mobbdev 1.4.34 → 1.4.35
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/args/commands/upload_ai_blame.mjs +25 -93
- package/dist/index.mjs +47 -98
- package/package.json +4 -4
|
@@ -346,6 +346,9 @@ var init_client_generates = __esm({
|
|
|
346
346
|
key
|
|
347
347
|
value
|
|
348
348
|
}
|
|
349
|
+
content
|
|
350
|
+
description
|
|
351
|
+
guidance
|
|
349
352
|
}
|
|
350
353
|
extraContext {
|
|
351
354
|
extraContext {
|
|
@@ -590,6 +593,9 @@ var init_client_generates = __esm({
|
|
|
590
593
|
name
|
|
591
594
|
options
|
|
592
595
|
value
|
|
596
|
+
content
|
|
597
|
+
description
|
|
598
|
+
guidance
|
|
593
599
|
__typename
|
|
594
600
|
}
|
|
595
601
|
extraContext {
|
|
@@ -599,6 +605,7 @@ var init_client_generates = __esm({
|
|
|
599
605
|
__typename
|
|
600
606
|
}
|
|
601
607
|
fixDescription
|
|
608
|
+
guidances
|
|
602
609
|
manifestActionsRequired {
|
|
603
610
|
action
|
|
604
611
|
lib {
|
|
@@ -1087,6 +1094,9 @@ var init_client_generates = __esm({
|
|
|
1087
1094
|
key
|
|
1088
1095
|
value
|
|
1089
1096
|
}
|
|
1097
|
+
content
|
|
1098
|
+
description
|
|
1099
|
+
guidance
|
|
1090
1100
|
}
|
|
1091
1101
|
extraContext {
|
|
1092
1102
|
extraContext {
|
|
@@ -1324,7 +1334,11 @@ var init_fix = __esm({
|
|
|
1324
1334
|
FixExtraContextZ = z2.object({
|
|
1325
1335
|
fixDescription: z2.string(),
|
|
1326
1336
|
manifestActionsRequired: z2.array(ManifestActionRequiredZ),
|
|
1327
|
-
extraContext: z2.array(ExtraContextInternalZ)
|
|
1337
|
+
extraContext: z2.array(ExtraContextInternalZ),
|
|
1338
|
+
// E-2015 PR5c: analyzer-served fix-level guidance. default([]) so a query that
|
|
1339
|
+
// omits it still parses, while the output type is a required string[] to match
|
|
1340
|
+
// the non-null GraphQL field. getFixGuidances prefers served then falls back.
|
|
1341
|
+
guidances: z2.array(z2.string()).default([])
|
|
1328
1342
|
});
|
|
1329
1343
|
PatchAndQuestionsZ = z2.object({
|
|
1330
1344
|
__typename: z2.literal("FixData"),
|
|
@@ -1339,7 +1353,14 @@ var init_fix = __esm({
|
|
|
1339
1353
|
value: z2.string().nullable(),
|
|
1340
1354
|
extraContext: z2.array(ExtraContextInternalZ),
|
|
1341
1355
|
inputType: z2.nativeEnum(FixQuestionInputType),
|
|
1342
|
-
options: z2.array(z2.string())
|
|
1356
|
+
options: z2.array(z2.string()),
|
|
1357
|
+
// E-2015 PR5: analyzer-served question copy. default('') so a query that
|
|
1358
|
+
// omits these still parses (-> '' -> FE falls back to its own copy), while
|
|
1359
|
+
// the output type stays a required `string` to match the non-null GraphQL
|
|
1360
|
+
// fields. Consumers use `served || storedQuestionData`.
