mobbdev 1.4.35 → 1.4.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -342,10 +342,6 @@ var init_client_generates = __esm({
342
342
  inputType
343
343
  options
344
344
  index
345
- extraContext {
346
- key
347
- value
348
- }
349
345
  content
350
346
  description
351
347
  guidance
@@ -583,10 +579,6 @@ var init_client_generates = __esm({
583
579
  patchOriginalEncodingBase64
584
580
  questions {
585
581
  defaultValue
586
- extraContext {
587
- key
588
- value
589
- }
590
582
  index
591
583
  inputType
592
584
  key
@@ -1090,10 +1082,6 @@ var init_client_generates = __esm({
1090
1082
  inputType
1091
1083
  options
1092
1084
  index
1093
- extraContext {
1094
- key
1095
- value
1096
- }
1097
1085
  content
1098
1086
  description
1099
1087
  guidance
@@ -1335,9 +1323,10 @@ var init_fix = __esm({
1335
1323
  fixDescription: z2.string(),
1336
1324
  manifestActionsRequired: z2.array(ManifestActionRequiredZ),
1337
1325
  extraContext: z2.array(ExtraContextInternalZ),
1338
- // E-2015 PR5c: analyzer-served fix-level guidance. default([]) so a query that
1326
+ // E-2015: analyzer-served fix-level guidance. default([]) so a query that
1339
1327
  // omits it still parses, while the output type is a required string[] to match
1340
- // the non-null GraphQL field. getFixGuidances prefers served then falls back.
1328
+ // the non-null GraphQL field. The analyzer is the sole source; getFixGuidances
1329
+ // uses the served value directly (no fallback).
1341
1330
  guidances: z2.array(z2.string()).default([])
1342
1331
  });
1343
1332
  PatchAndQuestionsZ = z2.object({
@@ -1351,13 +1340,12 @@ var init_fix = __esm({
1351
1340
  index: z2.number(),
1352
1341
  defaultValue: z2.string(),
1353
1342
  value: z2.string().nullable(),
1354
- extraContext: z2.array(ExtraContextInternalZ),
1355
1343
  inputType: z2.nativeEnum(FixQuestionInputType),
1356
1344
  options: z2.array(z2.string()),
1357
- // E-2015 PR5: analyzer-served question copy. default('') so a query that
1358
- // omits these still parses (-> '' -> FE falls back to its own copy), while
1359
- // the output type stays a required `string` to match the non-null GraphQL
1360
- // fields. Consumers use `served || storedQuestionData`.
1345
+ // E-2015: analyzer-served question text. default('') so a query that
1346
+ // omits these still parses (-> ''), while the output type stays a required
1347
+ // `string` to match the non-null GraphQL fields. The analyzer is the sole
1348
+ // source; consumers use the served value directly (no fallback).
1361
1349
  content: z2.string().default(""),
1362
1350
  description: z2.string().default(""),
1363
1351
  guidance: z2.string().default("")
@@ -2208,7 +2196,7 @@ var init_types2 = __esm({
2208
2196
  });
2209
2197
 
2210
2198
  // src/features/analysis/scm/shared/src/urlParser/urlParser.ts
2211
- import { z as z12 } from "zod";
2199
+ import { z as z9 } from "zod";
2212
2200
  function computeCanonicalUrl(data) {
2213
2201
  const {
2214
2202
  scmType,
@@ -2250,7 +2238,7 @@ function detectAdoUrl(args) {
2250
2238
  scmType: "Ado" /* Ado */,
2251
2239
  organization,
2252
2240
  // project has single repo - repoName === projectName
2253
- projectName: z12.string().parse(projectName),
2241
+ projectName: z9.string().parse(projectName),
2254
2242
  repoName: projectName,
2255
2243
  prefixPath
2256
2244
  };
@@ -2261,7 +2249,7 @@ function detectAdoUrl(args) {
2261
2249
  return {
2262
2250
  scmType: "Ado" /* Ado */,
2263
2251
  organization,
2264
- projectName: z12.string().parse(projectName),
2252
+ projectName: z9.string().parse(projectName),
2265
2253
  repoName,
2266
2254
  prefixPath
2267
2255
  };
@@ -2275,7 +2263,7 @@ function detectAdoUrl(args) {
2275
2263
  scmType: "Ado" /* Ado */,
2276
2264
  organization,
2277
2265
  // project has only one repo - repoName === projectName
2278
- projectName: z12.string().parse(repoName),
2266
+ projectName: z9.string().parse(repoName),
2279
2267
  repoName,
2280
2268
  prefixPath
2281
2269
  };
@@ -2285,7 +2273,7 @@ function detectAdoUrl(args) {
2285
2273
  return {
2286
2274
  scmType: "Ado" /* Ado */,
2287
2275
  organization,
2288
- projectName: z12.string().parse(projectName),
2276
+ projectName: z9.string().parse(projectName),
2289
2277
  repoName,
2290
2278
  prefixPath
2291
2279
  };
@@ -2361,7 +2349,7 @@ function parseSshUrl(scmURL, scmType) {
2361
2349
  if (pathElements.length === 3) {
2362
2350
  const [organization2, projectName, repoName2] = pathElements;
2363
2351
  if (organization2?.match(NAME_REGEX) && projectName && repoName2?.match(NAME_REGEX)) {
2364
- const parsedProjectName = z12.string().parse(projectName);
2352
+ const parsedProjectName = z9.string().parse(projectName);
2365
2353
  return {
2366
2354
  scmType: "Ado" /* Ado */,
2367
2355
  hostname: normalizedHostname,
@@ -2589,17 +2577,17 @@ var init_urlParser2 = __esm({
2589
2577
  });
2590
2578
 
2591
2579
  // src/features/analysis/scm/env.ts
2592
- import { z as z15 } from "zod";
2580
+ import { z as z12 } from "zod";
2593
2581
  var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
2594
2582
  var init_env = __esm({
2595
2583
  "src/features/analysis/scm/env.ts"() {
2596
2584
  "use strict";
2597
- EnvVariablesZod = z15.object({
2598
- GITLAB_API_TOKEN: z15.string().optional(),
2599
- GITHUB_API_TOKEN: z15.string().optional(),
2600
- GIT_PROXY_HOST: z15.string().optional().default("http://tinyproxy:8888"),
2601
- MAX_UPLOAD_FILE_SIZE_MB: z15.coerce.number().gt(0).default(2),
2602
- GITHUB_API_CONCURRENCY: z15.coerce.number().gt(0).optional().default(10)
2585
+ EnvVariablesZod = z12.object({
2586
+ GITLAB_API_TOKEN: z12.string().optional(),
2587
+ GITHUB_API_TOKEN: z12.string().optional(),
2588
+ GIT_PROXY_HOST: z12.string().optional().default("http://tinyproxy:8888"),
2589
+ MAX_UPLOAD_FILE_SIZE_MB: z12.coerce.number().gt(0).default(2),
2590
+ GITHUB_API_CONCURRENCY: z12.coerce.number().gt(0).optional().default(10)
2603
2591
  });
2604
2592
  ({
2605
2593
  GITLAB_API_TOKEN,
@@ -2633,7 +2621,7 @@ var init_configs = __esm({
2633
2621
  });
2634
2622
 
