npm - mobbdev - Versions diffs - 1.4.19 → 1.4.21 - Mend

mobbdev 1.4.19 → 1.4.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/args/commands/upload_ai_blame.mjs +21 -1
package/dist/index.mjs +22 -2
package/package.json +13 -13

package/dist/args/commands/upload_ai_blame.mjs CHANGED Viewed

@@ -291,6 +291,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
       IssueType_Enum2["J2EeGetConnection"] = "J2EE_GET_CONNECTION";
       IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
+      IssueType_Enum2["JwtDecodeWithoutVerify"] = "JWT_DECODE_WITHOUT_VERIFY";
       IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
       IssueType_Enum2["LocaleDependentComparison"] = "LOCALE_DEPENDENT_COMPARISON";
       IssueType_Enum2["LogForging"] = "LOG_FORGING";
@@ -353,6 +354,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["UnencryptedAwsSqsQueue"] = "UNENCRYPTED_AWS_SQS_QUEUE";
       IssueType_Enum2["UnnecessaryImports"] = "UNNECESSARY_IMPORTS";
       IssueType_Enum2["UnsafeDeserialization"] = "UNSAFE_DESERIALIZATION";
+      IssueType_Enum2["UnsafeReflection"] = "UNSAFE_REFLECTION";
       IssueType_Enum2["UnsafeTargetBlank"] = "UNSAFE_TARGET_BLANK";
       IssueType_Enum2["UnsafeWebThread"] = "UNSAFE_WEB_THREAD";
       IssueType_Enum2["UnvalidatedPublicMethodArgument"] = "UNVALIDATED_PUBLIC_METHOD_ARGUMENT";
@@ -1778,6 +1780,7 @@ var init_getIssueType = __esm({
       ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: "Trust Boundary Violation",
       ["NULL_DEREFERENCE" /* NullDereference */]: "Null Dereference",
       ["UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */]: "Unsafe deserialization",
+      ["UNSAFE_REFLECTION" /* UnsafeReflection */]: "Unsafe Reflection",
       ["INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */]: "Insecure Binder Configuration",
       ["UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */]: "Unsafe use of target blank",
       ["IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */]: "Client use of iframe without sandbox",
@@ -1892,7 +1895,8 @@ var init_getIssueType = __esm({
       ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
       ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
       ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
-      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled",
+      ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: "JWT Decoded Without Signature Verification"
     };
     issueTypeZ = z5.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2049,6 +2053,7 @@ var init_types = __esm({
         expirationOn: z7.string().nullable(),
         state: z7.nativeEnum(Fix_Report_State_Enum),
         failReason: z7.string().nullable(),
+        candidateToRerun: z7.boolean(),
         fixes: z7.array(
           z7.object({
             id: z7.string().uuid(),
@@ -5134,6 +5139,7 @@ var fixDetailsData = {
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
   ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: void 0,
   ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
     issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
     fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
@@ -5142,6 +5148,10 @@ var fixDetailsData = {
   ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
     issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
     fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
+  },
+  ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: {
+    issueDescription: "Decoding a JWT with `JWT.decode()` only base64-decodes the token without checking its signature, so an attacker can forge a token with arbitrary claims (identity, roles, expiration) and have it trusted. CWE-345, OWASP A08:2021 Software and Data Integrity Failures.",
+    fixInstructions: "Verify the signature before trusting any claims: build a verifier with the expected algorithm and secret/key (e.g. `JWT.require(Algorithm.HMAC256(secret)).build().verify(token)`) instead of calling `JWT.decode(token)`. After merging, confirm the verifier is configured with the same algorithm and secret/key used to sign your tokens \u2014 an incorrect or placeholder secret will make verification throw `JWTVerificationException` at runtime and reject legitimate tokens."
   }
 };
@@ -6172,6 +6182,15 @@ var uncheckedLoopCondition = {
   }
 };
+// src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
+var unsafeReflection = {
+  classAllowlist: {
+    content: () => "Allowed class names for reflection",
+    description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
+    guidance: () => ""
+  }
+};
 // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
 var useOfSystemOutputStream2 = {
   noLoggerAction: {
@@ -6257,6 +6276,7 @@ var vulnerabilities13 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: unsafeReflection,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,

