mobbdev 1.4.35 → 1.4.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/args/commands/upload_ai_blame.mjs +246 -1812
- package/dist/index.mjs +1303 -2641
- package/package.json +1 -1
|
@@ -342,10 +342,6 @@ var init_client_generates = __esm({
|
|
|
342
342
|
inputType
|
|
343
343
|
options
|
|
344
344
|
index
|
|
345
|
-
extraContext {
|
|
346
|
-
key
|
|
347
|
-
value
|
|
348
|
-
}
|
|
349
345
|
content
|
|
350
346
|
description
|
|
351
347
|
guidance
|
|
@@ -583,10 +579,6 @@ var init_client_generates = __esm({
|
|
|
583
579
|
patchOriginalEncodingBase64
|
|
584
580
|
questions {
|
|
585
581
|
defaultValue
|
|
586
|
-
extraContext {
|
|
587
|
-
key
|
|
588
|
-
value
|
|
589
|
-
}
|
|
590
582
|
index
|
|
591
583
|
inputType
|
|
592
584
|
key
|
|
@@ -1090,10 +1082,6 @@ var init_client_generates = __esm({
|
|
|
1090
1082
|
inputType
|
|
1091
1083
|
options
|
|
1092
1084
|
index
|
|
1093
|
-
extraContext {
|
|
1094
|
-
key
|
|
1095
|
-
value
|
|
1096
|
-
}
|
|
1097
1085
|
content
|
|
1098
1086
|
description
|
|
1099
1087
|
guidance
|
|
@@ -1335,9 +1323,10 @@ var init_fix = __esm({
|
|
|
1335
1323
|
fixDescription: z2.string(),
|
|
1336
1324
|
manifestActionsRequired: z2.array(ManifestActionRequiredZ),
|
|
1337
1325
|
extraContext: z2.array(ExtraContextInternalZ),
|
|
1338
|
-
// E-2015
|
|
1326
|
+
// E-2015: analyzer-served fix-level guidance. default([]) so a query that
|
|
1339
1327
|
// omits it still parses, while the output type is a required string[] to match
|
|
1340
|
-
// the non-null GraphQL field.
|
|
1328
|
+
// the non-null GraphQL field. The analyzer is the sole source; getFixGuidances
|
|
1329
|
+
// uses the served value directly (no fallback).
|
|
1341
1330
|
guidances: z2.array(z2.string()).default([])
|
|
1342
1331
|
});
|
|
1343
1332
|
PatchAndQuestionsZ = z2.object({
|
|
@@ -1351,13 +1340,12 @@ var init_fix = __esm({
|
|
|
1351
1340
|
index: z2.number(),
|
|
1352
1341
|
defaultValue: z2.string(),
|
|
1353
1342
|
value: z2.string().nullable(),
|
|
1354
|
-
extraContext: z2.array(ExtraContextInternalZ),
|
|
1355
1343
|
inputType: z2.nativeEnum(FixQuestionInputType),
|
|
1356
1344
|
options: z2.array(z2.string()),
|
|
1357
|
-
// E-2015
|
|
1358
|
-
// omits these still parses (-> ''
|
|
1359
|
-
//
|
|
1360
|
-
//
|
|
1345
|
+
// E-2015: analyzer-served question text. default('') so a query that
|
|
1346
|
+
// omits these still parses (-> ''), while the output type stays a required
|
|
1347
|
+
// `string` to match the non-null GraphQL fields. The analyzer is the sole
|
|
1348
|
+
// source; consumers use the served value directly (no fallback).
|
|
1361
1349
|
content: z2.string().default(""),
|
|
1362
1350
|
description: z2.string().default(""),
|
|
1363
1351
|
guidance: z2.string().default("")
|
|
@@ -2208,7 +2196,7 @@ var init_types2 = __esm({
|
|
|
2208
2196
|
});
|
|
2209
2197
|
|
|
2210
2198
|
// src/features/analysis/scm/shared/src/urlParser/urlParser.ts
|
|
2211
|
-
import { z as
|
|
2199
|
+
import { z as z9 } from "zod";
|
|
2212
2200
|
function computeCanonicalUrl(data) {
|
|
2213
2201
|
const {
|
|
2214
2202
|
scmType,
|
|
@@ -2250,7 +2238,7 @@ function detectAdoUrl(args) {
|
|
|
2250
2238
|
scmType: "Ado" /* Ado */,
|
|
2251
2239
|
organization,
|
|
2252
2240
|
// project has single repo - repoName === projectName
|
|
2253
|
-
projectName:
|
|
2241
|
+
projectName: z9.string().parse(projectName),
|
|
2254
2242
|
repoName: projectName,
|
|
2255
2243
|
prefixPath
|
|
2256
2244
|
};
|
|
@@ -2261,7 +2249,7 @@ function detectAdoUrl(args) {
|
|
|
2261
2249
|
return {
|
|
2262
2250
|
scmType: "Ado" /* Ado */,
|
|
2263
2251
|
organization,
|
|
2264
|
-
projectName:
|
|
2252
|
+
projectName: z9.string().parse(projectName),
|
|
2265
2253
|
repoName,
|
|
2266
2254
|
prefixPath
|
|
2267
2255
|
};
|
|
@@ -2275,7 +2263,7 @@ function detectAdoUrl(args) {
|
|
|
2275
2263
|
scmType: "Ado" /* Ado */,
|
|
2276
2264
|
organization,
|
|
2277
2265
|
// project has only one repo - repoName === projectName
|
|
2278
|
-
projectName:
|
|
2266
|
+
projectName: z9.string().parse(repoName),
|
|
2279
2267
|
repoName,
|
|
2280
2268
|
prefixPath
|
|
2281
2269
|
};
|
|
@@ -2285,7 +2273,7 @@ function detectAdoUrl(args) {
|
|
|
2285
2273
|
return {
|
|
2286
2274
|
scmType: "Ado" /* Ado */,
|
|
2287
2275
|
organization,
|
|
2288
|
-
projectName:
|
|
2276
|
+
projectName: z9.string().parse(projectName),
|
|
2289
2277
|
repoName,
|
|
2290
2278
|
prefixPath
|
|
2291
2279
|
};
|
|
@@ -2361,7 +2349,7 @@ function parseSshUrl(scmURL, scmType) {
|
|
|
2361
2349
|
if (pathElements.length === 3) {
|
|
2362
2350
|
const [organization2, projectName, repoName2] = pathElements;
|
|
2363
2351
|
if (organization2?.match(NAME_REGEX) && projectName && repoName2?.match(NAME_REGEX)) {
|
|
2364
|
-
const parsedProjectName =
|
|
2352
|
+
const parsedProjectName = z9.string().parse(projectName);
|
|
2365
2353
|
return {
|
|
2366
2354
|
scmType: "Ado" /* Ado */,
|
|
2367
2355
|
hostname: normalizedHostname,
|
|
@@ -2589,17 +2577,17 @@ var init_urlParser2 = __esm({
|
|
|
2589
2577
|
});
|
|
2590
2578
|
|
|
2591
2579
|
// src/features/analysis/scm/env.ts
|
|
2592
|
-
import { z as
|
|
2580
|
+
import { z as z12 } from "zod";
|
|
2593
2581
|
var EnvVariablesZod, GITLAB_API_TOKEN, GITHUB_API_TOKEN, GIT_PROXY_HOST, MAX_UPLOAD_FILE_SIZE_MB, GITHUB_API_CONCURRENCY;
|
|
2594
2582
|
var init_env = __esm({
|
|
2595
2583
|
"src/features/analysis/scm/env.ts"() {
|
|
2596
2584
|
"use strict";
|
|
2597
|
-
EnvVariablesZod =
|
|
2598
|
-
GITLAB_API_TOKEN:
|
|
2599
|
-
GITHUB_API_TOKEN:
|
|
2600
|
-
GIT_PROXY_HOST:
|
|
2601
|
-
MAX_UPLOAD_FILE_SIZE_MB:
|
|
2602
|
-
GITHUB_API_CONCURRENCY:
|
|
2585
|
+
EnvVariablesZod = z12.object({
|
|
2586
|
+
GITLAB_API_TOKEN: z12.string().optional(),
|
|
2587
|
+
GITHUB_API_TOKEN: z12.string().optional(),
|
|
2588
|
+
GIT_PROXY_HOST: z12.string().optional().default("http://tinyproxy:8888"),
|
|
2589
|
+
MAX_UPLOAD_FILE_SIZE_MB: z12.coerce.number().gt(0).default(2),
|
|
2590
|
+
GITHUB_API_CONCURRENCY: z12.coerce.number().gt(0).optional().default(10)
|
|
2603
2591
|
});
|
|
2604
2592
|
({
|
|
2605
2593
|
GITLAB_API_TOKEN,
|
|
@@ -2633,7 +2621,7 @@ var init_configs = __esm({
|
|
|
2633
2621
|
});
|
|
2634
2622
|
|
|
2635
2623
|
// src/utils/blame/gitBlameTypes.ts
|
|
2636
|
-
import { z as
|
|
2624
|
+
import { z as z15 } from "zod";
|
|
2637
2625
|
function parseCoAuthorValue(raw) {
|
|
2638
2626
|
const trimmed = raw.trim();
|
|
2639
2627
|
if (!trimmed) {
|
|
@@ -2669,9 +2657,9 @@ var PrepareGitBlameMessageZ, PrepareGitBlameResponseMessageZ, CommitMetadataZ, L
|
|
|
2669
2657
|
var init_gitBlameTypes = __esm({
|
|
2670
2658
|
"src/utils/blame/gitBlameTypes.ts"() {
|
|
2671
2659
|
"use strict";
|
|
2672
|
-
PrepareGitBlameMessageZ =
|
|
2673
|
-
reportId:
|
|
2674
|
-
repoArchivePath:
|
|
2660
|
+
PrepareGitBlameMessageZ = z15.object({
|
|
2661
|
+
reportId: z15.string(),
|
|
2662
|
+
repoArchivePath: z15.string(),
|
|
2675
2663
|
// Optional list of file paths to blame. Producers must pick one of two modes:
|
|
2676
2664
|
//
|
|
2677
2665
|
// - **Omit `filePaths`** = "blame every file in the archive". Used by the
|
|
@@ -2687,132 +2675,132 @@ var init_gitBlameTypes = __esm({
|
|
|
2687
2675
|
// "Login.java" when the actual file is "src/main/java/Login.java") are
|
|
2688
2676
|
// tolerated — scm_agent's filter matches exact-or-trailing-basename. Empty
|
|
2689
2677
|
// strings are filtered out defensively.
|
|
2690
|
-
filePaths:
|
|
2678
|
+
filePaths: z15.array(z15.string()).optional()
|
|
2691
2679
|
});
|
|
2692
|
-
PrepareGitBlameResponseMessageZ =
|
|
2693
|
-
reportId:
|
|
2680
|
+
PrepareGitBlameResponseMessageZ = z15.object({
|
|
2681
|
+
reportId: z15.string()
|
|
2694
2682
|
});
|
|
2695
|
-
CommitMetadataZ =
|
|
2696
|
-
author:
|
|
2697
|
-
"author-mail":
|
|
2698
|
-
"author-time":
|
|
2699
|
-
"author-tz":
|
|
2700
|
-
committer:
|
|
2701
|
-
"committer-mail":
|
|
2702
|
-
"committer-time":
|
|
2703
|
-
"committer-tz":
|
|
2704
|
-
summary:
|
|
2705
|
-
filename:
|
|
2683
|
+
CommitMetadataZ = z15.object({
|
|
2684
|
+
author: z15.string().optional(),
|
|
2685
|
+
"author-mail": z15.string().optional(),
|
|
2686
|
+
"author-time": z15.string().optional(),
|
|
2687
|
+
"author-tz": z15.string().optional(),
|
|
2688
|
+
committer: z15.string().optional(),
|
|
2689
|
+
"committer-mail": z15.string().optional(),
|
|
2690
|
+
"committer-time": z15.string().optional(),
|
|
2691
|
+
"committer-tz": z15.string().optional(),
|
|
2692
|
+
summary: z15.string().optional(),
|
|
2693
|
+
filename: z15.string().optional()
|
|
2706
2694
|
});
|
|
2707
|
-
LineToCommitMapZ =
|
|
2708
|
-
CommitMetadataMapZ =
|
|
2709
|
-
BlameInfoZ =
|
|
2695
|
+
LineToCommitMapZ = z15.record(z15.string(), z15.string());
|
|
2696
|
+
CommitMetadataMapZ = z15.record(z15.string(), CommitMetadataZ);
|
|
2697
|
+
BlameInfoZ = z15.object({
|
|
2710
2698
|
lineToCommit: LineToCommitMapZ,
|
|
2711
2699
|
commitMetadata: CommitMetadataMapZ
|
|
2712
2700
|
});
|
|
2713
|
-
LineRangeZ =
|
|
2701
|
+
LineRangeZ = z15.object({
|
|
2714
2702
|
/** First line in chunk (1-indexed) */
|
|
2715
|
-
start:
|
|
2703
|
+
start: z15.number(),
|
|
2716
2704
|
/** Last line in chunk (inclusive) */
|
|
2717
|
-
end:
|
|
2705
|
+
end: z15.number()
|
|
2718
2706
|
});
|
|
2719
|
-
PrContextZ =
|
|
2720
|
-
prNumber:
|
|
2721
|
-
repositoryUrl:
|
|
2722
|
-
organizationId:
|
|
2723
|
-
userEmail:
|
|
2724
|
-
source:
|
|
2725
|
-
githubContext:
|
|
2726
|
-
prNumber:
|
|
2727
|
-
installationId:
|
|
2728
|
-
repositoryURL:
|
|
2707
|
+
PrContextZ = z15.object({
|
|
2708
|
+
prNumber: z15.number(),
|
|
2709
|
+
repositoryUrl: z15.string(),
|
|
2710
|
+
organizationId: z15.string(),
|
|
2711
|
+
userEmail: z15.string(),
|
|
2712
|
+
source: z15.enum(["pr", "github"]),
|
|
2713
|
+
githubContext: z15.object({
|
|
2714
|
+
prNumber: z15.number(),
|
|
2715
|
+
installationId: z15.number(),
|
|
2716
|
+
repositoryURL: z15.string()
|
|
2729
2717
|
}).optional()
|
|
2730
2718
|
});
|
|
2731
|
-
PrepareCommitBlameMessageZ =
|
|
2719
|
+
PrepareCommitBlameMessageZ = z15.object({
|
|
2732
2720
|
/** Commit blame request ID from database (for tracking and updating status) */
|
|
2733
|
-
commitBlameRequestId:
|
|
2721
|
+
commitBlameRequestId: z15.string(),
|
|
2734
2722
|
/** Organization ID (for org-scoped caching) */
|
|
2735
|
-
organizationId:
|
|
2723
|
+
organizationId: z15.string(),
|
|
2736
2724
|
/** Full repository URL (e.g., https://github.com/org/repo) */
|
|
2737
|
-
repositoryUrl:
|
|
2725
|
+
repositoryUrl: z15.string(),
|
|
2738
2726
|
/** Commit SHA to analyze (typically PR head commit) */
|
|
2739
|
-
commitSha:
|
|
2727
|
+
commitSha: z15.string(),
|
|
2740
2728
|
/** Authentication headers for repository access (e.g., GitHub token) */
|
|
2741
|
-
extraHeaders:
|
|
2729
|
+
extraHeaders: z15.record(z15.string(), z15.string()).default({}),
|
|
2742
2730
|
// --- PR analysis fields ---
|
|
2743
2731
|
/** Target branch name (from getPr() base.ref). When set, enables PR analysis mode. */
|
|
2744
|
-
targetBranch:
|
|
2732
|
+
targetBranch: z15.string().optional(),
|
|
2745
2733
|
/** Context for triggering blame attribution analysis after SCM agent completes. */
|
|
2746
2734
|
prContext: PrContextZ.optional(),
|
|
2747
2735
|
/** User email for blame attribution analysis trigger context (used for both PR and single commit flows). */
|
|
2748
|
-
userEmail:
|
|
2736
|
+
userEmail: z15.string().optional()
|
|
2749
2737
|
});
|
|
2750
|
-
BlameLineInfoZ =
|
|
2738
|
+
BlameLineInfoZ = z15.object({
|
|
2751
2739
|
/** Line number as it appeared in the introducing commit */
|
|
2752
|
-
originalLineNumber:
|
|
2740
|
+
originalLineNumber: z15.number(),
|
|
2753
2741
|
/** Commit SHA that introduced this line */
|
|
2754
|
-
commitSha:
|
|
2742
|
+
commitSha: z15.string(),
|
|
2755
2743
|
/** Author name for this line */
|
|
2756
|
-
authorName:
|
|
2744
|
+
authorName: z15.string().optional(),
|
|
2757
2745
|
/** Author email for this line */
|
|
2758
|
-
authorEmail:
|
|
2746
|
+
authorEmail: z15.string().optional()
|
|
2759
2747
|
}).nullable();
|
|
2760
|
-
FileBlameDataZ =
|
|
2761
|
-
ChunkFetchResultZ =
|
|
2762
|
-
filePath:
|
|
2763
|
-
lines:
|
|
2748
|
+
FileBlameDataZ = z15.array(BlameLineInfoZ);
|
|
2749
|
+
ChunkFetchResultZ = z15.object({
|
|
2750
|
+
filePath: z15.string(),
|
|
2751
|
+
lines: z15.array(z15.number()),
|
|
2764
2752
|
data: FileBlameDataZ.nullable()
|
|
2765
2753
|
});
|
|
2766
|
-
FileBlameResponseEntryZ =
|
|
2754
|
+
FileBlameResponseEntryZ = z15.object({
|
|
2767
2755
|
/** Chunk index (0 for small files, 0-N for large file chunks) */
|
|
2768
|
-
chunkIndex:
|
|
2756
|
+
chunkIndex: z15.number(),
|
|
2769
2757
|
/** Blame data array (1-indexed, index 0 is null) */
|
|
2770
2758
|
blameData: FileBlameDataZ
|
|
2771
2759
|
});
|
|
2772
|
-
CommitBlameDataZ =
|
|
2773
|
-
|
|
2760
|
+
CommitBlameDataZ = z15.record(
|
|
2761
|
+
z15.string(),
|
|
2774
2762
|
// fileName
|
|
2775
|
-
|
|
2763
|
+
z15.array(FileBlameResponseEntryZ)
|
|
2776
2764
|
);
|
|
2777
|
-
CommitInfoZ =
|
|
2765
|
+
CommitInfoZ = z15.object({
|
|
2778
2766
|
/** Number of parent commits (1 = normal commit, 2+ = merge commit, null = failed to determine) */
|
|
2779
|
-
parentCount:
|
|
2767
|
+
parentCount: z15.number().nullable()
|
|
2780
2768
|
});
|
|
2781
|
-
GitIdentityZ =
|
|
2782
|
-
name:
|
|
2783
|
-
email:
|
|
2769
|
+
GitIdentityZ = z15.object({
|
|
2770
|
+
name: z15.string(),
|
|
2771
|
+
email: z15.string()
|
|
2784
2772
|
});
|
|
2785
2773
|
COMMIT_LOG_FORMAT = "%H%x00%ae%x00%an%x00%ce%x00%cn%x00%at%x00%s%x00%(trailers:key=Co-authored-by,valueonly,separator=%x00)";
|
|
2786
|
-
CommitDataZ =
|
|
2787
|
-
diff:
|
|
2774
|
+
CommitDataZ = z15.object({
|
|
2775
|
+
diff: z15.string(),
|
|
2788
2776
|
author: GitIdentityZ,
|
|
2789
2777
|
committer: GitIdentityZ,
|
|
2790
|
-
coAuthors:
|
|
2791
|
-
timestamp:
|
|
2778
|
+
coAuthors: z15.array(GitIdentityZ),
|
|
2779
|
+
timestamp: z15.number(),
|
|
2792
2780
|
// Unix timestamp in seconds
|
|
2793
|
-
message:
|
|
2794
|
-
parentCount:
|
|
2781
|
+
message: z15.string().optional(),
|
|
2782
|
+
parentCount: z15.number().nullable()
|
|
2795
2783
|
});
|
|
2796
|
-
PrDiffDataZ =
|
|
2797
|
-
diff:
|
|
2784
|
+
PrDiffDataZ = z15.object({
|
|
2785
|
+
diff: z15.string()
|
|
2798
2786
|
});
|
|
2799
|
-
PrStatsZ =
|
|
2800
|
-
additions:
|
|
2801
|
-
deletions:
|
|
2787
|
+
PrStatsZ = z15.object({
|
|
2788
|
+
additions: z15.number(),
|
|
2789
|
+
deletions: z15.number()
|
|
2802
2790
|
});
|
|
2803
|
-
CommitsManifestZ =
|
|
2804
|
-
commits:
|
|
2791
|
+
CommitsManifestZ = z15.object({
|
|
2792
|
+
commits: z15.array(z15.string())
|
|
2805
2793
|
// Array of commit SHAs in order
|
|
2806
2794
|
});
|
|
2807
|
-
BlameLineEntryZ =
|
|
2795
|
+
BlameLineEntryZ = z15.object({
|
|
2808
2796
|
/** Current file path in the PR head (what git blame was invoked on). */
|
|
2809
|
-
file:
|
|
2797
|
+
file: z15.string(),
|
|
2810
2798
|
/** Current line number in the PR head. */
|
|
2811
|
-
line:
|
|
2799
|
+
line: z15.number(),
|
|
2812
2800
|
/** SHA of the commit that originally authored this line. */
|
|
2813
|
-
originalCommitSha:
|
|
2801
|
+
originalCommitSha: z15.string(),
|
|
2814
2802
|
/** Line number as it was in `originalCommitSha`. */
|
|
2815
|
-
originalLineNumber:
|
|
2803
|
+
originalLineNumber: z15.number(),
|
|
2816
2804
|
/**
|
|
2817
2805
|
* File path as it was in `originalCommitSha` at the time that commit
|
|
2818
2806
|
* authored this line. When a file has been renamed since, this differs
|
|
@@ -2825,24 +2813,24 @@ var init_gitBlameTypes = __esm({
|
|
|
2825
2813
|
* must treat empty as "fall back to `file`" (see enrichDiffLines,
|
|
2826
2814
|
* targetedBlame).