2635
2623
  // src/utils/blame/gitBlameTypes.ts
2636
- import { z as z18 } from "zod";
2624
+ import { z as z15 } from "zod";
2637
2625
  function parseCoAuthorValue(raw) {
2638
2626
  const trimmed = raw.trim();
2639
2627
  if (!trimmed) {
@@ -2669,9 +2657,9 @@ var PrepareGitBlameMessageZ, PrepareGitBlameResponseMessageZ, CommitMetadataZ, L
2669
2657
  var init_gitBlameTypes = __esm({
2670
2658
  "src/utils/blame/gitBlameTypes.ts"() {
2671
2659
  "use strict";
2672
- PrepareGitBlameMessageZ = z18.object({
2673
- reportId: z18.string(),
2674
- repoArchivePath: z18.string(),
2660
+ PrepareGitBlameMessageZ = z15.object({
2661
+ reportId: z15.string(),
2662
+ repoArchivePath: z15.string(),
2675
2663
  // Optional list of file paths to blame. Producers must pick one of two modes:
2676
2664
  //
2677
2665
  // - **Omit `filePaths`** = "blame every file in the archive". Used by the
@@ -2687,132 +2675,132 @@ var init_gitBlameTypes = __esm({
2687
2675
  // "Login.java" when the actual file is "src/main/java/Login.java") are
2688
2676
  // tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
2689
2677
  // strings are filtered out defensively.
2690
- filePaths: z18.array(z18.string()).optional()
2678
+ filePaths: z15.array(z15.string()).optional()
2691
2679
  });
2692
- PrepareGitBlameResponseMessageZ = z18.object({
2693
- reportId: z18.string()
2680
+ PrepareGitBlameResponseMessageZ = z15.object({
2681
+ reportId: z15.string()
2694
2682
  });
2695
- CommitMetadataZ = z18.object({
2696
- author: z18.string().optional(),
2697
- "author-mail": z18.string().optional(),
2698
- "author-time": z18.string().optional(),
2699
- "author-tz": z18.string().optional(),
2700
- committer: z18.string().optional(),
2701
- "committer-mail": z18.string().optional(),
2702
- "committer-time": z18.string().optional(),
2703
- "committer-tz": z18.string().optional(),
2704
- summary: z18.string().optional(),
2705
- filename: z18.string().optional()
2683
+ CommitMetadataZ = z15.object({
2684
+ author: z15.string().optional(),
2685
+ "author-mail": z15.string().optional(),
2686
+ "author-time": z15.string().optional(),
2687
+ "author-tz": z15.string().optional(),
2688
+ committer: z15.string().optional(),
2689
+ "committer-mail": z15.string().optional(),
2690
+ "committer-time": z15.string().optional(),
2691
+ "committer-tz": z15.string().optional(),
2692
+ summary: z15.string().optional(),
2693
+ filename: z15.string().optional()
2706
2694
  });
2707
- LineToCommitMapZ = z18.record(z18.string(), z18.string());
2708
- CommitMetadataMapZ = z18.record(z18.string(), CommitMetadataZ);
2709
- BlameInfoZ = z18.object({
2695
+ LineToCommitMapZ = z15.record(z15.string(), z15.string());
2696
+ CommitMetadataMapZ = z15.record(z15.string(), CommitMetadataZ);
2697
+ BlameInfoZ = z15.object({
2710
2698
  lineToCommit: LineToCommitMapZ,
2711
2699
  commitMetadata: CommitMetadataMapZ
2712
2700
  });
2713
- LineRangeZ = z18.object({
2701
+ LineRangeZ = z15.object({
2714
2702
  /** First line in chunk (1-indexed) */
2715
- start: z18.number(),
2703
+ start: z15.number(),
2716
2704
  /** Last line in chunk (inclusive) */
2717
- end: z18.number()
2705
+ end: z15.number()
2718
2706
  });
2719
- PrContextZ = z18.object({
2720
- prNumber: z18.number(),
2721
- repositoryUrl: z18.string(),
2722
- organizationId: z18.string(),
2723
- userEmail: z18.string(),
2724
- source: z18.enum(["pr", "github"]),
2725
- githubContext: z18.object({
2726
- prNumber: z18.number(),
2727
- installationId: z18.number(),
2728
- repositoryURL: z18.string()
2707
+ PrContextZ = z15.object({
2708
+ prNumber: z15.number(),
2709
+ repositoryUrl: z15.string(),
2710
+ organizationId: z15.string(),
2711
+ userEmail: z15.string(),
2712
+ source: z15.enum(["pr", "github"]),
2713
+ githubContext: z15.object({
2714
+ prNumber: z15.number(),
2715
+ installationId: z15.number(),
2716
+ repositoryURL: z15.string()
2729
2717
  }).optional()
2730
2718
  });
2731
- PrepareCommitBlameMessageZ = z18.object({
2719
+ PrepareCommitBlameMessageZ = z15.object({
2732
2720
  /** Commit blame request ID from database (for tracking and updating status) */
2733
- commitBlameRequestId: z18.string(),
2721
+ commitBlameRequestId: z15.string(),
2734
2722
  /** Organization ID (for org-scoped caching) */
2735
- organizationId: z18.string(),
2723
+ organizationId: z15.string(),
2736
2724
  /** Full repository URL (e.g., https://github.com/org/repo) */
2737
- repositoryUrl: z18.string(),
2725
+ repositoryUrl: z15.string(),
2738
2726
  /** Commit SHA to analyze (typically PR head commit) */
2739
- commitSha: z18.string(),
2727
+ commitSha: z15.string(),
2740
2728
  /** Authentication headers for repository access (e.g., GitHub token) */
2741
- extraHeaders: z18.record(z18.string(), z18.string()).default({}),
2729
+ extraHeaders: z15.record(z15.string(), z15.string()).default({}),
2742
2730
  // --- PR analysis fields ---
2743
2731
  /** Target branch name (from getPr() base.ref). When set, enables PR analysis mode. */
2744
- targetBranch: z18.string().optional(),
2732
+ targetBranch: z15.string().optional(),
2745
2733
  /** Context for triggering blame attribution analysis after SCM agent completes. */
2746
2734
  prContext: PrContextZ.optional(),
2747
2735
  /** User email for blame attribution analysis trigger context (used for both PR and single commit flows). */
2748
- userEmail: z18.string().optional()
2736
+ userEmail: z15.string().optional()
2749
2737
  });
2750
- BlameLineInfoZ = z18.object({
2738
+ BlameLineInfoZ = z15.object({
2751
2739
  /** Line number as it appeared in the introducing commit */
2752
- originalLineNumber: z18.number(),
2740
+ originalLineNumber: z15.number(),
2753
2741
  /** Commit SHA that introduced this line */
2754
- commitSha: z18.string(),
2742
+ commitSha: z15.string(),
2755
2743
  /** Author name for this line */
2756
- authorName: z18.string().optional(),
2744
+ authorName: z15.string().optional(),
2757
2745
  /** Author email for this line */
2758
- authorEmail: z18.string().optional()
2746
+ authorEmail: z15.string().optional()
2759
2747
  }).nullable();
2760
- FileBlameDataZ = z18.array(BlameLineInfoZ);
2761
- ChunkFetchResultZ = z18.object({
2762
- filePath: z18.string(),
2763
- lines: z18.array(z18.number()),
2748
+ FileBlameDataZ = z15.array(BlameLineInfoZ);
2749
+ ChunkFetchResultZ = z15.object({
2750
+ filePath: z15.string(),
2751
+ lines: z15.array(z15.number()),
2764
2752
  data: FileBlameDataZ.nullable()
2765
2753
  });
2766
- FileBlameResponseEntryZ = z18.object({
2754
+ FileBlameResponseEntryZ = z15.object({
2767
2755
  /** Chunk index (0 for small files, 0-N for large file chunks) */
2768
- chunkIndex: z18.number(),
2756
+ chunkIndex: z15.number(),
2769
2757
  /** Blame data array (1-indexed, index 0 is null) */
2770
2758
  blameData: FileBlameDataZ
2771
2759
  });
2772
- CommitBlameDataZ = z18.record(
2773
- z18.string(),
2760
+ CommitBlameDataZ = z15.record(
2761
+ z15.string(),
2774
2762
  // fileName
2775
- z18.array(FileBlameResponseEntryZ)
2763
+ z15.array(FileBlameResponseEntryZ)
2776
2764
  );
2777
- CommitInfoZ = z18.object({
2765
+ CommitInfoZ = z15.object({
2778
2766
  /** Number of parent commits (1 = normal commit, 2+ = merge commit, null = failed to determine) */
2779
- parentCount: z18.number().nullable()
2767
+ parentCount: z15.number().nullable()
2780
2768
  });
2781
- GitIdentityZ = z18.object({
2782
- name: z18.string(),
2783
- email: z18.string()
2769
+ GitIdentityZ = z15.object({
2770
+ name: z15.string(),
2771
+ email: z15.string()
2784
2772
  });
2785
2773
  COMMIT_LOG_FORMAT = "%H%x00%ae%x00%an%x00%ce%x00%cn%x00%at%x00%s%x00%(trailers:key=Co-authored-by,valueonly,separator=%x00)";
2786
- CommitDataZ = z18.object({
2787
- diff: z18.string(),
2774
+ CommitDataZ = z15.object({
2775
+ diff: z15.string(),
2788
2776
  author: GitIdentityZ,
2789
2777
  committer: GitIdentityZ,
2790
- coAuthors: z18.array(GitIdentityZ),
2791
- timestamp: z18.number(),
2778
+ coAuthors: z15.array(GitIdentityZ),
2779
+ timestamp: z15.number(),
2792
2780
  // Unix timestamp in seconds
2793
- message: z18.string().optional(),
2794
- parentCount: z18.number().nullable()
2781
+ message: z15.string().optional(),
2782
+ parentCount: z15.number().nullable()
2795
2783
  });
2796
- PrDiffDataZ = z18.object({
2797
- diff: z18.string()
2784
+ PrDiffDataZ = z15.object({
2785
+ diff: z15.string()
2798
2786
  });
2799
- PrStatsZ = z18.object({
2800
- additions: z18.number(),
2801
- deletions: z18.number()
2787
+ PrStatsZ = z15.object({
2788
+ additions: z15.number(),
2789
+ deletions: z15.number()
2802
2790
  });
2803
- CommitsManifestZ = z18.object({
2804
- commits: z18.array(z18.string())
2791
+ CommitsManifestZ = z15.object({
2792
+ commits: z15.array(z15.string())
2805
2793
  // Array of commit SHAs in order
2806
2794
  });
2807
- BlameLineEntryZ = z18.object({
2795
+ BlameLineEntryZ = z15.object({
2808
2796
  /** Current file path in the PR head (what git blame was invoked on). */
2809
- file: z18.string(),
2797
+ file: z15.string(),
2810
2798
  /** Current line number in the PR head. */
2811
- line: z18.number(),
2799
+ line: z15.number(),
2812
2800
  /** SHA of the commit that originally authored this line. */
2813
- originalCommitSha: z18.string(),
2801
+ originalCommitSha: z15.string(),
2814
2802
  /** Line number as it was in `originalCommitSha`. */
2815
- originalLineNumber: z18.number(),
2803
+ originalLineNumber: z15.number(),
2816
2804
  /**
2817
2805
  * File path as it was in `originalCommitSha` at the time that commit
2818
2806
  * authored this line. When a file has been renamed since, this differs
@@ -2825,24 +2813,24 @@ var init_gitBlameTypes = __esm({
2825
2813
  * must treat empty as "fall back to `file`" (see enrichDiffLines,
2826
2814
  * targetedBlame).
2827
2815
  */
2828
- originalFile: z18.string().default("")
2816
+ originalFile: z15.string().default("")
2829
2817
  });
2830
- BlameLinesDataZ = z18.object({
2831
- lines: z18.array(BlameLineEntryZ)
2818
+ BlameLinesDataZ = z15.object({
2819
+ lines: z15.array(BlameLineEntryZ)
2832
2820
  });
2833
- PrepareCommitBlameResponseMessageZ = z18.object({
2821
+ PrepareCommitBlameResponseMessageZ = z15.object({
2834
2822
  /** Commit blame request ID (matches request, used to update specific DB record) */
2835
- commitBlameRequestId: z18.string(),
2823
+ commitBlameRequestId: z15.string(),
2836
2824
  /** Organization ID (matches request) */
2837
- organizationId: z18.string(),
2825
+ organizationId: z15.string(),
2838
2826
  /** Repository URL (matches request) */
2839
- repositoryUrl: z18.string(),
2827
+ repositoryUrl: z15.string(),
2840
2828
  /** Commit SHA analyzed (matches request) */
2841
- commitSha: z18.string(),
2829
+ commitSha: z15.string(),
2842
2830
  /** Processing status */
2843
- status: z18.enum(["success", "failure"]),
2831
+ status: z15.enum(["success", "failure"]),
2844
2832
  /** Error message (only present if status is 'failure') */
2845
- error: z18.string().optional(),
2833
+ error: z15.string().optional(),
2846
2834
  /**
2847
2835
  * Blame data for all processed files/chunks.
2848
2836
  * Empty dictionary if status is 'failure'.
@@ -2854,29 +2842,29 @@ var init_gitBlameTypes = __esm({
2854
2842
  * Keyed by commit SHA, deduplicated.
2855
2843
  * Empty dictionary if status is 'failure'.
2856
2844
  */
2857
- commits: z18.record(z18.string(), CommitInfoZ).default({}),
2845
+ commits: z15.record(z15.string(), CommitInfoZ).default({}),
2858
2846
  // --- New PR diff computation response fields ---
2859
2847
  /** S3 paths for commit-level data (commitSha → S3 key). Present in PR analysis mode and single commit mode. */
2860
- commitDataS3Paths: z18.record(z18.string(), z18.string()).optional(),
2848
+ commitDataS3Paths: z15.record(z15.string(), z15.string()).optional(),
2861
2849
  /** S3 key for PR diff JSON. Present in PR analysis mode. */
2862
- prDiffS3Path: z18.string().optional(),
2850
+ prDiffS3Path: z15.string().optional(),
2863
2851
  /** S3 key for commits manifest. Present in PR analysis mode. */
2864
- commitsManifestS3Path: z18.string().optional(),
2852
+ commitsManifestS3Path: z15.string().optional(),
2865
2853
  /** S3 key for per-line targeted blame data. Present in PR analysis mode. */
2866
- blameLinesS3Path: z18.string().optional(),
2854
+ blameLinesS3Path: z15.string().optional(),
2867
2855
  /** S3 key for PR stats (additions/deletions). Present in PR analysis mode. */
2868
- prStatsS3Path: z18.string().optional(),
2856
+ prStatsS3Path: z15.string().optional(),
2869
2857
  /** PR context passed through from request for response handler. */
2870
2858
  prContext: PrContextZ.optional(),
2871
2859
  /** PR title from the request metadata (passed through). */
2872
- prTitle: z18.string().optional(),
2860
+ prTitle: z15.string().optional(),
2873
2861
  /** User email passed through from request for single commit blame attribution analysis trigger. */
2874
- userEmail: z18.string().optional()
2862
+ userEmail: z15.string().optional()
2875
2863
  });
2876
- VulnerabilityAttributionMessageZ = z18.object({
2877
- fixReportId: z18.string().uuid(),
2878
- vulnerabilityAttributionRequestId: z18.string().uuid(),
2879
- userEmail: z18.string()
2864
+ VulnerabilityAttributionMessageZ = z15.object({
2865
+ fixReportId: z15.string().uuid(),
2866
+ vulnerabilityAttributionRequestId: z15.string().uuid(),
2867
+ userEmail: z15.string()
2880
2868
  });
2881
2869
  }
2882
2870
  });
@@ -4143,7 +4131,7 @@ import * as os3 from "os";
4143
4131
  import path6 from "path";
4144
4132
  import chalk3 from "chalk";
4145
4133
  import { withFile } from "tmp-promise";
4146
- import z26 from "zod";
4134
+ import z23 from "zod";
4147
4135
 
4148
4136
  // src/commands/handleMobbLogin.ts
4149
4137
  import chalk2 from "chalk";
@@ -4615,7 +4603,7 @@ import debugModule from "debug";
4615
4603
  var debug3 = debugModule("mobb:shared");
4616
4604
 
4617
4605
  // src/features/analysis/scm/utils/index.ts
4618
- import { z as z14 } from "zod";
4606
+ import { z as z11 } from "zod";
4619
4607
 
4620
4608
  // src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
4621
4609
  init_client_generates();
@@ -4633,1560 +4621,6 @@ init_getIssueType();
4633
4621
 
