFileSync(path3.join(getDirName(), "../package.json"), "utf8")
-);
-if (!semver.satisfies(process.version, packageJson.engines.node)) {
-  console.error(
-    `
-\u26A0\uFE0F ${packageJson.name} requires node version ${packageJson.engines.node}, but running ${process.version}.`
-  );
-  process.exit(1);
-}
-
-// src/utils/index.ts
-var sleep = (ms = 2e3) => new Promise((r) => setTimeout(r, ms));
-var CliError = class extends Error {
-};
-
-// src/features/analysis/index.ts
-import chalk4 from "chalk";
-import Configstore from "configstore";
-import Debug18 from "debug";
-import extract from "extract-zip";
-import { createSpinner as createSpinner4 } from "nanospinner";
-import fetch4 from "node-fetch";
-import open2 from "open";
-import tmp from "tmp";
-import { z as z29 } from "zod";
-
-// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
-import Debug8 from "debug";
-
-// src/features/analysis/scm/errors.ts
-var InvalidRepoUrlError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var InvalidAccessTokenError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var InvalidUrlPatternError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var RefNotFoundError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var RepoNoTokenAccessError = class extends Error {
-  constructor(m, scmType) {
-    super(m);
-    this.scmType = scmType;
-  }
-};
-
-// src/features/analysis/scm/ado/constants.ts
-var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
-
-// src/features/analysis/scm/ado/utils.ts
-import querystring from "node:querystring";
-import * as api from "azure-devops-node-api";
-import Debug2 from "debug";
-import { z as z18 } from "zod";
-
-// src/features/analysis/scm/env.ts
-import { z as z9 } from "zod";
-var EnvVariablesZod = z9.object({
-  GITLAB_API_TOKEN: z9.string().optional(),
-  GITHUB_API_TOKEN: z9.string().optional(),
-  GIT_PROXY_HOST: z9.string()
-});
-var { GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
-
-// src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
-import { z as z10 } from "zod";
-
-// src/features/analysis/scm/shared/src/fixDetailsData.ts
-var fixDetailsData = {
-  ["PT" /* Pt */]: {
-    issueDescription: "Path Traversal AKA Directory Traversal occurs when a path coming from user input is not properly sanitized, allowing an attacker to navigate through directories beyond the intended scope. Attackers can exploit this to access sensitive files or execute arbitrary code.",
-    fixInstructions: "Sanitize user-supplied paths, ensuring that they are restricted to a predefined directory structure."
-  },
-  ["ZIP_SLIP" /* ZipSlip */]: {
-    issueDescription: "Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. Attackers can manipulate archive files to overwrite sensitive files or execute arbitrary code.",
-    fixInstructions: "Ensure that extracted files are relative and within the intended directory structure."
-  },
-  ["XSS" /* Xss */]: {
-    issueDescription: "Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to theft of session cookies, redirection to malicious websites, or defacement of the webpage.",
-    fixInstructions: "Implement input validation and output encoding. This includes sanitizing user input and escaping special characters to prevent execution of injected scripts."
-  },
-  ["XXE" /* Xxe */]: {
-    issueDescription: "XML External Entity (XXE) allows attackers to exploit vulnerable XML processors by including external entities, leading to disclosure of confidential data, denial of service, or server-side request forgery.",
-    fixInstructions: "Disable external entity processing in XML parsers or update to versions that mitigate XXE vulnerabilities. Input validation should be implemented to ensure that XML input does not contain external entity references."
+  ["XXE" /* Xxe */]: {
+    issueDescription: "XML External Entity (XXE) allows attackers to exploit vulnerable XML processors by including external entities, leading to disclosure of confidential data, denial of service, or server-side request forgery.",
+    fixInstructions: "Disable external entity processing in XML parsers or update to versions that mitigate XXE vulnerabilities. Input validation should be implemented to ensure that XML input does not contain external entity references."
   },
   ["CMDi" /* CmDi */]: {
     issueDescription: "Command Injection (CMDI) allows attackers inject malicious commands into vulnerable applications, that can result in execution of arbitrary commands on the underlying operating system.",
@@ -2147,7 +2129,9 @@ var fixDetailsData = {
   ["RETURN_SHOULD_NOT_BE_INVARIANT" /* ReturnShouldNotBeInvariant */]: void 0,
   ["SYSTEM_EXIT_SHOULD_RERAISE" /* SystemExitShouldReraise */]: void 0,
   ["NO_RETURN_IN_FINALLY" /* NoReturnInFinally */]: void 0,
-  ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: void 0
+  ["AVOID_IDENTITY_COMPARISON_CACHED_TYPES" /* AvoidIdentityComparisonCachedTypes */]: void 0,
+  ["AVOID_BUILTIN_SHADOWING" /* AvoidBuiltinShadowing */]: void 0,
+  ["IMPROPER_STRING_FORMATTING" /* ImproperStringFormatting */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -2178,7 +2162,7 @@ var getCommitDescription = ({
   )}**.
 
 `;
-  const parseIssueTypeRes = z10.nativeEnum(IssueType_Enum).safeParse(issueType);
+  const parseIssueTypeRes = z9.nativeEnum(IssueType_Enum).safeParse(issueType);
   if (issueType && parseIssueTypeRes.success) {
     if (irrelevantIssueWithTags?.[0]?.tag) {
       description += `
@@ -2221,7 +2205,7 @@ var getCommitIssueDescription = ({
   const issueTypeString = getIssueTypeFriendlyString(issueType);
   let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
 `;
-  const parseIssueTypeRes = z10.nativeEnum(IssueType_Enum).safeParse(issueType);
+  const parseIssueTypeRes = z9.nativeEnum(IssueType_Enum).safeParse(issueType);
   if (issueType && parseIssueTypeRes.success) {
     if (irrelevantIssueWithTags?.[0]?.tag) {
       description = `
@@ -2246,10 +2230,10 @@ ${staticData.issueDescription}
 };
 
 // src/features/analysis/scm/shared/src/guidances.ts
-import { z as z13 } from "zod";
+import { z as z12 } from "zod";
 
 // src/features/analysis/scm/shared/src/storedFixData/index.ts
-import { z as z11 } from "zod";
+import { z as z10 } from "zod";
 
 // src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
 var passwordInComment = {
@@ -2425,8 +2409,8 @@ var vulnerabilities8 = {
 var xml_default = vulnerabilities8;
 
 // src/features/analysis/scm/shared/src/storedFixData/index.ts
-var StoredFixDataItemZ = z11.object({
-  guidance: z11.function().returns(z11.string())
+var StoredFixDataItemZ = z10.object({
+  guidance: z10.function().returns(z10.string())
 });
 var languages = {
   ["Java" /* Java */]: java_default,
@@ -2440,7 +2424,7 @@ var languages = {
 };
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
-import { z as z12 } from "zod";
+import { z as z11 } from "zod";
 
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
 var httpOnlyCookie = {
@@ -3639,10 +3623,10 @@ var vulnerabilities14 = {
 var xml_default2 = vulnerabilities14;
 
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
-var StoredQuestionDataItemZ = z12.object({
-  content: z12.function().args(z12.any()).returns(z12.string()),
-  description: z12.function().args(z12.any()).returns(z12.string()),
-  guidance: z12.function().args(z12.any()).returns(z12.string())
+var StoredQuestionDataItemZ = z11.object({
+  content: z11.function().args(z11.any()).returns(z11.string()),
+  description: z11.function().args(z11.any()).returns(z11.string()),
+  guidance: z11.function().args(z11.any()).returns(z11.string())
 });
 var languages2 = {
   ["Java" /* Java */]: java_default2,
@@ -3737,9 +3721,9 @@ function getFixGuidances({
   const fixGuidance = storeFixResult.success ? [storeFixResult.data.guidance({ questions, ...extraContext })] : [];
   return libGuidances.concat(fixGuidance).filter((guidance) => !!guidance);
 }
-var IssueTypeAndLanguageZ = z13.object({
-  issueType: z13.nativeEnum(IssueType_Enum),
-  issueLanguage: z13.nativeEnum(IssueLanguage_Enum)
+var IssueTypeAndLanguageZ = z12.object({
+  issueType: z12.nativeEnum(IssueType_Enum),
+  issueLanguage: z12.nativeEnum(IssueLanguage_Enum)
 });
 function getGuidances(args) {
   const safeIssueTypeAndLanguage = IssueTypeAndLanguageZ.safeParse({
@@ -3777,7 +3761,7 @@ function getGuidances(args) {
 }
 