|
|
2827
2815
|
*/
|
|
2828
|
-
originalFile:
|
|
2816
|
+
originalFile: z15.string().default("")
|
|
2829
2817
|
});
|
|
2830
|
-
BlameLinesDataZ =
|
|
2831
|
-
lines:
|
|
2818
|
+
BlameLinesDataZ = z15.object({
|
|
2819
|
+
lines: z15.array(BlameLineEntryZ)
|
|
2832
2820
|
});
|
|
2833
|
-
PrepareCommitBlameResponseMessageZ =
|
|
2821
|
+
PrepareCommitBlameResponseMessageZ = z15.object({
|
|
2834
2822
|
/** Commit blame request ID (matches request, used to update specific DB record) */
|
|
2835
|
-
commitBlameRequestId:
|
|
2823
|
+
commitBlameRequestId: z15.string(),
|
|
2836
2824
|
/** Organization ID (matches request) */
|
|
2837
|
-
organizationId:
|
|
2825
|
+
organizationId: z15.string(),
|
|
2838
2826
|
/** Repository URL (matches request) */
|
|
2839
|
-
repositoryUrl:
|
|
2827
|
+
repositoryUrl: z15.string(),
|
|
2840
2828
|
/** Commit SHA analyzed (matches request) */
|
|
2841
|
-
commitSha:
|
|
2829
|
+
commitSha: z15.string(),
|
|
2842
2830
|
/** Processing status */
|
|
2843
|
-
status:
|
|
2831
|
+
status: z15.enum(["success", "failure"]),
|
|
2844
2832
|
/** Error message (only present if status is 'failure') */
|
|
2845
|
-
error:
|
|
2833
|
+
error: z15.string().optional(),
|
|
2846
2834
|
/**
|
|
2847
2835
|
* Blame data for all processed files/chunks.
|
|
2848
2836
|
* Empty dictionary if status is 'failure'.
|
|
@@ -2854,29 +2842,29 @@ var init_gitBlameTypes = __esm({
|
|
|
2854
2842
|
* Keyed by commit SHA, deduplicated.
|
|
2855
2843
|
* Empty dictionary if status is 'failure'.
|
|
2856
2844
|
*/
|
|
2857
|
-
commits:
|
|
2845
|
+
commits: z15.record(z15.string(), CommitInfoZ).default({}),
|
|
2858
2846
|
// --- New PR diff computation response fields ---
|
|
2859
2847
|
/** S3 paths for commit-level data (commitSha → S3 key). Present in PR analysis mode and single commit mode. */
|
|
2860
|
-
commitDataS3Paths:
|
|
2848
|
+
commitDataS3Paths: z15.record(z15.string(), z15.string()).optional(),
|
|
2861
2849
|
/** S3 key for PR diff JSON. Present in PR analysis mode. */
|
|
2862
|
-
prDiffS3Path:
|
|
2850
|
+
prDiffS3Path: z15.string().optional(),
|
|
2863
2851
|
/** S3 key for commits manifest. Present in PR analysis mode. */
|
|
2864
|
-
commitsManifestS3Path:
|
|
2852
|
+
commitsManifestS3Path: z15.string().optional(),
|
|
2865
2853
|
/** S3 key for per-line targeted blame data. Present in PR analysis mode. */
|
|
2866
|
-
blameLinesS3Path:
|
|
2854
|
+
blameLinesS3Path: z15.string().optional(),
|
|
2867
2855
|
/** S3 key for PR stats (additions/deletions). Present in PR analysis mode. */
|
|
2868
|
-
prStatsS3Path:
|
|
2856
|
+
prStatsS3Path: z15.string().optional(),
|
|
2869
2857
|
/** PR context passed through from request for response handler. */
|
|
2870
2858
|
prContext: PrContextZ.optional(),
|
|
2871
2859
|
/** PR title from the request metadata (passed through). */
|
|
2872
|
-
prTitle:
|
|
2860
|
+
prTitle: z15.string().optional(),
|
|
2873
2861
|
/** User email passed through from request for single commit blame attribution analysis trigger. */
|
|
2874
|
-
userEmail:
|
|
2862
|
+
userEmail: z15.string().optional()
|
|
2875
2863
|
});
|
|
2876
|
-
VulnerabilityAttributionMessageZ =
|
|
2877
|
-
fixReportId:
|
|
2878
|
-
vulnerabilityAttributionRequestId:
|
|
2879
|
-
userEmail:
|
|
2864
|
+
VulnerabilityAttributionMessageZ = z15.object({
|
|
2865
|
+
fixReportId: z15.string().uuid(),
|
|
2866
|
+
vulnerabilityAttributionRequestId: z15.string().uuid(),
|
|
2867
|
+
userEmail: z15.string()
|
|
2880
2868
|
});
|
|
2881
2869
|
}
|
|
2882
2870
|
});
|
|
@@ -4143,7 +4131,7 @@ import * as os3 from "os";
|
|
|
4143
4131
|
import path6 from "path";
|
|
4144
4132
|
import chalk3 from "chalk";
|
|
4145
4133
|
import { withFile } from "tmp-promise";
|
|
4146
|
-
import
|
|
4134
|
+
import z23 from "zod";
|
|
4147
4135
|
|
|
4148
4136
|
// src/commands/handleMobbLogin.ts
|
|
4149
4137
|
import chalk2 from "chalk";
|
|
@@ -4615,7 +4603,7 @@ import debugModule from "debug";
|
|
|
4615
4603
|
var debug3 = debugModule("mobb:shared");
|
|
4616
4604
|
|
|
4617
4605
|
// src/features/analysis/scm/utils/index.ts
|
|
4618
|
-
import { z as
|
|
4606
|
+
import { z as z11 } from "zod";
|
|
4619
4607
|
|
|
4620
4608
|
// src/features/analysis/scm/shared/src/commitDescriptionMarkup.ts
|
|
4621
4609
|
init_client_generates();
|
|
@@ -4633,1560 +4621,6 @@ init_getIssueType();
|
|
|
4633
4621
|
|
|
4634
4622
|
// src/features/analysis/scm/shared/src/guidances.ts
|
|
4635
4623
|
init_client_generates();
|
|
4636
|
-
init_getIssueType();
|
|
4637
|
-
import { z as z11 } from "zod";
|
|
4638
|
-
|
|
4639
|
-
// src/features/analysis/scm/shared/src/storedFixData/index.ts
|
|
4640
|
-
init_client_generates();
|
|
4641
|
-
import { z as z9 } from "zod";
|
|
4642
|
-
|
|
4643
|
-
// src/features/analysis/scm/shared/src/storedFixData/passwordInComment.ts
|
|
4644
|
-
var passwordInComment = {
|
|
4645
|
-
guidance: () => "Removing sensitive information from the comments is not enough. To ensure the security of your data, you have to rotate passwords and tokens and update all places where they were used."
|
|
4646
|
-
};
|
|
4647
|
-
|
|
4648
|
-
// src/features/analysis/scm/shared/src/storedFixData/csharp/missingAntiForgeryValidation.ts
|
|
4649
|
-
var missingAntiForgeryValidation = {
|
|
4650
|
-
guidance: () => `The \`ValidateAntiForgeryToken\` attribute helps prevent cross-site request forgery (CSRF) attacks. The token is automatically injected into the view by the [FormTagHelper](https://learn.microsoft.com/en-us/aspnet/core/mvc/views/working-with-forms?view=aspnetcore-8.0#the-form-tag-helper)
|
|
4651
|
-
and is included when the form is submitted by the user. The token is validated by the \`ValidateAntiForgeryToken\` attribute. The token could be also generated using the [Html.AntiForgeryToken](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.htmlhelper.antiforgerytoken?view=aspnet-mvc-5.2) helper.
|
|
4652
|
-
|
|
4653
|
-
|
|
4654
|
-
|
|
4655
|
-
|
|
4656
|
-
***Make sure this controller's client provides the validation token before approving this change.***
|
|
4657
|
-
|
|
4658
|
-
|
|
4659
|
-
|
|
4660
|
-
|
|
4661
|
-
This is an illustration of how the form will look like:
|
|
4662
|
-
|
|
4663
|
-
|
|
4664
|
-
|
|
4665
|
-
<form method="post" action="/Action">
|
|
4666
|
-
<!-- Input and Submit elements -->
|
|
4667
|
-
<input name="__RequestVerificationToken"
|
|
4668
|
-
type="hidden" value="<removed for brevity>">
|
|
4669
|
-
</form>
|
|
4670
|
-
|
|
4671
|
-
|
|
4672
|
-
***Notice the \`__RequestVerificationToken\` parameters.***
|
|
4673
|
-
`
|
|
4674
|
-
};
|
|
4675
|
-
|
|
4676
|
-
// src/features/analysis/scm/shared/src/storedFixData/csharp/index.ts
|
|
4677
|
-
var vulnerabilities = {
|
|
4678
|
-
["MISSING_ANTIFORGERY_VALIDATION"]: missingAntiForgeryValidation,
|
|
4679
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment
|
|
4680
|
-
};
|
|
4681
|
-
var csharp_default = vulnerabilities;
|
|
4682
|
-
|
|
4683
|
-
// src/features/analysis/scm/shared/src/storedFixData/dockerfile/index.ts
|
|
4684
|
-
var vulnerabilities2 = {};
|
|
4685
|
-
var dockerfile_default = vulnerabilities2;
|
|
4686
|
-
|
|
4687
|
-
// src/features/analysis/scm/shared/src/storedFixData/go/index.ts
|
|
4688
|
-
var vulnerabilities3 = {};
|
|
4689
|
-
var go_default = vulnerabilities3;
|
|
4690
|
-
|
|
4691
|
-
// src/features/analysis/scm/shared/src/storedFixData/hcl/index.ts
|
|
4692
|
-
var vulnerabilities4 = {};
|
|
4693
|
-
var hcl_default = vulnerabilities4;
|
|
4694
|
-
|
|
4695
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/insecureDeserialization.ts
|
|
4696
|
-
var insecureDeserialization = {
|
|
4697
|
-
guidance: () => "Added a `@Consumes` annotation restricting the endpoint to common safe media types (JSON, XML, form, multipart, octet-stream, plain text). Requests with `Content-Type: application/x-java-serialized-object` are no longer routed to the RESTEasy `SerializableProvider`. If your endpoint legitimately accepts a content type not in this allowlist (e.g. `image/png`, a custom JSON variant), expect HTTP 415 from those clients and extend the `@Consumes` list to include it."
|
|
4698
|
-
};
|
|
4699
|
-
|
|
4700
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/j2eeGetConnection.ts
|
|
4701
|
-
var j2eeGetConnection = {
|
|
4702
|
-
guidance: () => `This fix replaces direct \`DriverManager.getConnection(...)\` calls with a container-managed JNDI \`DataSource\` lookup. The new code expects the app server (Tomcat / WildFly / WebSphere / etc.) to expose a configured connection pool under the JNDI name you specified.
|
|
4703
|
-
|
|
4704
|
-
|
|
4705
|
-
|
|
4706
|
-
|
|
4707
|
-
***Make sure the resource pool exists before merging.*** The patched code will throw a \`NamingException\` at runtime if the JNDI name does not resolve. Configure it in your container's resource definition:
|
|
4708
|
-
|
|
4709
|
-
- **Tomcat**: declare a \`<Resource>\` element in \`context.xml\` (or per-app \`META-INF/context.xml\`) with the same JNDI name, plus \`url\`, \`username\`, \`password\`, \`driverClassName\`, and any pool sizing.
|
|
4710
|
-
- **Spring Boot (embedded Tomcat)**: configure via \`spring.datasource.jndi-name\` and matching \`<Resource>\`, or use \`@ConfigurationProperties\` to bind a \`DataSource\` bean.
|
|
4711
|
-
- **WildFly / JBoss EAP**: declare a \`<datasource>\` in the standalone/domain XML and reference its JNDI binding.
|
|
4712
|
-
- **WebSphere / WebLogic**: define the JDBC provider and data source through the admin console; bind it to the JNDI name.
|
|
4713
|
-
|
|
4714
|
-
|
|
4715
|
-
|
|
4716
|
-
|
|
4717
|
-
Also add a matching \`<resource-ref>\` (or \`<data-source>\`) in your \`WEB-INF/web.xml\` if you use one. The original connection details (URL, user, password) move from the call site into the resource definition \u2014 remove them from any constants / properties files where they were duplicated.
|
|
4718
|
-
|
|
4719
|
-
|
|
4720
|
-
|
|
4721
|
-
|
|
4722
|
-
This fix is mandated by the J2EE / Jakarta EE specification (CWE-245) \u2014 direct driver management bypasses the container's pooling, retry, and failover policies.`
|
|
4723
|
-
};
|
|
4724
|
-
|
|
4725
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/systemInformationLeak.ts
|
|
4726
|
-
var systemInformationLeak = {
|
|
4727
|
-
guidance: ({
|
|
4728
|
-
clientMightBeAffected
|
|
4729
|
-
}) => {
|
|
4730
|
-
if (clientMightBeAffected) {
|
|
4731
|
-
return "You should never expose error details to the client. We removed the error details from the response. Ensure the client application code does not rely on the removed information.";
|
|
4732
|
-
}
|
|
4733
|
-
return "";
|
|
4734
|
-
}
|
|
4735
|
-
};
|
|
4736
|
-
|
|
4737
|
-
// src/features/analysis/scm/shared/src/storedFixData/java/index.ts
|
|
4738
|
-
var vulnerabilities5 = {
|
|
4739
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4740
|
-
["INSECURE_DESERIALIZATION"]: insecureDeserialization,
|
|
4741
|
-
["J2EE_GET_CONNECTION"]: j2eeGetConnection,
|
|
4742
|
-
["SYSTEM_INFORMATION_LEAK"]: systemInformationLeak
|
|
4743
|
-
};
|
|
4744
|
-
var java_default = vulnerabilities5;
|
|
4745
|
-
|
|
4746
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/csrf.ts
|
|
4747
|
-
var csrf = {
|
|
4748
|
-
guidance: () => `Please make sure the CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that \`django.middleware.csrf.CsrfViewMiddleware\` should come before any view middleware that assume that CSRF attacks have been dealt with.
