mobbdev 1.4.34 → 1.4.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -346,6 +346,9 @@ var init_client_generates = __esm({
346
346
  key
347
347
  value
348
348
  }
349
+ content
350
+ description
351
+ guidance
349
352
  }
350
353
  extraContext {
351
354
  extraContext {
@@ -590,6 +593,9 @@ var init_client_generates = __esm({
590
593
  name
591
594
  options
592
595
  value
596
+ content
597
+ description
598
+ guidance
593
599
  __typename
594
600
  }
595
601
  extraContext {
@@ -599,6 +605,7 @@ var init_client_generates = __esm({
599
605
  __typename
600
606
  }
601
607
  fixDescription
608
+ guidances
602
609
  manifestActionsRequired {
603
610
  action
604
611
  lib {
@@ -1087,6 +1094,9 @@ var init_client_generates = __esm({
1087
1094
  key
1088
1095
  value
1089
1096
  }
1097
+ content
1098
+ description
1099
+ guidance
1090
1100
  }
1091
1101
  extraContext {
1092
1102
  extraContext {
@@ -1324,7 +1334,12 @@ var init_fix = __esm({
1324
1334
  FixExtraContextZ = z2.object({
1325
1335
  fixDescription: z2.string(),
1326
1336
  manifestActionsRequired: z2.array(ManifestActionRequiredZ),
1327
- extraContext: z2.array(ExtraContextInternalZ)
1337
+ extraContext: z2.array(ExtraContextInternalZ),
1338
+ // E-2015: analyzer-served fix-level guidance. default([]) so a query that
1339
+ // omits it still parses, while the output type is a required string[] to match
1340
+ // the non-null GraphQL field. The analyzer is the sole source; getFixGuidances
1341
+ // uses the served value directly (no fallback).
1342
+ guidances: z2.array(z2.string()).default([])
1328
1343
  });
1329
1344
  PatchAndQuestionsZ = z2.object({
1330
1345
  __typename: z2.literal("FixData"),
@@ -1339,7 +1354,14 @@ var init_fix = __esm({
1339
1354
  value: z2.string().nullable(),
1340
1355
  extraContext: z2.array(ExtraContextInternalZ),
1341
1356
  inputType: z2.nativeEnum(FixQuestionInputType),
1342
- options: z2.array(z2.string())
1357
+ options: z2.array(z2.string()),
1358
+ // E-2015: analyzer-served question text. default('') so a query that
1359
+ // omits these still parses (-> ''), while the output type stays a required
1360
+ // `string` to match the non-null GraphQL fields. The analyzer is the sole
1361
+ // source; consumers use the served value directly (no fallback).
1362
+ content: z2.string().default(""),
1363
+ description: z2.string().default(""),
1364
+ guidance: z2.string().default("")
1343
1365
  })
1344
1366
  ),
1345
1367
  extraContext: FixExtraContextZ
@@ -2187,7 +2209,7 @@ var init_types2 = __esm({
2187
2209
  });
2188
2210
 
2189
2211
  // src/features/analysis/scm/shared/src/urlParser/urlParser.ts
2190
- import { z as z12 } from "zod";
2212
+ import { z as z9 } from "zod";
2191
2213
  function computeCanonicalUrl(data) {
2192
2214
  const {
2193
2215
  scmType,
@@ -2229,7 +2251,7 @@ function detectAdoUrl(args) {
2229
2251
  scmType: "Ado" /* Ado */,
2230
2252
  organization,
2231
2253
  // project has single repo - repoName === projectName
2232
- projectName: z12.string().parse(projectName),
2254
+ projectName: z9.string().parse(projectName),
2233
2255
  repoName: projectName,
2234
2256
  prefixPath
2235
2257
  };
@@ -2240,7 +2262,7 @@ function detectAdoUrl(args) {
2240
2262
  return {
2241
2263
  scmType: "Ado" /* Ado */,
2242
2264
  organization,
2243
- projectName: z12.string().parse(projectName),
2265
+ projectName: z9.string().parse(projectName),
2244
2266
  repoName,
2245
2267
  prefixPath
2246
2268
  };
@@ -2254,7 +2276,7 @@ function detectAdoUrl(args) {
2254
2276
  scmType: "Ado" /* Ado */,
2255
2277
  organization,
2256
2278
  // project has only one repo - repoName === projectName
2257
- projectName: z12.string().parse(repoName),
2279
+ projectName: z9.string().parse(repoName),
2258
2280
  repoName,
2259
2281
  prefixPath
2260
2282
  };
@@ -2264,7 +2286,7 @@ function detectAdoUrl(args) {
2264
2286
  return {
2265
2287
  scmType: "Ado" /* Ado */,
2266
2288
  organization,
2267
- projectName: z12.string().parse(projectName),
2289
+ projectName: z9.string().parse(projectName),
2268
2290
  repoName,
2269
2291
  prefixPath
2270
2292
  };
@@ -2340,7 +2362,7 @@ function parseSshUrl(scmURL, scmType) {
2340
2362
  if (pathElements.length === 3) {
2341
2363
  const [organization2, projectName, repoName2] = pathElements;
2342
2364
  if (organization2?.match(NAME_REGEX) && projectName && repoName2?.match(NAME_REGEX)) {
2343
- const parsedProjectName = z12.string().parse(projectName);
2365
+ const parsedProjectName = z9.string().parse(projectName);
2344
2366
  return {
2345
2367
  scmType: "Ado" /* Ado */,
2346
2368
  hostname: normalizedHostname,
@@ -2568,17 +2590,17 @@ var init_urlParser2 = __esm({
2568
2590
  });
2569
2591
 
2570
2592
  // src/features/analysis/scm/env.ts
2571
- import { z as z15 } from "zod";
2593
+ import { z as z12 } from "zod";
2572
2594
  var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
2573
2595
  var init_env = __esm({
2574
2596
  "src/features/analysis/scm/env.ts"() {
2575
2597
  "use strict";
2576
- EnvVariablesZod = z15.object({
2577
- GITLAB_API_TOKEN: z15.string().optional(),
2578
- GITHUB_API_TOKEN: z15.string().optional(),
2579
- GIT_PROXY_HOST: z15.string().optional().default("http://tinyproxy:8888"),
2580
- MAX_UPLOAD_FILE_SIZE_MB: z15.coerce.number().gt(0).default(2),
2581
- GITHUB_API_CONCURRENCY: z15.coerce.number().gt(0).optional().default(10)
2598
+ EnvVariablesZod = z12.object({
2599
+ GITLAB_API_TOKEN: z12.string().optional(),
2600
+ GITHUB_API_TOKEN: z12.string().optional(),
2601
+ GIT_PROXY_HOST: z12.string().optional().default("http://tinyproxy:8888"),
2602
+ MAX_UPLOAD_FILE_SIZE_MB: z12.coerce.number().gt(0).default(2),
2603
+ GITHUB_API_CONCURRENCY: z12.coerce.number().gt(0).optional().default(10)
2582
2604
  });
2583
2605
  ({
2584
2606
  GITLAB_API_TOKEN,
@@ -2612,7 +2634,7 @@ var init_configs = __esm({
2612
2634
  });
2613
2635
 