 // src/features/analysis/scm/shared/src/urlParser/urlParser.ts
-import { z as z14 } from "zod";
+import { z as z13 } from "zod";
 var ADO_PREFIX_PATH = "tfs";
 var NAME_REGEX = /[a-z0-9\-_.+]+/i;
 function detectAdoUrl(args) {
@@ -3794,7 +3778,7 @@ function detectAdoUrl(args) {
         scmType: "Ado" /* Ado */,
         organization,
         // project has single repo - repoName === projectName
-        projectName: z14.string().parse(projectName),
+        projectName: z13.string().parse(projectName),
         repoName: projectName,
         prefixPath
       };
@@ -3805,7 +3789,7 @@ function detectAdoUrl(args) {
       return {
         scmType: "Ado" /* Ado */,
         organization,
-        projectName: z14.string().parse(projectName),
+        projectName: z13.string().parse(projectName),
         repoName,
         prefixPath
       };
@@ -3819,7 +3803,7 @@ function detectAdoUrl(args) {
           scmType: "Ado" /* Ado */,
           organization,
           // project has only one repo - repoName === projectName
-          projectName: z14.string().parse(repoName),
+          projectName: z13.string().parse(repoName),
           repoName,
           prefixPath
         };
@@ -3829,7 +3813,7 @@ function detectAdoUrl(args) {
         return {
           scmType: "Ado" /* Ado */,
           organization,
-          projectName: z14.string().parse(projectName),
+          projectName: z13.string().parse(projectName),
           repoName,
           prefixPath
         };
@@ -3956,10 +3940,10 @@ function getIssueUrl({
 }
 
 // src/features/analysis/scm/utils/index.ts
-import { z as z16 } from "zod";
+import { z as z15 } from "zod";
 
 // src/features/analysis/scm/types.ts
-import { z as z15 } from "zod";
+import { z as z14 } from "zod";
 var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
   ReferenceType2["BRANCH"] = "BRANCH";
   ReferenceType2["COMMIT"] = "COMMIT";
@@ -3991,10 +3975,10 @@ var scmTypeToScmLibScmType = {
   ["Ado" /* Ado */]: "ADO" /* ADO */,
   ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
 };
-var GetRefererenceResultZ = z15.object({
-  date: z15.date().optional(),
-  sha: z15.string(),
-  type: z15.nativeEnum(ReferenceType)
+var GetRefererenceResultZ = z14.object({
+  date: z14.date().optional(),
+  sha: z14.string(),
+  type: z14.nativeEnum(ReferenceType)
 });
 
 // src/features/analysis/scm/utils/index.ts
@@ -4108,7 +4092,7 @@ function shouldValidateUrl(repoUrl) {
   return repoUrl && isUrlHasPath(repoUrl);
 }
 function isBrokerUrl(url) {
-  return z16.string().uuid().safeParse(new URL(url).host).success;
+  return z15.string().uuid().safeParse(new URL(url).host).success;
 }
 function buildAuthorizedRepoUrl(args) {
   const { url, username, password } = args;
@@ -4144,7 +4128,7 @@ function getCloudScmLibTypeFromUrl(url) {
   return void 0;
 }
 function getScmLibTypeFromScmType(scmType) {
-  const parsedScmType = z16.nativeEnum(ScmType).parse(scmType);
+  const parsedScmType = z15.nativeEnum(ScmType).parse(scmType);
   return scmTypeToScmLibScmType[parsedScmType];
 }
 function getScmConfig({
@@ -4211,42 +4195,42 @@ function getScmConfig({
 }
 
 // src/features/analysis/scm/ado/validation.ts
-import { z as z17 } from "zod";
-var ValidPullRequestStatusZ = z17.union([
-  z17.literal(1 /* Active */),
-  z17.literal(2 /* Abandoned */),
-  z17.literal(3 /* Completed */)
+import { z as z16 } from "zod";
+var ValidPullRequestStatusZ = z16.union([
+  z16.literal(1 /* Active */),
+  z16.literal(2 /* Abandoned */),
+  z16.literal(3 /* Completed */)
 ]);
-var AdoAuthResultZ = z17.object({
-  access_token: z17.string().min(1),
-  token_type: z17.string().min(1),
-  refresh_token: z17.string().min(1)
+var AdoAuthResultZ = z16.object({
+  access_token: z16.string().min(1),
+  token_type: z16.string().min(1),
+  refresh_token: z16.string().min(1)
 });
 var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
-  scmOrgs: z17.array(z17.string())
+  scmOrgs: z16.array(z16.string())
 });
-var profileZ = z17.object({
-  displayName: z17.string(),
-  publicAlias: z17.string().min(1),
-  emailAddress: z17.string(),
-  coreRevision: z17.number(),
-  timeStamp: z17.string(),
-  id: z17.string(),
-  revision: z17.number()
+var profileZ = z16.object({
+  displayName: z16.string(),
+  publicAlias: z16.string().min(1),
+  emailAddress: z16.string(),
+  coreRevision: z16.number(),
+  timeStamp: z16.string(),
+  id: z16.string(),
+  revision: z16.number()
 });
-var accountsZ = z17.object({
-  count: z17.number(),
-  value: z17.array(
-    z17.object({
-      accountId: z17.string(),
-      accountUri: z17.string(),
-      accountName: z17.string()
+var accountsZ = z16.object({
+  count: z16.number(),
+  value: z16.array(
+    z16.object({
+      accountId: z16.string(),
+      accountUri: z16.string(),
+      accountName: z16.string()
     })
   )
 });
 
 // src/features/analysis/scm/ado/utils.ts
-var debug2 = Debug2("mobbdev:scm:ado");
+var debug = Debug("mobbdev:scm:ado");
 function _getPublicAdoClient({
   orgName,
   origin: origin2
@@ -4325,7 +4309,7 @@ async function getAdoConnectData({
         oauthToken: adoTokenInfo.accessToken
       });
       return {
-        org: z18.string().parse(org),
+        org: z17.string().parse(org),
         origin: DEFUALT_ADO_ORIGIN
       };
     }
@@ -4411,7 +4395,7 @@ async function getAdoClientParams(params) {
       return {
         tokenType: "PAT" /* PAT */,
         accessToken: adoTokenInfo.accessToken,
-        patTokenOrg: z18.string().parse(tokenOrg).toLowerCase(),
+        patTokenOrg: z17.string().parse(tokenOrg).toLowerCase(),
         origin: origin2,
         orgName: org.toLowerCase()
       };
@@ -4579,6 +4563,18 @@ async function getAdoSdk(params) {
       );
       return `${getRepositoryRes.webUrl}/commit/${commitId}`;
     },
+    async getAdoBranchCommitsUrl({
+      repoUrl,
+      branch
+    }) {
+      const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      const git = await api2.getGitApi();
+      const getRepositoryRes = await git.getRepository(
+        decodeURI(repo),
+        projectName ? decodeURI(projectName) : void 0
+      );
+      return `${getRepositoryRes.webUrl}/commits?itemVersion=${branch}`;
+    },
     getAdoDownloadUrl({
       repoUrl,
       branch
@@ -4587,7 +4583,7 @@ async function getAdoSdk(params) {
       const url = new URL(repoUrl);
       const origin2 = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
       const params2 = `path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
-      const path8 = [
+      const path9 = [
         prefixPath,
         owner,
         projectName,
@@ -4598,7 +4594,7 @@ async function getAdoSdk(params) {
         "items",
         "items"
       ].filter(Boolean).join("/");
-      return new URL(`${path8}?${params2}`, origin2).toString();
+      return new URL(`${path9}?${params2}`, origin2).toString();
     },
     async getAdoBranchList({ repoUrl }) {
       try {
@@ -5080,6 +5076,14 @@ var AdoSCMLib = class extends SCMLib {
       commitId
     });
   }
+  async getBranchCommitsUrl(branchName) {
+    this._validateUrl();
+    const adoSdk = await this.getAdoSdk();
+    return adoSdk.getAdoBranchCommitsUrl({
+      repoUrl: this.url,
+      branch: branchName
+    });
+  }
   async addCommentToSubmitRequest(scmSubmitRequestId, comment) {
     this._validateAccessTokenAndUrl();
     const adoSdk = await this.getAdoSdk();
@@ -5095,34 +5099,34 @@ var AdoSCMLib = class extends SCMLib {
 import querystring2 from "node:querystring";
 import * as bitbucketPkgNode from "bitbucket";
 import bitbucketPkg from "bitbucket";
-import Debug3 from "debug";
-import { z as z20 } from "zod";
+import Debug2 from "debug";
+import { z as z19 } from "zod";
 
 // src/features/analysis/scm/bitbucket/validation.ts
-import { z as z19 } from "zod";
-var BitbucketAuthResultZ = z19.object({
-  access_token: z19.string(),
-  token_type: z19.string(),
-  refresh_token: z19.string()
+import { z as z18 } from "zod";
+var BitbucketAuthResultZ = z18.object({
+  access_token: z18.string(),
+  token_type: z18.string(),
+  refresh_token: z18.string()
 });
 
