wiz (new) #169
Walkthrough: This pull request introduces several new modules and configuration files in the appmixer/wiz directory. New functionalities for authentication, cloud resource retrieval, and security scan uploads are implemented, including endpoints for token validation, GraphQL queries for cloud resources, and a complete file upload process with retry logic. Additionally, supporting component configuration files, input schemas, API call utilities, quota rules, and service metadata have been added to support these features.
Actionable comments posted: 4
🧹 Nitpick comments (17)
src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1)
8-13: Consider adding error handling for invalid type values. The function correctly extracts the type from context.properties and uses it to select the appropriate inputs schema. However, there's no error handling if an invalid type is provided that doesn't exist in the inputs object.

```diff
 async generateInspector(context) {
     const { type } = context.properties;
+    if (!inputs[type]) {
+        return context.sendJson({ error: `Invalid type: ${type}` }, 'out');
+    }
     return context.sendJson({ inputs: inputs[type] }, 'out');
 }
```
src/appmixer/wiz/quota.js (3)
1-1: Remove redundant 'use strict' directive. The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.

```diff
-'use strict';
```
6-7: Update references to Salesforce in comments. The comments refer to Salesforce limits, but this appears to be for Wiz API quota management based on the PR objectives and module path.

```diff
-    // According to salesforce limits are per 24-hour period
-    //https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm
+    // According to Wiz API documentation, limits are per 24-hour period
+    // See Wiz API documentation for more details
```
15-16: Update references to Salesforce in comments. Similar issue with the second rule comment.

```diff
-    // According to salesforce limits are 25 requests per 20 seconds
+    // According to Wiz API documentation, limits are 25 requests per 20 seconds
```
src/appmixer/wiz/core/UploadSecurityScan/component.json (1)
84-85: Fix typo in tooltip text. There's a typo in the Analysis Date field tooltip.

```diff
-    "tooltip": "The date the scan was performed. For examole 2025-01-14T00:05:11.463Z.",
+    "tooltip": "The date the scan was performed. For example 2025-01-14T00:05:11.463Z.",
```
src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js (2)
15-21: Consider using a more appropriate input type for timestamps. Currently, the timestamp field is defined as plain text, which may be prone to incorrect or inconsistent formatting. If the platform supports it, using a date or datetime field (or validating the input format) would help ensure accuracy and consistency.
35-41: Validate or constrain the `externalFindingLink` field. Declaring this as a simple text field may allow invalid or malformed URLs. Introducing a link validator or explicitly labeling it as a URL-type field could enhance usability and prevent errors.
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
1-1: Remove the redundant 'use strict' directive. Modern JavaScript modules are already in strict mode, so this statement can be safely removed to comply with linting rules.

```diff
-'use strict';
```
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
1-1: Remove the redundant 'use strict' directive. As in the previous file, this directive is unnecessary in JavaScript modules.

```diff
-'use strict';
```
110-116: Prevent potential runtime errors when splitting `mitreTacticIds` or `mitreTechniqueIds`. If these fields are undefined, `.split(',')` will throw a runtime error. Consider a fallback or validation check to ensure they're valid strings.

```diff
 return events.map(event => {
+    const tacticIds = typeof event.mitreTacticIds === 'string'
+        ? event.mitreTacticIds.split(',').map(item => item.trim())
+        : [];
+    const techniqueIds = typeof event.mitreTechniqueIds === 'string'
+        ? event.mitreTechniqueIds.split(',').map(item => item.trim())
+        : [];
     return {
         ...event,
-        mitreTacticIds: event.mitreTacticIds.split(',').map(item => item.trim()),
-        mitreTechniqueIds: event.mitreTechniqueIds.split(',').map(item => item.trim())
+        mitreTacticIds: tacticIds,
+        mitreTechniqueIds: techniqueIds
     };
 });
```
139-152: Use optional chaining for safer property access. Conditional checks like `if (events && events.AND.length)` can throw an error if `AND` is undefined. Optional chaining (`events?.AND?.length`) prevents such errors and improves readability.

```diff
-    if (events && events.AND.length) {
+    if (events?.AND?.length) {
         asset.events = normalizeEvents(events.AND);
     }
```
src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (2)
7-46: Consider refining the fields in the GraphQL query. If not all fields in `CloudResourceFragment` are strictly necessary, narrowing the selection can help reduce the payload size and improve performance.