|
|
1361
|
+
content: z2.string().default(""),
|
|
1362
|
+
description: z2.string().default(""),
|
|
1363
|
+
guidance: z2.string().default("")
|
|
1343
1364
|
})
|
|
1344
1365
|
),
|
|
1345
1366
|
extraContext: FixExtraContextZ
|
|
@@ -4701,18 +4722,6 @@ Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/
|
|
|
4701
4722
|
This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
|
|
4702
4723
|
};
|
|
4703
4724
|
|
|
4704
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/sqlInjection.ts
|
|
4705
|
-
var sqlInjection = {
|
|
4706
|
-
guidance: ({
|
|
4707
|
-
hasQuestionMarksAfterTaintVar
|
|
4708
|
-
}) => {
|
|
4709
|
-
if (hasQuestionMarksAfterTaintVar) {
|
|
4710
|
-
return "Please make sure to correct the following indices of the setInt()/setString() calls after the new parameter is added.";
|
|
4711
|
-
}
|
|
4712
|
-
return "";
|
|
4713
|
-
}
|
|
4714
|
-
};
|
|
4715
|
-
|
|
4716
4725
|
// src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
|
|
4717
4726
|
var systemInformationLeak = {
|
|
4718
4727
|
guidance: ({
|
|
@@ -4730,7 +4739,6 @@ var vulnerabilities5 = {
|
|
|
4730
4739
|
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4731
4740
|
["INSECURE_DESERIALIZATION"]: insecureDeserialization,
|
|
4732
4741
|
["J2EE_GET_CONNECTION"]: j2eeGetConnection,
|
|
4733
|
-
["SQL_Injection"]: sqlInjection,
|
|
4734
4742
|
["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
|
|
4735
4743
|
};
|
|
4736
4744
|
var java_default = vulnerabilities5;
|
|
@@ -5073,7 +5081,7 @@ var requestParametersBoundViaInput = {
|
|
|
5073
5081
|
};
|
|
5074
5082
|
|
|
5075
5083
|
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
|
|
5076
|
-
var
|
|
5084
|
+
var sqlInjection = {
|
|
5077
5085
|
databaseProvider: {
|
|
5078
5086
|
content: () => "Select the database provider",
|
|
5079
5087
|
description: () => "",
|
|
@@ -5227,7 +5235,7 @@ var vulnerabilities12 = {
|
|
|
5227
5235
|
["VALUE_SHADOWING"]: valueShadowing,
|
|
5228
5236
|
["INSECURE_RANDOMNESS"]: insecureRandomness,
|
|
5229
5237
|
["INSUFFICIENT_LOGGING"]: insufficientLogging,
|
|
5230
|
-
["SQL_Injection"]:
|
|
5238
|
+
["SQL_Injection"]: sqlInjection,
|
|
5231
5239
|
["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
|
|
5232
5240
|
};
|
|
5233
5241
|
var csharp_default2 = vulnerabilities12;
|
|
@@ -5522,81 +5530,6 @@ var relativePathCommand = {
|
|
|
5522
5530
|
}
|
|
5523
5531
|
};
|
|
5524
5532
|
|
|
5525
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/sqlInjection.ts
|
|
5526
|
-
function capitalizeFirstLetter(item) {
|
|
5527
|
-
return item.charAt(0).toUpperCase() + item.slice(1);
|
|
5528
|
-
}
|
|
5529
|
-
var typeToSetMethod = {
|
|
5530
|
-
integer: "setInt",
|
|
5531
|
-
date: "setDate",
|
|
5532
|
-
string: "setString"
|
|
5533
|
-
};
|
|
5534
|
-
var sqlInjection3 = {
|
|
5535
|
-
parameterType: {
|
|
5536
|
-
content: ({ tainted_term }) => `What is the SQL Data Type of the \`${tainted_term}\` parameter?`,
|
|
5537
|
-
description: () => "In order to make sure the statement is built correctly, we must ensure we use the same type that is defined for this parameter in the SQL table. If you are unsure of this type, please consult with your team.",
