mobbdev 1.4.34 → 1.4.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.mjs CHANGED
@@ -346,6 +346,9 @@ var init_client_generates = __esm({
346
346
  key
347
347
  value
348
348
  }
349
+ content
350
+ description
351
+ guidance
349
352
  }
350
353
  extraContext {
351
354
  extraContext {
@@ -590,6 +593,9 @@ var init_client_generates = __esm({
590
593
  name
591
594
  options
592
595
  value
596
+ content
597
+ description
598
+ guidance
593
599
  __typename
594
600
  }
595
601
  extraContext {
@@ -599,6 +605,7 @@ var init_client_generates = __esm({
599
605
  __typename
600
606
  }
601
607
  fixDescription
608
+ guidances
602
609
  manifestActionsRequired {
603
610
  action
604
611
  lib {
@@ -1087,6 +1094,9 @@ var init_client_generates = __esm({
1087
1094
  key
1088
1095
  value
1089
1096
  }
1097
+ content
1098
+ description
1099
+ guidance
1090
1100
  }
1091
1101
  extraContext {
1092
1102
  extraContext {
@@ -1367,26 +1377,26 @@ var init_getIssueType = __esm({
1367
1377
  });
1368
1378
 
1369
1379
  // src/features/analysis/scm/shared/src/types/shared.ts
1370
- import { z as z5 } from "zod";
1380
+ import { z as z2 } from "zod";
1371
1381
  var ParsedSeverityZ, ScmSubmitFixRequestsZ;
1372
1382
  var init_shared = __esm({
1373
1383
  "src/features/analysis/scm/shared/src/types/shared.ts"() {
1374
1384
  "use strict";
1375
1385
  init_client_generates();
1376
- ParsedSeverityZ = z5.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
1377
- ScmSubmitFixRequestsZ = z5.array(
1378
- z5.object({
1379
- scmSubmitFixRequest: z5.object({
1380
- submitFixRequest: z5.object({
1381
- createdByUser: z5.object({
1382
- email: z5.string()
1386
+ ParsedSeverityZ = z2.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
1387
+ ScmSubmitFixRequestsZ = z2.array(
1388
+ z2.object({
1389
+ scmSubmitFixRequest: z2.object({
1390
+ submitFixRequest: z2.object({
1391
+ createdByUser: z2.object({
1392
+ email: z2.string()
1383
1393
  }),
1384
- targetBranchName: z5.string().default("")
1394
+ targetBranchName: z2.string().default("")
1385
1395
  }),
1386
- prUrl: z5.string().nullable(),
1387
- prStatus: z5.nativeEnum(Pr_Status_Enum).nullable(),
1388
- commitUrl: z5.string().nullable(),
1389
- scmId: z5.string()
1396
+ prUrl: z2.string().nullable(),
1397
+ prStatus: z2.nativeEnum(Pr_Status_Enum).nullable(),
1398
+ commitUrl: z2.string().nullable(),
1399
+ scmId: z2.string()
1390
1400
  })
1391
1401
  })
1392
1402
  );
@@ -1394,94 +1404,106 @@ var init_shared = __esm({
1394
1404
  });
1395
1405
 
1396
1406
  // src/features/analysis/scm/shared/src/types/fix.ts
1397
- import { z as z6 } from "zod";
1407
+ import { z as z3 } from "zod";
1398
1408
  var PackageInfoZ, ManifestActionRequiredZ, ExtraContextInternalZ, FixExtraContextZ, PatchAndQuestionsZ, FixRatingZ, IssueRatingZ, IssueSharedStateZ, FixSharedStateZ, FixQueryZ, FixPartsForFixScreenZ;
1399
1409
  var init_fix = __esm({
1400
1410
  "src/features/analysis/scm/shared/src/types/fix.ts"() {
1401
1411
  "use strict";
1402
1412
  init_client_generates();
1403
1413
  init_shared();
1404
- PackageInfoZ = z6.object({
1405
- name: z6.string(),
1406
- version: z6.string(),
1407
- envName: z6.string().nullable()
1408
- });
1409
- ManifestActionRequiredZ = z6.object({
1410
- action: z6.nativeEnum(ManifestAction),
1411
- language: z6.nativeEnum(Language),
1414
+ PackageInfoZ = z3.object({
1415
+ name: z3.string(),
1416
+ version: z3.string(),
1417
+ envName: z3.string().nullable()
1418
+ });
1419
+ ManifestActionRequiredZ = z3.object({
1420
+ action: z3.nativeEnum(ManifestAction),
1421
+ language: z3.nativeEnum(Language),
1412
1422
  lib: PackageInfoZ,
1413
1423
  typesLib: PackageInfoZ.nullable()
1414
1424
  });
1415
- ExtraContextInternalZ = z6.object({
1416
- key: z6.string(),
1417
- value: z6.string().or(z6.boolean()).or(
1418
- z6.object({
1419
- int: z6.boolean(),
1420
- integer: z6.boolean(),
1421
- string: z6.boolean(),
1422
- date: z6.boolean()
1425
+ ExtraContextInternalZ = z3.object({
1426
+ key: z3.string(),
1427
+ value: z3.string().or(z3.boolean()).or(
1428
+ z3.object({
1429
+ int: z3.boolean(),
1430
+ integer: z3.boolean(),
1431
+ string: z3.boolean(),
1432
+ date: z3.boolean()
1423
1433
  })
1424
1434
  )
1425
1435
  });
1426
- FixExtraContextZ = z6.object({
1427
- fixDescription: z6.string(),
1428
- manifestActionsRequired: z6.array(ManifestActionRequiredZ),
1429
- extraContext: z6.array(ExtraContextInternalZ)
1430
- });
1431
- PatchAndQuestionsZ = z6.object({
1432
- __typename: z6.literal("FixData"),
1433
- patch: z6.string(),
1434
- patchOriginalEncodingBase64: z6.string(),
1435
- questions: z6.array(
1436
- z6.object({
1437
- name: z6.string(),
1438
- key: z6.string(),
1439
- index: z6.number(),
1440
- defaultValue: z6.string(),
1441
- value: z6.string().nullable(),
1442
- extraContext: z6.array(ExtraContextInternalZ),
1443
- inputType: z6.nativeEnum(FixQuestionInputType),
1444
- options: z6.array(z6.string())
1436
+ FixExtraContextZ = z3.object({
1437
+ fixDescription: z3.string(),
1438
+ manifestActionsRequired: z3.array(ManifestActionRequiredZ),
1439
+ extraContext: z3.array(ExtraContextInternalZ),
1440
+ // E-2015: analyzer-served fix-level guidance. default([]) so a query that
1441
+ // omits it still parses, while the output type is a required string[] to match
1442
+ // the non-null GraphQL field. The analyzer is the sole source; getFixGuidances
1443
+ // uses the served value directly (no fallback).
1444
+ guidances: z3.array(z3.string()).default([])
1445
+ });
1446
+ PatchAndQuestionsZ = z3.object({
1447
+ __typename: z3.literal("FixData"),
1448
+ patch: z3.string(),
1449
+ patchOriginalEncodingBase64: z3.string(),
1450
+ questions: z3.array(
1451
+ z3.object({
1452
+ name: z3.string(),
1453
+ key: z3.string(),
1454
+ index: z3.number(),
1455
+ defaultValue: z3.string(),
1456
+ value: z3.string().nullable(),
1457
+ extraContext: z3.array(ExtraContextInternalZ),
1458
+ inputType: z3.nativeEnum(FixQuestionInputType),
1459
+ options: z3.array(z3.string()),
1460
+ // E-2015: analyzer-served question text. default('') so a query that
1461
+ // omits these still parses (-> ''), while the output type stays a required
1462
+ // `string` to match the non-null GraphQL fields. The analyzer is the sole
1463
+ // source; consumers use the served value directly (no fallback).
1464
+ content: z3.string().default(""),
1465
+ description: z3.string().default(""),
1466
+ guidance: z3.string().default("")
1445
1467
  })
1446
1468
  ),
1447
1469
  extraContext: FixExtraContextZ
1448
1470
  });
1449
- FixRatingZ = z6.object({
1450
- voteScore: z6.number(),
1451
- fixRatingTag: z6.nativeEnum(Fix_Rating_Tag_Enum).nullable().default(null),
1452
- comment: z6.string().nullable().default(null),
1453
- updatedDate: z6.string().nullable(),
1454
- user: z6.object({
1455
- email: z6.string(),
1456
- name: z6.string()
1471
+ FixRatingZ = z3.object({
1472
+ voteScore: z3.number(),
1473
+ fixRatingTag: z3.nativeEnum(Fix_Rating_Tag_Enum).nullable().default(null),
1474
+ comment: z3.string().nullable().default(null),
1475
+ updatedDate: z3.string().nullable(),
1476
+ user: z3.object({
1477
+ email: z3.string(),
1478
+ name: z3.string()
1457
1479
  })
1458
1480
  });
1459
- IssueRatingZ = z6.object({
1460
- voteScore: z6.number(),
1461
- comment: z6.string().nullable().default(null),
1462
- updatedDate: z6.string().nullable(),
1463
- user: z6.object({
1464
- email: z6.string(),
1465
- name: z6.string()
1481
+ IssueRatingZ = z3.object({
1482
+ voteScore: z3.number(),
1483
+ comment: z3.string().nullable().default(null),
1484
+ updatedDate: z3.string().nullable(),
1485
+ user: z3.object({
1486
+ email: z3.string(),
1487
+ name: z3.string()
1466
1488
  })
1467
1489
  });
1468
- IssueSharedStateZ = z6.object({
1469
- id: z6.string(),
1470
- createdAt: z6.string(),
1471
- isArchived: z6.boolean(),
1472
- ticketIntegrationId: z6.string().nullable(),
1473
- ticketIntegrations: z6.array(
1474
- z6.object({
1475
- url: z6.string()
1490
+ IssueSharedStateZ = z3.object({
1491
+ id: z3.string(),
1492
+ createdAt: z3.string(),
1493
+ isArchived: z3.boolean(),
1494
+ ticketIntegrationId: z3.string().nullable(),
1495
+ ticketIntegrations: z3.array(
1496
+ z3.object({
1497
+ url: z3.string()
1476
1498
  })
1477
1499
  ),
1478
- issueRatings: z6.array(IssueRatingZ).default([])
1500
+ issueRatings: z3.array(IssueRatingZ).default([])
1479
1501
  }).nullable();
1480
- FixSharedStateZ = z6.object({
1481
- state: z6.nativeEnum(Fix_State_Enum),
1482
- isArchived: z6.boolean(),
1502
+ FixSharedStateZ = z3.object({
1503
+ state: z3.nativeEnum(Fix_State_Enum),
1504
+ isArchived: z3.boolean(),
1483
1505
  scmSubmitFixRequests: ScmSubmitFixRequestsZ,
1484
- fixRatings: z6.array(FixRatingZ).default([])
1506
+ fixRatings: z3.array(FixRatingZ).default([])
1485
1507
  }).nullish().transform(
1486
1508
  (data) => data ? data : {
1487
1509
  state: "Ready" /* Ready */,
@@ -1490,46 +1512,46 @@ var init_fix = __esm({
1490
1512
  fixRatings: []
1491
1513
  }
1492
1514
  );
1493
- FixQueryZ = z6.object({
1494
- __typename: z6.literal("fix").optional(),
1495
- id: z6.string().uuid(),
1515
+ FixQueryZ = z3.object({
1516
+ __typename: z3.literal("fix").optional(),
1517
+ id: z3.string().uuid(),
1496
1518
  sharedState: FixSharedStateZ,
1497
- modifiedBy: z6.string().nullable(),
1498
- gitBlameLogin: z6.string().nullable(),
1499
- safeIssueLanguage: z6.string(),
1500
- safeIssueType: z6.string(),
1501
- confidence: z6.number(),
1502
- fixReportId: z6.string().uuid(),
1503
- isExpired: z6.boolean().default(false),
1504
- fixFiles: z6.array(
1505
- z6.object({
1506
- fileRepoRelativePath: z6.string()
1519
+ modifiedBy: z3.string().nullable(),
1520
+ gitBlameLogin: z3.string().nullable(),
1521
+ safeIssueLanguage: z3.string(),
1522
+ safeIssueType: z3.string(),
1523
+ confidence: z3.number(),
1524
+ fixReportId: z3.string().uuid(),
1525
+ isExpired: z3.boolean().default(false),
1526
+ fixFiles: z3.array(
1527
+ z3.object({
1528
+ fileRepoRelativePath: z3.string()
1507
1529
  })
1508
1530
  ),
1509
- numberOfVulnerabilityIssues: z6.number(),
1510
- severityText: z6.nativeEnum(Vulnerability_Severity_Enum),
1511
- vulnerabilityReportIssues: z6.array(
1512
- z6.object({
1513
- vendorIssueId: z6.string(),
1514
- issueLanguage: z6.string(),
1531
+ numberOfVulnerabilityIssues: z3.number(),
1532
+ severityText: z3.nativeEnum(Vulnerability_Severity_Enum),
1533
+ vulnerabilityReportIssues: z3.array(
1534
+ z3.object({
1535
+ vendorIssueId: z3.string(),
1536
+ issueLanguage: z3.string(),
1515
1537
  parsedSeverity: ParsedSeverityZ,
1516
- sharedState: z6.object({
1517
- id: z6.string().uuid(),
1518
- isArchived: z6.boolean(),
1519
- ticketIntegrationId: z6.string().uuid().nullable()
1538
+ sharedState: z3.object({
1539
+ id: z3.string().uuid(),
1540
+ isArchived: z3.boolean(),
1541
+ ticketIntegrationId: z3.string().uuid().nullable()
1520
1542
  }).nullable()
1521
1543
  })
1522
1544
  ),
1523
1545
  patchAndQuestions: PatchAndQuestionsZ,
1524
- effortToApplyFix: z6.nativeEnum(Effort_To_Apply_Fix_Enum).nullable()
1546
+ effortToApplyFix: z3.nativeEnum(Effort_To_Apply_Fix_Enum).nullable()
1525
1547
  });
1526
1548
  FixPartsForFixScreenZ = FixQueryZ.merge(
1527
- z6.object({
1528
- vulnerabilityReportIssues: z6.array(
1529
- z6.object({
1530
- vendorIssueId: z6.string(),
1531
- issueType: z6.string(),
1532
- issueLanguage: z6.string(),
1549
+ z3.object({
1550
+ vulnerabilityReportIssues: z3.array(
1551
+ z3.object({
1552
+ vendorIssueId: z3.string(),
1553
+ issueType: z3.string(),
1554
+ issueLanguage: z3.string(),
1533
1555
  sharedState: IssueSharedStateZ
1534
1556
  })
1535
1557
  )
@@ -1539,24 +1561,24 @@ var init_fix = __esm({
1539
1561
  });
1540
1562
 
1541
1563
  // src/features/analysis/scm/shared/src/types/analysis.ts
1542
- import { z as z7 } from "zod";
1564
+ import { z as z4 } from "zod";
1543
1565
  var FixPageFixReportZ;
1544
1566
  var init_analysis = __esm({
1545
1567
  "src/features/analysis/scm/shared/src/types/analysis.ts"() {
1546
1568
  "use strict";
1547
1569
  init_client_generates();
1548
1570
  init_client_generates();
1549
- FixPageFixReportZ = z7.object({
1550
- id: z7.string().uuid(),
1551
- analysisUrl: z7.string(),
1552
- createdOn: z7.string(),
1553
- state: z7.nativeEnum(Fix_Report_State_Enum),
1554
- repo: z7.object({
1555
- name: z7.string().nullable(),
1556
- originalUrl: z7.string(),
1557
- reference: z7.string(),
1558
- commitSha: z7.string(),
1559
- isKnownBranch: z7.boolean().nullish().default(true)
1571
+ FixPageFixReportZ = z4.object({
1572
+ id: z4.string().uuid(),
1573
+ analysisUrl: z4.string(),
1574
+ createdOn: z4.string(),
1575
+ state: z4.nativeEnum(Fix_Report_State_Enum),
1576
+ repo: z4.object({
1577
+ name: z4.string().nullable(),
1578
+ originalUrl: z4.string(),
1579
+ reference: z4.string(),
1580
+ commitSha: z4.string(),
1581
+ isKnownBranch: z4.boolean().nullish().default(true)
1560
1582
  }).nullable().transform(
1561
1583
  (repo) => repo ?? {
1562
1584
  name: null,
@@ -1566,13 +1588,13 @@ var init_analysis = __esm({
1566
1588
  isKnownBranch: true
1567
1589
  }
1568
1590
  ),
1569
- vulnerabilityReport: z7.object({
1570
- id: z7.string().uuid(),
1571
- vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
1572
- computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
1573
- projectId: z7.string().uuid(),
1574
- project: z7.object({
1575
- organizationId: z7.string().uuid()
1591
+ vulnerabilityReport: z4.object({
1592
+ id: z4.string().uuid(),
1593
+ vendor: z4.nativeEnum(Vulnerability_Report_Vendor_Enum),
1594
+ computedVendor: z4.nativeEnum(Vulnerability_Report_Vendor_Enum),
1595
+ projectId: z4.string().uuid(),
1596
+ project: z4.object({
1597
+ organizationId: z4.string().uuid()
1576
1598
  })
1577
1599
  })
1578
1600
  });
@@ -1580,7 +1602,7 @@ var init_analysis = __esm({
1580
1602
  });
1581
1603
 
1582
1604
  // src/features/analysis/scm/shared/src/types/issue.ts
1583
- import { z as z8 } from "zod";
1605
+ import { z as z5 } from "zod";
1584
1606
  var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, UnfixablePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapCategoryToBucket, mapBucketTypeToCategory;
1585
1607
  var init_issue = __esm({
1586
1608
  "src/features/analysis/scm/shared/src/types/issue.ts"() {
@@ -1590,57 +1612,57 @@ var init_issue = __esm({
1590
1612
  init_fix();
1591
1613
  init_shared();
1592
1614
  MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES = 1e5;
1593
- VulnerabilityReportIssueRatingZ = z8.object({
1594
- voteScore: z8.number(),
1595
- comment: z8.string().nullable().default(null),
1596
- updatedDate: z8.string().nullable(),
1597
- user: z8.object({
1598
- email: z8.string(),
1599
- name: z8.string()
1615
+ VulnerabilityReportIssueRatingZ = z5.object({
1616
+ voteScore: z5.number(),
1617
+ comment: z5.string().nullable().default(null),
1618
+ updatedDate: z5.string().nullable(),
1619
+ user: z5.object({
1620
+ email: z5.string(),
1621
+ name: z5.string()
1600
1622
  })
1601
1623
  });
1602
- VulnerabilityReportIssueSharedStateZ = z8.object({
1603
- id: z8.string().uuid(),
1604
- createdAt: z8.string(),
1605
- isArchived: z8.boolean(),
1606
- ticketIntegrationId: z8.string().uuid().nullable(),
1607
- ticketIntegrations: z8.array(
1608
- z8.object({
1609
- url: z8.string()
1624
+ VulnerabilityReportIssueSharedStateZ = z5.object({
1625
+ id: z5.string().uuid(),
1626
+ createdAt: z5.string(),
1627
+ isArchived: z5.boolean(),
1628
+ ticketIntegrationId: z5.string().uuid().nullable(),
1629
+ ticketIntegrations: z5.array(
1630
+ z5.object({
1631
+ url: z5.string()
1610
1632
  })
1611
1633
  ),
1612
- issueRatings: z8.array(VulnerabilityReportIssueRatingZ).default([])
1634
+ issueRatings: z5.array(VulnerabilityReportIssueRatingZ).default([])
1613
1635
  }).nullish();
1614
- BaseIssuePartsZ = z8.object({
1615
- id: z8.string().uuid(),
1616
- safeIssueType: z8.string(),
1617
- safeIssueLanguage: z8.string(),
1618
- createdAt: z8.string(),
1636
+ BaseIssuePartsZ = z5.object({
1637
+ id: z5.string().uuid(),
1638
+ safeIssueType: z5.string(),
1639
+ safeIssueLanguage: z5.string(),
1640
+ createdAt: z5.string(),
1619
1641
  parsedSeverity: ParsedSeverityZ,
1620
- category: z8.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1621
- extraData: z8.object({
1622
- missing_files: z8.string().array().nullish(),
1623
- error_files: z8.string().array().nullish(),
1624
- ai_cost_limit_exceeded: z8.string().nullish()
1642
+ category: z5.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1643
+ extraData: z5.object({
1644
+ missing_files: z5.string().array().nullish(),
1645
+ error_files: z5.string().array().nullish(),
1646
+ ai_cost_limit_exceeded: z5.string().nullish()
1625
1647
  }),
1626
- vulnerabilityReportIssueTags: z8.array(
1627
- z8.object({
1628
- tag: z8.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
1648
+ vulnerabilityReportIssueTags: z5.array(
1649
+ z5.object({
1650
+ tag: z5.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
1629
1651
  })
1630
1652
  ),
1631
- codeNodes: z8.array(
1632
- z8.object({
1633
- path: z8.string(),
1634
- line: z8.number(),
1635
- index: z8.number()
1653
+ codeNodes: z5.array(
1654
+ z5.object({
1655
+ path: z5.string(),
1656
+ line: z5.number(),
1657
+ index: z5.number()
1636
1658
  })
1637
1659
  ).transform((nodes) => nodes.sort((a, b) => b.index - a.index)),
1638
- sourceCodeNodes: z8.array(
1639
- z8.object({
1640
- sourceCodeFile: z8.object({
1641
- path: z8.string(),
1642
- signedFile: z8.object({
1643
- url: z8.string()
1660
+ sourceCodeNodes: z5.array(
1661
+ z5.object({
1662
+ sourceCodeFile: z5.object({
1663
+ path: z5.string(),
1664
+ signedFile: z5.object({
1665
+ url: z5.string()
1644
1666
  })
1645
1667
  })
1646
1668
  }).transform(async ({ sourceCodeFile }) => {
@@ -1656,71 +1678,71 @@ var init_issue = __esm({
1656
1678
  })
1657
1679
  ).transform((nodes) => nodes.filter((node) => node !== null)),
1658
1680
  fix: FixPartsForFixScreenZ.nullish(),
1659
- vulnerabilityReportIssueNodeDiffFile: z8.object({
1660
- signedFile: z8.object({
1661
- url: z8.string()
1681
+ vulnerabilityReportIssueNodeDiffFile: z5.object({
1682
+ signedFile: z5.object({
1683
+ url: z5.string()
1662
1684
  }).transform(async ({ url }) => {
1663
1685
  const codeDiff = await fetch(url).then((res) => res.text());
1664
1686
  return { codeDiff };
1665
1687
  })
1666
1688
  }).nullish(),
1667
1689
  sharedState: VulnerabilityReportIssueSharedStateZ,
1668
- unfixableId: z8.string().uuid().nullish()
1690
+ unfixableId: z5.string().uuid().nullish()
1669
1691
  });
1670
- FalsePositivePartsZ = z8.object({
1671
- extraContext: z8.array(z8.object({ key: z8.string(), value: z8.string() })),
1672
- fixDescription: z8.string()
1692
+ FalsePositivePartsZ = z5.object({
1693
+ extraContext: z5.array(z5.object({ key: z5.string(), value: z5.string() })),
1694
+ fixDescription: z5.string()
1673
1695
  });
1674
- UnfixablePartsZ = z8.object({
1675
- extraContext: z8.array(z8.object({ key: z8.string(), value: z8.string() })),
1676
- fixDescription: z8.string()
1696
+ UnfixablePartsZ = z5.object({
1697
+ extraContext: z5.array(z5.object({ key: z5.string(), value: z5.string() })),
1698
+ fixDescription: z5.string()
1677
1699
  });
1678
1700
  IssuePartsWithFixZ = BaseIssuePartsZ.merge(
1679
- z8.object({
1680
- category: z8.literal("Irrelevant" /* Irrelevant */),
1701
+ z5.object({
1702
+ category: z5.literal("Irrelevant" /* Irrelevant */),
1681
1703
  fix: FixPartsForFixScreenZ.nullish()
1682
1704
  })
1683
1705
  );
1684
1706
  IssuePartsFpZ = BaseIssuePartsZ.merge(
1685
- z8.object({
1686
- category: z8.literal("FalsePositive" /* FalsePositive */),
1687
- fpId: z8.string().uuid(),
1707
+ z5.object({
1708
+ category: z5.literal("FalsePositive" /* FalsePositive */),
1709
+ fpId: z5.string().uuid(),
1688
1710
  getFalsePositive: FalsePositivePartsZ
1689
1711
  })
1690
1712
  );
1691
1713
  GeneralIssueZ = BaseIssuePartsZ.merge(
1692
- z8.object({
1693
- category: z8.union([
1694
- z8.literal("NoFix" /* NoFix */),
1695
- z8.literal("Unsupported" /* Unsupported */),
1696
- z8.literal("Fixable" /* Fixable */),
1697
- z8.literal("Filtered" /* Filtered */),
1698
- z8.literal("Pending" /* Pending */)
1714
+ z5.object({
1715
+ category: z5.union([
1716
+ z5.literal("NoFix" /* NoFix */),
1717
+ z5.literal("Unsupported" /* Unsupported */),
1718
+ z5.literal("Fixable" /* Fixable */),
1719
+ z5.literal("Filtered" /* Filtered */),
1720
+ z5.literal("Pending" /* Pending */)
1699
1721
  ]),
1700
1722
  getUnfixable: UnfixablePartsZ.nullish()
1701
1723
  })
1702
1724
  );
1703
- IssuePartsZ = z8.union([
1725
+ IssuePartsZ = z5.union([
1704
1726
  IssuePartsFpZ,
1705
1727
  IssuePartsWithFixZ,
1706
1728
  GeneralIssueZ
1707
1729
  ]);
1708
- GetIssueIndexesZ = z8.object({
1709
- currentIndex: z8.number(),
1710
- totalIssues: z8.number(),
1711
- nextIssue: z8.object({
1712
- id: z8.string().uuid()
1730
+ GetIssueIndexesZ = z5.object({
1731
+ currentIndex: z5.number(),
1732
+ totalIssues: z5.number(),
1733
+ nextIssue: z5.object({
1734
+ id: z5.string().uuid()
1713
1735
  }).nullish(),
1714
- prevIssue: z8.object({
1715
- id: z8.string().uuid()
1736
+ prevIssue: z5.object({
1737
+ id: z5.string().uuid()
1716
1738
  }).nullish()
1717
1739
  });
1718
- GetIssueScreenDataZ = z8.object({
1740
+ GetIssueScreenDataZ = z5.object({
1719
1741
  fixReport_by_pk: FixPageFixReportZ,
1720
1742
  vulnerability_report_issue_by_pk: IssuePartsZ,
1721
1743
  issueIndexes: GetIssueIndexesZ
1722
1744
  });
1723
- IssueBucketZ = z8.enum(["fixable", "irrelevant", "remaining"]);
1745
+ IssueBucketZ = z5.enum(["fixable", "irrelevant", "remaining"]);
1724
1746
  mapCategoryToBucket = {
1725
1747
  FalsePositive: "irrelevant",
1726
1748
  Irrelevant: "irrelevant",
@@ -1747,19 +1769,19 @@ var init_issue = __esm({
1747
1769
  });
1748
1770
 
1749
1771
  // src/features/analysis/scm/shared/src/validations.ts
1750
- import { z as z9 } from "zod";
1772
+ import { z as z6 } from "zod";
1751
1773
  var IssueTypeSettingZ, IssueTypeSettingsZ;
1752
1774
  var init_validations = __esm({
1753
1775
  "src/features/analysis/scm/shared/src/validations.ts"() {
1754
1776
  "use strict";
1755
1777
  init_getIssueType();
1756
1778
  init_issueTypeCatalog();
1757
- IssueTypeSettingZ = z9.object({
1758
- autoPrEnabled: z9.boolean(),
1759
- enabled: z9.boolean(),
1779
+ IssueTypeSettingZ = z6.object({
1780
+ autoPrEnabled: z6.boolean(),
1781
+ enabled: z6.boolean(),
1760
1782
  issueType: SafeIssueTypeStringZ
1761
1783
  });
1762
- IssueTypeSettingsZ = z9.array(IssueTypeSettingZ).transform((issueTypeSettings) => {
1784
+ IssueTypeSettingsZ = z6.array(IssueTypeSettingZ).transform((issueTypeSettings) => {
1763
1785
  const catalogValues = listIssueTypeCatalog().map((entry) => entry.value);
1764
1786
  if (catalogValues.length === 0) {
1765
1787
  throw new Error(
@@ -1784,7 +1806,7 @@ var init_validations = __esm({
1784
1806
  });
1785
1807
 
