mobbdev 1.4.35 → 1.4.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/args/commands/upload_ai_blame.mjs +246 -1799
- package/dist/index.mjs +1061 -2709
- package/package.json +1 -1
|
@@ -1335,9 +1335,10 @@ var init_fix = __esm({
|
|
|
1335
1335
|
fixDescription: z2.string(),
|
|
1336
1336
|
manifestActionsRequired: z2.array(ManifestActionRequiredZ),
|
|
1337
1337
|
extraContext: z2.array(ExtraContextInternalZ),
|
|
1338
|
-
// E-2015
|
|
1338
|
+
// E-2015: analyzer-served fix-level guidance. default([]) so a query that
|
|
1339
1339
|
// omits it still parses, while the output type is a required string[] to match
|
|
1340
|
-
// the non-null GraphQL field.
|
|
1340
|
+
// the non-null GraphQL field. The analyzer is the sole source; getFixGuidances
|
|
1341
|
+
// uses the served value directly (no fallback).
|
|
1341
1342
|
guidances: z2.array(z2.string()).default([])
|
|
1342
1343
|
});
|
|
1343
1344
|
PatchAndQuestionsZ = z2.object({
|
|
@@ -1354,10 +1355,10 @@ var init_fix = __esm({
|
|
|
1354
1355
|
extraContext: z2.array(ExtraContextInternalZ),
|
|
1355
1356
|
inputType: z2.nativeEnum(FixQuestionInputType),
|
|
1356
1357
|
options: z2.array(z2.string()),
|
|
1357
|
-
// E-2015
|
|
1358
|
-
// omits these still parses (-> ''
|
|
1359
|
-
//
|
|
1360
|
-
//
|
|
1358
|
+
// E-2015: analyzer-served question text. default('') so a query that
|
|
1359
|
+
// omits these still parses (-> ''), while the output type stays a required
|
|
1360
|
+
// `string` to match the non-null GraphQL fields. The analyzer is the sole
|
|
1361
|
+
// source; consumers use the served value directly (no fallback).
|
|
1361
1362
|
content: z2.string().default(""),
|
|
1362
1363
|
description: z2.string().default(""),
|
|
1363
1364
|
guidance: z2.string().default("")
|
|
@@ -2208,7 +2209,7 @@ var init_types2 = __esm({
|
|
|
2208
2209
|
});
|
|
2209
2210
|
|
|
2210
2211
|
// src/features/analysis/scm/shared/src/urlParser/urlParser.ts
|
|
2211
|
-
import { z as
|
|
2212
|
+
import { z as z9 } from "zod";
|
|
2212
2213
|
function computeCanonicalUrl(data) {
|
|
2213
2214
|
const {
|
|
2214
2215
|
scmType,
|
|
@@ -2250,7 +2251,7 @@ function detectAdoUrl(args) {
|
|
|
2250
2251
|
scmType: "Ado" /* Ado */,
|
|
2251
2252
|
organization,
|
|
2252
2253
|
// project has single repo - repoName === projectName
|
|
2253
|
-
projectName:
|
|
2254
|
+
projectName: z9.string().parse(projectName),
|
|
2254
2255
|
repoName: projectName,
|
|
2255
2256
|
prefixPath
|
|
2256
2257
|
};
|
|
@@ -2261,7 +2262,7 @@ function detectAdoUrl(args) {
|
|
|
2261
2262
|
return {
|
|
2262
2263
|
scmType: "Ado" /* Ado */,
|
|
2263
2264
|
organization,
|
|
2264
|
-
projectName:
|
|
2265
|
+
projectName: z9.string().parse(projectName),
|
|
2265
2266
|
repoName,
|
|
2266
2267
|
prefixPath
|
|
2267
2268
|
};
|
|
@@ -2275,7 +2276,7 @@ function detectAdoUrl(args) {
|
|
|
2275
2276
|
scmType: "Ado" /* Ado */,
|
|
2276
2277
|
organization,
|
|
2277
2278
|
// project has only one repo - repoName === projectName
|
|
2278
|
-
projectName:
|
|
2279
|
+
projectName: z9.string().parse(repoName),
|
|
2279
2280
|
repoName,
|
|
2280
2281
|
prefixPath
|
|
2281
2282
|
};
|
|
@@ -2285,7 +2286,7 @@ function detectAdoUrl(args) {
|
|
|
2285
2286
|
return {
|
|
2286
2287
|
scmType: "Ado" /* Ado */,
|
|
2287
2288
|
organization,
|
|
2288
|
-
projectName:
|
|
2289
|
+
projectName: z9.string().parse(projectName),
|
|
2289
2290
|
repoName,
|
|
2290
2291
|
prefixPath
|
|
2291
2292
|
};
|
|
@@ -2361,7 +2362,7 @@ function parseSshUrl(scmURL, scmType) {
|
|
|
2361
2362
|
if (pathElements.length === 3) {
|
|
2362
2363
|
const [organization2, projectName, repoName2] = pathElements;
|
|
2363
2364
|
if (organization2?.match(NAME_REGEX) && projectName && repoName2?.match(NAME_REGEX)) {
|
|
2364
|
-
const parsedProjectName =
|
|
2365
|
+
const parsedProjectName = z9.string().parse(projectName);
|
|
2365
2366
|
return {
|
|
2366
2367
|
scmType: "Ado" /* Ado */,
|
|
2367
2368
|
hostname: normalizedHostname,
|
|
@@ -2589,17 +2590,17 @@ var init_urlParser2 = __esm({
|
|
|
2589
2590
|
});
|
|
2590
2591
|
|
|
2591
2592
|
// src/features/analysis/scm/env.ts
|
|
2592
|
-
import { z as
|
|
2593
|
+
import { z as z12 } from "zod";
|
|
2593
2594
|
var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
|
|
2594
2595
|
var init_env = __esm({
|
|
2595
2596
|
"src/features/analysis/scm/env.ts"() {
|
|
2596
2597
|
"use strict";
|
|
2597
|
-
EnvVariablesZod =
|
|
2598
|
-
GITLAB_API_TOKEN:
|
|
2599
|
-
GITHUB_API_TOKEN:
|
|
2600
|
-
GIT_PROXY_HOST:
|
|
2601
|
-
MAX_UPLOAD_FILE_SIZE_MB:
|
|
2602
|
-
GITHUB_API_CONCURRENCY:
|
|
2598
|
+
EnvVariablesZod = z12.object({
|
|
2599
|
+
GITLAB_API_TOKEN: z12.string().optional(),
|
|
2600
|
+
GITHUB_API_TOKEN: z12.string().optional(),
|
|
2601
|
+
GIT_PROXY_HOST: z12.string().optional().default("http://tinyproxy:8888"),
|
|
2602
|
+
MAX_UPLOAD_FILE_SIZE_MB: z12.coerce.number().gt(0).default(2),
|
|
2603
|
+
GITHUB_API_CONCURRENCY: z12.coerce.number().gt(0).optional().default(10)
|
|
2603
2604
|
});
|
|
2604
2605
|
({
|
|
2605
2606
|
GITLAB_API_TOKEN,
|
|
@@ -2633,7 +2634,7 @@ var init_configs = __esm({
|
|
|
2633
2634
|
});
|
|
2634
2635
|
|
|
2635
2636
|
// src/utils/blame/gitBlameTypes.ts
|
|
2636
|
-
import { z as
|
|
2637
|
+
import { z as z15 } from "zod";
|
|
2637
2638
|
function parseCoAuthorValue(raw) {
|
|
2638
2639
|
const trimmed = raw.trim();
|
|
2639
2640
|
if (!trimmed) {
|
|
@@ -2669,9 +2670,9 @@ var PrepareGitBlameMessageZ, PrepareGitBlameResponseMessageZ, CommitMetadataZ, L
|
|
|
2669
2670
|
var init_gitBlameTypes = __esm({
|
|
2670
2671
|
"src/utils/blame/gitBlameTypes.ts"() {
|
|
2671
2672
|
"use strict";
|
|
2672
|
-
PrepareGitBlameMessageZ =
|
|
2673
|
-
reportId:
|
|
2674
|
-
repoArchivePath:
|
|
2673
|
+
PrepareGitBlameMessageZ = z15.object({
|
|
2674
|
+
reportId: z15.string(),
|
|
2675
|
+
repoArchivePath: z15.string(),
|
|
2675
2676
|
// Optional list of file paths to blame. Producers must pick one of two modes:
|
|
2676
2677
|
//
|
|
2677
2678
|
// - **Omit `filePaths`** = "blame every file in the archive". Used by the
|
|
@@ -2687,132 +2688,132 @@ var init_gitBlameTypes = __esm({
|
|
|
2687
2688
|
// "Login.java" when the actual file is "src/main/java/Login.java") are
|
|
2688
2689
|
// tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
|
|
2689
2690
|
// strings are filtered out defensively.
|
|
2690
|
-
filePaths:
|
|
2691
|
+
filePaths: z15.array(z15.string()).optional()
|
|
2691
2692
|
});
|
|
2692
|
-
PrepareGitBlameResponseMessageZ =
|
|
2693
|
-
reportId:
|
|
2693
|
+
PrepareGitBlameResponseMessageZ = z15.object({
|
|
2694
|
+
reportId: z15.string()
|
|
2694
2695
|
});
|
|
2695
|
-
CommitMetadataZ =
|
|
2696
|
-
author:
|
|
2697
|
-
"author-mail":
|
|
2698
|
-
"author-time":
|
|
2699
|
-
"author-tz":
|
|
2700
|
-
committer:
|
|
2701
|
-
"committer-mail":
|
|
2702
|
-
"committer-time":
|
|
2703
|
-
"committer-tz":
|
|
2704
|
-
summary:
|
|
2705
|
-
filename:
|
|
2696
|
+
CommitMetadataZ = z15.object({
|
|
2697
|
+
author: z15.string().optional(),
|
|
2698
|
+
"author-mail": z15.string().optional(),
|
|
2699
|
+
"author-time": z15.string().optional(),
|
|
2700
|
+
"author-tz": z15.string().optional(),
|
|
2701
|
+
committer: z15.string().optional(),
|
|
2702
|
+
"committer-mail": z15.string().optional(),
|
|
2703
|
+
"committer-time": z15.string().optional(),
|
|
2704
|
+
"committer-tz": z15.string().optional(),
|
|
2705
|
+
summary: z15.string().optional(),
|
|
2706
|
+
filename: z15.string().optional()
|
|
2706
2707
|
});
|
|
2707
|
-
LineToCommitMapZ =
|
|
2708
|
-
CommitMetadataMapZ =
|
|
2709
|
-
BlameInfoZ =
|
|
2708
|
+
LineToCommitMapZ = z15.record(z15.string(), z15.string());
|
|
2709
|
+
CommitMetadataMapZ = z15.record(z15.string(), CommitMetadataZ);
|
|
2710
|
+
BlameInfoZ = z15.object({
|
|
2710
2711
|
lineToCommit: LineToCommitMapZ,
|
|
2711
2712
|
commitMetadata: CommitMetadataMapZ
|
|
2712
2713
|
});
|
|
2713
|
-
LineRangeZ =
|
|
2714
|
+
LineRangeZ = z15.object({
|
|
2714
2715
|
/** First line in chunk (1-indexed) */
|
|
2715
|
-
start:
|
|
2716
|
+
start: z15.number(),
|
|
2716
2717
|
/** Last line in chunk (inclusive) */
|
|
2717
|
-
end:
|
|
2718
|
+
end: z15.number()
|
|
2718
2719
|
});
|
|
2719
|
-
PrContextZ =
|
|
2720
|
-
prNumber:
|
|
2721
|
-
repositoryUrl:
|
|
2722
|
-
organizationId:
|
|
2723
|
-
userEmail:
|
|
2724
|
-
source:
|
|
2725
|
-
githubContext:
|
|
2726
|
-
prNumber:
|
|
2727
|
-
installationId:
|
|
2728
|
-
repositoryURL:
|
|
2720
|
+
PrContextZ = z15.object({
|
|
2721
|
+
prNumber: z15.number(),
|
|
2722
|
+
repositoryUrl: z15.string(),
|
|
2723
|
+
organizationId: z15.string(),
|
|
2724
|
+
userEmail: z15.string(),
|
|
2725
|
+
source: z15.enum(["pr", "github"]),
|
|
2726
|
+
githubContext: z15.object({
|
|
2727
|
+
prNumber: z15.number(),
|
|
2728
|
+
installationId: z15.number(),
|
|
2729
|
+
repositoryURL: z15.string()
|
|
2729
2730
|
}).optional()
|
|
2730
2731
|
});
|
|
2731
|
-
PrepareCommitBlameMessageZ =
|
|
2732
|
+
PrepareCommitBlameMessageZ = z15.object({
|
|
2732
2733
|
/** Commit blame request ID from database (for tracking and updating status) */
|
|
2733
|
-
commitBlameRequestId:
|
|
2734
|
+
commitBlameRequestId: z15.string(),
|
|
2734
2735
|
/** Organization ID (for org-scoped caching) */
|
|
2735
|
-
organizationId:
|
|
2736
|
+
organizationId: z15.string(),
|
|
2736
2737
|
/** Full repository URL (e.g., https://github.com/org/repo) */
|
|
2737
|
-
repositoryUrl:
|
|
2738
|
+
repositoryUrl: z15.string(),
|
|
2738
2739
|
/** Commit SHA to analyze (typically PR head commit) */
|
|
2739
|
-
commitSha:
|
|
2740
|
+
commitSha: z15.string(),
|
|
2740
2741
|
/** Authentication headers for repository access (e.g., GitHub token) */
|
|
2741
|
-
extraHeaders:
|
|
2742
|
+
extraHeaders: z15.record(z15.string(), z15.string()).default({}),
|
|
2742
2743
|
// --- PR analysis fields ---
|
|
2743
2744
|
/** Target branch name (from getPr() base.ref). When set, enables PR analysis mode. */
|
|
2744
|
-
targetBranch:
|
|
2745
|
+
targetBranch: z15.string().optional(),
|
|
2745
2746
|
/** Context for triggering blame attribution analysis after SCM agent completes. */
|
|
2746
2747
|
prContext: PrContextZ.optional(),
|
|
2747
2748
|
/** User email for blame attribution analysis trigger context (used for both PR and single commit flows). */
|
|
2748
|
-
userEmail:
|
|
2749
|
+
userEmail: z15.string().optional()
|
|
2749
2750
|
});
|
|
2750
|
-
BlameLineInfoZ =
|
|
2751
|
+
BlameLineInfoZ = z15.object({
|
|
2751
2752
|
/** Line number as it appeared in the introducing commit */
|
|
2752
|
-
originalLineNumber:
|
|
2753
|
+
originalLineNumber: z15.number(),
|
|
2753
2754
|
/** Commit SHA that introduced this line */
|
|
2754
|
-
commitSha:
|
|
2755
|
+
commitSha: z15.string(),
|
|
2755
2756
|
/** Author name for this line */
|
|
2756
|
-
authorName:
|
|
2757
|
+
authorName: z15.string().optional(),
|
|
2757
2758
|
/** Author email for this line */
|
|
2758
|
-
authorEmail:
|
|
2759
|
+
authorEmail: z15.string().optional()
|
|
2759
2760
|
}).nullable();
|
|
2760
|
-
FileBlameDataZ =
|
|
2761
|
-
ChunkFetchResultZ =
|
|
2762
|
-
filePath:
|
|
2763
|
-
lines:
|
|
2761
|
+
FileBlameDataZ = z15.array(BlameLineInfoZ);
|
|
2762
|
+
ChunkFetchResultZ = z15.object({
|
|
2763
|
+
filePath: z15.string(),
|
|
2764
|
+
lines: z15.array(z15.number()),
|
|
2764
2765
|
data: FileBlameDataZ.nullable()
|
|
2765
2766
|
});
|
|
2766
|
-
FileBlameResponseEntryZ =
|
|
2767
|
+
FileBlameResponseEntryZ = z15.object({
|
|
2767
2768
|
/** Chunk index (0 for small files, 0-N for large file chunks) */
|
|
2768
|
-
chunkIndex:
|
|
2769
|
+
chunkIndex: z15.number(),
|
|
2769
2770
|
/** Blame data array (1-indexed, index 0 is null) */
|
|
2770
2771
|
blameData: FileBlameDataZ
|
|
2771
2772
|
});
|
|
2772
|
-
CommitBlameDataZ =
|
|
2773
|
-
|
|
2773
|
+
CommitBlameDataZ = z15.record(
|
|
2774
|
+
z15.string(),
|
|
2774
2775
|
// fileName
|
|
2775
|
-
|
|
2776
|
+
z15.array(FileBlameResponseEntryZ)
|
|
2776
2777
|
);
|
|
2777
|
-
CommitInfoZ =
|
|
2778
|
+
CommitInfoZ = z15.object({
|
|
2778
2779
|
/** Number of parent commits (1 = normal commit, 2+ = merge commit, null = failed to determine) */
|
|
2779
|
-
parentCount:
|
|
2780
|
+
parentCount: z15.number().nullable()
|
|
2780
2781
|
});
|
|
2781
|
-
GitIdentityZ =
|
|
2782
|
-
name:
|
|
2783
|
-
email:
|
|
2782
|
+
GitIdentityZ = z15.object({
|
|
2783
|
+
name: z15.string(),
|
|
2784
|
+
email: z15.string()
|
|
2784
2785
|
});
|
|
2785
2786
|
COMMIT_LOG_FORMAT = "%H%x00%ae%x00%an%x00%ce%x00%cn%x00%at%x00%s%x00%(trailers:key=Co-authored-by,valueonly,separator=%x00)";
|
|
2786
|
-
CommitDataZ =
|
|
2787
|
-
diff:
|
|
2787
|
+
CommitDataZ = z15.object({
|
|
2788
|
+
diff: z15.string(),
|
|
2788
2789
|
author: GitIdentityZ,
|
|
2789
2790
|
committer: GitIdentityZ,
|
|
2790
|
-
coAuthors:
|
|
2791
|
-
timestamp:
|
|
2791
|
+
coAuthors: z15.array(GitIdentityZ),
|
|
2792
|
+
timestamp: z15.number(),
|
|
2792
2793
|
// Unix timestamp in seconds
|
|
2793
|
-
message:
|
|
2794
|
-
parentCount:
|
|
2794
|
+
message: z15.string().optional(),
|
|
2795
|
+
parentCount: z15.number().nullable()
|
|
2795
2796
|
});
|
|
2796
|
-
PrDiffDataZ =
|
|
2797
|
-
diff:
|
|
2797
|
+
PrDiffDataZ = z15.object({
|
|
2798
|
+
diff: z15.string()
|
|
2798
2799
|
});
|
|
2799
|
-
PrStatsZ =
|
|
2800
|
-
additions:
|
|
2801
|
-
deletions:
|
|
2800
|
+
PrStatsZ = z15.object({
|
|
2801
|
+
additions: z15.number(),
|
|
2802
|
+
deletions: z15.number()
|
|
2802
2803
|
});
|
|
2803
|
-
CommitsManifestZ =
|
|
2804
|
-
commits:
|
|
2804
|
+
CommitsManifestZ = z15.object({
|
|
2805
|
+
commits: z15.array(z15.string())
|
|
2805
2806
|
// Array of commit SHAs in order
|
|
2806
2807
|
});
|
|
2807
|
-
BlameLineEntryZ =
|
|
2808
|
+
BlameLineEntryZ = z15.object({
|
|
2808
2809
|
/** Current file path in the PR head (what git blame was invoked on). */
|
|
2809
|
-
file:
|
|
2810
|
+
file: z15.string(),
|
|
2810
2811
|
/** Current line number in the PR head. */
|
|
2811
|
-
line:
|
|
2812
|
+
line: z15.number(),
|
|
2812
2813
|
/** SHA of the commit that originally authored this line. */
|
|
2813
|
-
originalCommitSha:
|
|
2814
|
+
originalCommitSha: z15.string(),
|
|
2814
2815
|
/** Line number as it was in `originalCommitSha`. */
|
|
2815
|
-
originalLineNumber:
|
|
2816
|
+
originalLineNumber: z15.number(),
|
|
2816
2817
|
/**
|
|
2817
2818
|
* File path as it was in `originalCommitSha` at the time that commit
|
|
2818
2819
|
* authored this line. When a file has been renamed since, this differs
|
|
@@ -2825,24 +2826,24 @@ var init_gitBlameTypes = __esm({
|
|
|
2825
2826
|
* must treat empty as "fall back to `file`" (see enrichDiffLines,
|
|
2826
2827
|
* targetedBlame).