2614
2636
  // src/utils/blame/gitBlameTypes.ts
2615
- import { z as z18 } from "zod";
2637
+ import { z as z15 } from "zod";
2616
2638
  function parseCoAuthorValue(raw) {
2617
2639
  const trimmed = raw.trim();
2618
2640
  if (!trimmed) {
@@ -2648,9 +2670,9 @@ var PrepareGitBlameMessageZ, PrepareGitBlameResponseMessageZ, CommitMetadataZ, L
2648
2670
  var init_gitBlameTypes = __esm({
2649
2671
  "src/utils/blame/gitBlameTypes.ts"() {
2650
2672
  "use strict";
2651
- PrepareGitBlameMessageZ = z18.object({
2652
- reportId: z18.string(),
2653
- repoArchivePath: z18.string(),
2673
+ PrepareGitBlameMessageZ = z15.object({
2674
+ reportId: z15.string(),
2675
+ repoArchivePath: z15.string(),
2654
2676
  // Optional list of file paths to blame. Producers must pick one of two modes:
2655
2677
  //
2656
2678
  // - **Omit `filePaths`** = "blame every file in the archive". Used by the
@@ -2666,132 +2688,132 @@ var init_gitBlameTypes = __esm({
2666
2688
  // "Login.java" when the actual file is "src/main/java/Login.java") are
2667
2689
  // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
2668
2690
  // strings are filtered out defensively.
2669
- filePaths: z18.array(z18.string()).optional()
2691
+ filePaths: z15.array(z15.string()).optional()
2670
2692
  });
2671
- PrepareGitBlameResponseMessageZ = z18.object({
2672
- reportId: z18.string()
2693
+ PrepareGitBlameResponseMessageZ = z15.object({
2694
+ reportId: z15.string()
2673
2695
  });
2674
- CommitMetadataZ = z18.object({
2675
- author: z18.string().optional(),
2676
- "author-mail": z18.string().optional(),
2677
- "author-time": z18.string().optional(),
2678
- "author-tz": z18.string().optional(),
2679
- committer: z18.string().optional(),
2680
- "committer-mail": z18.string().optional(),
2681
- "committer-time": z18.string().optional(),
2682
- "committer-tz": z18.string().optional(),
2683
- summary: z18.string().optional(),
2684
- filename: z18.string().optional()
2696
+ CommitMetadataZ = z15.object({
2697
+ author: z15.string().optional(),
2698
+ "author-mail": z15.string().optional(),
2699
+ "author-time": z15.string().optional(),
2700
+ "author-tz": z15.string().optional(),
2701
+ committer: z15.string().optional(),
2702
+ "committer-mail": z15.string().optional(),
2703
+ "committer-time": z15.string().optional(),
2704
+ "committer-tz": z15.string().optional(),
2705
+ summary: z15.string().optional(),
2706
+ filename: z15.string().optional()
2685
2707
  });
2686
- LineToCommitMapZ = z18.record(z18.string(), z18.string());
2687
- CommitMetadataMapZ = z18.record(z18.string(), CommitMetadataZ);
2688
- BlameInfoZ = z18.object({
2708
+ LineToCommitMapZ = z15.record(z15.string(), z15.string());
2709
+ CommitMetadataMapZ = z15.record(z15.string(), CommitMetadataZ);
2710
+ BlameInfoZ = z15.object({
2689
2711
  lineToCommit: LineToCommitMapZ,
2690
2712
  commitMetadata: CommitMetadataMapZ
2691
2713
  });
2692
- LineRangeZ = z18.object({
2714
+ LineRangeZ = z15.object({
2693
2715
  /** First line in chunk (1-indexed) */
2694
- start: z18.number(),
2716
+ start: z15.number(),
2695
2717
  /** Last line in chunk (inclusive) */
2696
- end: z18.number()
2718
+ end: z15.number()
2697
2719
  });
2698
- PrContextZ = z18.object({
2699
- prNumber: z18.number(),
2700
- repositoryUrl: z18.string(),
2701
- organizationId: z18.string(),
2702
- userEmail: z18.string(),
2703
- source: z18.enum(["pr", "github"]),
2704
- githubContext: z18.object({
2705
- prNumber: z18.number(),
2706
- installationId: z18.number(),
2707
- repositoryURL: z18.string()
2720
+ PrContextZ = z15.object({
2721
+ prNumber: z15.number(),
2722
+ repositoryUrl: z15.string(),
2723
+ organizationId: z15.string(),
2724
+ userEmail: z15.string(),
2725
+ source: z15.enum(["pr", "github"]),
2726
+ githubContext: z15.object({
2727
+ prNumber: z15.number(),
2728
+ installationId: z15.number(),
2729
+ repositoryURL: z15.string()
2708
2730
  }).optional()
2709
2731
  });
2710
- PrepareCommitBlameMessageZ = z18.object({
2732
+ PrepareCommitBlameMessageZ = z15.object({
2711
2733
  /** Commit blame request ID from database (for tracking and updating status) */
2712
- commitBlameRequestId: z18.string(),
2734
+ commitBlameRequestId: z15.string(),
2713
2735
  /** Organization ID (for org-scoped caching) */
2714
- organizationId: z18.string(),
2736
+ organizationId: z15.string(),
2715
2737
  /** Full repository URL (e.g., https://github.com/org/repo) */
2716
- repositoryUrl: z18.string(),
2738
+ repositoryUrl: z15.string(),
2717
2739
  /** Commit SHA to analyze (typically PR head commit) */
2718
- commitSha: z18.string(),
2740
+ commitSha: z15.string(),
2719
2741
  /** Authentication headers for repository access (e.g., GitHub token) */
2720
- extraHeaders: z18.record(z18.string(), z18.string()).default({}),
2742
+ extraHeaders: z15.record(z15.string(), z15.string()).default({}),
2721
2743
  // --- PR analysis fields ---
2722
2744
  /** Target branch name (from getPr() base.ref). When set, enables PR analysis mode. */
2723
- targetBranch: z18.string().optional(),
2745
+ targetBranch: z15.string().optional(),
2724
2746
  /** Context for triggering blame attribution analysis after SCM agent completes. */
2725
2747
  prContext: PrContextZ.optional(),
2726
2748
  /** User email for blame attribution analysis trigger context (used for both PR and single commit flows). */
2727
- userEmail: z18.string().optional()
2749
+ userEmail: z15.string().optional()
2728
2750
  });
2729
- BlameLineInfoZ = z18.object({
2751
+ BlameLineInfoZ = z15.object({
2730
2752
  /** Line number as it appeared in the introducing commit */
2731
- originalLineNumber: z18.number(),
2753
+ originalLineNumber: z15.number(),
2732
2754
  /** Commit SHA that introduced this line */
2733
- commitSha: z18.string(),
2755
+ commitSha: z15.string(),
2734
2756
  /** Author name for this line */
2735
- authorName: z18.string().optional(),
2757
+ authorName: z15.string().optional(),
2736
2758
  /** Author email for this line */
2737
- authorEmail: z18.string().optional()
2759
+ authorEmail: z15.string().optional()
2738
2760
  }).nullable();
2739
- FileBlameDataZ = z18.array(BlameLineInfoZ);
2740
- ChunkFetchResultZ = z18.object({
2741
- filePath: z18.string(),
2742
- lines: z18.array(z18.number()),
2761
+ FileBlameDataZ = z15.array(BlameLineInfoZ);
2762
+ ChunkFetchResultZ = z15.object({
2763
+ filePath: z15.string(),
2764
+ lines: z15.array(z15.number()),
2743
2765
  data: FileBlameDataZ.nullable()
2744
2766
  });
2745
- FileBlameResponseEntryZ = z18.object({
2767
+ FileBlameResponseEntryZ = z15.object({
2746
2768
  /** Chunk index (0 for small files, 0-N for large file chunks) */
2747
- chunkIndex: z18.number(),
2769
+ chunkIndex: z15.number(),
2748
2770
  /** Blame data array (1-indexed, index 0 is null) */
2749
2771
  blameData: FileBlameDataZ
2750
2772
  });
2751
- CommitBlameDataZ = z18.record(
2752
- z18.string(),
2773
+ CommitBlameDataZ = z15.record(
2774
+ z15.string(),
2753
2775
  // fileName
2754
- z18.array(FileBlameResponseEntryZ)
2776
+ z15.array(FileBlameResponseEntryZ)
2755
2777
  );
2756
- CommitInfoZ = z18.object({
2778
+ CommitInfoZ = z15.object({
2757
2779
  /** Number of parent commits (1 = normal commit, 2+ = merge commit, null = failed to determine) */
2758
- parentCount: z18.number().nullable()
2780
+ parentCount: z15.number().nullable()
2759
2781
  });
2760
- GitIdentityZ = z18.object({
2761
- name: z18.string(),
2762
- email: z18.string()
2782
+ GitIdentityZ = z15.object({
2783
+ name: z15.string(),
2784
+ email: z15.string()
2763
2785
  });
2764
2786
  COMMIT_LOG_FORMAT = "%H%x00%ae%x00%an%x00%ce%x00%cn%x00%at%x00%s%x00%(trailers:key=Co-authored-by,valueonly,separator=%x00)";
2765
- CommitDataZ = z18.object({
2766
- diff: z18.string(),
2787
+ CommitDataZ = z15.object({
2788
+ diff: z15.string(),
2767
2789
  author: GitIdentityZ,
2768
2790
  committer: GitIdentityZ,
2769
- coAuthors: z18.array(GitIdentityZ),
2770
- timestamp: z18.number(),
2791
+ coAuthors: z15.array(GitIdentityZ),
2792
+ timestamp: z15.number(),
2771
2793
  // Unix timestamp in seconds
2772
- message: z18.string().optional(),
2773
- parentCount: z18.number().nullable()
2794
+ message: z15.string().optional(),
2795
+ parentCount: z15.number().nullable()
2774
2796
  });
2775
- PrDiffDataZ = z18.object({
2776
- diff: z18.string()
2797
+ PrDiffDataZ = z15.object({
2798
+ diff: z15.string()
2777
2799
  });
2778
- PrStatsZ = z18.object({
2779
- additions: z18.number(),
2780
- deletions: z18.number()
2800
+ PrStatsZ = z15.object({
2801
+ additions: z15.number(),
2802
+ deletions: z15.number()
2781
2803
  });
2782
- CommitsManifestZ = z18.object({
2783
- commits: z18.array(z18.string())
2804
+ CommitsManifestZ = z15.object({
2805
+ commits: z15.array(z15.string())
2784
2806
  // Array of commit SHAs in order
2785
2807
  });
2786
- BlameLineEntryZ = z18.object({
2808
+ BlameLineEntryZ = z15.object({
2787
2809
  /** Current file path in the PR head (what git blame was invoked on). */
2788
- file: z18.string(),
2810
+ file: z15.string(),
2789
2811
  /** Current line number in the PR head. */
2790
- line: z18.number(),
2812
+ line: z15.number(),
2791
2813
  /** SHA of the commit that originally authored this line. */
2792
- originalCommitSha: z18.string(),
2814
+ originalCommitSha: z15.string(),
2793
2815
  /** Line number as it was in `originalCommitSha`. */
2794
- originalLineNumber: z18.number(),
2816
+ originalLineNumber: z15.number(),
2795
2817
  /**
2796
2818
  * File path as it was in `originalCommitSha` at the time that commit
2797
2819
  * authored this line. When a file has been renamed since, this differs
@@ -2804,24 +2826,24 @@ var init_gitBlameTypes = __esm({
2804
2826
  * must treat empty as "fall back to `file`" (see enrichDiffLines,
2805
2827
  * targetedBlame).
2806
2828
  */
2807
- originalFile: z18.string().default("")
2829
+ originalFile: z15.string().default("")
2808
2830
  });
2809
- BlameLinesDataZ = z18.object({
2810
- lines: z18.array(BlameLineEntryZ)
2831
+ BlameLinesDataZ = z15.object({
2832
+ lines: z15.array(BlameLineEntryZ)
2811
2833
  });
2812
- PrepareCommitBlameResponseMessageZ = z18.object({
2834
+ PrepareCommitBlameResponseMessageZ = z15.object({
2813
2835
  /** Commit blame request ID (matches request, used to update specific DB record) */
2814
- commitBlameRequestId: z18.string(),
2836
+ commitBlameRequestId: z15.string(),
2815
2837
  /** Organization ID (matches request) */
2816
- organizationId: z18.string(),
2838
+ organizationId: z15.string(),
2817
2839
  /** Repository URL (matches request) */
2818
- repositoryUrl: z18.string(),
2840
+ repositoryUrl: z15.string(),
2819
2841
  /** Commit SHA analyzed (matches request) */
2820
- commitSha: z18.string(),
2842
+ commitSha: z15.string(),
2821
2843
  /** Processing status */
2822
- status: z18.enum(["success", "failure"]),
2844
+ status: z15.enum(["success", "failure"]),
2823
2845
  /** Error message (only present if status is 'failure') */
2824
- error: z18.string().optional(),
2846
+ error: z15.string().optional(),
2825
2847
  /**
2826
2848
  * Blame data for all processed files/chunks.
2827
2849
  * Empty dictionary if status is 'failure'.
@@ -2833,29 +2855,29 @@ var init_gitBlameTypes = __esm({
2833
2855
  * Keyed by commit SHA, deduplicated.
2834
2856
  * Empty dictionary if status is 'failure'.
2835
2857
  */
2836
- commits: z18.record(z18.string(), CommitInfoZ).default({}),
2858
+ commits: z15.record(z15.string(), CommitInfoZ).default({}),
2837
2859
  // --- New PR diff computation response fields ---
2838
2860
  /** S3 paths for commit-level data (commitSha → S3 key). Present in PR analysis mode and single commit mode. */
2839
- commitDataS3Paths: z18.record(z18.string(), z18.string()).optional(),
2861
+ commitDataS3Paths: z15.record(z15.string(), z15.string()).optional(),
2840
2862
  /** S3 key for PR diff JSON. Present in PR analysis mode. */
2841
- prDiffS3Path: z18.string().optional(),
2863
+ prDiffS3Path: z15.string().optional(),
2842
2864
  /** S3 key for commits manifest. Present in PR analysis mode. */
2843
- commitsManifestS3Path: z18.string().optional(),
2865
+ commitsManifestS3Path: z15.string().optional(),
2844
2866
  /** S3 key for per-line targeted blame data. Present in PR analysis mode. */
2845
- blameLinesS3Path: z18.string().optional(),
2867
+ blameLinesS3Path: z15.string().optional(),
2846
2868
  /** S3 key for PR stats (additions/deletions). Present in PR analysis mode. */
2847
- prStatsS3Path: z18.string().optional(),
2869
+ prStatsS3Path: z15.string().optional(),
2848
2870
  /** PR context passed through from request for response handler. */
2849
2871
  prContext: PrContextZ.optional(),
2850
2872
  /** PR title from the request metadata (passed through). */
2851
- prTitle: z18.string().optional(),
2873
+ prTitle: z15.string().optional(),
2852
2874
  /** User email passed through from request for single commit blame attribution analysis trigger. */
2853
- userEmail: z18.string().optional()
2875
+ userEmail: z15.string().optional()
2854
2876
  });
2855
- VulnerabilityAttributionMessageZ = z18.object({
2856
- fixReportId: z18.string().uuid(),
2857
- vulnerabilityAttributionRequestId: z18.string().uuid(),
2858
- userEmail: z18.string()
2877
+ VulnerabilityAttributionMessageZ = z15.object({
2878
+ fixReportId: z15.string().uuid(),
2879
+ vulnerabilityAttributionRequestId: z15.string().uuid(),
2880
+ userEmail: z15.string()
2859
2881
  });
2860
2882
  }
2861
2883
  });
@@ -4122,7 +4144,7 @@ import * as os3 from "os";
4122
4144
  import path6 from "path";
4123
4145
  import chalk3 from "chalk";
4124
4146
  import { withFile } from "tmp-promise";
4125
- import z26 from "zod";
4147
+ import z23 from "zod";
4126
4148
 
4127
4149
  // src/commands/handleMobbLogin.ts
4128
4150
  import chalk2 from "chalk";
@@ -4594,7 +4616,7 @@ import debugModule from "debug";
4594
4616
  var debug3 = debugModule("mobb:shared");
4595
4617
 
4596
4618
  // src/features/analysis/scm/utils/index.ts
4597
- import { z as z14 } from "zod";
4619
+ import { z as z11 } from "zod";
4598
4620
 
4599
4621
  // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
4600
4622
  init_client_generates();
@@ -4612,1649 +4634,6 @@ init_getIssueType();
4612
4634
 
