mobbdev 1.0.82 → 1.0.84

package/dist/index.mjs

@@ -761,12 +761,15 @@ var UploadS3BucketInfoDocument = `
 }
     `;
 var DigestVulnerabilityReportDocument = `
-    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String!, $fixReportId: String!, $projectId: String!, $scanSource: String!) {
+    mutation DigestVulnerabilityReport($vulnerabilityReportFileName: String, $fixReportId: String!, $projectId: String!, $scanSource: String!, $repoUrl: String, $reference: String, $sha: String) {
   digestVulnerabilityReport(
     fixReportId: $fixReportId
     vulnerabilityReportFileName: $vulnerabilityReportFileName
     projectId: $projectId
     scanSource: $scanSource
+    repoUrl: $repoUrl
+    reference: $reference
+    sha: $sha
   ) {
     __typename
     ... on VulnerabilityReport {
@@ -1188,6 +1191,10 @@ var ValidCategoriesZ = z4.union([
   z4.literal(CATEGORY.FalsePositive),
   z4.literal(CATEGORY.Fixable)
 ]);
+var VulnerabilityReportIssueSharedStateZ = z4.object({
+  id: z4.string().uuid(),
+  isArchived: z4.boolean()
+}).nullish();
 var BaseIssuePartsZ = z4.object({
   id: z4.string().uuid(),
   safeIssueType: z4.string(),
@@ -1239,7 +1246,8 @@ var BaseIssuePartsZ = z4.object({
       const codeDiff = await fetch(url).then((res) => res.text());
       return { codeDiff };
     })
-  }).nullish()
+  }).nullish(),
+  sharedState: VulnerabilityReportIssueSharedStateZ
 });
 var FalsePositivePartsZ = z4.object({
   extraContext: z4.array(z4.object({ key: z4.string(), value: z4.string() })),
@@ -1695,7 +1703,8 @@ var VulnerabilityReportIssueZ = z7.object({
     z7.object({
       vulnerability_report_issue_tag_value: z7.string()
     })
-  )
+  ),
+  sharedState: VulnerabilityReportIssueSharedStateZ
 });
 var GetReportIssuesQueryZ = z7.object({
   fixReport: z7.object({
@@ -5664,6 +5673,7 @@ var BitbucketSCMLib = class extends SCMLib {
 // src/features/analysis/scm/constants.ts
 var MOBB_ICON_IMG = "https://app.mobb.ai/gh-action/Logo_Rounded_Icon.svg";
 var MAX_BRANCHES_FETCH = 1e3;
+var REPORT_DEFAULT_FILE_NAME = "report.json";
 
 // src/features/analysis/scm/github/GithubSCMLib.ts
 import { z as z21 } from "zod";
@@ -7319,16 +7329,17 @@ async function convertFprToSarif(inputFilePath, outputFilePath, codePathPatterns
     "results": [
 `
     );
-    vulnerabilityParser.getVulnerabilities().map(
+    const filteredVulns = vulnerabilityParser.getVulnerabilities().map(
       (vulnerability) => fortifyVulnerabilityToSarifResult(
         vulnerability,
         auditMetadataParser,
         reportMetadataParser,
         unifiedNodePoolParser
       )
-    ).filter((sarifResult) => filterSarifResult(sarifResult, codePathPatterns)).forEach((sarifResult, index) => {
+    ).filter((sarifResult) => filterSarifResult(sarifResult, codePathPatterns));
+    filteredVulns.forEach((sarifResult, index) => {
       fs3.appendFileSync(outputFilePath, JSON.stringify(sarifResult, null, 2));
-      if (index !== vulnerabilityParser.getVulnerabilities().length - 1) {
+      if (index !== filteredVulns.length - 1) {
         fs3.appendFileSync(outputFilePath, ",\n");
       }
     });
@@ -8663,7 +8674,7 @@ var GQLClient = class {
   }
   async uploadS3BucketInfo() {
     const uploadS3BucketInfoResult = await this._clientSdk.uploadS3BucketInfo({
-      fileName: "report.json"
+      fileName: REPORT_DEFAULT_FILE_NAME
     });
     return uploadS3BucketInfoResult;
   }
@@ -8720,13 +8731,20 @@ var GQLClient = class {
   async digestVulnerabilityReport({
     fixReportId,
     projectId,
-    scanSource
+    scanSource,
+    repoUrl,
+    reference,
+    sha,
+    shouldScan
   }) {
     const res = await this._clientSdk.DigestVulnerabilityReport({
       fixReportId,
-      vulnerabilityReportFileName: "report.json",
+      vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
       projectId,
-      scanSource
+      scanSource,
+      repoUrl,
+      reference,
+      sha
     });
     if (res.digestVulnerabilityReport.__typename !== "VulnerabilityReport") {