 // src/features/analysis/scm/bitbucket/bitbucket.ts
-var debug3 = Debug3("scm:bitbucket");
+var debug2 = Debug2("scm:bitbucket");
 var BITBUCKET_HOSTNAME = "bitbucket.org";
-var TokenExpiredErrorZ = z20.object({
-  status: z20.number(),
-  error: z20.object({
-    type: z20.string(),
-    error: z20.object({
-      message: z20.string()
+var TokenExpiredErrorZ = z19.object({
+  status: z19.number(),
+  error: z19.object({
+    type: z19.string(),
+    error: z19.object({
+      message: z19.string()
     })
   })
 });
 var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
-var BitbucketParseResultZ = z20.object({
-  organization: z20.string(),
-  repoName: z20.string(),
-  hostname: z20.literal(BITBUCKET_HOSTNAME)
+var BitbucketParseResultZ = z19.object({
+  organization: z19.string(),
+  repoName: z19.string(),
+  hostname: z19.literal(BITBUCKET_HOSTNAME)
 });
 function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
   const parsedGitHubUrl = normalizeUrl(bitbucketUrl);
@@ -5183,7 +5187,7 @@ function getBitbucketSdk(params) {
       if (!res.data.values) {
         return [];
       }
-      return res.data.values.filter((branch) => !!branch.name).map((branch) => z20.string().parse(branch.name));
+      return res.data.values.filter((branch) => !!branch.name).map((branch) => z19.string().parse(branch.name));
     },
     async getIsUserCollaborator(params2) {
       const { repoUrl } = params2;
@@ -5298,7 +5302,7 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: tagRes.data.target?.hash,
         type: "TAG" /* TAG */,
-        date: new Date(z20.string().parse(tagRes.data.target?.date))
+        date: new Date(z19.string().parse(tagRes.data.target?.date))
       });
     },
     async getBranchRef(params2) {
@@ -5306,7 +5310,7 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: getBranchRes.target?.hash,
         type: "BRANCH" /* BRANCH */,
-        date: new Date(z20.string().parse(getBranchRes.target?.date))
+        date: new Date(z19.string().parse(getBranchRes.target?.date))
       });
     },
     async getCommitRef(params2) {
@@ -5314,13 +5318,13 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: getCommitRes.hash,
         type: "COMMIT" /* COMMIT */,
-        date: new Date(z20.string().parse(getCommitRes.date))
+        date: new Date(z19.string().parse(getCommitRes.date))
       });
     },
     async getDownloadUrl({ url, sha }) {
       this.getReferenceData({ ref: sha, url });
       const repoRes = await this.getRepo({ repoUrl: url });
-      const parsedRepoUrl = z20.string().url().parse(repoRes.links?.html?.href);
+      const parsedRepoUrl = z19.string().url().parse(repoRes.links?.html?.href);
       return `${parsedRepoUrl}/get/${sha}.zip`;
     },
     async getPullRequest(params2) {
@@ -5385,7 +5389,7 @@ async function validateBitbucketParams(params) {
 }
 async function getUsersworkspacesSlugs(bitbucketClient) {
   const res = await bitbucketClient.workspaces.getWorkspaces({});
-  return res.data.values?.map((v) => z20.string().parse(v.slug));
+  return res.data.values?.map((v) => z19.string().parse(v.slug));
 }
 async function getllUsersrepositories(bitbucketClient) {
   const userWorspacesSlugs = await getUsersworkspacesSlugs(bitbucketClient);
@@ -5413,10 +5417,10 @@ async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
 
 // src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
 import { setTimeout as setTimeout3 } from "node:timers/promises";
-import { z as z21 } from "zod";
+import { z as z20 } from "zod";
 function getUserAndPassword(token) {
   const [username, password] = token.split(":");
-  const safePasswordAndUsername = z21.object({ username: z21.string(), password: z21.string() }).parse({ username, password });
+  const safePasswordAndUsername = z20.object({ username: z20.string(), password: z20.string() }).parse({ username, password });
   return {
     username: safePasswordAndUsername.username,
     password: safePasswordAndUsername.password
@@ -5488,7 +5492,7 @@ var BitbucketSCMLib = class extends SCMLib {
         return { username, password, authType };
       }
       case "token": {
-        return { authType, token: z21.string().parse(this.accessToken) };
+        return { authType, token: z20.string().parse(this.accessToken) };
       }
       case "public":
         return { authType };
@@ -5502,7 +5506,7 @@ var BitbucketSCMLib = class extends SCMLib {
           ...params,
           repoUrl: this.url
         });
-        return String(z21.number().parse(pullRequestRes.id));
+        return String(z20.number().parse(pullRequestRes.id));
       } catch (e) {
         console.warn(
           `error creating pull request for BB. Try number ${i + 1}`,
@@ -5587,7 +5591,7 @@ var BitbucketSCMLib = class extends SCMLib {
   async getUsername() {
     this._validateAccessToken();
     const res = await this.bitbucketSdk.getUser();
-    return z21.string().parse(res.username);
+    return z20.string().parse(res.username);
   }
   async getSubmitRequestStatus(_scmSubmitRequestId) {
     this._validateAccessTokenAndUrl();
@@ -5616,7 +5620,7 @@ var BitbucketSCMLib = class extends SCMLib {
   async getRepoDefaultBranch() {
     this._validateUrl();
     const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
-    return z21.string().parse(repoRes.mainbranch?.name);
+    return z20.string().parse(repoRes.mainbranch?.name);
   }
   getSubmitRequestUrl(submitRequestId) {
     this._validateUrl();
@@ -5636,6 +5640,13 @@ var BitbucketSCMLib = class extends SCMLib {
       `https://bitbucket.org/${workspace}/${repo_slug}/commits/${commitId}`
     );
   }
+  getBranchCommitsUrl(branchName) {
+    this._validateUrl();
+    const { repo_slug, workspace } = parseBitbucketOrganizationAndRepo(this.url);
+    return Promise.resolve(
+      `https://bitbucket.org/${workspace}/${repo_slug}/branch/${branchName}`
+    );
+  }
   async addCommentToSubmitRequest(submitRequestId, comment) {
     this._validateUrl();
     await this.bitbucketSdk.addCommentToPullRequest({
@@ -5651,7 +5662,7 @@ var MOBB_ICON_IMG = "https://app.mobb.ai/gh-action/Logo_Rounded_Icon.svg";
 var MAX_BRANCHES_FETCH = 1e3;
 
 // src/features/analysis/scm/github/GithubSCMLib.ts
-import { z as z22 } from "zod";
+import { z as z21 } from "zod";
 
 // src/features/analysis/scm/github/github.ts
 import { RequestError } from "@octokit/request-error";
@@ -6040,14 +6051,14 @@ function getGithubSdk(params = {}) {
       };
     },
     async getGithubBlameRanges(params2) {
-      const { ref, gitHubUrl, path: path8 } = params2;
+      const { ref, gitHubUrl, path: path9 } = params2;
       const { owner, repo } = parseGithubOwnerAndRepo(gitHubUrl);
       const res = await octokit.graphql(
         GET_BLAME_DOCUMENT,
         {
           owner,
           repo,
-          path: path8,
+          path: path9,
           ref
         }
       );
@@ -6289,7 +6300,7 @@ var GithubSCMLib = class extends SCMLib {
       owner,
       repo
     });
-    return z22.string().parse(prRes.data);
+    return z21.string().parse(prRes.data);
   }
   async getRepoList(_scmOrg) {
     this._validateAccessToken();
@@ -6353,11 +6364,11 @@ var GithubSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path8) {
+  async getRepoBlameRanges(ref, path9) {
     this._validateUrl();
     return await this.githubSdk.getGithubBlameRanges({
       ref,
-      path: path8,
+      path: path9,
       gitHubUrl: this.url
     });
   }
@@ -6402,6 +6413,10 @@ var GithubSCMLib = class extends SCMLib {
     });
     return getCommitRes.data.html_url;
   }
+  async getBranchCommitsUrl(branchName) {
+    this._validateAccessTokenAndUrl();
+    return `${this.url}/commits/${branchName}`;
+  }
   async postGeneralPrComment(params) {
     const { prNumber, body } = params;
     this._validateAccessTokenAndUrl();
@@ -6445,22 +6460,22 @@ import {
   AccessLevel,
   Gitlab
 } from "@gitbeaker/rest";
-import Debug4 from "debug";
+import Debug3 from "debug";
 import {
   fetch as undiciFetch,
   ProxyAgent as ProxyAgent2
 } from "undici";
 
 // src/features/analysis/scm/gitlab/types.ts
-import { z as z23 } from "zod";
-var GitlabAuthResultZ = z23.object({
-  access_token: z23.string(),
-  token_type: z23.string(),
-  refresh_token: z23.string()
+import { z as z22 } from "zod";
+var GitlabAuthResultZ = z22.object({
+  access_token: z22.string(),
+  token_type: z22.string(),
+  refresh_token: z22.string()
 });
 