|
|
2827
2828
|
*/
|
|
2828
|
-
originalFile:
|
|
2829
|
+
originalFile: z15.string().default("")
|
|
2829
2830
|
});
|
|
2830
|
-
BlameLinesDataZ =
|
|
2831
|
-
lines:
|
|
2831
|
+
BlameLinesDataZ = z15.object({
|
|
2832
|
+
lines: z15.array(BlameLineEntryZ)
|
|
2832
2833
|
});
|
|
2833
|
-
PrepareCommitBlameResponseMessageZ =
|
|
2834
|
+
PrepareCommitBlameResponseMessageZ = z15.object({
|
|
2834
2835
|
/** Commit blame request ID (matches request, used to update specific DB record) */
|
|
2835
|
-
commitBlameRequestId:
|
|
2836
|
+
commitBlameRequestId: z15.string(),
|
|
2836
2837
|
/** Organization ID (matches request) */
|
|
2837
|
-
organizationId:
|
|
2838
|
+
organizationId: z15.string(),
|
|
2838
2839
|
/** Repository URL (matches request) */
|
|
2839
|
-
repositoryUrl:
|
|
2840
|
+
repositoryUrl: z15.string(),
|
|
2840
2841
|
/** Commit SHA analyzed (matches request) */
|
|
2841
|
-
commitSha:
|
|
2842
|
+
commitSha: z15.string(),
|
|
2842
2843
|
/** Processing status */
|
|
2843
|
-
status:
|
|
2844
|
+
status: z15.enum(["success", "failure"]),
|
|
2844
2845
|
/** Error message (only present if status is 'failure') */
|
|
2845
|
-
error:
|
|
2846
|
+
error: z15.string().optional(),
|
|
2846
2847
|
/**
|
|
2847
2848
|
* Blame data for all processed files/chunks.
|
|
2848
2849
|
* Empty dictionary if status is 'failure'.
|
|
@@ -2854,29 +2855,29 @@ var init_gitBlameTypes = __esm({
|
|
|
2854
2855
|
* Keyed by commit SHA, deduplicated.
|
|
2855
2856
|
* Empty dictionary if status is 'failure'.
|
|
2856
2857
|
*/
|
|
2857
|
-
commits:
|
|
2858
|
+
commits: z15.record(z15.string(), CommitInfoZ).default({}),
|
|
2858
2859
|
// --- New PR diff computation response fields ---
|
|
2859
2860
|
/** S3 paths for commit-level data (commitSha → S3 key). Present in PR analysis mode and single commit mode. */
|
|
2860
|
-
commitDataS3Paths:
|
|
2861
|
+
commitDataS3Paths: z15.record(z15.string(), z15.string()).optional(),
|
|
2861
2862
|
/** S3 key for PR diff JSON. Present in PR analysis mode. */
|
|
2862
|
-
prDiffS3Path:
|
|
2863
|
+
prDiffS3Path: z15.string().optional(),
|
|
2863
2864
|
/** S3 key for commits manifest. Present in PR analysis mode. */
|
|
2864
|
-
commitsManifestS3Path:
|
|
2865
|
+
commitsManifestS3Path: z15.string().optional(),
|
|
2865
2866
|
/** S3 key for per-line targeted blame data. Present in PR analysis mode. */
|
|
2866
|
-
blameLinesS3Path:
|
|
2867
|
+
blameLinesS3Path: z15.string().optional(),
|
|
2867
2868
|
/** S3 key for PR stats (additions/deletions). Present in PR analysis mode. */
|
|
2868
|
-
prStatsS3Path:
|
|
2869
|
+
prStatsS3Path: z15.string().optional(),
|
|
2869
2870
|
/** PR context passed through from request for response handler. */
|
|
2870
2871
|
prContext: PrContextZ.optional(),
|
|
2871
2872
|
/** PR title from the request metadata (passed through). */
|
|
2872
|
-
prTitle:
|
|
2873
|
+
prTitle: z15.string().optional(),
|
|
2873
2874
|
/** User email passed through from request for single commit blame attribution analysis trigger. */
|
|
2874
|
-
userEmail:
|
|
2875
|
+
userEmail: z15.string().optional()
|
|
2875
2876
|
});
|
|
2876
|
-
VulnerabilityAttributionMessageZ =
|
|
2877
|
-
fixReportId:
|
|
2878
|
-
vulnerabilityAttributionRequestId:
|
|
2879
|
-
userEmail:
|
|
2877
|
+
VulnerabilityAttributionMessageZ = z15.object({
|
|
2878
|
+
fixReportId: z15.string().uuid(),
|
|
2879
|
+
vulnerabilityAttributionRequestId: z15.string().uuid(),
|
|
2880
|
+
userEmail: z15.string()
|
|
2880
2881
|
});
|
|
2881
2882
|
}
|
|
2882
2883
|
});
|
|
@@ -4143,7 +4144,7 @@ import * as os3 from "os";
|
|
|
4143
4144
|
import path6 from "path";
|
|
4144
4145
|
import chalk3 from "chalk";
|
|
4145
4146
|
import { withFile } from "tmp-promise";
|
|
4146
|
-
import
|
|
4147
|
+
import z23 from "zod";
|
|
4147
4148
|
|
|
4148
4149
|
// src/commands/handleMobbLogin.ts
|
|
4149
4150
|
import chalk2 from "chalk";
|
|
@@ -4615,7 +4616,7 @@ import debugModule from "debug";
|
|
|
4615
4616
|
var debug3 = debugModule("mobb:shared");
|
|
4616
4617
|
|
|
4617
4618
|
// src/features/analysis/scm/utils/index.ts
|
|
4618
|
-
import { z as
|
|
4619
|
+
import { z as z11 } from "zod";
|
|
4619
4620
|
|
|
4620
4621
|
// src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
|
|
4621
4622
|
init_client_generates();
|
|
@@ -4633,1560 +4634,6 @@ init_getIssueType();
|
|
|
4633
4634
|
|
|
4634
4635
|
// src/features/analysis/scm/shared/src/guidances.ts
|
|
4635
4636
|
init_client_generates();
|
|
4636
|
-
init_getIssueType();
|
|
4637
|
-
import { z as z11 } from "zod";
|
|
4638
|
-
|
|
4639
|
-
// src/features/analysis/scm/shared/src/storedFixData/index.ts
|
|
4640
|
-
init_client_generates();
|
|
4641
|
-
import { z as z9 } from "zod";
|
|
4642
|
-
|
|
4643
|
-
// src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
|
|
4644
|
-
var passwordInComment = {
|
|
4645
|
-
guidance: () => "Removing sensitive information from the comments is not enough. To ensure the security of your data, you have to rotate passwords and tokens and update all places where they were used."
|
|
4646
|
-
};
|
|
4647
|
-
|
|
4648
|
-
// src/features/analysis/scm/shared/src/storedFixData/csharp/missingAntiForgeryValidation.ts
|
|
4649
|
-
var missingAntiForgeryValidation = {
|
|
4650
|
-
guidance: () => `The \`ValidateAntiForgeryToken\` attribute helps prevent cross-site request forgery (CSRF) attacks. The token is automatically injected into the view by the [FormTagHelper](https://learn.microsoft.com/en-us/aspnet/core/mvc/views/working-with-forms?view=aspnetcore-8.0#the-form-tag-helper)
|
|
4651
|
-
and is included when the form is submitted by the user. The token is validated by the \`ValidateAntiForgeryToken\` attribute. The token could be also generated using the [Html.AntiForgeryToken](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.htmlhelper.antiforgerytoken?view=aspnet-mvc-5.2) helper.
|
|
4652
|
-
|
|
4653
|
-
|
|
4654
|
-
|
|
4655
|
-
|
|
4656
|
-
***Make sure this controller's client provides the validation token before approving this change.***
|
|
4657
|
-
|
|
4658
|
-
|
|
4659
|
-
|
|
4660
|
-
|
|
4661
|
-
This is an illustration of how the form will look like:
|
|
4662
|
-
|
|
4663
|
-
|
|
4664
|
-
|
|
4665
|
-
<form method="post" action="/Action">
|
|
4666
|
-
<!-- Input and Submit elements -->
|
|
4667
|
-
<input name="__RequestVerificationToken"
|
|
4668
|
-
type="hidden" value="<removed for brevity>">
|
|
4669
|
-
</form>
|
|
4670
|
-
|
|
4671
|
-
|
|
4672
|
-
***Notice the \`__RequestVerificationToken\` parameters.***
|
|
4673
|
-
`
|
|
4674
|
-
};
|
|
4675
|
-
|
|
4676
|
-
// src/features/analysis/scm/shared/src/storedFixData/csharp/index.ts
|
|
4677
|
-
var vulnerabilities = {
|
|
4678
|
-
["MISSING_ANTIFORGERY_VALIDATION"]: missingAntiForgeryValidation,
|
|
4679
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment
|
|
4680
|
-
};
|
|
4681
|
-
var csharp_default = vulnerabilities;
|
|
4682
|
-
|
|
4683
|
-
// src/features/analysis/scm/shared/src/storedFixData/dockerfile/index.ts
|
|
4684
|
-
var vulnerabilities2 = {};
|
|
4685
|
-
var dockerfile_default = vulnerabilities2;
|
|
4686
|
-
|
|
4687
|
-
// src/features/analysis/scm/shared/src/storedFixData/go/index.ts
|
|
4688
|
-
var vulnerabilities3 = {};
|
|
4689
|
-
var go_default = vulnerabilities3;
|
|
4690
|
-
|
|
4691
|
-
// src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
|
|
4692
|
-
var vulnerabilities4 = {};
|
|
4693
|
-
var hcl_default = vulnerabilities4;
|
|
4694
|
-
|
|
4695
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
|
|
4696
|
-
var insecureDeserialization = {
|
|
4697
|
-
guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
|
|
4698
|
-
};
|
|
4699
|
-
|
|
4700
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
|
|
4701
|
-
var j2eeGetConnection = {
|
|
4702
|
-
guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
|
|
4703
|
-
|
|
4704
|
-
|
|
4705
|
-
|
|
4706
|
-
|
|
4707
|
-
***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
|
|
4708
|
-
|
|
4709
|
-
- **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
|
|
4710
|
-
- **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
|
|
4711
|
-
- **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
|
|
4712
|
-
- **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
|
|
4713
|
-
|
|
4714
|
-
|
|
4715
|
-
|
|
4716
|
-
|
|
4717
|
-
Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
|
|
4718
|
-
|
|
4719
|
-
|
|
4720
|
-
|
|
4721
|
-
|
|
4722
|
-
This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
|
|
4723
|
-
};
|
|
4724
|
-
|
|
4725
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
|
|
4726
|
-
var systemInformationLeak = {
|
|
4727
|
-
guidance: ({
|
|
4728
|
-
clientMightBeAffected
|
|
4729
|
-
}) => {
|
|
4730
|
-
if (clientMightBeAffected) {
|
|
4731
|
-
return "You should never expose error details to the client. We removed the error details from the response. Ensure the client application code does not rely on the removed information.";
|
|
4732
|
-
}
|
|
4733
|
-
return "";
|
|
4734
|
-
}
|
|
4735
|
-
};
|
|
4736
|
-
|
|
4737
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/index.ts
|
|
4738
|
-
var vulnerabilities5 = {
|
|
4739
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4740
|
-
["INSECURE_DESERIALIZATION"]: insecureDeserialization,
|
|
4741
|
-
["J2EE_GET_CONNECTION"]: j2eeGetConnection,
|
|
4742
|
-
["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
|
|
4743
|
-
};
|
|
4744
|
-
var java_default = vulnerabilities5;
|
|
4745
|
-
|
|
4746
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
|
|
4747
|
-
var csrf = {
|
|
4748
|
-
guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
|
|
4749
|
-
|
|
4750
|
-
|
|
4751
|
-
If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
|
|
4752
|
-
|
|
4753
|
-
|
|
4754
|
-
See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
|
|
4755
|
-
};
|
|
4756
|
-
|
|
4757
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
|
|
4758
|
-
var hardcodedSecrets = {
|
|
4759
|
-
guidance: ({ questions }) => {
|
|
4760
|
-
const envVarName = questions.find((q) => q.key === "env_var_name")?.value || "the";
|
|
4761
|
-
const keepAsDefault = questions.find(
|
|
4762
|
-
(q) => q.key === "keep_as_default"
|
|
4763
|
-
)?.value;
|
|
4764
|
-
let additionalText = "";
|
|
4765
|
-
if (keepAsDefault === "yes") {
|
|
4766
|
-
additionalText = "\n1. Remove the hardcoded secret from the code.\n";
|
|
4767
|
-
}
|
|
4768
|
-
return `Please follow the steps in this specific order:
|
|
4769
|
-
|
|
4770
|
-
1. Change the secret that was hardcoded. It is essential because even when you commit the changes, the secret will remain in the git history.${additionalText}
|
|
4771
|
-
1. Update the configuration of all your application environments and CI/CD pipelines to set \`${envVarName}\` environment variable.