       throw new Error("Digesting vulnerability report failed");
@@ -8882,7 +8900,7 @@ function endsWithAny(str, suffixes) {
 function _get_manifest_files_suffixes() {
   return ["package.json", "pom.xml"];
 }
-async function pack(srcDirPath, vulnFiles) {
+async function pack(srcDirPath, vulnFiles, isIncludeAllFiles = false) {
   debug13("pack folder %s", srcDirPath);
   let git = void 0;
   try {
@@ -8919,13 +8937,15 @@ async function pack(srcDirPath, vulnFiles) {
   debug13("compressing files");
   for (const filepath of filepaths) {
     const absFilepath = path5.join(srcDirPath, filepath.toString());
-    vulnFiles = vulnFiles.concat(_get_manifest_files_suffixes());
-    if (!endsWithAny(
-      absFilepath.toString().replaceAll(path5.win32.sep, path5.posix.sep),
-      vulnFiles
-    )) {
-      debug13("ignoring %s because it is not a vulnerability file", filepath);
-      continue;
+    if (!isIncludeAllFiles) {
+      vulnFiles = vulnFiles.concat(_get_manifest_files_suffixes());
+      if (!endsWithAny(
+        absFilepath.toString().replaceAll(path5.win32.sep, path5.posix.sep),
+        vulnFiles
+      )) {
+        debug13("ignoring %s because it is not a vulnerability file", filepath);
+        continue;
+      }
     }
     if (fs5.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
       debug13("ignoring %s because the size is > 5MB", filepath);
@@ -9036,19 +9056,18 @@ var cxOperatingSystemSupportMessage = `Your operating system does not support ch
 import cp from "node:child_process";
 import Debug14 from "debug";
 import * as process2 from "process";
-import supportsColor from "supports-color";
-var { stdout: stdout2 } = supportsColor;
 function createFork({ args, processPath, name }, options) {
   const child = cp.fork(processPath, args, {
     stdio: ["inherit", "pipe", "pipe", "ipc"],
-    env: { ...process2.env, FORCE_COLOR: stdout2 ? "1" : "0" }
+    env: { ...process2.env }
   });
   return createChildProcess({ childProcess: child, name }, options);
 }
-function createSpwan({ args, processPath, name }, options) {
+function createSpawn({ args, processPath, name, cwd }, options) {
   const child = cp.spawn(processPath, args, {
     stdio: ["inherit", "pipe", "pipe", "ipc"],
-    env: { ...process2.env, FORCE_COLOR: stdout2 ? "1" : "0" }
+    env: { ...process2.env },
+    cwd
   });
   return createChildProcess({ childProcess: child, name }, options);
 }
@@ -9131,7 +9150,7 @@ function validateCheckmarxInstallation() {
 }
 async function forkCheckmarx(args, { display }) {
   debug14("fork checkmarx with args %o %s", args.join(" "), display);
-  return createSpwan(
+  return createSpawn(
     { args, processPath: getCheckmarxPath(), name: "checkmarx" },
     { display }
   );
@@ -9468,7 +9487,7 @@ async function getReport(params, { skipPrompts }) {
     authHeaders: scm.getAuthHeaders(),
     downloadUrl
   });
-  const reportPath = path7.join(dirname, "report.json");
+  const reportPath = path7.join(dirname, REPORT_DEFAULT_FILE_NAME);
   switch (scanner) {
     case "snyk":
       await getSnykReport(reportPath, repositoryRoot, { skipPrompts });
@@ -9600,17 +9619,17 @@ async function _scan(params, { skipPrompts = false } = {}) {
       { skipPrompts }
     );
   }
-  if (!reportPath) {
-    throw new Error("reportPath is null");
-  }
+  const shouldScan = !reportPath;
   const uploadReportSpinner = createSpinner5("\u{1F4C1} Uploading Report").start();
   try {
-    await uploadFile({
-      file: reportPath,
-      url: reportUploadInfo.url,
-      uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
-      uploadKey: reportUploadInfo.uploadKey
-    });
+    if (reportPath) {
+      await uploadFile({
+        file: reportPath,
+        url: reportUploadInfo.url,
+        uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
+        uploadKey: reportUploadInfo.uploadKey
+      });
+    }
   } catch (e) {