4634
4622
  // src/features/analysis/scm/shared/src/guidances.ts
4635
4623
  init_client_generates();
4636
- init_getIssueType();
4637
- import { z as z11 } from "zod";
4638
-
4639
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4640
- init_client_generates();
4641
- import { z as z9 } from "zod";
4642
-
4643
- // src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
4644
- var passwordInComment = {
4645
- guidance: () => "Removing sensitive information from the comments is not enough. To ensure the security of your data, you have to rotate passwords and tokens and update all places where they were used."
4646
- };
4647
-
4648
- // src/features/analysis/scm/shared/src/storedFixData/csharp/missingAntiForgeryValidation.ts
4649
- var missingAntiForgeryValidation = {
4650
- guidance: () => `The \`ValidateAntiForgeryToken\` attribute helps prevent cross-site request forgery (CSRF) attacks. The token is automatically injected into the view by the [FormTagHelper](https://learn.microsoft.com/en-us/aspnet/core/mvc/views/working-with-forms?view=aspnetcore-8.0#the-form-tag-helper)
4651
- and is included when the form is submitted by the user. The token is validated by the \`ValidateAntiForgeryToken\` attribute. The token could be also generated using the [Html.AntiForgeryToken](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.htmlhelper.antiforgerytoken?view=aspnet-mvc-5.2) helper.
4652
-
4653
-  
4654
-
4655
-
4656
- ***Make sure this controller's client provides the validation token before approving this change.***
4657
-
4658
-  
4659
-
4660
-
4661
- This is an illustration of how the form will look like:
4662
-
4663
-  
4664
-
4665
- <form method="post" action="/Action">
4666
- <!-- Input and Submit elements -->
4667
- <input name="__RequestVerificationToken"
4668
- type="hidden" value="<removed for brevity>">
4669
- </form>
4670
-
4671
-
4672
- ***Notice the \`__RequestVerificationToken\` parameters.***
4673
- `
4674
- };
4675
-
4676
- // src/features/analysis/scm/shared/src/storedFixData/csharp/index.ts
4677
- var vulnerabilities = {
4678
- ["MISSING_ANTIFORGERY_VALIDATION"]: missingAntiForgeryValidation,
4679
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4680
- };
4681
- var csharp_default = vulnerabilities;
4682
-
4683
- // src/features/analysis/scm/shared/src/storedFixData/dockerfile/index.ts
4684
- var vulnerabilities2 = {};
4685
- var dockerfile_default = vulnerabilities2;
4686
-
4687
- // src/features/analysis/scm/shared/src/storedFixData/go/index.ts
4688
- var vulnerabilities3 = {};
4689
- var go_default = vulnerabilities3;
4690
-
4691
- // src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
4692
- var vulnerabilities4 = {};
4693
- var hcl_default = vulnerabilities4;
4694
-
4695
- // src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
4696
- var insecureDeserialization = {
4697
- guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
4698
- };
4699
-
4700
- // src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
4701
- var j2eeGetConnection = {
4702
- guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
4703
-
4704
-
4705
- &nbsp;
4706
-
4707
- ***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
4708
-
4709
- - **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
4710
- - **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
4711
- - **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
4712
- - **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
4713
-
4714
-
4715
- &nbsp;
4716
-
4717
- Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
4718
-
4719
-
4720
- &nbsp;
4721
-
4722
- This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
4723
- };
4724
-
4725
- // src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
4726
- var systemInformationLeak = {
4727
- guidance: ({
4728
- clientMightBeAffected
4729
- }) => {
4730
- if (clientMightBeAffected) {
4731
- return "You should never expose error details to the client. We removed the error details from the response. Ensure the client application code does not rely on the removed information.";
4732
- }
4733
- return "";
4734
- }
4735
- };
4736
-
4737
- // src/features/analysis/scm/shared/src/storedFixData/java/index.ts
4738
- var vulnerabilities5 = {
4739
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4740
- ["INSECURE_DESERIALIZATION"]: insecureDeserialization,
4741
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection,
4742
- ["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
4743
- };
4744
- var java_default = vulnerabilities5;
4745
-
4746
- // src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
4747
- var csrf = {
4748
- guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
4749
-
4750
-
4751
- If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
4752
-
4753
-
4754
- See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
4755
- };
4756
-
4757
- // src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
4758
- var hardcodedSecrets = {
4759
- guidance: ({ questions }) => {
4760
- const envVarName = questions.find((q) => q.key === "env_var_name")?.value || "the";
4761
- const keepAsDefault = questions.find(
4762
- (q) => q.key === "keep_as_default"
4763
- )?.value;
4764
- let additionalText = "";
4765
- if (keepAsDefault === "yes") {
4766
- additionalText = "\n1. Remove the hardcoded secret from the code.\n";
4767
- }
4768
- return `Please follow the steps in this specific order:
4769
-
4770
- 1. Change the secret that was hardcoded. It is essential because even when you commit the changes, the secret will remain in the git history.${additionalText}
4771
- 1. Update the configuration of all your application environments and CI/CD pipelines to set \`${envVarName}\` environment variable.
4772
- 1. Commit the changes.`;
4773
- }
4774
- };
4775
-
4776
- // src/features/analysis/scm/shared/src/storedFixData/javascript/noLimitsOrThrottling.ts
4777
- var noLimitsOrThrottling = {
4778
- guidance: () => "We set the default limit to 60 requests per minute. To customize the rate limit settings, please read the documentation of the [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) package."
4779
- };
4780
-
4781
- // src/features/analysis/scm/shared/src/storedFixData/javascript/ssrf.ts
4782
- var ssrf = {
4783
- guidance: () => "The server-side validates the domains it has access to, otherwise it throws an error if validation failed. Please make sure you handled the error correctly."
4784
- };
4785
-
4786
- // src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
4787
- var vulnerabilities6 = {
4788
- ["SSRF"]: ssrf,
4789
- ["HARDCODED_SECRETS"]: hardcodedSecrets,
4790
- ["PASSWORD_IN_COMMENT"]: passwordInComment,
4791
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling,
4792
- ["CSRF"]: csrf
4793
- };
4794
- var javascript_default = vulnerabilities6;
4795
-
4796
- // src/features/analysis/scm/shared/src/storedFixData/php/index.ts
4797
- var vulnerabilities7 = {};
4798
- var php_default = vulnerabilities7;
4799
-
4800
- // src/features/analysis/scm/shared/src/storedFixData/python/autoEscapeFalse.ts
4801
- var autoEscapeFalse = {
4802
- guidance: () => `This fix enables automatic escaping for HTML. When that's enabled, everything is escaped by default except for values explicitly marked as safe. Variables and expressions can be marked as safe either in:
4803
-
4804
- a. The context dictionary by the application with \`markupsafe.Markup\`
4805
-
4806
- b. The template, with the \`|safe\` filter.
4807
-
4808
- &nbsp;
4809
-
4810
-
4811
- See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping) and [here](https://pypi.org/project/MarkupSafe/).
4812
-
4813
- &nbsp;
4814
-
4815
-
4816
- ***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
4817
- };
4818
-
4819
- // src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
4820
- var improperCertificateValidation = {
4821
- guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
4822
-
4823
- &nbsp;
4824
-
4825
- ***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
4826
-
4827
- &nbsp;
4828
-
4829
- See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
4830
- };
4831
-
4832
- // src/features/analysis/scm/shared/src/storedFixData/python/index.ts
4833
- var vulnerabilities8 = {
4834
- ["AUTO_ESCAPE_FALSE"]: autoEscapeFalse,
4835
- ["CSRF"]: csrf,
4836
- ["IMPROPER_CERTIFICATE_VALIDATION"]: improperCertificateValidation
4837
- };
4838
- var python_default = vulnerabilities8;
4839
-
4840
- // src/features/analysis/scm/shared/src/storedFixData/sql/defaultRightsInObjDefinition.ts
4841
- var defaultRightsInObjDefinition = {
4842
- guidance: () => "***Make sure the user who is supposed to run the procedure has sufficient permissions.***\n\nRead more details about the `EXECUTE AS` statement in [the official Microsoft documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-clause-transact-sql?view=sql-server-ver16&tabs=sqlserver).\n\n`EXECUTE AS CALLER` is the default behavior for SQL Server 2005 and later."
4843
- };
4844
-
4845
- // src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
4846
- var vulnerabilities9 = {
4847
- ["DEFAULT_RIGHTS_IN_OBJ_DEFINITION"]: defaultRightsInObjDefinition
4848
- };
4849
- var sql_default = vulnerabilities9;
4850
-
4851
- // src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
4852
- var vulnerabilities10 = {
4853
- ["PASSWORD_IN_COMMENT"]: passwordInComment
4854
- };
4855
- var xml_default = vulnerabilities10;
4856
-
4857
- // src/features/analysis/scm/shared/src/storedFixData/index.ts
4858
- var StoredFixDataItemZ = z9.object({
4859
- guidance: z9.function().args(z9.any()).returns(z9.string())
4860
- });
4861
- var languages = {
4862
- ["Java" /* Java */]: java_default,
4863
- ["JavaScript" /* JavaScript */]: javascript_default,
4864
- ["CSharp" /* CSharp */]: csharp_default,
4865
- ["SQL" /* Sql */]: sql_default,
4866
- ["XML" /* Xml */]: xml_default,
4867
- ["Python" /* Python */]: python_default,
4868
- ["PHP" /* Php */]: php_default,
4869
- ["Go" /* Go */]: go_default,
4870
- ["Dockerfile" /* Dockerfile */]: dockerfile_default,
4871
- ["Hcl" /* Hcl */]: hcl_default
4872
- };
4873
-
4874
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
4875
- init_client_generates();
4876
- import { z as z10 } from "zod";
4877
-
4878
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
4879
- var commandInjection = {
4880
- isUnixShellCommandPart: {
4881
- content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
4882
- description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
4883
-
4884
- - \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
4885
- - \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
4886
-
4887
- Answer **no** (the input is not plain data) when the input is:
4888
-
4889
- 1. The program/executable itself:
4890
- - \`system(input);\`
4891
- - \`sprintf(cmd, "%s -x", input);\`
4892
- 2. A command after a pipe or redirect:
4893
- - \`sprintf(cmd, "cat file.txt | %s", input);\`
4894
- 3. A part of a non-Unix or cross-platform shell command.
4895
- 4. A part of embedded code in another language:
4896
- - \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
4897
- - \`sprintf(cmd, "awk '%s' file", input);\`
4898
- 5. A flag/option that controls a tool's behaviour:
4899
- - \`sprintf(cmd, "git --upload-pack %s", input);\``,
4900
- guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
4901
- },
4902
- executableLocationPath: {
4903
- content: () => "What is the absolute path of the directory containing the executable?",
4904
- description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
4905
-
4906
- Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
4907
- guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
4908
- }
4909
- };
4910
-
4911
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/pathManipulation.ts
4912
- var pathManipulation = {
4913
- baseDirectory: {
4914
- content: ({ expression }) => `Which directory must \`${expression}\` stay within? Enter the absolute base directory file access is restricted to.`,
4915
- description: ({ expression }) => `The fix canonicalizes \`${expression}\` (resolving \`.\`, \`..\`, and symlinks) and verifies the result stays inside this base directory. Provide the **absolute** root the application is allowed to read or write under, for example \`/var/app/data\`. The directory must exist at runtime. A path that resolves outside it is rejected at runtime.`,
4916
- guidance: (_) => "You **must** set this to an absolute path that exists at runtime and that your application confines file access to. If you leave it unset (or give a relative path), the generated fix is emitted with a placeholder identifier (`MOBB_SET_ALLOWED_BASE_DIR`) that **deliberately does not compile**, so a missing security boundary cannot be overlooked \u2014 replace it with your absolute base directory. A relative path would otherwise resolve against the process working directory (moving the boundary). At runtime the guard aborts (C: `exit(EXIT_FAILURE)`) / throws (C++: `std::runtime_error`) on a path that escapes the base. Pick the narrowest directory that still contains every legitimate file the code opens."
4917
- }
4918
- };
4919
-
4920
- // src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
4921
- var vulnerabilities11 = {
4922
- ["CMDi"]: commandInjection,
4923
- ["PT"]: pathManipulation
4924
- };
4925
- var cpp_default = vulnerabilities11;
4926
-
4927
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
4928
- var httpOnlyCookie = {
4929
- httpOnlyCookie: {
4930
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
4931
- description: () => httpOnlyMessage,
4932
- guidance: () => ""
4933
- },
4934
- cookieVarName: {
4935
- content: () => "Please define a variable name",
4936
- description: () => `We need a variable for the new cookie instance`,
4937
- guidance: () => ""
4938
- }
4939
- };
4940
- var httpOnlyMessage = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
4941
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
4942
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
4943
-
4944
- &nbsp;
4945
-
4946
-
4947
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
4948
-
4949
- &nbsp;
4950
-
4951
- `;
4952
-
4953
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureBinderConfiguration.ts
4954
- var insecureBinderConfiguration = {
4955
- bindAttributeParam: {
4956
- content: ({ func_param_name }) => `Which properties of the model should be included in model binding for \`${func_param_name}\`?`,
4957
- description: () => "Provide a comma-separated list of valid property names to be included in model binding. See [the official documentation](https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding?view=aspnetcore-8.0#bind-attribute) for more details.",
4958
- guidance: () => ""
4959
- }
4960
- };
4961
-
4962
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureCookie.ts
4963
- var insecureCookie = {
4964
- insecureCookie: {
4965
- content: () => "Will this cookie be used only in encrypted channels (https)?",
4966
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
4967
- In environments like local development or test, setting cookies as secure might have some consequences:
4968
-
4969
- &nbsp;
4970
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
4971
- additional configuration and certificates. If cookies are marked as secure,
4972
- they won't be sent over HTTP, and this could potentially interfere with the normal
4973
- functioning of your application during development.
4974
-
4975
- &nbsp;
4976
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
4977
- testing environment accurately simulates the production environment's security features.
4978
- This may involve setting up HTTPS in your local development environment.
4979
-
4980
- &nbsp;
4981
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
4982
- development environment, especially if you need to inspect or manipulate the cookies during
4983
- development.`,
4984
- guidance: () => ""
4985
- },
4986
- cookieVarName: {
4987
- content: () => "Please define a variable name",
4988
- description: () => `We need a variable for the new cookie instance`,
4989
- guidance: () => ""
4990
- }
4991
- };
4992
-
4993
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureRandomness.ts
4994
- var insecureRandomness = {
4995
- isRandomNumberGeneratorAvailable: {
4996
- content: () => "We use the `RandomNumberGenerator` class from the `System.Security.Cryptography` package. Does this class exist for the .NET version you use?",
4997
- description: () => "See [the official documentation](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-8.0#applies-to) for more details.",
4998
- guidance: () => ""
4999
- },
5000
- isNetVersionGreaterThan6: {
5001
- content: () => "We are able to offer a more concise solution if the .NET version is greater then .NET 6",
5002
- description: () => "",
5003
- guidance: () => ""
5004
- }
5005
- };
5006
-
5007
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/insufficientLogging.ts
5008
- var insufficientLogging = {
5009
- logMessage: {
5010
- content: () => "Enter the message that you want to appear in the log",
5011
- description: () => "",
5012
- guidance: () => ""
5013
- }
5014
- };
5015
-
5016
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/logForging.ts
5017
- var logForging = {
5018
- isHtmlDisplay: {
5019
- content: () => "Is the text written to the log going to be displayed as HTML?",
5020
- description: () => "",
5021
- guidance: ({ userInputValue }) => {
5022
- switch (userInputValue) {
5023
- case "yes":
5024
- return "We use the `System.Web` `HttpUtility` to decode the HTML";
5025
- default:
5026
- return "";
5027
- }
5028
- }
5029
- }
5030
- };
5031
-
5032
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/overlyBroadCatch.ts
5033
- var overlyBroadCatch = {
5034
- defaultExceptionsInWhenFilter: {
5035
- content: () => "Exceptions to filter",
5036
- description: () => "Coma separated list of the Fully Qualified Exceptions names",
5037
- guidance: () => ""
5038
- }
5039
- };
5040
-
5041
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/pt.ts
5042
- var pt = {
5043
- taintedTermType: {
5044
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file path?`,
5045
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
5046
- guidance: () => ""
5047
- },
5048
- pathTargetDir: {
5049
- content: () => "Allowed file path",
5050
- description: () => "Provide the intended file path destination eg: /tmp/testfiles/users/",
5051
- guidance: () => ""
5052
- }
5053
- };
5054
-
5055
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
5056
- var regexMissingTimeout = {
5057
- netVersionGreaterOrEqual7: {
5058
- content: () => "Is your target framework .NET 7 or greater?",
5059
- description: () => "",
5060
- guidance: () => ""
5061
- },
5062
- timeout: {
5063
- content: () => "Enter the timeout in milliseconds",
5064
- description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
5065
- guidance: () => ""
5066
- },
5067
- useBacktrackingOption: {
5068
- content: () => "Use non backtracking option",
5069
- description: () => "If the regex does not need to use backtracking we can disable it using regex options",
5070
- guidance: () => ""
5071
- }
5072
- };
5073
-
5074
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/requestParametersBoundViaInput.ts
5075
- var requestParametersBoundViaInput = {
5076
- fieldsToCopy: {
5077
- content: () => "Please list all the fields you expect as input from the user. Use comma separated list.",
5078
- description: () => `This is meant to avoid mass assignment vulnerabilities, where the user would enter an inner unexpected field`,
5079
- guidance: () => ""
5080
- }
5081
- };
5082
-
5083
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
5084
- var sqlInjection = {
5085
- databaseProvider: {
5086
- content: () => "Select the database provider",
5087
- description: () => "",
5088
- guidance: () => ""
5089
- }
5090
- };
5091
-
5092
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/ssrf.ts
5093
- var ssrf2 = {
5094
- domainsAllowlist: {
5095
- content: () => "Allowed domains",
5096
- description: () => "Coma separated list of allowed domains.",
5097
- guidance: () => ""
5098
- }
5099
- };
5100
-
5101
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/sysLeak.ts
5102
- var sysLeak = {
5103
- errorMessage: {
5104
- content: () => "Enter the error message that you want to appear in the log",
5105
- description: () => "",
5106
- guidance: () => ""
5107
- },
5108
- noLoggerAction: {
5109
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5110
- description: () => "",
5111
- guidance: () => ""
5112
- }
5113
- };
5114
-
5115
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/trustBoundaryViolation.ts
5116
- var trustBoundaryViolation = {
5117
- validationPattern: {
5118
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
5119
- description: () => "We use regex to validate the input to avoid runtime surprises",
5120
- guidance: () => ""
5121
- },
5122
- otherPatternValue: {
5123
- content: () => `Enter the regex pattern you would like to use to validate the input`,
5124
- description: () => "See patterns at [the regex docs](https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference)",
5125
- guidance: () => ""
5126
- }
5127
- };
5128
-
5129
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/useOfSystemOutputStream.ts
5130
- var useOfSystemOutputStream = {
5131
- noLoggerAction: {
5132
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5133
- description: () => "",
5134
- guidance: () => ""
5135
- }
5136
- };
5137
-
5138
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/valueShadowing.ts
5139
- var valueShadowing = {
5140
- collectionName: {
5141
- content: () => "Please select the collection to search/index from",
5142
- description: () => `Accessing the root object eg Request["item"] searches across all available collections and returns the first item that matches. Potentially leading to the correct value being shadowed. Available collections include:
5143
- - QueryString: The values of variables in the HTTP query string.
5144
- - Form: The values of form elements in the HTTP request body.
5145
- - Cookies: The values of cookies sent in the HTTP request.
5146
- - ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
5147
- - ServerVariables: The values of predetermined environment variables.`,
5148
- guidance: () => `See
5149
- - https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524948(v=vs.90),
5150
- - https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8.1`
5151
- }
5152
- };
5153
-
5154
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/wcfMisconfigurationThrottlingNotEnabled.ts
5155
- var wcfMisconfigurationThrottlingNotEnabled = {
5156
- maxConcurrentCalls: {
5157
- content: () => "Please define the maximum concurrent calls",
5158
- description: () => `A positive integer that limits the number of messages that currently process across a ServiceHost. Calls in excess of the limit are queued. Setting this value to 0 is equivalent to setting it to Int32.MaxValue.`,
5159
- guidance: () => {
5160
- return "";
5161
- }
5162
- },
5163
- maxConcurrentInstances: {
5164
- content: () => "Please define the maximum concurrent instances",
5165
- description: () => `A positive integer that limits the number of InstanceContext objects that execute at one time across a ServiceHost. Requests to create additional instances are queued and complete when a slot below the limit becomes available.`,
5166
- guidance: () => {
5167
- return "";
5168
- }
5169
- },
5170
- maxConcurrentSessions: {
5171
- content: () => "Please define the maximum concurrent sessions",
5172
- description: () => `A positive integer that limits the number of sessions a ServiceHost object can accept.`,
5173
- guidance: () => {
5174
- return "";
5175
- }
5176
- }
5177
- };
5178
-
5179
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xss.ts
5180
- var xss = {
5181
- allowSpecialCharacters: {
5182
- content: ({ source_value }) => `Does your code allow encodable HTML characters like '&', '<', '"' etc. in: \`${source_value}\`?`,
5183
- description: () => "",
5184
- guidance: () => ""
5185
- },
5186
- containsHtml: {
5187
- content: ({ prop_value }) => `Does your code allow having HTML tags in: \`${prop_value}\`?`,
5188
- description: () => "",
5189
- guidance: () => ""
5190
- },
5191
- netVersionGreaterOrEqual45: {
5192
- content: () => "Is your target framework .NET 4.5 or greater?",
5193
- description: () => "",
5194
- guidance: () => ""
5195
- },
5196
- useHTML4NamedEntities: {
5197
- content: () => "Would you like to use HTML 4.0 Named entities?",
5198
- description: () => "See [examples](https://www.w3schools.com/charsets/ref_html_entities_4.asp) and [full description](https://www.w3.org/TR/WD-html40-970708/sgml/entities.html)",
5199
- guidance: () => ""
5200
- }
5201
- };
5202
-
5203
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/xxe.ts
5204
- var xxe = {
5205
- netVersionGreaterOrEqual4: {
5206
- content: () => "Is your target framework .NET 4.0.0 or greater?",
5207
- description: () => "",
5208
- guidance: ({ userInputValue }) => {
5209
- switch (userInputValue) {
5210
- case "yes":
5211
- return "We set `DtdProcessing` to `DtdProcessing.Prohibit` in order to prevent DTD parsing.";
5212
- default:
5213
- return "We set `ProhibitDtd` to `true` in order to prevent DTD parsing.";
5214
- }
5215
- }
5216
- }
5217
- };
5218
-
5219
- // src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
5220
- var vulnerabilities12 = {
5221
- ["LOG_FORGING"]: logForging,
5222
- ["SSRF"]: ssrf2,
5223
- ["XXE"]: xxe,
5224
- ["XSS"]: xss,
5225
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream,
5226
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak,
5227
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch,
5228
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation,
5229
- ["PT"]: pt,
5230
- ["REGEX_MISSING_TIMEOUT"]: regexMissingTimeout,
5231
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie,
5232
- ["INSECURE_COOKIE"]: insecureCookie,
5233
- ["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED"]: wcfMisconfigurationThrottlingNotEnabled,
5234
- ["INSECURE_BINDER_CONFIGURATION"]: insecureBinderConfiguration,
5235
- ["VALUE_SHADOWING"]: valueShadowing,
5236
- ["INSECURE_RANDOMNESS"]: insecureRandomness,
5237
- ["INSUFFICIENT_LOGGING"]: insufficientLogging,
5238
- ["SQL_Injection"]: sqlInjection,
5239
- ["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
5240
- };
5241
- var csharp_default2 = vulnerabilities12;
5242
-
5243
- // src/features/analysis/scm/shared/src/storedQuestionData/go/logForging.ts
5244
- var logForging2 = {
5245
- isHtmlDisplay: {
5246
- content: () => "Is the text written to the log going to be displayed as HTML?",
5247
- description: () => "",
5248
- guidance: () => ""
5249
- }
5250
- };
5251
-
5252
- // src/features/analysis/scm/shared/src/storedQuestionData/go/missingSslMinversion.ts
5253
- var missingSslMinversion = {
5254
- minTlsVersion: {
5255
- content: () => "What is the minimum version of Transport Layer Security (TLS) you allow? Ensure compatibility between the server and clients.",
5256
- description: () => "",
5257
- guidance: () => ""
5258
- }
5259
- };
5260
-
5261
- // src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
5262
- var websocketMissingOriginCheck = {
5263
- minTlsVersion: {
5264
- content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
5265
- description: () => "",
5266
- guidance: () => ""
5267
- }
5268
- };
5269
-
5270
- // src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
5271
- var vulnerabilities13 = {
5272
- ["LOG_FORGING"]: logForging2,
5273
- ["MISSING_SSL_MINVERSION"]: missingSslMinversion,
5274
- ["WEBSOCKET_MISSING_ORIGIN_CHECK"]: websocketMissingOriginCheck
5275
- };
5276
- var go_default2 = vulnerabilities13;
5277
-
5278
- // src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
5279
- var commandInjection2 = {
5280
- isUnixShellCommandPart: {
5281
- content: () => "Is the input part of Unix shell command?",
5282
- description: () => `For example:
5283
-
5284
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -t 5 -c 5 " + input});\`
5285
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "curl " + input + " > file.txt"});\`
5286
-
5287
- Make sure the input is not:
5288
-
5289
- 1. An executable name:
5290
- - \`Runtime.getRuntime().exec(input);\`
5291
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", input});\`
5292
- - \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", input + " param"});\`
5293
- - \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "cat file.txt | " + input});\`
5294
- - \`Runtime.getRuntime().exec(new String[] {"/usr/bin/git", "--upload-pack", input});\`
5295
- 2. A part of non-unix or cross platform shell command:
5296
- - \`Runtime.getRuntime().exec(new String[] {"cmd.exe", "/c", "ping " + input});\`
5297
- 3. A part of programming language code:
5298
- - \`Runtime.getRuntime().exec(new String[] {"php", "-r", "echo '" + input + "';"});\`
5299
- - \`Runtime.getRuntime().exec(new String[] {"perl", "-e", "print '" + input + "'"});\``,
5300
- guidance: () => ""
5301
- },
5302
- installApacheCommonsText: {
5303
- content: () => "Is the Apache Commons library (org.apache.commons) included in your project, if not, can you add it?",
5304
- description: () => "Apache Commons Text is a library focused on algorithms working on strings.",
5305
- guidance: ({ userInputValue }) => userInputValue === "yes" ? "To add the library, modify your pom.xml or build.gradle to include the library. You can find the latest version here https://mvnrepository.com/artifact/org.apache.commons/commons-text" : ""
5306
- },
5307
- cmdAllowlist: {
5308
- content: () => "Allowed Commands",
5309
- description: () => "Make sure that the list of commands is separated by commas.",
5310
- guidance: () => ""
5311
- }
5312
- };
5313
-
5314
- // src/features/analysis/scm/shared/src/storedQuestionData/java/confusingNaming.ts
5315
- var confusingNaming = {
5316
- newFieldName: {
5317
- content: () => "Rename the existing field",
5318
- description: () => "",
5319
- guidance: () => ""
5320
- }
5321
- };
5322
-
5323
- // src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
5324
- var duplicatedStrings = {
5325
- constantName: {
5326
- content: () => "New constant name",
5327
- description: () => "",
5328
- guidance: () => ""
5329
- }
5330
- };
5331
-
5332
- // src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
5333
- var erroneousStringCompare = {
5334
- javaVersionGreaterOrEqual17: {
5335
- content: () => "Is `java.util.Objects` package available in your runtime?",
5336
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5337
- guidance: () => ""
5338
- }
5339
- };
5340
-
5341
- // src/features/analysis/scm/shared/src/storedQuestionData/java/errorConditionWithoutAction.ts
5342
- var errorConditionWithoutAction = {
5343
- errorMessage: {
5344
- content: () => "Enter the error message that you want to appear in the log",
5345
- description: () => "",
5346
- guidance: () => ""
5347
- }
5348
- };
5349
-
5350
- // src/features/analysis/scm/shared/src/storedQuestionData/java/httpOnlyCookie.ts
5351
- var httpOnlyCookie2 = {
5352
- httpOnlyCookie: {
5353
- content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
5354
- description: ({ class_name }) => class_name == "Cookie" ? `${httpOnlyMessage2} ${setHttpOnlyMethodMessage}` : httpOnlyMessage2,
5355
- guidance: () => ""
5356
- },
5357
- cookieVarName: {
5358
- content: () => "Please define a variable name",
5359
- description: () => `We need a variable for the new cookie instance`,
5360
- guidance: () => ""
5361
- }
5362
- };
5363
- var httpOnlyMessage2 = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
5364
- when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
5365
- be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
5366
-
5367
- &nbsp;
5368
-
5369
-
5370
- ***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
5371
-
5372
- &nbsp;
5373
-
5374
- `;
5375
- var setHttpOnlyMethodMessage = `Beware that if your application is using a version of the javax.servlet-api package < 3.0
5376
- this change will not work since the method "setHttpOnly" is not present in previous of the package.`;
5377
-
5378
- // src/features/analysis/scm/shared/src/storedQuestionData/java/insecureCookie.ts
5379
- var insecureCookie2 = {
5380
- insecureCookie: {
5381
- content: () => "Will this cookie be used only in encrypted channels (https)?",
5382
- description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
5383
- In environments like local development or test, setting cookies as secure might have some consequences:
5384
-
5385
- &nbsp;
5386
- - Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
5387
- additional configuration and certificates. If cookies are marked as secure,
5388
- they won't be sent over HTTP, and this could potentially interfere with the normal
5389
- functioning of your application during development.
5390
-
5391
- &nbsp;
5392
- - Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
5393
- testing environment accurately simulates the production environment's security features.
5394
- This may involve setting up HTTPS in your local development environment.
5395
-
5396
- &nbsp;
5397
- - Debugging Challenges: Debugging may be more challenging when using secure cookies in a
5398
- development environment, especially if you need to inspect or manipulate the cookies during
5399
- development.`,
5400
- guidance: () => ""
5401
- },
5402
- cookieVarName: {
5403
- content: () => "Please define a variable name",
5404
- description: () => `We need a variable for the new cookie instance`,
5405
- guidance: () => ""
5406
- }
5407
- };
5408
-
5409
- // src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
5410
- var j2eeGetConnection2 = {
5411
- jndiResourceName: {
5412
- content: () => "What JNDI name is the database connection pool registered under?",
5413
- description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
5414
- guidance: () => ""
5415
- }
5416
- };
5417
-
5418
- // src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
5419
- var leftoverDebugCode = {
5420
- isCodeUsed: {
5421
- content: () => "The function seems to be a remnant of debug code. Is it still being used?",
5422
- description: () => "",
5423
- guidance: () => ""
5424
- }
5425
- };
5426
-
5427
- // src/features/analysis/scm/shared/src/storedQuestionData/java/localeDependentComparison.ts
5428
- var localeDependentComparison = {
5429
- localeType: {
5430
- content: ({ variable }) => `Is ${variable} locale dependent?`,
5431
- description: () => `Select "locale insensitive" for string comparisons that are not dependent on the locale.
5432
-
5433
- Select "default locale" for string comparisons that uses the default locale.
5434
-
5435
- Select "custom locale" for string comparisons that are dependent on a specific locale language.`,
5436
- guidance: () => ""
5437
- },
5438
- customLocaleLanguage: {
5439
- content: () => "What is your locale language?",
5440
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5441
- guidance: () => ""
5442
- },
5443
- customLocaleCountry: {
5444
- content: () => "What is your locale country?",
5445
- description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
5446
- guidance: () => ""
5447
- }
5448
- };
5449
-
5450
- // src/features/analysis/scm/shared/src/storedQuestionData/java/logForging.ts
5451
- var logForging3 = {
5452
- isHtmlDisplay: {
5453
- content: () => "Is the text written to the log going to be displayed as HTML?",
5454
- description: () => "",
5455
- guidance: () => ""
5456
- },
5457
- htmlEscapingLib: {
5458
- content: () => "Which HTML escaping library would you like to use?",
5459
- description: () => `
5460
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5461
- - Another \`option is org.apache.commons.text.StringEscapeUtils\``,
5462
- guidance: () => ""
5463
- }
5464
- };
5465
-
5466
- // src/features/analysis/scm/shared/src/storedQuestionData/java/missingCheckAgainstNull.ts
5467
- var missingCheckAgainstNull = {
5468
- preferredAction: {
5469
- content: ({ tainted_expression }) => `What is expected behavior if \`${tainted_expression}\` returns null?`,
5470
- description: () => "",
5471
- guidance: () => ""
5472
- },
5473
- javaVersionGreaterOrEqual17: {
5474
- content: () => "Is `java.util.Objects` package available in your runtime?",
5475
- description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
5476
- guidance: () => ""
5477
- }
5478
- };
5479
-
5480
- // src/features/analysis/scm/shared/src/storedQuestionData/java/openRedirect.ts
5481
- var openRedirect = {
5482
- allowlist: {
5483
- content: () => "Allowed domains",
5484
- description: () => "Add a comma separated list of allowed domains (e.g. 'google.com,example.com')",
5485
- guidance: () => ""
5486
- }
5487
- };
5488
-
5489
- // src/features/analysis/scm/shared/src/storedQuestionData/java/overlyBroadCatch.ts
5490
- var overlyBroadCatch2 = {
5491
- handleRuntimeExceptions: {
5492
- content: () => "Does the code intentionally catch `RuntimeException` instances like `ArithmeticException` or `NullPointerException` in the `catch` block?",
5493
- description: () => "Usually, when catching the general `Exception` class catching of `RuntimeException` is implied and not necessarily the wanted/safe behavior. The application needs to deal with it explicitly in a different way, as the Mobb fix suggests.",
5494
- guidance: () => ""
5495
- }
5496
- };
5497
-
5498
- // src/features/analysis/scm/shared/src/storedQuestionData/java/privacyViolation.ts
5499
- var privacyViolation = {
5500
- remediationOption: {
5501
- content: () => "Preferred fix solution",
5502
- description: () => `
5503
- - Completely Remove the log message
5504
- - Replace the sensitive data with the string [Redacted]
5505
- - SHA 256 Hash the sensitive information in the log message`,
5506
- guidance: () => ""
5507
- }
5508
- };
5509
-
5510
- // src/features/analysis/scm/shared/src/storedQuestionData/java/pt.ts
5511
- var pt2 = {
5512
- isPathRelativeOnly: {
5513
- content: ({ expression }) => `Do you expect \`${expression}\` to be a relative path?`,
5514
- description: () => "You most likely want to serve files relative to the web server's static files folder in web applications. If so, your answer should be `yes`. In CLI applications, you probably would like to give the user more flexibility and allow them to specify absolute paths to any location on the disk \u2013 your answer should be `no` in such cases.",
5515
- guidance: () => ""
5516
- },
5517
- isFileName: {
5518
- content: ({ expression }) => `Does \`${expression}\` represent a file name or a file name part?`,
5519
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters. If \`${expression}\` is supposed to legitimately include such characters, the answer should be "no".`,
5520
- guidance: () => ""
5521
- }
5522
- };
5523
-
5524
- // src/features/analysis/scm/shared/src/storedQuestionData/java/relativePathCommand.ts
5525
- var relativePathCommand = {
5526
- executableLocationPath: {
5527
- content: () => "What is the absolute path of the directory containing the executable?",
5528
- description: () => "We need the absolute path to the executable to protect your application from command injection and ensure malicious actors cannot execute arbitrary commands on your system.",
5529
- guidance: () => ""
5530
- }
5531
- };
5532
-
5533
- // src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
5534
- var ssrf3 = {
5535
- domainsAllowlist: {
5536
- content: () => "Allowed URL prefixes",
5537
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
5538
- &nbsp;
5539
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
5540
- guidance: () => ""
5541
- }
5542
- };
5543
-
5544
- // src/features/analysis/scm/shared/src/storedQuestionData/java/sysLeak.ts
5545
- var sysLeak2 = {
5546
- errorMessage: {
5547
- content: () => "Enter the error message that you want to appear in the log",
5548
- description: () => "",
5549
- guidance: () => ""
5550
- },
5551
- noLoggerAction: {
5552
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5553
- description: () => "",
5554
- guidance: () => ""
5555
- }
5556
- };
5557
-
5558
- // src/features/analysis/scm/shared/src/storedQuestionData/java/trustBoundaryViolation.ts
5559
- var trustBoundaryViolation2 = {
5560
- validationPattern: {
5561
- content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
5562
- description: () => "We use regex to validate the input to avoid runtime surprises",
5563
- guidance: () => ""
5564
- },
5565
- otherPatternValue: {
5566
- content: () => `Enter the regex pattern you would like to use to validate the input`,
5567
- description: () => "See patterns at [the regex javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html)",
5568
- guidance: () => ""
5569
- }
5570
- };
5571
-
5572
- // src/features/analysis/scm/shared/src/storedQuestionData/java/uncheckedLoopCondition.ts
5573
- var uncheckedLoopCondition = {
5574
- loopLimit: {
5575
- content: () => "Please define a maximum loop limit",
5576
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5577
- guidance: () => ""
5578
- },
5579
- varName: {
5580
- content: () => "Please define a variable name",
5581
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5582
- guidance: () => ""
5583
- }
5584
- };
5585
-
5586
- // src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
5587
- var unsafeReflection = {
5588
- classAllowlist: {
5589
- content: () => "Allowed class names for reflection",
5590
- description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
5591
- guidance: () => ""
5592
- }
5593
- };
5594
-
5595
- // src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
5596
- var useOfSystemOutputStream2 = {
5597
- noLoggerAction: {
5598
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5599
- description: () => "",
5600
- guidance: () => ""
5601
- }
5602
- };
5603
-
5604
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xss.ts
5605
- var xss2 = {
5606
- isHtmlOrSafeAttribute: {
5607
- content: ({ tainted_variable }) => `Where is \`${tainted_variable}\` written to?`,
5608
- description: () => `Answer examples:
5609
-
5610
- - a text in an HTML tag or a value of a safe HTML attribute:
5611
- - \`<li><%= name %></li>\`
5612
- - \`<div>Name: <%= name %></div>\`
5613
- - \`<input value="<%= name %>" name="name"/>\`
5614
- - \`<div data-name="<%= name %>"></div>\`
5615
- - a JavaScript code block:
5616
- - \`<script>const name = "<%= name %>";</script>\`
5617
- - an event attribute of an HTML tag:
5618
- - \`<a onclick="alert('<%= name %>')">click me</a>\`
5619
- - \`<img onmouseover="alert('<%= name %>')"/>\`
5620
- - a src-like attribute of an HTML tag:
5621
- - \`<a href="/user/<%= name %>">me</a>\`
5622
- - \`<img src="/img/<%= name %>"/>\`
5623
- - \`<form action="<%= name %>"></form>\`
5624
- - \`<iframe srcdoc="<%= name %>"/>\`
5625
- - a part of an HTML tag attributes list:
5626
- - \`<a <%= name %>>text</a>\`
5627
-
5628
- See more details about safe and unsafe HTML attributes:
5629
- - [PortSwigger cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
5630
- - [DOMPurify attributes filter implementation](https://github.com/cure53/DOMPurify/blob/c29aa900a1c286b82ee4f48a7ffab96cab3e84fa/src/attrs.js)
5631
- `,
5632
- guidance: () => ""
5633
- },
5634
- isHtmlEncoded: {
5635
- content: () => "Is the user input already encoded as HTML text?",
5636
- description: () => "If you are unsure, we will decode the user input and encode it again to ensure it is safe and the data is kept the same.",
5637
- guidance: () => ""
5638
- },
5639
- htmlEscapingLib: {
5640
- content: () => "Which HTML escaping library would you like to use?",
5641
- description: () => `
5642
- - If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
5643
- - Another option is \`org.apache.commons.text.StringEscapeUtils\``,
5644
- guidance: () => ""
5645
- }
5646
- };
5647
-
5648
- // src/features/analysis/scm/shared/src/storedQuestionData/java/xxe.ts