|
|
5538
|
-
guidance: ({
|
|
5539
|
-
tainted_term,
|
|
5540
|
-
taint_var_type_guidance_required,
|
|
5541
|
-
userInputValue
|
|
5542
|
-
}) => {
|
|
5543
|
-
if (!taint_var_type_guidance_required || !userInputValue) {
|
|
5544
|
-
return "";
|
|
5545
|
-
}
|
|
5546
|
-
if (!taint_var_type_guidance_required[userInputValue]) {
|
|
5547
|
-
return "";
|
|
5548
|
-
}
|
|
5549
|
-
return `Make sure to convert \`${tainted_term}\` to \`${capitalizeFirstLetter(
|
|
5550
|
-
userInputValue
|
|
5551
|
-
)}\` which is the type expected by the new setter method: \`${typeToSetMethod[userInputValue]}\``;
|
|
5552
|
-
}
|
|
5553
|
-
},
|
|
5554
|
-
varName: {
|
|
5555
|
-
content: () => "Name the new PreparedStatement variable",
|
|
5556
|
-
description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
|
|
5557
|
-
guidance: () => ""
|
|
5558
|
-
},
|
|
5559
|
-
taintIndex: {
|
|
5560
|
-
content: ({ tainted_term }) => `What is the index of \`\`\`${tainted_term}\`\`\` in the query?`,
|
|
5561
|
-
description: () => "When constructing a query, we need to know exactly where to insert this parameter. If the query has more than one parameter, the index gives us this information. Leave the value as 1 if there is only one parameter.",
|
|
5562
|
-
guidance: () => ""
|
|
5563
|
-
},
|
|
5564
|
-
statementAfterQuery: {
|
|
5565
|
-
content: ({ var_name }) => `Is the \`Statement\` variable \`${var_name}\` declared after constructing the query string?`,
|
|
5566
|
-
description: () => "When creating the `PreparedStatement` parameter, we need to give it the constructed query. Currently, Mobb doesn't support the case where the query string is defined after the statement in your code.",
|
|
5567
|
-
guidance: ({ userInputValue }) => userInputValue === "no" ? "You should move the code creating the query so it is executed before being used by the prepared statement" : ""
|
|
5568
|
-
},
|
|
5569
|
-
statementBeforeQuery: {
|
|
5570
|
-
content: ({ var_name }) => `Is the query string variable declared after the \`Statement\` variable \`${var_name}\`?`,
|
|
5571
|
-
description: ({ enquote_func_name }) => `We need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method. Currently, Mobb doesn't support the case where the query string is defined before the statement in your code.`,
|
|
5572
|
-
guidance: ({
|
|
5573
|
-
userInputValue,
|
|
5574
|
-
enquote_func_name
|
|
5575
|
-
}) => userInputValue === "no" ? `You should move the code creating the query so it is executed after creating the \`Statement\` object as we need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method.` : ""
|
|
5576
|
-
},
|
|
5577
|
-
containsControlCharacters: {
|
|
5578
|
-
content: ({ tainted_term }) => `Does \`\`\`${tainted_term}\`\`\` represent a single SQL parameter value?`,
|
|
5579
|
-
description: () => `This should be 'no' only in the rare cases where the input variable itself does not represent a single SQL parameter value but rather other parts of a SQL query such as a table name, a column name, a list of values, a complete or partial inner SQL statement, etc.
