npm - mobbdev - Versions diffs - 1.4.21 → 1.4.23 - Mend

mobbdev 1.4.21 → 1.4.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/args/commands/upload_ai_blame.mjs +133 -38
package/dist/index.mjs +613 -354
package/package.json +1 -1

package/dist/args/commands/upload_ai_blame.mjs CHANGED Viewed

@@ -417,6 +417,7 @@ var init_client_generates = __esm({
       return Vulnerability_Report_Issue_State_Enum2;
     })(Vulnerability_Report_Issue_State_Enum || {});
     Vulnerability_Report_Issue_Tag_Enum = /* @__PURE__ */ ((Vulnerability_Report_Issue_Tag_Enum3) => {
+      Vulnerability_Report_Issue_Tag_Enum3["AgenticRemediationInProgress"] = "AGENTIC_REMEDIATION_IN_PROGRESS";
       Vulnerability_Report_Issue_Tag_Enum3["AutogeneratedCode"] = "AUTOGENERATED_CODE";
       Vulnerability_Report_Issue_Tag_Enum3["AuxiliaryCode"] = "AUXILIARY_CODE";
       Vulnerability_Report_Issue_Tag_Enum3["FalsePositive"] = "FALSE_POSITIVE";
@@ -1926,7 +1927,8 @@ var init_getIssueType = __esm({
       ["TEST_CODE" /* TestCode */]: "The flagged code resides in a test-specific path or context. This categorization indicates that **it supports testing scenarios and is isolated from production use**.",
       ["UNFIXABLE" /* Unfixable */]: "The flagged code cannot be fixed",
       ["VENDOR_CODE" /* VendorCode */]: "The flagged code originates from a third-party library or dependency maintained externally. This categorization suggests that **the issue lies outside the application's direct control** and should be addressed by the vendor if necessary.",
-      ["SUPPRESSED" /* Suppressed */]: "Suppressed in the scan report."
+      ["SUPPRESSED" /* Suppressed */]: "Suppressed in the scan report.",
+      ["AGENTIC_REMEDIATION_IN_PROGRESS" /* AgenticRemediationInProgress */]: "Mobb is currently retrying remediation on this issue. The state will refresh automatically once the run finishes."
     };
   }
 });
@@ -4352,7 +4354,7 @@ import z27 from "zod";
 // src/commands/handleMobbLogin.ts
 import chalk2 from "chalk";
-import Debug10 from "debug";
+import Debug11 from "debug";
 // src/utils/dirname.ts
 import fs from "fs";
@@ -4493,7 +4495,7 @@ var CliError = class extends Error {
 // src/commands/AuthManager.ts
 import crypto from "crypto";
 import os from "os";
-import Debug9 from "debug";
+import Debug10 from "debug";
 import open from "open";
 // src/constants.ts
@@ -5439,6 +5441,48 @@ var languages = {
 init_client_generates();
 import { z as z11 } from "zod";
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+init_client_generates();
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
+var commandInjection = {
+  isUnixShellCommandPart: {
+    content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
+    description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
+- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
+- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
+Answer **no** (the input is not plain data) when the input is:
+1. The program/executable itself:
+  - \`system(input);\`
+  - \`sprintf(cmd, "%s -x", input);\`
+2. A command after a pipe or redirect:
+  - \`sprintf(cmd, "cat file.txt | %s", input);\`
+3. A part of a non-Unix or cross-platform shell command.
