mobbdev 1.4.35 → 1.4.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/args/commands/upload_ai_blame.mjs +246 -1799
- package/dist/index.mjs +1061 -2709
- package/package.json +1 -1
package/dist/index.mjs
CHANGED
|
@@ -1377,26 +1377,26 @@ var init_getIssueType = __esm({
|
|
|
1377
1377
|
});
|
|
1378
1378
|
|
|
1379
1379
|
// src/features/analysis/scm/shared/src/types/shared.ts
|
|
1380
|
-
import { z as
|
|
1380
|
+
import { z as z2 } from "zod";
|
|
1381
1381
|
var ParsedSeverityZ, ScmSubmitFixRequestsZ;
|
|
1382
1382
|
var init_shared = __esm({
|
|
1383
1383
|
"src/features/analysis/scm/shared/src/types/shared.ts"() {
|
|
1384
1384
|
"use strict";
|
|
1385
1385
|
init_client_generates();
|
|
1386
|
-
ParsedSeverityZ =
|
|
1387
|
-
ScmSubmitFixRequestsZ =
|
|
1388
|
-
|
|
1389
|
-
scmSubmitFixRequest:
|
|
1390
|
-
submitFixRequest:
|
|
1391
|
-
createdByUser:
|
|
1392
|
-
email:
|
|
1386
|
+
ParsedSeverityZ = z2.nativeEnum(Vulnerability_Severity_Enum).nullish().transform((i) => i ?? "low" /* Low */);
|
|
1387
|
+
ScmSubmitFixRequestsZ = z2.array(
|
|
1388
|
+
z2.object({
|
|
1389
|
+
scmSubmitFixRequest: z2.object({
|
|
1390
|
+
submitFixRequest: z2.object({
|
|
1391
|
+
createdByUser: z2.object({
|
|
1392
|
+
email: z2.string()
|
|
1393
1393
|
}),
|
|
1394
|
-
targetBranchName:
|
|
1394
|
+
targetBranchName: z2.string().default("")
|
|
1395
1395
|
}),
|
|
1396
|
-
prUrl:
|
|
1397
|
-
prStatus:
|
|
1398
|
-
commitUrl:
|
|
1399
|
-
scmId:
|
|
1396
|
+
prUrl: z2.string().nullable(),
|
|
1397
|
+
prStatus: z2.nativeEnum(Pr_Status_Enum).nullable(),
|
|
1398
|
+
commitUrl: z2.string().nullable(),
|
|
1399
|
+
scmId: z2.string()
|
|
1400
1400
|
})
|
|
1401
1401
|
})
|
|
1402
1402
|
);
|
|
@@ -1404,105 +1404,106 @@ var init_shared = __esm({
|
|
|
1404
1404
|
});
|
|
1405
1405
|
|
|
1406
1406
|
// src/features/analysis/scm/shared/src/types/fix.ts
|
|
1407
|
-
import { z as
|
|
1407
|
+
import { z as z3 } from "zod";
|
|
1408
1408
|
var PackageInfoZ, ManifestActionRequiredZ, ExtraContextInternalZ, FixExtraContextZ, PatchAndQuestionsZ, FixRatingZ, IssueRatingZ, IssueSharedStateZ, FixSharedStateZ, FixQueryZ, FixPartsForFixScreenZ;
|
|
1409
1409
|
var init_fix = __esm({
|
|
1410
1410
|
"src/features/analysis/scm/shared/src/types/fix.ts"() {
|
|
1411
1411
|
"use strict";
|
|
1412
1412
|
init_client_generates();
|
|
1413
1413
|
init_shared();
|
|
1414
|
-
PackageInfoZ =
|
|
1415
|
-
name:
|
|
1416
|
-
version:
|
|
1417
|
-
envName:
|
|
1418
|
-
});
|
|
1419
|
-
ManifestActionRequiredZ =
|
|
1420
|
-
action:
|
|
1421
|
-
language:
|
|
1414
|
+
PackageInfoZ = z3.object({
|
|
1415
|
+
name: z3.string(),
|
|
1416
|
+
version: z3.string(),
|
|
1417
|
+
envName: z3.string().nullable()
|
|
1418
|
+
});
|
|
1419
|
+
ManifestActionRequiredZ = z3.object({
|
|
1420
|
+
action: z3.nativeEnum(ManifestAction),
|
|
1421
|
+
language: z3.nativeEnum(Language),
|
|
1422
1422
|
lib: PackageInfoZ,
|
|
1423
1423
|
typesLib: PackageInfoZ.nullable()
|
|
1424
1424
|
});
|
|
1425
|
-
ExtraContextInternalZ =
|
|
1426
|
-
key:
|
|
1427
|
-
value:
|
|
1428
|
-
|
|
1429
|
-
int:
|
|
1430
|
-
integer:
|
|
1431
|
-
string:
|
|
1432
|
-
date:
|
|
1425
|
+
ExtraContextInternalZ = z3.object({
|
|
1426
|
+
key: z3.string(),
|
|
1427
|
+
value: z3.string().or(z3.boolean()).or(
|
|
1428
|
+
z3.object({
|
|
1429
|
+
int: z3.boolean(),
|
|
1430
|
+
integer: z3.boolean(),
|
|
1431
|
+
string: z3.boolean(),
|
|
1432
|
+
date: z3.boolean()
|
|
1433
1433
|
})
|
|
1434
1434
|
)
|
|
1435
1435
|
});
|
|
1436
|
-
FixExtraContextZ =
|
|
1437
|
-
fixDescription:
|
|
1438
|
-
manifestActionsRequired:
|
|
1439
|
-
extraContext:
|
|
1440
|
-
// E-2015
|
|
1436
|
+
FixExtraContextZ = z3.object({
|
|
1437
|
+
fixDescription: z3.string(),
|
|
1438
|
+
manifestActionsRequired: z3.array(ManifestActionRequiredZ),
|
|
1439
|
+
extraContext: z3.array(ExtraContextInternalZ),
|
|
1440
|
+
// E-2015: analyzer-served fix-level guidance. default([]) so a query that
|
|
1441
1441
|
// omits it still parses, while the output type is a required string[] to match
|
|
1442
|
-
// the non-null GraphQL field.
|
|
1443
|
-
|
|
1444
|
-
|
|
1445
|
-
|
|
1446
|
-
|
|
1447
|
-
|
|
1448
|
-
|
|
1449
|
-
|
|
1450
|
-
|
|
1451
|
-
|
|
1452
|
-
|
|
1453
|
-
|
|
1454
|
-
|
|
1455
|
-
|
|
1456
|
-
|
|
1457
|
-
|
|
1458
|
-
|
|
1459
|
-
|
|
1460
|
-
//
|
|
1461
|
-
// the output type stays a required
|
|
1462
|
-
// fields.
|
|
1463
|
-
|
|
1464
|
-
|
|
1465
|
-
|
|
1442
|
+
// the non-null GraphQL field. The analyzer is the sole source; getFixGuidances
|
|
1443
|
+
// uses the served value directly (no fallback).
|
|
1444
|
+
guidances: z3.array(z3.string()).default([])
|
|
1445
|
+
});
|
|
1446
|
+
PatchAndQuestionsZ = z3.object({
|
|
1447
|
+
__typename: z3.literal("FixData"),
|
|
1448
|
+
patch: z3.string(),
|
|
1449
|
+
patchOriginalEncodingBase64: z3.string(),
|
|
1450
|
+
questions: z3.array(
|
|
1451
|
+
z3.object({
|
|
1452
|
+
name: z3.string(),
|
|
1453
|
+
key: z3.string(),
|
|
1454
|
+
index: z3.number(),
|
|
1455
|
+
defaultValue: z3.string(),
|
|
1456
|
+
value: z3.string().nullable(),
|
|
1457
|
+
extraContext: z3.array(ExtraContextInternalZ),
|
|
1458
|
+
inputType: z3.nativeEnum(FixQuestionInputType),
|
|
1459
|
+
options: z3.array(z3.string()),
|
|
1460
|
+
// E-2015: analyzer-served question text. default('') so a query that
|
|
1461
|
+
// omits these still parses (-> ''), while the output type stays a required
|
|
1462
|
+
// `string` to match the non-null GraphQL fields. The analyzer is the sole
|
|
1463
|
+
// source; consumers use the served value directly (no fallback).
|
|
1464
|
+
content: z3.string().default(""),
|
|
1465
|
+
description: z3.string().default(""),
|
|
1466
|
+
guidance: z3.string().default("")
|
|
1466
1467
|
})
|
|
1467
1468
|
),
|
|
1468
1469
|
extraContext: FixExtraContextZ
|
|
1469
1470
|
});
|
|
1470
|
-
FixRatingZ =
|
|
1471
|
-
voteScore:
|
|
1472
|
-
fixRatingTag:
|
|
1473
|
-
comment:
|
|
1474
|
-
updatedDate:
|
|
1475
|
-
user:
|
|
1476
|
-
email:
|
|
1477
|
-
name:
|
|
1471
|
+
FixRatingZ = z3.object({
|
|
1472
|
+
voteScore: z3.number(),
|
|
1473
|
+
fixRatingTag: z3.nativeEnum(Fix_Rating_Tag_Enum).nullable().default(null),
|
|
1474
|
+
comment: z3.string().nullable().default(null),
|
|
1475
|
+
updatedDate: z3.string().nullable(),
|
|
1476
|
+
user: z3.object({
|
|
1477
|
+
email: z3.string(),
|
|
1478
|
+
name: z3.string()
|
|
1478
1479
|
})
|
|
1479
1480
|
});
|
|
1480
|
-
IssueRatingZ =
|
|
1481
|
-
voteScore:
|
|
1482
|
-
comment:
|
|
1483
|
-
updatedDate:
|
|
1484
|
-
user:
|
|
1485
|
-
email:
|
|
1486
|
-
name:
|
|
1481
|
+
IssueRatingZ = z3.object({
|
|
1482
|
+
voteScore: z3.number(),
|
|
1483
|
+
comment: z3.string().nullable().default(null),
|
|
1484
|
+
updatedDate: z3.string().nullable(),
|
|
1485
|
+
user: z3.object({
|
|
1486
|
+
email: z3.string(),
|
|
1487
|
+
name: z3.string()
|
|
1487
1488
|
})
|
|
1488
1489
|
});
|
|
1489
|
-
IssueSharedStateZ =
|
|
1490
|
-
id:
|
|
1491
|
-
createdAt:
|
|
1492
|
-
isArchived:
|
|
1493
|
-
ticketIntegrationId:
|
|
1494
|
-
ticketIntegrations:
|
|
1495
|
-
|
|
1496
|
-
url:
|
|
1490
|
+
IssueSharedStateZ = z3.object({
|
|
1491
|
+
id: z3.string(),
|
|
1492
|
+
createdAt: z3.string(),
|
|
1493
|
+
isArchived: z3.boolean(),
|
|
1494
|
+
ticketIntegrationId: z3.string().nullable(),
|
|
1495
|
+
ticketIntegrations: z3.array(
|
|
1496
|
+
z3.object({
|
|
1497
|
+
url: z3.string()
|
|
1497
1498
|
})
|
|
1498
1499
|
),
|
|
1499
|
-
issueRatings:
|
|
1500
|
+
issueRatings: z3.array(IssueRatingZ).default([])
|
|
1500
1501
|
}).nullable();
|
|
1501
|
-
FixSharedStateZ =
|
|
1502
|
-
state:
|
|
1503
|
-
isArchived:
|
|
1502
|
+
FixSharedStateZ = z3.object({
|
|
1503
|
+
state: z3.nativeEnum(Fix_State_Enum),
|
|
1504
|
+
isArchived: z3.boolean(),
|
|
1504
1505
|
scmSubmitFixRequests: ScmSubmitFixRequestsZ,
|
|
1505
|
-
fixRatings:
|
|
1506
|
+
fixRatings: z3.array(FixRatingZ).default([])
|
|
1506
1507
|
}).nullish().transform(
|
|
1507
1508
|
(data) => data ? data : {
|
|
1508
1509
|
state: "Ready" /* Ready */,
|
|
@@ -1511,46 +1512,46 @@ var init_fix = __esm({
|
|
|
1511
1512
|
fixRatings: []
|
|
1512
1513
|
}
|
|
1513
1514
|
);
|
|
1514
|
-
FixQueryZ =
|
|
1515
|
-
__typename:
|
|
1516
|
-
id:
|
|
1515
|
+
FixQueryZ = z3.object({
|
|
1516
|
+
__typename: z3.literal("fix").optional(),
|
|
1517
|
+
id: z3.string().uuid(),
|
|
1517
1518
|
sharedState: FixSharedStateZ,
|
|
1518
|
-
modifiedBy:
|
|
1519
|
-
gitBlameLogin:
|
|
1520
|
-
safeIssueLanguage:
|
|
1521
|
-
safeIssueType:
|
|
1522
|
-
confidence:
|
|
1523
|
-
fixReportId:
|
|
1524
|
-
isExpired:
|
|
1525
|
-
fixFiles:
|
|
1526
|
-
|
|
1527
|
-
fileRepoRelativePath:
|
|
1519
|
+
modifiedBy: z3.string().nullable(),
|
|
1520
|
+
gitBlameLogin: z3.string().nullable(),
|
|
1521
|
+
safeIssueLanguage: z3.string(),
|
|
1522
|
+
safeIssueType: z3.string(),
|
|
1523
|
+
confidence: z3.number(),
|
|
1524
|
+
fixReportId: z3.string().uuid(),
|
|
1525
|
+
isExpired: z3.boolean().default(false),
|
|
1526
|
+
fixFiles: z3.array(
|
|
1527
|
+
z3.object({
|
|
1528
|
+
fileRepoRelativePath: z3.string()
|
|
1528
1529
|
})
|
|
1529
1530
|
),
|
|
1530
|
-
numberOfVulnerabilityIssues:
|
|
1531
|
-
severityText:
|
|
1532
|
-
vulnerabilityReportIssues:
|
|
1533
|
-
|
|
1534
|
-
vendorIssueId:
|
|
1535
|
-
issueLanguage:
|
|
1531
|
+
numberOfVulnerabilityIssues: z3.number(),
|
|
1532
|
+
severityText: z3.nativeEnum(Vulnerability_Severity_Enum),
|
|
1533
|
+
vulnerabilityReportIssues: z3.array(
|
|
1534
|
+
z3.object({
|
|
1535
|
+
vendorIssueId: z3.string(),
|
|
1536
|
+
issueLanguage: z3.string(),
|
|
1536
1537
|
parsedSeverity: ParsedSeverityZ,
|
|
1537
|
-
sharedState:
|
|
1538
|
-
id:
|
|
1539
|
-
isArchived:
|
|
1540
|
-
ticketIntegrationId:
|
|
1538
|
+
sharedState: z3.object({
|
|
1539
|
+
id: z3.string().uuid(),
|
|
1540
|
+
isArchived: z3.boolean(),
|
|
1541
|
+
ticketIntegrationId: z3.string().uuid().nullable()
|
|
1541
1542
|
}).nullable()
|
|
1542
1543
|
})
|
|
1543
1544
|
),
|
|
1544
1545
|
patchAndQuestions: PatchAndQuestionsZ,
|
|
1545
|
-
effortToApplyFix:
|
|
1546
|
+
effortToApplyFix: z3.nativeEnum(Effort_To_Apply_Fix_Enum).nullable()
|
|
1546
1547
|
});
|
|
1547
1548
|
FixPartsForFixScreenZ = FixQueryZ.merge(
|
|
1548
|
-
|
|
1549
|
-
vulnerabilityReportIssues:
|
|
1550
|
-
|
|
1551
|
-
vendorIssueId:
|
|
1552
|
-
issueType:
|
|
1553
|
-
issueLanguage:
|
|
1549
|
+
z3.object({
|
|
1550
|
+
vulnerabilityReportIssues: z3.array(
|
|
1551
|
+
z3.object({
|
|
1552
|
+
vendorIssueId: z3.string(),
|
|
1553
|
+
issueType: z3.string(),
|
|
1554
|
+
issueLanguage: z3.string(),
|
|
1554
1555
|
sharedState: IssueSharedStateZ
|
|
1555
1556
|
})
|
|
1556
1557
|
)
|
|
@@ -1560,24 +1561,24 @@ var init_fix = __esm({
|
|
|
1560
1561
|
});
|
|
1561
1562
|
|
|
1562
1563
|
// src/features/analysis/scm/shared/src/types/analysis.ts
|
|
1563
|
-
import { z as
|
|
1564
|
+
import { z as z4 } from "zod";
|
|
1564
1565
|
var FixPageFixReportZ;
|
|
1565
1566
|
var init_analysis = __esm({
|
|
1566
1567
|
"src/features/analysis/scm/shared/src/types/analysis.ts"() {
|
|
1567
1568
|
"use strict";
|
|
1568
1569
|
init_client_generates();
|
|
1569
1570
|
init_client_generates();
|
|
1570
|
-
FixPageFixReportZ =
|
|
1571
|
-
id:
|
|
1572
|
-
analysisUrl:
|
|
1573
|
-
createdOn:
|
|
1574
|
-
state:
|
|
1575
|
-
repo:
|
|
1576
|
-
name:
|
|
1577
|
-
originalUrl:
|
|
1578
|
-
reference:
|
|
1579
|
-
commitSha:
|
|
1580
|
-
isKnownBranch:
|
|
1571
|
+
FixPageFixReportZ = z4.object({
|
|
1572
|
+
id: z4.string().uuid(),
|
|
1573
|
+
analysisUrl: z4.string(),
|
|
1574
|
+
createdOn: z4.string(),
|
|
1575
|
+
state: z4.nativeEnum(Fix_Report_State_Enum),
|
|
1576
|
+
repo: z4.object({
|
|
1577
|
+
name: z4.string().nullable(),
|
|
1578
|
+
originalUrl: z4.string(),
|
|
1579
|
+
reference: z4.string(),
|
|
1580
|
+
commitSha: z4.string(),
|
|
1581
|
+
isKnownBranch: z4.boolean().nullish().default(true)
|
|
1581
1582
|
}).nullable().transform(
|
|
1582
1583
|
(repo) => repo ?? {
|
|
1583
1584
|
name: null,
|
|
@@ -1587,13 +1588,13 @@ var init_analysis = __esm({
|
|
|
1587
1588
|
isKnownBranch: true
|
|
1588
1589
|
}
|
|
1589
1590
|
),
|
|
1590
|
-
vulnerabilityReport:
|
|
1591
|
-
id:
|
|
1592
|
-
vendor:
|
|
1593
|
-
computedVendor:
|
|
1594
|
-
projectId:
|
|
1595
|
-
project:
|
|
1596
|
-
organizationId:
|
|
1591
|
+
vulnerabilityReport: z4.object({
|
|
1592
|
+
id: z4.string().uuid(),
|
|
1593
|
+
vendor: z4.nativeEnum(Vulnerability_Report_Vendor_Enum),
|
|
1594
|
+
computedVendor: z4.nativeEnum(Vulnerability_Report_Vendor_Enum),
|
|
1595
|
+
projectId: z4.string().uuid(),
|
|
1596
|
+
project: z4.object({
|
|
1597
|
+
organizationId: z4.string().uuid()
|
|
1597
1598
|
})
|
|
1598
1599
|
})
|
|
1599
1600
|
});
|
|
@@ -1601,7 +1602,7 @@ var init_analysis = __esm({
|
|
|
1601
1602
|
});
|
|
1602
1603
|
|
|
1603
1604
|
// src/features/analysis/scm/shared/src/types/issue.ts
|
|
1604
|
-
import { z as
|
|
1605
|
+
import { z as z5 } from "zod";
|
|
1605
1606
|
var MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES, VulnerabilityReportIssueRatingZ, VulnerabilityReportIssueSharedStateZ, BaseIssuePartsZ, FalsePositivePartsZ, UnfixablePartsZ, IssuePartsWithFixZ, IssuePartsFpZ, GeneralIssueZ, IssuePartsZ, GetIssueIndexesZ, GetIssueScreenDataZ, IssueBucketZ, mapCategoryToBucket, mapBucketTypeToCategory;
|
|
1606
1607
|
var init_issue = __esm({
|
|
1607
1608
|
"src/features/analysis/scm/shared/src/types/issue.ts"() {
|
|
@@ -1611,57 +1612,57 @@ var init_issue = __esm({
|
|
|
1611
1612
|
init_fix();
|
|
1612
1613
|
init_shared();
|
|
1613
1614
|
MAX_SOURCE_CODE_FILE_SIZE_IN_BYTES = 1e5;
|
|
1614
|
-
VulnerabilityReportIssueRatingZ =
|
|
1615
|
-
voteScore:
|
|
1616
|
-
comment:
|
|
1617
|
-
updatedDate:
|
|
1618
|
-
user:
|
|
1619
|
-
email:
|
|
1620
|
-
name:
|
|
1615
|
+
VulnerabilityReportIssueRatingZ = z5.object({
|
|
1616
|
+
voteScore: z5.number(),
|
|
1617
|
+
comment: z5.string().nullable().default(null),
|
|
1618
|
+
updatedDate: z5.string().nullable(),
|
|
1619
|
+
user: z5.object({
|
|
1620
|
+
email: z5.string(),
|
|
1621
|
+
name: z5.string()
|
|
1621
1622
|
})
|
|
1622
1623
|
});
|
|
1623
|
-
VulnerabilityReportIssueSharedStateZ =
|
|
1624
|
-
id:
|
|
1625
|
-
createdAt:
|
|
1626
|
-
isArchived:
|
|
1627
|
-
ticketIntegrationId:
|
|
1628
|
-
ticketIntegrations:
|
|
1629
|
-
|
|
1630
|
-
url:
|
|
1624
|
+
VulnerabilityReportIssueSharedStateZ = z5.object({
|
|
1625
|
+
id: z5.string().uuid(),
|
|
1626
|
+
createdAt: z5.string(),
|
|
1627
|
+
isArchived: z5.boolean(),
|
|
1628
|
+
ticketIntegrationId: z5.string().uuid().nullable(),
|
|
1629
|
+
ticketIntegrations: z5.array(
|
|
1630
|
+
z5.object({
|
|
1631
|
+
url: z5.string()
|
|
1631
1632
|
})
|
|
1632
1633
|
),
|
|
1633
|
-
issueRatings:
|
|
1634
|
+
issueRatings: z5.array(VulnerabilityReportIssueRatingZ).default([])
|
|
1634
1635
|
}).nullish();
|
|
1635
|
-
BaseIssuePartsZ =
|
|
1636
|
-
id:
|
|
1637
|
-
safeIssueType:
|
|
1638
|
-
safeIssueLanguage:
|
|
1639
|
-
createdAt:
|
|
1636
|
+
BaseIssuePartsZ = z5.object({
|
|
1637
|
+
id: z5.string().uuid(),
|
|
1638
|
+
safeIssueType: z5.string(),
|
|
1639
|
+
safeIssueLanguage: z5.string(),
|
|
1640
|
+
createdAt: z5.string(),
|
|
1640
1641
|
parsedSeverity: ParsedSeverityZ,
|
|
1641
|
-
category:
|
|
1642
|
-
extraData:
|
|
1643
|
-
missing_files:
|
|
1644
|
-
error_files:
|
|
1645
|
-
ai_cost_limit_exceeded:
|
|
1642
|
+
category: z5.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
1643
|
+
extraData: z5.object({
|
|
1644
|
+
missing_files: z5.string().array().nullish(),
|
|
1645
|
+
error_files: z5.string().array().nullish(),
|
|
1646
|
+
ai_cost_limit_exceeded: z5.string().nullish()
|
|
1646
1647
|
}),
|
|
1647
|
-
vulnerabilityReportIssueTags:
|
|
1648
|
-
|
|
1649
|
-
tag:
|
|
1648
|
+
vulnerabilityReportIssueTags: z5.array(
|
|
1649
|
+
z5.object({
|
|
1650
|
+
tag: z5.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
|
|
1650
1651
|
})
|
|
1651
1652
|
),
|
|
1652
|
-
codeNodes:
|
|
1653
|
-
|
|
1654
|
-
path:
|
|
1655
|
-
line:
|
|
1656
|
-
index:
|
|
1653
|
+
codeNodes: z5.array(
|
|
1654
|
+
z5.object({
|
|
1655
|
+
path: z5.string(),
|
|
1656
|
+
line: z5.number(),
|
|
1657
|
+
index: z5.number()
|
|
1657
1658
|
})
|
|
1658
1659
|
).transform((nodes) => nodes.sort((a, b) => b.index - a.index)),
|
|
1659
|
-
sourceCodeNodes:
|
|
1660
|
-
|
|
1661
|
-
sourceCodeFile:
|
|
1662
|
-
path:
|
|
1663
|
-
signedFile:
|
|
1664
|
-
url:
|
|
1660
|
+
sourceCodeNodes: z5.array(
|
|
1661
|
+
z5.object({
|
|
1662
|
+
sourceCodeFile: z5.object({
|
|
1663
|
+
path: z5.string(),
|
|
1664
|
+
signedFile: z5.object({
|
|
1665
|
+
url: z5.string()
|
|
1665
1666
|
})
|
|
1666
1667
|
})
|
|
1667
1668
|
}).transform(async ({ sourceCodeFile }) => {
|
|
@@ -1677,71 +1678,71 @@ var init_issue = __esm({
|
|
|
1677
1678
|
})
|
|
1678
1679
|
).transform((nodes) => nodes.filter((node) => node !== null)),
|
|
1679
1680
|
fix: FixPartsForFixScreenZ.nullish(),
|
|
1680
|
-
vulnerabilityReportIssueNodeDiffFile:
|
|
1681
|
-
signedFile:
|
|
1682
|
-
url:
|
|
1681
|
+
vulnerabilityReportIssueNodeDiffFile: z5.object({
|
|
1682
|
+
signedFile: z5.object({
|
|
1683
|
+
url: z5.string()
|
|
1683
1684
|
}).transform(async ({ url }) => {
|
|
1684
1685
|
const codeDiff = await fetch(url).then((res) => res.text());
|
|
1685
1686
|
return { codeDiff };
|
|
1686
1687
|
})
|
|
1687
1688
|
}).nullish(),
|
|
1688
1689
|
sharedState: VulnerabilityReportIssueSharedStateZ,
|
|
1689
|
-
unfixableId:
|
|
1690
|
+
unfixableId: z5.string().uuid().nullish()
|
|
1690
1691
|
});
|
|
1691
|
-
FalsePositivePartsZ =
|
|
1692
|
-
extraContext:
|
|
1693
|
-
fixDescription:
|
|
1692
|
+
FalsePositivePartsZ = z5.object({
|
|
1693
|
+
extraContext: z5.array(z5.object({ key: z5.string(), value: z5.string() })),
|
|
1694
|
+
fixDescription: z5.string()
|
|
1694
1695
|
});
|
|
1695
|
-
UnfixablePartsZ =
|
|
1696
|
-
extraContext:
|
|
1697
|
-
fixDescription:
|
|
1696
|
+
UnfixablePartsZ = z5.object({
|
|
1697
|
+
extraContext: z5.array(z5.object({ key: z5.string(), value: z5.string() })),
|
|
1698
|
+
fixDescription: z5.string()
|
|
1698
1699
|
});
|
|
1699
1700
|
IssuePartsWithFixZ = BaseIssuePartsZ.merge(
|
|
1700
|
-
|
|
1701
|
-
category:
|
|
1701
|
+
z5.object({
|
|
1702
|
+
category: z5.literal("Irrelevant" /* Irrelevant */),
|
|
1702
1703
|
fix: FixPartsForFixScreenZ.nullish()
|
|
1703
1704
|
})
|
|
1704
1705
|
);
|
|
1705
1706
|
IssuePartsFpZ = BaseIssuePartsZ.merge(
|
|
1706
|
-
|
|
1707
|
-
category:
|
|
1708
|
-
fpId:
|
|
1707
|
+
z5.object({
|
|
1708
|
+
category: z5.literal("FalsePositive" /* FalsePositive */),
|
|
1709
|
+
fpId: z5.string().uuid(),
|
|
1709
1710
|
getFalsePositive: FalsePositivePartsZ
|
|
1710
1711
|
})
|
|
1711
1712
|
);
|
|
1712
1713
|
GeneralIssueZ = BaseIssuePartsZ.merge(
|
|
1713
|
-
|
|
1714
|
-
category:
|
|
1715
|
-
|
|
1716
|
-
|
|
1717
|
-
|
|
1718
|
-
|
|
1719
|
-
|
|
1714
|
+
z5.object({
|
|
1715
|
+
category: z5.union([
|
|
1716
|
+
z5.literal("NoFix" /* NoFix */),
|
|
1717
|
+
z5.literal("Unsupported" /* Unsupported */),
|
|
1718
|
+
z5.literal("Fixable" /* Fixable */),
|
|
1719
|
+
z5.literal("Filtered" /* Filtered */),
|
|
1720
|
+
z5.literal("Pending" /* Pending */)
|
|
1720
1721
|
]),
|
|
1721
1722
|
getUnfixable: UnfixablePartsZ.nullish()
|
|
1722
1723
|
})
|
|
1723
1724
|
);
|
|
1724
|
-
IssuePartsZ =
|
|
1725
|
+
IssuePartsZ = z5.union([
|
|
1725
1726
|
IssuePartsFpZ,
|
|
1726
1727
|
IssuePartsWithFixZ,
|
|
1727
1728
|
GeneralIssueZ
|
|
1728
1729
|
]);
|
|
1729
|
-
GetIssueIndexesZ =
|
|
1730
|
-
currentIndex:
|
|
1731
|
-
totalIssues:
|
|
1732
|
-
nextIssue:
|
|
1733
|
-
id:
|
|
1730
|
+
GetIssueIndexesZ = z5.object({
|
|
1731
|
+
currentIndex: z5.number(),
|
|
1732
|
+
totalIssues: z5.number(),
|
|
1733
|
+
nextIssue: z5.object({
|
|
1734
|
+
id: z5.string().uuid()
|
|
1734
1735
|
}).nullish(),
|
|
1735
|
-
prevIssue:
|
|
1736
|
-
id:
|
|
1736
|
+
prevIssue: z5.object({
|
|
1737
|
+
id: z5.string().uuid()
|
|
1737
1738
|
}).nullish()
|
|
1738
1739
|
});
|
|
1739
|
-
GetIssueScreenDataZ =
|
|
1740
|
+
GetIssueScreenDataZ = z5.object({
|
|
1740
1741
|
fixReport_by_pk: FixPageFixReportZ,
|
|
1741
1742
|
vulnerability_report_issue_by_pk: IssuePartsZ,
|
|
1742
1743
|
issueIndexes: GetIssueIndexesZ
|
|
1743
1744
|
});
|
|
1744
|
-
IssueBucketZ =
|
|
1745
|
+
IssueBucketZ = z5.enum(["fixable", "irrelevant", "remaining"]);
|
|
1745
1746
|
mapCategoryToBucket = {
|
|
1746
1747
|
FalsePositive: "irrelevant",
|
|
1747
1748
|
Irrelevant: "irrelevant",
|
|
@@ -1768,19 +1769,19 @@ var init_issue = __esm({
|
|
|
1768
1769
|
});
|
|
1769
1770
|
|
|
1770
1771
|
// src/features/analysis/scm/shared/src/validations.ts
|
|
1771
|
-
import { z as
|
|
1772
|
+
import { z as z6 } from "zod";
|
|
1772
1773
|
var IssueTypeSettingZ, IssueTypeSettingsZ;
|
|
1773
1774
|
var init_validations = __esm({
|
|
1774
1775
|
"src/features/analysis/scm/shared/src/validations.ts"() {
|
|
1775
1776
|
"use strict";
|
|
1776
1777
|
init_getIssueType();
|
|
1777
1778
|
init_issueTypeCatalog();
|
|
1778
|
-
IssueTypeSettingZ =
|
|
1779
|
-
autoPrEnabled:
|
|
1780
|
-
enabled:
|
|
1779
|
+
IssueTypeSettingZ = z6.object({
|
|
1780
|
+
autoPrEnabled: z6.boolean(),
|
|
1781
|
+
enabled: z6.boolean(),
|
|
1781
1782
|
issueType: SafeIssueTypeStringZ
|
|
1782
1783
|
});
|
|
1783
|
-
IssueTypeSettingsZ =
|
|
1784
|
+
IssueTypeSettingsZ = z6.array(IssueTypeSettingZ).transform((issueTypeSettings) => {
|
|
1784
1785
|
const catalogValues = listIssueTypeCatalog().map((entry) => entry.value);
|
|
1785
1786
|
if (catalogValues.length === 0) {
|
|
1786
1787
|
throw new Error(
|
|
@@ -1805,7 +1806,7 @@ var init_validations = __esm({
|
|
|
1805
1806
|
});
|
|
1806
1807
|
|
|
1807
1808
|
// src/features/analysis/scm/shared/src/types/types.ts
|
|
1808
|
-
import { z as
|
|
1809
|
+
import { z as z7 } from "zod";
|
|
1809
1810
|
var OrganizationScreenQueryParamsZ, ProjectPageQueryParamsZ, AnalysisPageQueryParamsZ, FixPageQueryParamsZ, IssuePageQueryParamsZ, CliLoginPageQueryParamsZ, AnalysisReportDigestedZ, IssueSharedStateZ2, ReportQueryResultZ, ReportFixesQueryFixZ, BaseVulnerabilityReportIssueZ, VulnerabilityReportIssueZ, VulnerabilityReportIssueWithCodeFilePathZ, GetReportIssuesQueryZ, FixReportByProjectZ, FixScreenQueryResultZ, FixPageQueryZ, GetReportFixesQueryZ, GetFixReportStatsQueryZ, ProjectVulnerabilityReport, GetProjectsQueryZ, ProjectPageQueryResultZ, GetProjectMembersDataZ, RepoArgsZ, scmCloudUrl, ScmType, ConvertToSarifInputFileFormat;
|
|
1810
1811
|
var init_types = __esm({
|
|
1811
1812
|
"src/features/analysis/scm/shared/src/types/types.ts"() {
|
|
@@ -1816,117 +1817,117 @@ var init_types = __esm({
|
|
|
1816
1817
|
init_fix();
|
|
1817
1818
|
init_issue();
|
|
1818
1819
|
init_shared();
|
|
1819
|
-
OrganizationScreenQueryParamsZ =
|
|
1820
|
-
organizationId:
|
|
1820
|
+
OrganizationScreenQueryParamsZ = z7.object({
|
|
1821
|
+
organizationId: z7.string().uuid()
|
|
1821
1822
|
});
|
|
1822
|
-
ProjectPageQueryParamsZ =
|
|
1823
|
-
organizationId:
|
|
1824
|
-
projectId:
|
|
1823
|
+
ProjectPageQueryParamsZ = z7.object({
|
|
1824
|
+
organizationId: z7.string().uuid(),
|
|
1825
|
+
projectId: z7.string().uuid()
|
|
1825
1826
|
});
|
|
1826
1827
|
AnalysisPageQueryParamsZ = ProjectPageQueryParamsZ.extend({
|
|
1827
|
-
reportId:
|
|
1828
|
+
reportId: z7.string().uuid()
|
|
1828
1829
|
});
|
|
1829
1830
|
FixPageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
|
|
1830
|
-
fixId:
|
|
1831
|
+
fixId: z7.string().uuid()
|
|
1831
1832
|
});
|
|
1832
1833
|
IssuePageQueryParamsZ = AnalysisPageQueryParamsZ.extend({
|
|
1833
|
-
issueId:
|
|
1834
|
-
});
|
|
1835
|
-
CliLoginPageQueryParamsZ =
|
|
1836
|
-
loginId:
|
|
1837
|
-
});
|
|
1838
|
-
AnalysisReportDigestedZ =
|
|
1839
|
-
id:
|
|
1840
|
-
state:
|
|
1841
|
-
vulnerabilityReport:
|
|
1842
|
-
reportSummaryUrl:
|
|
1843
|
-
scanDate:
|
|
1844
|
-
supported:
|
|
1845
|
-
aggregate:
|
|
1846
|
-
count:
|
|
1834
|
+
issueId: z7.string().uuid()
|
|
1835
|
+
});
|
|
1836
|
+
CliLoginPageQueryParamsZ = z7.object({
|
|
1837
|
+
loginId: z7.string().uuid()
|
|
1838
|
+
});
|
|
1839
|
+
AnalysisReportDigestedZ = z7.object({
|
|
1840
|
+
id: z7.string().uuid(),
|
|
1841
|
+
state: z7.nativeEnum(Fix_Report_State_Enum),
|
|
1842
|
+
vulnerabilityReport: z7.object({
|
|
1843
|
+
reportSummaryUrl: z7.string().url().nullish(),
|
|
1844
|
+
scanDate: z7.string().nullable(),
|
|
1845
|
+
supported: z7.object({
|
|
1846
|
+
aggregate: z7.object({
|
|
1847
|
+
count: z7.number()
|
|
1847
1848
|
})
|
|
1848
1849
|
}),
|
|
1849
|
-
all:
|
|
1850
|
-
aggregate:
|
|
1851
|
-
count:
|
|
1850
|
+
all: z7.object({
|
|
1851
|
+
aggregate: z7.object({
|
|
1852
|
+
count: z7.number()
|
|
1852
1853
|
})
|
|
1853
1854
|
}),
|
|
1854
|
-
vendor:
|
|
1855
|
-
project:
|
|
1856
|
-
organizationId:
|
|
1855
|
+
vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum),
|
|
1856
|
+
project: z7.object({
|
|
1857
|
+
organizationId: z7.string().uuid()
|
|
1857
1858
|
})
|
|
1858
1859
|
})
|
|
1859
1860
|
});
|
|
1860
|
-
IssueSharedStateZ2 =
|
|
1861
|
-
id:
|
|
1862
|
-
createdAt:
|
|
1863
|
-
isArchived:
|
|
1864
|
-
ticketIntegrationId:
|
|
1865
|
-
ticketIntegrations:
|
|
1866
|
-
|
|
1867
|
-
url:
|
|
1861
|
+
