mobbdev 1.4.2 → 1.4.9

package/dist/args/commands/upload_ai_blame.mjs

@@ -94,6 +94,9 @@ function getSdk(client, withWrapper = defaultWrapper) {
     performCliLogin(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: PerformCliLoginDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "performCliLogin", "mutation", variables);
     },
+    SetQuarantineEnabled(variables, requestHeaders, signal) {
+      return withWrapper((wrappedRequestHeaders) => client.request({ document: SetQuarantineEnabledDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "SetQuarantineEnabled", "mutation", variables);
+    },
     CreateProject(variables, requestHeaders, signal) {
       return withWrapper((wrappedRequestHeaders) => client.request({ document: CreateProjectDocument, variables, requestHeaders: { ...requestHeaders, ...wrappedRequestHeaders }, signal }), "CreateProject", "mutation", variables);
     },
@@ -135,7 +138,7 @@ function getSdk(client, withWrapper = defaultWrapper) {
     }
   };
 }
-var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
+var AiBlameInferenceType, FixQuestionInputType, Language, ManifestAction, Effort_To_Apply_Fix_Enum, Fix_Rating_Tag_Enum, Fix_Report_State_Enum, Fix_State_Enum, IssueLanguage_Enum, IssueType_Enum, Pr_Status_Enum, Project_Role_Type_Enum, Vulnerability_Report_Issue_Category_Enum, Vulnerability_Report_Issue_State_Enum, Vulnerability_Report_Issue_Tag_Enum, Vulnerability_Report_Vendor_Enum, Vulnerability_Severity_Enum, FixDetailsFragmentDoc, FixReportSummaryFieldsFragmentDoc, MeDocument, GetLastOrgAndNamedProjectDocument, GetLastOrgDocument, GetEncryptedApiTokenDocument, FixReportStateDocument, GetVulnerabilityReportPathsDocument, GetAnalysisSubscriptionDocument, GetAnalysisDocument, GetFixesDocument, GetVulByNodesMetadataDocument, GetFalsePositiveDocument, UpdateScmTokenDocument, UploadS3BucketInfoDocument, GetTracyDiffUploadUrlDocument, AnalyzeCommitForExtensionAiBlameDocument, GetAiBlameInferenceDocument, GetAiBlameAttributionPromptDocument, GetPromptSummaryDocument, UploadAiBlameInferencesInitDocument, FinalizeAiBlameInferencesUploadDocument, UploadTracyRecordsDocument, GetTracyRawDataUploadUrlDocument, DigestVulnerabilityReportDocument, SubmitVulnerabilityReportDocument, CreateCommunityUserDocument, CreateCliLoginDocument, PerformCliLoginDocument, SetQuarantineEnabledDocument, CreateProjectDocument, ValidateRepoUrlDocument, GitReferenceDocument, AutoPrAnalysisDocument, GetFixReportsByRepoUrlDocument, GetReportFixesDocument, GetLatestReportByRepoUrlDocument, UpdateDownloadedFixDataDocument, GetUserMvsAutoFixDocument, StreamBlameAiAnalysisRequestsDocument, StreamCommitBlameRequestsDocument, ScanSkillDocument, SkillVerdictsByMd5Document, defaultWrapper;
 var init_client_generates = __esm({
   "src/features/analysis/scm/generates/client_generates.ts"() {
     "use strict";
@@ -260,6 +263,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["HttpParameterPollution"] = "HTTP_PARAMETER_POLLUTION";
       IssueType_Enum2["HttpResponseSplitting"] = "HTTP_RESPONSE_SPLITTING";
       IssueType_Enum2["IframeWithoutSandbox"] = "IFRAME_WITHOUT_SANDBOX";
+      IssueType_Enum2["ImproperCertificateValidation"] = "IMPROPER_CERTIFICATE_VALIDATION";
       IssueType_Enum2["ImproperExceptionHandling"] = "IMPROPER_EXCEPTION_HANDLING";
       IssueType_Enum2["ImproperResourceShutdownOrRelease"] = "IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE";
       IssueType_Enum2["ImproperStringFormatting"] = "IMPROPER_STRING_FORMATTING";
@@ -278,6 +282,7 @@ var init_client_generates = __esm({
       IssueType_Enum2["InsecureTmpFile"] = "INSECURE_TMP_FILE";
       IssueType_Enum2["InsecureUuidVersion"] = "INSECURE_UUID_VERSION";
       IssueType_Enum2["InsufficientLogging"] = "INSUFFICIENT_LOGGING";
+      IssueType_Enum2["J2EeGetConnection"] = "J2EE_GET_CONNECTION";
       IssueType_Enum2["JqueryDeprecatedSymbols"] = "JQUERY_DEPRECATED_SYMBOLS";
       IssueType_Enum2["LeftoverDebugCode"] = "LEFTOVER_DEBUG_CODE";
       IssueType_Enum2["LocaleDependentComparison"] = "LOCALE_DEPENDENT_COMPARISON";
@@ -593,6 +598,7 @@ var init_client_generates = __esm({
       id
       organization {
         id
+        enableV2Fixes
         projects(where: {name: {_eq: $projectName}}) {
           name
           id
@@ -611,6 +617,7 @@ var init_client_generates = __esm({
       id
       organization {
         id
+        enableV2Fixes
       }
     }
   }
@@ -941,6 +948,12 @@ var init_client_generates = __esm({
           level
           justification
         }
+        appliedSkills
+        mcpCalls {
+          mcpServer
+          mcpTool
+          callCount
+        }
       }
     }
     ... on PromptSummaryProcessing {
@@ -1092,6 +1105,13 @@ var init_client_generates = __esm({
   performCliLogin(loginId: $loginId) {
     status
   }
+}
+    `;
+    SetQuarantineEnabledDocument = `
