mobbdev 1.0.8 → 1.0.10

package/dist/index.mjs

@@ -110,7 +110,9 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["ClientDomStoredCodeInjection"] = "CLIENT_DOM_STORED_CODE_INJECTION";
   IssueType_Enum2["CmDi"] = "CMDi";
   IssueType_Enum2["CmDiRelativePathCommand"] = "CMDi_relative_path_command";
+  IssueType_Enum2["CodeInComment"] = "CODE_IN_COMMENT";
   IssueType_Enum2["ConfusingNaming"] = "CONFUSING_NAMING";
+  IssueType_Enum2["Csrf"] = "CSRF";
   IssueType_Enum2["DangerousFunctionOverflow"] = "DANGEROUS_FUNCTION_OVERFLOW";
   IssueType_Enum2["DeadCodeUnusedField"] = "DEAD_CODE_UNUSED_FIELD";
   IssueType_Enum2["DebugEnabled"] = "DEBUG_ENABLED";
@@ -162,6 +164,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["Pt"] = "PT";
   IssueType_Enum2["RaceConditionFormatFlaw"] = "RACE_CONDITION_FORMAT_FLAW";
   IssueType_Enum2["RegexInjection"] = "REGEX_INJECTION";
+  IssueType_Enum2["RegexMissingTimeout"] = "REGEX_MISSING_TIMEOUT";
   IssueType_Enum2["SqlInjection"] = "SQL_Injection";
   IssueType_Enum2["Ssrf"] = "SSRF";
   IssueType_Enum2["StringFormatMisuse"] = "STRING_FORMAT_MISUSE";
@@ -179,6 +182,7 @@ var IssueType_Enum = /* @__PURE__ */ ((IssueType_Enum2) => {
   IssueType_Enum2["ValueShadowing"] = "VALUE_SHADOWING";
   IssueType_Enum2["WcfMisconfigurationInsufficientLogging"] = "WCF_MISCONFIGURATION_INSUFFICIENT_LOGGING";
   IssueType_Enum2["WcfMisconfigurationThrottlingNotEnabled"] = "WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED";
+  IssueType_Enum2["WeakEncryption"] = "WEAK_ENCRYPTION";
   IssueType_Enum2["WeakXmlSchemaUnboundedOccurrences"] = "WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES";
   IssueType_Enum2["Xss"] = "XSS";
   IssueType_Enum2["Xxe"] = "XXE";
@@ -201,12 +205,12 @@ var Vulnerability_Report_Vendor_Enum = /* @__PURE__ */ ((Vulnerability_Report_Ve
   Vulnerability_Report_Vendor_Enum3["Sonarqube"] = "sonarqube";
   return Vulnerability_Report_Vendor_Enum3;
 })(Vulnerability_Report_Vendor_Enum || {});
-var Vulnerability_Severity_Enum = /* @__PURE__ */ ((Vulnerability_Severity_Enum2) => {
-  Vulnerability_Severity_Enum2["Critical"] = "critical";
-  Vulnerability_Severity_Enum2["High"] = "high";
-  Vulnerability_Severity_Enum2["Low"] = "low";
-  Vulnerability_Severity_Enum2["Medium"] = "medium";
-  return Vulnerability_Severity_Enum2;
+var Vulnerability_Severity_Enum = /* @__PURE__ */ ((Vulnerability_Severity_Enum3) => {
+  Vulnerability_Severity_Enum3["Critical"] = "critical";
+  Vulnerability_Severity_Enum3["High"] = "high";
+  Vulnerability_Severity_Enum3["Low"] = "low";
+  Vulnerability_Severity_Enum3["Medium"] = "medium";
+  return Vulnerability_Severity_Enum3;
 })(Vulnerability_Severity_Enum || {});
 var MeDocument = `
     query Me {
@@ -314,7 +318,9 @@ var GetFixesDocument = `
   fixes: fix(where: $filters) {
     safeIssueType
     id
-    vulnerabilitySeverity
+    vulnerabilityReportIssues(limit: 1) {
+      parsedSeverity
+    }
     safeIssueLanguage
     patchAndQuestions {
       __typename
@@ -743,7 +749,11 @@ var issueTypeMap = {
   ["HEAP_INSPECTION" /* HeapInspection */]: "Heap Inspection",
   ["CLIENT_DOM_STORED_CODE_INJECTION" /* ClientDomStoredCodeInjection */]: "Client Code Injection",
   ["STRING_FORMAT_MISUSE" /* StringFormatMisuse */]: "String Format Misuse",
-  ["NON_READONLY_FIELD" /* NonReadonlyField */]: "Non Readonly Field"
+  ["NON_READONLY_FIELD" /* NonReadonlyField */]: "Non Readonly Field",
+  ["CSRF" /* Csrf */]: "Cross-Site Request Forgery (CSRF)",