103-142: Enhance error resilience and partial handling. The `do { ... } while(...)` loop logic is good, but we might strengthen resilience by handling unexpected `data` structures (e.g., missing `data.data.cloudResources`) gracefully. Returning partial results or a more descriptive error could improve user experience.
src/appmixer/wiz/auth.js (2)
1-1: Remove the redundant 'use strict'. Modules in modern JavaScript inherently run in strict mode, so this directive is generally unnecessary.

```diff
-'use strict';
```
3-55: Ensure robust error handling in token retrieval. If the remote call fails or returns an unexpected structure (e.g., no `data.access_token`), consider throwing a descriptive error or returning a clear indication of the failure so callers can handle it gracefully.
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1)
68-176: Potential for reusing shared fields. Many fields in `vulnerabilityFindings` mirror those in `webAppVulnerabilityFindings`. A shared schema or helper could reduce duplication and improve maintainability.
src/appmixer/wiz/lib.js (1)
35-35: Avoid using the `delete` operator for performance reasons. Using `delete schema.title;` can degrade performance and is flagged by the linter. Instead, consider an alternative approach that sets the property to `undefined` or omits the title property when building `options`. Example replacement:

```diff
-    delete schema.title;
+    schema.title = undefined;
```
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (15)
- src/appmixer/wiz/auth.js (1 hunks)
- src/appmixer/wiz/bundle.json (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/component.json (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/resources.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/component.json (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1 hunks)
- src/appmixer/wiz/lib.js (1 hunks)
- src/appmixer/wiz/quota.js (1 hunks)
- src/appmixer/wiz/service.json (1 hunks)
✅ Files skipped from review due to trivial changes (3)
- src/appmixer/wiz/bundle.json
- src/appmixer/wiz/core/FindCloudResources/resources.js
- src/appmixer/wiz/service.json
🧰 Additional context used
🪛 Biome (1.9.4)
src/appmixer/wiz/quota.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
[error] 139-139: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 143-143: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 148-148: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/lib.js
[error] 35-35: Avoid the delete operator which can impact performance.
Unsafe fix: Use an undefined assignment instead.
(lint/performance/noDelete)
🪛 GitHub Check: build
src/appmixer/wiz/lib.js
[failure] 80-80:
'toCsv' is assigned a value but never used
🪛 ESLint
src/appmixer/wiz/lib.js
[error] 80-80: 'toCsv' is assigned a value but never used.
(no-unused-vars)
🪛 GitHub Actions: Node.js CI
src/appmixer/wiz/lib.js
[error] 80-80: 'toCsv' is assigned a value but never used no-unused-vars
🔇 Additional comments (10)
src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1)
1-4: LGTM: Module imports look good. The imports structure is clean and uses a well-organized approach of grouping related input schemas.
src/appmixer/wiz/quota.js (1)
5-23: LGTM: Quota rules are well structured. The quota rules are well-defined with clear limits, time windows, and appropriate throttling/queueing strategies. This implementation will help ensure the application stays within API rate limits.
src/appmixer/wiz/core/FindCloudResources/component.json (1)
1-79: LGTM: Well-structured component configuration. The component configuration is comprehensive and well-organized, with clear descriptions, appropriate authentication and quota settings, and well-defined input/output ports. The UI configuration with tooltips and options enhances usability.
src/appmixer/wiz/core/UploadSecurityScan/component.json (1)
1-140: LGTM: Component configuration is well structured. The component configuration is comprehensive and well-organized with appropriate authentication, quota settings, and well-defined input/output ports. The schema validation and UI configuration with tooltips and options will provide a good user experience.
src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js (1)
58-70: Enforce the requirement for Mitre Tactic/Technique IDs. The tooltip states at least one value must be present, but there's no apparent runtime or form-level validation to ensure this requirement is met. Implementing a validation check or defaulting to an empty array (if missing) could make the code more robust.
src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (2)
1-4: Looks good! The initial doc block provides a clear reference to the Wiz documentation.
48-101: Schema definitions appear consistent. The `outputSchema` thoroughly covers the expected structure. No immediate concerns here.
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1)
1-67: Web App Vulnerability Fields look comprehensive. All the fields and tooltips provide a clear guide for data input. No major issues found.
src/appmixer/wiz/lib.js (2)
5-26: Consider handling the case of empty records when outputType is 'first'. If the `records` array is empty, `records[0]` will be undefined, which may lead to unexpected behavior. It might be safer to check if the array is non-empty before sending the first record.
60-73: Implementation looks solid. The HTTP request logic is straightforward, properly sets headers, and uses the token from `context.auth`. No immediate issues found.