+    mutation SetQuarantineEnabled($enabled: Boolean!) {
+  update_organization(where: {}, _set: {quarantineEnabled: $enabled}) {
+    affected_rows
+  }
 }
     `;
     CreateProjectDocument = `
@@ -1277,12 +1297,15 @@ var init_client_generates = __esm({
     SkillVerdictsByMd5Document = `
     query SkillVerdictsByMd5($md5s: [String!]!) {
   skillVerdictsByMd5(md5s: $md5s) {
-    md5
-    verdict
-    summary
-    scannerName
-    scannerVersion
-    scannedAt
+    quarantineEnabled
+    verdicts {
+      md5
+      verdict
+      summary
+      scannerName
+      scannerVersion
+      scannedAt
+    }
   }
 }
     `;
@@ -1708,6 +1731,7 @@ var init_getIssueType = __esm({
       ["NO_EQUIVALENCE_METHOD" /* NoEquivalenceMethod */]: "Class Does Not Implement Equivalence Method",
       ["INFORMATION_EXPOSURE_VIA_HEADERS" /* InformationExposureViaHeaders */]: "Information Exposure via Headers",
       ["DEBUG_ENABLED" /* DebugEnabled */]: "Debug Enabled",
+      ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: "J2EE Bad Practices: getConnection()",
       ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: "Leftover Debug Code",
       ["POOR_ERROR_HANDLING_EMPTY_CATCH_BLOCK" /* PoorErrorHandlingEmptyCatchBlock */]: "Poor Error Handling: Empty Catch Block",
       ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: "Erroneous String Compare",
@@ -1782,7 +1806,8 @@ var init_getIssueType = __esm({
       ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: "Tainted Numeric Cast",
       ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: "Missing X-Frame-Options Header",
       ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: "Improper Validation of Array Index",
-      ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion"
+      ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: "Incorrect Integer Conversion",
+      ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: "Improper Certificate Validation"
     };
     issueTypeZ = z5.nativeEnum(IssueType_Enum);
     getIssueTypeFriendlyString = (issueType) => {
@@ -2684,7 +2709,7 @@ var init_env = __esm({
       GITLAB_API_TOKEN: z16.string().optional(),
       GITHUB_API_TOKEN: z16.string().optional(),
       GIT_PROXY_HOST: z16.string().optional().default("http://tinyproxy:8888"),
-      MAX_UPLOAD_FILE_SIZE_MB: z16.coerce.number().gt(0).default(5),
+      MAX_UPLOAD_FILE_SIZE_MB: z16.coerce.number().gt(0).default(2),
       GITHUB_API_CONCURRENCY: z16.coerce.number().gt(0).optional().default(10)
     });
     ({
@@ -3546,7 +3571,13 @@ var init_FileUtils = __esm({
         const results = [];
         const filePromises = [];
         for (const item of items) {
-          const fullPath = path4.join(dir, item);
+          const safeInput = path4.resolve(
+            path4.sep,
+            path4.normalize(
+              String(dir || "").replace("\0", "").replace(/^(\.\.(\/|\\$))+/, "")
+            )
+          );
+          const fullPath = path4.join(safeInput, item);
           try {
             await fsPromises.access(fullPath, fs4.constants.R_OK);
             const stat = await fsPromises.stat(fullPath);
@@ -3584,7 +3615,9 @@ var init_FileUtils = __esm({
       }) {
         try {
           const stats = fs4.statSync(dir);
-          if (!stats.isDirectory()) return [];
+          if (!stats.isDirectory()) {
+            return [];
+          }
         } catch {
           return [];
         }
@@ -3593,7 +3626,7 @@ var init_FileUtils = __esm({
           const { GitService: GitService2 } = await Promise.resolve().then(() => (init_GitService(), GitService_exports));
           const gitService = new GitService2(dir);
           gitMatcher = await gitService.getGitignoreMatcher();
-        } catch (e) {
+        } catch {
         }
         const allFiles = await this.processRootDirectory(dir, EXCLUDED_DIRS);
         const filteredFiles = allFiles.filter(
@@ -4852,6 +4885,7 @@ var fixDetailsData = {
     issueDescription: "A data member and a function have the same name which can be confusing to the developer.",
     fixInstructions: "Rename the data member to avoid confusion."
   },
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: void 0,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: void 0,
   ["UNVALIDATED_PUBLIC_METHOD_ARGUMENT" /* UnvalidatedPublicMethodArgument */]: void 0,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: void 0,
@@ -4954,7 +4988,8 @@ var fixDetailsData = {
   ["TAINTED_NUMERIC_CAST" /* TaintedNumericCast */]: void 0,
   ["MISSING_X_FRAME_OPTIONS" /* MissingXFrameOptions */]: void 0,
   ["IMPROPER_VALIDATION_OF_ARRAY_INDEX" /* ImproperValidationOfArrayIndex */]: void 0,
-  ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0
+  ["INCORRECT_INTEGER_CONVERSION" /* IncorrectIntegerConversion */]: void 0,
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: void 0
 };
 
 // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
@@ -5031,6 +5066,31 @@ var go_default = vulnerabilities3;
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 init_client_generates();
 
+// src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
+var j2eeGetConnection = {
+  guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
+
+
+ 
+
+***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
+
+- **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
+- **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
+- **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
+- **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
+
+
+&nbsp;
+
+Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
+
+
+&nbsp;
+
+This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/java/sqlInjection.ts
 var sqlInjection = {
   guidance: ({
@@ -5058,6 +5118,7 @@ var systemInformationLeak = {
 // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
 var vulnerabilities4 = {
   ["PASSWORD_IN_COMMENT" /* PasswordInComment */]: passwordInComment,
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection,
   ["SQL_Injection" /* SqlInjection */]: sqlInjection,
   ["SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */]: systemInformationLeak
 };
@@ -5142,10 +5203,24 @@ See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates
 ***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
 };
 
+// src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
+var improperCertificateValidation = {
+  guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
+
+&nbsp;
+
+***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
+
+&nbsp;
+
+See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
+};
+
 // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
 var vulnerabilities7 = {
   ["AUTO_ESCAPE_FALSE" /* AutoEscapeFalse */]: autoEscapeFalse,
-  ["CSRF" /* Csrf */]: csrf
+  ["CSRF" /* Csrf */]: csrf,
+  ["IMPROPER_CERTIFICATE_VALIDATION" /* ImproperCertificateValidation */]: improperCertificateValidation
 };
 var python_default = vulnerabilities7;
 
@@ -5681,6 +5756,15 @@ var insecureCookie2 = {
   }
 };
 
+// src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
+var j2eeGetConnection2 = {
+  jndiResourceName: {
+    content: () => "What JNDI name is the database connection pool registered under?",
+    description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
+    guidance: () => ""
+  }
+};
+
 // src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
 var leftoverDebugCode = {
   isCodeUsed: {
@@ -6009,6 +6093,7 @@ var vulnerabilities12 = {
   ["UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */]: uncheckedLoopCondition,
   ["INSECURE_COOKIE" /* InsecureCookie */]: insecureCookie2,
   ["TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */]: trustBoundaryViolation2,
+  ["J2EE_GET_CONNECTION" /* J2EeGetConnection */]: j2eeGetConnection2,
   ["LEFTOVER_DEBUG_CODE" /* LeftoverDebugCode */]: leftoverDebugCode,
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
@@ -6870,7 +6955,8 @@ var GQLClient = class {
     const getLastOrgRes = await this._clientSdk.getLastOrg({ email });
     return {
       organizationId: getLastOrgRes?.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization?.id,
-      userName: getLastOrgRes?.user?.[0]?.name ?? ""
+      userName: getLastOrgRes?.user?.[0]?.name ?? "",
+      enableV2Fixes: getLastOrgRes?.user?.[0]?.userOrganizationsAndUserOrganizationRoles?.[0]?.organization?.enableV2Fixes === true
     };
   }
   async createCliLogin(variables) {
@@ -6952,7 +7038,8 @@ var GQLClient = class {
     }
     return {
       organizationId: organization.id,
-      projectId
+      projectId,
+      enableV2Fixes: organization.enableV2Fixes === true
     };
   }
   async getEncryptedApiToken(variables) {
@@ -7282,6 +7369,7 @@ var GQLClient = class {
     return await this._clientSdk.ScanSkill(variables);
   }
   // T-467 — batched verdict lookup for the client-side quarantine check.
+  // T-493 — response is the envelope `{ quarantineEnabled, verdicts }`.
   async skillVerdictsByMd5(md5s) {
     return await this._clientSdk.SkillVerdictsByMd5({ md5s });
   }
@@ -7428,7 +7516,11 @@ async function sanitizeDataWithCounts(obj, options) {
     if (typeof data === "string") {
       return sanitizeString(data);
     } else if (Array.isArray(data)) {
-      return Promise.all(data.map((item) => sanitizeRecursive(item)));
+      const results = [];
+      for (const item of data) {
+        results.push(await sanitizeRecursive(item));
+      }
+      return results;
     } else if (data instanceof Error) {
       return data;
     } else if (data instanceof Date) {