mobbdev 1.4.35 → 1.4.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.mjs CHANGED
@@ -1377,26 +1377,26 @@ var init_getIssueType = __esm({
1377
1377
  });
1378
1378
 
1379
1379
  // src/features/analysis/scm/shared/src/types/shared.ts
1380
- import { z as z5 } from "zod";
1380
+ import { z as z2 } from "zod";
1381
1381
  var ParsedSeverityZ, ScmSubmitFixRequestsZ;
1382
1382
  var init_shared = __esm({
1383
1383
  "src/features/analysis/scm/shared/src/types/shared.ts"() {
1384
1384
  "use strict";
1385
1385
  init_client_generates();
1386
- ParsedSeverityZ = z5.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
1387
- ScmSubmitFixRequestsZ = z5.array(
1388
- z5.object({
1389
- scmSubmitFixRequest: z5.object({
1390
- submitFixRequest: z5.object({
1391
- createdByUser: z5.object({
1392
- email: z5.string()
1386
+ ParsedSeverityZ = z2.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
1387
+ ScmSubmitFixRequestsZ = z2.array(
1388
+ z2.object({
1389
+ scmSubmitFixRequest: z2.object({
1390
+ submitFixRequest: z2.object({
1391
+ createdByUser: z2.object({
1392
+ email: z2.string()
1393
1393
  }),
1394
- targetBranchName: z5.string().default("")
1394
+ targetBranchName: z2.string().default("")
1395
1395
  }),
1396
- prUrl: z5.string().nullable(),
1397
- prStatus: z5.nativeEnum(Pr_Status_Enum).nullable(),
1398
- commitUrl: z5.string().nullable(),
1399
- scmId: z5.string()
1396
+ prUrl: z2.string().nullable(),
1397
+ prStatus: z2.nativeEnum(Pr_Status_Enum).nullable(),
1398
+ commitUrl: z2.string().nullable(),
1399
+ scmId: z2.string()
1400
1400
  })
1401
1401
  })
1402
1402
  );
@@ -1404,105 +1404,106 @@ var init_shared = __esm({
1404
1404
  });
1405
1405
 
1406
1406
  // src/features/analysis/scm/shared/src/types/fix.ts
1407
- import { z as z6 } from "zod";
1407
+ import { z as z3 } from "zod";
1408
1408
  var PackageInfoZ, ManifestActionRequiredZ, ExtraContextInternalZ, FixExtraContextZ, PatchAndQuestionsZ, FixRatingZ, IssueRatingZ, IssueSharedStateZ, FixSharedStateZ, FixQueryZ, FixPartsForFixScreenZ;
1409
1409
  var init_fix = __esm({
1410
1410
  "src/features/analysis/scm/shared/src/types/fix.ts"() {
1411
1411
  "use strict";
1412
1412
  init_client_generates();
1413
1413
  init_shared();
1414
- PackageInfoZ = z6.object({
1415
- name: z6.string(),
1416
- version: z6.string(),
1417
- envName: z6.string().nullable()
1418
- });
1419
- ManifestActionRequiredZ = z6.object({
1420
- action: z6.nativeEnum(ManifestAction),
1421
- language: z6.nativeEnum(Language),
1414
+ PackageInfoZ = z3.object({
1415
+ name: z3.string(),
1416
+ version: z3.string(),
1417
+ envName: z3.string().nullable()
1418
+ });
1419
+ ManifestActionRequiredZ = z3.object({
1420
+ action: z3.nativeEnum(ManifestAction),
1421
+ language: z3.nativeEnum(Language),
1422
1422
  lib: PackageInfoZ,
1423
1423
  typesLib: PackageInfoZ.nullable()
1424
1424
  });
1425
- ExtraContextInternalZ = z6.object({
1426
- key: z6.string(),
1427
- value: z6.string().or(z6.boolean()).or(
1428
- z6.object({
1429
- int: z6.boolean(),
1430
- integer: z6.boolean(),
1431
- string: z6.boolean(),
1432
- date: z6.boolean()
1425
+ ExtraContextInternalZ = z3.object({
1426
+ key: z3.string(),
1427
+ value: z3.string().or(z3.boolean()).or(
1428
+ z3.object({
1429
+ int: z3.boolean(),
1430
+ integer: z3.boolean(),
1431
+ string: z3.boolean(),
1432
+ date: z3.boolean()
1433
1433
  })
1434
1434
  )
1435
1435
  });
1436
- FixExtraContextZ = z6.object({
1437
- fixDescription: z6.string(),
1438
- manifestActionsRequired: z6.array(ManifestActionRequiredZ),
1439
- extraContext: z6.array(ExtraContextInternalZ),
1440
- // E-2015 PR5c: analyzer-served fix-level guidance. default([]) so a query that
1436
+ FixExtraContextZ = z3.object({
1437
+ fixDescription: z3.string(),
1438
+ manifestActionsRequired: z3.array(ManifestActionRequiredZ),
1439
+ extraContext: z3.array(ExtraContextInternalZ),
1440
+ // E-2015: analyzer-served fix-level guidance. default([]) so a query that
1441
1441
  // omits it still parses, while the output type is a required string[] to match
1442
- // the non-null GraphQL field. getFixGuidances prefers served then falls back.
1443
- guidances: z6.array(z6.string()).default([])
1444
- });
1445
- PatchAndQuestionsZ = z6.object({
1446
- __typename: z6.literal("FixData"),
1447
- patch: z6.string(),
1448
- patchOriginalEncodingBase64: z6.string(),
1449
- questions: z6.array(
1450
- z6.object({
1451
- name: z6.string(),
1452
- key: z6.string(),
1453
- index: z6.number(),
1454
- defaultValue: z6.string(),
1455
- value: z6.string().nullable(),
1456
- extraContext: z6.array(ExtraContextInternalZ),
1457
- inputType: z6.nativeEnum(FixQuestionInputType),
1458
- options: z6.array(z6.string()),
1459
- // E-2015 PR5: analyzer-served question copy. default('') so a query that
1460
- // omits these still parses (-> '' -> FE falls back to its own copy), while
1461
- // the output type stays a required `string` to match the non-null GraphQL
1462
- // fields. Consumers use `served || storedQuestionData`.
1463
- content: z6.string().default(""),
1464
- description: z6.string().default(""),
1465
- guidance: z6.string().default("")
1442
+ // the non-null GraphQL field. The analyzer is the sole source; getFixGuidances
1443
+ // uses the served value directly (no fallback).
1444
+ guidances: z3.array(z3.string()).default([])
1445
+ });
1446
+ PatchAndQuestionsZ = z3.object({
1447
+ __typename: z3.literal("FixData"),
1448
+ patch: z3.string(),
1449
+ patchOriginalEncodingBase64: z3.string(),
1450
+ questions: z3.array(
1451
+ z3.object({
1452
+ name: z3.string(),
1453
+ key: z3.string(),
1454
+ index: z3.number(),
1455
+ defaultValue: z3.string(),
1456
+ value: z3.string().nullable(),
1457
+ extraContext: z3.array(ExtraContextInternalZ),
1458
+ inputType: z3.nativeEnum(FixQuestionInputType),
1459
+ options: z3.array(z3.string()),
1460
+ // E-2015: analyzer-served question text. default('') so a query that
1461
+ // omits these still parses (-> ''), while the output type stays a required
1462
+ // `string` to match the non-null GraphQL fields. The analyzer is the sole
1463
+ // source; consumers use the served value directly (no fallback).
1464
+ content: z3.string().default(""),
1465
+ description: z3.string().default(""),
1466
+ guidance: z3.string().default("")
1466
1467
  })
1467
1468
  ),
1468
1469
  extraContext: FixExtraContextZ
1469
1470
  });
1470
- FixRatingZ = z6.object({
1471
- voteScore: z6.number(),
1472
- fixRatingTag: z6.nativeEnum(Fix_Rating_Tag_Enum).nullable().default(null),
1473
- comment: z6.string().nullable().default(null),
1474
- updatedDate: z6.string().nullable(),
1475
- user: z6.object({
1476
- email: z6.string(),
1477
- name: z6.string()
1471
+ FixRatingZ = z3.object({
1472
+ voteScore: z3.number(),
1473
+ fixRatingTag: z3.nativeEnum(Fix_Rating_Tag_Enum).nullable().default(null),
1474
+ comment: z3.string().nullable().default(null),
1475
+ updatedDate: z3.string().nullable(),
1476
+ user: z3.object({
1477
+ email: z3.string(),
1478
+ name: z3.string()
1478
1479
  })
1479
1480
  });
1480
- IssueRatingZ = z6.object({
1481
- voteScore: z6.number(),
1482
- comment: z6.string().nullable().default(null),
1483
- updatedDate: z6.string().nullable(),
1484
- user: z6.object({
1485
- email: z6.string(),
1486
- name: z6.string()
1481
+ IssueRatingZ = z3.object({
1482
+ voteScore: z3.number(),
1483
+ comment: z3.string().nullable().default(null),
1484
+ updatedDate: z3.string().nullable(),
1485
+ user: z3.object({
1486
+ email: z3.string(),
1487
+ name: z3.string()
1487
1488
  })
1488
1489
  });
1489
- IssueSharedStateZ = z6.object({
1490
- id: z6.string(),
1491
- createdAt: z6.string(),
1492
- isArchived: z6.boolean(),
1493
- ticketIntegrationId: z6.string().nullable(),
1494
- ticketIntegrations: z6.array(
1495
- z6.object({
1496
- url: z6.string()
1490
+ IssueSharedStateZ = z3.object({
1491
+ id: z3.string(),
1492
+ createdAt: z3.string(),
1493
+ isArchived: z3.boolean(),
1494
+ ticketIntegrationId: z3.string().nullable(),
1495
+ ticketIntegrations: z3.array(
1496
+ z3.object({
1497
+ url: z3.string()
1497
1498
  })
1498
1499
  ),
1499
- issueRatings: z6.array(IssueRatingZ).default([])
1500
+ issueRatings: z3.array(IssueRatingZ).default([])
1500
1501
  }).nullable();
1501
- FixSharedStateZ = z6.object({
1502
- state: z6.nativeEnum(Fix_State_Enum),
1503
- isArchived: z6.boolean(),
1502
+ FixSharedStateZ = z3.object({
1503
+ state: z3.nativeEnum(Fix_State_Enum),
1504
+ isArchived: z3.boolean(),
1504
1505
  scmSubmitFixRequests: ScmSubmitFixRequestsZ,
1505
- fixRatings: z6.array(FixRatingZ).default([])
1506
+ fixRatings: z3.array(FixRatingZ).default([])
1506
1507
  }).nullish().transform(
1507
1508
  (data) => data ? data : {
1508
1509
  state: "Ready" /* Ready */,
@@ -1511,46 +1512,46 @@ var init_fix = __esm({
1511
1512
  fixRatings: []
1512
1513
  }
1513
1514
  );
1514
- FixQueryZ = z6.object({
1515
- __typename: z6.literal("fix").optional(),
1516
- id: z6.string().uuid(),
1515
+ FixQueryZ = z3.object({
1516
+ __typename: z3.literal("fix").optional(),
1517
+ id: z3.string().uuid(),
1517
1518
  sharedState: FixSharedStateZ,
1518
- modifiedBy: z6.string().nullable(),
1519
- gitBlameLogin: z6.string().nullable(),
1520
- safeIssueLanguage: z6.string(),
1521
- safeIssueType: z6.string(),
1522
- confidence: z6.number(),
1523
- fixReportId: z6.string().uuid(),
1524
- isExpired: z6.boolean().default(false),
1525
- fixFiles: z6.array(
1526
- z6.object({
1527
- fileRepoRelativePath: z6.string()
1519
+ modifiedBy: z3.string().nullable(),
1520
+ gitBlameLogin: z3.string().nullable(),
1521
+ safeIssueLanguage: z3.string(),
1522
+ safeIssueType: z3.string(),
1523
+ confidence: z3.number(),
1524
+ fixReportId: z3.string().uuid(),
1525
+ isExpired: z3.boolean().default(false),
1526
+ fixFiles: z3.array(
1527
+ z3.object({
1528
+ fileRepoRelativePath: z3.string()
1528
1529
  })
1529
1530
  ),
1530
- numberOfVulnerabilityIssues: z6.number(),
1531
- severityText: z6.nativeEnum(Vulnerability_Severity_Enum),
1532
- vulnerabilityReportIssues: z6.array(
1533
- z6.object({
1534
- vendorIssueId: z6.string(),
1535
- issueLanguage: z6.string(),
1531
+ numberOfVulnerabilityIssues: z3.number(),
1532
+ severityText: z3.nativeEnum(Vulnerability_Severity_Enum),
1533
+ vulnerabilityReportIssues: z3.array(
1534
+ z3.object({
1535
+ vendorIssueId: z3.string(),
1536
+ issueLanguage: z3.string(),
1536
1537
  parsedSeverity: ParsedSeverityZ,
1537
- sharedState: z6.object({
1538
- id: z6.string().uuid(),
1539
- isArchived: z6.boolean(),
1540
- ticketIntegrationId: z6.string().uuid().nullable()
1538
+ sharedState: z3.object({
1539
+ id: z3.string().uuid(),
1540
+ isArchived: z3.boolean(),
1541
+ ticketIntegrationId: z3.string().uuid().nullable()
1541
1542
  }).nullable()
1542
1543
  })
1543
1544
  ),
1544
1545
  patchAndQuestions: PatchAndQuestionsZ,
1545
- effortToApplyFix: z6.nativeEnum(Effort_To_Apply_Fix_Enum).nullable()
1546
+ effortToApplyFix: z3.nativeEnum(Effort_To_Apply_Fix_Enum).nullable()
1546
1547
  });
1547
1548
  FixPartsForFixScreenZ = FixQueryZ.merge(
1548
- z6.object({
1549
- vulnerabilityReportIssues: z6.array(
1550
- z6.object({
1551
- vendorIssueId: z6.string(),
1552
- issueType: z6.string(),
1553
- issueLanguage: z6.string(),
1549
+ z3.object({
1550
+ vulnerabilityReportIssues: z3.array(
1551
+ z3.object({
1552
+ vendorIssueId: z3.string(),
1553
+ issueType: z3.string(),
1554
+ issueLanguage: z3.string(),
1554
1555
  sharedState: IssueSharedStateZ
1555
1556
  })
1556
1557
  )
@@ -1560,24 +1561,24 @@ var init_fix = __esm({
1560
1561
  });
1561
1562
 
1562
1563
  // src/features/analysis/scm/shared/src/types/analysis.ts
1563
- import { z as z7 } from "zod";
1564
+ import { z as z4 } from "zod";
1564
1565
  var FixPageFixReportZ;
1565
1566
  var init_analysis = __esm({
1566
1567
  "src/features/analysis/scm/shared/src/types/analysis.ts"() {
1567
1568
  "use strict";
1568
1569
  init_client_generates();
1569
1570
  init_client_generates();
1570
- FixPageFixReportZ = z7.object({
1571
- id: z7.string().uuid(),
1572
- analysisUrl: z7.string(),
1573
- createdOn: z7.string(),
1574
- state: z7.nativeEnum(Fix_Report_State_Enum),
1575
- repo: z7.object({
1576
- name: z7.string().nullable(),
1577
- originalUrl: z7.string(),
1578
- reference: z7.string(),
1579
- commitSha: z7.string(),
1580
- isKnownBranch: z7.boolean().nullish().default(true)
1571
+ FixPageFixReportZ = z4.object({
1572
+ id: z4.string().uuid(),
1573
+ analysisUrl: z4.string(),
1574
+ createdOn: z4.string(),
1575
+ state: z4.nativeEnum(Fix_Report_State_Enum),
1576
+ repo: z4.object({
1577
+ name: z4.string().nullable(),
1578
+ originalUrl: z4.string(),
1579
+ reference: z4.string(),
1580
+ commitSha: z4.string(),
1581
+ isKnownBranch: z4.boolean().nullish().default(true)
1581
1582
  }).nullable().transform(
1582
1583
  (repo) => repo ?? {
1583
1584
  name: null,
@@ -1587,13 +1588,13 @@ var init_analysis = __esm({
1587
1588
  isKnownBranch: true
1588
1589
  }
1589
1590
  ),
1590
- vulnerabilityReport: z7.object({
1591
- id: z7.string().uuid(),
1592
- vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
1593
- computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
1594
- projectId: z7.string().uuid(),
1595
- project: z7.object({
1596
- organizationId: z7.string().uuid()
1591
+ vulnerabilityReport: z4.object({
1592
+ id: z4.string().uuid(),
1593
+ vendor: z4.nativeEnum(Vulnerability_Report_Vendor_Enum),
1594
+ computedVendor: z4.nativeEnum(Vulnerability_Report_Vendor_Enum),
1595
+ projectId: z4.string().uuid(),
1596
+ project: z4.object({
1597
+ organizationId: z4.string().uuid()
1597
1598
  })
1598
1599
  })
1599
1600
  });
@@ -1601,7 +1602,7 @@ var init_analysis = __esm({
1601
1602
  });
1602
1603
 
1603
1604
  // src/features/analysis/scm/shared/src/types/issue.ts
1604
- import { z as z8 } from "zod";
1605
+ import { z as z5 } from "zod";
1605
1606
  var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, UnfixablePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapCategoryToBucket, mapBucketTypeToCategory;
1606
1607
  var init_issue = __esm({
1607
1608
  "src/features/analysis/scm/shared/src/types/issue.ts"() {
@@ -1611,57 +1612,57 @@ var init_issue = __esm({
1611
1612
  init_fix();
1612
1613
  init_shared();
1613
1614
  MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES = 1e5;
1614
- VulnerabilityReportIssueRatingZ = z8.object({
1615
- voteScore: z8.number(),
1616
- comment: z8.string().nullable().default(null),
1617
- updatedDate: z8.string().nullable(),
1618
- user: z8.object({
1619
- email: z8.string(),
1620
- name: z8.string()
1615
+ VulnerabilityReportIssueRatingZ = z5.object({
1616
+ voteScore: z5.number(),
1617
+ comment: z5.string().nullable().default(null),
1618
+ updatedDate: z5.string().nullable(),
1619
+ user: z5.object({
1620
+ email: z5.string(),
1621
+ name: z5.string()
1621
1622
  })
1622
1623
  });
1623
- VulnerabilityReportIssueSharedStateZ = z8.object({
1624
- id: z8.string().uuid(),
1625
- createdAt: z8.string(),
1626
- isArchived: z8.boolean(),
1627
- ticketIntegrationId: z8.string().uuid().nullable(),
1628
- ticketIntegrations: z8.array(
1629
- z8.object({
1630
- url: z8.string()
1624
+ VulnerabilityReportIssueSharedStateZ = z5.object({
1625
+ id: z5.string().uuid(),
1626
+ createdAt: z5.string(),
1627
+ isArchived: z5.boolean(),
1628
+ ticketIntegrationId: z5.string().uuid().nullable(),
1629
+ ticketIntegrations: z5.array(
1630
+ z5.object({
1631
+ url: z5.string()
1631
1632
  })
1632
1633
  ),
1633
- issueRatings: z8.array(VulnerabilityReportIssueRatingZ).default([])
1634
+ issueRatings: z5.array(VulnerabilityReportIssueRatingZ).default([])
1634
1635
  }).nullish();
1635
- BaseIssuePartsZ = z8.object({
1636
- id: z8.string().uuid(),
1637
- safeIssueType: z8.string(),
1638
- safeIssueLanguage: z8.string(),
1639
- createdAt: z8.string(),
1636
+ BaseIssuePartsZ = z5.object({
1637
+ id: z5.string().uuid(),
1638
+ safeIssueType: z5.string(),
1639
+ safeIssueLanguage: z5.string(),
1640
+ createdAt: z5.string(),
1640
1641
  parsedSeverity: ParsedSeverityZ,
1641
- category: z8.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1642
- extraData: z8.object({
1643
- missing_files: z8.string().array().nullish(),
1644
- error_files: z8.string().array().nullish(),
1645
- ai_cost_limit_exceeded: z8.string().nullish()
1642
+ category: z5.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1643
+ extraData: z5.object({
1644
+ missing_files: z5.string().array().nullish(),
1645
+ error_files: z5.string().array().nullish(),
1646
+ ai_cost_limit_exceeded: z5.string().nullish()
1646
1647
  }),
1647
- vulnerabilityReportIssueTags: z8.array(
1648
- z8.object({
1649
- tag: z8.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
1648
+ vulnerabilityReportIssueTags: z5.array(
1649
+ z5.object({
1650
+ tag: z5.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
1650
1651
  })
1651
1652
  ),
1652
- codeNodes: z8.array(
1653
- z8.object({
1654
- path: z8.string(),
1655
- line: z8.number(),
1656
- index: z8.number()
1653
+ codeNodes: z5.array(
1654
+ z5.object({
1655
+ path: z5.string(),
1656
+ line: z5.number(),
1657
+ index: z5.number()
1657
1658
  })
1658
1659
  ).transform((nodes) => nodes.sort((a, b) => b.index - a.index)),
1659
- sourceCodeNodes: z8.array(
1660
- z8.object({
1661
- sourceCodeFile: z8.object({
1662
- path: z8.string(),
1663
- signedFile: z8.object({
1664
- url: z8.string()
1660
+ sourceCodeNodes: z5.array(
1661
+ z5.object({
1662
+ sourceCodeFile: z5.object({
1663
+ path: z5.string(),
1664
+ signedFile: z5.object({
1665
+ url: z5.string()
1665
1666
  })
1666
1667
  })
1667
1668
  }).transform(async ({ sourceCodeFile }) => {
@@ -1677,71 +1678,71 @@ var init_issue = __esm({
1677
1678
  })
1678
1679
  ).transform((nodes) => nodes.filter((node) => node !== null)),
1679
1680
  fix: FixPartsForFixScreenZ.nullish(),
1680
- vulnerabilityReportIssueNodeDiffFile: z8.object({
1681
- signedFile: z8.object({
1682
- url: z8.string()
1681
+ vulnerabilityReportIssueNodeDiffFile: z5.object({
1682
+ signedFile: z5.object({
1683
+ url: z5.string()
1683
1684
  }).transform(async ({ url }) => {
1684
1685
  const codeDiff = await fetch(url).then((res) => res.text());
1685
1686
  return { codeDiff };
1686
1687
  })
1687
1688
  }).nullish(),
1688
1689
  sharedState: VulnerabilityReportIssueSharedStateZ,
1689
- unfixableId: z8.string().uuid().nullish()
1690
+ unfixableId: z5.string().uuid().nullish()
1690
1691
  });
1691
- FalsePositivePartsZ = z8.object({
1692
- extraContext: z8.array(z8.object({ key: z8.string(), value: z8.string() })),
1693
- fixDescription: z8.string()
1692
+ FalsePositivePartsZ = z5.object({
1693
+ extraContext: z5.array(z5.object({ key: z5.string(), value: z5.string() })),
1694
+ fixDescription: z5.string()
1694
1695
  });
1695
- UnfixablePartsZ = z8.object({
1696
- extraContext: z8.array(z8.object({ key: z8.string(), value: z8.string() })),
1697
- fixDescription: z8.string()
1696
+ UnfixablePartsZ = z5.object({
1697
+ extraContext: z5.array(z5.object({ key: z5.string(), value: z5.string() })),
1698
+ fixDescription: z5.string()
1698
1699
  });
1699
1700
  IssuePartsWithFixZ = BaseIssuePartsZ.merge(
1700
- z8.object({
1701
- category: z8.literal("Irrelevant" /* Irrelevant */),
1701
+ z5.object({
1702
+ category: z5.literal("Irrelevant" /* Irrelevant */),
1702
1703
  fix: FixPartsForFixScreenZ.nullish()
1703
1704
  })
1704
1705
  );
1705
1706
  IssuePartsFpZ = BaseIssuePartsZ.merge(
1706
- z8.object({
1707
- category: z8.literal("FalsePositive" /* FalsePositive */),
1708
- fpId: z8.string().uuid(),
1707
+ z5.object({
1708
+ category: z5.literal("FalsePositive" /* FalsePositive */),
1709
+ fpId: z5.string().uuid(),
1709
1710
  getFalsePositive: FalsePositivePartsZ
1710
1711
  })
1711
1712
  );
1712
1713
  GeneralIssueZ = BaseIssuePartsZ.merge(
1713
- z8.object({
1714
- category: z8.union([
1715
- z8.literal("NoFix" /* NoFix */),
1716
- z8.literal("Unsupported" /* Unsupported */),
1717
- z8.literal("Fixable" /* Fixable */),
1718
- z8.literal("Filtered" /* Filtered */),
1719
- z8.literal("Pending" /* Pending */)
1714
+ z5.object({
1715
+ category: z5.union([
1716
+ z5.literal("NoFix" /* NoFix */),
1717
+ z5.literal("Unsupported" /* Unsupported */),
1718
+ z5.literal("Fixable" /* Fixable */),
1719
+ z5.literal("Filtered" /* Filtered */),
1720
+ z5.literal("Pending" /* Pending */)
1720
1721
  ]),
1721
1722
  getUnfixable: UnfixablePartsZ.nullish()
1722
1723
  })
1723
1724
  );
1724
- IssuePartsZ = z8.union([
1725
+ IssuePartsZ = z5.union([
1725
1726
  IssuePartsFpZ,
1726
1727
  IssuePartsWithFixZ,
1727
1728
  GeneralIssueZ
1728
1729
  ]);
1729
- GetIssueIndexesZ = z8.object({
1730
- currentIndex: z8.number(),
1731
- totalIssues: z8.number(),
1732
- nextIssue: z8.object({
1733
- id: z8.string().uuid()
1730
+ GetIssueIndexesZ = z5.object({
1731
+ currentIndex: z5.number(),
1732
+ totalIssues: z5.number(),
1733
+ nextIssue: z5.object({
1734
+ id: z5.string().uuid()
1734
1735
  }).nullish(),
1735
- prevIssue: z8.object({
1736
- id: z8.string().uuid()
1736
+ prevIssue: z5.object({
1737
+ id: z5.string().uuid()
1737
1738
  }).nullish()
1738
1739
  });
1739
- GetIssueScreenDataZ = z8.object({
1740
+ GetIssueScreenDataZ = z5.object({
1740
1741
  fixReport_by_pk: FixPageFixReportZ,
1741
1742
  vulnerability_report_issue_by_pk: IssuePartsZ,
1742
1743
  issueIndexes: GetIssueIndexesZ
1743
1744
  });
1744
- IssueBucketZ = z8.enum(["fixable", "irrelevant", "remaining"]);
1745
+ IssueBucketZ = z5.enum(["fixable", "irrelevant", "remaining"]);
1745
1746
  mapCategoryToBucket = {
1746
1747
  FalsePositive: "irrelevant",
1747
1748
  Irrelevant: "irrelevant",
@@ -1768,19 +1769,19 @@ var init_issue = __esm({
1768
1769
  });
1769
1770
 