4613
4635
  // src/features/analysis/scm/shared/src/guidances.ts
4614
4636
  init_client_generates();
4615
- init_getIssueType();
4616
- import { z as z11 } from "zod";
4617
-
4618
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4619
- init_client_generates();
4620
- import { z as z9 } from "zod";
4621
-
4622
- // src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
4623
- var passwordInComment = {
4624
- guidance: () => "Removing sensitive information from the comments is not enough. To ensure the security of your data, you have to rotate passwords and tokens and update all places where they were used."
4625
- };
4626
-
4627
- // src/features/analysis/scm/shared/src/storedFixData/csharp/missingAntiForgeryValidation.ts
4628
- var missingAntiForgeryValidation = {
4629
- guidance: () => `The \`ValidateAntiForgeryToken\` attribute helps prevent cross-site request forgery (CSRF) attacks. The token is automatically injected into the view by the [FormTagHelper](https://learn.microsoft.com/en-us/aspnet/core/mvc/views/working-with-forms?view=aspnetcore-8.0#the-form-tag-helper)
4630
- and is included when the form is submitted by the user. The token is validated by the \`ValidateAntiForgeryToken\` attribute. The token could be also generated using the [Html.AntiForgeryToken](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.htmlhelper.antiforgerytoken?view=aspnet-mvc-5.2) helper.
4631
-
4632
-  
4633
-
4634
-
4635
- ***Make sure this controller's client provides the validation token before approving this change.***
4636
-
4637
-  
4638
-
4639
-
4640
- This is an illustration of how the form will look like:
4641
-
4642
-  
4643
-
4644
- <form method="post" action="/Action">
4645
- <!-- Input and Submit elements -->
4646
- <input name="__RequestVerificationToken"
4647
- type="hidden" value="<removed for brevity>">
4648
- </form>
4649
-
4650
-
4651
- ***Notice the \`__RequestVerificationToken\` parameters.***
4652
- `
4653
- };
4654
-
4655
- // src/features/analysis/scm/shared/src/storedFixData/csharp/index.ts
4656
- var vulnerabilities = {
4657
- ["MISSING_ANTIFORGERY_VALIDATION"]: missingAntiForgeryValidation,
4658
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4659
- };
4660
- var csharp_default = vulnerabilities;
4661
-
4662
- // src/features/analysis/scm/shared/src/storedFixData/dockerfile/index.ts
4663
- var vulnerabilities2 = {};
4664
- var dockerfile_default = vulnerabilities2;
4665
-
4666
- // src/features/analysis/scm/shared/src/storedFixData/go/index.ts
4667
- var vulnerabilities3 = {};
4668
- var go_default = vulnerabilities3;
4669
-
4670
- // src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
4671
- var vulnerabilities4 = {};
4672
- var hcl_default = vulnerabilities4;
4673
-
4674
- // src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
4675
- var insecureDeserialization = {
4676
- guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
4677
- };
4678
-
4679
- // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
4680
- var j2eeGetConnection = {
4681
- guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
4682
-
4683
-
4684
- &nbsp;
4685
-
4686
- ***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
4687
-
4688
- - **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
4689
- - **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
4690
- - **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
4691
- - **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
4692
-
4693
-
4694
- &nbsp;
4695
-
4696
- Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
4697
-
4698
-
4699
- &nbsp;
4700
-
4701
- This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
4702
- };
4703
-
4704
- // src/features/analysis/scm/shared/src/storedFixData/java/sqlInjection.ts
4705
- var sqlInjection = {
4706
- guidance: ({
4707
- hasQuestionMarksAfterTaintVar
4708
- }) => {
4709
- if (hasQuestionMarksAfterTaintVar) {
4710
- return "Please make sure to correct the following indices of the setInt()/setString() calls after the new parameter is added.";
4711
- }
4712
- return "";
4713
- }
4714
- };
4715
-
4716
- // src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
4717
- var systemInformationLeak = {
4718
- guidance: ({
4719
- clientMightBeAffected
4720
- }) => {
4721
- if (clientMightBeAffected) {
4722
- return "You should never expose error details to the client. We removed the error details from the response. Ensure the client application code does not rely on the removed information.";
4723
- }
4724
- return "";
4725
- }
4726
- };
4727
-
4728
- // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
4729
- var vulnerabilities5 = {
4730
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4731
- ["INSECURE_DESERIALIZATION"]: insecureDeserialization,
4732
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection,
4733
- ["SQL_Injection"]: sqlInjection,
4734
- ["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
4735
- };
4736
- var java_default = vulnerabilities5;
4737
-
4738
- // src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
4739
- var csrf = {
4740
- guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
4741
-
4742
-
4743
- If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
4744
-
4745
-
4746
- See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
4747
- };
4748
-
4749
- // src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
4750
- var hardcodedSecrets = {
4751
- guidance: ({ questions }) => {
4752
- const envVarName = questions.find((q) => q.key === "env_var_name")?.value || "the";
4753
- const keepAsDefault = questions.find(
4754
- (q) => q.key === "keep_as_default"
4755
- )?.value;
4756
- let additionalText = "";
4757
- if (keepAsDefault === "yes") {
4758
- additionalText = "\n1. Remove the hardcoded secret from the code.\n";
4759
- }
4760
- return `Please follow the steps in this specific order:
4761
-
4762
- 1. Change the secret that was hardcoded. It is essential because even when you commit the changes, the secret will remain in the git history.${additionalText}
4763
- 1. Update the configuration of all your application environments and CI/CD pipelines to set \`${envVarName}\` environment variable.
4764
- 1. Commit the changes.`;
4765
- }
4766
- };
4767
-
4768
- // src/features/analysis/scm/shared/src/storedFixData/javascript/noLimitsOrThrottling.ts
4769
- var noLimitsOrThrottling = {
4770
- guidance: () => "We set the default limit to 60 requests per minute. To customize the rate limit settings, please read the documentation of the [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) package."
4771
- };
4772
-
4773
- // src/features/analysis/scm/shared/src/storedFixData/javascript/ssrf.ts
4774
- var ssrf = {
4775
- guidance: () => "The server-side validates the domains it has access to, otherwise it throws an error if validation failed. Please make sure you handled the error correctly."
4776
- };
4777
-
4778
- // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
4779
- var vulnerabilities6 = {
4780
- ["SSRF"]: ssrf,
4781
- ["HARDCODED_SECRETS"]: hardcodedSecrets,
4782
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4783
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling,
4784
- ["CSRF"]: csrf
4785
- };
4786
- var javascript_default = vulnerabilities6;
4787
-
4788
- // src/features/analysis/scm/shared/src/storedFixData/php/index.ts
4789
- var vulnerabilities7 = {};
4790
- var php_default = vulnerabilities7;
4791
-
4792
- // src/features/analysis/scm/shared/src/storedFixData/python/autoEscapeFalse.ts
4793
- var autoEscapeFalse = {
4794
- guidance: () => `This fix enables automatic escaping for HTML. When that's enabled, everything is escaped by default except for values explicitly marked as safe. Variables and expressions can be marked as safe either in:
4795
-
4796
- a. The context dictionary by the application with \`markupsafe.Markup\`
4797
-
4798
- b. The template, with the \`|safe\` filter.
4799
-
4800
- &nbsp;
4801
-
4802
-
4803
- See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping) and [here](https://pypi.org/project/MarkupSafe/).
4804
-
4805
- &nbsp;
4806
-
4807
-
4808
- ***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
4809
- };
4810
-
4811
- // src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
4812
- var improperCertificateValidation = {
4813
- guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
4814
-
4815
- &nbsp;
4816
-
4817
- ***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
4818
-
4819
- &nbsp;
4820
-
4821
- See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
4822
- };
4823
-
4824
- // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
4825
- var vulnerabilities8 = {
4826
- ["AUTO_ESCAPE_FALSE"]: autoEscapeFalse,
4827
- ["CSRF"]: csrf,
4828
- ["IMPROPER_CERTIFICATE_VALIDATION"]: improperCertificateValidation
4829
- };
4830
- var python_default = vulnerabilities8;
4831
-
4832
- // src/features/analysis/scm/shared/src/storedFixData/sql/defaultRightsInObjDefinition.ts
4833
- var defaultRightsInObjDefinition = {
4834
- guidance: () => "***Make sure the user who is supposed to run the procedure has sufficient permissions.***\n\nRead more details about the `EXECUTE AS` statement in [the official Microsoft documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-clause-transact-sql?view=sql-server-ver16&tabs=sqlserver).\n\n`EXECUTE AS CALLER` is the default behavior for SQL Server 2005 and later."
4835
- };
4836
-
4837
- // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
4838
- var vulnerabilities9 = {
4839
- ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION"]: defaultRightsInObjDefinition
4840
- };
4841
- var sql_default = vulnerabilities9;
4842
-
4843
- // src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
4844
- var vulnerabilities10 = {
4845
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4846
- };
4847
- var xml_default = vulnerabilities10;
4848
-
4849
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4850
- var StoredFixDataItemZ = z9.object({
4851
- guidance: z9.function().args(z9.any()).returns(z9.string())
4852
- });
4853
- var languages = {
4854
- ["Java" /* Java */]: java_default,
4855
- ["JavaScript" /* JavaScript */]: javascript_default,
4856
- ["CSharp" /* CSharp */]: csharp_default,
4857
- ["SQL" /* Sql */]: sql_default,
4858
- ["XML" /* Xml */]: xml_default,
4859
- ["Python" /* Python */]: python_default,
4860
- ["PHP" /* Php */]: php_default,
4861
- ["Go" /* Go */]: go_default,
4862
- ["Dockerfile" /* Dockerfile */]: dockerfile_default,
4863
- ["Hcl" /* Hcl */]: hcl_default
4864
- };
4865
-
4866
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
4867
- init_client_generates();
4868
- import { z as z10 } from "zod";
4869
-
4870
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
4871
- var commandInjection = {
4872
- isUnixShellCommandPart: {
4873
- content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
4874
- description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
4875
-
4876
- - \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
4877
- - \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
4878
-
4879
- Answer **no** (the input is not plain data) when the input is:
4880
-
4881
- 1. The program/executable itself:
4882
- - \`system(input);\`
4883
- - \`sprintf(cmd, "%s -x", input);\`
4884
- 2. A command after a pipe or redirect:
4885
- - \`sprintf(cmd, "cat file.txt | %s", input);\`
4886
- 3. A part of a non-Unix or cross-platform shell command.
4887
- 4. A part of embedded code in another language:
4888
- - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
4889
- - \`sprintf(cmd, "awk '%s' file", input);\`
4890
- 5. A flag/option that controls a tool's behaviour:
4891
- - \`sprintf(cmd, "git --upload-pack %s", input);\``,
4892
- guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
4893
- },
4894
- executableLocationPath: {
4895
- content: () => "What is the absolute path of the directory containing the executable?",
4896
- description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
4897
-
4898
- Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
4899
- guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
4900
- }
4901
- };
4902
-
4903
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/pathManipulation.ts
4904
- var pathManipulation = {
4905
- baseDirectory: {
4906
- content: ({ expression }) => `Which directory must \`${expression}\` stay within? Enter the absolute base directory file access is restricted to.`,
4907
- description: ({ expression }) => `The fix canonicalizes \`${expression}\` (resolving \`.\`, \`..\`, and symlinks) and verifies the result stays inside this base directory. Provide the **absolute** root the application is allowed to read or write under, for example \`/var/app/data\`. The directory must exist at runtime. A path that resolves outside it is rejected at runtime.`,
4908
- guidance: (_) => "You **must** set this to an absolute path that exists at runtime and that your application confines file access to. If you leave it unset (or give a relative path), the generated fix is emitted with a placeholder identifier (`MOBB_SET_ALLOWED_BASE_DIR`) that **deliberately does not compile**, so a missing security boundary cannot be overlooked \u2014 replace it with your absolute base directory. A relative path would otherwise resolve against the process working directory (moving the boundary). At runtime the guard aborts (C: `exit(EXIT_FAILURE)`) / throws (C++: `std::runtime_error`) on a path that escapes the base. Pick the narrowest directory that still contains every legitimate file the code opens."
4909
- }
4910
- };
4911
-
4912
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
4913
- var vulnerabilities11 = {
4914
- ["CMDi"]: commandInjection,
4915
- ["PT"]: pathManipulation
4916
- };
4917
- var cpp_default = vulnerabilities11;
4918
-
4919
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
4920
- var httpOnlyCookie = {
4921
- httpOnlyCookie: {
4922
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
4923
- description: () => httpOnlyMessage,
4924
- guidance: () => ""
4925
- },
4926
- cookieVarName: {
4927
- content: () => "Please define a variable name",
4928
- description: () => `We need a variable for the new cookie instance`,
4929
- guidance: () => ""
4930
- }
4931
- };
4932
- var httpOnlyMessage = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
4933
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
4934
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
4935
-
4936
- &nbsp;
4937
-
4938
-
4939
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
4940
-
4941
- &nbsp;
4942
-
4943
- `;
4944
-
4945
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureBinderConfiguration.ts
4946
- var insecureBinderConfiguration = {
4947
- bindAttributeParam: {
4948
- content: ({ func_param_name }) => `Which properties of the model should be included in model binding for \`${func_param_name}\`?`,
4949
- description: () => "Provide a comma-separated list of valid property names to be included in model binding. See [the official documentation](https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding?view=aspnetcore-8.0#bind-attribute) for more details.",
4950
- guidance: () => ""
4951
- }
4952
- };
4953
-
4954
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureCookie.ts
4955
- var insecureCookie = {
4956
- insecureCookie: {
4957
- content: () => "Will this cookie be used only in encrypted channels (https)?",
4958
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
4959
- In environments like local development or test, setting cookies as secure might have some consequences:
4960
-
4961
- &nbsp;
4962
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
4963
- additional configuration and certificates. If cookies are marked as secure,
4964
- they won't be sent over HTTP, and this could potentially interfere with the normal
4965
- functioning of your application during development.
4966
-
4967
- &nbsp;
4968
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
4969
- testing environment accurately simulates the production environment's security features.
4970
- This may involve setting up HTTPS in your local development environment.
4971
-
4972
- &nbsp;
4973
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
4974
- development environment, especially if you need to inspect or manipulate the cookies during
4975
- development.`,
4976
- guidance: () => ""
4977
- },
4978
- cookieVarName: {
4979
- content: () => "Please define a variable name",
4980
- description: () => `We need a variable for the new cookie instance`,
4981
- guidance: () => ""
4982
- }
4983
- };
4984
-
4985
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureRandomness.ts
4986
- var insecureRandomness = {
4987
- isRandomNumberGeneratorAvailable: {
4988
- content: () => "We use the `RandomNumberGenerator` class from the `System.Security.Cryptography` package. Does this class exist for the .NET version you use?",
4989
- description: () => "See [the official documentation](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-8.0#applies-to) for more details.",
4990
- guidance: () => ""
4991
- },
4992
- isNetVersionGreaterThan6: {
4993
- content: () => "We are able to offer a more concise solution if the .NET version is greater then .NET 6",
4994
- description: () => "",
4995
- guidance: () => ""
4996
- }
4997
- };
4998
-
4999
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insufficientLogging.ts
5000
- var insufficientLogging = {
5001
- logMessage: {
5002
- content: () => "Enter the message that you want to appear in the log",
5003
- description: () => "",
5004
- guidance: () => ""
5005
- }
5006
- };
5007
-
5008
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/logForging.ts
5009
- var logForging = {
5010
- isHtmlDisplay: {
5011
- content: () => "Is the text written to the log going to be displayed as HTML?",
5012
- description: () => "",
5013
- guidance: ({ userInputValue }) => {
5014
- switch (userInputValue) {
5015
- case "yes":
5016
- return "We use the `System.Web` `HttpUtility` to decode the HTML";
5017
- default:
5018
- return "";
5019
- }
5020
- }
5021
- }
5022
- };
5023
-
5024
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/overlyBroadCatch.ts
5025
- var overlyBroadCatch = {
5026
- defaultExceptionsInWhenFilter: {
5027
- content: () => "Exceptions to filter",
5028
- description: () => "Coma separated list of the Fully Qualified Exceptions names",
5029
- guidance: () => ""
5030
- }
5031
- };
5032
-
5033
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/pt.ts
5034
- var pt = {
5035
- taintedTermType: {
5036
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file path?`,
5037
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
5038
- guidance: () => ""
5039
- },
5040
- pathTargetDir: {
5041
- content: () => "Allowed file path",
5042
- description: () => "Provide the intended file path destination eg: /tmp/testfiles/users/",
5043
- guidance: () => ""
5044
- }
5045
- };
5046
-
5047
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
5048
- var regexMissingTimeout = {
5049
- netVersionGreaterOrEqual7: {
5050
- content: () => "Is your target framework .NET 7 or greater?",
5051
- description: () => "",
5052
- guidance: () => ""
5053
- },
5054
- timeout: {
5055
- content: () => "Enter the timeout in milliseconds",
5056
- description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
5057
- guidance: () => ""
5058
- },
5059
- useBacktrackingOption: {
5060
- content: () => "Use non backtracking option",
5061
- description: () => "If the regex does not need to use backtracking we can disable it using regex options",
5062
- guidance: () => ""
5063
- }
5064
- };
5065
-
5066
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/requestParametersBoundViaInput.ts
5067
- var requestParametersBoundViaInput = {
5068
- fieldsToCopy: {
5069
- content: () => "Please list all the fields you expect as input from the user. Use comma separated list.",
5070
- description: () => `This is meant to avoid mass assignment vulnerabilities, where the user would enter an inner unexpected field`,
5071
- guidance: () => ""
5072
- }
5073
- };
5074
-
5075
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
5076
- var sqlInjection2 = {
5077
- databaseProvider: {
5078
- content: () => "Select the database provider",
5079
- description: () => "",
5080
- guidance: () => ""
5081
- }
5082
- };
5083
-
5084
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/ssrf.ts
5085
- var ssrf2 = {
5086
- domainsAllowlist: {
5087
- content: () => "Allowed domains",
5088
- description: () => "Coma separated list of allowed domains.",
5089
- guidance: () => ""
5090
- }
5091
- };
5092
-
5093
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sysLeak.ts
5094
- var sysLeak = {
5095
- errorMessage: {
5096
- content: () => "Enter the error message that you want to appear in the log",
5097
- description: () => "",
5098
- guidance: () => ""
5099
- },
5100
- noLoggerAction: {
5101
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5102
- description: () => "",
5103
- guidance: () => ""
5104
- }
5105
- };
5106
-
5107
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/trustBoundaryViolation.ts
5108
- var trustBoundaryViolation = {
5109
- validationPattern: {
5110
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
5111
- description: () => "We use regex to validate the input to avoid runtime surprises",
5112
- guidance: () => ""
5113
- },
5114
- otherPatternValue: {
5115
- content: () => `Enter the regex pattern you would like to use to validate the input`,
5116
- description: () => "See patterns at [the regex docs](https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference)",
5117
- guidance: () => ""
5118
- }
5119
- };
5120
-
5121
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/useOfSystemOutputStream.ts
5122
- var useOfSystemOutputStream = {
5123
- noLoggerAction: {
5124
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5125
- description: () => "",
5126
- guidance: () => ""
5127
- }
5128
- };
5129
-
5130
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/valueShadowing.ts
5131
- var valueShadowing = {
5132
- collectionName: {
5133
- content: () => "Please select the collection to search/index from",
5134
- description: () => `Accessing the root object eg Request["item"] searches across all available collections and returns the first item that matches. Potentially leading to the correct value being shadowed. Available collections include:
5135
- - QueryString: The values of variables in the HTTP query string.
5136
- - Form: The values of form elements in the HTTP request body.
5137
- - Cookies: The values of cookies sent in the HTTP request.
5138
- - ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
5139
- - ServerVariables: The values of predetermined environment variables.`,
5140
- guidance: () => `See
5141
- - https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524948(v=vs.90),
5142
- - https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8.1`
5143
- }
5144
- };
5145
-
5146
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/wcfMisconfigurationThrottlingNotEnabled.ts
5147
- var wcfMisconfigurationThrottlingNotEnabled = {
5148
- maxConcurrentCalls: {
5149
- content: () => "Please define the maximum concurrent calls",
5150
- description: () => `A positive integer that limits the number of messages that currently process across a ServiceHost. Calls in excess of the limit are queued. Setting this value to 0 is equivalent to setting it to Int32.MaxValue.`,
5151