+4. A part of embedded code in another language:
+  - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
+  - \`sprintf(cmd, "awk '%s' file", input);\`
+5. A flag/option that controls a tool's behaviour:
+  - \`sprintf(cmd, "git --upload-pack %s", input);\``,
+    guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
+  },
+  executableLocationPath: {
+    content: () => "What is the absolute path of the directory containing the executable?",
+    description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
+Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
+    guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
+  }
+};
+// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
+var vulnerabilities11 = {
+  ["CMDi" /* CmDi */]: commandInjection
+};
+var cpp_default = vulnerabilities11;
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
 init_client_generates();
@@ -5735,7 +5779,7 @@ var xxe = {
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
-var vulnerabilities11 = {
+var vulnerabilities12 = {
   ["LOG_FORGING" /* LogForging */]: logForging,
   ["SSRF" /* Ssrf */]: ssrf2,
   ["XXE" /* Xxe */]: xxe,
@@ -5756,7 +5800,7 @@ var vulnerabilities11 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection2,
   ["REQUEST_PARAMETERS_BOUND_VIA_INPUT" /* RequestParametersBoundViaInput */]: requestParametersBoundViaInput
 };
-var csharp_default2 = vulnerabilities11;
+var csharp_default2 = vulnerabilities12;
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
 init_client_generates();
@@ -5789,18 +5833,18 @@ var websocketMissingOriginCheck = {
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
-var vulnerabilities12 = {
+var vulnerabilities13 = {
   ["LOG_FORGING" /* LogForging */]: logForging2,
   ["MISSING_SSL_MINVERSION" /* MissingSslMinversion */]: missingSslMinversion,
   ["WEBSOCKET_MISSING_ORIGIN_CHECK" /* WebsocketMissingOriginCheck */]: websocketMissingOriginCheck
 };
-var go_default2 = vulnerabilities12;
+var go_default2 = vulnerabilities13;
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
 init_client_generates();
 // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
-var commandInjection = {
+var commandInjection2 = {
   isUnixShellCommandPart: {
     content: () => "Is the input part of Unix shell command?",
     description: () => `For example:
@@ -6254,10 +6298,10 @@ var xxe2 = {
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
-var vulnerabilities13 = {
+var vulnerabilities14 = {
   ["SQL_Injection" /* SqlInjection */]: sqlInjection3,
   ["CMDi_relative_path_command" /* CmDiRelativePathCommand */]: relativePathCommand,
-  ["CMDi" /* CmDi */]: commandInjection,
+  ["CMDi" /* CmDi */]: commandInjection2,
   ["CONFUSING_NAMING" /* ConfusingNaming */]: confusingNaming,
   ["ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */]: errorConditionWithoutAction,
   ["XXE" /* Xxe */]: xxe2,
@@ -6282,7 +6326,7 @@ var vulnerabilities13 = {
   ["ERRONEOUS_STRING_COMPARE" /* ErroneousStringCompare */]: erroneousStringCompare,
   ["DUPLICATED_STRINGS" /* DuplicatedStrings */]: duplicatedStrings
 };
-var java_default2 = vulnerabilities13;
+var java_default2 = vulnerabilities14;
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
 init_client_generates();
@@ -6297,7 +6341,7 @@ var csrf2 = {
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
-var commandInjection2 = {
+var commandInjection3 = {
   isCommandExecutable: {
     content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
     description: () => `Does the command fall into one of the following categories:
@@ -6611,8 +6655,8 @@ var xss3 = {
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
-var vulnerabilities14 = {
-  ["CMDi" /* CmDi */]: commandInjection2,
+var vulnerabilities15 = {
+  ["CMDi" /* CmDi */]: commandInjection3,
   ["GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */]: graphqlDepthLimit,
   ["INSECURE_RANDOMNESS" /* InsecureRandomness */]: insecureRandomness2,
   ["SSRF" /* Ssrf */]: ssrf4,
@@ -6634,7 +6678,7 @@ var vulnerabilities14 = {
   ["HARDCODED_DOMAIN_IN_HTML" /* HardcodedDomainInHtml */]: hardcodedDomainInHtml,