IssueSharedStateZ2 = z7.object({
|
|
1862
|
+
id: z7.string().uuid(),
|
|
1863
|
+
createdAt: z7.string(),
|
|
1864
|
+
isArchived: z7.boolean(),
|
|
1865
|
+
ticketIntegrationId: z7.string().uuid().nullable(),
|
|
1866
|
+
ticketIntegrations: z7.array(
|
|
1867
|
+
z7.object({
|
|
1868
|
+
url: z7.string()
|
|
1868
1869
|
})
|
|
1869
1870
|
)
|
|
1870
1871
|
}).nullable();
|
|
1871
|
-
ReportQueryResultZ =
|
|
1872
|
-
fixReport_by_pk:
|
|
1873
|
-
id:
|
|
1874
|
-
analysisUrl:
|
|
1875
|
-
fixesCommitted:
|
|
1876
|
-
aggregate:
|
|
1872
|
+
ReportQueryResultZ = z7.object({
|
|
1873
|
+
fixReport_by_pk: z7.object({
|
|
1874
|
+
id: z7.string().uuid(),
|
|
1875
|
+
analysisUrl: z7.string(),
|
|
1876
|
+
fixesCommitted: z7.object({
|
|
1877
|
+
aggregate: z7.object({ count: z7.number() })
|
|
1877
1878
|
}),
|
|
1878
|
-
fixesDownloaded:
|
|
1879
|
-
aggregate:
|
|
1879
|
+
fixesDownloaded: z7.object({
|
|
1880
|
+
aggregate: z7.object({ count: z7.number() })
|
|
1880
1881
|
}),
|
|
1881
|
-
fixesDoneCount:
|
|
1882
|
-
fixesInprogressCount:
|
|
1883
|
-
fixesReadyCount:
|
|
1884
|
-
aggregate:
|
|
1882
|
+
fixesDoneCount: z7.number(),
|
|
1883
|
+
fixesInprogressCount: z7.number(),
|
|
1884
|
+
fixesReadyCount: z7.object({
|
|
1885
|
+
aggregate: z7.object({ count: z7.number() })
|
|
1885
1886
|
}),
|
|
1886
|
-
issueTypes:
|
|
1887
|
-
issueLanguages:
|
|
1888
|
-
fixesCountByEffort:
|
|
1889
|
-
vulnerabilitySeverities:
|
|
1890
|
-
createdOn:
|
|
1891
|
-
expirationOn:
|
|
1892
|
-
state:
|
|
1893
|
-
failReason:
|
|
1894
|
-
candidateToRerun:
|
|
1895
|
-
fixes:
|
|
1896
|
-
|
|
1897
|
-
id:
|
|
1898
|
-
safeIssueLanguage:
|
|
1899
|
-
safeIssueType:
|
|
1900
|
-
confidence:
|
|
1901
|
-
effortToApplyFix:
|
|
1902
|
-
modifiedBy:
|
|
1903
|
-
gitBlameLogin:
|
|
1904
|
-
fixReportId:
|
|
1905
|
-
filePaths:
|
|
1906
|
-
|
|
1907
|
-
fileRepoRelativePath:
|
|
1887
|
+
issueTypes: z7.record(z7.string(), z7.number()).nullable(),
|
|
1888
|
+
issueLanguages: z7.record(z7.string(), z7.number()).nullable(),
|
|
1889
|
+
fixesCountByEffort: z7.record(z7.string(), z7.number()).nullable(),
|
|
1890
|
+
vulnerabilitySeverities: z7.record(z7.string(), z7.number()).nullable(),
|
|
1891
|
+
createdOn: z7.string(),
|
|
1892
|
+
expirationOn: z7.string().nullable(),
|
|
1893
|
+
state: z7.nativeEnum(Fix_Report_State_Enum),
|
|
1894
|
+
failReason: z7.string().nullable(),
|
|
1895
|
+
candidateToRerun: z7.boolean(),
|
|
1896
|
+
fixes: z7.array(
|
|
1897
|
+
z7.object({
|
|
1898
|
+
id: z7.string().uuid(),
|
|
1899
|
+
safeIssueLanguage: z7.string(),
|
|
1900
|
+
safeIssueType: z7.string(),
|
|
1901
|
+
confidence: z7.number(),
|
|
1902
|
+
effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
|
|
1903
|
+
modifiedBy: z7.string().nullable(),
|
|
1904
|
+
gitBlameLogin: z7.string().nullable(),
|
|
1905
|
+
fixReportId: z7.string().uuid(),
|
|
1906
|
+
filePaths: z7.array(
|
|
1907
|
+
z7.object({
|
|
1908
|
+
fileRepoRelativePath: z7.string()
|
|
1908
1909
|
})
|
|
1909
1910
|
),
|
|
1910
1911
|
sharedState: FixSharedStateZ,
|
|
1911
|
-
numberOfVulnerabilityIssues:
|
|
1912
|
-
severityText:
|
|
1913
|
-
vulnerabilityReportIssues:
|
|
1914
|
-
|
|
1915
|
-
id:
|
|
1916
|
-
issueType:
|
|
1917
|
-
issueLanguage:
|
|
1918
|
-
category:
|
|
1912
|
+
numberOfVulnerabilityIssues: z7.number(),
|
|
1913
|
+
severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
|
|
1914
|
+
vulnerabilityReportIssues: z7.array(
|
|
1915
|
+
z7.object({
|
|
1916
|
+
id: z7.string().uuid(),
|
|
1917
|
+
issueType: z7.string(),
|
|
1918
|
+
issueLanguage: z7.string(),
|
|
1919
|
+
category: z7.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
1919
1920
|
sharedState: IssueSharedStateZ2
|
|
1920
1921
|
})
|
|
1921
1922
|
)
|
|
1922
1923
|
})
|
|
1923
1924
|
),
|
|
1924
|
-
repo:
|
|
1925
|
-
name:
|
|
1926
|
-
originalUrl:
|
|
1927
|
-
reference:
|
|
1928
|
-
commitSha:
|
|
1929
|
-
isKnownBranch:
|
|
1925
|
+
repo: z7.object({
|
|
1926
|
+
name: z7.string().nullable(),
|
|
1927
|
+
originalUrl: z7.string(),
|
|
1928
|
+
reference: z7.string(),
|
|
1929
|
+
commitSha: z7.string(),
|
|
1930
|
+
isKnownBranch: z7.boolean().nullish().default(true)
|
|
1930
1931
|
}).nullable().transform(
|
|
1931
1932
|
(repo) => repo ?? {
|
|
1932
1933
|
name: null,
|
|
@@ -1936,229 +1937,229 @@ var init_types = __esm({
|
|
|
1936
1937
|
isKnownBranch: true
|
|
1937
1938
|
}
|
|
1938
1939
|
),
|
|
1939
|
-
vulnerabilityReportIssuesFixedCount:
|
|
1940
|
-
vulnerabilityReportIssues_aggregate:
|
|
1941
|
-
aggregate:
|
|
1940
|
+
vulnerabilityReportIssuesFixedCount: z7.object({
|
|
1941
|
+
vulnerabilityReportIssues_aggregate: z7.object({
|
|
1942
|
+
aggregate: z7.object({ count: z7.number() })
|
|
1942
1943
|
})
|
|
1943
1944
|
}),
|
|
1944
|
-
vulnerabilityReport:
|
|
1945
|
-
id:
|
|
1946
|
-
reportSummaryUrl:
|
|
1947
|
-
computedVendor:
|
|
1948
|
-
vendor:
|
|
1949
|
-
issuesWithKnownLanguage:
|
|
1950
|
-
scanDate:
|
|
1951
|
-
vendorReportId:
|
|
1952
|
-
projectId:
|
|
1953
|
-
project:
|
|
1954
|
-
organizationId:
|
|
1945
|
+
vulnerabilityReport: z7.object({
|
|
1946
|
+
id: z7.string().uuid(),
|
|
1947
|
+
reportSummaryUrl: z7.string().url().nullish(),
|
|
1948
|
+
computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
|
|
1949
|
+
vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
|
|
1950
|
+
issuesWithKnownLanguage: z7.number().nullable(),
|
|
1951
|
+
scanDate: z7.string().nullable(),
|
|
1952
|
+
vendorReportId: z7.string().uuid().nullable(),
|
|
1953
|
+
projectId: z7.string().uuid(),
|
|
1954
|
+
project: z7.object({
|
|
1955
|
+
organizationId: z7.string().uuid()
|
|
1955
1956
|
}),
|
|
1956
|
-
file:
|
|
1957
|
-
id:
|
|
1958
|
-
path:
|
|
1957
|
+
file: z7.object({
|
|
1958
|
+
id: z7.string().uuid(),
|
|
1959
|
+
path: z7.string()
|
|
1959
1960
|
}).nullable(),
|
|
1960
|
-
pending:
|
|
1961
|
-
aggregate:
|
|
1962
|
-
count:
|
|
1961
|
+
pending: z7.object({
|
|
1962
|
+
aggregate: z7.object({
|
|
1963
|
+
count: z7.number()
|
|
1963
1964
|
})
|
|
1964
1965
|
}),
|
|
1965
|
-
irrelevant:
|
|
1966
|
-
aggregate:
|
|
1967
|
-
count:
|
|
1966
|
+
irrelevant: z7.object({
|
|
1967
|
+
aggregate: z7.object({
|
|
1968
|
+
count: z7.number()
|
|
1968
1969
|
})
|
|
1969
1970
|
}),
|
|
1970
|
-
remaining:
|
|
1971
|
-
aggregate:
|
|
1972
|
-
count:
|
|
1971
|
+
remaining: z7.object({
|
|
1972
|
+
aggregate: z7.object({
|
|
1973
|
+
count: z7.number()
|
|
1973
1974
|
})
|
|
1974
1975
|
}),
|
|
1975
|
-
digested:
|
|
1976
|
-
aggregate:
|
|
1977
|
-
count:
|
|
1976
|
+
digested: z7.object({
|
|
1977
|
+
aggregate: z7.object({
|
|
1978
|
+
count: z7.number()
|
|
1978
1979
|
})
|
|
1979
1980
|
}),
|
|
1980
|
-
supported:
|
|
1981
|
-
aggregate:
|
|
1982
|
-
count:
|
|
1981
|
+
supported: z7.object({
|
|
1982
|
+
aggregate: z7.object({
|
|
1983
|
+
count: z7.number()
|
|
1983
1984
|
})
|
|
1984
1985
|
}),
|
|
1985
|
-
all:
|
|
1986
|
-
aggregate:
|
|
1987
|
-
count:
|
|
1986
|
+
all: z7.object({
|
|
1987
|
+
aggregate: z7.object({
|
|
1988
|
+
count: z7.number()
|
|
1988
1989
|
})
|
|
1989
1990
|
}),
|
|
1990
|
-
fixable:
|
|
1991
|
-
aggregate:
|
|
1992
|
-
count:
|
|
1991
|
+
fixable: z7.object({
|
|
1992
|
+
aggregate: z7.object({
|
|
1993
|
+
count: z7.number()
|
|
1993
1994
|
})
|
|
1994
1995
|
}),
|
|
1995
|
-
errors:
|
|
1996
|
-
aggregate:
|
|
1997
|
-
count:
|
|
1996
|
+
errors: z7.object({
|
|
1997
|
+
aggregate: z7.object({
|
|
1998
|
+
count: z7.number()
|
|
1998
1999
|
})
|
|
1999
2000
|
}),
|
|
2000
|
-
vulnerabilityReportIssues:
|
|
2001
|
-
id:
|
|
2002
|
-
extraData:
|
|
2003
|
-
missing_files:
|
|
2004
|
-
large_files:
|
|
2005
|
-
error_files:
|
|
2006
|
-
ai_cost_limit_exceeded:
|
|
2001
|
+
vulnerabilityReportIssues: z7.object({
|
|
2002
|
+
id: z7.string().uuid(),
|
|
2003
|
+
extraData: z7.object({
|
|
2004
|
+
missing_files: z7.string().array().nullish(),
|
|
2005
|
+
large_files: z7.string().array().nullish(),
|
|
2006
|
+
error_files: z7.string().array().nullish(),
|
|
2007
|
+
ai_cost_limit_exceeded: z7.string().nullish()
|
|
2007
2008
|
})
|
|
2008
2009
|
}).array()
|
|
2009
2010
|
})
|
|
2010
2011
|
})
|
|
2011
2012
|
});
|
|
2012
|
-
ReportFixesQueryFixZ =
|
|
2013
|
-
id:
|
|
2013
|
+
ReportFixesQueryFixZ = z7.object({
|
|
2014
|
+
id: z7.string().uuid(),
|
|
2014
2015
|
sharedState: FixSharedStateZ,
|
|
2015
|
-
confidence:
|
|
2016
|
-
gitBlameLogin:
|
|
2017
|
-
effortToApplyFix:
|
|
2018
|
-
safeIssueLanguage:
|
|
2019
|
-
safeIssueType:
|
|
2020
|
-
fixReportId:
|
|
2021
|
-
filePaths:
|
|
2022
|
-
|
|
2023
|
-
fileRepoRelativePath:
|
|
2016
|
+
confidence: z7.number(),
|
|
2017
|
+
gitBlameLogin: z7.string().nullable(),
|
|
2018
|
+
effortToApplyFix: z7.nativeEnum(Effort_To_Apply_Fix_Enum).nullable(),
|
|
2019
|
+
safeIssueLanguage: z7.string(),
|
|
2020
|
+
safeIssueType: z7.string(),
|
|
2021
|
+
fixReportId: z7.string().uuid(),
|
|
2022
|
+
filePaths: z7.array(
|
|
2023
|
+
z7.object({
|
|
2024
|
+
fileRepoRelativePath: z7.string()
|
|
2024
2025
|
})
|
|
2025
2026
|
),
|
|
2026
|
-
numberOfVulnerabilityIssues:
|
|
2027
|
-
severityText:
|
|
2028
|
-
vulnerabilityReportIssues:
|
|
2029
|
-
|
|
2030
|
-
issueType:
|
|
2031
|
-
issueLanguage:
|
|
2027
|
+
numberOfVulnerabilityIssues: z7.number(),
|
|
2028
|
+
severityText: z7.nativeEnum(Vulnerability_Severity_Enum),
|
|
2029
|
+
vulnerabilityReportIssues: z7.array(
|
|
2030
|
+
z7.object({
|
|
2031
|
+
issueType: z7.string(),
|
|
2032
|
+
issueLanguage: z7.string(),
|
|
2032
2033
|
sharedState: IssueSharedStateZ2
|
|
2033
2034
|
})
|
|
2034
2035
|
).min(1)
|
|
2035
2036
|
});
|
|
2036
|
-
BaseVulnerabilityReportIssueZ =
|
|
2037
|
-
id:
|
|
2038
|
-
createdAt:
|
|
2039
|
-
state:
|
|
2040
|
-
safeIssueType:
|
|
2041
|
-
safeIssueLanguage:
|
|
2042
|
-
extraData:
|
|
2043
|
-
missing_files:
|
|
2044
|
-
large_files:
|
|
2045
|
-
error_files:
|
|
2046
|
-
ai_cost_limit_exceeded:
|
|
2037
|
+
BaseVulnerabilityReportIssueZ = z7.object({
|
|
2038
|
+
id: z7.string().uuid(),
|
|
2039
|
+
createdAt: z7.string(),
|
|
2040
|
+
state: z7.nativeEnum(Vulnerability_Report_Issue_State_Enum),
|
|
2041
|
+
safeIssueType: z7.string(),
|
|
2042
|
+
safeIssueLanguage: z7.string(),
|
|
2043
|
+
extraData: z7.object({
|
|
2044
|
+
missing_files: z7.string().array().nullish(),
|
|
2045
|
+
large_files: z7.string().array().nullish(),
|
|
2046
|
+
error_files: z7.string().array().nullish(),
|
|
2047
|
+
ai_cost_limit_exceeded: z7.string().nullish()
|
|
2047
2048
|
}),
|
|
2048
2049
|
fix: ReportFixesQueryFixZ.nullable(),
|
|
2049
|
-
falsePositive:
|
|
2050
|
-
id:
|
|
2050
|
+
falsePositive: z7.object({
|
|
2051
|
+
id: z7.string().uuid()
|
|
2051
2052
|
}).nullable(),
|
|
2052
2053
|
parsedSeverity: ParsedSeverityZ,
|
|
2053
|
-
severity:
|
|
2054
|
-
severityValue:
|
|
2055
|
-
category:
|
|
2056
|
-
vulnerabilityReportIssueTags:
|
|
2057
|
-
|
|
2058
|
-
vulnerability_report_issue_tag_value:
|
|
2054
|
+
severity: z7.string(),
|
|
2055
|
+
severityValue: z7.number(),
|
|
2056
|
+
category: z7.string(),
|
|
2057
|
+
vulnerabilityReportIssueTags: z7.array(
|
|
2058
|
+
z7.object({
|
|
2059
|
+
vulnerability_report_issue_tag_value: z7.string()
|
|
2059
2060
|
})
|
|
2060
2061
|
),
|
|
2061
2062
|
sharedState: VulnerabilityReportIssueSharedStateZ
|
|
2062
2063
|
});
|
|
2063
2064
|
VulnerabilityReportIssueZ = BaseVulnerabilityReportIssueZ.merge(
|
|
2064
|
-
|
|
2065
|
-
codeNodes:
|
|
2065
|
+
z7.object({
|
|
2066
|
+
codeNodes: z7.array(z7.object({ path: z7.string() }))
|
|
2066
2067
|
})
|
|
2067
2068
|
);
|
|
2068
2069
|
VulnerabilityReportIssueWithCodeFilePathZ = BaseVulnerabilityReportIssueZ.merge(
|
|
2069
|
-
|
|
2070
|
-
codeFilePath:
|
|
2070
|
+
z7.object({
|
|
2071
|
+
codeFilePath: z7.string().nullable()
|
|
2071
2072
|
})
|
|
2072
2073
|
);
|
|
2073
|
-
GetReportIssuesQueryZ =
|
|
2074
|
-
fixReport:
|
|
2075
|
-
vulnerabilityReport:
|
|
2076
|
-
id:
|
|
2077
|
-
lastIssueUpdatedAt:
|
|
2078
|
-
vulnerabilityReportIssues_aggregate:
|
|
2079
|
-
aggregate:
|
|
2074
|
+
GetReportIssuesQueryZ = z7.object({
|
|
2075
|
+
fixReport: z7.object({
|
|
2076
|
+
vulnerabilityReport: z7.object({
|
|
2077
|
+
id: z7.string().uuid(),
|
|
2078
|
+
lastIssueUpdatedAt: z7.string(),
|
|
2079
|
+
vulnerabilityReportIssues_aggregate: z7.object({
|
|
2080
|
+
aggregate: z7.object({ count: z7.number() })
|
|
2080
2081
|
}),
|
|
2081
|
-
vulnerabilityReportIssues:
|
|
2082
|
+
vulnerabilityReportIssues: z7.array(
|
|
2082
2083
|
VulnerabilityReportIssueWithCodeFilePathZ
|
|
2083
2084
|
)
|
|
2084
2085
|
})
|
|
2085
2086
|
}).array()
|
|
2086
2087
|
}).nullish();
|
|
2087
|
-
FixReportByProjectZ =
|
|
2088
|
-
project_by_pk:
|
|
2089
|
-
vulnerabilityReports:
|
|
2090
|
-
|
|
2091
|
-
fixReport:
|
|
2088
|
+
FixReportByProjectZ = z7.object({
|
|
2089
|
+
project_by_pk: z7.object({
|
|
2090
|
+
vulnerabilityReports: z7.array(
|
|
2091
|
+
z7.object({
|
|
2092
|
+
fixReport: z7.object({ id: z7.string().uuid() }).nullable()
|
|
2092
2093
|
})
|
|
2093
2094
|
)
|
|
2094
2095
|
})
|
|
2095
2096
|
});
|
|
2096
|
-
FixScreenQueryResultZ =
|
|
2097
|
+
FixScreenQueryResultZ = z7.object({
|
|
2097
2098
|
fixReport_by_pk: FixPageFixReportZ,
|
|
2098
2099
|
fix_by_pk: FixPartsForFixScreenZ,
|
|
2099
|
-
fixesWithSameIssueType:
|
|
2100
|
-
|
|
2101
|
-
id:
|
|
2102
|
-
sharedState:
|
|
2100
|
+
fixesWithSameIssueType: z7.array(
|
|
2101
|
+
z7.object({
|
|
2102
|
+
id: z7.string().uuid(),
|
|
2103
|
+
sharedState: z7.object({ state: z7.nativeEnum(Fix_State_Enum) }).nullable().default({ state: "Ready" /* Ready */ })
|
|
2103
2104
|
})
|
|
2104
2105
|
),
|
|
2105
2106
|
relevantIssue: IssuePartsZ.nullish()
|
|
2106
2107
|
});
|
|
2107
|
-
FixPageQueryZ =
|
|
2108
|
+
FixPageQueryZ = z7.object({
|
|
2108
2109
|
data: FixScreenQueryResultZ
|
|
2109
2110
|
});
|
|
2110
|
-
GetReportFixesQueryZ =
|
|
2111
|
-
fixReport:
|
|
2112
|
-
|
|
2113
|
-
fixes:
|
|
2114
|
-
vulnerabilityReportIssuesTotalCount:
|
|
2115
|
-
vulnerabilityReportIssues_aggregate:
|
|
2116
|
-
aggregate:
|
|
2111
|
+
GetReportFixesQueryZ = z7.object({
|
|
2112
|
+
fixReport: z7.array(
|
|
2113
|
+
z7.object({
|
|
2114
|
+
fixes: z7.array(ReportFixesQueryFixZ),
|
|
2115
|
+
vulnerabilityReportIssuesTotalCount: z7.object({
|
|
2116
|
+
vulnerabilityReportIssues_aggregate: z7.object({
|
|
2117
|
+
aggregate: z7.object({ count: z7.number() })
|
|
2117
2118
|
})
|
|
2118
2119
|
}),
|
|
2119
|
-
vulnerabilityReportIssuesFixedCount:
|
|
2120
|
-
vulnerabilityReportIssues_aggregate:
|
|
2121
|
-
aggregate:
|
|
2120
|
+
vulnerabilityReportIssuesFixedCount: z7.object({
|
|
2121
|
+
vulnerabilityReportIssues_aggregate: z7.object({
|
|
2122
|
+
aggregate: z7.object({ count: z7.number() })
|
|
2122
2123
|
})
|
|
2123
2124
|
}),
|
|
2124
|
-
vulnerabilityReportIssuesIrrelevantCount:
|
|
2125
|
-
vulnerabilityReportIssues_aggregate:
|
|
2126
|
-
aggregate:
|
|
2125
|
+
vulnerabilityReportIssuesIrrelevantCount: z7.object({
|
|
2126
|
+
vulnerabilityReportIssues_aggregate: z7.object({
|
|
2127
|
+
aggregate: z7.object({ count: z7.number() })
|
|
2127
2128
|
})
|
|
2128
2129
|
}),
|
|
2129
|
-
vulnerabilityReportIssuesRemainingCount:
|
|
2130
|
-
vulnerabilityReportIssues_aggregate:
|
|
2131
|
-
aggregate:
|
|
2130
|
+
vulnerabilityReportIssuesRemainingCount: z7.object({
|
|
2131
|
+
vulnerabilityReportIssues_aggregate: z7.object({
|
|
2132
|
+
aggregate: z7.object({ count: z7.number() })
|
|
2132
2133
|
})
|
|
2133
2134
|
})
|
|
2134
2135
|
})
|
|
2135
2136
|
)
|
|
2136
2137
|
}).nullish();
|
|
2137
|
-
GetFixReportStatsQueryZ =
|
|
2138
|
-
fixReport_by_pk:
|
|
2139
|
-
id:
|
|
2140
|
-
vulnerabilitySeverities:
|
|
2141
|
-
vulnerabilityReportIrrelevantIssuesCount:
|
|
2142
|
-
vulnerabilityReportIssues_aggregate:
|
|
2143
|
-
aggregate:
|
|
2138
|
+
GetFixReportStatsQueryZ = z7.object({
|
|
2139
|
+
fixReport_by_pk: z7.object({
|
|
2140
|
+
id: z7.string().uuid(),
|
|
2141
|
+
vulnerabilitySeverities: z7.record(z7.nativeEnum(Vulnerability_Severity_Enum), z7.number()).nullable(),
|
|
2142
|
+
vulnerabilityReportIrrelevantIssuesCount: z7.object({
|
|
2143
|
+
vulnerabilityReportIssues_aggregate: z7.object({
|
|
2144
|
+
aggregate: z7.object({ count: z7.number() })
|
|
2144
2145
|
})
|
|
2145
2146
|
})
|
|
2146
2147
|
}).nullable()
|
|
2147
2148
|
});
|
|
2148
|
-
ProjectVulnerabilityReport =
|
|
2149
|
-
id:
|
|
2150
|
-
name:
|
|
2151
|
-
vendor:
|
|
2152
|
-
computedVendor:
|
|
2153
|
-
fixReport:
|
|
2154
|
-
id:
|
|
2155
|
-
createdOn:
|
|
2156
|
-
issueTypes:
|
|
2157
|
-
issueLanguages:
|
|
2158
|
-
repo:
|
|
2159
|
-
originalUrl:
|
|
2160
|
-
reference:
|
|
2161
|
-
name:
|
|
2149
|
+
ProjectVulnerabilityReport = z7.object({
|
|
2150
|
+
id: z7.string().uuid(),
|
|
2151
|
+
name: z7.string().nullable(),
|
|
2152
|
+
vendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
|
|
2153
|
+
computedVendor: z7.nativeEnum(Vulnerability_Report_Vendor_Enum).nullable(),
|
|
2154
|
+
fixReport: z7.object({
|
|
2155
|
+
id: z7.string().uuid(),
|
|
2156
|
+
createdOn: z7.string(),
|
|
2157
|
+
issueTypes: z7.record(z7.string(), z7.number()).nullable(),
|
|
2158
|
+
issueLanguages: z7.record(z7.nativeEnum(IssueLanguage_Enum), z7.number()).nullable(),
|
|
2159
|
+
repo: z7.object({
|
|
2160
|
+
originalUrl: z7.string(),
|
|
2161
|
+
reference: z7.string(),
|
|
2162
|
+
name: z7.string()
|
|
2162
2163
|
}).nullable().transform(
|
|
2163
2164
|
(repo) => repo ?? {
|
|
2164
2165
|
originalUrl: "",
|
|
@@ -2166,64 +2167,64 @@ var init_types = __esm({
|
|
|
2166
2167
|
name: ""
|
|
2167
2168
|
}
|
|
2168
2169
|
),
|
|
2169
|
-
createdByUser:
|
|
2170
|
-
email:
|
|
2170
|
+
createdByUser: z7.object({
|
|
2171
|
+
email: z7.string()
|
|
2171
2172
|
}).nullable(),
|
|
2172
|
-
state:
|
|
2173
|
-
expirationOn:
|
|
2173
|
+
state: z7.nativeEnum(Fix_Report_State_Enum),
|
|
2174
|
+
expirationOn: z7.string()
|
|
2174
2175
|
})
|
|
2175
2176
|
});
|
|
2176
|
-
GetProjectsQueryZ =
|
|
2177
|
-
organization:
|
|
2178
|
-
id:
|
|
2179
|
-
projects:
|
|
2180
|
-
|
|
2181
|
-
id:
|
|
2182
|
-
name:
|
|
2183
|
-
numberOfUniqueRepos:
|
|
2177
|
+
GetProjectsQueryZ = z7.object({
|
|
2178
|
+
organization: z7.object({
|
|
2179
|
+
id: z7.string(),
|
|
2180
|
+
projects: z7.array(
|
|
2181
|
+
z7.object({
|
|
2182
|
+
id: z7.string().uuid(),
|
|
2183
|
+
name: z7.string(),
|
|
2184
|
+
numberOfUniqueRepos: z7.number()
|
|
2184
2185
|
})
|
|
2185
2186
|
)
|
|
2186
2187
|
})
|
|
2187
2188
|
});
|
|
2188
|
-
ProjectPageQueryResultZ =
|
|
2189
|
-
name:
|
|
2190
|
-
id:
|
|
2191
|
-
isDefault:
|
|
2192
|
-
organizationId:
|
|
2193
|
-
vulnerabilityReports:
|
|
2194
|
-
autoPrIncludeAiFixes:
|
|
2189
|
+
ProjectPageQueryResultZ = z7.object({
|
|
2190
|
+
name: z7.string(),
|
|
2191
|
+
id: z7.string().uuid(),
|
|
2192
|
+
isDefault: z7.boolean().default(false),
|
|
2193
|
+
organizationId: z7.string().uuid(),
|
|
2194
|
+
vulnerabilityReports: z7.array(ProjectVulnerabilityReport),
|
|
2195
|
+
autoPrIncludeAiFixes: z7.preprocess(
|
|
2195
2196
|
(val) => val === null || val === void 0 ? false : val,
|
|
2196
|
-
|
|
2197
|
+
z7.boolean()
|
|
2197
2198
|
),
|
|
2198
|
-
projectIssueTypeSettings:
|
|
2199
|
-
IssueTypeSettingZ.merge(
|
|
2199
|
+
projectIssueTypeSettings: z7.array(
|
|
2200
|
+
IssueTypeSettingZ.merge(z7.object({ id: z7.string() }))
|
|
2200
2201
|
)
|
|
2201
2202
|
});
|
|
2202
|
-
GetProjectMembersDataZ =
|
|
2203
|
-
project_by_pk:
|
|
2204
|
-
name:
|
|
2205
|
-
id:
|
|
2206
|
-
projectUsers:
|
|
2207
|
-
|
|
2208
|
-
projectToRole:
|
|
2209
|
-
projectRole:
|
|
2210
|
-
type:
|
|
2203
|
+
GetProjectMembersDataZ = z7.object({
|
|
2204
|
+
project_by_pk: z7.object({
|
|
2205
|
+
name: z7.string(),
|
|
2206
|
+
id: z7.string(),
|
|
2207
|
+
projectUsers: z7.array(
|
|
2208
|
+
z7.object({
|
|
2209
|
+
projectToRole: z7.object({
|
|
2210
|
+
projectRole: z7.object({
|
|
2211
|
+
type: z7.nativeEnum(Project_Role_Type_Enum)
|
|
2211
2212
|
})
|
|
2212
2213
|
}),
|
|
2213
|
-
user:
|
|
2214
|
-
id:
|
|
2215
|
-
picture:
|
|
2216
|
-
name:
|
|
2217
|
-
email:
|
|
2214
|
+
user: z7.object({
|
|
2215
|
+
id: z7.string().uuid(),
|
|
2216
|
+
picture: z7.string().nullable().optional(),
|
|
2217
|
+
name: z7.string().nullish(),
|
|
2218
|
+
email: z7.string().email()
|
|
2218
2219
|
})
|
|
2219
2220
|
})
|
|
2220
2221
|
)
|
|
2221
2222
|
})
|
|
2222
2223
|
});
|
|
2223
|
-
RepoArgsZ =
|
|
2224
|
-
originalUrl:
|
|
2225
|
-
branch:
|
|
2226
|
-
commitSha:
|
|
2224
|
+
RepoArgsZ = z7.object({
|
|
2225
|
+
originalUrl: z7.string().url(),
|
|
2226
|
+
branch: z7.string(),
|
|
2227
|
+
commitSha: z7.string()
|
|
2227
2228
|
});
|
|
2228
2229
|
scmCloudUrl = {
|
|
2229
2230
|
GitLab: "https://gitlab.com",
|
|
@@ -2257,7 +2258,7 @@ var init_types2 = __esm({
|
|
|
2257
2258
|
});
|
|
2258
2259
|
|
|
2259
2260
|
// src/features/analysis/scm/shared/src/urlParser/urlParser.ts
|
|
2260
|
-
import { z as
|
|
2261
|
+
import { z as z8 } from "zod";
|
|
2261
2262
|
function computeCanonicalUrl(data) {
|
|
2262
2263
|
const {
|
|
2263
2264
|
scmType,
|
|
@@ -2299,7 +2300,7 @@ function detectAdoUrl(args) {
|
|
|
2299
2300
|
scmType: "Ado" /* Ado */,
|
|
2300
2301
|
organization,
|
|
2301
2302
|
// project has single repo - repoName === projectName
|
|
2302
|
-
projectName:
|
|
2303
|
+
projectName: z8.string().parse(projectName),
|
|
2303
2304
|
repoName: projectName,
|
|
2304
2305
|
prefixPath
|
|
2305
2306
|
};
|
|
@@ -2310,7 +2311,7 @@ function detectAdoUrl(args) {
|
|
|
2310
2311
|
return {
|
|
2311
2312
|
scmType: "Ado" /* Ado */,
|
|
2312
2313
|
organization,
|
|
2313
|
-
projectName:
|
|
2314
|
+
projectName: z8.string().parse(projectName),
|
|
2314
2315
|
repoName,
|
|
2315
2316
|
prefixPath
|
|
2316
2317
|
};
|
|
@@ -2324,7 +2325,7 @@ function detectAdoUrl(args) {
|
|
|
2324
2325
|
scmType: "Ado" /* Ado */,
|
|
2325
2326
|
organization,
|
|
2326
2327
|
// project has only one repo - repoName === projectName
|
|
2327
|
-
projectName:
|
|
2328
|
+
projectName: z8.string().parse(repoName),
|
|
2328
2329
|
repoName,
|
|
2329
2330
|
prefixPath
|
|
2330
2331
|
};
|
|
@@ -2334,7 +2335,7 @@ function detectAdoUrl(args) {
|
|
|
2334
2335
|
return {
|
|
2335
2336
|
scmType: "Ado" /* Ado */,
|
|
2336
2337
|
organization,
|
|
2337
|
-
projectName:
|
|
2338
|
+
projectName: z8.string().parse(projectName),
|
|
2338
2339
|
repoName,
|
|
2339
2340
|
prefixPath
|
|
2340
2341
|
};
|
|
@@ -2410,7 +2411,7 @@ function parseSshUrl(scmURL, scmType) {
|
|
|
2410
2411
|
if (pathElements.length === 3) {
|
|
2411
2412
|
const [organization2, projectName, repoName2] = pathElements;
|
|
2412
2413
|
if (organization2?.match(NAME_REGEX) && projectName && repoName2?.match(NAME_REGEX)) {
|
|
2413
|
-
const parsedProjectName =
|
|
2414
|
+
const parsedProjectName = z8.string().parse(projectName);
|
|
2414
2415
|
return {
|
|
2415
2416
|
scmType: "Ado" /* Ado */,
|
|
2416
2417
|
hostname: normalizedHostname,
|
|
@@ -2638,17 +2639,17 @@ var init_urlParser2 = __esm({
|
|
|
2638
2639
|
});
|
|
2639
2640
|
|
|
2640
2641
|
// src/features/analysis/scm/env.ts
|
|
2641
|
-
import { z as
|
|
2642
|
+
import { z as z11 } from "zod";
|
|
2642
2643
|
var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
|
|
2643
2644
|
var init_env = __esm({
|
|
2644
2645
|
"src/features/analysis/scm/env.ts"() {
|
|
2645
2646
|
"use strict";
|
|
2646
|
-
EnvVariablesZod =
|
|
2647
|
-
GITLAB_API_TOKEN:
|
|
2648
|
-
GITHUB_API_TOKEN:
|
|
2649
|
-
GIT_PROXY_HOST:
|
|
2650
|
-
MAX_UPLOAD_FILE_SIZE_MB:
|
|
2651
|
-
GITHUB_API_CONCURRENCY:
|
|
2647
|
+
EnvVariablesZod = z11.object({
|
|
2648
|
+
GITLAB_API_TOKEN: z11.string().optional(),
|
|
2649
|
+
GITHUB_API_TOKEN: z11.string().optional(),
|
|
2650
|
+
GIT_PROXY_HOST: z11.string().optional().default("http://tinyproxy:8888"),
|
|
2651
|
+
MAX_UPLOAD_FILE_SIZE_MB: z11.coerce.number().gt(0).default(2),
|
|
2652
|
+
GITHUB_API_CONCURRENCY: z11.coerce.number().gt(0).optional().default(10)
|
|
2652
2653
|
});
|
|
2653
2654
|
({
|
|
2654
2655
|
GITLAB_API_TOKEN,
|
|
@@ -2685,7 +2686,7 @@ var init_configs = __esm({
|
|
|
2685
2686
|
});
|
|
2686
2687
|
|
|
2687
2688
|
// src/utils/blame/gitBlameTypes.ts
|
|
2688
|
-
import { z as
|
|
2689
|
+
import { z as z14 } from "zod";
|
|
2689
2690
|
function parseCoAuthorValue(raw) {
|
|
2690
2691
|
const trimmed = raw.trim();
|
|
2691
2692
|
if (!trimmed) {
|
|
@@ -2721,9 +2722,9 @@ var PrepareGitBlameMessageZ, PrepareGitBlameResponseMessageZ, CommitMetadataZ, L
|
|
|
2721
2722
|
var init_gitBlameTypes = __esm({
|
|
2722
2723
|
"src/utils/blame/gitBlameTypes.ts"() {
|
|
2723
2724
|
"use strict";
|
|
2724
|
-
PrepareGitBlameMessageZ =
|
|
2725
|
-
reportId:
|
|
2726
|
-
repoArchivePath:
|
|
2725
|
+
PrepareGitBlameMessageZ = z14.object({
|
|
2726
|
+
reportId: z14.string(),
|
|
2727
|
+
repoArchivePath: z14.string(),
|
|
2727
2728
|
// Optional list of file paths to blame. Producers must pick one of two modes:
|
|
2728
2729
|
//
|
|
2729
2730
|
// - **Omit `filePaths`** = "blame every file in the archive". Used by the
|
|
@@ -2739,132 +2740,132 @@ var init_gitBlameTypes = __esm({
|
|
|
2739
2740
|
// "Login.java" when the actual file is "src/main/java/Login.java") are
|
|
2740
2741
|
// tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
|
|
2741
2742
|
// strings are filtered out defensively.