|
|
5580
|
-
|
|
5581
|
-
It may be confusing a bit, so here are some examples:
|
|
5582
|
-
|
|
5583
|
-
* A SQL identifier \`\`\`(SELECT * FROM \${tableName})\`\`\`
|
|
5584
|
-
|
|
5585
|
-
* A SQL statement \`\`\`(SELECT * FROM users ORDER BY id \${order})\`\`\``,
|
|
5586
|
-
guidance: () => ""
|
|
5587
|
-
},
|
|
5588
|
-
javaVersionGreaterOrEqual19: {
|
|
5589
|
-
content: ({ enquote_func_name }) => `Is \`java.sql.Statement.${enquote_func_name}\` method available in your runtime?`,
|
|
5590
|
-
description: ({ enquote_func_name }) => `\`java.sql.Statement.${enquote_func_name}\` is supported in Java 1.9 or greater.`,
|
|
5591
|
-
guidance: () => ""
|
|
5592
|
-
},
|
|
5593
|
-
queryParameterName: {
|
|
5594
|
-
content: () => "What should be the name of the query parameter?",
|
|
5595
|
-
description: () => "",
|
|
5596
|
-
guidance: () => ""
|
|
5597
|
-
}
|
|
5598
|
-
};
|
|
5599
|
-
|
|
5600
5533
|
// src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
|
|
5601
5534
|
var ssrf3 = {
|
|
5602
5535
|
domainsAllowlist: {
|
|
@@ -5723,7 +5656,6 @@ var xxe2 = {
|
|
|
5723
5656
|
|
|
5724
5657
|
// src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
|
|
5725
5658
|
var vulnerabilities14 = {
|
|
5726
|
-
["SQL_Injection"]: sqlInjection3,
|
|
5727
5659
|
["CMDi_relative_path_command"]: relativePathCommand,
|
|
5728
5660
|
["CMDi"]: commandInjection2,
|
|
5729
5661
|
["CONFUSING_NAMING"]: confusingNaming,
|
package/dist/index.mjs
CHANGED
|
@@ -346,6 +346,9 @@ var init_client_generates = __esm({
|
|
|
346
346
|
key
|
|
347
347
|
value
|
|
348
348
|
}
|
|
349
|
+
content
|
|
350
|
+
description
|
|
351
|
+
guidance
|
|
349
352
|
}
|
|
350
353
|
extraContext {
|
|
351
354
|
extraContext {
|
|
@@ -590,6 +593,9 @@ var init_client_generates = __esm({
|
|
|
590
593
|
name
|
|
591
594
|
options
|
|
592
595
|
value
|
|
596
|
+
content
|
|
597
|
+
description
|
|
598
|
+
guidance
|
|
593
599
|
__typename
|
|
594
600
|
}
|
|
595
601
|
extraContext {
|
|
@@ -599,6 +605,7 @@ var init_client_generates = __esm({
|
|
|
599
605
|
__typename
|
|
600
606
|
}
|
|
601
607
|
fixDescription
|
|
608
|
+
guidances
|
|
602
609
|
manifestActionsRequired {
|
|
603
610
|
action
|
|
604
611
|
lib {
|
|
@@ -1087,6 +1094,9 @@ var init_client_generates = __esm({
|
|
|
1087
1094
|
key
|
|
1088
1095
|
value
|
|
1089
1096
|
}
|
|
1097
|
+
content
|
|
1098
|
+
description
|
|
1099
|
+
guidance
|
|
1090
1100
|
}
|
|
1091
1101
|
extraContext {
|
|
1092
1102
|
extraContext {
|
|
@@ -1426,7 +1436,11 @@ var init_fix = __esm({
|
|
|
1426
1436
|
FixExtraContextZ = z6.object({
|
|
1427
1437
|
fixDescription: z6.string(),
|
|
1428
1438
|
manifestActionsRequired: z6.array(ManifestActionRequiredZ),
|
|
1429
|
-
extraContext: z6.array(ExtraContextInternalZ)
|
|
1439
|
+
extraContext: z6.array(ExtraContextInternalZ),
|
|
1440
|
+
// E-2015 PR5c: analyzer-served fix-level guidance. default([]) so a query that
|
|
1441
|
+
// omits it still parses, while the output type is a required string[] to match
|
|
1442
|
+
// the non-null GraphQL field. getFixGuidances prefers served then falls back.
|
|
1443
|
+
guidances: z6.array(z6.string()).default([])
|
|
1430
1444
|
});
|
|
1431
1445
|
PatchAndQuestionsZ = z6.object({
|
|
1432
1446
|
__typename: z6.literal("FixData"),
|
|
@@ -1441,7 +1455,14 @@ var init_fix = __esm({
|
|
|
1441
1455
|
value: z6.string().nullable(),
|
|
1442
1456
|
extraContext: z6.array(ExtraContextInternalZ),
|
|
1443
1457
|
inputType: z6.nativeEnum(FixQuestionInputType),
|
|
1444
|
-
options: z6.array(z6.string())
|
|
1458
|
+
options: z6.array(z6.string()),
|
|
1459
|
+
// E-2015 PR5: analyzer-served question copy. default('') so a query that
|
|
1460
|
+
// omits these still parses (-> '' -> FE falls back to its own copy), while
|
|
1461
|
+
// the output type stays a required `string` to match the non-null GraphQL
|
|
1462
|
+
// fields. Consumers use `served || storedQuestionData`.