   ["CSRF" /* Csrf */]: csrf2
 };
-var js_default = vulnerabilities14;
+var js_default = vulnerabilities15;
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
 init_client_generates();
@@ -6708,7 +6752,7 @@ var uncheckedLoopCondition3 = {
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
-var vulnerabilities15 = {
+var vulnerabilities16 = {
   ["CSRF" /* Csrf */]: csrf2,
   ["LOG_FORGING" /* LogForging */]: logForging5,
   ["OPEN_REDIRECT" /* OpenRedirect */]: openRedirect3,
@@ -6717,7 +6761,7 @@ var vulnerabilities15 = {
   ["MISSING_ENCODING_FILE_OPEN" /* MissingEncodingFileOpen */]: missingEncoding,
   ["SSRF" /* Ssrf */]: ssrf5
 };
-var python_default2 = vulnerabilities15;
+var python_default2 = vulnerabilities16;
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
 init_client_generates();
@@ -6734,10 +6778,10 @@ A value too high will cause performance issues up to and including denial of ser
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
-var vulnerabilities16 = {
+var vulnerabilities17 = {
   ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */]: unboundedOccurrences
 };
-var xml_default2 = vulnerabilities16;
+var xml_default2 = vulnerabilities17;
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
 init_client_generates();
@@ -6770,12 +6814,12 @@ var writableFilesystemService = {
 };
 // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
-var vulnerabilities17 = {
+var vulnerabilities18 = {
   ["PORT_ALL_INTERFACES" /* PortAllInterfaces */]: portAllInterfaces,
   ["WRITABLE_FILESYSTEM_SERVICE" /* WritableFilesystemService */]: writableFilesystemService,
   ["NO_NEW_PRIVILEGES" /* NoNewPrivileges */]: noNewPrivileges
 };
-var yaml_default = vulnerabilities17;
+var yaml_default = vulnerabilities18;
 // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
 var StoredQuestionDataItemZ = z11.object({
@@ -6790,6 +6834,7 @@ var languages2 = {
   ["CSharp" /* CSharp */]: csharp_default2,
   ["Python" /* Python */]: python_default2,
   ["Go" /* Go */]: go_default2,
+  ["Cpp" /* Cpp */]: cpp_default,
   ["YAML" /* Yaml */]: yaml_default
 };
@@ -7562,7 +7607,7 @@ var GQLClient = class {
 };
 // src/features/analysis/graphql/tracy-batch-upload.ts
-import Debug8 from "debug";
+import Debug9 from "debug";
 // src/utils/sanitize-sensitive-data.ts
 import { OpenRedaction } from "@openredaction/openredaction";
@@ -7738,16 +7783,36 @@ async function sanitizeDataWithCounts(obj, options) {
 // src/utils/with-timeout.ts
 import { setTimeout as delay } from "timers/promises";
+// src/features/analysis/graphql/s3-raw-data-upload.ts
+import { setTimeout as sleep2 } from "timers/promises";
+import Debug8 from "debug";
 // src/features/analysis/upload-file.ts
 import Debug7 from "debug";
 import fetch3, { File, fileFrom, FormData } from "node-fetch";
 var debug8 = Debug7("mobbdev:upload-file");
+var S3UploadError = class extends Error {
+  constructor(status, s3Code, s3Message) {
+    super(`Failed to upload the file: ${status}`);
+    this.status = status;
+    this.s3Code = s3Code;
+    this.s3Message = s3Message;
+    this.name = "S3UploadError";
+  }
+};
+function parseS3ErrorBody(body) {
+  return {
+    code: body.match(/<Code>([^<]+)<\/Code>/)?.[1],
+    message: body.match(/<Message>([^<]+)<\/Message>/)?.[1]
+  };
+}
 async function uploadFile({
   file,
   url,
   uploadKey,
   uploadFields,
-  logger
+  logger,
+  signal
 }) {
   const logInfo = logger || ((_message, _data) => {
   });
@@ -7769,25 +7834,55 @@ async function uploadFile({
   } else {
     debug8("upload file from buffer");
     logInfo(`FileUpload: upload file from buffer`);
-    form.append("file", new File([new Uint8Array(file)], "file"));
+    form.append(
+      "file",
+      new File(
+        [
+          new Uint8Array(
+            file.buffer,
+            file.byteOffset,
+            file.byteLength
+          )
+        ],
+        "file"
+      )
+    );
   }
   const agent = getProxyAgent(url);
   const response = await fetch3(url, {
     method: "POST",
     body: form,