|
|
2742
|
-
filePaths:
|
|
2743
|
-
});
|
|
2744
|
-
PrepareGitBlameResponseMessageZ =
|
|
2745
|
-
reportId:
|
|
2746
|
-
});
|
|
2747
|
-
CommitMetadataZ =
|
|
2748
|
-
author:
|
|
2749
|
-
"author-mail":
|
|
2750
|
-
"author-time":
|
|
2751
|
-
"author-tz":
|
|
2752
|
-
committer:
|
|
2753
|
-
"committer-mail":
|
|
2754
|
-
"committer-time":
|
|
2755
|
-
"committer-tz":
|
|
2756
|
-
summary:
|
|
2757
|
-
filename:
|
|
2758
|
-
});
|
|
2759
|
-
LineToCommitMapZ =
|
|
2760
|
-
CommitMetadataMapZ =
|
|
2761
|
-
BlameInfoZ =
|
|
2743
|
+
filePaths: z14.array(z14.string()).optional()
|
|
2744
|
+
});
|
|
2745
|
+
PrepareGitBlameResponseMessageZ = z14.object({
|
|
2746
|
+
reportId: z14.string()
|
|
2747
|
+
});
|
|
2748
|
+
CommitMetadataZ = z14.object({
|
|
2749
|
+
author: z14.string().optional(),
|
|
2750
|
+
"author-mail": z14.string().optional(),
|
|
2751
|
+
"author-time": z14.string().optional(),
|
|
2752
|
+
"author-tz": z14.string().optional(),
|
|
2753
|
+
committer: z14.string().optional(),
|
|
2754
|
+
"committer-mail": z14.string().optional(),
|
|
2755
|
+
"committer-time": z14.string().optional(),
|
|
2756
|
+
"committer-tz": z14.string().optional(),
|
|
2757
|
+
summary: z14.string().optional(),
|
|
2758
|
+
filename: z14.string().optional()
|
|
2759
|
+
});
|
|
2760
|
+
LineToCommitMapZ = z14.record(z14.string(), z14.string());
|
|
2761
|
+
CommitMetadataMapZ = z14.record(z14.string(), CommitMetadataZ);
|
|
2762
|
+
BlameInfoZ = z14.object({
|
|
2762
2763
|
lineToCommit: LineToCommitMapZ,
|
|
2763
2764
|
commitMetadata: CommitMetadataMapZ
|
|
2764
2765
|
});
|
|
2765
|
-
LineRangeZ =
|
|
2766
|
+
LineRangeZ = z14.object({
|
|
2766
2767
|
/** First line in chunk (1-indexed) */
|
|
2767
|
-
start:
|
|
2768
|
+
start: z14.number(),
|
|
2768
2769
|
/** Last line in chunk (inclusive) */
|
|
2769
|
-
end:
|
|
2770
|
-
});
|
|
2771
|
-
PrContextZ =
|
|
2772
|
-
prNumber:
|
|
2773
|
-
repositoryUrl:
|
|
2774
|
-
organizationId:
|
|
2775
|
-
userEmail:
|
|
2776
|
-
source:
|
|
2777
|
-
githubContext:
|
|
2778
|
-
prNumber:
|
|
2779
|
-
installationId:
|
|
2780
|
-
repositoryURL:
|
|
2770
|
+
end: z14.number()
|
|
2771
|
+
});
|
|
2772
|
+
PrContextZ = z14.object({
|
|
2773
|
+
prNumber: z14.number(),
|
|
2774
|
+
repositoryUrl: z14.string(),
|
|
2775
|
+
organizationId: z14.string(),
|
|
2776
|
+
userEmail: z14.string(),
|
|
2777
|
+
source: z14.enum(["pr", "github"]),
|
|
2778
|
+
githubContext: z14.object({
|
|
2779
|
+
prNumber: z14.number(),
|
|
2780
|
+
installationId: z14.number(),
|
|
2781
|
+
repositoryURL: z14.string()
|
|
2781
2782
|
}).optional()
|
|
2782
2783
|
});
|
|
2783
|
-
PrepareCommitBlameMessageZ =
|
|
2784
|
+
PrepareCommitBlameMessageZ = z14.object({
|
|
2784
2785
|
/** Commit blame request ID from database (for tracking and updating status) */
|
|
2785
|
-
commitBlameRequestId:
|
|
2786
|
+
commitBlameRequestId: z14.string(),
|
|
2786
2787
|
/** Organization ID (for org-scoped caching) */
|
|
2787
|
-
organizationId:
|
|
2788
|
+
organizationId: z14.string(),
|
|
2788
2789
|
/** Full repository URL (e.g., https://github.com/org/repo) */
|
|
2789
|
-
repositoryUrl:
|
|
2790
|
+
repositoryUrl: z14.string(),
|
|
2790
2791
|
/** Commit SHA to analyze (typically PR head commit) */
|
|
2791
|
-
commitSha:
|
|
2792
|
+
commitSha: z14.string(),
|
|
2792
2793
|
/** Authentication headers for repository access (e.g., GitHub token) */
|
|
2793
|
-
extraHeaders:
|
|
2794
|
+
extraHeaders: z14.record(z14.string(), z14.string()).default({}),
|
|
2794
2795
|
// --- PR analysis fields ---
|
|
2795
2796
|
/** Target branch name (from getPr() base.ref). When set, enables PR analysis mode. */
|
|
2796
|
-
targetBranch:
|
|
2797
|
+
targetBranch: z14.string().optional(),
|
|
2797
2798
|
/** Context for triggering blame attribution analysis after SCM agent completes. */
|
|
2798
2799
|
prContext: PrContextZ.optional(),
|
|
2799
2800
|
/** User email for blame attribution analysis trigger context (used for both PR and single commit flows). */
|
|
2800
|
-
userEmail:
|
|
2801
|
+
userEmail: z14.string().optional()
|
|
2801
2802
|
});
|
|
2802
|
-
BlameLineInfoZ =
|
|
2803
|
+
BlameLineInfoZ = z14.object({
|
|
2803
2804
|
/** Line number as it appeared in the introducing commit */
|
|
2804
|
-
originalLineNumber:
|
|
2805
|
+
originalLineNumber: z14.number(),
|
|
2805
2806
|
/** Commit SHA that introduced this line */
|
|
2806
|
-
commitSha:
|
|
2807
|
+
commitSha: z14.string(),
|
|
2807
2808
|
/** Author name for this line */
|
|
2808
|
-
authorName:
|
|
2809
|
+
authorName: z14.string().optional(),
|
|
2809
2810
|
/** Author email for this line */
|
|
2810
|
-
authorEmail:
|
|
2811
|
+
authorEmail: z14.string().optional()
|
|
2811
2812
|
}).nullable();
|
|
2812
|
-
FileBlameDataZ =
|
|
2813
|
-
ChunkFetchResultZ =
|
|
2814
|
-
filePath:
|
|
2815
|
-
lines:
|
|
2813
|
+
FileBlameDataZ = z14.array(BlameLineInfoZ);
|
|
2814
|
+
ChunkFetchResultZ = z14.object({
|
|
2815
|
+
filePath: z14.string(),
|
|
2816
|
+
lines: z14.array(z14.number()),
|
|
2816
2817
|
data: FileBlameDataZ.nullable()
|
|
2817
2818
|
});
|
|
2818
|
-
FileBlameResponseEntryZ =
|
|
2819
|
+
FileBlameResponseEntryZ = z14.object({
|
|
2819
2820
|
/** Chunk index (0 for small files, 0-N for large file chunks) */
|
|
2820
|
-
chunkIndex:
|
|
2821
|
+
chunkIndex: z14.number(),
|
|
2821
2822
|
/** Blame data array (1-indexed, index 0 is null) */
|
|
2822
2823
|
blameData: FileBlameDataZ
|
|
2823
2824
|
});
|
|
2824
|
-
CommitBlameDataZ =
|
|
2825
|
-
|
|
2825
|
+
CommitBlameDataZ = z14.record(
|
|
2826
|
+
z14.string(),
|
|
2826
2827
|
// fileName
|
|
2827
|
-
|
|
2828
|
+
z14.array(FileBlameResponseEntryZ)
|
|
2828
2829
|
);
|
|
2829
|
-
CommitInfoZ =
|
|
2830
|
+
CommitInfoZ = z14.object({
|
|
2830
2831
|
/** Number of parent commits (1 = normal commit, 2+ = merge commit, null = failed to determine) */
|
|
2831
|
-
parentCount:
|
|
2832
|
+
parentCount: z14.number().nullable()
|
|
2832
2833
|
});
|
|
2833
|
-
GitIdentityZ =
|
|
2834
|
-
name:
|
|
2835
|
-
email:
|
|
2834
|
+
GitIdentityZ = z14.object({
|
|
2835
|
+
name: z14.string(),
|
|
2836
|
+
email: z14.string()
|
|
2836
2837
|
});
|
|
2837
2838
|
COMMIT_LOG_FORMAT = "%H%x00%ae%x00%an%x00%ce%x00%cn%x00%at%x00%s%x00%(trailers:key=Co-authored-by,valueonly,separator=%x00)";
|
|
2838
|
-
CommitDataZ =
|
|
2839
|
-
diff:
|
|
2839
|
+
CommitDataZ = z14.object({
|
|
2840
|
+
diff: z14.string(),
|
|
2840
2841
|
author: GitIdentityZ,
|
|
2841
2842
|
committer: GitIdentityZ,
|
|
2842
|
-
coAuthors:
|
|
2843
|
-
timestamp:
|
|
2843
|
+
coAuthors: z14.array(GitIdentityZ),
|
|
2844
|
+
timestamp: z14.number(),
|
|
2844
2845
|
// Unix timestamp in seconds
|
|
2845
|
-
message:
|
|
2846
|
-
parentCount:
|
|
2846
|
+
message: z14.string().optional(),
|
|
2847
|
+
parentCount: z14.number().nullable()
|
|
2847
2848
|
});
|
|
2848
|
-
PrDiffDataZ =
|
|
2849
|
-
diff:
|
|
2849
|
+
PrDiffDataZ = z14.object({
|
|
2850
|
+
diff: z14.string()
|
|
2850
2851
|
});
|
|
2851
|
-
PrStatsZ =
|
|
2852
|
-
additions:
|
|
2853
|
-
deletions:
|
|
2852
|
+
PrStatsZ = z14.object({
|
|
2853
|
+
additions: z14.number(),
|
|
2854
|
+
deletions: z14.number()
|
|
2854
2855
|
});
|
|
2855
|
-
CommitsManifestZ =
|
|
2856
|
-
commits:
|
|
2856
|
+
CommitsManifestZ = z14.object({
|
|
2857
|
+
commits: z14.array(z14.string())
|
|
2857
2858
|
// Array of commit SHAs in order
|
|
2858
2859
|
});
|
|
2859
|
-
BlameLineEntryZ =
|
|
2860
|
+
BlameLineEntryZ = z14.object({
|
|
2860
2861
|
/** Current file path in the PR head (what git blame was invoked on). */
|
|
2861
|
-
file:
|
|
2862
|
+
file: z14.string(),
|
|
2862
2863
|
/** Current line number in the PR head. */
|
|
2863
|
-
line:
|
|
2864
|
+
line: z14.number(),
|
|
2864
2865
|
/** SHA of the commit that originally authored this line. */
|
|
2865
|
-
originalCommitSha:
|
|
2866
|
+
originalCommitSha: z14.string(),
|
|
2866
2867
|
/** Line number as it was in `originalCommitSha`. */
|
|
2867
|
-
originalLineNumber:
|
|
2868
|
+
originalLineNumber: z14.number(),
|
|
2868
2869
|
/**
|
|
2869
2870
|
* File path as it was in `originalCommitSha` at the time that commit
|
|
2870
2871
|
* authored this line. When a file has been renamed since, this differs
|
|
@@ -2877,24 +2878,24 @@ var init_gitBlameTypes = __esm({
|
|
|
2877
2878
|
* must treat empty as "fall back to `file`" (see enrichDiffLines,
|
|
2878
2879
|
* targetedBlame).
|
|
2879
2880
|
*/
|
|
2880
|
-
originalFile:
|
|
2881
|
+
originalFile: z14.string().default("")
|
|
2881
2882
|
});
|
|
2882
|
-
BlameLinesDataZ =
|
|
2883
|
-
lines:
|
|
2883
|
+
BlameLinesDataZ = z14.object({
|
|
2884
|
+
lines: z14.array(BlameLineEntryZ)
|
|
2884
2885
|
});
|
|
2885
|
-
PrepareCommitBlameResponseMessageZ =
|
|
2886
|
+
PrepareCommitBlameResponseMessageZ = z14.object({
|
|
2886
2887
|
/** Commit blame request ID (matches request, used to update specific DB record) */
|
|
2887
|
-
commitBlameRequestId:
|
|
2888
|
+
commitBlameRequestId: z14.string(),
|
|
2888
2889
|
/** Organization ID (matches request) */
|
|
2889
|
-
organizationId:
|
|
2890
|
+
organizationId: z14.string(),
|
|
2890
2891
|
/** Repository URL (matches request) */
|
|
2891
|
-
repositoryUrl:
|
|
2892
|
+
repositoryUrl: z14.string(),
|
|
2892
2893
|
/** Commit SHA analyzed (matches request) */
|
|
2893
|
-
commitSha:
|
|
2894
|
+
commitSha: z14.string(),
|
|
2894
2895
|
/** Processing status */
|
|
2895
|
-
status:
|
|
2896
|
+
status: z14.enum(["success", "failure"]),
|
|
2896
2897
|
/** Error message (only present if status is 'failure') */
|
|
2897
|
-
error:
|
|
2898
|
+
error: z14.string().optional(),
|
|
2898
2899
|
/**
|
|
2899
2900
|
* Blame data for all processed files/chunks.
|
|
2900
2901
|
* Empty dictionary if status is 'failure'.
|
|
@@ -2906,29 +2907,29 @@ var init_gitBlameTypes = __esm({
|
|
|
2906
2907
|
* Keyed by commit SHA, deduplicated.
|
|
2907
2908
|
* Empty dictionary if status is 'failure'.
|
|
2908
2909
|
*/
|
|
2909
|
-
commits:
|
|
2910
|
+
commits: z14.record(z14.string(), CommitInfoZ).default({}),
|
|
2910
2911
|
// --- New PR diff computation response fields ---
|
|
2911
2912
|
/** S3 paths for commit-level data (commitSha → S3 key). Present in PR analysis mode and single commit mode. */
|
|
2912
|
-
commitDataS3Paths:
|
|
2913
|
+
commitDataS3Paths: z14.record(z14.string(), z14.string()).optional(),
|
|
2913
2914
|
/** S3 key for PR diff JSON. Present in PR analysis mode. */
|
|
2914
|
-
prDiffS3Path:
|
|
2915
|
+
prDiffS3Path: z14.string().optional(),
|
|
2915
2916
|
/** S3 key for commits manifest. Present in PR analysis mode. */
|
|
2916
|
-
commitsManifestS3Path:
|
|
2917
|
+
commitsManifestS3Path: z14.string().optional(),
|
|
2917
2918
|
/** S3 key for per-line targeted blame data. Present in PR analysis mode. */
|
|
2918
|
-
blameLinesS3Path:
|
|
2919
|
+
blameLinesS3Path: z14.string().optional(),
|
|
2919
2920
|
/** S3 key for PR stats (additions/deletions). Present in PR analysis mode. */
|
|
2920
|
-
prStatsS3Path:
|
|
2921
|
+
prStatsS3Path: z14.string().optional(),
|
|
2921
2922
|
/** PR context passed through from request for response handler. */
|
|
2922
2923
|
prContext: PrContextZ.optional(),
|
|
2923
2924
|
/** PR title from the request metadata (passed through). */
|
|
2924
|
-
prTitle:
|
|
2925
|
+
prTitle: z14.string().optional(),
|
|
2925
2926
|
/** User email passed through from request for single commit blame attribution analysis trigger. */
|
|
2926
|
-
userEmail:
|
|
2927
|
+
userEmail: z14.string().optional()
|
|
2927
2928
|
});
|
|
2928
|
-
VulnerabilityAttributionMessageZ =
|
|
2929
|
-
fixReportId:
|
|
2930
|
-
vulnerabilityAttributionRequestId:
|
|
2931
|
-
userEmail:
|
|
2929
|
+
VulnerabilityAttributionMessageZ = z14.object({
|
|
2930
|
+
fixReportId: z14.string().uuid(),
|
|
2931
|
+
vulnerabilityAttributionRequestId: z14.string().uuid(),
|
|
2932
|
+
userEmail: z14.string()
|
|
2932
2933
|
});
|
|
2933
2934
|
}
|
|
2934
2935
|
});
|
|
@@ -4262,1755 +4263,176 @@ var contextLogger = {
|
|
|
4262
4263
|
const logger3 = await createContextLogger();
|
|
4263
4264
|
return logger3.warn(message, data);
|
|
4264
4265
|
},
|
|
4265
|
-
error: async (message, data) => {
|
|
4266
|
-
const logger3 = await createContextLogger();
|
|
4267
|
-
return logger3.error(message, data);
|
|
4268
|
-
}
|
|
4269
|
-
};
|
|
4270
|
-
|
|
4271
|
-
// src/features/analysis/scm/errors.ts
|
|
4272
|
-
var InvalidAccessTokenError = class extends Error {
|
|
4273
|
-
constructor(m, scmType) {
|
|
4274
|
-
super(m);
|
|
4275
|
-
this.scmType = scmType;
|
|
4276
|
-
}
|
|
4277
|
-
};
|
|
4278
|
-
var InvalidUrlPatternError = class extends Error {
|
|
4279
|
-
constructor(m, scmType) {
|
|
4280
|
-
super(m);
|
|
4281
|
-
this.scmType = scmType;
|
|
4282
|
-
}
|
|
4283
|
-
};
|
|
4284
|
-
var RefNotFoundError = class extends Error {
|
|
4285
|
-
constructor(m) {
|
|
4286
|
-
super(m);
|
|
4287
|
-
}
|
|
4288
|
-
};
|
|
4289
|
-
var ScmBadCredentialsError = class extends Error {
|
|
4290
|
-
constructor(m, scmType) {
|
|
4291
|
-
super(m);
|
|
4292
|
-
this.scmType = scmType;
|
|
4293
|
-
}
|
|
4294
|
-
};
|
|
4295
|
-
var InvalidRepoUrlError = class extends Error {
|
|
4296
|
-
constructor(m, scmType) {
|
|
4297
|
-
super(m);
|
|
4298
|
-
this.scmType = scmType;
|
|
4299
|
-
}
|
|
4300
|
-
};
|
|
4301
|
-
var RepoNoTokenAccessError = class extends Error {
|
|
4302
|
-
constructor(m, scmType) {
|
|
4303
|
-
super(m);
|
|
4304
|
-
this.scmType = scmType;
|
|
4305
|
-
}
|
|
4306
|
-
};
|
|
4307
|
-
var RateLimitError = class extends Error {
|
|
4308
|
-
constructor(m, scmType, retryAfter) {
|
|
4309
|
-
super(m);
|
|
4310
|
-
this.scmType = scmType;
|
|
4311
|
-
this.retryAfter = retryAfter;
|
|
4312
|
-
}
|
|
4313
|
-
};
|
|
4314
|
-
var NetworkError = class extends Error {
|
|
4315
|
-
constructor(m, scmType, errorCode) {
|
|
4316
|
-
super(m);
|
|
4317
|
-
this.scmType = scmType;
|
|
4318
|
-
this.errorCode = errorCode;
|
|
4319
|
-
}
|
|
4320
|
-
};
|
|
4321
|
-
|
|
4322
|
-
// src/features/analysis/scm/utils/index.ts
|
|
4323
|
-
import { z as z13 } from "zod";
|
|
4324
|
-
|
|
4325
|
-
// src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
|
|
4326
|
-
init_client_generates();
|
|
4327
|
-
init_getIssueType();
|
|
4328
|
-
init_issueTypeCatalog();
|
|
4329
|
-
function capitalizeFirstLetter(str) {
|
|
4330
|
-
return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
|
|
4331
|
-
}
|
|
4332
|
-
function lowercaseFirstLetter(str) {
|
|
4333
|
-
if (!str) return str;
|
|
4334
|
-
return `${str.charAt(0).toLowerCase()}${str.slice(1)}`;
|
|
4335
|
-
}
|
|
4336
|
-
var severityToEmoji = {
|
|
4337
|
-
["critical" /* Critical */]: "\u{1F6A8}",
|
|
4338
|
-
["high" /* High */]: "\u{1F6A9}",
|
|
4339
|
-
["medium" /* Medium */]: "\u{1F7E1}",
|
|
4340
|
-
["low" /* Low */]: "\u{1F7E2}"
|
|
4341
|
-
};
|
|
4342
|
-
var getCommitDescription = ({
|
|
4343
|
-
vendor,
|
|
4344
|
-
issueType,
|
|
4345
|
-
severity,
|
|
4346
|
-
guidances,
|
|
4347
|
-
fixUrl,
|
|
4348
|
-
irrelevantIssueWithTags
|
|
4349
|
-
}) => {
|
|
4350
|
-
const issueTypeString = getIssueTypeFriendlyString(issueType);
|
|
4351
|
-
let description = `This change fixes a **${severity} severity** (${severityToEmoji[severity]}) **${issueTypeString}** issue reported by **${capitalizeFirstLetter(
|
|
4352
|
-
vendor
|
|
4353
|
-
)}**.
|
|
4354
|
-
|
|
4355
|
-
`;
|
|
4356
|
-
if (issueType) {
|
|
4357
|
-
if (irrelevantIssueWithTags?.[0]?.tag) {
|
|
4358
|
-
description += `
|
|
4359
|
-
> [!tip]
|
|
4360
|
-
> This issue was found to be irrelevant to your project - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
|
|
4361
|
-
> Mobb recommends to ignore this issue, however fix is available if you think differently.
|
|
4362
|
-
|
|
4363
|
-
|
|
4364
|
-
## Justification
|
|
4365
|
-
${issueDescription[irrelevantIssueWithTags[0].tag]}
|
|
4366
|
-
`;
|
|
4367
|
-
}
|
|
4368
|
-
const catalogEntry = getIssueTypeCatalogEntry(issueType);
|
|
4369
|
-
if (catalogEntry?.issueDescription) {
|
|
4370
|
-
description += `## Issue description
|
|
4371
|
-
${catalogEntry.issueDescription}
|
|
4372
|
-
`;
|
|
4373
|
-
if (catalogEntry.fixInstructions) {
|
|
4374
|
-
description += `
|
|
4375
|
-
## Fix instructions
|
|
4376
|
-
${catalogEntry.fixInstructions}
|
|
4377
|
-
`;
|
|
4378
|
-
}
|
|
4379
|
-
}
|
|
4380
|
-
}
|
|
4381
|
-
description += `
|
|
4382
|
-
${guidances.map(({ guidance }) => `## Additional actions required
|
|
4383
|
-
${guidance}
|
|
4384
|
-
`).join("")}
|
|
4385
|
-
`;
|
|
4386
|
-
if (fixUrl) {
|
|
4387
|
-
description += `
|
|
4388
|
-
[More info and fix customization are available in the Mobb platform](${fixUrl})`;
|
|
4389
|
-
}
|
|
4390
|
-
return description;
|
|
4391
|
-
};
|
|
4392
|
-
var getCommitIssueDescription = ({
|
|
4393
|
-
vendor,
|
|
4394
|
-
issueType,
|
|
4395
|
-
irrelevantIssueWithTags,
|
|
4396
|
-
fpDescription,
|
|
4397
|
-
unfixableDescription
|
|
4398
|
-
}) => {
|
|
4399
|
-
const issueTypeString = getIssueTypeFriendlyString(issueType);
|
|
4400
|
-
let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
|
|
4401
|
-
`;
|
|
4402
|
-
if (issueType) {
|
|
4403
|
-
if (irrelevantIssueWithTags?.[0]?.tag) {
|
|
4404
|
-
description = `
|
|
4405
|
-
> [!tip]
|
|
4406
|
-
> The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
|
|
4407
|
-
> ${issueTypeString} - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
|
|
4408
|
-
> Mobb recommends to ignore this issue, however fix is available if you think differently.
|
|
4409
|
-
|
|
4410
|
-
|
|
4411
|
-
## Justification
|
|
4412
|
-
${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
|
|
4413
|
-
`;
|
|
4414
|
-
}
|
|
4415
|
-
const catalogEntry = getIssueTypeCatalogEntry(issueType);
|
|
4416
|
-
if (catalogEntry?.issueDescription) {
|
|
4417
|
-
description += `## Issue description
|
|
4418
|
-
${catalogEntry.issueDescription}
|
|
4419
|
-
`;
|
|
4420
|
-
}
|
|
4421
|
-
}
|
|
4422
|
-
return description;
|
|
4423
|
-
};
|
|
4424
|
-
|
|
4425
|
-
// src/features/analysis/scm/shared/src/index.ts
|
|
4426
|
-
init_getIssueType();
|
|
4427
|
-
|
|
4428
|
-
// src/features/analysis/scm/shared/src/guidances.ts
|
|
4429
|
-
init_client_generates();
|
|
4430
|
-
init_getIssueType();
|
|
4431
|
-
import { z as z4 } from "zod";
|
|
4432
|
-
|
|
4433
|
-
// src/features/analysis/scm/shared/src/storedFixData/index.ts
|
|
4434
|
-
init_client_generates();
|
|
4435
|
-
import { z as z2 } from "zod";
|
|
4436
|
-
|
|
4437
|
-
// src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
|
|
4438
|
-
var passwordInComment = {
|
|
4439
|
-
guidance: () => "Removing sensitive information from the comments is not enough. To ensure the security of your data, you have to rotate passwords and tokens and update all places where they were used."