5649
- var xxe2 = {
5650
- factoryVarName: {
5651
- content: () => "Name the new Factory variable",
5652
- description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
5653
- guidance: () => ""
5654
- }
5655
- };
5656
-
5657
- // src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
5658
- var vulnerabilities14 = {
5659
- ["CMDi_relative_path_command"]: relativePathCommand,
5660
- ["CMDi"]: commandInjection2,
5661
- ["CONFUSING_NAMING"]: confusingNaming,
5662
- ["ERROR_CONDTION_WITHOUT_ACTION"]: errorConditionWithoutAction,
5663
- ["XXE"]: xxe2,
5664
- ["XSS"]: xss2,
5665
- ["PRIVACY_VIOLATION"]: privacyViolation,
5666
- ["PT"]: pt2,
5667
- ["SSRF"]: ssrf3,
5668
- ["LOG_FORGING"]: logForging3,
5669
- ["LOCALE_DEPENDENT_COMPARISON"]: localeDependentComparison,
5670
- ["MISSING_CHECK_AGAINST_NULL"]: missingCheckAgainstNull,
5671
- ["OPEN_REDIRECT"]: openRedirect,
5672
- ["OVERLY_BROAD_CATCH"]: overlyBroadCatch2,
5673
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak2,
5674
- ["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream2,
5675
- ["HTTP_ONLY_COOKIE"]: httpOnlyCookie2,
5676
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition,
5677
- ["INSECURE_COOKIE"]: insecureCookie2,
5678
- ["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation2,
5679
- ["UNSAFE_REFLECTION"]: unsafeReflection,
5680
- ["J2EE_GET_CONNECTION"]: j2eeGetConnection2,
5681
- ["LEFTOVER_DEBUG_CODE"]: leftoverDebugCode,
5682
- ["ERRONEOUS_STRING_COMPARE"]: erroneousStringCompare,
5683
- ["DUPLICATED_STRINGS"]: duplicatedStrings
5684
- };
5685
- var java_default2 = vulnerabilities14;
5686
-
5687
- // src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
5688
- var csrf2 = {
5689
- isPythonDjangoTemplate: {
5690
- content: () => "Is the reported file Python Django template?",
5691
- description: () => "",
5692
- guidance: () => ""
5693
- }
5694
- };
5695
-
5696
- // src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
5697
- var commandInjection3 = {
5698
- isCommandExecutable: {
5699
- content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
5700
- description: () => `Does the command fall into one of the following categories:
5701
-
5702
- 1. An executable name:
5703
- - \`exec(input);\`
5704
- - \`exec("/bin/bash " + input);\`
5705
- - \`exec("/bin/sh -c" + input + " param");\`
5706
- - \`exec("/bin/bash -c cat file.txt | " + input);\`
5707
- - \`exec("/usr/bin/git --upload-pack " + input);\`
5708
- 2. A part of non-unix or cross platform shell command:
5709
- - \`exec("cmd.exe /c ping " + input);\`
5710
- 3. A part of programming language code:
5711
- - \`exec("php -r echo '" + input + "';");\`
5712
- - \`exec("perl -e print '" + input + "'");\``,
5713
- guidance: () => ""
5714
- }
5715
- };
5716
-
5717
- // src/features/analysis/scm/shared/src/storedQuestionData/js/graphqlDepthLimit.ts
5718
- var graphqlDepthLimit = {
5719
- depthLimit: {
5720
- content: () => "Please define a maximum query depth",
5721
- description: () => `Setting this number to a reasonable value will prevent the attack.
5722
- Make sure to pick a value large enough to allowed the nessecary amount of nested queries.`,
5723
- guidance: () => {
5724
- return "We use `graphql-depth-limit` npm package to limit the depth of nested queries. Please make sure you install the package using `npm install graphql-depth-limit`.";
5725
- }
5726
- }
5727
- };
5728
-
5729
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
5730
- var hardcodedDomainInHtml = {
5731
- isCDNFixedVersion: {
5732
- content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
5733
- description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
5734
- guidance: () => ""
5735
- }
5736
- };
5737
-
5738
- // src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
5739
- var hardcodedSecrets2 = {
5740
- envVarName: {
5741
- content: () => "Please define an environment variable name",
5742
- description: () => `We will use this environment variable instead of the hardcoded secret`,
5743
- guidance: () => ""
5744
- },
5745
- keepAsDefault: {
5746
- content: () => "Do you want to keep the hardcoded secret in the code for now?",
5747
- description: () => 'Answer "yes" if you cannot set the environment variable in all environments right away.',
5748
- guidance: () => ""
5749
- }
5750
- };
5751
-
5752
- // src/features/analysis/scm/shared/src/storedQuestionData/js/iframeWithoutSandbox.ts
5753
- var iframeWithoutSandbox = {
5754
- iframeRestrictions: {
5755
- content: () => "Please define a comma-separated list of iframe sandbox restrictions (optional)",
5756
- description: () => `Possible values:
5757
- - allow-downloads
5758
- - allow-forms
5759
- - allow-modals
5760
- - allow-orientation-lock
5761
- - allow-pointer-lock
5762
- - allow-popups
5763
- - allow-popups-to-escape-sandbox
5764
- - allow-presentation
5765
- - allow-same-origin
5766
- - allow-scripts
5767
- - allow-storage-access-by-user-activation
5768
- - allow-top-navigation
5769
- - allow-top-navigation-by-user-activation
5770
- - allow-top-navigation-to-custom-protocols
5771
-
5772
- See more info [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox).`,
5773
- guidance: () => ""
5774
- }
5775
- };
5776
-
5777
- // src/features/analysis/scm/shared/src/storedQuestionData/js/incompleteUrlSanitization.ts
5778
- var incompleteUrlSanitization = {
5779
- allowedRootDomain: {
5780
- content: () => "The root domain of your application",
5781
- description: () => "We needed to strengthen the security check by ensuring that the url is under the root domain of your application.",
5782
- guidance: () => ""
5783
- }
5784
- };
5785
-
5786
- // src/features/analysis/scm/shared/src/storedQuestionData/js/insecureRandomness.ts
5787
- var insecureRandomness2 = {
5788
- isGetRandomValuesSupported: {
5789
- content: () => "Is getRandomValues() function supported by your JavaScript engine?",
5790
- description: () => "[getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is supported by [more than 97% of browsers](https://caniuse.com/?search=getRandomValues) and [Node.js >= 15.0.0](https://nodejs.org/api/webcrypto.html#cryptogetrandomvaluestypedarray).",
5791
- guidance: () => ""
5792
- }
5793
- };
5794
-
5795
- // src/features/analysis/scm/shared/src/storedQuestionData/js/logForging.ts
5796
- var logForging4 = {
5797
- isHtmlDisplay: {
5798
- content: () => "Is the text written to the log going to be displayed as HTML?",
5799
- description: () => "",
5800
- guidance: () => ""
5801
- }
5802
- };
5803
-
5804
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
5805
- var cspHeaderValue = {
5806
- cspHeaderValue: {
5807
- content: () => "Please provide the value for the Content-Security-Policy header",
5808
- description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
5809
-
5810
- &nbsp;
5811
- &nbsp;
5812
- **What it does**:
5813
-
5814
- &nbsp;
5815
- &nbsp;
5816
- CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
5817
-
5818
- &nbsp;
5819
- &nbsp;
5820
- - Which scripts can execute.
5821
- &nbsp; - Where images can be loaded from.
5822
- &nbsp; - Which styles can be applied.
5823
- &nbsp; - Which forms can be submitted to.
5824
- &nbsp; - What domains can be connected to.
5825
- &nbsp;
5826
- &nbsp; Default value explanation:
5827
- &nbsp;
5828
- &nbsp; - default-src 'self: Only allows resources from the same origin by default.
5829
- &nbsp; - script-src 'self': Only allows scripts to be loaded from the same origin.
5830
- &nbsp; - style-src 'self': Only allows styles from the same origin.
5831
- &nbsp; - object-src 'none': Disallows <object>, <embed>, and <applet> elements.
5832
- &nbsp; - base-uri 'self': Restricts where the <base> tag can point to.
5833
- &nbsp; - frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
5834
-
5835
- &nbsp;
5836
- &nbsp; **This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
5837
- guidance: () => ``
5838
- }
5839
- };
5840
-
5841
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
5842
- var headerMaxAge = {
5843
- headerMaxAge: {
5844
- content: () => "Please provide the maximum age of the header",
5845
- description: () => `This is the time, in seconds, that the browser should remember that the site is only to be accessed using \`HTTPS\`.
5846
- &nbsp;
5847
- &nbsp;
5848
- Setting the \`max-age\` to \`0\` (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via \`HTTP\`.
5849
-
5850
-
5851
- &nbsp;
5852
- &nbsp;
5853
- The HTTP Strict-Transport-Security response header (\`HSTS\`) informs browsers that the site
5854
- should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically
5855
- be converted to HTTPS.
5856
-
5857
-
5858
- &nbsp;
5859
- &nbsp;
5860
- If a website accepts a connection through \`HTTP\` and redirects to \`HTTPS\`, visitors may initially communicate with
5861
- the non-encrypted version of the site before being redirected, if, for example, the visitor
5862
- types \`http://www.example.com\` or even just \`example.com\`. This creates an opportunity for a man-in-the-middle attack.
5863
- The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
5864
-
5865
- &nbsp;
5866
- &nbsp;
5867
- The \`HTTP\` Strict Transport Security header informs the browser that it should never load a site using \`HTTP\`
5868
- and should automatically convert all attempts to access the site using \`HTTP\` to \`HTTPS\` requests instead.`,
5869
- guidance: () => ``
5870
- }
5871
- };
5872
-
5873
- // src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
5874
- var xFrameOptionsValue = {
5875
- xFrameOptionsValue: {
5876
- content: () => "Please provide the value for the X-Frame-Options header",
5877
- description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).
5878
- &nbsp;
5879
- &nbsp; **Allowed values:**
5880
- &nbsp; - \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.
5881
- &nbsp; - \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
5882
- guidance: () => ``
5883
- }
5884
- };
5885
-
5886
- // src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
5887
- var noLimitsOrThrottling2 = {
5888
- setGlobalLimiter: {
5889
- content: () => "Would you like to use a global rate limit for all your endpoints within the same file?",
5890
- description: () => "",
5891
- guidance: () => ""
5892
- }
5893
- };
5894
-
5895
- // src/features/analysis/scm/shared/src/storedQuestionData/js/openRedirect.ts
5896
- var openRedirect2 = {
5897
- isExternal: {
5898
- content: () => "Does the redirect go to an external site?",
5899
- description: () => "",
5900
- guidance: () => ""
5901
- },
5902
- domainAllowlist: {
5903
- content: () => "Allowed domains names",
5904
- description: () => "please provide a coma separated list of allowed domains names (example.com, example.org, etc.)",
5905
- guidance: () => ""
5906
- },
5907
- pathAllowlist: {
5908
- content: () => "Allowed paths (URIs)",
5909
- description: () => "please provide a coma separated list of allowed path (/health, /api/v1/health, etc.)",
5910
- guidance: () => ""
5911
- },
5912
- includeProtocolValidation: {
5913
- content: () => "Should HTTP or HTTPS protocol be enforced?",
5914
- description: () => "please indicate if the protocol should be enforced",
5915
- guidance: () => ""
5916
- }
5917
- };
5918
-
5919
- // src/features/analysis/scm/shared/src/storedQuestionData/js/pt.ts
5920
- var pt3 = {
5921
- taintedTermType: {
5922
- content: ({ expression }) => `Does \`${expression}\` represent a file name, a relative path or an absolute path?`,
5923
- description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
5924
- guidance: () => ""
5925
- }
5926
- };
5927
-
5928
- // src/features/analysis/scm/shared/src/storedQuestionData/js/ssrf.ts
5929
- var ssrf4 = {
5930
- domainsAllowlist: {
5931
- content: () => "List of allowed domain names",
5932
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary domains.
5933
-
5934
- &nbsp;
5935
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of domains the server should be allowed to call.`,
5936
- guidance: () => ""
5937
- }
5938
- };
5939
-
5940
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeak.ts
5941
- var sysLeak3 = {
5942
- errorMessage: {
5943
- content: () => "Enter the error message that you want to appear in the log",
5944
- description: () => "",
5945
- guidance: () => ""
5946
- },
5947
- noLoggerAction: {
5948
- content: () => "Which of the following you want to use instead of the vulnerable code?",
5949
- description: () => "",
5950
- guidance: () => ""
5951
- }
5952
- };
5953
-
5954
- // src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeakExternal.ts
5955
- var sysLeakExternal = {
5956
- errorMessage: {
5957
- content: () => "Enter the error message that you want to appear to the user",
5958
- description: () => "",
5959
- guidance: () => ""
5960
- }
5961
- };
5962
-
5963
- // src/features/analysis/scm/shared/src/storedQuestionData/js/typeConfusion.ts
5964
- var typeConfusion = {
5965
- argumentType: {
5966
- content: () => "What is the type of the HTTP argument?",
5967
- description: () => "What is the type of the HTTP argument?",
5968
- guidance: () => ""
5969
- }
5970
- };
5971
-
5972
- // src/features/analysis/scm/shared/src/storedQuestionData/js/uncheckedLoopCondition.ts
5973
- var uncheckedLoopCondition2 = {
5974
- loopLimit: {
5975
- content: () => "Please define a maximum loop limit",
5976
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
5977
- guidance: () => ""
5978
- },
5979
- varName: {
5980
- content: () => "Please define a variable name",
5981
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
5982
- guidance: () => ""
5983
- }
5984
- };
5985
-
5986
- // src/features/analysis/scm/shared/src/storedQuestionData/js/xss.ts
5987
- var xss3 = {
5988
- containsHtml: {
5989
- content: () => "Does the element or variable contain HTML formatting",
5990
- description: () => "",
5991
- guidance: () => ""
5992
- },
5993
- isParamTypeString: {
5994
- content: () => "Is the parameter passed to the $() function a string",
5995
- description: () => "",
5996
- guidance: () => ""
5997
- },
5998
- isSanitized: {
5999
- content: ({ expression }) => `Is the expression \`${expression}\` supposed to be not sanitized in this context?`,
6000
- description: () => "You are using unsafe string substitution in the template. This means that if the expression can contain maliciously crafted data, it may lead to XSS injection. To apply the fix, you have to make sure the expression is not sanitized on the backend already, and it does not represent an HTML code block.",
6001
- guidance: () => ""
6002
- },
6003
- isServerSideCode: {
6004
- content: () => "Is this code running on the server side (a NodeJS application)",
6005
- description: () => "The fix to this vulnerability is different is the code runs in the client (browser) or the server side (NodeJs)",
6006
- guidance: () => ""
6007
- }
6008
- };
6009
-
6010
- // src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
6011
- var vulnerabilities15 = {
6012
- ["CMDi"]: commandInjection3,
6013
- ["GRAPHQL_DEPTH_LIMIT"]: graphqlDepthLimit,
6014
- ["INSECURE_RANDOMNESS"]: insecureRandomness2,
6015
- ["SSRF"]: ssrf4,
6016
- ["TYPE_CONFUSION"]: typeConfusion,
6017
- ["INCOMPLETE_URL_SANITIZATION"]: incompleteUrlSanitization,
6018
- ["LOG_FORGING"]: logForging4,
6019
- ["XSS"]: xss3,
6020
- ["OPEN_REDIRECT"]: openRedirect2,
6021
- ["SYSTEM_INFORMATION_LEAK"]: sysLeak3,
6022
- ["SYSTEM_INFORMATION_LEAK_EXTERNAL"]: sysLeakExternal,
6023
- ["IFRAME_WITHOUT_SANDBOX"]: iframeWithoutSandbox,
6024
- ["PT"]: pt3,
6025
- ["HARDCODED_SECRETS"]: hardcodedSecrets2,
6026
- ["MISSING_HSTS_HEADER"]: headerMaxAge,
6027
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition2,
6028
- ["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling2,
6029
- ["MISSING_CSP_HEADER"]: cspHeaderValue,
6030
- ["MISSING_X_FRAME_OPTIONS"]: xFrameOptionsValue,
6031
- ["HARDCODED_DOMAIN_IN_HTML"]: hardcodedDomainInHtml,
6032
- ["CSRF"]: csrf2
6033
- };
6034
- var js_default = vulnerabilities15;
6035
-
6036
- // src/features/analysis/scm/shared/src/storedQuestionData/python/duplicatedStrings.ts
6037
- var duplicatedStrings2 = {
6038
- constantName: {
6039
- content: () => "New constant name",
6040
- description: () => "",
6041
- guidance: () => ""
6042
- }
6043
- };
6044
-
6045
- // src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
6046
- var logForging5 = {
6047
- isHtmlDisplay: {
6048
- content: () => "Is the text written to the log going to be displayed as HTML?",
6049
- description: () => "",
6050
- guidance: ({ userInputValue }) => {
6051
- switch (userInputValue) {
6052
- case "yes":
6053
- return "We use `html.escape` to decode the HTML";
6054
- default:
6055
- return "";
6056
- }
6057
- }
6058
- }
6059
- };
6060
-
6061
- // src/features/analysis/scm/shared/src/storedQuestionData/python/missingEncoding.ts
6062
- var missingEncoding = {
6063
- fEncoding: {
6064
- content: () => "Enter the encoding of the file",
6065
- description: () => "",
6066
- guidance: () => ""
6067
- }
6068
- };
6069
-
6070
- // src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
6071
- var openRedirect3 = {
6072
- allowed_hosts: {
6073
- content: () => "Allowed domains/paths",
6074
- description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
6075
- guidance: () => ""
6076
- }
6077
- };
6078
-
6079
- // src/features/analysis/scm/shared/src/storedQuestionData/python/ssrf.ts
6080
- var ssrf5 = {
6081
- domainsAllowlist: {
6082
- content: () => "Allowed URL prefixes",
6083
- description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
6084
- &nbsp;
6085
- &nbsp; To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
6086
- guidance: () => ""
6087
- }
6088
- };
6089
-
6090
- // src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
6091
- var uncheckedLoopCondition3 = {
6092
- loopLimit: {
6093
- content: () => "Please define a maximum loop limit",
6094
- description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
6095
- guidance: () => ""
6096
- },
6097
- varName: {
6098
- content: () => "Please define a variable name",
6099
- description: () => `We need to define a variable to be used as a counter to limit the loop`,
6100
- guidance: () => ""
6101
- }
6102
- };
6103
-
6104
- // src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
6105
- var vulnerabilities16 = {
6106
- ["CSRF"]: csrf2,
6107
- ["LOG_FORGING"]: logForging5,
6108
- ["OPEN_REDIRECT"]: openRedirect3,
6109
- ["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition3,
6110
- ["DUPLICATED_STRINGS"]: duplicatedStrings2,
6111
- ["MISSING_ENCODING_FILE_OPEN"]: missingEncoding,
6112
- ["SSRF"]: ssrf5
6113
- };
6114
- var python_default2 = vulnerabilities16;
6115
-
6116
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
6117
- var unboundedOccurrences = {
6118
- maxOccursLimit: {
6119
- content: () => "The number of allowed repetitions of the element.",
6120
- description: () => "",
6121
- guidance: () => `Setting this number to a reasonable value will prevent the attack.
6122
- A value too low will prevent valid XMLs from being processed.
6123
- A value too high will cause performance issues up to and including denial of service.`
6124
- }
6125
- };
6126
-
6127
- // src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
6128
- var vulnerabilities17 = {
6129
- ["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES"]: unboundedOccurrences
6130
- };
6131
- var xml_default2 = vulnerabilities17;
6132
-
6133
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/noNewPrivileges.ts
6134
- var noNewPrivileges = {
6135
- requireNewPrivileges: {
6136
- content: () => "Does the container require new privileges?",
6137
- description: () => "",
6138
- guidance: () => `If the container requires new privileges, setting the no-new-privileges option might harm the container functionality.`
6139
- }
6140
- };
6141
-
6142
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/portAllInterfaces.ts
6143
- var portAllInterfaces = {
6144
- trustedIP: {
6145
- content: () => "Enter trusted Network IP",
6146
- description: () => "",
6147
- guidance: () => `Properly set this value to prevent access from untrusted network adapters. Setting this to a wrong value would prevent accessing the container and might break the system.`
6148
- }
6149
- };
6150
-
6151
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/writableFilesystemService.ts
6152
- var writableFilesystemService = {
6153
- requireWriteAccess: {
6154
- content: () => "Does the container require writable filesystem access?",
6155
- description: () => "",
6156
- guidance: () => `If the container requires writable filesystem access, setting the filesystem as readonly might harm the container functionality.`
6157
- }
6158
- };
6159
-
6160
- // src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
6161
- var vulnerabilities18 = {
6162
- ["PORT_ALL_INTERFACES"]: portAllInterfaces,
6163
- ["WRITABLE_FILESYSTEM_SERVICE"]: writableFilesystemService,
6164
- ["NO_NEW_PRIVILEGES"]: noNewPrivileges
6165
- };
6166
- var yaml_default = vulnerabilities18;
6167
-
6168
- // src/features/analysis/scm/shared/src/storedQuestionData/index.ts
6169
- var StoredQuestionDataItemZ = z10.object({
6170
- content: z10.function().args(z10.any()).returns(z10.string()),
6171
- description: z10.function().args(z10.any()).returns(z10.string()),
6172
- guidance: z10.function().args(z10.any()).returns(z10.string())
6173
- });
6174
- var languages2 = {
6175
- ["Java" /* Java */]: java_default2,
6176
- ["JavaScript" /* JavaScript */]: js_default,
6177
- ["XML" /* Xml */]: xml_default2,
6178
- ["CSharp" /* CSharp */]: csharp_default2,
6179
- ["Python" /* Python */]: python_default2,
6180
- ["Go" /* Go */]: go_default2,
6181
- ["Cpp" /* Cpp */]: cpp_default,
6182
- ["YAML" /* Yaml */]: yaml_default
6183
- };
6184
-
6185
- // src/features/analysis/scm/shared/src/guidances.ts
6186
- var IssueTypeAndLanguageZ = z11.object({
6187
- issueType: SafeIssueTypeStringZ,
6188
- issueLanguage: z11.nativeEnum(IssueLanguage_Enum)
6189
- });
6190
4624
 