+  ["WEAK_ENCRYPTION" /* WeakEncryption */]: "Weak Encryption Mechanism",
+  ["CODE_IN_COMMENT" /* CodeInComment */]: "Code in Comment",
+  ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: "Regex Missing Timeout"
 };
 var issueTypeZ = z.nativeEnum(IssueType_Enum);
 var getIssueTypeFriendlyString = (issueType) => {
@@ -784,6 +794,7 @@ var IssueTypeSettingsZ = z2.array(IssueTypeSettingZ).transform((issueTypeSetting
 var OrganizationScreenQueryParamsZ = z3.object({
   organizationId: z3.string().uuid()
 });
+var ParsedSeverityZ = z3.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
 var ProjectPageQueryParamsZ = z3.object({
   organizationId: z3.string().uuid(),
   projectId: z3.string().uuid()
@@ -876,7 +887,6 @@ var ReportQueryResultZ = z3.object({
         modifiedBy: z3.string().nullable(),
         gitBlameLogin: z3.string().nullable(),
         fixReportId: z3.string().uuid(),
-        vulnerabilitySeverity: z3.nativeEnum(Vulnerability_Severity_Enum).nullable().transform((i) => i ?? "low" /* Low */),
         filePaths: z3.array(
           z3.object({
             fileRepoRelativePath: z3.string()
@@ -887,7 +897,8 @@ var ReportQueryResultZ = z3.object({
         vulnerabilityReportIssues: z3.array(
           z3.object({
             issueType: z3.string(),
-            issueLanguage: z3.string()
+            issueLanguage: z3.string(),
+            parsedSeverity: ParsedSeverityZ
           })
         ),
         scmSubmitFixRequests: ScmSubmitFixRequestsZ,
@@ -966,7 +977,6 @@ var ReportFixesQueryZ = z3.array(
     effortToApplyFix: z3.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
     safeIssueLanguage: z3.string(),
     safeIssueType: z3.string(),
-    vulnerabilitySeverity: z3.nativeEnum(Vulnerability_Severity_Enum).nullable().transform((i) => i ?? "low" /* Low */),
     fixReportId: z3.string().uuid(),
     filePaths: z3.array(
       z3.object({
@@ -977,9 +987,10 @@ var ReportFixesQueryZ = z3.array(
     vulnerabilityReportIssues: z3.array(
       z3.object({
         issueType: z3.string(),
-        issueLanguage: z3.string()
+        issueLanguage: z3.string(),
+        parsedSeverity: ParsedSeverityZ
       })
-    ),
+    ).min(1),
     scmSubmitFixRequests: ScmSubmitFixRequestsZ,
     fixRatings: z3.array(FixRatingZ).default([])
   })
@@ -1041,8 +1052,6 @@ var FixQueryZ = z3.object({
   fixReportId: z3.string().uuid(),
   isExpired: z3.boolean().default(false),
   isArchived: z3.boolean().nullable(),
-  // TODO: remove nullish once the data on the backend is ready
-  vulnerabilitySeverity: z3.nativeEnum(Vulnerability_Severity_Enum).nullable().transform((i) => i ?? "low" /* Low */),
   fixFiles: z3.array(
     z3.object({
       fileRepoRelativePath: z3.string()
@@ -1052,7 +1061,8 @@ var FixQueryZ = z3.object({
   vulnerabilityReportIssues: z3.array(
     z3.object({
       vendorIssueId: z3.string(),
-      issueLanguage: z3.string()
+      issueLanguage: z3.string(),
+      parsedSeverity: ParsedSeverityZ
     })
   ),
   patchAndQuestions: PatchAndQuestionsZ,
@@ -1128,7 +1138,8 @@ var FixScreenQueryResultZ = z3.object({
         z3.object({
           vendorIssueId: z3.string(),
           issueType: z3.string(),
-          issueLanguage: z3.string()
+          issueLanguage: z3.string(),
+          parsedSeverity: ParsedSeverityZ
         })
       )
     })
@@ -1716,7 +1727,11 @@ var fixDetailsData = {
     fixInstructions: "Update the code to avoid the possibility for malicious JavaScript code to get stored in the DOM."