|
|
4749
|
-
|
|
4750
|
-
|
|
4751
|
-
If you disabled it, which is not recommended, you can use [\`csrf_protect()\`](https://docs.djangoproject.com/en/5.1/ref/csrf/#django.views.decorators.csrf.csrf_protect) annotation on this particular view.
|
|
4752
|
-
|
|
4753
|
-
|
|
4754
|
-
See more information [here](https://docs.djangoproject.com/en/5.1/howto/csrf/).`
|
|
4755
|
-
};
|
|
4756
|
-
|
|
4757
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/hardcodedSecrets.ts
|
|
4758
|
-
var hardcodedSecrets = {
|
|
4759
|
-
guidance: ({ questions }) => {
|
|
4760
|
-
const envVarName = questions.find((q) => q.key === "env_var_name")?.value || "the";
|
|
4761
|
-
const keepAsDefault = questions.find(
|
|
4762
|
-
(q) => q.key === "keep_as_default"
|
|
4763
|
-
)?.value;
|
|
4764
|
-
let additionalText = "";
|
|
4765
|
-
if (keepAsDefault === "yes") {
|
|
4766
|
-
additionalText = "\n1. Remove the hardcoded secret from the code.\n";
|
|
4767
|
-
}
|
|
4768
|
-
return `Please follow the steps in this specific order:
|
|
4769
|
-
|
|
4770
|
-
1. Change the secret that was hardcoded. It is essential because even when you commit the changes, the secret will remain in the git history.${additionalText}
|
|
4771
|
-
1. Update the configuration of all your application environments and CI/CD pipelines to set \`${envVarName}\` environment variable.
|
|
4772
|
-
1. Commit the changes.`;
|
|
4773
|
-
}
|
|
4774
|
-
};
|
|
4775
|
-
|
|
4776
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/noLimitsOrThrottling.ts
|
|
4777
|
-
var noLimitsOrThrottling = {
|
|
4778
|
-
guidance: () => "We set the default limit to 60 requests per minute. To customize the rate limit settings, please read the documentation of the [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) package."
|
|
4779
|
-
};
|
|
4780
|
-
|
|
4781
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/ssrf.ts
|
|
4782
|
-
var ssrf = {
|
|
4783
|
-
guidance: () => "The server-side validates the domains it has access to, otherwise it throws an error if validation failed. Please make sure you handled the error correctly."
|
|
4784
|
-
};
|
|
4785
|
-
|
|
4786
|
-
// src/features/analysis/scm/shared/src/storedFixData/javascript/index.ts
|
|
4787
|
-
var vulnerabilities6 = {
|
|
4788
|
-
["SSRF"]: ssrf,
|
|
4789
|
-
["HARDCODED_SECRETS"]: hardcodedSecrets,
|
|
4790
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment,
|
|
4791
|
-
["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling,
|
|
4792
|
-
["CSRF"]: csrf
|
|
4793
|
-
};
|
|
4794
|
-
var javascript_default = vulnerabilities6;
|
|
4795
|
-
|
|
4796
|
-
// src/features/analysis/scm/shared/src/storedFixData/php/index.ts
|
|
4797
|
-
var vulnerabilities7 = {};
|
|
4798
|
-
var php_default = vulnerabilities7;
|
|
4799
|
-
|
|
4800
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/autoEscapeFalse.ts
|
|
4801
|
-
var autoEscapeFalse = {
|
|
4802
|
-
guidance: () => `This fix enables automatic escaping for HTML. When that's enabled, everything is escaped by default except for values explicitly marked as safe. Variables and expressions can be marked as safe either in:
|
|
4803
|
-
|
|
4804
|
-
a. The context dictionary by the application with \`markupsafe.Markup\`
|
|
4805
|
-
|
|
4806
|
-
b. The template, with the \`|safe\` filter.
|
|
4807
|
-
|
|
4808
|
-
|
|
4809
|
-
|
|
4810
|
-
|
|
4811
|
-
See more information [here](https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping) and [here](https://pypi.org/project/MarkupSafe/).
|
|
4812
|
-
|
|
4813
|
-
|
|
4814
|
-
|
|
4815
|
-
|
|
4816
|
-
***Note: make sure that none of the data you're marking as safe is coming from user input, as this can lead to XSS vulnerabilities!***`
|
|
4817
|
-
};
|
|
4818
|
-
|
|
4819
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/improperCertificateValidation.ts
|
|
4820
|
-
var improperCertificateValidation = {
|
|
4821
|
-
guidance: () => `This fix re-enables TLS certificate validation by changing \`verify=False\` to \`verify=True\` on the HTTP request. Any call that was deliberately reaching a server with a self-signed, expired, or otherwise untrusted certificate will start raising \`ssl.SSLError\` / \`requests.exceptions.SSLError\` after this change.
|
|
4822
|
-
|
|
4823
|
-
|
|
4824
|
-
|
|
4825
|
-
***Before merging, confirm that every endpoint reached by this call presents a certificate signed by a trusted CA.*** If the call must talk to an internal service that uses a private CA, prefer pointing \`verify\` at the CA bundle (\`verify="/path/to/ca.pem"\`) over disabling validation. If the certificate cannot be trusted at all, the safe fix is to terminate that connection at a properly configured proxy, not to keep it unvalidated.
|
|
4826
|
-
|
|
4827
|
-
|
|
4828
|
-
|
|
4829
|
-
See the [\`requests\` SSL verification docs](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) for the supported \`verify\` values.`
|
|
4830
|
-
};
|
|
4831
|
-
|
|
4832
|
-
// src/features/analysis/scm/shared/src/storedFixData/python/index.ts
|
|
4833
|
-
var vulnerabilities8 = {
|
|
4834
|
-
["AUTO_ESCAPE_FALSE"]: autoEscapeFalse,
|
|
4835
|
-
["CSRF"]: csrf,
|
|
4836
|
-
["IMPROPER_CERTIFICATE_VALIDATION"]: improperCertificateValidation
|
|
4837
|
-
};
|
|
4838
|
-
var python_default = vulnerabilities8;
|
|
4839
|
-
|
|
4840
|
-
// src/features/analysis/scm/shared/src/storedFixData/sql/defaultRightsInObjDefinition.ts
|
|
4841
|
-
var defaultRightsInObjDefinition = {
|
|
4842
|
-
guidance: () => "***Make sure the user who is supposed to run the procedure has sufficient permissions.***\n\nRead more details about the `EXECUTE AS` statement in [the official Microsoft documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-clause-transact-sql?view=sql-server-ver16&tabs=sqlserver).\n\n`EXECUTE AS CALLER` is the default behavior for SQL Server 2005 and later."
|
|
4843
|
-
};
|
|
4844
|
-
|
|
4845
|
-
// src/features/analysis/scm/shared/src/storedFixData/sql/index.ts
|
|
4846
|
-
var vulnerabilities9 = {
|
|
4847
|
-
["DEFAULT_RIGHTS_IN_OBJ_DEFINITION"]: defaultRightsInObjDefinition
|
|
4848
|
-
};
|
|
4849
|
-
var sql_default = vulnerabilities9;
|
|
4850
|
-
|
|
4851
|
-
// src/features/analysis/scm/shared/src/storedFixData/xml/index.ts
|
|
4852
|
-
var vulnerabilities10 = {
|
|
4853
|
-
["PASSWORD_IN_COMMENT"]: passwordInComment
|
|
4854
|
-
};
|
|
4855
|
-
var xml_default = vulnerabilities10;
|
|
4856
|
-
|
|
4857
|
-
// src/features/analysis/scm/shared/src/storedFixData/index.ts
|
|
4858
|
-
var StoredFixDataItemZ = z9.object({
|
|
4859
|
-
guidance: z9.function().args(z9.any()).returns(z9.string())
|
|
4860
|
-
});
|
|
4861
|
-
var languages = {
|
|
4862
|
-
["Java" /* Java */]: java_default,
|
|
4863
|
-
["JavaScript" /* JavaScript */]: javascript_default,
|
|
4864
|
-
["CSharp" /* CSharp */]: csharp_default,
|
|
4865
|
-
["SQL" /* Sql */]: sql_default,
|
|
4866
|
-
["XML" /* Xml */]: xml_default,
|
|
4867
|
-
["Python" /* Python */]: python_default,
|
|
4868
|
-
["PHP" /* Php */]: php_default,
|
|
4869
|
-
["Go" /* Go */]: go_default,
|
|
4870
|
-
["Dockerfile" /* Dockerfile */]: dockerfile_default,
|
|
4871
|
-
["Hcl" /* Hcl */]: hcl_default
|
|
4872
|
-
};
|
|
4873
|
-
|
|
4874
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/index.ts
|
|
4875
|
-
init_client_generates();
|
|
4876
|
-
import { z as z10 } from "zod";
|
|
4877
|
-
|
|
4878
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/commandInjection.ts
|
|
4879
|
-
var commandInjection = {
|
|
4880
|
-
isUnixShellCommandPart: {
|
|
4881
|
-
content: () => "Is the input data interpolated into a shell command (not the program name or shell structure)?",
|
|
4882
|
-
description: () => `\`system()\` / \`popen()\` hand the whole string to \`/bin/sh -c\`. Answer **yes** when the input is *data* placed into a fixed command, for example:
|
|
4883
|
-
|
|
4884
|
-
- \`sprintf(cmd, "grep %s file.txt", input); system(cmd);\`
|
|
4885
|
-
- \`sprintf(cmd, "ping -c 5 %s", input); system(cmd);\`
|
|
4886
|
-
|
|
4887
|
-
Answer **no** (the input is not plain data) when the input is:
|
|
4888
|
-
|
|
4889
|
-
1. The program/executable itself:
|
|
4890
|
-
- \`system(input);\`
|
|
4891
|
-
- \`sprintf(cmd, "%s -x", input);\`
|
|
4892
|
-
2. A command after a pipe or redirect:
|
|
4893
|
-
- \`sprintf(cmd, "cat file.txt | %s", input);\`
|
|
4894
|
-
3. A part of a non-Unix or cross-platform shell command.
|
|
4895
|
-
4. A part of embedded code in another language:
|
|
4896
|
-
- \`sprintf(cmd, "php -r \\"echo '%s';\\"", input);\`
|
|
4897
|
-
- \`sprintf(cmd, "awk '%s' file", input);\`
|
|
4898
|
-
5. A flag/option that controls a tool's behaviour:
|
|
4899
|
-
- \`sprintf(cmd, "git --upload-pack %s", input);\``,
|
|
4900
|
-
guidance: () => "If yes and the command can run without a shell, it is rewritten to a no-shell argument-vector call (`posix_spawn`); if it needs the shell, the tainted argument is escaped in place so the shell keeps working. If the answer is no (the input controls the program or shell structure), there is no safe automatic rewrite, so the fix is withheld and the sink is left for manual review."
|
|
4901
|
-
},
|
|
4902
|
-
executableLocationPath: {
|
|
4903
|
-
content: () => "What is the absolute path of the directory containing the executable?",
|
|
4904
|
-
description: () => `When \`system()\` is rewritten to an \`execv()\` argument-vector call, the program is run by its path with **no \`$PATH\` search**, so a relative program name (e.g. \`tail\`) cannot be resolved and a poisoned \`PATH\` cannot be used to run a look-alike binary.
|
|
4905
|
-
|
|
4906
|
-
Provide the absolute directory that contains the executable (e.g. \`/usr/bin\`); the fix prepends it to the bare program name to form an absolute path.`,
|
|
4907
|
-
guidance: () => "Only asked when the program name in the command has no `/`. A program that is already an absolute or relative path (contains `/`) is used as written."
|
|
4908
|
-
}
|
|
4909
|
-
};
|
|
4910
|
-
|
|
4911
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/pathManipulation.ts
|
|
4912
|
-
var pathManipulation = {
|
|
4913
|
-
baseDirectory: {
|
|
4914
|
-
content: ({ expression }) => `Which directory must \`${expression}\` stay within? Enter the absolute base directory file access is restricted to.`,
|
|
4915
|
-
description: ({ expression }) => `The fix canonicalizes \`${expression}\` (resolving \`.\`, \`..\`, and symlinks) and verifies the result stays inside this base directory. Provide the **absolute** root the application is allowed to read or write under, for example \`/var/app/data\`. The directory must exist at runtime. A path that resolves outside it is rejected at runtime.`,
|
|
4916
|
-
guidance: (_) => "You **must** set this to an absolute path that exists at runtime and that your application confines file access to. If you leave it unset (or give a relative path), the generated fix is emitted with a placeholder identifier (`MOBB_SET_ALLOWED_BASE_DIR`) that **deliberately does not compile**, so a missing security boundary cannot be overlooked \u2014 replace it with your absolute base directory. A relative path would otherwise resolve against the process working directory (moving the boundary). At runtime the guard aborts (C: `exit(EXIT_FAILURE)`) / throws (C++: `std::runtime_error`) on a path that escapes the base. Pick the narrowest directory that still contains every legitimate file the code opens."
|
|
4917
|
-
}
|
|
4918
|
-
};
|
|
4919
|
-
|
|
4920
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/cpp/index.ts
|
|
4921
|
-
var vulnerabilities11 = {
|
|
4922
|
-
["CMDi"]: commandInjection,
|
|
4923
|
-
["PT"]: pathManipulation
|
|
4924
|
-
};
|
|
4925
|
-
var cpp_default = vulnerabilities11;
|
|
4926
|
-
|
|
4927
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/httpOnlyCookie.ts
|
|
4928
|
-
var httpOnlyCookie = {
|
|
4929
|
-
httpOnlyCookie: {
|
|
4930
|
-
content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
|
|
4931
|
-
description: () => httpOnlyMessage,
|
|
4932
|
-
guidance: () => ""
|
|
4933
|
-
},
|
|
4934
|
-
cookieVarName: {
|
|
4935
|
-
content: () => "Please define a variable name",
|
|
4936
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
4937
|
-
guidance: () => ""
|
|
4938
|
-
}
|
|
4939
|
-
};
|
|
4940
|
-
var httpOnlyMessage = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
|
|
4941
|
-
when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
|
|
4942
|
-
be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
|
|
4943
|
-
|
|
4944
|
-
|
|
4945
|
-
|
|
4946
|
-
|
|
4947
|
-
***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
|
|
4948
|
-
|
|
4949
|
-
|
|
4950
|
-
|
|
4951
|
-
`;
|
|
4952
|
-
|
|
4953
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureBinderConfiguration.ts
|
|
4954
|
-
var insecureBinderConfiguration = {
|
|
4955
|
-
bindAttributeParam: {
|
|
4956
|
-
content: ({ func_param_name }) => `Which properties of the model should be included in model binding for \`${func_param_name}\`?`,
|
|
4957
|
-
description: () => "Provide a comma-separated list of valid property names to be included in model binding. See [the official documentation](https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding?view=aspnetcore-8.0#bind-attribute) for more details.",
|
|
4958
|
-
guidance: () => ""
|
|
4959
|
-
}
|
|
4960
|
-
};
|
|
4961
|
-
|
|
4962
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureCookie.ts
|
|
4963
|
-
var insecureCookie = {
|
|
4964
|
-
insecureCookie: {
|
|
4965
|
-
content: () => "Will this cookie be used only in encrypted channels (https)?",
|
|
4966
|
-
description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
|
|
4967
|
-
In environments like local development or test, setting cookies as secure might have some consequences:
|
|
4968
|
-
|
|
4969
|
-
|
|
4970
|
-
- Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
|
|
4971
|
-
additional configuration and certificates. If cookies are marked as secure,
|
|
4972
|
-
they won't be sent over HTTP, and this could potentially interfere with the normal
|
|
4973
|
-
functioning of your application during development.
|
|
4974
|
-
|
|
4975
|
-
|
|
4976
|
-
- Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
|
|
4977
|
-
testing environment accurately simulates the production environment's security features.
|
|
4978
|
-
This may involve setting up HTTPS in your local development environment.