1786
1808
  // src/features/analysis/scm/shared/src/types/types.ts
1787
- import { z as z10 } from "zod";
1809
+ import { z as z7 } from "zod";
1788
1810
  var OrganizationScreenQueryParamsZ, ProjectPageQueryParamsZ, AnalysisPageQueryParamsZ, FixPageQueryParamsZ, IssuePageQueryParamsZ, CliLoginPageQueryParamsZ, AnalysisReportDigestedZ, IssueSharedStateZ2, ReportQueryResultZ, ReportFixesQueryFixZ, BaseVulnerabilityReportIssueZ, VulnerabilityReportIssueZ, VulnerabilityReportIssueWithCodeFilePathZ, GetReportIssuesQueryZ, FixReportByProjectZ, FixScreenQueryResultZ, FixPageQueryZ, GetReportFixesQueryZ, GetFixReportStatsQueryZ, ProjectVulnerabilityReport, GetProjectsQueryZ, ProjectPageQueryResultZ, GetProjectMembersDataZ, RepoArgsZ, scmCloudUrl, ScmType, ConvertToSarifInputFileFormat;
1789
1811
  var init_types = __esm({
1790
1812
  "src/features/analysis/scm/shared/src/types/types.ts"() {
@@ -1795,117 +1817,117 @@ var init_types = __esm({
1795
1817
  init_fix();
1796
1818
  init_issue();
1797
1819
  init_shared();
1798
- OrganizationScreenQueryParamsZ = z10.object({
1799
- organizationId: z10.string().uuid()
1820
+ OrganizationScreenQueryParamsZ = z7.object({
1821
+ organizationId: z7.string().uuid()
1800
1822
  });
1801
- ProjectPageQueryParamsZ = z10.object({
1802
- organizationId: z10.string().uuid(),
1803
- projectId: z10.string().uuid()
1823
+ ProjectPageQueryParamsZ = z7.object({
1824
+ organizationId: z7.string().uuid(),
1825
+ projectId: z7.string().uuid()
1804
1826
  });
1805
1827
  AnalysisPageQueryParamsZ = ProjectPageQueryParamsZ.extend({
1806
- reportId: z10.string().uuid()
1828
+ reportId: z7.string().uuid()
1807
1829
  });
1808
1830
  FixPageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
1809
- fixId: z10.string().uuid()
1831
+ fixId: z7.string().uuid()
1810
1832
  });
1811
1833
  IssuePageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
1812
- issueId: z10.string().uuid()
1813
- });
1814
- CliLoginPageQueryParamsZ = z10.object({
1815
- loginId: z10.string().uuid()
1816
- });
1817
- AnalysisReportDigestedZ = z10.object({
1818
- id: z10.string().uuid(),
1819
- state: z10.nativeEnum(Fix_Report_State_Enum),
1820
- vulnerabilityReport: z10.object({
1821
- reportSummaryUrl: z10.string().url().nullish(),
1822
- scanDate: z10.string().nullable(),
1823
- supported: z10.object({
1824
- aggregate: z10.object({
1825
- count: z10.number()
1834
+ issueId: z7.string().uuid()
1835
+ });
1836
+ CliLoginPageQueryParamsZ = z7.object({
1837
+ loginId: z7.string().uuid()
1838
+ });
1839
+ AnalysisReportDigestedZ = z7.object({
1840
+ id: z7.string().uuid(),
1841
+ state: z7.nativeEnum(Fix_Report_State_Enum),
1842
+ vulnerabilityReport: z7.object({
1843
+ reportSummaryUrl: z7.string().url().nullish(),
1844
+ scanDate: z7.string().nullable(),
1845
+ supported: z7.object({
1846
+ aggregate: z7.object({
1847
+ count: z7.number()
1826
1848
  })
1827
1849
  }),
1828
- all: z10.object({
1829
- aggregate: z10.object({
1830
- count: z10.number()
1850
+ all: z7.object({
1851
+ aggregate: z7.object({
1852
+ count: z7.number()
1831
1853
  })
1832
1854
  }),
1833
- vendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum),
1834
- project: z10.object({
1835
- organizationId: z10.string().uuid()
1855
+ vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
1856
+ project: z7.object({
1857
+ organizationId: z7.string().uuid()
1836
1858
  })
1837
1859
  })
1838
1860
  });
1839
- IssueSharedStateZ2 = z10.object({
1840
- id: z10.string().uuid(),
1841
- createdAt: z10.string(),
1842
- isArchived: z10.boolean(),
1843
- ticketIntegrationId: z10.string().uuid().nullable(),
1844
- ticketIntegrations: z10.array(
1845
- z10.object({
1846
- url: z10.string()
1861
+ IssueSharedStateZ2 = z7.object({
1862
+ id: z7.string().uuid(),
1863
+ createdAt: z7.string(),
1864
+ isArchived: z7.boolean(),
1865
+ ticketIntegrationId: z7.string().uuid().nullable(),
1866
+ ticketIntegrations: z7.array(
1867
+ z7.object({
1868
+ url: z7.string()
1847
1869
  })
1848
1870
  )
1849
1871
  }).nullable();
1850
- ReportQueryResultZ = z10.object({
1851
- fixReport_by_pk: z10.object({
1852
- id: z10.string().uuid(),
1853
- analysisUrl: z10.string(),
1854
- fixesCommitted: z10.object({
1855
- aggregate: z10.object({ count: z10.number() })
1872
+ ReportQueryResultZ = z7.object({
1873
+ fixReport_by_pk: z7.object({
1874
+ id: z7.string().uuid(),
1875
+ analysisUrl: z7.string(),
1876
+ fixesCommitted: z7.object({
1877
+ aggregate: z7.object({ count: z7.number() })
1856
1878
  }),
1857
- fixesDownloaded: z10.object({
1858
- aggregate: z10.object({ count: z10.number() })
1879
+ fixesDownloaded: z7.object({
1880
+ aggregate: z7.object({ count: z7.number() })
1859
1881
  }),
1860
- fixesDoneCount: z10.number(),
1861
- fixesInprogressCount: z10.number(),
1862
- fixesReadyCount: z10.object({
1863
- aggregate: z10.object({ count: z10.number() })
1882
+ fixesDoneCount: z7.number(),
1883
+ fixesInprogressCount: z7.number(),
1884
+ fixesReadyCount: z7.object({
1885
+ aggregate: z7.object({ count: z7.number() })
1864
1886
  }),
1865
- issueTypes: z10.record(z10.string(), z10.number()).nullable(),
1866
- issueLanguages: z10.record(z10.string(), z10.number()).nullable(),
1867
- fixesCountByEffort: z10.record(z10.string(), z10.number()).nullable(),
1868
- vulnerabilitySeverities: z10.record(z10.string(), z10.number()).nullable(),
1869
- createdOn: z10.string(),
1870
- expirationOn: z10.string().nullable(),
1871
- state: z10.nativeEnum(Fix_Report_State_Enum),
1872
- failReason: z10.string().nullable(),
1873
- candidateToRerun: z10.boolean(),
1874
- fixes: z10.array(
1875
- z10.object({
1876
- id: z10.string().uuid(),
1877
- safeIssueLanguage: z10.string(),
1878
- safeIssueType: z10.string(),
1879
- confidence: z10.number(),
1880
- effortToApplyFix: z10.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
1881
- modifiedBy: z10.string().nullable(),
1882
- gitBlameLogin: z10.string().nullable(),
1883
- fixReportId: z10.string().uuid(),
1884
- filePaths: z10.array(
1885
- z10.object({
1886
- fileRepoRelativePath: z10.string()
1887
+ issueTypes: z7.record(z7.string(), z7.number()).nullable(),
1888
+ issueLanguages: z7.record(z7.string(), z7.number()).nullable(),
1889
+ fixesCountByEffort: z7.record(z7.string(), z7.number()).nullable(),
1890
+ vulnerabilitySeverities: z7.record(z7.string(), z7.number()).nullable(),
1891
+ createdOn: z7.string(),
1892
+ expirationOn: z7.string().nullable(),
1893
+ state: z7.nativeEnum(Fix_Report_State_Enum),
1894
+ failReason: z7.string().nullable(),
1895
+ candidateToRerun: z7.boolean(),
1896
+ fixes: z7.array(
1897
+ z7.object({
1898
+ id: z7.string().uuid(),
1899
+ safeIssueLanguage: z7.string(),
1900
+ safeIssueType: z7.string(),
1901
+ confidence: z7.number(),
1902
+ effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
1903
+ modifiedBy: z7.string().nullable(),
1904
+ gitBlameLogin: z7.string().nullable(),
1905
+ fixReportId: z7.string().uuid(),
1906
+ filePaths: z7.array(
1907
+ z7.object({
1908
+ fileRepoRelativePath: z7.string()
1887
1909
  })
1888
1910
  ),
1889
1911
  sharedState: FixSharedStateZ,
1890
- numberOfVulnerabilityIssues: z10.number(),
1891
- severityText: z10.nativeEnum(Vulnerability_Severity_Enum),
1892
- vulnerabilityReportIssues: z10.array(
1893
- z10.object({
1894
- id: z10.string().uuid(),
1895
- issueType: z10.string(),
1896
- issueLanguage: z10.string(),
1897
- category: z10.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1912
+ numberOfVulnerabilityIssues: z7.number(),
1913
+ severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
1914
+ vulnerabilityReportIssues: z7.array(
1915
+ z7.object({
1916
+ id: z7.string().uuid(),
1917
+ issueType: z7.string(),
1918
+ issueLanguage: z7.string(),
1919
+ category: z7.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1898
1920
  sharedState: IssueSharedStateZ2
1899
1921
  })
1900
1922
  )
1901
1923
  })
1902
1924
  ),
1903
- repo: z10.object({
1904
- name: z10.string().nullable(),
1905
- originalUrl: z10.string(),
1906
- reference: z10.string(),
1907
- commitSha: z10.string(),
1908
- isKnownBranch: z10.boolean().nullish().default(true)
1925
+ repo: z7.object({
1926
+ name: z7.string().nullable(),
1927
+ originalUrl: z7.string(),
1928
+ reference: z7.string(),
1929
+ commitSha: z7.string(),
1930
+ isKnownBranch: z7.boolean().nullish().default(true)
1909
1931
  }).nullable().transform(
1910
1932
  (repo) => repo ?? {
1911
1933
  name: null,
@@ -1915,229 +1937,229 @@ var init_types = __esm({
1915
1937
  isKnownBranch: true
1916
1938
  }
1917
1939
  ),
1918
- vulnerabilityReportIssuesFixedCount: z10.object({
1919
- vulnerabilityReportIssues_aggregate: z10.object({
1920
- aggregate: z10.object({ count: z10.number() })
1940
+ vulnerabilityReportIssuesFixedCount: z7.object({
1941
+ vulnerabilityReportIssues_aggregate: z7.object({
1942
+ aggregate: z7.object({ count: z7.number() })
1921
1943
  })
1922
1944
  }),
1923
- vulnerabilityReport: z10.object({
1924
- id: z10.string().uuid(),
1925
- reportSummaryUrl: z10.string().url().nullish(),
1926
- computedVendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1927
- vendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1928
- issuesWithKnownLanguage: z10.number().nullable(),
1929
- scanDate: z10.string().nullable(),
1930
- vendorReportId: z10.string().uuid().nullable(),
1931
- projectId: z10.string().uuid(),
1932
- project: z10.object({
1933
- organizationId: z10.string().uuid()
1945
+ vulnerabilityReport: z7.object({
1946
+ id: z7.string().uuid(),
1947
+ reportSummaryUrl: z7.string().url().nullish(),
1948
+ computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1949
+ vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1950
+ issuesWithKnownLanguage: z7.number().nullable(),
1951
+ scanDate: z7.string().nullable(),
1952
+ vendorReportId: z7.string().uuid().nullable(),
1953
+ projectId: z7.string().uuid(),
1954
+ project: z7.object({
1955
+ organizationId: z7.string().uuid()
1934
1956
  }),
1935
- file: z10.object({
1936
- id: z10.string().uuid(),
1937
- path: z10.string()
1957
+ file: z7.object({
1958
+ id: z7.string().uuid(),
1959
+ path: z7.string()
1938
1960
  }).nullable(),
1939
- pending: z10.object({
1940
- aggregate: z10.object({
1941
- count: z10.number()
1961
+ pending: z7.object({
1962
+ aggregate: z7.object({
1963
+ count: z7.number()
1942
1964
  })
1943
1965
  }),
1944
- irrelevant: z10.object({
1945
- aggregate: z10.object({
1946
- count: z10.number()
1966
+ irrelevant: z7.object({
1967
+ aggregate: z7.object({
1968
+ count: z7.number()
1947
1969
  })
1948
1970
  }),
1949
- remaining: z10.object({
1950
- aggregate: z10.object({
1951
- count: z10.number()
1971
+ remaining: z7.object({
1972
+ aggregate: z7.object({
1973
+ count: z7.number()
1952
1974
  })
1953
1975
  }),
1954
- digested: z10.object({
1955
- aggregate: z10.object({
1956
- count: z10.number()
1976
+ digested: z7.object({
1977
+ aggregate: z7.object({
1978
+ count: z7.number()
1957
1979
  })
1958
1980
  }),
1959
- supported: z10.object({
1960
- aggregate: z10.object({
1961
- count: z10.number()
1981
+ supported: z7.object({
1982
+ aggregate: z7.object({
1983
+ count: z7.number()
1962
1984
  })
1963
1985
  }),
1964
- all: z10.object({
1965
- aggregate: z10.object({
1966
- count: z10.number()
1986
+ all: z7.object({
1987
+ aggregate: z7.object({
1988
+ count: z7.number()
1967
1989
  })
1968
1990
  }),
1969
- fixable: z10.object({
1970
- aggregate: z10.object({
1971
- count: z10.number()
1991
+ fixable: z7.object({
1992
+ aggregate: z7.object({
1993
+ count: z7.number()
1972
1994
  })
1973
1995
  }),
1974
- errors: z10.object({
1975
- aggregate: z10.object({
1976
- count: z10.number()
1996
+ errors: z7.object({
1997
+ aggregate: z7.object({
1998
+ count: z7.number()
1977
1999
  })
1978
2000
  }),
1979
- vulnerabilityReportIssues: z10.object({
1980
- id: z10.string().uuid(),
1981
- extraData: z10.object({
1982
- missing_files: z10.string().array().nullish(),
1983
- large_files: z10.string().array().nullish(),
1984
- error_files: z10.string().array().nullish(),
1985
- ai_cost_limit_exceeded: z10.string().nullish()
2001
+ vulnerabilityReportIssues: z7.object({
2002
+ id: z7.string().uuid(),
2003
+ extraData: z7.object({
2004
+ missing_files: z7.string().array().nullish(),
2005
+ large_files: z7.string().array().nullish(),
2006
+ error_files: z7.string().array().nullish(),
2007
+ ai_cost_limit_exceeded: z7.string().nullish()
1986
2008
  })
1987
2009
  }).array()
1988
2010
  })
1989
2011
  })
1990
2012
  });
1991
- ReportFixesQueryFixZ = z10.object({
1992
- id: z10.string().uuid(),
2013
+ ReportFixesQueryFixZ = z7.object({
2014
+ id: z7.string().uuid(),
1993
2015
  sharedState: FixSharedStateZ,
1994
- confidence: z10.number(),
1995
- gitBlameLogin: z10.string().nullable(),
1996
- effortToApplyFix: z10.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
1997
- safeIssueLanguage: z10.string(),
1998
- safeIssueType: z10.string(),
1999
- fixReportId: z10.string().uuid(),
2000
- filePaths: z10.array(
2001
- z10.object({
2002
- fileRepoRelativePath: z10.string()
2016
+ confidence: z7.number(),
2017
+ gitBlameLogin: z7.string().nullable(),
2018
+ effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
2019
+ safeIssueLanguage: z7.string(),
2020
+ safeIssueType: z7.string(),
2021
+ fixReportId: z7.string().uuid(),
2022
+ filePaths: z7.array(
2023
+ z7.object({
2024
+ fileRepoRelativePath: z7.string()
2003
2025
  })
2004
2026
  ),
2005
- numberOfVulnerabilityIssues: z10.number(),
2006
- severityText: z10.nativeEnum(Vulnerability_Severity_Enum),
2007
- vulnerabilityReportIssues: z10.array(
2008
- z10.object({
2009
- issueType: z10.string(),
2010
- issueLanguage: z10.string(),
2027
+ numberOfVulnerabilityIssues: z7.number(),
2028
+ severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
2029
+ vulnerabilityReportIssues: z7.array(
2030
+ z7.object({
2031
+ issueType: z7.string(),
2032
+ issueLanguage: z7.string(),
2011
2033
  sharedState: IssueSharedStateZ2
2012
2034
  })
2013
2035
  ).min(1)
2014
2036
  });
2015
- BaseVulnerabilityReportIssueZ = z10.object({
2016
- id: z10.string().uuid(),
2017
- createdAt: z10.string(),
2018
- state: z10.nativeEnum(Vulnerability_Report_Issue_State_Enum),
2019
- safeIssueType: z10.string(),
2020
- safeIssueLanguage: z10.string(),
2021
- extraData: z10.object({
2022
- missing_files: z10.string().array().nullish(),
2023
- large_files: z10.string().array().nullish(),
2024
- error_files: z10.string().array().nullish(),
2025
- ai_cost_limit_exceeded: z10.string().nullish()
2037
+ BaseVulnerabilityReportIssueZ = z7.object({
2038
+ id: z7.string().uuid(),
2039
+ createdAt: z7.string(),
2040
+ state: z7.nativeEnum(Vulnerability_Report_Issue_State_Enum),
2041
+ safeIssueType: z7.string(),
2042
+ safeIssueLanguage: z7.string(),
2043
+ extraData: z7.object({
2044
+ missing_files: z7.string().array().nullish(),
2045
+ large_files: z7.string().array().nullish(),
2046
+ error_files: z7.string().array().nullish(),
2047
+ ai_cost_limit_exceeded: z7.string().nullish()
2026
2048
  }),
2027
2049
  fix: ReportFixesQueryFixZ.nullable(),
2028
- falsePositive: z10.object({
2029
- id: z10.string().uuid()
2050
+ falsePositive: z7.object({
2051
+ id: z7.string().uuid()
2030
2052
  }).nullable(),
2031
2053
  parsedSeverity: ParsedSeverityZ,
2032
- severity: z10.string(),
2033
- severityValue: z10.number(),
2034
- category: z10.string(),
2035
- vulnerabilityReportIssueTags: z10.array(
2036
- z10.object({
2037
- vulnerability_report_issue_tag_value: z10.string()
2054
+ severity: z7.string(),
2055
+ severityValue: z7.number(),
2056
+ category: z7.string(),
2057
+ vulnerabilityReportIssueTags: z7.array(
2058
+ z7.object({
2059
+ vulnerability_report_issue_tag_value: z7.string()
2038
2060
  })
2039
2061
  ),
2040
2062
  sharedState: VulnerabilityReportIssueSharedStateZ
2041
2063
  });
2042
2064
  VulnerabilityReportIssueZ = BaseVulnerabilityReportIssueZ.merge(
2043
- z10.object({
2044
- codeNodes: z10.array(z10.object({ path: z10.string() }))
2065
+ z7.object({
2066
+ codeNodes: z7.array(z7.object({ path: z7.string() }))
2045
2067
  })
2046
2068
  );
2047
2069
  VulnerabilityReportIssueWithCodeFilePathZ = BaseVulnerabilityReportIssueZ.merge(
2048
- z10.object({
2049
- codeFilePath: z10.string().nullable()
2070
+ z7.object({
2071
+ codeFilePath: z7.string().nullable()
2050
2072
  })
2051
2073
  );
2052
- GetReportIssuesQueryZ = z10.object({
2053
- fixReport: z10.object({
2054
- vulnerabilityReport: z10.object({
2055
- id: z10.string().uuid(),
2056
- lastIssueUpdatedAt: z10.string(),
2057
- vulnerabilityReportIssues_aggregate: z10.object({
2058
- aggregate: z10.object({ count: z10.number() })
2074
+ GetReportIssuesQueryZ = z7.object({
2075
+ fixReport: z7.object({
2076
+ vulnerabilityReport: z7.object({
2077
+ id: z7.string().uuid(),
2078
+ lastIssueUpdatedAt: z7.string(),
2079
+ vulnerabilityReportIssues_aggregate: z7.object({
2080
+ aggregate: z7.object({ count: z7.number() })
2059
2081
  }),
2060
- vulnerabilityReportIssues: z10.array(
2082
+ vulnerabilityReportIssues: z7.array(
2061
2083
  VulnerabilityReportIssueWithCodeFilePathZ
2062
2084
  )
2063
2085
  })
2064
2086
  }).array()
2065
2087
  }).nullish();
2066
- FixReportByProjectZ = z10.object({
2067
- project_by_pk: z10.object({
2068
- vulnerabilityReports: z10.array(
2069
- z10.object({
2070
- fixReport: z10.object({ id: z10.string().uuid() }).nullable()
2088
+ FixReportByProjectZ = z7.object({
2089
+ project_by_pk: z7.object({
2090
+ vulnerabilityReports: z7.array(
2091
+ z7.object({
2092
+ fixReport: z7.object({ id: z7.string().uuid() }).nullable()
2071
2093
  })
2072
2094
  )
2073
2095
  })
2074
2096
  });
2075
- FixScreenQueryResultZ = z10.object({
2097
+ FixScreenQueryResultZ = z7.object({
2076
2098
  fixReport_by_pk: FixPageFixReportZ,
2077
2099
  fix_by_pk: FixPartsForFixScreenZ,
2078
- fixesWithSameIssueType: z10.array(
2079
- z10.object({
2080
- id: z10.string().uuid(),
2081
- sharedState: z10.object({ state: z10.nativeEnum(Fix_State_Enum) }).nullable().default({ state: "Ready" /* Ready */ })
2100
+ fixesWithSameIssueType: z7.array(
2101
+ z7.object({
2102
+ id: z7.string().uuid(),
2103
+ sharedState: z7.object({ state: z7.nativeEnum(Fix_State_Enum) }).nullable().default({ state: "Ready" /* Ready */ })
2082
2104
  })
2083
2105
  ),
2084
2106
  relevantIssue: IssuePartsZ.nullish()
2085
2107
  });
2086
- FixPageQueryZ = z10.object({
2108
+ FixPageQueryZ = z7.object({
2087
2109
  data: FixScreenQueryResultZ
2088
2110
  });
2089
- GetReportFixesQueryZ = z10.object({
2090
- fixReport: z10.array(
2091
- z10.object({
2092
- fixes: z10.array(ReportFixesQueryFixZ),
2093
- vulnerabilityReportIssuesTotalCount: z10.object({
2094
- vulnerabilityReportIssues_aggregate: z10.object({
2095
- aggregate: z10.object({ count: z10.number() })
2111
+ GetReportFixesQueryZ = z7.object({
2112
+ fixReport: z7.array(
2113
+ z7.object({
2114
+ fixes: z7.array(ReportFixesQueryFixZ),
2115
+ vulnerabilityReportIssuesTotalCount: z7.object({
2116
+ vulnerabilityReportIssues_aggregate: z7.object({
2117
+ aggregate: z7.object({ count: z7.number() })
2096
2118
  })
2097
2119
  }),
2098
- vulnerabilityReportIssuesFixedCount: z10.object({
2099
- vulnerabilityReportIssues_aggregate: z10.object({
2100
- aggregate: z10.object({ count: z10.number() })
2120
+ vulnerabilityReportIssuesFixedCount: z7.object({
2121
+ vulnerabilityReportIssues_aggregate: z7.object({
2122
+ aggregate: z7.object({ count: z7.number() })
2101
2123
  })
2102
2124
  }),
2103
- vulnerabilityReportIssuesIrrelevantCount: z10.object({
2104
- vulnerabilityReportIssues_aggregate: z10.object({
2105
- aggregate: z10.object({ count: z10.number() })
2125
+ vulnerabilityReportIssuesIrrelevantCount: z7.object({
2126
+ vulnerabilityReportIssues_aggregate: z7.object({
2127
+ aggregate: z7.object({ count: z7.number() })
2106
2128
  })
2107
2129
  }),
2108
- vulnerabilityReportIssuesRemainingCount: z10.object({
2109
- vulnerabilityReportIssues_aggregate: z10.object({
2110
- aggregate: z10.object({ count: z10.number() })
2130
+ vulnerabilityReportIssuesRemainingCount: z7.object({
2131
+ vulnerabilityReportIssues_aggregate: z7.object({
2132
+ aggregate: z7.object({ count: z7.number() })
2111
2133
  })
2112
2134
  })
2113
2135
  })
2114
2136
  )
2115
2137
  }).nullish();
2116
- GetFixReportStatsQueryZ = z10.object({
2117
- fixReport_by_pk: z10.object({
2118
- id: z10.string().uuid(),
2119
- vulnerabilitySeverities: z10.record(z10.nativeEnum(Vulnerability_Severity_Enum), z10.number()).nullable(),
2120
- vulnerabilityReportIrrelevantIssuesCount: z10.object({
2121
- vulnerabilityReportIssues_aggregate: z10.object({
2122
- aggregate: z10.object({ count: z10.number() })
2138
+ GetFixReportStatsQueryZ = z7.object({
2139
+ fixReport_by_pk: z7.object({
2140
+ id: z7.string().uuid(),
2141
+ vulnerabilitySeverities: z7.record(z7.nativeEnum(Vulnerability_Severity_Enum), z7.number()).nullable(),
2142
+ vulnerabilityReportIrrelevantIssuesCount: z7.object({
2143
+ vulnerabilityReportIssues_aggregate: z7.object({
2144
+ aggregate: z7.object({ count: z7.number() })
2123
2145
  })
2124
2146
  })
2125
2147
  }).nullable()
2126
2148
  });
2127
- ProjectVulnerabilityReport = z10.object({
2128
- id: z10.string().uuid(),
2129
- name: z10.string().nullable(),
2130
- vendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2131
- computedVendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2132
- fixReport: z10.object({
2133
- id: z10.string().uuid(),
2134
- createdOn: z10.string(),
2135
- issueTypes: z10.record(z10.string(), z10.number()).nullable(),
2136
- issueLanguages: z10.record(z10.nativeEnum(IssueLanguage_Enum), z10.number()).nullable(),
2137
- repo: z10.object({
2138
- originalUrl: z10.string(),
2139
- reference: z10.string(),
2140
- name: z10.string()
2149
+ ProjectVulnerabilityReport = z7.object({
2150
+ id: z7.string().uuid(),
2151
+ name: z7.string().nullable(),
2152
+ vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2153
+ computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2154
+ fixReport: z7.object({
2155
+ id: z7.string().uuid(),
2156
+ createdOn: z7.string(),
2157
+ issueTypes: z7.record(z7.string(), z7.number()).nullable(),
2158
+ issueLanguages: z7.record(z7.nativeEnum(IssueLanguage_Enum), z7.number()).nullable(),
2159
+ repo: z7.object({
2160
+ originalUrl: z7.string(),
2161
+ reference: z7.string(),
2162
+ name: z7.string()
2141
2163
  }).nullable().transform(
2142
2164
  (repo) => repo ?? {
2143
2165
  originalUrl: "",
@@ -2145,64 +2167,64 @@ var init_types = __esm({
2145
2167
  name: ""
2146
2168
  }
2147
2169
  ),
2148
- createdByUser: z10.object({
2149
- email: z10.string()
2170
+ createdByUser: z7.object({
2171
+ email: z7.string()
2150
2172
  }).nullable(),
2151
- state: z10.nativeEnum(Fix_Report_State_Enum),
2152
- expirationOn: z10.string()
2173
+ state: z7.nativeEnum(Fix_Report_State_Enum),
2174
+ expirationOn: z7.string()
2153
2175
  })
2154
2176
  });
2155
- GetProjectsQueryZ = z10.object({
2156
- organization: z10.object({
2157
- id: z10.string(),
2158
- projects: z10.array(
2159
- z10.object({
2160
- id: z10.string().uuid(),
2161
- name: z10.string(),
2162
- numberOfUniqueRepos: z10.number()
2177
+ GetProjectsQueryZ = z7.object({
2178
+ organization: z7.object({
2179
+ id: z7.string(),
2180
+ projects: z7.array(
2181
+ z7.object({
2182
+ id: z7.string().uuid(),
2183
+ name: z7.string(),
2184
+ numberOfUniqueRepos: z7.number()
2163
2185
  })
2164
2186
  )
2165
2187
  })
2166
2188
  });
2167
- ProjectPageQueryResultZ = z10.object({
2168
- name: z10.string(),
2169
- id: z10.string().uuid(),
2170
- isDefault: z10.boolean().default(false),
2171
- organizationId: z10.string().uuid(),
2172
- vulnerabilityReports: z10.array(ProjectVulnerabilityReport),
2173
- autoPrIncludeAiFixes: z10.preprocess(
2189
+ ProjectPageQueryResultZ = z7.object({
2190
+ name: z7.string(),
2191
+ id: z7.string().uuid(),
2192
+ isDefault: z7.boolean().default(false),
2193
+ organizationId: z7.string().uuid(),
2194
+ vulnerabilityReports: z7.array(ProjectVulnerabilityReport),
2195
+ autoPrIncludeAiFixes: z7.preprocess(
2174
2196
  (val) => val === null || val === void 0 ? false : val,
2175
- z10.boolean()
2197
+ z7.boolean()
2176
2198
  ),
2177
- projectIssueTypeSettings: z10.array(
2178
- IssueTypeSettingZ.merge(z10.object({ id: z10.string() }))
2199
+ projectIssueTypeSettings: z7.array(
2200
+ IssueTypeSettingZ.merge(z7.object({ id: z7.string() }))
2179
2201
  )
2180
2202
  });
2181
- GetProjectMembersDataZ = z10.object({
2182
- project_by_pk: z10.object({
2183
- name: z10.string(),
2184
- id: z10.string(),
2185
- projectUsers: z10.array(
2186
- z10.object({
2187
- projectToRole: z10.object({
2188
- projectRole: z10.object({
2189
- type: z10.nativeEnum(Project_Role_Type_Enum)
2203
+ GetProjectMembersDataZ = z7.object({
2204
+ project_by_pk: z7.object({
2205
+ name: z7.string(),
2206
+ id: z7.string(),
2207
+ projectUsers: z7.array(
2208
+ z7.object({
2209
+ projectToRole: z7.object({
2210
+ projectRole: z7.object({
2211
+ type: z7.nativeEnum(Project_Role_Type_Enum)
2190
2212
  })
2191
2213
  }),
2192
- user: z10.object({
2193
- id: z10.string().uuid(),
2194
- picture: z10.string().nullable().optional(),
2195
- name: z10.string().nullish(),
2196
- email: z10.string().email()
2214
+ user: z7.object({
2215
+ id: z7.string().uuid(),
2216
+ picture: z7.string().nullable().optional(),
2217
+ name: z7.string().nullish(),
2218
+ email: z7.string().email()
2197
2219
  })
2198
2220
  })
2199
2221
  )
2200
2222
  })
2201
2223
  });
2202
- RepoArgsZ = z10.object({
2203
- originalUrl: z10.string().url(),
2204
- branch: z10.string(),
2205
- commitSha: z10.string()
2224
+ RepoArgsZ = z7.object({
2225
+ originalUrl: z7.string().url(),
2226
+ branch: z7.string(),
2227
+ commitSha: z7.string()
2206
2228
  });
2207
2229
  scmCloudUrl = {
2208
2230
  GitLab: "https://gitlab.com",
@@ -2236,7 +2258,7 @@ var init_types2 = __esm({
2236
2258
  });
2237
2259
 