|
|
1463
|
+
content: z6.string().default(""),
|
|
1464
|
+
description: z6.string().default(""),
|
|
1465
|
+
guidance: z6.string().default("")
|
|
1445
1466
|
})
|
|
1446
1467
|
),
|
|
1447
1468
|
extraContext: FixExtraContextZ
|
|
@@ -4495,18 +4516,6 @@ Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/
|
|
|
4495
4516
|
This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
|
|
4496
4517
|
};
|
|
4497
4518
|
|
|
4498
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/sqlInjection.ts
|
|
4499
|
-
var sqlInjection = {
|
|
4500
|
-
guidance: ({
|
|
4501
|
-
hasQuestionMarksAfterTaintVar
|
|
4502
|
-
}) => {
|
|
4503
|
-
if (hasQuestionMarksAfterTaintVar) {
|
|
4504
|
-
return "Please make sure to correct the following indices of the setInt()/setString() calls after the new parameter is added.";
|
|
4505
|
-
}
|
|
4506
|
-
return "";
|
|
4507
|
-
}
|
|
4508
|
-
};
|
|
4509
|
-
|
|
4510
4519
|
// src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
|
|
4511
4520
|
var systemInformationLeak = {
|
|
4512
4521
|
guidance: ({
|
|
@@ -4524,7 +4533,6 @@ var vulnerabilities5 = {
|
|
|
4524
4533
|
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4525
4534
|
["INSECURE_DESERIALIZATION"]: insecureDeserialization,
|
|
4526
4535
|
["J2EE_GET_CONNECTION"]: j2eeGetConnection,
|
|
4527
|
-
["SQL_Injection"]: sqlInjection,
|
|
4528
4536
|
["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
|
|
4529
4537
|
};
|
|
4530
4538
|
var java_default = vulnerabilities5;
|
|
@@ -4867,7 +4875,7 @@ var requestParametersBoundViaInput = {
|
|
|
4867
4875
|
};
|
|
4868
4876
|
|
|
4869
4877
|
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
|
|
4870
|
-
var
|
|
4878
|
+
var sqlInjection = {
|
|
4871
4879
|
databaseProvider: {
|
|
4872
4880
|
content: () => "Select the database provider",
|
|
4873
4881
|
description: () => "",
|
|
@@ -5021,7 +5029,7 @@ var vulnerabilities12 = {
|
|
|
5021
5029
|
["VALUE_SHADOWING"]: valueShadowing,
|
|
5022
5030
|
["INSECURE_RANDOMNESS"]: insecureRandomness,
|
|
5023
5031
|
["INSUFFICIENT_LOGGING"]: insufficientLogging,
|
|
5024
|
-
["SQL_Injection"]:
|
|
5032
|
+
["SQL_Injection"]: sqlInjection,
|
|
5025
5033
|
["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
|
|
5026
5034
|
};
|
|
5027
5035
|
var csharp_default2 = vulnerabilities12;
|
|
@@ -5316,81 +5324,6 @@ var relativePathCommand = {
|
|
|
5316
5324
|
}
|
|
5317
5325
|
};
|
|
5318
5326
|
|
|
5319
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/sqlInjection.ts
|
|
5320
|
-
function capitalizeFirstLetter2(item) {
|
|
5321
|
-
return item.charAt(0).toUpperCase() + item.slice(1);
|
|
5322
|
-
}
|
|
5323
|
-
var typeToSetMethod = {
|
|
5324
|
-
integer: "setInt",
|
|
5325
|
-
date: "setDate",
|
|
5326
|
-
string: "setString"
|
|
5327
|
-
};
|
|
5328
|
-
var sqlInjection3 = {
|
|
5329
|
-
parameterType: {
|
|
5330
|
-
content: ({ tainted_term }) => `What is the SQL Data Type of the \`${tainted_term}\` parameter?`,
|
|
5331
|
-
description: () => "In order to make sure the statement is built correctly, we must ensure we use the same type that is defined for this parameter in the SQL table. If you are unsure of this type, please consult with your team.",