Actionable comments posted: 0
🧹 Nitpick comments (5)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (5)
261-261: Validate required parameters at function start. The `getResources` function uses `filterBy` as a key parameter but doesn't validate if it's provided or properly formed. This could lead to GraphQL errors when the query is executed.

```diff
 async getResources(context, { PAGE_SIZE = 500, limit, filterBy }) {
+    if (!filterBy) {
+        throw new context.CancelError('filterBy parameter is required');
+    }
+
+    // Provide a default for limit if not specified
+    const recordLimit = limit || 1000;
     let nextPageToken = null;
```
286-289: Improve error handling with more specificity. The current error handling throws a generic CancelError with all GraphQL errors. Consider providing more specific error messages to help with debugging.

```diff
 if (data.errors) {
-    throw new context.CancelError(data.errors);
+    const errorMessage = data.errors.map(e => e.message).join('; ');
+    throw new context.CancelError(`GraphQL API error: ${errorMessage}`);
 }
```
290-290: Add defensive check before destructuring API response. The code assumes `data.data.cloudResources` exists and has the expected structure. Add a defensive check to ensure the response has the expected format before destructuring.

```diff
-const { pageInfo = {}, nodes } = data.data.cloudResources;
+if (!data.data || !data.data.cloudResources) {
+    throw new context.CancelError('Unexpected API response format');
+}
+
+const { pageInfo = {}, nodes = [] } = data.data.cloudResources;
```
292-294: Consider returning an empty array instead of 'notFound' message. When no resources are found, returning a standardized empty array might be more consistent with the function's return type (which is an array of records). This would make it easier for the caller to handle the response.

```diff
 if (nodes.length === 0) {
-    return context.sendJson({ filterBy }, 'notFound');
+    return [];
 }
```
299-299: Add a safeguard against excessive API calls. The current loop condition relies on two checks, but consider adding a maximum iteration limit as a safeguard against potential excessive API calls in case of errors or unexpected pagination behavior.

```diff
+let iterationCount = 0;
+const MAX_ITERATIONS = 100; // Adjust based on expected maximum number of pages
+
 do {
     // existing code...
     nextPageToken = pageInfo.hasNextPage ? pageInfo.endCursor : null;
+    iterationCount++;
-} while (nextPageToken && totalRecordsCount < limit);
+} while (nextPageToken && totalRecordsCount < (limit || 1000) && iterationCount < MAX_ITERATIONS);
+
+if (iterationCount >= MAX_ITERATIONS) {
+    context.logger.warn(`Reached maximum iteration limit (${MAX_ITERATIONS}) when fetching cloud resources`);
+}
```
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
- src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1 hunks)
🔇 Additional comments (1)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1)
269-271: Guard against `limit` being undefined or invalid. If `limit` is not provided or zero, calling `limit - totalRecordsCount` may throw or produce unintended results. Consider providing a default value, or validate `limit` before using it.

```diff
 const variables = {
-    first: Math.min(PAGE_SIZE, limit - totalRecordsCount),
+    first: Math.min(PAGE_SIZE, (limit || 1000) - totalRecordsCount),
     filterBy
 };
```
Actionable comments posted: 4
♻️ Duplicate comments (1)
src/appmixer/wiz/lib.js (1)
80-96: ⚠️ Potential issue: Remove unused 'toCsv' function. The `toCsv` function is defined but never used, causing ESLint errors and pipeline failures. Either remove the function or use it where needed.

```diff
-/**
- * @param {array} array
- * @returns {string}
- */
-const toCsv = (array) => {
-    const headers = Object.keys(array[0]);
-
-    return [
-        headers.join(','),
-
-        ...array.map(items => {
-            return Object.values(items).map(property => {
-                if (typeof property === 'object') {
-                    return JSON.stringify(property);
-                }
-                return property;
-            }).join(',');
-        })
-
-    ].join('\n');
-};
```
🧹 Nitpick comments (16)
src/appmixer/wiz/quota.js (2)
1-1: Remove redundant 'use strict' directive. ES modules operate in strict mode by default, making this directive unnecessary.

```diff
-'use strict';
 module.exports = {
```
3-24: Consider adding error handling for quota exceeded scenarios. The quota rules define limits, but there's no visible handling for cases when the quota is exceeded. Consider adding a mechanism to gracefully handle rate limit errors, such as exponential backoff or user-friendly error messages.
Would you like me to provide an example implementation of quota exceeded error handling?
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (4)
1-1: Remove redundant 'use strict' directive. ES modules operate in strict mode by default, making this directive unnecessary.