2238
2260
  // src/features/analysis/scm/shared/src/urlParser/urlParser.ts
2239
- import { z as z11 } from "zod";
2261
+ import { z as z8 } from "zod";
2240
2262
  function computeCanonicalUrl(data) {
2241
2263
  const {
2242
2264
  scmType,
@@ -2278,7 +2300,7 @@ function detectAdoUrl(args) {
2278
2300
  scmType: "Ado" /* Ado */,
2279
2301
  organization,
2280
2302
  // project has single repo - repoName === projectName
2281
- projectName: z11.string().parse(projectName),
2303
+ projectName: z8.string().parse(projectName),
2282
2304
  repoName: projectName,
2283
2305
  prefixPath
2284
2306
  };
@@ -2289,7 +2311,7 @@ function detectAdoUrl(args) {
2289
2311
  return {
2290
2312
  scmType: "Ado" /* Ado */,
2291
2313
  organization,
2292
- projectName: z11.string().parse(projectName),
2314
+ projectName: z8.string().parse(projectName),
2293
2315
  repoName,
2294
2316
  prefixPath
2295
2317
  };
@@ -2303,7 +2325,7 @@ function detectAdoUrl(args) {
2303
2325
  scmType: "Ado" /* Ado */,
2304
2326
  organization,
2305
2327
  // project has only one repo - repoName === projectName
2306
- projectName: z11.string().parse(repoName),
2328
+ projectName: z8.string().parse(repoName),
2307
2329
  repoName,
2308
2330
  prefixPath
2309
2331
  };
@@ -2313,7 +2335,7 @@ function detectAdoUrl(args) {
2313
2335
  return {
2314
2336
  scmType: "Ado" /* Ado */,
2315
2337
  organization,
2316
- projectName: z11.string().parse(projectName),
2338
+ projectName: z8.string().parse(projectName),
2317
2339
  repoName,
2318
2340
  prefixPath
2319
2341
  };
@@ -2389,7 +2411,7 @@ function parseSshUrl(scmURL, scmType) {
2389
2411
  if (pathElements.length === 3) {
2390
2412
  const [organization2, projectName, repoName2] = pathElements;
2391
2413
  if (organization2?.match(NAME_REGEX) && projectName && repoName2?.match(NAME_REGEX)) {
2392
- const parsedProjectName = z11.string().parse(projectName);
2414
+ const parsedProjectName = z8.string().parse(projectName);
2393
2415
  return {
2394
2416
  scmType: "Ado" /* Ado */,
2395
2417
  hostname: normalizedHostname,
@@ -2617,17 +2639,17 @@ var init_urlParser2 = __esm({
2617
2639
  });
2618
2640
 
2619
2641
  // src/features/analysis/scm/env.ts
2620
- import { z as z14 } from "zod";
2642
+ import { z as z11 } from "zod";
2621
2643
  var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
2622
2644
  var init_env = __esm({
2623
2645
  "src/features/analysis/scm/env.ts"() {
2624
2646
  "use strict";
2625
- EnvVariablesZod = z14.object({
2626
- GITLAB_API_TOKEN: z14.string().optional(),
2627
- GITHUB_API_TOKEN: z14.string().optional(),
2628
- GIT_PROXY_HOST: z14.string().optional().default("http://tinyproxy:8888"),
2629
- MAX_UPLOAD_FILE_SIZE_MB: z14.coerce.number().gt(0).default(2),
2630
- GITHUB_API_CONCURRENCY: z14.coerce.number().gt(0).optional().default(10)
2647
+ EnvVariablesZod = z11.object({
2648
+ GITLAB_API_TOKEN: z11.string().optional(),
2649
+ GITHUB_API_TOKEN: z11.string().optional(),
2650
+ GIT_PROXY_HOST: z11.string().optional().default("http://tinyproxy:8888"),
2651
+ MAX_UPLOAD_FILE_SIZE_MB: z11.coerce.number().gt(0).default(2),
2652
+ GITHUB_API_CONCURRENCY: z11.coerce.number().gt(0).optional().default(10)
2631
2653
  });
2632
2654
  ({
2633
2655
  GITLAB_API_TOKEN,
@@ -2664,7 +2686,7 @@ var init_configs = __esm({
2664
2686
  });
2665
2687
 