|
|
5332
|
-
guidance: ({
|
|
5333
|
-
tainted_term,
|
|
5334
|
-
taint_var_type_guidance_required,
|
|
5335
|
-
userInputValue
|
|
5336
|
-
}) => {
|
|
5337
|
-
if (!taint_var_type_guidance_required || !userInputValue) {
|
|
5338
|
-
return "";
|
|
5339
|
-
}
|
|
5340
|
-
if (!taint_var_type_guidance_required[userInputValue]) {
|
|
5341
|
-
return "";
|
|
5342
|
-
}
|
|
5343
|
-
return `Make sure to convert \`${tainted_term}\` to \`${capitalizeFirstLetter2(
|
|
5344
|
-
userInputValue
|
|
5345
|
-
)}\` which is the type expected by the new setter method: \`${typeToSetMethod[userInputValue]}\``;
|
|
5346
|
-
}
|
|
5347
|
-
},
|
|
5348
|
-
varName: {
|
|
5349
|
-
content: () => "Name the new PreparedStatement variable",
|
|
5350
|
-
description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
|
|
5351
|
-
guidance: () => ""
|
|
5352
|
-
},
|
|
5353
|
-
taintIndex: {
|
|
5354
|
-
content: ({ tainted_term }) => `What is the index of \`\`\`${tainted_term}\`\`\` in the query?`,
|
|
5355
|
-
description: () => "When constructing a query, we need to know exactly where to insert this parameter. If the query has more than one parameter, the index gives us this information. Leave the value as 1 if there is only one parameter.",
|
|
5356
|
-
guidance: () => ""
|
|
5357
|
-
},
|
|
5358
|
-
statementAfterQuery: {
|
|
5359
|
-
content: ({ var_name }) => `Is the \`Statement\` variable \`${var_name}\` declared after constructing the query string?`,
|
|
5360
|
-
description: () => "When creating the `PreparedStatement` parameter, we need to give it the constructed query. Currently, Mobb doesn't support the case where the query string is defined after the statement in your code.",
|
|
5361
|
-
guidance: ({ userInputValue }) => userInputValue === "no" ? "You should move the code creating the query so it is executed before being used by the prepared statement" : ""
|
|
5362
|
-
},
|
|
5363
|
-
statementBeforeQuery: {
|
|
5364
|
-
content: ({ var_name }) => `Is the query string variable declared after the \`Statement\` variable \`${var_name}\`?`,
|
|
5365
|
-
description: ({ enquote_func_name }) => `We need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method. Currently, Mobb doesn't support the case where the query string is defined before the statement in your code.`,
|
|
5366
|
-
guidance: ({
|
|
5367
|
-
userInputValue,
|
|
5368
|
-
enquote_func_name
|
|
5369
|
-
}) => userInputValue === "no" ? `You should move the code creating the query so it is executed after creating the \`Statement\` object as we need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method.` : ""
|
|
5370
|
-
},
|
|
5371
|
-
containsControlCharacters: {
|
|
5372
|
-
content: ({ tainted_term }) => `Does \`\`\`${tainted_term}\`\`\` represent a single SQL parameter value?`,
|
|
5373
|
-
description: () => `This should be 'no' only in the rare cases where the input variable itself does not represent a single SQL parameter value but rather other parts of a SQL query such as a table name, a column name, a list of values, a complete or partial inner SQL statement, etc.