|
|
4772
|
-
1. Commit the changes.`;
|
|
4773
|
-
}
|
|
4774
|
-
};
|
|
4775
|
-
|
|
4776
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/noLimitsOrThrottling.ts
|
|
4777
|
-
var noLimitsOrThrottling = {
|
|
4778
|
-
guidance: () => "We set the default limit to 60 requests per minute. To customize the rate limit settings, please read the documentation of the [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) package."
|
|
4779
|
-
};
|
|
4780
|
-
|
|
4781
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/ssrf.ts
|
|
4782
|
-
var ssrf = {
|
|
4783
|
-
guidance: () => "The server-side validates the domains it has access to, otherwise it throws an error if validation failed. Please make sure you handled the error correctly."
|
|
4784
|
-
};
|
|
4785
|
-
|
|
4786
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
|
|
4787
|
-
var vulnerabilities6 = {
|
|
4788
|
-
["SSRF"]: ssrf,
|
|
4789
|
-
["HARDCODED_SECRETS"]: hardcodedSecrets,
|
|
4790
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4791
|
-
["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling,
|
|
4792
|
-
["CSRF"]: csrf
|
|
4793
|
-
};
|
|
4794
|
-
var javascript_default = vulnerabilities6;
|
|
4795
|
-
|
|
4796
|
-
// src/features/analysis/scm/shared/src/storedFixData/php/index.ts
|
|
4797
|
-
var vulnerabilities7 = {};
|
|
4798
|
-
var php_default = vulnerabilities7;
|
|
4799
|
-
|
|
4800
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/autoEscapeFalse.ts
|
|
4801
|
-
var autoEscapeFalse = {
|
|
4802
|
-
guidance: () => `This fix enables automatic escaping for HTML. When that's enabled, everything is escaped by default except for values explicitly marked as safe. Variables and expressions can be marked as safe either in:
|
|
4803
|
-
|
|
4804
|
-
a. The context dictionary by the application with \`markupsafe.Markup\`
|
|
4805
|
-
|
|
4806
|
-
b. The template, with the \`|safe\` filter.
|
|
4807
|
-
|
|
4808
|
-
|
|
4809
|
-
|
|
4810
|
-
|
|
4811
|
-
See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping) and [here](https://pypi.org/project/MarkupSafe/).
|
|
4812
|
-
|
|
4813
|
-
|
|
4814
|
-
|
|
4815
|
-
|
|
4816
|
-
***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
|
|
4817
|
-
};
|
|
4818
|
-
|
|
4819
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
|
|
4820
|
-
var improperCertificateValidation = {
|
|
4821
|
-
guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
|
|
4822
|
-
|
|
4823
|
-
|
|
4824
|
-
|
|
4825
|
-
***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
|
|
4826
|
-
|
|
4827
|
-
|
|
4828
|
-
|
|
4829
|
-
See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
|
|
4830
|
-
};
|
|
4831
|
-
|
|
4832
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/index.ts
|
|
4833
|
-
var vulnerabilities8 = {
|
|
4834
|
-
["AUTO_ESCAPE_FALSE"]: autoEscapeFalse,
|
|
4835
|
-
["CSRF"]: csrf,
|
|
4836
|
-
["IMPROPER_CERTIFICATE_VALIDATION"]: improperCertificateValidation
|
|
4837
|
-
};
|
|
4838
|
-
var python_default = vulnerabilities8;
|
|
4839
|
-
|
|
4840
|
-
// src/features/analysis/scm/shared/src/storedFixData/sql/defaultRightsInObjDefinition.ts
|
|
4841
|
-
var defaultRightsInObjDefinition = {
|
|
4842
|
-
guidance: () => "***Make sure the user who is supposed to run the procedure has sufficient permissions.***\n\nRead more details about the `EXECUTE AS` statement in [the official Microsoft documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-clause-transact-sql?view=sql-server-ver16&tabs=sqlserver).\n\n`EXECUTE AS CALLER` is the default behavior for SQL Server 2005 and later."
|
|
4843
|
-
};
|
|
4844
|
-
|
|
4845
|
-
// src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
|
|
4846
|
-
var vulnerabilities9 = {
|
|
4847
|
-
["DEFAULT_RIGHTS_IN_OBJ_DEFINITION"]: defaultRightsInObjDefinition
|
|
4848
|
-
};
|
|
4849
|
-
var sql_default = vulnerabilities9;
|
|
4850
|
-
|
|
4851
|
-
// src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
|
|
4852
|
-
var vulnerabilities10 = {
|
|
4853
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment
|
|
4854
|
-
};
|
|
4855
|
-
var xml_default = vulnerabilities10;
|
|
4856
|
-
|
|
4857
|
-
// src/features/analysis/scm/shared/src/storedFixData/index.ts
|
|
4858
|
-
var StoredFixDataItemZ = z9.object({
|
|
4859
|
-
guidance: z9.function().args(z9.any()).returns(z9.string())
|
|
4860
|
-
});
|
|
4861
|
-
var languages = {
|
|
4862
|
-
["Java" /* Java */]: java_default,
|
|
4863
|
-
["JavaScript" /* JavaScript */]: javascript_default,
|
|
4864
|
-
["CSharp" /* CSharp */]: csharp_default,
|
|
4865
|
-
["SQL" /* Sql */]: sql_default,
|
|
4866
|
-
["XML" /* Xml */]: xml_default,
|
|
4867
|
-
["Python" /* Python */]: python_default,
|
|
4868
|
-
["PHP" /* Php */]: php_default,
|
|
4869
|
-
["Go" /* Go */]: go_default,
|
|
4870
|
-
["Dockerfile" /* Dockerfile */]: dockerfile_default,
|
|
4871
|
-
["Hcl" /* Hcl */]: hcl_default
|
|
4872
|
-
};
|
|
4873
|
-
|
|
4874
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/index.ts
|
|
4875
|
-
init_client_generates();
|
|
4876
|
-
import { z as z10 } from "zod";
|
|
4877
|
-
|
|
4878
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
|
|
4879
|
-
var commandInjection = {
|
|
4880
|
-
isUnixShellCommandPart: {
|
|
4881
|
-
content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
|
|
4882
|
-
description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
|
|
4883
|
-
|
|
4884
|
-
- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
|
|
4885
|
-
- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
|
|
4886
|
-
|
|
4887
|
-
Answer **no** (the input is not plain data) when the input is:
|
|
4888
|
-
|
|
4889
|
-
1. The program/executable itself:
|
|
4890
|
-
- \`system(input);\`
|
|
4891
|
-
- \`sprintf(cmd, "%s -x", input);\`
|
|
4892
|
-
2. A command after a pipe or redirect:
|
|
4893
|
-
- \`sprintf(cmd, "cat file.txt | %s", input);\`
|
|
4894
|
-
3. A part of a non-Unix or cross-platform shell command.
|
|
4895
|
-
4. A part of embedded code in another language:
|
|
4896
|
-
- \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
|
|
4897
|
-
- \`sprintf(cmd, "awk '%s' file", input);\`
|
|
4898
|
-
5. A flag/option that controls a tool's behaviour:
|
|
4899
|
-
- \`sprintf(cmd, "git --upload-pack %s", input);\``,
|
|
4900
|
-
guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
|
|
4901
|
-
},
|
|
4902
|
-
executableLocationPath: {
|
|
4903
|
-
content: () => "What is the absolute path of the directory containing the executable?",
|
|
4904
|
-
description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
|
|
4905
|
-
|
|
4906
|
-
Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
|
|
4907
|
-
guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
|
|
4908
|
-
}
|
|
4909
|
-
};
|
|
4910
|
-
|
|
4911
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/pathManipulation.ts
|
|
4912
|
-
var pathManipulation = {
|
|
4913
|
-
baseDirectory: {
|
|
4914
|
-
content: ({ expression }) => `Which directory must \`${expression}\` stay within? Enter the absolute base directory file access is restricted to.`,
|
|
4915
|
-
description: ({ expression }) => `The fix canonicalizes \`${expression}\` (resolving \`.\`, \`..\`, and symlinks) and verifies the result stays inside this base directory. Provide the **absolute** root the application is allowed to read or write under, for example \`/var/app/data\`. The directory must exist at runtime. A path that resolves outside it is rejected at runtime.`,
|
|
4916
|
-
guidance: (_) => "You **must** set this to an absolute path that exists at runtime and that your application confines file access to. If you leave it unset (or give a relative path), the generated fix is emitted with a placeholder identifier (`MOBB_SET_ALLOWED_BASE_DIR`) that **deliberately does not compile**, so a missing security boundary cannot be overlooked \u2014 replace it with your absolute base directory. A relative path would otherwise resolve against the process working directory (moving the boundary). At runtime the guard aborts (C: `exit(EXIT_FAILURE)`) / throws (C++: `std::runtime_error`) on a path that escapes the base. Pick the narrowest directory that still contains every legitimate file the code opens."
|
|
4917
|
-
}
|
|
4918
|
-
};
|
|
4919
|
-
|
|
4920
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
|
|
4921
|
-
var vulnerabilities11 = {
|
|
4922
|
-
["CMDi"]: commandInjection,
|
|
4923
|
-
["PT"]: pathManipulation
|
|
4924
|
-
};
|
|
4925
|
-
var cpp_default = vulnerabilities11;
|
|
4926
|
-
|
|
4927
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
|
|
4928
|
-
var httpOnlyCookie = {
|
|
4929
|
-
httpOnlyCookie: {
|
|
4930
|
-
content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
|
|
4931
|
-
description: () => httpOnlyMessage,
|
|
4932
|
-
guidance: () => ""
|
|
4933
|
-
},
|
|
4934
|
-
cookieVarName: {
|
|
4935
|
-
content: () => "Please define a variable name",
|
|
4936
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
4937
|
-
guidance: () => ""
|
|
4938
|
-
}
|
|
4939
|
-
};
|
|
4940
|
-
var httpOnlyMessage = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
|
|
4941
|
-
when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
|
|
4942
|
-
be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
|
|
4943
|
-
|
|
4944
|
-
|
|
4945
|
-
|
|
4946
|
-
|
|
4947
|
-
***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
|
|
4948
|
-
|
|
4949
|
-
|
|
4950
|
-
|
|
4951
|
-
`;
|
|
4952
|
-
|
|
4953
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureBinderConfiguration.ts
|
|
4954
|
-
var insecureBinderConfiguration = {
|
|
4955
|
-
bindAttributeParam: {
|
|
4956
|
-
content: ({ func_param_name }) => `Which properties of the model should be included in model binding for \`${func_param_name}\`?`,
|
|
4957
|
-
description: () => "Provide a comma-separated list of valid property names to be included in model binding. See [the official documentation](https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding?view=aspnetcore-8.0#bind-attribute) for more details.",
|
|
4958
|
-
guidance: () => ""
|
|
4959
|
-
}
|
|
4960
|
-
};
|
|
4961
|
-
|
|
4962
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureCookie.ts
|
|
4963
|
-
var insecureCookie = {
|
|
4964
|
-
insecureCookie: {
|
|
4965
|
-
content: () => "Will this cookie be used only in encrypted channels (https)?",
|
|
4966
|
-
description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
|
|
4967
|
-
In environments like local development or test, setting cookies as secure might have some consequences:
|
|
4968
|
-
|
|
4969
|
-
|
|
4970
|
-
- Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
|
|
4971
|
-
additional configuration and certificates. If cookies are marked as secure,
|
|
4972
|
-
they won't be sent over HTTP, and this could potentially interfere with the normal
|
|
4973
|
-
functioning of your application during development.
|
|
4974
|
-
|
|
4975
|
-
|
|
4976
|
-
- Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
|
|
4977
|
-
testing environment accurately simulates the production environment's security features.
|
|
4978
|
-
This may involve setting up HTTPS in your local development environment.