2666
2688
  // src/utils/blame/gitBlameTypes.ts
2667
- import { z as z17 } from "zod";
2689
+ import { z as z14 } from "zod";
2668
2690
  function parseCoAuthorValue(raw) {
2669
2691
  const trimmed = raw.trim();
2670
2692
  if (!trimmed) {
@@ -2700,9 +2722,9 @@ var PrepareGitBlameMessageZ, PrepareGitBlameResponseMessageZ, CommitMetadataZ, L
2700
2722
  var init_gitBlameTypes = __esm({
2701
2723
  "src/utils/blame/gitBlameTypes.ts"() {
2702
2724
  "use strict";
2703
- PrepareGitBlameMessageZ = z17.object({
2704
- reportId: z17.string(),
2705
- repoArchivePath: z17.string(),
2725
+ PrepareGitBlameMessageZ = z14.object({
2726
+ reportId: z14.string(),
2727
+ repoArchivePath: z14.string(),
2706
2728
  // Optional list of file paths to blame. Producers must pick one of two modes:
2707
2729
  //
2708
2730
  // - **Omit `filePaths`** = "blame every file in the archive". Used by the
@@ -2718,132 +2740,132 @@ var init_gitBlameTypes = __esm({
2718
2740
  // "Login.java" when the actual file is "src/main/java/Login.java") are
2719
2741
  // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
2720
2742
  // strings are filtered out defensively.
2721
- filePaths: z17.array(z17.string()).optional()
2722
- });
2723
- PrepareGitBlameResponseMessageZ = z17.object({
2724
- reportId: z17.string()
2725
- });
2726
- CommitMetadataZ = z17.object({
2727
- author: z17.string().optional(),
2728
- "author-mail": z17.string().optional(),
2729
- "author-time": z17.string().optional(),
2730
- "author-tz": z17.string().optional(),
2731
- committer: z17.string().optional(),
2732
- "committer-mail": z17.string().optional(),
2733
- "committer-time": z17.string().optional(),
2734
- "committer-tz": z17.string().optional(),
2735
- summary: z17.string().optional(),
2736
- filename: z17.string().optional()
2737
- });
2738
- LineToCommitMapZ = z17.record(z17.string(), z17.string());
2739
- CommitMetadataMapZ = z17.record(z17.string(), CommitMetadataZ);
2740
- BlameInfoZ = z17.object({
2743
+ filePaths: z14.array(z14.string()).optional()
2744
+ });
2745
+ PrepareGitBlameResponseMessageZ = z14.object({
2746
+ reportId: z14.string()
2747
+ });
2748
+ CommitMetadataZ = z14.object({
2749
+ author: z14.string().optional(),
2750
+ "author-mail": z14.string().optional(),
2751
+ "author-time": z14.string().optional(),
2752
+ "author-tz": z14.string().optional(),
2753
+ committer: z14.string().optional(),
2754
+ "committer-mail": z14.string().optional(),
2755
+ "committer-time": z14.string().optional(),
2756
+ "committer-tz": z14.string().optional(),
2757
+ summary: z14.string().optional(),
2758
+ filename: z14.string().optional()
2759
+ });
2760
+ LineToCommitMapZ = z14.record(z14.string(), z14.string());
2761
+ CommitMetadataMapZ = z14.record(z14.string(), CommitMetadataZ);
2762
+ BlameInfoZ = z14.object({
2741
2763
  lineToCommit: LineToCommitMapZ,
2742
2764
  commitMetadata: CommitMetadataMapZ
2743
2765
  });
2744
- LineRangeZ = z17.object({
2766
+ LineRangeZ = z14.object({
2745
2767
  /** First line in chunk (1-indexed) */
2746
- start: z17.number(),
2768
+ start: z14.number(),
2747
2769
  /** Last line in chunk (inclusive) */
2748
- end: z17.number()
2749
- });
2750
- PrContextZ = z17.object({
2751
- prNumber: z17.number(),
2752
- repositoryUrl: z17.string(),
2753
- organizationId: z17.string(),
2754
- userEmail: z17.string(),
2755
- source: z17.enum(["pr", "github"]),
2756
- githubContext: z17.object({
2757
- prNumber: z17.number(),
2758
- installationId: z17.number(),
2759
- repositoryURL: z17.string()
2770
+ end: z14.number()
2771
+ });
2772
+ PrContextZ = z14.object({
2773
+ prNumber: z14.number(),
2774
+ repositoryUrl: z14.string(),
2775
+ organizationId: z14.string(),
2776
+ userEmail: z14.string(),
2777
+ source: z14.enum(["pr", "github"]),
2778
+ githubContext: z14.object({
2779
+ prNumber: z14.number(),
2780
+ installationId: z14.number(),
2781
+ repositoryURL: z14.string()
2760
2782
  }).optional()
2761
2783
  });
2762
- PrepareCommitBlameMessageZ = z17.object({
2784
+ PrepareCommitBlameMessageZ = z14.object({
2763
2785
  /** Commit blame request ID from database (for tracking and updating status) */
2764
- commitBlameRequestId: z17.string(),
2786
+ commitBlameRequestId: z14.string(),
2765
2787
  /** Organization ID (for org-scoped caching) */
2766
- organizationId: z17.string(),
2788
+ organizationId: z14.string(),
2767
2789
  /** Full repository URL (e.g., https://github.com/org/repo) */
2768
- repositoryUrl: z17.string(),
2790
+ repositoryUrl: z14.string(),
2769
2791
  /** Commit SHA to analyze (typically PR head commit) */
2770
- commitSha: z17.string(),
2792
+ commitSha: z14.string(),
2771
2793
  /** Authentication headers for repository access (e.g., GitHub token) */
2772
- extraHeaders: z17.record(z17.string(), z17.string()).default({}),
2794
+ extraHeaders: z14.record(z14.string(), z14.string()).default({}),
2773
2795
  // --- PR analysis fields ---
2774
2796
  /** Target branch name (from getPr() base.ref). When set, enables PR analysis mode. */
2775
- targetBranch: z17.string().optional(),
2797
+ targetBranch: z14.string().optional(),
2776
2798
  /** Context for triggering blame attribution analysis after SCM agent completes. */
2777
2799
  prContext: PrContextZ.optional(),
2778
2800
  /** User email for blame attribution analysis trigger context (used for both PR and single commit flows). */
2779
- userEmail: z17.string().optional()
2801
+ userEmail: z14.string().optional()
2780
2802
  });
2781
- BlameLineInfoZ = z17.object({
2803
+ BlameLineInfoZ = z14.object({
2782
2804
  /** Line number as it appeared in the introducing commit */
2783
- originalLineNumber: z17.number(),
2805
+ originalLineNumber: z14.number(),
2784
2806
  /** Commit SHA that introduced this line */
2785
- commitSha: z17.string(),
2807
+ commitSha: z14.string(),
2786
2808
  /** Author name for this line */
2787
- authorName: z17.string().optional(),
2809
+ authorName: z14.string().optional(),
2788
2810
  /** Author email for this line */
2789
- authorEmail: z17.string().optional()
2811
+ authorEmail: z14.string().optional()
2790
2812
  }).nullable();
2791
- FileBlameDataZ = z17.array(BlameLineInfoZ);
2792
- ChunkFetchResultZ = z17.object({
2793
- filePath: z17.string(),
2794
- lines: z17.array(z17.number()),
2813
+ FileBlameDataZ = z14.array(BlameLineInfoZ);
2814
+ ChunkFetchResultZ = z14.object({
2815
+ filePath: z14.string(),
2816
+ lines: z14.array(z14.number()),
2795
2817
  data: FileBlameDataZ.nullable()
2796
2818
  });
2797
- FileBlameResponseEntryZ = z17.object({
2819
+ FileBlameResponseEntryZ = z14.object({
2798
2820
  /** Chunk index (0 for small files, 0-N for large file chunks) */
2799
- chunkIndex: z17.number(),
2821
+ chunkIndex: z14.number(),
2800
2822
  /** Blame data array (1-indexed, index 0 is null) */
2801
2823
  blameData: FileBlameDataZ
2802
2824
  });
2803
- CommitBlameDataZ = z17.record(
2804
- z17.string(),
2825
+ CommitBlameDataZ = z14.record(
2826
+ z14.string(),
2805
2827
  // fileName
2806
- z17.array(FileBlameResponseEntryZ)
2828
+ z14.array(FileBlameResponseEntryZ)
2807
2829
  );
2808
- CommitInfoZ = z17.object({
2830
+ CommitInfoZ = z14.object({
2809
2831
  /** Number of parent commits (1 = normal commit, 2+ = merge commit, null = failed to determine) */
2810
- parentCount: z17.number().nullable()
2832
+ parentCount: z14.number().nullable()
2811
2833
  });
2812
- GitIdentityZ = z17.object({
2813
- name: z17.string(),
2814
- email: z17.string()
2834
+ GitIdentityZ = z14.object({
2835
+ name: z14.string(),
2836
+ email: z14.string()
2815
2837
  });
2816
2838
  COMMIT_LOG_FORMAT = "%H%x00%ae%x00%an%x00%ce%x00%cn%x00%at%x00%s%x00%(trailers:key=Co-authored-by,valueonly,separator=%x00)";
2817
- CommitDataZ = z17.object({
2818
- diff: z17.string(),
2839
+ CommitDataZ = z14.object({
2840
+ diff: z14.string(),
2819
2841
  author: GitIdentityZ,
2820
2842
  committer: GitIdentityZ,
2821
- coAuthors: z17.array(GitIdentityZ),
2822
- timestamp: z17.number(),
2843
+ coAuthors: z14.array(GitIdentityZ),
2844
+ timestamp: z14.number(),
2823
2845
  // Unix timestamp in seconds
2824
- message: z17.string().optional(),
2825
- parentCount: z17.number().nullable()
2846
+ message: z14.string().optional(),
2847
+ parentCount: z14.number().nullable()
2826
2848
  });
2827
- PrDiffDataZ = z17.object({
2828
- diff: z17.string()
2849
+ PrDiffDataZ = z14.object({
2850
+ diff: z14.string()
2829
2851
  });
2830
- PrStatsZ = z17.object({
2831
- additions: z17.number(),
2832
- deletions: z17.number()
2852
+ PrStatsZ = z14.object({
2853
+ additions: z14.number(),
2854
+ deletions: z14.number()
2833
2855
  });
2834
- CommitsManifestZ = z17.object({
2835
- commits: z17.array(z17.string())
2856
+ CommitsManifestZ = z14.object({
2857
+ commits: z14.array(z14.string())
2836
2858
  // Array of commit SHAs in order
2837
2859
  });
2838
- BlameLineEntryZ = z17.object({
2860
+ BlameLineEntryZ = z14.object({
2839
2861
  /** Current file path in the PR head (what git blame was invoked on). */
2840
- file: z17.string(),
2862
+ file: z14.string(),
2841
2863
  /** Current line number in the PR head. */
2842
- line: z17.number(),
2864
+ line: z14.number(),
2843
2865
  /** SHA of the commit that originally authored this line. */
2844
- originalCommitSha: z17.string(),
2866
+ originalCommitSha: z14.string(),
2845
2867
  /** Line number as it was in `originalCommitSha`. */
2846
- originalLineNumber: z17.number(),
2868
+ originalLineNumber: z14.number(),
2847
2869
  /**
2848
2870
  * File path as it was in `originalCommitSha` at the time that commit
2849
2871
  * authored this line. When a file has been renamed since, this differs
@@ -2856,24 +2878,24 @@ var init_gitBlameTypes = __esm({
2856
2878
  * must treat empty as "fall back to `file`" (see enrichDiffLines,
2857
2879
  * targetedBlame).
2858
2880
  */
2859
- originalFile: z17.string().default("")
2881
+ originalFile: z14.string().default("")
2860
2882
  });
2861
- BlameLinesDataZ = z17.object({
2862
- lines: z17.array(BlameLineEntryZ)
2883
+ BlameLinesDataZ = z14.object({
2884
+ lines: z14.array(BlameLineEntryZ)
2863
2885
  });
2864
- PrepareCommitBlameResponseMessageZ = z17.object({
2886
+ PrepareCommitBlameResponseMessageZ = z14.object({
2865
2887
  /** Commit blame request ID (matches request, used to update specific DB record) */
2866
- commitBlameRequestId: z17.string(),
2888
+ commitBlameRequestId: z14.string(),
2867
2889
  /** Organization ID (matches request) */
2868
- organizationId: z17.string(),
2890
+ organizationId: z14.string(),
2869
2891
  /** Repository URL (matches request) */
2870
- repositoryUrl: z17.string(),
2892
+ repositoryUrl: z14.string(),
2871
2893
  /** Commit SHA analyzed (matches request) */
2872
- commitSha: z17.string(),
2894
+ commitSha: z14.string(),
2873
2895
  /** Processing status */
2874
- status: z17.enum(["success", "failure"]),
2896
+ status: z14.enum(["success", "failure"]),
2875
2897
  /** Error message (only present if status is 'failure') */
2876
- error: z17.string().optional(),
2898
+ error: z14.string().optional(),
2877
2899
  /**
2878
2900
  * Blame data for all processed files/chunks.
2879
2901
  * Empty dictionary if status is 'failure'.
@@ -2885,29 +2907,29 @@ var init_gitBlameTypes = __esm({
2885
2907
  * Keyed by commit SHA, deduplicated.
2886
2908
  * Empty dictionary if status is 'failure'.
2887
2909
  */
2888
- commits: z17.record(z17.string(), CommitInfoZ).default({}),
2910
+ commits: z14.record(z14.string(), CommitInfoZ).default({}),
2889
2911
  // --- New PR diff computation response fields ---
2890
2912
  /** S3 paths for commit-level data (commitSha → S3 key). Present in PR analysis mode and single commit mode. */
2891
- commitDataS3Paths: z17.record(z17.string(), z17.string()).optional(),
2913
+ commitDataS3Paths: z14.record(z14.string(), z14.string()).optional(),
2892
2914
  /** S3 key for PR diff JSON. Present in PR analysis mode. */
2893
- prDiffS3Path: z17.string().optional(),
2915
+ prDiffS3Path: z14.string().optional(),
2894
2916
  /** S3 key for commits manifest. Present in PR analysis mode. */
2895
- commitsManifestS3Path: z17.string().optional(),
2917
+ commitsManifestS3Path: z14.string().optional(),
2896
2918
  /** S3 key for per-line targeted blame data. Present in PR analysis mode. */
2897
- blameLinesS3Path: z17.string().optional(),
2919
+ blameLinesS3Path: z14.string().optional(),
2898
2920
  /** S3 key for PR stats (additions/deletions). Present in PR analysis mode. */
2899
- prStatsS3Path: z17.string().optional(),
2921
+ prStatsS3Path: z14.string().optional(),
2900
2922
  /** PR context passed through from request for response handler. */
2901
2923
  prContext: PrContextZ.optional(),
2902
2924
  /** PR title from the request metadata (passed through). */
2903
- prTitle: z17.string().optional(),
2925
+ prTitle: z14.string().optional(),
2904
2926
  /** User email passed through from request for single commit blame attribution analysis trigger. */
2905
- userEmail: z17.string().optional()
2927
+ userEmail: z14.string().optional()
2906
2928
  });
2907
- VulnerabilityAttributionMessageZ = z17.object({
2908
- fixReportId: z17.string().uuid(),
2909
- vulnerabilityAttributionRequestId: z17.string().uuid(),
2910
- userEmail: z17.string()
2929
+ VulnerabilityAttributionMessageZ = z14.object({
2930
+ fixReportId: z14.string().uuid(),
2931
+ vulnerabilityAttributionRequestId: z14.string().uuid(),
2932
+ userEmail: z14.string()
2911
2933
  });
2912
2934
  }
2913
2935
  });
@@ -4237,1843 +4259,180 @@ var contextLogger = {
4237
4259
  const logger3 = await createContextLogger();
4238
4260
  return logger3.debug(message, data);
4239
4261
  },
4240
- warn: async (message, data) => {
4241
- const logger3 = await createContextLogger();
4242
- return logger3.warn(message, data);
4243
- },
4244
- error: async (message, data) => {
4245
- const logger3 = await createContextLogger();
4246
- return logger3.error(message, data);
4247
- }
4248
- };
4249
-
4250
- // src/features/analysis/scm/errors.ts
4251
- var InvalidAccessTokenError = class extends Error {
4252
- constructor(m, scmType) {
4253
- super(m);
4254
- this.scmType = scmType;
4255
- }
4256
- };
4257
- var InvalidUrlPatternError = class extends Error {
4258
- constructor(m, scmType) {
4259
- super(m);
4260
- this.scmType = scmType;
4261
- }
4262
- };
4263
- var RefNotFoundError = class extends Error {
4264
- constructor(m) {
4265
- super(m);
4266
- }
4267
- };
4268
- var ScmBadCredentialsError = class extends Error {
4269
- constructor(m, scmType) {
4270
- super(m);
4271
- this.scmType = scmType;
4272
- }
4273
- };
4274
- var InvalidRepoUrlError = class extends Error {
4275
- constructor(m, scmType) {
4276
- super(m);
4277
- this.scmType = scmType;
4278
- }
4279
- };
4280
- var RepoNoTokenAccessError = class extends Error {
4281
- constructor(m, scmType) {
4282
- super(m);
4283
- this.scmType = scmType;
4284
- }
4285
- };
4286
- var RateLimitError = class extends Error {
4287
- constructor(m, scmType, retryAfter) {
4288
- super(m);
4289
- this.scmType = scmType;
4290
- this.retryAfter = retryAfter;
4291
- }
4292
- };
4293
- var NetworkError = class extends Error {
4294
- constructor(m, scmType, errorCode) {
4295
- super(m);
4296
- this.scmType = scmType;
4297
- this.errorCode = errorCode;
4298
- }
4299
- };
4300
-
4301
- // src/features/analysis/scm/utils/index.ts
4302
- import { z as z13 } from "zod";
4303
-
4304
- // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
4305
- init_client_generates();
4306
- init_getIssueType();
4307
- init_issueTypeCatalog();
4308
- function capitalizeFirstLetter(str) {
4309
- return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
4310
- }
4311
- function lowercaseFirstLetter(str) {
4312
- if (!str) return str;
4313
- return `${str.charAt(0).toLowerCase()}${str.slice(1)}`;
4314
- }
4315
- var severityToEmoji = {
4316
- ["critical" /* Critical */]: "\u{1F6A8}",
4317
- ["high" /* High */]: "\u{1F6A9}",
4318
- ["medium" /* Medium */]: "\u{1F7E1}",
4319
- ["low" /* Low */]: "\u{1F7E2}"
4320
- };
4321
- var getCommitDescription = ({
4322
- vendor,
4323
- issueType,
4324
- severity,
4325
- guidances,
4326
- fixUrl,
4327
- irrelevantIssueWithTags
4328
- }) => {
4329
- const issueTypeString = getIssueTypeFriendlyString(issueType);
4330
- let description = `This change fixes a **${severity} severity** (${severityToEmoji[severity]}) **${issueTypeString}** issue reported by **${capitalizeFirstLetter(
4331
- vendor
4332
- )}**.
4333
-
4334
- `;
4335
- if (issueType) {
4336
- if (irrelevantIssueWithTags?.[0]?.tag) {
4337
- description += `
4338
- > [!tip]
4339
- > This issue was found to be irrelevant to your project - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4340
- > Mobb recommends to ignore this issue, however fix is available if you think differently.
4341
-
4342
-
4343
- ## Justification
4344
- ${issueDescription[irrelevantIssueWithTags[0].tag]}
4345
- `;
4346
- }
4347
- const catalogEntry = getIssueTypeCatalogEntry(issueType);
4348
- if (catalogEntry?.issueDescription) {
4349
- description += `## Issue description
4350
- ${catalogEntry.issueDescription}
4351
- `;
4352
- if (catalogEntry.fixInstructions) {
4353
- description += `
4354
- ## Fix instructions
4355
- ${catalogEntry.fixInstructions}
4356
- `;
4357
- }
4358
- }
4359
- }
4360
- description += `
4361
- ${guidances.map(({ guidance }) => `## Additional actions required
4362
- ${guidance}
4363
- `).join("")}
4364
- `;
4365
- if (fixUrl) {
4366
- description += `
4367
- [More info and fix customization are available in the Mobb platform](${fixUrl})`;
4368
- }
4369
- return description;
4370
- };
4371
- var getCommitIssueDescription = ({
4372
- vendor,
4373
- issueType,
4374
- irrelevantIssueWithTags,
4375
- fpDescription,
4376
- unfixableDescription
4377
- }) => {
4378
- const issueTypeString = getIssueTypeFriendlyString(issueType);
4379
- let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4380
- `;
4381
- if (issueType) {
4382
- if (irrelevantIssueWithTags?.[0]?.tag) {
4383
- description = `
4384
- > [!tip]
4385
- > The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4386
- > ${issueTypeString} - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4387
- > Mobb recommends to ignore this issue, however fix is available if you think differently.
4388
-
4389
-
4390
- ## Justification
4391
- ${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
4392
- `;
4393
- }
4394
- const catalogEntry = getIssueTypeCatalogEntry(issueType);
4395
- if (catalogEntry?.issueDescription) {
4396
- description += `## Issue description
4397
- ${catalogEntry.issueDescription}
4398
- `;
4399
- }
4400
- }
4401
- return description;
4402
- };
4403
-
4404
- // src/features/analysis/scm/shared/src/index.ts
4405
- init_getIssueType();
4406
-
4407
- // src/features/analysis/scm/shared/src/guidances.ts
4408
- init_client_generates();
4409
- init_getIssueType();
4410
- import { z as z4 } from "zod";
4411
-
4412
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4413
- init_client_generates();
4414
- import { z as z2 } from "zod";
4415
-
4416
- // src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
4417
- var passwordInComment = {
4418
- guidance: () => "Removing sensitive information from the comments is not enough. To ensure the security of your data, you have to rotate passwords and tokens and update all places where they were used."
4419
- };
4420
-
4421
- // src/features/analysis/scm/shared/src/storedFixData/csharp/missingAntiForgeryValidation.ts
4422
- var missingAntiForgeryValidation = {
4423
- guidance: () => `The \`ValidateAntiForgeryToken\` attribute helps prevent cross-site request forgery (CSRF) attacks. The token is automatically injected into the view by the [FormTagHelper](https://learn.microsoft.com/en-us/aspnet/core/mvc/views/working-with-forms?view=aspnetcore-8.0#the-form-tag-helper)
4424
- and is included when the form is submitted by the user. The token is validated by the \`ValidateAntiForgeryToken\` attribute. The token could be also generated using the [Html.AntiForgeryToken](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.htmlhelper.antiforgerytoken?view=aspnet-mvc-5.2) helper.
4425
-
4426
-  
4427
-
4428
-
4429
- ***Make sure this controller's client provides the validation token before approving this change.***
4430
-
4431
-  
4432
-
4433
-
4434
- This is an illustration of how the form will look like:
4435
-
4436
-  
4437
-
4438
- <form method="post" action="/Action">
4439
- <!-- Input and Submit elements -->
4440
- <input name="__RequestVerificationToken"
4441
- type="hidden" value="<removed for brevity>">
4442
- </form>
4443
-
4444
-
4445
- ***Notice the \`__RequestVerificationToken\` parameters.***
4446
- `
4447
- };
4448
-
4449
- // src/features/analysis/scm/shared/src/storedFixData/csharp/index.ts
4450
- var vulnerabilities = {
4451
- ["MISSING_ANTIFORGERY_VALIDATION"]: missingAntiForgeryValidation,
4452
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4453
- };
4454
- var csharp_default = vulnerabilities;
4455
-
4456
- // src/features/analysis/scm/shared/src/storedFixData/dockerfile/index.ts
4457
- var vulnerabilities2 = {};
4458
- var dockerfile_default = vulnerabilities2;
4459
-
4460
- // src/features/analysis/scm/shared/src/storedFixData/go/index.ts
4461
- var vulnerabilities3 = {};
4462
- var go_default = vulnerabilities3;
4463
-
4464
- // src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
4465
- var vulnerabilities4 = {};
4466
- var hcl_default = vulnerabilities4;
4467
-
4468
- // src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
4469
- var insecureDeserialization = {
4470
- guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
4471
- };
4472
-
4473
- // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
4474
- var j2eeGetConnection = {
4475
- guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
4476
-
4477
-
4478
- &nbsp;
4479
-
4480
- ***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
4481
-
4482
- - **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
4483
- - **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
4484
- - **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
4485
- - **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
4486
-
4487
-
4488
- &nbsp;
4489
-
4490
- Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
4491
-
4492
-
4493
- &nbsp;
4494
-
4495
- This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
4496
- };
4497
-
4498
- // src/features/analysis/scm/shared/src/storedFixData/java/sqlInjection.ts
4499
- var sqlInjection = {
4500
- guidance: ({
4501
- hasQuestionMarksAfterTaintVar
4502
- }) => {
4503
- if (hasQuestionMarksAfterTaintVar) {
4504
- return "Please make sure to correct the following indices of the setInt()/setString() calls after the new parameter is added.";
4505
- }
4506
- return "";
4507
- }
4508
- };
4509
-
4510
- // src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
4511
- var systemInformationLeak = {
4512
- guidance: ({
4513
- clientMightBeAffected
4514
- }) => {
4515
- if (clientMightBeAffected) {
4516
- return "You should never expose error details to the client. We removed the error details from the response. Ensure the client application code does not rely on the removed information.";
4517
- }
4518
- return "";
4519
- }
4520
- };
4521
-
4522
- // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
4523
- var vulnerabilities5 = {
4524
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4525
- ["INSECURE_DESERIALIZATION"]: insecureDeserialization,
4526
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection,
4527
- ["SQL_Injection"]: sqlInjection,
4528
- ["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
4529
- };
4530
- var java_default = vulnerabilities5;
4531
-
4532
- // src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
4533
- var csrf = {
4534
- guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
4535
-
4536
-
4537
- If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
4538
-
4539
-
4540
- See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
4541
- };
4542
-
4543
- // src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
4544
- var hardcodedSecrets = {
4545
- guidance: ({ questions }) => {
4546
- const envVarName = questions.find((q) => q.key === "env_var_name")?.value || "the";
4547
- const keepAsDefault = questions.find(
4548
- (q) => q.key === "keep_as_default"
4549
- )?.value;
4550
- let additionalText = "";
4551
- if (keepAsDefault === "yes") {
4552
- additionalText = "\n1. Remove the hardcoded secret from the code.\n";
4553
- }
4554
- return `Please follow the steps in this specific order:
4555
-
4556
- 1. Change the secret that was hardcoded. It is essential because even when you commit the changes, the secret will remain in the git history.${additionalText}
4557
- 1. Update the configuration of all your application environments and CI/CD pipelines to set \`${envVarName}\` environment variable.
4558
- 1. Commit the changes.`;
4559
- }
4560
- };
4561
-
4562
- // src/features/analysis/scm/shared/src/storedFixData/javascript/noLimitsOrThrottling.ts
4563
- var noLimitsOrThrottling = {
4564
- guidance: () => "We set the default limit to 60 requests per minute. To customize the rate limit settings, please read the documentation of the [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) package."
4565
- };
4566
-
4567
- // src/features/analysis/scm/shared/src/storedFixData/javascript/ssrf.ts
4568
- var ssrf = {
4569
- guidance: () => "The server-side validates the domains it has access to, otherwise it throws an error if validation failed. Please make sure you handled the error correctly."
4570
- };
4571
-
4572
- // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
4573
- var vulnerabilities6 = {
4574
- ["SSRF"]: ssrf,
4575
- ["HARDCODED_SECRETS"]: hardcodedSecrets,
4576
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4577
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling,
4578
- ["CSRF"]: csrf
4579
- };
4580
- var javascript_default = vulnerabilities6;
4581
-
4582
- // src/features/analysis/scm/shared/src/storedFixData/php/index.ts
4583
- var vulnerabilities7 = {};
4584
- var php_default = vulnerabilities7;
4585
-
4586
- // src/features/analysis/scm/shared/src/storedFixData/python/autoEscapeFalse.ts
4587
- var autoEscapeFalse = {
4588
- guidance: () => `This fix enables automatic escaping for HTML. When that's enabled, everything is escaped by default except for values explicitly marked as safe. Variables and expressions can be marked as safe either in:
4589
-
4590
- a. The context dictionary by the application with \`markupsafe.Markup\`
4591
-
4592
- b. The template, with the \`|safe\` filter.
4593
-
4594
- &nbsp;
4595
-
4596
-
4597
- See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping) and [here](https://pypi.org/project/MarkupSafe/).
4598
-
4599
- &nbsp;
4600
-
4601
-
4602
- ***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
4603
- };
4604
-
4605
- // src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
4606
- var improperCertificateValidation = {
4607
- guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
4608
-
4609
- &nbsp;
4610
-
4611
- ***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
4612
-
4613
- &nbsp;
4614
-
4615
- See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
4616
- };
4617
-
4618
- // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
4619
- var vulnerabilities8 = {
4620
- ["AUTO_ESCAPE_FALSE"]: autoEscapeFalse,
4621
- ["CSRF"]: csrf,
4622
- ["IMPROPER_CERTIFICATE_VALIDATION"]: improperCertificateValidation
4623
- };
4624
- var python_default = vulnerabilities8;
4625
-
4626
- // src/features/analysis/scm/shared/src/storedFixData/sql/defaultRightsInObjDefinition.ts
4627
- var defaultRightsInObjDefinition = {
4628
- guidance: () => "***Make sure the user who is supposed to run the procedure has sufficient permissions.***\n\nRead more details about the `EXECUTE AS` statement in [the official Microsoft documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-clause-transact-sql?view=sql-server-ver16&tabs=sqlserver).\n\n`EXECUTE AS CALLER` is the default behavior for SQL Server 2005 and later."
4629
- };
4630
-
4631
- // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
4632
- var vulnerabilities9 = {
4633
- ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION"]: defaultRightsInObjDefinition
4634
- };
4635
- var sql_default = vulnerabilities9;
4636
-
4637
- // src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
4638
- var vulnerabilities10 = {
4639
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4640
- };
4641
- var xml_default = vulnerabilities10;
4642
-
4643
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4644
- var StoredFixDataItemZ = z2.object({
4645
- guidance: z2.function().args(z2.any()).returns(z2.string())
4646
- });
4647
- var languages = {
4648
- ["Java" /* Java */]: java_default,
4649
- ["JavaScript" /* JavaScript */]: javascript_default,
4650
- ["CSharp" /* CSharp */]: csharp_default,
4651
- ["SQL" /* Sql */]: sql_default,
4652
- ["XML" /* Xml */]: xml_default,
4653
- ["Python" /* Python */]: python_default,
4654
- ["PHP" /* Php */]: php_default,
4655
- ["Go" /* Go */]: go_default,
4656
- ["Dockerfile" /* Dockerfile */]: dockerfile_default,
4657
- ["Hcl" /* Hcl */]: hcl_default
4658
- };
4659
-
4660
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
4661
- init_client_generates();
4662
- import { z as z3 } from "zod";
4663
-
4664
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
4665
- var commandInjection = {
4666
- isUnixShellCommandPart: {
4667
- content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
4668
- description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
4669
-
4670
- - \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
4671
- - \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
4672
-
4673
- Answer **no** (the input is not plain data) when the input is:
4674
-
4675
- 1. The program/executable itself:
4676
- - \`system(input);\`
4677
- - \`sprintf(cmd, "%s -x", input);\`
4678
- 2. A command after a pipe or redirect:
4679
- - \`sprintf(cmd, "cat file.txt | %s", input);\`
4680
- 3. A part of a non-Unix or cross-platform shell command.
4681
- 4. A part of embedded code in another language:
4682
- - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
4683
- - \`sprintf(cmd, "awk '%s' file", input);\`
4684
- 5. A flag/option that controls a tool's behaviour:
4685
- - \`sprintf(cmd, "git --upload-pack %s", input);\``,
4686
- guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
4687
- },
4688
- executableLocationPath: {
4689
- content: () => "What is the absolute path of the directory containing the executable?",
4690
- description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
4691
-
4692
- Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
4693
- guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
4694
- }
4695
- };
4696
-
4697
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/pathManipulation.ts
4698
- var pathManipulation = {
4699
- baseDirectory: {
4700
- content: ({ expression }) => `Which directory must \`${expression}\` stay within? Enter the absolute base directory file access is restricted to.`,
4701
- description: ({ expression }) => `The fix canonicalizes \`${expression}\` (resolving \`.\`, \`..\`, and symlinks) and verifies the result stays inside this base directory. Provide the **absolute** root the application is allowed to read or write under, for example \`/var/app/data\`. The directory must exist at runtime. A path that resolves outside it is rejected at runtime.`,
4702
- guidance: (_) => "You **must** set this to an absolute path that exists at runtime and that your application confines file access to. If you leave it unset (or give a relative path), the generated fix is emitted with a placeholder identifier (`MOBB_SET_ALLOWED_BASE_DIR`) that **deliberately does not compile**, so a missing security boundary cannot be overlooked \u2014 replace it with your absolute base directory. A relative path would otherwise resolve against the process working directory (moving the boundary). At runtime the guard aborts (C: `exit(EXIT_FAILURE)`) / throws (C++: `std::runtime_error`) on a path that escapes the base. Pick the narrowest directory that still contains every legitimate file the code opens."
4703
- }
4704
- };
4705
-
4706
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
4707
- var vulnerabilities11 = {
4708
- ["CMDi"]: commandInjection,
4709
- ["PT"]: pathManipulation
4710
- };
4711
- var cpp_default = vulnerabilities11;
4712
-
4713
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
4714
- var httpOnlyCookie = {
4715
- httpOnlyCookie: {
4716
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
4717
- description: () => httpOnlyMessage,
4718
- guidance: () => ""
4719
- },
4720
- cookieVarName: {
4721
- content: () => "Please define a variable name",
4722
- description: () => `We need a variable for the new cookie instance`,
4723
- guidance: () => ""
4724
- }
4725
- };
4726
- var httpOnlyMessage = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
4727
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
4728
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
4729
-
4730
- &nbsp;
4731
-
4732
-
4733
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
4734
-
4735
- &nbsp;
4736
-
4737
- `;
4738
-
4739
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureBinderConfiguration.ts
4740
- var insecureBinderConfiguration = {
4741
- bindAttributeParam: {
4742
- content: ({ func_param_name }) => `Which properties of the model should be included in model binding for \`${func_param_name}\`?`,
4743
- description: () => "Provide a comma-separated list of valid property names to be included in model binding. See [the official documentation](https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding?view=aspnetcore-8.0#bind-attribute) for more details.",
4744
- guidance: () => ""
4745
- }
4746
- };
4747
-
4748
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureCookie.ts
4749
- var insecureCookie = {
4750
- insecureCookie: {
4751
- content: () => "Will this cookie be used only in encrypted channels (https)?",
4752
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
4753
- In environments like local development or test, setting cookies as secure might have some consequences:
4754
-
4755
- &nbsp;
4756
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
4757
- additional configuration and certificates. If cookies are marked as secure,
4758
- they won't be sent over HTTP, and this could potentially interfere with the normal
4759
- functioning of your application during development.
4760
-
4761
- &nbsp;
4762
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
4763
- testing environment accurately simulates the production environment's security features.
4764
- This may involve setting up HTTPS in your local development environment.
4765
-
4766
- &nbsp;
4767
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
4768
- development environment, especially if you need to inspect or manipulate the cookies during
4769
- development.`,
4770
- guidance: () => ""
4771
- },
4772
- cookieVarName: {
4773
- content: () => "Please define a variable name",
4774
- description: () => `We need a variable for the new cookie instance`,
4775
- guidance: () => ""
4776
- }
4777
- };
4778
-
4779
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureRandomness.ts
4780
- var insecureRandomness = {
4781
- isRandomNumberGeneratorAvailable: {
4782
- content: () => "We use the `RandomNumberGenerator` class from the `System.Security.Cryptography` package. Does this class exist for the .NET version you use?",
4783
- description: () => "See [the official documentation](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-8.0#applies-to) for more details.",
4784
- guidance: () => ""
4785
- },
4786
- isNetVersionGreaterThan6: {
4787
- content: () => "We are able to offer a more concise solution if the .NET version is greater then .NET 6",
4788
- description: () => "",
4789
- guidance: () => ""
4790
- }
4791
- };
4792
-
4793
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insufficientLogging.ts
4794
- var insufficientLogging = {
4795
- logMessage: {
4796
- content: () => "Enter the message that you want to appear in the log",
4797
- description: () => "",
4798
- guidance: () => ""
4799
- }
4800
- };
4801
-
4802
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/logForging.ts
4803
- var logForging = {
4804
- isHtmlDisplay: {
4805
- content: () => "Is the text written to the log going to be displayed as HTML?",
4806
- description: () => "",
4807
- guidance: ({ userInputValue }) => {
4808
- switch (userInputValue) {
4809
- case "yes":
4810
- return "We use the `System.Web` `HttpUtility` to decode the HTML";
4811
- default:
4812
- return "";
4813
- }
4814
- }
4815
- }
4816
- };
4817
-
4818
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/overlyBroadCatch.ts
4819
- var overlyBroadCatch = {
4820
- defaultExceptionsInWhenFilter: {
4821
- content: () => "Exceptions to filter",
4822
- description: () => "Coma separated list of the Fully Qualified Exceptions names",
4823
- guidance: () => ""
4824
- }
4825
- };
4826
-
4827
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/pt.ts
4828
- var pt = {
4829
- taintedTermType: {
4830
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file path?`,
4831
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
4832
- guidance: () => ""
4833
- },
4834
- pathTargetDir: {
4835
- content: () => "Allowed file path",
4836
- description: () => "Provide the intended file path destination eg: /tmp/testfiles/users/",
4837
- guidance: () => ""
4838
- }
4839
- };
4840
-
4841
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
4842
- var regexMissingTimeout = {
4843
- netVersionGreaterOrEqual7: {
4844
- content: () => "Is your target framework .NET 7 or greater?",
4845
- description: () => "",
4846
- guidance: () => ""
4847
- },
4848
- timeout: {
4849
- content: () => "Enter the timeout in milliseconds",
4850
- description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
4851
- guidance: () => ""
4852
- },
4853
- useBacktrackingOption: {
4854
- content: () => "Use non backtracking option",
4855
- description: () => "If the regex does not need to use backtracking we can disable it using regex options",
4856
- guidance: () => ""
4857
- }
4858
- };
4859
-
4860
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/requestParametersBoundViaInput.ts
4861
- var requestParametersBoundViaInput = {
4862
- fieldsToCopy: {
4863
- content: () => "Please list all the fields you expect as input from the user. Use comma separated list.",
4864
- description: () => `This is meant to avoid mass assignment vulnerabilities, where the user would enter an inner unexpected field`,
4865
- guidance: () => ""
4866
- }
4867
- };
4868
-
4869
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
4870
- var sqlInjection2 = {
4871
- databaseProvider: {
4872
- content: () => "Select the database provider",
4873
- description: () => "",
4874
- guidance: () => ""
4875
- }
4876
- };
4877
-
4878
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/ssrf.ts
4879
- var ssrf2 = {
4880
- domainsAllowlist: {
4881
- content: () => "Allowed domains",
4882
- description: () => "Coma separated list of allowed domains.",
4883
- guidance: () => ""
4884
- }
4885
- };
4886
-
4887
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sysLeak.ts
4888
- var sysLeak = {
4889
- errorMessage: {
4890
- content: () => "Enter the error message that you want to appear in the log",
4891
- description: () => "",
4892
- guidance: () => ""
4893
- },
4894
- noLoggerAction: {
4895
- content: () => "Which of the following you want to use instead of the vulnerable code?",
4896
- description: () => "",
4897
- guidance: () => ""
4898
- }
4899
- };
4900
-
4901
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/trustBoundaryViolation.ts
4902
- var trustBoundaryViolation = {
4903
- validationPattern: {
4904
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
4905
- description: () => "We use regex to validate the input to avoid runtime surprises",
4906
- guidance: () => ""
4907
- },
4908
- otherPatternValue: {
4909
- content: () => `Enter the regex pattern you would like to use to validate the input`,
4910
- description: () => "See patterns at [the regex docs](https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference)",
4911
- guidance: () => ""
4912
- }
4913
- };
4914
-
4915
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/useOfSystemOutputStream.ts
4916
- var useOfSystemOutputStream = {
4917
- noLoggerAction: {
4918
- content: () => "Which of the following you want to use instead of the vulnerable code?",
4919
- description: () => "",
4920
- guidance: () => ""
4921
- }
4922
- };
4923
-
4924
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/valueShadowing.ts
4925
- var valueShadowing = {
4926
- collectionName: {
4927
- content: () => "Please select the collection to search/index from",
4928
- description: () => `Accessing the root object eg Request["item"] searches across all available collections and returns the first item that matches. Potentially leading to the correct value being shadowed. Available collections include:
4929
- - QueryString: The values of variables in the HTTP query string.
4930
- - Form: The values of form elements in the HTTP request body.
4931
- - Cookies: The values of cookies sent in the HTTP request.
4932
- - ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
4933
- - ServerVariables: The values of predetermined environment variables.`,
4934
- guidance: () => `See
4935
- - https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524948(v=vs.90),
4936
- - https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8.1`
4937
- }
4938
- };
4939
-
4940
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/wcfMisconfigurationThrottlingNotEnabled.ts
4941
- var wcfMisconfigurationThrottlingNotEnabled = {
4942
- maxConcurrentCalls: {
4943
- content: () => "Please define the maximum concurrent calls",
4944
- description: () => `A positive integer that limits the number of messages that currently process across a ServiceHost. Calls in excess of the limit are queued. Setting this value to 0 is equivalent to setting it to Int32.MaxValue.`,
4945
- guidance: () => {
4946
- return "";
4947
- }
4948
- },
4949
- maxConcurrentInstances: {
4950
- content: () => "Please define the maximum concurrent instances",
4951
- description: () => `A positive integer that limits the number of InstanceContext objects that execute at one time across a ServiceHost. Requests to create additional instances are queued and complete when a slot below the limit becomes available.`,
4952
- guidance: () => {
4953
- return "";
4954
- }
4955
- },
4956
- maxConcurrentSessions: {
4957
- content: () => "Please define the maximum concurrent sessions",
4958
- description: () => `A positive integer that limits the number of sessions a ServiceHost object can accept.`,
4959
- guidance: () => {
4960
- return "";
4961
- }
4962
- }
4963
- };
4964
-
4965
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xss.ts
4966
- var xss = {
4967
- allowSpecialCharacters: {
4968
- content: ({ source_value }) => `Does your code allow encodable HTML characters like '&', '<', '"' etc. in: \`${source_value}\`?`,
4969
- description: () => "",
4970
- guidance: () => ""
4971
- },
4972
- containsHtml: {
4973
- content: ({ prop_value }) => `Does your code allow having HTML tags in: \`${prop_value}\`?`,
4974
- description: () => "",
4975
- guidance: () => ""
4976
- },
4977
- netVersionGreaterOrEqual45: {
4978
- content: () => "Is your target framework .NET 4.5 or greater?",
4979
- description: () => "",
4980
- guidance: () => ""
4981
- },
4982
- useHTML4NamedEntities: {
4983
- content: () => "Would you like to use HTML 4.0 Named entities?",
4984
- description: () => "See [examples](https://www.w3schools.com/charsets/ref_html_entities_4.asp) and [full description](https://www.w3.org/TR/WD-html40-970708/sgml/entities.html)",
4985
- guidance: () => ""
4986
- }
4987
- };
4988
-
4989
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xxe.ts
4990
- var xxe = {
4991
- netVersionGreaterOrEqual4: {
4992
- content: () => "Is your target framework .NET 4.0.0 or greater?",
4993
- description: () => "",
4994
- guidance: ({ userInputValue }) => {
4995
- switch (userInputValue) {
4996
- case "yes":
4997
- return "We set `DtdProcessing` to `DtdProcessing.Prohibit` in order to prevent DTD parsing.";
4998
- default:
4999
- return "We set `ProhibitDtd` to `true` in order to prevent DTD parsing.";
5000
- }
5001
- }
5002
- }
5003
- };
5004
-
5005
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
5006
- var vulnerabilities12 = {
5007
- ["LOG_FORGING"]: logForging,
5008
- ["SSRF"]: ssrf2,
5009
- ["XXE"]: xxe,
5010
- ["XSS"]: xss,
5011
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream,
5012
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak,
5013
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch,
5014
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation,
5015
- ["PT"]: pt,
5016
- ["REGEX_MISSING_TIMEOUT"]: regexMissingTimeout,
5017
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie,
5018
- ["INSECURE_COOKIE"]: insecureCookie,
5019
- ["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED"]: wcfMisconfigurationThrottlingNotEnabled,
5020
- ["INSECURE_BINDER_CONFIGURATION"]: insecureBinderConfiguration,
5021
- ["VALUE_SHADOWING"]: valueShadowing,
5022
- ["INSECURE_RANDOMNESS"]: insecureRandomness,
5023
- ["INSUFFICIENT_LOGGING"]: insufficientLogging,
5024
- ["SQL_Injection"]: sqlInjection2,
5025
- ["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
5026
- };
5027
- var csharp_default2 = vulnerabilities12;
5028
-
5029
- // src/features/analysis/scm/shared/src/storedQuestionData/go/logForging.ts
5030
- var logForging2 = {
5031
- isHtmlDisplay: {
5032
- content: () => "Is the text written to the log going to be displayed as HTML?",
5033
- description: () => "",
5034
- guidance: () => ""
5035
- }
5036
- };
5037
-
5038
- // src/features/analysis/scm/shared/src/storedQuestionData/go/missingSslMinversion.ts
5039
- var missingSslMinversion = {
5040
- minTlsVersion: {
5041
- content: () => "What is the minimum version of Transport Layer Security (TLS) you allow? Ensure compatibility between the server and clients.",
5042
- description: () => "",
5043
- guidance: () => ""
5044
- }
5045
- };
5046
-
5047
- // src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
5048
- var websocketMissingOriginCheck = {
5049
- minTlsVersion: {
5050
- content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
5051
- description: () => "",
5052
- guidance: () => ""
5053
- }
5054
- };
5055
-
5056
- // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
5057
- var vulnerabilities13 = {
5058
- ["LOG_FORGING"]: logForging2,
5059
- ["MISSING_SSL_MINVERSION"]: missingSslMinversion,
5060
- ["WEBSOCKET_MISSING_ORIGIN_CHECK"]: websocketMissingOriginCheck
5061
- };
5062
- var go_default2 = vulnerabilities13;
5063
-
5064
- // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
5065
- var commandInjection2 = {
5066
- isUnixShellCommandPart: {
5067
- content: () => "Is the input part of Unix shell command?",
5068
- description: () => `For example:
5069
-
5070
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -t 5 -c 5 " + input});\`
5071
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "curl " + input + " > file.txt"});\`
5072
-
5073
- Make sure the input is not:
5074
-
5075
- 1. An executable name:
5076
- - \`Runtime.getRuntime().exec(input);\`
5077
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", input});\`
5078
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", input + " param"});\`
5079
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "cat file.txt | " + input});\`
5080
- - \`Runtime.getRuntime().exec(new String[] {"/usr/bin/git", "--upload-pack", input});\`
5081
- 2. A part of non-unix or cross platform shell command:
5082
- - \`Runtime.getRuntime().exec(new String[] {"cmd.exe", "/c", "ping " + input});\`
5083
- 3. A part of programming language code:
5084
- - \`Runtime.getRuntime().exec(new String[] {"php", "-r", "echo '" + input + "';"});\`
5085
- - \`Runtime.getRuntime().exec(new String[] {"perl", "-e", "print '" + input + "'"});\``,
5086
- guidance: () => ""
5087
- },
5088
- installApacheCommonsText: {
5089
- content: () => "Is the Apache Commons library (org.apache.commons) included in your project, if not, can you add it?",
5090
- description: () => "Apache Commons Text is a library focused on algorithms working on strings.",
5091
- guidance: ({ userInputValue }) => userInputValue === "yes" ? "To add the library, modify your pom.xml or build.gradle to include the library. You can find the latest version here https://mvnrepository.com/artifact/org.apache.commons/commons-text" : ""
5092
- },
5093
- cmdAllowlist: {
5094
- content: () => "Allowed Commands",
5095
- description: () => "Make sure that the list of commands is separated by commas.",
5096
- guidance: () => ""
5097
- }
5098
- };
5099
-
5100
- // src/features/analysis/scm/shared/src/storedQuestionData/java/confusingNaming.ts
5101
- var confusingNaming = {
5102
- newFieldName: {
5103
- content: () => "Rename the existing field",
5104
- description: () => "",
5105
- guidance: () => ""
5106
- }
5107
- };
5108
-
5109
- // src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
5110
- var duplicatedStrings = {
5111
- constantName: {
5112
- content: () => "New constant name",
5113
- description: () => "",
5114
- guidance: () => ""
5115
- }
5116
- };
5117
-
5118
- // src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
5119
- var erroneousStringCompare = {
5120
- javaVersionGreaterOrEqual17: {
5121
- content: () => "Is `java.util.Objects` package available in your runtime?",
5122
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5123
- guidance: () => ""
5124
- }
5125
- };
5126
-
5127
- // src/features/analysis/scm/shared/src/storedQuestionData/java/errorConditionWithoutAction.ts
5128
- var errorConditionWithoutAction = {
5129
- errorMessage: {
5130
- content: () => "Enter the error message that you want to appear in the log",
5131
- description: () => "",
5132
- guidance: () => ""
5133
- }
5134
- };
5135
-
5136
- // src/features/analysis/scm/shared/src/storedQuestionData/java/httpOnlyCookie.ts
5137
- var httpOnlyCookie2 = {
5138
- httpOnlyCookie: {
5139
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
5140
- description: ({ class_name }) => class_name == "Cookie" ? `${httpOnlyMessage2} ${setHttpOnlyMethodMessage}` : httpOnlyMessage2,
5141
- guidance: () => ""
5142
- },
5143
- cookieVarName: {
5144
- content: () => "Please define a variable name",
5145
- description: () => `We need a variable for the new cookie instance`,
5146
- guidance: () => ""
5147
- }
5148
- };
5149
- var httpOnlyMessage2 = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
5150
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
5151
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
5152
-
5153
- &nbsp;
5154
-
5155
-
5156
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
5157
-
5158
- &nbsp;
5159
-
5160
- `;
5161
- var setHttpOnlyMethodMessage = `Beware that if your application is using a version of the javax.servlet-api package < 3.0
5162
- this change will not work since the method "setHttpOnly" is not present in previous of the package.`;
5163
-
5164
- // src/features/analysis/scm/shared/src/storedQuestionData/java/insecureCookie.ts
5165
- var insecureCookie2 = {
5166
- insecureCookie: {
5167
- content: () => "Will this cookie be used only in encrypted channels (https)?",
5168
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
5169
- In environments like local development or test, setting cookies as secure might have some consequences:
5170
-
5171
- &nbsp;
5172
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
5173
- additional configuration and certificates. If cookies are marked as secure,
5174
- they won't be sent over HTTP, and this could potentially interfere with the normal
5175
- functioning of your application during development.
5176
-
5177
- &nbsp;
5178
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
5179
- testing environment accurately simulates the production environment's security features.
5180
- This may involve setting up HTTPS in your local development environment.
5181
-
5182
- &nbsp;
5183
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
5184
- development environment, especially if you need to inspect or manipulate the cookies during
5185
- development.`,
5186
- guidance: () => ""
5187
- },
5188
- cookieVarName: {
5189
- content: () => "Please define a variable name",
5190
- description: () => `We need a variable for the new cookie instance`,
5191
- guidance: () => ""
5192
- }
5193
- };
5194
-
5195
- // src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
5196
- var j2eeGetConnection2 = {
5197
- jndiResourceName: {
5198
- content: () => "What JNDI name is the database connection pool registered under?",
5199
- description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
5200
- guidance: () => ""
5201
- }
5202
- };
5203
-
5204
- // src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
5205
- var leftoverDebugCode = {
5206
- isCodeUsed: {
5207
- content: () => "The function seems to be a remnant of debug code. Is it still being used?",
5208
- description: () => "",
5209
- guidance: () => ""
5210
- }
5211
- };
5212
-
5213
- // src/features/analysis/scm/shared/src/storedQuestionData/java/localeDependentComparison.ts
5214
- var localeDependentComparison = {
5215
- localeType: {
5216
- content: ({ variable }) => `Is ${variable} locale dependent?`,
5217
- description: () => `Select "locale insensitive" for string comparisons that are not dependent on the locale.
5218
-
5219
- Select "default locale" for string comparisons that uses the default locale.
5220
-
5221
- Select "custom locale" for string comparisons that are dependent on a specific locale language.`,
5222
- guidance: () => ""
5223
- },
5224
- customLocaleLanguage: {
5225
- content: () => "What is your locale language?",
5226
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5227
- guidance: () => ""
5228
- },
5229
- customLocaleCountry: {
5230
- content: () => "What is your locale country?",
5231
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5232
- guidance: () => ""
5233
- }
5234
- };
5235
-
5236
- // src/features/analysis/scm/shared/src/storedQuestionData/java/logForging.ts
5237
- var logForging3 = {
5238
- isHtmlDisplay: {
5239
- content: () => "Is the text written to the log going to be displayed as HTML?",
5240
- description: () => "",
5241
- guidance: () => ""
5242
- },
5243
- htmlEscapingLib: {
5244
- content: () => "Which HTML escaping library would you like to use?",
5245
- description: () => `
5246
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5247
- - Another \`option is org.apache.commons.text.StringEscapeUtils\``,
5248
- guidance: () => ""
5249
- }
5250
- };
5251
-
5252
- // src/features/analysis/scm/shared/src/storedQuestionData/java/missingCheckAgainstNull.ts
5253
- var missingCheckAgainstNull = {
5254
- preferredAction: {
5255
- content: ({ tainted_expression }) => `What is expected behavior if \`${tainted_expression}\` returns null?`,
5256
- description: () => "",
5257
- guidance: () => ""
5258
- },
5259
- javaVersionGreaterOrEqual17: {
5260
- content: () => "Is `java.util.Objects` package available in your runtime?",
5261
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5262
- guidance: () => ""
5263
- }
5264
- };
5265
-
5266
- // src/features/analysis/scm/shared/src/storedQuestionData/java/openRedirect.ts
5267
- var openRedirect = {
5268
- allowlist: {
5269
- content: () => "Allowed domains",
5270
- description: () => "Add a comma separated list of allowed domains (e.g. 'google.com,example.com')",
5271
- guidance: () => ""
5272
- }
5273
- };
5274
-
5275
- // src/features/analysis/scm/shared/src/storedQuestionData/java/overlyBroadCatch.ts
5276
- var overlyBroadCatch2 = {
5277
- handleRuntimeExceptions: {
5278
- content: () => "Does the code intentionally catch `RuntimeException` instances like `ArithmeticException` or `NullPointerException` in the `catch` block?",
5279
- description: () => "Usually, when catching the general `Exception` class catching of `RuntimeException` is implied and not necessarily the wanted/safe behavior. The application needs to deal with it explicitly in a different way, as the Mobb fix suggests.",
5280
- guidance: () => ""
5281
- }
5282
- };
5283
-
5284
- // src/features/analysis/scm/shared/src/storedQuestionData/java/privacyViolation.ts
5285
- var privacyViolation = {
5286
- remediationOption: {
5287
- content: () => "Preferred fix solution",
5288
- description: () => `
5289
- - Completely Remove the log message
5290
- - Replace the sensitive data with the string [Redacted]
5291
- - SHA 256 Hash the sensitive information in the log message`,
5292
- guidance: () => ""
5293
- }
5294
- };
5295
-
5296
- // src/features/analysis/scm/shared/src/storedQuestionData/java/pt.ts
5297
- var pt2 = {
5298
- isPathRelativeOnly: {
5299
- content: ({ expression }) => `Do you expect \`${expression}\` to be a relative path?`,
5300
- description: () => "You most likely want to serve files relative to the web server's static files folder in web applications. If so, your answer should be `yes`. In CLI applications, you probably would like to give the user more flexibility and allow them to specify absolute paths to any location on the disk \u2013 your answer should be `no` in such cases.",
5301
- guidance: () => ""
5302
- },
5303
- isFileName: {
5304
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file name part?`,
5305
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters. If \`${expression}\` is supposed to legitimately include such characters, the answer should be "no".`,
5306
- guidance: () => ""
5307
- }
5308
- };
5309
-
5310
- // src/features/analysis/scm/shared/src/storedQuestionData/java/relativePathCommand.ts
5311
- var relativePathCommand = {
5312
- executableLocationPath: {
5313
- content: () => "What is the absolute path of the directory containing the executable?",
5314
- description: () => "We need the absolute path to the executable to protect your application from command injection and ensure malicious actors cannot execute arbitrary commands on your system.",
5315
- guidance: () => ""
5316
- }
5317
- };
5318
-
5319
- // src/features/analysis/scm/shared/src/storedQuestionData/java/sqlInjection.ts
5320
- function capitalizeFirstLetter2(item) {
5321
- return item.charAt(0).toUpperCase() + item.slice(1);
5322
- }
5323
- var typeToSetMethod = {
5324
- integer: "setInt",
5325
- date: "setDate",
5326
- string: "setString"
5327
- };
5328
- var sqlInjection3 = {
5329
- parameterType: {
5330
- content: ({ tainted_term }) => `What is the SQL Data Type of the \`${tainted_term}\` parameter?`,
5331
- description: () => "In order to make sure the statement is built correctly, we must ensure we use the same type that is defined for this parameter in the SQL table. If you are unsure of this type, please consult with your team.",
5332
- guidance: ({
5333
- tainted_term,
5334
- taint_var_type_guidance_required,
5335
- userInputValue
5336
- }) => {
5337
- if (!taint_var_type_guidance_required || !userInputValue) {
5338
- return "";
5339
- }
5340
- if (!taint_var_type_guidance_required[userInputValue]) {
5341
- return "";
5342
- }
5343
- return `Make sure to convert \`${tainted_term}\` to \`${capitalizeFirstLetter2(
5344
- userInputValue
5345
- )}\` which is the type expected by the new setter method: \`${typeToSetMethod[userInputValue]}\``;
5346
- }
5347
- },
5348
- varName: {
5349
- content: () => "Name the new PreparedStatement variable",
5350
- description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
5351
- guidance: () => ""
5352
- },
5353
- taintIndex: {
5354
- content: ({ tainted_term }) => `What is the index of \`\`\`${tainted_term}\`\`\` in the query?`,
5355
- description: () => "When constructing a query, we need to know exactly where to insert this parameter. If the query has more than one parameter, the index gives us this information. Leave the value as 1 if there is only one parameter.",
5356
- guidance: () => ""
5357
- },
5358
- statementAfterQuery: {
5359
- content: ({ var_name }) => `Is the \`Statement\` variable \`${var_name}\` declared after constructing the query string?`,
5360
- description: () => "When creating the `PreparedStatement` parameter, we need to give it the constructed query. Currently, Mobb doesn't support the case where the query string is defined after the statement in your code.",
5361
- guidance: ({ userInputValue }) => userInputValue === "no" ? "You should move the code creating the query so it is executed before being used by the prepared statement" : ""
5362
- },
5363
- statementBeforeQuery: {
5364
- content: ({ var_name }) => `Is the query string variable declared after the \`Statement\` variable \`${var_name}\`?`,
5365
- description: ({ enquote_func_name }) => `We need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method. Currently, Mobb doesn't support the case where the query string is defined before the statement in your code.`,
5366
- guidance: ({
5367
- userInputValue,
5368
- enquote_func_name
5369
- }) => userInputValue === "no" ? `You should move the code creating the query so it is executed after creating the \`Statement\` object as we need to have the \`Statement\` object defined before using the \`${enquote_func_name}()\` method.` : ""
5370
- },
5371
- containsControlCharacters: {
5372
- content: ({ tainted_term }) => `Does \`\`\`${tainted_term}\`\`\` represent a single SQL parameter value?`,
5373
- description: () => `This should be 'no' only in the rare cases where the input variable itself does not represent a single SQL parameter value but rather other parts of a SQL query such as a table name, a column name, a list of values, a complete or partial inner SQL statement, etc.
5374
-
5375
- It may be confusing a bit, so here are some examples:
5376
-
5377
- * A SQL identifier \`\`\`(SELECT * FROM \${tableName})\`\`\`
5378
-
5379
- * A SQL statement \`\`\`(SELECT * FROM users ORDER BY id \${order})\`\`\``,
5380
- guidance: () => ""
5381
- },
5382
- javaVersionGreaterOrEqual19: {
5383
- content: ({ enquote_func_name }) => `Is \`java.sql.Statement.${enquote_func_name}\` method available in your runtime?`,
5384
- description: ({ enquote_func_name }) => `\`java.sql.Statement.${enquote_func_name}\` is supported in Java 1.9 or greater.`,
5385
- guidance: () => ""
5386
- },
5387
- queryParameterName: {
5388
- content: () => "What should be the name of the query parameter?",
5389
- description: () => "",
5390
- guidance: () => ""
5391
- }
5392
- };
5393
-
5394
- // src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
5395
- var ssrf3 = {
5396
- domainsAllowlist: {
5397
- content: () => "Allowed URL prefixes",
5398
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
5399
- &nbsp;
5400
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
5401
- guidance: () => ""
5402
- }
5403
- };
5404
-
5405
- // src/features/analysis/scm/shared/src/storedQuestionData/java/sysLeak.ts
5406
- var sysLeak2 = {
5407
- errorMessage: {
5408
- content: () => "Enter the error message that you want to appear in the log",
5409
- description: () => "",
5410
- guidance: () => ""
5411
- },
5412
- noLoggerAction: {
5413
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5414
- description: () => "",
5415
- guidance: () => ""
5416
- }
5417
- };
5418
-
5419
- // src/features/analysis/scm/shared/src/storedQuestionData/java/trustBoundaryViolation.ts
5420
- var trustBoundaryViolation2 = {
5421
- validationPattern: {
5422
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
5423
- description: () => "We use regex to validate the input to avoid runtime surprises",
5424
- guidance: () => ""
5425
- },
5426
- otherPatternValue: {
5427
- content: () => `Enter the regex pattern you would like to use to validate the input`,
5428
- description: () => "See patterns at [the regex javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html)",
5429
- guidance: () => ""
5430
- }
5431
- };
5432
-
5433
- // src/features/analysis/scm/shared/src/storedQuestionData/java/uncheckedLoopCondition.ts
5434
- var uncheckedLoopCondition = {
5435
- loopLimit: {
5436
- content: () => "Please define a maximum loop limit",
5437
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5438
- guidance: () => ""
5439
- },
5440
- varName: {
5441
- content: () => "Please define a variable name",
5442
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5443
- guidance: () => ""
5444
- }
5445
- };
5446
-
5447
- // src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
5448
- var unsafeReflection = {
5449
- classAllowlist: {
5450
- content: () => "Allowed class names for reflection",
5451
- description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
5452
- guidance: () => ""
5453
- }
5454
- };
5455
-
5456
- // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
5457
- var useOfSystemOutputStream2 = {
5458
- noLoggerAction: {
5459
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5460
- description: () => "",
5461
- guidance: () => ""
5462
- }
5463
- };
5464
-
5465
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xss.ts
5466
- var xss2 = {
5467
- isHtmlOrSafeAttribute: {
5468
- content: ({ tainted_variable }) => `Where is \`${tainted_variable}\` written to?`,
5469
- description: () => `Answer examples:
5470
-
5471
- - a text in an HTML tag or a value of a safe HTML attribute:
5472
- - \`<li><%= name %></li>\`
5473
- - \`<div>Name: <%= name %></div>\`
5474
- - \`<input value="<%= name %>" name="name"/>\`
5475
- - \`<div data-name="<%= name %>"></div>\`
5476
- - a JavaScript code block:
5477
- - \`<script>const name = "<%= name %>";</script>\`
5478
- - an event attribute of an HTML tag:
5479
- - \`<a onclick="alert('<%= name %>')">click me</a>\`
5480
- - \`<img onmouseover="alert('<%= name %>')"/>\`
5481
- - a src-like attribute of an HTML tag:
5482
- - \`<a href="/user/<%= name %>">me</a>\`
5483
- - \`<img src="/img/<%= name %>"/>\`
5484
- - \`<form action="<%= name %>"></form>\`
5485
- - \`<iframe srcdoc="<%= name %>"/>\`
5486
- - a part of an HTML tag attributes list:
5487
- - \`<a <%= name %>>text</a>\`
5488
-
5489
- See more details about safe and unsafe HTML attributes:
5490
- - [PortSwigger cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
5491
- - [DOMPurify attributes filter implementation](https://github.com/cure53/DOMPurify/blob/c29aa900a1c286b82ee4f48a7ffab96cab3e84fa/src/attrs.js)
5492
- `,
5493
- guidance: () => ""
5494
- },
5495
- isHtmlEncoded: {
5496
- content: () => "Is the user input already encoded as HTML text?",
5497
- description: () => "If you are unsure, we will decode the user input and encode it again to ensure it is safe and the data is kept the same.",
5498
- guidance: () => ""
5499
- },
5500
- htmlEscapingLib: {
5501
- content: () => "Which HTML escaping library would you like to use?",
5502
- description: () => `
5503
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5504
- - Another option is \`org.apache.commons.text.StringEscapeUtils\``,
5505
- guidance: () => ""
5506
- }
5507
- };
5508
-
5509
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xxe.ts
5510
- var xxe2 = {
5511
- factoryVarName: {
5512
- content: () => "Name the new Factory variable",
5513
- description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
5514
- guidance: () => ""
5515
- }
5516
- };
5517
-
5518
- // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
5519
- var vulnerabilities14 = {
5520
- ["SQL_Injection"]: sqlInjection3,
5521
- ["CMDi_relative_path_command"]: relativePathCommand,
5522
- ["CMDi"]: commandInjection2,
5523
- ["CONFUSING_NAMING"]: confusingNaming,
5524
- ["ERROR_CONDTION_WITHOUT_ACTION"]: errorConditionWithoutAction,
5525
- ["XXE"]: xxe2,
5526
- ["XSS"]: xss2,
5527
- ["PRIVACY_VIOLATION"]: privacyViolation,
5528
- ["PT"]: pt2,
5529
- ["SSRF"]: ssrf3,
5530
- ["LOG_FORGING"]: logForging3,
5531
- ["LOCALE_DEPENDENT_COMPARISON"]: localeDependentComparison,
5532
- ["MISSING_CHECK_AGAINST_NULL"]: missingCheckAgainstNull,
5533
- ["OPEN_REDIRECT"]: openRedirect,
5534
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch2,
5535
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak2,
5536
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream2,
5537
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie2,
5538
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition,
5539
- ["INSECURE_COOKIE"]: insecureCookie2,
5540
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation2,
5541
- ["UNSAFE_REFLECTION"]: unsafeReflection,
5542
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection2,
5543
- ["LEFTOVER_DEBUG_CODE"]: leftoverDebugCode,
5544
- ["ERRONEOUS_STRING_COMPARE"]: erroneousStringCompare,
5545
- ["DUPLICATED_STRINGS"]: duplicatedStrings
5546
- };
5547
- var java_default2 = vulnerabilities14;
5548
-
5549
- // src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
5550
- var csrf2 = {
5551
- isPythonDjangoTemplate: {
5552
- content: () => "Is the reported file Python Django template?",
5553
- description: () => "",
5554
- guidance: () => ""
5555
- }
5556
- };
5557
-
5558
- // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
5559
- var commandInjection3 = {
5560
- isCommandExecutable: {
5561
- content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
5562
- description: () => `Does the command fall into one of the following categories:
5563
-
5564
- 1. An executable name:
5565
- - \`exec(input);\`
5566
- - \`exec("/bin/bash " + input);\`
5567
- - \`exec("/bin/sh -c" + input + " param");\`
5568
- - \`exec("/bin/bash -c cat file.txt | " + input);\`
5569
- - \`exec("/usr/bin/git --upload-pack " + input);\`
5570
- 2. A part of non-unix or cross platform shell command:
5571
- - \`exec("cmd.exe /c ping " + input);\`
5572
- 3. A part of programming language code:
5573
- - \`exec("php -r echo '" + input + "';");\`
5574
- - \`exec("perl -e print '" + input + "'");\``,
5575
- guidance: () => ""
5576
- }
5577
- };
5578
-
5579
- // src/features/analysis/scm/shared/src/storedQuestionData/js/graphqlDepthLimit.ts
5580
- var graphqlDepthLimit = {
5581
- depthLimit: {
5582
- content: () => "Please define a maximum query depth",
5583
- description: () => `Setting this number to a reasonable value will prevent the attack.
5584
- Make sure to pick a value large enough to allowed the nessecary amount of nested queries.`,
5585
- guidance: () => {
5586
- return "We use `graphql-depth-limit` npm package to limit the depth of nested queries. Please make sure you install the package using `npm install graphql-depth-limit`.";
5587
- }
5588
- }
5589
- };
5590
-
5591
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
5592
- var hardcodedDomainInHtml = {
5593
- isCDNFixedVersion: {
5594
- content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
5595
- description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
5596
- guidance: () => ""
5597
- }
5598
- };
5599
-
5600
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
5601
- var hardcodedSecrets2 = {
5602
- envVarName: {
5603
- content: () => "Please define an environment variable name",
5604
- description: () => `We will use this environment variable instead of the hardcoded secret`,
5605
- guidance: () => ""
5606
- },
5607
- keepAsDefault: {
5608
- content: () => "Do you want to keep the hardcoded secret in the code for now?",
5609
- description: () => 'Answer "yes" if you cannot set the environment variable in all environments right away.',
5610
- guidance: () => ""
5611
- }
5612
- };
5613
-
5614
- // src/features/analysis/scm/shared/src/storedQuestionData/js/iframeWithoutSandbox.ts
5615
- var iframeWithoutSandbox = {
5616
- iframeRestrictions: {
5617
- content: () => "Please define a comma-separated list of iframe sandbox restrictions (optional)",
5618
- description: () => `Possible values:
5619
- - allow-downloads
5620
- - allow-forms
5621
- - allow-modals
5622
- - allow-orientation-lock
5623
- - allow-pointer-lock
5624
- - allow-popups
5625
- - allow-popups-to-escape-sandbox
5626
- - allow-presentation
5627
- - allow-same-origin
5628
- - allow-scripts
5629
- - allow-storage-access-by-user-activation
5630
- - allow-top-navigation
5631
- - allow-top-navigation-by-user-activation
5632
- - allow-top-navigation-to-custom-protocols
5633
-
5634
- See more info [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox).`,
5635
- guidance: () => ""
5636
- }
5637
- };
5638
-
5639
- // src/features/analysis/scm/shared/src/storedQuestionData/js/incompleteUrlSanitization.ts
5640
- var incompleteUrlSanitization = {
5641
- allowedRootDomain: {
5642
- content: () => "The root domain of your application",
5643
- description: () => "We needed to strengthen the security check by ensuring that the url is under the root domain of your application.",
5644
- guidance: () => ""
5645
- }
5646
- };
5647
-
5648
- // src/features/analysis/scm/shared/src/storedQuestionData/js/insecureRandomness.ts
5649
- var insecureRandomness2 = {
5650
- isGetRandomValuesSupported: {
5651
- content: () => "Is getRandomValues() function supported by your JavaScript engine?",
5652
- description: () => "[getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is supported by [more than 97% of browsers](https://caniuse.com/?search=getRandomValues) and [Node.js >= 15.0.0](https://nodejs.org/api/webcrypto.html#cryptogetrandomvaluestypedarray).",
5653
- guidance: () => ""
5654
- }
5655
- };
5656
-
5657
- // src/features/analysis/scm/shared/src/storedQuestionData/js/logForging.ts
5658
- var logForging4 = {
5659
- isHtmlDisplay: {
5660
- content: () => "Is the text written to the log going to be displayed as HTML?",
5661
- description: () => "",
5662
- guidance: () => ""
5663
- }
5664
- };
5665
-
5666
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
5667
- var cspHeaderValue = {
5668
- cspHeaderValue: {
5669
- content: () => "Please provide the value for the Content-Security-Policy header",
5670
- description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
5671
-
5672
- &nbsp;
5673
- &nbsp;
5674
- **What it does**:
5675
-
5676
- &nbsp;
5677
- &nbsp;
5678
- CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
5679
-
5680
- &nbsp;
5681
- &nbsp;
5682
- - Which scripts can execute.
5683
- &nbsp; - Where images can be loaded from.
5684
- &nbsp; - Which styles can be applied.
5685
- &nbsp; - Which forms can be submitted to.
5686
- &nbsp; - What domains can be connected to.
5687
- &nbsp;
5688
- &nbsp; Default value explanation:
5689
- &nbsp;
5690
- &nbsp; - default-src 'self: Only allows resources from the same origin by default.
5691
- &nbsp; - script-src 'self': Only allows scripts to be loaded from the same origin.
5692
- &nbsp; - style-src 'self': Only allows styles from the same origin.
5693
- &nbsp; - object-src 'none': Disallows <object>, <embed>, and <applet> elements.
5694
- &nbsp; - base-uri 'self': Restricts where the <base> tag can point to.
5695
- &nbsp; - frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
5696
-
5697
- &nbsp;
5698
- &nbsp; **This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
5699
- guidance: () => ``
5700
- }
5701
- };
5702
-
5703
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
5704
- var headerMaxAge = {
5705
- headerMaxAge: {
5706
- content: () => "Please provide the maximum age of the header",
5707
- description: () => `This is the time, in seconds, that the browser should remember that the site is only to be accessed using \`HTTPS\`.
5708
- &nbsp;
5709
- &nbsp;
5710
- Setting the \`max-age\` to \`0\` (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via \`HTTP\`.
5711
-
5712
-
5713
- &nbsp;
5714
- &nbsp;
5715
- The HTTP Strict-Transport-Security response header (\`HSTS\`) informs browsers that the site
5716
- should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically
5717
- be converted to HTTPS.
5718
-
5719
-
5720
- &nbsp;
5721
- &nbsp;
5722
- If a website accepts a connection through \`HTTP\` and redirects to \`HTTPS\`, visitors may initially communicate with
5723
- the non-encrypted version of the site before being redirected, if, for example, the visitor
5724
- types \`http://www.example.com\` or even just \`example.com\`. This creates an opportunity for a man-in-the-middle attack.
5725
- The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
5726
-
5727
- &nbsp;
5728
- &nbsp;
5729
- The \`HTTP\` Strict Transport Security header informs the browser that it should never load a site using \`HTTP\`
5730
- and should automatically convert all attempts to access the site using \`HTTP\` to \`HTTPS\` requests instead.`,
5731
- guidance: () => ``
5732
- }
5733
- };
5734
-
5735
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
5736
- var xFrameOptionsValue = {
5737
- xFrameOptionsValue: {
5738
- content: () => "Please provide the value for the X-Frame-Options header",
5739
- description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).
5740
- &nbsp;
5741
- &nbsp; **Allowed values:**
5742
- &nbsp; - \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.
5743
- &nbsp; - \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
5744
- guidance: () => ``
5745
- }
5746
- };
5747
-
5748
- // src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
5749
- var noLimitsOrThrottling2 = {
5750
- setGlobalLimiter: {
5751
- content: () => "Would you like to use a global rate limit for all your endpoints within the same file?",
5752
- description: () => "",
5753
- guidance: () => ""
5754
- }
5755
- };
5756
-
5757
- // src/features/analysis/scm/shared/src/storedQuestionData/js/openRedirect.ts
5758
- var openRedirect2 = {
5759
- isExternal: {
5760
- content: () => "Does the redirect go to an external site?",
5761
- description: () => "",
5762
- guidance: () => ""
5763
- },
5764
- domainAllowlist: {
5765
- content: () => "Allowed domains names",
5766
- description: () => "please provide a coma separated list of allowed domains names (example.com, example.org, etc.)",
5767
- guidance: () => ""
5768
- },
5769
- pathAllowlist: {
5770
- content: () => "Allowed paths (URIs)",
5771
- description: () => "please provide a coma separated list of allowed path (/health, /api/v1/health, etc.)",
5772
- guidance: () => ""
5773
- },
5774
- includeProtocolValidation: {
5775
- content: () => "Should HTTP or HTTPS protocol be enforced?",
5776
- description: () => "please indicate if the protocol should be enforced",
5777
- guidance: () => ""
5778
- }
5779
- };
5780
-
5781
- // src/features/analysis/scm/shared/src/storedQuestionData/js/pt.ts
5782
- var pt3 = {
5783
- taintedTermType: {
5784
- content: ({ expression }) => `Does \`${expression}\` represent a file name, a relative path or an absolute path?`,
5785
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
5786
- guidance: () => ""
5787
- }
5788
- };
5789
-
5790
- // src/features/analysis/scm/shared/src/storedQuestionData/js/ssrf.ts
5791
- var ssrf4 = {
5792
- domainsAllowlist: {
5793
- content: () => "List of allowed domain names",
5794
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary domains.
5795
-
5796
- &nbsp;
5797
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of domains the server should be allowed to call.`,
5798
- guidance: () => ""
5799
- }
5800
- };
5801
-
5802
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeak.ts
5803
- var sysLeak3 = {
5804
- errorMessage: {
5805
- content: () => "Enter the error message that you want to appear in the log",
5806
- description: () => "",
5807
- guidance: () => ""
5808
- },
5809
- noLoggerAction: {
5810
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5811
- description: () => "",
5812
- guidance: () => ""
5813
- }
5814
- };
5815
-
5816
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeakExternal.ts
5817
- var sysLeakExternal = {
5818
- errorMessage: {
5819
- content: () => "Enter the error message that you want to appear to the user",
5820
- description: () => "",
5821
- guidance: () => ""
4262
+ warn: async (message, data) => {
4263
+ const logger3 = await createContextLogger();
4264
+ return logger3.warn(message, data);
4265
+ },
4266
+ error: async (message, data) => {
4267
+ const logger3 = await createContextLogger();
4268
+ return logger3.error(message, data);
5822
4269
  }
5823
4270
  };
5824
4271
 