6191
4625
  // src/features/analysis/scm/shared/src/index.ts
6192
4626
  init_issueTypeCatalog();
@@ -6195,19 +4629,19 @@ init_urlParser2();
6195
4629
  init_validations();
6196
4630
 
6197
4631
  // src/features/analysis/scm/types.ts
6198
- import { z as z13 } from "zod";
4632
+ import { z as z10 } from "zod";
6199
4633
  var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
6200
4634
  ReferenceType2["BRANCH"] = "BRANCH";
6201
4635
  ReferenceType2["COMMIT"] = "COMMIT";
6202
4636
  ReferenceType2["TAG"] = "TAG";
6203
4637
  return ReferenceType2;
6204
4638
  })(ReferenceType || {});
6205
- var GithubFullShaZ = z13.string().regex(/^[a-f0-9]{40}$/);
6206
- var MergedPrSurvivalMetadataZ = z13.object({
6207
- mergeCommitShas: z13.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
4639
+ var GithubFullShaZ = z10.string().regex(/^[a-f0-9]{40}$/);
4640
+ var MergedPrSurvivalMetadataZ = z10.object({
4641
+ mergeCommitShas: z10.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
6208
4642
  message: "mergeCommitShas must contain unique SHAs"
6209
4643
  }),
6210
- targetBranch: z13.string().min(1)
4644
+ targetBranch: z10.string().min(1)
6211
4645
  });
6212
4646
  var scmCloudHostname = {
6213
4647
  ["GitLab" /* GitLab */]: new URL(scmCloudUrl.GitLab).hostname,
@@ -6227,10 +4661,10 @@ var scmTypeToScmLibScmType = {
6227
4661
  ["Ado" /* Ado */]: "ADO" /* ADO */,
6228
4662
  ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
6229
4663
  };
6230
- var GetReferenceResultZ = z13.object({
6231
- date: z13.date().optional(),
6232
- sha: z13.string(),
6233
- type: z13.nativeEnum(ReferenceType)
4664
+ var GetReferenceResultZ = z10.object({
4665
+ date: z10.date().optional(),
4666
+ sha: z10.string(),
4667
+ type: z10.nativeEnum(ReferenceType)
6234
4668
  });
6235
4669
 