|
|
4979
|
-
|
|
4980
|
-
|
|
4981
|
-
- Debugging Challenges: Debugging may be more challenging when using secure cookies in a
|
|
4982
|
-
development environment, especially if you need to inspect or manipulate the cookies during
|
|
4983
|
-
development.`,
|
|
4984
|
-
guidance: () => ""
|
|
4985
|
-
},
|
|
4986
|
-
cookieVarName: {
|
|
4987
|
-
content: () => "Please define a variable name",
|
|
4988
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
4989
|
-
guidance: () => ""
|
|
4990
|
-
}
|
|
4991
|
-
};
|
|
4992
|
-
|
|
4993
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureRandomness.ts
|
|
4994
|
-
var insecureRandomness = {
|
|
4995
|
-
isRandomNumberGeneratorAvailable: {
|
|
4996
|
-
content: () => "We use the `RandomNumberGenerator` class from the `System.Security.Cryptography` package. Does this class exist for the .NET version you use?",
|
|
4997
|
-
description: () => "See [the official documentation](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-8.0#applies-to) for more details.",
|
|
4998
|
-
guidance: () => ""
|
|
4999
|
-
},
|
|
5000
|
-
isNetVersionGreaterThan6: {
|
|
5001
|
-
content: () => "We are able to offer a more concise solution if the .NET version is greater then .NET 6",
|
|
5002
|
-
description: () => "",
|
|
5003
|
-
guidance: () => ""
|
|
5004
|
-
}
|
|
5005
|
-
};
|
|
5006
|
-
|
|
5007
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insufficientLogging.ts
|
|
5008
|
-
var insufficientLogging = {
|
|
5009
|
-
logMessage: {
|
|
5010
|
-
content: () => "Enter the message that you want to appear in the log",
|
|
5011
|
-
description: () => "",
|
|
5012
|
-
guidance: () => ""
|
|
5013
|
-
}
|
|
5014
|
-
};
|
|
5015
|
-
|
|
5016
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/logForging.ts
|
|
5017
|
-
var logForging = {
|
|
5018
|
-
isHtmlDisplay: {
|
|
5019
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5020
|
-
description: () => "",
|
|
5021
|
-
guidance: ({ userInputValue }) => {
|
|
5022
|
-
switch (userInputValue) {
|
|
5023
|
-
case "yes":
|
|
5024
|
-
return "We use the `System.Web` `HttpUtility` to decode the HTML";
|
|
5025
|
-
default:
|
|
5026
|
-
return "";
|
|
5027
|
-
}
|
|
5028
|
-
}
|
|
5029
|
-
}
|
|
5030
|
-
};
|
|
5031
|
-
|
|
5032
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/overlyBroadCatch.ts
|
|
5033
|
-
var overlyBroadCatch = {
|
|
5034
|
-
defaultExceptionsInWhenFilter: {
|
|
5035
|
-
content: () => "Exceptions to filter",
|
|
5036
|
-
description: () => "Coma separated list of the Fully Qualified Exceptions names",
|
|
5037
|
-
guidance: () => ""
|
|
5038
|
-
}
|
|
5039
|
-
};
|
|
5040
|
-
|
|
5041
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/pt.ts
|
|
5042
|
-
var pt = {
|
|
5043
|
-
taintedTermType: {
|
|
5044
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name or a file path?`,
|
|
5045
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
|
|
5046
|
-
guidance: () => ""
|
|
5047
|
-
},
|
|
5048
|
-
pathTargetDir: {
|
|
5049
|
-
content: () => "Allowed file path",
|
|
5050
|
-
description: () => "Provide the intended file path destination eg: /tmp/testfiles/users/",
|
|
5051
|
-
guidance: () => ""
|
|
5052
|
-
}
|
|
5053
|
-
};
|
|
5054
|
-
|
|
5055
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
|
|
5056
|
-
var regexMissingTimeout = {
|
|
5057
|
-
netVersionGreaterOrEqual7: {
|
|
5058
|
-
content: () => "Is your target framework .NET 7 or greater?",
|
|
5059
|
-
description: () => "",
|
|
5060
|
-
guidance: () => ""
|
|
5061
|
-
},
|
|
5062
|
-
timeout: {
|
|
5063
|
-
content: () => "Enter the timeout in milliseconds",
|
|
5064
|
-
description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
|
|
5065
|
-
guidance: () => ""
|
|
5066
|
-
},
|
|
5067
|
-
useBacktrackingOption: {
|
|
5068
|
-
content: () => "Use non backtracking option",
|
|
5069
|
-
description: () => "If the regex does not need to use backtracking we can disable it using regex options",
|
|
5070
|
-
guidance: () => ""
|
|
5071
|
-
}
|
|
5072
|
-
};
|
|
5073
|
-
|
|
5074
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/requestParametersBoundViaInput.ts
|
|
5075
|
-
var requestParametersBoundViaInput = {
|
|
5076
|
-
fieldsToCopy: {
|
|
5077
|
-
content: () => "Please list all the fields you expect as input from the user. Use comma separated list.",
|
|
5078
|
-
description: () => `This is meant to avoid mass assignment vulnerabilities, where the user would enter an inner unexpected field`,
|
|
5079
|
-
guidance: () => ""
|
|
5080
|
-
}
|
|
5081
|
-
};
|
|
5082
|
-
|
|
5083
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
|
|
5084
|
-
var sqlInjection = {
|
|
5085
|
-
databaseProvider: {
|
|
5086
|
-
content: () => "Select the database provider",
|
|
5087
|
-
description: () => "",
|
|
5088
|
-
guidance: () => ""
|
|
5089
|
-
}
|
|
5090
|
-
};
|
|
5091
|
-
|
|
5092
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/ssrf.ts
|
|
5093
|
-
var ssrf2 = {
|
|
5094
|
-
domainsAllowlist: {
|
|
5095
|
-
content: () => "Allowed domains",
|
|
5096
|
-
description: () => "Coma separated list of allowed domains.",
|
|
5097
|
-
guidance: () => ""
|
|
5098
|
-
}
|
|
5099
|
-
};
|
|
5100
|
-
|
|
5101
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sysLeak.ts
|
|
5102
|
-
var sysLeak = {
|
|
5103
|
-
errorMessage: {
|
|
5104
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5105
|
-
description: () => "",
|
|
5106
|
-
guidance: () => ""
|
|
5107
|
-
},
|
|
5108
|
-
noLoggerAction: {
|
|
5109
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5110
|
-
description: () => "",
|
|
5111
|
-
guidance: () => ""
|
|
5112
|
-
}
|
|
5113
|
-
};
|
|
5114
|
-
|
|
5115
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/trustBoundaryViolation.ts
|
|
5116
|
-
var trustBoundaryViolation = {
|
|
5117
|
-
validationPattern: {
|
|
5118
|
-
content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
|
|
5119
|
-
description: () => "We use regex to validate the input to avoid runtime surprises",
|
|
5120
|
-
guidance: () => ""
|
|
5121
|
-
},
|
|
5122
|
-
otherPatternValue: {
|
|
5123
|
-
content: () => `Enter the regex pattern you would like to use to validate the input`,
|
|
5124
|
-
description: () => "See patterns at [the regex docs](https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference)",
|
|
5125
|
-
guidance: () => ""
|
|
5126
|
-
}
|
|
5127
|
-
};
|
|
5128
|
-
|
|
5129
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/useOfSystemOutputStream.ts
|
|
5130
|
-
var useOfSystemOutputStream = {
|
|
5131
|
-
noLoggerAction: {
|
|
5132
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5133
|
-
description: () => "",
|
|
5134
|
-
guidance: () => ""
|
|
5135
|
-
}
|
|
5136
|
-
};
|
|
5137
|
-
|
|
5138
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/valueShadowing.ts
|
|
5139
|
-
var valueShadowing = {
|
|
5140
|
-
collectionName: {
|
|
5141
|
-
content: () => "Please select the collection to search/index from",
|
|
5142
|
-
description: () => `Accessing the root object eg Request["item"] searches across all available collections and returns the first item that matches. Potentially leading to the correct value being shadowed. Available collections include:
|
|
5143
|
-
- QueryString: The values of variables in the HTTP query string.
|
|
5144
|
-
- Form: The values of form elements in the HTTP request body.
|
|
5145
|
-
- Cookies: The values of cookies sent in the HTTP request.
|
|
5146
|
-
- ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
|
|
5147
|
-
- ServerVariables: The values of predetermined environment variables.`,
|
|
5148
|
-
guidance: () => `See
|
|
5149
|
-
- https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524948(v=vs.90),
|
|
5150
|
-
- https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8.1`
|
|
5151
|
-
}
|
|
5152
|
-
};
|
|
5153
|
-
|
|
5154
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/wcfMisconfigurationThrottlingNotEnabled.ts
|
|
5155
|
-
var wcfMisconfigurationThrottlingNotEnabled = {
|
|
5156
|
-
maxConcurrentCalls: {
|
|
5157
|
-
content: () => "Please define the maximum concurrent calls",
|
|
5158
|
-
description: () => `A positive integer that limits the number of messages that currently process across a ServiceHost. Calls in excess of the limit are queued. Setting this value to 0 is equivalent to setting it to Int32.MaxValue.`,
|
|
5159
|
-
guidance: () => {
|
|
5160
|
-
return "";
|
|
5161
|
-
}
|
|
5162
|
-
},
|
|
5163
|
-
maxConcurrentInstances: {
|
|
5164
|
-
content: () => "Please define the maximum concurrent instances",
|
|
5165
|
-
description: () => `A positive integer that limits the number of InstanceContext objects that execute at one time across a ServiceHost. Requests to create additional instances are queued and complete when a slot below the limit becomes available.`,
|
|
5166
|
-
guidance: () => {
|
|
5167
|
-
return "";
|
|
5168
|
-
}
|
|
5169
|
-
},
|
|
5170
|
-
maxConcurrentSessions: {
|
|
5171
|
-
content: () => "Please define the maximum concurrent sessions",
|
|
5172
|
-
description: () => `A positive integer that limits the number of sessions a ServiceHost object can accept.`,
|
|
5173
|
-
guidance: () => {
|
|
5174
|
-
return "";
|
|
5175
|
-
}
|
|
5176
|
-
}
|
|
5177
|
-
};
|
|
5178
|
-
|
|
5179
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/xss.ts
|
|
5180
|
-
var xss = {
|
|
5181
|
-
allowSpecialCharacters: {
|
|
5182
|
-
content: ({ source_value }) => `Does your code allow encodable HTML characters like '&', '<', '"' etc. in: \`${source_value}\`?`,
|
|
5183
|
-
description: () => "",
|
|
5184
|
-
guidance: () => ""
|
|
5185
|
-
},
|
|
5186
|
-
containsHtml: {
|
|
5187
|
-
content: ({ prop_value }) => `Does your code allow having HTML tags in: \`${prop_value}\`?`,
|
|
5188
|
-
description: () => "",
|
|
5189
|
-
guidance: () => ""
|
|
5190
|
-
},
|
|
5191
|
-
netVersionGreaterOrEqual45: {
|
|
5192
|
-
content: () => "Is your target framework .NET 4.5 or greater?",
|
|
5193
|
-
description: () => "",
|
|
5194
|
-
guidance: () => ""
|
|
5195
|
-
},
|
|
5196
|
-
useHTML4NamedEntities: {
|
|
5197
|
-
content: () => "Would you like to use HTML 4.0 Named entities?",
|
|
5198
|
-
description: () => "See [examples](https://www.w3schools.com/charsets/ref_html_entities_4.asp) and [full description](https://www.w3.org/TR/WD-html40-970708/sgml/entities.html)",
|
|
5199
|
-
guidance: () => ""
|
|
5200
|
-
}
|
|
5201
|
-
};
|
|
5202
|
-
|
|
5203
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/xxe.ts
|
|
5204
|
-
var xxe = {
|
|
5205
|
-
netVersionGreaterOrEqual4: {
|
|
5206
|
-
content: () => "Is your target framework .NET 4.0.0 or greater?",
|
|
5207
|
-
description: () => "",
|
|
5208
|
-
guidance: ({ userInputValue }) => {
|
|
5209
|
-
switch (userInputValue) {
|
|
5210
|
-
case "yes":
|
|
5211
|
-
return "We set `DtdProcessing` to `DtdProcessing.Prohibit` in order to prevent DTD parsing.";
|
|
5212
|
-
default:
|
|
5213
|
-
return "We set `ProhibitDtd` to `true` in order to prevent DTD parsing.";
|
|
5214
|
-
}
|
|
5215
|
-
}
|
|
5216
|
-
}
|
|
5217
|
-
};
|
|
5218
|
-
|
|
5219
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
|
|
5220
|
-
var vulnerabilities12 = {
|
|
5221
|
-
["LOG_FORGING"]: logForging,
|
|
5222
|
-
["SSRF"]: ssrf2,
|
|
5223
|
-
["XXE"]: xxe,
|
|
5224
|
-
["XSS"]: xss,
|
|
5225
|
-
["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream,
|
|
5226
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak,
|
|
5227
|
-
["OVERLY_BROAD_CATCH"]: overlyBroadCatch,
|
|
5228
|
-
["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation,
|
|
5229
|
-
["PT"]: pt,
|
|
5230
|
-
["REGEX_MISSING_TIMEOUT"]: regexMissingTimeout,
|
|
5231
|
-
["HTTP_ONLY_COOKIE"]: httpOnlyCookie,
|
|
5232
|
-
["INSECURE_COOKIE"]: insecureCookie,
|
|
5233
|
-
["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED"]: wcfMisconfigurationThrottlingNotEnabled,
|
|
5234
|
-
["INSECURE_BINDER_CONFIGURATION"]: insecureBinderConfiguration,
|
|
5235
|
-
["VALUE_SHADOWING"]: valueShadowing,
|
|
5236
|
-
["INSECURE_RANDOMNESS"]: insecureRandomness,
|
|
5237
|
-
["INSUFFICIENT_LOGGING"]: insufficientLogging,
|
|
5238
|
-
["SQL_Injection"]: sqlInjection,
|
|
5239
|
-
["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
|
|
5240
|
-
};
|
|
5241
|
-
var csharp_default2 = vulnerabilities12;
|
|
5242
|
-
|
|
5243
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/logForging.ts
|
|
5244
|
-
var logForging2 = {
|
|
5245
|
-
isHtmlDisplay: {
|
|
5246
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5247
|
-
description: () => "",
|
|
5248
|
-
guidance: () => ""
|
|
5249
|
-
}
|
|
5250
|
-
};
|
|
5251
|
-
|
|
5252
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/missingSslMinversion.ts
|
|
5253
|
-
var missingSslMinversion = {
|
|
5254
|
-
minTlsVersion: {
|
|
5255
|
-
content: () => "What is the minimum version of Transport Layer Security (TLS) you allow? Ensure compatibility between the server and clients.",
|
|
5256
|
-
description: () => "",
|
|
5257
|
-
guidance: () => ""
|
|
5258
|
-
}
|
|
5259
|
-
};
|
|
5260
|
-
|
|
5261
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
|
|
5262
|
-
var websocketMissingOriginCheck = {
|
|
5263
|
-
minTlsVersion: {
|
|
5264
|
-
content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
|
|
5265
|
-
description: () => "",
|
|
5266
|
-
guidance: () => ""
|
|
5267
|
-
}
|
|
5268
|
-
};
|
|
5269
|
-
|
|
5270
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
|
|
5271
|
-
var vulnerabilities13 = {
|
|
5272
|
-
["LOG_FORGING"]: logForging2,
|
|
5273
|
-
["MISSING_SSL_MINVERSION"]: missingSslMinversion,
|
|
5274
|
-
["WEBSOCKET_MISSING_ORIGIN_CHECK"]: websocketMissingOriginCheck
|
|
5275
|
-
};
|
|
5276
|
-
var go_default2 = vulnerabilities13;
|
|
5277
|
-
|
|
5278
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
|
|
5279
|
-
var commandInjection2 = {
|
|
5280
|
-
isUnixShellCommandPart: {
|
|
5281
|
-
content: () => "Is the input part of Unix shell command?",
|
|
5282
|
-
description: () => `For example:
|
|
5283
|
-
|
|
5284
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -t 5 -c 5 " + input});\`
|
|
5285
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "curl " + input + " > file.txt"});\`
|
|
5286
|
-
|
|
5287
|
-
Make sure the input is not:
|
|
5288
|
-
|
|
5289
|
-
1. An executable name:
|
|
5290
|
-
- \`Runtime.getRuntime().exec(input);\`
|
|
5291
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", input});\`
|
|
5292
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", input + " param"});\`
|
|
5293
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "cat file.txt | " + input});\`
|
|
5294
|
-
- \`Runtime.getRuntime().exec(new String[] {"/usr/bin/git", "--upload-pack", input});\`
|
|
5295
|
-
2. A part of non-unix or cross platform shell command:
|
|
5296
|
-
- \`Runtime.getRuntime().exec(new String[] {"cmd.exe", "/c", "ping " + input});\`
|
|
5297
|
-
3. A part of programming language code:
|
|
5298
|
-
- \`Runtime.getRuntime().exec(new String[] {"php", "-r", "echo '" + input + "';"});\`
|
|
5299
|
-
- \`Runtime.getRuntime().exec(new String[] {"perl", "-e", "print '" + input + "'"});\``,
|
|
5300
|
-
guidance: () => ""
|
|
5301
|
-
},
|
|
5302
|
-
installApacheCommonsText: {
|
|
5303
|
-
content: () => "Is the Apache Commons library (org.apache.commons) included in your project, if not, can you add it?",
|
|
5304
|
-
description: () => "Apache Commons Text is a library focused on algorithms working on strings.",
|
|
5305
|
-
guidance: ({ userInputValue }) => userInputValue === "yes" ? "To add the library, modify your pom.xml or build.gradle to include the library. You can find the latest version here https://mvnrepository.com/artifact/org.apache.commons/commons-text" : ""
|
|
5306
|
-
},
|
|
5307
|
-
cmdAllowlist: {
|
|
5308
|
-
content: () => "Allowed Commands",
|
|
5309
|
-
description: () => "Make sure that the list of commands is separated by commas.",
|
|
5310
|
-
guidance: () => ""
|
|
5311
|
-
}
|
|
5312
|
-
};
|
|
5313
|
-
|
|
5314
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/confusingNaming.ts
|
|
5315
|
-
var confusingNaming = {
|
|
5316
|
-
newFieldName: {
|
|
5317
|
-
content: () => "Rename the existing field",
|
|
5318
|
-
description: () => "",
|
|
5319
|
-
guidance: () => ""
|
|
5320
|
-
}
|
|
5321
|
-
};
|
|
5322
|
-
|
|
5323
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
|
|
5324
|
-
var duplicatedStrings = {
|
|
5325
|
-
constantName: {
|
|
5326
|
-
content: () => "New constant name",
|
|
5327
|
-
description: () => "",
|
|
5328
|
-
guidance: () => ""
|
|
5329
|
-
}
|
|
5330
|
-
};
|
|
5331
|
-
|
|
5332
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
|
|
5333
|
-
var erroneousStringCompare = {
|
|
5334
|
-
javaVersionGreaterOrEqual17: {
|
|
5335
|
-
content: () => "Is `java.util.Objects` package available in your runtime?",
|
|
5336
|
-
description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
|
|
5337
|
-
guidance: () => ""
|
|
5338
|
-
}
|
|
5339
|
-
};
|
|
5340
|
-
|
|
5341
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/errorConditionWithoutAction.ts
|
|
5342
|
-
var errorConditionWithoutAction = {
|
|
5343
|
-
errorMessage: {
|
|
5344
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5345
|
-
description: () => "",
|
|
5346
|
-
guidance: () => ""
|
|
5347
|
-
}
|
|
5348
|
-
};
|
|
5349
|
-
|
|
5350
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/httpOnlyCookie.ts
|
|
5351
|
-
var httpOnlyCookie2 = {
|
|
5352
|
-
httpOnlyCookie: {
|
|
5353
|
-
content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
|
|
5354
|
-
description: ({ class_name }) => class_name == "Cookie" ? `${httpOnlyMessage2} ${setHttpOnlyMethodMessage}` : httpOnlyMessage2,
|
|
5355
|
-
guidance: () => ""
|
|
5356
|
-
},
|
|
5357
|
-
cookieVarName: {
|
|
5358
|
-
content: () => "Please define a variable name",
|
|
5359
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
5360
|
-
guidance: () => ""
|
|
5361
|
-
}
|
|
5362
|
-
};
|
|
5363
|
-
var httpOnlyMessage2 = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
|
|
5364
|
-
when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
|
|
5365
|
-
be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
|
|
5366
|
-
|
|
5367
|
-
|
|
5368
|
-
|
|
5369
|
-
|
|
5370
|
-
***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
|
|
5371
|
-
|
|
5372
|
-
|
|
5373
|
-
|
|
5374
|
-
`;
|
|
5375
|
-
var setHttpOnlyMethodMessage = `Beware that if your application is using a version of the javax.servlet-api package < 3.0
|
|
5376
|
-
this change will not work since the method "setHttpOnly" is not present in previous of the package.`;
|
|
5377
|
-
|
|
5378
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/insecureCookie.ts
|
|
5379
|
-
var insecureCookie2 = {
|
|
5380
|
-
insecureCookie: {
|
|
5381
|
-
content: () => "Will this cookie be used only in encrypted channels (https)?",
|
|
5382
|
-
description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
|
|
5383
|
-
In environments like local development or test, setting cookies as secure might have some consequences:
|
|
5384
|
-
|
|
5385
|
-
|
|
5386
|
-
- Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
|
|
5387
|
-
additional configuration and certificates. If cookies are marked as secure,
|
|
5388
|
-
they won't be sent over HTTP, and this could potentially interfere with the normal
|
|
5389
|
-
functioning of your application during development.