5825
- // src/features/analysis/scm/shared/src/storedQuestionData/js/typeConfusion.ts
5826
- var typeConfusion = {
5827
- argumentType: {
5828
- content: () => "What is the type of the HTTP argument?",
5829
- description: () => "What is the type of the HTTP argument?",
5830
- guidance: () => ""
4272
+ // src/features/analysis/scm/errors.ts
4273
+ var InvalidAccessTokenError = class extends Error {
4274
+ constructor(m, scmType) {
4275
+ super(m);
4276
+ this.scmType = scmType;
5831
4277
  }
5832
4278
  };
5833
-
5834
- // src/features/analysis/scm/shared/src/storedQuestionData/js/uncheckedLoopCondition.ts
5835
- var uncheckedLoopCondition2 = {
5836
- loopLimit: {
5837
- content: () => "Please define a maximum loop limit",
5838
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5839
- guidance: () => ""
5840
- },
5841
- varName: {
5842
- content: () => "Please define a variable name",
5843
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5844
- guidance: () => ""
4279
+ var InvalidUrlPatternError = class extends Error {
4280
+ constructor(m, scmType) {
4281
+ super(m);
4282
+ this.scmType = scmType;
5845
4283
  }
5846
4284
  };
5847
-
5848
- // src/features/analysis/scm/shared/src/storedQuestionData/js/xss.ts
5849
- var xss3 = {
5850
- containsHtml: {
5851
- content: () => "Does the element or variable contain HTML formatting",
5852
- description: () => "",
5853
- guidance: () => ""
5854
- },
5855
- isParamTypeString: {
5856
- content: () => "Is the parameter passed to the $() function a string",
5857
- description: () => "",
5858
- guidance: () => ""
5859
- },
5860
- isSanitized: {
5861
- content: ({ expression }) => `Is the expression \`${expression}\` supposed to be not sanitized in this context?`,
5862
- description: () => "You are using unsafe string substitution in the template. This means that if the expression can contain maliciously crafted data, it may lead to XSS injection. To apply the fix, you have to make sure the expression is not sanitized on the backend already, and it does not represent an HTML code block.",
5863
- guidance: () => ""
5864
- },
5865
- isServerSideCode: {
5866
- content: () => "Is this code running on the server side (a NodeJS application)",
5867
- description: () => "The fix to this vulnerability is different is the code runs in the client (browser) or the server side (NodeJs)",
5868
- guidance: () => ""
4285
+ var RefNotFoundError = class extends Error {
4286
+ constructor(m) {
4287
+ super(m);
5869
4288
  }
5870
4289
  };
5871
-
5872
- // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
5873
- var vulnerabilities15 = {
5874
- ["CMDi"]: commandInjection3,
5875
- ["GRAPHQL_DEPTH_LIMIT"]: graphqlDepthLimit,
5876
- ["INSECURE_RANDOMNESS"]: insecureRandomness2,
5877
- ["SSRF"]: ssrf4,
5878
- ["TYPE_CONFUSION"]: typeConfusion,
5879
- ["INCOMPLETE_URL_SANITIZATION"]: incompleteUrlSanitization,
5880
- ["LOG_FORGING"]: logForging4,
5881
- ["XSS"]: xss3,
5882
- ["OPEN_REDIRECT"]: openRedirect2,
5883
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak3,
5884
- ["SYSTEM_INFORMATION_LEAK_EXTERNAL"]: sysLeakExternal,
5885
- ["IFRAME_WITHOUT_SANDBOX"]: iframeWithoutSandbox,
5886
- ["PT"]: pt3,
5887
- ["HARDCODED_SECRETS"]: hardcodedSecrets2,
5888
- ["MISSING_HSTS_HEADER"]: headerMaxAge,
5889
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition2,
5890
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling2,
5891
- ["MISSING_CSP_HEADER"]: cspHeaderValue,
5892
- ["MISSING_X_FRAME_OPTIONS"]: xFrameOptionsValue,
5893
- ["HARDCODED_DOMAIN_IN_HTML"]: hardcodedDomainInHtml,
5894
- ["CSRF"]: csrf2
5895
- };
5896
- var js_default = vulnerabilities15;
5897
-
5898
- // src/features/analysis/scm/shared/src/storedQuestionData/python/duplicatedStrings.ts
5899
- var duplicatedStrings2 = {
5900
- constantName: {
5901
- content: () => "New constant name",
5902
- description: () => "",
5903
- guidance: () => ""
4290
+ var ScmBadCredentialsError = class extends Error {
4291
+ constructor(m, scmType) {
4292
+ super(m);
4293
+ this.scmType = scmType;
5904
4294
  }
5905
4295
  };
5906
-
5907
- // src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
5908
- var logForging5 = {
5909
- isHtmlDisplay: {
5910
- content: () => "Is the text written to the log going to be displayed as HTML?",
5911
- description: () => "",
5912
- guidance: ({ userInputValue }) => {
5913
- switch (userInputValue) {
5914
- case "yes":
5915
- return "We use `html.escape` to decode the HTML";
5916
- default:
5917
- return "";
5918
- }
5919
- }
4296
+ var InvalidRepoUrlError = class extends Error {
4297
+ constructor(m, scmType) {
4298
+ super(m);
4299
+ this.scmType = scmType;
5920
4300
  }
5921
4301
  };
5922
-
5923
- // src/features/analysis/scm/shared/src/storedQuestionData/python/missingEncoding.ts
5924
- var missingEncoding = {
5925
- fEncoding: {
5926
- content: () => "Enter the encoding of the file",
5927
- description: () => "",
5928
- guidance: () => ""
4302
+ var RepoNoTokenAccessError = class extends Error {
4303
+ constructor(m, scmType) {
4304
+ super(m);
4305
+ this.scmType = scmType;
5929
4306
  }
5930
4307
  };
5931
-
5932
- // src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
5933
- var openRedirect3 = {
5934
- allowed_hosts: {
5935
- content: () => "Allowed domains/paths",
5936
- description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
5937
- guidance: () => ""
4308
+ var RateLimitError = class extends Error {
4309
+ constructor(m, scmType, retryAfter) {
4310
+ super(m);
4311
+ this.scmType = scmType;
4312
+ this.retryAfter = retryAfter;
5938
4313
  }
5939
4314
  };
5940
-
5941
- // src/features/analysis/scm/shared/src/storedQuestionData/python/ssrf.ts
5942
- var ssrf5 = {
5943
- domainsAllowlist: {
5944
- content: () => "Allowed URL prefixes",
5945
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
5946
- &nbsp;
5947
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
5948
- guidance: () => ""
4315
+ var NetworkError = class extends Error {
4316
+ constructor(m, scmType, errorCode) {
4317
+ super(m);
4318
+ this.scmType = scmType;
4319
+ this.errorCode = errorCode;
5949
4320
  }
5950
4321
  };
5951
4322
 