|
|
4979
|
-
|
|
4980
|
-
|
|
4981
|
-
- Debugging Challenges: Debugging may be more challenging when using secure cookies in a
|
|
4982
|
-
development environment, especially if you need to inspect or manipulate the cookies during
|
|
4983
|
-
development.`,
|
|
4984
|
-
guidance: () => ""
|
|
4985
|
-
},
|
|
4986
|
-
cookieVarName: {
|
|
4987
|
-
content: () => "Please define a variable name",
|
|
4988
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
4989
|
-
guidance: () => ""
|
|
4990
|
-
}
|
|
4991
|
-
};
|
|
4992
|
-
|
|
4993
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insecureRandomness.ts
|
|
4994
|
-
var insecureRandomness = {
|
|
4995
|
-
isRandomNumberGeneratorAvailable: {
|
|
4996
|
-
content: () => "We use the `RandomNumberGenerator` class from the `System.Security.Cryptography` package. Does this class exist for the .NET version you use?",
|
|
4997
|
-
description: () => "See [the official documentation](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-8.0#applies-to) for more details.",
|
|
4998
|
-
guidance: () => ""
|
|
4999
|
-
},
|
|
5000
|
-
isNetVersionGreaterThan6: {
|
|
5001
|
-
content: () => "We are able to offer a more concise solution if the .NET version is greater then .NET 6",
|
|
5002
|
-
description: () => "",
|
|
5003
|
-
guidance: () => ""
|
|
5004
|
-
}
|
|
5005
|
-
};
|
|
5006
|
-
|
|
5007
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/insufficientLogging.ts
|
|
5008
|
-
var insufficientLogging = {
|
|
5009
|
-
logMessage: {
|
|
5010
|
-
content: () => "Enter the message that you want to appear in the log",
|
|
5011
|
-
description: () => "",
|
|
5012
|
-
guidance: () => ""
|
|
5013
|
-
}
|
|
5014
|
-
};
|
|
5015
|
-
|
|
5016
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/logForging.ts
|
|
5017
|
-
var logForging = {
|
|
5018
|
-
isHtmlDisplay: {
|
|
5019
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5020
|
-
description: () => "",
|
|
5021
|
-
guidance: ({ userInputValue }) => {
|
|
5022
|
-
switch (userInputValue) {
|
|
5023
|
-
case "yes":
|
|
5024
|
-
return "We use the `System.Web` `HttpUtility` to decode the HTML";
|
|
5025
|
-
default:
|
|
5026
|
-
return "";
|
|
5027
|
-
}
|
|
5028
|
-
}
|
|
5029
|
-
}
|
|
5030
|
-
};
|
|
5031
|
-
|
|
5032
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/overlyBroadCatch.ts
|
|
5033
|
-
var overlyBroadCatch = {
|
|
5034
|
-
defaultExceptionsInWhenFilter: {
|
|
5035
|
-
content: () => "Exceptions to filter",
|
|
5036
|
-
description: () => "Coma separated list of the Fully Qualified Exceptions names",
|
|
5037
|
-
guidance: () => ""
|
|
5038
|
-
}
|
|
5039
|
-
};
|
|
5040
|
-
|
|
5041
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/pt.ts
|
|
5042
|
-
var pt = {
|
|
5043
|
-
taintedTermType: {
|
|
5044
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name or a file path?`,
|
|
5045
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
|
|
5046
|
-
guidance: () => ""
|
|
5047
|
-
},
|
|
5048
|
-
pathTargetDir: {
|
|
5049
|
-
content: () => "Allowed file path",
|
|
5050
|
-
description: () => "Provide the intended file path destination eg: /tmp/testfiles/users/",
|
|
5051
|
-
guidance: () => ""
|
|
5052
|
-
}
|
|
5053
|
-
};
|
|
5054
|
-
|
|
5055
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/regexMissingTimeout.ts
|
|
5056
|
-
var regexMissingTimeout = {
|
|
5057
|
-
netVersionGreaterOrEqual7: {
|
|
5058
|
-
content: () => "Is your target framework .NET 7 or greater?",
|
|
5059
|
-
description: () => "",
|
|
5060
|
-
guidance: () => ""
|
|
5061
|
-
},
|
|
5062
|
-
timeout: {
|
|
5063
|
-
content: () => "Enter the timeout in milliseconds",
|
|
5064
|
-
description: () => "If the limit is reached a RegexTimeoutException is thrown, this could be caused by excessive backtracking",
|
|
5065
|
-
guidance: () => ""
|
|
5066
|
-
},
|
|
5067
|
-
useBacktrackingOption: {
|
|
5068
|
-
content: () => "Use non backtracking option",
|
|
5069
|
-
description: () => "If the regex does not need to use backtracking we can disable it using regex options",
|
|
5070
|
-
guidance: () => ""
|
|
5071
|
-
}
|
|
5072
|
-
};
|
|
5073
|
-
|
|
5074
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/requestParametersBoundViaInput.ts
|
|
5075
|
-
var requestParametersBoundViaInput = {
|
|
5076
|
-
fieldsToCopy: {
|
|
5077
|
-
content: () => "Please list all the fields you expect as input from the user. Use comma separated list.",
|
|
5078
|
-
description: () => `This is meant to avoid mass assignment vulnerabilities, where the user would enter an inner unexpected field`,
|
|
5079
|
-
guidance: () => ""
|
|
5080
|
-
}
|
|
5081
|
-
};
|
|
5082
|
-
|
|
5083
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sqlInjection.ts
|
|
5084
|
-
var sqlInjection = {
|
|
5085
|
-
databaseProvider: {
|
|
5086
|
-
content: () => "Select the database provider",
|
|
5087
|
-
description: () => "",
|
|
5088
|
-
guidance: () => ""
|
|
5089
|
-
}
|
|
5090
|
-
};
|
|
5091
|
-
|
|
5092
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/ssrf.ts
|
|
5093
|
-
var ssrf2 = {
|
|
5094
|
-
domainsAllowlist: {
|
|
5095
|
-
content: () => "Allowed domains",
|
|
5096
|
-
description: () => "Coma separated list of allowed domains.",
|
|
5097
|
-
guidance: () => ""
|
|
5098
|
-
}
|
|
5099
|
-
};
|
|
5100
|
-
|
|
5101
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/sysLeak.ts
|
|
5102
|
-
var sysLeak = {
|
|
5103
|
-
errorMessage: {
|
|
5104
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5105
|
-
description: () => "",
|
|
5106
|
-
guidance: () => ""
|
|
5107
|
-
},
|
|
5108
|
-
noLoggerAction: {
|
|
5109
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5110
|
-
description: () => "",
|
|
5111
|
-
guidance: () => ""
|
|
5112
|
-
}
|
|
5113
|
-
};
|
|
5114
|
-
|
|
5115
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/trustBoundaryViolation.ts
|
|
5116
|
-
var trustBoundaryViolation = {
|
|
5117
|
-
validationPattern: {
|
|
5118
|
-
content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
|
|
5119
|
-
description: () => "We use regex to validate the input to avoid runtime surprises",
|
|
5120
|
-
guidance: () => ""
|
|
5121
|
-
},
|
|
5122
|
-
otherPatternValue: {
|
|
5123
|
-
content: () => `Enter the regex pattern you would like to use to validate the input`,
|
|
5124
|
-
description: () => "See patterns at [the regex docs](https://learn.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference)",
|
|
5125
|
-
guidance: () => ""
|
|
5126
|
-
}
|
|
5127
|
-
};
|
|
5128
|
-
|
|
5129
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/useOfSystemOutputStream.ts
|
|
5130
|
-
var useOfSystemOutputStream = {
|
|
5131
|
-
noLoggerAction: {
|
|
5132
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5133
|
-
description: () => "",
|
|
5134
|
-
guidance: () => ""
|
|
5135
|
-
}
|
|
5136
|
-
};
|
|
5137
|
-
|
|
5138
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/valueShadowing.ts
|
|
5139
|
-
var valueShadowing = {
|
|
5140
|
-
collectionName: {
|
|
5141
|
-
content: () => "Please select the collection to search/index from",
|
|
5142
|
-
description: () => `Accessing the root object eg Request["item"] searches across all available collections and returns the first item that matches. Potentially leading to the correct value being shadowed. Available collections include:
|
|
5143
|
-
- QueryString: The values of variables in the HTTP query string.
|
|
5144
|
-
- Form: The values of form elements in the HTTP request body.
|
|
5145
|
-
- Cookies: The values of cookies sent in the HTTP request.
|
|
5146
|
-
- ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
|
|
5147
|
-
- ServerVariables: The values of predetermined environment variables.`,
|
|
5148
|
-
guidance: () => `See
|
|
5149
|
-
- https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524948(v=vs.90),
|
|
5150
|
-
- https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest?view=netframework-4.8.1`
|
|
5151
|
-
}
|
|
5152
|
-
};
|
|
5153
|
-
|
|
5154
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/wcfMisconfigurationThrottlingNotEnabled.ts
|
|
5155
|
-
var wcfMisconfigurationThrottlingNotEnabled = {
|
|
5156
|
-
maxConcurrentCalls: {
|
|
5157
|
-
content: () => "Please define the maximum concurrent calls",
|
|
5158
|
-
description: () => `A positive integer that limits the number of messages that currently process across a ServiceHost. Calls in excess of the limit are queued. Setting this value to 0 is equivalent to setting it to Int32.MaxValue.`,
|
|
5159
|
-
guidance: () => {
|
|
5160
|
-
return "";
|
|
5161
|
-
}
|
|
5162
|
-
},
|
|
5163
|
-
maxConcurrentInstances: {
|
|
5164
|
-
content: () => "Please define the maximum concurrent instances",
|
|
5165
|
-
description: () => `A positive integer that limits the number of InstanceContext objects that execute at one time across a ServiceHost. Requests to create additional instances are queued and complete when a slot below the limit becomes available.`,
|
|
5166
|
-
guidance: () => {
|
|
5167
|
-
return "";
|
|
5168
|
-
}
|
|
5169
|
-
},
|
|
5170
|
-
maxConcurrentSessions: {
|
|
5171
|
-
content: () => "Please define the maximum concurrent sessions",
|
|
5172
|
-
description: () => `A positive integer that limits the number of sessions a ServiceHost object can accept.`,
|
|
5173
|
-
guidance: () => {
|
|
5174
|
-
return "";
|
|
5175
|
-
}
|
|
5176
|
-
}
|
|
5177
|
-
};
|
|
5178
|
-
|
|
5179
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/xss.ts
|
|
5180
|
-
var xss = {
|
|
5181
|
-
allowSpecialCharacters: {
|
|
5182
|
-
content: ({ source_value }) => `Does your code allow encodable HTML characters like '&', '<', '"' etc. in: \`${source_value}\`?`,
|
|
5183
|
-
description: () => "",
|
|
5184
|
-
guidance: () => ""
|
|
5185
|
-
},
|
|
5186
|
-
containsHtml: {
|
|
5187
|
-
content: ({ prop_value }) => `Does your code allow having HTML tags in: \`${prop_value}\`?`,
|
|
5188
|
-
description: () => "",
|
|
5189
|
-
guidance: () => ""
|
|
5190
|
-
},
|
|
5191
|
-
netVersionGreaterOrEqual45: {
|
|
5192
|
-
content: () => "Is your target framework .NET 4.5 or greater?",
|
|
5193
|
-
description: () => "",
|
|
5194
|
-
guidance: () => ""
|
|
5195
|
-
},
|
|
5196
|
-
useHTML4NamedEntities: {
|
|
5197
|
-
content: () => "Would you like to use HTML 4.0 Named entities?",
|
|
5198
|
-
description: () => "See [examples](https://www.w3schools.com/charsets/ref_html_entities_4.asp) and [full description](https://www.w3.org/TR/WD-html40-970708/sgml/entities.html)",
|
|
5199
|
-
guidance: () => ""
|
|
5200
|
-
}
|
|
5201
|
-
};
|
|
5202
|
-
|
|
5203
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/xxe.ts
|
|
5204
|
-
var xxe = {
|
|
5205
|
-
netVersionGreaterOrEqual4: {
|
|
5206
|
-
content: () => "Is your target framework .NET 4.0.0 or greater?",
|
|
5207
|
-
description: () => "",
|
|
5208
|
-
guidance: ({ userInputValue }) => {
|
|
5209
|
-
switch (userInputValue) {
|
|
5210
|
-
case "yes":
|
|
5211
|
-
return "We set `DtdProcessing` to `DtdProcessing.Prohibit` in order to prevent DTD parsing.";
|
|
5212
|
-
default:
|
|
5213
|
-
return "We set `ProhibitDtd` to `true` in order to prevent DTD parsing.";
|
|
5214
|
-
}
|
|
5215
|
-
}
|
|
5216
|
-
}
|
|
5217
|
-
};
|
|
5218
|
-
|
|
5219
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/csharp/index.ts
|
|
5220
|
-
var vulnerabilities12 = {
|
|
5221
|
-
["LOG_FORGING"]: logForging,
|
|
5222
|
-
["SSRF"]: ssrf2,
|
|
5223
|
-
["XXE"]: xxe,
|
|
5224
|
-
["XSS"]: xss,
|
|
5225
|
-
["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream,
|
|
5226
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak,
|
|
5227
|
-
["OVERLY_BROAD_CATCH"]: overlyBroadCatch,
|
|
5228
|
-
["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation,
|
|
5229
|
-
["PT"]: pt,
|
|
5230
|
-
["REGEX_MISSING_TIMEOUT"]: regexMissingTimeout,
|
|
5231
|
-
["HTTP_ONLY_COOKIE"]: httpOnlyCookie,
|
|
5232
|
-
["INSECURE_COOKIE"]: insecureCookie,
|
|
5233
|
-
["WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED"]: wcfMisconfigurationThrottlingNotEnabled,
|
|
5234
|
-
["INSECURE_BINDER_CONFIGURATION"]: insecureBinderConfiguration,
|
|
5235
|
-
["VALUE_SHADOWING"]: valueShadowing,
|
|
5236
|
-
["INSECURE_RANDOMNESS"]: insecureRandomness,
|
|
5237
|
-
["INSUFFICIENT_LOGGING"]: insufficientLogging,
|
|
5238
|
-
["SQL_Injection"]: sqlInjection,
|
|
5239
|
-
["REQUEST_PARAMETERS_BOUND_VIA_INPUT"]: requestParametersBoundViaInput
|
|
5240
|
-
};
|
|
5241
|
-
var csharp_default2 = vulnerabilities12;
|
|
5242
|
-
|
|
5243
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/logForging.ts
|
|
5244
|
-
var logForging2 = {
|
|
5245
|
-
isHtmlDisplay: {
|
|
5246
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5247
|
-
description: () => "",
|
|
5248
|
-
guidance: () => ""
|
|
5249
|
-
}
|
|
5250
|
-
};
|
|
5251
|
-
|
|
5252
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/missingSslMinversion.ts
|
|
5253
|
-
var missingSslMinversion = {
|
|
5254
|
-
minTlsVersion: {
|
|
5255
|
-
content: () => "What is the minimum version of Transport Layer Security (TLS) you allow? Ensure compatibility between the server and clients.",
|
|
5256
|
-
description: () => "",
|
|
5257
|
-
guidance: () => ""
|
|
5258
|
-
}
|
|
5259
|
-
};
|
|
5260
|
-
|
|
5261
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/websocketMissingOriginCheck.ts
|
|
5262
|
-
var websocketMissingOriginCheck = {
|
|
5263
|
-
minTlsVersion: {
|
|
5264
|
-
content: () => "Please provide a comma-separated list of valid hosts. This list will serve as an allow list to check the connection `Origin` header.",
|
|
5265
|
-
description: () => "",
|
|
5266
|
-
guidance: () => ""
|
|
5267
|
-
}
|
|
5268
|
-
};
|
|
5269
|
-
|
|
5270
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/go/index.ts
|
|
5271
|
-
var vulnerabilities13 = {
|
|
5272
|
-
["LOG_FORGING"]: logForging2,
|
|
5273
|
-
["MISSING_SSL_MINVERSION"]: missingSslMinversion,
|
|
5274
|
-
["WEBSOCKET_MISSING_ORIGIN_CHECK"]: websocketMissingOriginCheck
|
|
5275
|
-
};
|
|
5276
|
-
var go_default2 = vulnerabilities13;
|
|
5277
|
-
|
|
5278
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/commandInjection.ts
|
|
5279
|
-
var commandInjection2 = {
|
|
5280
|
-
isUnixShellCommandPart: {
|
|
5281
|
-
content: () => "Is the input part of Unix shell command?",
|
|
5282
|
-
description: () => `For example:
|
|
5283
|
-
|
|
5284
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -t 5 -c 5 " + input});\`
|
|
5285
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "curl " + input + " > file.txt"});\`
|
|
5286
|
-
|
|
5287
|
-
Make sure the input is not:
|
|
5288
|
-
|
|
5289
|
-
1. An executable name:
|
|
5290
|
-
- \`Runtime.getRuntime().exec(input);\`
|
|
5291
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", input});\`
|
|
5292
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", input + " param"});\`
|
|
5293
|
-
- \`Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "cat file.txt | " + input});\`
|
|
5294
|
-
- \`Runtime.getRuntime().exec(new String[] {"/usr/bin/git", "--upload-pack", input});\`
|
|
5295
|
-
2. A part of non-unix or cross platform shell command:
|
|
5296
|
-
- \`Runtime.getRuntime().exec(new String[] {"cmd.exe", "/c", "ping " + input});\`
|
|
5297
|
-
3. A part of programming language code:
|
|
5298
|
-
- \`Runtime.getRuntime().exec(new String[] {"php", "-r", "echo '" + input + "';"});\`
|
|
5299
|
-
- \`Runtime.getRuntime().exec(new String[] {"perl", "-e", "print '" + input + "'"});\``,
|
|
5300
|
-
guidance: () => ""
|
|
5301
|
-
},
|
|
5302
|
-
installApacheCommonsText: {
|
|
5303
|
-
content: () => "Is the Apache Commons library (org.apache.commons) included in your project, if not, can you add it?",
|
|
5304
|
-
description: () => "Apache Commons Text is a library focused on algorithms working on strings.",
|
|
5305
|
-
guidance: ({ userInputValue }) => userInputValue === "yes" ? "To add the library, modify your pom.xml or build.gradle to include the library. You can find the latest version here https://mvnrepository.com/artifact/org.apache.commons/commons-text" : ""
|
|
5306
|
-
},
|
|
5307
|
-
cmdAllowlist: {
|
|
5308
|
-
content: () => "Allowed Commands",
|
|
5309
|
-
description: () => "Make sure that the list of commands is separated by commas.",
|
|
5310
|
-
guidance: () => ""
|
|
5311
|
-
}
|
|
5312
|
-
};
|
|
5313
|
-
|
|
5314
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/confusingNaming.ts
|
|
5315
|
-
var confusingNaming = {
|
|
5316
|
-
newFieldName: {
|
|
5317
|
-
content: () => "Rename the existing field",
|
|
5318
|
-
description: () => "",
|
|
5319
|
-
guidance: () => ""
|
|
5320
|
-
}
|
|
5321
|
-
};
|
|
5322
|
-
|
|
5323
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/duplicatedStrings.ts
|
|
5324
|
-
var duplicatedStrings = {
|
|
5325
|
-
constantName: {
|
|
5326
|
-
content: () => "New constant name",
|
|
5327
|
-
description: () => "",
|
|
5328
|
-
guidance: () => ""
|
|
5329
|
-
}
|
|
5330
|
-
};
|
|
5331
|
-
|
|
5332
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/erroneousStringCompare.ts
|
|
5333
|
-
var erroneousStringCompare = {
|
|
5334
|
-
javaVersionGreaterOrEqual17: {
|
|
5335
|
-
content: () => "Is `java.util.Objects` package available in your runtime?",
|
|
5336
|
-
description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
|
|
5337
|
-
guidance: () => ""
|
|
5338
|
-
}
|
|
5339
|
-
};
|
|
5340
|
-
|
|
5341
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/errorConditionWithoutAction.ts
|
|
5342
|
-
var errorConditionWithoutAction = {
|
|
5343
|
-
errorMessage: {
|
|
5344
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5345
|
-
description: () => "",
|
|
5346
|
-
guidance: () => ""
|
|
5347
|
-
}
|
|
5348
|
-
};
|
|
5349
|
-
|
|
5350
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/httpOnlyCookie.ts
|
|
5351
|
-
var httpOnlyCookie2 = {
|
|
5352
|
-
httpOnlyCookie: {
|
|
5353
|
-
content: () => "Is the cookie value supposed to be exposed to client-side scripting code?",
|
|
5354
|
-
description: ({ class_name }) => class_name == "Cookie" ? `${httpOnlyMessage2} ${setHttpOnlyMethodMessage}` : httpOnlyMessage2,
|
|
5355
|
-
guidance: () => ""
|
|
5356
|
-
},
|
|
5357
|
-
cookieVarName: {
|
|
5358
|
-
content: () => "Please define a variable name",
|
|
5359
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
5360
|
-
guidance: () => ""
|
|
5361
|
-
}
|
|
5362
|
-
};
|
|
5363
|
-
var httpOnlyMessage2 = `\`HttpOnly\` is a security feature for cookies that can be set by a web server
|
|
5364
|
-
when sending a Set-Cookie header in an HTTP response. When the HTTP Only flag is set for a cookie, it means that the cookie can only
|
|
5365
|
-
be accessed and modified by the server, and client-side scripts (like JavaScript) running in the browser are not allowed to access the cookie.