1770
1771
  // src/features/analysis/scm/shared/src/validations.ts
1771
- import { z as z9 } from "zod";
1772
+ import { z as z6 } from "zod";
1772
1773
  var IssueTypeSettingZ, IssueTypeSettingsZ;
1773
1774
  var init_validations = __esm({
1774
1775
  "src/features/analysis/scm/shared/src/validations.ts"() {
1775
1776
  "use strict";
1776
1777
  init_getIssueType();
1777
1778
  init_issueTypeCatalog();
1778
- IssueTypeSettingZ = z9.object({
1779
- autoPrEnabled: z9.boolean(),
1780
- enabled: z9.boolean(),
1779
+ IssueTypeSettingZ = z6.object({
1780
+ autoPrEnabled: z6.boolean(),
1781
+ enabled: z6.boolean(),
1781
1782
  issueType: SafeIssueTypeStringZ
1782
1783
  });
1783
- IssueTypeSettingsZ = z9.array(IssueTypeSettingZ).transform((issueTypeSettings) => {
1784
+ IssueTypeSettingsZ = z6.array(IssueTypeSettingZ).transform((issueTypeSettings) => {
1784
1785
  const catalogValues = listIssueTypeCatalog().map((entry) => entry.value);
1785
1786
  if (catalogValues.length === 0) {
1786
1787
  throw new Error(
@@ -1805,7 +1806,7 @@ var init_validations = __esm({
1805
1806
  });
1806
1807
 
1807
1808
  // src/features/analysis/scm/shared/src/types/types.ts
1808
- import { z as z10 } from "zod";
1809
+ import { z as z7 } from "zod";
1809
1810
  var OrganizationScreenQueryParamsZ, ProjectPageQueryParamsZ, AnalysisPageQueryParamsZ, FixPageQueryParamsZ, IssuePageQueryParamsZ, CliLoginPageQueryParamsZ, AnalysisReportDigestedZ, IssueSharedStateZ2, ReportQueryResultZ, ReportFixesQueryFixZ, BaseVulnerabilityReportIssueZ, VulnerabilityReportIssueZ, VulnerabilityReportIssueWithCodeFilePathZ, GetReportIssuesQueryZ, FixReportByProjectZ, FixScreenQueryResultZ, FixPageQueryZ, GetReportFixesQueryZ, GetFixReportStatsQueryZ, ProjectVulnerabilityReport, GetProjectsQueryZ, ProjectPageQueryResultZ, GetProjectMembersDataZ, RepoArgsZ, scmCloudUrl, ScmType, ConvertToSarifInputFileFormat;
1810
1811
  var init_types = __esm({
1811
1812
  "src/features/analysis/scm/shared/src/types/types.ts"() {
@@ -1816,117 +1817,117 @@ var init_types = __esm({
1816
1817
  init_fix();
1817
1818
  init_issue();
1818
1819
  init_shared();
1819
- OrganizationScreenQueryParamsZ = z10.object({
1820
- organizationId: z10.string().uuid()
1820
+ OrganizationScreenQueryParamsZ = z7.object({
1821
+ organizationId: z7.string().uuid()
1821
1822
  });
1822
- ProjectPageQueryParamsZ = z10.object({
1823
- organizationId: z10.string().uuid(),
1824
- projectId: z10.string().uuid()
1823
+ ProjectPageQueryParamsZ = z7.object({
1824
+ organizationId: z7.string().uuid(),
1825
+ projectId: z7.string().uuid()
1825
1826
  });
1826
1827
  AnalysisPageQueryParamsZ = ProjectPageQueryParamsZ.extend({
1827
- reportId: z10.string().uuid()
1828
+ reportId: z7.string().uuid()
1828
1829
  });
1829
1830
  FixPageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
1830
- fixId: z10.string().uuid()
1831
+ fixId: z7.string().uuid()
1831
1832
  });
1832
1833
  IssuePageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
1833
- issueId: z10.string().uuid()
1834
- });
1835
- CliLoginPageQueryParamsZ = z10.object({
1836
- loginId: z10.string().uuid()
1837
- });
1838
- AnalysisReportDigestedZ = z10.object({
1839
- id: z10.string().uuid(),
1840
- state: z10.nativeEnum(Fix_Report_State_Enum),
1841
- vulnerabilityReport: z10.object({
1842
- reportSummaryUrl: z10.string().url().nullish(),
1843
- scanDate: z10.string().nullable(),
1844
- supported: z10.object({
1845
- aggregate: z10.object({
1846
- count: z10.number()
1834
+ issueId: z7.string().uuid()
1835
+ });
1836
+ CliLoginPageQueryParamsZ = z7.object({
1837
+ loginId: z7.string().uuid()
1838
+ });
1839
+ AnalysisReportDigestedZ = z7.object({
1840
+ id: z7.string().uuid(),
1841
+ state: z7.nativeEnum(Fix_Report_State_Enum),
1842
+ vulnerabilityReport: z7.object({
1843
+ reportSummaryUrl: z7.string().url().nullish(),
1844
+ scanDate: z7.string().nullable(),
1845
+ supported: z7.object({
1846
+ aggregate: z7.object({
1847
+ count: z7.number()
1847
1848
  })
1848
1849
  }),
1849
- all: z10.object({
1850
- aggregate: z10.object({
1851
- count: z10.number()
1850
+ all: z7.object({
1851
+ aggregate: z7.object({
1852
+ count: z7.number()
1852
1853
  })
1853
1854
  }),
1854
- vendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum),
1855
- project: z10.object({
1856
- organizationId: z10.string().uuid()
1855
+ vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
1856
+ project: z7.object({
1857
+ organizationId: z7.string().uuid()
1857
1858
  })
1858
1859
  })
1859
1860
  });
1860
- IssueSharedStateZ2 = z10.object({
1861
- id: z10.string().uuid(),
1862
- createdAt: z10.string(),
1863
- isArchived: z10.boolean(),
1864
- ticketIntegrationId: z10.string().uuid().nullable(),
1865
- ticketIntegrations: z10.array(
1866
- z10.object({
1867
- url: z10.string()
1861
+ IssueSharedStateZ2 = z7.object({
1862
+ id: z7.string().uuid(),
1863
+ createdAt: z7.string(),
1864
+ isArchived: z7.boolean(),
1865
+ ticketIntegrationId: z7.string().uuid().nullable(),
1866
+ ticketIntegrations: z7.array(
1867
+ z7.object({
1868
+ url: z7.string()
1868
1869
  })
1869
1870
  )
1870
1871
  }).nullable();
1871
- ReportQueryResultZ = z10.object({
1872
- fixReport_by_pk: z10.object({
1873
- id: z10.string().uuid(),
1874
- analysisUrl: z10.string(),
1875
- fixesCommitted: z10.object({
1876
- aggregate: z10.object({ count: z10.number() })
1872
+ ReportQueryResultZ = z7.object({
1873
+ fixReport_by_pk: z7.object({
1874
+ id: z7.string().uuid(),
1875
+ analysisUrl: z7.string(),
1876
+ fixesCommitted: z7.object({
1877
+ aggregate: z7.object({ count: z7.number() })
1877
1878
  }),
1878
- fixesDownloaded: z10.object({
1879
- aggregate: z10.object({ count: z10.number() })
1879
+ fixesDownloaded: z7.object({
1880
+ aggregate: z7.object({ count: z7.number() })
1880
1881
  }),
1881
- fixesDoneCount: z10.number(),
1882
- fixesInprogressCount: z10.number(),
1883
- fixesReadyCount: z10.object({
1884
- aggregate: z10.object({ count: z10.number() })
1882
+ fixesDoneCount: z7.number(),
1883
+ fixesInprogressCount: z7.number(),
1884
+ fixesReadyCount: z7.object({
1885
+ aggregate: z7.object({ count: z7.number() })
1885
1886
  }),
1886
- issueTypes: z10.record(z10.string(), z10.number()).nullable(),
1887
- issueLanguages: z10.record(z10.string(), z10.number()).nullable(),
1888
- fixesCountByEffort: z10.record(z10.string(), z10.number()).nullable(),
1889
- vulnerabilitySeverities: z10.record(z10.string(), z10.number()).nullable(),
1890
- createdOn: z10.string(),
1891
- expirationOn: z10.string().nullable(),
1892
- state: z10.nativeEnum(Fix_Report_State_Enum),
1893
- failReason: z10.string().nullable(),
1894
- candidateToRerun: z10.boolean(),
1895
- fixes: z10.array(
1896
- z10.object({
1897
- id: z10.string().uuid(),
1898
- safeIssueLanguage: z10.string(),
1899
- safeIssueType: z10.string(),
1900
- confidence: z10.number(),
1901
- effortToApplyFix: z10.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
1902
- modifiedBy: z10.string().nullable(),
1903
- gitBlameLogin: z10.string().nullable(),
1904
- fixReportId: z10.string().uuid(),
1905
- filePaths: z10.array(
1906
- z10.object({
1907
- fileRepoRelativePath: z10.string()
1887
+ issueTypes: z7.record(z7.string(), z7.number()).nullable(),
1888
+ issueLanguages: z7.record(z7.string(), z7.number()).nullable(),
1889
+ fixesCountByEffort: z7.record(z7.string(), z7.number()).nullable(),
1890
+ vulnerabilitySeverities: z7.record(z7.string(), z7.number()).nullable(),
1891
+ createdOn: z7.string(),
1892
+ expirationOn: z7.string().nullable(),
1893
+ state: z7.nativeEnum(Fix_Report_State_Enum),
1894
+ failReason: z7.string().nullable(),
1895
+ candidateToRerun: z7.boolean(),
1896
+ fixes: z7.array(
1897
+ z7.object({
1898
+ id: z7.string().uuid(),
1899
+ safeIssueLanguage: z7.string(),
1900
+ safeIssueType: z7.string(),
1901
+ confidence: z7.number(),
1902
+ effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
1903
+ modifiedBy: z7.string().nullable(),
1904
+ gitBlameLogin: z7.string().nullable(),
1905
+ fixReportId: z7.string().uuid(),
1906
+ filePaths: z7.array(
1907
+ z7.object({
1908
+ fileRepoRelativePath: z7.string()
1908
1909
  })
1909
1910
  ),
1910
1911
  sharedState: FixSharedStateZ,
1911
- numberOfVulnerabilityIssues: z10.number(),
1912
- severityText: z10.nativeEnum(Vulnerability_Severity_Enum),
1913
- vulnerabilityReportIssues: z10.array(
1914
- z10.object({
1915
- id: z10.string().uuid(),
1916
- issueType: z10.string(),
1917
- issueLanguage: z10.string(),
1918
- category: z10.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1912
+ numberOfVulnerabilityIssues: z7.number(),
1913
+ severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
1914
+ vulnerabilityReportIssues: z7.array(
1915
+ z7.object({
1916
+ id: z7.string().uuid(),
1917
+ issueType: z7.string(),
1918
+ issueLanguage: z7.string(),
1919
+ category: z7.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
1919
1920
  sharedState: IssueSharedStateZ2
1920
1921
  })
1921
1922
  )
1922
1923
  })
1923
1924
  ),
1924
- repo: z10.object({
1925
- name: z10.string().nullable(),
1926
- originalUrl: z10.string(),
1927
- reference: z10.string(),
1928
- commitSha: z10.string(),
1929
- isKnownBranch: z10.boolean().nullish().default(true)
1925
+ repo: z7.object({
1926
+ name: z7.string().nullable(),
1927
+ originalUrl: z7.string(),
1928
+ reference: z7.string(),
1929
+ commitSha: z7.string(),
1930
+ isKnownBranch: z7.boolean().nullish().default(true)
1930
1931
  }).nullable().transform(
1931
1932
  (repo) => repo ?? {
1932
1933
  name: null,
@@ -1936,229 +1937,229 @@ var init_types = __esm({
1936
1937
  isKnownBranch: true
1937
1938
  }
1938
1939
  ),
1939
- vulnerabilityReportIssuesFixedCount: z10.object({
1940
- vulnerabilityReportIssues_aggregate: z10.object({
1941
- aggregate: z10.object({ count: z10.number() })
1940
+ vulnerabilityReportIssuesFixedCount: z7.object({
1941
+ vulnerabilityReportIssues_aggregate: z7.object({
1942
+ aggregate: z7.object({ count: z7.number() })
1942
1943
  })
1943
1944
  }),
1944
- vulnerabilityReport: z10.object({
1945
- id: z10.string().uuid(),
1946
- reportSummaryUrl: z10.string().url().nullish(),
1947
- computedVendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1948
- vendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1949
- issuesWithKnownLanguage: z10.number().nullable(),
1950
- scanDate: z10.string().nullable(),
1951
- vendorReportId: z10.string().uuid().nullable(),
1952
- projectId: z10.string().uuid(),
1953
- project: z10.object({
1954
- organizationId: z10.string().uuid()
1945
+ vulnerabilityReport: z7.object({
1946
+ id: z7.string().uuid(),
1947
+ reportSummaryUrl: z7.string().url().nullish(),
1948
+ computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1949
+ vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
1950
+ issuesWithKnownLanguage: z7.number().nullable(),
1951
+ scanDate: z7.string().nullable(),
1952
+ vendorReportId: z7.string().uuid().nullable(),
1953
+ projectId: z7.string().uuid(),
1954
+ project: z7.object({
1955
+ organizationId: z7.string().uuid()
1955
1956
  }),
1956
- file: z10.object({
1957
- id: z10.string().uuid(),
1958
- path: z10.string()
1957
+ file: z7.object({
1958
+ id: z7.string().uuid(),
1959
+ path: z7.string()
1959
1960
  }).nullable(),
1960
- pending: z10.object({
1961
- aggregate: z10.object({
1962
- count: z10.number()
1961
+ pending: z7.object({
1962
+ aggregate: z7.object({
1963
+ count: z7.number()
1963
1964
  })
1964
1965
  }),
1965
- irrelevant: z10.object({
1966
- aggregate: z10.object({
1967
- count: z10.number()
1966
+ irrelevant: z7.object({
1967
+ aggregate: z7.object({
1968
+ count: z7.number()
1968
1969
  })
1969
1970
  }),
1970
- remaining: z10.object({
1971
- aggregate: z10.object({
1972
- count: z10.number()
1971
+ remaining: z7.object({
1972
+ aggregate: z7.object({
1973
+ count: z7.number()
1973
1974
  })
1974
1975
  }),
1975
- digested: z10.object({
1976
- aggregate: z10.object({
1977
- count: z10.number()
1976
+ digested: z7.object({
1977
+ aggregate: z7.object({
1978
+ count: z7.number()
1978
1979
  })
1979
1980
  }),
1980
- supported: z10.object({
1981
- aggregate: z10.object({
1982
- count: z10.number()
1981
+ supported: z7.object({
1982
+ aggregate: z7.object({
1983
+ count: z7.number()
1983
1984
  })
1984
1985
  }),
1985
- all: z10.object({
1986
- aggregate: z10.object({
1987
- count: z10.number()
1986
+ all: z7.object({
1987
+ aggregate: z7.object({
1988
+ count: z7.number()
1988
1989
  })
1989
1990
  }),
1990
- fixable: z10.object({
1991
- aggregate: z10.object({
1992
- count: z10.number()
1991
+ fixable: z7.object({
1992
+ aggregate: z7.object({
1993
+ count: z7.number()
1993
1994
  })
1994
1995
  }),
1995
- errors: z10.object({
1996
- aggregate: z10.object({
1997
- count: z10.number()
1996
+ errors: z7.object({
1997
+ aggregate: z7.object({
1998
+ count: z7.number()
1998
1999
  })
1999
2000
  }),
2000
- vulnerabilityReportIssues: z10.object({
2001
- id: z10.string().uuid(),
2002
- extraData: z10.object({
2003
- missing_files: z10.string().array().nullish(),
2004
- large_files: z10.string().array().nullish(),
2005
- error_files: z10.string().array().nullish(),
2006
- ai_cost_limit_exceeded: z10.string().nullish()
2001
+ vulnerabilityReportIssues: z7.object({
2002
+ id: z7.string().uuid(),
2003
+ extraData: z7.object({
2004
+ missing_files: z7.string().array().nullish(),
2005
+ large_files: z7.string().array().nullish(),
2006
+ error_files: z7.string().array().nullish(),
2007
+ ai_cost_limit_exceeded: z7.string().nullish()
2007
2008
  })
2008
2009
  }).array()
2009
2010
  })
2010
2011
  })
2011
2012
  });
2012
- ReportFixesQueryFixZ = z10.object({
2013
- id: z10.string().uuid(),
2013
+ ReportFixesQueryFixZ = z7.object({
2014
+ id: z7.string().uuid(),
2014
2015
  sharedState: FixSharedStateZ,
2015
- confidence: z10.number(),
2016
- gitBlameLogin: z10.string().nullable(),
2017
- effortToApplyFix: z10.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
2018
- safeIssueLanguage: z10.string(),
2019
- safeIssueType: z10.string(),
2020
- fixReportId: z10.string().uuid(),
2021
- filePaths: z10.array(
2022
- z10.object({
2023
- fileRepoRelativePath: z10.string()
2016
+ confidence: z7.number(),
2017
+ gitBlameLogin: z7.string().nullable(),
2018
+ effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
2019
+ safeIssueLanguage: z7.string(),
2020
+ safeIssueType: z7.string(),
2021
+ fixReportId: z7.string().uuid(),
2022
+ filePaths: z7.array(
2023
+ z7.object({
2024
+ fileRepoRelativePath: z7.string()
2024
2025
  })
2025
2026
  ),
2026
- numberOfVulnerabilityIssues: z10.number(),
2027
- severityText: z10.nativeEnum(Vulnerability_Severity_Enum),
2028
- vulnerabilityReportIssues: z10.array(
2029
- z10.object({
2030
- issueType: z10.string(),
2031
- issueLanguage: z10.string(),
2027
+ numberOfVulnerabilityIssues: z7.number(),
2028
+ severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
2029
+ vulnerabilityReportIssues: z7.array(
2030
+ z7.object({
2031
+ issueType: z7.string(),
2032
+ issueLanguage: z7.string(),
2032
2033
  sharedState: IssueSharedStateZ2
2033
2034
  })
2034
2035
  ).min(1)
2035
2036
  });
2036
- BaseVulnerabilityReportIssueZ = z10.object({
2037
- id: z10.string().uuid(),
2038
- createdAt: z10.string(),
2039
- state: z10.nativeEnum(Vulnerability_Report_Issue_State_Enum),
2040
- safeIssueType: z10.string(),
2041
- safeIssueLanguage: z10.string(),
2042
- extraData: z10.object({
2043
- missing_files: z10.string().array().nullish(),
2044
- large_files: z10.string().array().nullish(),
2045
- error_files: z10.string().array().nullish(),
2046
- ai_cost_limit_exceeded: z10.string().nullish()
2037
+ BaseVulnerabilityReportIssueZ = z7.object({
2038
+ id: z7.string().uuid(),
2039
+ createdAt: z7.string(),
2040
+ state: z7.nativeEnum(Vulnerability_Report_Issue_State_Enum),
2041
+ safeIssueType: z7.string(),
2042
+ safeIssueLanguage: z7.string(),
2043
+ extraData: z7.object({
2044
+ missing_files: z7.string().array().nullish(),
2045
+ large_files: z7.string().array().nullish(),
2046
+ error_files: z7.string().array().nullish(),
2047
+ ai_cost_limit_exceeded: z7.string().nullish()
2047
2048
  }),
2048
2049
  fix: ReportFixesQueryFixZ.nullable(),
2049
- falsePositive: z10.object({
2050
- id: z10.string().uuid()
2050
+ falsePositive: z7.object({
2051
+ id: z7.string().uuid()
2051
2052
  }).nullable(),
2052
2053
  parsedSeverity: ParsedSeverityZ,
2053
- severity: z10.string(),
2054
- severityValue: z10.number(),
2055
- category: z10.string(),
2056
- vulnerabilityReportIssueTags: z10.array(
2057
- z10.object({
2058
- vulnerability_report_issue_tag_value: z10.string()
2054
+ severity: z7.string(),
2055
+ severityValue: z7.number(),
2056
+ category: z7.string(),
2057
+ vulnerabilityReportIssueTags: z7.array(
2058
+ z7.object({
2059
+ vulnerability_report_issue_tag_value: z7.string()
2059
2060
  })
2060
2061
  ),
2061
2062
  sharedState: VulnerabilityReportIssueSharedStateZ
2062
2063
  });
2063
2064
  VulnerabilityReportIssueZ = BaseVulnerabilityReportIssueZ.merge(
2064
- z10.object({
2065
- codeNodes: z10.array(z10.object({ path: z10.string() }))
2065
+ z7.object({
2066
+ codeNodes: z7.array(z7.object({ path: z7.string() }))
2066
2067
  })
2067
2068
  );
2068
2069
  VulnerabilityReportIssueWithCodeFilePathZ = BaseVulnerabilityReportIssueZ.merge(
2069
- z10.object({
2070
- codeFilePath: z10.string().nullable()
2070
+ z7.object({
2071
+ codeFilePath: z7.string().nullable()
2071
2072
  })
2072
2073
  );
2073
- GetReportIssuesQueryZ = z10.object({
2074
- fixReport: z10.object({
2075
- vulnerabilityReport: z10.object({
2076
- id: z10.string().uuid(),
2077
- lastIssueUpdatedAt: z10.string(),
2078
- vulnerabilityReportIssues_aggregate: z10.object({
2079
- aggregate: z10.object({ count: z10.number() })
2074
+ GetReportIssuesQueryZ = z7.object({
2075
+ fixReport: z7.object({
2076
+ vulnerabilityReport: z7.object({
2077
+ id: z7.string().uuid(),
2078
+ lastIssueUpdatedAt: z7.string(),
2079
+ vulnerabilityReportIssues_aggregate: z7.object({
2080
+ aggregate: z7.object({ count: z7.number() })
2080
2081
  }),
2081
- vulnerabilityReportIssues: z10.array(
2082
+ vulnerabilityReportIssues: z7.array(
2082
2083
  VulnerabilityReportIssueWithCodeFilePathZ
2083
2084
  )
2084
2085
  })
2085
2086
  }).array()
2086
2087
  }).nullish();
2087
- FixReportByProjectZ = z10.object({
2088
- project_by_pk: z10.object({
2089
- vulnerabilityReports: z10.array(
2090
- z10.object({
2091
- fixReport: z10.object({ id: z10.string().uuid() }).nullable()
2088
+ FixReportByProjectZ = z7.object({
2089
+ project_by_pk: z7.object({
2090
+ vulnerabilityReports: z7.array(
2091
+ z7.object({
2092
+ fixReport: z7.object({ id: z7.string().uuid() }).nullable()
2092
2093
  })
2093
2094
  )
2094
2095
  })
2095
2096
  });
2096
- FixScreenQueryResultZ = z10.object({
2097
+ FixScreenQueryResultZ = z7.object({
2097
2098
  fixReport_by_pk: FixPageFixReportZ,
2098
2099
  fix_by_pk: FixPartsForFixScreenZ,
2099
- fixesWithSameIssueType: z10.array(
2100
- z10.object({
2101
- id: z10.string().uuid(),
2102
- sharedState: z10.object({ state: z10.nativeEnum(Fix_State_Enum) }).nullable().default({ state: "Ready" /* Ready */ })
2100
+ fixesWithSameIssueType: z7.array(
2101
+ z7.object({
2102
+ id: z7.string().uuid(),
2103
+ sharedState: z7.object({ state: z7.nativeEnum(Fix_State_Enum) }).nullable().default({ state: "Ready" /* Ready */ })
2103
2104
  })
2104
2105
  ),
2105
2106
  relevantIssue: IssuePartsZ.nullish()
2106
2107
  });
2107
- FixPageQueryZ = z10.object({
2108
+ FixPageQueryZ = z7.object({
2108
2109
  data: FixScreenQueryResultZ
2109
2110
  });
2110
- GetReportFixesQueryZ = z10.object({
2111
- fixReport: z10.array(
2112
- z10.object({
2113
- fixes: z10.array(ReportFixesQueryFixZ),
2114
- vulnerabilityReportIssuesTotalCount: z10.object({
2115
- vulnerabilityReportIssues_aggregate: z10.object({
2116
- aggregate: z10.object({ count: z10.number() })
2111
+ GetReportFixesQueryZ = z7.object({
2112
+ fixReport: z7.array(
2113
+ z7.object({
2114
+ fixes: z7.array(ReportFixesQueryFixZ),
2115
+ vulnerabilityReportIssuesTotalCount: z7.object({
2116
+ vulnerabilityReportIssues_aggregate: z7.object({
2117
+ aggregate: z7.object({ count: z7.number() })
2117
2118
  })
2118
2119
  }),
2119
- vulnerabilityReportIssuesFixedCount: z10.object({
2120
- vulnerabilityReportIssues_aggregate: z10.object({
2121
- aggregate: z10.object({ count: z10.number() })
2120
+ vulnerabilityReportIssuesFixedCount: z7.object({
2121
+ vulnerabilityReportIssues_aggregate: z7.object({
2122
+ aggregate: z7.object({ count: z7.number() })
2122
2123
  })
2123
2124
  }),
2124
- vulnerabilityReportIssuesIrrelevantCount: z10.object({
2125
- vulnerabilityReportIssues_aggregate: z10.object({
2126
- aggregate: z10.object({ count: z10.number() })
2125
+ vulnerabilityReportIssuesIrrelevantCount: z7.object({
2126
+ vulnerabilityReportIssues_aggregate: z7.object({
2127
+ aggregate: z7.object({ count: z7.number() })
2127
2128
  })
2128
2129
  }),
2129
- vulnerabilityReportIssuesRemainingCount: z10.object({
2130
- vulnerabilityReportIssues_aggregate: z10.object({
2131
- aggregate: z10.object({ count: z10.number() })
2130
+ vulnerabilityReportIssuesRemainingCount: z7.object({
2131
+ vulnerabilityReportIssues_aggregate: z7.object({
2132
+ aggregate: z7.object({ count: z7.number() })
2132
2133
  })
2133
2134
  })
2134
2135
  })
2135
2136
  )
2136
2137
  }).nullish();
2137
- GetFixReportStatsQueryZ = z10.object({
2138
- fixReport_by_pk: z10.object({
2139
- id: z10.string().uuid(),
2140
- vulnerabilitySeverities: z10.record(z10.nativeEnum(Vulnerability_Severity_Enum), z10.number()).nullable(),
2141
- vulnerabilityReportIrrelevantIssuesCount: z10.object({
2142
- vulnerabilityReportIssues_aggregate: z10.object({
2143
- aggregate: z10.object({ count: z10.number() })
2138
+ GetFixReportStatsQueryZ = z7.object({
2139
+ fixReport_by_pk: z7.object({
2140
+ id: z7.string().uuid(),
2141
+ vulnerabilitySeverities: z7.record(z7.nativeEnum(Vulnerability_Severity_Enum), z7.number()).nullable(),
2142
+ vulnerabilityReportIrrelevantIssuesCount: z7.object({
2143
+ vulnerabilityReportIssues_aggregate: z7.object({
2144
+ aggregate: z7.object({ count: z7.number() })
2144
2145
  })
2145
2146
  })
2146
2147
  }).nullable()
2147
2148
  });
2148
- ProjectVulnerabilityReport = z10.object({
2149
- id: z10.string().uuid(),
2150
- name: z10.string().nullable(),
2151
- vendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2152
- computedVendor: z10.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2153
- fixReport: z10.object({
2154
- id: z10.string().uuid(),
2155
- createdOn: z10.string(),
2156
- issueTypes: z10.record(z10.string(), z10.number()).nullable(),
2157
- issueLanguages: z10.record(z10.nativeEnum(IssueLanguage_Enum), z10.number()).nullable(),
2158
- repo: z10.object({
2159
- originalUrl: z10.string(),
2160
- reference: z10.string(),
2161
- name: z10.string()
2149
+ ProjectVulnerabilityReport = z7.object({
2150
+ id: z7.string().uuid(),
2151
+ name: z7.string().nullable(),
2152
+ vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2153
+ computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
2154
+ fixReport: z7.object({
2155
+ id: z7.string().uuid(),
2156
+ createdOn: z7.string(),
2157
+ issueTypes: z7.record(z7.string(), z7.number()).nullable(),
2158
+ issueLanguages: z7.record(z7.nativeEnum(IssueLanguage_Enum), z7.number()).nullable(),
2159
+ repo: z7.object({
2160
+ originalUrl: z7.string(),
2161
+ reference: z7.string(),
2162
+ name: z7.string()
2162
2163
  }).nullable().transform(
2163
2164
  (repo) => repo ?? {
2164
2165
  originalUrl: "",
@@ -2166,64 +2167,64 @@ var init_types = __esm({
2166
2167
  name: ""
2167
2168
  }
2168
2169
  ),
2169
- createdByUser: z10.object({
2170
- email: z10.string()
2170
+ createdByUser: z7.object({
2171
+ email: z7.string()
2171
2172
  }).nullable(),
2172
- state: z10.nativeEnum(Fix_Report_State_Enum),
2173
- expirationOn: z10.string()
2173
+ state: z7.nativeEnum(Fix_Report_State_Enum),
2174
+ expirationOn: z7.string()
2174
2175
  })
2175
2176
  });
2176
- GetProjectsQueryZ = z10.object({
2177
- organization: z10.object({
2178
- id: z10.string(),
2179
- projects: z10.array(
2180
- z10.object({
2181
- id: z10.string().uuid(),
2182
- name: z10.string(),
2183
- numberOfUniqueRepos: z10.number()
2177
+ GetProjectsQueryZ = z7.object({
2178
+ organization: z7.object({
2179
+ id: z7.string(),
2180
+ projects: z7.array(
2181
+ z7.object({
2182
+ id: z7.string().uuid(),
2183
+ name: z7.string(),
2184
+ numberOfUniqueRepos: z7.number()
2184
2185
  })
2185
2186
  )
2186
2187
  })
2187
2188
  });
2188
- ProjectPageQueryResultZ = z10.object({
2189
- name: z10.string(),
2190
- id: z10.string().uuid(),
2191
- isDefault: z10.boolean().default(false),
2192
- organizationId: z10.string().uuid(),
2193
- vulnerabilityReports: z10.array(ProjectVulnerabilityReport),
2194
- autoPrIncludeAiFixes: z10.preprocess(
2189
+ ProjectPageQueryResultZ = z7.object({
2190
+ name: z7.string(),
2191
+ id: z7.string().uuid(),
2192
+ isDefault: z7.boolean().default(false),
2193
+ organizationId: z7.string().uuid(),
2194
+ vulnerabilityReports: z7.array(ProjectVulnerabilityReport),
2195
+ autoPrIncludeAiFixes: z7.preprocess(
2195
2196
  (val) => val === null || val === void 0 ? false : val,
2196
- z10.boolean()
2197
+ z7.boolean()
2197
2198
  ),
2198
- projectIssueTypeSettings: z10.array(
2199
- IssueTypeSettingZ.merge(z10.object({ id: z10.string() }))
2199
+ projectIssueTypeSettings: z7.array(
2200
+ IssueTypeSettingZ.merge(z7.object({ id: z7.string() }))
2200
2201
  )
2201
2202
  });
2202
- GetProjectMembersDataZ = z10.object({
2203
- project_by_pk: z10.object({
2204
- name: z10.string(),
2205
- id: z10.string(),
2206
- projectUsers: z10.array(
2207
- z10.object({
2208
- projectToRole: z10.object({
2209
- projectRole: z10.object({
2210
- type: z10.nativeEnum(Project_Role_Type_Enum)
2203
+ GetProjectMembersDataZ = z7.object({
2204
+ project_by_pk: z7.object({
2205
+ name: z7.string(),
2206
+ id: z7.string(),
2207
+ projectUsers: z7.array(
2208
+ z7.object({
2209
+ projectToRole: z7.object({
2210
+ projectRole: z7.object({
2211
+ type: z7.nativeEnum(Project_Role_Type_Enum)
2211
2212
  })
2212
2213
  }),
2213
- user: z10.object({
2214
- id: z10.string().uuid(),
2215
- picture: z10.string().nullable().optional(),
2216
- name: z10.string().nullish(),
2217
- email: z10.string().email()
2214
+ user: z7.object({
2215
+ id: z7.string().uuid(),
2216
+ picture: z7.string().nullable().optional(),
2217
+ name: z7.string().nullish(),
2218
+ email: z7.string().email()
2218
2219
  })
2219
2220
  })
2220
2221
  )
2221
2222
  })
2222
2223
  });
2223
- RepoArgsZ = z10.object({
2224
- originalUrl: z10.string().url(),
2225
- branch: z10.string(),
2226
- commitSha: z10.string()
2224
+ RepoArgsZ = z7.object({
2225
+ originalUrl: z7.string().url(),
2226
+ branch: z7.string(),
2227
+ commitSha: z7.string()
2227
2228
  });
2228
2229
  scmCloudUrl = {
2229
2230
  GitLab: "https://gitlab.com",
@@ -2257,7 +2258,7 @@ var init_types2 = __esm({
2257
2258
  });
2258
2259
 