- guidance: () => {
5152
- return "";
5153
- }
5154
- },
5155
- maxConcurrentInstances: {
5156
- content: () => "Please define the maximum concurrent instances",
5157
- description: () => `A positive integer that limits the number of InstanceContext objects that execute at one time across a ServiceHost. Requests to create additional instances are queued and complete when a slot below the limit becomes available.`,
5158
- guidance: () => {
5159
- return "";
5160
- }
5161
- },
5162
- maxConcurrentSessions: {
5163
- content: () => "Please define the maximum concurrent sessions",
5164
- description: () => `A positive integer that limits the number of sessions a ServiceHost object can accept.`,
5165
- guidance: () => {
5166
- return "";
5167
- }
5168
- }
5169
- };
5170
-
5171
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xss.ts
5172
- var xss = {
5173
- allowSpecialCharacters: {
5174
- content: ({ source_value }) => `Does your code allow encodable HTML characters like '&', '<', '"' etc. in: \`${source_value}\`?`,
5175
- description: () => "",
5176
- guidance: () => ""
5177
- },
5178
- containsHtml: {
5179
- content: ({ prop_value }) => `Does your code allow having HTML tags in: \`${prop_value}\`?`,
5180
- description: () => "",
5181
- guidance: () => ""
5182
- },
5183
- netVersionGreaterOrEqual45: {
5184
- content: () => "Is your target framework .NET 4.5 or greater?",
5185
- description: () => "",
5186
- guidance: () => ""
5187
- },
5188
- useHTML4NamedEntities: {
5189
- content: () => "Would you like to use HTML 4.0 Named entities?",
5190
- description: () => "See [examples](https://www.w3schools.com/charsets/ref_html_entities_4.asp) and [full description](https://www.w3.org/TR/WD-html40-970708/sgml/entities.html)",
5191
- guidance: () => ""
5192
- }
5193
- };
5194
-
5195
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xxe.ts
5196
- var xxe = {
5197
- netVersionGreaterOrEqual4: {
5198
- content: () => "Is your target framework .NET 4.0.0 or greater?",
5199
- description: () => "",
5200
- guidance: ({ userInputValue }) => {
5201
- switch (userInputValue) {
5202
- case "yes":
5203
- return "We set `DtdProcessing` to `DtdProcessing.Prohibit` in order to prevent DTD parsing.";
5204
- default:
5205
- return "We set `ProhibitDtd` to `true` in order to prevent DTD parsing.";
5206
- }
5207
- }
5208
- }
5209
- };
5210
-
5211
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
5212
- var vulnerabilities12 = {
5213
- ["LOG_FORGING"]: logForging,
5214
- ["SSRF"]: ssrf2,
5215
- ["XXE"]: xxe,
5216
- ["XSS"]: xss,
5217
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream,
5218
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak,
5219
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch,
5220
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation,
5221
- ["PT"]: pt,
5222
- ["REGEX_MISSING_TIMEOUT"]: regexMissingTimeout,
5223
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie,
5224
- ["INSECURE_COOKIE"]: insecureCookie,
5225
- ["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED"]: wcfMisconfigurationThrottlingNotEnabled,
5226
- ["INSECURE_BINDER_CONFIGURATION"]: insecureBinderConfiguration,
5227
- ["VALUE_SHADOWING"]: valueShadowing,
5228
- ["INSECURE_RANDOMNESS"]: insecureRandomness,
5229
- ["INSUFFICIENT_LOGGING"]: insufficientLogging,
5230
- ["SQL_Injection"]: sqlInjection2,
5231
- ["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
5232
- };
5233
- var csharp_default2 = vulnerabilities12;
5234
-
5235
- // src/features/analysis/scm/shared/src/storedQuestionData/go/logForging.ts
5236
- var logForging2 = {
5237
- isHtmlDisplay: {
5238
- content: () => "Is the text written to the log going to be displayed as HTML?",
5239
- description: () => "",
5240
- guidance: () => ""
5241
- }
5242
- };
5243
-
5244
- // src/features/analysis/scm/shared/src/storedQuestionData/go/missingSslMinversion.ts
5245
- var missingSslMinversion = {
5246
- minTlsVersion: {
5247
- content: () => "What is the minimum version of Transport Layer Security (TLS) you allow? Ensure compatibility between the server and clients.",
5248
- description: () => "",
5249
- guidance: () => ""
5250
- }
5251
- };
5252
-
5253
- // src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
5254
- var websocketMissingOriginCheck = {
5255
- minTlsVersion: {
5256
- content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
5257
- description: () => "",
5258
- guidance: () => ""
5259
- }
5260
- };
5261
-
5262
- // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
5263
- var vulnerabilities13 = {
5264
- ["LOG_FORGING"]: logForging2,
5265
- ["MISSING_SSL_MINVERSION"]: missingSslMinversion,
5266
- ["WEBSOCKET_MISSING_ORIGIN_CHECK"]: websocketMissingOriginCheck
5267
- };
5268
- var go_default2 = vulnerabilities13;
5269
-
5270
- // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
5271
- var commandInjection2 = {
5272
- isUnixShellCommandPart: {
5273
- content: () => "Is the input part of Unix shell command?",
5274
- description: () => `For example:
5275
-
5276
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -t 5 -c 5 " + input});\`
5277
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "curl " + input + " > file.txt"});\`
5278
-
5279
- Make sure the input is not:
5280
-
5281
- 1. An executable name:
5282
- - \`Runtime.getRuntime().exec(input);\`
5283
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", input});\`
5284
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", input + " param"});\`
5285
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "cat file.txt | " + input});\`
5286
- - \`Runtime.getRuntime().exec(new String[] {"/usr/bin/git", "--upload-pack", input});\`
5287
- 2. A part of non-unix or cross platform shell command:
5288
- - \`Runtime.getRuntime().exec(new String[] {"cmd.exe", "/c", "ping " + input});\`
5289
- 3. A part of programming language code:
5290
- - \`Runtime.getRuntime().exec(new String[] {"php", "-r", "echo '" + input + "';"});\`
5291
- - \`Runtime.getRuntime().exec(new String[] {"perl", "-e", "print '" + input + "'"});\``,
5292
- guidance: () => ""
5293
- },
5294
- installApacheCommonsText: {
5295
- content: () => "Is the Apache Commons library (org.apache.commons) included in your project, if not, can you add it?",
5296
- description: () => "Apache Commons Text is a library focused on algorithms working on strings.",
5297
- guidance: ({ userInputValue }) => userInputValue === "yes" ? "To add the library, modify your pom.xml or build.gradle to include the library. You can find the latest version here https://mvnrepository.com/artifact/org.apache.commons/commons-text" : ""
5298
- },
5299
- cmdAllowlist: {
5300
- content: () => "Allowed Commands",
5301
- description: () => "Make sure that the list of commands is separated by commas.",
5302
- guidance: () => ""
5303
- }
5304
- };
5305
-
5306
- // src/features/analysis/scm/shared/src/storedQuestionData/java/confusingNaming.ts
5307
- var confusingNaming = {
5308
- newFieldName: {
5309
- content: () => "Rename the existing field",
5310
- description: () => "",
5311
- guidance: () => ""
5312
- }
5313
- };
5314
-
5315
- // src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
5316
- var duplicatedStrings = {
5317
- constantName: {
5318
- content: () => "New constant name",
5319
- description: () => "",
5320
- guidance: () => ""
5321
- }
5322
- };
5323
-
5324
- // src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
5325
- var erroneousStringCompare = {
5326
- javaVersionGreaterOrEqual17: {
5327
- content: () => "Is `java.util.Objects` package available in your runtime?",
5328
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5329
- guidance: () => ""
5330
- }
5331
- };
5332
-
5333
- // src/features/analysis/scm/shared/src/storedQuestionData/java/errorConditionWithoutAction.ts
5334
- var errorConditionWithoutAction = {
5335
- errorMessage: {
5336
- content: () => "Enter the error message that you want to appear in the log",
5337
- description: () => "",
5338
- guidance: () => ""
5339
- }
5340
- };
5341
-
5342
- // src/features/analysis/scm/shared/src/storedQuestionData/java/httpOnlyCookie.ts
5343
- var httpOnlyCookie2 = {
5344
- httpOnlyCookie: {
5345
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
5346
- description: ({ class_name }) => class_name == "Cookie" ? `${httpOnlyMessage2} ${setHttpOnlyMethodMessage}` : httpOnlyMessage2,
5347
- guidance: () => ""
5348
- },
5349
- cookieVarName: {
5350
- content: () => "Please define a variable name",
5351
- description: () => `We need a variable for the new cookie instance`,
5352
- guidance: () => ""
5353
- }
5354
- };
5355
- var httpOnlyMessage2 = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
5356
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
5357
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
5358
-
5359
- &nbsp;
5360
-
5361
-
5362
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
5363
-
5364
- &nbsp;
5365
-
5366
- `;
5367
- var setHttpOnlyMethodMessage = `Beware that if your application is using a version of the javax.servlet-api package < 3.0
5368
- this change will not work since the method "setHttpOnly" is not present in previous of the package.`;
5369
-
5370
- // src/features/analysis/scm/shared/src/storedQuestionData/java/insecureCookie.ts
5371
- var insecureCookie2 = {
5372
- insecureCookie: {
5373
- content: () => "Will this cookie be used only in encrypted channels (https)?",
5374
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
5375
- In environments like local development or test, setting cookies as secure might have some consequences:
5376
-
5377
- &nbsp;
5378
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
5379
- additional configuration and certificates. If cookies are marked as secure,
5380
- they won't be sent over HTTP, and this could potentially interfere with the normal
5381
- functioning of your application during development.
5382
-
5383
- &nbsp;
5384
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
5385
- testing environment accurately simulates the production environment's security features.
5386
- This may involve setting up HTTPS in your local development environment.
5387
-
5388
- &nbsp;
5389
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
5390
- development environment, especially if you need to inspect or manipulate the cookies during
5391
- development.`,
5392
- guidance: () => ""
5393
- },
5394
- cookieVarName: {
5395
- content: () => "Please define a variable name",
5396
- description: () => `We need a variable for the new cookie instance`,
5397
- guidance: () => ""
5398
- }
5399
- };
5400
-
5401
- // src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
5402
- var j2eeGetConnection2 = {
5403
- jndiResourceName: {
5404
- content: () => "What JNDI name is the database connection pool registered under?",
5405
- description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
5406
- guidance: () => ""
5407
- }
5408
- };
5409
-
5410
- // src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
5411
- var leftoverDebugCode = {
5412
- isCodeUsed: {
5413
- content: () => "The function seems to be a remnant of debug code. Is it still being used?",
5414
- description: () => "",
5415
- guidance: () => ""
5416
- }
5417
- };
5418
-
5419
- // src/features/analysis/scm/shared/src/storedQuestionData/java/localeDependentComparison.ts
5420
- var localeDependentComparison = {
5421
- localeType: {
5422
- content: ({ variable }) => `Is ${variable} locale dependent?`,
5423
- description: () => `Select "locale insensitive" for string comparisons that are not dependent on the locale.
5424
-
5425
- Select "default locale" for string comparisons that uses the default locale.
5426
-
5427
- Select "custom locale" for string comparisons that are dependent on a specific locale language.`,
5428
- guidance: () => ""
5429
- },
5430
- customLocaleLanguage: {
5431
- content: () => "What is your locale language?",
5432
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5433
- guidance: () => ""
5434
- },
5435
- customLocaleCountry: {
5436
- content: () => "What is your locale country?",
5437
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5438
- guidance: () => ""
5439
- }
5440
- };
5441
-
5442
- // src/features/analysis/scm/shared/src/storedQuestionData/java/logForging.ts
5443
- var logForging3 = {
5444
- isHtmlDisplay: {
5445
- content: () => "Is the text written to the log going to be displayed as HTML?",
5446
- description: () => "",
5447
- guidance: () => ""
5448
- },
5449
- htmlEscapingLib: {
5450
- content: () => "Which HTML escaping library would you like to use?",
5451
- description: () => `
5452
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5453
- - Another \`option is org.apache.commons.text.StringEscapeUtils\``,
5454
- guidance: () => ""
5455
- }
5456
- };
5457
-
5458
- // src/features/analysis/scm/shared/src/storedQuestionData/java/missingCheckAgainstNull.ts
5459
- var missingCheckAgainstNull = {
5460
- preferredAction: {
5461
- content: ({ tainted_expression }) => `What is expected behavior if \`${tainted_expression}\` returns null?`,
5462
- description: () => "",
5463
- guidance: () => ""
5464
- },
5465
- javaVersionGreaterOrEqual17: {
5466
- content: () => "Is `java.util.Objects` package available in your runtime?",
5467
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5468
- guidance: () => ""
5469
- }
5470
- };
5471
-
5472
- // src/features/analysis/scm/shared/src/storedQuestionData/java/openRedirect.ts
5473
- var openRedirect = {
5474
- allowlist: {
5475
- content: () => "Allowed domains",
5476
- description: () => "Add a comma separated list of allowed domains (e.g. 'google.com,example.com')",
5477
- guidance: () => ""
5478
- }
5479
- };
5480
-
5481
- // src/features/analysis/scm/shared/src/storedQuestionData/java/overlyBroadCatch.ts
5482
- var overlyBroadCatch2 = {
5483
- handleRuntimeExceptions: {
5484
- content: () => "Does the code intentionally catch `RuntimeException` instances like `ArithmeticException` or `NullPointerException` in the `catch` block?",
5485
- description: () => "Usually, when catching the general `Exception` class catching of `RuntimeException` is implied and not necessarily the wanted/safe behavior. The application needs to deal with it explicitly in a different way, as the Mobb fix suggests.",
5486
- guidance: () => ""
5487
- }
5488
- };
5489
-
5490
- // src/features/analysis/scm/shared/src/storedQuestionData/java/privacyViolation.ts
5491
- var privacyViolation = {
5492
- remediationOption: {
5493
- content: () => "Preferred fix solution",
5494
- description: () => `
5495
- - Completely Remove the log message
5496
- - Replace the sensitive data with the string [Redacted]
5497
- - SHA 256 Hash the sensitive information in the log message`,
5498
- guidance: () => ""
5499
- }
5500
- };
5501
-
5502
- // src/features/analysis/scm/shared/src/storedQuestionData/java/pt.ts
5503
- var pt2 = {
5504
- isPathRelativeOnly: {
5505
- content: ({ expression }) => `Do you expect \`${expression}\` to be a relative path?`,
5506
- description: () => "You most likely want to serve files relative to the web server's static files folder in web applications. If so, your answer should be `yes`. In CLI applications, you probably would like to give the user more flexibility and allow them to specify absolute paths to any location on the disk \u2013 your answer should be `no` in such cases.",
5507
- guidance: () => ""
5508
- },
5509
- isFileName: {
5510
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file name part?`,
5511
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters. If \`${expression}\` is supposed to legitimately include such characters, the answer should be "no".`,
5512
- guidance: () => ""
5513
- }
5514
- };
5515
-
5516
- // src/features/analysis/scm/shared/src/storedQuestionData/java/relativePathCommand.ts
5517
- var relativePathCommand = {
5518
- executableLocationPath: {
5519
- content: () => "What is the absolute path of the directory containing the executable?",
5520
- description: () => "We need the absolute path to the executable to protect your application from command injection and ensure malicious actors cannot execute arbitrary commands on your system.",
5521
- guidance: () => ""
5522
- }
5523
- };
5524
-
5525
- // src/features/analysis/scm/shared/src/storedQuestionData/java/sqlInjection.ts
5526
- function capitalizeFirstLetter(item) {
5527
- return item.charAt(0).toUpperCase() + item.slice(1);
5528
- }
5529
- var typeToSetMethod = {
5530
- integer: "setInt",
5531
- date: "setDate",
5532
- string: "setString"
5533
- };
5534
- var sqlInjection3 = {
5535
- parameterType: {
5536
- content: ({ tainted_term }) => `What is the SQL Data Type of the \`${tainted_term}\` parameter?`,
5537
- description: () => "In order to make sure the statement is built correctly, we must ensure we use the same type that is defined for this parameter in the SQL table. If you are unsure of this type, please consult with your team.",
5538
- guidance: ({
5539
- tainted_term,
5540
- taint_var_type_guidance_required,
5541
- userInputValue
5542
- }) => {
5543
- if (!taint_var_type_guidance_required || !userInputValue) {
5544
- return "";
5545
- }
5546
- if (!taint_var_type_guidance_required[userInputValue]) {
5547
- return "";
5548
- }
5549
- return `Make sure to convert \`${tainted_term}\` to \`${capitalizeFirstLetter(
5550
- userInputValue
5551
- )}\` which is the type expected by the new setter method: \`${typeToSetMethod[userInputValue]}\``;
5552
- }
5553
- },
5554
- varName: {
5555
- content: () => "Name the new PreparedStatement variable",
5556
- description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
5557
- guidance: () => ""
5558
- },
5559
- taintIndex: {
5560
- content: ({ tainted_term }) => `What is the index of \`\`\`${tainted_term}\`\`\` in the query?`,
5561
- description: () => "When constructing a query, we need to know exactly where to insert this parameter. If the query has more than one parameter, the index gives us this information. Leave the value as 1 if there is only one parameter.",
5562
- guidance: () => ""
5563
- },
5564
- statementAfterQuery: {
5565
- content: ({ var_name }) => `Is the \`Statement\` variable \`${var_name}\` declared after constructing the query string?`,
5566
- description: () => "When creating the `PreparedStatement` parameter, we need to give it the constructed query. Currently, Mobb doesn't support the case where the query string is defined after the statement in your code.",
5567
- guidance: ({ userInputValue }) => userInputValue === "no" ? "You should move the code creating the query so it is executed before being used by the prepared statement" : ""
5568
- },
5569
- statementBeforeQuery: {
5570
- content: ({ var_name }) => `Is the query string variable declared after the \`Statement\` variable \`${var_name}\`?`,
5571
- description: ({ enquote_func_name }) => `We need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method. Currently, Mobb doesn't support the case where the query string is defined before the statement in your code.`,
5572
- guidance: ({
5573
- userInputValue,
5574
- enquote_func_name
5575
- }) => userInputValue === "no" ? `You should move the code creating the query so it is executed after creating the \`Statement\` object as we need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method.` : ""
5576
- },
5577
- containsControlCharacters: {
5578
- content: ({ tainted_term }) => `Does \`\`\`${tainted_term}\`\`\` represent a single SQL parameter value?`,
5579
- description: () => `This should be 'no' only in the rare cases where the input variable itself does not represent a single SQL parameter value but rather other parts of a SQL query such as a table name, a column name, a list of values, a complete or partial inner SQL statement, etc.
5580
-
5581
- It may be confusing a bit, so here are some examples:
5582
-
5583
- * A SQL identifier \`\`\`(SELECT * FROM \${tableName})\`\`\`
5584
-
5585
- * A SQL statement \`\`\`(SELECT * FROM users ORDER BY id \${order})\`\`\``,
5586
- guidance: () => ""
5587
- },
5588
- javaVersionGreaterOrEqual19: {
5589
- content: ({ enquote_func_name }) => `Is \`java.sql.Statement.${enquote_func_name}\` method available in your runtime?`,
5590
- description: ({ enquote_func_name }) => `\`java.sql.Statement.${enquote_func_name}\` is supported in Java 1.9 or greater.`,
5591
- guidance: () => ""
5592
- },
5593
- queryParameterName: {
5594
- content: () => "What should be the name of the query parameter?",
5595
- description: () => "",
5596
- guidance: () => ""
5597
- }
5598
- };
5599
-
5600
- // src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
5601
- var ssrf3 = {
5602
- domainsAllowlist: {
5603
- content: () => "Allowed URL prefixes",
5604
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
5605
- &nbsp;
5606
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
5607
- guidance: () => ""
5608
- }
5609
- };
5610
-
5611
- // src/features/analysis/scm/shared/src/storedQuestionData/java/sysLeak.ts
5612
- var sysLeak2 = {
5613
- errorMessage: {
5614
- content: () => "Enter the error message that you want to appear in the log",
5615
- description: () => "",
5616
- guidance: () => ""
5617
- },
5618
- noLoggerAction: {
5619
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5620
- description: () => "",
5621
- guidance: () => ""
5622
- }
5623
- };
5624
-
5625
- // src/features/analysis/scm/shared/src/storedQuestionData/java/trustBoundaryViolation.ts
5626
- var trustBoundaryViolation2 = {
5627
- validationPattern: {
5628
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
5629
- description: () => "We use regex to validate the input to avoid runtime surprises",
5630
- guidance: () => ""
5631
- },
5632
- otherPatternValue: {
5633
- content: () => `Enter the regex pattern you would like to use to validate the input`,
5634
- description: () => "See patterns at [the regex javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html)",
5635
- guidance: () => ""
5636
- }
5637
- };
5638
-
5639
- // src/features/analysis/scm/shared/src/storedQuestionData/java/uncheckedLoopCondition.ts
5640
- var uncheckedLoopCondition = {
5641
- loopLimit: {
5642
- content: () => "Please define a maximum loop limit",
5643
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5644
- guidance: () => ""
5645
- },
5646
- varName: {
5647
- content: () => "Please define a variable name",
5648
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5649
- guidance: () => ""
5650
- }
5651
- };
5652
-
5653
- // src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
5654
- var unsafeReflection = {
5655
- classAllowlist: {
5656
- content: () => "Allowed class names for reflection",
5657
- description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
5658
- guidance: () => ""
5659
- }
5660
- };
5661
-
5662
- // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
5663
- var useOfSystemOutputStream2 = {
5664
- noLoggerAction: {
5665
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5666
- description: () => "",
5667
- guidance: () => ""
5668
- }
5669
- };
5670
-
5671
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xss.ts
5672
- var xss2 = {
5673
- isHtmlOrSafeAttribute: {
5674
- content: ({ tainted_variable }) => `Where is \`${tainted_variable}\` written to?`,
5675
- description: () => `Answer examples:
5676
-
5677
- - a text in an HTML tag or a value of a safe HTML attribute:
5678
- - \`<li><%= name %></li>\`
5679
- - \`<div>Name: <%= name %></div>\`
5680
- - \`<input value="<%= name %>" name="name"/>\`
5681