|
|
5366
|
-
|
|
5367
|
-
|
|
5368
|
-
|
|
5369
|
-
|
|
5370
|
-
***If your client-site application needs to access the value of this cookie, making this change might break the application logic.***
|
|
5371
|
-
|
|
5372
|
-
|
|
5373
|
-
|
|
5374
|
-
`;
|
|
5375
|
-
var setHttpOnlyMethodMessage = `Beware that if your application is using a version of the javax.servlet-api package < 3.0
|
|
5376
|
-
this change will not work since the method "setHttpOnly" is not present in previous of the package.`;
|
|
5377
|
-
|
|
5378
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/insecureCookie.ts
|
|
5379
|
-
var insecureCookie2 = {
|
|
5380
|
-
insecureCookie: {
|
|
5381
|
-
content: () => "Will this cookie be used only in encrypted channels (https)?",
|
|
5382
|
-
description: () => `When a cookie is marked as "secure" in a web environment, it means that the cookie should only be sent over secure, encrypted connections, like HTTPS.
|
|
5383
|
-
In environments like local development or test, setting cookies as secure might have some consequences:
|
|
5384
|
-
|
|
5385
|
-
|
|
5386
|
-
- Development Convenience: When developing locally, you might not always have HTTPS set up, as it often involves
|
|
5387
|
-
additional configuration and certificates. If cookies are marked as secure,
|
|
5388
|
-
they won't be sent over HTTP, and this could potentially interfere with the normal
|
|
5389
|
-
functioning of your application during development.
|
|
5390
|
-
|
|
5391
|
-
|
|
5392
|
-
- Testing for Secure Environments: If your application relies on secure cookies, you should ensure that your
|
|
5393
|
-
testing environment accurately simulates the production environment's security features.
|
|
5394
|
-
This may involve setting up HTTPS in your local development environment.
|
|
5395
|
-
|
|
5396
|
-
|
|
5397
|
-
- Debugging Challenges: Debugging may be more challenging when using secure cookies in a
|
|
5398
|
-
development environment, especially if you need to inspect or manipulate the cookies during
|
|
5399
|
-
development.`,
|
|
5400
|
-
guidance: () => ""
|
|
5401
|
-
},
|
|
5402
|
-
cookieVarName: {
|
|
5403
|
-
content: () => "Please define a variable name",
|
|
5404
|
-
description: () => `We need a variable for the new cookie instance`,
|
|
5405
|
-
guidance: () => ""
|
|
5406
|
-
}
|
|
5407
|
-
};
|
|
5408
|
-
|
|
5409
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/j2eeGetConnection.ts
|
|
5410
|
-
var j2eeGetConnection2 = {
|
|
5411
|
-
jndiResourceName: {
|
|
5412
|
-
content: () => "What JNDI name is the database connection pool registered under?",
|
|
5413
|
-
description: () => 'We need the JNDI name your app server uses to expose its container-managed `DataSource`. The fix performs `new InitialContext().lookup(<jndi-name>)` to retrieve the pool, so this value must exactly match the resource definition (e.g. `<Resource name="...">` in Tomcat `context.xml`, or the binding declared in WildFly / WebSphere / WebLogic). The default `java:comp/env/jdbc/myDataSource` is the canonical Tomcat / Spring convention; replace it with whatever your environment uses.',
|
|
5414
|
-
guidance: () => ""
|
|
5415
|
-
}
|
|
5416
|
-
};
|
|
5417
|
-
|
|
5418
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/leftoverDebugCode.ts
|
|
5419
|
-
var leftoverDebugCode = {
|
|
5420
|
-
isCodeUsed: {
|
|
5421
|
-
content: () => "The function seems to be a remnant of debug code. Is it still being used?",
|
|
5422
|
-
description: () => "",
|
|
5423
|
-
guidance: () => ""
|
|
5424
|
-
}
|
|
5425
|
-
};
|
|
5426
|
-
|
|
5427
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/localeDependentComparison.ts
|
|
5428
|
-
var localeDependentComparison = {
|
|
5429
|
-
localeType: {
|
|
5430
|
-
content: ({ variable }) => `Is ${variable} locale dependent?`,
|
|
5431
|
-
description: () => `Select "locale insensitive" for string comparisons that are not dependent on the locale.
|
|
5432
|
-
|
|
5433
|
-
Select "default locale" for string comparisons that uses the default locale.
|
|
5434
|
-
|
|
5435
|
-
Select "custom locale" for string comparisons that are dependent on a specific locale language.`,
|
|
5436
|
-
guidance: () => ""
|
|
5437
|
-
},
|
|
5438
|
-
customLocaleLanguage: {
|
|
5439
|
-
content: () => "What is your locale language?",
|
|
5440
|
-
description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
|
|
5441
|
-
guidance: () => ""
|
|
5442
|
-
},
|
|
5443
|
-
customLocaleCountry: {
|
|
5444
|
-
content: () => "What is your locale country?",
|
|
5445
|
-
description: () => "A list of locales can be found [here](https://www.oracle.com/java/technologies/javase/jdk8-jre8-suported-locales.html)",
|
|
5446
|
-
guidance: () => ""
|
|
5447
|
-
}
|
|
5448
|
-
};
|
|
5449
|
-
|
|
5450
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/logForging.ts
|
|
5451
|
-
var logForging3 = {
|
|
5452
|
-
isHtmlDisplay: {
|
|
5453
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5454
|
-
description: () => "",
|
|
5455
|
-
guidance: () => ""
|
|
5456
|
-
},
|
|
5457
|
-
htmlEscapingLib: {
|
|
5458
|
-
content: () => "Which HTML escaping library would you like to use?",
|
|
5459
|
-
description: () => `
|
|
5460
|
-
- If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
|
|
5461
|
-
- Another \`option is org.apache.commons.text.StringEscapeUtils\``,
|
|
5462
|
-
guidance: () => ""
|
|
5463
|
-
}
|
|
5464
|
-
};
|
|
5465
|
-
|
|
5466
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/missingCheckAgainstNull.ts
|
|
5467
|
-
var missingCheckAgainstNull = {
|
|
5468
|
-
preferredAction: {
|
|
5469
|
-
content: ({ tainted_expression }) => `What is expected behavior if \`${tainted_expression}\` returns null?`,
|
|
5470
|
-
description: () => "",
|
|
5471
|
-
guidance: () => ""
|
|
5472
|
-
},
|
|
5473
|
-
javaVersionGreaterOrEqual17: {
|
|
5474
|
-
content: () => "Is `java.util.Objects` package available in your runtime?",
|
|
5475
|
-
description: () => "`java.util.Objects` is supported in Java 1.7 or greater.",
|
|
5476
|
-
guidance: () => ""
|
|
5477
|
-
}
|
|
5478
|
-
};
|
|
5479
|
-
|
|
5480
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/openRedirect.ts
|
|
5481
|
-
var openRedirect = {
|
|
5482
|
-
allowlist: {
|
|
5483
|
-
content: () => "Allowed domains",
|
|
5484
|
-
description: () => "Add a comma separated list of allowed domains (e.g. 'google.com,example.com')",
|
|
5485
|
-
guidance: () => ""
|
|
5486
|
-
}
|
|
5487
|
-
};
|
|
5488
|
-
|
|
5489
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/overlyBroadCatch.ts
|
|
5490
|
-
var overlyBroadCatch2 = {
|
|
5491
|
-
handleRuntimeExceptions: {
|
|
5492
|
-
content: () => "Does the code intentionally catch `RuntimeException` instances like `ArithmeticException` or `NullPointerException` in the `catch` block?",
|
|
5493
|
-
description: () => "Usually, when catching the general `Exception` class catching of `RuntimeException` is implied and not necessarily the wanted/safe behavior. The application needs to deal with it explicitly in a different way, as the Mobb fix suggests.",
|
|
5494
|
-
guidance: () => ""
|
|
5495
|
-
}
|
|
5496
|
-
};
|
|
5497
|
-
|
|
5498
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/privacyViolation.ts
|
|
5499
|
-
var privacyViolation = {
|
|
5500
|
-
remediationOption: {
|
|
5501
|
-
content: () => "Preferred fix solution",
|
|
5502
|
-
description: () => `
|
|
5503
|
-
- Completely Remove the log message
|
|
5504
|
-
- Replace the sensitive data with the string [Redacted]
|
|
5505
|
-
- SHA 256 Hash the sensitive information in the log message`,
|
|
5506
|
-
guidance: () => ""
|
|
5507
|
-
}
|
|
5508
|
-
};
|
|
5509
|
-
|
|
5510
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/pt.ts
|
|
5511
|
-
var pt2 = {
|
|
5512
|
-
isPathRelativeOnly: {
|
|
5513
|
-
content: ({ expression }) => `Do you expect \`${expression}\` to be a relative path?`,
|
|
5514
|
-
description: () => "You most likely want to serve files relative to the web server's static files folder in web applications. If so, your answer should be `yes`. In CLI applications, you probably would like to give the user more flexibility and allow them to specify absolute paths to any location on the disk \u2013 your answer should be `no` in such cases.",
|
|
5515
|
-
guidance: () => ""
|
|
5516
|
-
},
|
|
5517
|
-
isFileName: {
|
|
5518
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name or a file name part?`,
|
|
5519
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters. If \`${expression}\` is supposed to legitimately include such characters, the answer should be "no".`,
|
|
5520
|
-
guidance: () => ""
|
|
5521
|
-
}
|
|
5522
|
-
};
|
|
5523
|
-
|
|
5524
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/relativePathCommand.ts
|
|
5525
|
-
var relativePathCommand = {
|
|
5526
|
-
executableLocationPath: {
|
|
5527
|
-
content: () => "What is the absolute path of the directory containing the executable?",
|
|
5528
|
-
description: () => "We need the absolute path to the executable to protect your application from command injection and ensure malicious actors cannot execute arbitrary commands on your system.",
|
|
5529
|
-
guidance: () => ""
|
|
5530
|
-
}
|
|
5531
|
-
};
|
|
5532
|
-
|
|
5533
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/ssrf.ts
|
|
5534
|
-
var ssrf3 = {
|
|
5535
|
-
domainsAllowlist: {
|
|
5536
|
-
content: () => "Allowed URL prefixes",
|
|
5537
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
|
|
5538
|
-
|
|
5539
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
|
|
5540
|
-
guidance: () => ""
|
|
5541
|
-
}
|
|
5542
|
-
};
|
|
5543
|
-
|
|
5544
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/sysLeak.ts
|
|
5545
|
-
var sysLeak2 = {
|
|
5546
|
-
errorMessage: {
|
|
5547
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5548
|
-
description: () => "",
|
|
5549
|
-
guidance: () => ""
|
|
5550
|
-
},
|
|
5551
|
-
noLoggerAction: {
|
|
5552
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5553
|
-
description: () => "",
|
|
5554
|
-
guidance: () => ""
|
|
5555
|
-
}
|
|
5556
|
-
};
|
|
5557
|
-
|
|
5558
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/trustBoundaryViolation.ts
|
|
5559
|
-
var trustBoundaryViolation2 = {
|
|
5560
|
-
validationPattern: {
|
|
5561
|
-
content: ({ expression }) => `What is the expected type of \`${expression}\`?`,
|
|
5562
|
-
description: () => "We use regex to validate the input to avoid runtime surprises",
|
|
5563
|
-
guidance: () => ""
|
|
5564
|
-
},
|
|
5565
|
-
otherPatternValue: {
|
|
5566
|
-
content: () => `Enter the regex pattern you would like to use to validate the input`,
|
|
5567
|
-
description: () => "See patterns at [the regex javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html)",
|
|
5568
|
-
guidance: () => ""
|
|
5569
|
-
}
|
|
5570
|
-
};
|
|
5571
|
-
|
|
5572
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/uncheckedLoopCondition.ts
|
|
5573
|
-
var uncheckedLoopCondition = {
|
|
5574
|
-
loopLimit: {
|
|
5575
|
-
content: () => "Please define a maximum loop limit",
|
|
5576
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
5577
|
-
guidance: () => ""
|
|
5578
|
-
},
|
|
5579
|
-
varName: {
|
|
5580
|
-
content: () => "Please define a variable name",
|
|
5581
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
5582
|
-
guidance: () => ""
|
|
5583
|
-
}
|
|
5584
|
-
};
|
|
5585
|
-
|
|
5586
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/unsafeReflection.ts
|
|
5587
|
-
var unsafeReflection = {
|
|
5588
|
-
classAllowlist: {
|
|
5589
|
-
content: () => "Allowed class names for reflection",
|
|
5590
|
-
description: () => `Provide a comma-separated list of fully-qualified class names that are permitted to be loaded via reflection (e.g. \`com.example.MyClass\`). Any other class name will be rejected at runtime.`,
|
|
5591
|
-
guidance: () => ""
|
|
5592
|
-
}
|
|
5593
|
-
};
|
|
5594
|
-
|
|
5595
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/useOfSystemOutputStream.ts
|
|
5596
|
-
var useOfSystemOutputStream2 = {
|
|
5597
|
-
noLoggerAction: {
|
|
5598
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5599
|
-
description: () => "",
|
|
5600
|
-
guidance: () => ""
|
|
5601
|
-
}
|
|
5602
|
-
};
|
|
5603
|
-
|
|
5604
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/xss.ts
|
|
5605
|
-
var xss2 = {
|
|
5606
|
-
isHtmlOrSafeAttribute: {
|
|
5607
|
-
content: ({ tainted_variable }) => `Where is \`${tainted_variable}\` written to?`,
|
|
5608
|
-
description: () => `Answer examples:
|
|
5609
|
-
|
|
5610
|
-
- a text in an HTML tag or a value of a safe HTML attribute:
|
|
5611
|
-
- \`<li><%= name %></li>\`
|
|
5612
|
-
- \`<div>Name: <%= name %></div>\`
|
|
5613
|
-
- \`<input value="<%= name %>" name="name"/>\`
|
|
5614
|
-
- \`<div data-name="<%= name %>"></div>\`
|
|
5615
|
-
- a JavaScript code block:
|
|
5616
|
-
- \`<script>const name = "<%= name %>";</script>\`
|
|
5617
|
-
- an event attribute of an HTML tag:
|
|
5618
|
-
- \`<a onclick="alert('<%= name %>')">click me</a>\`
|
|
5619
|
-
- \`<img onmouseover="alert('<%= name %>')"/>\`
|
|
5620
|
-
- a src-like attribute of an HTML tag:
|
|
5621
|
-
- \`<a href="/user/<%= name %>">me</a>\`
|
|
5622
|
-
- \`<img src="/img/<%= name %>"/>\`
|
|
5623
|
-
- \`<form action="<%= name %>"></form>\`
|
|
5624
|
-
- \`<iframe srcdoc="<%= name %>"/>\`
|
|
5625
|
-
- a part of an HTML tag attributes list:
|
|
5626
|
-
- \`<a <%= name %>>text</a>\`
|
|
5627
|
-
|
|
5628
|
-
See more details about safe and unsafe HTML attributes:
|
|
5629
|
-
- [PortSwigger cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
|
|
5630
|
-
- [DOMPurify attributes filter implementation](https://github.com/cure53/DOMPurify/blob/c29aa900a1c286b82ee4f48a7ffab96cab3e84fa/src/attrs.js)
|
|
5631
|
-
`,
|
|
5632
|
-
guidance: () => ""
|
|
5633
|
-
},
|
|
5634
|
-
isHtmlEncoded: {
|
|
5635
|
-
content: () => "Is the user input already encoded as HTML text?",
|
|
5636
|
-
description: () => "If you are unsure, we will decode the user input and encode it again to ensure it is safe and the data is kept the same.",
|
|
5637
|
-
guidance: () => ""
|
|
5638
|
-
},
|
|
5639
|
-
htmlEscapingLib: {
|
|
5640
|
-
content: () => "Which HTML escaping library would you like to use?",
|
|
5641
|
-
description: () => `
|
|
5642
|
-
- If you use the Spring framework, you likely already have \`org.springframework.web.util.HtmlUtils\`
|
|
5643
|
-
- Another option is \`org.apache.commons.text.StringEscapeUtils\``,
|
|
5644
|
-
guidance: () => ""
|
|
5645
|
-
}
|
|
5646
|
-
};
|
|
5647
|
-
|
|
5648
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/xxe.ts
|
|
5649
|
-
var xxe2 = {
|
|
5650
|
-
factoryVarName: {
|
|
5651
|
-