|
|
4440
|
-
};
|
|
4441
|
-
|
|
4442
|
-
// src/features/analysis/scm/shared/src/storedFixData/csharp/missingAntiForgeryValidation.ts
|
|
4443
|
-
var missingAntiForgeryValidation = {
|
|
4444
|
-
guidance: () => `The \`ValidateAntiForgeryToken\` attribute helps prevent cross-site request forgery (CSRF) attacks. The token is automatically injected into the view by the [FormTagHelper](https://learn.microsoft.com/en-us/aspnet/core/mvc/views/working-with-forms?view=aspnetcore-8.0#the-form-tag-helper)
|
|
4445
|
-
and is included when the form is submitted by the user. The token is validated by the \`ValidateAntiForgeryToken\` attribute. The token could be also generated using the [Html.AntiForgeryToken](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.htmlhelper.antiforgerytoken?view=aspnet-mvc-5.2) helper.
|
|
4446
|
-
|
|
4447
|
-
|
|
4448
|
-
|
|
4449
|
-
|
|
4450
|
-
***Make sure this controller's client provides the validation token before approving this change.***
|
|
4451
|
-
|
|
4452
|
-
|
|
4453
|
-
|
|
4454
|
-
|
|
4455
|
-
This is an illustration of how the form will look like:
|
|
4456
|
-
|
|
4457
|
-
|
|
4458
|
-
|
|
4459
|
-
<form method="post" action="/Action">
|
|
4460
|
-
<!-- Input and Submit elements -->
|
|
4461
|
-
<input name="__RequestVerificationToken"
|
|
4462
|
-
type="hidden" value="<removed for brevity>">
|
|
4463
|
-
</form>
|
|
4464
|
-
|
|
4465
|
-
|
|
4466
|
-
***Notice the \`__RequestVerificationToken\` parameters.***
|
|
4467
|
-
`
|
|
4468
|
-
};
|
|
4469
|
-
|
|
4470
|
-
// src/features/analysis/scm/shared/src/storedFixData/csharp/index.ts
|
|
4471
|
-
var vulnerabilities = {
|
|
4472
|
-
["MISSING_ANTIFORGERY_VALIDATION"]: missingAntiForgeryValidation,
|
|
4473
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment
|
|
4474
|
-
};
|
|
4475
|
-
var csharp_default = vulnerabilities;
|
|
4476
|
-
|
|
4477
|
-
// src/features/analysis/scm/shared/src/storedFixData/dockerfile/index.ts
|
|
4478
|
-
var vulnerabilities2 = {};
|
|
4479
|
-
var dockerfile_default = vulnerabilities2;
|
|
4480
|
-
|
|
4481
|
-
// src/features/analysis/scm/shared/src/storedFixData/go/index.ts
|
|
4482
|
-
var vulnerabilities3 = {};
|
|
4483
|
-
var go_default = vulnerabilities3;
|
|
4484
|
-
|
|
4485
|
-
// src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
|
|
4486
|
-
var vulnerabilities4 = {};
|
|
4487
|
-
var hcl_default = vulnerabilities4;
|
|
4488
|
-
|
|
4489
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
|
|
4490
|
-
var insecureDeserialization = {
|
|
4491
|
-
guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
|
|
4492
|
-
};
|
|
4493
|
-
|
|
4494
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
|
|
4495
|
-
var j2eeGetConnection = {
|
|
4496
|
-
guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
|
|
4497
|
-
|
|
4498
|
-
|
|
4499
|
-
|
|
4500
|
-
|
|
4501
|
-
***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
|
|
4502
|
-
|
|
4503
|
-
- **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
|
|
4504
|
-
- **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
|
|
4505
|
-
- **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
|
|
4506
|
-
- **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
|
|
4507
|
-
|
|
4508
|
-
|
|
4509
|
-
|
|
4510
|
-
|
|
4511
|
-
Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
|
|
4512
|
-
|
|
4513
|
-
|
|
4514
|
-
|
|
4515
|
-
|
|
4516
|
-
This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
|
|
4517
|
-
};
|
|
4518
|
-
|
|
4519
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
|
|
4520
|
-
var systemInformationLeak = {
|
|
4521
|
-
guidance: ({
|
|
4522
|
-
clientMightBeAffected
|
|
4523
|
-
}) => {
|
|
4524
|
-
if (clientMightBeAffected) {
|
|
4525
|
-
return "You should never expose error details to the client. We removed the error details from the response. Ensure the client application code does not rely on the removed information.";
|
|
4526
|
-
}
|
|
4527
|
-
return "";
|
|
4528
|
-
}
|
|
4529
|
-
};
|
|
4530
|
-
|
|
4531
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/index.ts
|
|
4532
|
-
var vulnerabilities5 = {
|
|
4533
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4534
|
-
["INSECURE_DESERIALIZATION"]: insecureDeserialization,
|
|
4535
|
-
["J2EE_GET_CONNECTION"]: j2eeGetConnection,
|
|
4536
|
-
["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
|
|
4537
|
-
};
|
|
4538
|
-
var java_default = vulnerabilities5;
|
|
4539
|
-
|
|
4540
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
|
|
4541
|
-
var csrf = {
|
|
4542
|
-
guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
|
|
4543
|
-
|
|
4544
|
-
|
|
4545
|
-
If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
|
|
4546
|
-
|
|
4547
|
-
|
|
4548
|
-
See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
|
|
4549
|
-
};
|
|
4550
|
-
|
|
4551
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
|
|
4552
|
-
var hardcodedSecrets = {
|
|
4553
|
-
guidance: ({ questions }) => {
|
|
4554
|
-
const envVarName = questions.find((q) => q.key === "env_var_name")?.value || "the";
|
|
4555
|
-
const keepAsDefault = questions.find(
|
|
4556
|
-
(q) => q.key === "keep_as_default"
|
|
4557
|
-
)?.value;
|
|
4558
|
-
let additionalText = "";
|
|
4559
|
-
if (keepAsDefault === "yes") {
|
|
4560
|
-
additionalText = "\n1. Remove the hardcoded secret from the code.\n";
|
|
4561
|
-
}
|
|
4562
|
-
return `Please follow the steps in this specific order:
|
|
4563
|
-
|
|
4564
|
-
1. Change the secret that was hardcoded. It is essential because even when you commit the changes, the secret will remain in the git history.${additionalText}
|
|
4565
|
-
1. Update the configuration of all your application environments and CI/CD pipelines to set \`${envVarName}\` environment variable.
|
|
4566
|
-
1. Commit the changes.`;
|
|
4567
|
-
}
|
|
4568
|
-
};
|
|
4569
|
-
|
|
4570
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/noLimitsOrThrottling.ts
|
|
4571
|
-
var noLimitsOrThrottling = {
|
|
4572
|
-
guidance: () => "We set the default limit to 60 requests per minute. To customize the rate limit settings, please read the documentation of the [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) package."
|
|
4573
|
-
};
|
|
4574
|
-
|
|
4575
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/ssrf.ts
|
|
4576
|
-
var ssrf = {
|
|
4577
|
-
guidance: () => "The server-side validates the domains it has access to, otherwise it throws an error if validation failed. Please make sure you handled the error correctly."
|
|
4578
|
-
};
|
|
4579
|
-
|
|
4580
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
|
|
4581
|
-
var vulnerabilities6 = {
|
|
4582
|
-
["SSRF"]: ssrf,
|
|
4583
|
-
["HARDCODED_SECRETS"]: hardcodedSecrets,
|
|
4584
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4585
|
-
["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling,
|
|
4586
|
-
["CSRF"]: csrf
|
|
4587
|
-
};
|
|
4588
|
-
var javascript_default = vulnerabilities6;
|
|
4589
|
-
|
|
4590
|
-
// src/features/analysis/scm/shared/src/storedFixData/php/index.ts
|
|
4591
|
-
var vulnerabilities7 = {};
|
|
4592
|
-
var php_default = vulnerabilities7;
|
|
4593
|
-
|
|
4594
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/autoEscapeFalse.ts
|
|
4595
|
-
var autoEscapeFalse = {
|
|
4596
|
-
guidance: () => `This fix enables automatic escaping for HTML. When that's enabled, everything is escaped by default except for values explicitly marked as safe. Variables and expressions can be marked as safe either in:
|
|
4597
|
-
|
|
4598
|
-
a. The context dictionary by the application with \`markupsafe.Markup\`
|
|
4599
|
-
|
|
4600
|
-
b. The template, with the \`|safe\` filter.
|
|
4601
|
-
|
|
4602
|
-
|
|
4603
|
-
|
|
4604
|
-
|
|
4605
|
-
See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping) and [here](https://pypi.org/project/MarkupSafe/).
|
|
4606
|
-
|
|
4607
|
-
|
|
4608
|
-
|
|
4609
|
-
|
|
4610
|
-
***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
|
|
4611
|
-
};
|
|
4612
|
-
|
|
4613
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
|
|
4614
|
-
var improperCertificateValidation = {
|
|
4615
|
-
guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
|
|
4616
|
-
|
|
4617
|
-
|
|
4618
|
-
|
|
4619
|
-
***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
|
|
4620
|
-
|
|
4621
|
-
|
|
4622
|
-
|
|
4623
|
-
See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
|
|
4624
|
-
};
|
|
4625
|
-
|
|
4626
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/index.ts
|
|
4627
|
-
var vulnerabilities8 = {
|
|
4628
|
-
["AUTO_ESCAPE_FALSE"]: autoEscapeFalse,
|
|
4629
|
-
["CSRF"]: csrf,
|
|
4630
|
-
["IMPROPER_CERTIFICATE_VALIDATION"]: improperCertificateValidation
|
|
4631
|
-
};
|
|
4632
|
-
var python_default = vulnerabilities8;
|
|
4633
|
-
|
|
4634
|
-
// src/features/analysis/scm/shared/src/storedFixData/sql/defaultRightsInObjDefinition.ts
|
|
4635
|
-
var defaultRightsInObjDefinition = {
|
|
4636
|
-
guidance: () => "***Make sure the user who is supposed to run the procedure has sufficient permissions.***\n\nRead more details about the `EXECUTE AS` statement in [the official Microsoft documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-clause-transact-sql?view=sql-server-ver16&tabs=sqlserver).\n\n`EXECUTE AS CALLER` is the default behavior for SQL Server 2005 and later."
|
|
4637
|
-
};
|
|
4638
|
-
|
|
4639
|
-
// src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
|
|
4640
|
-
var vulnerabilities9 = {
|
|
4641
|
-
["DEFAULT_RIGHTS_IN_OBJ_DEFINITION"]: defaultRightsInObjDefinition
|
|
4642
|
-
};
|
|
4643
|
-
var sql_default = vulnerabilities9;
|
|
4644
|
-
|
|
4645
|
-
// src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
|
|
4646
|
-
var vulnerabilities10 = {
|
|
4647
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment
|
|
4648
|
-
};
|
|
4649
|
-
var xml_default = vulnerabilities10;
|
|
4650
|
-
|
|
4651
|
-
// src/features/analysis/scm/shared/src/storedFixData/index.ts
|
|
4652
|
-
var StoredFixDataItemZ = z2.object({
|
|
4653
|
-
guidance: z2.function().args(z2.any()).returns(z2.string())
|
|
4654
|
-
});
|
|
4655
|
-
var languages = {
|
|
4656
|
-
["Java" /* Java */]: java_default,
|
|
4657
|
-
["JavaScript" /* JavaScript */]: javascript_default,
|
|
4658
|
-
["CSharp" /* CSharp */]: csharp_default,
|
|
4659
|
-
["SQL" /* Sql */]: sql_default,
|
|
4660
|
-
["XML" /* Xml */]: xml_default,
|
|
4661
|
-
["Python" /* Python */]: python_default,
|
|
4662
|
-
["PHP" /* Php */]: php_default,
|
|
4663
|
-
["Go" /* Go */]: go_default,
|
|
4664
|
-
["Dockerfile" /* Dockerfile */]: dockerfile_default,
|
|
4665
|
-
["Hcl" /* Hcl */]: hcl_default
|
|
4666
|
-
};
|
|
4667
|
-
|
|
4668
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/index.ts
|
|
4669
|
-
init_client_generates();
|
|
4670
|
-
import { z as z3 } from "zod";
|
|
4671
|
-
|
|
4672
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
|
|
4673
|
-
var commandInjection = {
|
|
4674
|
-
isUnixShellCommandPart: {
|
|
4675
|
-
content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
|
|
4676
|
-
description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
|
|
4677
|
-
|
|
4678
|
-
- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
|
|
4679
|
-
- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
|
|
4680
|
-
|
|
4681
|
-
Answer **no** (the input is not plain data) when the input is:
|
|
4682
|
-
|
|
4683
|
-
1. The program/executable itself:
|
|
4684
|
-
- \`system(input);\`
|
|
4685
|
-
- \`sprintf(cmd, "%s -x", input);\`
|
|
4686
|
-
2. A command after a pipe or redirect:
|
|
4687
|
-
- \`sprintf(cmd, "cat file.txt | %s", input);\`
|
|
4688
|
-
3. A part of a non-Unix or cross-platform shell command.
|
|
4689
|
-
4. A part of embedded code in another language:
|
|
4690
|
-
- \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
|
|
4691
|
-
- \`sprintf(cmd, "awk '%s' file", input);\`
|
|
4692
|
-
5. A flag/option that controls a tool's behaviour:
|
|
4693
|
-
- \`sprintf(cmd, "git --upload-pack %s", input);\``,
|
|
4694
|
-
guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
|
|
4695
|
-
},
|
|
4696
|
-
executableLocationPath: {
|
|
4697
|
-
content: () => "What is the absolute path of the directory containing the executable?",
|
|
4698
|
-
description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
|
|
4699
|
-
|
|
4700
|
-
Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
|
|
4701
|
-
guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
|
|
4702
|
-
}
|
|
4703
|
-
};
|
|
4704
|
-
|
|
4705
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/pathManipulation.ts
|
|
4706
|
-
var pathManipulation = {
|
|
4707
|
-
baseDirectory: {
|
|
4708
|
-
content: ({ expression }) => `Which directory must \`${expression}\` stay within? Enter the absolute base directory file access is restricted to.`,
|
|
4709
|
-
description: ({ expression }) => `The fix canonicalizes \`${expression}\` (resolving \`.\`, \`..\`, and symlinks) and verifies the result stays inside this base directory. Provide the **absolute** root the application is allowed to read or write under, for example \`/var/app/data\`. The directory must exist at runtime. A path that resolves outside it is rejected at runtime.`,
|
|
4710
|
-
guidance: (_) => "You **must** set this to an absolute path that exists at runtime and that your application confines file access to. If you leave it unset (or give a relative path), the generated fix is emitted with a placeholder identifier (`MOBB_SET_ALLOWED_BASE_DIR`) that **deliberately does not compile**, so a missing security boundary cannot be overlooked \u2014 replace it with your absolute base directory. A relative path would otherwise resolve against the process working directory (moving the boundary). At runtime the guard aborts (C: `exit(EXIT_FAILURE)`) / throws (C++: `std::runtime_error`) on a path that escapes the base. Pick the narrowest directory that still contains every legitimate file the code opens."
|
|
4711
|
-
}
|
|
4712
|
-
};
|
|
4713
|
-
|
|
4714
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
|
|
4715
|
-
var vulnerabilities11 = {
|
|
4716
|
-
["CMDi"]: commandInjection,
|
|
4717
|
-
["PT"]: pathManipulation
|
|
4718
|
-
};
|
|
4719
|
-
var cpp_default = vulnerabilities11;
|
|
4720
|
-
|
|
4721
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
|
|
4722
|
-
var httpOnlyCookie = {
|
|
4723
|
-
httpOnlyCookie: {
|
|
4724
|
-
content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
|
|
4725
|
-
description: () => httpOnlyMessage,
|
|
4726
|
-
guidance: () => ""
|
|
4727
|
-
},
|
|
4728
|
-
cookieVarName: {
|
|
4729
|
-
content: () => "Please define a variable name",
|
|
4730
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
4731
|
-
guidance: () => ""
|
|
4732
|
-
}
|
|
4733
|
-
};
|
|
4734
|
-
var httpOnlyMessage = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
|
|
4735
|
-
when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
|
|
4736
|
-
be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
|
|
4737
|
-
|
|
4738
|
-
|
|
4739
|
-
|
|
4740
|
-
|
|
4741
|
-
***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
|
|
4742
|
-
|
|
4743
|
-
|
|
4744
|
-
|
|
4745
|
-
`;
|
|
4746
|
-
|
|
4747
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureBinderConfiguration.ts
|
|
4748
|
-
var insecureBinderConfiguration = {
|
|
4749
|
-
bindAttributeParam: {
|
|
4750
|
-
content: ({ func_param_name }) => `Which properties of the model should be included in model binding for \`${func_param_name}\`?`,
|
|
4751
|
-
description: () => "Provide a comma-separated list of valid property names to be included in model binding. See [the official documentation](https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding?view=aspnetcore-8.0#bind-attribute) for more details.",
|
|
4752
|
-
guidance: () => ""
|
|
4753
|
-
}
|
|
4754
|
-
};
|
|
4755
|
-
|
|
4756
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureCookie.ts
|
|
4757
|
-
var insecureCookie = {
|
|
4758
|
-
insecureCookie: {
|
|
4759
|
-
content: () => "Will this cookie be used only in encrypted channels (https)?",
|
|
4760
|
-
description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
|
|
4761
|
-
In environments like local development or test, setting cookies as secure might have some consequences:
|
|
4762
|
-
|
|
4763
|
-
|
|
4764
|
-
- Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
|
|
4765
|
-
additional configuration and certificates. If cookies are marked as secure,
|
|
4766
|
-
they won't be sent over HTTP, and this could potentially interfere with the normal
|
|
4767
|
-
functioning of your application during development.
|
|
4768
|
-
|
|
4769
|
-
|
|
4770
|
-
- Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
|
|
4771
|
-
testing environment accurately simulates the production environment's security features.
|
|
4772
|
-
This may involve setting up HTTPS in your local development environment.
|
|
4773
|
-
|
|
4774
|
-
|
|
4775
|
-
- Debugging Challenges: Debugging may be more challenging when using secure cookies in a
|
|
4776
|
-
development environment, especially if you need to inspect or manipulate the cookies during
|
|
4777
|
-
development.`,
|
|
4778
|
-
guidance: () => ""
|
|
4779
|
-
},
|
|
4780
|
-
cookieVarName: {
|
|
4781
|
-
content: () => "Please define a variable name",
|
|
4782
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
4783
|
-
guidance: () => ""
|
|
4784
|
-
}
|
|
4785
|
-
};
|
|
4786
|
-
|
|
4787
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureRandomness.ts
|
|
4788
|
-
var insecureRandomness = {
|
|
4789
|
-
isRandomNumberGeneratorAvailable: {
|
|
4790
|
-
content: () => "We use the `RandomNumberGenerator` class from the `System.Security.Cryptography` package. Does this class exist for the .NET version you use?",
|
|
4791
|
-
description: () => "See [the official documentation](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-8.0#applies-to) for more details.",
|
|
4792
|
-
guidance: () => ""
|
|
4793
|
-
},
|
|
4794
|
-
isNetVersionGreaterThan6: {
|
|
4795
|
-
content: () => "We are able to offer a more concise solution if the .NET version is greater then .NET 6",
|
|
4796
|
-
description: () => "",
|
|
4797
|
-
guidance: () => ""
|
|
4798
|
-
}
|
|
4799
|
-
};
|
|
4800
|
-
|
|
4801
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insufficientLogging.ts
|
|
4802
|
-
var insufficientLogging = {
|
|
4803
|
-
logMessage: {
|
|
4804
|
-
content: () => "Enter the message that you want to appear in the log",
|
|
4805
|
-
description: () => "",
|
|
4806
|
-
guidance: () => ""
|
|
4807
|
-
}
|
|
4808
|
-
};
|
|
4809
|
-
|
|
4810
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/logForging.ts
|
|
4811
|
-
var logForging = {
|
|
4812
|
-
isHtmlDisplay: {
|
|
4813
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
4814
|
-
description: () => "",
|
|
4815
|
-
guidance: ({ userInputValue }) => {
|
|
4816
|
-
switch (userInputValue) {
|
|
4817
|
-
case "yes":
|
|
4818
|
-
return "We use the `System.Web` `HttpUtility` to decode the HTML";
|
|
4819
|
-
default:
|
|
4820
|
-
return "";
|
|
4821
|
-
}
|
|
4822
|
-
}
|
|
4823
|
-
}
|
|
4824
|
-
};
|
|
4825
|
-
|
|
4826
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/overlyBroadCatch.ts
|
|
4827
|
-
var overlyBroadCatch = {
|
|
4828
|
-
defaultExceptionsInWhenFilter: {
|
|
4829
|
-
content: () => "Exceptions to filter",
|
|
4830
|
-
description: () => "Coma separated list of the Fully Qualified Exceptions names",
|
|
4831
|
-
guidance: () => ""
|
|
4832
|
-
}
|
|
4833
|
-
};
|
|
4834
|
-
|
|
4835
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/pt.ts
|
|
4836
|
-
var pt = {
|
|
4837
|
-
taintedTermType: {
|
|
4838
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name or a file path?`,
|
|
4839
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
|
|
4840
|
-
guidance: () => ""
|
|
4841
|
-
},
|
|
4842
|
-
pathTargetDir: {
|
|
4843
|
-
content: () => "Allowed file path",
|
|
4844
|
-
description: () => "Provide the intended file path destination eg: /tmp/testfiles/users/",
|
|
4845
|
-
guidance: () => ""
|
|
4846
|
-
}
|
|
4847
|
-
};
|
|
4848
|
-
|
|
4849
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
|
|
4850
|
-
var regexMissingTimeout = {
|
|
4851
|
-
netVersionGreaterOrEqual7: {
|
|
4852
|
-
content: () => "Is your target framework .NET 7 or greater?",
|
|
4853
|
-
description: () => "",
|
|
4854
|
-
guidance: () => ""
|
|
4855
|
-
},
|
|
4856
|
-
timeout: {
|
|
4857
|
-
content: () => "Enter the timeout in milliseconds",
|
|
4858
|
-
description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
|
|
4859
|
-
guidance: () => ""
|
|
4860
|
-
},
|
|
4861
|
-
useBacktrackingOption: {
|
|
4862
|
-
content: () => "Use non backtracking option",
|
|
4863
|
-
description: () => "If the regex does not need to use backtracking we can disable it using regex options",
|
|
4864
|
-
guidance: () => ""
|
|
4865
|
-
}
|
|
4866
|
-
};
|
|
4867
|
-
|
|
4868
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/requestParametersBoundViaInput.ts
|
|
4869
|
-
var requestParametersBoundViaInput = {
|
|
4870
|
-
fieldsToCopy: {
|
|
4871
|
-
content: () => "Please list all the fields you expect as input from the user. Use comma separated list.",
|
|
4872
|
-
description: () => `This is meant to avoid mass assignment vulnerabilities, where the user would enter an inner unexpected field`,
|
|
4873
|
-
guidance: () => ""
|
|
4874
|
-
}
|
|
4875
|
-
};
|
|
4876
|
-
|
|
4877
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
|
|
4878
|
-
var sqlInjection = {
|
|
4879
|
-
databaseProvider: {
|
|
4880
|
-
content: () => "Select the database provider",
|
|
4881
|
-
description: () => "",
|
|
4882
|
-
guidance: () => ""
|
|
4883
|
-
}
|
|
4884
|
-
};
|
|
4885
|
-
|
|
4886
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/ssrf.ts
|
|
4887
|
-
var ssrf2 = {
|
|
4888
|
-
domainsAllowlist: {
|
|
4889
|
-
content: () => "Allowed domains",
|
|
4890
|
-
description: () => "Coma separated list of allowed domains.",
|
|
4891
|
-
guidance: () => ""
|
|
4892
|
-
}
|
|
4893
|
-
};
|
|
4894
|
-
|
|
4895
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sysLeak.ts
|
|
4896
|
-
var sysLeak = {
|
|
4897
|
-
errorMessage: {
|
|
4898
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
4899
|
-
description: () => "",
|
|
4900
|
-
guidance: () => ""
|
|
4901
|
-
},
|
|
4902
|
-
noLoggerAction: {
|
|
4903
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
4904
|
-
description: () => "",
|
|
4905
|
-
guidance: () => ""
|
|
4906
|
-
}
|
|
4907
|
-
};
|
|
4908
|
-
|
|
4909
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/trustBoundaryViolation.ts
|
|
4910
|
-
var trustBoundaryViolation = {
|
|
4911
|
-
validationPattern: {
|
|
4912
|
-
content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
|
|
4913
|
-
description: () => "We use regex to validate the input to avoid runtime surprises",
|
|
4914
|
-
guidance: () => ""
|
|
4915
|
-
},
|
|
4916
|
-
otherPatternValue: {
|
|
4917
|
-
content: () => `Enter the regex pattern you would like to use to validate the input`,
|
|
4918
|
-
description: () => "See patterns at [the regex docs](https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference)",
|
|
4919
|
-
guidance: () => ""
|
|
4920
|
-
}
|
|
4921
|
-
};
|
|
4922
|
-
|
|
4923
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/useOfSystemOutputStream.ts
|
|
4924
|
-
var useOfSystemOutputStream = {
|
|
4925
|
-
noLoggerAction: {
|
|
4926
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
4927
|
-
description: () => "",
|
|
4928
|
-
guidance: () => ""
|
|
4929
|
-
}
|
|
4930
|
-
};
|
|
4931
|
-
|
|
4932
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/valueShadowing.ts
|
|
4933
|
-
var valueShadowing = {
|
|
4934
|
-
collectionName: {
|
|
4935
|
-
content: () => "Please select the collection to search/index from",
|
|
4936
|
-
description: () => `Accessing the root object eg Request["item"] searches across all available collections and returns the first item that matches. Potentially leading to the correct value being shadowed. Available collections include:
|
|
4937
|
-
- QueryString: The values of variables in the HTTP query string.
|
|
4938
|
-
- Form: The values of form elements in the HTTP request body.
|
|
4939
|
-
- Cookies: The values of cookies sent in the HTTP request.
|
|
4940
|
-
- ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
|
|
4941
|
-
- ServerVariables: The values of predetermined environment variables.`,
|
|
4942
|
-
guidance: () => `See
|
|
4943
|
-
- https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524948(v=vs.90),
|
|
4944
|
-
- https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8.1`
|
|
4945
|
-
}
|
|
4946
|
-
};
|
|
4947
|
-
|
|
4948
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/wcfMisconfigurationThrottlingNotEnabled.ts
|
|
4949
|
-
var wcfMisconfigurationThrottlingNotEnabled = {
|
|
4950
|
-
maxConcurrentCalls: {
|
|
4951
|
-
content: () => "Please define the maximum concurrent calls",
|
|
4952
|
-
description: () => `A positive integer that limits the number of messages that currently process across a ServiceHost. Calls in excess of the limit are queued. Setting this value to 0 is equivalent to setting it to Int32.MaxValue.`,
|
|
4953
|
-
guidance: () => {
|
|
4954
|
-
return "";
|
|
4955
|
-
}
|
|
4956
|
-
},
|
|
4957
|
-
maxConcurrentInstances: {
|
|
4958
|
-
content: () => "Please define the maximum concurrent instances",
|
|
4959
|
-
description: () => `A positive integer that limits the number of InstanceContext objects that execute at one time across a ServiceHost. Requests to create additional instances are queued and complete when a slot below the limit becomes available.`,
|
|
4960
|
-
guidance: () => {
|
|
4961
|
-
return "";
|
|
4962
|
-
}
|
|
4963
|
-
},
|
|
4964
|
-
maxConcurrentSessions: {
|
|
4965
|
-
content: () => "Please define the maximum concurrent sessions",
|
|
4966
|
-
description: () => `A positive integer that limits the number of sessions a ServiceHost object can accept.`,
|
|
4967
|
-
guidance: () => {
|
|
4968
|
-
return "";
|
|
4969
|
-
}
|
|
4970
|
-
}
|
|
4971
|
-
};
|
|
4972
|
-
|
|
4973
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/xss.ts
|
|
4974
|
-
var xss = {
|
|
4975
|
-
allowSpecialCharacters: {
|
|
4976
|
-
content: ({ source_value }) => `Does your code allow encodable HTML characters like '&', '<', '"' etc. in: \`${source_value}\`?`,
|
|
4977
|
-
description: () => "",
|
|
4978
|
-
guidance: () => ""
|
|
4979
|
-
},
|
|
4980
|
-
containsHtml: {
|
|
4981
|
-
content: ({ prop_value }) => `Does your code allow having HTML tags in: \`${prop_value}\`?`,
|
|
4982
|
-
description: () => "",
|
|
4983
|
-
guidance: () => ""
|
|
4984
|
-
},
|
|
4985
|
-
netVersionGreaterOrEqual45: {
|
|
4986
|
-
content: () => "Is your target framework .NET 4.5 or greater?",
|
|
4987
|
-
description: () => "",
|
|
4988
|
-
guidance: () => ""
|
|
4989
|
-
},
|
|
4990
|
-
useHTML4NamedEntities: {
|
|
4991
|
-
content: () => "Would you like to use HTML 4.0 Named entities?",
|
|
4992
|
-
description: () => "See [examples](https://www.w3schools.com/charsets/ref_html_entities_4.asp) and [full description](https://www.w3.org/TR/WD-html40-970708/sgml/entities.html)",
|
|
4993
|
-
guidance: () => ""
|
|
4994
|
-
}
|
|
4995
|
-
};
|
|
4996
|
-
|
|
4997
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/xxe.ts
|
|
4998
|
-
var xxe = {
|
|
4999
|
-
netVersionGreaterOrEqual4: {
|
|
5000
|
-
content: () => "Is your target framework .NET 4.0.0 or greater?",
|
|
5001
|
-
description: () => "",
|
|
5002
|
-
guidance: ({ userInputValue }) => {
|
|
5003
|
-
switch (userInputValue) {
|
|
5004
|
-
case "yes":
|
|
5005
|
-
return "We set `DtdProcessing` to `DtdProcessing.Prohibit` in order to prevent DTD parsing.";
|
|
5006
|
-
default:
|
|
5007
|
-
return "We set `ProhibitDtd` to `true` in order to prevent DTD parsing.";
|
|
5008
|
-
}
|
|
5009
|
-
}
|
|
5010
|
-
}
|
|
5011
|
-
};
|
|
5012
|
-
|
|
5013
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
|
|
5014
|
-
var vulnerabilities12 = {
|
|
5015
|
-
["LOG_FORGING"]: logForging,
|
|
5016
|
-
["SSRF"]: ssrf2,
|
|
5017
|
-
["XXE"]: xxe,
|
|
5018
|
-
["XSS"]: xss,
|
|
5019
|
-
["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream,
|
|
5020
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak,
|
|
5021
|
-
["OVERLY_BROAD_CATCH"]: overlyBroadCatch,
|
|
5022
|
-
["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation,
|
|
5023
|
-
["PT"]: pt,
|
|
5024
|
-
["REGEX_MISSING_TIMEOUT"]: regexMissingTimeout,
|
|
5025
|
-
["HTTP_ONLY_COOKIE"]: httpOnlyCookie,
|
|
5026
|
-
["INSECURE_COOKIE"]: insecureCookie,
|
|
5027
|
-
["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED"]: wcfMisconfigurationThrottlingNotEnabled,
|
|
5028
|
-
["INSECURE_BINDER_CONFIGURATION"]: insecureBinderConfiguration,
|
|
5029
|
-
["VALUE_SHADOWING"]: valueShadowing,
|
|
5030
|
-
["INSECURE_RANDOMNESS"]: insecureRandomness,
|
|
5031
|
-
["INSUFFICIENT_LOGGING"]: insufficientLogging,
|
|
5032
|
-
["SQL_Injection"]: sqlInjection,
|
|
5033
|
-
["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
|
|
5034
|
-
};
|
|
5035
|
-
var csharp_default2 = vulnerabilities12;
|
|
5036
|
-
|
|
5037
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/logForging.ts
|
|
5038
|
-
var logForging2 = {
|
|
5039
|
-
isHtmlDisplay: {
|
|
5040
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5041
|
-
description: () => "",
|
|
5042
|
-
guidance: () => ""
|
|
5043
|
-
}
|
|
5044
|
-
};
|
|
5045
|
-
|
|
5046
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/missingSslMinversion.ts
|
|
5047
|
-
var missingSslMinversion = {
|
|
5048
|
-
minTlsVersion: {
|
|
5049
|
-
content: () => "What is the minimum version of Transport Layer Security (TLS) you allow? Ensure compatibility between the server and clients.",
|
|
5050
|
-
description: () => "",
|
|
5051
|
-
guidance: () => ""
|
|
5052
|
-
}
|
|
5053
|
-
};
|
|
5054
|
-
|
|
5055
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
|
|
5056
|
-
var websocketMissingOriginCheck = {
|
|
5057
|
-
minTlsVersion: {
|
|
5058
|
-
content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
|
|
5059
|
-
description: () => "",
|
|
5060
|
-
guidance: () => ""
|
|
5061
|
-
}
|
|
5062
|
-
};
|
|
5063
|
-
|
|
5064
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
|
|
5065
|
-
var vulnerabilities13 = {
|
|
5066
|
-
["LOG_FORGING"]: logForging2,
|
|
5067
|
-
["MISSING_SSL_MINVERSION"]: missingSslMinversion,
|
|
5068
|
-
["WEBSOCKET_MISSING_ORIGIN_CHECK"]: websocketMissingOriginCheck
|
|
5069
|
-
};
|
|
5070
|
-
var go_default2 = vulnerabilities13;
|
|
5071
|
-
|
|
5072
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
|
|
5073
|
-
var commandInjection2 = {
|
|
5074
|
-
isUnixShellCommandPart: {
|
|
5075
|
-
content: () => "Is the input part of Unix shell command?",
|
|
5076
|
-
description: () => `For example:
|
|
5077
|
-
|
|
5078
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -t 5 -c 5 " + input});\`
|
|
5079
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "curl " + input + " > file.txt"});\`
|
|
5080
|
-
|
|
5081
|
-
Make sure the input is not:
|
|
5082
|
-
|
|
5083
|
-
1. An executable name:
|
|
5084
|
-
- \`Runtime.getRuntime().exec(input);\`
|
|
5085
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", input});\`
|
|
5086
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", input + " param"});\`
|
|
5087
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "cat file.txt | " + input});\`
|
|
5088
|
-
- \`Runtime.getRuntime().exec(new String[] {"/usr/bin/git", "--upload-pack", input});\`
|
|
5089
|
-
2. A part of non-unix or cross platform shell command:
|
|
5090
|
-
- \`Runtime.getRuntime().exec(new String[] {"cmd.exe", "/c", "ping " + input});\`
|
|
5091
|
-
3. A part of programming language code:
|
|
5092
|
-
- \`Runtime.getRuntime().exec(new String[] {"php", "-r", "echo '" + input + "';"});\`
|
|
5093
|
-
- \`Runtime.getRuntime().exec(new String[] {"perl", "-e", "print '" + input + "'"});\``,
|
|
5094
|
-
guidance: () => ""
|
|
5095
|
-
},
|
|
5096
|
-
installApacheCommonsText: {
|
|
5097
|
-
content: () => "Is the Apache Commons library (org.apache.commons) included in your project, if not, can you add it?",
|
|
5098
|
-
description: () => "Apache Commons Text is a library focused on algorithms working on strings.",
|
|
5099
|
-
guidance: ({ userInputValue }) => userInputValue === "yes" ? "To add the library, modify your pom.xml or build.gradle to include the library. You can find the latest version here https://mvnrepository.com/artifact/org.apache.commons/commons-text" : ""
|
|
5100
|
-
},
|
|
5101
|
-
cmdAllowlist: {
|
|
5102
|
-
content: () => "Allowed Commands",
|
|
5103
|
-
description: () => "Make sure that the list of commands is separated by commas.",
|
|
5104
|
-
guidance: () => ""
|
|
5105
|
-
}
|
|
5106
|
-
};
|
|
5107
|
-
|
|
5108
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/confusingNaming.ts
|
|
5109
|
-
var confusingNaming = {
|
|
5110
|
-
newFieldName: {
|
|
5111
|
-
content: () => "Rename the existing field",
|
|
5112
|
-
description: () => "",
|
|
5113
|
-
guidance: () => ""
|
|
5114
|
-
}
|
|
5115
|
-
};
|
|
5116
|
-
|
|
5117
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
|
|
5118
|
-
var duplicatedStrings = {
|
|
5119
|
-
constantName: {
|
|
5120
|
-
content: () => "New constant name",
|
|
5121
|
-
description: () => "",
|
|
5122
|
-
guidance: () => ""
|
|
5123
|
-
}
|
|
5124
|
-
};
|
|
5125
|
-
|
|
5126
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
|
|
5127
|
-
var erroneousStringCompare = {
|
|
5128
|
-
javaVersionGreaterOrEqual17: {
|
|
5129
|
-
content: () => "Is `java.util.Objects` package available in your runtime?",
|
|
5130
|
-
description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
|
|
5131
|
-
guidance: () => ""
|
|
5132
|
-
}
|
|
5133
|
-
};
|
|
5134
|
-
|
|
5135
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/errorConditionWithoutAction.ts
|
|
5136
|
-
var errorConditionWithoutAction = {
|
|
5137
|
-
errorMessage: {
|
|
5138
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5139
|
-
description: () => "",
|
|
5140
|
-
guidance: () => ""
|
|
5141
|
-
}
|
|
5142
|
-
};
|
|
5143
|
-
|
|
5144
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/httpOnlyCookie.ts
|
|
5145
|
-
var httpOnlyCookie2 = {
|
|
5146
|
-
httpOnlyCookie: {
|
|
5147
|
-
content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
|
|
5148
|
-
description: ({ class_name }) => class_name == "Cookie" ? `${httpOnlyMessage2} ${setHttpOnlyMethodMessage}` : httpOnlyMessage2,
|
|
5149
|
-
guidance: () => ""
|
|
5150
|
-
},
|
|
5151
|
-
cookieVarName: {
|
|
5152
|
-
content: () => "Please define a variable name",
|
|
5153
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
5154
|
-
guidance: () => ""
|
|
5155
|
-
}
|
|
5156
|
-
};
|
|
5157
|
-
var httpOnlyMessage2 = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
|
|
5158
|
-
when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
|
|
5159
|
-
be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
|
|
5160
|
-
|
|
5161
|
-
|
|
5162
|
-
|
|
5163
|
-
|
|
5164
|
-
***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
|
|
5165
|
-
|
|
5166
|
-
|
|
5167
|
-
|
|
5168
|
-
`;
|
|
5169
|
-
var setHttpOnlyMethodMessage = `Beware that if your application is using a version of the javax.servlet-api package < 3.0
|
|
5170
|
-
this change will not work since the method "setHttpOnly" is not present in previous of the package.`;
|
|
5171
|
-
|
|
5172
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/insecureCookie.ts
|
|
5173
|
-
var insecureCookie2 = {
|
|
5174
|
-
insecureCookie: {
|
|
5175
|
-
content: () => "Will this cookie be used only in encrypted channels (https)?",
|
|
5176
|
-
description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
|
|
5177
|
-
In environments like local development or test, setting cookies as secure might have some consequences:
|
|
5178
|
-
|
|
5179
|
-
|
|
5180
|
-
- Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
|
|
5181
|
-
additional configuration and certificates. If cookies are marked as secure,
|
|
5182
|
-
they won't be sent over HTTP, and this could potentially interfere with the normal
|
|
5183
|
-
functioning of your application during development.