|
|
5390
|
-
|
|
5391
|
-
|
|
5392
|
-
- Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
|
|
5393
|
-
testing environment accurately simulates the production environment's security features.
|
|
5394
|
-
This may involve setting up HTTPS in your local development environment.
|
|
5395
|
-
|
|
5396
|
-
|
|
5397
|
-
- Debugging Challenges: Debugging may be more challenging when using secure cookies in a
|
|
5398
|
-
development environment, especially if you need to inspect or manipulate the cookies during
|
|
5399
|
-
development.`,
|
|
5400
|
-
guidance: () => ""
|
|
5401
|
-
},
|
|
5402
|
-
cookieVarName: {
|
|
5403
|
-
content: () => "Please define a variable name",
|
|
5404
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
5405
|
-
guidance: () => ""
|
|
5406
|
-
}
|
|
5407
|
-
};
|
|
5408
|
-
|
|
5409
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
|
|
5410
|
-
var j2eeGetConnection2 = {
|
|
5411
|
-
jndiResourceName: {
|
|
5412
|
-
content: () => "What JNDI name is the database connection pool registered under?",
|
|
5413
|
-
description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
|
|
5414
|
-
guidance: () => ""
|
|
5415
|
-
}
|
|
5416
|
-
};
|
|
5417
|
-
|
|
5418
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
|
|
5419
|
-
var leftoverDebugCode = {
|
|
5420
|
-
isCodeUsed: {
|
|
5421
|
-
content: () => "The function seems to be a remnant of debug code. Is it still being used?",
|
|
5422
|
-
description: () => "",
|
|
5423
|
-
guidance: () => ""
|
|
5424
|
-
}
|
|
5425
|
-
};
|
|
5426
|
-
|
|
5427
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/localeDependentComparison.ts
|
|
5428
|
-
var localeDependentComparison = {
|
|
5429
|
-
localeType: {
|
|
5430
|
-
content: ({ variable }) => `Is ${variable} locale dependent?`,
|
|
5431
|
-
description: () => `Select "locale insensitive" for string comparisons that are not dependent on the locale.
|
|
5432
|
-
|
|
5433
|
-
Select "default locale" for string comparisons that uses the default locale.
|
|
5434
|
-
|
|
5435
|
-
Select "custom locale" for string comparisons that are dependent on a specific locale language.`,
|
|
5436
|
-
guidance: () => ""
|
|
5437
|
-
},
|
|
5438
|
-
customLocaleLanguage: {
|
|
5439
|
-
content: () => "What is your locale language?",
|
|
5440
|
-
description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
|
|
5441
|
-
guidance: () => ""
|
|
5442
|
-
},
|
|
5443
|
-
customLocaleCountry: {
|
|
5444
|
-
content: () => "What is your locale country?",
|
|
5445
|
-
description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
|
|
5446
|
-
guidance: () => ""
|
|
5447
|
-
}
|
|
5448
|
-
};
|
|
5449
|
-
|
|
5450
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/logForging.ts
|
|
5451
|
-
var logForging3 = {
|
|
5452
|
-
isHtmlDisplay: {
|
|
5453
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5454
|
-
description: () => "",
|
|
5455
|
-
guidance: () => ""
|
|
5456
|
-
},
|
|
5457
|
-
htmlEscapingLib: {
|
|
5458
|
-
content: () => "Which HTML escaping library would you like to use?",
|
|
5459
|
-
description: () => `
|
|
5460
|
-
- If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
|
|
5461
|
-
- Another \`option is org.apache.commons.text.StringEscapeUtils\``,
|
|
5462
|
-
guidance: () => ""
|
|
5463
|
-
}
|
|
5464
|
-
};
|
|
5465
|
-
|
|
5466
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/missingCheckAgainstNull.ts
|
|
5467
|
-
var missingCheckAgainstNull = {
|
|
5468
|
-
preferredAction: {
|
|
5469
|
-
content: ({ tainted_expression }) => `What is expected behavior if \`${tainted_expression}\` returns null?`,
|
|
5470
|
-
description: () => "",
|
|
5471
|
-
guidance: () => ""
|
|
5472
|
-
},
|
|
5473
|
-
javaVersionGreaterOrEqual17: {
|
|
5474
|
-
content: () => "Is `java.util.Objects` package available in your runtime?",
|
|
5475
|
-
description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
|
|
5476
|
-
guidance: () => ""
|
|
5477
|
-
}
|
|
5478
|
-
};
|
|
5479
|
-
|
|
5480
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/openRedirect.ts
|
|
5481
|
-
var openRedirect = {
|
|
5482
|
-
allowlist: {
|
|
5483
|
-
content: () => "Allowed domains",
|
|
5484
|
-
description: () => "Add a comma separated list of allowed domains (e.g. 'google.com,example.com')",
|
|
5485
|
-
guidance: () => ""
|
|
5486
|
-
}
|
|
5487
|
-
};
|
|
5488
|
-
|
|
5489
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/overlyBroadCatch.ts
|
|
5490
|
-
var overlyBroadCatch2 = {
|
|
5491
|
-
handleRuntimeExceptions: {
|
|
5492
|
-
content: () => "Does the code intentionally catch `RuntimeException` instances like `ArithmeticException` or `NullPointerException` in the `catch` block?",
|
|
5493
|
-
description: () => "Usually, when catching the general `Exception` class catching of `RuntimeException` is implied and not necessarily the wanted/safe behavior. The application needs to deal with it explicitly in a different way, as the Mobb fix suggests.",
|
|
5494
|
-
guidance: () => ""
|
|
5495
|
-
}
|
|
5496
|
-
};
|
|
5497
|
-
|
|
5498
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/privacyViolation.ts
|
|
5499
|
-
var privacyViolation = {
|
|
5500
|
-
remediationOption: {
|
|
5501
|
-
content: () => "Preferred fix solution",
|
|
5502
|
-
description: () => `
|
|
5503
|
-
- Completely Remove the log message
|
|
5504
|
-
- Replace the sensitive data with the string [Redacted]
|
|
5505
|
-
- SHA 256 Hash the sensitive information in the log message`,
|
|
5506
|
-
guidance: () => ""
|
|
5507
|
-
}
|
|
5508
|
-
};
|
|
5509
|
-
|
|
5510
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/pt.ts
|
|
5511
|
-
var pt2 = {
|
|
5512
|
-
isPathRelativeOnly: {
|
|
5513
|
-
content: ({ expression }) => `Do you expect \`${expression}\` to be a relative path?`,
|
|
5514
|
-
description: () => "You most likely want to serve files relative to the web server's static files folder in web applications. If so, your answer should be `yes`. In CLI applications, you probably would like to give the user more flexibility and allow them to specify absolute paths to any location on the disk \u2013 your answer should be `no` in such cases.",
|
|
5515
|
-
guidance: () => ""
|
|
5516
|
-
},
|
|
5517
|
-
isFileName: {
|
|
5518
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name or a file name part?`,
|
|
5519
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters. If \`${expression}\` is supposed to legitimately include such characters, the answer should be "no".`,
|
|
5520
|
-
guidance: () => ""
|
|
5521
|
-
}
|
|
5522
|
-
};
|
|
5523
|
-
|
|
5524
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/relativePathCommand.ts
|
|
5525
|
-
var relativePathCommand = {
|
|
5526
|
-
executableLocationPath: {
|
|
5527
|
-
content: () => "What is the absolute path of the directory containing the executable?",
|
|
5528
|
-
description: () => "We need the absolute path to the executable to protect your application from command injection and ensure malicious actors cannot execute arbitrary commands on your system.",
|
|
5529
|
-
guidance: () => ""
|
|
5530
|
-
}
|
|
5531
|
-
};
|
|
5532
|
-
|
|
5533
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
|
|
5534
|
-
var ssrf3 = {
|
|
5535
|
-
domainsAllowlist: {
|
|
5536
|
-
content: () => "Allowed URL prefixes",
|
|
5537
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
|
|
5538
|
-
|
|
5539
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
|
|
5540
|
-
guidance: () => ""
|
|
5541
|
-
}
|
|
5542
|
-
};
|
|
5543
|
-
|
|
5544
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/sysLeak.ts
|
|
5545
|
-
var sysLeak2 = {
|
|
5546
|
-
errorMessage: {
|
|
5547
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5548
|
-
description: () => "",
|
|
5549
|
-
guidance: () => ""
|
|
5550
|
-
},
|
|
5551
|
-
noLoggerAction: {
|
|
5552
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5553
|
-
description: () => "",
|
|
5554
|
-
guidance: () => ""
|
|
5555
|
-
}
|
|
5556
|
-
};
|
|
5557
|
-
|
|
5558
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/trustBoundaryViolation.ts
|
|
5559
|
-
var trustBoundaryViolation2 = {
|
|
5560
|
-
validationPattern: {
|
|
5561
|
-
content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
|
|
5562
|
-
description: () => "We use regex to validate the input to avoid runtime surprises",
|
|
5563
|
-
guidance: () => ""
|
|
5564
|
-
},
|
|
5565
|
-
otherPatternValue: {
|
|
5566
|
-
content: () => `Enter the regex pattern you would like to use to validate the input`,
|
|
5567
|
-
description: () => "See patterns at [the regex javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html)",
|
|
5568
|
-
guidance: () => ""
|
|
5569
|
-
}
|
|
5570
|
-
};
|
|
5571
|
-
|
|
5572
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/uncheckedLoopCondition.ts
|
|
5573
|
-
var uncheckedLoopCondition = {
|
|
5574
|
-
loopLimit: {
|
|
5575
|
-
content: () => "Please define a maximum loop limit",
|
|
5576
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
5577
|
-
guidance: () => ""
|
|
5578
|
-
},
|
|
5579
|
-
varName: {
|
|
5580
|
-
content: () => "Please define a variable name",
|
|
5581
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
5582
|
-
guidance: () => ""
|
|
5583
|
-
}
|
|
5584
|
-
};
|
|
5585
|
-
|
|
5586
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
|
|
5587
|
-
var unsafeReflection = {
|
|
5588
|
-
classAllowlist: {
|
|
5589
|
-
content: () => "Allowed class names for reflection",
|
|
5590
|
-
description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
|
|
5591
|
-
guidance: () => ""
|
|
5592
|
-
}
|
|
5593
|
-
};
|
|
5594
|
-
|
|
5595
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
|
|
5596
|
-
var useOfSystemOutputStream2 = {
|
|
5597
|
-
noLoggerAction: {
|
|
5598
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5599
|
-
description: () => "",
|
|
5600
|
-
guidance: () => ""
|
|
5601
|
-
}
|
|
5602
|
-
};
|
|
5603
|
-
|
|
5604
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/xss.ts
|
|
5605
|
-
var xss2 = {
|
|
5606
|
-
isHtmlOrSafeAttribute: {
|
|
5607
|
-
content: ({ tainted_variable }) => `Where is \`${tainted_variable}\` written to?`,
|
|
5608
|
-
description: () => `Answer examples:
|
|
5609
|
-
|
|
5610
|
-
- a text in an HTML tag or a value of a safe HTML attribute:
|
|
5611
|
-
- \`<li><%= name %></li>\`
|
|
5612
|
-
- \`<div>Name: <%= name %></div>\`
|
|
5613
|
-
- \`<input value="<%= name %>" name="name"/>\`
|
|
5614
|
-
- \`<div data-name="<%= name %>"></div>\`
|
|
5615
|
-
- a JavaScript code block:
|
|
5616
|
-
- \`<script>const name = "<%= name %>";</script>\`
|
|
5617
|
-
- an event attribute of an HTML tag:
|
|
5618
|
-
- \`<a onclick="alert('<%= name %>')">click me</a>\`
|
|
5619
|
-
- \`<img onmouseover="alert('<%= name %>')"/>\`
|
|
5620
|
-
- a src-like attribute of an HTML tag:
|
|
5621
|
-
- \`<a href="/user/<%= name %>">me</a>\`
|
|
5622
|
-
- \`<img src="/img/<%= name %>"/>\`
|
|
5623
|
-
- \`<form action="<%= name %>"></form>\`
|
|
5624
|
-
- \`<iframe srcdoc="<%= name %>"/>\`
|
|
5625
|
-
- a part of an HTML tag attributes list:
|
|
5626
|
-
- \`<a <%= name %>>text</a>\`
|
|
5627
|
-
|
|
5628
|
-
See more details about safe and unsafe HTML attributes:
|
|
5629
|
-
- [PortSwigger cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
|
|
5630
|
-
- [DOMPurify attributes filter implementation](https://github.com/cure53/DOMPurify/blob/c29aa900a1c286b82ee4f48a7ffab96cab3e84fa/src/attrs.js)
|
|
5631
|
-
`,
|
|
5632
|
-
guidance: () => ""
|
|
5633
|
-
},
|
|
5634
|
-
isHtmlEncoded: {
|
|
5635
|
-
content: () => "Is the user input already encoded as HTML text?",
|
|
5636
|
-
description: () => "If you are unsure, we will decode the user input and encode it again to ensure it is safe and the data is kept the same.",
|
|
5637
|
-
guidance: () => ""
|
|
5638
|
-
},
|
|
5639
|
-
htmlEscapingLib: {
|
|
5640
|
-
content: () => "Which HTML escaping library would you like to use?",
|
|
5641
|
-
description: () => `
|
|
5642
|
-
- If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
|
|
5643
|
-
- Another option is \`org.apache.commons.text.StringEscapeUtils\``,
|
|
5644
|
-
guidance: () => ""
|
|
5645
|
-
}
|
|
5646
|
-
};
|
|
5647
|
-
|
|
5648
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/xxe.ts
|
|
5649
|
-
var xxe2 = {
|
|
5650
|
-
factoryVarName: {
|
|
5651
|
-
content: () => "Name the new Factory variable",
|
|
5652
|
-
description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
|
|
5653
|
-
guidance: () => ""
|
|
5654
|
-
}
|
|
5655
|
-
};
|
|
5656
|
-
|
|
5657
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
|
|
5658
|
-
var vulnerabilities14 = {
|
|
5659
|
-
["CMDi_relative_path_command"]: relativePathCommand,
|
|
5660
|
-
["CMDi"]: commandInjection2,
|
|
5661
|
-
["CONFUSING_NAMING"]: confusingNaming,
|
|
5662
|
-
["ERROR_CONDTION_WITHOUT_ACTION"]: errorConditionWithoutAction,
|
|
5663
|
-
["XXE"]: xxe2,
|
|
5664
|
-
["XSS"]: xss2,
|
|
5665
|
-
["PRIVACY_VIOLATION"]: privacyViolation,
|
|
5666
|
-
["PT"]: pt2,
|
|
5667
|
-
["SSRF"]: ssrf3,
|
|
5668
|
-
["LOG_FORGING"]: logForging3,
|
|
5669
|
-
["LOCALE_DEPENDENT_COMPARISON"]: localeDependentComparison,
|
|
5670
|
-
["MISSING_CHECK_AGAINST_NULL"]: missingCheckAgainstNull,
|
|
5671
|
-
["OPEN_REDIRECT"]: openRedirect,
|
|
5672
|
-
["OVERLY_BROAD_CATCH"]: overlyBroadCatch2,
|
|
5673
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak2,
|
|
5674
|
-
["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream2,
|
|
5675
|
-
["HTTP_ONLY_COOKIE"]: httpOnlyCookie2,
|
|
5676
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition,
|
|
5677
|
-
["INSECURE_COOKIE"]: insecureCookie2,
|
|
5678
|
-
["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation2,
|
|
5679
|
-
["UNSAFE_REFLECTION"]: unsafeReflection,
|
|
5680
|
-
["J2EE_GET_CONNECTION"]: j2eeGetConnection2,
|
|
5681
|
-
["LEFTOVER_DEBUG_CODE"]: leftoverDebugCode,
|
|
5682
|
-
["ERRONEOUS_STRING_COMPARE"]: erroneousStringCompare,
|
|
5683
|
-
["DUPLICATED_STRINGS"]: duplicatedStrings
|
|
5684
|
-
};
|
|
5685
|
-
var java_default2 = vulnerabilities14;
|
|
5686
|
-
|
|
5687
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
|
|
5688
|
-
var csrf2 = {
|
|
5689
|
-
isPythonDjangoTemplate: {
|
|
5690
|
-
content: () => "Is the reported file Python Django template?",
|
|
5691
|
-
description: () => "",
|
|
5692
|
-
guidance: () => ""
|
|
5693
|
-
}
|
|
5694
|
-
};
|
|
5695
|
-
|
|
5696
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
|
|
5697
|
-
var commandInjection3 = {
|
|
5698
|
-
isCommandExecutable: {
|
|
5699
|
-
content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
|
|
5700
|
-
description: () => `Does the command fall into one of the following categories:
|
|
5701
|
-
|
|
5702
|
-
1. An executable name:
|
|
5703
|
-
- \`exec(input);\`
|
|
5704
|
-
- \`exec("/bin/bash " + input);\`
|
|
5705
|
-
- \`exec("/bin/sh -c" + input + " param");\`
|
|
5706
|
-
- \`exec("/bin/bash -c cat file.txt | " + input);\`
|
|
5707
|
-
- \`exec("/usr/bin/git --upload-pack " + input);\`
|
|
5708
|
-
2. A part of non-unix or cross platform shell command:
|
|
5709
|
-
- \`exec("cmd.exe /c ping " + input);\`
|
|
5710
|
-
3. A part of programming language code:
|
|
5711
|
-
- \`exec("php -r echo '" + input + "';");\`
|
|
5712
|
-
- \`exec("perl -e print '" + input + "'");\``,
|
|
5713
|
-
guidance: () => ""
|
|
5714
|
-
}
|
|
5715
|
-
};
|
|
5716
|
-
|
|
5717
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/graphqlDepthLimit.ts
|
|
5718
|
-
var graphqlDepthLimit = {
|
|
5719
|
-
depthLimit: {
|
|
5720
|
-
content: () => "Please define a maximum query depth",
|
|
5721
|
-
description: () => `Setting this number to a reasonable value will prevent the attack.