content: () => "Name the new Factory variable",
|
|
5652
|
-
description: () => "We needed to create a new variable for this fix. We actually like the name we picked, but maybe you follow different naming conventions, so you can change it here.",
|
|
5653
|
-
guidance: () => ""
|
|
5654
|
-
}
|
|
5655
|
-
};
|
|
5656
|
-
|
|
5657
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/java/index.ts
|
|
5658
|
-
var vulnerabilities14 = {
|
|
5659
|
-
["CMDi_relative_path_command"]: relativePathCommand,
|
|
5660
|
-
["CMDi"]: commandInjection2,
|
|
5661
|
-
["CONFUSING_NAMING"]: confusingNaming,
|
|
5662
|
-
["ERROR_CONDTION_WITHOUT_ACTION"]: errorConditionWithoutAction,
|
|
5663
|
-
["XXE"]: xxe2,
|
|
5664
|
-
["XSS"]: xss2,
|
|
5665
|
-
["PRIVACY_VIOLATION"]: privacyViolation,
|
|
5666
|
-
["PT"]: pt2,
|
|
5667
|
-
["SSRF"]: ssrf3,
|
|
5668
|
-
["LOG_FORGING"]: logForging3,
|
|
5669
|
-
["LOCALE_DEPENDENT_COMPARISON"]: localeDependentComparison,
|
|
5670
|
-
["MISSING_CHECK_AGAINST_NULL"]: missingCheckAgainstNull,
|
|
5671
|
-
["OPEN_REDIRECT"]: openRedirect,
|
|
5672
|
-
["OVERLY_BROAD_CATCH"]: overlyBroadCatch2,
|
|
5673
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak2,
|
|
5674
|
-
["USE_OF_SYSTEM_OUTPUT_STREAM"]: useOfSystemOutputStream2,
|
|
5675
|
-
["HTTP_ONLY_COOKIE"]: httpOnlyCookie2,
|
|
5676
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition,
|
|
5677
|
-
["INSECURE_COOKIE"]: insecureCookie2,
|
|
5678
|
-
["TRUST_BOUNDARY_VIOLATION"]: trustBoundaryViolation2,
|
|
5679
|
-
["UNSAFE_REFLECTION"]: unsafeReflection,
|
|
5680
|
-
["J2EE_GET_CONNECTION"]: j2eeGetConnection2,
|
|
5681
|
-
["LEFTOVER_DEBUG_CODE"]: leftoverDebugCode,
|
|
5682
|
-
["ERRONEOUS_STRING_COMPARE"]: erroneousStringCompare,
|
|
5683
|
-
["DUPLICATED_STRINGS"]: duplicatedStrings
|
|
5684
|
-
};
|
|
5685
|
-
var java_default2 = vulnerabilities14;
|
|
5686
|
-
|
|
5687
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/csrf.ts
|
|
5688
|
-
var csrf2 = {
|
|
5689
|
-
isPythonDjangoTemplate: {
|
|
5690
|
-
content: () => "Is the reported file Python Django template?",
|
|
5691
|
-
description: () => "",
|
|
5692
|
-
guidance: () => ""
|
|
5693
|
-
}
|
|
5694
|
-
};
|
|
5695
|
-
|
|
5696
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/commandInjection.ts
|
|
5697
|
-
var commandInjection3 = {
|
|
5698
|
-
isCommandExecutable: {
|
|
5699
|
-
content: () => "Commands can be intrinsically unsafe if they call out to other executables or run arbitary code",
|
|
5700
|
-
description: () => `Does the command fall into one of the following categories:
|
|
5701
|
-
|
|
5702
|
-
1. An executable name:
|
|
5703
|
-
- \`exec(input);\`
|
|
5704
|
-
- \`exec("/bin/bash " + input);\`
|
|
5705
|
-
- \`exec("/bin/sh -c" + input + " param");\`
|
|
5706
|
-
- \`exec("/bin/bash -c cat file.txt | " + input);\`
|
|
5707
|
-
- \`exec("/usr/bin/git --upload-pack " + input);\`
|
|
5708
|
-
2. A part of non-unix or cross platform shell command:
|
|
5709
|
-
- \`exec("cmd.exe /c ping " + input);\`
|
|
5710
|
-
3. A part of programming language code:
|
|
5711
|
-
- \`exec("php -r echo '" + input + "';");\`
|
|
5712
|
-
- \`exec("perl -e print '" + input + "'");\``,
|
|
5713
|
-
guidance: () => ""
|
|
5714
|
-
}
|
|
5715
|
-
};
|
|
5716
|
-
|
|
5717
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/graphqlDepthLimit.ts
|
|
5718
|
-
var graphqlDepthLimit = {
|
|
5719
|
-
depthLimit: {
|
|
5720
|
-
content: () => "Please define a maximum query depth",
|
|
5721
|
-
description: () => `Setting this number to a reasonable value will prevent the attack.
|
|
5722
|
-
Make sure to pick a value large enough to allowed the nessecary amount of nested queries.`,
|
|
5723
|
-
guidance: () => {
|
|
5724
|
-
return "We use `graphql-depth-limit` npm package to limit the depth of nested queries. Please make sure you install the package using `npm install graphql-depth-limit`.";
|
|
5725
|
-
}
|
|
5726
|
-
}
|
|
5727
|
-
};
|
|
5728
|
-
|
|
5729
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedDomainInHtml.ts
|
|
5730
|
-
var hardcodedDomainInHtml = {
|
|
5731
|
-
isCDNFixedVersion: {
|
|
5732
|
-
content: ({ url }) => `Does the content of \`${url}\` change over time? If it does, we can't offer this fix.`,
|
|
5733
|
-
description: () => "You need to make sure the content of the file you are loading from the external source is persistent. To guarantee the integrity hash does not change over time, please make sure you use a proper CDN and version of the script you are loading is pinned.",
|
|
5734
|
-
guidance: () => ""
|
|
5735
|
-
}
|
|
5736
|
-
};
|
|
5737
|
-
|
|
5738
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/hardcodedSecrets.ts
|
|
5739
|
-
var hardcodedSecrets2 = {
|
|
5740
|
-
envVarName: {
|
|
5741
|
-
content: () => "Please define an environment variable name",
|
|
5742
|
-
description: () => `We will use this environment variable instead of the hardcoded secret`,
|
|
5743
|
-
guidance: () => ""
|
|
5744
|
-
},
|
|
5745
|
-
keepAsDefault: {
|
|
5746
|
-
content: () => "Do you want to keep the hardcoded secret in the code for now?",
|
|
5747
|
-
description: () => 'Answer "yes" if you cannot set the environment variable in all environments right away.',
|
|
5748
|
-
guidance: () => ""
|
|
5749
|
-
}
|
|
5750
|
-
};
|
|
5751
|
-
|
|
5752
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/iframeWithoutSandbox.ts
|
|
5753
|
-
var iframeWithoutSandbox = {
|
|
5754
|
-
iframeRestrictions: {
|
|
5755
|
-
content: () => "Please define a comma-separated list of iframe sandbox restrictions (optional)",
|
|
5756
|
-
description: () => `Possible values:
|
|
5757
|
-
- allow-downloads
|
|
5758
|
-
- allow-forms
|
|
5759
|
-
- allow-modals
|
|
5760
|
-
- allow-orientation-lock
|
|
5761
|
-
- allow-pointer-lock
|
|
5762
|
-
- allow-popups
|
|
5763
|
-
- allow-popups-to-escape-sandbox
|
|
5764
|
-
- allow-presentation
|
|
5765
|
-
- allow-same-origin
|
|
5766
|
-
- allow-scripts
|
|
5767
|
-
- allow-storage-access-by-user-activation
|
|
5768
|
-
- allow-top-navigation
|
|
5769
|
-
- allow-top-navigation-by-user-activation
|
|
5770
|
-
- allow-top-navigation-to-custom-protocols
|
|
5771
|
-
|
|
5772
|
-
See more info [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox).`,
|
|
5773
|
-
guidance: () => ""
|
|
5774
|
-
}
|
|
5775
|
-
};
|
|
5776
|
-
|
|
5777
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/incompleteUrlSanitization.ts
|
|
5778
|
-
var incompleteUrlSanitization = {
|
|
5779
|
-
allowedRootDomain: {
|
|
5780
|
-
content: () => "The root domain of your application",
|
|
5781
|
-
description: () => "We needed to strengthen the security check by ensuring that the url is under the root domain of your application.",
|
|
5782
|
-
guidance: () => ""
|
|
5783
|
-
}
|
|
5784
|
-
};
|
|
5785
|
-
|
|
5786
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/insecureRandomness.ts
|
|
5787
|
-
var insecureRandomness2 = {
|
|
5788
|
-
isGetRandomValuesSupported: {
|
|
5789
|
-
content: () => "Is getRandomValues() function supported by your JavaScript engine?",
|
|
5790
|
-
description: () => "[getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is supported by [more than 97% of browsers](https://caniuse.com/?search=getRandomValues) and [Node.js >= 15.0.0](https://nodejs.org/api/webcrypto.html#cryptogetrandomvaluestypedarray).",
|
|
5791
|
-
guidance: () => ""
|
|
5792
|
-
}
|
|
5793
|
-
};
|
|
5794
|
-
|
|
5795
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/logForging.ts
|
|
5796
|
-
var logForging4 = {
|
|
5797
|
-
isHtmlDisplay: {
|
|
5798
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
5799
|
-
description: () => "",
|
|
5800
|
-
guidance: () => ""
|
|
5801
|
-
}
|
|
5802
|
-
};
|
|
5803
|
-
|
|
5804
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingCSPHeader.ts
|
|
5805
|
-
var cspHeaderValue = {
|
|
5806
|
-
cspHeaderValue: {
|
|
5807
|
-
content: () => "Please provide the value for the Content-Security-Policy header",
|
|
5808
|
-
description: () => `The Content-Security-Policy (CSP) header is a critical security measure that helps protect websites from various attacks, particularly Cross-Site Scripting (XSS) and other code injection attacks. Here's a concise explanation:
|
|
5809
|
-
|
|
5810
|
-
|
|
5811
|
-
|
|
5812
|
-
**What it does**:
|
|
5813
|
-
|
|
5814
|
-
|
|
5815
|
-
|
|
5816
|
-
CSP lets you specify which content sources the browser should consider valid, essentially creating a whitelist of trusted content. It controls things like:
|
|
5817
|
-
|
|
5818
|
-
|
|
5819
|
-
|
|
5820
|
-
- Which scripts can execute.
|
|
5821
|
-
- Where images can be loaded from.
|
|
5822
|
-
- Which styles can be applied.
|
|
5823
|
-
- Which forms can be submitted to.
|
|
5824
|
-
- What domains can be connected to.
|
|
5825
|
-
|
|
5826
|
-
Default value explanation:
|
|
5827
|
-
|
|
5828
|
-
- default-src 'self: Only allows resources from the same origin by default.
|
|
5829
|
-
- script-src 'self': Only allows scripts to be loaded from the same origin.
|
|
5830
|
-
- style-src 'self': Only allows styles from the same origin.
|
|
5831
|
-
- object-src 'none': Disallows <object>, <embed>, and <applet> elements.
|
|
5832
|
-
- base-uri 'self': Restricts where the <base> tag can point to.
|
|
5833
|
-
- frame-ancestors 'self': Ensures that only the same origin can embed the page using an iframe.
|
|
5834
|
-
|
|
5835
|
-
|
|
5836
|
-
**This kind of \`CSP\` is more secure but may require adjustments for your specific application, especially if you need to load resources from external domains or use inline scripts/styles.**`,
|
|
5837
|
-
guidance: () => ``
|
|
5838
|
-
}
|
|
5839
|
-
};
|
|
5840
|
-
|
|
5841
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingHSTSHeader.ts
|
|
5842
|
-
var headerMaxAge = {
|
|
5843
|
-
headerMaxAge: {
|
|
5844
|
-
content: () => "Please provide the maximum age of the header",
|
|
5845
|
-
description: () => `This is the time, in seconds, that the browser should remember that the site is only to be accessed using \`HTTPS\`.
|
|
5846
|
-
|
|
5847
|
-
|
|
5848
|
-
Setting the \`max-age\` to \`0\` (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via \`HTTP\`.
|
|
5849
|
-
|
|
5850
|
-
|
|
5851
|
-
|
|
5852
|
-
|
|
5853
|
-
The HTTP Strict-Transport-Security response header (\`HSTS\`) informs browsers that the site
|
|
5854
|
-
should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically
|
|
5855
|
-
be converted to HTTPS.
|
|
5856
|
-
|
|
5857
|
-
|
|
5858
|
-
|
|
5859
|
-
|
|
5860
|
-
If a website accepts a connection through \`HTTP\` and redirects to \`HTTPS\`, visitors may initially communicate with
|
|
5861
|
-
the non-encrypted version of the site before being redirected, if, for example, the visitor
|
|
5862
|
-
types \`http://www.example.com\` or even just \`example.com\`. This creates an opportunity for a man-in-the-middle attack.
|
|
5863
|
-
The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
|
|
5864
|
-
|
|
5865
|
-
|
|
5866
|
-
|
|
5867
|
-
The \`HTTP\` Strict Transport Security header informs the browser that it should never load a site using \`HTTP\`
|
|
5868
|
-
and should automatically convert all attempts to access the site using \`HTTP\` to \`HTTPS\` requests instead.`,
|
|
5869
|
-
guidance: () => ``
|
|
5870
|
-
}
|
|
5871
|
-
};
|
|
5872
|
-
|
|
5873
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/missingXFrameOptions.ts
|
|
5874
|
-
var xFrameOptionsValue = {
|
|
5875
|
-
xFrameOptionsValue: {
|
|
5876
|
-
content: () => "Please provide the value for the X-Frame-Options header",
|
|
5877
|
-
description: () => `The \`X-Frame-Options\` HTTP response header tells the browser whether the page is allowed to be rendered inside a \`<frame>\`, \`<iframe>\`, \`<embed>\` or \`<object>\`. Without it, attackers can embed your application in an invisible iframe and trick users into clicking on it \u2014 a class of attacks known as clickjacking (UI redressing).
|
|
5878
|
-
|
|
5879
|
-
**Allowed values:**
|
|
5880
|
-
- \`DENY\` \u2014 the page cannot be framed by any site, including your own. Recommended default for any page that does not need to be embedded.
|
|
5881
|
-
- \`SAMEORIGIN\` \u2014 the page can only be framed by pages served from the same origin. Use this only if your own application legitimately embeds this page in an iframe.`,
|
|
5882
|
-
guidance: () => ``
|
|
5883
|
-
}
|
|
5884
|
-
};
|
|
5885
|
-
|
|
5886
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/noLimitsOrThrottling.ts
|
|
5887
|
-
var noLimitsOrThrottling2 = {
|
|
5888
|
-
setGlobalLimiter: {
|
|
5889
|
-
content: () => "Would you like to use a global rate limit for all your endpoints within the same file?",
|
|
5890
|
-
description: () => "",
|
|
5891
|
-
guidance: () => ""
|
|
5892
|
-
}
|
|
5893
|
-
};
|
|
5894
|
-
|
|
5895
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/openRedirect.ts
|
|
5896
|
-
var openRedirect2 = {
|
|
5897
|
-
isExternal: {
|
|
5898
|
-
content: () => "Does the redirect go to an external site?",
|
|
5899
|
-
description: () => "",
|
|
5900
|
-
guidance: () => ""
|
|
5901
|
-
},
|
|
5902
|
-
domainAllowlist: {
|
|
5903
|
-
content: () => "Allowed domains names",
|
|
5904
|
-
description: () => "please provide a coma separated list of allowed domains names (example.com, example.org, etc.)",
|
|
5905
|
-
guidance: () => ""
|
|
5906
|
-
},
|
|
5907
|
-
pathAllowlist: {
|
|
5908
|
-
content: () => "Allowed paths (URIs)",
|
|
5909
|
-
description: () => "please provide a coma separated list of allowed path (/health, /api/v1/health, etc.)",
|
|
5910
|
-
guidance: () => ""
|
|
5911
|
-
},
|
|
5912
|
-
includeProtocolValidation: {
|
|
5913
|
-
content: () => "Should HTTP or HTTPS protocol be enforced?",
|
|
5914
|
-
description: () => "please indicate if the protocol should be enforced",
|
|
5915
|
-
guidance: () => ""
|
|
5916
|
-
}
|
|
5917
|
-
};
|
|
5918
|
-
|
|
5919
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/pt.ts
|
|
5920
|
-
var pt3 = {
|
|
5921
|
-
taintedTermType: {
|
|
5922
|
-
content: ({ expression }) => `Does \`${expression}\` represent a file name, a relative path or an absolute path?`,
|
|
5923
|
-
description: ({ expression }) => `We replace all illegal file name characters for Unix, Windows, and macOS operation systems, including slashes. Ensure that \`${expression}\` isn't supposed to contain slashes or other illegal file name characters.`,
|
|
5924
|
-
guidance: () => ""
|
|
5925
|
-
}
|
|
5926
|
-
};
|
|
5927
|
-
|
|
5928
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/ssrf.ts
|
|
5929
|
-
var ssrf4 = {
|
|
5930
|
-
domainsAllowlist: {
|
|
5931
|
-
content: () => "List of allowed domain names",
|
|
5932
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary domains.