 // src/features/analysis/scm/gitlab/gitlab.ts
-var debug4 = Debug4("scm:gitlab");
+var debug3 = Debug3("scm:gitlab");
 function removeTrailingSlash2(str) {
   return str.trim().replace(/\/+$/, "");
 }
@@ -6755,13 +6770,13 @@ function parseGitlabOwnerAndRepo(gitlabUrl) {
   const { organization, repoName, projectPath } = parsingResult;
   return { owner: organization, repo: repoName, projectPath };
 }
-async function getGitlabBlameRanges({ ref, gitlabUrl, path: path8 }, options) {
+async function getGitlabBlameRanges({ ref, gitlabUrl, path: path9 }, options) {
   const { projectPath } = parseGitlabOwnerAndRepo(gitlabUrl);
   const api2 = getGitBeaker({
     url: gitlabUrl,
     gitlabAuthToken: options?.gitlabAuthToken
   });
-  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path8, ref);
+  const resp = await api2.RepositoryFiles.allFileBlames(projectPath, path9, ref);
   let lineNumber = 1;
   return resp.filter((range) => range.lines).map((range) => {
     const oldLineNumber = lineNumber;
@@ -6937,10 +6952,10 @@ var GitlabSCMLib = class extends SCMLib {
       markdownComment: comment
     });
   }
-  async getRepoBlameRanges(ref, path8) {
+  async getRepoBlameRanges(ref, path9) {
     this._validateUrl();
     return await getGitlabBlameRanges(
-      { ref, path: path8, gitlabUrl: this.url },
+      { ref, path: path9, gitlabUrl: this.url },
       {
         url: this.url,
         gitlabAuthToken: this.accessToken
@@ -6986,141 +7001,677 @@ var GitlabSCMLib = class extends SCMLib {
     });
     return res.web_url;
   }
+  async getBranchCommitsUrl(branchName) {
+    this._validateAccessTokenAndUrl();
+    return `${this.url}/-/commits/${branchName}`;
+  }
+};
+
+// src/features/analysis/scm/scmFactory.ts
+import { z as z23 } from "zod";
+
+// src/features/analysis/scm/StubSCMLib.ts
+var StubSCMLib = class extends SCMLib {
+  constructor(url, accessToken, scmOrg) {
+    super(url, accessToken, scmOrg);
+  }
+  async getUrlWithCredentials() {
+    console.warn("getUrlWithCredentials() returning empty string");
+    return "";
+  }
+  async createSubmitRequest(_params) {
+    console.warn("createSubmitRequest() returning empty string");
+    return "";
+  }
+  get scmLibType() {
+    console.warn("scmLibType returning GITHUB as default");
+    return "GITHUB" /* GITHUB */;
+  }
+  getAuthHeaders() {
+    console.warn("getAuthHeaders() returning empty object");
+    return {};
+  }
+  async getDownloadUrl(_sha) {
+    console.warn("getDownloadUrl() returning empty string");
+    return "";
+  }
+  async getIsRemoteBranch(_branch) {
+    console.warn("getIsRemoteBranch() returning false");
+    return false;
+  }
+  async validateParams() {
+    console.warn("validateParams() no-op");
+  }
+  async getRepoList(_scmOrg) {
+    console.warn("getRepoList() returning empty array");
+    return [];
+  }
+  async getBranchList() {
+    console.warn("getBranchList() returning empty array");
+    return [];
+  }
+  async getUsername() {
+    console.warn("getUsername() returning empty string");
+    return "";
+  }
+  async getSubmitRequestStatus(_scmSubmitRequestId) {
+    console.warn("getSubmitRequestStatus() returning ERROR");
+    return "error";
+  }
+  async getUserHasAccessToRepo() {
+    console.warn("getUserHasAccessToRepo() returning false");
+    return false;
+  }
+  async getRepoBlameRanges(_ref, _path) {
+    console.warn("getRepoBlameRanges() returning empty array");
+    return [];
+  }
+  async getReferenceData(_ref) {
+    console.warn("getReferenceData() returning null/empty defaults");
+    return {
+      type: "BRANCH" /* BRANCH */,
+      sha: "",
+      date: void 0
+    };
+  }
+  async getRepoDefaultBranch() {
+    console.warn("getRepoDefaultBranch() returning empty string");
+    return "";
+  }
+  async getSubmitRequestUrl(_submitRequestIdNumber) {
+    console.warn("getSubmitRequestUrl() returning empty string");
+    return "";
+  }
+  async getSubmitRequestId(_submitRequestUrl) {
+    console.warn("getSubmitRequestId() returning empty string");
+    return "";
+  }
+  async getCommitUrl(_commitId) {
+    console.warn("getCommitUrl() returning empty string");
+    return "";
+  }
+  async getBranchCommitsUrl(_branchName) {
+    console.warn("getBranchCommitsUrl() returning empty string");
+    return "";
+  }
+  async _getUsernameForAuthUrl() {
+    console.warn("_getUsernameForAuthUrl() returning empty string");
+    return "";
+  }
+  async addCommentToSubmitRequest(_submitRequestId, _comment) {
+    console.warn("addCommentToSubmitRequest() no-op");
+  }
+};
+
+// src/features/analysis/scm/scmFactory.ts
+async function createScmLib({ url, accessToken, scmType, scmOrg }, { propagateExceptions = false } = {}) {
+  const trimmedUrl = url ? url.trim().replace(/\/$/, "").replace(/.git$/i, "") : void 0;
+  try {
+    switch (scmType) {
+      case "GITHUB" /* GITHUB */: {
+        const scm = new GithubSCMLib(trimmedUrl, accessToken, scmOrg);
+        await scm.validateParams();
+        return scm;
+      }
+      case "GITLAB" /* GITLAB */: {
+        const scm = new GitlabSCMLib(trimmedUrl, accessToken, scmOrg);
+        await scm.validateParams();
+        return scm;
+      }
+      case "ADO" /* ADO */: {
+        const scm = new AdoSCMLib(trimmedUrl, accessToken, scmOrg);
+        await scm.getAdoSdk();
+        await scm.validateParams();
+        return scm;
+      }
+      case "BITBUCKET" /* BITBUCKET */: {
+        const scm = new BitbucketSCMLib(trimmedUrl, accessToken, scmOrg);
+        await scm.validateParams();
+        return scm;
+      }
+    }
+  } catch (e) {
+    if (e instanceof InvalidRepoUrlError && url) {
+      throw new RepoNoTokenAccessError(
+        "no access to repo",
+        scmLibScmTypeToScmType[z23.nativeEnum(ScmLibScmType).parse(scmType)]
+      );
+    }
+    console.error(`error validating scm: ${scmType} `, e);
+    if (propagateExceptions) {
+      throw e;
+    }
+  }
+  return new StubSCMLib(trimmedUrl, void 0, void 0);
+}
+
+// src/utils/index.ts
+var utils_exports = {};
+__export(utils_exports, {
+  CliError: () => CliError,
+  Spinner: () => Spinner,
+  getDirName: () => getDirName,
+  getTopLevelDirName: () => getTopLevelDirName,
+  keypress: () => keypress,
+  packageJson: () => packageJson,
+  sleep: () => sleep
+});
+
+// src/utils/dirname.ts
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+function getDirName() {
+  return path.dirname(fileURLToPath(import.meta.url));
+}
+function getTopLevelDirName(fullPath) {
+  return path.parse(fullPath).name;
+}
+
+// src/utils/keypress.ts
+import readline from "node:readline";
+async function keypress() {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve) => {
+    rl.question("", (answer) => {
+      rl.close();
+      process.stderr.moveCursor(0, -1);
+      process.stderr.clearLine(1);
+      resolve(answer);
+    });
+  });
+}
+
+// src/utils/spinner.ts
+import {
+  createSpinner as _createSpinner
+} from "nanospinner";
+function printToStdError(opts) {
+  if (opts?.text) console.error(opts.text);
+}
+var mockSpinner = {
+  success: (opts) => {
+    printToStdError(opts);
+    return mockSpinner;
+  },
+  error: (opts) => {
+    printToStdError(opts);
+    return mockSpinner;
+  },
+  warn: (opts) => {
+    printToStdError(opts);
+    return mockSpinner;
+  },
+  stop: (opts) => {
+    printToStdError(opts);
+    return mockSpinner;
+  },
+  start: (opts) => {
+    printToStdError(opts);
+    return mockSpinner;
+  },
+  update: (opts) => {
+    printToStdError(opts);
+    return mockSpinner;
+  },
+  reset: () => mockSpinner,
+  clear: () => mockSpinner,
+  spin: () => mockSpinner
+};
+function Spinner({ ci = false } = {}) {
+  return {
+    createSpinner: (text, options) => ci ? mockSpinner : _createSpinner(text, options)
+  };
+}
+
+// src/utils/check_node_version.ts
+import fs2 from "node:fs";
+import path2 from "node:path";
+import semver from "semver";
+function getPackageJson() {
+  let manifestPath = path2.join(getDirName(), "../package.json");
+  if (!fs2.existsSync(manifestPath)) {
+    manifestPath = path2.join(getDirName(), "../../package.json");
+  }
+  return JSON.parse(fs2.readFileSync(manifestPath, "utf8"));
+}
+var packageJson = getPackageJson();
+if (!semver.satisfies(process.version, packageJson.engines.node)) {
+  console.error(
+    `
+\u26A0\uFE0F ${packageJson.name} requires node version ${packageJson.engines.node}, but running ${process.version}.`
+  );
+  process.exit(1);
+}
+
+// src/utils/index.ts
+var sleep = (ms = 2e3) => new Promise((r) => setTimeout(r, ms));
+var CliError = class extends Error {
+};
+
+// src/commands/convert_to_sarif.ts
+import AdmZip from "adm-zip";
+import multimatch from "multimatch";
+import tmp from "tmp";
+async function convertToSarif(options) {
+  switch (options.inputFileFormat) {
+    case "FortifyFPR" /* FortifyFPR */:
+      await convertFprToSarif(
+        options.inputFilePath,
+        options.outputFilePath,
+        options.codePathPatterns ?? ["**", "*"]
+      );
+      break;
+  }
+}
+async function convertFprToSarif(inputFilePath, outputFilePath, codePathPatterns) {
+  const zipIn = new AdmZip(inputFilePath);
+  if (!zipIn.getEntry("audit.fvdl")) {
+    throw new CliError(
+      "\nError: the input file should be in a valid Fortify FPR format."
+    );
+  }
+  const tmpObj = tmp.dirSync({
+    unsafeCleanup: true
+  });
+  try {
+    zipIn.extractEntryTo("audit.fvdl", tmpObj.name);
+    const auditFvdlSaxParser = initSaxParser(
+      path3.join(tmpObj.name, "audit.fvdl")
+    );
+    const vulnerabilityParser = new VulnerabilityParser(
+      auditFvdlSaxParser.parser
+    );
+    const unifiedNodePoolParser = new UnifiedNodePoolParser(
+      auditFvdlSaxParser.parser
+    );
+    const reportMetadataParser = new ReportMetadataParser(
+      auditFvdlSaxParser.parser
+    );
+    let auditMetadataParser = null;
+    await auditFvdlSaxParser.parse();
+    if (zipIn.getEntry("audit.xml")) {
+      zipIn.extractEntryTo("audit.xml", tmpObj.name);
+      const auditXmlSaxParser = initSaxParser(
+        path3.join(tmpObj.name, "audit.xml")
+      );
+      auditMetadataParser = new AuditMetadataParser(auditXmlSaxParser.parser);
+      await auditXmlSaxParser.parse();
+    }
+    fs3.writeFileSync(
+      outputFilePath,
+      `{
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+  {
+    "tool": {
+      "driver": {
+        "name": "Fortify Mobb Converter"
+      }
+    },
+    "results": [
+`
+    );
+    vulnerabilityParser.getVulnerabilities().map(
+      (vulnerability) => fortifyVulnerabilityToSarifResult(
+        vulnerability,
+        auditMetadataParser,
+        reportMetadataParser,
+        unifiedNodePoolParser
+      )
+    ).filter((sarifResult) => filterSarifResult(sarifResult, codePathPatterns)).forEach((sarifResult, index) => {
+      fs3.appendFileSync(outputFilePath, JSON.stringify(sarifResult, null, 2));
+      if (index !== vulnerabilityParser.getVulnerabilities().length - 1) {
+        fs3.appendFileSync(outputFilePath, ",\n");
+      }
+    });
+    fs3.appendFileSync(outputFilePath, "\n]}]}");
+  } finally {
+    tmpObj.removeCallback();
+  }
+}
+function filterSarifResult(sarifResult, codePathPatterns) {
+  const paths = sarifResult.locations.map(
+    (l) => l.physicalLocation.artifactLocation.uri
+  );
+  const matchPaths = multimatch(paths, codePathPatterns, {
+    dot: true
+  });
+  return matchPaths.length > 0;
+}
+function fortifyVulnerabilityToSarifResult(vulnerability, auditMetadataParser, reportMetadataParser, unifiedNodePoolParser) {
+  const suppressed = auditMetadataParser?.getAuditMetadata()[vulnerability.instanceID] || "false";
+  const ruleMeta = reportMetadataParser.getReportMetadata().rules[vulnerability.classID] ?? {};
+  return {
+    ruleId: vulnerability.type + (vulnerability.subtype ? `: ${vulnerability.subtype}` : ""),
+    properties: {