|
|
5722
|
-
Make sure to pick a value large enough to allowed the nessecary amount of nested queries.`,
|
|
5723
|
-
guidance: () => {
|
|
5724
|
-
return "We use `graphql-depth-limit` npm package to limit the depth of nested queries. Please make sure you install the package using `npm install graphql-depth-limit`.";
|
|
5725
|
-
}
|
|
5726
|
-
}
|
|
5727
|
-
};
|
|
5728
|
-
|
|
5729
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
|
|
5730
|
-
var hardcodedDomainInHtml = {
|
|
5731
|
-
isCDNFixedVersion: {
|
|
5732
|
-
content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
|
|
5733
|
-
description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
|
|
5734
|
-
guidance: () => ""
|
|
5735
|
-
}
|
|
5736
|
-
};
|
|
5737
|
-
|
|
5738
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
|
|
5739
|
-
var hardcodedSecrets2 = {
|
|
5740
|
-
envVarName: {
|
|
5741
|
-
content: () => "Please define an environment variable name",
|
|
5742
|
-
description: () => `We will use this environment variable instead of the hardcoded secret`,
|
|
5743
|
-
guidance: () => ""
|
|
5744
|
-
},
|
|
5745
|
-
keepAsDefault: {
|
|
5746
|
-
content: () => "Do you want to keep the hardcoded secret in the code for now?",
|
|
5747
|
-
description: () => 'Answer "yes" if you cannot set the environment variable in all environments right away.',
|
|
5748
|
-
guidance: () => ""
|
|
5749
|
-
}
|
|
5750
|
-
};
|
|
5751
|
-
|
|
5752
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/iframeWithoutSandbox.ts
|
|
5753
|
-
var iframeWithoutSandbox = {
|
|
5754
|
-
iframeRestrictions: {
|
|
5755
|
-
content: () => "Please define a comma-separated list of iframe sandbox restrictions (optional)",
|
|
5756
|
-
description: () => `Possible values:
|
|
5757
|
-
- allow-downloads
|
|
5758
|
-
- allow-forms
|
|
5759
|
-
- allow-modals
|
|
5760
|
-
- allow-orientation-lock
|
|
5761
|
-
- allow-pointer-lock
|
|
5762
|
-
- allow-popups
|
|
5763
|
-
- allow-popups-to-escape-sandbox
|
|
5764
|
-
- allow-presentation
|
|
5765
|
-
- allow-same-origin
|
|
5766
|
-
- allow-scripts
|
|
5767
|
-
- allow-storage-access-by-user-activation
|
|
5768
|
-
- allow-top-navigation
|
|
5769
|
-
- allow-top-navigation-by-user-activation
|
|
5770
|
-
- allow-top-navigation-to-custom-protocols
|
|
5771
|
-
|
|
5772
|
-
See more info [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox).`,
|
|
5773
|
-
guidance: () => ""
|
|
5774
|
-
}
|
|
5775
|
-
};
|
|
5776
|
-
|
|
5777
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/incompleteUrlSanitization.ts
|
|
5778
|
-
var incompleteUrlSanitization = {
|
|
5779
|
-
allowedRootDomain: {
|
|
5780
|
-
content: () => "The root domain of your application",
|
|
5781
|
-
description: () => "We needed to strengthen the security check by ensuring that the url is under the root domain of your application.",
|
|
5782
|
-
guidance: () => ""
|
|
5783
|
-
}
|
|
5784
|
-
};
|
|
5785
|
-
|
|
5786
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/insecureRandomness.ts
|
|
5787
|
-
var insecureRandomness2 = {
|
|
5788
|
-
isGetRandomValuesSupported: {
|
|
5789
|
-
content: () => "Is getRandomValues() function supported by your JavaScript engine?",
|
|
5790
|
-
description: () => "[getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is supported by [more than 97% of browsers](https://caniuse.com/?search=getRandomValues) and [Node.js >= 15.0.0](https://nodejs.org/api/webcrypto.html#cryptogetrandomvaluestypedarray).",
|
|
5791
|
-
guidance: () => ""
|
|
5792
|
-
}
|
|
5793
|
-
};
|
|
5794
|
-
|
|
5795
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/logForging.ts
|
|
5796
|
-
var logForging4 = {
|
|
5797
|
-
isHtmlDisplay: {
|
|
5798
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5799
|
-
description: () => "",
|
|
5800
|
-
guidance: () => ""
|
|
5801
|
-
}
|
|
5802
|
-
};
|
|
5803
|
-
|
|
5804
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
|
|
5805
|
-
var cspHeaderValue = {
|
|
5806
|
-
cspHeaderValue: {
|
|
5807
|
-
content: () => "Please provide the value for the Content-Security-Policy header",
|
|
5808
|
-
description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
|
|
5809
|
-
|
|
5810
|
-
|
|
5811
|
-
|
|
5812
|
-
**What it does**:
|
|
5813
|
-
|
|
5814
|
-
|
|
5815
|
-
|
|
5816
|
-
CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
|
|
5817
|
-
|
|
5818
|
-
|
|
5819
|
-
|
|
5820
|
-
- Which scripts can execute.
|
|
5821
|
-
- Where images can be loaded from.
|
|
5822
|
-
- Which styles can be applied.
|
|
5823
|
-
- Which forms can be submitted to.
|
|
5824
|
-
- What domains can be connected to.
|
|
5825
|
-
|
|
5826
|
-
Default value explanation:
|
|
5827
|
-
|
|
5828
|
-
- default-src 'self: Only allows resources from the same origin by default.
|
|
5829
|
-
- script-src 'self': Only allows scripts to be loaded from the same origin.
|
|
5830
|
-
- style-src 'self': Only allows styles from the same origin.
|
|
5831
|
-
- object-src 'none': Disallows <object>, <embed>, and <applet> elements.
|
|
5832
|
-
- base-uri 'self': Restricts where the <base> tag can point to.
|
|
5833
|
-
- frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
|
|
5834
|
-
|
|
5835
|
-
|
|
5836
|
-
**This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
|
|
5837
|
-
guidance: () => ``
|
|
5838
|
-
}
|
|
5839
|
-
};
|
|
5840
|
-
|
|
5841
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
|
|
5842
|
-
var headerMaxAge = {
|
|
5843
|
-
headerMaxAge: {
|
|
5844
|
-
content: () => "Please provide the maximum age of the header",
|
|
5845
|
-
description: () => `This is the time, in seconds, that the browser should remember that the site is only to be accessed using \`HTTPS\`.
|
|
5846
|
-
|
|
5847
|
-
|
|
5848
|
-
Setting the \`max-age\` to \`0\` (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via \`HTTP\`.
|
|
5849
|
-
|
|
5850
|
-
|
|
5851
|
-
|
|
5852
|
-
|
|
5853
|
-
The HTTP Strict-Transport-Security response header (\`HSTS\`) informs browsers that the site
|
|
5854
|
-
should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically
|
|
5855
|
-
be converted to HTTPS.
|
|
5856
|
-
|
|
5857
|
-
|
|
5858
|
-
|
|
5859
|
-
|
|
5860
|
-
If a website accepts a connection through \`HTTP\` and redirects to \`HTTPS\`, visitors may initially communicate with
|
|
5861
|
-
the non-encrypted version of the site before being redirected, if, for example, the visitor
|
|
5862
|
-
types \`http://www.example.com\` or even just \`example.com\`. This creates an opportunity for a man-in-the-middle attack.
|
|
5863
|
-
The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
|
|
5864
|
-
|
|
5865
|
-
|
|
5866
|
-
|
|
5867
|
-
The \`HTTP\` Strict Transport Security header informs the browser that it should never load a site using \`HTTP\`
|
|
5868
|
-
and should automatically convert all attempts to access the site using \`HTTP\` to \`HTTPS\` requests instead.`,
|
|
5869
|
-
guidance: () => ``
|
|
5870
|
-
}
|
|
5871
|
-
};
|
|
5872
|
-
|
|
5873
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
|
|
5874
|
-
var xFrameOptionsValue = {
|
|
5875
|
-
xFrameOptionsValue: {
|
|
5876
|
-
content: () => "Please provide the value for the X-Frame-Options header",
|
|
5877
|
-
description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).
|
|
5878
|
-
|
|
5879
|
-
**Allowed values:**
|
|
5880
|
-
- \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.
|
|
5881
|
-
- \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
|
|
5882
|
-
guidance: () => ``
|
|
5883
|
-
}
|
|
5884
|
-
};
|
|
5885
|
-
|
|
5886
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
|
|
5887
|
-
var noLimitsOrThrottling2 = {
|
|
5888
|
-
setGlobalLimiter: {
|
|
5889
|
-
content: () => "Would you like to use a global rate limit for all your endpoints within the same file?",
|
|
5890
|
-
description: () => "",
|
|
5891
|
-
guidance: () => ""
|
|
5892
|
-
}
|
|
5893
|
-
};
|
|
5894
|
-
|
|
5895
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/openRedirect.ts
|
|
5896
|
-
var openRedirect2 = {
|
|
5897
|
-
isExternal: {
|
|
5898
|
-
content: () => "Does the redirect go to an external site?",
|
|
5899
|
-
description: () => "",
|
|
5900
|
-
guidance: () => ""
|
|
5901
|
-
},
|
|
5902
|
-
domainAllowlist: {
|
|
5903
|
-
content: () => "Allowed domains names",
|
|
5904
|
-
description: () => "please provide a coma separated list of allowed domains names (example.com, example.org, etc.)",
|
|
5905
|
-
guidance: () => ""
|
|
5906
|
-
},
|
|
5907
|
-
pathAllowlist: {
|
|
5908
|
-
content: () => "Allowed paths (URIs)",
|
|
5909
|
-
description: () => "please provide a coma separated list of allowed path (/health, /api/v1/health, etc.)",
|
|
5910
|
-
guidance: () => ""
|
|
5911
|
-
},
|
|
5912
|
-
includeProtocolValidation: {
|
|
5913
|
-
content: () => "Should HTTP or HTTPS protocol be enforced?",
|
|
5914
|
-
description: () => "please indicate if the protocol should be enforced",
|
|
5915
|
-
guidance: () => ""
|
|
5916
|
-
}
|
|
5917
|
-
};
|
|
5918
|
-
|
|
5919
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/pt.ts
|
|
5920
|
-
var pt3 = {
|
|
5921
|
-
taintedTermType: {
|
|
5922
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name, a relative path or an absolute path?`,
|
|
5923
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
|
|
5924
|
-
guidance: () => ""
|
|
5925
|
-
}
|
|
5926
|
-
};
|
|
5927
|
-
|
|
5928
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/ssrf.ts
|
|
5929
|
-
var ssrf4 = {
|
|
5930
|
-
domainsAllowlist: {
|
|
5931
|
-
content: () => "List of allowed domain names",
|
|
5932
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary domains.