|
|
5374
|
-
|
|
5375
|
-
It may be confusing a bit, so here are some examples:
|
|
5376
|
-
|
|
5377
|
-
* A SQL identifier \`\`\`(SELECT * FROM \${tableName})\`\`\`
|
|
5378
|
-
|
|
5379
|
-
* A SQL statement \`\`\`(SELECT * FROM users ORDER BY id \${order})\`\`\``,
|
|
5380
|
-
guidance: () => ""
|
|
5381
|
-
},
|
|
5382
|
-
javaVersionGreaterOrEqual19: {
|
|
5383
|
-
content: ({ enquote_func_name }) => `Is \`java.sql.Statement.${enquote_func_name}\` method available in your runtime?`,
|
|
5384
|
-
description: ({ enquote_func_name }) => `\`java.sql.Statement.${enquote_func_name}\` is supported in Java 1.9 or greater.`,
|
|
5385
|
-
guidance: () => ""
|
|
5386
|
-
},
|
|
5387
|
-
queryParameterName: {
|
|
5388
|
-
content: () => "What should be the name of the query parameter?",
|
|
5389
|
-
description: () => "",
|
|
5390
|
-
guidance: () => ""
|
|
5391
|
-
}
|
|
5392
|
-
};
|
|
5393
|
-
|
|
5394
5327
|
// src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
|
|
5395
5328
|
var ssrf3 = {
|
|
5396
5329
|
domainsAllowlist: {
|
|
@@ -5517,7 +5450,6 @@ var xxe2 = {
|
|
|
5517
5450
|
|
|
5518
5451
|
// src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
|
|
5519
5452
|
var vulnerabilities14 = {
|
|
5520
|
-
["SQL_Injection"]: sqlInjection3,
|
|
5521
5453
|
["CMDi_relative_path_command"]: relativePathCommand,
|
|
5522
5454
|
["CMDi"]: commandInjection2,
|
|
5523
5455
|
["CONFUSING_NAMING"]: confusingNaming,
|
|
@@ -6056,13 +5988,18 @@ function getQuestionInformation({
|
|
|
6056
5988
|
issueType,
|
|
6057
5989
|
language
|
|
6058
5990
|
}) {
|
|
6059
|
-
const { name } = fixQuestionData;
|
|
5991
|
+
const { name, content, description, guidance } = fixQuestionData;
|
|
6060
5992
|
const storedQuestionDataItem = storedQuestionData_default[language]?.[issueType]?.[name] ?? {
|
|
6061
5993
|
content: () => "",
|
|
6062
5994
|
description: () => "",
|
|
6063
5995
|
guidance: () => ""
|
|
6064
5996
|
};
|
|
6065
|
-
|
|
5997
|
+
const stored = StoredQuestionDataItemZ.parse(storedQuestionDataItem);
|
|
5998
|
+
return {
|
|
5999
|
+
content: (args) => content || stored.content(args),
|
|
6000
|
+
description: (args) => description || stored.description(args),
|
|
6001
|
+
guidance: (args) => guidance || stored.guidance(args)
|
|
6002
|
+
};
|
|
6066
6003
|
}
|
|
6067
6004
|
function curriedQuestionInformationByQuestion({
|
|
6068
6005
|
issueType,
|
|
@@ -6125,7 +6062,8 @@ function getFixGuidances({
|
|
|
6125
6062
|
},
|
|
6126
6063
|
{}
|
|
6127
6064
|
);
|
|
6128
|
-
const
|
|
6065
|
+
const servedFixGuidances = fixExtraContext.guidances ?? [];
|
|
6066
|
+
const fixGuidance = servedFixGuidances.length > 0 ? servedFixGuidances : storeFixResult.success ? [storeFixResult.data.guidance({ questions, ...extraContext })] : [];
|
|
6129
6067
|
return libGuidances.concat(fixGuidance).filter((guidance) => !!guidance);
|
|
6130
6068
|
}
|
|
6131
6069
|
var IssueTypeAndLanguageZ = z4.object({
|
|
@@ -19416,7 +19354,7 @@ function createLogger(config2) {
|
|
|
19416
19354
|
|
|
19417
19355
|
// src/features/claude_code/hook_logger.ts
|
|
19418
19356
|
var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
|
|
19419
|
-
var CLI_VERSION = true ? "1.4.