5952
- // src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
5953
- var uncheckedLoopCondition3 = {
5954
- loopLimit: {
5955
- content: () => "Please define a maximum loop limit",
5956
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5957
- guidance: () => ""
5958
- },
5959
- varName: {
5960
- content: () => "Please define a variable name",
5961
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5962
- guidance: () => ""
5963
- }
5964
- };
4323
+ // src/features/analysis/scm/utils/index.ts
4324
+ import { z as z10 } from "zod";
5965
4325
 
5966
- // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
5967
- var vulnerabilities16 = {
5968
- ["CSRF"]: csrf2,
5969
- ["LOG_FORGING"]: logForging5,
5970
- ["OPEN_REDIRECT"]: openRedirect3,
5971
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition3,
5972
- ["DUPLICATED_STRINGS"]: duplicatedStrings2,
5973
- ["MISSING_ENCODING_FILE_OPEN"]: missingEncoding,
5974
- ["SSRF"]: ssrf5
4326
+ // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
4327
+ init_client_generates();
4328
+ init_getIssueType();
4329
+ init_issueTypeCatalog();
4330
+ function capitalizeFirstLetter(str) {
4331
+ return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
4332
+ }
4333
+ function lowercaseFirstLetter(str) {
4334
+ if (!str) return str;
4335
+ return `${str.charAt(0).toLowerCase()}${str.slice(1)}`;
4336
+ }
4337
+ var severityToEmoji = {
4338
+ ["critical" /* Critical */]: "\u{1F6A8}",
4339
+ ["high" /* High */]: "\u{1F6A9}",
4340
+ ["medium" /* Medium */]: "\u{1F7E1}",
4341
+ ["low" /* Low */]: "\u{1F7E2}"
5975
4342
  };
5976
- var python_default2 = vulnerabilities16;
4343
+ var getCommitDescription = ({
4344
+ vendor,
4345
+ issueType,
4346
+ severity,
4347
+ guidances,
4348
+ fixUrl,
4349
+ irrelevantIssueWithTags
4350
+ }) => {
4351
+ const issueTypeString = getIssueTypeFriendlyString(issueType);
4352
+ let description = `This change fixes a **${severity} severity** (${severityToEmoji[severity]}) **${issueTypeString}** issue reported by **${capitalizeFirstLetter(
4353
+ vendor
4354
+ )}**.
5977
4355
 
5978
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
5979
- var unboundedOccurrences = {
5980
- maxOccursLimit: {
5981
- content: () => "The number of allowed repetitions of the element.",
5982
- description: () => "",
5983
- guidance: () => `Setting this number to a reasonable value will prevent the attack.
5984
- A value too low will prevent valid XMLs from being processed.
5985
- A value too high will cause performance issues up to and including denial of service.`
5986
- }
5987
- };
4356
+ `;
4357
+ if (issueType) {
4358
+ if (irrelevantIssueWithTags?.[0]?.tag) {
4359
+ description += `
4360
+ > [!tip]
4361
+ > This issue was found to be irrelevant to your project - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4362
+ > Mobb recommends to ignore this issue, however fix is available if you think differently.
5988
4363
 
5989
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
5990
- var vulnerabilities17 = {
5991
- ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES"]: unboundedOccurrences
5992
- };
5993
- var xml_default2 = vulnerabilities17;
5994
4364
 
5995
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/noNewPrivileges.ts
5996
- var noNewPrivileges = {
5997
- requireNewPrivileges: {
5998
- content: () => "Does the container require new privileges?",
5999
- description: () => "",
6000
- guidance: () => `If the container requires new privileges, setting the no-new-privileges option might harm the container functionality.`
4365
+ ## Justification
4366
+ ${issueDescription[irrelevantIssueWithTags[0].tag]}
4367
+ `;
4368
+ }
4369
+ const catalogEntry = getIssueTypeCatalogEntry(issueType);
4370
+ if (catalogEntry?.issueDescription) {
4371
+ description += `## Issue description
4372
+ ${catalogEntry.issueDescription}
4373
+ `;
4374
+ if (catalogEntry.fixInstructions) {
4375
+ description += `
4376
+ ## Fix instructions
4377
+ ${catalogEntry.fixInstructions}
4378
+ `;
4379
+ }
4380
+ }
6001
4381
  }
6002
- };
6003
-
6004
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/portAllInterfaces.ts
6005
- var portAllInterfaces = {
6006
- trustedIP: {
6007
- content: () => "Enter trusted Network IP",
6008
- description: () => "",
6009
- guidance: () => `Properly set this value to prevent access from untrusted network adapters. Setting this to a wrong value would prevent accessing the container and might break the system.`
4382
+ description += `
4383
+ ${guidances.map(({ guidance }) => `## Additional actions required
4384
+ ${guidance}
4385
+ `).join("")}
4386
+ `;
4387
+ if (fixUrl) {
4388
+ description += `
4389
+ [More info and fix customization are available in the Mobb platform](${fixUrl})`;
6010
4390
  }
4391
+ return description;
6011
4392
  };
4393
+ var getCommitIssueDescription = ({
4394
+ vendor,
4395
+ issueType,
4396
+ irrelevantIssueWithTags,
4397
+ fpDescription,
4398
+ unfixableDescription
4399
+ }) => {
4400
+ const issueTypeString = getIssueTypeFriendlyString(issueType);
4401
+ let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4402
+ `;
4403
+ if (issueType) {
4404
+ if (irrelevantIssueWithTags?.[0]?.tag) {
4405
+ description = `
4406
+ > [!tip]
4407
+ > The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4408
+ > ${issueTypeString} - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4409
+ > Mobb recommends to ignore this issue, however fix is available if you think differently.
6012
4410
 
6013
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/writableFilesystemService.ts
6014
- var writableFilesystemService = {
6015
- requireWriteAccess: {
6016
- content: () => "Does the container require writable filesystem access?",
6017
- description: () => "",
6018
- guidance: () => `If the container requires writable filesystem access, setting the filesystem as readonly might harm the container functionality.`
6019
- }
6020
- };
6021
4411
 
6022
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
6023
- var vulnerabilities18 = {
6024
- ["PORT_ALL_INTERFACES"]: portAllInterfaces,
6025
- ["WRITABLE_FILESYSTEM_SERVICE"]: writableFilesystemService,
6026
- ["NO_NEW_PRIVILEGES"]: noNewPrivileges
4412
+ ## Justification
4413
+ ${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
4414
+ `;
4415
+ }
4416
+ const catalogEntry = getIssueTypeCatalogEntry(issueType);
4417
+ if (catalogEntry?.issueDescription) {
4418
+ description += `## Issue description
4419
+ ${catalogEntry.issueDescription}
4420
+ `;
4421
+ }
4422
+ }
4423
+ return description;
6027
4424
  };
6028
- var yaml_default = vulnerabilities18;
6029
4425
 
6030
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
6031
- var StoredQuestionDataItemZ = z3.object({
6032
- content: z3.function().args(z3.any()).returns(z3.string()),
6033
- description: z3.function().args(z3.any()).returns(z3.string()),
6034
- guidance: z3.function().args(z3.any()).returns(z3.string())
6035
- });
6036
- var languages2 = {
6037
- ["Java" /* Java */]: java_default2,
6038
- ["JavaScript" /* JavaScript */]: js_default,
6039
- ["XML" /* Xml */]: xml_default2,
6040
- ["CSharp" /* CSharp */]: csharp_default2,
6041
- ["Python" /* Python */]: python_default2,
6042
- ["Go" /* Go */]: go_default2,
6043
- ["Cpp" /* Cpp */]: cpp_default,
6044
- ["YAML" /* Yaml */]: yaml_default
6045
- };
6046
- var storedQuestionData_default = languages2;
4426
+ // src/features/analysis/scm/shared/src/index.ts
4427
+ init_getIssueType();
6047
4428
 
6048
4429
  // src/features/analysis/scm/shared/src/guidances.ts
4430
+ init_client_generates();
6049
4431
  function toQuestion(userInput) {
6050
4432
  const { key, defaultValue } = userInput;
6051
4433
  const value = userInput.value || defaultValue;
6052
4434
  return { ...userInput, defaultValue, value, key, error: false };
6053
4435
  }
6054
- function getQuestionInformation({
6055
- fixQuestionData,
6056
- issueType,
6057
- language
6058
- }) {
6059
- const { name } = fixQuestionData;
6060
- const storedQuestionDataItem = storedQuestionData_default[language]?.[issueType]?.[name] ?? {
6061
- content: () => "",
6062
- description: () => "",
6063
- guidance: () => ""
6064
- };
6065
- return StoredQuestionDataItemZ.parse(storedQuestionDataItem);
6066
- }
6067
- function curriedQuestionInformationByQuestion({
6068
- issueType,
6069
- language
6070
- }) {
6071
- return (fixQuestionData) => getQuestionInformation({
6072
- issueType,
6073
- language,
6074
- fixQuestionData
6075
- });
6076
- }
6077
4436
  function getPackageFixGuidance(actionsRequired) {
6078
4437
  const actionRequiredStrings = actionsRequired.map((action) => {
6079
4438
  if (action.language === "JS" /* Js */) {
@@ -6108,63 +4467,20 @@ function getPackageFixGuidance(actionsRequired) {
6108
4467
  return actionRequiredStrings.filter((action) => !!action);
6109
4468
  }
6110
4469
  function getFixGuidances({
6111
- issueType,
6112
- issueLanguage,
6113
- fixExtraContext,
6114
- questions
4470
+ fixExtraContext
6115
4471
  }) {
6116
- const storedFixGuidanceDataItem = languages[issueLanguage || ""]?.[issueType || ""] ?? {};
6117
- const storeFixResult = StoredFixDataItemZ.safeParse(storedFixGuidanceDataItem);
6118
4472
  const libGuidances = getPackageFixGuidance(
6119
4473
  fixExtraContext.manifestActionsRequired
6120
4474
  );
6121
- const extraContext = fixExtraContext.extraContext.reduce(
6122
- (acc, obj) => {
6123
- acc[obj.key] = obj.value;
6124
- return acc;
6125
- },
6126
- {}
6127
- );
6128
- const fixGuidance = storeFixResult.success ? [storeFixResult.data.guidance({ questions, ...extraContext })] : [];
6129
- return libGuidances.concat(fixGuidance).filter((guidance) => !!guidance);
4475
+ const servedFixGuidances = fixExtraContext.guidances ?? [];
4476
+ return libGuidances.concat(servedFixGuidances).filter((guidance) => !!guidance);
6130
4477
  }
6131
- var IssueTypeAndLanguageZ = z4.object({
6132
- issueType: SafeIssueTypeStringZ,
6133
- issueLanguage: z4.nativeEnum(IssueLanguage_Enum)
6134
- });
6135
4478
  function getGuidances(args) {
6136
- const safeIssueTypeAndLanguage = IssueTypeAndLanguageZ.safeParse({
6137
- issueType: args.issueType,
6138
- issueLanguage: args.issueLanguage
6139
- });
6140
- if (!safeIssueTypeAndLanguage.success) {
6141
- return [];
6142
- }
6143
4479
  const { questions, fixExtraContext } = args;
6144
- const { issueType, issueLanguage } = safeIssueTypeAndLanguage.data;
6145
- const fixGuidances = getFixGuidances({
6146
- issueType,
6147
- issueLanguage,
6148
- fixExtraContext,
6149
- questions
6150
- }).map((guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` }));
6151
- return questions.map((question) => {
6152
- let questionGuidance = question.guidance;
6153
- if (!questionGuidance && issueType && issueLanguage) {
6154
- const getFixInformation = curriedQuestionInformationByQuestion({
6155
- issueType,
6156
- language: issueLanguage
6157
- });
6158
- const { guidance } = getFixInformation(question);
6159
- questionGuidance = guidance({
6160
- userInputValue: question.value
6161
- });
6162
- }
6163
- return {
6164
- ...question,
6165
- guidance: questionGuidance
6166
- };
6167
- }).filter(({ guidance }) => !!guidance).map(({ guidance, key }) => ({ guidance, key })).concat(fixGuidances);
4480
+ const fixGuidances = getFixGuidances({ fixExtraContext }).map(
4481
+ (guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` })
4482
+ );
4483
+ return questions.map((question) => ({ guidance: question.guidance, key: question.key })).filter(({ guidance }) => !!guidance).concat(fixGuidances);
6168
4484
  }
6169
4485
 
6170
4486
  // src/features/analysis/scm/shared/src/index.ts
@@ -6196,19 +4512,19 @@ function getIssueUrl({
6196
4512
  init_validations();
6197
4513
 
6198
4514
  // src/features/analysis/scm/types.ts
6199
- import { z as z12 } from "zod";
4515
+ import { z as z9 } from "zod";
6200
4516
  var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
6201
4517
  ReferenceType2["BRANCH"] = "BRANCH";
6202
4518
  ReferenceType2["COMMIT"] = "COMMIT";
6203
4519
  ReferenceType2["TAG"] = "TAG";
6204
4520
  return ReferenceType2;
6205
4521
  })(ReferenceType || {});
6206
- var GithubFullShaZ = z12.string().regex(/^[a-f0-9]{40}$/);
6207
- var MergedPrSurvivalMetadataZ = z12.object({
6208
- mergeCommitShas: z12.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
4522
+ var GithubFullShaZ = z9.string().regex(/^[a-f0-9]{40}$/);
4523
+ var MergedPrSurvivalMetadataZ = z9.object({
4524
+ mergeCommitShas: z9.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
6209
4525
  message: "mergeCommitShas must contain unique SHAs"
6210
4526
  }),
6211
- targetBranch: z12.string().min(1)
4527
+ targetBranch: z9.string().min(1)
6212
4528
  });
6213
4529
  var ScmLibScmType = /* @__PURE__ */ ((ScmLibScmType2) => {
6214
4530
  ScmLibScmType2["GITHUB"] = "GITHUB";
@@ -6235,10 +4551,10 @@ var scmTypeToScmLibScmType = {
6235
4551
  ["Ado" /* Ado */]: "ADO" /* ADO */,
6236
4552
  ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
6237
4553
  };
6238
- var GetReferenceResultZ = z12.object({
6239
- date: z12.date().optional(),
6240
- sha: z12.string(),
6241
- type: z12.nativeEnum(ReferenceType)
4554
+ var GetReferenceResultZ = z9.object({
4555
+ date: z9.date().optional(),
4556
+ sha: z9.string(),
4557
+ type: z9.nativeEnum(ReferenceType)
6242
4558
  });
6243
4559
 
6244
4560
  // src/features/analysis/scm/utils/scm.ts
@@ -6385,7 +4701,7 @@ function shouldValidateUrl(repoUrl) {
6385
4701
  return repoUrl && isUrlHasPath(repoUrl);
6386
4702
  }
6387
4703
  function isBrokerUrl(url) {
6388
- return z13.string().uuid().safeParse(new URL(url).host).success;
4704
+ return z10.string().uuid().safeParse(new URL(url).host).success;
6389
4705
  }
6390
4706
  function buildAuthorizedRepoUrl(args) {
6391
4707
  const { url, username, password } = args;
@@ -6421,7 +4737,7 @@ function getCloudScmLibTypeFromUrl(url) {
6421
4737
  return void 0;
6422
4738
  }
6423
4739
  function getScmLibTypeFromScmType(scmType) {
6424
- const parsedScmType = z13.nativeEnum(ScmType).parse(scmType);
4740
+ const parsedScmType = z10.nativeEnum(ScmType).parse(scmType);
6425
4741
  return scmTypeToScmLibScmType[parsedScmType];
6426
4742
  }
6427
4743
  function getScmConfig({
@@ -6489,39 +4805,39 @@ init_env();
6489
4805
  import querystring from "querystring";
6490
4806
  import * as api from "azure-devops-node-api";
6491
4807
  import Debug from "debug";
6492
- import { z as z16 } from "zod";
4808
+ import { z as z13 } from "zod";
6493
4809
 
6494
4810
  // src/features/analysis/scm/ado/validation.ts
6495
- import { z as z15 } from "zod";
6496
- var ValidPullRequestStatusZ = z15.union([
6497
- z15.literal(1 /* Active */),
6498
- z15.literal(2 /* Abandoned */),
6499
- z15.literal(3 /* Completed */)
4811
+ import { z as z12 } from "zod";
4812
+ var ValidPullRequestStatusZ = z12.union([
4813
+ z12.literal(1 /* Active */),
4814
+ z12.literal(2 /* Abandoned */),
4815
+ z12.literal(3 /* Completed */)
6500
4816
  ]);
6501
- var AdoAuthResultZ = z15.object({
6502
- access_token: z15.string().min(1),
6503
- token_type: z15.string().min(1),
6504
- refresh_token: z15.string().min(1)
4817
+ var AdoAuthResultZ = z12.object({
4818
+ access_token: z12.string().min(1),
4819
+ token_type: z12.string().min(1),
4820
+ refresh_token: z12.string().min(1)
6505
4821
  });
6506
4822
  var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
6507
- scmOrgs: z15.array(z15.string())
4823
+ scmOrgs: z12.array(z12.string())
6508
4824
  });
6509
- var profileZ = z15.object({
6510
- displayName: z15.string(),
6511
- publicAlias: z15.string().min(1),
6512
- emailAddress: z15.string(),
6513
- coreRevision: z15.number(),
6514
- timeStamp: z15.string(),
6515
- id: z15.string(),
6516
- revision: z15.number()
4825
+ var profileZ = z12.object({
4826
+ displayName: z12.string(),
4827
+ publicAlias: z12.string().min(1),
4828
+ emailAddress: z12.string(),
4829
+ coreRevision: z12.number(),
4830
+ timeStamp: z12.string(),
4831
+ id: z12.string(),
4832
+ revision: z12.number()
6517
4833
  });
6518
- var accountsZ = z15.object({
6519
- count: z15.number(),
6520
- value: z15.array(
6521
- z15.object({
6522
- accountId: z15.string(),
6523
- accountUri: z15.string(),
6524
- accountName: z15.string()
4834
+ var accountsZ = z12.object({
4835
+ count: z12.number(),
4836
+ value: z12.array(
4837
+ z12.object({
4838
+ accountId: z12.string(),
4839
+ accountUri: z12.string(),
4840
+ accountName: z12.string()
6525
4841
  })
6526
4842
  )
6527
4843
  });
@@ -6614,7 +4930,7 @@ async function getAdoConnectData({
6614
4930
  oauthToken: adoTokenInfo.accessToken
6615
4931
  });
6616
4932
  return {
6617
- org: z16.string().parse(org),
4933
+ org: z13.string().parse(org),
6618
4934
  origin: DEFUALT_ADO_ORIGIN
6619
4935
  };
6620
4936
  }
@@ -6700,7 +5016,7 @@ async function getAdoClientParams(params) {
6700
5016
  return {
6701
5017
  tokenType: "PAT" /* PAT */,
6702
5018
  accessToken: adoTokenInfo.accessToken,
6703
- patTokenOrg: z16.string().parse(tokenOrg).toLowerCase(),
5019
+ patTokenOrg: z13.string().parse(tokenOrg).toLowerCase(),
6704
5020
  origin,
6705
5021
  orgName: org.toLowerCase()
6706
5022
  };
@@ -7840,40 +6156,40 @@ import querystring2 from "querystring";
7840
6156
  import * as bitbucketPkgNode from "bitbucket";
7841
6157
  import bitbucketPkg from "bitbucket";
7842
6158
  import Debug2 from "debug";
7843
- import { z as z19 } from "zod";
6159
+ import { z as z16 } from "zod";
7844
6160
 