     uploadReportSpinner.error({ text: "\u{1F4C1} Report upload failed" });
     throw e;
@@ -9620,7 +9639,11 @@ async function _scan(params, { skipPrompts = false } = {}) {
     fixReportId: reportUploadInfo.fixReportId,
     projectId,
     command,
-    ci
+    ci,
+    repoUrl: repo,
+    sha,
+    reference,
+    shouldScan
   });
   uploadReportSpinner.success({ text: "\u{1F4C1} Report uploaded successfully" });
   const mobbSpinner = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
@@ -9632,7 +9655,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
       repoUrl: z29.string().parse(repo),
       reference,
       projectId,
-      vulnerabilityReportFileName: "report.json",
+      vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
       sha,
       experimentalEnabled: !!experimentalEnabled,
       pullRequest: params.pullRequest,
@@ -9729,55 +9752,61 @@ async function _scan(params, { skipPrompts = false } = {}) {
     if (!repoUploadInfo || !reportUploadInfo) {
       throw new Error("uploadS3BucketInfo is null");
     }
-    if (!srcPath || !reportPath) {
-      throw new Error("src path and reportPath is required");
+    if (!srcPath) {
+      throw new Error("src path is required");
     }
-    const uploadReportSpinner2 = createSpinner5("\u{1F4C1} Uploading Report").start();
-    try {
-      await uploadFile({
-        file: reportPath,
-        url: reportUploadInfo.url,
-        uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
-        uploadKey: reportUploadInfo.uploadKey
+    const shouldScan2 = !reportPath;
+    if (reportPath) {
+      const uploadReportSpinner2 = createSpinner5("\u{1F4C1} Uploading Report").start();
+      try {
+        await uploadFile({
+          file: reportPath,
+          url: reportUploadInfo.url,
+          uploadFields: JSON.parse(reportUploadInfo.uploadFieldsJSON),
+          uploadKey: reportUploadInfo.uploadKey
+        });
+      } catch (e) {
+        uploadReportSpinner2.error({ text: "\u{1F4C1} Report upload failed" });
+        throw e;
+      }
+      uploadReportSpinner2.success({
+        text: "\u{1F4C1} Uploading Report successful!"
       });
-    } catch (e) {
-      uploadReportSpinner2.error({ text: "\u{1F4C1} Report upload failed" });
-      throw e;
     }
-    uploadReportSpinner2.success({
-      text: "\u{1F4C1} Uploading Report successful!"
-    });
-    const vulnFiles = await _digestReport({
-      gqlClient,
-      fixReportId: reportUploadInfo.fixReportId,
-      projectId,
-      command,
-      ci
-    });
-    const srcFileStatus = await fsPromises.lstat(srcPath);
-    const zippingSpinner = createSpinner5("\u{1F4E6} Zipping repo").start();
-    let zipBuffer;
     let gitInfo = { success: false };
-    if (srcFileStatus.isFile() && path7.extname(srcPath).toLowerCase() === ".fpr") {
-      zipBuffer = await repackFpr(srcPath);
+    if (reportPath) {
+      const vulnFiles = await _digestReport({
+        gqlClient,
+        fixReportId: reportUploadInfo.fixReportId,
+        projectId,
+        command,
+        ci,
+        shouldScan: shouldScan2
+      });
+      const res = await _zipAndUploadRepo({
+        srcPath,
+        vulnFiles,
+        repoUploadInfo,
+        isIncludeAllFiles: false
+      });
+      gitInfo = res.gitInfo;
     } else {
-      gitInfo = await getGitInfo(srcPath);
-      zipBuffer = await pack(srcPath, vulnFiles);
-    }
-    zippingSpinner.success({ text: "\u{1F4E6} Zipping repo successful!" });
-    const uploadRepoSpinner = createSpinner5("\u{1F4C1} Uploading Repo").start();
-    try {
-      await uploadFile({
-        file: zipBuffer,
-        url: repoUploadInfo.url,
-        uploadFields: JSON.parse(repoUploadInfo.uploadFieldsJSON),
-        uploadKey: repoUploadInfo.uploadKey
+      const res = await _zipAndUploadRepo({
+        srcPath,
+        vulnFiles: [],
+        repoUploadInfo,
+        isIncludeAllFiles: true
+      });
+      gitInfo = res.gitInfo;
+      await _digestReport({
+        gqlClient,