2259
2260
  // src/features/analysis/scm/shared/src/urlParser/urlParser.ts
2260
- import { z as z11 } from "zod";
2261
+ import { z as z8 } from "zod";
2261
2262
  function computeCanonicalUrl(data) {
2262
2263
  const {
2263
2264
  scmType,
@@ -2299,7 +2300,7 @@ function detectAdoUrl(args) {
2299
2300
  scmType: "Ado" /* Ado */,
2300
2301
  organization,
2301
2302
  // project has single repo - repoName === projectName
2302
- projectName: z11.string().parse(projectName),
2303
+ projectName: z8.string().parse(projectName),
2303
2304
  repoName: projectName,
2304
2305
  prefixPath
2305
2306
  };
@@ -2310,7 +2311,7 @@ function detectAdoUrl(args) {
2310
2311
  return {
2311
2312
  scmType: "Ado" /* Ado */,
2312
2313
  organization,
2313
- projectName: z11.string().parse(projectName),
2314
+ projectName: z8.string().parse(projectName),
2314
2315
  repoName,
2315
2316
  prefixPath
2316
2317
  };
@@ -2324,7 +2325,7 @@ function detectAdoUrl(args) {
2324
2325
  scmType: "Ado" /* Ado */,
2325
2326
  organization,
2326
2327
  // project has only one repo - repoName === projectName
2327
- projectName: z11.string().parse(repoName),
2328
+ projectName: z8.string().parse(repoName),
2328
2329
  repoName,
2329
2330
  prefixPath
2330
2331
  };
@@ -2334,7 +2335,7 @@ function detectAdoUrl(args) {
2334
2335
  return {
2335
2336
  scmType: "Ado" /* Ado */,
2336
2337
  organization,
2337
- projectName: z11.string().parse(projectName),
2338
+ projectName: z8.string().parse(projectName),
2338
2339
  repoName,
2339
2340
  prefixPath
2340
2341
  };
@@ -2410,7 +2411,7 @@ function parseSshUrl(scmURL, scmType) {
2410
2411
  if (pathElements.length === 3) {
2411
2412
  const [organization2, projectName, repoName2] = pathElements;
2412
2413
  if (organization2?.match(NAME_REGEX) && projectName && repoName2?.match(NAME_REGEX)) {
2413
- const parsedProjectName = z11.string().parse(projectName);
2414
+ const parsedProjectName = z8.string().parse(projectName);
2414
2415
  return {
2415
2416
  scmType: "Ado" /* Ado */,
2416
2417
  hostname: normalizedHostname,
@@ -2638,17 +2639,17 @@ var init_urlParser2 = __esm({
2638
2639
  });
2639
2640
 
2640
2641
  // src/features/analysis/scm/env.ts
2641
- import { z as z14 } from "zod";
2642
+ import { z as z11 } from "zod";
2642
2643
  var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
2643
2644
  var init_env = __esm({
2644
2645
  "src/features/analysis/scm/env.ts"() {
2645
2646
  "use strict";
2646
- EnvVariablesZod = z14.object({
2647
- GITLAB_API_TOKEN: z14.string().optional(),
2648
- GITHUB_API_TOKEN: z14.string().optional(),
2649
- GIT_PROXY_HOST: z14.string().optional().default("http://tinyproxy:8888"),
2650
- MAX_UPLOAD_FILE_SIZE_MB: z14.coerce.number().gt(0).default(2),
2651
- GITHUB_API_CONCURRENCY: z14.coerce.number().gt(0).optional().default(10)
2647
+ EnvVariablesZod = z11.object({
2648
+ GITLAB_API_TOKEN: z11.string().optional(),
2649
+ GITHUB_API_TOKEN: z11.string().optional(),
2650
+ GIT_PROXY_HOST: z11.string().optional().default("http://tinyproxy:8888"),
2651
+ MAX_UPLOAD_FILE_SIZE_MB: z11.coerce.number().gt(0).default(2),
2652
+ GITHUB_API_CONCURRENCY: z11.coerce.number().gt(0).optional().default(10)
2652
2653
  });
2653
2654
  ({
2654
2655
  GITLAB_API_TOKEN,
@@ -2685,7 +2686,7 @@ var init_configs = __esm({
2685
2686
  });
2686
2687
 