7845
6161
  // src/features/analysis/scm/bitbucket/validation.ts
7846
- import { z as z18 } from "zod";
7847
- var BitbucketAuthResultZ = z18.object({
7848
- access_token: z18.string(),
7849
- token_type: z18.string(),
7850
- refresh_token: z18.string()
6162
+ import { z as z15 } from "zod";
6163
+ var BitbucketAuthResultZ = z15.object({
6164
+ access_token: z15.string(),
6165
+ token_type: z15.string(),
6166
+ refresh_token: z15.string()
7851
6167
  });
7852
6168
 
7853
6169
  // src/features/analysis/scm/bitbucket/bitbucket.ts
7854
6170
  var debug3 = Debug2("scm:bitbucket");
7855
6171
  var BITBUCKET_HOSTNAME = "bitbucket.org";
7856
- var TokenExpiredErrorZ = z19.object({
7857
- status: z19.number(),
7858
- error: z19.object({
7859
- type: z19.string(),
7860
- error: z19.object({
7861
- message: z19.string()
6172
+ var TokenExpiredErrorZ = z16.object({
6173
+ status: z16.number(),
6174
+ error: z16.object({
6175
+ type: z16.string(),
6176
+ error: z16.object({
6177
+ message: z16.string()
7862
6178
  })
7863
6179
  })
7864
6180
  });
7865
6181
  var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
7866
6182
  var MAX_BITBUCKET_PR_BODY_LENGTH = 32768;
7867
- var BitbucketParseResultZ = z19.object({
7868
- organization: z19.string(),
7869
- repoName: z19.string(),
7870
- hostname: z19.literal(BITBUCKET_HOSTNAME)
6183
+ var BitbucketParseResultZ = z16.object({
6184
+ organization: z16.string(),
6185
+ repoName: z16.string(),
6186
+ hostname: z16.literal(BITBUCKET_HOSTNAME)
7871
6187
  });
7872
- var UserWorkspacePermissionsRepositoriesResponseZ = z19.object({
7873
- values: z19.array(
7874
- z19.object({
7875
- repository: z19.object({
7876
- full_name: z19.string().optional()
6188
+ var UserWorkspacePermissionsRepositoriesResponseZ = z16.object({
6189
+ values: z16.array(
6190
+ z16.object({
6191
+ repository: z16.object({
6192
+ full_name: z16.string().optional()
7877
6193
  }).optional()
7878
6194
  })
7879
6195
  ).optional()
@@ -7936,7 +6252,7 @@ function getBitbucketSdk(params) {
7936
6252
  if (!res.data.values) {
7937
6253
  return [];
7938
6254
  }
7939
- return res.data.values.filter((branch) => !!branch.name).map((branch) => z19.string().parse(branch.name));
6255
+ return res.data.values.filter((branch) => !!branch.name).map((branch) => z16.string().parse(branch.name));
7940
6256
  },
7941
6257
  async getIsUserCollaborator(params2) {
7942
6258
  const { repoUrl } = params2;
@@ -8056,7 +6372,7 @@ function getBitbucketSdk(params) {
8056
6372
  return GetReferenceResultZ.parse({
8057
6373
  sha: tagRes.data.target?.hash,
8058
6374
  type: "TAG" /* TAG */,
8059
- date: new Date(z19.string().parse(tagRes.data.target?.date))
6375
+ date: new Date(z16.string().parse(tagRes.data.target?.date))
8060
6376
  });
8061
6377
  },
8062
6378
  async getBranchRef(params2) {
@@ -8064,7 +6380,7 @@ function getBitbucketSdk(params) {
8064
6380
  return GetReferenceResultZ.parse({
8065
6381
  sha: getBranchRes.target?.hash,
8066
6382
  type: "BRANCH" /* BRANCH */,
8067
- date: new Date(z19.string().parse(getBranchRes.target?.date))
6383
+ date: new Date(z16.string().parse(getBranchRes.target?.date))
8068
6384
  });
8069
6385
  },
8070
6386
  async getCommitRef(params2) {
@@ -8072,13 +6388,13 @@ function getBitbucketSdk(params) {
8072
6388
  return GetReferenceResultZ.parse({
8073
6389
  sha: getCommitRes.hash,
8074
6390
  type: "COMMIT" /* COMMIT */,
8075
- date: new Date(z19.string().parse(getCommitRes.date))
6391
+ date: new Date(z16.string().parse(getCommitRes.date))
8076
6392
  });
8077
6393
  },
8078
6394
  async getDownloadUrl({ url, sha }) {
8079
6395
  this.getReferenceData({ ref: sha, url });
8080
6396
  const repoRes = await this.getRepo({ repoUrl: url });
8081
- const parsedRepoUrl = z19.string().url().parse(repoRes.links?.html?.href);
6397
+ const parsedRepoUrl = z16.string().url().parse(repoRes.links?.html?.href);
8082
6398
  return `${parsedRepoUrl}/get/${sha}.zip`;
8083
6399
  },
8084
6400
  async getPullRequest(params2) {
@@ -8236,7 +6552,7 @@ async function validateBitbucketParams(params) {
8236
6552
  }
8237
6553
  async function getUsersWorkspacesSlugs(bitbucketClient) {
8238
6554
  const res = await bitbucketClient.workspaces.getWorkspaces({});
8239
- return res.data.values?.map((v) => z19.string().parse(v.slug));
6555
+ return res.data.values?.map((v) => z16.string().parse(v.slug));
8240
6556
  }
8241
6557
  async function getAllUsersRepositories(bitbucketClient) {
8242
6558
  const userWorkspacesSlugs = await getUsersWorkspacesSlugs(bitbucketClient);
@@ -8264,11 +6580,11 @@ async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
8264
6580
 
8265
6581
  // src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
8266
6582
  import { setTimeout as setTimeout3 } from "timers/promises";
8267
- import { z as z20 } from "zod";
6583
+ import { z as z17 } from "zod";
8268
6584
  var BITBUCKET_API_TOKEN_GIT_USERNAME = "x-bitbucket-api-token-auth";
8269
6585
  function getUserAndPassword(token) {
8270
6586
  const [username, password] = token.split(":");
8271
- const safePasswordAndUsername = z20.object({ username: z20.string(), password: z20.string() }).parse({ username, password });
6587
+ const safePasswordAndUsername = z17.object({ username: z17.string(), password: z17.string() }).parse({ username, password });
8272
6588
  return {
8273
6589
  username: safePasswordAndUsername.username,
8274
6590
  password: safePasswordAndUsername.password
@@ -8344,7 +6660,7 @@ var BitbucketSCMLib = class extends SCMLib {
8344
6660
  return { username, password, authType };
8345
6661
  }
8346
6662
  case "token": {
8347
- return { authType, token: z20.string().parse(this.accessToken) };
6663
+ return { authType, token: z17.string().parse(this.accessToken) };
8348
6664
  }
8349
6665
  case "public":
8350
6666
  return { authType };
@@ -8358,7 +6674,7 @@ var BitbucketSCMLib = class extends SCMLib {
8358
6674
  ...params,
8359
6675
  repoUrl: this.url
8360
6676
  });
8361
- return String(z20.number().parse(pullRequestRes.id));
6677
+ return String(z17.number().parse(pullRequestRes.id));
8362
6678
  } catch (e) {
8363
6679
  console.warn(
8364
6680
  `error creating pull request for BB. Try number ${String(i + 1).replace(/\n|\r/g, "")}`,
@@ -8443,7 +6759,7 @@ var BitbucketSCMLib = class extends SCMLib {
8443
6759
  async getUsername() {
8444
6760
  this._validateAccessToken();
8445
6761
  const res = await this.bitbucketSdk.getUser();
8446
- return z20.string().parse(res["username"]);
6762
+ return z17.string().parse(res["username"]);
8447
6763
  }
8448
6764
  async getSubmitRequestStatus(_scmSubmitRequestId) {
8449
6765
  this._validateAccessTokenAndUrl();
@@ -8469,7 +6785,7 @@ var BitbucketSCMLib = class extends SCMLib {
8469
6785
  async getRepoDefaultBranch() {
8470
6786
  this._validateUrl();
8471
6787
  const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
8472
- return z20.string().parse(repoRes.mainbranch?.name);
6788
+ return z17.string().parse(repoRes.mainbranch?.name);
8473
6789
  }
8474
6790
  getSubmitRequestUrl(submitRequestId) {
8475
6791
  this._validateUrl();
@@ -8637,7 +6953,7 @@ init_env();
8637
6953
 
8638
6954
  // src/features/analysis/scm/github/GithubSCMLib.ts
8639
6955
  import pLimit3 from "p-limit";
8640
- import { z as z21 } from "zod";
6956
+ import { z as z18 } from "zod";
8641
6957
  init_client_generates();
8642
6958
 
8643
6959
  // src/features/analysis/scm/github/github.ts
@@ -9805,7 +8121,7 @@ var GithubSCMLib = class extends SCMLib {
9805
8121
  owner,
9806
8122
  repo
9807
8123
  });
9808
- return z21.string().parse(prRes.data);
8124
+ return z18.string().parse(prRes.data);
9809
8125
  }
9810
8126
  async getRepoList(_scmOrg) {
9811
8127
  this._validateAccessToken();
@@ -10432,11 +8748,11 @@ import {
10432
8748
  init_env();
10433
8749
 
10434
8750
  // src/features/analysis/scm/gitlab/types.ts
10435
- import { z as z22 } from "zod";
10436
- var GitlabAuthResultZ = z22.object({
10437
- access_token: z22.string(),
10438
- token_type: z22.string(),
10439
- refresh_token: z22.string()
8751
+ import { z as z19 } from "zod";
8752
+ var GitlabAuthResultZ = z19.object({
8753
+ access_token: z19.string(),
8754
+ token_type: z19.string(),
8755
+ refresh_token: z19.string()
10440
8756
  });
10441
8757
 
10442
8758
  // src/features/analysis/scm/gitlab/gitlab.ts
@@ -10651,8 +8967,8 @@ async function getGitlabProjectLanguages({
10651
8967
  }) {
10652
8968
  try {
10653
8969
  const api2 = getGitBeaker({ url, gitlabAuthToken: accessToken });
10654
- const languages3 = await api2.Projects.showLanguages(projectId);
10655
- return Object.keys(languages3);
8970
+ const languages = await api2.Projects.showLanguages(projectId);
8971
+ return Object.keys(languages);
10656
8972
  } catch (e) {
10657
8973
  debug4(
10658
8974
  "[getGitlabProjectLanguages] Failed for project %d: %s",
@@ -11654,7 +9970,7 @@ var GitlabSCMLib = class extends SCMLib {
11654
9970
  };
11655
9971
 
11656
9972
  // src/features/analysis/scm/scmFactory.ts
11657
- import { z as z23 } from "zod";
9973
+ import { z as z20 } from "zod";
11658
9974
 
11659
9975
  // src/features/analysis/scm/StubSCMLib.ts
11660
9976
  var StubSCMLib = class extends SCMLib {
@@ -11807,7 +10123,7 @@ async function createScmLib({ url, accessToken, scmType, scmOrg }, {
11807
10123
  if (e instanceof InvalidRepoUrlError && url) {
11808
10124
  throw new RepoNoTokenAccessError(
11809
10125
  "no access to repo",
11810
- scmLibScmTypeToScmType[z23.nativeEnum(ScmLibScmType).parse(scmType)]
10126
+ scmLibScmTypeToScmType[z20.nativeEnum(ScmLibScmType).parse(scmType)]
11811
10127
  );
11812
10128
  }
11813
10129
  console.error(`error validating scm: ${scmType} `, e);
@@ -12414,7 +10730,7 @@ import path6 from "path";
12414
10730
  import chalk from "chalk";
12415
10731
  import Debug4 from "debug";
12416
10732
  import * as dotenv from "dotenv";
12417
- import { z as z24 } from "zod";
10733
+ import { z as z21 } from "zod";
12418
10734
  var debug5 = Debug4("mobbdev:constants");
12419
10735
  var runtimeConfigPath = path6.join(
12420
10736
  getModuleRootDir(),
@@ -12461,17 +10777,17 @@ var scannerToVulnerabilityReportVendorEnum = {
12461
10777
  [SCANNERS.Datadog]: "datadog" /* Datadog */,
12462
10778
  [SCANNERS.BlackDuck]: "blackDuck" /* BlackDuck */
12463
10779
  };
12464
- var SupportedScannersZ = z24.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
12465
- var envVariablesSchema = z24.object({
10780
+ var SupportedScannersZ = z21.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
10781
+ var envVariablesSchema = z21.object({
12466
10782
  // These have safe defaults for production - the VS Code extension passes explicit URLs
12467
- WEB_APP_URL: z24.string().optional().default(DEFAULT_WEB_APP_URL),
12468
- API_URL: z24.string().optional().default(DEFAULT_API_URL),
10783
+ WEB_APP_URL: z21.string().optional().default(DEFAULT_WEB_APP_URL),
10784
+ API_URL: z21.string().optional().default(DEFAULT_API_URL),
12469
10785
  // These are only needed for local development with Hasura
12470
- HASURA_ACCESS_KEY: z24.string().optional().default(""),
12471
- LOCAL_GRAPHQL_ENDPOINT: z24.string().optional().default(""),
10786
+ HASURA_ACCESS_KEY: z21.string().optional().default(""),
10787
+ LOCAL_GRAPHQL_ENDPOINT: z21.string().optional().default(""),
12472
10788
  // Proxy settings
12473
- HTTP_PROXY: z24.string().optional().default(""),
12474
- HTTPS_PROXY: z24.string().optional().default("")
10789
+ HTTP_PROXY: z21.string().optional().default(""),
10790
+ HTTPS_PROXY: z21.string().optional().default("")
12475
10791
  });
12476
10792
  var envVariables = envVariablesSchema.parse(process.env);
12477
10793
  debug5("config %o", envVariables);
@@ -12729,7 +11045,7 @@ import { createSpinner as createSpinner4 } from "nanospinner";
12729
11045
  import fetch4 from "node-fetch";
12730
11046
  import open3 from "open";
12731
11047
  import tmp2 from "tmp";
12732
- import { z as z30 } from "zod";
11048
+ import { z as z27 } from "zod";
12733
11049
 
12734
11050
  // src/commands/AuthManager.ts
12735
11051
  import crypto from "crypto";
@@ -13006,62 +11322,62 @@ init_client_generates();
13006
11322
 
13007
11323
  // src/features/analysis/graphql/types.ts
13008
11324
  init_client_generates();
13009
- import { z as z25 } from "zod";
13010
- var VulnerabilityReportIssueCodeNodeZ = z25.object({
13011
- vulnerabilityReportIssueId: z25.string(),
13012
- path: z25.string(),
13013
- startLine: z25.number(),
13014
- vulnerabilityReportIssue: z25.object({
13015
- fixId: z25.string(),
13016
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
13017
- safeIssueType: z25.string(),
13018
- vulnerabilityReportIssueTags: z25.array(
13019
- z25.object({
13020
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
11325
+ import { z as z22 } from "zod";
11326
+ var VulnerabilityReportIssueCodeNodeZ = z22.object({
11327
+ vulnerabilityReportIssueId: z22.string(),
11328
+ path: z22.string(),
11329
+ startLine: z22.number(),
11330
+ vulnerabilityReportIssue: z22.object({
11331
+ fixId: z22.string(),
11332
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
11333
+ safeIssueType: z22.string(),
11334
+ vulnerabilityReportIssueTags: z22.array(
11335
+ z22.object({
11336
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
13021
11337
  })
13022
11338
  )
13023
11339
  })
13024
11340
  });
13025
- var VulnerabilityReportIssueNoFixCodeNodeZ = z25.object({
13026
- vulnerabilityReportIssues: z25.array(
13027
- z25.object({
13028
- id: z25.string(),
13029
- fixId: z25.string().nullable(),
13030
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
13031
- safeIssueType: z25.string(),
13032
- fpId: z25.string().uuid().nullable(),
13033
- codeNodes: z25.array(
13034
- z25.object({
13035
- path: z25.string(),
13036
- startLine: z25.number()
11341
+ var VulnerabilityReportIssueNoFixCodeNodeZ = z22.object({
11342
+ vulnerabilityReportIssues: z22.array(
11343
+ z22.object({
11344
+ id: z22.string(),
11345
+ fixId: z22.string().nullable(),
11346
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
11347
+ safeIssueType: z22.string(),
11348
+ fpId: z22.string().uuid().nullable(),
11349
+ codeNodes: z22.array(
11350
+ z22.object({
11351
+ path: z22.string(),
11352
+ startLine: z22.number()
13037
11353
  })
13038
11354
  ),
13039
- vulnerabilityReportIssueTags: z25.array(
13040
- z25.object({
13041
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
11355
+ vulnerabilityReportIssueTags: z22.array(
11356
+ z22.object({
11357
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
13042
11358
  })
13043
11359
  )
13044
11360
  })
13045
11361
  )
13046
11362
  });
13047
- var GetVulByNodesMetadataZ = z25.object({
13048
- vulnerabilityReportIssueCodeNodes: z25.array(VulnerabilityReportIssueCodeNodeZ),
13049
- nonFixablePrVuls: z25.object({
13050
- aggregate: z25.object({
13051
- count: z25.number()
11363
+ var GetVulByNodesMetadataZ = z22.object({
11364
+ vulnerabilityReportIssueCodeNodes: z22.array(VulnerabilityReportIssueCodeNodeZ),
11365
+ nonFixablePrVuls: z22.object({
11366
+ aggregate: z22.object({
11367
+ count: z22.number()
13052
11368
  })
13053
11369
  }),
13054
- fixablePrVuls: z25.object({
13055
- aggregate: z25.object({
13056
- count: z25.number()
11370
+ fixablePrVuls: z22.object({
11371
+ aggregate: z22.object({
11372
+ count: z22.number()
13057
11373
  })
13058
11374
  }),
13059
- totalScanVulnerabilities: z25.object({
13060
- aggregate: z25.object({
13061
- count: z25.number()
11375
+ totalScanVulnerabilities: z22.object({
11376
+ aggregate: z22.object({
11377
+ count: z22.number()
13062
11378
  })
13063
11379
  }),
13064
- irrelevantVulnerabilityReportIssue: z25.array(
11380
+ irrelevantVulnerabilityReportIssue: z22.array(
13065
11381
  VulnerabilityReportIssueNoFixCodeNodeZ
13066
11382
  )
13067
11383
  });
@@ -13583,7 +11899,7 @@ import * as os2 from "os";
13583
11899
  import path7 from "path";
13584
11900
  import chalk4 from "chalk";
13585
11901
  import { withFile } from "tmp-promise";
13586
- import z26 from "zod";
11902
+ import z23 from "zod";
13587
11903
 
13588
11904
  // src/commands/handleMobbLogin.ts
13589
11905
  import chalk3 from "chalk";
@@ -14123,8 +12439,8 @@ var defaultLogger2 = {
14123
12439
  }
14124
12440
  }
14125
12441
  };
14126
- var PromptItemZ = z26.object({
14127
- type: z26.enum([
12442
+ var PromptItemZ = z23.object({
12443
+ type: z23.enum([
14128
12444
  "USER_PROMPT",
14129
12445
  "AI_RESPONSE",
14130
12446
  "TOOL_EXECUTION",
@@ -14132,32 +12448,32 @@ var PromptItemZ = z26.object({
14132
12448
  "MCP_TOOL_CALL"
14133
12449
  // MCP (Model Context Protocol) tool invocation
14134
12450
  ]),
14135
- attachedFiles: z26.array(
14136
- z26.object({
14137
- relativePath: z26.string(),
14138
- startLine: z26.number().optional()
12451
+ attachedFiles: z23.array(
12452
+ z23.object({
12453
+ relativePath: z23.string(),
12454
+ startLine: z23.number().optional()
14139
12455
  })
14140
12456
  ).optional(),
14141
- tokens: z26.object({
14142
- inputCount: z26.number(),
14143
- outputCount: z26.number()
12457
+ tokens: z23.object({
12458
+ inputCount: z23.number(),
12459
+ outputCount: z23.number()
14144
12460
  }).optional(),
14145
- text: z26.string().optional(),
14146
- date: z26.date().optional(),
14147
- tool: z26.object({
14148
- name: z26.string(),
14149
- parameters: z26.string(),
14150
- result: z26.string(),
14151
- rawArguments: z26.string().optional(),
14152
- accepted: z26.boolean().optional(),
12461
+ text: z23.string().optional(),
12462
+ date: z23.date().optional(),
12463
+ tool: z23.object({
12464
+ name: z23.string(),
12465
+ parameters: z23.string(),
12466
+ result: z23.string(),
12467
+ rawArguments: z23.string().optional(),
12468
+ accepted: z23.boolean().optional(),
14153
12469
  // MCP-specific fields (only populated for MCP_TOOL_CALL type)
14154
- mcpServer: z26.string().optional(),
12470
+ mcpServer: z23.string().optional(),
14155
12471
  // MCP server name (e.g., "datadog", "mobb-mcp")
14156
- mcpToolName: z26.string().optional()
12472
+ mcpToolName: z23.string().optional()
14157
12473
  // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
14158
12474
  }).optional()
14159
12475
  });
14160
- var PromptItemArrayZ = z26.array(PromptItemZ);
12476
+ var PromptItemArrayZ = z23.array(PromptItemZ);
14161
12477
  var NULL_REPO_STATE = {
14162
12478
  repositoryUrl: null,
14163
12479
  branch: null,
@@ -15095,7 +13411,7 @@ import Debug15 from "debug";
15095
13411
  // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
15096
13412
  import Debug14 from "debug";
15097
13413
  import parseDiff from "parse-diff";
15098
- import { z as z28 } from "zod";
13414
+ import { z as z25 } from "zod";
15099
13415
 
15100
13416
  // src/features/analysis/utils/by_key.ts
15101
13417
  function keyBy(array, keyBy2) {
@@ -15184,7 +13500,7 @@ var scannerToFriendlyString = {
15184
13500
 
15185
13501
  // src/features/analysis/add_fix_comments_for_pr/utils/buildCommentBody.ts
15186
13502
  import Debug13 from "debug";
15187
- import { z as z27 } from "zod";
13503
+ import { z as z24 } from "zod";
15188
13504
  init_client_generates();
15189
13505
  var debug14 = Debug13("mobbdev:handle-finished-analysis");
15190
13506
  var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
@@ -15230,10 +13546,10 @@ function buildFixCommentBody({
15230
13546
  });
15231
13547
  const issueType = getIssueTypeFriendlyString(fix.safeIssueType);
15232
13548
  const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
15233
- const validFixParseRes = z27.object({
13549
+ const validFixParseRes = z24.object({
15234
13550
  patchAndQuestions: PatchAndQuestionsZ,
15235
- safeIssueLanguage: z27.nativeEnum(IssueLanguage_Enum),
15236
- severityText: z27.nativeEnum(Vulnerability_Severity_Enum),
13551
+ safeIssueLanguage: z24.nativeEnum(IssueLanguage_Enum),
13552
+ severityText: z24.nativeEnum(Vulnerability_Severity_Enum),
15237
13553
  safeIssueType: SafeIssueTypeStringZ
15238
13554
  }).safeParse(fix);
15239
13555
  if (!validFixParseRes.success) {
@@ -15468,7 +13784,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
15468
13784
  });
15469
13785
  const lineAddedRanges = calculateRanges(fileNumbers);
15470
13786
  const fileFilter = {
15471
- path: z28.string().parse(file.to),
13787
+ path: z25.string().parse(file.to),
15472
13788
  ranges: lineAddedRanges.map(([startLine, endLine]) => ({
15473
13789
  endLine,
15474
13790
  startLine
@@ -15780,15 +14096,15 @@ import { globby } from "globby";
15780
14096
  import { isBinary as isBinary2 } from "istextorbinary";
15781
14097
  import { simpleGit as simpleGit3 } from "simple-git";
15782
14098
  import { parseStringPromise } from "xml2js";
15783
- import { z as z29 } from "zod";
14099
+ import { z as z26 } from "zod";
15784
14100
  var debug19 = Debug18("mobbdev:pack");
15785
- var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z29.object({
15786
- properties: z29.object({
15787
- entry: z29.array(
15788
- z29.object({
15789
- _: z29.string(),
15790
- $: z29.object({
15791
- key: z29.string()
14101
+ var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z26.object({
14102
+ properties: z26.object({
14103
+ entry: z26.array(
14104
+ z26.object({
14105
+ _: z26.string(),
14106
+ $: z26.object({
14107
+ key: z26.string()
15792
14108
  })
15793
14109
  })
15794
14110
  )
@@ -16572,7 +14888,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
16572
14888
  spinner: mobbSpinner,
16573
14889
  submitVulnerabilityReportVariables: {
16574
14890
  fixReportId: reportUploadInfo.fixReportId,
16575
- repoUrl: z30.string().parse(repo),
14891
+ repoUrl: z27.string().parse(repo),
16576
14892
  reference,
16577
14893
  projectId,
16578
14894
  vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
@@ -16912,9 +15228,9 @@ async function waitForAnaysisAndReviewPr({
16912
15228
  gqlClient,
16913
15229
  polling
16914
15230
  }) {
16915
- const params = z30.object({
16916
- repo: z30.string().url(),
16917
- githubActionToken: z30.string()
15231
+ const params = z27.object({
15232
+ repo: z27.string().url(),
15233
+ githubActionToken: z27.string()
16918
15234
  }).parse({ repo, githubActionToken });
16919
15235
  const scm = await createScmLib(
16920
15236
  {
@@ -16932,7 +15248,7 @@ async function waitForAnaysisAndReviewPr({
16932
15248
  analysisId: analysisId2,
16933
15249
  gqlClient,
16934
15250
  scm,
16935
- scanner: z30.nativeEnum(SCANNERS).parse(scanner)
15251
+ scanner: z27.nativeEnum(SCANNERS).parse(scanner)
16936
15252
  });
16937
15253
  };
16938
15254
  if (polling) {
@@ -17248,7 +15564,7 @@ async function scanSkill(options) {
17248
15564
  // src/args/validation.ts
17249
15565
  import chalk9 from "chalk";
17250
15566
  import path12 from "path";
17251
- import { z as z31 } from "zod";
15567
+ import { z as z28 } from "zod";
17252
15568
  function throwRepoUrlErrorMessage({
17253
15569
  error,
17254
15570
  repoUrl,
@@ -17265,11 +15581,11 @@ Example:
17265
15581
  )}`;
17266
15582
  throw new CliError(formattedErrorMessage);
17267
15583
  }
17268
- var UrlZ = z31.string({
15584
+ var UrlZ = z28.string({
17269
15585
  invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
17270
15586
  });
17271
15587
  function validateOrganizationId(organizationId) {
17272
- const orgIdValidation = z31.string().uuid().nullish().safeParse(organizationId);
15588
+ const orgIdValidation = z28.string().uuid().nullish().safeParse(organizationId);
17273
15589
  if (!orgIdValidation.success) {
17274
15590
  throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
17275
15591
  }
@@ -19416,7 +17732,7 @@ function createLogger(config2) {
19416
17732
 
19417
17733
  // src/features/claude_code/hook_logger.ts
19418
17734
  var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
19419
- var CLI_VERSION = true ? "1.4.34" : "unknown";
17735
+ var CLI_VERSION = true ? "1.4.36" : "unknown";
19420
17736
  var NAMESPACE = "mobbdev-claude-code-hook-logs";
19421
17737
  var claudeCodeVersion;
19422
17738
  function buildDdTags() {
@@ -20946,145 +19262,151 @@ init_client_generates();
20946
19262
  init_configs();
20947
19263
 