   },
   ["STRING_FORMAT_MISUSE" /* StringFormatMisuse */]: void 0,
-  ["NON_READONLY_FIELD" /* NonReadonlyField */]: void 0
+  ["NON_READONLY_FIELD" /* NonReadonlyField */]: void 0,
+  ["CSRF" /* Csrf */]: void 0,
+  ["WEAK_ENCRYPTION" /* WeakEncryption */]: void 0,
+  ["CODE_IN_COMMENT" /* CodeInComment */]: void 0,
+  ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -2068,6 +2083,25 @@ var pt = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
+var regexMissingTimeout = {
+  netVersionGreaterOrEqual7: {
+    content: () => "Is your target framework .NET 7 or greater?",
+    description: () => "",
+    guidance: () => ""
+  },
+  timeout: {
+    content: () => "Enter the timeout in milliseconds",
+    description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
+    guidance: () => ""
+  },
+  useBacktrackingOption: {
+    content: () => "Use non backtracking option",
+    description: () => "If the regex does not need to use backtracking we can disable it using regex options",
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
 var sqlInjection2 = {
   databaseProvider: {
@@ -2215,6 +2249,7 @@ var vulnerabilities7 = {
   ["OVERLY_BROAD_CATCH" /* OverlyBroadCatch */]: overlyBroadCatch,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation,
   ["PT" /* Pt */]: pt,
+  ["REGEX_MISSING_TIMEOUT" /* RegexMissingTimeout */]: regexMissingTimeout,
   ["HTTP_ONLY_COOKIE" /* HttpOnlyCookie */]: httpOnlyCookie,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie,
   ["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED" /* WcfMisconfigurationThrottlingNotEnabled */]: wcfMisconfigurationThrottlingNotEnabled,
@@ -6477,7 +6512,11 @@ function buildCommentBody({
   const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
   const validFixParseRes = z19.object({
     patchAndQuestions: PatchAndQuestionsZ,
-    vulnerabilitySeverity: z19.nativeEnum(Vulnerability_Severity_Enum),
+    vulnerabilityReportIssues: z19.array(
+      z19.object({
+        parsedSeverity: ParsedSeverityZ
+      })
+    ).min(1),
     safeIssueLanguage: z19.nativeEnum(IssueLanguage_Enum),
     safeIssueType: z19.nativeEnum(IssueType_Enum)
   }).safeParse(fix);
@@ -6490,7 +6529,7 @@ function buildCommentBody({
   const subTitle = validFixParseRes.success ? getCommitDescription({
     issueType: validFixParseRes.data.safeIssueType,
     vendor: scannerToVulnerability_Report_Vendor_Enum[scanner],
-    severity: validFixParseRes.data.vulnerabilitySeverity,
+    severity: validFixParseRes.data.vulnerabilityReportIssues[0]?.parsedSeverity,
     guidances: getGuidances({
       questions: validFixParseRes.data.patchAndQuestions.questions.map(toQuestion),
       issueType: validFixParseRes.data.safeIssueType,
@@ -8500,7 +8539,7 @@ var yesOption = {
   describe: chalk6.bold("Skip prompts and use default values")
 };
 var refOption = {
-  describe: chalk6.bold("reference of the repository (branch, tag, commit)"),
+  describe: chalk6.bold("Reference of the repository (branch, tag, commit)"),
   type: "string",
   demandOption: false
 };
@@ -8646,7 +8685,7 @@ function analyzeBuilder(yargs2) {