2687
2688
  // src/utils/blame/gitBlameTypes.ts
2688
- import { z as z17 } from "zod";
2689
+ import { z as z14 } from "zod";
2689
2690
  function parseCoAuthorValue(raw) {
2690
2691
  const trimmed = raw.trim();
2691
2692
  if (!trimmed) {
@@ -2721,9 +2722,9 @@ var PrepareGitBlameMessageZ, PrepareGitBlameResponseMessageZ, CommitMetadataZ, L
2721
2722
  var init_gitBlameTypes = __esm({
2722
2723
  "src/utils/blame/gitBlameTypes.ts"() {
2723
2724
  "use strict";
2724
- PrepareGitBlameMessageZ = z17.object({
2725
- reportId: z17.string(),
2726
- repoArchivePath: z17.string(),
2725
+ PrepareGitBlameMessageZ = z14.object({
2726
+ reportId: z14.string(),
2727
+ repoArchivePath: z14.string(),
2727
2728
  // Optional list of file paths to blame. Producers must pick one of two modes:
2728
2729
  //
2729
2730
  // - **Omit `filePaths`** = "blame every file in the archive". Used by the
@@ -2739,132 +2740,132 @@ var init_gitBlameTypes = __esm({
2739
2740
  // "Login.java" when the actual file is "src/main/java/Login.java") are
2740
2741
  // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
2741
2742
  // strings are filtered out defensively.
2742
- filePaths: z17.array(z17.string()).optional()
2743
- });
2744
- PrepareGitBlameResponseMessageZ = z17.object({
2745
- reportId: z17.string()
2746
- });
2747
- CommitMetadataZ = z17.object({
2748
- author: z17.string().optional(),
2749
- "author-mail": z17.string().optional(),
2750
- "author-time": z17.string().optional(),
2751
- "author-tz": z17.string().optional(),
2752
- committer: z17.string().optional(),
2753
- "committer-mail": z17.string().optional(),
2754
- "committer-time": z17.string().optional(),
2755
- "committer-tz": z17.string().optional(),
2756
- summary: z17.string().optional(),
2757
- filename: z17.string().optional()
2758
- });
2759
- LineToCommitMapZ = z17.record(z17.string(), z17.string());
2760
- CommitMetadataMapZ = z17.record(z17.string(), CommitMetadataZ);
2761
- BlameInfoZ = z17.object({
2743
+ filePaths: z14.array(z14.string()).optional()
2744
+ });
2745
+ PrepareGitBlameResponseMessageZ = z14.object({
2746
+ reportId: z14.string()
2747
+ });
2748
+ CommitMetadataZ = z14.object({
2749
+ author: z14.string().optional(),
2750
+ "author-mail": z14.string().optional(),
2751
+ "author-time": z14.string().optional(),
2752
+ "author-tz": z14.string().optional(),
2753
+ committer: z14.string().optional(),
2754
+ "committer-mail": z14.string().optional(),
2755
+ "committer-time": z14.string().optional(),
2756
+ "committer-tz": z14.string().optional(),
2757
+ summary: z14.string().optional(),
2758
+ filename: z14.string().optional()
2759
+ });
2760
+ LineToCommitMapZ = z14.record(z14.string(), z14.string());
2761
+ CommitMetadataMapZ = z14.record(z14.string(), CommitMetadataZ);
2762
+ BlameInfoZ = z14.object({
2762
2763
  lineToCommit: LineToCommitMapZ,
2763
2764
  commitMetadata: CommitMetadataMapZ
2764
2765
  });
2765
- LineRangeZ = z17.object({
2766
+ LineRangeZ = z14.object({
2766
2767
  /** First line in chunk (1-indexed) */
2767
- start: z17.number(),
2768
+ start: z14.number(),
2768
2769
  /** Last line in chunk (inclusive) */
2769
- end: z17.number()
2770
- });
2771
- PrContextZ = z17.object({
2772
- prNumber: z17.number(),
2773
- repositoryUrl: z17.string(),
2774
- organizationId: z17.string(),
2775
- userEmail: z17.string(),
2776
- source: z17.enum(["pr", "github"]),
2777
- githubContext: z17.object({
2778
- prNumber: z17.number(),
2779
- installationId: z17.number(),
2780
- repositoryURL: z17.string()
2770
+ end: z14.number()
2771
+ });
2772
+ PrContextZ = z14.object({
2773
+ prNumber: z14.number(),
2774
+ repositoryUrl: z14.string(),
2775
+ organizationId: z14.string(),
2776
+ userEmail: z14.string(),
2777
+ source: z14.enum(["pr", "github"]),
2778
+ githubContext: z14.object({
2779
+ prNumber: z14.number(),
2780
+ installationId: z14.number(),
2781
+ repositoryURL: z14.string()
2781
2782
  }).optional()
2782
2783
  });
2783
- PrepareCommitBlameMessageZ = z17.object({
2784
+ PrepareCommitBlameMessageZ = z14.object({
2784
2785
  /** Commit blame request ID from database (for tracking and updating status) */
2785
- commitBlameRequestId: z17.string(),
2786
+ commitBlameRequestId: z14.string(),
2786
2787
  /** Organization ID (for org-scoped caching) */
2787
- organizationId: z17.string(),
2788
+ organizationId: z14.string(),
2788
2789
  /** Full repository URL (e.g., https://github.com/org/repo) */
2789
- repositoryUrl: z17.string(),
2790
+ repositoryUrl: z14.string(),
2790
2791
  /** Commit SHA to analyze (typically PR head commit) */
2791
- commitSha: z17.string(),
2792
+ commitSha: z14.string(),
2792
2793
  /** Authentication headers for repository access (e.g., GitHub token) */
2793
- extraHeaders: z17.record(z17.string(), z17.string()).default({}),
2794
+ extraHeaders: z14.record(z14.string(), z14.string()).default({}),
2794
2795
  // --- PR analysis fields ---
2795
2796
  /** Target branch name (from getPr() base.ref). When set, enables PR analysis mode. */
2796
- targetBranch: z17.string().optional(),
2797
+ targetBranch: z14.string().optional(),
2797
2798
  /** Context for triggering blame attribution analysis after SCM agent completes. */
2798
2799
  prContext: PrContextZ.optional(),
2799
2800
  /** User email for blame attribution analysis trigger context (used for both PR and single commit flows). */
2800
- userEmail: z17.string().optional()
2801
+ userEmail: z14.string().optional()
2801
2802
  });
2802
- BlameLineInfoZ = z17.object({
2803
+ BlameLineInfoZ = z14.object({
2803
2804
  /** Line number as it appeared in the introducing commit */
2804
- originalLineNumber: z17.number(),
2805
+ originalLineNumber: z14.number(),
2805
2806
  /** Commit SHA that introduced this line */
2806
- commitSha: z17.string(),
2807
+ commitSha: z14.string(),
2807
2808
  /** Author name for this line */
2808
- authorName: z17.string().optional(),
2809
+ authorName: z14.string().optional(),
2809
2810
  /** Author email for this line */
2810
- authorEmail: z17.string().optional()
2811
+ authorEmail: z14.string().optional()
2811
2812
  }).nullable();
2812
- FileBlameDataZ = z17.array(BlameLineInfoZ);
2813
- ChunkFetchResultZ = z17.object({
2814
- filePath: z17.string(),
2815
- lines: z17.array(z17.number()),
2813
+ FileBlameDataZ = z14.array(BlameLineInfoZ);
2814
+ ChunkFetchResultZ = z14.object({
2815
+ filePath: z14.string(),
2816
+ lines: z14.array(z14.number()),
2816
2817
  data: FileBlameDataZ.nullable()
2817
2818
  });
2818
- FileBlameResponseEntryZ = z17.object({
2819
+ FileBlameResponseEntryZ = z14.object({
2819
2820
  /** Chunk index (0 for small files, 0-N for large file chunks) */
2820
- chunkIndex: z17.number(),
2821
+ chunkIndex: z14.number(),
2821
2822
  /** Blame data array (1-indexed, index 0 is null) */
2822
2823
  blameData: FileBlameDataZ
2823
2824
  });
2824
- CommitBlameDataZ = z17.record(
2825
- z17.string(),
2825
+ CommitBlameDataZ = z14.record(
2826
+ z14.string(),
2826
2827
  // fileName
2827
- z17.array(FileBlameResponseEntryZ)
2828
+ z14.array(FileBlameResponseEntryZ)
2828
2829
  );
2829
- CommitInfoZ = z17.object({
2830
+ CommitInfoZ = z14.object({
2830
2831
  /** Number of parent commits (1 = normal commit, 2+ = merge commit, null = failed to determine) */
2831
- parentCount: z17.number().nullable()
2832
+ parentCount: z14.number().nullable()
2832
2833
  });
2833
- GitIdentityZ = z17.object({
2834
- name: z17.string(),
2835
- email: z17.string()
2834
+ GitIdentityZ = z14.object({
2835
+ name: z14.string(),
2836
+ email: z14.string()
2836
2837
  });
2837
2838
  COMMIT_LOG_FORMAT = "%H%x00%ae%x00%an%x00%ce%x00%cn%x00%at%x00%s%x00%(trailers:key=Co-authored-by,valueonly,separator=%x00)";
2838
- CommitDataZ = z17.object({
2839
- diff: z17.string(),
2839
+ CommitDataZ = z14.object({
2840
+ diff: z14.string(),
2840
2841
  author: GitIdentityZ,
2841
2842
  committer: GitIdentityZ,
2842
- coAuthors: z17.array(GitIdentityZ),
2843
- timestamp: z17.number(),
2843
+ coAuthors: z14.array(GitIdentityZ),
2844
+ timestamp: z14.number(),
2844
2845
  // Unix timestamp in seconds
2845
- message: z17.string().optional(),
2846
- parentCount: z17.number().nullable()
2846
+ message: z14.string().optional(),
2847
+ parentCount: z14.number().nullable()
2847
2848
  });
2848
- PrDiffDataZ = z17.object({
2849
- diff: z17.string()
2849
+ PrDiffDataZ = z14.object({
2850
+ diff: z14.string()
2850
2851
  });
2851
- PrStatsZ = z17.object({
2852
- additions: z17.number(),
2853
- deletions: z17.number()
2852
+ PrStatsZ = z14.object({
2853
+ additions: z14.number(),
2854
+ deletions: z14.number()
2854
2855
  });
2855
- CommitsManifestZ = z17.object({
2856
- commits: z17.array(z17.string())
2856
+ CommitsManifestZ = z14.object({
2857
+ commits: z14.array(z14.string())
2857
2858
  // Array of commit SHAs in order
2858
2859
  });
2859
- BlameLineEntryZ = z17.object({
2860
+ BlameLineEntryZ = z14.object({
2860
2861
  /** Current file path in the PR head (what git blame was invoked on). */
2861
- file: z17.string(),
2862
+ file: z14.string(),
2862
2863
  /** Current line number in the PR head. */
2863
- line: z17.number(),
2864
+ line: z14.number(),
2864
2865
  /** SHA of the commit that originally authored this line. */
2865
- originalCommitSha: z17.string(),
2866
+ originalCommitSha: z14.string(),
2866
2867
  /** Line number as it was in `originalCommitSha`. */
2867
- originalLineNumber: z17.number(),
2868
+ originalLineNumber: z14.number(),
2868
2869
  /**
2869
2870
  * File path as it was in `originalCommitSha` at the time that commit
2870
2871
  * authored this line. When a file has been renamed since, this differs
@@ -2877,24 +2878,24 @@ var init_gitBlameTypes = __esm({
2877
2878
  * must treat empty as "fall back to `file`" (see enrichDiffLines,
2878
2879
  * targetedBlame).
2879
2880
  */
2880
- originalFile: z17.string().default("")
2881
+ originalFile: z14.string().default("")
2881
2882
  });
2882
- BlameLinesDataZ = z17.object({
2883
- lines: z17.array(BlameLineEntryZ)
2883
+ BlameLinesDataZ = z14.object({
2884
+ lines: z14.array(BlameLineEntryZ)
2884
2885
  });
2885
- PrepareCommitBlameResponseMessageZ = z17.object({
2886
+ PrepareCommitBlameResponseMessageZ = z14.object({
2886
2887
  /** Commit blame request ID (matches request, used to update specific DB record) */
2887
- commitBlameRequestId: z17.string(),
2888
+ commitBlameRequestId: z14.string(),
2888
2889
  /** Organization ID (matches request) */
2889
- organizationId: z17.string(),
2890
+ organizationId: z14.string(),
2890
2891
  /** Repository URL (matches request) */
2891
- repositoryUrl: z17.string(),
2892
+ repositoryUrl: z14.string(),
2892
2893
  /** Commit SHA analyzed (matches request) */
2893
- commitSha: z17.string(),
2894
+ commitSha: z14.string(),
2894
2895
  /** Processing status */
2895
- status: z17.enum(["success", "failure"]),
2896
+ status: z14.enum(["success", "failure"]),
2896
2897
  /** Error message (only present if status is 'failure') */
2897
- error: z17.string().optional(),
2898
+ error: z14.string().optional(),
2898
2899
  /**
2899
2900
  * Blame data for all processed files/chunks.
2900
2901
  * Empty dictionary if status is 'failure'.
@@ -2906,29 +2907,29 @@ var init_gitBlameTypes = __esm({
2906
2907
  * Keyed by commit SHA, deduplicated.
2907
2908
  * Empty dictionary if status is 'failure'.
2908
2909
  */
2909
- commits: z17.record(z17.string(), CommitInfoZ).default({}),
2910
+ commits: z14.record(z14.string(), CommitInfoZ).default({}),
2910
2911
  // --- New PR diff computation response fields ---
2911
2912
  /** S3 paths for commit-level data (commitSha → S3 key). Present in PR analysis mode and single commit mode. */
2912
- commitDataS3Paths: z17.record(z17.string(), z17.string()).optional(),
2913
+ commitDataS3Paths: z14.record(z14.string(), z14.string()).optional(),
2913
2914
  /** S3 key for PR diff JSON. Present in PR analysis mode. */
2914
- prDiffS3Path: z17.string().optional(),
2915
+ prDiffS3Path: z14.string().optional(),
2915
2916
  /** S3 key for commits manifest. Present in PR analysis mode. */
2916
- commitsManifestS3Path: z17.string().optional(),
2917
+ commitsManifestS3Path: z14.string().optional(),
2917
2918
  /** S3 key for per-line targeted blame data. Present in PR analysis mode. */
2918
- blameLinesS3Path: z17.string().optional(),
2919
+ blameLinesS3Path: z14.string().optional(),
2919
2920
  /** S3 key for PR stats (additions/deletions). Present in PR analysis mode. */
2920
- prStatsS3Path: z17.string().optional(),
2921
+ prStatsS3Path: z14.string().optional(),
2921
2922
  /** PR context passed through from request for response handler. */
2922
2923
  prContext: PrContextZ.optional(),
2923
2924
  /** PR title from the request metadata (passed through). */
2924
- prTitle: z17.string().optional(),
2925
+ prTitle: z14.string().optional(),
2925
2926
  /** User email passed through from request for single commit blame attribution analysis trigger. */
2926
- userEmail: z17.string().optional()
2927
+ userEmail: z14.string().optional()
2927
2928
  });
2928
- VulnerabilityAttributionMessageZ = z17.object({
2929
- fixReportId: z17.string().uuid(),
2930
- vulnerabilityAttributionRequestId: z17.string().uuid(),
2931
- userEmail: z17.string()
2929
+ VulnerabilityAttributionMessageZ = z14.object({
2930
+ fixReportId: z14.string().uuid(),
2931
+ vulnerabilityAttributionRequestId: z14.string().uuid(),
2932
+ userEmail: z14.string()
2932
2933
  });
2933
2934
  }
2934
2935
  });
@@ -4262,1755 +4263,176 @@ var contextLogger = {
4262
4263
  const logger3 = await createContextLogger();
4263
4264
  return logger3.warn(message, data);
4264
4265
  },
4265
- error: async (message, data) => {
4266
- const logger3 = await createContextLogger();
4267
- return logger3.error(message, data);
4268
- }
4269
- };
4270
-
4271
- // src/features/analysis/scm/errors.ts
4272
- var InvalidAccessTokenError = class extends Error {
4273
- constructor(m, scmType) {
4274
- super(m);
4275
- this.scmType = scmType;
4276
- }
4277
- };
4278
- var InvalidUrlPatternError = class extends Error {
4279
- constructor(m, scmType) {
4280
- super(m);
4281
- this.scmType = scmType;
4282
- }
4283
- };
4284
- var RefNotFoundError = class extends Error {
4285
- constructor(m) {
4286
- super(m);
4287
- }
4288
- };
4289
- var ScmBadCredentialsError = class extends Error {
4290
- constructor(m, scmType) {
4291
- super(m);
4292
- this.scmType = scmType;
4293
- }
4294
- };
4295
- var InvalidRepoUrlError = class extends Error {
4296
- constructor(m, scmType) {
4297
- super(m);
4298
- this.scmType = scmType;
4299
- }
4300
- };
4301
- var RepoNoTokenAccessError = class extends Error {
4302
- constructor(m, scmType) {
4303
- super(m);
4304
- this.scmType = scmType;
4305
- }
4306
- };
4307
- var RateLimitError = class extends Error {
4308
- constructor(m, scmType, retryAfter) {
4309
- super(m);
4310
- this.scmType = scmType;
4311
- this.retryAfter = retryAfter;
4312
- }
4313
- };
4314
- var NetworkError = class extends Error {
4315
- constructor(m, scmType, errorCode) {
4316
- super(m);
4317
- this.scmType = scmType;
4318
- this.errorCode = errorCode;
4319
- }
4320
- };
4321
-
4322
- // src/features/analysis/scm/utils/index.ts
4323
- import { z as z13 } from "zod";
4324
-
4325
- // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
4326
- init_client_generates();
4327
- init_getIssueType();
4328
- init_issueTypeCatalog();
4329
- function capitalizeFirstLetter(str) {
4330
- return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
4331
- }
4332
- function lowercaseFirstLetter(str) {
4333
- if (!str) return str;
4334
- return `${str.charAt(0).toLowerCase()}${str.slice(1)}`;
4335
- }
4336
- var severityToEmoji = {
4337
- ["critical" /* Critical */]: "\u{1F6A8}",
4338
- ["high" /* High */]: "\u{1F6A9}",
4339
- ["medium" /* Medium */]: "\u{1F7E1}",
4340
- ["low" /* Low */]: "\u{1F7E2}"
4341
- };
4342
- var getCommitDescription = ({
4343
- vendor,
4344
- issueType,
4345
- severity,
4346
- guidances,
4347
- fixUrl,
4348
- irrelevantIssueWithTags
4349
- }) => {
4350
- const issueTypeString = getIssueTypeFriendlyString(issueType);
4351
- let description = `This change fixes a **${severity} severity** (${severityToEmoji[severity]}) **${issueTypeString}** issue reported by **${capitalizeFirstLetter(
4352
- vendor
4353
- )}**.
4354
-
4355
- `;
4356
- if (issueType) {
4357
- if (irrelevantIssueWithTags?.[0]?.tag) {
4358
- description += `
4359
- > [!tip]
4360
- > This issue was found to be irrelevant to your project - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4361
- > Mobb recommends to ignore this issue, however fix is available if you think differently.
4362
-
4363
-
4364
- ## Justification
4365
- ${issueDescription[irrelevantIssueWithTags[0].tag]}
4366
- `;
4367
- }
4368
- const catalogEntry = getIssueTypeCatalogEntry(issueType);
4369
- if (catalogEntry?.issueDescription) {
4370
- description += `## Issue description
4371
- ${catalogEntry.issueDescription}
4372
- `;
4373
- if (catalogEntry.fixInstructions) {
4374
- description += `
4375
- ## Fix instructions
4376
- ${catalogEntry.fixInstructions}
4377
- `;
4378
- }
4379
- }
4380
- }
4381
- description += `
4382
- ${guidances.map(({ guidance }) => `## Additional actions required
4383
- ${guidance}
4384
- `).join("")}
4385
- `;
4386
- if (fixUrl) {
4387
- description += `
4388
- [More info and fix customization are available in the Mobb platform](${fixUrl})`;
4389
- }
4390
- return description;
4391
- };
4392
- var getCommitIssueDescription = ({
4393
- vendor,
4394
- issueType,
4395
- irrelevantIssueWithTags,
4396
- fpDescription,
4397
- unfixableDescription
4398
- }) => {
4399
- const issueTypeString = getIssueTypeFriendlyString(issueType);
4400
- let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4401
- `;
4402
- if (issueType) {
4403
- if (irrelevantIssueWithTags?.[0]?.tag) {
4404
- description = `
4405
- > [!tip]
4406
- > The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4407
- > ${issueTypeString} - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4408
- > Mobb recommends to ignore this issue, however fix is available if you think differently.
4409
-
4410
-
4411
- ## Justification
4412
- ${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
4413
- `;
4414
- }
4415
- const catalogEntry = getIssueTypeCatalogEntry(issueType);
4416
- if (catalogEntry?.issueDescription) {
4417
- description += `## Issue description
4418
- ${catalogEntry.issueDescription}
4419
- `;
4420
- }
4421
- }
4422
- return description;
4423
- };
4424
-
4425
- // src/features/analysis/scm/shared/src/index.ts
4426
- init_getIssueType();
4427
-
4428
- // src/features/analysis/scm/shared/src/guidances.ts
4429
- init_client_generates();
4430
- init_getIssueType();
4431
- import { z as z4 } from "zod";
4432
-
4433
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4434
- init_client_generates();
4435
- import { z as z2 } from "zod";
4436
-
4437
- // src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
4438
- var passwordInComment = {
4439
- guidance: () => "Removing sensitive information from the comments is not enough. To ensure the security of your data, you have to rotate passwords and tokens and update all places where they were used."
4440
- };
4441
-
4442
- // src/features/analysis/scm/shared/src/storedFixData/csharp/missingAntiForgeryValidation.ts
4443
- var missingAntiForgeryValidation = {
4444
- guidance: () => `The \`ValidateAntiForgeryToken\` attribute helps prevent cross-site request forgery (CSRF) attacks. The token is automatically injected into the view by the [FormTagHelper](https://learn.microsoft.com/en-us/aspnet/core/mvc/views/working-with-forms?view=aspnetcore-8.0#the-form-tag-helper)
4445
- and is included when the form is submitted by the user. The token is validated by the \`ValidateAntiForgeryToken\` attribute. The token could be also generated using the [Html.AntiForgeryToken](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.htmlhelper.antiforgerytoken?view=aspnet-mvc-5.2) helper.
4446
-
4447
-  
4448
-
4449
-
4450
- ***Make sure this controller's client provides the validation token before approving this change.***
4451
-
4452
-  
4453
-
4454
-
4455
- This is an illustration of how the form will look like:
4456
-
4457
-  
4458
-
4459
- <form method="post" action="/Action">
4460
- <!-- Input and Submit elements -->
4461
- <input name="__RequestVerificationToken"
4462
- type="hidden" value="<removed for brevity>">
4463
- </form>
4464
-
4465
-
4466
- ***Notice the \`__RequestVerificationToken\` parameters.***
4467
- `
4468
- };
4469
-
4470
- // src/features/analysis/scm/shared/src/storedFixData/csharp/index.ts
4471
- var vulnerabilities = {
4472
- ["MISSING_ANTIFORGERY_VALIDATION"]: missingAntiForgeryValidation,
4473
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4474
- };
4475
- var csharp_default = vulnerabilities;
4476
-
4477
- // src/features/analysis/scm/shared/src/storedFixData/dockerfile/index.ts
4478
- var vulnerabilities2 = {};
4479
- var dockerfile_default = vulnerabilities2;
4480
-
4481
- // src/features/analysis/scm/shared/src/storedFixData/go/index.ts
4482
- var vulnerabilities3 = {};
4483
- var go_default = vulnerabilities3;
4484
-
4485
- // src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
4486
- var vulnerabilities4 = {};
4487
- var hcl_default = vulnerabilities4;
4488
-
4489
- // src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
4490
- var insecureDeserialization = {
4491
- guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
4492
- };
4493
-
4494
- // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
4495
- var j2eeGetConnection = {
4496
- guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
4497
-
4498
-
4499
- &nbsp;
4500
-
4501
- ***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
4502
-
4503
- - **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
4504
- - **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
4505
- - **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
4506
- - **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
4507
-
4508
-
4509
- &nbsp;
4510
-
4511
- Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
4512
-
4513
-
4514
- &nbsp;
4515
-
4516
- This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
4517
- };
4518
-
4519
- // src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
4520
- var systemInformationLeak = {
4521
- guidance: ({
4522
- clientMightBeAffected
4523
- }) => {
4524
- if (clientMightBeAffected) {
4525
- return "You should never expose error details to the client. We removed the error details from the response. Ensure the client application code does not rely on the removed information.";
4526
- }
4527
- return "";
4528
- }
4529
- };
4530
-
4531
- // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
4532
- var vulnerabilities5 = {
4533
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4534
- ["INSECURE_DESERIALIZATION"]: insecureDeserialization,
4535
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection,
4536
- ["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
4537
- };
4538
- var java_default = vulnerabilities5;
4539
-
4540
- // src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
4541
- var csrf = {
4542
- guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
4543
-
4544
-
4545
- If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
4546
-
4547
-
4548
- See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
4549
- };
4550
-
4551
- // src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
4552
- var hardcodedSecrets = {
4553
- guidance: ({ questions }) => {
4554
- const envVarName = questions.find((q) => q.key === "env_var_name")?.value || "the";
4555
- const keepAsDefault = questions.find(
4556
- (q) => q.key === "keep_as_default"
4557
- )?.value;
4558
- let additionalText = "";
4559
- if (keepAsDefault === "yes") {
4560
- additionalText = "\n1. Remove the hardcoded secret from the code.\n";
4561
- }
4562
- return `Please follow the steps in this specific order:
4563
-
4564
- 1. Change the secret that was hardcoded. It is essential because even when you commit the changes, the secret will remain in the git history.${additionalText}
4565
- 1. Update the configuration of all your application environments and CI/CD pipelines to set \`${envVarName}\` environment variable.
4566
- 1. Commit the changes.`;
4567
- }
4568
- };
4569
-
4570
- // src/features/analysis/scm/shared/src/storedFixData/javascript/noLimitsOrThrottling.ts
4571
- var noLimitsOrThrottling = {
4572
- guidance: () => "We set the default limit to 60 requests per minute. To customize the rate limit settings, please read the documentation of the [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) package."
4573
- };
4574
-
4575
- // src/features/analysis/scm/shared/src/storedFixData/javascript/ssrf.ts
4576
- var ssrf = {
4577
- guidance: () => "The server-side validates the domains it has access to, otherwise it throws an error if validation failed. Please make sure you handled the error correctly."
4578
- };
4579
-
4580
- // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
4581
- var vulnerabilities6 = {
4582
- ["SSRF"]: ssrf,
4583
- ["HARDCODED_SECRETS"]: hardcodedSecrets,
4584
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4585
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling,
4586
- ["CSRF"]: csrf
4587
- };
4588
- var javascript_default = vulnerabilities6;
4589
-
4590
- // src/features/analysis/scm/shared/src/storedFixData/php/index.ts
4591
- var vulnerabilities7 = {};
4592
- var php_default = vulnerabilities7;
4593
-
4594
- // src/features/analysis/scm/shared/src/storedFixData/python/autoEscapeFalse.ts
4595
- var autoEscapeFalse = {
4596
- guidance: () => `This fix enables automatic escaping for HTML. When that's enabled, everything is escaped by default except for values explicitly marked as safe. Variables and expressions can be marked as safe either in:
4597
-
4598
- a. The context dictionary by the application with \`markupsafe.Markup\`
4599
-
4600
- b. The template, with the \`|safe\` filter.
4601
-
4602
- &nbsp;
4603
-
4604
-
4605
- See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping) and [here](https://pypi.org/project/MarkupSafe/).
4606
-
4607
- &nbsp;
4608
-
4609
-
4610
- ***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
4611
- };
4612
-
4613
- // src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
4614
- var improperCertificateValidation = {
4615
- guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
4616
-
4617
- &nbsp;
4618
-
4619
- ***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
4620
-
4621
- &nbsp;
4622
-
4623
- See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
4624
- };
4625
-
4626
- // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
4627
- var vulnerabilities8 = {
4628
- ["AUTO_ESCAPE_FALSE"]: autoEscapeFalse,
4629
- ["CSRF"]: csrf,
4630
- ["IMPROPER_CERTIFICATE_VALIDATION"]: improperCertificateValidation
4631
- };
4632
- var python_default = vulnerabilities8;
4633
-
4634
- // src/features/analysis/scm/shared/src/storedFixData/sql/defaultRightsInObjDefinition.ts
4635
- var defaultRightsInObjDefinition = {
4636
- guidance: () => "***Make sure the user who is supposed to run the procedure has sufficient permissions.***\n\nRead more details about the `EXECUTE AS` statement in [the official Microsoft documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-clause-transact-sql?view=sql-server-ver16&tabs=sqlserver).\n\n`EXECUTE AS CALLER` is the default behavior for SQL Server 2005 and later."
4637
- };
4638
-
4639
- // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
4640
- var vulnerabilities9 = {
4641
- ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION"]: defaultRightsInObjDefinition
4642
- };
4643
- var sql_default = vulnerabilities9;
4644
-
4645
- // src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
4646
- var vulnerabilities10 = {
4647
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4648
- };
4649
- var xml_default = vulnerabilities10;
4650
-
4651
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4652
- var StoredFixDataItemZ = z2.object({
4653
- guidance: z2.function().args(z2.any()).returns(z2.string())
4654
- });
4655
- var languages = {
4656
- ["Java" /* Java */]: java_default,
4657
- ["JavaScript" /* JavaScript */]: javascript_default,
4658
- ["CSharp" /* CSharp */]: csharp_default,
4659
- ["SQL" /* Sql */]: sql_default,
4660
- ["XML" /* Xml */]: xml_default,
4661
- ["Python" /* Python */]: python_default,
4662
- ["PHP" /* Php */]: php_default,
4663
- ["Go" /* Go */]: go_default,
4664
- ["Dockerfile" /* Dockerfile */]: dockerfile_default,
4665
- ["Hcl" /* Hcl */]: hcl_default
4666
- };
4667
-
4668
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
4669
- init_client_generates();
4670
- import { z as z3 } from "zod";
4671
-
4672
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
4673
- var commandInjection = {
4674
- isUnixShellCommandPart: {
4675
- content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
4676
- description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
4677
-
4678
- - \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
4679
- - \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
4680
-
4681
- Answer **no** (the input is not plain data) when the input is:
4682
-
4683
- 1. The program/executable itself:
4684
- - \`system(input);\`
4685
- - \`sprintf(cmd, "%s -x", input);\`
4686
- 2. A command after a pipe or redirect:
4687
- - \`sprintf(cmd, "cat file.txt | %s", input);\`
4688
- 3. A part of a non-Unix or cross-platform shell command.
4689
- 4. A part of embedded code in another language:
4690
- - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
4691
- - \`sprintf(cmd, "awk '%s' file", input);\`
4692
- 5. A flag/option that controls a tool's behaviour:
4693
- - \`sprintf(cmd, "git --upload-pack %s", input);\``,
4694
- guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
4695
- },
4696
- executableLocationPath: {
4697
- content: () => "What is the absolute path of the directory containing the executable?",
4698
- description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
4699
-
4700
- Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
4701
- guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
4702
- }
4703
- };
4704
-
4705
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/pathManipulation.ts
4706
- var pathManipulation = {
4707
- baseDirectory: {
4708
- content: ({ expression }) => `Which directory must \`${expression}\` stay within? Enter the absolute base directory file access is restricted to.`,
4709
- description: ({ expression }) => `The fix canonicalizes \`${expression}\` (resolving \`.\`, \`..\`, and symlinks) and verifies the result stays inside this base directory. Provide the **absolute** root the application is allowed to read or write under, for example \`/var/app/data\`. The directory must exist at runtime. A path that resolves outside it is rejected at runtime.`,
4710
- guidance: (_) => "You **must** set this to an absolute path that exists at runtime and that your application confines file access to. If you leave it unset (or give a relative path), the generated fix is emitted with a placeholder identifier (`MOBB_SET_ALLOWED_BASE_DIR`) that **deliberately does not compile**, so a missing security boundary cannot be overlooked \u2014 replace it with your absolute base directory. A relative path would otherwise resolve against the process working directory (moving the boundary). At runtime the guard aborts (C: `exit(EXIT_FAILURE)`) / throws (C++: `std::runtime_error`) on a path that escapes the base. Pick the narrowest directory that still contains every legitimate file the code opens."
4711
- }
4712
- };
4713
-
4714
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
4715
- var vulnerabilities11 = {
4716
- ["CMDi"]: commandInjection,
4717
- ["PT"]: pathManipulation
4718
- };
4719
- var cpp_default = vulnerabilities11;
4720
-
4721
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
4722
- var httpOnlyCookie = {
4723
- httpOnlyCookie: {
4724
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
4725
- description: () => httpOnlyMessage,
4726
- guidance: () => ""
4727
- },
4728
- cookieVarName: {
4729
- content: () => "Please define a variable name",
4730
- description: () => `We need a variable for the new cookie instance`,
4731
- guidance: () => ""
4732
- }
4733
- };
4734
- var httpOnlyMessage = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
4735
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
4736
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
4737
-
4738
- &nbsp;
4739
-
4740
-
4741
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
4742
-
4743
- &nbsp;
4744
-
4745
- `;
4746
-
4747
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureBinderConfiguration.ts
4748
- var insecureBinderConfiguration = {
4749
- bindAttributeParam: {
4750
- content: ({ func_param_name }) => `Which properties of the model should be included in model binding for \`${func_param_name}\`?`,
4751
- description: () => "Provide a comma-separated list of valid property names to be included in model binding. See [the official documentation](https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding?view=aspnetcore-8.0#bind-attribute) for more details.",
4752
- guidance: () => ""
4753
- }
4754
- };
4755
-
4756
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureCookie.ts
4757
- var insecureCookie = {
4758
- insecureCookie: {
4759
- content: () => "Will this cookie be used only in encrypted channels (https)?",
4760
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
4761
- In environments like local development or test, setting cookies as secure might have some consequences:
4762
-
4763
- &nbsp;
4764
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
4765
- additional configuration and certificates. If cookies are marked as secure,
4766
- they won't be sent over HTTP, and this could potentially interfere with the normal
4767
- functioning of your application during development.
4768
-
4769
- &nbsp;
4770
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
4771
- testing environment accurately simulates the production environment's security features.
4772
- This may involve setting up HTTPS in your local development environment.
4773
-
4774
- &nbsp;
4775
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
4776
- development environment, especially if you need to inspect or manipulate the cookies during
4777
- development.`,
4778
- guidance: () => ""
4779
- },
4780
- cookieVarName: {
4781
- content: () => "Please define a variable name",
4782
- description: () => `We need a variable for the new cookie instance`,
4783
- guidance: () => ""
4784
- }
4785
- };
4786
-
4787
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureRandomness.ts
4788
- var insecureRandomness = {
4789
- isRandomNumberGeneratorAvailable: {
4790
- content: () => "We use the `RandomNumberGenerator` class from the `System.Security.Cryptography` package. Does this class exist for the .NET version you use?",
4791
- description: () => "See [the official documentation](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-8.0#applies-to) for more details.",
4792
- guidance: () => ""
4793
- },
4794
- isNetVersionGreaterThan6: {
4795
- content: () => "We are able to offer a more concise solution if the .NET version is greater then .NET 6",
4796
- description: () => "",
4797
- guidance: () => ""
4798
- }
4799
- };
4800
-
4801
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insufficientLogging.ts
4802
- var insufficientLogging = {
4803
- logMessage: {
4804
- content: () => "Enter the message that you want to appear in the log",
4805
- description: () => "",
4806
- guidance: () => ""
4807
- }
4808
- };
4809
-
4810
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/logForging.ts
4811
- var logForging = {
4812
- isHtmlDisplay: {
4813
- content: () => "Is the text written to the log going to be displayed as HTML?",
4814
- description: () => "",
4815
- guidance: ({ userInputValue }) => {
4816
- switch (userInputValue) {
4817
- case "yes":
4818
- return "We use the `System.Web` `HttpUtility` to decode the HTML";
4819
- default:
4820
- return "";
4821
- }
4822
- }
4823
- }
4824
- };
4825
-
4826
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/overlyBroadCatch.ts
4827
- var overlyBroadCatch = {
4828
- defaultExceptionsInWhenFilter: {
4829
- content: () => "Exceptions to filter",
4830
- description: () => "Coma separated list of the Fully Qualified Exceptions names",
4831
- guidance: () => ""
4832
- }
4833
- };
4834
-
4835
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/pt.ts
4836
- var pt = {
4837
- taintedTermType: {
4838
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file path?`,
4839
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
4840
- guidance: () => ""
4841
- },
4842
- pathTargetDir: {
4843
- content: () => "Allowed file path",
4844
- description: () => "Provide the intended file path destination eg: /tmp/testfiles/users/",
4845
- guidance: () => ""
4846
- }
4847
- };
4848
-
4849
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
4850
- var regexMissingTimeout = {
4851
- netVersionGreaterOrEqual7: {
4852
- content: () => "Is your target framework .NET 7 or greater?",
4853
- description: () => "",
4854
- guidance: () => ""
4855
- },
4856
- timeout: {
4857
- content: () => "Enter the timeout in milliseconds",
4858
- description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
4859
- guidance: () => ""
4860
- },
4861
- useBacktrackingOption: {
4862
- content: () => "Use non backtracking option",
4863
- description: () => "If the regex does not need to use backtracking we can disable it using regex options",
4864
- guidance: () => ""
4865
- }
4866
- };
4867
-
4868
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/requestParametersBoundViaInput.ts
4869
- var requestParametersBoundViaInput = {
4870
- fieldsToCopy: {
4871
- content: () => "Please list all the fields you expect as input from the user. Use comma separated list.",
4872
- description: () => `This is meant to avoid mass assignment vulnerabilities, where the user would enter an inner unexpected field`,
4873
- guidance: () => ""
4874
- }
4875
- };
4876
-
4877
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
4878
- var sqlInjection = {
4879
- databaseProvider: {
4880
- content: () => "Select the database provider",
4881
- description: () => "",
4882
- guidance: () => ""
4883
- }
4884
- };
4885
-
4886
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/ssrf.ts
4887
- var ssrf2 = {
4888
- domainsAllowlist: {
4889
- content: () => "Allowed domains",
4890
- description: () => "Coma separated list of allowed domains.",
4891
- guidance: () => ""
4892
- }
4893
- };
4894
-
4895
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sysLeak.ts
4896
- var sysLeak = {
4897
- errorMessage: {
4898
- content: () => "Enter the error message that you want to appear in the log",
4899
- description: () => "",
4900
- guidance: () => ""
4901
- },
4902
- noLoggerAction: {
4903
- content: () => "Which of the following you want to use instead of the vulnerable code?",
4904
- description: () => "",
4905
- guidance: () => ""
4906
- }
4907
- };
4908
-
4909
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/trustBoundaryViolation.ts
4910
- var trustBoundaryViolation = {
4911
- validationPattern: {
4912
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
4913
- description: () => "We use regex to validate the input to avoid runtime surprises",
4914
- guidance: () => ""
4915
- },
4916
- otherPatternValue: {
4917
- content: () => `Enter the regex pattern you would like to use to validate the input`,
4918
- description: () => "See patterns at [the regex docs](https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference)",
4919
- guidance: () => ""
4920
- }
4921
- };
4922
-
4923
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/useOfSystemOutputStream.ts
4924
- var useOfSystemOutputStream = {
4925
- noLoggerAction: {
4926
- content: () => "Which of the following you want to use instead of the vulnerable code?",
4927
- description: () => "",
4928
- guidance: () => ""
4929
- }
4930
- };
4931
-
4932
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/valueShadowing.ts
4933
- var valueShadowing = {
4934
- collectionName: {
4935
- content: () => "Please select the collection to search/index from",
4936
- description: () => `Accessing the root object eg Request["item"] searches across all available collections and returns the first item that matches. Potentially leading to the correct value being shadowed. Available collections include:
4937
- - QueryString: The values of variables in the HTTP query string.
4938
- - Form: The values of form elements in the HTTP request body.
4939
- - Cookies: The values of cookies sent in the HTTP request.
4940
- - ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
4941
- - ServerVariables: The values of predetermined environment variables.`,
4942
- guidance: () => `See
4943
- - https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524948(v=vs.90),
4944
- - https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8.1`
4945
- }
4946
- };
4947
-
4948
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/wcfMisconfigurationThrottlingNotEnabled.ts
4949
- var wcfMisconfigurationThrottlingNotEnabled = {
4950
- maxConcurrentCalls: {
4951
- content: () => "Please define the maximum concurrent calls",
4952
- description: () => `A positive integer that limits the number of messages that currently process across a ServiceHost. Calls in excess of the limit are queued. Setting this value to 0 is equivalent to setting it to Int32.MaxValue.`,
4953
- guidance: () => {
4954
- return "";
4955
- }
4956
- },
4957
- maxConcurrentInstances: {
4958
- content: () => "Please define the maximum concurrent instances",
4959
- description: () => `A positive integer that limits the number of InstanceContext objects that execute at one time across a ServiceHost. Requests to create additional instances are queued and complete when a slot below the limit becomes available.`,
4960
- guidance: () => {
4961
- return "";
4962
- }
4963
- },
4964
- maxConcurrentSessions: {
4965
- content: () => "Please define the maximum concurrent sessions",
4966
- description: () => `A positive integer that limits the number of sessions a ServiceHost object can accept.`,
4967
- guidance: () => {
4968
- return "";
4969
- }
4970
- }
4971
- };
4972
-
4973
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xss.ts
4974
- var xss = {
4975
- allowSpecialCharacters: {
4976
- content: ({ source_value }) => `Does your code allow encodable HTML characters like '&', '<', '"' etc. in: \`${source_value}\`?`,
4977
- description: () => "",
4978
- guidance: () => ""
4979
- },
4980
- containsHtml: {
4981
- content: ({ prop_value }) => `Does your code allow having HTML tags in: \`${prop_value}\`?`,
4982
- description: () => "",
4983
- guidance: () => ""
4984
- },
4985
- netVersionGreaterOrEqual45: {
4986
- content: () => "Is your target framework .NET 4.5 or greater?",
4987
- description: () => "",
4988
- guidance: () => ""
4989
- },
4990
- useHTML4NamedEntities: {
4991
- content: () => "Would you like to use HTML 4.0 Named entities?",
4992
- description: () => "See [examples](https://www.w3schools.com/charsets/ref_html_entities_4.asp) and [full description](https://www.w3.org/TR/WD-html40-970708/sgml/entities.html)",
4993
- guidance: () => ""
4994
- }
4995
- };
4996
-
4997
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xxe.ts
4998
- var xxe = {
4999
- netVersionGreaterOrEqual4: {
5000
- content: () => "Is your target framework .NET 4.0.0 or greater?",
5001
- description: () => "",
5002
- guidance: ({ userInputValue }) => {
5003
- switch (userInputValue) {
5004
- case "yes":
5005
- return "We set `DtdProcessing` to `DtdProcessing.Prohibit` in order to prevent DTD parsing.";
5006
- default:
5007
- return "We set `ProhibitDtd` to `true` in order to prevent DTD parsing.";
5008
- }
5009
- }
5010
- }
5011
- };
5012
-
5013
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
5014
- var vulnerabilities12 = {
5015
- ["LOG_FORGING"]: logForging,
5016
- ["SSRF"]: ssrf2,
5017
- ["XXE"]: xxe,
5018
- ["XSS"]: xss,
5019
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream,
5020
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak,
5021
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch,
5022
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation,
5023
- ["PT"]: pt,
5024
- ["REGEX_MISSING_TIMEOUT"]: regexMissingTimeout,
5025
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie,
5026
- ["INSECURE_COOKIE"]: insecureCookie,
5027
- ["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED"]: wcfMisconfigurationThrottlingNotEnabled,
5028
- ["INSECURE_BINDER_CONFIGURATION"]: insecureBinderConfiguration,
5029
- ["VALUE_SHADOWING"]: valueShadowing,
5030
- ["INSECURE_RANDOMNESS"]: insecureRandomness,
5031
- ["INSUFFICIENT_LOGGING"]: insufficientLogging,
5032
- ["SQL_Injection"]: sqlInjection,
5033
- ["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
5034
- };
5035
- var csharp_default2 = vulnerabilities12;
5036
-
5037
- // src/features/analysis/scm/shared/src/storedQuestionData/go/logForging.ts
5038
- var logForging2 = {
5039
- isHtmlDisplay: {
5040
- content: () => "Is the text written to the log going to be displayed as HTML?",
5041
- description: () => "",
5042
- guidance: () => ""
5043
- }
5044
- };
5045
-
5046
- // src/features/analysis/scm/shared/src/storedQuestionData/go/missingSslMinversion.ts
5047
- var missingSslMinversion = {
5048
- minTlsVersion: {
5049
- content: () => "What is the minimum version of Transport Layer Security (TLS) you allow? Ensure compatibility between the server and clients.",
5050
- description: () => "",
5051
- guidance: () => ""
5052
- }
5053
- };
5054
-
5055
- // src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
5056
- var websocketMissingOriginCheck = {
5057
- minTlsVersion: {
5058
- content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
5059
- description: () => "",
5060
- guidance: () => ""
5061
- }
5062
- };
5063
-
5064
- // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
5065
- var vulnerabilities13 = {
5066
- ["LOG_FORGING"]: logForging2,
5067
- ["MISSING_SSL_MINVERSION"]: missingSslMinversion,
5068
- ["WEBSOCKET_MISSING_ORIGIN_CHECK"]: websocketMissingOriginCheck
5069
- };
5070
- var go_default2 = vulnerabilities13;
5071
-
5072
- // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
5073
- var commandInjection2 = {
5074
- isUnixShellCommandPart: {
5075
- content: () => "Is the input part of Unix shell command?",
5076
- description: () => `For example:
5077
-
5078
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -t 5 -c 5 " + input});\`
5079
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "curl " + input + " > file.txt"});\`
5080
-
5081
- Make sure the input is not:
5082
-
5083
- 1. An executable name:
5084
- - \`Runtime.getRuntime().exec(input);\`
5085
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", input});\`
5086
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", input + " param"});\`
5087
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "cat file.txt | " + input});\`
5088
- - \`Runtime.getRuntime().exec(new String[] {"/usr/bin/git", "--upload-pack", input});\`
5089
- 2. A part of non-unix or cross platform shell command:
5090
- - \`Runtime.getRuntime().exec(new String[] {"cmd.exe", "/c", "ping " + input});\`
5091
- 3. A part of programming language code:
5092
- - \`Runtime.getRuntime().exec(new String[] {"php", "-r", "echo '" + input + "';"});\`
5093
- - \`Runtime.getRuntime().exec(new String[] {"perl", "-e", "print '" + input + "'"});\``,
5094
- guidance: () => ""
5095
- },
5096
- installApacheCommonsText: {
5097
- content: () => "Is the Apache Commons library (org.apache.commons) included in your project, if not, can you add it?",
5098
- description: () => "Apache Commons Text is a library focused on algorithms working on strings.",
5099
- guidance: ({ userInputValue }) => userInputValue === "yes" ? "To add the library, modify your pom.xml or build.gradle to include the library. You can find the latest version here https://mvnrepository.com/artifact/org.apache.commons/commons-text" : ""
5100
- },
5101
- cmdAllowlist: {
5102
- content: () => "Allowed Commands",
5103
- description: () => "Make sure that the list of commands is separated by commas.",
5104
- guidance: () => ""
5105
- }
5106
- };
5107
-
5108
- // src/features/analysis/scm/shared/src/storedQuestionData/java/confusingNaming.ts
5109
- var confusingNaming = {
5110
- newFieldName: {
5111
- content: () => "Rename the existing field",
5112
- description: () => "",
5113
- guidance: () => ""
5114
- }
5115
- };
5116
-
5117
- // src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
5118
- var duplicatedStrings = {
5119
- constantName: {
5120
- content: () => "New constant name",
5121
- description: () => "",
5122
- guidance: () => ""
5123
- }
5124
- };
5125
-
5126
- // src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
5127
- var erroneousStringCompare = {
5128
- javaVersionGreaterOrEqual17: {
5129
- content: () => "Is `java.util.Objects` package available in your runtime?",
5130
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5131
- guidance: () => ""
5132
- }
5133
- };
5134
-
5135
- // src/features/analysis/scm/shared/src/storedQuestionData/java/errorConditionWithoutAction.ts
5136
- var errorConditionWithoutAction = {
5137
- errorMessage: {
5138
- content: () => "Enter the error message that you want to appear in the log",
5139
- description: () => "",
5140
- guidance: () => ""
5141
- }
5142
- };
5143
-
5144
- // src/features/analysis/scm/shared/src/storedQuestionData/java/httpOnlyCookie.ts
5145
- var httpOnlyCookie2 = {
5146
- httpOnlyCookie: {
5147
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
5148
- description: ({ class_name }) => class_name == "Cookie" ? `${httpOnlyMessage2} ${setHttpOnlyMethodMessage}` : httpOnlyMessage2,
5149
- guidance: () => ""
5150
- },
5151
- cookieVarName: {
5152
- content: () => "Please define a variable name",
5153
- description: () => `We need a variable for the new cookie instance`,
5154
- guidance: () => ""
5155
- }
5156
- };
5157
- var httpOnlyMessage2 = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
5158
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
5159
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
5160
-
5161
- &nbsp;
5162
-
5163
-
5164
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
5165
-
5166
- &nbsp;
5167
-
5168
- `;
5169
- var setHttpOnlyMethodMessage = `Beware that if your application is using a version of the javax.servlet-api package < 3.0
5170
- this change will not work since the method "setHttpOnly" is not present in previous of the package.`;
5171
-
5172
- // src/features/analysis/scm/shared/src/storedQuestionData/java/insecureCookie.ts
5173
- var insecureCookie2 = {
5174
- insecureCookie: {
5175
- content: () => "Will this cookie be used only in encrypted channels (https)?",
5176
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
5177
- In environments like local development or test, setting cookies as secure might have some consequences:
5178
-
5179
- &nbsp;
5180
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
5181
- additional configuration and certificates. If cookies are marked as secure,
5182
- they won't be sent over HTTP, and this could potentially interfere with the normal
5183
- functioning of your application during development.
5184
-
5185
- &nbsp;
5186
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
5187
- testing environment accurately simulates the production environment's security features.
5188
- This may involve setting up HTTPS in your local development environment.
5189
-
5190
- &nbsp;
5191
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
5192
- development environment, especially if you need to inspect or manipulate the cookies during
5193
- development.`,
5194
- guidance: () => ""
5195
- },
5196
- cookieVarName: {
5197
- content: () => "Please define a variable name",
5198
- description: () => `We need a variable for the new cookie instance`,
5199
- guidance: () => ""
5200
- }
5201
- };
5202
-
5203
- // src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
5204
- var j2eeGetConnection2 = {
5205
- jndiResourceName: {
5206
- content: () => "What JNDI name is the database connection pool registered under?",
5207
- description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
5208
- guidance: () => ""
5209
- }
5210
- };
5211
-
5212
- // src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
5213
- var leftoverDebugCode = {
5214
- isCodeUsed: {
5215
- content: () => "The function seems to be a remnant of debug code. Is it still being used?",
5216
- description: () => "",
5217
- guidance: () => ""
5218
- }
5219
- };
5220
-
5221
- // src/features/analysis/scm/shared/src/storedQuestionData/java/localeDependentComparison.ts
5222
- var localeDependentComparison = {
5223
- localeType: {
5224
- content: ({ variable }) => `Is ${variable} locale dependent?`,
5225
- description: () => `Select "locale insensitive" for string comparisons that are not dependent on the locale.
5226
-
5227
- Select "default locale" for string comparisons that uses the default locale.
5228
-
5229
- Select "custom locale" for string comparisons that are dependent on a specific locale language.`,
5230
- guidance: () => ""
5231
- },
5232
- customLocaleLanguage: {
5233
- content: () => "What is your locale language?",
5234
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5235
- guidance: () => ""
5236
- },
5237
- customLocaleCountry: {
5238
- content: () => "What is your locale country?",
5239
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5240
- guidance: () => ""
5241
- }
5242
- };
5243
-
5244
- // src/features/analysis/scm/shared/src/storedQuestionData/java/logForging.ts
5245
- var logForging3 = {
5246
- isHtmlDisplay: {
5247
- content: () => "Is the text written to the log going to be displayed as HTML?",
5248
- description: () => "",
5249
- guidance: () => ""
5250
- },
5251
- htmlEscapingLib: {
5252
- content: () => "Which HTML escaping library would you like to use?",
5253
- description: () => `
5254
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5255
- - Another \`option is org.apache.commons.text.StringEscapeUtils\``,
5256
- guidance: () => ""
5257
- }
5258
- };
5259
-
5260
- // src/features/analysis/scm/shared/src/storedQuestionData/java/missingCheckAgainstNull.ts
5261
- var missingCheckAgainstNull = {
5262
- preferredAction: {
5263
- content: ({ tainted_expression }) => `What is expected behavior if \`${tainted_expression}\` returns null?`,
5264
- description: () => "",
5265
- guidance: () => ""
5266
- },
5267
- javaVersionGreaterOrEqual17: {
5268
- content: () => "Is `java.util.Objects` package available in your runtime?",
5269
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5270
- guidance: () => ""
5271
- }
5272
- };
5273
-
5274
- // src/features/analysis/scm/shared/src/storedQuestionData/java/openRedirect.ts
5275
- var openRedirect = {
5276
- allowlist: {
5277
- content: () => "Allowed domains",
5278
- description: () => "Add a comma separated list of allowed domains (e.g. 'google.com,example.com')",
5279
- guidance: () => ""
5280
- }
5281
- };
5282
-
5283
- // src/features/analysis/scm/shared/src/storedQuestionData/java/overlyBroadCatch.ts
5284
- var overlyBroadCatch2 = {
5285
- handleRuntimeExceptions: {
5286
- content: () => "Does the code intentionally catch `RuntimeException` instances like `ArithmeticException` or `NullPointerException` in the `catch` block?",
5287
- description: () => "Usually, when catching the general `Exception` class catching of `RuntimeException` is implied and not necessarily the wanted/safe behavior. The application needs to deal with it explicitly in a different way, as the Mobb fix suggests.",
5288
- guidance: () => ""
5289
- }
5290
- };
5291
-
5292
- // src/features/analysis/scm/shared/src/storedQuestionData/java/privacyViolation.ts
5293
- var privacyViolation = {
5294
- remediationOption: {
5295
- content: () => "Preferred fix solution",
5296
- description: () => `
5297
- - Completely Remove the log message
5298
- - Replace the sensitive data with the string [Redacted]
5299
- - SHA 256 Hash the sensitive information in the log message`,
5300
- guidance: () => ""
5301
- }
5302
- };
5303
-
5304
- // src/features/analysis/scm/shared/src/storedQuestionData/java/pt.ts
5305
- var pt2 = {
5306
- isPathRelativeOnly: {
5307
- content: ({ expression }) => `Do you expect \`${expression}\` to be a relative path?`,
5308
- description: () => "You most likely want to serve files relative to the web server's static files folder in web applications. If so, your answer should be `yes`. In CLI applications, you probably would like to give the user more flexibility and allow them to specify absolute paths to any location on the disk \u2013 your answer should be `no` in such cases.",
5309
- guidance: () => ""
5310
- },
5311
- isFileName: {
5312
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file name part?`,
5313
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters. If \`${expression}\` is supposed to legitimately include such characters, the answer should be "no".`,
5314
- guidance: () => ""
5315
- }
5316
- };
5317
-
5318
- // src/features/analysis/scm/shared/src/storedQuestionData/java/relativePathCommand.ts
5319
- var relativePathCommand = {
5320
- executableLocationPath: {
5321
- content: () => "What is the absolute path of the directory containing the executable?",
5322
- description: () => "We need the absolute path to the executable to protect your application from command injection and ensure malicious actors cannot execute arbitrary commands on your system.",
5323
- guidance: () => ""
5324
- }
5325
- };
5326
-
5327
- // src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
5328
- var ssrf3 = {
5329
- domainsAllowlist: {
5330
- content: () => "Allowed URL prefixes",
5331
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
5332
- &nbsp;
5333
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
5334
- guidance: () => ""
5335
- }
5336
- };
5337
-
5338
- // src/features/analysis/scm/shared/src/storedQuestionData/java/sysLeak.ts
5339
- var sysLeak2 = {
5340
- errorMessage: {
5341
- content: () => "Enter the error message that you want to appear in the log",
5342
- description: () => "",
5343
- guidance: () => ""
5344
- },
5345
- noLoggerAction: {
5346
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5347
- description: () => "",
5348
- guidance: () => ""
5349
- }
5350
- };
5351
-
5352
- // src/features/analysis/scm/shared/src/storedQuestionData/java/trustBoundaryViolation.ts
5353
- var trustBoundaryViolation2 = {
5354
- validationPattern: {
5355
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
5356
- description: () => "We use regex to validate the input to avoid runtime surprises",
5357
- guidance: () => ""
5358
- },
5359
- otherPatternValue: {
5360
- content: () => `Enter the regex pattern you would like to use to validate the input`,
5361
- description: () => "See patterns at [the regex javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html)",
5362
- guidance: () => ""
5363
- }
5364
- };
5365
-
5366
- // src/features/analysis/scm/shared/src/storedQuestionData/java/uncheckedLoopCondition.ts
5367
- var uncheckedLoopCondition = {
5368
- loopLimit: {
5369
- content: () => "Please define a maximum loop limit",
5370
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5371
- guidance: () => ""
5372
- },
5373
- varName: {
5374
- content: () => "Please define a variable name",
5375
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5376
- guidance: () => ""
5377
- }
5378
- };
5379
-
5380
- // src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
5381
- var unsafeReflection = {
5382
- classAllowlist: {
5383
- content: () => "Allowed class names for reflection",
5384
- description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
5385
- guidance: () => ""
5386
- }
5387
- };
5388
-
5389
- // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
5390
- var useOfSystemOutputStream2 = {
5391
- noLoggerAction: {
5392
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5393
- description: () => "",
5394
- guidance: () => ""
5395
- }
5396
- };
5397
-
5398
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xss.ts
5399
- var xss2 = {
5400
- isHtmlOrSafeAttribute: {
5401
- content: ({ tainted_variable }) => `Where is \`${tainted_variable}\` written to?`,
5402
- description: () => `Answer examples:
5403
-
5404
- - a text in an HTML tag or a value of a safe HTML attribute:
5405
- - \`<li><%= name %></li>\`
5406
- - \`<div>Name: <%= name %></div>\`
5407
- - \`<input value="<%= name %>" name="name"/>\`
5408
- - \`<div data-name="<%= name %>"></div>\`
5409
- - a JavaScript code block:
5410
- - \`<script>const name = "<%= name %>";</script>\`
5411
- - an event attribute of an HTML tag:
5412
- - \`<a onclick="alert('<%= name %>')">click me</a>\`
5413
- - \`<img onmouseover="alert('<%= name %>')"/>\`
5414
- - a src-like attribute of an HTML tag:
5415
- - \`<a href="/user/<%= name %>">me</a>\`
5416
- - \`<img src="/img/<%= name %>"/>\`
5417
- - \`<form action="<%= name %>"></form>\`
5418
- - \`<iframe srcdoc="<%= name %>"/>\`
5419
- - a part of an HTML tag attributes list:
5420
- - \`<a <%= name %>>text</a>\`
5421
-
5422
- See more details about safe and unsafe HTML attributes:
5423
- - [PortSwigger cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
5424
- - [DOMPurify attributes filter implementation](https://github.com/cure53/DOMPurify/blob/c29aa900a1c286b82ee4f48a7ffab96cab3e84fa/src/attrs.js)
5425
- `,
5426
- guidance: () => ""
5427
- },
5428
- isHtmlEncoded: {
5429
- content: () => "Is the user input already encoded as HTML text?",
5430
- description: () => "If you are unsure, we will decode the user input and encode it again to ensure it is safe and the data is kept the same.",
5431
- guidance: () => ""
5432
- },
5433
- htmlEscapingLib: {
5434
- content: () => "Which HTML escaping library would you like to use?",
5435
- description: () => `
5436
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5437
- - Another option is \`org.apache.commons.text.StringEscapeUtils\``,
5438
- guidance: () => ""
5439
- }
5440
- };
5441
-
5442
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xxe.ts
5443
- var xxe2 = {
5444
- factoryVarName: {
5445
- content: () => "Name the new Factory variable",
5446
- description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
5447
- guidance: () => ""
5448
- }
5449
- };
5450
-
5451
- // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
5452
- var vulnerabilities14 = {
5453
- ["CMDi_relative_path_command"]: relativePathCommand,
5454
- ["CMDi"]: commandInjection2,
5455
- ["CONFUSING_NAMING"]: confusingNaming,
5456
- ["ERROR_CONDTION_WITHOUT_ACTION"]: errorConditionWithoutAction,
5457
- ["XXE"]: xxe2,
5458
- ["XSS"]: xss2,
5459
- ["PRIVACY_VIOLATION"]: privacyViolation,
5460
- ["PT"]: pt2,
5461
- ["SSRF"]: ssrf3,
5462
- ["LOG_FORGING"]: logForging3,
5463
- ["LOCALE_DEPENDENT_COMPARISON"]: localeDependentComparison,
5464
- ["MISSING_CHECK_AGAINST_NULL"]: missingCheckAgainstNull,
5465
- ["OPEN_REDIRECT"]: openRedirect,
5466
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch2,
5467
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak2,
5468
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream2,
5469
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie2,
5470
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition,
5471
- ["INSECURE_COOKIE"]: insecureCookie2,
5472
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation2,
5473
- ["UNSAFE_REFLECTION"]: unsafeReflection,
5474
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection2,
5475
- ["LEFTOVER_DEBUG_CODE"]: leftoverDebugCode,
5476
- ["ERRONEOUS_STRING_COMPARE"]: erroneousStringCompare,
5477
- ["DUPLICATED_STRINGS"]: duplicatedStrings
5478
- };
5479
- var java_default2 = vulnerabilities14;
5480
-
5481
- // src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
5482
- var csrf2 = {
5483
- isPythonDjangoTemplate: {
5484
- content: () => "Is the reported file Python Django template?",
5485
- description: () => "",
5486
- guidance: () => ""
5487
- }
5488
- };
5489
-
5490
- // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
5491
- var commandInjection3 = {
5492
- isCommandExecutable: {
5493
- content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
5494
- description: () => `Does the command fall into one of the following categories:
5495
-
5496
- 1. An executable name:
5497
- - \`exec(input);\`
5498
- - \`exec("/bin/bash " + input);\`
5499
- - \`exec("/bin/sh -c" + input + " param");\`
5500
- - \`exec("/bin/bash -c cat file.txt | " + input);\`
5501
- - \`exec("/usr/bin/git --upload-pack " + input);\`
5502
- 2. A part of non-unix or cross platform shell command:
5503
- - \`exec("cmd.exe /c ping " + input);\`
5504
- 3. A part of programming language code:
5505
- - \`exec("php -r echo '" + input + "';");\`
5506
- - \`exec("perl -e print '" + input + "'");\``,
5507
- guidance: () => ""
5508
- }
5509
- };
5510
-
5511
- // src/features/analysis/scm/shared/src/storedQuestionData/js/graphqlDepthLimit.ts
5512
- var graphqlDepthLimit = {
5513
- depthLimit: {
5514
- content: () => "Please define a maximum query depth",
5515
- description: () => `Setting this number to a reasonable value will prevent the attack.
5516
- Make sure to pick a value large enough to allowed the nessecary amount of nested queries.`,
5517
- guidance: () => {
5518
- return "We use `graphql-depth-limit` npm package to limit the depth of nested queries. Please make sure you install the package using `npm install graphql-depth-limit`.";
5519
- }
5520
- }
5521
- };
5522
-
5523
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
5524
- var hardcodedDomainInHtml = {
5525
- isCDNFixedVersion: {
5526
- content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
5527
- description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
5528
- guidance: () => ""
5529
- }
5530
- };
5531
-
5532
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
5533
- var hardcodedSecrets2 = {
5534
- envVarName: {
5535
- content: () => "Please define an environment variable name",
5536
- description: () => `We will use this environment variable instead of the hardcoded secret`,
5537
- guidance: () => ""
5538
- },
5539
- keepAsDefault: {
5540
- content: () => "Do you want to keep the hardcoded secret in the code for now?",
5541
- description: () => 'Answer "yes" if you cannot set the environment variable in all environments right away.',
5542
- guidance: () => ""
5543
- }
5544
- };
5545
-
5546
- // src/features/analysis/scm/shared/src/storedQuestionData/js/iframeWithoutSandbox.ts
5547
- var iframeWithoutSandbox = {
5548
- iframeRestrictions: {
5549
- content: () => "Please define a comma-separated list of iframe sandbox restrictions (optional)",
5550
- description: () => `Possible values:
5551
- - allow-downloads
5552
- - allow-forms
5553
- - allow-modals
5554
- - allow-orientation-lock
5555
- - allow-pointer-lock
5556
- - allow-popups
5557
- - allow-popups-to-escape-sandbox
5558
- - allow-presentation
5559
- - allow-same-origin
5560
- - allow-scripts
5561
- - allow-storage-access-by-user-activation
5562
- - allow-top-navigation
5563
- - allow-top-navigation-by-user-activation
5564
- - allow-top-navigation-to-custom-protocols
5565
-
5566
- See more info [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox).`,
5567
- guidance: () => ""
5568
- }
5569
- };
5570
-
5571
- // src/features/analysis/scm/shared/src/storedQuestionData/js/incompleteUrlSanitization.ts
5572
- var incompleteUrlSanitization = {
5573
- allowedRootDomain: {
5574
- content: () => "The root domain of your application",
5575
- description: () => "We needed to strengthen the security check by ensuring that the url is under the root domain of your application.",
5576
- guidance: () => ""
5577
- }
5578
- };
5579
-
5580
- // src/features/analysis/scm/shared/src/storedQuestionData/js/insecureRandomness.ts
5581
- var insecureRandomness2 = {
5582
- isGetRandomValuesSupported: {
5583
- content: () => "Is getRandomValues() function supported by your JavaScript engine?",
5584
- description: () => "[getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is supported by [more than 97% of browsers](https://caniuse.com/?search=getRandomValues) and [Node.js >= 15.0.0](https://nodejs.org/api/webcrypto.html#cryptogetrandomvaluestypedarray).",
5585
- guidance: () => ""
5586
- }
5587
- };
5588
-
5589
- // src/features/analysis/scm/shared/src/storedQuestionData/js/logForging.ts
5590
- var logForging4 = {
5591
- isHtmlDisplay: {
5592
- content: () => "Is the text written to the log going to be displayed as HTML?",
5593
- description: () => "",
5594
- guidance: () => ""
5595
- }
5596
- };
5597
-
5598
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
5599
- var cspHeaderValue = {
5600
- cspHeaderValue: {
5601
- content: () => "Please provide the value for the Content-Security-Policy header",
5602
- description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
5603
-
5604
- &nbsp;
5605
- &nbsp;
5606
- **What it does**:
5607
-
5608
- &nbsp;
5609
- &nbsp;
5610
- CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
5611
-
5612
- &nbsp;
5613
- &nbsp;
5614
- - Which scripts can execute.
5615
- &nbsp; - Where images can be loaded from.
5616
- &nbsp; - Which styles can be applied.
5617
- &nbsp; - Which forms can be submitted to.
5618
- &nbsp; - What domains can be connected to.
5619
- &nbsp;
5620
- &nbsp; Default value explanation:
5621
- &nbsp;
5622
- &nbsp; - default-src 'self: Only allows resources from the same origin by default.
5623
- &nbsp; - script-src 'self': Only allows scripts to be loaded from the same origin.
5624
- &nbsp; - style-src 'self': Only allows styles from the same origin.
5625
- &nbsp; - object-src 'none': Disallows <object>, <embed>, and <applet> elements.
5626
- &nbsp; - base-uri 'self': Restricts where the <base> tag can point to.
5627
- &nbsp; - frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
5628
-
5629
- &nbsp;
5630
- &nbsp; **This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
5631
- guidance: () => ``
5632
- }
5633
- };
5634
-
5635
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
5636
- var headerMaxAge = {
5637
- headerMaxAge: {
5638
- content: () => "Please provide the maximum age of the header",
5639
- description: () => `This is the time, in seconds, that the browser should remember that the site is only to be accessed using \`HTTPS\`.
5640
- &nbsp;
5641
- &nbsp;
5642
- Setting the \`max-age\` to \`0\` (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via \`HTTP\`.
5643
-
5644
-
5645
- &nbsp;
5646
- &nbsp;
5647
- The HTTP Strict-Transport-Security response header (\`HSTS\`) informs browsers that the site
5648
- should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically
5649
- be converted to HTTPS.
5650
-
5651
-
5652
- &nbsp;
5653
- &nbsp;
5654
- If a website accepts a connection through \`HTTP\` and redirects to \`HTTPS\`, visitors may initially communicate with
5655
- the non-encrypted version of the site before being redirected, if, for example, the visitor
5656
- types \`http://www.example.com\` or even just \`example.com\`. This creates an opportunity for a man-in-the-middle attack.
5657
- The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
5658
-
5659
- &nbsp;
5660
- &nbsp;
5661
- The \`HTTP\` Strict Transport Security header informs the browser that it should never load a site using \`HTTP\`
5662
- and should automatically convert all attempts to access the site using \`HTTP\` to \`HTTPS\` requests instead.`,
5663
- guidance: () => ``
5664
- }
5665
- };
5666
-
5667
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
5668
- var xFrameOptionsValue = {
5669
- xFrameOptionsValue: {
5670
- content: () => "Please provide the value for the X-Frame-Options header",
5671
- description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).
5672
- &nbsp;
5673
- &nbsp; **Allowed values:**
5674
- &nbsp; - \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.
5675
- &nbsp; - \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
5676
- guidance: () => ``
5677
- }
5678
- };
5679
-
5680
- // src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
5681
- var noLimitsOrThrottling2 = {
5682
- setGlobalLimiter: {
5683
- content: () => "Would you like to use a global rate limit for all your endpoints within the same file?",
5684
- description: () => "",
5685
- guidance: () => ""
5686
- }
5687
- };
5688
-
5689
- // src/features/analysis/scm/shared/src/storedQuestionData/js/openRedirect.ts
5690
- var openRedirect2 = {
5691
- isExternal: {
5692
- content: () => "Does the redirect go to an external site?",
5693
- description: () => "",
5694
- guidance: () => ""
5695
- },
5696
- domainAllowlist: {
5697
- content: () => "Allowed domains names",
5698
- description: () => "please provide a coma separated list of allowed domains names (example.com, example.org, etc.)",
5699
- guidance: () => ""
5700
- },
5701
- pathAllowlist: {
5702
- content: () => "Allowed paths (URIs)",
5703
- description: () => "please provide a coma separated list of allowed path (/health, /api/v1/health, etc.)",
5704
- guidance: () => ""
5705
- },
5706
- includeProtocolValidation: {
5707
- content: () => "Should HTTP or HTTPS protocol be enforced?",
5708
- description: () => "please indicate if the protocol should be enforced",
5709
- guidance: () => ""
5710
- }
5711
- };
5712
-
5713
- // src/features/analysis/scm/shared/src/storedQuestionData/js/pt.ts
5714
- var pt3 = {
5715
- taintedTermType: {
5716
- content: ({ expression }) => `Does \`${expression}\` represent a file name, a relative path or an absolute path?`,
5717
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
5718
- guidance: () => ""
5719
- }
5720
- };
5721
-
5722
- // src/features/analysis/scm/shared/src/storedQuestionData/js/ssrf.ts
5723
- var ssrf4 = {
5724
- domainsAllowlist: {
5725
- content: () => "List of allowed domain names",
5726
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary domains.
5727
-
5728
- &nbsp;
5729
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of domains the server should be allowed to call.`,
5730
- guidance: () => ""
5731
- }
5732
- };
5733
-
5734
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeak.ts
5735
- var sysLeak3 = {
5736
- errorMessage: {
5737
- content: () => "Enter the error message that you want to appear in the log",
5738
- description: () => "",
5739
- guidance: () => ""
5740
- },
5741
- noLoggerAction: {
5742
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5743
- description: () => "",
5744
- guidance: () => ""
5745
- }
5746
- };
5747
-
5748
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeakExternal.ts
5749
- var sysLeakExternal = {
5750
- errorMessage: {
5751
- content: () => "Enter the error message that you want to appear to the user",
5752
- description: () => "",
5753
- guidance: () => ""
4266
+ error: async (message, data) => {
4267
+ const logger3 = await createContextLogger();
4268
+ return logger3.error(message, data);
5754
4269
  }
5755
4270
  };
5756
4271
 