- - \`<div data-name="<%= name %>"></div>\`
5682
- - a JavaScript code block:
5683
- - \`<script>const name = "<%= name %>";</script>\`
5684
- - an event attribute of an HTML tag:
5685
- - \`<a onclick="alert('<%= name %>')">click me</a>\`
5686
- - \`<img onmouseover="alert('<%= name %>')"/>\`
5687
- - a src-like attribute of an HTML tag:
5688
- - \`<a href="/user/<%= name %>">me</a>\`
5689
- - \`<img src="/img/<%= name %>"/>\`
5690
- - \`<form action="<%= name %>"></form>\`
5691
- - \`<iframe srcdoc="<%= name %>"/>\`
5692
- - a part of an HTML tag attributes list:
5693
- - \`<a <%= name %>>text</a>\`
5694
-
5695
- See more details about safe and unsafe HTML attributes:
5696
- - [PortSwigger cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
5697
- - [DOMPurify attributes filter implementation](https://github.com/cure53/DOMPurify/blob/c29aa900a1c286b82ee4f48a7ffab96cab3e84fa/src/attrs.js)
5698
- `,
5699
- guidance: () => ""
5700
- },
5701
- isHtmlEncoded: {
5702
- content: () => "Is the user input already encoded as HTML text?",
5703
- description: () => "If you are unsure, we will decode the user input and encode it again to ensure it is safe and the data is kept the same.",
5704
- guidance: () => ""
5705
- },
5706
- htmlEscapingLib: {
5707
- content: () => "Which HTML escaping library would you like to use?",
5708
- description: () => `
5709
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5710
- - Another option is \`org.apache.commons.text.StringEscapeUtils\``,
5711
- guidance: () => ""
5712
- }
5713
- };
5714
-
5715
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xxe.ts
5716
- var xxe2 = {
5717
- factoryVarName: {
5718
- content: () => "Name the new Factory variable",
5719
- description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
5720
- guidance: () => ""
5721
- }
5722
- };
5723
-
5724
- // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
5725
- var vulnerabilities14 = {
5726
- ["SQL_Injection"]: sqlInjection3,
5727
- ["CMDi_relative_path_command"]: relativePathCommand,
5728
- ["CMDi"]: commandInjection2,
5729
- ["CONFUSING_NAMING"]: confusingNaming,
5730
- ["ERROR_CONDTION_WITHOUT_ACTION"]: errorConditionWithoutAction,
5731
- ["XXE"]: xxe2,
5732
- ["XSS"]: xss2,
5733
- ["PRIVACY_VIOLATION"]: privacyViolation,
5734
- ["PT"]: pt2,
5735
- ["SSRF"]: ssrf3,
5736
- ["LOG_FORGING"]: logForging3,
5737
- ["LOCALE_DEPENDENT_COMPARISON"]: localeDependentComparison,
5738
- ["MISSING_CHECK_AGAINST_NULL"]: missingCheckAgainstNull,
5739
- ["OPEN_REDIRECT"]: openRedirect,
5740
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch2,
5741
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak2,
5742
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream2,
5743
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie2,
5744
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition,
5745
- ["INSECURE_COOKIE"]: insecureCookie2,
5746
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation2,
5747
- ["UNSAFE_REFLECTION"]: unsafeReflection,
5748
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection2,
5749
- ["LEFTOVER_DEBUG_CODE"]: leftoverDebugCode,
5750
- ["ERRONEOUS_STRING_COMPARE"]: erroneousStringCompare,
5751
- ["DUPLICATED_STRINGS"]: duplicatedStrings
5752
- };
5753
- var java_default2 = vulnerabilities14;
5754
-
5755
- // src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
5756
- var csrf2 = {
5757
- isPythonDjangoTemplate: {
5758
- content: () => "Is the reported file Python Django template?",
5759
- description: () => "",
5760
- guidance: () => ""
5761
- }
5762
- };
5763
-
5764
- // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
5765
- var commandInjection3 = {
5766
- isCommandExecutable: {
5767
- content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
5768
- description: () => `Does the command fall into one of the following categories:
5769
-
5770
- 1. An executable name:
5771
- - \`exec(input);\`
5772
- - \`exec("/bin/bash " + input);\`
5773
- - \`exec("/bin/sh -c" + input + " param");\`
5774
- - \`exec("/bin/bash -c cat file.txt | " + input);\`
5775
- - \`exec("/usr/bin/git --upload-pack " + input);\`
5776
- 2. A part of non-unix or cross platform shell command:
5777
- - \`exec("cmd.exe /c ping " + input);\`
5778
- 3. A part of programming language code:
5779
- - \`exec("php -r echo '" + input + "';");\`
5780
- - \`exec("perl -e print '" + input + "'");\``,
5781
- guidance: () => ""
5782
- }
5783
- };
5784
-
5785
- // src/features/analysis/scm/shared/src/storedQuestionData/js/graphqlDepthLimit.ts
5786
- var graphqlDepthLimit = {
5787
- depthLimit: {
5788
- content: () => "Please define a maximum query depth",
5789
- description: () => `Setting this number to a reasonable value will prevent the attack.
5790
- Make sure to pick a value large enough to allowed the nessecary amount of nested queries.`,
5791
- guidance: () => {
5792
- return "We use `graphql-depth-limit` npm package to limit the depth of nested queries. Please make sure you install the package using `npm install graphql-depth-limit`.";
5793
- }
5794
- }
5795
- };
5796
-
5797
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
5798
- var hardcodedDomainInHtml = {
5799
- isCDNFixedVersion: {
5800
- content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
5801
- description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
5802
- guidance: () => ""
5803
- }
5804
- };
5805
-
5806
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
5807
- var hardcodedSecrets2 = {
5808
- envVarName: {
5809
- content: () => "Please define an environment variable name",
5810
- description: () => `We will use this environment variable instead of the hardcoded secret`,
5811
- guidance: () => ""
5812
- },
5813
- keepAsDefault: {
5814
- content: () => "Do you want to keep the hardcoded secret in the code for now?",
5815
- description: () => 'Answer "yes" if you cannot set the environment variable in all environments right away.',
5816
- guidance: () => ""
5817
- }
5818
- };
5819
-
5820
- // src/features/analysis/scm/shared/src/storedQuestionData/js/iframeWithoutSandbox.ts
5821
- var iframeWithoutSandbox = {
5822
- iframeRestrictions: {
5823
- content: () => "Please define a comma-separated list of iframe sandbox restrictions (optional)",
5824
- description: () => `Possible values:
5825
- - allow-downloads
5826
- - allow-forms
5827
- - allow-modals
5828
- - allow-orientation-lock
5829
- - allow-pointer-lock
5830
- - allow-popups
5831
- - allow-popups-to-escape-sandbox
5832
- - allow-presentation
5833
- - allow-same-origin
5834
- - allow-scripts
5835
- - allow-storage-access-by-user-activation
5836
- - allow-top-navigation
5837
- - allow-top-navigation-by-user-activation
5838
- - allow-top-navigation-to-custom-protocols
5839
-
5840
- See more info [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox).`,
5841
- guidance: () => ""
5842
- }
5843
- };
5844
-
5845
- // src/features/analysis/scm/shared/src/storedQuestionData/js/incompleteUrlSanitization.ts
5846
- var incompleteUrlSanitization = {
5847
- allowedRootDomain: {
5848
- content: () => "The root domain of your application",
5849
- description: () => "We needed to strengthen the security check by ensuring that the url is under the root domain of your application.",
5850
- guidance: () => ""
5851
- }
5852
- };
5853
-
5854
- // src/features/analysis/scm/shared/src/storedQuestionData/js/insecureRandomness.ts
5855
- var insecureRandomness2 = {
5856
- isGetRandomValuesSupported: {
5857
- content: () => "Is getRandomValues() function supported by your JavaScript engine?",
5858
- description: () => "[getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is supported by [more than 97% of browsers](https://caniuse.com/?search=getRandomValues) and [Node.js >= 15.0.0](https://nodejs.org/api/webcrypto.html#cryptogetrandomvaluestypedarray).",
5859
- guidance: () => ""
5860
- }
5861
- };
5862
-
5863
- // src/features/analysis/scm/shared/src/storedQuestionData/js/logForging.ts
5864
- var logForging4 = {
5865
- isHtmlDisplay: {
5866
- content: () => "Is the text written to the log going to be displayed as HTML?",
5867
- description: () => "",
5868
- guidance: () => ""
5869
- }
5870
- };
5871
-
5872
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
5873
- var cspHeaderValue = {
5874
- cspHeaderValue: {
5875
- content: () => "Please provide the value for the Content-Security-Policy header",
5876
- description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
5877
-
5878
- &nbsp;
5879
- &nbsp;
5880
- **What it does**:
5881
-
5882
- &nbsp;
5883
- &nbsp;
5884
- CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
5885
-
5886
- &nbsp;
5887
- &nbsp;
5888
- - Which scripts can execute.
5889
- &nbsp; - Where images can be loaded from.
5890
- &nbsp; - Which styles can be applied.
5891
- &nbsp; - Which forms can be submitted to.
5892
- &nbsp; - What domains can be connected to.
5893
- &nbsp;
5894
- &nbsp; Default value explanation:
5895
- &nbsp;
5896
- &nbsp; - default-src 'self: Only allows resources from the same origin by default.
5897
- &nbsp; - script-src 'self': Only allows scripts to be loaded from the same origin.
5898
- &nbsp; - style-src 'self': Only allows styles from the same origin.
5899
- &nbsp; - object-src 'none': Disallows <object>, <embed>, and <applet> elements.
5900
- &nbsp; - base-uri 'self': Restricts where the <base> tag can point to.
5901
- &nbsp; - frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
5902
-
5903
- &nbsp;
5904
- &nbsp; **This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
5905
- guidance: () => ``
5906
- }
5907
- };
5908
-
5909
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
5910
- var headerMaxAge = {
5911
- headerMaxAge: {
5912
- content: () => "Please provide the maximum age of the header",
5913
- description: () => `This is the time, in seconds, that the browser should remember that the site is only to be accessed using \`HTTPS\`.
5914
- &nbsp;
5915
- &nbsp;
5916
- Setting the \`max-age\` to \`0\` (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via \`HTTP\`.
5917
-
5918
-
5919
- &nbsp;
5920
- &nbsp;
5921
- The HTTP Strict-Transport-Security response header (\`HSTS\`) informs browsers that the site
5922
- should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically
5923
- be converted to HTTPS.
5924
-
5925
-
5926
- &nbsp;
5927
- &nbsp;
5928
- If a website accepts a connection through \`HTTP\` and redirects to \`HTTPS\`, visitors may initially communicate with
5929
- the non-encrypted version of the site before being redirected, if, for example, the visitor
5930
- types \`http://www.example.com\` or even just \`example.com\`. This creates an opportunity for a man-in-the-middle attack.
5931
- The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
5932
-
5933
- &nbsp;
5934
- &nbsp;
5935
- The \`HTTP\` Strict Transport Security header informs the browser that it should never load a site using \`HTTP\`
5936
- and should automatically convert all attempts to access the site using \`HTTP\` to \`HTTPS\` requests instead.`,
5937
- guidance: () => ``
5938
- }
5939
- };
5940
-
5941
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
5942
- var xFrameOptionsValue = {
5943
- xFrameOptionsValue: {
5944
- content: () => "Please provide the value for the X-Frame-Options header",
5945
- description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).
5946
- &nbsp;
5947
- &nbsp; **Allowed values:**
5948
- &nbsp; - \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.
5949
- &nbsp; - \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
5950
- guidance: () => ``
5951
- }
5952
- };
5953
-
5954
- // src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
5955
- var noLimitsOrThrottling2 = {
5956
- setGlobalLimiter: {
5957
- content: () => "Would you like to use a global rate limit for all your endpoints within the same file?",
5958
- description: () => "",
5959
- guidance: () => ""
5960
- }
5961
- };
5962
-
5963
- // src/features/analysis/scm/shared/src/storedQuestionData/js/openRedirect.ts
5964
- var openRedirect2 = {
5965
- isExternal: {
5966
- content: () => "Does the redirect go to an external site?",
5967
- description: () => "",
5968
- guidance: () => ""
5969
- },
5970
- domainAllowlist: {
5971
- content: () => "Allowed domains names",
5972
- description: () => "please provide a coma separated list of allowed domains names (example.com, example.org, etc.)",
5973
- guidance: () => ""
5974
- },
5975
- pathAllowlist: {
5976
- content: () => "Allowed paths (URIs)",
5977
- description: () => "please provide a coma separated list of allowed path (/health, /api/v1/health, etc.)",
5978
- guidance: () => ""
5979
- },
5980
- includeProtocolValidation: {
5981
- content: () => "Should HTTP or HTTPS protocol be enforced?",
5982
- description: () => "please indicate if the protocol should be enforced",
5983
- guidance: () => ""
5984
- }
5985
- };
5986
-
5987
- // src/features/analysis/scm/shared/src/storedQuestionData/js/pt.ts
5988
- var pt3 = {
5989
- taintedTermType: {
5990
- content: ({ expression }) => `Does \`${expression}\` represent a file name, a relative path or an absolute path?`,
5991
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
5992
- guidance: () => ""
5993
- }
5994
- };
5995
-
5996
- // src/features/analysis/scm/shared/src/storedQuestionData/js/ssrf.ts
5997
- var ssrf4 = {
5998
- domainsAllowlist: {
5999
- content: () => "List of allowed domain names",
6000
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary domains.
6001
-
6002
- &nbsp;
6003
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of domains the server should be allowed to call.`,
6004
- guidance: () => ""
6005
- }
6006
- };
6007
-
6008
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeak.ts
6009
- var sysLeak3 = {
6010
- errorMessage: {
6011
- content: () => "Enter the error message that you want to appear in the log",
6012
- description: () => "",
6013
- guidance: () => ""
6014
- },
6015
- noLoggerAction: {
6016
- content: () => "Which of the following you want to use instead of the vulnerable code?",
6017
- description: () => "",
6018
- guidance: () => ""
6019
- }
6020
- };
6021
-
6022
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeakExternal.ts
6023
- var sysLeakExternal = {
6024
- errorMessage: {
6025
- content: () => "Enter the error message that you want to appear to the user",
6026
- description: () => "",
6027
- guidance: () => ""
6028
- }
6029
- };
6030
-
6031
- // src/features/analysis/scm/shared/src/storedQuestionData/js/typeConfusion.ts
6032
- var typeConfusion = {
6033
- argumentType: {
6034
- content: () => "What is the type of the HTTP argument?",
6035
- description: () => "What is the type of the HTTP argument?",
6036
- guidance: () => ""
6037
- }
6038
- };
6039
-
6040
- // src/features/analysis/scm/shared/src/storedQuestionData/js/uncheckedLoopCondition.ts
6041
- var uncheckedLoopCondition2 = {
6042
- loopLimit: {
6043
- content: () => "Please define a maximum loop limit",
6044
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
6045
- guidance: () => ""
6046
- },
6047
- varName: {
6048
- content: () => "Please define a variable name",
6049
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
6050
- guidance: () => ""
6051
- }
6052
- };
6053
-
6054
- // src/features/analysis/scm/shared/src/storedQuestionData/js/xss.ts
6055
- var xss3 = {
6056
- containsHtml: {
6057
- content: () => "Does the element or variable contain HTML formatting",
6058
- description: () => "",
6059
- guidance: () => ""
6060
- },
6061
- isParamTypeString: {
6062
- content: () => "Is the parameter passed to the $() function a string",
6063
- description: () => "",
6064
- guidance: () => ""
6065
- },
6066
- isSanitized: {
6067
- content: ({ expression }) => `Is the expression \`${expression}\` supposed to be not sanitized in this context?`,
6068
- description: () => "You are using unsafe string substitution in the template. This means that if the expression can contain maliciously crafted data, it may lead to XSS injection. To apply the fix, you have to make sure the expression is not sanitized on the backend already, and it does not represent an HTML code block.",
6069
- guidance: () => ""
6070
- },
6071
- isServerSideCode: {
6072
- content: () => "Is this code running on the server side (a NodeJS application)",
6073
- description: () => "The fix to this vulnerability is different is the code runs in the client (browser) or the server side (NodeJs)",
6074
- guidance: () => ""
6075
- }
6076
- };
6077
-
6078
- // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
6079
- var vulnerabilities15 = {
6080
- ["CMDi"]: commandInjection3,
6081
- ["GRAPHQL_DEPTH_LIMIT"]: graphqlDepthLimit,
6082
- ["INSECURE_RANDOMNESS"]: insecureRandomness2,
6083
- ["SSRF"]: ssrf4,
6084
- ["TYPE_CONFUSION"]: typeConfusion,
6085
- ["INCOMPLETE_URL_SANITIZATION"]: incompleteUrlSanitization,
6086
- ["LOG_FORGING"]: logForging4,
6087
- ["XSS"]: xss3,
6088
- ["OPEN_REDIRECT"]: openRedirect2,
6089
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak3,
6090
- ["SYSTEM_INFORMATION_LEAK_EXTERNAL"]: sysLeakExternal,
6091
- ["IFRAME_WITHOUT_SANDBOX"]: iframeWithoutSandbox,
6092
- ["PT"]: pt3,
6093
- ["HARDCODED_SECRETS"]: hardcodedSecrets2,
6094
- ["MISSING_HSTS_HEADER"]: headerMaxAge,
6095
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition2,
6096
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling2,
6097
- ["MISSING_CSP_HEADER"]: cspHeaderValue,
6098
- ["MISSING_X_FRAME_OPTIONS"]: xFrameOptionsValue,
6099
- ["HARDCODED_DOMAIN_IN_HTML"]: hardcodedDomainInHtml,
6100
- ["CSRF"]: csrf2
6101
- };
6102
- var js_default = vulnerabilities15;
6103
-
6104
- // src/features/analysis/scm/shared/src/storedQuestionData/python/duplicatedStrings.ts
6105
- var duplicatedStrings2 = {
6106
- constantName: {
6107
- content: () => "New constant name",
6108
- description: () => "",
6109
- guidance: () => ""
6110
- }
6111
- };
6112
-
6113
- // src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
6114
- var logForging5 = {
6115
- isHtmlDisplay: {
6116
- content: () => "Is the text written to the log going to be displayed as HTML?",
6117
- description: () => "",
6118
- guidance: ({ userInputValue }) => {
6119
- switch (userInputValue) {
6120
- case "yes":
6121
- return "We use `html.escape` to decode the HTML";
6122
- default:
6123
- return "";
6124
- }
6125
- }
6126
- }
6127
- };
6128
-
6129
- // src/features/analysis/scm/shared/src/storedQuestionData/python/missingEncoding.ts
6130
- var missingEncoding = {
6131
- fEncoding: {
6132
- content: () => "Enter the encoding of the file",
6133
- description: () => "",
6134
- guidance: () => ""
6135
- }
6136
- };
6137
-
6138
- // src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
6139
- var openRedirect3 = {
6140
- allowed_hosts: {
6141
- content: () => "Allowed domains/paths",
6142
- description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
6143
- guidance: () => ""
6144
- }
6145
- };
6146
-
6147
- // src/features/analysis/scm/shared/src/storedQuestionData/python/ssrf.ts
6148
- var ssrf5 = {
6149
- domainsAllowlist: {
6150
- content: () => "Allowed URL prefixes",
6151
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
6152
- &nbsp;
6153
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
6154
- guidance: () => ""
6155
- }
6156
- };
6157
-
6158
- // src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
6159
- var uncheckedLoopCondition3 = {
6160
- loopLimit: {
6161
- content: () => "Please define a maximum loop limit",
6162
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
6163
- guidance: () => ""
6164
- },
6165
- varName: {
6166
- content: () => "Please define a variable name",
6167
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
6168
- guidance: () => ""
6169
- }
6170
- };
6171
-
6172
- // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
6173
- var vulnerabilities16 = {
6174
- ["CSRF"]: csrf2,
6175
- ["LOG_FORGING"]: logForging5,
6176
- ["OPEN_REDIRECT"]: openRedirect3,
6177
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition3,
6178
- ["DUPLICATED_STRINGS"]: duplicatedStrings2,
6179
- ["MISSING_ENCODING_FILE_OPEN"]: missingEncoding,
6180
- ["SSRF"]: ssrf5
6181
- };
6182
- var python_default2 = vulnerabilities16;
6183
-
6184
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
6185
- var unboundedOccurrences = {
6186
- maxOccursLimit: {
6187
- content: () => "The number of allowed repetitions of the element.",
6188
- description: () => "",
6189
- guidance: () => `Setting this number to a reasonable value will prevent the attack.
6190
- A value too low will prevent valid XMLs from being processed.
6191
- A value too high will cause performance issues up to and including denial of service.`
6192
- }
6193
- };
6194
-
6195
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
6196
- var vulnerabilities17 = {
6197
- ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES"]: unboundedOccurrences
6198
- };
6199
- var xml_default2 = vulnerabilities17;
6200
-
6201
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/noNewPrivileges.ts
6202
- var noNewPrivileges = {
6203
- requireNewPrivileges: {
6204
- content: () => "Does the container require new privileges?",
6205
- description: () => "",
6206
- guidance: () => `If the container requires new privileges, setting the no-new-privileges option might harm the container functionality.`
6207
- }
6208
- };
6209
-
6210
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/portAllInterfaces.ts
6211
- var portAllInterfaces = {
6212
- trustedIP: {
6213
- content: () => "Enter trusted Network IP",
6214
- description: () => "",
6215
- guidance: () => `Properly set this value to prevent access from untrusted network adapters. Setting this to a wrong value would prevent accessing the container and might break the system.`
6216
- }
6217
- };
6218
-
6219
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/writableFilesystemService.ts
6220
- var writableFilesystemService = {
6221
- requireWriteAccess: {
6222
- content: () => "Does the container require writable filesystem access?",
6223
- description: () => "",
6224
- guidance: () => `If the container requires writable filesystem access, setting the filesystem as readonly might harm the container functionality.`
6225
- }
6226
- };
6227
-
6228
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
6229
- var vulnerabilities18 = {
6230
- ["PORT_ALL_INTERFACES"]: portAllInterfaces,
6231
- ["WRITABLE_FILESYSTEM_SERVICE"]: writableFilesystemService,
6232
- ["NO_NEW_PRIVILEGES"]: noNewPrivileges
6233
- };
6234
- var yaml_default = vulnerabilities18;
6235
-
6236
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
6237
- var StoredQuestionDataItemZ = z10.object({
6238
- content: z10.function().args(z10.any()).returns(z10.string()),
6239
- description: z10.function().args(z10.any()).returns(z10.string()),
6240
- guidance: z10.function().args(z10.any()).returns(z10.string())
6241
- });
6242
- var languages2 = {
6243
- ["Java" /* Java */]: java_default2,
6244
- ["JavaScript" /* JavaScript */]: js_default,
6245
- ["XML" /* Xml */]: xml_default2,
6246
- ["CSharp" /* CSharp */]: csharp_default2,
6247
- ["Python" /* Python */]: python_default2,
6248
- ["Go" /* Go */]: go_default2,
6249
- ["Cpp" /* Cpp */]: cpp_default,
6250
- ["YAML" /* Yaml */]: yaml_default
6251
- };
6252
-
6253
- // src/features/analysis/scm/shared/src/guidances.ts
6254
- var IssueTypeAndLanguageZ = z11.object({
6255
- issueType: SafeIssueTypeStringZ,
6256
- issueLanguage: z11.nativeEnum(IssueLanguage_Enum)
6257
- });
6258
4637
 