|
|
5184
|
-
|
|
5185
|
-
|
|
5186
|
-
- Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
|
|
5187
|
-
testing environment accurately simulates the production environment's security features.
|
|
5188
|
-
This may involve setting up HTTPS in your local development environment.
|
|
5189
|
-
|
|
5190
|
-
|
|
5191
|
-
- Debugging Challenges: Debugging may be more challenging when using secure cookies in a
|
|
5192
|
-
development environment, especially if you need to inspect or manipulate the cookies during
|
|
5193
|
-
development.`,
|
|
5194
|
-
guidance: () => ""
|
|
5195
|
-
},
|
|
5196
|
-
cookieVarName: {
|
|
5197
|
-
content: () => "Please define a variable name",
|
|
5198
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
5199
|
-
guidance: () => ""
|
|
5200
|
-
}
|
|
5201
|
-
};
|
|
5202
|
-
|
|
5203
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
|
|
5204
|
-
var j2eeGetConnection2 = {
|
|
5205
|
-
jndiResourceName: {
|
|
5206
|
-
content: () => "What JNDI name is the database connection pool registered under?",
|
|
5207
|
-
description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
|
|
5208
|
-
guidance: () => ""
|
|
5209
|
-
}
|
|
5210
|
-
};
|
|
5211
|
-
|
|
5212
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
|
|
5213
|
-
var leftoverDebugCode = {
|
|
5214
|
-
isCodeUsed: {
|
|
5215
|
-
content: () => "The function seems to be a remnant of debug code. Is it still being used?",
|
|
5216
|
-
description: () => "",
|
|
5217
|
-
guidance: () => ""
|
|
5218
|
-
}
|
|
5219
|
-
};
|
|
5220
|
-
|
|
5221
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/localeDependentComparison.ts
|
|
5222
|
-
var localeDependentComparison = {
|
|
5223
|
-
localeType: {
|
|
5224
|
-
content: ({ variable }) => `Is ${variable} locale dependent?`,
|
|
5225
|
-
description: () => `Select "locale insensitive" for string comparisons that are not dependent on the locale.
|
|
5226
|
-
|
|
5227
|
-
Select "default locale" for string comparisons that uses the default locale.
|
|
5228
|
-
|
|
5229
|
-
Select "custom locale" for string comparisons that are dependent on a specific locale language.`,
|
|
5230
|
-
guidance: () => ""
|
|
5231
|
-
},
|
|
5232
|
-
customLocaleLanguage: {
|
|
5233
|
-
content: () => "What is your locale language?",
|
|
5234
|
-
description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
|
|
5235
|
-
guidance: () => ""
|
|
5236
|
-
},
|
|
5237
|
-
customLocaleCountry: {
|
|
5238
|
-
content: () => "What is your locale country?",
|
|
5239
|
-
description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
|
|
5240
|
-
guidance: () => ""
|
|
5241
|
-
}
|
|
5242
|
-
};
|
|
5243
|
-
|
|
5244
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/logForging.ts
|
|
5245
|
-
var logForging3 = {
|
|
5246
|
-
isHtmlDisplay: {
|
|
5247
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5248
|
-
description: () => "",
|
|
5249
|
-
guidance: () => ""
|
|
5250
|
-
},
|
|
5251
|
-
htmlEscapingLib: {
|
|
5252
|
-
content: () => "Which HTML escaping library would you like to use?",
|
|
5253
|
-
description: () => `
|
|
5254
|
-
- If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
|
|
5255
|
-
- Another \`option is org.apache.commons.text.StringEscapeUtils\``,
|
|
5256
|
-
guidance: () => ""
|
|
5257
|
-
}
|
|
5258
|
-
};
|
|
5259
|
-
|
|
5260
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/missingCheckAgainstNull.ts
|
|
5261
|
-
var missingCheckAgainstNull = {
|
|
5262
|
-
preferredAction: {
|
|
5263
|
-
content: ({ tainted_expression }) => `What is expected behavior if \`${tainted_expression}\` returns null?`,
|
|
5264
|
-
description: () => "",
|
|
5265
|
-
guidance: () => ""
|
|
5266
|
-
},
|
|
5267
|
-
javaVersionGreaterOrEqual17: {
|
|
5268
|
-
content: () => "Is `java.util.Objects` package available in your runtime?",
|
|
5269
|
-
description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
|
|
5270
|
-
guidance: () => ""
|
|
5271
|
-
}
|
|
5272
|
-
};
|
|
5273
|
-
|
|
5274
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/openRedirect.ts
|
|
5275
|
-
var openRedirect = {
|
|
5276
|
-
allowlist: {
|
|
5277
|
-
content: () => "Allowed domains",
|
|
5278
|
-
description: () => "Add a comma separated list of allowed domains (e.g. 'google.com,example.com')",
|
|
5279
|
-
guidance: () => ""
|
|
5280
|
-
}
|
|
5281
|
-
};
|
|
5282
|
-
|
|
5283
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/overlyBroadCatch.ts
|
|
5284
|
-
var overlyBroadCatch2 = {
|
|
5285
|
-
handleRuntimeExceptions: {
|
|
5286
|
-
content: () => "Does the code intentionally catch `RuntimeException` instances like `ArithmeticException` or `NullPointerException` in the `catch` block?",
|
|
5287
|
-
description: () => "Usually, when catching the general `Exception` class catching of `RuntimeException` is implied and not necessarily the wanted/safe behavior. The application needs to deal with it explicitly in a different way, as the Mobb fix suggests.",
|
|
5288
|
-
guidance: () => ""
|
|
5289
|
-
}
|
|
5290
|
-
};
|
|
5291
|
-
|
|
5292
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/privacyViolation.ts
|
|
5293
|
-
var privacyViolation = {
|
|
5294
|
-
remediationOption: {
|
|
5295
|
-
content: () => "Preferred fix solution",
|
|
5296
|
-
description: () => `
|
|
5297
|
-
- Completely Remove the log message
|
|
5298
|
-
- Replace the sensitive data with the string [Redacted]
|
|
5299
|
-
- SHA 256 Hash the sensitive information in the log message`,
|
|
5300
|
-
guidance: () => ""
|
|
5301
|
-
}
|
|
5302
|
-
};
|
|
5303
|
-
|
|
5304
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/pt.ts
|
|
5305
|
-
var pt2 = {
|
|
5306
|
-
isPathRelativeOnly: {
|
|
5307
|
-
content: ({ expression }) => `Do you expect \`${expression}\` to be a relative path?`,
|
|
5308
|
-
description: () => "You most likely want to serve files relative to the web server's static files folder in web applications. If so, your answer should be `yes`. In CLI applications, you probably would like to give the user more flexibility and allow them to specify absolute paths to any location on the disk \u2013 your answer should be `no` in such cases.",
|
|
5309
|
-
guidance: () => ""
|
|
5310
|
-
},
|
|
5311
|
-
isFileName: {
|
|
5312
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name or a file name part?`,
|
|
5313
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters. If \`${expression}\` is supposed to legitimately include such characters, the answer should be "no".`,
|
|
5314
|
-
guidance: () => ""
|
|
5315
|
-
}
|
|
5316
|
-
};
|
|
5317
|
-
|
|
5318
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/relativePathCommand.ts
|
|
5319
|
-
var relativePathCommand = {
|
|
5320
|
-
executableLocationPath: {
|
|
5321
|
-
content: () => "What is the absolute path of the directory containing the executable?",
|
|
5322
|
-
description: () => "We need the absolute path to the executable to protect your application from command injection and ensure malicious actors cannot execute arbitrary commands on your system.",
|
|
5323
|
-
guidance: () => ""
|
|
5324
|
-
}
|
|
5325
|
-
};
|
|
5326
|
-
|
|
5327
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
|
|
5328
|
-
var ssrf3 = {
|
|
5329
|
-
domainsAllowlist: {
|
|
5330
|
-
content: () => "Allowed URL prefixes",
|
|
5331
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
|
|
5332
|
-
|
|
5333
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
|
|
5334
|
-
guidance: () => ""
|
|
5335
|
-
}
|
|
5336
|
-
};
|
|
5337
|
-
|
|
5338
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/sysLeak.ts
|
|
5339
|
-
var sysLeak2 = {
|
|
5340
|
-
errorMessage: {
|
|
5341
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5342
|
-
description: () => "",
|
|
5343
|
-
guidance: () => ""
|
|
5344
|
-
},
|
|
5345
|
-
noLoggerAction: {
|
|
5346
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5347
|
-
description: () => "",
|
|
5348
|
-
guidance: () => ""
|
|
5349
|
-
}
|
|
5350
|
-
};
|
|
5351
|
-
|
|
5352
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/trustBoundaryViolation.ts
|
|
5353
|
-
var trustBoundaryViolation2 = {
|
|
5354
|
-
validationPattern: {
|
|
5355
|
-
content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
|
|
5356
|
-
description: () => "We use regex to validate the input to avoid runtime surprises",
|
|
5357
|
-
guidance: () => ""
|
|
5358
|
-
},
|
|
5359
|
-
otherPatternValue: {
|
|
5360
|
-
content: () => `Enter the regex pattern you would like to use to validate the input`,
|
|
5361
|
-
description: () => "See patterns at [the regex javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html)",
|
|
5362
|
-
guidance: () => ""
|
|
5363
|
-
}
|
|
5364
|
-
};
|
|
5365
|
-
|
|
5366
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/uncheckedLoopCondition.ts
|
|
5367
|
-
var uncheckedLoopCondition = {
|
|
5368
|
-
loopLimit: {
|
|
5369
|
-
content: () => "Please define a maximum loop limit",
|
|
5370
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
5371
|
-
guidance: () => ""
|
|
5372
|
-
},
|
|
5373
|
-
varName: {
|
|
5374
|
-
content: () => "Please define a variable name",
|
|
5375
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
5376
|
-
guidance: () => ""
|
|
5377
|
-
}
|
|
5378
|
-
};
|
|
5379
|
-
|
|
5380
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
|
|
5381
|
-
var unsafeReflection = {
|
|
5382
|
-
classAllowlist: {
|
|
5383
|
-
content: () => "Allowed class names for reflection",
|
|
5384
|
-
description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
|
|
5385
|
-
guidance: () => ""
|
|
5386
|
-
}
|
|
5387
|
-
};
|
|
5388
|
-
|
|
5389
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
|
|
5390
|
-
var useOfSystemOutputStream2 = {
|
|
5391
|
-
noLoggerAction: {
|
|
5392
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5393
|
-
description: () => "",
|
|
5394
|
-
guidance: () => ""
|
|
5395
|
-
}
|
|
5396
|
-
};
|
|
5397
|
-
|
|
5398
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/xss.ts
|
|
5399
|
-
var xss2 = {
|
|
5400
|
-
isHtmlOrSafeAttribute: {
|
|
5401
|
-
content: ({ tainted_variable }) => `Where is \`${tainted_variable}\` written to?`,
|
|
5402
|
-
description: () => `Answer examples:
|
|
5403
|
-
|
|
5404
|
-
- a text in an HTML tag or a value of a safe HTML attribute:
|
|
5405
|
-
- \`<li><%= name %></li>\`
|
|
5406
|
-
- \`<div>Name: <%= name %></div>\`
|
|
5407
|
-
- \`<input value="<%= name %>" name="name"/>\`
|
|
5408
|
-
- \`<div data-name="<%= name %>"></div>\`
|
|
5409
|
-
- a JavaScript code block:
|
|
5410
|
-
- \`<script>const name = "<%= name %>";</script>\`
|
|
5411
|
-
- an event attribute of an HTML tag:
|
|
5412
|
-
- \`<a onclick="alert('<%= name %>')">click me</a>\`
|
|
5413
|
-
- \`<img onmouseover="alert('<%= name %>')"/>\`
|
|
5414
|
-
- a src-like attribute of an HTML tag:
|
|
5415
|
-
- \`<a href="/user/<%= name %>">me</a>\`
|
|
5416
|
-
- \`<img src="/img/<%= name %>"/>\`
|
|
5417
|
-
- \`<form action="<%= name %>"></form>\`
|
|
5418
|
-
- \`<iframe srcdoc="<%= name %>"/>\`
|
|
5419
|
-
- a part of an HTML tag attributes list:
|
|
5420
|
-
- \`<a <%= name %>>text</a>\`
|
|
5421
|
-
|
|
5422
|
-
See more details about safe and unsafe HTML attributes:
|
|
5423
|
-
- [PortSwigger cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
|
|
5424
|
-
- [DOMPurify attributes filter implementation](https://github.com/cure53/DOMPurify/blob/c29aa900a1c286b82ee4f48a7ffab96cab3e84fa/src/attrs.js)
|
|
5425
|
-
`,
|
|
5426
|
-
guidance: () => ""
|
|
5427
|
-
},
|
|
5428
|
-
isHtmlEncoded: {
|
|
5429
|
-
content: () => "Is the user input already encoded as HTML text?",
|
|
5430
|
-
description: () => "If you are unsure, we will decode the user input and encode it again to ensure it is safe and the data is kept the same.",
|
|
5431
|
-
guidance: () => ""
|
|
5432
|
-
},
|
|
5433
|
-
htmlEscapingLib: {
|
|
5434
|
-
content: () => "Which HTML escaping library would you like to use?",
|
|
5435
|
-
description: () => `
|
|
5436
|
-
- If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
|
|
5437
|
-
- Another option is \`org.apache.commons.text.StringEscapeUtils\``,
|
|
5438
|
-
guidance: () => ""
|
|
5439
|
-
}
|
|
5440
|
-
};
|
|
5441
|
-
|
|
5442
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/xxe.ts
|
|
5443
|
-
var xxe2 = {
|
|
5444
|
-
factoryVarName: {
|
|
5445
|
-
content: () => "Name the new Factory variable",
|
|
5446
|
-
description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
|
|
5447
|
-
guidance: () => ""
|
|
5448
|
-
}
|
|
5449
|
-
};
|
|
5450
|
-
|
|
5451
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
|
|
5452
|
-
var vulnerabilities14 = {
|
|
5453
|
-
["CMDi_relative_path_command"]: relativePathCommand,
|
|
5454
|
-
["CMDi"]: commandInjection2,
|
|
5455
|
-
["CONFUSING_NAMING"]: confusingNaming,
|
|
5456
|
-
["ERROR_CONDTION_WITHOUT_ACTION"]: errorConditionWithoutAction,
|
|
5457
|
-
["XXE"]: xxe2,
|
|
5458
|
-
["XSS"]: xss2,
|
|
5459
|
-
["PRIVACY_VIOLATION"]: privacyViolation,
|
|
5460
|
-
["PT"]: pt2,
|
|
5461
|
-
["SSRF"]: ssrf3,
|
|
5462
|
-
["LOG_FORGING"]: logForging3,
|
|
5463
|
-
["LOCALE_DEPENDENT_COMPARISON"]: localeDependentComparison,
|
|
5464
|
-
["MISSING_CHECK_AGAINST_NULL"]: missingCheckAgainstNull,
|
|
5465
|
-
["OPEN_REDIRECT"]: openRedirect,
|
|
5466
|
-
["OVERLY_BROAD_CATCH"]: overlyBroadCatch2,
|
|
5467
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak2,
|
|
5468
|
-
["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream2,
|
|
5469
|
-
["HTTP_ONLY_COOKIE"]: httpOnlyCookie2,
|
|
5470
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition,
|
|
5471
|
-
["INSECURE_COOKIE"]: insecureCookie2,
|
|
5472
|
-
["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation2,
|
|
5473
|
-
["UNSAFE_REFLECTION"]: unsafeReflection,
|
|
5474
|
-
["J2EE_GET_CONNECTION"]: j2eeGetConnection2,
|
|
5475
|
-
["LEFTOVER_DEBUG_CODE"]: leftoverDebugCode,
|
|
5476
|
-
["ERRONEOUS_STRING_COMPARE"]: erroneousStringCompare,
|
|
5477
|
-
["DUPLICATED_STRINGS"]: duplicatedStrings
|
|
5478
|
-
};
|
|
5479
|
-
var java_default2 = vulnerabilities14;
|
|
5480
|
-
|
|
5481
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
|
|
5482
|
-
var csrf2 = {
|
|
5483
|
-
isPythonDjangoTemplate: {
|
|
5484
|
-
content: () => "Is the reported file Python Django template?",
|
|
5485
|
-
description: () => "",
|
|
5486
|
-
guidance: () => ""
|
|
5487
|
-
}
|
|
5488
|
-
};
|
|
5489
|
-
|
|
5490
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
|
|
5491
|
-
var commandInjection3 = {
|
|
5492
|
-
isCommandExecutable: {
|
|
5493
|
-
content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
|
|
5494
|
-
description: () => `Does the command fall into one of the following categories:
|
|
5495
|
-
|
|
5496
|
-
1. An executable name:
|
|
5497
|
-
- \`exec(input);\`
|
|
5498
|
-
- \`exec("/bin/bash " + input);\`
|
|
5499
|
-
- \`exec("/bin/sh -c" + input + " param");\`
|
|
5500
|
-
- \`exec("/bin/bash -c cat file.txt | " + input);\`
|
|
5501
|
-
- \`exec("/usr/bin/git --upload-pack " + input);\`
|
|
5502
|
-
2. A part of non-unix or cross platform shell command:
|
|
5503
|
-
- \`exec("cmd.exe /c ping " + input);\`
|
|
5504
|
-
3. A part of programming language code:
|
|
5505
|
-
- \`exec("php -r echo '" + input + "';");\`
|
|
5506
|
-
- \`exec("perl -e print '" + input + "'");\``,
|
|
5507
|
-
guidance: () => ""
|
|
5508
|
-
}
|
|
5509
|
-
};
|
|
5510
|
-
|
|
5511
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/graphqlDepthLimit.ts
|
|
5512
|
-
var graphqlDepthLimit = {
|
|
5513
|
-
depthLimit: {
|
|
5514
|
-
content: () => "Please define a maximum query depth",
|
|
5515
|
-
description: () => `Setting this number to a reasonable value will prevent the attack.
|
|
5516
|
-
Make sure to pick a value large enough to allowed the nessecary amount of nested queries.`,
|
|
5517
|
-
guidance: () => {
|
|
5518
|
-
return "We use `graphql-depth-limit` npm package to limit the depth of nested queries. Please make sure you install the package using `npm install graphql-depth-limit`.";
|
|
5519
|
-
}
|
|
5520
|
-
}
|
|
5521
|
-
};
|
|
5522
|
-
|
|
5523
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
|
|
5524
|
-
var hardcodedDomainInHtml = {
|
|
5525
|
-
isCDNFixedVersion: {
|
|
5526
|
-
content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
|
|
5527
|
-
description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
|
|
5528
|
-
guidance: () => ""
|
|
5529
|
-
}
|
|
5530
|
-
};
|
|
5531
|
-
|
|
5532
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
|
|
5533
|
-
var hardcodedSecrets2 = {
|
|
5534
|
-
envVarName: {
|
|
5535
|
-
content: () => "Please define an environment variable name",
|
|
5536
|
-
description: () => `We will use this environment variable instead of the hardcoded secret`,
|
|
5537
|
-
guidance: () => ""
|
|
5538
|
-
},
|
|
5539
|
-
keepAsDefault: {
|
|
5540
|
-
content: () => "Do you want to keep the hardcoded secret in the code for now?",
|
|
5541
|
-
description: () => 'Answer "yes" if you cannot set the environment variable in all environments right away.',
|
|
5542
|
-
guidance: () => ""
|
|
5543
|
-
}
|
|
5544
|
-
};
|
|
5545
|
-
|
|
5546
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/iframeWithoutSandbox.ts
|
|
5547
|
-
var iframeWithoutSandbox = {
|
|
5548
|
-
iframeRestrictions: {
|
|
5549
|
-
content: () => "Please define a comma-separated list of iframe sandbox restrictions (optional)",
|
|
5550
|
-
description: () => `Possible values:
|
|
5551
|
-
- allow-downloads
|
|
5552
|
-
- allow-forms
|
|
5553
|
-
- allow-modals
|
|
5554
|
-
- allow-orientation-lock
|
|
5555
|
-
- allow-pointer-lock
|
|
5556
|
-
- allow-popups
|
|
5557
|
-
- allow-popups-to-escape-sandbox
|
|
5558
|
-
- allow-presentation
|
|
5559
|
-
- allow-same-origin
|
|
5560
|
-
- allow-scripts
|
|
5561
|
-
- allow-storage-access-by-user-activation
|
|
5562
|
-
- allow-top-navigation
|
|
5563
|
-
- allow-top-navigation-by-user-activation
|
|
5564
|
-
- allow-top-navigation-to-custom-protocols
|
|
5565
|
-
|
|
5566
|
-
See more info [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox).`,
|
|
5567
|
-
guidance: () => ""
|
|
5568
|
-
}
|
|
5569
|
-
};
|
|
5570
|
-
|
|
5571
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/incompleteUrlSanitization.ts
|
|
5572
|
-
var incompleteUrlSanitization = {
|
|
5573
|
-
allowedRootDomain: {
|
|
5574
|
-
content: () => "The root domain of your application",
|
|
5575
|
-
description: () => "We needed to strengthen the security check by ensuring that the url is under the root domain of your application.",
|
|
5576
|
-
guidance: () => ""
|
|
5577
|
-
}
|
|
5578
|
-
};
|
|
5579
|
-
|
|
5580
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/insecureRandomness.ts
|
|
5581
|
-
var insecureRandomness2 = {
|
|
5582
|
-
isGetRandomValuesSupported: {
|
|
5583
|
-
content: () => "Is getRandomValues() function supported by your JavaScript engine?",
|
|
5584
|
-
description: () => "[getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is supported by [more than 97% of browsers](https://caniuse.com/?search=getRandomValues) and [Node.js >= 15.0.0](https://nodejs.org/api/webcrypto.html#cryptogetrandomvaluestypedarray).",
|
|
5585
|
-
guidance: () => ""
|
|
5586
|
-
}
|
|
5587
|
-
};
|
|
5588
|
-
|
|
5589
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/logForging.ts
|
|
5590
|
-
var logForging4 = {
|
|
5591
|
-
isHtmlDisplay: {
|
|
5592
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5593
|
-
description: () => "",
|
|
5594
|
-
guidance: () => ""
|
|
5595
|
-
}
|
|
5596
|
-
};
|
|
5597
|
-
|
|
5598
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
|
|
5599
|
-
var cspHeaderValue = {
|
|
5600
|
-
cspHeaderValue: {
|
|
5601
|
-
content: () => "Please provide the value for the Content-Security-Policy header",
|
|
5602
|
-
description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
|
|
5603
|
-
|
|
5604
|
-
|
|
5605
|
-
|
|
5606
|
-
**What it does**:
|
|
5607
|
-
|
|
5608
|
-
|
|
5609
|
-
|
|
5610
|
-
CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
|
|
5611
|
-
|
|
5612
|
-
|
|
5613
|
-
|
|
5614
|
-
- Which scripts can execute.
|
|
5615
|
-
- Where images can be loaded from.
|
|
5616
|
-
- Which styles can be applied.
|
|
5617
|
-
- Which forms can be submitted to.
|
|
5618
|
-
- What domains can be connected to.
|
|
5619
|
-
|
|
5620
|
-
Default value explanation:
|
|
5621
|
-
|
|
5622
|
-
- default-src 'self: Only allows resources from the same origin by default.
|
|
5623
|
-
- script-src 'self': Only allows scripts to be loaded from the same origin.
|
|
5624
|
-
- style-src 'self': Only allows styles from the same origin.
|
|
5625
|
-
- object-src 'none': Disallows <object>, <embed>, and <applet> elements.
|
|
5626
|
-
- base-uri 'self': Restricts where the <base> tag can point to.
|
|
5627
|
-
- frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
|
|
5628
|
-
|
|
5629
|
-
|
|
5630
|
-
**This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
|
|
5631
|
-
guidance: () => ``
|
|
5632
|
-
}
|
|
5633
|
-
};
|
|
5634
|
-
|
|
5635
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
|
|
5636
|
-
var headerMaxAge = {
|
|
5637
|
-
headerMaxAge: {
|
|
5638
|
-
content: () => "Please provide the maximum age of the header",
|
|
5639
|
-
description: () => `This is the time, in seconds, that the browser should remember that the site is only to be accessed using \`HTTPS\`.
|
|
5640
|
-
|
|
5641
|
-
|
|
5642
|
-
Setting the \`max-age\` to \`0\` (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via \`HTTP\`.
|
|
5643
|
-
|
|
5644
|
-
|
|
5645
|
-
|
|
5646
|
-
|
|
5647
|
-
The HTTP Strict-Transport-Security response header (\`HSTS\`) informs browsers that the site
|
|
5648
|
-
should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically
|
|
5649
|
-
be converted to HTTPS.
|
|
5650
|
-
|
|
5651
|
-
|
|
5652
|
-
|
|
5653
|
-
|
|
5654
|
-
If a website accepts a connection through \`HTTP\` and redirects to \`HTTPS\`, visitors may initially communicate with
|
|
5655
|
-
the non-encrypted version of the site before being redirected, if, for example, the visitor
|
|
5656
|
-
types \`http://www.example.com\` or even just \`example.com\`. This creates an opportunity for a man-in-the-middle attack.
|
|
5657
|
-
The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
|
|
5658
|
-
|
|
5659
|
-
|
|
5660
|
-
|
|
5661
|
-
The \`HTTP\` Strict Transport Security header informs the browser that it should never load a site using \`HTTP\`
|
|
5662
|
-
and should automatically convert all attempts to access the site using \`HTTP\` to \`HTTPS\` requests instead.`,
|
|
5663
|
-
guidance: () => ``
|
|
5664
|
-
}
|
|
5665
|
-
};
|
|
5666
|
-
|
|
5667
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
|
|
5668
|
-
var xFrameOptionsValue = {
|
|
5669
|
-
xFrameOptionsValue: {
|
|
5670
|
-
content: () => "Please provide the value for the X-Frame-Options header",
|
|
5671
|
-
description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).
|
|
5672
|
-
|
|
5673
|
-
**Allowed values:**
|
|
5674
|
-
- \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.