5757
- // src/features/analysis/scm/shared/src/storedQuestionData/js/typeConfusion.ts
5758
- var typeConfusion = {
5759
- argumentType: {
5760
- content: () => "What is the type of the HTTP argument?",
5761
- description: () => "What is the type of the HTTP argument?",
5762
- guidance: () => ""
4272
+ // src/features/analysis/scm/errors.ts
4273
+ var InvalidAccessTokenError = class extends Error {
4274
+ constructor(m, scmType) {
4275
+ super(m);
4276
+ this.scmType = scmType;
5763
4277
  }
5764
4278
  };
5765
-
5766
- // src/features/analysis/scm/shared/src/storedQuestionData/js/uncheckedLoopCondition.ts
5767
- var uncheckedLoopCondition2 = {
5768
- loopLimit: {
5769
- content: () => "Please define a maximum loop limit",
5770
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5771
- guidance: () => ""
5772
- },
5773
- varName: {
5774
- content: () => "Please define a variable name",
5775
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5776
- guidance: () => ""
4279
+ var InvalidUrlPatternError = class extends Error {
4280
+ constructor(m, scmType) {
4281
+ super(m);
4282
+ this.scmType = scmType;
5777
4283
  }
5778
4284
  };
5779
-
5780
- // src/features/analysis/scm/shared/src/storedQuestionData/js/xss.ts
5781
- var xss3 = {
5782
- containsHtml: {
5783
- content: () => "Does the element or variable contain HTML formatting",
5784
- description: () => "",
5785
- guidance: () => ""
5786
- },
5787
- isParamTypeString: {
5788
- content: () => "Is the parameter passed to the $() function a string",
5789
- description: () => "",
5790
- guidance: () => ""
5791
- },
5792
- isSanitized: {
5793
- content: ({ expression }) => `Is the expression \`${expression}\` supposed to be not sanitized in this context?`,
5794
- description: () => "You are using unsafe string substitution in the template. This means that if the expression can contain maliciously crafted data, it may lead to XSS injection. To apply the fix, you have to make sure the expression is not sanitized on the backend already, and it does not represent an HTML code block.",
5795
- guidance: () => ""
5796
- },
5797
- isServerSideCode: {
5798
- content: () => "Is this code running on the server side (a NodeJS application)",
5799
- description: () => "The fix to this vulnerability is different is the code runs in the client (browser) or the server side (NodeJs)",
5800
- guidance: () => ""
4285
+ var RefNotFoundError = class extends Error {
4286
+ constructor(m) {
4287
+ super(m);
5801
4288
  }
5802
4289
  };
5803
-
5804
- // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
5805
- var vulnerabilities15 = {
5806
- ["CMDi"]: commandInjection3,
5807
- ["GRAPHQL_DEPTH_LIMIT"]: graphqlDepthLimit,
5808
- ["INSECURE_RANDOMNESS"]: insecureRandomness2,
5809
- ["SSRF"]: ssrf4,
5810
- ["TYPE_CONFUSION"]: typeConfusion,
5811
- ["INCOMPLETE_URL_SANITIZATION"]: incompleteUrlSanitization,
5812
- ["LOG_FORGING"]: logForging4,
5813
- ["XSS"]: xss3,
5814
- ["OPEN_REDIRECT"]: openRedirect2,
5815
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak3,
5816
- ["SYSTEM_INFORMATION_LEAK_EXTERNAL"]: sysLeakExternal,
5817
- ["IFRAME_WITHOUT_SANDBOX"]: iframeWithoutSandbox,
5818
- ["PT"]: pt3,
5819
- ["HARDCODED_SECRETS"]: hardcodedSecrets2,
5820
- ["MISSING_HSTS_HEADER"]: headerMaxAge,
5821
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition2,
5822
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling2,
5823
- ["MISSING_CSP_HEADER"]: cspHeaderValue,
5824
- ["MISSING_X_FRAME_OPTIONS"]: xFrameOptionsValue,
5825
- ["HARDCODED_DOMAIN_IN_HTML"]: hardcodedDomainInHtml,
5826
- ["CSRF"]: csrf2
5827
- };
5828
- var js_default = vulnerabilities15;
5829
-
5830
- // src/features/analysis/scm/shared/src/storedQuestionData/python/duplicatedStrings.ts
5831
- var duplicatedStrings2 = {
5832
- constantName: {
5833
- content: () => "New constant name",
5834
- description: () => "",
5835
- guidance: () => ""
4290
+ var ScmBadCredentialsError = class extends Error {
4291
+ constructor(m, scmType) {
4292
+ super(m);
4293
+ this.scmType = scmType;
5836
4294
  }
5837
4295
  };
5838
-
5839
- // src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
5840
- var logForging5 = {
5841
- isHtmlDisplay: {
5842
- content: () => "Is the text written to the log going to be displayed as HTML?",
5843
- description: () => "",
5844
- guidance: ({ userInputValue }) => {
5845
- switch (userInputValue) {
5846
- case "yes":
5847
- return "We use `html.escape` to decode the HTML";
5848
- default:
5849
- return "";
5850
- }
5851
- }
4296
+ var InvalidRepoUrlError = class extends Error {
4297
+ constructor(m, scmType) {
4298
+ super(m);
4299
+ this.scmType = scmType;
5852
4300
  }
5853
4301
  };
5854
-
5855
- // src/features/analysis/scm/shared/src/storedQuestionData/python/missingEncoding.ts
5856
- var missingEncoding = {
5857
- fEncoding: {
5858
- content: () => "Enter the encoding of the file",
5859
- description: () => "",
5860
- guidance: () => ""
4302
+ var RepoNoTokenAccessError = class extends Error {
4303
+ constructor(m, scmType) {
4304
+ super(m);
4305
+ this.scmType = scmType;
5861
4306
  }
5862
4307
  };
5863
-
5864
- // src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
5865
- var openRedirect3 = {
5866
- allowed_hosts: {
5867
- content: () => "Allowed domains/paths",
5868
- description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
5869
- guidance: () => ""
4308
+ var RateLimitError = class extends Error {
4309
+ constructor(m, scmType, retryAfter) {
4310
+ super(m);
4311
+ this.scmType = scmType;
4312
+ this.retryAfter = retryAfter;
5870
4313
  }
5871
4314
  };
5872
-
5873
- // src/features/analysis/scm/shared/src/storedQuestionData/python/ssrf.ts
5874
- var ssrf5 = {
5875
- domainsAllowlist: {
5876
- content: () => "Allowed URL prefixes",
5877
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
5878
- &nbsp;
5879
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
5880
- guidance: () => ""
4315
+ var NetworkError = class extends Error {
4316
+ constructor(m, scmType, errorCode) {
4317
+ super(m);
4318
+ this.scmType = scmType;
4319
+ this.errorCode = errorCode;
5881
4320
  }
5882
4321
  };
5883
4322
 