6259
4638
  // src/features/analysis/scm/shared/src/index.ts
6260
4639
  init_issueTypeCatalog();
@@ -6263,19 +4642,19 @@ init_urlParser2();
6263
4642
  init_validations();
6264
4643
 
6265
4644
  // src/features/analysis/scm/types.ts
6266
- import { z as z13 } from "zod";
4645
+ import { z as z10 } from "zod";
6267
4646
  var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
6268
4647
  ReferenceType2["BRANCH"] = "BRANCH";
6269
4648
  ReferenceType2["COMMIT"] = "COMMIT";
6270
4649
  ReferenceType2["TAG"] = "TAG";
6271
4650
  return ReferenceType2;
6272
4651
  })(ReferenceType || {});
6273
- var GithubFullShaZ = z13.string().regex(/^[a-f0-9]{40}$/);
6274
- var MergedPrSurvivalMetadataZ = z13.object({
6275
- mergeCommitShas: z13.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
4652
+ var GithubFullShaZ = z10.string().regex(/^[a-f0-9]{40}$/);
4653
+ var MergedPrSurvivalMetadataZ = z10.object({
4654
+ mergeCommitShas: z10.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
6276
4655
  message: "mergeCommitShas must contain unique SHAs"
6277
4656
  }),
6278
- targetBranch: z13.string().min(1)
4657
+ targetBranch: z10.string().min(1)
6279
4658
  });
6280
4659
  var scmCloudHostname = {
6281
4660
  ["GitLab" /* GitLab */]: new URL(scmCloudUrl.GitLab).hostname,
@@ -6295,10 +4674,10 @@ var scmTypeToScmLibScmType = {
6295
4674
  ["Ado" /* Ado */]: "ADO" /* ADO */,
6296
4675
  ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
6297
4676
  };
6298
- var GetReferenceResultZ = z13.object({
6299
- date: z13.date().optional(),
6300
- sha: z13.string(),
6301
- type: z13.nativeEnum(ReferenceType)
4677
+ var GetReferenceResultZ = z10.object({
4678
+ date: z10.date().optional(),
4679
+ sha: z10.string(),
4680
+ type: z10.nativeEnum(ReferenceType)
6302
4681
  });
6303
4682
 