20948
19264
  // src/mcp/types.ts
20949
- import { z as z32 } from "zod";
19265
+ import { z as z29 } from "zod";
20950
19266
  init_client_generates();
20951
- var ScanAndFixVulnerabilitiesToolSchema = z32.object({
20952
- path: z32.string()
19267
+ var ScanAndFixVulnerabilitiesToolSchema = z29.object({
19268
+ path: z29.string()
20953
19269
  });
20954
- var VulnerabilityReportIssueTagSchema = z32.object({
20955
- vulnerability_report_issue_tag_value: z32.nativeEnum(
19270
+ var VulnerabilityReportIssueTagSchema = z29.object({
19271
+ vulnerability_report_issue_tag_value: z29.nativeEnum(
20956
19272
  Vulnerability_Report_Issue_Tag_Enum
20957
19273
  )
20958
19274
  });
20959
- var VulnerabilityReportIssueSchema = z32.object({
20960
- category: z32.any().optional().nullable(),
19275
+ var VulnerabilityReportIssueSchema = z29.object({
19276
+ category: z29.any().optional().nullable(),
20961
19277
  parsedIssueType: SafeIssueTypeStringZ.nullable().optional(),
20962
- parsedSeverity: z32.nativeEnum(Vulnerability_Severity_Enum).nullable().optional(),
20963
- vulnerabilityReportIssueTags: z32.array(VulnerabilityReportIssueTagSchema)
19278
+ parsedSeverity: z29.nativeEnum(Vulnerability_Severity_Enum).nullable().optional(),
19279
+ vulnerabilityReportIssueTags: z29.array(VulnerabilityReportIssueTagSchema)
20964
19280
  });
20965
- var SharedStateSchema = z32.object({
20966
- __typename: z32.literal("fix_shared_state").optional(),
20967
- id: z32.any(),
19281
+ var SharedStateSchema = z29.object({
19282
+ __typename: z29.literal("fix_shared_state").optional(),
19283
+ id: z29.any(),
20968
19284
  // GraphQL uses `any` type for UUID
20969
- downloadedBy: z32.array(z32.any().nullable()).optional().nullable()
19285
+ downloadedBy: z29.array(z29.any().nullable()).optional().nullable()
20970
19286
  });
20971
- var UnstructuredFixExtraContextSchema = z32.object({
20972
- __typename: z32.literal("UnstructuredFixExtraContext").optional(),
20973
- key: z32.string(),
20974
- value: z32.any()
19287
+ var UnstructuredFixExtraContextSchema = z29.object({
19288
+ __typename: z29.literal("UnstructuredFixExtraContext").optional(),
19289
+ key: z29.string(),
19290
+ value: z29.any()
20975
19291
  // GraphQL JSON type
20976
19292
  });
20977
- var FixExtraContextResponseSchema = z32.object({
20978
- __typename: z32.literal("FixExtraContextResponse").optional(),
20979
- extraContext: z32.array(UnstructuredFixExtraContextSchema),
20980
- fixDescription: z32.string()
19293
+ var FixExtraContextResponseSchema = z29.object({
19294
+ __typename: z29.literal("FixExtraContextResponse").optional(),
19295
+ extraContext: z29.array(UnstructuredFixExtraContextSchema),
19296
+ fixDescription: z29.string()
20981
19297
  });
20982
- var FixQuestionSchema = z32.object({
20983
- __typename: z32.literal("FixQuestion").optional(),
20984
- key: z32.string(),
20985
- name: z32.string(),
20986
- defaultValue: z32.string(),
20987
- value: z32.string().nullable().optional(),
20988
- inputType: z32.nativeEnum(FixQuestionInputType),
20989
- options: z32.array(z32.string()),
20990
- index: z32.number(),
20991
- extraContext: z32.array(UnstructuredFixExtraContextSchema)
19298
+ var FixQuestionSchema = z29.object({
19299
+ __typename: z29.literal("FixQuestion").optional(),
19300
+ key: z29.string(),
19301
+ name: z29.string(),
19302
+ defaultValue: z29.string(),
19303
+ value: z29.string().nullable().optional(),
19304
+ inputType: z29.nativeEnum(FixQuestionInputType),
19305
+ options: z29.array(z29.string()),
19306
+ index: z29.number(),
19307
+ extraContext: z29.array(UnstructuredFixExtraContextSchema),
19308
+ // E-2015: analyzer-served question text. default('') so a query that omits it
19309
+ // still parses, while the output type stays a required string. The analyzer is
19310
+ // the sole source; consumers use the served value directly (no fallback).
19311
+ content: z29.string().default(""),
19312
+ description: z29.string().default(""),
19313
+ guidance: z29.string().default("")
20992
19314
  });
20993
- var FixDataSchema = z32.object({
20994
- __typename: z32.literal("FixData"),
20995
- patch: z32.string(),
20996
- patchOriginalEncodingBase64: z32.string(),
20997
- questions: z32.array(FixQuestionSchema),
19315
+ var FixDataSchema = z29.object({
19316
+ __typename: z29.literal("FixData"),
19317
+ patch: z29.string(),
19318
+ patchOriginalEncodingBase64: z29.string(),
19319
+ questions: z29.array(FixQuestionSchema),
20998
19320
  extraContext: FixExtraContextResponseSchema
20999
19321
  });
21000
- var GetFixNoFixErrorSchema = z32.object({
21001
- __typename: z32.literal("GetFixNoFixError")
19322
+ var GetFixNoFixErrorSchema = z29.object({
19323
+ __typename: z29.literal("GetFixNoFixError")
21002
19324
  });
21003
- var PatchAndQuestionsSchema = z32.union([FixDataSchema, GetFixNoFixErrorSchema]);
21004
- var McpFixSchema = z32.object({
21005
- __typename: z32.literal("fix").optional(),
21006
- id: z32.any(),
19325
+ var PatchAndQuestionsSchema = z29.union([FixDataSchema, GetFixNoFixErrorSchema]);
19326
+ var McpFixSchema = z29.object({
19327
+ __typename: z29.literal("fix").optional(),
19328
+ id: z29.any(),
21007
19329
  // GraphQL uses `any` type for UUID
21008
- confidence: z32.number(),
21009
- safeIssueType: z32.string().nullable(),
21010
- safeIssueLanguage: z32.string().nullable().optional(),
21011
- severityText: z32.string().nullable(),
21012
- gitBlameLogin: z32.string().nullable().optional(),
19330
+ confidence: z29.number(),
19331
+ safeIssueType: z29.string().nullable(),
19332
+ safeIssueLanguage: z29.string().nullable().optional(),
19333
+ severityText: z29.string().nullable(),
19334
+ gitBlameLogin: z29.string().nullable().optional(),
21013
19335
  // Optional in GraphQL
21014
- severityValue: z32.number().nullable(),
21015
- vulnerabilityReportIssues: z32.array(VulnerabilityReportIssueSchema),
19336
+ severityValue: z29.number().nullable(),
19337
+ vulnerabilityReportIssues: z29.array(VulnerabilityReportIssueSchema),
21016
19338
  sharedState: SharedStateSchema.nullable().optional(),
21017
19339
  // Optional in GraphQL
21018
19340
  patchAndQuestions: PatchAndQuestionsSchema,
21019
19341
  // Additional field added by the client
21020
- fixUrl: z32.string().optional()
19342
+ fixUrl: z29.string().optional()
21021
19343
  });
21022
- var FixAggregateSchema = z32.object({
21023
- __typename: z32.literal("fix_aggregate").optional(),
21024
- aggregate: z32.object({
21025
- __typename: z32.literal("fix_aggregate_fields").optional(),
21026
- count: z32.number()
19344
+ var FixAggregateSchema = z29.object({
19345
+ __typename: z29.literal("fix_aggregate").optional(),
19346
+ aggregate: z29.object({
19347
+ __typename: z29.literal("fix_aggregate_fields").optional(),
19348
+ count: z29.number()
21027
19349
  }).nullable()
21028
19350
  });
21029
- var VulnerabilityReportIssueAggregateSchema = z32.object({
21030
- __typename: z32.literal("vulnerability_report_issue_aggregate").optional(),
21031
- aggregate: z32.object({
21032
- __typename: z32.literal("vulnerability_report_issue_aggregate_fields").optional(),
21033
- count: z32.number()
19351
+ var VulnerabilityReportIssueAggregateSchema = z29.object({
19352
+ __typename: z29.literal("vulnerability_report_issue_aggregate").optional(),
19353
+ aggregate: z29.object({
19354
+ __typename: z29.literal("vulnerability_report_issue_aggregate_fields").optional(),
19355
+ count: z29.number()
21034
19356
  }).nullable()
21035
19357
  });
21036
- var RepoSchema = z32.object({
21037
- __typename: z32.literal("repo").optional(),
21038
- originalUrl: z32.string()
19358
+ var RepoSchema = z29.object({
19359
+ __typename: z29.literal("repo").optional(),
19360
+ originalUrl: z29.string()
21039
19361
  });
21040
- var ProjectSchema = z32.object({
21041
- id: z32.any(),
19362
+ var ProjectSchema = z29.object({
19363
+ id: z29.any(),
21042
19364
  // GraphQL uses `any` type for UUID
21043
- organizationId: z32.any()
19365
+ organizationId: z29.any()
21044
19366
  // GraphQL uses `any` type for UUID
21045
19367
  });
21046
- var VulnerabilityReportSchema = z32.object({
21047
- scanDate: z32.any().nullable(),
19368
+ var VulnerabilityReportSchema = z29.object({
19369
+ scanDate: z29.any().nullable(),
21048
19370
  // GraphQL uses `any` type for timestamp
21049
- vendor: z32.string(),
19371
+ vendor: z29.string(),
21050
19372
  // GraphQL generates as string, not enum
21051
- projectId: z32.any().optional(),
19373
+ projectId: z29.any().optional(),
21052
19374
  // GraphQL uses `any` type for UUID
21053
19375
  project: ProjectSchema,
21054
19376
  totalVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema,
21055
19377
  notFixableVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema
21056
19378
  });
21057
- var FixReportSummarySchema = z32.object({
21058
- __typename: z32.literal("fixReport").optional(),
21059
- id: z32.any(),
19379
+ var FixReportSummarySchema = z29.object({
19380
+ __typename: z29.literal("fixReport").optional(),
19381
+ id: z29.any(),
21060
19382
  // GraphQL uses `any` type for UUID
21061
- createdOn: z32.any(),
19383
+ createdOn: z29.any(),
21062
19384
  // GraphQL uses `any` type for timestamp
21063
19385
  repo: RepoSchema.nullable(),
21064
- issueTypes: z32.any().nullable(),
19386
+ issueTypes: z29.any().nullable(),
21065
19387
  // GraphQL uses `any` type for JSON
21066
19388
  CRITICAL: FixAggregateSchema,
21067
19389
  HIGH: FixAggregateSchema,
21068
19390
  MEDIUM: FixAggregateSchema,
21069
19391
  LOW: FixAggregateSchema,
21070
- fixes: z32.array(McpFixSchema),
21071
- userFixes: z32.array(McpFixSchema).optional(),
19392
+ fixes: z29.array(McpFixSchema),
19393
+ userFixes: z29.array(McpFixSchema).optional(),
21072
19394
  // Present in some responses but can be omitted
21073
19395
  filteredFixesCount: FixAggregateSchema,
21074
19396
  totalFixesCount: FixAggregateSchema,
21075
19397
  vulnerabilityReport: VulnerabilityReportSchema
21076
19398
  });
21077
- var ExpiredReportSchema = z32.object({
21078
- __typename: z32.literal("fixReport").optional(),
21079
- id: z32.any(),
19399
+ var ExpiredReportSchema = z29.object({
19400
+ __typename: z29.literal("fixReport").optional(),
19401
+ id: z29.any(),
21080
19402
  // GraphQL uses `any` type for UUID
21081
- expirationOn: z32.any().nullable()
19403
+ expirationOn: z29.any().nullable()
21082
19404
  // GraphQL uses `any` type for timestamp
21083
19405
  });
21084
- var GetLatestReportByRepoUrlResponseSchema = z32.object({
21085
- __typename: z32.literal("query_root").optional(),
21086
- fixReport: z32.array(FixReportSummarySchema),
21087
- expiredReport: z32.array(ExpiredReportSchema)
19406
+ var GetLatestReportByRepoUrlResponseSchema = z29.object({
19407
+ __typename: z29.literal("query_root").optional(),
19408
+ fixReport: z29.array(FixReportSummarySchema),
19409
+ expiredReport: z29.array(ExpiredReportSchema)
21088
19410
  });
21089
19411
 
21090
19412
  // src/mcp/services/InteractiveFixFilter.ts
@@ -22894,10 +21216,10 @@ var McpServer = class {
22894
21216
  };
22895
21217
 
22896
21218
  // src/mcp/prompts/CheckForNewVulnerabilitiesPrompt.ts
22897
- import { z as z34 } from "zod";
21219
+ import { z as z31 } from "zod";
22898
21220
 
22899
21221
  // src/mcp/prompts/base/BasePrompt.ts
22900
- import { z as z33 } from "zod";
21222
+ import { z as z30 } from "zod";
22901
21223
  var BasePrompt = class {
22902
21224
  getDefinition() {
22903
21225
  return {
@@ -22926,7 +21248,7 @@ var BasePrompt = class {
22926
21248
  const argsToValidate = args === void 0 ? {} : args;
22927
21249
  return this.argumentsValidationSchema.parse(argsToValidate);
22928
21250
  } catch (error) {
22929
- if (error instanceof z33.ZodError) {
21251
+ if (error instanceof z30.ZodError) {
22930
21252
  const errorDetails = error.errors.map((e) => {
22931
21253
  const fieldPath = e.path.length > 0 ? e.path.join(".") : "root";
22932
21254
  const message = e.message === "Required" ? `Missing required argument '${fieldPath}'` : `Invalid value for '${fieldPath}': ${e.message}`;
@@ -22955,8 +21277,8 @@ var BasePrompt = class {
22955
21277
  };
22956
21278
 
22957
21279
  // src/mcp/prompts/CheckForNewVulnerabilitiesPrompt.ts
22958
- var CheckForNewVulnerabilitiesArgsSchema = z34.object({
22959
- path: z34.string().optional()
21280
+ var CheckForNewVulnerabilitiesArgsSchema = z31.object({
21281
+ path: z31.string().optional()
22960
21282
  });
22961
21283
  var CheckForNewVulnerabilitiesPrompt = class extends BasePrompt {
22962
21284
  constructor() {
@@ -23201,9 +21523,9 @@ Call the \`check_for_new_available_fixes\` tool now${args?.path ? ` for ${args.p
23201
21523
  };
23202
21524
 
23203
21525
  // src/mcp/prompts/FullSecurityAuditPrompt.ts
23204
- import { z as z35 } from "zod";
23205
- var FullSecurityAuditArgsSchema = z35.object({
23206
- path: z35.string().optional()
21526
+ import { z as z32 } from "zod";
21527
+ var FullSecurityAuditArgsSchema = z32.object({
21528
+ path: z32.string().optional()
23207
21529
  });
23208
21530
  var FullSecurityAuditPrompt = class extends BasePrompt {
23209
21531
  constructor() {
@@ -23654,9 +21976,9 @@ Begin the audit now${args?.path ? ` for ${args.path}` : ""}.
23654
21976
  };
23655
21977
 
23656
21978
  // src/mcp/prompts/ReviewAndFixCriticalPrompt.ts
23657
- import { z as z36 } from "zod";
23658
- var ReviewAndFixCriticalArgsSchema = z36.object({
23659
- path: z36.string().optional()
21979
+ import { z as z33 } from "zod";
21980
+ var ReviewAndFixCriticalArgsSchema = z33.object({
21981
+ path: z33.string().optional()
23660
21982
  });
23661
21983
  var ReviewAndFixCriticalPrompt = class extends BasePrompt {
23662
21984
  constructor() {
@@ -23960,9 +22282,9 @@ Start by scanning${args?.path ? ` ${args.path}` : " the repository"} and priorit
23960
22282
  };
23961
22283
 
23962
22284
  // src/mcp/prompts/ScanRecentChangesPrompt.ts
23963
- import { z as z37 } from "zod";
23964
- var ScanRecentChangesArgsSchema = z37.object({
23965
- path: z37.string().optional()
22285
+ import { z as z34 } from "zod";
22286
+ var ScanRecentChangesArgsSchema = z34.object({
22287
+ path: z34.string().optional()
23966
22288
  });
23967
22289
  var ScanRecentChangesPrompt = class extends BasePrompt {
23968
22290
  constructor() {
@@ -24173,9 +22495,9 @@ You now have the guidance needed to perform a fast, targeted security scan of re
24173
22495
  };
24174
22496
 
24175
22497
  // src/mcp/prompts/ScanRepositoryPrompt.ts
24176
- import { z as z38 } from "zod";
24177
- var ScanRepositoryArgsSchema = z38.object({
24178
- path: z38.string().optional()
22498
+ import { z as z35 } from "zod";
22499
+ var ScanRepositoryArgsSchema = z35.object({
22500
+ path: z35.string().optional()
24179
22501
  });
24180
22502
  var ScanRepositoryPrompt = class extends BasePrompt {
24181
22503
  constructor() {
@@ -24573,7 +22895,7 @@ import * as os15 from "os";
24573
22895
  import * as path29 from "path";
24574
22896
 
24575
22897
  // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
24576
- import { z as z40 } from "zod";
22898
+ import { z as z37 } from "zod";
24577
22899
 
24578
22900
  // src/mcp/services/PathValidation.ts
24579
22901
  import fs21 from "fs";
@@ -24649,7 +22971,7 @@ async function validatePath(inputPath) {
24649
22971
  }
24650
22972
 
24651
22973
  // src/mcp/tools/base/BaseTool.ts
24652
- import { z as z39 } from "zod";
22974
+ import { z as z36 } from "zod";
24653
22975
  var BaseTool = class {
24654
22976
  getDefinition() {
24655
22977
  return {
@@ -24676,7 +22998,7 @@ var BaseTool = class {
24676
22998
  try {
24677
22999
  return this.inputValidationSchema.parse(args);
24678
23000
  } catch (error) {
24679
- if (error instanceof z39.ZodError) {
23001
+ if (error instanceof z36.ZodError) {
24680
23002
  const errorDetails = error.errors.map((e) => {
24681
23003
  const fieldPath = e.path.length > 0 ? e.path.join(".") : "root";
24682
23004
  const message = e.message === "Required" ? `Missing required parameter '${fieldPath}'` : `Invalid value for '${fieldPath}': ${e.message}`;
@@ -24715,33 +23037,12 @@ function friendlyType(s) {
24715
23037
  var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
24716
23038
  `;
24717
23039
  var resolveQuestionText = ({
24718
- fix,
24719
23040
  question
24720
23041
  }) => {
24721
- const language = fix.safeIssueLanguage ?? void 0;
24722
- const issueType = fix.safeIssueType ?? void 0;
24723
- if (!language || !issueType) {
24724
- return { content: question.name, description: "" };
24725
- }
24726
- const item = storedQuestionData_default[language]?.[issueType]?.[question.name];
24727
- if (!item) {
24728
- return { content: question.name, description: "" };
24729
- }
24730
- const args = question.extraContext.reduce(
24731
- (acc, ctx) => {
24732
- acc[ctx.key] = ctx.value;
24733
- return acc;
24734
- },
24735
- {}
24736
- );
24737
- try {
24738
- return {
24739
- content: item.content(args) || question.name,
24740
- description: item.description(args) || ""
24741
- };
24742
- } catch {
24743
- return { content: question.name, description: "" };
24744
- }
23042
+ return {
23043
+ content: question.content || question.name,
23044
+ description: question.description ?? ""
23045
+ };
24745
23046
  };
24746
23047
  var formatQuestionInputContract = (question) => {
24747
23048
  switch (question.inputType) {
@@ -24758,7 +23059,7 @@ var renderInteractiveFix = (fix, index) => {
24758
23059
  const { questions, extraContext } = fix.patchAndQuestions;
24759
23060
  const vulnerabilityType = friendlyType(fix.safeIssueType ?? "Unknown");
24760
23061
  const questionsBlock = questions.slice().sort((a, b) => a.index - b.index).map((q, qIdx) => {
24761
- const { content, description } = resolveQuestionText({ fix, question: q });
23062
+ const { content, description } = resolveQuestionText({ question: q });
24762
23063
  const desc = description ? `
24763
23064
  *Why it matters:* ${description}` : "";
24764
23065
  const defaultLine = q.defaultValue ? `
@@ -28275,8 +26576,8 @@ Example payload:
28275
26576
  },
28276
26577
  required: ["path"]
28277
26578
  });
28278
- __publicField(this, "inputValidationSchema", z40.object({
28279
- path: z40.string().describe(
26579
+ __publicField(this, "inputValidationSchema", z37.object({
26580
+ path: z37.string().describe(
28280
26581
  "Full local path to the cloned git repository to check for new available fixes"
28281
26582
  )
28282
26583
  }));
@@ -28306,7 +26607,7 @@ Example payload:
28306
26607
 
28307
26608
  // src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesTool.ts
28308
26609
  init_GitService();
28309
- import { z as z41 } from "zod";
26610
+ import { z as z38 } from "zod";
28310
26611
 
28311
26612
  // src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesService.ts
28312
26613
  init_configs();
@@ -28452,16 +26753,16 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
28452
26753
  },
28453
26754
  required: ["path"]
28454
26755
  });
28455
- __publicField(this, "inputValidationSchema", z41.object({
28456
- path: z41.string().describe(
26756
+ __publicField(this, "inputValidationSchema", z38.object({
26757
+ path: z38.string().describe(
28457
26758
  "Full local path to the cloned git repository to check for available fixes"
28458
26759
  ),
28459
- offset: z41.number().optional().describe("Optional offset for pagination"),
28460
- limit: z41.number().optional().describe("Optional maximum number of fixes to return"),
28461
- fileFilter: z41.array(z41.string()).optional().describe(
26760
+ offset: z38.number().optional().describe("Optional offset for pagination"),
26761
+ limit: z38.number().optional().describe("Optional maximum number of fixes to return"),
26762
+ fileFilter: z38.array(z38.string()).optional().describe(
28462
26763
  "Optional list of file paths relative to the path parameter to filter fixes by. INCOMPATIBLE with fetchFixesFromAnyFile"
28463
26764
  ),
28464
- fetchFixesFromAnyFile: z41.boolean().optional().describe(
26765
+ fetchFixesFromAnyFile: z38.boolean().optional().describe(
28465
26766
  "Optional boolean to fetch fixes for all files. INCOMPATIBLE with fileFilter"
28466
26767
  )
28467
26768
  }));
@@ -28527,7 +26828,7 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
28527
26828
  };
28528
26829
 
28529
26830
  // src/mcp/tools/mcpChecker/mcpCheckerTool.ts
28530
- import z42 from "zod";
26831
+ import z39 from "zod";
28531
26832
 
28532
26833
  // src/mcp/tools/mcpChecker/mcpCheckerService.ts
28533
26834
  var _McpCheckerService = class _McpCheckerService {
@@ -28588,7 +26889,7 @@ var McpCheckerTool = class extends BaseTool {
28588
26889
  __publicField(this, "displayName", "MCP Checker");
28589
26890
  // A detailed description to guide the LLM on when and how to invoke this tool.
28590
26891
  __publicField(this, "description", "Check the MCP servers running on this IDE against organization policies.");
28591
- __publicField(this, "inputValidationSchema", z42.object({}));
26892
+ __publicField(this, "inputValidationSchema", z39.object({}));
28592
26893
  __publicField(this, "inputSchema", {
28593
26894
  type: "object",
28594
26895
  properties: {},
@@ -28614,7 +26915,7 @@ var McpCheckerTool = class extends BaseTool {
28614
26915
  };
28615
26916
 
28616
26917
  // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesTool.ts
28617
- import z43 from "zod";
26918
+ import z40 from "zod";
28618
26919
  init_configs();
28619
26920
 
28620
26921
  // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesService.ts
@@ -28994,26 +27295,26 @@ Example payload (Mode B \u2014 abstain from every interactive fix, no rescan):
28994
27295
  "interactiveAnswers": []
28995
27296
  }`);
28996
27297
  __publicField(this, "hasAuthentication", true);
28997
- __publicField(this, "inputValidationSchema", z43.object({
28998
- path: z43.string().describe(
27298
+ __publicField(this, "inputValidationSchema", z40.object({
27299
+ path: z40.string().describe(
28999
27300
  "Full local path to repository to scan and fix vulnerabilities"
29000
27301
  ),
29001
- offset: z43.number().optional().describe("Optional offset for pagination"),
29002
- limit: z43.number().optional().describe("Optional maximum number of results to return"),
29003
- maxFiles: z43.number().optional().describe(
27302
+ offset: z40.number().optional().describe("Optional offset for pagination"),
27303
+ limit: z40.number().optional().describe("Optional maximum number of results to return"),
27304
+ maxFiles: z40.number().optional().describe(
29004
27305
  `Optional maximum number of files to scan (default: ${MCP_DEFAULT_MAX_FILES_TO_SCAN}). Increase for comprehensive scans of larger codebases or decrease for faster focused scans.`
29005
27306
  ),
29006
- rescan: z43.boolean().optional().describe("Optional whether to rescan the repository"),
29007
- scanRecentlyChangedFiles: z43.boolean().optional().describe(
27307
+ rescan: z40.boolean().optional().describe("Optional whether to rescan the repository"),
27308
+ scanRecentlyChangedFiles: z40.boolean().optional().describe(
29008
27309
  "Optional whether to automatically scan recently changed files when no changed files are found in git status. If false, the tool will prompt the user instead."
29009
27310
  ),
29010
- interactiveAnswers: z43.array(
29011
- z43.object({
29012
- fixId: z43.string().min(1).describe('Fix id from a previous "Interactive fix" prompt block.'),
29013
- answers: z43.array(
29014
- z43.object({
29015
- key: z43.string().min(1).describe("FixQuestion key."),
29016
- value: z43.string().describe(
27311
+ interactiveAnswers: z40.array(
27312
+ z40.object({
27313
+ fixId: z40.string().min(1).describe('Fix id from a previous "Interactive fix" prompt block.'),
27314
+ answers: z40.array(
27315
+ z40.object({
27316
+ key: z40.string().min(1).describe("FixQuestion key."),
27317
+ value: z40.string().describe(
29017
27318
  "For SELECT questions MUST be one of the listed options; for TEXT/NUMBER, a free-form value."
29018
27319
  )
29019
27320
  })
@@ -29376,7 +27677,7 @@ async function addScmTokenHandler(args) {
29376
27677
  }
29377
27678
 
29378
27679
  // src/features/codeium_intellij/data_collector.ts
29379
- import { z as z44 } from "zod";
27680
+ import { z as z41 } from "zod";
29380
27681
 
29381
27682
  // src/utils/read-stdin.ts
29382
27683
  import { setTimeout as setTimeout4 } from "timers";
@@ -29493,12 +27794,12 @@ function promisifyClient(client) {
29493
27794
  }
29494
27795
  });
29495
27796
  }
29496
- async function getGrpcClient(port, csrf3) {
27797
+ async function getGrpcClient(port, csrf) {
29497
27798
  const client = promisifyClient(
29498
27799
  new PROTO.exa.language_server_pb.LanguageServerService(
29499
27800
  `localhost:${port}`,
29500
27801
  grpc.credentials.createInsecure(),
29501
- { interceptors: [createCsrfInterceptor(csrf3)] }
27802
+ { interceptors: [createCsrfInterceptor(csrf)] }
29502
27803
  )
29503
27804
  );
29504
27805
  try {
@@ -29578,8 +27879,8 @@ function findRunningCodeiumLanguageServers() {
29578
27879
  }
29579
27880
 
29580
27881
  // src/features/codeium_intellij/data_collector.ts
29581
- var HookDataSchema = z44.object({
29582
- trajectory_id: z44.string()
27882
+ var HookDataSchema = z41.object({
27883
+ trajectory_id: z41.string()
29583
27884
  });
29584
27885
  async function processAndUploadHookData() {
29585
27886
  const tracePayload = await getTraceDataForHook();