5884
- // src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
5885
- var uncheckedLoopCondition3 = {
5886
- loopLimit: {
5887
- content: () => "Please define a maximum loop limit",
5888
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5889
- guidance: () => ""
5890
- },
5891
- varName: {
5892
- content: () => "Please define a variable name",
5893
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5894
- guidance: () => ""
5895
- }
5896
- };
4323
+ // src/features/analysis/scm/utils/index.ts
4324
+ import { z as z10 } from "zod";
5897
4325
 
5898
- // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
5899
- var vulnerabilities16 = {
5900
- ["CSRF"]: csrf2,
5901
- ["LOG_FORGING"]: logForging5,
5902
- ["OPEN_REDIRECT"]: openRedirect3,
5903
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition3,
5904
- ["DUPLICATED_STRINGS"]: duplicatedStrings2,
5905
- ["MISSING_ENCODING_FILE_OPEN"]: missingEncoding,
5906
- ["SSRF"]: ssrf5
4326
+ // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
4327
+ init_client_generates();
4328
+ init_getIssueType();
4329
+ init_issueTypeCatalog();
4330
+ function capitalizeFirstLetter(str) {
4331
+ return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
4332
+ }
4333
+ function lowercaseFirstLetter(str) {
4334
+ if (!str) return str;
4335
+ return `${str.charAt(0).toLowerCase()}${str.slice(1)}`;
4336
+ }
4337
+ var severityToEmoji = {
4338
+ ["critical" /* Critical */]: "\u{1F6A8}",
4339
+ ["high" /* High */]: "\u{1F6A9}",
4340
+ ["medium" /* Medium */]: "\u{1F7E1}",
4341
+ ["low" /* Low */]: "\u{1F7E2}"
5907
4342
  };
5908
- var python_default2 = vulnerabilities16;
4343
+ var getCommitDescription = ({
4344
+ vendor,
4345
+ issueType,
4346
+ severity,
4347
+ guidances,
4348
+ fixUrl,
4349
+ irrelevantIssueWithTags
4350
+ }) => {
4351
+ const issueTypeString = getIssueTypeFriendlyString(issueType);
4352
+ let description = `This change fixes a **${severity} severity** (${severityToEmoji[severity]}) **${issueTypeString}** issue reported by **${capitalizeFirstLetter(
4353
+ vendor
4354
+ )}**.
5909
4355
 
5910
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
5911
- var unboundedOccurrences = {
5912
- maxOccursLimit: {
5913
- content: () => "The number of allowed repetitions of the element.",
5914
- description: () => "",
5915
- guidance: () => `Setting this number to a reasonable value will prevent the attack.
5916
- A value too low will prevent valid XMLs from being processed.
5917
- A value too high will cause performance issues up to and including denial of service.`
5918
- }
5919
- };
4356
+ `;
4357
+ if (issueType) {
4358
+ if (irrelevantIssueWithTags?.[0]?.tag) {
4359
+ description += `
4360
+ > [!tip]
4361
+ > This issue was found to be irrelevant to your project - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4362
+ > Mobb recommends to ignore this issue, however fix is available if you think differently.
5920
4363
 
5921
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
5922
- var vulnerabilities17 = {
5923
- ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES"]: unboundedOccurrences
5924
- };
5925
- var xml_default2 = vulnerabilities17;
5926
4364
 
5927
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/noNewPrivileges.ts
5928
- var noNewPrivileges = {
5929
- requireNewPrivileges: {
5930
- content: () => "Does the container require new privileges?",
5931
- description: () => "",
5932
- guidance: () => `If the container requires new privileges, setting the no-new-privileges option might harm the container functionality.`
4365
+ ## Justification
4366
+ ${issueDescription[irrelevantIssueWithTags[0].tag]}
4367
+ `;
4368
+ }
4369
+ const catalogEntry = getIssueTypeCatalogEntry(issueType);
4370
+ if (catalogEntry?.issueDescription) {
4371
+ description += `## Issue description
4372
+ ${catalogEntry.issueDescription}
4373
+ `;
4374
+ if (catalogEntry.fixInstructions) {
4375
+ description += `
4376
+ ## Fix instructions
4377
+ ${catalogEntry.fixInstructions}
4378
+ `;
4379
+ }
4380
+ }
5933
4381
  }
5934
- };
5935
-
5936
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/portAllInterfaces.ts
5937
- var portAllInterfaces = {
5938
- trustedIP: {
5939
- content: () => "Enter trusted Network IP",
5940
- description: () => "",
5941
- guidance: () => `Properly set this value to prevent access from untrusted network adapters. Setting this to a wrong value would prevent accessing the container and might break the system.`
4382
+ description += `
4383
+ ${guidances.map(({ guidance }) => `## Additional actions required
4384
+ ${guidance}
4385
+ `).join("")}
4386
+ `;
4387
+ if (fixUrl) {
4388
+ description += `
4389
+ [More info and fix customization are available in the Mobb platform](${fixUrl})`;
5942
4390
  }
4391
+ return description;
5943
4392
  };
4393
+ var getCommitIssueDescription = ({
4394
+ vendor,
4395
+ issueType,
4396
+ irrelevantIssueWithTags,
4397
+ fpDescription,
4398
+ unfixableDescription
4399
+ }) => {
4400
+ const issueTypeString = getIssueTypeFriendlyString(issueType);
4401
+ let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4402
+ `;
4403
+ if (issueType) {
4404
+ if (irrelevantIssueWithTags?.[0]?.tag) {
4405
+ description = `
4406
+ > [!tip]
4407
+ > The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
4408
+ > ${issueTypeString} - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
4409
+ > Mobb recommends to ignore this issue, however fix is available if you think differently.
5944
4410
 
5945
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/writableFilesystemService.ts
5946
- var writableFilesystemService = {
5947
- requireWriteAccess: {
5948
- content: () => "Does the container require writable filesystem access?",
5949
- description: () => "",
5950
- guidance: () => `If the container requires writable filesystem access, setting the filesystem as readonly might harm the container functionality.`
5951
- }
5952
- };
5953
4411
 
5954
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
5955
- var vulnerabilities18 = {
5956
- ["PORT_ALL_INTERFACES"]: portAllInterfaces,
5957
- ["WRITABLE_FILESYSTEM_SERVICE"]: writableFilesystemService,
5958
- ["NO_NEW_PRIVILEGES"]: noNewPrivileges
4412
+ ## Justification
4413
+ ${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
4414
+ `;
4415
+ }
4416
+ const catalogEntry = getIssueTypeCatalogEntry(issueType);
4417
+ if (catalogEntry?.issueDescription) {
4418
+ description += `## Issue description
4419
+ ${catalogEntry.issueDescription}
4420
+ `;
4421
+ }
4422
+ }
4423
+ return description;
5959
4424
  };
5960
- var yaml_default = vulnerabilities18;
5961
4425
 
5962
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
5963
- var StoredQuestionDataItemZ = z3.object({
5964
- content: z3.function().args(z3.any()).returns(z3.string()),
5965
- description: z3.function().args(z3.any()).returns(z3.string()),
5966
- guidance: z3.function().args(z3.any()).returns(z3.string())
5967
- });
5968
- var languages2 = {
5969
- ["Java" /* Java */]: java_default2,
5970
- ["JavaScript" /* JavaScript */]: js_default,
5971
- ["XML" /* Xml */]: xml_default2,
5972
- ["CSharp" /* CSharp */]: csharp_default2,
5973
- ["Python" /* Python */]: python_default2,
5974
- ["Go" /* Go */]: go_default2,
5975
- ["Cpp" /* Cpp */]: cpp_default,
5976
- ["YAML" /* Yaml */]: yaml_default
5977
- };
5978
- var storedQuestionData_default = languages2;
4426
+ // src/features/analysis/scm/shared/src/index.ts
4427
+ init_getIssueType();
5979
4428
 
5980
4429
  // src/features/analysis/scm/shared/src/guidances.ts
4430
+ init_client_generates();
5981
4431
  function toQuestion(userInput) {
5982
4432
  const { key, defaultValue } = userInput;
5983
4433
  const value = userInput.value || defaultValue;
5984
4434
  return { ...userInput, defaultValue, value, key, error: false };
5985
4435
  }
5986
- function getQuestionInformation({
5987
- fixQuestionData,
5988
- issueType,
5989
- language
5990
- }) {
5991
- const { name, content, description, guidance } = fixQuestionData;
5992
- const storedQuestionDataItem = storedQuestionData_default[language]?.[issueType]?.[name] ?? {
5993
- content: () => "",
5994
- description: () => "",
5995
- guidance: () => ""
5996
- };
5997
- const stored = StoredQuestionDataItemZ.parse(storedQuestionDataItem);
5998
- return {
5999
- content: (args) => content || stored.content(args),
6000
- description: (args) => description || stored.description(args),
6001
- guidance: (args) => guidance || stored.guidance(args)
6002
- };
6003
- }
6004
- function curriedQuestionInformationByQuestion({
6005
- issueType,
6006
- language
6007
- }) {
6008
- return (fixQuestionData) => getQuestionInformation({
6009
- issueType,
6010
- language,
6011
- fixQuestionData
6012
- });
6013
- }
6014
4436
  function getPackageFixGuidance(actionsRequired) {
6015
4437
  const actionRequiredStrings = actionsRequired.map((action) => {
6016
4438
  if (action.language === "JS" /* Js */) {
@@ -6045,64 +4467,20 @@ function getPackageFixGuidance(actionsRequired) {
6045
4467
  return actionRequiredStrings.filter((action) => !!action);
6046
4468
  }
6047
4469
  function getFixGuidances({
6048
- issueType,
6049
- issueLanguage,
6050
- fixExtraContext,
6051
- questions
4470
+ fixExtraContext
6052
4471
  }) {
6053
- const storedFixGuidanceDataItem = languages[issueLanguage || ""]?.[issueType || ""] ?? {};
6054
- const storeFixResult = StoredFixDataItemZ.safeParse(storedFixGuidanceDataItem);
6055
4472
  const libGuidances = getPackageFixGuidance(
6056
4473
  fixExtraContext.manifestActionsRequired
6057
4474
  );
6058
- const extraContext = fixExtraContext.extraContext.reduce(
6059
- (acc, obj) => {
6060
- acc[obj.key] = obj.value;
6061
- return acc;
6062
- },
6063
- {}
6064
- );
6065
4475
  const servedFixGuidances = fixExtraContext.guidances ?? [];
6066
- const fixGuidance = servedFixGuidances.length > 0 ? servedFixGuidances : storeFixResult.success ? [storeFixResult.data.guidance({ questions, ...extraContext })] : [];
6067
- return libGuidances.concat(fixGuidance).filter((guidance) => !!guidance);
4476
+ return libGuidances.concat(servedFixGuidances).filter((guidance) => !!guidance);
6068
4477
  }
6069
- var IssueTypeAndLanguageZ = z4.object({
6070
- issueType: SafeIssueTypeStringZ,
6071
- issueLanguage: z4.nativeEnum(IssueLanguage_Enum)
6072
- });
6073
4478
  function getGuidances(args) {
6074
- const safeIssueTypeAndLanguage = IssueTypeAndLanguageZ.safeParse({
6075
- issueType: args.issueType,
6076
- issueLanguage: args.issueLanguage
6077
- });
6078
- if (!safeIssueTypeAndLanguage.success) {
6079
- return [];
6080
- }
6081
4479
  const { questions, fixExtraContext } = args;
6082
- const { issueType, issueLanguage } = safeIssueTypeAndLanguage.data;
6083
- const fixGuidances = getFixGuidances({
6084
- issueType,
6085
- issueLanguage,
6086
- fixExtraContext,
6087
- questions
6088
- }).map((guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` }));
6089
- return questions.map((question) => {
6090
- let questionGuidance = question.guidance;
6091
- if (!questionGuidance && issueType && issueLanguage) {
6092
- const getFixInformation = curriedQuestionInformationByQuestion({
6093
- issueType,
6094
- language: issueLanguage
6095
- });
6096
- const { guidance } = getFixInformation(question);
6097
- questionGuidance = guidance({
6098
- userInputValue: question.value
6099
- });
6100
- }
6101
- return {
6102
- ...question,
6103
- guidance: questionGuidance
6104
- };
6105
- }).filter(({ guidance }) => !!guidance).map(({ guidance, key }) => ({ guidance, key })).concat(fixGuidances);
4480
+ const fixGuidances = getFixGuidances({ fixExtraContext }).map(
4481
+ (guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` })
4482
+ );
4483
+ return questions.map((question) => ({ guidance: question.guidance, key: question.key })).filter(({ guidance }) => !!guidance).concat(fixGuidances);
6106
4484
  }
6107
4485
 
6108
4486
  // src/features/analysis/scm/shared/src/index.ts
@@ -6134,19 +4512,19 @@ function getIssueUrl({
6134
4512
  init_validations();
6135
4513
 
6136
4514
  // src/features/analysis/scm/types.ts
6137
- import { z as z12 } from "zod";
4515
+ import { z as z9 } from "zod";
6138
4516
  var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
6139
4517
  ReferenceType2["BRANCH"] = "BRANCH";
6140
4518
  ReferenceType2["COMMIT"] = "COMMIT";
6141
4519
  ReferenceType2["TAG"] = "TAG";
6142
4520
  return ReferenceType2;
6143
4521
  })(ReferenceType || {});
6144
- var GithubFullShaZ = z12.string().regex(/^[a-f0-9]{40}$/);
6145
- var MergedPrSurvivalMetadataZ = z12.object({
6146
- mergeCommitShas: z12.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
4522
+ var GithubFullShaZ = z9.string().regex(/^[a-f0-9]{40}$/);
4523
+ var MergedPrSurvivalMetadataZ = z9.object({
4524
+ mergeCommitShas: z9.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
6147
4525
  message: "mergeCommitShas must contain unique SHAs"
6148
4526
  }),
6149
- targetBranch: z12.string().min(1)
4527
+ targetBranch: z9.string().min(1)
6150
4528
  });
6151
4529
  var ScmLibScmType = /* @__PURE__ */ ((ScmLibScmType2) => {
6152
4530
  ScmLibScmType2["GITHUB"] = "GITHUB";
@@ -6173,10 +4551,10 @@ var scmTypeToScmLibScmType = {
6173
4551
  ["Ado" /* Ado */]: "ADO" /* ADO */,
6174
4552
  ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
6175
4553
  };
6176
- var GetReferenceResultZ = z12.object({
6177
- date: z12.date().optional(),
6178
- sha: z12.string(),
6179
- type: z12.nativeEnum(ReferenceType)
4554
+ var GetReferenceResultZ = z9.object({
4555
+ date: z9.date().optional(),
4556
+ sha: z9.string(),
4557
+ type: z9.nativeEnum(ReferenceType)
6180
4558
  });
6181
4559
 
6182
4560
  // src/features/analysis/scm/utils/scm.ts
@@ -6323,7 +4701,7 @@ function shouldValidateUrl(repoUrl) {
6323
4701
  return repoUrl && isUrlHasPath(repoUrl);
6324
4702
  }
6325
4703
  function isBrokerUrl(url) {
6326
- return z13.string().uuid().safeParse(new URL(url).host).success;
4704
+ return z10.string().uuid().safeParse(new URL(url).host).success;
6327
4705
  }
6328
4706
  function buildAuthorizedRepoUrl(args) {
6329
4707
  const { url, username, password } = args;
@@ -6359,7 +4737,7 @@ function getCloudScmLibTypeFromUrl(url) {
6359
4737
  return void 0;
6360
4738
  }
6361
4739
  function getScmLibTypeFromScmType(scmType) {
6362
- const parsedScmType = z13.nativeEnum(ScmType).parse(scmType);
4740
+ const parsedScmType = z10.nativeEnum(ScmType).parse(scmType);
6363
4741
  return scmTypeToScmLibScmType[parsedScmType];
6364
4742
  }
6365
4743
  function getScmConfig({
@@ -6427,39 +4805,39 @@ init_env();
6427
4805
  import querystring from "querystring";
6428
4806
  import * as api from "azure-devops-node-api";
6429
4807
  import Debug from "debug";
6430
- import { z as z16 } from "zod";
4808
+ import { z as z13 } from "zod";
6431
4809
 
6432
4810
  // src/features/analysis/scm/ado/validation.ts
6433
- import { z as z15 } from "zod";
6434
- var ValidPullRequestStatusZ = z15.union([
6435
- z15.literal(1 /* Active */),
6436
- z15.literal(2 /* Abandoned */),
6437
- z15.literal(3 /* Completed */)
4811
+ import { z as z12 } from "zod";
4812
+ var ValidPullRequestStatusZ = z12.union([
4813
+ z12.literal(1 /* Active */),
4814
+ z12.literal(2 /* Abandoned */),
4815
+ z12.literal(3 /* Completed */)
6438
4816
  ]);
6439
- var AdoAuthResultZ = z15.object({
6440
- access_token: z15.string().min(1),
6441
- token_type: z15.string().min(1),
6442
- refresh_token: z15.string().min(1)
4817
+ var AdoAuthResultZ = z12.object({
4818
+ access_token: z12.string().min(1),
4819
+ token_type: z12.string().min(1),
4820
+ refresh_token: z12.string().min(1)
6443
4821
  });
6444
4822
  var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
6445
- scmOrgs: z15.array(z15.string())
4823
+ scmOrgs: z12.array(z12.string())
6446
4824
  });
6447
- var profileZ = z15.object({
6448
- displayName: z15.string(),
6449
- publicAlias: z15.string().min(1),
6450
- emailAddress: z15.string(),
6451
- coreRevision: z15.number(),
6452
- timeStamp: z15.string(),
6453
- id: z15.string(),
6454
- revision: z15.number()
4825
+ var profileZ = z12.object({
4826
+ displayName: z12.string(),
4827
+ publicAlias: z12.string().min(1),
4828
+ emailAddress: z12.string(),
4829
+ coreRevision: z12.number(),
4830
+ timeStamp: z12.string(),
4831
+ id: z12.string(),
4832
+ revision: z12.number()
6455
4833
  });
6456
- var accountsZ = z15.object({
6457
- count: z15.number(),
6458
- value: z15.array(
6459
- z15.object({
6460
- accountId: z15.string(),
6461
- accountUri: z15.string(),
6462
- accountName: z15.string()
4834
+ var accountsZ = z12.object({
4835
+ count: z12.number(),
4836
+ value: z12.array(
4837
+ z12.object({
4838
+ accountId: z12.string(),
4839
+ accountUri: z12.string(),
4840
+ accountName: z12.string()
6463
4841
  })
6464
4842
  )
6465
4843
  });
@@ -6552,7 +4930,7 @@ async function getAdoConnectData({
6552
4930
  oauthToken: adoTokenInfo.accessToken
6553
4931
  });
6554
4932
  return {
6555
- org: z16.string().parse(org),
4933
+ org: z13.string().parse(org),
6556
4934
  origin: DEFUALT_ADO_ORIGIN
6557
4935
  };
6558
4936
  }
@@ -6638,7 +5016,7 @@ async function getAdoClientParams(params) {
6638
5016
  return {
6639
5017
  tokenType: "PAT" /* PAT */,
6640
5018
  accessToken: adoTokenInfo.accessToken,
6641
- patTokenOrg: z16.string().parse(tokenOrg).toLowerCase(),
5019
+ patTokenOrg: z13.string().parse(tokenOrg).toLowerCase(),
6642
5020
  origin,
6643
5021
  orgName: org.toLowerCase()
6644
5022
  };
@@ -7778,40 +6156,40 @@ import querystring2 from "querystring";
7778
6156
  import * as bitbucketPkgNode from "bitbucket";
7779
6157
  import bitbucketPkg from "bitbucket";
7780
6158
  import Debug2 from "debug";
7781
- import { z as z19 } from "zod";
6159
+ import { z as z16 } from "zod";
7782
6160
 
7783
6161
  // src/features/analysis/scm/bitbucket/validation.ts
7784
- import { z as z18 } from "zod";
7785
- var BitbucketAuthResultZ = z18.object({
7786
- access_token: z18.string(),
7787
- token_type: z18.string(),
7788
- refresh_token: z18.string()
6162
+ import { z as z15 } from "zod";
6163
+ var BitbucketAuthResultZ = z15.object({
6164
+ access_token: z15.string(),
6165
+ token_type: z15.string(),
6166
+ refresh_token: z15.string()
7789
6167
  });
7790
6168
 