6304
4683
  // src/features/analysis/scm/ado/constants.ts
@@ -6310,39 +4689,39 @@ init_env();
6310
4689
  import querystring from "querystring";
6311
4690
  import * as api from "azure-devops-node-api";
6312
4691
  import Debug3 from "debug";
6313
- import { z as z17 } from "zod";
4692
+ import { z as z14 } from "zod";
6314
4693
 
6315
4694
  // src/features/analysis/scm/ado/validation.ts
6316
- import { z as z16 } from "zod";
6317
- var ValidPullRequestStatusZ = z16.union([
6318
- z16.literal(1 /* Active */),
6319
- z16.literal(2 /* Abandoned */),
6320
- z16.literal(3 /* Completed */)
4695
+ import { z as z13 } from "zod";
4696
+ var ValidPullRequestStatusZ = z13.union([
4697
+ z13.literal(1 /* Active */),
4698
+ z13.literal(2 /* Abandoned */),
4699
+ z13.literal(3 /* Completed */)
6321
4700
  ]);
6322
- var AdoAuthResultZ = z16.object({
6323
- access_token: z16.string().min(1),
6324
- token_type: z16.string().min(1),
6325
- refresh_token: z16.string().min(1)
4701
+ var AdoAuthResultZ = z13.object({
4702
+ access_token: z13.string().min(1),
4703
+ token_type: z13.string().min(1),
4704
+ refresh_token: z13.string().min(1)
6326
4705
  });
6327
4706
  var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
6328
- scmOrgs: z16.array(z16.string())
4707
+ scmOrgs: z13.array(z13.string())
6329
4708
  });
6330
- var profileZ = z16.object({
6331
- displayName: z16.string(),
6332
- publicAlias: z16.string().min(1),
6333
- emailAddress: z16.string(),
6334
- coreRevision: z16.number(),
6335
- timeStamp: z16.string(),
6336
- id: z16.string(),
6337
- revision: z16.number()
4709
+ var profileZ = z13.object({
4710
+ displayName: z13.string(),
4711
+ publicAlias: z13.string().min(1),
4712
+ emailAddress: z13.string(),
4713
+ coreRevision: z13.number(),
4714
+ timeStamp: z13.string(),
4715
+ id: z13.string(),
4716
+ revision: z13.number()
6338
4717
  });
6339
- var accountsZ = z16.object({
6340
- count: z16.number(),
6341
- value: z16.array(
6342
- z16.object({
6343
- accountId: z16.string(),
6344
- accountUri: z16.string(),
6345
- accountName: z16.string()
4718
+ var accountsZ = z13.object({
4719
+ count: z13.number(),
4720
+ value: z13.array(
4721
+ z13.object({
4722
+ accountId: z13.string(),
4723
+ accountUri: z13.string(),
4724
+ accountName: z13.string()
6346
4725
  })
6347
4726
  )
6348
4727
  });
@@ -6363,39 +4742,39 @@ import querystring2 from "querystring";
6363
4742
  import * as bitbucketPkgNode from "bitbucket";
6364
4743
  import bitbucketPkg from "bitbucket";
6365
4744
  import Debug4 from "debug";
6366
- import { z as z20 } from "zod";
4745
+ import { z as z17 } from "zod";
6367
4746
 