package/dist/index.mjs CHANGED Viewed

@@ -291,6 +291,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
       IssueType_Enum2["J2EeGetConnection"] = "J2EE_GET_CONNECTION";
       IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
+      IssueType_Enum2["JwtDecodeWithoutVerify"] = "JWT_DECODE_WITHOUT_VERIFY";
       IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
       IssueType_Enum2["LocaleDependentComparison"] = "LOCALE_DEPENDENT_COMPARISON";
       IssueType_Enum2["LogForging"] = "LOG_FORGING";
@@ -353,6 +354,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["UnencryptedAwsSqsQueue"] = "UNENCRYPTED_AWS_SQS_QUEUE";
       IssueType_Enum2["UnnecessaryImports"] = "UNNECESSARY_IMPORTS";
       IssueType_Enum2["UnsafeDeserialization"] = "UNSAFE_DESERIALIZATION";
+      IssueType_Enum2["UnsafeReflection"] = "UNSAFE_REFLECTION";
       IssueType_Enum2["UnsafeTargetBlank"] = "UNSAFE_TARGET_BLANK";
       IssueType_Enum2["UnsafeWebThread"] = "UNSAFE_WEB_THREAD";
       IssueType_Enum2["UnvalidatedPublicMethodArgument"] = "UNVALIDATED_PUBLIC_METHOD_ARGUMENT";
@@ -1444,6 +1446,7 @@ var init_getIssueType = __esm({
       ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: "Trust Boundary Violation",
       ["NULL_DEREFERENCE" /* NullDereference */]: "Null Dereference",
       ["UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */]: "Unsafe deserialization",
+      ["UNSAFE_REFLECTION" /* UnsafeReflection */]: "Unsafe Reflection",
       ["INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */]: "Insecure Binder Configuration",
       ["UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */]: "Unsafe use of target blank",
       ["IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */]: "Client use of iframe without sandbox",
@@ -1558,7 +1561,8 @@ var init_getIssueType = __esm({
       ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: "Often Misused: Boolean.getBoolean()",
       ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: "AWS SQS Queue Unencrypted",
       ["INSECURE_DESERIALIZATION" /* InsecureDeserialization */]: "Insecure Deserialization",
-      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled"
+      ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: "AWS DynamoDB Point-in-Time Recovery Disabled",
+      ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: "JWT Decoded Without Signature Verification"
     };
     issueTypeZ = z.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2094,6 +2098,7 @@ var init_types = __esm({
         expirationOn: z11.string().nullable(),
         state: z11.nativeEnum(Fix_Report_State_Enum),
         failReason: z11.string().nullable(),
+        candidateToRerun: z11.boolean(),
         fixes: z11.array(
           z11.object({
             id: z11.string().uuid(),
@@ -4838,6 +4843,7 @@ var fixDetailsData = {
   ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
   ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0,
   ["OFTEN_MISUSED_BOOLEAN_GET_BOOLEAN" /* OftenMisusedBooleanGetBoolean */]: void 0,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: void 0,
   ["UNENCRYPTED_AWS_SQS_QUEUE" /* UnencryptedAwsSqsQueue */]: {
     issueDescription: "AWS SQS queue contents are unencrypted; data could be read if the queue is compromised.",
     fixInstructions: "Enable server-side encryption by setting sqs_managed_sse_enabled = true, or supply a KMS key via kms_master_key_id."
@@ -4846,6 +4852,10 @@ var fixDetailsData = {
   ["AWS_DYNAMODB_POINT_IN_TIME_RECOVERY_DISABLED" /* AwsDynamodbPointInTimeRecoveryDisabled */]: {
     issueDescription: "AWS DynamoDB table has point-in-time recovery disabled; accidental or malicious writes/deletes cannot be rolled back from a known-good snapshot.",
     fixInstructions: "Enable point-in-time recovery by adding `point_in_time_recovery { enabled = true }` to the aws_dynamodb_table resource."