+      package: ruleMeta["package"] ?? "",
+      probability: vulnerability.metaInfo["Probability"] ?? ruleMeta["Probability"] ?? "",
+      impact: vulnerability.metaInfo["Impact"] ?? ruleMeta["Impact"] ?? "",
+      accuracy: vulnerability.metaInfo["Accuracy"] ?? ruleMeta["Accuracy"] ?? "",
+      confidence: vulnerability.confidence,
+      instanceID: vulnerability.instanceID,
+      instanceSeverity: vulnerability.instanceSeverity,
+      suppressed
+    },
+    locations: fortifyNodesToSarifLocations(
+      vulnerability.nodes,
+      unifiedNodePoolParser
+    ),
+    message: {
+      text: "no message"
+    }
+  };
+}
+function fortifyNodesToSarifLocations(nodes, unifiedNodePoolParser) {
+  return nodes.map((node) => {
+    let sourceLocation;
+    if ("id" in node) {
+      const poolNode = unifiedNodePoolParser.getNodesPull()[node.id];
+      if (poolNode) {
+        sourceLocation = poolNode;
+      } else {
+        throw new CliError(
+          "\nError: the input file should be in a valid Fortify FPR format (broken unified node pool)."
+        );
+      }
+    } else {
+      sourceLocation = node;
+    }
+    return {
+      physicalLocation: {
+        artifactLocation: {
+          uri: sourceLocation.path
+        },
+        region: {
+          startLine: parseInt(sourceLocation.line || "0", 10),
+          endLine: sourceLocation.lineEnd ? parseInt(sourceLocation.lineEnd, 10) : void 0,
+          startColumn: parseInt(sourceLocation.colStart || "0", 10),
+          endColumn: sourceLocation.colEnd ? parseInt(sourceLocation.colEnd, 10) : void 0
+        }
+      }
+    };
+  });
+}
+
+// src/args/options.ts
+import chalk2 from "chalk";
+
+// src/constants.ts
+import path4 from "node:path";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+import chalk from "chalk";
+import Debug4 from "debug";
+import * as dotenv from "dotenv";
+import { z as z24 } from "zod";
+var debug4 = Debug4("mobbdev:constants");
+var __dirname = path4.dirname(fileURLToPath2(import.meta.url));
+dotenv.config({ path: path4.join(__dirname, "../.env") });
+var scmFriendlyText = {
+  ["Ado" /* Ado */]: "Azure DevOps",
+  ["Bitbucket" /* Bitbucket */]: "Bitbucket",
+  ["GitHub" /* GitHub */]: "GitGub",
+  ["GitLab" /* GitLab */]: "GitLab"
+};
+var SCANNERS = {
+  Checkmarx: "checkmarx",
+  Codeql: "codeql",
+  Fortify: "fortify",
+  Snyk: "snyk",
+  Sonarqube: "sonarqube",
+  Semgrep: "semgrep",
+  Datadog: "datadog"
+};
+var scannerToVulnerability_Report_Vendor_Enum = {
+  [SCANNERS.Checkmarx]: "checkmarx" /* Checkmarx */,
+  [SCANNERS.Snyk]: "snyk" /* Snyk */,
+  [SCANNERS.Sonarqube]: "sonarqube" /* Sonarqube */,
+  [SCANNERS.Codeql]: "codeql" /* Codeql */,
+  [SCANNERS.Fortify]: "fortify" /* Fortify */,
+  [SCANNERS.Semgrep]: "semgrep" /* Semgrep */,
+  [SCANNERS.Datadog]: "datadog" /* Datadog */
+};
+var SupportedScannersZ = z24.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
+var envVariablesSchema = z24.object({
+  WEB_APP_URL: z24.string(),
+  API_URL: z24.string(),
+  HASURA_ACCESS_KEY: z24.string(),
+  LOCAL_GRAPHQL_ENDPOINT: z24.string(),
+  HTTP_PROXY: z24.string().optional().default(""),
+  HTTPS_PROXY: z24.string().optional().default("")
+}).required();
+var envVariables = envVariablesSchema.parse(process.env);
+debug4("config %o", envVariables);
+var mobbAscii = `
+                                   ..                       
+                             ..........                     
+                        .................                   
+               ...........................                  
+              ..............................                
+             ................................               
+             ..................................             
+            ....................................            
+            .....................................           
+            .............................................   
+          ................................................. 
+     ...............................       .................
+  ..................................           ............ 
+..................    .............            ..........   
+......... ........      .........             ......        
+  ...............                          ....             
+         .... ..                                            
+                                                            
+                                      . ...                 
+                              ..............                
+                       ......................               
+                   ...........................              
+               ................................             
+           ......................................           
+                ...............................             
+                       .................                    
+`;
+var PROJECT_DEFAULT_NAME = "My first project";
+var WEB_APP_URL = envVariables.WEB_APP_URL;
+var API_URL = envVariables.API_URL;
+var HASURA_ACCESS_KEY = envVariables.HASURA_ACCESS_KEY;
+var LOCAL_GRAPHQL_ENDPOINT = envVariables.LOCAL_GRAPHQL_ENDPOINT;
+var HTTPS_PROXY = envVariables.HTTPS_PROXY;
+var HTTP_PROXY = envVariables.HTTP_PROXY;
+var errorMessages = {
+  missingCxProjectName: `project name ${chalk.bold(
+    "(--cx-project-name)"
+  )} is needed if you're using checkmarx`,
+  missingUrl: `url ${chalk.bold(
+    "(--url)"
+  )} is needed if you're adding an SCM token`,
+  invalidScmType: `SCM type ${chalk.bold(
+    "(--scm-type)"
+  )} is invalid, please use one of: ${Object.values(ScmType).join(", ")}`,
+  missingToken: `SCM token ${chalk.bold(
+    "(--token)"
+  )} is needed if you're adding an SCM token`
+};
+var progressMassages = {
+  processingVulnerabilityReportSuccess: "\u2699\uFE0F  Vulnerability report proccessed successfully",
+  processingVulnerabilityReport: "\u2699\uFE0F  Proccessing vulnerability report",
+  processingVulnerabilityReportFailed: "\u2699\uFE0F  Error Proccessing vulnerability report"
+};
+var VUL_REPORT_DIGEST_TIMEOUT_MS = 1e3 * 60 * 30;
+
+// src/args/options.ts
+var repoOption = {
+  alias: "r",
+  demandOption: true,
+  type: "string",
+  describe: chalk2.bold("Github / GitLab / Azure DevOps repository URL")
+};
+var projectNameOption = {
+  type: "string",
+  describe: chalk2.bold("Checkmarx project name (when scanning with Checkmarx)")
+};
+var yesOption = {
+  alias: "yes",
+  type: "boolean",
+  describe: chalk2.bold("Skip prompts and use default values")
+};
+var refOption = {
+  describe: chalk2.bold("Reference of the repository (branch, tag, commit)"),
+  type: "string",
+  demandOption: false
+};
+var organizationIdOptions = {
+  describe: chalk2.bold("Organization id"),
+  alias: "organization-id",
+  type: "string",
+  demandOption: false
+};
+var scannerOptions = {
+  alias: "s",
+  choices: Object.values(SCANNERS),
+  describe: chalk2.bold("Select the scanner to use")
+};
+var mobbProjectNameOption = {
+  type: "string",
+  describe: chalk2.bold("Mobb project name"),
+  default: PROJECT_DEFAULT_NAME
+};
+var ciOption = {
+  describe: chalk2.bold(
+    "Run in CI mode, prompts and browser will not be opened"
+  ),
+  type: "boolean",
+  default: false
+};
+var apiKeyOption = {
+  type: "string",
+  describe: chalk2.bold("Mobb authentication api-key")
+};
+var commitHashOption = {
+  alias: "ch",
+  describe: chalk2.bold("Hash of the commit"),
+  type: "string"
+};
+var autoPrOption = {
+  describe: chalk2.bold("Enable automatic pull requests for new fixes"),
+  type: "boolean",
+  default: false
+};
+var commitDirectlyOption = {
+  describe: chalk2.bold(
+    "Commit directly to the scanned branch instead of creating a pull request"
+  ),
+  type: "boolean",
+  default: false
+};
+var scmTypeOption = {
+  demandOption: true,
+  describe: chalk2.bold("SCM type"),
+  choices: Object.values(ScmType)
+};
+var urlOption = {
+  describe: chalk2.bold(
+    `URL of the repository (used in ${Object.values(ScmType).join(", ")})`
+  ),
+  type: "string",
+  demandOption: true
+};
+var scmOrgOption = {
+  describe: chalk2.bold("Organization name in SCM (used in Azure DevOps)"),
+  type: "string"
+};
+var scmRefreshTokenOption = {
+  describe: chalk2.bold("SCM refresh token (used in GitLab)"),
+  type: "string"
+};
+var scmTokenOption = {
+  describe: chalk2.bold("SCM API token"),
+  type: "string",
+  demandOption: true
+};
+var convertToSarifInputFilePathOption = {
+  demandOption: true,
+  describe: chalk2.bold("Original SAST report file path"),
+  type: "string"
+};
+var convertToSarifOutputFilePathOption = {
+  demandOption: true,
+  describe: chalk2.bold("Output SARIF report file path"),
+  type: "string"
+};
+var convertToSarifInputFileFormatOption = {
+  demandOption: true,
+  choices: Object.values(ConvertToSarifInputFileFormat),
+  describe: chalk2.bold("SAST report file type")
 };
-
-// src/features/analysis/scm/scmFactory.ts
-import { z as z24 } from "zod";
-
-// src/features/analysis/scm/StubSCMLib.ts
-var StubSCMLib = class extends SCMLib {
-  constructor(url, accessToken, scmOrg) {
-    super(url, accessToken, scmOrg);
-  }
-  async getUrlWithCredentials() {
-    console.warn("getUrlWithCredentials() returning empty string");
-    return "";
-  }
-  async createSubmitRequest(_params) {
-    console.warn("createSubmitRequest() returning empty string");
-    return "";
-  }
-  get scmLibType() {
-    console.warn("scmLibType returning GITHUB as default");
-    return "GITHUB" /* GITHUB */;
-  }
-  getAuthHeaders() {
-    console.warn("getAuthHeaders() returning empty object");
-    return {};
-  }
-  async getDownloadUrl(_sha) {
-    console.warn("getDownloadUrl() returning empty string");
-    return "";
-  }
-  async getIsRemoteBranch(_branch) {
-    console.warn("getIsRemoteBranch() returning false");
-    return false;
-  }
-  async validateParams() {
-    console.warn("validateParams() no-op");
-  }
-  async getRepoList(_scmOrg) {
-    console.warn("getRepoList() returning empty array");
-    return [];
-  }
-  async getBranchList() {
-    console.warn("getBranchList() returning empty array");
-    return [];
-  }
-  async getUsername() {
-    console.warn("getUsername() returning empty string");
-    return "";
-  }
-  async getSubmitRequestStatus(_scmSubmitRequestId) {
-    console.warn("getSubmitRequestStatus() returning ERROR");
-    return "error";
-  }
-  async getUserHasAccessToRepo() {
-    console.warn("getUserHasAccessToRepo() returning false");
-    return false;
-  }
-  async getRepoBlameRanges(_ref, _path) {
-    console.warn("getRepoBlameRanges() returning empty array");
-    return [];
-  }
-  async getReferenceData(_ref) {
-    console.warn("getReferenceData() returning null/empty defaults");
-    return {
-      type: "BRANCH" /* BRANCH */,
-      sha: "",
-      date: void 0
-    };
-  }
-  async getRepoDefaultBranch() {
-    console.warn("getRepoDefaultBranch() returning empty string");
-    return "";
-  }
-  async getSubmitRequestUrl(_submitRequestIdNumber) {
-    console.warn("getSubmitRequestUrl() returning empty string");
-    return "";
-  }
-  async getSubmitRequestId(_submitRequestUrl) {
-    console.warn("getSubmitRequestId() returning empty string");
-    return "";
-  }
-  async getCommitUrl(_commitId) {
-    console.warn("getCommitUrl() returning empty string");
-    return "";
-  }
-  async _getUsernameForAuthUrl() {
-    console.warn("_getUsernameForAuthUrl() returning empty string");
-    return "";
-  }
-  async addCommentToSubmitRequest(_submitRequestId, _comment) {
-    console.warn("addCommentToSubmitRequest() no-op");
-  }
+var convertToSarifCodePathPatternsOption = {
+  demandOption: false,
+  describe: chalk2.bold(
+    "Glob-like patterns. Any code node with this pattern makes the issue be included."
+  ),
+  type: "string",
+  array: true
 };
 