6236
4670
  // src/features/analysis/scm/ado/constants.ts
@@ -6242,39 +4676,39 @@ init_env();
6242
4676
  import querystring from "querystring";
6243
4677
  import * as api from "azure-devops-node-api";
6244
4678
  import Debug3 from "debug";
6245
- import { z as z17 } from "zod";
4679
+ import { z as z14 } from "zod";
6246
4680
 
6247
4681
  // src/features/analysis/scm/ado/validation.ts
6248
- import { z as z16 } from "zod";
6249
- var ValidPullRequestStatusZ = z16.union([
6250
- z16.literal(1 /* Active */),
6251
- z16.literal(2 /* Abandoned */),
6252
- z16.literal(3 /* Completed */)
4682
+ import { z as z13 } from "zod";
4683
+ var ValidPullRequestStatusZ = z13.union([
4684
+ z13.literal(1 /* Active */),
4685
+ z13.literal(2 /* Abandoned */),
4686
+ z13.literal(3 /* Completed */)
6253
4687
  ]);
6254
- var AdoAuthResultZ = z16.object({
6255
- access_token: z16.string().min(1),
6256
- token_type: z16.string().min(1),
6257
- refresh_token: z16.string().min(1)
4688
+ var AdoAuthResultZ = z13.object({
4689
+ access_token: z13.string().min(1),
4690
+ token_type: z13.string().min(1),
4691
+ refresh_token: z13.string().min(1)
6258
4692
  });
6259
4693
  var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
6260
- scmOrgs: z16.array(z16.string())
4694
+ scmOrgs: z13.array(z13.string())
6261
4695
  });
6262
- var profileZ = z16.object({
6263
- displayName: z16.string(),
6264
- publicAlias: z16.string().min(1),
6265
- emailAddress: z16.string(),
6266
- coreRevision: z16.number(),
6267
- timeStamp: z16.string(),
6268
- id: z16.string(),
6269
- revision: z16.number()
4696
+ var profileZ = z13.object({
4697
+ displayName: z13.string(),
4698
+ publicAlias: z13.string().min(1),
4699
+ emailAddress: z13.string(),
4700
+ coreRevision: z13.number(),
4701
+ timeStamp: z13.string(),
4702
+ id: z13.string(),
4703
+ revision: z13.number()
6270
4704
  });
6271
- var accountsZ = z16.object({
6272
- count: z16.number(),
6273
- value: z16.array(
6274
- z16.object({
6275
- accountId: z16.string(),
6276
- accountUri: z16.string(),
6277
- accountName: z16.string()
4705
+ var accountsZ = z13.object({
4706
+ count: z13.number(),
4707
+ value: z13.array(
4708
+ z13.object({
4709
+ accountId: z13.string(),
4710
+ accountUri: z13.string(),
4711
+ accountName: z13.string()
6278
4712
  })
6279
4713
  )
6280
4714
  });
@@ -6295,39 +4729,39 @@ import querystring2 from "querystring";
6295
4729
  import * as bitbucketPkgNode from "bitbucket";
6296
4730
  import bitbucketPkg from "bitbucket";
6297
4731
  import Debug4 from "debug";
6298
- import { z as z20 } from "zod";
4732
+ import { z as z17 } from "zod";
6299
4733
 