|
|
5675
|
-
- \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
|
|
5676
|
-
guidance: () => ``
|
|
5677
|
-
}
|
|
5678
|
-
};
|
|
5679
|
-
|
|
5680
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
|
|
5681
|
-
var noLimitsOrThrottling2 = {
|
|
5682
|
-
setGlobalLimiter: {
|
|
5683
|
-
content: () => "Would you like to use a global rate limit for all your endpoints within the same file?",
|
|
5684
|
-
description: () => "",
|
|
5685
|
-
guidance: () => ""
|
|
5686
|
-
}
|
|
5687
|
-
};
|
|
5688
|
-
|
|
5689
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/openRedirect.ts
|
|
5690
|
-
var openRedirect2 = {
|
|
5691
|
-
isExternal: {
|
|
5692
|
-
content: () => "Does the redirect go to an external site?",
|
|
5693
|
-
description: () => "",
|
|
5694
|
-
guidance: () => ""
|
|
5695
|
-
},
|
|
5696
|
-
domainAllowlist: {
|
|
5697
|
-
content: () => "Allowed domains names",
|
|
5698
|
-
description: () => "please provide a coma separated list of allowed domains names (example.com, example.org, etc.)",
|
|
5699
|
-
guidance: () => ""
|
|
5700
|
-
},
|
|
5701
|
-
pathAllowlist: {
|
|
5702
|
-
content: () => "Allowed paths (URIs)",
|
|
5703
|
-
description: () => "please provide a coma separated list of allowed path (/health, /api/v1/health, etc.)",
|
|
5704
|
-
guidance: () => ""
|
|
5705
|
-
},
|
|
5706
|
-
includeProtocolValidation: {
|
|
5707
|
-
content: () => "Should HTTP or HTTPS protocol be enforced?",
|
|
5708
|
-
description: () => "please indicate if the protocol should be enforced",
|
|
5709
|
-
guidance: () => ""
|
|
5710
|
-
}
|
|
5711
|
-
};
|
|
5712
|
-
|
|
5713
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/pt.ts
|
|
5714
|
-
var pt3 = {
|
|
5715
|
-
taintedTermType: {
|
|
5716
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name, a relative path or an absolute path?`,
|
|
5717
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
|
|
5718
|
-
guidance: () => ""
|
|
5719
|
-
}
|
|
5720
|
-
};
|
|
5721
|
-
|
|
5722
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/ssrf.ts
|
|
5723
|
-
var ssrf4 = {
|
|
5724
|
-
domainsAllowlist: {
|
|
5725
|
-
content: () => "List of allowed domain names",
|
|
5726
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary domains.
|
|
5727
|
-
|
|
5728
|
-
|
|
5729
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of domains the server should be allowed to call.`,
|
|
5730
|
-
guidance: () => ""
|
|
5731
|
-
}
|
|
5732
|
-
};
|
|
5733
|
-
|
|
5734
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeak.ts
|
|
5735
|
-
var sysLeak3 = {
|
|
5736
|
-
errorMessage: {
|
|
5737
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5738
|
-
description: () => "",
|
|
5739
|
-
guidance: () => ""
|
|
5740
|
-
},
|
|
5741
|
-
noLoggerAction: {
|
|
5742
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5743
|
-
description: () => "",
|
|
5744
|
-
guidance: () => ""
|
|
5745
|
-
}
|
|
5746
|
-
};
|
|
5747
|
-
|
|
5748
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeakExternal.ts
|
|
5749
|
-
var sysLeakExternal = {
|
|
5750
|
-
errorMessage: {
|
|
5751
|
-
content: () => "Enter the error message that you want to appear to the user",
|
|
5752
|
-
description: () => "",
|
|
5753
|
-
guidance: () => ""
|
|
4266
|
+
error: async (message, data) => {
|
|
4267
|
+
const logger3 = await createContextLogger();
|
|
4268
|
+
return logger3.error(message, data);
|
|
5754
4269
|
}
|
|
5755
4270
|
};
|
|
5756
4271
|
|
|
5757
|
-
// src/features/analysis/scm/
|
|
5758
|
-
var
|
|
5759
|
-
|
|
5760
|
-
|
|
5761
|
-
|
|
5762
|
-
guidance: () => ""
|
|
4272
|
+
// src/features/analysis/scm/errors.ts
|
|
4273
|
+
var InvalidAccessTokenError = class extends Error {
|
|
4274
|
+
constructor(m, scmType) {
|
|
4275
|
+
super(m);
|
|
4276
|
+
this.scmType = scmType;
|
|
5763
4277
|
}
|
|
5764
4278
|
};
|
|
5765
|
-
|
|
5766
|
-
|
|
5767
|
-
|
|
5768
|
-
|
|
5769
|
-
content: () => "Please define a maximum loop limit",
|
|
5770
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
5771
|
-
guidance: () => ""
|
|
5772
|
-
},
|
|
5773
|
-
varName: {
|
|
5774
|
-
content: () => "Please define a variable name",
|
|
5775
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
5776
|
-
guidance: () => ""
|
|
4279
|
+
var InvalidUrlPatternError = class extends Error {
|
|
4280
|
+
constructor(m, scmType) {
|
|
4281
|
+
super(m);
|
|
4282
|
+
this.scmType = scmType;
|
|
5777
4283
|
}
|
|
5778
4284
|
};
|
|
5779
|
-
|
|
5780
|
-
|
|
5781
|
-
|
|
5782
|
-
containsHtml: {
|
|
5783
|
-
content: () => "Does the element or variable contain HTML formatting",
|
|
5784
|
-
description: () => "",
|
|
5785
|
-
guidance: () => ""
|
|
5786
|
-
},
|
|
5787
|
-
isParamTypeString: {
|
|
5788
|
-
content: () => "Is the parameter passed to the $() function a string",
|
|
5789
|
-
description: () => "",
|
|
5790
|
-
guidance: () => ""
|
|
5791
|
-
},
|
|
5792
|
-
isSanitized: {
|
|
5793
|
-
content: ({ expression }) => `Is the expression \`${expression}\` supposed to be not sanitized in this context?`,
|
|
5794
|
-
description: () => "You are using unsafe string substitution in the template. This means that if the expression can contain maliciously crafted data, it may lead to XSS injection. To apply the fix, you have to make sure the expression is not sanitized on the backend already, and it does not represent an HTML code block.",
|
|
5795
|
-
guidance: () => ""
|
|
5796
|
-
},
|
|
5797
|
-
isServerSideCode: {
|
|
5798
|
-
content: () => "Is this code running on the server side (a NodeJS application)",
|
|
5799
|
-
description: () => "The fix to this vulnerability is different is the code runs in the client (browser) or the server side (NodeJs)",
|
|
5800
|
-
guidance: () => ""
|
|
4285
|
+
var RefNotFoundError = class extends Error {
|
|
4286
|
+
constructor(m) {
|
|
4287
|
+
super(m);
|
|
5801
4288
|
}
|
|
5802
4289
|
};
|
|
5803
|
-
|
|
5804
|
-
|
|
5805
|
-
|
|
5806
|
-
|
|
5807
|
-
["GRAPHQL_DEPTH_LIMIT"]: graphqlDepthLimit,
|
|
5808
|
-
["INSECURE_RANDOMNESS"]: insecureRandomness2,
|
|
5809
|
-
["SSRF"]: ssrf4,
|
|
5810
|
-
["TYPE_CONFUSION"]: typeConfusion,
|
|
5811
|
-
["INCOMPLETE_URL_SANITIZATION"]: incompleteUrlSanitization,
|
|
5812
|
-
["LOG_FORGING"]: logForging4,
|
|
5813
|
-
["XSS"]: xss3,
|
|
5814
|
-
["OPEN_REDIRECT"]: openRedirect2,
|
|
5815
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak3,
|
|
5816
|
-
["SYSTEM_INFORMATION_LEAK_EXTERNAL"]: sysLeakExternal,
|
|
5817
|
-
["IFRAME_WITHOUT_SANDBOX"]: iframeWithoutSandbox,
|
|
5818
|
-
["PT"]: pt3,
|
|
5819
|
-
["HARDCODED_SECRETS"]: hardcodedSecrets2,
|
|
5820
|
-
["MISSING_HSTS_HEADER"]: headerMaxAge,
|
|
5821
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition2,
|
|
5822
|
-
["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling2,
|
|
5823
|
-
["MISSING_CSP_HEADER"]: cspHeaderValue,
|
|
5824
|
-
["MISSING_X_FRAME_OPTIONS"]: xFrameOptionsValue,
|
|
5825
|
-
["HARDCODED_DOMAIN_IN_HTML"]: hardcodedDomainInHtml,
|
|
5826
|
-
["CSRF"]: csrf2
|
|
5827
|
-
};
|
|
5828
|
-
var js_default = vulnerabilities15;
|
|
5829
|
-
|
|
5830
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/duplicatedStrings.ts
|
|
5831
|
-
var duplicatedStrings2 = {
|
|
5832
|
-
constantName: {
|
|
5833
|
-
content: () => "New constant name",
|
|
5834
|
-
description: () => "",
|
|
5835
|
-
guidance: () => ""
|
|
4290
|
+
var ScmBadCredentialsError = class extends Error {
|
|
4291
|
+
constructor(m, scmType) {
|
|
4292
|
+
super(m);
|
|
4293
|
+
this.scmType = scmType;
|
|
5836
4294
|
}
|
|
5837
4295
|
};
|
|
5838
|
-
|
|
5839
|
-
|
|
5840
|
-
|
|
5841
|
-
|
|
5842
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5843
|
-
description: () => "",
|
|
5844
|
-
guidance: ({ userInputValue }) => {
|
|
5845
|
-
switch (userInputValue) {
|
|
5846
|
-
case "yes":
|
|
5847
|
-
return "We use `html.escape` to decode the HTML";
|
|
5848
|
-
default:
|
|
5849
|
-
return "";
|
|
5850
|
-
}
|
|
5851
|
-
}
|
|
4296
|
+
var InvalidRepoUrlError = class extends Error {
|
|
4297
|
+
constructor(m, scmType) {
|
|
4298
|
+
super(m);
|
|
4299
|
+
this.scmType = scmType;
|
|
5852
4300
|
}
|
|
5853
4301
|
};
|
|
5854
|
-
|
|
5855
|
-
|
|
5856
|
-
|
|
5857
|
-
|
|
5858
|
-
content: () => "Enter the encoding of the file",
|
|
5859
|
-
description: () => "",
|
|
5860
|
-
guidance: () => ""
|
|
4302
|
+
var RepoNoTokenAccessError = class extends Error {
|
|
4303
|
+
constructor(m, scmType) {
|
|
4304
|
+
super(m);
|
|
4305
|
+
this.scmType = scmType;
|
|
5861
4306
|
}
|
|
5862
4307
|
};
|
|
5863
|
-
|
|
5864
|
-
|
|
5865
|
-
|
|
5866
|
-
|
|
5867
|
-
|
|
5868
|
-
description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
|
|
5869
|
-
guidance: () => ""
|
|
4308
|
+
var RateLimitError = class extends Error {
|
|
4309
|
+
constructor(m, scmType, retryAfter) {
|
|
4310
|
+
super(m);
|
|
4311
|
+
this.scmType = scmType;
|
|
4312
|
+
this.retryAfter = retryAfter;
|
|
5870
4313
|
}
|
|
5871
4314
|
};
|
|
5872
|
-
|
|
5873
|
-
|
|
5874
|
-
|
|
5875
|
-
|
|
5876
|
-
|
|
5877
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
|
|
5878
|
-
|
|
5879
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
|
|
5880
|
-
guidance: () => ""
|
|
4315
|
+
var NetworkError = class extends Error {
|
|
4316
|
+
constructor(m, scmType, errorCode) {
|
|
4317
|
+
super(m);
|
|
4318
|
+
this.scmType = scmType;
|
|
4319
|
+
this.errorCode = errorCode;
|
|
5881
4320
|
}
|
|
5882
4321
|
};
|
|
5883
4322
|
|
|
5884
|
-
// src/features/analysis/scm/
|
|
5885
|
-
|
|
5886
|
-
loopLimit: {
|
|
5887
|
-
content: () => "Please define a maximum loop limit",
|
|
5888
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
5889
|
-
guidance: () => ""
|
|
5890
|
-
},
|
|
5891
|
-
varName: {
|
|
5892
|
-
content: () => "Please define a variable name",
|
|
5893
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
5894
|
-
guidance: () => ""
|
|
5895
|
-
}
|
|
5896
|
-
};
|
|
4323
|
+
// src/features/analysis/scm/utils/index.ts
|
|
4324
|
+
import { z as z10 } from "zod";
|
|
5897
4325
|
|
|
5898
|
-
// src/features/analysis/scm/shared/src/
|
|
5899
|
-
|
|
5900
|
-
|
|
5901
|
-
|
|
5902
|
-
|
|
5903
|
-
[
|
|
5904
|
-
|
|
5905
|
-
|
|
5906
|
-
|
|
4326
|
+
// src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
|
|
4327
|
+
init_client_generates();
|
|
4328
|
+
init_getIssueType();
|
|
4329
|
+
init_issueTypeCatalog();
|
|
4330
|
+
function capitalizeFirstLetter(str) {
|
|
4331
|
+
return str?.length ? str[0].toUpperCase() + str.slice(1) : "";
|
|
4332
|
+
}
|
|
4333
|
+
function lowercaseFirstLetter(str) {
|
|
4334
|
+
if (!str) return str;
|
|
4335
|
+
return `${str.charAt(0).toLowerCase()}${str.slice(1)}`;
|
|
4336
|
+
}
|
|
4337
|
+
var severityToEmoji = {
|
|
4338
|
+
["critical" /* Critical */]: "\u{1F6A8}",
|
|
4339
|
+
["high" /* High */]: "\u{1F6A9}",
|
|
4340
|
+
["medium" /* Medium */]: "\u{1F7E1}",
|
|
4341
|
+
["low" /* Low */]: "\u{1F7E2}"
|
|
5907
4342
|
};
|
|
5908
|
-
var
|
|
4343
|
+
var getCommitDescription = ({
|
|
4344
|
+
vendor,
|
|
4345
|
+
issueType,
|
|
4346
|
+
severity,
|
|
4347
|
+
guidances,
|
|
4348
|
+
fixUrl,
|
|
4349
|
+
irrelevantIssueWithTags
|
|
4350
|
+
}) => {
|
|
4351
|
+
const issueTypeString = getIssueTypeFriendlyString(issueType);
|
|
4352
|
+
let description = `This change fixes a **${severity} severity** (${severityToEmoji[severity]}) **${issueTypeString}** issue reported by **${capitalizeFirstLetter(
|
|
4353
|
+
vendor
|
|
4354
|
+
)}**.
|
|
5909
4355
|
|
|
5910
|
-
|
|
5911
|
-
|
|
5912
|
-
|
|
5913
|
-
|
|
5914
|
-
|
|
5915
|
-
|
|
5916
|
-
|
|
5917
|
-
A value too high will cause performance issues up to and including denial of service.`
|
|
5918
|
-
}
|
|
5919
|
-
};
|
|
4356
|
+
`;
|
|
4357
|
+
if (issueType) {
|
|
4358
|
+
if (irrelevantIssueWithTags?.[0]?.tag) {
|
|
4359
|
+
description += `
|
|
4360
|
+
> [!tip]
|
|
4361
|
+
> This issue was found to be irrelevant to your project - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
|
|
4362
|
+
> Mobb recommends to ignore this issue, however fix is available if you think differently.
|
|
5920
4363
|
|
|
5921
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
|
|
5922
|
-
var vulnerabilities17 = {
|
|
5923
|
-
["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES"]: unboundedOccurrences
|
|
5924
|
-
};
|
|
5925
|
-
var xml_default2 = vulnerabilities17;
|
|
5926
4364
|
|
|
5927
|
-
|
|
5928
|
-
|
|
5929
|
-
|
|
5930
|
-
|
|
5931
|
-
|
|
5932
|
-
|
|
4365
|
+
## Justification
|
|
4366
|
+
${issueDescription[irrelevantIssueWithTags[0].tag]}
|
|
4367
|
+
`;
|
|
4368
|
+
}
|
|
4369
|
+
const catalogEntry = getIssueTypeCatalogEntry(issueType);
|
|
4370
|
+
if (catalogEntry?.issueDescription) {
|
|
4371
|
+
description += `## Issue description
|
|
4372
|
+
${catalogEntry.issueDescription}
|
|
4373
|
+
`;
|
|
4374
|
+
if (catalogEntry.fixInstructions) {
|
|
4375
|
+
description += `
|
|
4376
|
+
## Fix instructions
|
|
4377
|
+
${catalogEntry.fixInstructions}
|
|
4378
|
+
`;
|
|
4379
|
+
}
|
|
4380
|
+
}
|
|
5933
4381
|
}
|
|
5934
|
-
|
|
5935
|
-
|
|
5936
|
-
|
|
5937
|
-
|
|
5938
|
-
|
|
5939
|
-
|
|
5940
|
-
description
|
|
5941
|
-
|
|
4382
|
+
description += `
|
|
4383
|
+
${guidances.map(({ guidance }) => `## Additional actions required
|
|
4384
|
+
${guidance}
|
|
4385
|
+
`).join("")}
|
|
4386
|
+
`;
|
|
4387
|
+
if (fixUrl) {
|
|
4388
|
+
description += `
|
|
4389
|
+
[More info and fix customization are available in the Mobb platform](${fixUrl})`;
|
|
5942
4390
|
}
|
|
4391
|
+
return description;
|
|
5943
4392
|
};
|
|
4393
|
+
var getCommitIssueDescription = ({
|
|
4394
|
+
vendor,
|
|
4395
|
+
issueType,
|
|
4396
|
+
irrelevantIssueWithTags,
|
|
4397
|
+
fpDescription,
|
|
4398
|
+
unfixableDescription
|
|
4399
|
+
}) => {
|
|
4400
|
+
const issueTypeString = getIssueTypeFriendlyString(issueType);
|
|
4401
|
+
let description = `The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
|
|
4402
|
+
`;
|
|
4403
|
+
if (issueType) {
|
|
4404
|
+
if (irrelevantIssueWithTags?.[0]?.tag) {
|
|
4405
|
+
description = `
|
|
4406
|
+
> [!tip]
|
|
4407
|
+
> The following issues reported by ${capitalizeFirstLetter(vendor)} on this PR were found to be irrelevant to your project:
|
|
4408
|
+
> ${issueTypeString} - ${lowercaseFirstLetter(getTagTooltip(irrelevantIssueWithTags[0].tag))}.
|
|
4409
|
+
> Mobb recommends to ignore this issue, however fix is available if you think differently.
|
|
5944
4410
|
|
|
5945
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/writableFilesystemService.ts
|
|
5946
|
-
var writableFilesystemService = {
|
|
5947
|
-
requireWriteAccess: {
|
|
5948
|
-
content: () => "Does the container require writable filesystem access?",
|
|
5949
|
-
description: () => "",
|
|
5950
|
-
guidance: () => `If the container requires writable filesystem access, setting the filesystem as readonly might harm the container functionality.`
|
|
5951
|
-
}
|
|
5952
|
-
};
|
|
5953
4411
|
|
|
5954
|
-
|
|
5955
|
-
|
|
5956
|
-
|
|
5957
|
-
|
|
5958
|
-
|
|
4412
|
+
## Justification
|
|
4413
|
+
${fpDescription ?? unfixableDescription ?? issueDescription[irrelevantIssueWithTags[0].tag]}
|
|
4414
|
+
`;
|
|
4415
|
+
}
|
|
4416
|
+
const catalogEntry = getIssueTypeCatalogEntry(issueType);
|
|
4417
|
+
if (catalogEntry?.issueDescription) {
|
|
4418
|
+
description += `## Issue description
|
|
4419
|
+
${catalogEntry.issueDescription}
|
|
4420
|
+
`;
|
|
4421
|
+
}
|
|
4422
|
+
}
|
|
4423
|
+
return description;
|
|
5959
4424
|
};
|
|
5960
|
-
var yaml_default = vulnerabilities18;
|
|
5961
4425
|
|
|
5962
|
-
// src/features/analysis/scm/shared/src/
|
|
5963
|
-
|
|
5964
|
-
content: z3.function().args(z3.any()).returns(z3.string()),
|
|
5965
|
-
description: z3.function().args(z3.any()).returns(z3.string()),
|
|
5966
|
-
guidance: z3.function().args(z3.any()).returns(z3.string())
|
|
5967
|
-
});
|
|
5968
|
-
var languages2 = {
|
|
5969
|
-
["Java" /* Java */]: java_default2,
|
|
5970
|
-
["JavaScript" /* JavaScript */]: js_default,
|
|
5971
|
-
["XML" /* Xml */]: xml_default2,
|
|
5972
|
-
["CSharp" /* CSharp */]: csharp_default2,
|
|
5973
|
-
["Python" /* Python */]: python_default2,
|
|
5974
|
-
["Go" /* Go */]: go_default2,
|
|
5975
|
-
["Cpp" /* Cpp */]: cpp_default,
|
|
5976
|
-
["YAML" /* Yaml */]: yaml_default
|
|
5977
|
-
};
|
|
5978
|
-
var storedQuestionData_default = languages2;
|
|
4426
|
+
// src/features/analysis/scm/shared/src/index.ts
|
|
4427
|
+
init_getIssueType();
|
|
5979
4428
|
|
|
5980
4429
|
// src/features/analysis/scm/shared/src/guidances.ts
|
|
4430
|
+
init_client_generates();
|
|
5981
4431
|
function toQuestion(userInput) {
|
|
5982
4432
|
const { key, defaultValue } = userInput;
|
|
5983
4433
|
const value = userInput.value || defaultValue;
|
|
5984
4434
|
return { ...userInput, defaultValue, value, key, error: false };
|
|
5985
4435
|
}
|
|
5986
|
-
function getQuestionInformation({
|
|
5987
|
-
fixQuestionData,
|
|
5988
|
-
issueType,
|
|
5989
|
-
language
|
|
5990
|
-
}) {
|
|
5991
|
-
const { name, content, description, guidance } = fixQuestionData;
|
|
5992
|
-
const storedQuestionDataItem = storedQuestionData_default[language]?.[issueType]?.[name] ?? {
|
|
5993
|
-
content: () => "",
|
|
5994
|
-
description: () => "",
|
|
5995
|
-
guidance: () => ""
|
|
5996
|
-
};
|
|
5997
|
-
const stored = StoredQuestionDataItemZ.parse(storedQuestionDataItem);
|
|
5998
|
-
return {
|
|
5999
|
-
content: (args) => content || stored.content(args),
|
|
6000
|
-
description: (args) => description || stored.description(args),
|
|
6001
|
-
guidance: (args) => guidance || stored.guidance(args)
|
|
6002
|
-
};
|
|
6003
|
-
}
|
|
6004
|
-
function curriedQuestionInformationByQuestion({
|
|
6005
|
-
issueType,
|
|
6006
|
-
language
|
|
6007
|
-
}) {
|
|
6008
|
-
return (fixQuestionData) => getQuestionInformation({
|
|
6009
|
-
issueType,
|
|
6010
|
-
language,
|
|
6011
|
-
fixQuestionData
|
|
6012
|
-
});
|
|
6013
|
-
}
|
|
6014
4436
|
function getPackageFixGuidance(actionsRequired) {
|
|
6015
4437
|
const actionRequiredStrings = actionsRequired.map((action) => {
|
|
6016
4438
|
if (action.language === "JS" /* Js */) {
|
|
@@ -6045,64 +4467,20 @@ function getPackageFixGuidance(actionsRequired) {
|
|
|
6045
4467
|
return actionRequiredStrings.filter((action) => !!action);
|
|
6046
4468
|
}
|
|
6047
4469
|
function getFixGuidances({
|
|
6048
|
-
|
|
6049
|
-
issueLanguage,
|
|
6050
|
-
fixExtraContext,
|
|
6051
|
-
questions
|
|
4470
|
+
fixExtraContext
|
|
6052
4471
|
}) {
|
|
6053
|
-
const storedFixGuidanceDataItem = languages[issueLanguage || ""]?.[issueType || ""] ?? {};
|
|
6054
|
-
const storeFixResult = StoredFixDataItemZ.safeParse(storedFixGuidanceDataItem);
|
|
6055
4472
|
const libGuidances = getPackageFixGuidance(
|
|
6056
4473
|
fixExtraContext.manifestActionsRequired
|
|
6057
4474
|
);
|
|
6058
|
-
const extraContext = fixExtraContext.extraContext.reduce(
|
|
6059
|
-
(acc, obj) => {
|
|
6060
|
-
acc[obj.key] = obj.value;
|
|
6061
|
-
return acc;
|
|
6062
|
-
},
|
|
6063
|
-
{}
|
|
6064
|
-
);
|
|
6065
4475
|
const servedFixGuidances = fixExtraContext.guidances ?? [];
|
|
6066
|
-
|
|
6067
|
-
return libGuidances.concat(fixGuidance).filter((guidance) => !!guidance);
|
|
4476
|
+
return libGuidances.concat(servedFixGuidances).filter((guidance) => !!guidance);
|
|
6068
4477
|
}
|
|
6069
|
-
var IssueTypeAndLanguageZ = z4.object({
|
|
6070
|
-
issueType: SafeIssueTypeStringZ,
|
|
6071
|
-
issueLanguage: z4.nativeEnum(IssueLanguage_Enum)
|
|
6072
|
-
});
|
|
6073
4478
|
function getGuidances(args) {
|
|
6074
|
-
const safeIssueTypeAndLanguage = IssueTypeAndLanguageZ.safeParse({
|
|
6075
|
-
issueType: args.issueType,
|
|
6076
|
-
issueLanguage: args.issueLanguage
|
|
6077
|
-
});
|
|
6078
|
-
if (!safeIssueTypeAndLanguage.success) {
|
|
6079
|
-
return [];
|
|
6080
|
-
}
|
|
6081
4479
|
const { questions, fixExtraContext } = args;
|
|
6082
|
-
const {
|
|
6083
|
-
|
|
6084
|
-
|
|
6085
|
-
|
|
6086
|
-
fixExtraContext,
|
|
6087
|
-
questions
|
|
6088
|
-
}).map((guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` }));
|
|
6089
|
-
return questions.map((question) => {
|
|
6090
|
-
let questionGuidance = question.guidance;
|
|
6091
|
-
if (!questionGuidance && issueType && issueLanguage) {
|
|
6092
|
-
const getFixInformation = curriedQuestionInformationByQuestion({
|
|
6093
|
-
issueType,
|
|
6094
|
-
language: issueLanguage
|
|
6095
|
-
});
|
|
6096
|
-
const { guidance } = getFixInformation(question);
|
|
6097
|
-
questionGuidance = guidance({
|
|
6098
|
-
userInputValue: question.value
|
|
6099
|
-
});
|
|
6100
|
-
}
|
|
6101
|
-
return {
|
|
6102
|
-
...question,
|
|
6103
|
-
guidance: questionGuidance
|
|
6104
|
-
};
|
|
6105
|
-
}).filter(({ guidance }) => !!guidance).map(({ guidance, key }) => ({ guidance, key })).concat(fixGuidances);
|
|
4480
|
+
const fixGuidances = getFixGuidances({ fixExtraContext }).map(
|
|
4481
|
+
(guidance, index) => ({ guidance, key: `fixGuidance_index_${index}` })
|
|
4482
|
+
);
|
|
4483
|
+
return questions.map((question) => ({ guidance: question.guidance, key: question.key })).filter(({ guidance }) => !!guidance).concat(fixGuidances);
|
|
6106
4484
|
}
|
|
6107
4485
|
|
|
6108
4486
|
// src/features/analysis/scm/shared/src/index.ts
|
|
@@ -6134,19 +4512,19 @@ function getIssueUrl({
|
|
|
6134
4512
|
init_validations();
|
|
6135
4513
|
|
|
6136
4514
|
// src/features/analysis/scm/types.ts
|
|
6137
|
-
import { z as
|
|
4515
|
+
import { z as z9 } from "zod";
|
|
6138
4516
|
var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
|
|
6139
4517
|
ReferenceType2["BRANCH"] = "BRANCH";
|
|
6140
4518
|
ReferenceType2["COMMIT"] = "COMMIT";
|
|
6141
4519
|
ReferenceType2["TAG"] = "TAG";
|
|
6142
4520
|
return ReferenceType2;
|
|
6143
4521
|
})(ReferenceType || {});
|
|
6144
|
-
var GithubFullShaZ =
|
|
6145
|
-
var MergedPrSurvivalMetadataZ =
|
|
6146
|
-
mergeCommitShas:
|
|
4522
|
+
var GithubFullShaZ = z9.string().regex(/^[a-f0-9]{40}$/);
|
|
4523
|
+
var MergedPrSurvivalMetadataZ = z9.object({
|
|
4524
|
+
mergeCommitShas: z9.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
|
|
6147
4525
|
message: "mergeCommitShas must contain unique SHAs"
|
|
6148
4526
|
}),
|
|
6149
|
-
targetBranch:
|
|
4527
|
+
targetBranch: z9.string().min(1)
|
|
6150
4528
|
});
|
|
6151
4529
|
var ScmLibScmType = /* @__PURE__ */ ((ScmLibScmType2) => {
|
|
6152
4530
|
ScmLibScmType2["GITHUB"] = "GITHUB";
|
|
@@ -6173,10 +4551,10 @@ var scmTypeToScmLibScmType = {
|
|
|
6173
4551
|
["Ado" /* Ado */]: "ADO" /* ADO */,
|
|
6174
4552
|
["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
|
|
6175
4553
|
};
|
|
6176
|
-
var GetReferenceResultZ =
|
|
6177
|
-
date:
|
|
6178
|
-
sha:
|
|
6179
|
-
type:
|
|
4554
|
+
var GetReferenceResultZ = z9.object({
|
|
4555
|
+
date: z9.date().optional(),
|
|
4556
|
+
sha: z9.string(),
|
|
4557
|
+
type: z9.nativeEnum(ReferenceType)
|
|
6180
4558
|
});
|
|
6181
4559
|
|
|
6182
4560
|
// src/features/analysis/scm/utils/scm.ts
|
|
@@ -6323,7 +4701,7 @@ function shouldValidateUrl(repoUrl) {
|
|
|
6323
4701
|
return repoUrl && isUrlHasPath(repoUrl);
|
|
6324
4702
|
}
|
|
6325
4703
|
function isBrokerUrl(url) {
|
|
6326
|
-
return
|
|
4704
|
+
return z10.string().uuid().safeParse(new URL(url).host).success;
|
|
6327
4705
|
}
|
|
6328
4706
|
function buildAuthorizedRepoUrl(args) {
|
|
6329
4707
|
const { url, username, password } = args;
|
|
@@ -6359,7 +4737,7 @@ function getCloudScmLibTypeFromUrl(url) {
|
|
|
6359
4737
|
return void 0;
|
|
6360
4738
|
}
|
|
6361
4739
|
function getScmLibTypeFromScmType(scmType) {
|
|
6362
|
-
const parsedScmType =
|
|
4740
|
+
const parsedScmType = z10.nativeEnum(ScmType).parse(scmType);
|
|
6363
4741
|
return scmTypeToScmLibScmType[parsedScmType];
|
|
6364
4742
|
}
|
|
6365
4743
|
function getScmConfig({
|
|
@@ -6427,39 +4805,39 @@ init_env();
|
|
|
6427
4805
|
import querystring from "querystring";
|
|
6428
4806
|
import * as api from "azure-devops-node-api";
|
|
6429
4807
|
import Debug from "debug";
|
|
6430
|
-
import { z as
|
|
4808
|
+
import { z as z13 } from "zod";
|
|
6431
4809
|
|
|
6432
4810
|
// src/features/analysis/scm/ado/validation.ts
|
|
6433
|
-
import { z as
|
|
6434
|
-
var ValidPullRequestStatusZ =
|
|
6435
|
-
|
|
6436
|
-
|
|
6437
|
-
|
|
4811
|
+
import { z as z12 } from "zod";
|
|
4812
|
+
var ValidPullRequestStatusZ = z12.union([
|
|
4813
|
+
z12.literal(1 /* Active */),
|
|
4814
|
+
z12.literal(2 /* Abandoned */),
|
|
4815
|
+
z12.literal(3 /* Completed */)
|
|
6438
4816
|
]);
|
|
6439
|
-
var AdoAuthResultZ =
|
|
6440
|
-
access_token:
|
|
6441
|
-
token_type:
|
|
6442
|
-
refresh_token:
|
|
4817
|
+
var AdoAuthResultZ = z12.object({
|
|
4818
|
+
access_token: z12.string().min(1),
|
|
4819
|
+
token_type: z12.string().min(1),
|
|
4820
|
+
refresh_token: z12.string().min(1)
|
|
6443
4821
|
});
|
|
6444
4822
|
var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
|
|
6445
|
-
scmOrgs:
|
|
4823
|
+
scmOrgs: z12.array(z12.string())
|
|
6446
4824
|
});
|
|
6447
|
-
var profileZ =
|
|
6448
|
-
displayName:
|
|
6449
|
-
publicAlias:
|
|
6450
|
-
emailAddress:
|
|
6451
|
-
coreRevision:
|
|
6452
|
-
timeStamp:
|
|
6453
|
-
id:
|
|
6454
|
-
revision:
|
|
4825
|
+
var profileZ = z12.object({
|
|
4826
|
+
displayName: z12.string(),
|
|
4827
|
+
publicAlias: z12.string().min(1),
|
|
4828
|
+
emailAddress: z12.string(),
|
|
4829
|
+
coreRevision: z12.number(),