7791
6169
  // src/features/analysis/scm/bitbucket/bitbucket.ts
7792
6170
  var debug3 = Debug2("scm:bitbucket");
7793
6171
  var BITBUCKET_HOSTNAME = "bitbucket.org";
7794
- var TokenExpiredErrorZ = z19.object({
7795
- status: z19.number(),
7796
- error: z19.object({
7797
- type: z19.string(),
7798
- error: z19.object({
7799
- message: z19.string()
6172
+ var TokenExpiredErrorZ = z16.object({
6173
+ status: z16.number(),
6174
+ error: z16.object({
6175
+ type: z16.string(),
6176
+ error: z16.object({
6177
+ message: z16.string()
7800
6178
  })
7801
6179
  })
7802
6180
  });
7803
6181
  var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
7804
6182
  var MAX_BITBUCKET_PR_BODY_LENGTH = 32768;
7805
- var BitbucketParseResultZ = z19.object({
7806
- organization: z19.string(),
7807
- repoName: z19.string(),
7808
- hostname: z19.literal(BITBUCKET_HOSTNAME)
6183
+ var BitbucketParseResultZ = z16.object({
6184
+ organization: z16.string(),
6185
+ repoName: z16.string(),
6186
+ hostname: z16.literal(BITBUCKET_HOSTNAME)
7809
6187
  });
7810
- var UserWorkspacePermissionsRepositoriesResponseZ = z19.object({
7811
- values: z19.array(
7812
- z19.object({
7813
- repository: z19.object({
7814
- full_name: z19.string().optional()
6188
+ var UserWorkspacePermissionsRepositoriesResponseZ = z16.object({
6189
+ values: z16.array(
6190
+ z16.object({
6191
+ repository: z16.object({
6192
+ full_name: z16.string().optional()
7815
6193
  }).optional()
7816
6194
  })
7817
6195
  ).optional()
@@ -7874,7 +6252,7 @@ function getBitbucketSdk(params) {
7874
6252
  if (!res.data.values) {
7875
6253
  return [];
7876
6254
  }
7877
- return res.data.values.filter((branch) => !!branch.name).map((branch) => z19.string().parse(branch.name));
6255
+ return res.data.values.filter((branch) => !!branch.name).map((branch) => z16.string().parse(branch.name));
7878
6256
  },
7879
6257
  async getIsUserCollaborator(params2) {
7880
6258
  const { repoUrl } = params2;
@@ -7994,7 +6372,7 @@ function getBitbucketSdk(params) {
7994
6372
  return GetReferenceResultZ.parse({
7995
6373
  sha: tagRes.data.target?.hash,
7996
6374
  type: "TAG" /* TAG */,
7997
- date: new Date(z19.string().parse(tagRes.data.target?.date))
6375
+ date: new Date(z16.string().parse(tagRes.data.target?.date))
7998
6376
  });
7999
6377
  },
8000
6378
  async getBranchRef(params2) {
@@ -8002,7 +6380,7 @@ function getBitbucketSdk(params) {
8002
6380
  return GetReferenceResultZ.parse({
8003
6381
  sha: getBranchRes.target?.hash,
8004
6382
  type: "BRANCH" /* BRANCH */,
8005
- date: new Date(z19.string().parse(getBranchRes.target?.date))
6383
+ date: new Date(z16.string().parse(getBranchRes.target?.date))
8006
6384
  });
8007
6385
  },
8008
6386
  async getCommitRef(params2) {
@@ -8010,13 +6388,13 @@ function getBitbucketSdk(params) {
8010
6388
  return GetReferenceResultZ.parse({
8011
6389
  sha: getCommitRes.hash,
8012
6390
  type: "COMMIT" /* COMMIT */,
8013
- date: new Date(z19.string().parse(getCommitRes.date))
6391
+ date: new Date(z16.string().parse(getCommitRes.date))
8014
6392
  });
8015
6393
  },
8016
6394
  async getDownloadUrl({ url, sha }) {
8017
6395
  this.getReferenceData({ ref: sha, url });
8018
6396
  const repoRes = await this.getRepo({ repoUrl: url });
8019
- const parsedRepoUrl = z19.string().url().parse(repoRes.links?.html?.href);
6397
+ const parsedRepoUrl = z16.string().url().parse(repoRes.links?.html?.href);
8020
6398
  return `${parsedRepoUrl}/get/${sha}.zip`;
8021
6399
  },
8022
6400
  async getPullRequest(params2) {
@@ -8174,7 +6552,7 @@ async function validateBitbucketParams(params) {
8174
6552
  }
8175
6553
  async function getUsersWorkspacesSlugs(bitbucketClient) {
8176
6554
  const res = await bitbucketClient.workspaces.getWorkspaces({});
8177
- return res.data.values?.map((v) => z19.string().parse(v.slug));
6555
+ return res.data.values?.map((v) => z16.string().parse(v.slug));
8178
6556
  }
8179
6557
  async function getAllUsersRepositories(bitbucketClient) {
8180
6558
  const userWorkspacesSlugs = await getUsersWorkspacesSlugs(bitbucketClient);
@@ -8202,11 +6580,11 @@ async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
8202
6580
 
8203
6581
  // src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
8204
6582
  import { setTimeout as setTimeout3 } from "timers/promises";
8205
- import { z as z20 } from "zod";
6583
+ import { z as z17 } from "zod";
8206
6584
  var BITBUCKET_API_TOKEN_GIT_USERNAME = "x-bitbucket-api-token-auth";
8207
6585
  function getUserAndPassword(token) {
8208
6586
  const [username, password] = token.split(":");
8209
- const safePasswordAndUsername = z20.object({ username: z20.string(), password: z20.string() }).parse({ username, password });
6587
+ const safePasswordAndUsername = z17.object({ username: z17.string(), password: z17.string() }).parse({ username, password });
8210
6588
  return {
8211
6589
  username: safePasswordAndUsername.username,
8212
6590
  password: safePasswordAndUsername.password
@@ -8282,7 +6660,7 @@ var BitbucketSCMLib = class extends SCMLib {
8282
6660
  return { username, password, authType };
8283
6661
  }
8284
6662
  case "token": {
8285
- return { authType, token: z20.string().parse(this.accessToken) };
6663
+ return { authType, token: z17.string().parse(this.accessToken) };
8286
6664
  }
8287
6665
  case "public":
8288
6666
  return { authType };
@@ -8296,7 +6674,7 @@ var BitbucketSCMLib = class extends SCMLib {
8296
6674
  ...params,
8297
6675
  repoUrl: this.url
8298
6676
  });
8299
- return String(z20.number().parse(pullRequestRes.id));
6677
+ return String(z17.number().parse(pullRequestRes.id));
8300
6678
  } catch (e) {
8301
6679
  console.warn(
8302
6680
  `error creating pull request for BB. Try number ${String(i + 1).replace(/\n|\r/g, "")}`,
@@ -8381,7 +6759,7 @@ var BitbucketSCMLib = class extends SCMLib {
8381
6759
  async getUsername() {
8382
6760
  this._validateAccessToken();
8383
6761
  const res = await this.bitbucketSdk.getUser();
8384
- return z20.string().parse(res["username"]);
6762
+ return z17.string().parse(res["username"]);
8385
6763
  }
8386
6764
  async getSubmitRequestStatus(_scmSubmitRequestId) {
8387
6765
  this._validateAccessTokenAndUrl();
@@ -8407,7 +6785,7 @@ var BitbucketSCMLib = class extends SCMLib {
8407
6785
  async getRepoDefaultBranch() {
8408
6786
  this._validateUrl();
8409
6787
  const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
8410
- return z20.string().parse(repoRes.mainbranch?.name);
6788
+ return z17.string().parse(repoRes.mainbranch?.name);
8411
6789
  }
8412
6790
  getSubmitRequestUrl(submitRequestId) {
8413
6791
  this._validateUrl();
@@ -8575,7 +6953,7 @@ init_env();
8575
6953
 
8576
6954
  // src/features/analysis/scm/github/GithubSCMLib.ts
8577
6955
  import pLimit3 from "p-limit";
8578
- import { z as z21 } from "zod";
6956
+ import { z as z18 } from "zod";
8579
6957
  init_client_generates();
8580
6958
 
8581
6959
  // src/features/analysis/scm/github/github.ts
@@ -9743,7 +8121,7 @@ var GithubSCMLib = class extends SCMLib {
9743
8121
  owner,
9744
8122
  repo
9745
8123
  });
9746
- return z21.string().parse(prRes.data);
8124
+ return z18.string().parse(prRes.data);
9747
8125
  }
9748
8126
  async getRepoList(_scmOrg) {
9749
8127
  this._validateAccessToken();
@@ -10370,11 +8748,11 @@ import {
10370
8748
  init_env();
10371
8749
 
10372
8750
  // src/features/analysis/scm/gitlab/types.ts
10373
- import { z as z22 } from "zod";
10374
- var GitlabAuthResultZ = z22.object({
10375
- access_token: z22.string(),
10376
- token_type: z22.string(),
10377
- refresh_token: z22.string()
8751
+ import { z as z19 } from "zod";
8752
+ var GitlabAuthResultZ = z19.object({
8753
+ access_token: z19.string(),
8754
+ token_type: z19.string(),
8755
+ refresh_token: z19.string()
10378
8756
  });
10379
8757
 
10380
8758
  // src/features/analysis/scm/gitlab/gitlab.ts
@@ -10589,8 +8967,8 @@ async function getGitlabProjectLanguages({
10589
8967
  }) {
10590
8968
  try {
10591
8969
  const api2 = getGitBeaker({ url, gitlabAuthToken: accessToken });
10592
- const languages3 = await api2.Projects.showLanguages(projectId);
10593
- return Object.keys(languages3);
8970
+ const languages = await api2.Projects.showLanguages(projectId);
8971
+ return Object.keys(languages);
10594
8972
  } catch (e) {
10595
8973
  debug4(
10596
8974
  "[getGitlabProjectLanguages] Failed for project %d: %s",
@@ -11592,7 +9970,7 @@ var GitlabSCMLib = class extends SCMLib {
11592
9970
  };
11593
9971
 
11594
9972
  // src/features/analysis/scm/scmFactory.ts
11595
- import { z as z23 } from "zod";
9973
+ import { z as z20 } from "zod";
11596
9974
 
11597
9975
  // src/features/analysis/scm/StubSCMLib.ts
11598
9976
  var StubSCMLib = class extends SCMLib {
@@ -11745,7 +10123,7 @@ async function createScmLib({ url, accessToken, scmType, scmOrg }, {
11745
10123
  if (e instanceof InvalidRepoUrlError && url) {
11746
10124
  throw new RepoNoTokenAccessError(
11747
10125
  "no access to repo",
11748
- scmLibScmTypeToScmType[z23.nativeEnum(ScmLibScmType).parse(scmType)]
10126
+ scmLibScmTypeToScmType[z20.nativeEnum(ScmLibScmType).parse(scmType)]
11749
10127
  );
11750
10128
  }
11751
10129
  console.error(`error validating scm: ${scmType} `, e);
@@ -12352,7 +10730,7 @@ import path6 from "path";
12352
10730
  import chalk from "chalk";
12353
10731
  import Debug4 from "debug";
12354
10732
  import * as dotenv from "dotenv";
12355
- import { z as z24 } from "zod";
10733
+ import { z as z21 } from "zod";
12356
10734
  var debug5 = Debug4("mobbdev:constants");
12357
10735
  var runtimeConfigPath = path6.join(
12358
10736
  getModuleRootDir(),
@@ -12399,17 +10777,17 @@ var scannerToVulnerabilityReportVendorEnum = {
12399
10777
  [SCANNERS.Datadog]: "datadog" /* Datadog */,
12400
10778
  [SCANNERS.BlackDuck]: "blackDuck" /* BlackDuck */
12401
10779
  };
12402
- var SupportedScannersZ = z24.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
12403
- var envVariablesSchema = z24.object({
10780
+ var SupportedScannersZ = z21.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
10781
+ var envVariablesSchema = z21.object({
12404
10782
  // These have safe defaults for production - the VS Code extension passes explicit URLs
12405
- WEB_APP_URL: z24.string().optional().default(DEFAULT_WEB_APP_URL),
12406
- API_URL: z24.string().optional().default(DEFAULT_API_URL),
10783
+ WEB_APP_URL: z21.string().optional().default(DEFAULT_WEB_APP_URL),
10784
+ API_URL: z21.string().optional().default(DEFAULT_API_URL),
12407
10785
  // These are only needed for local development with Hasura
12408
- HASURA_ACCESS_KEY: z24.string().optional().default(""),
12409
- LOCAL_GRAPHQL_ENDPOINT: z24.string().optional().default(""),
10786
+ HASURA_ACCESS_KEY: z21.string().optional().default(""),
10787
+ LOCAL_GRAPHQL_ENDPOINT: z21.string().optional().default(""),
12410
10788
  // Proxy settings
12411
- HTTP_PROXY: z24.string().optional().default(""),
12412
- HTTPS_PROXY: z24.string().optional().default("")
10789
+ HTTP_PROXY: z21.string().optional().default(""),
10790
+ HTTPS_PROXY: z21.string().optional().default("")
12413
10791
  });
12414
10792
  var envVariables = envVariablesSchema.parse(process.env);
12415
10793
  debug5("config %o", envVariables);
@@ -12667,7 +11045,7 @@ import { createSpinner as createSpinner4 } from "nanospinner";
12667
11045
  import fetch4 from "node-fetch";
12668
11046
  import open3 from "open";
12669
11047
  import tmp2 from "tmp";
12670
- import { z as z30 } from "zod";
11048
+ import { z as z27 } from "zod";
12671
11049
 
12672
11050
  // src/commands/AuthManager.ts
12673
11051
  import crypto from "crypto";
@@ -12944,62 +11322,62 @@ init_client_generates();
12944
11322
 
12945
11323
  // src/features/analysis/graphql/types.ts
12946
11324
  init_client_generates();
12947
- import { z as z25 } from "zod";
12948
- var VulnerabilityReportIssueCodeNodeZ = z25.object({
12949
- vulnerabilityReportIssueId: z25.string(),
12950
- path: z25.string(),
12951
- startLine: z25.number(),
12952
- vulnerabilityReportIssue: z25.object({
12953
- fixId: z25.string(),
12954
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
12955
- safeIssueType: z25.string(),
12956
- vulnerabilityReportIssueTags: z25.array(
12957
- z25.object({
12958
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
11325
+ import { z as z22 } from "zod";
11326
+ var VulnerabilityReportIssueCodeNodeZ = z22.object({
11327
+ vulnerabilityReportIssueId: z22.string(),
11328
+ path: z22.string(),
11329
+ startLine: z22.number(),
11330
+ vulnerabilityReportIssue: z22.object({
11331
+ fixId: z22.string(),
11332
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
11333
+ safeIssueType: z22.string(),
11334
+ vulnerabilityReportIssueTags: z22.array(
11335
+ z22.object({
11336
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
12959
11337
  })
12960
11338
  )
12961
11339
  })
12962
11340
  });
12963
- var VulnerabilityReportIssueNoFixCodeNodeZ = z25.object({
12964
- vulnerabilityReportIssues: z25.array(
12965
- z25.object({
12966
- id: z25.string(),
12967
- fixId: z25.string().nullable(),
12968
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
12969
- safeIssueType: z25.string(),
12970
- fpId: z25.string().uuid().nullable(),
12971
- codeNodes: z25.array(
12972
- z25.object({
12973
- path: z25.string(),
12974
- startLine: z25.number()
11341
+ var VulnerabilityReportIssueNoFixCodeNodeZ = z22.object({
11342
+ vulnerabilityReportIssues: z22.array(
11343
+ z22.object({
11344
+ id: z22.string(),
11345
+ fixId: z22.string().nullable(),
11346
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
11347
+ safeIssueType: z22.string(),
11348
+ fpId: z22.string().uuid().nullable(),
11349
+ codeNodes: z22.array(
11350
+ z22.object({
11351
+ path: z22.string(),
11352
+ startLine: z22.number()
12975
11353
  })
12976
11354
  ),
12977
- vulnerabilityReportIssueTags: z25.array(
12978
- z25.object({
12979
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
11355
+ vulnerabilityReportIssueTags: z22.array(
11356
+ z22.object({
11357
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
12980
11358
  })
12981
11359
  )
12982
11360
  })
12983
11361
  )
12984
11362
  });
12985
- var GetVulByNodesMetadataZ = z25.object({
12986
- vulnerabilityReportIssueCodeNodes: z25.array(VulnerabilityReportIssueCodeNodeZ),
12987
- nonFixablePrVuls: z25.object({
12988
- aggregate: z25.object({
12989
- count: z25.number()
11363
+ var GetVulByNodesMetadataZ = z22.object({
11364
+ vulnerabilityReportIssueCodeNodes: z22.array(VulnerabilityReportIssueCodeNodeZ),
11365
+ nonFixablePrVuls: z22.object({
11366
+ aggregate: z22.object({
11367
+ count: z22.number()
12990
11368
  })
12991
11369
  }),
12992
- fixablePrVuls: z25.object({
12993
- aggregate: z25.object({
12994
- count: z25.number()
11370
+ fixablePrVuls: z22.object({
11371
+ aggregate: z22.object({
11372
+ count: z22.number()
12995
11373
  })
12996
11374
  }),
12997
- totalScanVulnerabilities: z25.object({
12998
- aggregate: z25.object({
12999
- count: z25.number()
11375
+ totalScanVulnerabilities: z22.object({
11376
+ aggregate: z22.object({
11377
+ count: z22.number()
13000
11378
  })
13001
11379
  }),
13002
- irrelevantVulnerabilityReportIssue: z25.array(
11380
+ irrelevantVulnerabilityReportIssue: z22.array(
13003
11381
  VulnerabilityReportIssueNoFixCodeNodeZ
13004
11382
  )
13005
11383
  });
@@ -13521,7 +11899,7 @@ import * as os2 from "os";
13521
11899
  import path7 from "path";
13522
11900
  import chalk4 from "chalk";
13523
11901
  import { withFile } from "tmp-promise";
13524
- import z26 from "zod";
11902
+ import z23 from "zod";
13525
11903
 
13526
11904
  // src/commands/handleMobbLogin.ts
13527
11905
  import chalk3 from "chalk";
@@ -14061,8 +12439,8 @@ var defaultLogger2 = {
14061
12439
  }
14062
12440
  }
14063
12441
  };
14064
- var PromptItemZ = z26.object({
14065
- type: z26.enum([
12442
+ var PromptItemZ = z23.object({
12443
+ type: z23.enum([
14066
12444
  "USER_PROMPT",
14067
12445
  "AI_RESPONSE",
14068
12446
  "TOOL_EXECUTION",
@@ -14070,32 +12448,32 @@ var PromptItemZ = z26.object({
14070
12448
  "MCP_TOOL_CALL"
14071
12449
  // MCP (Model Context Protocol) tool invocation
14072
12450
  ]),
14073
- attachedFiles: z26.array(
14074
- z26.object({
14075
- relativePath: z26.string(),
14076
- startLine: z26.number().optional()
12451
+ attachedFiles: z23.array(
12452
+ z23.object({
12453
+ relativePath: z23.string(),
12454
+ startLine: z23.number().optional()
14077
12455
  })
14078
12456
  ).optional(),
14079
- tokens: z26.object({
14080
- inputCount: z26.number(),
14081
- outputCount: z26.number()
12457
+ tokens: z23.object({
12458
+ inputCount: z23.number(),
12459
+ outputCount: z23.number()
14082
12460
  }).optional(),
14083
- text: z26.string().optional(),
14084
- date: z26.date().optional(),
14085
- tool: z26.object({
14086
- name: z26.string(),
14087
- parameters: z26.string(),
14088
- result: z26.string(),
14089
- rawArguments: z26.string().optional(),
14090
- accepted: z26.boolean().optional(),
12461
+ text: z23.string().optional(),
12462
+ date: z23.date().optional(),
12463
+ tool: z23.object({
12464
+ name: z23.string(),
12465
+ parameters: z23.string(),
12466
+ result: z23.string(),
12467
+ rawArguments: z23.string().optional(),
12468
+ accepted: z23.boolean().optional(),
14091
12469
  // MCP-specific fields (only populated for MCP_TOOL_CALL type)
14092
- mcpServer: z26.string().optional(),
12470
+ mcpServer: z23.string().optional(),
14093
12471
  // MCP server name (e.g., "datadog", "mobb-mcp")
14094
- mcpToolName: z26.string().optional()
12472
+ mcpToolName: z23.string().optional()
14095
12473
  // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
14096
12474
  }).optional()
14097
12475
  });
14098
- var PromptItemArrayZ = z26.array(PromptItemZ);
12476
+ var PromptItemArrayZ = z23.array(PromptItemZ);
14099
12477
  var NULL_REPO_STATE = {
14100
12478
  repositoryUrl: null,
14101
12479
  branch: null,
@@ -15033,7 +13411,7 @@ import Debug15 from "debug";
15033
13411
  // src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
15034
13412
  import Debug14 from "debug";
15035
13413
  import parseDiff from "parse-diff";
15036
- import { z as z28 } from "zod";
13414
+ import { z as z25 } from "zod";
15037
13415
 
15038
13416
  // src/features/analysis/utils/by_key.ts
15039
13417
  function keyBy(array, keyBy2) {
@@ -15122,7 +13500,7 @@ var scannerToFriendlyString = {
15122
13500
 
15123
13501
  // src/features/analysis/add_fix_comments_for_pr/utils/buildCommentBody.ts
15124
13502
  import Debug13 from "debug";
15125
- import { z as z27 } from "zod";
13503
+ import { z as z24 } from "zod";
15126
13504
  init_client_generates();
15127
13505
  var debug14 = Debug13("mobbdev:handle-finished-analysis");
15128
13506
  var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
@@ -15168,10 +13546,10 @@ function buildFixCommentBody({
15168
13546
  });
15169
13547
  const issueType = getIssueTypeFriendlyString(fix.safeIssueType);
15170
13548
  const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
15171
- const validFixParseRes = z27.object({
13549
+ const validFixParseRes = z24.object({
15172
13550
  patchAndQuestions: PatchAndQuestionsZ,
15173
- safeIssueLanguage: z27.nativeEnum(IssueLanguage_Enum),
15174
- severityText: z27.nativeEnum(Vulnerability_Severity_Enum),
13551
+ safeIssueLanguage: z24.nativeEnum(IssueLanguage_Enum),
13552
+ severityText: z24.nativeEnum(Vulnerability_Severity_Enum),
15175
13553
  safeIssueType: SafeIssueTypeStringZ
15176
13554
  }).safeParse(fix);
15177
13555
  if (!validFixParseRes.success) {
@@ -15406,7 +13784,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
15406
13784
  });
15407
13785
  const lineAddedRanges = calculateRanges(fileNumbers);
15408
13786
  const fileFilter = {
15409
- path: z28.string().parse(file.to),
13787
+ path: z25.string().parse(file.to),
15410
13788
  ranges: lineAddedRanges.map(([startLine, endLine]) => ({
15411
13789
  endLine,
15412
13790
  startLine
@@ -15718,15 +14096,15 @@ import { globby } from "globby";
15718
14096
  import { isBinary as isBinary2 } from "istextorbinary";
15719
14097
  import { simpleGit as simpleGit3 } from "simple-git";
15720
14098
  import { parseStringPromise } from "xml2js";
15721
- import { z as z29 } from "zod";
14099
+ import { z as z26 } from "zod";
15722
14100
  var debug19 = Debug18("mobbdev:pack");
15723
- var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z29.object({
15724
- properties: z29.object({
15725
- entry: z29.array(
15726
- z29.object({
15727
- _: z29.string(),
15728
- $: z29.object({
15729
- key: z29.string()
14101
+ var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z26.object({
14102
+ properties: z26.object({
14103
+ entry: z26.array(
14104
+ z26.object({
14105
+ _: z26.string(),
14106
+ $: z26.object({
14107
+ key: z26.string()
15730
14108
  })
15731
14109
  })
15732
14110
  )
@@ -16510,7 +14888,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
16510
14888
  spinner: mobbSpinner,
16511
14889
  submitVulnerabilityReportVariables: {
16512
14890
  fixReportId: reportUploadInfo.fixReportId,
16513
- repoUrl: z30.string().parse(repo),
14891
+ repoUrl: z27.string().parse(repo),
16514
14892
  reference,
16515
14893
  projectId,
16516
14894
  vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
@@ -16850,9 +15228,9 @@ async function waitForAnaysisAndReviewPr({
16850
15228
  gqlClient,
16851
15229
  polling
16852
15230
  }) {
16853
- const params = z30.object({
16854
- repo: z30.string().url(),
16855
- githubActionToken: z30.string()
15231
+ const params = z27.object({
15232
+ repo: z27.string().url(),
15233
+ githubActionToken: z27.string()
16856
15234
  }).parse({ repo, githubActionToken });
16857
15235
  const scm = await createScmLib(
16858
15236
  {
@@ -16870,7 +15248,7 @@ async function waitForAnaysisAndReviewPr({
16870
15248
  analysisId: analysisId2,
16871
15249
  gqlClient,
16872
15250
  scm,
16873
- scanner: z30.nativeEnum(SCANNERS).parse(scanner)
15251
+ scanner: z27.nativeEnum(SCANNERS).parse(scanner)
16874
15252
  });
16875
15253
  };
16876
15254
  if (polling) {
@@ -17186,7 +15564,7 @@ async function scanSkill(options) {
17186
15564
  // src/args/validation.ts
17187
15565
  import chalk9 from "chalk";
17188
15566
  import path12 from "path";
17189
- import { z as z31 } from "zod";
15567
+ import { z as z28 } from "zod";
17190
15568
  function throwRepoUrlErrorMessage({
17191
15569
  error,
17192
15570
  repoUrl,
@@ -17203,11 +15581,11 @@ Example:
17203
15581
  )}`;
17204
15582
  throw new CliError(formattedErrorMessage);
17205
15583
  }
17206
- var UrlZ = z31.string({
15584
+ var UrlZ = z28.string({
17207
15585
  invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
17208
15586
  });
17209
15587
  function validateOrganizationId(organizationId) {
17210
- const orgIdValidation = z31.string().uuid().nullish().safeParse(organizationId);
15588
+ const orgIdValidation = z28.string().uuid().nullish().safeParse(organizationId);
17211
15589
  if (!orgIdValidation.success) {
17212
15590
  throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
17213
15591
  }
@@ -19354,7 +17732,7 @@ function createLogger(config2) {
19354
17732
 
19355
17733
  // src/features/claude_code/hook_logger.ts
19356
17734
  var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
19357
- var CLI_VERSION = true ? "1.4.35" : "unknown";
17735
+ var CLI_VERSION = true ? "1.4.36" : "unknown";
19358
17736
  var NAMESPACE = "mobbdev-claude-code-hook-logs";
19359
17737
  var claudeCodeVersion;
19360
17738
  function buildDdTags() {
@@ -20884,150 +19262,151 @@ init_client_generates();
20884
19262
  init_configs();
20885
19263
 