|
|
5933
|
-
|
|
5934
|
-
|
|
5935
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of domains the server should be allowed to call.`,
|
|
5936
|
-
guidance: () => ""
|
|
5937
|
-
}
|
|
5938
|
-
};
|
|
5939
|
-
|
|
5940
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeak.ts
|
|
5941
|
-
var sysLeak3 = {
|
|
5942
|
-
errorMessage: {
|
|
5943
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5944
|
-
description: () => "",
|
|
5945
|
-
guidance: () => ""
|
|
5946
|
-
},
|
|
5947
|
-
noLoggerAction: {
|
|
5948
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5949
|
-
description: () => "",
|
|
5950
|
-
guidance: () => ""
|
|
5951
|
-
}
|
|
5952
|
-
};
|
|
5953
|
-
|
|
5954
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeakExternal.ts
|
|
5955
|
-
var sysLeakExternal = {
|
|
5956
|
-
errorMessage: {
|
|
5957
|
-
content: () => "Enter the error message that you want to appear to the user",
|
|
5958
|
-
description: () => "",
|
|
5959
|
-
guidance: () => ""
|
|
5960
|
-
}
|
|
5961
|
-
};
|
|
5962
|
-
|
|
5963
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/typeConfusion.ts
|
|
5964
|
-
var typeConfusion = {
|
|
5965
|
-
argumentType: {
|
|
5966
|
-
content: () => "What is the type of the HTTP argument?",
|
|
5967
|
-
description: () => "What is the type of the HTTP argument?",
|
|
5968
|
-
guidance: () => ""
|
|
5969
|
-
}
|
|
5970
|
-
};
|
|
5971
|
-
|
|
5972
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/uncheckedLoopCondition.ts
|
|
5973
|
-
var uncheckedLoopCondition2 = {
|
|
5974
|
-
loopLimit: {
|
|
5975
|
-
content: () => "Please define a maximum loop limit",
|
|
5976
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
5977
|
-
guidance: () => ""
|
|
5978
|
-
},
|
|
5979
|
-
varName: {
|
|
5980
|
-
content: () => "Please define a variable name",
|
|
5981
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
5982
|
-
guidance: () => ""
|
|
5983
|
-
}
|
|
5984
|
-
};
|
|
5985
|
-
|
|
5986
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/xss.ts
|
|
5987
|
-
var xss3 = {
|
|
5988
|
-
containsHtml: {
|
|
5989
|
-
content: () => "Does the element or variable contain HTML formatting",
|
|
5990
|
-
description: () => "",
|
|
5991
|
-
guidance: () => ""
|
|
5992
|
-
},
|
|
5993
|
-
isParamTypeString: {
|
|
5994
|
-
content: () => "Is the parameter passed to the $() function a string",
|
|
5995
|
-
description: () => "",
|
|
5996
|
-
guidance: () => ""
|
|
5997
|
-
},
|
|
5998
|
-
isSanitized: {
|
|
5999
|
-
content: ({ expression }) => `Is the expression \`${expression}\` supposed to be not sanitized in this context?`,
|
|
6000
|
-
description: () => "You are using unsafe string substitution in the template. This means that if the expression can contain maliciously crafted data, it may lead to XSS injection. To apply the fix, you have to make sure the expression is not sanitized on the backend already, and it does not represent an HTML code block.",
|
|
6001
|
-
guidance: () => ""
|
|
6002
|
-
},
|
|
6003
|
-
isServerSideCode: {
|
|
6004
|
-
content: () => "Is this code running on the server side (a NodeJS application)",
|
|
6005
|
-
description: () => "The fix to this vulnerability is different is the code runs in the client (browser) or the server side (NodeJs)",
|
|
6006
|
-
guidance: () => ""
|
|
6007
|
-
}
|
|
6008
|
-
};
|
|
6009
|
-
|
|
6010
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
|
|
6011
|
-
var vulnerabilities15 = {
|
|
6012
|
-
["CMDi"]: commandInjection3,
|
|
6013
|
-
["GRAPHQL_DEPTH_LIMIT"]: graphqlDepthLimit,
|
|
6014
|
-
["INSECURE_RANDOMNESS"]: insecureRandomness2,
|
|
6015
|
-
["SSRF"]: ssrf4,
|
|
6016
|
-
["TYPE_CONFUSION"]: typeConfusion,
|
|
6017
|
-
["INCOMPLETE_URL_SANITIZATION"]: incompleteUrlSanitization,
|
|
6018
|
-
["LOG_FORGING"]: logForging4,
|
|
6019
|
-
["XSS"]: xss3,
|
|
6020
|
-
["OPEN_REDIRECT"]: openRedirect2,
|
|
6021
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak3,
|
|
6022
|
-
["SYSTEM_INFORMATION_LEAK_EXTERNAL"]: sysLeakExternal,
|
|
6023
|
-
["IFRAME_WITHOUT_SANDBOX"]: iframeWithoutSandbox,
|
|
6024
|
-
["PT"]: pt3,
|
|
6025
|
-
["HARDCODED_SECRETS"]: hardcodedSecrets2,
|
|
6026
|
-
["MISSING_HSTS_HEADER"]: headerMaxAge,
|
|
6027
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition2,
|
|
6028
|
-
["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling2,
|
|
6029
|
-
["MISSING_CSP_HEADER"]: cspHeaderValue,
|
|
6030
|
-
["MISSING_X_FRAME_OPTIONS"]: xFrameOptionsValue,
|
|
6031
|
-
["HARDCODED_DOMAIN_IN_HTML"]: hardcodedDomainInHtml,
|
|
6032
|
-
["CSRF"]: csrf2
|
|
6033
|
-
};
|
|
6034
|
-
var js_default = vulnerabilities15;
|
|
6035
|
-
|
|
6036
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/duplicatedStrings.ts
|
|
6037
|
-
var duplicatedStrings2 = {
|
|
6038
|
-
constantName: {
|
|
6039
|
-
content: () => "New constant name",
|
|
6040
|
-
description: () => "",
|
|
6041
|
-
guidance: () => ""
|
|
6042
|
-
}
|
|
6043
|
-
};
|
|
6044
|
-
|
|
6045
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
|
|
6046
|
-
var logForging5 = {
|
|
6047
|
-
isHtmlDisplay: {
|
|
6048
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
6049
|
-
description: () => "",
|
|
6050
|
-
guidance: ({ userInputValue }) => {
|
|
6051
|
-
switch (userInputValue) {
|
|
6052
|
-
case "yes":
|
|
6053
|
-
return "We use `html.escape` to decode the HTML";
|
|
6054
|
-
default:
|
|
6055
|
-
return "";
|
|
6056
|
-
}
|
|
6057
|
-
}
|
|
6058
|
-
}
|
|
6059
|
-
};
|
|
6060
|
-
|
|
6061
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/missingEncoding.ts
|
|
6062
|
-
var missingEncoding = {
|
|
6063
|
-
fEncoding: {
|
|
6064
|
-
content: () => "Enter the encoding of the file",
|
|
6065
|
-
description: () => "",
|
|
6066
|
-
guidance: () => ""
|
|
6067
|
-
}
|
|
6068
|
-
};
|
|
6069
|
-
|
|
6070
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
|
|
6071
|
-
var openRedirect3 = {
|
|
6072
|
-
allowed_hosts: {
|
|
6073
|
-
content: () => "Allowed domains/paths",
|
|
6074
|
-
description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
|
|
6075
|
-
guidance: () => ""
|
|
6076
|
-
}
|
|
6077
|
-
};
|
|
6078
|
-
|
|
6079
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/ssrf.ts
|
|
6080
|
-
var ssrf5 = {
|
|
6081
|
-
domainsAllowlist: {
|
|
6082
|
-
content: () => "Allowed URL prefixes",
|
|
6083
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
|
|
6084
|
-
|
|
6085
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
|
|
6086
|
-
guidance: () => ""
|
|
6087
|
-
}
|
|
6088
|
-
};
|
|
6089
|
-
|
|
6090
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
|
|
6091
|
-
var uncheckedLoopCondition3 = {
|
|
6092
|
-
loopLimit: {
|
|
6093
|
-
content: () => "Please define a maximum loop limit",
|
|
6094
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
6095
|
-
guidance: () => ""
|
|
6096
|
-
},
|
|
6097
|
-
varName: {
|
|
6098
|
-
content: () => "Please define a variable name",
|
|
6099
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
6100
|
-
guidance: () => ""
|
|
6101
|
-
}
|
|
6102
|
-
};
|
|
6103
|
-
|
|
6104
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
|
|
6105
|
-
var vulnerabilities16 = {
|
|
6106
|
-
["CSRF"]: csrf2,
|
|
6107
|
-
["LOG_FORGING"]: logForging5,
|
|
6108
|
-
["OPEN_REDIRECT"]: openRedirect3,
|
|
6109
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition3,
|
|
6110
|
-
["DUPLICATED_STRINGS"]: duplicatedStrings2,
|
|
6111
|
-
["MISSING_ENCODING_FILE_OPEN"]: missingEncoding,
|
|
6112
|
-
["SSRF"]: ssrf5
|
|
6113
|
-
};
|
|
6114
|
-
var python_default2 = vulnerabilities16;
|
|
6115
|
-
|
|
6116
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
|
|
6117
|
-
var unboundedOccurrences = {
|
|
6118
|
-
maxOccursLimit: {
|
|
6119
|
-
content: () => "The number of allowed repetitions of the element.",
|
|
6120
|
-
description: () => "",
|
|
6121
|
-
guidance: () => `Setting this number to a reasonable value will prevent the attack.
|
|
6122
|
-
A value too low will prevent valid XMLs from being processed.
|
|
6123
|
-
A value too high will cause performance issues up to and including denial of service.`
|
|
6124
|
-
}
|
|
6125
|
-
};
|
|
6126
|
-
|
|
6127
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
|
|
6128
|
-
var vulnerabilities17 = {
|
|
6129
|
-
["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES"]: unboundedOccurrences
|
|
6130
|
-
};
|
|
6131
|
-
var xml_default2 = vulnerabilities17;
|
|
6132
|
-
|
|
6133
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/noNewPrivileges.ts
|
|
6134
|
-
var noNewPrivileges = {
|
|
6135
|
-
requireNewPrivileges: {
|
|
6136
|
-
content: () => "Does the container require new privileges?",
|
|
6137
|
-
description: () => "",
|
|
6138
|
-
guidance: () => `If the container requires new privileges, setting the no-new-privileges option might harm the container functionality.`
|
|
6139
|
-
}
|
|
6140
|
-
};
|
|
6141
|
-
|
|
6142
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/portAllInterfaces.ts
|
|
6143
|
-
var portAllInterfaces = {
|
|
6144
|
-
trustedIP: {
|
|
6145
|
-
content: () => "Enter trusted Network IP",
|
|
6146
|
-
description: () => "",
|
|
6147
|
-
guidance: () => `Properly set this value to prevent access from untrusted network adapters. Setting this to a wrong value would prevent accessing the container and might break the system.`
|
|
6148
|
-
}
|
|
6149
|
-
};
|
|
6150
|
-
|
|
6151
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/writableFilesystemService.ts
|
|
6152
|
-
var writableFilesystemService = {
|
|
6153
|
-
requireWriteAccess: {
|
|
6154
|
-
content: () => "Does the container require writable filesystem access?",
|
|
6155
|
-
description: () => "",
|
|
6156
|
-
guidance: () => `If the container requires writable filesystem access, setting the filesystem as readonly might harm the container functionality.`
|
|
6157
|
-
}
|
|
6158
|
-
};
|
|
6159
|
-
|
|
6160
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
|
|
6161
|
-
var vulnerabilities18 = {
|
|
6162
|
-
["PORT_ALL_INTERFACES"]: portAllInterfaces,
|
|
6163
|
-
["WRITABLE_FILESYSTEM_SERVICE"]: writableFilesystemService,
|
|
6164
|
-
["NO_NEW_PRIVILEGES"]: noNewPrivileges
|
|
6165
|
-
};
|
|
6166
|
-
var yaml_default = vulnerabilities18;
|
|
6167
|
-
|
|
6168
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/index.ts
|
|
6169
|
-
var StoredQuestionDataItemZ = z10.object({
|
|
6170
|
-
content: z10.function().args(z10.any()).returns(z10.string()),
|
|
6171
|
-
description: z10.function().args(z10.any()).returns(z10.string()),
|
|
6172
|
-
guidance: z10.function().args(z10.any()).returns(z10.string())
|
|
6173
|
-
});
|
|
6174
|
-
var languages2 = {
|
|
6175
|
-
["Java" /* Java */]: java_default2,
|
|
6176
|
-
["JavaScript" /* JavaScript */]: js_default,
|
|
6177
|
-
["XML" /* Xml */]: xml_default2,
|
|
6178
|
-
["CSharp" /* CSharp */]: csharp_default2,
|
|
6179
|
-
["Python" /* Python */]: python_default2,
|
|
6180
|
-
["Go" /* Go */]: go_default2,
|
|
6181
|
-
["Cpp" /* Cpp */]: cpp_default,
|
|
6182
|
-
["YAML" /* Yaml */]: yaml_default
|
|
6183
|
-
};
|
|
6184
|
-
|
|
6185
|
-
// src/features/analysis/scm/shared/src/guidances.ts
|
|
6186
|
-
var IssueTypeAndLanguageZ = z11.object({
|
|
6187
|
-
issueType: SafeIssueTypeStringZ,
|
|
6188
|
-
issueLanguage: z11.nativeEnum(IssueLanguage_Enum)
|
|
6189
|
-
});
|
|
6190
4637
|
|
|
6191
4638
|
// src/features/analysis/scm/shared/src/index.ts
|
|
6192
4639
|
init_issueTypeCatalog();
|
|
@@ -6195,19 +4642,19 @@ init_urlParser2();
|
|
|
6195
4642
|
init_validations();
|
|
6196
4643
|
|
|
6197
4644
|
// src/features/analysis/scm/types.ts
|
|
6198
|
-
import { z as
|
|
4645
|
+
import { z as z10 } from "zod";
|
|
6199
4646
|
var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
|
|
6200
4647
|
ReferenceType2["BRANCH"] = "BRANCH";
|
|
6201
4648
|
ReferenceType2["COMMIT"] = "COMMIT";
|
|
6202
4649
|
ReferenceType2["TAG"] = "TAG";
|
|
6203
4650
|
return ReferenceType2;
|
|
6204
4651
|
})(ReferenceType || {});
|
|
6205
|
-
var GithubFullShaZ =
|
|
6206
|
-
var MergedPrSurvivalMetadataZ =
|
|
6207
|
-
mergeCommitShas:
|
|
4652
|
+
var GithubFullShaZ = z10.string().regex(/^[a-f0-9]{40}$/);
|
|
4653
|
+
var MergedPrSurvivalMetadataZ = z10.object({
|
|
4654
|
+
mergeCommitShas: z10.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
|
|
6208
4655
|
message: "mergeCommitShas must contain unique SHAs"
|
|
6209
4656
|
}),
|
|
6210
|
-
targetBranch:
|
|
4657
|
+
targetBranch: z10.string().min(1)
|
|
6211
4658
|
});
|
|