+  },
+  ["JWT_DECODE_WITHOUT_VERIFY" /* JwtDecodeWithoutVerify */]: {
+    issueDescription: "Decoding a JWT with `JWT.decode()` only base64-decodes the token without checking its signature, so an attacker can forge a token with arbitrary claims (identity, roles, expiration) and have it trusted. CWE-345, OWASP A08:2021 Software and Data Integrity Failures.",
+    fixInstructions: "Verify the signature before trusting any claims: build a verifier with the expected algorithm and secret/key (e.g. `JWT.require(Algorithm.HMAC256(secret)).build().verify(token)`) instead of calling `JWT.decode(token)`. After merging, confirm the verifier is configured with the same algorithm and secret/key used to sign your tokens \u2014 an incorrect or placeholder secret will make verification throw `JWTVerificationException` at runtime and reject legitimate tokens."
   }
 };
@@ -5964,6 +5974,15 @@ var uncheckedLoopCondition = {
   }
 };
+// src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
+var unsafeReflection = {
+  classAllowlist: {
+    content: () => "Allowed class names for reflection",
+    description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
+    guidance: () => ""
+  }
+};
 // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
 var useOfSystemOutputStream2 = {
   noLoggerAction: {
@@ -6049,6 +6068,7 @@ var vulnerabilities13 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
+  ["UNSAFE_REFLECTION" /* UnsafeReflection */]: unsafeReflection,
   ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
@@ -19448,7 +19468,7 @@ function createLogger(config2) {
 // src/features/claude_code/hook_logger.ts
 var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
-var CLI_VERSION = true ? "1.4.19" : "unknown";
+var CLI_VERSION = true ? "1.4.21" : "unknown";
 var NAMESPACE = "mobbdev-claude-code-hook-logs";
 var claudeCodeVersion;
 function buildDdTags() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.4.19",
+  "version": "1.4.21",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",
@@ -55,14 +55,14 @@
   "dependencies": {
     "@gitbeaker/requester-utils": "43.8.0",
     "@gitbeaker/rest": "43.8.0",
-    "@grpc/grpc-js": "1.14.3",
+    "@grpc/grpc-js": "1.14.4",
     "@grpc/proto-loader": "0.8.0",
     "@modelcontextprotocol/sdk": "1.29.0",
     "@octokit/core": "5.2.0",
     "@octokit/request-error": "5.1.1",
     "@openredaction/openredaction": "1.0.4",
     "adm-zip": "0.5.17",
-    "axios": "1.16.0",
+    "axios": "1.16.1",
     "azure-devops-node-api": "15.1.2",
     "bitbucket": "2.12.0",
     "chalk": "5.6.2",
@@ -72,9 +72,9 @@
     "debug": "4.4.3",
     "dotenv": "16.6.1",
     "extract-zip": "2.0.1",
-    "fs-extra": "11.3.4",
+    "fs-extra": "11.3.5",
     "globby": "14.1.0",
-    "graphql": "16.13.2",
+    "graphql": "16.14.0",
     "graphql-request": "6.1.0",
     "graphql-ws": "5.16.2",
     "hash-wasm": "4.12.0",
@@ -96,16 +96,16 @@
     "parse-diff": "0.11.1",
     "pino": "9.7.0",
     "sax": "1.6.0",
-    "semver": "7.7.4",
-    "shell-quote": "1.8.3",
+    "semver": "7.8.1",
+    "shell-quote": "1.8.4",
     "simple-git": "3.36.0",
-    "snyk": "1.1304.1",
-    "tar": "7.5.13",
-    "tmp": "0.2.5",
+    "snyk": "1.1305.0",
+    "tar": "7.5.15",
+    "tmp": "0.2.6",
     "tmp-promise": "3.0.3",
     "undici": "6.24.0",
     "uuid": "11.1.1",
-    "ws": "8.20.0",
+    "ws": "8.20.1",
     "xml2js": "0.6.2",
     "yargs": "17.7.2",
     "zod": "3.25.76"
@@ -141,10 +141,10 @@
     "eslint": "8.57.0",
     "eslint-plugin-graphql": "4.0.0",
     "eslint-plugin-import": "2.32.0",
-    "eslint-plugin-prettier": "5.5.5",
+    "eslint-plugin-prettier": "5.5.6",
     "eslint-plugin-simple-import-sort": "12.1.1",
     "msw": "2.10.5",
-    "nock": "14.0.14",
+    "nock": "14.0.15",
     "prettier": "3.8.3",
     "tsup": "8.5.1",
     "typescript": "5.9.3",