|
|
19357
|
+
var CLI_VERSION = true ? "1.4.35" : "unknown";
|
|
19420
19358
|
var NAMESPACE = "mobbdev-claude-code-hook-logs";
|
|
19421
19359
|
var claudeCodeVersion;
|
|
19422
19360
|
function buildDdTags() {
|
|
@@ -20988,7 +20926,12 @@ var FixQuestionSchema = z32.object({
|
|
|
20988
20926
|
inputType: z32.nativeEnum(FixQuestionInputType),
|
|
20989
20927
|
options: z32.array(z32.string()),
|
|
20990
20928
|
index: z32.number(),
|
|
20991
|
-
extraContext: z32.array(UnstructuredFixExtraContextSchema)
|
|
20929
|
+
extraContext: z32.array(UnstructuredFixExtraContextSchema),
|
|
20930
|
+
// E-2015 PR5: analyzer-served question copy. default('') -> FE falls back when
|
|
20931
|
+
// a query omits it, while the output type stays a required string.
|
|
20932
|
+
content: z32.string().default(""),
|
|
20933
|
+
description: z32.string().default(""),
|
|
20934
|
+
guidance: z32.string().default("")
|
|
20992
20935
|
});
|
|
20993
20936
|
var FixDataSchema = z32.object({
|
|
20994
20937
|
__typename: z32.literal("FixData"),
|
|
@@ -24718,6 +24661,12 @@ var resolveQuestionText = ({
|
|
|
24718
24661
|
fix,
|
|
24719
24662
|
question
|
|
24720
24663
|
}) => {
|
|
24664
|
+
if (question.content || question.description) {
|
|
24665
|
+
return {
|
|
24666
|
+
content: question.content || question.name,
|
|
24667
|
+
description: question.description ?? ""
|
|
24668
|
+
};
|
|
24669
|
+
}
|
|
24721
24670
|
const language = fix.safeIssueLanguage ?? void 0;
|
|
24722
24671
|
const issueType = fix.safeIssueType ?? void 0;
|
|
24723
24672
|
if (!language || !issueType) {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "mobbdev",
|
|
3
|
-
"version": "1.4.
|
|
3
|
+
"version": "1.4.35",
|
|
4
4
|
"description": "Automated secure code remediation tool",
|
|
5
5
|
"repository": "git+https://github.com/mobb-dev/bugsy.git",
|
|
6
6
|
"main": "dist/index.mjs",
|
|
@@ -62,7 +62,7 @@
|
|
|
62
62
|
"@octokit/request-error": "5.1.1",
|
|
63
63
|
"@openredaction/openredaction": "1.0.4",
|
|
64
64
|
"adm-zip": "0.5.17",
|
|
65
|
-
"axios": "1.
|
|
65
|
+
"axios": "1.18.1",
|
|
66
66
|
"azure-devops-node-api": "15.1.2",
|
|
67
67
|
"bitbucket": "2.12.0",
|
|
68
68
|
"chalk": "5.6.2",
|
|
@@ -101,9 +101,9 @@
|
|
|
101
101
|
"simple-git": "3.36.0",
|
|
102
102
|
"snyk": "1.1305.0",
|
|
103
103
|
"tar": "7.5.15",
|
|
104
|
-
"tmp": "0.2.
|
|
104
|
+
"tmp": "0.2.7",
|
|
105
105
|
"tmp-promise": "3.0.3",
|
|
106
|
-
"undici": "6.
|
|
106
|
+
"undici": "6.27.0",
|
|
107
107
|
"uuid": "11.1.1",
|
|
108
108
|
"ws": "8.20.1",
|
|
109
109
|
"xml2js": "0.6.2",
|