-// src/features/analysis/scm/scmFactory.ts
-async function createScmLib({ url, accessToken, scmType, scmOrg }, { propagateExceptions = false } = {}) {
-  const trimmedUrl = url ? url.trim().replace(/\/$/, "").replace(/.git$/i, "") : void 0;
-  try {
-    switch (scmType) {
-      case "GITHUB" /* GITHUB */: {
-        const scm = new GithubSCMLib(trimmedUrl, accessToken, scmOrg);
-        await scm.validateParams();
-        return scm;
-      }
-      case "GITLAB" /* GITLAB */: {
-        const scm = new GitlabSCMLib(trimmedUrl, accessToken, scmOrg);
-        await scm.validateParams();
-        return scm;
-      }
-      case "ADO" /* ADO */: {
-        const scm = new AdoSCMLib(trimmedUrl, accessToken, scmOrg);
-        await scm.getAdoSdk();
-        await scm.validateParams();
-        return scm;
-      }
-      case "BITBUCKET" /* BITBUCKET */: {
-        const scm = new BitbucketSCMLib(trimmedUrl, accessToken, scmOrg);
-        await scm.validateParams();
-        return scm;
-      }
-    }
-  } catch (e) {
-    if (e instanceof InvalidRepoUrlError && url) {
-      throw new RepoNoTokenAccessError(
-        "no access to repo",
-        scmLibScmTypeToScmType[z24.nativeEnum(ScmLibScmType).parse(scmType)]
-      );
-    }
-    console.error(`error validating scm: ${scmType} `, e);
-    if (propagateExceptions) {
-      throw e;
-    }
+// src/args/commands/convert_to_sarif.ts
+function convertToSarifBuilder(args) {
+  return args.option("input-file-path", convertToSarifInputFilePathOption).option("input-file-format", convertToSarifInputFileFormatOption).option("output-file-path", convertToSarifOutputFilePathOption).option("code-path-patterns", convertToSarifCodePathPatternsOption).example(
+    "npx mobbdev@latest convert-to-sarif --input-file-path /path/to/vuln-report.fpr --input-file-format FortifyFPR --output-file-path /path/to/vuln-report.sarif --code-path-patterns **/*.ts --code-path-patterns **/*.js",
+    "convert an existing SAST report to SARIF format"
+  ).help().demandOption(["input-file-path", "input-file-format", "output-file-path"]);
+}
+async function validateConvertToSarifOptions(args) {
+  if (!fs4.existsSync(args.inputFilePath)) {
+    throw new CliError(
+      "\nError: --input-file-path flag should point to an existing file"
+    );
   }
-  return new StubSCMLib(trimmedUrl, void 0, void 0);
 }
+async function convertToSarifHandler(args) {
+  await validateConvertToSarifOptions(args);
+  await convertToSarif(args);
+}
+
+// src/types.ts
+var mobbCliCommand = {
+  addScmToken: "add-scm-token",
+  scan: "scan",
+  analyze: "analyze",
+  review: "review",
+  convertToSarif: "convert-to-sarif"
+};
+
+// src/args/yargs.ts
+import chalk10 from "chalk";
+import yargs from "yargs/yargs";
+
+// src/args/commands/analyze.ts
+import fs7 from "node:fs";
+
+// src/commands/index.ts
+import crypto from "node:crypto";
+import os from "node:os";
+
+// src/features/analysis/index.ts
+import fs6 from "node:fs";
+import fsPromises from "node:fs/promises";
+import path7 from "node:path";
+import { env as env2 } from "node:process";
+import { pipeline } from "node:stream/promises";
+import chalk5 from "chalk";
+import Configstore from "configstore";
+import Debug18 from "debug";
+import extract from "extract-zip";
+import { createSpinner as createSpinner4 } from "nanospinner";
+import fetch4 from "node-fetch";
+import open2 from "open";
+import tmp2 from "tmp";
+import { z as z29 } from "zod";
+
+// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
+import Debug8 from "debug";
 
 // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
 import Debug7 from "debug";
@@ -7390,7 +7941,7 @@ async function postIssueComment(params) {
     fpDescription
   } = params;
   const {
-    path: path8,
+    path: path9,
     startLine,
     vulnerabilityReportIssue: {
       vulnerabilityReportIssueTags,
@@ -7405,7 +7956,7 @@ async function postIssueComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path8,
+    path: path9,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -7439,7 +7990,7 @@ async function postFixComment(params) {
     scanner
   } = params;
   const {
-    path: path8,
+    path: path9,
     startLine,
     vulnerabilityReportIssue: { fixId, vulnerabilityReportIssueTags, category },
     vulnerabilityReportIssueId
@@ -7457,7 +8008,7 @@ async function postFixComment(params) {
 Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
-    path: path8,
+    path: path9,
     line: startLine
   });
   const commentId = commentRes.data.id;
@@ -8275,9 +8826,9 @@ var GQLClient = class {
 };
 
 // src/features/analysis/pack.ts
-import fs2 from "node:fs";
-import path4 from "node:path";
-import AdmZip from "adm-zip";
+import fs5 from "node:fs";
+import path5 from "node:path";
+import AdmZip2 from "adm-zip";
 import Debug13 from "debug";
 import { globby } from "globby";
 import { isBinary } from "istextorbinary";
@@ -8339,23 +8890,23 @@ async function pack(srcDirPath, vulnFiles) {
     dot: true
   });
   debug13("files found %d", filepaths.length);
-  const zip = new AdmZip();
+  const zip = new AdmZip2();
   debug13("compressing files");
   for (const filepath of filepaths) {
-    const absFilepath = path4.join(srcDirPath, filepath.toString());
+    const absFilepath = path5.join(srcDirPath, filepath.toString());
     vulnFiles = vulnFiles.concat(_get_manifest_files_suffixes());
     if (!endsWithAny(
-      absFilepath.toString().replaceAll(path4.win32.sep, path4.posix.sep),
+      absFilepath.toString().replaceAll(path5.win32.sep, path5.posix.sep),
       vulnFiles
     )) {
       debug13("ignoring %s because it is not a vulnerability file", filepath);
       continue;
     }
-    if (fs2.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
+    if (fs5.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
       debug13("ignoring %s because the size is > 5MB", filepath);
       continue;
     }
-    const data = git ? await git.showBuffer([`HEAD:./${filepath}`]) : fs2.readFileSync(absFilepath);
+    const data = git ? await git.showBuffer([`HEAD:./${filepath}`]) : fs5.readFileSync(absFilepath);
     if (isBinary(null, data)) {
       debug13("ignoring %s because is seems to be a binary file", filepath);
       continue;
@@ -8367,8 +8918,8 @@ async function pack(srcDirPath, vulnFiles) {
 }
 async function repackFpr(fprPath) {
   debug13("repack fpr file %s", fprPath);
-  const zipIn = new AdmZip(fprPath);
-  const zipOut = new AdmZip();
+  const zipIn = new AdmZip2(fprPath);
+  const zipOut = new AdmZip2();
   const mappingXML = zipIn.readAsText("src-archive/index.xml", "utf-8");
   const filesMapping = FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA.parse(
     await parseStringPromise(mappingXML)
@@ -8507,12 +9058,12 @@ function createChildProcess({ childProcess, name }, options) {
 }
 
 // src/features/analysis/scanners/checkmarx.ts
-import chalk2 from "chalk";
+import chalk3 from "chalk";
 import Debug15 from "debug";
 import { existsSync } from "fs";
 import { createSpinner as createSpinner2 } from "nanospinner";
 import { type } from "os";
-import path5 from "path";
+import path6 from "path";
 var debug14 = Debug15("mobbdev:checkmarx");
 var require2 = createRequire(import.meta.url);
 var getCheckmarxPath = () => {
@@ -8572,9 +9123,9 @@ async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectN
     await startCheckmarxConfigationPrompt();
     await validateCheckamxCredentials();
   }
-  const extension = path5.extname(reportPath);
-  const filePath = path5.dirname(reportPath);
-  const fileName = path5.basename(reportPath, extension);
+  const extension = path6.extname(reportPath);
+  const filePath = path6.dirname(reportPath);
+  const fileName = path6.basename(reportPath, extension);
   const checkmarxCommandArgs = getCheckmarxCommandArgs({
     repoPath: repositoryRoot,
     branch,
@@ -8600,7 +9151,7 @@ async function throwCheckmarxConfigError() {
   await createSpinner2("\u{1F513} Checkmarx is not configued correctly").start().error();
   throw new CliError(
     `Checkmarx is not configued correctly
- you can configure it by using the ${chalk2.bold(
+ you can configure it by using the ${chalk3.bold(
       "cx configure"
     )} command`
   );
@@ -8608,8 +9159,8 @@ async function throwCheckmarxConfigError() {
 async function validateCheckamxCredentials() {
   console.log(`
         Here's a suggestion for checkmarx configuation: 
-          ${chalk2.bold("AST Base URI:")} https://ast.checkmarx.net
-          ${chalk2.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
+          ${chalk3.bold("AST Base URI:")} https://ast.checkmarx.net
+          ${chalk3.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
   `);
   await forkCheckmarx(CONFIGURE_COMMAND, { display: true });
   const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
@@ -8628,7 +9179,7 @@ async function validateCheckamxCredentials() {
 