|
|
5933
|
-
|
|
5934
|
-
|
|
5935
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of domains the server should be allowed to call.`,
|
|
5936
|
-
guidance: () => ""
|
|
5937
|
-
}
|
|
5938
|
-
};
|
|
5939
|
-
|
|
5940
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeak.ts
|
|
5941
|
-
var sysLeak3 = {
|
|
5942
|
-
errorMessage: {
|
|
5943
|
-
content: () => "Enter the error message that you want to appear in the log",
|
|
5944
|
-
description: () => "",
|
|
5945
|
-
guidance: () => ""
|
|
5946
|
-
},
|
|
5947
|
-
noLoggerAction: {
|
|
5948
|
-
content: () => "Which of the following you want to use instead of the vulnerable code?",
|
|
5949
|
-
description: () => "",
|
|
5950
|
-
guidance: () => ""
|
|
5951
|
-
}
|
|
5952
|
-
};
|
|
5953
|
-
|
|
5954
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/sysLeakExternal.ts
|
|
5955
|
-
var sysLeakExternal = {
|
|
5956
|
-
errorMessage: {
|
|
5957
|
-
content: () => "Enter the error message that you want to appear to the user",
|
|
5958
|
-
description: () => "",
|
|
5959
|
-
guidance: () => ""
|
|
5960
|
-
}
|
|
5961
|
-
};
|
|
5962
|
-
|
|
5963
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/typeConfusion.ts
|
|
5964
|
-
var typeConfusion = {
|
|
5965
|
-
argumentType: {
|
|
5966
|
-
content: () => "What is the type of the HTTP argument?",
|
|
5967
|
-
description: () => "What is the type of the HTTP argument?",
|
|
5968
|
-
guidance: () => ""
|
|
5969
|
-
}
|
|
5970
|
-
};
|
|
5971
|
-
|
|
5972
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/uncheckedLoopCondition.ts
|
|
5973
|
-
var uncheckedLoopCondition2 = {
|
|
5974
|
-
loopLimit: {
|
|
5975
|
-
content: () => "Please define a maximum loop limit",
|
|
5976
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
5977
|
-
guidance: () => ""
|
|
5978
|
-
},
|
|
5979
|
-
varName: {
|
|
5980
|
-
content: () => "Please define a variable name",
|
|
5981
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
5982
|
-
guidance: () => ""
|
|
5983
|
-
}
|
|
5984
|
-
};
|
|
5985
|
-
|
|
5986
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/xss.ts
|
|
5987
|
-
var xss3 = {
|
|
5988
|
-
containsHtml: {
|
|
5989
|
-
content: () => "Does the element or variable contain HTML formatting",
|
|
5990
|
-
description: () => "",
|
|
5991
|
-
guidance: () => ""
|
|
5992
|
-
},
|
|
5993
|
-
isParamTypeString: {
|
|
5994
|
-
content: () => "Is the parameter passed to the $() function a string",
|
|
5995
|
-
description: () => "",
|
|
5996
|
-
guidance: () => ""
|
|
5997
|
-
},
|
|
5998
|
-
isSanitized: {
|
|
5999
|
-
content: ({ expression }) => `Is the expression \`${expression}\` supposed to be not sanitized in this context?`,
|
|
6000
|
-
description: () => "You are using unsafe string substitution in the template. This means that if the expression can contain maliciously crafted data, it may lead to XSS injection. To apply the fix, you have to make sure the expression is not sanitized on the backend already, and it does not represent an HTML code block.",
|
|
6001
|
-
guidance: () => ""
|
|
6002
|
-
},
|
|
6003
|
-
isServerSideCode: {
|
|
6004
|
-
content: () => "Is this code running on the server side (a NodeJS application)",
|
|
6005
|
-
description: () => "The fix to this vulnerability is different is the code runs in the client (browser) or the server side (NodeJs)",
|
|
6006
|
-
guidance: () => ""
|
|
6007
|
-
}
|
|
6008
|
-
};
|
|
6009
|
-
|
|
6010
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/js/index.ts
|
|
6011
|
-
var vulnerabilities15 = {
|
|
6012
|
-
["CMDi"]: commandInjection3,
|
|
6013
|
-
["GRAPHQL_DEPTH_LIMIT"]: graphqlDepthLimit,
|
|
6014
|
-
["INSECURE_RANDOMNESS"]: insecureRandomness2,
|
|
6015
|
-
["SSRF"]: ssrf4,
|
|
6016
|
-
["TYPE_CONFUSION"]: typeConfusion,
|
|
6017
|
-
["INCOMPLETE_URL_SANITIZATION"]: incompleteUrlSanitization,
|
|
6018
|
-
["LOG_FORGING"]: logForging4,
|
|
6019
|
-
["XSS"]: xss3,
|
|
6020
|
-
["OPEN_REDIRECT"]: openRedirect2,
|
|
6021
|
-
["SYSTEM_INFORMATION_LEAK"]: sysLeak3,
|
|
6022
|
-
["SYSTEM_INFORMATION_LEAK_EXTERNAL"]: sysLeakExternal,
|
|
6023
|
-
["IFRAME_WITHOUT_SANDBOX"]: iframeWithoutSandbox,
|
|
6024
|
-
["PT"]: pt3,
|
|
6025
|
-
["HARDCODED_SECRETS"]: hardcodedSecrets2,
|
|
6026
|
-
["MISSING_HSTS_HEADER"]: headerMaxAge,
|
|
6027
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition2,
|
|
6028
|
-
["NO_LIMITS_OR_THROTTLING"]: noLimitsOrThrottling2,
|
|
6029
|
-
["MISSING_CSP_HEADER"]: cspHeaderValue,
|
|
6030
|
-
["MISSING_X_FRAME_OPTIONS"]: xFrameOptionsValue,
|
|
6031
|
-
["HARDCODED_DOMAIN_IN_HTML"]: hardcodedDomainInHtml,
|
|
6032
|
-
["CSRF"]: csrf2
|
|
6033
|
-
};
|
|
6034
|
-
var js_default = vulnerabilities15;
|
|
6035
|
-
|
|
6036
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/duplicatedStrings.ts
|
|
6037
|
-
var duplicatedStrings2 = {
|
|
6038
|
-
constantName: {
|
|
6039
|
-
content: () => "New constant name",
|
|
6040
|
-
description: () => "",
|
|
6041
|
-
guidance: () => ""
|
|
6042
|
-
}
|
|
6043
|
-
};
|
|
6044
|
-
|
|
6045
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/logForging.ts
|
|
6046
|
-
var logForging5 = {
|
|
6047
|
-
isHtmlDisplay: {
|
|
6048
|
-
content: () => "Is the text written to the log going to be displayed as HTML?",
|
|
6049
|
-
description: () => "",
|
|
6050
|
-
guidance: ({ userInputValue }) => {
|
|
6051
|
-
switch (userInputValue) {
|
|
6052
|
-
case "yes":
|
|
6053
|
-
return "We use `html.escape` to decode the HTML";
|
|
6054
|
-
default:
|
|
6055
|
-
return "";
|
|
6056
|
-
}
|
|
6057
|
-
}
|
|
6058
|
-
}
|
|
6059
|
-
};
|
|
6060
|
-
|
|
6061
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/missingEncoding.ts
|
|
6062
|
-
var missingEncoding = {
|
|
6063
|
-
fEncoding: {
|
|
6064
|
-
content: () => "Enter the encoding of the file",
|
|
6065
|
-
description: () => "",
|
|
6066
|
-
guidance: () => ""
|
|
6067
|
-
}
|
|
6068
|
-
};
|
|
6069
|
-
|
|
6070
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/openRedirect.ts
|
|
6071
|
-
var openRedirect3 = {
|
|
6072
|
-
allowed_hosts: {
|
|
6073
|
-
content: () => "Allowed domains/paths",
|
|
6074
|
-
description: () => "If external, provide a coma separated list of allowed domains. If internal, provide a coma seperated list of allowed paths",
|
|
6075
|
-
guidance: () => ""
|
|
6076
|
-
}
|
|
6077
|
-
};
|
|
6078
|
-
|
|
6079
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/ssrf.ts
|
|
6080
|
-
var ssrf5 = {
|
|
6081
|
-
domainsAllowlist: {
|
|
6082
|
-
content: () => "Allowed URL prefixes",
|
|
6083
|
-
description: () => `The security risk of this issue is the ability of an attacker to provide input that shoots HTTP requests from your server to arbitrary URLs, including internal ones, like \`https://admin.mycompany.com\`
|
|
6084
|
-
|
|
6085
|
-
To eliminate the risk and fix the issue, check out your app logic and make a whitelist of URLs this API should be allowed to call.`,
|
|
6086
|
-
guidance: () => ""
|
|
6087
|
-
}
|
|
6088
|
-
};
|
|
6089
|
-
|
|
6090
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/uncheckedLoopCondition.ts
|
|
6091
|
-
var uncheckedLoopCondition3 = {
|
|
6092
|
-
loopLimit: {
|
|
6093
|
-
content: () => "Please define a maximum loop limit",
|
|
6094
|
-
description: () => `Setting this number to a reasonable value will prevent the vulnerability`,
|
|
6095
|
-
guidance: () => ""
|
|
6096
|
-
},
|
|
6097
|
-
varName: {
|
|
6098
|
-
content: () => "Please define a variable name",
|
|
6099
|
-
description: () => `We need to define a variable to be used as a counter to limit the loop`,
|
|
6100
|
-
guidance: () => ""
|
|
6101
|
-
}
|
|
6102
|
-
};
|
|
6103
|
-
|
|
6104
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/python/index.ts
|
|
6105
|
-
var vulnerabilities16 = {
|
|
6106
|
-
["CSRF"]: csrf2,
|
|
6107
|
-
["LOG_FORGING"]: logForging5,
|
|
6108
|
-
["OPEN_REDIRECT"]: openRedirect3,
|
|
6109
|
-
["UNCHECKED_LOOP_CONDITION"]: uncheckedLoopCondition3,
|
|
6110
|
-
["DUPLICATED_STRINGS"]: duplicatedStrings2,
|
|
6111
|
-
["MISSING_ENCODING_FILE_OPEN"]: missingEncoding,
|
|
6112
|
-
["SSRF"]: ssrf5
|
|
6113
|
-
};
|
|
6114
|
-
var python_default2 = vulnerabilities16;
|
|
6115
|
-
|
|
6116
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/xml/unboundedOccurrences.ts
|
|
6117
|
-
var unboundedOccurrences = {
|
|
6118
|
-
maxOccursLimit: {
|
|
6119
|
-
content: () => "The number of allowed repetitions of the element.",
|
|
6120
|
-
description: () => "",
|
|
6121
|
-
guidance: () => `Setting this number to a reasonable value will prevent the attack.
|
|
6122
|
-
A value too low will prevent valid XMLs from being processed.
|
|
6123
|
-
A value too high will cause performance issues up to and including denial of service.`
|
|
6124
|
-
}
|
|
6125
|
-
};
|
|
6126
|
-
|
|
6127
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/xml/index.ts
|
|
6128
|
-
var vulnerabilities17 = {
|
|
6129
|
-
["WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES"]: unboundedOccurrences
|
|
6130
|
-
};
|
|
6131
|
-
var xml_default2 = vulnerabilities17;
|
|
6132
|
-
|
|
6133
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/noNewPrivileges.ts
|
|
6134
|
-
var noNewPrivileges = {
|
|
6135
|
-
requireNewPrivileges: {
|
|
6136
|
-
content: () => "Does the container require new privileges?",
|
|
6137
|
-
description: () => "",
|
|
6138
|
-
guidance: () => `If the container requires new privileges, setting the no-new-privileges option might harm the container functionality.`
|
|
6139
|
-
}
|
|
6140
|
-
};
|
|
6141
|
-
|
|
6142
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/portAllInterfaces.ts
|
|
6143
|
-
var portAllInterfaces = {
|
|
6144
|
-
trustedIP: {
|
|
6145
|
-
content: () => "Enter trusted Network IP",
|
|
6146
|
-
description: () => "",
|
|
6147
|
-
guidance: () => `Properly set this value to prevent access from untrusted network adapters. Setting this to a wrong value would prevent accessing the container and might break the system.`
|
|
6148
|
-
}
|
|
6149
|
-
};
|
|
6150
|
-
|
|
6151
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/writableFilesystemService.ts
|
|
6152
|
-
var writableFilesystemService = {
|
|
6153
|
-
requireWriteAccess: {
|
|
6154
|
-
content: () => "Does the container require writable filesystem access?",
|
|
6155
|
-
description: () => "",
|
|
6156
|
-
guidance: () => `If the container requires writable filesystem access, setting the filesystem as readonly might harm the container functionality.`
|
|
6157
|
-
}
|
|
6158
|
-
};
|
|
6159
|
-
|
|
6160
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/yaml/index.ts
|
|
6161
|
-
var vulnerabilities18 = {
|
|
6162
|
-
["PORT_ALL_INTERFACES"]: portAllInterfaces,
|
|
6163
|
-
["WRITABLE_FILESYSTEM_SERVICE"]: writableFilesystemService,
|
|
6164
|
-
["NO_NEW_PRIVILEGES"]: noNewPrivileges
|
|
6165
|
-
};
|
|
6166
|
-
var yaml_default = vulnerabilities18;
|
|
6167
|
-
|
|
6168
|
-
// src/features/analysis/scm/shared/src/storedQuestionData/index.ts
|
|
6169
|
-
var StoredQuestionDataItemZ = z10.object({
|
|
6170
|
-
content: z10.function().args(z10.any()).returns(z10.string()),
|
|
6171
|
-
description: z10.function().args(z10.any()).returns(z10.string()),
|
|
6172
|
-
guidance: z10.function().args(z10.any()).returns(z10.string())
|
|
6173
|
-
});
|
|
6174
|
-
var languages2 = {
|
|
6175
|
-
["Java" /* Java */]: java_default2,
|
|
6176
|
-
["JavaScript" /* JavaScript */]: js_default,
|
|
6177
|
-
["XML" /* Xml */]: xml_default2,
|
|
6178
|
-
["CSharp" /* CSharp */]: csharp_default2,
|
|
6179
|
-
["Python" /* Python */]: python_default2,
|
|
6180
|
-
["Go" /* Go */]: go_default2,
|
|
6181
|
-
["Cpp" /* Cpp */]: cpp_default,
|
|
6182
|
-
["YAML" /* Yaml */]: yaml_default
|
|
6183
|
-
};
|
|
6184
|
-
|
|
6185
|
-
// src/features/analysis/scm/shared/src/guidances.ts
|
|
6186
|
-
var IssueTypeAndLanguageZ = z11.object({
|
|
6187
|
-
issueType: SafeIssueTypeStringZ,
|
|
6188
|
-
issueLanguage: z11.nativeEnum(IssueLanguage_Enum)
|
|
6189
|
-
});
|
|
6190
4624
|
|
|
6191
4625
|
// src/features/analysis/scm/shared/src/index.ts
|
|
6192
4626
|
init_issueTypeCatalog();
|
|
@@ -6195,19 +4629,19 @@ init_urlParser2();
|
|
|
6195
4629
|
init_validations();
|
|
6196
4630
|
|
|
6197
4631
|
// src/features/analysis/scm/types.ts
|
|
6198
|
-
import { z as
|
|
4632
|
+
import { z as z10 } from "zod";
|
|
6199
4633
|
var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
|
|
6200
4634
|
ReferenceType2["BRANCH"] = "BRANCH";
|
|
6201
4635
|
ReferenceType2["COMMIT"] = "COMMIT";
|
|
6202
4636
|
ReferenceType2["TAG"] = "TAG";
|
|
6203
4637
|
return ReferenceType2;
|
|
6204
4638
|
})(ReferenceType || {});
|
|
6205
|
-
var GithubFullShaZ =
|
|
6206
|
-
var MergedPrSurvivalMetadataZ =
|
|
6207
|
-
mergeCommitShas:
|
|
4639
|
+
var GithubFullShaZ = z10.string().regex(/^[a-f0-9]{40}$/);
|
|
4640
|
+