+        fixReportId: reportUploadInfo.fixReportId,
+        projectId,
+        command,
+        ci,
+        shouldScan: shouldScan2
       });
-    } catch (e) {
-      uploadRepoSpinner.error({ text: "\u{1F4C1} Repo upload failed" });
-      throw e;
     }
-    uploadRepoSpinner.success({ text: "\u{1F4C1} Uploading Repo successful!" });
     const mobbSpinner2 = createSpinner5("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
     try {
       await sendReport({
@@ -9824,12 +9853,48 @@ async function _scan(params, { skipPrompts = false } = {}) {
     return reportUploadInfo.fixReportId;
   }
 }
+async function _zipAndUploadRepo({
+  srcPath,
+  vulnFiles,
+  repoUploadInfo,
+  isIncludeAllFiles
+}) {
+  const srcFileStatus = await fsPromises.lstat(srcPath);
+  const zippingSpinner = createSpinner4("\u{1F4E6} Zipping repo").start();
+  let zipBuffer;
+  let gitInfo = { success: false };
+  if (srcFileStatus.isFile() && path7.extname(srcPath).toLowerCase() === ".fpr") {
+    zipBuffer = await repackFpr(srcPath);
+  } else {
+    gitInfo = await getGitInfo(srcPath);
+    zipBuffer = await pack(srcPath, vulnFiles, isIncludeAllFiles);
+  }
+  zippingSpinner.success({ text: "\u{1F4E6} Zipping repo successful!" });
+  const uploadRepoSpinner = createSpinner4("\u{1F4C1} Uploading Repo").start();
+  try {
+    await uploadFile({
+      file: zipBuffer,
+      url: repoUploadInfo.url,
+      uploadFields: JSON.parse(repoUploadInfo.uploadFieldsJSON),
+      uploadKey: repoUploadInfo.uploadKey
+    });
+  } catch (e) {
+    uploadRepoSpinner.error({ text: "\u{1F4C1} Repo upload failed" });
+    throw e;
+  }
+  uploadRepoSpinner.success({ text: "\u{1F4C1} Uploading Repo successful!" });
+  return { gitInfo };
+}
 async function _digestReport({
   gqlClient,
   fixReportId,
   projectId,
   command,
-  ci
+  ci,
+  repoUrl,
+  sha,
+  reference,
+  shouldScan
 }) {
   const digestSpinner = createSpinner4(
     progressMassages.processingVulnerabilityReport
@@ -9839,7 +9904,11 @@ async function _digestReport({
       {
         fixReportId,
         projectId,
-        scanSource: _getScanSource(command, ci)
+        scanSource: _getScanSource(command, ci),
+        repoUrl,
+        sha,
+        reference,
+        shouldScan
       }
     );
     try {
@@ -10202,7 +10271,6 @@ ${chalk7.bold(
 function analyzeBuilder(yargs2) {
   return yargs2.option("f", {
     alias: "scan-file",
-    demandOption: true,
     type: "string",
     describe: chalk8.bold(
       "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL, Sonarqube, Semgrep, Datadog)"
@@ -10228,8 +10296,7 @@ function analyzeBuilder(yargs2) {
   ).help();
 }
 function validateAnalyzeOptions(argv) {
-  console.log("argv", argv);
-  if (!fs7.existsSync(argv.f)) {
+  if (argv.f && !fs7.existsSync(argv.f)) {
     throw new CliError(`
 Can't access ${chalk8.bold(argv.f)}`);
   }
@@ -10263,7 +10330,9 @@ Can't access ${chalk8.bold(argv.f)}`);
       "--pull-request flag requires --commit-directly to be provided as well"
     );
   }
-  validateReportFileFormat(argv.f);
+  if (argv.f) {
+    validateReportFileFormat(argv.f);
+  }
 }
 async function analyzeHandler(args) {
   validateAnalyzeOptions(args);
@@ -10406,7 +10475,7 @@ var parseArgs = async (args) => {
   ).command(
     mobbCliCommand.analyze,
     chalk10.bold(
-      "Provide a vulnerability report and relevant code repository, get automated fixes right away."
+      "Provide a code repository, get automated fixes right away. You can also provide a vulnerability report to analyze or have Mobb scan the code for you."
     ),
     analyzeBuilder,
     analyzeHandler

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.0.82",
+  "version": "1.0.84",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.js",
@@ -71,7 +71,6 @@
     "semver": "7.7.1",
     "simple-git": "3.27.0",
     "snyk": "1.1296.2",
-    "supports-color": "10.0.0",
     "tar": "6.2.1",
     "tmp": "0.2.3",
     "undici": "6.21.1",