 // src/features/analysis/scanners/snyk.ts
 import { createRequire as createRequire2 } from "node:module";
-import chalk3 from "chalk";
+import chalk4 from "chalk";
 import Debug16 from "debug";
 import { createSpinner as createSpinner3 } from "nanospinner";
 import open from "open";
@@ -8675,7 +9226,7 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
       await open(SNYK_ARTICLE_URL);
     }
     console.log(
-      chalk3.bgBlue(
+      chalk4.bgBlue(
         "\nPlease enable Snyk Code in your Snyk account and try again."
       )
     );
@@ -8757,7 +9308,7 @@ async function downloadRepo({
   const { createSpinner: createSpinner5 } = Spinner2({ ci });
   const repoSpinner = createSpinner5("\u{1F4BE} Downloading Repo").start();
   debug17("download repo %s %s %s", repoUrl, dirname);
-  const zipFilePath = path6.join(dirname, "repo.zip");
+  const zipFilePath = path7.join(dirname, "repo.zip");
   debug17("download URL: %s auth headers: %o", downloadUrl, authHeaders);
   const response = await fetch4(downloadUrl, {
     method: "GET",
@@ -8768,21 +9319,21 @@ async function downloadRepo({
   if (!response.ok) {
     debug17("SCM zipball request failed %s %s", response.body, response.status);
     repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
-    throw new Error(`Can't access ${chalk4.bold(repoUrl)}`);
+    throw new Error(`Can't access ${chalk5.bold(repoUrl)}`);
   }
-  const fileWriterStream = fs3.createWriteStream(zipFilePath);
+  const fileWriterStream = fs6.createWriteStream(zipFilePath);
   if (!response.body) {
     throw new Error("Response body is empty");
   }
   await pipeline(response.body, fileWriterStream);
   await extract(zipFilePath, { dir: dirname });
-  const repoRoot = fs3.readdirSync(dirname, { withFileTypes: true }).filter((dirent) => dirent.isDirectory()).map((dirent) => dirent.name)[0];
+  const repoRoot = fs6.readdirSync(dirname, { withFileTypes: true }).filter((dirent) => dirent.isDirectory()).map((dirent) => dirent.name)[0];
   if (!repoRoot) {
     throw new Error("Repo root not found");
   }
   debug17("repo root %s", repoRoot);
   repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
-  return path6.join(dirname, repoRoot);
+  return path7.join(dirname, repoRoot);
 }
 var getReportUrl = ({
   organizationId,
@@ -8793,7 +9344,7 @@ var debug17 = Debug18("mobbdev:index");
 var config2 = new Configstore(packageJson.name, { apiToken: "" });
 debug17("config %o", config2);
 async function runAnalysis(params, options) {
-  const tmpObj = tmp.dirSync({
+  const tmpObj = tmp2.dirSync({
     unsafeCleanup: true
   });
   try {
@@ -8892,7 +9443,7 @@ async function getReport(params, { skipPrompts }) {
     authHeaders: scm.getAuthHeaders(),
     downloadUrl
   });
-  const reportPath = path6.join(dirname, "report.json");
+  const reportPath = path7.join(dirname, "report.json");
   switch (scanner) {
     case "snyk":
       await getSnykReport(reportPath, repositoryRoot, { skipPrompts });
@@ -9099,11 +9650,11 @@ async function _scan(params, { skipPrompts = false } = {}) {
       fixReportId: reportUploadInfo.fixReportId
     });
     !ci && console.log("You can access the analysis at: \n");
-    console.log(chalk4.bold(reportUrl));
+    console.log(chalk5.bold(reportUrl));
     !skipPrompts && await mobbAnalysisPrompt();
     !ci && open2(reportUrl);
     !ci && console.log(
-      chalk4.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
+      chalk5.bgBlue("\n\n  My work here is done for now, see you soon! \u{1F575}\uFE0F\u200D\u2642\uFE0F  ")
     );
   }
   async function handleScmIntegration(oldToken, scmAuthUrl2, repoUrl) {
@@ -9180,7 +9731,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     const zippingSpinner = createSpinner5("\u{1F4E6} Zipping repo").start();
     let zipBuffer;
     let gitInfo = { success: false };
-    if (srcFileStatus.isFile() && path6.extname(srcPath).toLowerCase() === ".fpr") {
+    if (srcFileStatus.isFile() && path7.extname(srcPath).toLowerCase() === ".fpr") {
       zipBuffer = await repackFpr(srcPath);
     } else {
       gitInfo = await getGitInfo(srcPath);
@@ -9333,7 +9884,7 @@ async function waitForAnaysisAndReviewPr({
 }
 
 // src/commands/index.ts
-import chalk5 from "chalk";
+import chalk6 from "chalk";
 import chalkAnimation from "chalk-animation";
 import Configstore2 from "configstore";
 import Debug19 from "debug";
@@ -9466,7 +10017,7 @@ async function showWelcomeMessage(skipPrompts = false) {
 var LOGIN_MAX_WAIT = 10 * 60 * 1e3;
 var LOGIN_CHECK_DELAY = 5 * 1e3;
 var webLoginUrl = `${WEB_APP_URL}/cli-login`;
-var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk5.bgBlue(
+var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk6.bgBlue(
   "press any key to continue"
 )};`;
 async function handleMobbLogin({
@@ -9560,101 +10111,9 @@ async function handleMobbLogin({
 // src/args/commands/analyze.ts
 import chalk8 from "chalk";
 
-// src/args/options.ts
-import chalk6 from "chalk";
-var repoOption = {
-  alias: "r",
-  demandOption: true,
-  type: "string",
-  describe: chalk6.bold("Github / GitLab / Azure DevOps repository URL")
-};
-var projectNameOption = {
-  type: "string",
-  describe: chalk6.bold("Checkmarx project name (when scanning with Checkmarx)")
-};
-var yesOption = {
-  alias: "yes",
-  type: "boolean",
-  describe: chalk6.bold("Skip prompts and use default values")
-};
-var refOption = {
-  describe: chalk6.bold("Reference of the repository (branch, tag, commit)"),
-  type: "string",
-  demandOption: false
-};
-var organizationIdOptions = {
-  describe: chalk6.bold("Organization id"),
-  alias: "organization-id",
-  type: "string",
-  demandOption: false
-};
-var scannerOptions = {
-  alias: "s",
-  choices: Object.values(SCANNERS),
-  describe: chalk6.bold("Select the scanner to use")
-};
-var mobbProjectNameOption = {
-  type: "string",
-  describe: chalk6.bold("Mobb project name"),
-  default: PROJECT_DEFAULT_NAME
-};
-var ciOption = {
-  describe: chalk6.bold(
-    "Run in CI mode, prompts and browser will not be opened"
-  ),
-  type: "boolean",
-  default: false
-};
-var apiKeyOption = {
-  type: "string",
-  describe: chalk6.bold("Mobb authentication api-key")
-};
-var commitHashOption = {
-  alias: "ch",
-  describe: chalk6.bold("Hash of the commit"),
-  type: "string"
-};
-var autoPrOption = {
-  describe: chalk6.bold("Enable automatic pull requests for new fixes"),
-  type: "boolean",
-  default: false
-};
-var commitDirectlyOption = {
-  describe: chalk6.bold(
-    "Commit directly to the scanned branch instead of creating a pull request"
-  ),
-  type: "boolean",
-  default: false
-};
-var scmTypeOption = {
-  demandOption: true,
-  describe: chalk6.bold("SCM type"),
-  choices: Object.values(ScmType)
-};
-var urlOption = {
-  describe: chalk6.bold(
-    `URL of the repository (used in ${Object.values(ScmType).join(", ")})`
-  ),
-  type: "string",
-  demandOption: true
-};
-var scmOrgOption = {
-  describe: chalk6.bold("Organization name in SCM (used in Azure DevOps)"),
-  type: "string"
-};
-var scmRefreshTokenOption = {
-  describe: chalk6.bold("SCM refresh token (used in GitLab)"),
-  type: "string"
-};
-var scmTokenOption = {
-  describe: chalk6.bold("SCM API token"),
-  type: "string",
-  demandOption: true
-};
-
 // src/args/validation.ts
 import chalk7 from "chalk";
-import path7 from "path";
+import path8 from "path";
 import { z as z30 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
@@ -9698,7 +10157,7 @@ function validateRepoUrl(args) {
 }
 var supportExtensions = [".json", ".xml", ".fpr", ".sarif"];
 function validateReportFileFormat(reportFile) {
-  if (!supportExtensions.includes(path7.extname(reportFile))) {
+  if (!supportExtensions.includes(path8.extname(reportFile))) {
     throw new CliError(
       `
 ${chalk7.bold(
@@ -9741,7 +10200,7 @@ function analyzeBuilder(yargs2) {
   ).help();
 }
 function validateAnalyzeOptions(argv) {
-  if (!fs4.existsSync(argv.f)) {
+  if (!fs7.existsSync(argv.f)) {
     throw new CliError(`
 Can't access ${chalk8.bold(argv.f)}`);
   }
@@ -9773,7 +10232,7 @@ async function analyzeHandler(args) {
 }
 
 // src/args/commands/review.ts
-import fs5 from "node:fs";
+import fs8 from "node:fs";
 import chalk9 from "chalk";
 function reviewBuilder(yargs2) {
   return yargs2.option("f", {
@@ -9810,7 +10269,7 @@ function reviewBuilder(yargs2) {
   ).help();
 }
 function validateReviewOptions(argv) {
-  if (!fs5.existsSync(argv.f)) {
+  if (!fs8.existsSync(argv.f)) {
     throw new CliError(`
 Can't access ${chalk9.bold(argv.f)}`);
   }
@@ -9926,6 +10385,11 @@ var parseArgs = async (args) => {
     ),
     addScmTokenBuilder,
     addScmTokenHandler
+  ).command(
+    mobbCliCommand.convertToSarif,
+    chalk10.bold("Convert an existing SAST report to SARIF format."),
+    convertToSarifBuilder,
+    convertToSarifHandler
   ).example(
     "npx mobbdev@latest scan -r https://github.com/WebGoat/WebGoat",
     "Scan an existing repository"