6368
4747
  // src/features/analysis/scm/bitbucket/validation.ts
6369
- import { z as z19 } from "zod";
6370
- var BitbucketAuthResultZ = z19.object({
6371
- access_token: z19.string(),
6372
- token_type: z19.string(),
6373
- refresh_token: z19.string()
4748
+ import { z as z16 } from "zod";
4749
+ var BitbucketAuthResultZ = z16.object({
4750
+ access_token: z16.string(),
4751
+ token_type: z16.string(),
4752
+ refresh_token: z16.string()
6374
4753
  });
6375
4754
 
6376
4755
  // src/features/analysis/scm/bitbucket/bitbucket.ts
6377
4756
  var debug5 = Debug4("scm:bitbucket");
6378
4757
  var BITBUCKET_HOSTNAME = "bitbucket.org";
6379
- var TokenExpiredErrorZ = z20.object({
6380
- status: z20.number(),
6381
- error: z20.object({
6382
- type: z20.string(),
6383
- error: z20.object({
6384
- message: z20.string()
4758
+ var TokenExpiredErrorZ = z17.object({
4759
+ status: z17.number(),
4760
+ error: z17.object({
4761
+ type: z17.string(),
4762
+ error: z17.object({
4763
+ message: z17.string()
6385
4764
  })
6386
4765
  })
6387
4766
  });
6388
4767
  var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
6389
- var BitbucketParseResultZ = z20.object({
6390
- organization: z20.string(),
6391
- repoName: z20.string(),
6392
- hostname: z20.literal(BITBUCKET_HOSTNAME)
4768
+ var BitbucketParseResultZ = z17.object({
4769
+ organization: z17.string(),
4770
+ repoName: z17.string(),
4771
+ hostname: z17.literal(BITBUCKET_HOSTNAME)
6393
4772
  });
6394
- var UserWorkspacePermissionsRepositoriesResponseZ = z20.object({
6395
- values: z20.array(
6396
- z20.object({
6397
- repository: z20.object({
6398
- full_name: z20.string().optional()
4773
+ var UserWorkspacePermissionsRepositoriesResponseZ = z17.object({
4774
+ values: z17.array(
4775
+ z17.object({
4776
+ repository: z17.object({
4777
+ full_name: z17.string().optional()
6399
4778
  }).optional()
6400
4779
  })
6401
4780
  ).optional()
@@ -6403,7 +4782,7 @@ var UserWorkspacePermissionsRepositoriesResponseZ = z20.object({
6403
4782
 
6404
4783
  // src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
6405
4784
  import { setTimeout as setTimeout3 } from "timers/promises";
6406
- import { z as z21 } from "zod";
4785
+ import { z as z18 } from "zod";
6407
4786
 
6408
4787
  // src/features/analysis/scm/constants.ts
6409
4788
  var REPORT_DEFAULT_FILE_NAME = "report.json";
@@ -6413,7 +4792,7 @@ init_env();
6413
4792
 
6414
4793
  // src/features/analysis/scm/github/GithubSCMLib.ts
6415
4794
  import pLimit3 from "p-limit";
6416
- import { z as z22 } from "zod";
4795
+ import { z as z19 } from "zod";
6417
4796
  init_client_generates();
6418
4797
 
6419
4798
  // src/features/analysis/scm/github/github.ts
@@ -6446,11 +4825,11 @@ import {
6446
4825
  init_env();
6447
4826
 
6448
4827
  // src/features/analysis/scm/gitlab/types.ts
6449
- import { z as z23 } from "zod";
6450
- var GitlabAuthResultZ = z23.object({
6451
- access_token: z23.string(),
6452
- token_type: z23.string(),
6453
- refresh_token: z23.string()
4828
+ import { z as z20 } from "zod";
4829
+ var GitlabAuthResultZ = z20.object({
4830
+ access_token: z20.string(),
4831
+ token_type: z20.string(),
4832
+ refresh_token: z20.string()
6454
4833
  });
6455
4834
 
6456
4835
  // src/features/analysis/scm/gitlab/gitlab.ts
@@ -6461,69 +4840,69 @@ import pLimit5 from "p-limit";
6461
4840
  init_client_generates();
6462
4841
 
6463
4842
  // src/features/analysis/scm/scmFactory.ts
6464
- import { z as z24 } from "zod";
4843
+ import { z as z21 } from "zod";
6465
4844
 
6466
4845
  // src/features/analysis/graphql/gql.ts
6467
4846
  init_client_generates();
6468
4847
 
6469
4848
  // src/features/analysis/graphql/types.ts
6470
4849
  init_client_generates();
6471
- import { z as z25 } from "zod";
6472
- var VulnerabilityReportIssueCodeNodeZ = z25.object({
6473
- vulnerabilityReportIssueId: z25.string(),
6474
- path: z25.string(),
6475
- startLine: z25.number(),
6476
- vulnerabilityReportIssue: z25.object({
6477
- fixId: z25.string(),
6478
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
6479
- safeIssueType: z25.string(),
6480
- vulnerabilityReportIssueTags: z25.array(
6481
- z25.object({
6482
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
4850
+ import { z as z22 } from "zod";
4851
+ var VulnerabilityReportIssueCodeNodeZ = z22.object({
4852
+ vulnerabilityReportIssueId: z22.string(),
4853
+ path: z22.string(),
4854
+ startLine: z22.number(),
4855
+ vulnerabilityReportIssue: z22.object({
4856
+ fixId: z22.string(),
4857
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
4858
+ safeIssueType: z22.string(),
4859
+ vulnerabilityReportIssueTags: z22.array(
4860
+ z22.object({
4861
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
6483
4862
  })
6484
4863
  )
6485
4864
  })
6486
4865
  });
6487
- var VulnerabilityReportIssueNoFixCodeNodeZ = z25.object({
6488
- vulnerabilityReportIssues: z25.array(
6489
- z25.object({
6490
- id: z25.string(),
6491
- fixId: z25.string().nullable(),
6492
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
6493
- safeIssueType: z25.string(),
6494
- fpId: z25.string().uuid().nullable(),
6495
- codeNodes: z25.array(
6496
- z25.object({
6497
- path: z25.string(),
6498
- startLine: z25.number()
4866
+ var VulnerabilityReportIssueNoFixCodeNodeZ = z22.object({
4867
+ vulnerabilityReportIssues: z22.array(
4868
+ z22.object({
4869
+ id: z22.string(),
4870
+ fixId: z22.string().nullable(),
4871
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
4872
+ safeIssueType: z22.string(),
4873
+ fpId: z22.string().uuid().nullable(),
4874
+ codeNodes: z22.array(
4875
+ z22.object({
4876
+ path: z22.string(),
4877
+ startLine: z22.number()
6499
4878
  })
6500
4879
  ),
6501
- vulnerabilityReportIssueTags: z25.array(
6502
- z25.object({
6503
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
4880
+ vulnerabilityReportIssueTags: z22.array(
4881
+ z22.object({
4882
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
6504
4883
  })
6505
4884
  )
6506
4885
  })
6507
4886
  )
6508
4887
  });
6509
- var GetVulByNodesMetadataZ = z25.object({
6510
- vulnerabilityReportIssueCodeNodes: z25.array(VulnerabilityReportIssueCodeNodeZ),
6511
- nonFixablePrVuls: z25.object({
6512
- aggregate: z25.object({
6513
- count: z25.number()
4888
+ var GetVulByNodesMetadataZ = z22.object({
4889
+ vulnerabilityReportIssueCodeNodes: z22.array(VulnerabilityReportIssueCodeNodeZ),
4890
+ nonFixablePrVuls: z22.object({
4891
+ aggregate: z22.object({
4892
+ count: z22.number()
6514
4893
  })
6515
4894
  }),
6516
- fixablePrVuls: z25.object({
6517
- aggregate: z25.object({
6518
- count: z25.number()
4895
+ fixablePrVuls: z22.object({
4896
+ aggregate: z22.object({
4897
+ count: z22.number()
6519
4898
  })
6520
4899
  }),
6521
- totalScanVulnerabilities: z25.object({
6522
- aggregate: z25.object({
6523
- count: z25.number()
4900
+ totalScanVulnerabilities: z22.object({
4901
+ aggregate: z22.object({
4902
+ count: z22.number()
6524
4903
  })
6525
4904
  }),
6526
- irrelevantVulnerabilityReportIssue: z25.array(
4905
+ irrelevantVulnerabilityReportIssue: z22.array(
6527
4906
  VulnerabilityReportIssueNoFixCodeNodeZ
6528
4907
  )
6529
4908
  });
@@ -7823,8 +6202,8 @@ var defaultLogger2 = {
7823
6202
  }
7824
6203
  }
7825
6204
  };
7826
- var PromptItemZ = z26.object({
7827
- type: z26.enum([
6205
+ var PromptItemZ = z23.object({
6206
+ type: z23.enum([
7828
6207
  "USER_PROMPT",
7829
6208
  "AI_RESPONSE",
7830
6209
  "TOOL_EXECUTION",
@@ -7832,32 +6211,32 @@ var PromptItemZ = z26.object({
7832
6211
  "MCP_TOOL_CALL"
7833
6212
  // MCP (Model Context Protocol) tool invocation
7834
6213
  ]),
7835
- attachedFiles: z26.array(
7836
- z26.object({
7837
- relativePath: z26.string(),
7838
- startLine: z26.number().optional()
6214
+ attachedFiles: z23.array(
6215
+ z23.object({
6216
+ relativePath: z23.string(),
6217
+ startLine: z23.number().optional()
7839
6218
  })
7840
6219
  ).optional(),
7841
- tokens: z26.object({
7842
- inputCount: z26.number(),
7843
- outputCount: z26.number()
6220
+ tokens: z23.object({
6221
+ inputCount: z23.number(),
6222
+ outputCount: z23.number()
7844
6223
  }).optional(),
7845
- text: z26.string().optional(),
7846
- date: z26.date().optional(),
7847
- tool: z26.object({
7848
- name: z26.string(),
7849
- parameters: z26.string(),
7850
- result: z26.string(),
7851
- rawArguments: z26.string().optional(),
7852
- accepted: z26.boolean().optional(),
6224
+ text: z23.string().optional(),
6225
+ date: z23.date().optional(),
6226
+ tool: z23.object({
6227
+ name: z23.string(),
6228
+ parameters: z23.string(),
6229
+ result: z23.string(),
6230
+ rawArguments: z23.string().optional(),
6231
+ accepted: z23.boolean().optional(),
7853
6232
  // MCP-specific fields (only populated for MCP_TOOL_CALL type)
7854
- mcpServer: z26.string().optional(),
6233
+ mcpServer: z23.string().optional(),
7855
6234
  // MCP server name (e.g., "datadog", "mobb-mcp")
7856
- mcpToolName: z26.string().optional()
6235
+ mcpToolName: z23.string().optional()
7857
6236
  // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
7858
6237
  }).optional()
7859
6238
  });
7860
- var PromptItemArrayZ = z26.array(PromptItemZ);
6239
+ var PromptItemArrayZ = z23.array(PromptItemZ);
7861
6240
  var NULL_REPO_STATE = {
7862
6241
  repositoryUrl: null,
7863
6242
  branch: null,