6212
4659
|
var scmCloudHostname = {
|
|
6213
4660
|
["GitLab" /* GitLab */]: new URL(scmCloudUrl.GitLab).hostname,
|
|
@@ -6227,10 +4674,10 @@ var scmTypeToScmLibScmType = {
|
|
|
6227
4674
|
["Ado" /* Ado */]: "ADO" /* ADO */,
|
|
6228
4675
|
["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
|
|
6229
4676
|
};
|
|
6230
|
-
var GetReferenceResultZ =
|
|
6231
|
-
date:
|
|
6232
|
-
sha:
|
|
6233
|
-
type:
|
|
4677
|
+
var GetReferenceResultZ = z10.object({
|
|
4678
|
+
date: z10.date().optional(),
|
|
4679
|
+
sha: z10.string(),
|
|
4680
|
+
type: z10.nativeEnum(ReferenceType)
|
|
6234
4681
|
});
|
|
6235
4682
|
|
|
6236
4683
|
// src/features/analysis/scm/ado/constants.ts
|
|
@@ -6242,39 +4689,39 @@ init_env();
|
|
|
6242
4689
|
import querystring from "querystring";
|
|
6243
4690
|
import * as api from "azure-devops-node-api";
|
|
6244
4691
|
import Debug3 from "debug";
|
|
6245
|
-
import { z as
|
|
4692
|
+
import { z as z14 } from "zod";
|
|
6246
4693
|
|
|
6247
4694
|
// src/features/analysis/scm/ado/validation.ts
|
|
6248
|
-
import { z as
|
|
6249
|
-
var ValidPullRequestStatusZ =
|
|
6250
|
-
|
|
6251
|
-
|
|
6252
|
-
|
|
4695
|
+
import { z as z13 } from "zod";
|
|
4696
|
+
var ValidPullRequestStatusZ = z13.union([
|
|
4697
|
+
z13.literal(1 /* Active */),
|
|
4698
|
+
z13.literal(2 /* Abandoned */),
|
|
4699
|
+
z13.literal(3 /* Completed */)
|
|
6253
4700
|
]);
|
|
6254
|
-
var AdoAuthResultZ =
|
|
6255
|
-
access_token:
|
|
6256
|
-
token_type:
|
|
6257
|
-
refresh_token:
|
|
4701
|
+
var AdoAuthResultZ = z13.object({
|
|
4702
|
+
access_token: z13.string().min(1),
|
|
4703
|
+
token_type: z13.string().min(1),
|
|
4704
|
+
refresh_token: z13.string().min(1)
|
|
6258
4705
|
});
|
|
6259
4706
|
var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
|
|
6260
|
-
scmOrgs:
|
|
4707
|
+
scmOrgs: z13.array(z13.string())
|
|
6261
4708
|
});
|
|
6262
|
-
var profileZ =
|
|
6263
|
-
displayName:
|
|
6264
|
-
publicAlias:
|
|
6265
|
-
emailAddress:
|
|
6266
|
-
coreRevision:
|
|
6267
|
-
timeStamp:
|
|
6268
|
-
id:
|
|
6269
|
-
revision:
|
|
4709
|
+
var profileZ = z13.object({
|
|
4710
|
+
displayName: z13.string(),
|
|
4711
|
+
publicAlias: z13.string().min(1),
|
|
4712
|
+
emailAddress: z13.string(),
|
|
4713
|
+
coreRevision: z13.number(),
|
|
4714
|
+
timeStamp: z13.string(),
|
|
4715
|
+
id: z13.string(),
|
|
4716
|
+
revision: z13.number()
|
|
6270
4717
|
});
|
|
6271
|
-
var accountsZ =
|
|
6272
|
-
count:
|
|
6273
|
-
value:
|
|
6274
|
-
|
|
6275
|
-
accountId:
|
|
6276
|
-
accountUri:
|
|
6277
|
-
accountName:
|
|
4718
|
+
var accountsZ = z13.object({
|
|
4719
|
+
count: z13.number(),
|
|
4720
|
+
value: z13.array(
|
|
4721
|
+
z13.object({
|
|
4722
|
+
accountId: z13.string(),
|
|
4723
|
+
accountUri: z13.string(),
|
|
4724
|
+
accountName: z13.string()
|
|
6278
4725
|
})
|
|
6279
4726
|
)
|
|
6280
4727
|
});
|
|
@@ -6295,39 +4742,39 @@ import querystring2 from "querystring";
|
|
|
6295
4742
|
import * as bitbucketPkgNode from "bitbucket";
|
|
6296
4743
|
import bitbucketPkg from "bitbucket";
|
|
6297
4744
|
import Debug4 from "debug";
|
|
6298
|
-
import { z as
|
|
4745
|
+
import { z as z17 } from "zod";
|
|
6299
4746
|
|
|
6300
4747
|
// src/features/analysis/scm/bitbucket/validation.ts
|
|
6301
|
-
import { z as
|
|
6302
|
-
var BitbucketAuthResultZ =
|
|
6303
|
-
access_token:
|
|
6304
|
-
token_type:
|
|
6305
|
-
refresh_token:
|
|
4748
|
+
import { z as z16 } from "zod";
|
|
4749
|
+
var BitbucketAuthResultZ = z16.object({
|
|
4750
|
+
access_token: z16.string(),
|
|
4751
|
+
token_type: z16.string(),
|
|
4752
|
+
refresh_token: z16.string()
|
|
6306
4753
|
});
|
|
6307
4754
|
|
|
6308
4755
|
// src/features/analysis/scm/bitbucket/bitbucket.ts
|
|
6309
4756
|
var debug5 = Debug4("scm:bitbucket");
|
|
6310
4757
|
var BITBUCKET_HOSTNAME = "bitbucket.org";
|
|
6311
|
-
var TokenExpiredErrorZ =
|
|
6312
|
-
status:
|
|
6313
|
-
error:
|
|
6314
|
-
type:
|
|
6315
|
-
error:
|
|
6316
|
-
message:
|
|
4758
|
+
var TokenExpiredErrorZ = z17.object({
|
|
4759
|
+
status: z17.number(),
|
|
4760
|
+
error: z17.object({
|
|
4761
|
+
type: z17.string(),
|
|
4762
|
+
error: z17.object({
|
|
4763
|
+
message: z17.string()
|
|
6317
4764
|
})
|
|
6318
4765
|
})
|
|
6319
4766
|
});
|
|
6320
4767
|
var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
|
|
6321
|
-
var BitbucketParseResultZ =
|
|
6322
|
-
organization:
|
|
6323
|
-
repoName:
|
|
6324
|
-
hostname:
|
|
4768
|
+
var BitbucketParseResultZ = z17.object({
|
|
4769
|
+
organization: z17.string(),
|
|
4770
|
+
repoName: z17.string(),
|
|
4771
|
+
hostname: z17.literal(BITBUCKET_HOSTNAME)
|
|
6325
4772
|
});
|
|
6326
|
-
var UserWorkspacePermissionsRepositoriesResponseZ =
|
|
6327
|
-
values:
|
|
6328
|
-
|
|
6329
|
-
repository:
|
|
6330
|
-
full_name:
|
|
4773
|
+
var UserWorkspacePermissionsRepositoriesResponseZ = z17.object({
|
|
4774
|
+
values: z17.array(
|
|
4775
|
+
z17.object({
|
|
4776
|
+
repository: z17.object({
|
|
4777
|
+
full_name: z17.string().optional()
|
|
6331
4778
|
}).optional()
|
|
6332
4779
|
})
|
|
6333
4780
|
).optional()
|
|
@@ -6335,7 +4782,7 @@ var UserWorkspacePermissionsRepositoriesResponseZ = z20.object({
|
|
|
6335
4782
|
|
|
6336
4783
|
// src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
|
|
6337
4784
|
import { setTimeout as setTimeout3 } from "timers/promises";
|
|
6338
|
-
import { z as
|
|
4785
|
+
import { z as z18 } from "zod";
|
|
6339
4786
|
|
|
6340
4787
|
// src/features/analysis/scm/constants.ts
|
|
6341
4788
|
var REPORT_DEFAULT_FILE_NAME = "report.json";
|
|
@@ -6345,7 +4792,7 @@ init_env();
|
|
|
6345
4792
|
|
|
6346
4793
|
// src/features/analysis/scm/github/GithubSCMLib.ts
|
|
6347
4794
|
import pLimit3 from "p-limit";
|
|
6348
|
-
import { z as
|
|
4795
|
+
import { z as z19 } from "zod";
|
|
6349
4796
|
init_client_generates();
|
|
6350
4797
|
|
|
6351
4798
|
// src/features/analysis/scm/github/github.ts
|
|
@@ -6378,11 +4825,11 @@ import {
|
|
|
6378
4825
|
init_env();
|
|
6379
4826
|
|
|
6380
4827
|
// src/features/analysis/scm/gitlab/types.ts
|
|
6381
|
-
import { z as
|
|
6382
|
-
var GitlabAuthResultZ =
|
|
6383
|
-
access_token:
|
|
6384
|
-
token_type:
|
|
6385
|
-
refresh_token:
|
|
4828
|
+
import { z as z20 } from "zod";
|
|
4829
|
+
var GitlabAuthResultZ = z20.object({
|
|
4830
|
+
access_token: z20.string(),
|
|
4831
|
+
token_type: z20.string(),
|
|
4832
|
+
refresh_token: z20.string()
|
|
6386
4833
|
});
|
|
6387
4834
|
|
|
6388
4835
|
// src/features/analysis/scm/gitlab/gitlab.ts
|
|
@@ -6393,69 +4840,69 @@ import pLimit5 from "p-limit";
|
|
|
6393
4840
|
init_client_generates();
|
|
6394
4841
|
|
|
6395
4842
|
// src/features/analysis/scm/scmFactory.ts
|
|
6396
|
-
import { z as
|
|
4843
|
+
import { z as z21 } from "zod";
|
|
6397
4844
|
|
|
6398
4845
|
// src/features/analysis/graphql/gql.ts
|
|
6399
4846
|
init_client_generates();
|
|
6400
4847
|
|
|
6401
4848
|
// src/features/analysis/graphql/types.ts
|
|
6402
4849
|
init_client_generates();
|
|
6403
|
-
import { z as
|
|
6404
|
-
var VulnerabilityReportIssueCodeNodeZ =
|
|
6405
|
-
vulnerabilityReportIssueId:
|
|
6406
|
-
path:
|
|
6407
|
-
startLine:
|
|
6408
|
-
vulnerabilityReportIssue:
|
|
6409
|
-
fixId:
|
|
6410
|
-
category:
|
|
6411
|
-
safeIssueType:
|
|
6412
|
-
vulnerabilityReportIssueTags:
|
|
6413
|
-
|
|
6414
|
-
tag:
|
|
4850
|
+
import { z as z22 } from "zod";
|
|
4851
|
+
var VulnerabilityReportIssueCodeNodeZ = z22.object({
|
|
4852
|
+
vulnerabilityReportIssueId: z22.string(),
|
|
4853
|
+
path: z22.string(),
|
|
4854
|
+
startLine: z22.number(),
|
|
4855
|
+
vulnerabilityReportIssue: z22.object({
|
|
4856
|
+
fixId: z22.string(),
|
|
4857
|
+
category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
4858
|
+
safeIssueType: z22.string(),
|
|
4859
|
+
vulnerabilityReportIssueTags: z22.array(
|
|
4860
|
+
z22.object({
|
|
4861
|
+
tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
|
|
6415
4862
|
})
|
|
6416
4863
|
)
|
|
6417
4864
|
})
|
|
6418
4865
|
});
|
|
6419
|
-
var VulnerabilityReportIssueNoFixCodeNodeZ =
|
|
6420
|
-
vulnerabilityReportIssues:
|
|
6421
|
-
|
|
6422
|
-
id:
|
|
6423
|
-
fixId:
|
|
6424
|
-
category:
|
|
6425
|
-
safeIssueType:
|
|
6426
|
-
fpId:
|
|
6427
|
-
codeNodes:
|
|
6428
|
-
|
|
6429
|
-
path:
|
|
6430
|
-
startLine:
|
|
4866
|
+
var VulnerabilityReportIssueNoFixCodeNodeZ = z22.object({
|
|
4867
|
+
vulnerabilityReportIssues: z22.array(
|
|
4868
|
+
z22.object({
|
|
4869
|
+
id: z22.string(),
|
|
4870
|
+
fixId: z22.string().nullable(),
|
|
4871
|
+
category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
4872
|
+
safeIssueType: z22.string(),
|
|
4873
|
+
fpId: z22.string().uuid().nullable(),
|
|
4874
|
+
codeNodes: z22.array(
|
|
4875
|
+
z22.object({
|
|
4876
|
+
path: z22.string(),
|
|
4877
|
+
startLine: z22.number()
|
|
6431
4878
|
})
|
|
6432
4879
|
),
|
|
6433
|
-
vulnerabilityReportIssueTags:
|
|
6434
|
-
|
|
6435
|
-
tag:
|
|
4880
|
+
vulnerabilityReportIssueTags: z22.array(
|
|
4881
|
+
z22.object({
|
|
4882
|
+
tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
|
|
6436
4883
|
})
|
|
6437
4884
|
)
|
|
6438
4885
|
})
|
|
6439
4886
|
)
|
|
6440
4887
|
});
|
|
6441
|
-
var GetVulByNodesMetadataZ =
|
|
6442
|
-
vulnerabilityReportIssueCodeNodes:
|
|
6443
|
-
nonFixablePrVuls:
|
|
6444
|
-
aggregate:
|
|
6445
|
-
count:
|
|
4888
|
+
var GetVulByNodesMetadataZ = z22.object({
|
|
4889
|
+
vulnerabilityReportIssueCodeNodes: z22.array(VulnerabilityReportIssueCodeNodeZ),
|
|
4890
|
+
nonFixablePrVuls: z22.object({
|
|
4891
|
+
aggregate: z22.object({
|
|
4892
|
+
count: z22.number()
|
|
6446
4893
|
})
|
|
6447
4894
|
}),
|
|
6448
|
-
fixablePrVuls:
|
|
6449
|
-
aggregate:
|
|
6450
|
-
count:
|
|
4895
|
+
fixablePrVuls: z22.object({
|
|
4896
|
+
aggregate: z22.object({
|
|
4897
|
+
count: z22.number()
|
|
6451
4898
|
})
|
|
6452
4899
|
}),
|
|
6453
|
-
totalScanVulnerabilities:
|
|
6454
|
-
aggregate:
|
|
6455
|
-
count:
|
|
4900
|
+
totalScanVulnerabilities: z22.object({
|
|
4901
|
+
aggregate: z22.object({
|
|
4902
|
+
count: z22.number()
|
|
6456
4903
|
})
|
|
6457
4904
|
}),
|
|
6458
|
-
irrelevantVulnerabilityReportIssue:
|
|
4905
|
+
irrelevantVulnerabilityReportIssue: z22.array(
|
|
6459
4906
|
VulnerabilityReportIssueNoFixCodeNodeZ
|
|
6460
4907
|
)
|
|
6461
4908
|
});
|
|
@@ -7755,8 +6202,8 @@ var defaultLogger2 = {
|
|
|
7755
6202
|
}
|
|
7756
6203
|
}
|
|
7757
6204
|
};
|
|
7758
|
-
var PromptItemZ =
|
|
7759
|
-
type:
|
|
6205
|
+
var PromptItemZ = z23.object({
|
|
6206
|
+
type: z23.enum([
|
|
7760
6207
|
"USER_PROMPT",
|
|
7761
6208
|
"AI_RESPONSE",
|
|
7762
6209
|
"TOOL_EXECUTION",
|
|
@@ -7764,32 +6211,32 @@ var PromptItemZ = z26.object({
|
|
|
7764
6211
|
"MCP_TOOL_CALL"
|
|
7765
6212
|
// MCP (Model Context Protocol) tool invocation
|
|
7766
6213
|
]),
|
|
7767
|
-
attachedFiles:
|
|
7768
|
-
|
|
7769
|
-
relativePath:
|
|
7770
|
-
startLine:
|
|
6214
|
+
attachedFiles: z23.array(
|
|
6215
|
+
z23.object({
|
|
6216
|
+
relativePath: z23.string(),
|
|
6217
|
+
startLine: z23.number().optional()
|
|
7771
6218
|
})
|
|
7772
6219
|
).optional(),
|
|
7773
|
-
tokens:
|
|
7774
|
-
inputCount:
|
|
7775
|
-
outputCount:
|
|
6220
|
+
tokens: z23.object({
|
|
6221
|
+
inputCount: z23.number(),
|
|
6222
|
+
outputCount: z23.number()
|
|
7776
6223
|
}).optional(),
|
|
7777
|
-
text:
|
|
7778
|
-
date:
|
|
7779
|
-
tool:
|
|
7780
|
-
name:
|
|
7781
|
-
parameters:
|
|
7782
|
-
result:
|
|
7783
|
-
rawArguments:
|
|
7784
|
-
accepted:
|
|
6224
|
+
text: z23.string().optional(),
|
|
6225
|
+
date: z23.date().optional(),
|
|
6226
|
+
tool: z23.object({
|
|
6227
|
+
name: z23.string(),
|
|
6228
|
+
parameters: z23.string(),
|
|
6229
|
+
result: z23.string(),
|
|
6230
|
+
rawArguments: z23.string().optional(),
|
|
6231
|
+
accepted: z23.boolean().optional(),
|
|
7785
6232
|
// MCP-specific fields (only populated for MCP_TOOL_CALL type)
|
|
7786
|
-
mcpServer:
|
|
6233
|
+
mcpServer: z23.string().optional(),
|
|
7787
6234
|
// MCP server name (e.g., "datadog", "mobb-mcp")
|
|
7788
|
-
mcpToolName:
|
|
6235
|
+
mcpToolName: z23.string().optional()
|
|
7789
6236
|
// MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
|
|
7790
6237
|
}).optional()
|
|
7791
6238
|
});
|
|
7792
|
-
var PromptItemArrayZ =
|
|
6239
|
+
var PromptItemArrayZ = z23.array(PromptItemZ);
|
|
7793
6240
|
var NULL_REPO_STATE = {
|
|
7794
6241
|
repositoryUrl: null,
|
|
7795
6242
|
branch: null,
|