|
|
4830
|
+
timeStamp: z12.string(),
|
|
4831
|
+
id: z12.string(),
|
|
4832
|
+
revision: z12.number()
|
|
6455
4833
|
});
|
|
6456
|
-
var accountsZ =
|
|
6457
|
-
count:
|
|
6458
|
-
value:
|
|
6459
|
-
|
|
6460
|
-
accountId:
|
|
6461
|
-
accountUri:
|
|
6462
|
-
accountName:
|
|
4834
|
+
var accountsZ = z12.object({
|
|
4835
|
+
count: z12.number(),
|
|
4836
|
+
value: z12.array(
|
|
4837
|
+
z12.object({
|
|
4838
|
+
accountId: z12.string(),
|
|
4839
|
+
accountUri: z12.string(),
|
|
4840
|
+
accountName: z12.string()
|
|
6463
4841
|
})
|
|
6464
4842
|
)
|
|
6465
4843
|
});
|
|
@@ -6552,7 +4930,7 @@ async function getAdoConnectData({
|
|
|
6552
4930
|
oauthToken: adoTokenInfo.accessToken
|
|
6553
4931
|
});
|
|
6554
4932
|
return {
|
|
6555
|
-
org:
|
|
4933
|
+
org: z13.string().parse(org),
|
|
6556
4934
|
origin: DEFUALT_ADO_ORIGIN
|
|
6557
4935
|
};
|
|
6558
4936
|
}
|
|
@@ -6638,7 +5016,7 @@ async function getAdoClientParams(params) {
|
|
|
6638
5016
|
return {
|
|
6639
5017
|
tokenType: "PAT" /* PAT */,
|
|
6640
5018
|
accessToken: adoTokenInfo.accessToken,
|
|
6641
|
-
patTokenOrg:
|
|
5019
|
+
patTokenOrg: z13.string().parse(tokenOrg).toLowerCase(),
|
|
6642
5020
|
origin,
|
|
6643
5021
|
orgName: org.toLowerCase()
|
|
6644
5022
|
};
|
|
@@ -7778,40 +6156,40 @@ import querystring2 from "querystring";
|
|
|
7778
6156
|
import * as bitbucketPkgNode from "bitbucket";
|
|
7779
6157
|
import bitbucketPkg from "bitbucket";
|
|
7780
6158
|
import Debug2 from "debug";
|
|
7781
|
-
import { z as
|
|
6159
|
+
import { z as z16 } from "zod";
|
|
7782
6160
|
|
|
7783
6161
|
// src/features/analysis/scm/bitbucket/validation.ts
|
|
7784
|
-
import { z as
|
|
7785
|
-
var BitbucketAuthResultZ =
|
|
7786
|
-
access_token:
|
|
7787
|
-
token_type:
|
|
7788
|
-
refresh_token:
|
|
6162
|
+
import { z as z15 } from "zod";
|
|
6163
|
+
var BitbucketAuthResultZ = z15.object({
|
|
6164
|
+
access_token: z15.string(),
|
|
6165
|
+
token_type: z15.string(),
|
|
6166
|
+
refresh_token: z15.string()
|
|
7789
6167
|
});
|
|
7790
6168
|
|
|
7791
6169
|
// src/features/analysis/scm/bitbucket/bitbucket.ts
|
|
7792
6170
|
var debug3 = Debug2("scm:bitbucket");
|
|
7793
6171
|
var BITBUCKET_HOSTNAME = "bitbucket.org";
|
|
7794
|
-
var TokenExpiredErrorZ =
|
|
7795
|
-
status:
|
|
7796
|
-
error:
|
|
7797
|
-
type:
|
|
7798
|
-
error:
|
|
7799
|
-
message:
|
|
6172
|
+
var TokenExpiredErrorZ = z16.object({
|
|
6173
|
+
status: z16.number(),
|
|
6174
|
+
error: z16.object({
|
|
6175
|
+
type: z16.string(),
|
|
6176
|
+
error: z16.object({
|
|
6177
|
+
message: z16.string()
|
|
7800
6178
|
})
|
|
7801
6179
|
})
|
|
7802
6180
|
});
|
|
7803
6181
|
var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
|
|
7804
6182
|
var MAX_BITBUCKET_PR_BODY_LENGTH = 32768;
|
|
7805
|
-
var BitbucketParseResultZ =
|
|
7806
|
-
organization:
|
|
7807
|
-
repoName:
|
|
7808
|
-
hostname:
|
|
6183
|
+
var BitbucketParseResultZ = z16.object({
|
|
6184
|
+
organization: z16.string(),
|
|
6185
|
+
repoName: z16.string(),
|
|
6186
|
+
hostname: z16.literal(BITBUCKET_HOSTNAME)
|
|
7809
6187
|
});
|
|
7810
|
-
var UserWorkspacePermissionsRepositoriesResponseZ =
|
|
7811
|
-
values:
|
|
7812
|
-
|
|
7813
|
-
repository:
|
|
7814
|
-
full_name:
|
|
6188
|
+
var UserWorkspacePermissionsRepositoriesResponseZ = z16.object({
|
|
6189
|
+
values: z16.array(
|
|
6190
|
+
z16.object({
|
|
6191
|
+
repository: z16.object({
|
|
6192
|
+
full_name: z16.string().optional()
|
|
7815
6193
|
}).optional()
|
|
7816
6194
|
})
|
|
7817
6195
|
).optional()
|
|
@@ -7874,7 +6252,7 @@ function getBitbucketSdk(params) {
|
|
|
7874
6252
|
if (!res.data.values) {
|
|
7875
6253
|
return [];
|
|
7876
6254
|
}
|
|
7877
|
-
return res.data.values.filter((branch) => !!branch.name).map((branch) =>
|
|
6255
|
+
return res.data.values.filter((branch) => !!branch.name).map((branch) => z16.string().parse(branch.name));
|
|
7878
6256
|
},
|
|
7879
6257
|
async getIsUserCollaborator(params2) {
|
|
7880
6258
|
const { repoUrl } = params2;
|
|
@@ -7994,7 +6372,7 @@ function getBitbucketSdk(params) {
|
|
|
7994
6372
|
return GetReferenceResultZ.parse({
|
|
7995
6373
|
sha: tagRes.data.target?.hash,
|
|
7996
6374
|
type: "TAG" /* TAG */,
|
|
7997
|
-
date: new Date(
|
|
6375
|
+
date: new Date(z16.string().parse(tagRes.data.target?.date))
|
|
7998
6376
|
});
|
|
7999
6377
|
},
|
|
8000
6378
|
async getBranchRef(params2) {
|
|
@@ -8002,7 +6380,7 @@ function getBitbucketSdk(params) {
|
|
|
8002
6380
|
return GetReferenceResultZ.parse({
|
|
8003
6381
|
sha: getBranchRes.target?.hash,
|
|
8004
6382
|
type: "BRANCH" /* BRANCH */,
|
|
8005
|
-
date: new Date(
|
|
6383
|
+
date: new Date(z16.string().parse(getBranchRes.target?.date))
|
|
8006
6384
|
});
|
|
8007
6385
|
},
|
|
8008
6386
|
async getCommitRef(params2) {
|
|
@@ -8010,13 +6388,13 @@ function getBitbucketSdk(params) {
|
|
|
8010
6388
|
return GetReferenceResultZ.parse({
|
|
8011
6389
|
sha: getCommitRes.hash,
|
|
8012
6390
|
type: "COMMIT" /* COMMIT */,
|
|
8013
|
-
date: new Date(
|
|
6391
|
+
date: new Date(z16.string().parse(getCommitRes.date))
|
|
8014
6392
|
});
|
|
8015
6393
|
},
|
|
8016
6394
|
async getDownloadUrl({ url, sha }) {
|
|
8017
6395
|
this.getReferenceData({ ref: sha, url });
|
|
8018
6396
|
const repoRes = await this.getRepo({ repoUrl: url });
|
|
8019
|
-
const parsedRepoUrl =
|
|
6397
|
+
const parsedRepoUrl = z16.string().url().parse(repoRes.links?.html?.href);
|
|
8020
6398
|
return `${parsedRepoUrl}/get/${sha}.zip`;
|
|
8021
6399
|
},
|
|
8022
6400
|
async getPullRequest(params2) {
|
|
@@ -8174,7 +6552,7 @@ async function validateBitbucketParams(params) {
|
|
|
8174
6552
|
}
|
|
8175
6553
|
async function getUsersWorkspacesSlugs(bitbucketClient) {
|
|
8176
6554
|
const res = await bitbucketClient.workspaces.getWorkspaces({});
|
|
8177
|
-
return res.data.values?.map((v) =>
|
|
6555
|
+
return res.data.values?.map((v) => z16.string().parse(v.slug));
|
|
8178
6556
|
}
|
|
8179
6557
|
async function getAllUsersRepositories(bitbucketClient) {
|
|
8180
6558
|
const userWorkspacesSlugs = await getUsersWorkspacesSlugs(bitbucketClient);
|
|
@@ -8202,11 +6580,11 @@ async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
|
|
|
8202
6580
|
|
|
8203
6581
|
// src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
|
|
8204
6582
|
import { setTimeout as setTimeout3 } from "timers/promises";
|
|
8205
|
-
import { z as
|
|
6583
|
+
import { z as z17 } from "zod";
|
|
8206
6584
|
var BITBUCKET_API_TOKEN_GIT_USERNAME = "x-bitbucket-api-token-auth";
|
|
8207
6585
|
function getUserAndPassword(token) {
|
|
8208
6586
|
const [username, password] = token.split(":");
|
|
8209
|
-
const safePasswordAndUsername =
|
|
6587
|
+
const safePasswordAndUsername = z17.object({ username: z17.string(), password: z17.string() }).parse({ username, password });
|
|
8210
6588
|
return {
|
|
8211
6589
|
username: safePasswordAndUsername.username,
|
|
8212
6590
|
password: safePasswordAndUsername.password
|
|
@@ -8282,7 +6660,7 @@ var BitbucketSCMLib = class extends SCMLib {
|
|
|
8282
6660
|
return { username, password, authType };
|
|
8283
6661
|
}
|
|
8284
6662
|
case "token": {
|
|
8285
|
-
return { authType, token:
|
|
6663
|
+
return { authType, token: z17.string().parse(this.accessToken) };
|
|
8286
6664
|
}
|
|
8287
6665
|
case "public":
|
|
8288
6666
|
return { authType };
|
|
@@ -8296,7 +6674,7 @@ var BitbucketSCMLib = class extends SCMLib {
|
|
|
8296
6674
|
...params,
|
|
8297
6675
|
repoUrl: this.url
|
|
8298
6676
|
});
|
|
8299
|
-
return String(
|
|
6677
|
+
return String(z17.number().parse(pullRequestRes.id));
|
|
8300
6678
|
} catch (e) {
|
|
8301
6679
|
console.warn(
|
|
8302
6680
|
`error creating pull request for BB. Try number ${String(i + 1).replace(/\n|\r/g, "")}`,
|
|
@@ -8381,7 +6759,7 @@ var BitbucketSCMLib = class extends SCMLib {
|
|
|
8381
6759
|
async getUsername() {
|
|
8382
6760
|
this._validateAccessToken();
|
|
8383
6761
|
const res = await this.bitbucketSdk.getUser();
|
|
8384
|
-
return
|
|
6762
|
+
return z17.string().parse(res["username"]);
|
|
8385
6763
|
}
|
|
8386
6764
|
async getSubmitRequestStatus(_scmSubmitRequestId) {
|
|
8387
6765
|
this._validateAccessTokenAndUrl();
|
|
@@ -8407,7 +6785,7 @@ var BitbucketSCMLib = class extends SCMLib {
|
|
|
8407
6785
|
async getRepoDefaultBranch() {
|
|
8408
6786
|
this._validateUrl();
|
|
8409
6787
|
const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
|
|
8410
|
-
return
|
|
6788
|
+
return z17.string().parse(repoRes.mainbranch?.name);
|
|
8411
6789
|
}
|
|
8412
6790
|
getSubmitRequestUrl(submitRequestId) {
|
|
8413
6791
|
this._validateUrl();
|
|
@@ -8575,7 +6953,7 @@ init_env();
|
|
|
8575
6953
|
|
|
8576
6954
|
// src/features/analysis/scm/github/GithubSCMLib.ts
|
|
8577
6955
|
import pLimit3 from "p-limit";
|
|
8578
|
-
import { z as
|
|
6956
|
+
import { z as z18 } from "zod";
|
|
8579
6957
|
init_client_generates();
|
|
8580
6958
|
|
|
8581
6959
|
// src/features/analysis/scm/github/github.ts
|
|
@@ -9743,7 +8121,7 @@ var GithubSCMLib = class extends SCMLib {
|
|
|
9743
8121
|
owner,
|
|
9744
8122
|
repo
|
|
9745
8123
|
});
|
|
9746
|
-
return
|
|
8124
|
+
return z18.string().parse(prRes.data);
|
|
9747
8125
|
}
|
|
9748
8126
|
async getRepoList(_scmOrg) {
|
|
9749
8127
|
this._validateAccessToken();
|
|
@@ -10370,11 +8748,11 @@ import {
|
|
|
10370
8748
|
init_env();
|
|
10371
8749
|
|
|
10372
8750
|
// src/features/analysis/scm/gitlab/types.ts
|
|
10373
|
-
import { z as
|
|
10374
|
-
var GitlabAuthResultZ =
|
|
10375
|
-
access_token:
|
|
10376
|
-
token_type:
|
|
10377
|
-
refresh_token:
|
|
8751
|
+
import { z as z19 } from "zod";
|
|
8752
|
+
var GitlabAuthResultZ = z19.object({
|
|
8753
|
+
access_token: z19.string(),
|
|
8754
|
+
token_type: z19.string(),
|
|
8755
|
+
refresh_token: z19.string()
|
|
10378
8756
|
});
|
|
10379
8757
|
|
|
10380
8758
|
// src/features/analysis/scm/gitlab/gitlab.ts
|
|
@@ -10589,8 +8967,8 @@ async function getGitlabProjectLanguages({
|
|
|
10589
8967
|
}) {
|
|
10590
8968
|
try {
|
|
10591
8969
|
const api2 = getGitBeaker({ url, gitlabAuthToken: accessToken });
|
|
10592
|
-
const
|
|
10593
|
-
return Object.keys(
|
|
8970
|
+
const languages = await api2.Projects.showLanguages(projectId);
|
|
8971
|
+
return Object.keys(languages);
|
|
10594
8972
|
} catch (e) {
|
|
10595
8973
|
debug4(
|
|
10596
8974
|
"[getGitlabProjectLanguages] Failed for project %d: %s",
|
|
@@ -11592,7 +9970,7 @@ var GitlabSCMLib = class extends SCMLib {
|
|
|
11592
9970
|
};
|
|
11593
9971
|
|
|
11594
9972
|
// src/features/analysis/scm/scmFactory.ts
|
|
11595
|
-
import { z as
|
|
9973
|
+
import { z as z20 } from "zod";
|
|
11596
9974
|
|
|
11597
9975
|
// src/features/analysis/scm/StubSCMLib.ts
|
|
11598
9976
|
var StubSCMLib = class extends SCMLib {
|
|
@@ -11745,7 +10123,7 @@ async function createScmLib({ url, accessToken, scmType, scmOrg }, {
|
|
|
11745
10123
|
if (e instanceof InvalidRepoUrlError && url) {
|
|
11746
10124
|
throw new RepoNoTokenAccessError(
|
|
11747
10125
|
"no access to repo",
|
|
11748
|
-
scmLibScmTypeToScmType[
|
|
10126
|
+
scmLibScmTypeToScmType[z20.nativeEnum(ScmLibScmType).parse(scmType)]
|
|
11749
10127
|
);
|
|
11750
10128
|
}
|
|
11751
10129
|
console.error(`error validating scm: ${scmType} `, e);
|
|
@@ -12352,7 +10730,7 @@ import path6 from "path";
|
|
|
12352
10730
|
import chalk from "chalk";
|
|
12353
10731
|
import Debug4 from "debug";
|
|
12354
10732
|
import * as dotenv from "dotenv";
|
|
12355
|
-
import { z as
|
|
10733
|
+
import { z as z21 } from "zod";
|
|
12356
10734
|
var debug5 = Debug4("mobbdev:constants");
|
|
12357
10735
|
var runtimeConfigPath = path6.join(
|
|
12358
10736
|
getModuleRootDir(),
|
|
@@ -12399,17 +10777,17 @@ var scannerToVulnerabilityReportVendorEnum = {
|
|
|
12399
10777
|
[SCANNERS.Datadog]: "datadog" /* Datadog */,
|
|
12400
10778
|
[SCANNERS.BlackDuck]: "blackDuck" /* BlackDuck */
|
|
12401
10779
|
};
|
|
12402
|
-
var SupportedScannersZ =
|
|
12403
|
-
var envVariablesSchema =
|
|
10780
|
+
var SupportedScannersZ = z21.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
|
|
10781
|
+
var envVariablesSchema = z21.object({
|
|
12404
10782
|
// These have safe defaults for production - the VS Code extension passes explicit URLs
|
|
12405
|
-
WEB_APP_URL:
|
|
12406
|
-
API_URL:
|
|
10783
|
+
WEB_APP_URL: z21.string().optional().default(DEFAULT_WEB_APP_URL),
|
|
10784
|
+
API_URL: z21.string().optional().default(DEFAULT_API_URL),
|
|
12407
10785
|
// These are only needed for local development with Hasura
|
|
12408
|
-
HASURA_ACCESS_KEY:
|
|
12409
|
-
LOCAL_GRAPHQL_ENDPOINT:
|
|
10786
|
+
HASURA_ACCESS_KEY: z21.string().optional().default(""),
|
|
10787
|
+
LOCAL_GRAPHQL_ENDPOINT: z21.string().optional().default(""),
|
|
12410
10788
|
// Proxy settings
|
|
12411
|
-
HTTP_PROXY:
|
|
12412
|
-
HTTPS_PROXY:
|
|
10789
|
+
HTTP_PROXY: z21.string().optional().default(""),
|
|
10790
|
+
HTTPS_PROXY: z21.string().optional().default("")
|
|
12413
10791
|
});
|
|
12414
10792
|
var envVariables = envVariablesSchema.parse(process.env);
|
|
12415
10793
|
debug5("config %o", envVariables);
|
|
@@ -12667,7 +11045,7 @@ import { createSpinner as createSpinner4 } from "nanospinner";
|
|
|
12667
11045
|
import fetch4 from "node-fetch";
|
|
12668
11046
|
import open3 from "open";
|
|
12669
11047
|
import tmp2 from "tmp";
|
|
12670
|
-
import { z as
|
|
11048
|
+
import { z as z27 } from "zod";
|
|
12671
11049
|
|
|
12672
11050
|
// src/commands/AuthManager.ts
|
|
12673
11051
|
import crypto from "crypto";
|
|
@@ -12944,62 +11322,62 @@ init_client_generates();
|
|
|
12944
11322
|
|
|
12945
11323
|
// src/features/analysis/graphql/types.ts
|
|
12946
11324
|
init_client_generates();
|
|
12947
|
-
import { z as
|
|
12948
|
-
var VulnerabilityReportIssueCodeNodeZ =
|
|
12949
|
-
vulnerabilityReportIssueId:
|
|
12950
|
-
path:
|
|
12951
|
-
startLine:
|
|
12952
|
-
vulnerabilityReportIssue:
|
|
12953
|
-
fixId:
|
|
12954
|
-
category:
|
|
12955
|
-
safeIssueType:
|
|
12956
|
-
vulnerabilityReportIssueTags:
|
|
12957
|
-
|
|
12958
|
-
tag:
|
|
11325
|
+
import { z as z22 } from "zod";
|
|
11326
|
+
var VulnerabilityReportIssueCodeNodeZ = z22.object({
|
|
11327
|
+
vulnerabilityReportIssueId: z22.string(),
|
|
11328
|
+
path: z22.string(),
|
|
11329
|
+
startLine: z22.number(),
|
|
11330
|
+
vulnerabilityReportIssue: z22.object({
|
|
11331
|
+
fixId: z22.string(),
|
|
11332
|
+
category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
11333
|
+
safeIssueType: z22.string(),
|
|
11334
|
+
vulnerabilityReportIssueTags: z22.array(
|
|
11335
|
+
z22.object({
|
|
11336
|
+
tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
|
|
12959
11337
|
})
|
|
12960
11338
|
)
|
|
12961
11339
|
})
|
|
12962
11340
|
});
|
|
12963
|
-
var VulnerabilityReportIssueNoFixCodeNodeZ =
|
|
12964
|
-
vulnerabilityReportIssues:
|
|
12965
|
-
|
|
12966
|
-
id:
|
|
12967
|
-
fixId:
|
|
12968
|
-
category:
|
|
12969
|
-
safeIssueType:
|
|
12970
|
-
fpId:
|
|
12971
|
-
codeNodes:
|
|
12972
|
-
|
|
12973
|
-
path:
|
|
12974
|
-
startLine:
|
|
11341
|
+
var VulnerabilityReportIssueNoFixCodeNodeZ = z22.object({
|
|
11342
|
+
vulnerabilityReportIssues: z22.array(
|
|
11343
|
+
z22.object({
|
|
11344
|
+
id: z22.string(),
|
|
11345
|
+
fixId: z22.string().nullable(),
|
|
11346
|
+
category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
11347
|
+
safeIssueType: z22.string(),
|
|
11348
|
+
fpId: z22.string().uuid().nullable(),
|
|
11349
|
+
codeNodes: z22.array(
|
|
11350
|
+
z22.object({
|
|
11351
|
+
path: z22.string(),
|
|
11352
|
+
startLine: z22.number()
|
|
12975
11353
|
})
|
|
12976
11354
|
),
|
|
12977
|
-
vulnerabilityReportIssueTags:
|
|
12978
|
-
|
|
12979
|
-
tag:
|
|
11355
|
+
vulnerabilityReportIssueTags: z22.array(
|
|
11356
|
+
z22.object({
|
|
11357
|
+
tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
|
|
12980
11358
|
})
|
|
12981
11359
|
)
|
|
12982
11360
|
})
|
|
12983
11361
|
)
|
|
12984
11362
|
});
|
|
12985
|
-
var GetVulByNodesMetadataZ =
|
|
12986
|
-
vulnerabilityReportIssueCodeNodes:
|
|
12987
|
-
nonFixablePrVuls:
|
|
12988
|
-
aggregate:
|
|
12989
|
-
count:
|
|
11363
|
+
var GetVulByNodesMetadataZ = z22.object({
|
|
11364
|
+
vulnerabilityReportIssueCodeNodes: z22.array(VulnerabilityReportIssueCodeNodeZ),
|
|
11365
|
+
nonFixablePrVuls: z22.object({
|
|
11366
|
+
aggregate: z22.object({
|
|
11367
|
+
count: z22.number()
|
|
12990
11368
|
})
|
|
12991
11369
|
}),
|
|
12992
|
-
fixablePrVuls:
|
|
12993
|
-
aggregate:
|
|
12994
|
-
count:
|
|
11370
|
+
fixablePrVuls: z22.object({
|
|
11371
|
+
aggregate: z22.object({
|
|
11372
|
+
count: z22.number()
|
|
12995
11373
|
})
|
|
12996
11374
|
}),
|
|
12997
|
-
totalScanVulnerabilities:
|
|
12998
|
-
aggregate:
|
|
12999
|
-
count:
|
|
11375
|
+
totalScanVulnerabilities: z22.object({
|
|
11376
|
+
aggregate: z22.object({
|
|
11377
|
+
count: z22.number()
|
|
13000
11378
|
})
|
|
13001
11379
|
}),
|
|
13002
|
-
irrelevantVulnerabilityReportIssue:
|
|
11380
|
+
irrelevantVulnerabilityReportIssue: z22.array(
|
|
13003
11381
|
VulnerabilityReportIssueNoFixCodeNodeZ
|
|
13004
11382
|
)
|
|
13005
11383
|
});
|
|
@@ -13521,7 +11899,7 @@ import * as os2 from "os";
|
|
|
13521
11899
|
import path7 from "path";
|
|
13522
11900
|
import chalk4 from "chalk";
|
|
13523
11901
|
import { withFile } from "tmp-promise";
|
|
13524
|
-
import
|
|
11902
|
+
import z23 from "zod";
|
|
13525
11903
|
|
|
13526
11904
|
// src/commands/handleMobbLogin.ts
|
|
13527
11905
|
import chalk3 from "chalk";
|
|
@@ -14061,8 +12439,8 @@ var defaultLogger2 = {
|
|
|
14061
12439
|
}
|
|
14062
12440
|
}
|
|
14063
12441
|
};
|
|
14064
|
-
var PromptItemZ =
|
|
14065
|
-
type:
|
|
12442
|
+
var PromptItemZ = z23.object({
|
|
12443
|
+
type: z23.enum([
|
|
14066
12444
|
"USER_PROMPT",
|
|
14067
12445
|
"AI_RESPONSE",
|
|
14068
12446
|
"TOOL_EXECUTION",
|
|
@@ -14070,32 +12448,32 @@ var PromptItemZ = z26.object({
|
|
|
14070
12448
|
"MCP_TOOL_CALL"
|
|
14071
12449
|
// MCP (Model Context Protocol) tool invocation
|
|
14072
12450
|
]),
|
|
14073
|
-
attachedFiles:
|
|
14074
|
-
|
|
14075
|
-
relativePath:
|
|
14076
|
-
startLine:
|
|
12451
|
+
attachedFiles: z23.array(
|
|
12452
|
+
z23.object({
|
|
12453
|
+
relativePath: z23.string(),
|
|
12454
|
+
startLine: z23.number().optional()
|
|
14077
12455
|
})
|
|
14078
12456
|
).optional(),
|
|
14079
|
-
tokens:
|
|
14080
|
-
inputCount:
|
|
14081
|
-
outputCount:
|
|
12457
|
+
tokens: z23.object({
|
|
12458
|
+
inputCount: z23.number(),
|
|
12459
|
+
outputCount: z23.number()
|
|
14082
12460
|
}).optional(),
|
|
14083
|
-
text:
|
|
14084
|
-
date:
|
|
14085
|
-
tool:
|
|
14086
|
-
name:
|
|
14087
|
-
parameters:
|
|
14088
|
-
result:
|
|
14089
|
-
rawArguments:
|
|
14090
|
-
accepted:
|
|
12461
|
+
text: z23.string().optional(),
|
|
12462
|
+
date: z23.date().optional(),
|
|
12463
|
+
tool: z23.object({
|
|
12464
|
+
name: z23.string(),
|
|
12465
|
+
parameters: z23.string(),
|
|
12466
|
+
result: z23.string(),
|
|
12467
|
+
rawArguments: z23.string().optional(),
|
|
12468
|
+
accepted: z23.boolean().optional(),
|
|
14091
12469
|
// MCP-specific fields (only populated for MCP_TOOL_CALL type)
|
|
14092
|
-
mcpServer:
|
|
12470
|
+
mcpServer: z23.string().optional(),
|
|
14093
12471
|
// MCP server name (e.g., "datadog", "mobb-mcp")
|
|
14094
|
-
mcpToolName:
|
|
12472
|
+
mcpToolName: z23.string().optional()
|
|
14095
12473
|
// MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
|
|
14096
12474
|
}).optional()
|
|
14097
12475
|
});
|
|
14098
|
-
var PromptItemArrayZ =
|
|
12476
|
+
var PromptItemArrayZ = z23.array(PromptItemZ);
|
|
14099
12477
|
var NULL_REPO_STATE = {
|
|
14100
12478
|
repositoryUrl: null,
|
|
14101
12479
|
branch: null,
|
|
@@ -15033,7 +13411,7 @@ import Debug15 from "debug";
|
|
|
15033
13411
|
// src/features/analysis/add_fix_comments_for_pr/utils/utils.ts
|
|
15034
13412
|
import Debug14 from "debug";
|
|
15035
13413
|
import parseDiff from "parse-diff";
|
|
15036
|
-
import { z as
|
|
13414
|
+
import { z as z25 } from "zod";
|
|
15037
13415
|
|
|
15038
13416
|
// src/features/analysis/utils/by_key.ts
|
|
15039
13417
|
function keyBy(array, keyBy2) {
|
|
@@ -15122,7 +13500,7 @@ var scannerToFriendlyString = {
|
|
|
15122
13500
|
|
|
15123
13501
|
// src/features/analysis/add_fix_comments_for_pr/utils/buildCommentBody.ts
|
|
15124
13502
|
import Debug13 from "debug";
|
|
15125
|
-
import { z as
|
|
13503
|
+
import { z as z24 } from "zod";
|
|
15126
13504
|
init_client_generates();
|
|
15127
13505
|
var debug14 = Debug13("mobbdev:handle-finished-analysis");
|
|
15128
13506
|
var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
|
|
@@ -15168,10 +13546,10 @@ function buildFixCommentBody({
|
|
|
15168
13546
|
});
|
|
15169
13547
|
const issueType = getIssueTypeFriendlyString(fix.safeIssueType);
|
|
15170
13548
|
const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
|
|
15171
|
-
const validFixParseRes =
|
|
13549
|
+
const validFixParseRes = z24.object({
|
|
15172
13550
|
patchAndQuestions: PatchAndQuestionsZ,
|
|
15173
|
-
safeIssueLanguage:
|
|
15174
|
-
severityText:
|
|
13551
|
+
safeIssueLanguage: z24.nativeEnum(IssueLanguage_Enum),
|
|
13552
|
+
severityText: z24.nativeEnum(Vulnerability_Severity_Enum),
|
|
15175
13553
|
safeIssueType: SafeIssueTypeStringZ
|
|
15176
13554
|
}).safeParse(fix);
|
|
15177
13555
|
if (!validFixParseRes.success) {
|
|
@@ -15406,7 +13784,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
|
|
|
15406
13784
|
});
|
|
15407
13785
|
const lineAddedRanges = calculateRanges(fileNumbers);
|
|
15408
13786
|
const fileFilter = {
|
|
15409
|
-
path:
|
|
13787
|
+
path: z25.string().parse(file.to),
|
|
15410
13788
|
ranges: lineAddedRanges.map(([startLine, endLine]) => ({
|
|
15411
13789
|
endLine,
|
|
15412
13790
|
startLine
|
|
@@ -15718,15 +14096,15 @@ import { globby } from "globby";
|
|
|
15718
14096
|
import { isBinary as isBinary2 } from "istextorbinary";
|
|
15719
14097
|
import { simpleGit as simpleGit3 } from "simple-git";
|
|
15720
14098
|
import { parseStringPromise } from "xml2js";
|
|
15721
|
-
import { z as
|
|
14099
|
+
import { z as z26 } from "zod";
|
|
15722
14100
|
var debug19 = Debug18("mobbdev:pack");
|
|
15723
|
-
var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA =
|
|
15724
|
-
properties:
|
|
15725
|
-
entry:
|
|
15726
|
-
|
|
15727
|
-
_:
|
|
15728
|
-
$:
|
|
15729
|
-
key:
|
|
14101
|
+
var FPR_SOURCE_CODE_FILE_MAPPING_SCHEMA = z26.object({
|
|
14102
|
+
properties: z26.object({
|
|
14103
|
+
entry: z26.array(
|
|
14104
|
+
z26.object({
|
|
14105
|
+
_: z26.string(),
|
|
14106
|
+
$: z26.object({
|
|
14107
|
+
key: z26.string()
|
|
15730
14108
|
})
|
|
15731
14109
|
})
|
|
15732
14110
|
)
|
|
@@ -16510,7 +14888,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
|
|
|
16510
14888
|
spinner: mobbSpinner,
|
|
16511
14889
|
submitVulnerabilityReportVariables: {
|
|
16512
14890
|
fixReportId: reportUploadInfo.fixReportId,
|
|
16513
|
-
repoUrl:
|
|
14891
|
+
repoUrl: z27.string().parse(repo),
|
|
16514
14892
|
reference,
|
|
16515
14893
|
projectId,
|
|
16516
14894
|
vulnerabilityReportFileName: shouldScan ? void 0 : REPORT_DEFAULT_FILE_NAME,
|
|
@@ -16850,9 +15228,9 @@ async function waitForAnaysisAndReviewPr({
|
|
|
16850
15228
|
gqlClient,
|
|
16851
15229
|
polling
|
|
16852
15230
|
}) {
|
|
16853
|
-
const params =
|
|
16854
|
-
repo:
|
|
16855
|
-
githubActionToken:
|
|
15231
|
+
const params = z27.object({
|
|
15232
|
+
repo: z27.string().url(),
|
|
15233
|
+
githubActionToken: z27.string()
|
|
16856
15234
|
}).parse({ repo, githubActionToken });
|
|
16857
15235
|
const scm = await createScmLib(
|
|
16858
15236
|
{
|
|
@@ -16870,7 +15248,7 @@ async function waitForAnaysisAndReviewPr({
|
|
|
16870
15248
|
analysisId: analysisId2,
|
|
16871
15249
|
gqlClient,
|
|
16872
15250
|
scm,
|
|
16873
|
-
scanner:
|
|
15251
|
+
scanner: z27.nativeEnum(SCANNERS).parse(scanner)
|
|
16874
15252
|
});
|
|
16875
15253
|
};
|
|
16876
15254
|
if (polling) {
|
|
@@ -17186,7 +15564,7 @@ async function scanSkill(options) {
|
|
|
17186
15564
|
// src/args/validation.ts
|
|
17187
15565
|
import chalk9 from "chalk";
|
|
17188
15566
|
import path12 from "path";
|
|
17189
|
-
import { z as
|
|
15567
|
+
import { z as z28 } from "zod";
|
|
17190
15568
|
function throwRepoUrlErrorMessage({
|
|
17191
15569
|
error,
|
|
17192
15570
|
repoUrl,
|
|
@@ -17203,11 +15581,11 @@ Example:
|
|
|
17203
15581
|
)}`;
|
|
17204
15582
|
throw new CliError(formattedErrorMessage);
|
|
17205
15583
|
}
|
|
17206
|
-
var UrlZ =
|
|
15584
|
+
var UrlZ = z28.string({
|
|
17207
15585
|
invalid_type_error: `is not a valid ${Object.values(ScmType).join("/ ")} URL`
|
|
17208
15586
|
});
|
|
17209
15587
|
function validateOrganizationId(organizationId) {
|
|
17210
|
-
const orgIdValidation =
|
|
15588
|
+
const orgIdValidation = z28.string().uuid().nullish().safeParse(organizationId);
|
|
17211
15589
|
if (!orgIdValidation.success) {
|
|
17212
15590
|
throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
|
|
17213
15591
|
}
|
|
@@ -19354,7 +17732,7 @@ function createLogger(config2) {
|
|
|
19354
17732
|
|
|
19355
17733
|
// src/features/claude_code/hook_logger.ts
|
|
19356
17734
|
var DD_RUM_TOKEN = true ? "pubf59c0182545bfb4c299175119f1abf9b" : "";
|
|
19357
|
-
var CLI_VERSION = true ? "1.4.