var MergedPrSurvivalMetadataZ = z10.object({
|
|
4641
|
+
mergeCommitShas: z10.array(GithubFullShaZ).min(1).refine((shas) => new Set(shas).size === shas.length, {
|
|
6208
4642
|
message: "mergeCommitShas must contain unique SHAs"
|
|
6209
4643
|
}),
|
|
6210
|
-
targetBranch:
|
|
4644
|
+
targetBranch: z10.string().min(1)
|
|
6211
4645
|
});
|
|
6212
4646
|
var scmCloudHostname = {
|
|
6213
4647
|
["GitLab" /* GitLab */]: new URL(scmCloudUrl.GitLab).hostname,
|
|
@@ -6227,10 +4661,10 @@ var scmTypeToScmLibScmType = {
|
|
|
6227
4661
|
["Ado" /* Ado */]: "ADO" /* ADO */,
|
|
6228
4662
|
["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
|
|
6229
4663
|
};
|
|
6230
|
-
var GetReferenceResultZ =
|
|
6231
|
-
date:
|
|
6232
|
-
sha:
|
|
6233
|
-
type:
|
|
4664
|
+
var GetReferenceResultZ = z10.object({
|
|
4665
|
+
date: z10.date().optional(),
|
|
4666
|
+
sha: z10.string(),
|
|
4667
|
+
type: z10.nativeEnum(ReferenceType)
|
|
6234
4668
|
});
|
|
6235
4669
|
|
|
6236
4670
|
// src/features/analysis/scm/ado/constants.ts
|
|
@@ -6242,39 +4676,39 @@ init_env();
|
|
|
6242
4676
|
import querystring from "querystring";
|
|
6243
4677
|
import * as api from "azure-devops-node-api";
|
|
6244
4678
|
import Debug3 from "debug";
|
|
6245
|
-
import { z as
|
|
4679
|
+
import { z as z14 } from "zod";
|
|
6246
4680
|
|
|
6247
4681
|
// src/features/analysis/scm/ado/validation.ts
|
|
6248
|
-
import { z as
|
|
6249
|
-
var ValidPullRequestStatusZ =
|
|
6250
|
-
|
|
6251
|
-
|
|
6252
|
-
|
|
4682
|
+
import { z as z13 } from "zod";
|
|
4683
|
+
var ValidPullRequestStatusZ = z13.union([
|
|
4684
|
+
z13.literal(1 /* Active */),
|
|
4685
|
+
z13.literal(2 /* Abandoned */),
|
|
4686
|
+
z13.literal(3 /* Completed */)
|
|
6253
4687
|
]);
|
|
6254
|
-
var AdoAuthResultZ =
|
|
6255
|
-
access_token:
|
|
6256
|
-
token_type:
|
|
6257
|
-
refresh_token:
|
|
4688
|
+
var AdoAuthResultZ = z13.object({
|
|
4689
|
+
access_token: z13.string().min(1),
|
|
4690
|
+
token_type: z13.string().min(1),
|
|
4691
|
+
refresh_token: z13.string().min(1)
|
|
6258
4692
|
});
|
|
6259
4693
|
var AdoAuthResultWithOrgsZ = AdoAuthResultZ.extend({
|
|
6260
|
-
scmOrgs:
|
|
4694
|
+
scmOrgs: z13.array(z13.string())
|
|
6261
4695
|
});
|
|
6262
|
-
var profileZ =
|
|
6263
|
-
displayName:
|
|
6264
|
-
publicAlias:
|
|
6265
|
-
emailAddress:
|
|
6266
|
-
coreRevision:
|
|
6267
|
-
timeStamp:
|
|
6268
|
-
id:
|
|
6269
|
-
revision:
|
|
4696
|
+
var profileZ = z13.object({
|
|
4697
|
+
displayName: z13.string(),
|
|
4698
|
+
publicAlias: z13.string().min(1),
|
|
4699
|
+
emailAddress: z13.string(),
|
|
4700
|
+
coreRevision: z13.number(),
|
|
4701
|
+
timeStamp: z13.string(),
|
|
4702
|
+
id: z13.string(),
|
|
4703
|
+
revision: z13.number()
|
|
6270
4704
|
});
|
|
6271
|
-
var accountsZ =
|
|
6272
|
-
count:
|
|
6273
|
-
value:
|
|
6274
|
-
|
|
6275
|
-
accountId:
|
|
6276
|
-
accountUri:
|
|
6277
|
-
accountName:
|
|
4705
|
+
var accountsZ = z13.object({
|
|
4706
|
+
count: z13.number(),
|
|
4707
|
+
value: z13.array(
|
|
4708
|
+
z13.object({
|
|
4709
|
+
accountId: z13.string(),
|
|
4710
|
+
accountUri: z13.string(),
|
|
4711
|
+
accountName: z13.string()
|
|
6278
4712
|
})
|
|
6279
4713
|
)
|
|
6280
4714
|
});
|
|
@@ -6295,39 +4729,39 @@ import querystring2 from "querystring";
|
|
|
6295
4729
|
import * as bitbucketPkgNode from "bitbucket";
|
|
6296
4730
|
import bitbucketPkg from "bitbucket";
|
|
6297
4731
|
import Debug4 from "debug";
|
|
6298
|
-
import { z as
|
|
4732
|
+
import { z as z17 } from "zod";
|
|
6299
4733
|
|
|
6300
4734
|
// src/features/analysis/scm/bitbucket/validation.ts
|
|
6301
|
-
import { z as
|
|
6302
|
-
var BitbucketAuthResultZ =
|
|
6303
|
-
access_token:
|
|
6304
|
-
token_type:
|
|
6305
|
-
refresh_token:
|
|
4735
|
+
import { z as z16 } from "zod";
|
|
4736
|
+
var BitbucketAuthResultZ = z16.object({
|
|
4737
|
+
access_token: z16.string(),
|
|
4738
|
+
token_type: z16.string(),
|
|
4739
|
+
refresh_token: z16.string()
|
|
6306
4740
|
});
|
|
6307
4741
|
|
|
6308
4742
|
// src/features/analysis/scm/bitbucket/bitbucket.ts
|
|
6309
4743
|
var debug5 = Debug4("scm:bitbucket");
|
|
6310
4744
|
var BITBUCKET_HOSTNAME = "bitbucket.org";
|
|
6311
|
-
var TokenExpiredErrorZ =
|
|
6312
|
-
status:
|
|
6313
|
-
error:
|
|
6314
|
-
type:
|
|
6315
|
-
error:
|
|
6316
|
-
message:
|
|
4745
|
+
var TokenExpiredErrorZ = z17.object({
|
|
4746
|
+
status: z17.number(),
|
|
4747
|
+
error: z17.object({
|
|
4748
|
+
type: z17.string(),
|
|
4749
|
+
error: z17.object({
|
|
4750
|
+
message: z17.string()
|
|
6317
4751
|
})
|
|
6318
4752
|
})
|
|
6319
4753
|
});
|
|
6320
4754
|
var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
|
|
6321
|
-
var BitbucketParseResultZ =
|
|
6322
|
-
organization:
|
|
6323
|
-
repoName:
|
|
6324
|
-
hostname:
|
|
4755
|
+
var BitbucketParseResultZ = z17.object({
|
|
4756
|
+
organization: z17.string(),
|
|
4757
|
+
repoName: z17.string(),
|
|
4758
|
+
hostname: z17.literal(BITBUCKET_HOSTNAME)
|
|
6325
4759
|
});
|
|
6326
|
-
var UserWorkspacePermissionsRepositoriesResponseZ =
|
|
6327
|
-
values:
|
|
6328
|
-
|
|
6329
|
-
repository:
|
|
6330
|
-
full_name:
|
|
4760
|
+
var UserWorkspacePermissionsRepositoriesResponseZ = z17.object({
|
|
4761
|
+
values: z17.array(
|
|
4762
|
+
z17.object({
|
|
4763
|
+
repository: z17.object({
|
|
4764
|
+
full_name: z17.string().optional()
|
|
6331
4765
|
}).optional()
|
|
6332
4766
|
})
|
|
6333
4767
|
).optional()
|
|
@@ -6335,7 +4769,7 @@ var UserWorkspacePermissionsRepositoriesResponseZ = z20.object({
|
|
|
6335
4769
|
|
|
6336
4770
|
// src/features/analysis/scm/bitbucket/BitbucketSCMLib.ts
|
|
6337
4771
|
import { setTimeout as setTimeout3 } from "timers/promises";
|
|
6338
|
-
import { z as
|
|
4772
|
+
import { z as z18 } from "zod";
|
|
6339
4773
|
|
|
6340
4774
|
// src/features/analysis/scm/constants.ts
|
|
6341
4775
|
var REPORT_DEFAULT_FILE_NAME = "report.json";
|
|
@@ -6345,7 +4779,7 @@ init_env();
|
|
|
6345
4779
|
|
|
6346
4780
|
// src/features/analysis/scm/github/GithubSCMLib.ts
|
|
6347
4781
|
import pLimit3 from "p-limit";
|
|
6348
|
-
import { z as
|
|
4782
|
+
import { z as z19 } from "zod";
|
|
6349
4783
|
init_client_generates();
|
|
6350
4784
|
|
|
6351
4785
|
// src/features/analysis/scm/github/github.ts
|
|
@@ -6378,11 +4812,11 @@ import {
|
|
|
6378
4812
|
init_env();
|
|
6379
4813
|
|
|
6380
4814
|
// src/features/analysis/scm/gitlab/types.ts
|
|
6381
|
-
import { z as
|
|
6382
|
-
var GitlabAuthResultZ =
|
|
6383
|
-
access_token:
|
|
6384
|
-
token_type:
|
|
6385
|
-
refresh_token:
|
|
4815
|
+
import { z as z20 } from "zod";
|
|
4816
|
+
var GitlabAuthResultZ = z20.object({
|
|
4817
|
+
access_token: z20.string(),
|
|
4818
|
+
token_type: z20.string(),
|
|
4819
|
+
refresh_token: z20.string()
|
|
6386
4820
|
});
|
|
6387
4821
|
|
|
6388
4822
|
// src/features/analysis/scm/gitlab/gitlab.ts
|
|
@@ -6393,69 +4827,69 @@ import pLimit5 from "p-limit";
|
|
|
6393
4827
|
init_client_generates();
|
|
6394
4828
|
|
|
6395
4829
|
// src/features/analysis/scm/scmFactory.ts
|
|
6396
|
-
import { z as
|
|
4830
|
+
import { z as z21 } from "zod";
|
|
6397
4831
|
|
|
6398
4832
|
// src/features/analysis/graphql/gql.ts
|
|
6399
4833
|
init_client_generates();
|
|
6400
4834
|
|
|
6401
4835
|
// src/features/analysis/graphql/types.ts
|
|
6402
4836
|
init_client_generates();
|
|
6403
|
-
import { z as
|
|
6404
|
-
var VulnerabilityReportIssueCodeNodeZ =
|
|
6405
|
-
vulnerabilityReportIssueId:
|
|
6406
|
-
path:
|
|
6407
|
-
startLine:
|
|
6408
|
-
vulnerabilityReportIssue:
|
|
6409
|
-
fixId:
|
|
6410
|
-
category:
|
|
6411
|
-
safeIssueType:
|
|
6412
|
-
vulnerabilityReportIssueTags:
|
|
6413
|
-
|
|
6414
|
-
tag:
|
|
4837
|
+
import { z as z22 } from "zod";
|
|
4838
|
+
var VulnerabilityReportIssueCodeNodeZ = z22.object({
|
|
4839
|
+
vulnerabilityReportIssueId: z22.string(),
|
|
4840
|
+
path: z22.string(),
|
|
4841
|
+
startLine: z22.number(),
|
|
4842
|
+
vulnerabilityReportIssue: z22.object({
|
|
4843
|
+
fixId: z22.string(),
|
|
4844
|
+
category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
4845
|
+
safeIssueType: z22.string(),
|
|
4846
|
+
vulnerabilityReportIssueTags: z22.array(
|
|
4847
|
+
z22.object({
|
|
4848
|
+
tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
|
|
6415
4849
|
})
|
|
6416
4850
|
)
|
|
6417
4851
|
})
|
|
6418
4852
|
});
|
|
6419
|
-
var VulnerabilityReportIssueNoFixCodeNodeZ =
|
|
6420
|
-
vulnerabilityReportIssues:
|
|
6421
|
-
|
|
6422
|
-
id:
|
|
6423
|
-
fixId:
|
|
6424
|
-
category:
|
|
6425
|
-
safeIssueType:
|
|
6426
|
-
fpId:
|
|
6427
|
-
codeNodes:
|
|
6428
|
-
|
|
6429
|
-
path:
|
|
6430
|
-
startLine:
|
|
4853
|
+
var VulnerabilityReportIssueNoFixCodeNodeZ = z22.object({
|
|
4854
|
+
vulnerabilityReportIssues: z22.array(
|
|
4855
|
+
z22.object({
|
|
4856
|
+
id: z22.string(),
|
|
4857
|
+
fixId: z22.string().nullable(),
|
|
4858
|
+
category: z22.nativeEnum(Vulnerability_Report_Issue_Category_Enum),
|
|
4859
|
+
safeIssueType: z22.string(),
|
|
4860
|
+
fpId: z22.string().uuid().nullable(),
|
|
4861
|
+
codeNodes: z22.array(
|
|
4862
|
+
z22.object({
|
|
4863
|
+
path: z22.string(),
|
|
4864
|
+
startLine: z22.number()
|
|
6431
4865
|
})
|
|
6432
4866
|
),
|
|
6433
|
-
vulnerabilityReportIssueTags:
|
|
6434
|
-
|
|
6435
|
-
tag:
|
|
4867
|
+
vulnerabilityReportIssueTags: z22.array(
|
|
4868
|
+
z22.object({
|
|
4869
|
+
tag: z22.nativeEnum(Vulnerability_Report_Issue_Tag_Enum)
|
|
6436
4870
|
})
|
|
6437
4871
|
)
|
|
6438
4872
|
})
|
|
6439
4873
|
)
|
|
6440
4874
|
});
|
|
6441
|
-
var GetVulByNodesMetadataZ =
|
|
6442
|
-
vulnerabilityReportIssueCodeNodes:
|
|
6443
|
-
nonFixablePrVuls:
|
|
6444
|
-
aggregate:
|
|
6445
|
-
count:
|
|
4875
|
+
var GetVulByNodesMetadataZ = z22.object({
|
|
4876
|
+
vulnerabilityReportIssueCodeNodes: z22.array(VulnerabilityReportIssueCodeNodeZ),
|
|
4877
|
+
nonFixablePrVuls: z22.object({
|
|
4878
|
+
aggregate: z22.object({
|
|
4879
|
+
count: z22.number()
|
|
6446
4880
|
})
|
|
6447
4881
|
}),
|
|
6448
|
-
fixablePrVuls:
|
|
6449
|
-
aggregate:
|
|
6450
|
-
count:
|
|
4882
|
+
fixablePrVuls: z22.object({
|
|
4883
|
+
aggregate: z22.object({
|
|
4884
|
+
count: z22.number()
|
|
6451
4885
|
})
|
|
6452
4886
|
}),
|
|
6453
|
-
totalScanVulnerabilities:
|
|
6454
|
-
aggregate:
|
|
6455
|
-
count:
|
|
4887
|
+
totalScanVulnerabilities: z22.object({
|
|
4888
|
+
aggregate: z22.object({
|
|
4889
|
+
count: z22.number()
|
|
6456
4890
|
})
|
|
6457
4891
|
}),
|
|
6458
|
-
irrelevantVulnerabilityReportIssue:
|
|
4892
|
+
irrelevantVulnerabilityReportIssue: z22.array(
|
|
6459
4893
|
VulnerabilityReportIssueNoFixCodeNodeZ
|
|
6460
4894
|
)
|
|
6461
4895
|
});
|
|
@@ -7755,8 +6189,8 @@ var defaultLogger2 = {
|
|
|
7755
6189
|
}
|
|
7756
6190
|
}
|
|
7757
6191
|
};
|
|
7758
|
-
var PromptItemZ =
|
|
7759
|
-
type:
|
|
6192
|
+
var PromptItemZ = z23.object({
|
|
6193
|
+
type: z23.enum([
|
|
7760
6194
|
"USER_PROMPT",
|
|
7761
6195
|
"AI_RESPONSE",
|
|
7762
6196
|
"TOOL_EXECUTION",
|
|
@@ -7764,32 +6198,32 @@ var PromptItemZ = z26.object({
|
|
|
7764
6198
|
"MCP_TOOL_CALL"
|
|
7765
6199
|
// MCP (Model Context Protocol) tool invocation
|
|
7766
6200
|
]),
|
|
7767
|
-
attachedFiles:
|
|
7768
|
-
|
|
7769
|
-
relativePath:
|
|
7770
|
-
startLine:
|
|
6201
|
+
attachedFiles: z23.array(
|
|
6202
|
+
z23.object({
|
|
6203
|
+
relativePath: z23.string(),
|
|
6204
|
+
startLine: z23.number().optional()
|
|
7771
6205
|
})
|
|
7772
6206
|
).optional(),
|
|
7773
|
-
tokens:
|
|
7774
|
-
inputCount:
|
|
7775
|
-
outputCount:
|
|
6207
|
+
tokens: z23.object({
|
|
6208
|
+
inputCount: z23.number(),
|
|
6209
|
+
outputCount: z23.number()
|
|
7776
6210
|
}).optional(),
|
|
7777
|
-
text:
|
|
7778
|
-
date:
|
|
7779
|
-
tool:
|
|
7780
|
-
name:
|
|
7781
|
-
parameters:
|
|
7782
|
-
result:
|
|
7783
|
-
rawArguments:
|
|
7784
|
-
accepted:
|
|
6211
|
+
text: z23.string().optional(),
|
|
6212
|
+
date: z23.date().optional(),
|
|
6213
|
+
tool: z23.object({
|
|
6214
|
+
name: z23.string(),
|
|
6215
|
+
parameters: z23.string(),
|
|
6216
|
+
result: z23.string(),
|
|
6217
|
+
rawArguments: z23.string().optional(),
|
|
6218
|
+
accepted: z23.boolean().optional(),
|
|
7785
6219
|
// MCP-specific fields (only populated for MCP_TOOL_CALL type)
|
|
7786
|
-
mcpServer:
|
|
6220
|
+
mcpServer: z23.string().optional(),
|
|
7787
6221
|
// MCP server name (e.g., "datadog", "mobb-mcp")
|
|
7788
|
-
mcpToolName:
|
|
6222
|
+
mcpToolName: z23.string().optional()
|
|
7789
6223
|
// MCP tool name without prefix (e.g., "scan_and_fix_vulnerabilities")
|
|
7790
6224
|
}).optional()
|
|
7791
6225
|
});
|
|
7792
|
-
var PromptItemArrayZ =
|
|
6226
|
+
var PromptItemArrayZ = z23.array(PromptItemZ);
|
|
7793
6227
|
var NULL_REPO_STATE = {
|
|
7794
6228
|
repositoryUrl: null,
|
|
7795
6229
|
branch: null,
|