-    agent
+    agent,
+    signal
   });
   if (!response.ok) {
-    debug8("error from S3 %s %s", response.body, response.status);
-    logInfo(`FileUpload: error from S3 ${response.body} ${response.status}`);
-    throw new Error(`Failed to upload the file: ${response.status}`);
+    let bodyText = "";
+    try {
+      bodyText = await response.text();
+    } catch {
+    }
+    const { code, message } = parseS3ErrorBody(bodyText);
+    debug8(
+      "error from S3 status=%d code=%s message=%s",
+      response.status,
+      code,
+      message
+    );
+    logInfo(
+      `FileUpload: error from S3 status=${response.status} code=${code ?? "unknown"}`
+    );
+    throw new S3UploadError(response.status, code, message);
   }
   debug8("upload file done");
   logInfo(`FileUpload: upload file done`);
 }
+// src/features/analysis/graphql/s3-raw-data-upload.ts
+var debug9 = Debug8("mobbdev:tracy-s3-upload");
+var URL_REFRESH_MS = 20 * 60 * 1e3;
 // src/features/analysis/graphql/tracy-batch-upload.ts
-var debug9 = Debug8("mobbdev:tracy-batch-upload");
+var debug10 = Debug9("mobbdev:tracy-batch-upload");
 // src/mcp/services/types.ts
 function buildLoginUrl(baseUrl, loginId, hostname, context) {
@@ -7820,7 +7915,7 @@ function createConfigStore(defaultValues = { apiToken: "" }) {
 var configStore = createConfigStore();
 // src/commands/AuthManager.ts
-var debug10 = Debug9("mobbdev:auth");
+var debug11 = Debug10("mobbdev:auth");
 var LOGIN_MAX_WAIT = 2 * 60 * 1e3;
 var LOGIN_CHECK_DELAY = 2 * 1e3;
 var _AuthManager = class _AuthManager {
@@ -7850,7 +7945,7 @@ var _AuthManager = class _AuthManager {
       return false;
     }
     if (_AuthManager.browserCooldownMs > 0 && Date.now() - _AuthManager.lastBrowserOpenTime < _AuthManager.browserCooldownMs) {
-      debug10("browser cooldown active, skipping open");
+      debug11("browser cooldown active, skipping open");
       return false;
     }
     open(this.currentBrowserUrl);
@@ -7903,7 +7998,7 @@ var _AuthManager = class _AuthManager {
       const result = await this.checkAuthentication();
       this.authenticated = result.isAuthenticated;
       if (!result.isAuthenticated) {
-        debug10("isAuthenticated: false \u2014 %s (%s)", result.message, result.reason);
+        debug11("isAuthenticated: false \u2014 %s (%s)", result.message, result.reason);
       }
     }
     return this.authenticated;
@@ -7991,9 +8086,9 @@ var _AuthManager = class _AuthManager {
       return null;
     } catch (error) {
       if (isTransientError(error)) {
-        debug10("getApiToken: transient error, will retry");
+        debug11("getApiToken: transient error, will retry");
       } else {
-        debug10("getApiToken: unexpected error: %O", error);
+        debug11("getApiToken: unexpected error: %O", error);
       }
       return null;
     }
@@ -8046,7 +8141,7 @@ __publicField(_AuthManager, "lastBrowserOpenTime", 0);
 var AuthManager = _AuthManager;
 // src/commands/handleMobbLogin.ts
-var debug11 = Debug10("mobbdev:commands");
+var debug12 = Debug11("mobbdev:commands");
 var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk2.bgBlue(
   "press any key to continue"
 )};`;
@@ -8056,7 +8151,7 @@ async function getAuthenticatedGQLClient({
   apiUrl,
   webAppUrl
 }) {
-  debug11(
+  debug12(
     "getAuthenticatedGQLClient called with: apiUrl=%s, webAppUrl=%s",
     apiUrl || "undefined",
     webAppUrl || "undefined"
@@ -8080,7 +8175,7 @@ async function handleMobbLogin({
   loginPath,
   authManager
 }) {
-  debug11(
+  debug12(
     "handleMobbLogin: resolved URLs - apiUrl=%s (from param: %s), webAppUrl=%s (from param: %s)",
     apiUrl || "fallback",
     apiUrl || "fallback",
@@ -8096,7 +8191,7 @@ async function handleMobbLogin({
     return authManager.getGQLClient();
   }
   if (authResult.reason === "unknown") {
-    debug11("Auth check returned unknown: %s", authResult.message);
+    debug12("Auth check returned unknown: %s", authResult.message);
     throw new CliError(`Cannot verify authentication: ${authResult.message}`);
   }
   if (apiKey) {