|
|
17735
|
+
var CLI_VERSION = true ? "1.4.36" : "unknown";
|
|
19358
17736
|
var NAMESPACE = "mobbdev-claude-code-hook-logs";
|
|
19359
17737
|
var claudeCodeVersion;
|
|
19360
17738
|
function buildDdTags() {
|
|
@@ -20884,150 +19262,151 @@ init_client_generates();
|
|
|
20884
19262
|
init_configs();
|
|
20885
19263
|
|
|
20886
19264
|
// src/mcp/types.ts
|
|
20887
|
-
import { z as
|
|
19265
|
+
import { z as z29 } from "zod";
|
|
20888
19266
|
init_client_generates();
|
|
20889
|
-
var ScanAndFixVulnerabilitiesToolSchema =
|
|
20890
|
-
path:
|
|
19267
|
+
var ScanAndFixVulnerabilitiesToolSchema = z29.object({
|
|
19268
|
+
path: z29.string()
|
|
20891
19269
|
});
|
|
20892
|
-
var VulnerabilityReportIssueTagSchema =
|
|
20893
|
-
vulnerability_report_issue_tag_value:
|
|
19270
|
+
var VulnerabilityReportIssueTagSchema = z29.object({
|
|
19271
|
+
vulnerability_report_issue_tag_value: z29.nativeEnum(
|
|
20894
19272
|
Vulnerability_Report_Issue_Tag_Enum
|
|
20895
19273
|
)
|
|
20896
19274
|
});
|
|
20897
|
-
var VulnerabilityReportIssueSchema =
|
|
20898
|
-
category:
|
|
19275
|
+
var VulnerabilityReportIssueSchema = z29.object({
|
|
19276
|
+
category: z29.any().optional().nullable(),
|
|
20899
19277
|
parsedIssueType: SafeIssueTypeStringZ.nullable().optional(),
|
|
20900
|
-
parsedSeverity:
|
|
20901
|
-
vulnerabilityReportIssueTags:
|
|
19278
|
+
parsedSeverity: z29.nativeEnum(Vulnerability_Severity_Enum).nullable().optional(),
|
|
19279
|
+
vulnerabilityReportIssueTags: z29.array(VulnerabilityReportIssueTagSchema)
|
|
20902
19280
|
});
|
|
20903
|
-
var SharedStateSchema =
|
|
20904
|
-
__typename:
|
|
20905
|
-
id:
|
|
19281
|
+
var SharedStateSchema = z29.object({
|
|
19282
|
+
__typename: z29.literal("fix_shared_state").optional(),
|
|
19283
|
+
id: z29.any(),
|
|
20906
19284
|
// GraphQL uses `any` type for UUID
|
|
20907
|
-
downloadedBy:
|
|
19285
|
+
downloadedBy: z29.array(z29.any().nullable()).optional().nullable()
|
|
20908
19286
|
});
|
|
20909
|
-
var UnstructuredFixExtraContextSchema =
|
|
20910
|
-
__typename:
|
|
20911
|
-
key:
|
|
20912
|
-
value:
|
|
19287
|
+
var UnstructuredFixExtraContextSchema = z29.object({
|
|
19288
|
+
__typename: z29.literal("UnstructuredFixExtraContext").optional(),
|
|
19289
|
+
key: z29.string(),
|
|
19290
|
+
value: z29.any()
|
|
20913
19291
|
// GraphQL JSON type
|
|
20914
19292
|
});
|
|
20915
|
-
var FixExtraContextResponseSchema =
|
|
20916
|
-
__typename:
|
|
20917
|
-
extraContext:
|
|
20918
|
-
fixDescription:
|
|
19293
|
+
var FixExtraContextResponseSchema = z29.object({
|
|
19294
|
+
__typename: z29.literal("FixExtraContextResponse").optional(),
|
|
19295
|
+
extraContext: z29.array(UnstructuredFixExtraContextSchema),
|
|
19296
|
+
fixDescription: z29.string()
|
|
20919
19297
|
});
|
|
20920
|
-
var FixQuestionSchema =
|
|
20921
|
-
__typename:
|
|
20922
|
-
key:
|
|
20923
|
-
name:
|
|
20924
|
-
defaultValue:
|
|
20925
|
-
value:
|
|
20926
|
-
inputType:
|
|
20927
|
-
options:
|
|
20928
|
-
index:
|
|
20929
|
-
extraContext:
|
|
20930
|
-
// E-2015
|
|
20931
|
-
//
|
|
20932
|
-
|
|
20933
|
-
|
|
20934
|
-
|
|
19298
|
+
var FixQuestionSchema = z29.object({
|
|
19299
|
+
__typename: z29.literal("FixQuestion").optional(),
|
|
19300
|
+
key: z29.string(),
|
|
19301
|
+
name: z29.string(),
|
|
19302
|
+
defaultValue: z29.string(),
|
|
19303
|
+
value: z29.string().nullable().optional(),
|
|
19304
|
+
inputType: z29.nativeEnum(FixQuestionInputType),
|
|
19305
|
+
options: z29.array(z29.string()),
|
|
19306
|
+
index: z29.number(),
|
|
19307
|
+
extraContext: z29.array(UnstructuredFixExtraContextSchema),
|
|
19308
|
+
// E-2015: analyzer-served question text. default('') so a query that omits it
|
|
19309
|
+
// still parses, while the output type stays a required string. The analyzer is
|
|
19310
|
+
// the sole source; consumers use the served value directly (no fallback).
|
|
19311
|
+
content: z29.string().default(""),
|
|
19312
|
+
description: z29.string().default(""),
|
|
19313
|
+
guidance: z29.string().default("")
|
|
20935
19314
|
});
|
|
20936
|
-
var FixDataSchema =
|
|
20937
|
-
__typename:
|
|
20938
|
-
patch:
|
|
20939
|
-
patchOriginalEncodingBase64:
|
|
20940
|
-
questions:
|
|
19315
|
+
var FixDataSchema = z29.object({
|
|
19316
|
+
__typename: z29.literal("FixData"),
|
|
19317
|
+
patch: z29.string(),
|
|
19318
|
+
patchOriginalEncodingBase64: z29.string(),
|
|
19319
|
+
questions: z29.array(FixQuestionSchema),
|
|
20941
19320
|
extraContext: FixExtraContextResponseSchema
|
|
20942
19321
|
});
|
|
20943
|
-
var GetFixNoFixErrorSchema =
|
|
20944
|
-
__typename:
|
|
19322
|
+
var GetFixNoFixErrorSchema = z29.object({
|
|
19323
|
+
__typename: z29.literal("GetFixNoFixError")
|
|
20945
19324
|
});
|
|
20946
|
-
var PatchAndQuestionsSchema =
|
|
20947
|
-
var McpFixSchema =
|
|
20948
|
-
__typename:
|
|
20949
|
-
id:
|
|
19325
|
+
var PatchAndQuestionsSchema = z29.union([FixDataSchema, GetFixNoFixErrorSchema]);
|
|
19326
|
+
var McpFixSchema = z29.object({
|
|
19327
|
+
__typename: z29.literal("fix").optional(),
|
|
19328
|
+
id: z29.any(),
|
|
20950
19329
|
// GraphQL uses `any` type for UUID
|
|
20951
|
-
confidence:
|
|
20952
|
-
safeIssueType:
|
|
20953
|
-
safeIssueLanguage:
|
|
20954
|
-
severityText:
|
|
20955
|
-
gitBlameLogin:
|
|
19330
|
+
confidence: z29.number(),
|
|
19331
|
+
safeIssueType: z29.string().nullable(),
|
|
19332
|
+
safeIssueLanguage: z29.string().nullable().optional(),
|
|
19333
|
+
severityText: z29.string().nullable(),
|
|
19334
|
+
gitBlameLogin: z29.string().nullable().optional(),
|
|
20956
19335
|
// Optional in GraphQL
|
|
20957
|
-
severityValue:
|
|
20958
|
-
vulnerabilityReportIssues:
|
|
19336
|
+
severityValue: z29.number().nullable(),
|
|
19337
|
+
vulnerabilityReportIssues: z29.array(VulnerabilityReportIssueSchema),
|
|
20959
19338
|
sharedState: SharedStateSchema.nullable().optional(),
|
|
20960
19339
|
// Optional in GraphQL
|
|
20961
19340
|
patchAndQuestions: PatchAndQuestionsSchema,
|
|
20962
19341
|
// Additional field added by the client
|
|
20963
|
-
fixUrl:
|
|
19342
|
+
fixUrl: z29.string().optional()
|
|
20964
19343
|
});
|
|
20965
|
-
var FixAggregateSchema =
|
|
20966
|
-
__typename:
|
|
20967
|
-
aggregate:
|
|
20968
|
-
__typename:
|
|
20969
|
-
count:
|
|
19344
|
+
var FixAggregateSchema = z29.object({
|
|
19345
|
+
__typename: z29.literal("fix_aggregate").optional(),
|
|
19346
|
+
aggregate: z29.object({
|
|
19347
|
+
__typename: z29.literal("fix_aggregate_fields").optional(),
|
|
19348
|
+
count: z29.number()
|
|
20970
19349
|
}).nullable()
|
|
20971
19350
|
});
|
|
20972
|
-
var VulnerabilityReportIssueAggregateSchema =
|
|
20973
|
-
__typename:
|
|
20974
|
-
aggregate:
|
|
20975
|
-
__typename:
|
|
20976
|
-
count:
|
|
19351
|
+
var VulnerabilityReportIssueAggregateSchema = z29.object({
|
|
19352
|
+
__typename: z29.literal("vulnerability_report_issue_aggregate").optional(),
|
|
19353
|
+
aggregate: z29.object({
|
|
19354
|
+
__typename: z29.literal("vulnerability_report_issue_aggregate_fields").optional(),
|
|
19355
|
+
count: z29.number()
|
|
20977
19356
|
}).nullable()
|
|
20978
19357
|
});
|
|
20979
|
-
var RepoSchema =
|
|
20980
|
-
__typename:
|
|
20981
|
-
originalUrl:
|
|
19358
|
+
var RepoSchema = z29.object({
|
|
19359
|
+
__typename: z29.literal("repo").optional(),
|
|
19360
|
+
originalUrl: z29.string()
|
|
20982
19361
|
});
|
|
20983
|
-
var ProjectSchema =
|
|
20984
|
-
id:
|
|
19362
|
+
var ProjectSchema = z29.object({
|
|
19363
|
+
id: z29.any(),
|
|
20985
19364
|
// GraphQL uses `any` type for UUID
|
|
20986
|
-
organizationId:
|
|
19365
|
+
organizationId: z29.any()
|
|
20987
19366
|
// GraphQL uses `any` type for UUID
|
|
20988
19367
|
});
|
|
20989
|
-
var VulnerabilityReportSchema =
|
|
20990
|
-
scanDate:
|
|
19368
|
+
var VulnerabilityReportSchema = z29.object({
|
|
19369
|
+
scanDate: z29.any().nullable(),
|
|
20991
19370
|
// GraphQL uses `any` type for timestamp
|
|
20992
|
-
vendor:
|
|
19371
|
+
vendor: z29.string(),
|
|
20993
19372
|
// GraphQL generates as string, not enum
|
|
20994
|
-
projectId:
|
|
19373
|
+
projectId: z29.any().optional(),
|
|
20995
19374
|
// GraphQL uses `any` type for UUID
|
|
20996
19375
|
project: ProjectSchema,
|
|
20997
19376
|
totalVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema,
|
|
20998
19377
|
notFixableVulnerabilityReportIssuesCount: VulnerabilityReportIssueAggregateSchema
|
|
20999
19378
|
});
|
|
21000
|
-
var FixReportSummarySchema =
|
|
21001
|
-
__typename:
|
|
21002
|
-
id:
|
|
19379
|
+
var FixReportSummarySchema = z29.object({
|
|
19380
|
+
__typename: z29.literal("fixReport").optional(),
|
|
19381
|
+
id: z29.any(),
|
|
21003
19382
|
// GraphQL uses `any` type for UUID
|
|
21004
|
-
createdOn:
|
|
19383
|
+
createdOn: z29.any(),
|
|
21005
19384
|
// GraphQL uses `any` type for timestamp
|
|
21006
19385
|
repo: RepoSchema.nullable(),
|
|
21007
|
-
issueTypes:
|
|
19386
|
+
issueTypes: z29.any().nullable(),
|
|
21008
19387
|
// GraphQL uses `any` type for JSON
|
|
21009
19388
|
CRITICAL: FixAggregateSchema,
|
|
21010
19389
|
HIGH: FixAggregateSchema,
|
|
21011
19390
|
MEDIUM: FixAggregateSchema,
|
|
21012
19391
|
LOW: FixAggregateSchema,
|
|
21013
|
-
fixes:
|
|
21014
|
-
userFixes:
|
|
19392
|
+
fixes: z29.array(McpFixSchema),
|
|
19393
|
+
userFixes: z29.array(McpFixSchema).optional(),
|
|
21015
19394
|
// Present in some responses but can be omitted
|
|
21016
19395
|
filteredFixesCount: FixAggregateSchema,
|
|
21017
19396
|
totalFixesCount: FixAggregateSchema,
|
|
21018
19397
|
vulnerabilityReport: VulnerabilityReportSchema
|
|
21019
19398
|
});
|
|
21020
|
-
var ExpiredReportSchema =
|
|
21021
|
-
__typename:
|
|
21022
|
-
id:
|
|
19399
|
+
var ExpiredReportSchema = z29.object({
|
|
19400
|
+
__typename: z29.literal("fixReport").optional(),
|
|
19401
|
+
id: z29.any(),
|
|
21023
19402
|
// GraphQL uses `any` type for UUID
|
|
21024
|
-
expirationOn:
|
|
19403
|
+
expirationOn: z29.any().nullable()
|
|
21025
19404
|
// GraphQL uses `any` type for timestamp
|
|
21026
19405
|
});
|
|
21027
|
-
var GetLatestReportByRepoUrlResponseSchema =
|
|
21028
|
-
__typename:
|
|
21029
|
-
fixReport:
|
|
21030
|
-
expiredReport:
|
|
19406
|
+
var GetLatestReportByRepoUrlResponseSchema = z29.object({
|
|
19407
|
+
__typename: z29.literal("query_root").optional(),
|
|
19408
|
+
fixReport: z29.array(FixReportSummarySchema),
|
|
19409
|
+
expiredReport: z29.array(ExpiredReportSchema)
|
|
21031
19410
|
});
|
|
21032
19411
|
|
|
21033
19412
|
// src/mcp/services/InteractiveFixFilter.ts
|
|
@@ -22837,10 +21216,10 @@ var McpServer = class {
|
|
|
22837
21216
|
};
|
|
22838
21217
|
|
|
22839
21218
|
// src/mcp/prompts/CheckForNewVulnerabilitiesPrompt.ts
|
|
22840
|
-
import { z as
|
|
21219
|
+
import { z as z31 } from "zod";
|
|
22841
21220
|
|
|
22842
21221
|
// src/mcp/prompts/base/BasePrompt.ts
|
|
22843
|
-
import { z as
|
|
21222
|
+
import { z as z30 } from "zod";
|
|
22844
21223
|
var BasePrompt = class {
|
|
22845
21224
|
getDefinition() {
|
|
22846
21225
|
return {
|
|
@@ -22869,7 +21248,7 @@ var BasePrompt = class {
|
|
|
22869
21248
|
const argsToValidate = args === void 0 ? {} : args;
|
|
22870
21249
|
return this.argumentsValidationSchema.parse(argsToValidate);
|
|
22871
21250
|
} catch (error) {
|
|
22872
|
-
if (error instanceof
|
|
21251
|
+
if (error instanceof z30.ZodError) {
|
|
22873
21252
|
const errorDetails = error.errors.map((e) => {
|
|
22874
21253
|
const fieldPath = e.path.length > 0 ? e.path.join(".") : "root";
|
|
22875
21254
|
const message = e.message === "Required" ? `Missing required argument '${fieldPath}'` : `Invalid value for '${fieldPath}': ${e.message}`;
|
|
@@ -22898,8 +21277,8 @@ var BasePrompt = class {
|
|
|
22898
21277
|
};
|
|
22899
21278
|
|
|
22900
21279
|
// src/mcp/prompts/CheckForNewVulnerabilitiesPrompt.ts
|
|
22901
|
-
var CheckForNewVulnerabilitiesArgsSchema =
|
|
22902
|
-
path:
|
|
21280
|
+
var CheckForNewVulnerabilitiesArgsSchema = z31.object({
|
|
21281
|
+
path: z31.string().optional()
|
|
22903
21282
|
});
|
|
22904
21283
|
var CheckForNewVulnerabilitiesPrompt = class extends BasePrompt {
|
|
22905
21284
|
constructor() {
|
|
@@ -23144,9 +21523,9 @@ Call the \`check_for_new_available_fixes\` tool now${args?.path ? ` for ${args.p
|
|
|
23144
21523
|
};
|
|
23145
21524
|
|
|
23146
21525
|
// src/mcp/prompts/FullSecurityAuditPrompt.ts
|
|
23147
|
-
import { z as
|
|
23148
|
-
var FullSecurityAuditArgsSchema =
|
|
23149
|
-
path:
|
|
21526
|
+
import { z as z32 } from "zod";
|
|
21527
|
+
var FullSecurityAuditArgsSchema = z32.object({
|
|
21528
|
+
path: z32.string().optional()
|
|
23150
21529
|
});
|
|
23151
21530
|
var FullSecurityAuditPrompt = class extends BasePrompt {
|
|
23152
21531
|
constructor() {
|
|
@@ -23597,9 +21976,9 @@ Begin the audit now${args?.path ? ` for ${args.path}` : ""}.
|
|
|
23597
21976
|
};
|
|
23598
21977
|
|
|
23599
21978
|
// src/mcp/prompts/ReviewAndFixCriticalPrompt.ts
|
|
23600
|
-
import { z as
|
|
23601
|
-
var ReviewAndFixCriticalArgsSchema =
|
|
23602
|
-
path:
|
|
21979
|
+
import { z as z33 } from "zod";
|
|
21980
|
+
var ReviewAndFixCriticalArgsSchema = z33.object({
|
|
21981
|
+
path: z33.string().optional()
|
|
23603
21982
|
});
|
|
23604
21983
|
var ReviewAndFixCriticalPrompt = class extends BasePrompt {
|
|
23605
21984
|
constructor() {
|
|
@@ -23903,9 +22282,9 @@ Start by scanning${args?.path ? ` ${args.path}` : " the repository"} and priorit
|
|
|
23903
22282
|
};
|
|
23904
22283
|
|
|
23905
22284
|
// src/mcp/prompts/ScanRecentChangesPrompt.ts
|
|
23906
|
-
import { z as
|
|
23907
|
-
var ScanRecentChangesArgsSchema =
|
|
23908
|
-
path:
|
|
22285
|
+
import { z as z34 } from "zod";
|
|
22286
|
+
var ScanRecentChangesArgsSchema = z34.object({
|
|
22287
|
+
path: z34.string().optional()
|
|
23909
22288
|
});
|
|
23910
22289
|
var ScanRecentChangesPrompt = class extends BasePrompt {
|
|
23911
22290
|
constructor() {
|
|
@@ -24116,9 +22495,9 @@ You now have the guidance needed to perform a fast, targeted security scan of re
|
|
|
24116
22495
|
};
|
|
24117
22496
|
|
|
24118
22497
|
// src/mcp/prompts/ScanRepositoryPrompt.ts
|
|
24119
|
-
import { z as
|
|
24120
|
-
var ScanRepositoryArgsSchema =
|
|
24121
|
-
path:
|
|
22498
|
+
import { z as z35 } from "zod";
|
|
22499
|
+
var ScanRepositoryArgsSchema = z35.object({
|
|
22500
|
+
path: z35.string().optional()
|
|
24122
22501
|
});
|
|
24123
22502
|
var ScanRepositoryPrompt = class extends BasePrompt {
|
|
24124
22503
|
constructor() {
|
|
@@ -24516,7 +22895,7 @@ import * as os15 from "os";
|
|
|
24516
22895
|
import * as path29 from "path";
|
|
24517
22896
|
|
|
24518
22897
|
// src/mcp/tools/checkForNewAvailableFixes/CheckForNewAvailableFixesTool.ts
|
|
24519
|
-
import { z as
|
|
22898
|
+
import { z as z37 } from "zod";
|
|
24520
22899
|
|
|
24521
22900
|
// src/mcp/services/PathValidation.ts
|
|
24522
22901
|
import fs21 from "fs";
|
|
@@ -24592,7 +22971,7 @@ async function validatePath(inputPath) {
|
|
|
24592
22971
|
}
|
|
24593
22972
|
|
|
24594
22973
|
// src/mcp/tools/base/BaseTool.ts
|
|
24595
|
-
import { z as
|
|
22974
|
+
import { z as z36 } from "zod";
|
|
24596
22975
|
var BaseTool = class {
|
|
24597
22976
|
getDefinition() {
|
|
24598
22977
|
return {
|
|
@@ -24619,7 +22998,7 @@ var BaseTool = class {
|
|
|
24619
22998
|
try {
|
|
24620
22999
|
return this.inputValidationSchema.parse(args);
|
|
24621
23000
|
} catch (error) {
|
|
24622
|
-
if (error instanceof
|
|
23001
|
+
if (error instanceof z36.ZodError) {
|
|
24623
23002
|
const errorDetails = error.errors.map((e) => {
|
|
24624
23003
|
const fieldPath = e.path.length > 0 ? e.path.join(".") : "root";
|
|
24625
23004
|
const message = e.message === "Required" ? `Missing required parameter '${fieldPath}'` : `Invalid value for '${fieldPath}': ${e.message}`;
|
|
@@ -24658,39 +23037,12 @@ function friendlyType(s) {
|
|
|
24658
23037
|
var noFixesReturnedForParameters = `No fixes returned for the given offset and limit parameters.
|
|
24659
23038
|
`;
|
|
24660
23039
|
var resolveQuestionText = ({
|
|
24661
|
-
fix,
|
|
24662
23040
|
question
|
|
24663
23041
|
}) => {
|
|
24664
|
-
|
|
24665
|
-
|
|
24666
|
-
|
|
24667
|
-
|
|
24668
|
-
};
|
|
24669
|
-
}
|
|
24670
|
-
const language = fix.safeIssueLanguage ?? void 0;
|
|
24671
|
-
const issueType = fix.safeIssueType ?? void 0;
|
|
24672
|
-
if (!language || !issueType) {
|
|
24673
|
-
return { content: question.name, description: "" };
|
|
24674
|
-
}
|
|
24675
|
-
const item = storedQuestionData_default[language]?.[issueType]?.[question.name];
|
|
24676
|
-
if (!item) {
|
|
24677
|
-
return { content: question.name, description: "" };
|
|
24678
|
-
}
|
|
24679
|
-
const args = question.extraContext.reduce(
|
|
24680
|
-
(acc, ctx) => {
|
|
24681
|
-
acc[ctx.key] = ctx.value;
|
|
24682
|
-
return acc;
|
|
24683
|
-
},
|
|
24684
|
-
{}
|
|
24685
|
-
);
|
|
24686
|
-
try {
|
|
24687
|
-
return {
|
|
24688
|
-
content: item.content(args) || question.name,
|
|
24689
|
-
description: item.description(args) || ""
|
|
24690
|
-
};
|
|
24691
|
-
} catch {
|
|
24692
|
-
return { content: question.name, description: "" };
|
|
24693
|
-
}
|
|
23042
|
+
return {
|
|
23043
|
+
content: question.content || question.name,
|
|
23044
|
+
description: question.description ?? ""
|
|
23045
|
+
};
|
|
24694
23046
|
};
|
|
24695
23047
|
var formatQuestionInputContract = (question) => {
|
|
24696
23048
|
switch (question.inputType) {
|
|
@@ -24707,7 +23059,7 @@ var renderInteractiveFix = (fix, index) => {
|
|
|
24707
23059
|
const { questions, extraContext } = fix.patchAndQuestions;
|
|
24708
23060
|
const vulnerabilityType = friendlyType(fix.safeIssueType ?? "Unknown");
|
|
24709
23061
|
const questionsBlock = questions.slice().sort((a, b) => a.index - b.index).map((q, qIdx) => {
|
|
24710
|
-
const { content, description } = resolveQuestionText({
|
|
23062
|
+
const { content, description } = resolveQuestionText({ question: q });
|
|
24711
23063
|
const desc = description ? `
|
|
24712
23064
|
*Why it matters:* ${description}` : "";
|
|
24713
23065
|
const defaultLine = q.defaultValue ? `
|
|
@@ -28224,8 +26576,8 @@ Example payload:
|
|
|
28224
26576
|
},
|
|
28225
26577
|
required: ["path"]
|
|
28226
26578
|
});
|
|
28227
|
-
__publicField(this, "inputValidationSchema",
|
|
28228
|
-
path:
|
|
26579
|
+
__publicField(this, "inputValidationSchema", z37.object({
|
|
26580
|
+
path: z37.string().describe(
|
|
28229
26581
|
"Full local path to the cloned git repository to check for new available fixes"
|
|
28230
26582
|
)
|
|
28231
26583
|
}));
|
|
@@ -28255,7 +26607,7 @@ Example payload:
|
|
|
28255
26607
|
|
|
28256
26608
|
// src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesTool.ts
|
|
28257
26609
|
init_GitService();
|
|
28258
|
-
import { z as
|
|
26610
|
+
import { z as z38 } from "zod";
|
|
28259
26611
|
|
|
28260
26612
|
// src/mcp/tools/fetchAvailableFixes/FetchAvailableFixesService.ts
|
|
28261
26613
|
init_configs();
|
|
@@ -28401,16 +26753,16 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
|
|
|
28401
26753
|
},
|
|
28402
26754
|
required: ["path"]
|
|
28403
26755
|
});
|
|
28404
|
-
__publicField(this, "inputValidationSchema",
|
|
28405
|
-
path:
|
|
26756
|
+
__publicField(this, "inputValidationSchema", z38.object({
|
|
26757
|
+
path: z38.string().describe(
|
|
28406
26758
|
"Full local path to the cloned git repository to check for available fixes"
|
|
28407
26759
|
),
|
|
28408
|
-
offset:
|
|
28409
|
-
limit:
|
|
28410
|
-
fileFilter:
|
|
26760
|
+
offset: z38.number().optional().describe("Optional offset for pagination"),
|
|
26761
|
+
limit: z38.number().optional().describe("Optional maximum number of fixes to return"),
|
|
26762
|
+
fileFilter: z38.array(z38.string()).optional().describe(
|
|
28411
26763
|
"Optional list of file paths relative to the path parameter to filter fixes by. INCOMPATIBLE with fetchFixesFromAnyFile"
|
|
28412
26764
|
),
|
|
28413
|
-
fetchFixesFromAnyFile:
|
|
26765
|
+
fetchFixesFromAnyFile: z38.boolean().optional().describe(
|
|
28414
26766
|
"Optional boolean to fetch fixes for all files. INCOMPATIBLE with fileFilter"
|
|
28415
26767
|
)
|
|
28416
26768
|
}));
|
|
@@ -28476,7 +26828,7 @@ Call this tool instead of ${MCP_TOOL_SCAN_AND_FIX_VULNERABILITIES} when you only
|
|
|
28476
26828
|
};
|
|
28477
26829
|
|
|
28478
26830
|
// src/mcp/tools/mcpChecker/mcpCheckerTool.ts
|
|
28479
|
-
import
|
|
26831
|
+
import z39 from "zod";
|
|
28480
26832
|
|
|
28481
26833
|
// src/mcp/tools/mcpChecker/mcpCheckerService.ts
|
|
28482
26834
|
var _McpCheckerService = class _McpCheckerService {
|
|
@@ -28537,7 +26889,7 @@ var McpCheckerTool = class extends BaseTool {
|
|
|
28537
26889
|
__publicField(this, "displayName", "MCP Checker");
|
|
28538
26890
|
// A detailed description to guide the LLM on when and how to invoke this tool.
|
|
28539
26891
|
__publicField(this, "description", "Check the MCP servers running on this IDE against organization policies.");
|
|
28540
|
-
__publicField(this, "inputValidationSchema",
|
|
26892
|
+
__publicField(this, "inputValidationSchema", z39.object({}));
|
|
28541
26893
|
__publicField(this, "inputSchema", {
|
|
28542
26894
|
type: "object",
|
|
28543
26895
|
properties: {},
|
|
@@ -28563,7 +26915,7 @@ var McpCheckerTool = class extends BaseTool {
|
|
|
28563
26915
|
};
|
|
28564
26916
|
|
|
28565
26917
|
// src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesTool.ts
|
|
28566
|
-
import
|
|
26918
|
+
import z40 from "zod";
|
|
28567
26919
|
init_configs();
|
|
28568
26920
|
|
|
28569
26921
|
// src/mcp/tools/scanAndFixVulnerabilities/ScanAndFixVulnerabilitiesService.ts
|
|
@@ -28943,26 +27295,26 @@ Example payload (Mode B \u2014 abstain from every interactive fix, no rescan):
|
|
|
28943
27295
|
"interactiveAnswers": []
|
|
28944
27296
|
}`);
|
|
28945
27297
|
__publicField(this, "hasAuthentication", true);
|
|
28946
|
-
__publicField(this, "inputValidationSchema",
|
|
28947
|
-
path:
|
|
27298
|
+
__publicField(this, "inputValidationSchema", z40.object({
|
|
27299
|
+
path: z40.string().describe(
|
|
28948
27300
|
"Full local path to repository to scan and fix vulnerabilities"
|
|
28949
27301
|
),
|
|
28950
|
-
offset:
|
|
28951
|
-
limit:
|
|
28952
|
-
maxFiles:
|
|
27302
|
+
offset: z40.number().optional().describe("Optional offset for pagination"),
|
|
27303
|
+
limit: z40.number().optional().describe("Optional maximum number of results to return"),
|
|
27304
|
+
maxFiles: z40.number().optional().describe(
|
|
28953
27305
|
`Optional maximum number of files to scan (default: ${MCP_DEFAULT_MAX_FILES_TO_SCAN}). Increase for comprehensive scans of larger codebases or decrease for faster focused scans.`
|
|
28954
27306
|
),
|
|
28955
|
-
rescan:
|
|
28956
|
-
scanRecentlyChangedFiles:
|
|
27307
|
+
rescan: z40.boolean().optional().describe("Optional whether to rescan the repository"),
|
|
27308
|
+
scanRecentlyChangedFiles: z40.boolean().optional().describe(
|
|
28957
27309
|
"Optional whether to automatically scan recently changed files when no changed files are found in git status. If false, the tool will prompt the user instead."
|
|
28958
27310
|
),
|
|
28959
|
-
interactiveAnswers:
|
|
28960
|
-
|
|
28961
|
-
fixId:
|
|
28962
|
-
answers:
|
|
28963
|
-
|
|
28964
|
-
key:
|
|
28965
|
-
value:
|
|
27311
|
+
interactiveAnswers: z40.array(
|
|
27312
|
+
z40.object({
|
|
27313
|
+
fixId: z40.string().min(1).describe('Fix id from a previous "Interactive fix" prompt block.'),
|
|
27314
|
+
answers: z40.array(
|
|
27315
|
+
z40.object({
|
|
27316
|
+
key: z40.string().min(1).describe("FixQuestion key."),
|
|
27317
|
+
value: z40.string().describe(
|
|
28966
27318
|
"For SELECT questions MUST be one of the listed options; for TEXT/NUMBER, a free-form value."
|
|
28967
27319
|
)
|
|
28968
27320
|
})
|
|
@@ -29325,7 +27677,7 @@ async function addScmTokenHandler(args) {
|
|
|
29325
27677
|
}
|
|
29326
27678
|
|
|
29327
27679
|
// src/features/codeium_intellij/data_collector.ts
|
|
29328
|
-
import { z as
|
|
27680
|
+
import { z as z41 } from "zod";
|
|
29329
27681
|
|
|
29330
27682
|
// src/utils/read-stdin.ts
|
|
29331
27683
|
import { setTimeout as setTimeout4 } from "timers";
|
|
@@ -29442,12 +27794,12 @@ function promisifyClient(client) {
|
|
|
29442
27794
|
}
|
|
29443
27795
|
});
|
|
29444
27796
|
}
|
|
29445
|
-
async function getGrpcClient(port,
|
|
27797
|
+
async function getGrpcClient(port, csrf) {
|
|
29446
27798
|
const client = promisifyClient(
|
|
29447
27799
|
new PROTO.exa.language_server_pb.LanguageServerService(
|
|
29448
27800
|
`localhost:${port}`,
|
|
29449
27801
|
grpc.credentials.createInsecure(),
|
|
29450
|
-
{ interceptors: [createCsrfInterceptor(
|
|
27802
|
+
{ interceptors: [createCsrfInterceptor(csrf)] }
|
|
29451
27803
|
)
|
|
29452
27804
|
);
|
|
29453
27805
|
try {
|
|
@@ -29527,8 +27879,8 @@ function findRunningCodeiumLanguageServers() {
|
|
|
29527
27879
|
}
|
|
29528
27880
|
|
|
29529
27881
|
// src/features/codeium_intellij/data_collector.ts
|
|
29530
|
-
var HookDataSchema =
|
|
29531
|
-
trajectory_id:
|
|
27882
|
+
var HookDataSchema = z41.object({
|
|
27883
|
+
trajectory_id: z41.string()
|
|
29532
27884
|
});
|
|
29533
27885
|
async function processAndUploadHookData() {
|
|
29534
27886
|
const tracePayload = await getTraceDataForHook();
|