```diff
-'use strict';
 const lib = require('../../lib');
 const resources = require('./resources');
```
10-10: Add validation for the limit parameter. The limit parameter is destructured with a default value, but there's no validation to ensure it's a positive number or within reasonable bounds. Consider adding validation to prevent potential issues.

```diff
 const { outputType, filter, limit = 10 } = context.messages.in.content;
+
+if (limit <= 0 || !Number.isInteger(Number(limit))) {
+    throw new context.CancelError('Invalid Input: Limit must be a positive integer');
+}
```
16-23: Improve error handling for filter parameter. The current error handling for the filter parameter is good, but the error message could be more specific. Consider enhancing the error message to guide users on how to format the filter correctly.

```diff
 let filterBy;
 if (filter) {
     try {
         filterBy = JSON.parse(filter);
     } catch (e) {
-        throw new context.CancelError('Invalid Input: Filter', e);
+        throw new context.CancelError('Invalid Input: Filter must be a valid JSON string. Example: {"field":"value"}', e);
     }
 }
```
25-25: Consider adding logging for resource retrieval. Adding logging before and after the resource retrieval can help with debugging and monitoring. This is particularly useful for operations that might take time or could fail.

```diff
+await context.log({ step: 'Retrieving cloud resources', filter: filterBy, limit });
 const records = await resources.exposed.getResources(context, { filterBy, limit });
+await context.log({ step: 'Retrieved cloud resources', count: records.length });
```
src/appmixer/wiz/lib.js (3)
5-26: Add error handling for empty records array. The `sendArrayOutput` function doesn't handle the case when the records array is empty, which could lead to errors especially for the 'first' outputType. Consider adding a check to handle this case gracefully.

```diff
 async sendArrayOutput({ context, outputPortName = 'out', outputType = 'array', records = [] }) {
+    if (records.length === 0) {
+        await context.log({ step: 'No records to output', outputType });
+        if (outputType === 'first') {
+            await context.sendJson({}, outputPortName);
+            return;
+        } else if (outputType === 'array') {
+            await context.sendJson({ result: [] }, outputPortName);
+            return;
+        } else if (outputType === 'file') {
+            // proceed to create empty file
+        } else if (outputType === 'object') {
+            await context.sendArray([], outputPortName);
+            return;
+        }
+    }
+
     if (outputType === 'first') {
         // One by one.
         await context.sendJson(records[0], outputPortName);
```
35-35: Avoid using delete operator for performance reasons. Using the delete operator can impact performance as flagged by static analysis. Consider using assignment to undefined instead.

```diff
-    delete schema.title;
+    schema.title = undefined;
```
60-73: Make API endpoint URL configurable. The `makeApiCall` function uses a hardcoded fallback URL. Consider making this more configurable or loading it from a centralized configuration.

```diff
 async makeApiCall({ context, method = 'GET', data }) {
-    const url = context.config.apiEndpointUrl || 'https://api.us18.app.wiz.io/graphql';
+    const url = context.config.apiEndpointUrl || context.config.wizApiEndpoint || 'https://api.us18.app.wiz.io/graphql';
+
+    await context.log({ step: 'Making API call', url, method });
     return context.httpRequest({
```
src/appmixer/wiz/auth.js (3)
1-1: Remove redundant 'use strict' directive. ES modules operate in strict mode by default, making this directive unnecessary.

```diff
-'use strict';
 module.exports = {
```
20-28: Improve client ID masking for better security. The current implementation masks the client ID by showing the first 3 and last 3 characters. Consider a more secure approach by showing fewer characters or using a fixed mask pattern regardless of ID length.

```diff
 accountNameFromProfileInfo: context => {
     const name = context.clientId;
-    const threshold = 10;
-    if (name.length > threshold) {
-        return name.slice(0, 3) + '....' + name.slice(-3);
-    }
-    return name;
+    // Always mask the client ID, regardless of length
+    if (!name) return 'Unknown client';
+    if (name.length <= 6) return '******';
+    return name.slice(0, 2) + '******' + name.slice(-2);
 },
```
32-32: Make authentication URL configurable. The authentication URL is hardcoded. Consider making it configurable, especially if different environments (testing, production) might use different endpoints.

```diff
-    const url = 'https://auth.app.wiz.io/oauth/token';
+    const url = context.config.authEndpointUrl || 'https://auth.app.wiz.io/oauth/token';
```
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (4)
1-1: Remove the redundant `'use strict'` directive. ES modules automatically run in strict mode, so there's no need to include `'use strict'`. Removing it helps streamline the code.