20886
19264
  // src/mcp/types.ts
20887
- import { z as z32 } from "zod";
19265
+ import { z as z29 } from "zod";
20888
19266
  init_client_generates();
20889
- var ScanAndFixVulnerabilitiesToolSchema = z32.object({
20890
- path: z32.string()
19267
+ var ScanAndFixVulnerabilitiesToolSchema = z29.object({
19268
+ path: z29.string()
20891
19269
  });
20892
- var VulnerabilityReportIssueTagSchema = z32.object({
20893
- vulnerability_report_issue_tag_value: z32.nativeEnum(
19270
+ var VulnerabilityReportIssueTagSchema = z29.object({
19271
+ vulnerability_report_issue_tag_value: z29.nativeEnum(
20894
19272
  Vulnerability_Report_Issue_Tag_Enum
20895
19273
  )
20896
19274
  });
20897
- var VulnerabilityReportIssueSchema = z32.object({
20898
- category: z32.any().optional().nullable(),
19275
+ var VulnerabilityReportIssueSchema = z29.object({
19276
+ category: z29.any().optional().nullable(),
20899
19277
  parsedIssueType: SafeIssueTypeStringZ.nullable().optional(),
20900
- parsedSeverity: z32.nativeEnum(Vulnerability_Severity_Enum).nullable().optional(),
20901
- vulnerabilityReportIssueTags: z32.array(VulnerabilityReportIssueTagSchema)
19278
+ parsedSeverity: z29.nativeEnum(Vulnerability_Severity_Enum).nullable().optional(),
19279
+ vulnerabilityReportIssueTags: z29.array(VulnerabilityReportIssueTagSchema)
20902
19280
  });
20903
- var SharedStateSchema = z32.object({
20904
- __typename: z32.literal("fix_shared_state").optional(),
20905
- id: z32.any(),
19281
+ var SharedStateSchema = z29.object({
19282
+ __typename: z29.literal("fix_shared_state").optional(),
19283
+ id: z29.any(),
20906
19284
  // GraphQL uses `any` type for UUID
20907
- downloadedBy: z32.array(z32.any().nullable()).optional().nullable()
19285
+ downloadedBy: z29.array(z29.any().nullable()).optional().nullable()
20908
19286
  });
20909
- var UnstructuredFixExtraContextSchema = z32.object({
20910
- __typename: z32.literal("UnstructuredFixExtraContext").optional(),
20911
- key: z32.string(),
20912
- value: z32.any()
19287
+ var UnstructuredFixExtraContextSchema = z29.object({
19288
+ __typename: z29.literal("UnstructuredFixExtraContext").optional(),
19289
+ key: z29.string(),
19290
+ value: z29.any()
20913
19291
  // GraphQL JSON type
20914
19292
  });
20915
- var FixExtraContextResponseSchema = z32.object({
20916
- __typename: z32.literal("FixExtraContextResponse").optional(),
20917
- extraContext: z32.array(UnstructuredFixExtraContextSchema),
20918
- fixDescription: z32.string()
19293
+ var FixExtraContextResponseSchema = z29.object({
19294
+ __typename: z29.literal("FixExtraContextResponse").optional(),
19295
+ extraContext: z29.array(UnstructuredFixExtraContextSchema),
19296
+ fixDescription: z29.string()
20919
19297
  });
20920
- var FixQuestionSchema = z32.object({
20921
- __typename: z32.literal("FixQuestion").optional(),
20922
- key: z32.string(),
20923
- name: z32.string(),
20924
- defaultValue: z32.string(),
20925
- value: z32.string().nullable().optional(),
20926
- inputType: z32.nativeEnum(FixQuestionInputType),
20927
- options: z32.array(z32.string()),
20928
- index: z32.number(),
20929
- extraContext: z32.array(UnstructuredFixExtraContextSchema),
20930
- // E-2015 PR5: analyzer-served question copy. default('') -> FE falls back when
20931
- // a query omits it, while the output type stays a required string.
20932
- content: z32.string().default(""),
20933
- description: z32.string().default(""),
20934
- guidance: z32.string().default("")
19298
+ var FixQuestionSchema = z29.object({
19299
+ __typename: z29.literal("FixQuestion").optional(),
19300
+ key: z29.string(),
19301
+ name: z29.string(),
19302
+ defaultValue: z29.string(),
19303
+ value: z29.string().nullable().optional(),
19304
+ inputType: z29.nativeEnum(FixQuestionInputType),
19305
+ options: z29.array(z29.string()),
19306
+ index: z29.number(),
19307
+ extraContext: z29.array(UnstructuredFixExtraContextSchema),
19308
+ // E-2015: analyzer-served question text. default('') so a query that omits it
19309
+ // still parses, while the output type stays a required string. The analyzer is
19310
+ // the sole source; consumers use the served value directly (no fallback).
19311
+ content: z29.string().default(""),
19312
+ description: z29.string().default(""),
19313
+ guidance: z29.string().default("")
20935
19314
  });
20936
- var FixDataSchema = z32.object({
20937
- __typename: z32.literal("FixData"),
20938
- patch: z32.string(),
20939
- patchOriginalEncodingBase64: z32.string(),
20940
- questions: z32.array(FixQuestionSchema),
19315
+ var FixDataSchema = z29.object({
19316
+ __typename: z29.literal("FixData"),
19317
+ patch: z29.string(),
19318
+ patchOriginalEncodingBase64: z29.string(),
19319
+ questions: z29.array(FixQuestionSchema),
20941
19320
  extraContext: FixExtraContextResponseSchema
20942
19321
  });
20943
- var GetFixNoFixErrorSchema = z32.object({
20944
- __typename: z32.literal("GetFixNoFixError")
19322
+ var GetFixNoFixErrorSchema = z29.object({
19323
+ __typename: z29.literal("GetFixNoFixError")
20945
19324
  });
20946
- var PatchAndQuestionsSchema = z32.union([FixDataSchema, GetFixNoFixErrorSchema]);
20947
- var McpFixSchema = z32.object({
20948
- __typename: z32.literal("fix").optional(),
20949
- id: z32.any(),
19325
+ var PatchAndQuestionsSchema = z29.union([FixDataSchema, GetFixNoFixErrorSchema]);
19326
+ var McpFixSchema = z29.object({
19327
+ __typename: z29.literal("fix").optional(),
19328
+ id: z29.any(),
20950
19329
  // GraphQL uses `any` type for UUID
20951
- confidence: z32.number(),
20952
- safeIssueType: z32.string().nullable(),
20953
- safeIssueLanguage: z32.string().nullable().optional(),
20954
- severityText: z32.string().nullable(),
20955
- gitBlameLogin: z32.string().nullable().optional(),
19330
+ confidence: z29.number(),
19331
+ safeIssueType: z29.string().nullable(),
19332
+ safeIssueLanguage: z29.string().nullable().optional(),
19333
+ severityText: z29.string().nullable(),
19334
+ gitBlameLogin: z29.string().nullable().optional(),
20956
19335
  // Optional in GraphQL
20957
- severityValue: z32.number().nullable(),
20958
- vulnerabilityReportIssues: z32.array(VulnerabilityReportIssueSchema),
19336
+ severityValue: z29.number().nullable(),
19337
+ vulnerabilityReportIssues: z29.array(VulnerabilityReportIssueSchema),
20959
19338
  sharedState: SharedStateSchema.nullable().optional(),
20960
19339
  // Optional in GraphQL
20961
19340
  patchAndQuestions: PatchAndQuestionsSchema,
20962
19341
  // Additional field added by the client
20963
- fixUrl: z32.string().optional()
19342
+ fixUrl: z29.string().optional()
20964
19343
  });
20965
- var FixAggregateSchema = z32.object({
20966
- __typename: z32.literal("fix_aggregate").optional(),
20967
- aggregate: z32.object({
20968
- __typename: z32.literal("fix_aggregate_fields").optional(),
20969
- count: z32.number()
19344
+ var FixAggregateSchema = z29.object({
19345
+ __typename: z29.literal("fix_aggregate").optional(),
19346
+ aggregate: z29.object({
19347
+ __typename: z29.literal("fix_aggregate_fields").optional(),
19348
+ count: z29.number()
20970
19349
  }).nullable()
20971
19350
  });
20972
- var VulnerabilityReportIssueAggregateSchema = z32.object({
20973
- __typename: z32.literal("vulnerability_report_issue_aggregate").optional(),
20974
- aggregate: z32.object({
20975
- __typename: z32.literal("vulnerability_report_issue_aggregate_fields").optional(),
20976
- count: z32.number()
19351
+ var VulnerabilityReportIssueAggregateSchema = z29.object({
19352
+ __typename: z29.literal("vulnerability_report_issue_aggregate").optional(),
19353
+ aggregate: z29.object({
19354
+ __typename: z29.literal("vulnerability_report_issue_aggregate_fields").optional(),
19355
+ count: z29.number()
20977
19356
  }).nullable()
20978
19357
  });
20979
- var RepoSchema = z32.object({
20980
- __typename: z32.literal("repo").optional(),
20981
- originalUrl: z32.string()
19358
+ var RepoSchema = z29.object({
19359
+ __typename: z29.literal("repo").optional(),
19360
+ originalUrl: z29.string()
20982
19361
  });
20983
- var ProjectSchema = z32.object({
20984
- id: z32.any(),
19362
+ var ProjectSchema = z29.object({
19363
+ id: z29.any(),
20985
19364
  // GraphQL uses `any` type for UUID
20986
- organizationId: z32.any()
19365
+ organizationId: z29.any()
20987
19366
  // GraphQL uses `any` type for UUID
20988
19367
  });
20989
- var VulnerabilityReportSchema = z32.object({
20990
- scanDate: z32.any().nullable(),
19368
+ var VulnerabilityReportSchema = z29.object({
19369
+ scanDate: z29.any().nullable(),
20991
19370
  // GraphQL uses `any` type for timestamp
20992
- vendor: z32.string(),
19371
+ vendor: z29.string(),
20993
19372
  // GraphQL generates as string, not enum
20994
- projectId: z32.any().optional(),
19373
+ projectId: z29.any().optional(),
20995
19374
  // GraphQL uses `any` type for UUID
20996
19375
  project: ProjectSchema,
20997
19376
  totalVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema,
20998
19377
  notFixableVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema
20999
19378
  });
21000
- var FixReportSummarySchema = z32.object({
21001
- __typename: z32.literal("fixReport").optional(),
21002
- id: z32.any(),
19379
+ var FixReportSummarySchema = z29.object({
19380
+ __typename: z29.literal("fixReport").optional(),
19381
+ id: z29.any(),
21003
19382
  // GraphQL uses `any` type for UUID
21004
- createdOn: z32.any(),
19383
+ createdOn: z29.any(),
21005
19384
  // GraphQL uses `any` type for timestamp
21006
19385
  repo: RepoSchema.nullable(),
21007
- issueTypes: z32.any().nullable(),
19386
+ issueTypes: z29.any().nullable(),
21008
19387
  // GraphQL uses `any` type for JSON
21009
19388
  CRITICAL: FixAggregateSchema,
21010
19389
  HIGH: FixAggregateSchema,
21011
19390
  MEDIUM: FixAggregateSchema,
21012
19391
  LOW: FixAggregateSchema,
21013
- fixes: z32.array(McpFixSchema),
21014
- userFixes: z32.array(McpFixSchema).optional(),
19392
+ fixes: z29.array(McpFixSchema),
19393
+ userFixes: z29.array(McpFixSchema).optional(),
21015
19394
  // Present in some responses but can be omitted
21016
19395
  filteredFixesCount: FixAggregateSchema,
21017
19396
  totalFixesCount: FixAggregateSchema,
21018
19397
  vulnerabilityReport: VulnerabilityReportSchema
21019
19398
  });
21020
- var ExpiredReportSchema = z32.object({
21021
- __typename: z32.literal("fixReport").optional(),
21022
- id: z32.any(),
19399
+ var ExpiredReportSchema = z29.object({
19400
+ __typename: z29.literal("fixReport").optional(),
19401
+ id: z29.any(),
21023
19402
  // GraphQL uses `any` type for UUID
21024
- expirationOn: z32.any().nullable()
19403
+ expirationOn: z29.any().nullable()
21025
19404
  // GraphQL uses `any` type for timestamp
21026
19405
  });
21027
- var GetLatestReportByRepoUrlResponseSchema = z32.object({
21028
- __typename: z32.literal("query_root").optional(),
21029
- fixReport: z32.array(FixReportSummarySchema),
21030
- expiredReport: z32.array(ExpiredReportSchema)
19406
+ var GetLatestReportByRepoUrlResponseSchema = z29.object({
19407
+ __typename: z29.literal("query_root").optional(),
19408
+ fixReport: z29.array(FixReportSummarySchema),
19409
+ expiredReport: z29.array(ExpiredReportSchema)
21031
19410
  });
21032
19411
 
21033
19412
  // src/mcp/services/InteractiveFixFilter.ts
@@ -22837,10 +21216,10 @@ var McpServer = class {
22837
21216
  };
22838
21217
 
22839
21218
  // src/mcp/prompts/CheckForNewVulnerabilitiesPrompt.ts
22840
- import { z as z34 } from "zod";
21219
+ import { z as z31 } from "zod";
22841
21220
 
22842
21221
  // src/mcp/prompts/base/BasePrompt.ts
22843
- import { z as z33 } from "zod";
21222
+ import { z as z30 } from "zod";
22844
21223
  var BasePrompt = class {
22845
21224
  getDefinition() {
22846
21225
  return {
@@ -22869,7 +21248,7 @@ var BasePrompt = class {
22869
21248
  const argsToValidate = args === void 0 ? {} : args;
22870
21249
  return this.argumentsValidationSchema.parse(argsToValidate);
22871
21250
  } catch (error) {
22872
- if (error instanceof z33.ZodError) {
21251
+ if (error instanceof z30.ZodError) {
22873
21252
  const errorDetails = error.errors.map((e) => {
22874
21253
  const fieldPath = e.path.length > 0 ? e.path.join(".") : "root";
22875
21254
  const message = e.message === "Required" ? `Missing required argument '${fieldPath}'` : `Invalid value for '${fieldPath}': ${e.message}`;
@@ -22898,8 +21277,8 @@ var BasePrompt = class {
22898
21277
  };
22899
21278
 
22900
21279
  // src/mcp/prompts/CheckForNewVulnerabilitiesPrompt.ts
22901
- var CheckForNewVulnerabilitiesArgsSchema = z34.object({
22902
- path: z34.string().optional()
21280
+ var CheckForNewVulnerabilitiesArgsSchema = z31.object({
21281
+ path: z31.string().optional()
22903
21282
  });
22904
21283
  var CheckForNewVulnerabilitiesPrompt = class extends BasePrompt {
22905
21284
  constructor() {
@@ -23144,9 +21523,9 @@ Call the \`check_for_new_available_fixes\` tool now${args?.path ? ` for ${args.p
23144
21523
  };
23145
21524
 
23146
21525
  // src/mcp/prompts/FullSecurityAuditPrompt.ts
23147
- import { z as z35 } from "zod";
23148
- var FullSecurityAuditArgsSchema = z35.object({
23149
- path: z35.string().optional()
21526
+ import { z as z32 } from "zod";
21527
+ var FullSecurityAuditArgsSchema = z32.object({
21528
+ path: z32.string().optional()
23150
21529
  });
23151
21530
  var FullSecurityAuditPrompt = class extends BasePrompt {
23152
21531
  constructor() {
@@ -23597,9 +21976,9 @@ Begin the audit now${args?.path ? ` for ${args.path}` : ""}.
23597
21976
  };
23598
21977
 
23599
21978
  // src/mcp/prompts/ReviewAndFixCriticalPrompt.ts
23600
- import { z as z36 } from "zod";
23601
- var ReviewAndFixCriticalArgsSchema = z36.object({
23602
- path: z36.string().optional()
21979
+ import { z as z33 } from "zod";
21980
+ var ReviewAndFixCriticalArgsSchema = z33.object({
21981
+ path: z33.string().optional()
23603
21982
  });
23604
21983
  var ReviewAndFixCriticalPrompt = class extends BasePrompt {
23605
21984
  constructor() {
@@ -23903,9 +22282,9 @@ Start by scanning${args?.path ? ` ${args.path}` : " the repository"} and priorit
23903
22282
  };
23904
22283
 
23905
22284
  // src/mcp/prompts/ScanRecentChangesPrompt.ts
23906
- import { z as z37 } from "zod";
23907
- var ScanRecentChangesArgsSchema = z37.object({
23908
- path: z37.string().optional()
22285
+ import { z as z34 } from "zod";
22286
+ var ScanRecentChangesArgsSchema = z34.object({
22287
+ path: z34.string().optional()
23909
22288
  });
23910
22289
  var ScanRecentChangesPrompt = class extends BasePrompt {
23911
22290
  constructor() {
@@ -24116,9 +22495,9 @@ You now have the guidance needed to perform a fast, targeted security scan of re
24116
22495
  };
24117
22496
 
24118
22497
  // src/mcp/prompts/ScanRepositoryPrompt.ts
24119
- import { z as z38 } from "zod";
24120
- var ScanRepositoryArgsSchema = z38.object({
24121
- path: z38.string().optional()
22498
+ import { z as z35 } from "zod";
22499
+ var ScanRepositoryArgsSchema = z35.object({
22500
+ path: z35.string().optional()
24122
22501
  });
24123
22502
  var ScanRepositoryPrompt = class extends BasePrompt {
24124
22503
  constructor() {
@@ -24516,7 +22895,7 @@ import * as os15 from "os";
24516
22895
  import * as path29 from "path";
24517
22896
 
24518
22897
  // src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
24519
- import { z as z40 } from "zod";
22898
+ import { z as z37 } from "zod";
24520
22899
 
24521
22900
  // src/mcp/services/PathValidation.ts
24522
22901
  import fs21 from "fs";
@@ -24592,7 +22971,7 @@ async function validatePath(inputPath) {
24592
22971
  }
24593
22972
 
24594
22973
  // src/mcp/tools/base/BaseTool.ts
24595
- import { z as z39 } from "zod";
22974
+ import { z as z36 } from "zod";
24596
22975
  var BaseTool = class {
24597
22976
  getDefinition() {
24598
22977
  return {
@@ -24619,7 +22998,7 @@ var BaseTool = class {
24619
22998
  try {
24620
22999
  return this.inputValidationSchema.parse(args);
24621
23000
  } catch (error) {
24622
- if (error instanceof z39.ZodError) {
23001
+ if (error instanceof z36.ZodError) {
24623
23002
  const errorDetails = error.errors.map((e) => {
24624
23003
  const fieldPath = e.path.length > 0 ? e.path.join(".") : "root";
24625
23004
  const message = e.message === "Required" ? `Missing required parameter '${fieldPath}'` : `Invalid value for '${fieldPath}': ${e.message}`;
@@ -24658,39 +23037,12 @@ function friendlyType(s) {
24658
23037
  var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
24659
23038
  `;
24660
23039
  var resolveQuestionText = ({
24661
- fix,
24662
23040
  question
24663
23041
  }) => {
24664
- if (question.content || question.description) {
24665
- return {
24666
- content: question.content || question.name,
24667
- description: question.description ?? ""
24668
- };
24669
- }
24670
- const language = fix.safeIssueLanguage ?? void 0;
24671
- const issueType = fix.safeIssueType ?? void 0;
24672
- if (!language || !issueType) {
24673
- return { content: question.name, description: "" };
24674
- }
24675
- const item = storedQuestionData_default[language]?.[issueType]?.[question.name];
24676
- if (!item) {
24677
- return { content: question.name, description: "" };
24678
- }
24679
- const args = question.extraContext.reduce(
24680
- (acc, ctx) => {
24681
- acc[ctx.key] = ctx.value;
24682
- return acc;
24683
- },
24684
- {}
24685
- );
24686
- try {
24687
- return {
24688
- content: item.content(args) || question.name,
24689
- description: item.description(args) || ""
24690
- };
24691
- } catch {
24692
- return { content: question.name, description: "" };
24693
- }
23042
+ return {
23043
+ content: question.content || question.name,
23044
+ description: question.description ?? ""
23045
+ };
24694
23046
  };
24695
23047
  var formatQuestionInputContract = (question) => {
24696
23048
  switch (question.inputType) {
@@ -24707,7 +23059,7 @@ var renderInteractiveFix = (fix, index) => {
24707
23059
  const { questions, extraContext } = fix.patchAndQuestions;
24708
23060
  const vulnerabilityType = friendlyType(fix.safeIssueType ?? "Unknown");
24709
23061
  const questionsBlock = questions.slice().sort((a, b) => a.index - b.index).map((q, qIdx) => {
24710
- const { content, description } = resolveQuestionText({ fix, question: q });
23062
+ const { content, description } = resolveQuestionText({ question: q });
24711
23063
  const desc = description ? `
24712
23064
  *Why it matters:* ${description}` : "";
24713
23065
  const defaultLine = q.defaultValue ? `
@@ -28224,8 +26576,8 @@ Example payload:
28224
26576
  },
28225
26577
  required: ["path"]
28226
26578
  });
28227
- __publicField(this, "inputValidationSchema", z40.object({
28228
- path: z40.string().describe(
26579
+ __publicField(this, "inputValidationSchema", z37.object({
26580
+ path: z37.string().describe(
28229
26581
  "Full local path to the cloned git repository to check for new available fixes"
28230
26582
  )
28231
26583
  }));
@@ -28255,7 +26607,7 @@ Example payload:
28255
26607
 
28256
26608
  // src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesTool.ts
28257
26609
  init_GitService();
28258
- import { z as z41 } from "zod";
26610
+ import { z as z38 } from "zod";
28259
26611
 
28260
26612
  // src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesService.ts
28261
26613
  init_configs();
@@ -28401,16 +26753,16 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
28401
26753
  },
28402
26754
  required: ["path"]
28403
26755
  });
28404
- __publicField(this, "inputValidationSchema", z41.object({
28405
- path: z41.string().describe(
26756
+ __publicField(this, "inputValidationSchema", z38.object({
26757
+ path: z38.string().describe(
28406
26758
  "Full local path to the cloned git repository to check for available fixes"
28407
26759
  ),
28408
- offset: z41.number().optional().describe("Optional offset for pagination"),
28409
- limit: z41.number().optional().describe("Optional maximum number of fixes to return"),
28410
- fileFilter: z41.array(z41.string()).optional().describe(
26760
+ offset: z38.number().optional().describe("Optional offset for pagination"),
26761
+ limit: z38.number().optional().describe("Optional maximum number of fixes to return"),
26762
+ fileFilter: z38.array(z38.string()).optional().describe(
28411
26763
  "Optional list of file paths relative to the path parameter to filter fixes by. INCOMPATIBLE with fetchFixesFromAnyFile"
28412
26764
  ),
28413
- fetchFixesFromAnyFile: z41.boolean().optional().describe(
26765
+ fetchFixesFromAnyFile: z38.boolean().optional().describe(
28414
26766
  "Optional boolean to fetch fixes for all files. INCOMPATIBLE with fileFilter"
28415
26767
  )
28416
26768
  }));
@@ -28476,7 +26828,7 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
28476
26828
  };
28477
26829
 
28478
26830
  // src/mcp/tools/mcpChecker/mcpCheckerTool.ts
28479
- import z42 from "zod";
26831
+ import z39 from "zod";
28480
26832
 
28481
26833
  // src/mcp/tools/mcpChecker/mcpCheckerService.ts
28482
26834
  var _McpCheckerService = class _McpCheckerService {
@@ -28537,7 +26889,7 @@ var McpCheckerTool = class extends BaseTool {
28537
26889
  __publicField(this, "displayName", "MCP Checker");
28538
26890
  // A detailed description to guide the LLM on when and how to invoke this tool.
28539
26891
  __publicField(this, "description", "Check the MCP servers running on this IDE against organization policies.");
28540
- __publicField(this, "inputValidationSchema", z42.object({}));
26892
+ __publicField(this, "inputValidationSchema", z39.object({}));
28541
26893
  __publicField(this, "inputSchema", {
28542
26894
  type: "object",
28543
26895
  properties: {},
@@ -28563,7 +26915,7 @@ var McpCheckerTool = class extends BaseTool {
28563
26915
  };
28564
26916
 
28565
26917
  // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesTool.ts
28566
- import z43 from "zod";
26918
+ import z40 from "zod";
28567
26919
  init_configs();
28568
26920
 
28569
26921
  // src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesService.ts
@@ -28943,26 +27295,26 @@ Example payload (Mode B \u2014 abstain from every interactive fix, no rescan):
28943
27295
  "interactiveAnswers": []
28944
27296
  }`);
28945
27297
  __publicField(this, "hasAuthentication", true);
28946
- __publicField(this, "inputValidationSchema", z43.object({
28947
- path: z43.string().describe(
27298
+ __publicField(this, "inputValidationSchema", z40.object({
27299
+ path: z40.string().describe(
28948
27300
  "Full local path to repository to scan and fix vulnerabilities"
28949
27301
  ),
28950
- offset: z43.number().optional().describe("Optional offset for pagination"),
28951
- limit: z43.number().optional().describe("Optional maximum number of results to return"),
28952
- maxFiles: z43.number().optional().describe(
27302
+ offset: z40.number().optional().describe("Optional offset for pagination"),
27303
+ limit: z40.number().optional().describe("Optional maximum number of results to return"),
27304
+ maxFiles: z40.number().optional().describe(
28953
27305
  `Optional maximum number of files to scan (default: ${MCP_DEFAULT_MAX_FILES_TO_SCAN}). Increase for comprehensive scans of larger codebases or decrease for faster focused scans.`
28954
27306
  ),
28955
- rescan: z43.boolean().optional().describe("Optional whether to rescan the repository"),
28956
- scanRecentlyChangedFiles: z43.boolean().optional().describe(
27307
+ rescan: z40.boolean().optional().describe("Optional whether to rescan the repository"),
27308
+ scanRecentlyChangedFiles: z40.boolean().optional().describe(
28957
27309
  "Optional whether to automatically scan recently changed files when no changed files are found in git status. If false, the tool will prompt the user instead."
28958
27310
  ),
28959
- interactiveAnswers: z43.array(
28960
- z43.object({
28961
- fixId: z43.string().min(1).describe('Fix id from a previous "Interactive fix" prompt block.'),
28962
- answers: z43.array(
28963
- z43.object({
28964
- key: z43.string().min(1).describe("FixQuestion key."),
28965
- value: z43.string().describe(
27311
+ interactiveAnswers: z40.array(
27312
+ z40.object({
27313
+ fixId: z40.string().min(1).describe('Fix id from a previous "Interactive fix" prompt block.'),
27314
+ answers: z40.array(
27315
+ z40.object({
27316
+ key: z40.string().min(1).describe("FixQuestion key."),
27317
+ value: z40.string().describe(
28966
27318
  "For SELECT questions MUST be one of the listed options; for TEXT/NUMBER, a free-form value."
28967
27319
  )
28968
27320
  })
@@ -29325,7 +27677,7 @@ async function addScmTokenHandler(args) {
29325
27677
  }
29326
27678
 
29327
27679
  // src/features/codeium_intellij/data_collector.ts
29328
- import { z as z44 } from "zod";
27680
+ import { z as z41 } from "zod";
29329
27681
 
29330
27682
  // src/utils/read-stdin.ts
29331
27683
  import { setTimeout as setTimeout4 } from "timers";
@@ -29442,12 +27794,12 @@ function promisifyClient(client) {
29442
27794
  }
29443
27795
  });
29444
27796
  }
29445
- async function getGrpcClient(port, csrf3) {
27797
+ async function getGrpcClient(port, csrf) {
29446
27798
  const client = promisifyClient(
29447
27799
  new PROTO.exa.language_server_pb.LanguageServerService(
29448
27800
  `localhost:${port}`,
29449
27801
  grpc.credentials.createInsecure(),
29450
- { interceptors: [createCsrfInterceptor(csrf3)] }
27802
+ { interceptors: [createCsrfInterceptor(csrf)] }
29451
27803
  )
29452
27804
  );
29453
27805
  try {
@@ -29527,8 +27879,8 @@ function findRunningCodeiumLanguageServers() {
29527
27879
  }
29528
27880
 
29529
27881
  // src/features/codeium_intellij/data_collector.ts
29530
- var HookDataSchema = z44.object({
29531
- trajectory_id: z44.string()
27882
+ var HookDataSchema = z41.object({
27883
+ trajectory_id: z41.string()
29532
27884
  });
29533
27885
  async function processAndUploadHookData() {
29534
27886
  const tracePayload = await getTraceDataForHook();