6300
4734
  // src/features/analysis/scm/bitbucket/validation.ts
6301
- import { z as z19 } from "zod";
6302
- var BitbucketAuthResultZ = z19.object({
6303
- access_token: z19.string(),
6304
- token_type: z19.string(),
6305
- refresh_token: z19.string()
4735
+ import { z as z16 } from "zod";
4736
+ var BitbucketAuthResultZ = z16.object({
4737
+ access_token: z16.string(),
4738
+ token_type: z16.string(),
4739
+ refresh_token: z16.string()
6306
4740
  });
6307
4741
 
6308
4742
  // src/features/analysis/scm/bitbucket/bitbucket.ts
6309
4743
  var debug5 = Debug4("scm:bitbucket");
6310
4744
  var BITBUCKET_HOSTNAME = "bitbucket.org";
6311
- var TokenExpiredErrorZ = z20.object({
6312
- status: z20.number(),
6313
- error: z20.object({
6314
- type: z20.string(),
6315
- error: z20.object({
6316
- message: z20.string()
4745
+ var TokenExpiredErrorZ = z17.object({
4746
+ status: z17.number(),
4747
+ error: z17.object({
4748
+ type: z17.string(),
4749
+ error: z17.object({
4750
+ message: z17.string()
6317
4751
  })
6318
4752
  })
6319
4753
  });
6320
4754
  var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
6321
- var BitbucketParseResultZ = z20.object({
6322
- organization: z20.string(),
6323
- repoName: z20.string(),
6324
- hostname: z20.literal(BITBUCKET_HOSTNAME)
4755
+ var BitbucketParseResultZ = z17.object({
4756
+ organization: z17.string(),
4757
+ repoName: z17.string(),
4758
+ hostname: z17.literal(BITBUCKET_HOSTNAME)
6325
4759
  });
6326
- var UserWorkspacePermissionsRepositoriesResponseZ = z20.object({
6327
- values: z20.array(
6328
- z20.object({
6329
- repository: z20.object({
6330
- full_name: z20.string().optional()
4760
+ var UserWorkspacePermissionsRepositoriesResponseZ = z17.object({
4761
+ values: z17.array(
4762
+ z17.object({
4763
+ repository: z17.object({
4764
+ full_name: z17.string().optional()
6331
4765
  }).optional()
6332
4766
  })
6333
4767
  ).optional()
@@ -6335,7 +4769,7 @@ var UserWorkspacePermissionsRepositoriesResponseZ = z20.object({
6335
4769
 
6336
4770
  // src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
6337
4771
  import { setTimeout as setTimeout3 } from "timers/promises";
6338
- import { z as z21 } from "zod";
4772
+ import { z as z18 } from "zod";
6339
4773
 
6340
4774
  // src/features/analysis/scm/constants.ts
6341
4775
  var REPORT_DEFAULT_FILE_NAME = "report.json";
@@ -6345,7 +4779,7 @@ init_env();
6345
4779
 
6346
4780
  // src/features/analysis/scm/github/GithubSCMLib.ts
6347
4781
  import pLimit3 from "p-limit";
6348
- import { z as z22 } from "zod";
4782
+ import { z as z19 } from "zod";
6349
4783
  init_client_generates();
6350
4784
 
6351
4785
  // src/features/analysis/scm/github/github.ts
@@ -6378,11 +4812,11 @@ import {
6378
4812
  init_env();
6379
4813
 
6380
4814
  // src/features/analysis/scm/gitlab/types.ts
6381
- import { z as z23 } from "zod";
6382
- var GitlabAuthResultZ = z23.object({
6383
- access_token: z23.string(),
6384
- token_type: z23.string(),
6385
- refresh_token: z23.string()
4815
+ import { z as z20 } from "zod";
4816
+ var GitlabAuthResultZ = z20.object({
4817
+ access_token: z20.string(),
4818
+ token_type: z20.string(),
4819
+ refresh_token: z20.string()
6386
4820
  });
6387
4821
 
6388
4822
  // src/features/analysis/scm/gitlab/gitlab.ts
@@ -6393,69 +4827,69 @@ import pLimit5 from "p-limit";
6393
4827
  init_client_generates();
6394
4828
 
6395
4829
  // src/features/analysis/scm/scmFactory.ts
6396
- import { z as z24 } from "zod";
4830
+ import { z as z21 } from "zod";
6397
4831
 
6398
4832
  // src/features/analysis/graphql/gql.ts
6399
4833
  init_client_generates();
6400
4834
 
6401
4835
  // src/features/analysis/graphql/types.ts
6402
4836
  init_client_generates();
6403
- import { z as z25 } from "zod";
6404
- var VulnerabilityReportIssueCodeNodeZ = z25.object({
6405
- vulnerabilityReportIssueId: z25.string(),
6406
- path: z25.string(),
6407
- startLine: z25.number(),
6408
- vulnerabilityReportIssue: z25.object({
6409
- fixId: z25.string(),
6410
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
6411
- safeIssueType: z25.string(),
6412
- vulnerabilityReportIssueTags: z25.array(
6413
- z25.object({
6414
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
4837
+ import { z as z22 } from "zod";
4838
+ var VulnerabilityReportIssueCodeNodeZ = z22.object({
4839
+ vulnerabilityReportIssueId: z22.string(),
4840
+ path: z22.string(),
4841
+ startLine: z22.number(),
4842
+ vulnerabilityReportIssue: z22.object({
4843
+ fixId: z22.string(),
4844
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
4845
+ safeIssueType: z22.string(),
4846
+ vulnerabilityReportIssueTags: z22.array(
4847
+ z22.object({
4848
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
6415
4849
  })
6416
4850
  )
6417
4851
  })
6418
4852
  });
6419
- var VulnerabilityReportIssueNoFixCodeNodeZ = z25.object({
6420
- vulnerabilityReportIssues: z25.array(
6421
- z25.object({
6422
- id: z25.string(),
6423
- fixId: z25.string().nullable(),
6424
- category: z25.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
6425
- safeIssueType: z25.string(),
6426
- fpId: z25.string().uuid().nullable(),
6427
- codeNodes: z25.array(
6428
- z25.object({
6429
- path: z25.string(),
6430
- startLine: z25.number()
4853
+ var VulnerabilityReportIssueNoFixCodeNodeZ = z22.object({
4854
+ vulnerabilityReportIssues: z22.array(
4855
+ z22.object({
4856
+ id: z22.string(),
4857
+ fixId: z22.string().nullable(),
4858
+ category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
4859
+ safeIssueType: z22.string(),
4860
+ fpId: z22.string().uuid().nullable(),
4861
+ codeNodes: z22.array(
4862
+ z22.object({
4863
+ path: z22.string(),
4864
+ startLine: z22.number()
6431
4865
  })
6432
4866
  ),
6433
- vulnerabilityReportIssueTags: z25.array(
6434
- z25.object({
6435
- tag: z25.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
4867
+ vulnerabilityReportIssueTags: z22.array(
4868
+ z22.object({
4869
+ tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
6436
4870
  })
6437
4871
  )
6438
4872
  })
6439
4873
  )
6440
4874
  });
6441
- var GetVulByNodesMetadataZ = z25.object({
6442
- vulnerabilityReportIssueCodeNodes: z25.array(VulnerabilityReportIssueCodeNodeZ),
6443
- nonFixablePrVuls: z25.object({
6444
- aggregate: z25.object({
6445
- count: z25.number()
4875
+ var GetVulByNodesMetadataZ = z22.object({
4876
+ vulnerabilityReportIssueCodeNodes: z22.array(VulnerabilityReportIssueCodeNodeZ),
4877
+ nonFixablePrVuls: z22.object({
4878
+ aggregate: z22.object({
4879
+ count: z22.number()
6446
4880
  })
6447
4881
  }),
6448
- fixablePrVuls: z25.object({
6449
- aggregate: z25.object({
6450
- count: z25.number()
4882
+ fixablePrVuls: z22.object({
4883
+ aggregate: z22.object({
4884
+ count: z22.number()
6451
4885
  })
6452
4886
  }),
6453
- totalScanVulnerabilities: z25.object({
6454
- aggregate: z25.object({
6455
- count: z25.number()
4887
+ totalScanVulnerabilities: z22.object({
4888
+ aggregate: z22.object({
4889
+ count: z22.number()
6456
4890
  })
6457
4891
  }),
6458
- irrelevantVulnerabilityReportIssue: z25.array(
4892
+ irrelevantVulnerabilityReportIssue: z22.array(
6459
4893
  VulnerabilityReportIssueNoFixCodeNodeZ
6460
4894
  )
6461
4895
  });
@@ -7755,8 +6189,8 @@ var defaultLogger2 = {
7755
6189
  }
7756
6190
  }
7757
6191
  };
7758
- var PromptItemZ = z26.object({
7759
- type: z26.enum([
6192
+ var PromptItemZ = z23.object({
6193
+ type: z23.enum([
7760
6194
  "USER_PROMPT",
7761
6195
  "AI_RESPONSE",
7762
6196
  "TOOL_EXECUTION",
@@ -7764,32 +6198,32 @@ var PromptItemZ = z26.object({
7764
6198
  "MCP_TOOL_CALL"
7765
6199
  // MCP (Model Context Protocol) tool invocation
7766
6200
  ]),
7767
- attachedFiles: z26.array(
7768
- z26.object({
7769
- relativePath: z26.string(),
7770
- startLine: z26.number().optional()
6201
+ attachedFiles: z23.array(
6202
+ z23.object({
6203
+ relativePath: z23.string(),
6204
+ startLine: z23.number().optional()
7771
6205
  })
7772
6206
  ).optional(),
7773
- tokens: z26.object({
7774
- inputCount: z26.number(),
7775
- outputCount: z26.number()
6207
+ tokens: z23.object({
6208
+ inputCount: z23.number(),
6209
+ outputCount: z23.number()
7776
6210
  }).optional(),
7777
- text: z26.string().optional(),
7778
- date: z26.date().optional(),
7779
- tool: z26.object({
7780
- name: z26.string(),
7781
- parameters: z26.string(),
7782
- result: z26.string(),
7783
- rawArguments: z26.string().optional(),
7784
- accepted: z26.boolean().optional(),
6211
+ text: z23.string().optional(),
6212
+ date: z23.date().optional(),
6213
+ tool: z23.object({
6214
+ name: z23.string(),
6215
+ parameters: z23.string(),
6216
+ result: z23.string(),
6217
+ rawArguments: z23.string().optional(),
6218
+ accepted: z23.boolean().optional(),
7785
6219
  // MCP-specific fields (only populated for MCP_TOOL_CALL type)
7786
- mcpServer: z26.string().optional(),
6220
+ mcpServer: z23.string().optional(),
7787
6221
  // MCP server name (e.g., "datadog", "mobb-mcp")
7788
- mcpToolName: z26.string().optional()
6222
+ mcpToolName: z23.string().optional()
7789
6223
  // MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
7790
6224
  }).optional()
7791
6225
  });
7792
- var PromptItemArrayZ = z26.array(PromptItemZ);
6226
+ var PromptItemArrayZ = z23.array(PromptItemZ);
7793
6227
  var NULL_REPO_STATE = {
7794
6228
  repositoryUrl: null,
7795
6229
  branch: null,