     describe: chalk8.bold("Hash of the commit"),
     type: "string"
   }).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("org", organizationIdOptions).option("api-key", apiKeyOption).option("commit-hash", commitHashOption).option("auto-pr", autoPrOption).example(
-    "$0 analyze -r https://github.com/WebGoat/WebGoat -f <your_vulirabitliy_report_path>",
+    "npx mobbdev@latest analyze -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>",
     "analyze an existing repository"
   ).help();
 }
@@ -8705,7 +8744,7 @@ function reviewBuilder(yargs2) {
     type: "string",
     demandOption: true
   }).example(
-    "$0 review -r https://github.com/WebGoat/WebGoat -f <your_vulirabitliy_report_path>  --ch <pr_last_commit>   --pr <pr_number> --ref <pr_branch_name>  --api-key <api_key> --src-path <your_repo_path>",
+    "npx mobbdev@latest review -r https://github.com/WebGoat/WebGoat -f <your_vulnerability_report_path>  --ch <pr_last_commit>   --pr <pr_number> --ref <pr_branch_name>  --api-key <api_key> --src-path <your_repo_path>",
     "add fixes to your pr"
   ).help();
 }
@@ -8725,7 +8764,7 @@ async function reviewHandler(args) {
 // src/args/commands/scan.ts
 function scanBuilder(args) {
   return args.coerce("scanner", (arg) => arg.toLowerCase()).option("repo", repoOption).option("ref", refOption).option("scanner", scannerOptions).option("org", organizationIdOptions).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("api-key", apiKeyOption).option("cx-project-name", projectNameOption).option("auto-pr", autoPrOption).example(
-    "$0 scan -r https://github.com/WebGoat/WebGoat",
+    "npx mobbdev@latest scan -r https://github.com/WebGoat/WebGoat",
     "Scan an existing repository"
   ).help();
 }
@@ -8750,7 +8789,7 @@ async function scanHandler(args) {
 // src/args/commands/token.ts
 function addScmTokenBuilder(args) {
   return args.option("scm-type", scmTypeOption).option("url", urlOption).option("token", scmTokenOption).option("organization", scmOrgOption).option("refresh-token", scmRefreshTokenOption).option("api-key", apiKeyOption).option("ci", ciOption).example(
-    "$0 add-scm-token --scm-type Ado --url https://dev.azure.com/adoorg/test/_git/repo --token abcdef0123456 --organization myOrg",
+    "npx mobbdev@latest add-scm-token --scm-type Ado --url https://dev.azure.com/adoorg/test/_git/repo --token abcdef0123456 --organization myOrg",
     `Add your SCM (${Object.values(scmFriendlyText).join(", ")}) token to Mobb to enable automated fixes.`
   ).help().demandOption(["url", "token"]);
 }
@@ -8827,7 +8866,7 @@ var parseArgs = async (args) => {
     addScmTokenBuilder,
     addScmTokenHandler
   ).example(
-    "$0 scan -r https://github.com/WebGoat/WebGoat",
+    "npx mobbdev@latest scan -r https://github.com/WebGoat/WebGoat",
     "Scan an existing repository"
   ).command({
     command: "*",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",
@@ -40,7 +40,7 @@
     "axios": "1.7.9",
     "azure-devops-node-api": "12.1.0",
     "bitbucket": "2.11.0",
-    "chalk": "5.3.0",
+    "chalk": "5.4.1",
     "chalk-animation": "2.0.3",
     "configstore": "6.0.0",
     "debug": "4.4.0",