```diff
-'use strict';
```
95-107: Consider a streaming or chunk-based upload approach for large files. The current code uploads the entire `fileContent` using `application/json`. If very large files are expected, a streaming approach or chunk-based upload might be more efficient.
105-105: Avoid logging full file content to prevent potential sensitive data leaks. Storing `fileContent` in logs can lead to PII or proprietary data exposure. Consider logging only metadata (e.g., payload size) or a sanitized subset of the content:

```diff
-await context.log({ stage: 'UPLOAD FINISHED', uploadData: upload.statusCode, fileContent });
+await context.log({
+    stage: 'UPLOAD FINISHED',
+    uploadData: upload.statusCode,
+    fileContentSize: fileContent ? JSON.stringify(fileContent).length : 0
+});
```
139-139: Use optional chaining to simplify null checks. Refactor these conditions:

```js
if (events && events.AND.length) { ... }
if (vulnerabilityFindings && vulnerabilityFindings.AND.length) { ... }
if (webAppVulnerabilityFindings && webAppVulnerabilityFindings.AND.length) { ... }
```

By using optional chaining, the code becomes more concise and readable:

```diff
-if (events && events.AND.length) {
+if (events?.AND?.length) {
-if (vulnerabilityFindings && vulnerabilityFindings.AND.length) {
+if (vulnerabilityFindings?.AND?.length) {
-if (webAppVulnerabilityFindings && webAppVulnerabilityFindings.AND.length) {
+if (webAppVulnerabilityFindings?.AND?.length) {
```

Also applies to: 143-143, 148-148
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (15)
- src/appmixer/wiz/auth.js (1 hunks)
- src/appmixer/wiz/bundle.json (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/component.json (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1 hunks)
- src/appmixer/wiz/core/FindCloudResources/resources.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/component.json (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js (1 hunks)
- src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1 hunks)
- src/appmixer/wiz/lib.js (1 hunks)
- src/appmixer/wiz/quota.js (1 hunks)
- src/appmixer/wiz/service.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (8)
- src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js
- src/appmixer/wiz/bundle.json
- src/appmixer/wiz/core/UploadSecurityScan/component.json
- src/appmixer/wiz/service.json
- src/appmixer/wiz/core/FindCloudResources/resources.js
- src/appmixer/wiz/core/FindCloudResources/resources.cloud.js
- src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js
- src/appmixer/wiz/core/FindCloudResources/component.json
🔇 Additional comments (3)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (2)
269-271: Guard against undefined or invalid `limit`. This was previously noted. If `limit` is not provided or is zero, `limit - totalRecordsCount` may produce unexpected results or a negative number. Consider a fallback or validation:

```diff
-    first: Math.min(PAGE_SIZE, limit - totalRecordsCount),
+    first: Math.min(PAGE_SIZE, (limit ?? 1000) - totalRecordsCount),
```
293-293
: Fix the undeclared variable reference.This was previously noted. The variable
filter
does not exist in this scope; usefilterBy
instead to avoid aReferenceError
at runtime.- return context.sendJson({ filter }, 'notFound'); + return context.sendJson({ filterBy }, 'notFound');src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (1)
45-45
: Avoid module-level retry counter to prevent concurrency issues.This issue was previously raised and remains relevant. If this code can be triggered by parallel calls, the shared
attempts
variable may be updated unexpectedly across different invocations. Consider tracking the retry count in a local variable or resetting after each call.
index: 4, | ||
label: 'External Detection Source', | ||
defaultValue: 'Package', | ||
tooltip: 'The severity of the vulnerability. Default is Medium', |
🛠️ Refactor suggestion
Correct the tooltip text to match the label and default value.
Here, the label is "External Detection Source" with a default of "Package," but the tooltip mentions "The severity of the vulnerability. Default is Medium." This inconsistency can mislead users. Consider revising it:
- tooltip: 'The severity of the vulnerability. Default is Medium',
+ tooltip: 'Defines the external detection source. Default is Package',
Actionable comments posted: 3
♻️ Duplicate comments (1)
src/appmixer/wiz/auth.js (1)
30-53: ⚠️ Potential issue
Add error handling for failed authentication.
The `validate` function doesn't have explicit error handling for API failures. Consider adding try/catch and providing helpful error messages when authentication fails.
validate: async context => { const url = 'https://auth.app.wiz.io/oauth/token'; + try { const { data } = await context.httpRequest({ method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'accept': 'application/json' }, data: { grant_type: 'client_credentials', audience: 'wiz-api', client_id: context.clientId, client_secret: context.clientSecret }, url }); return { token: data.access_token, expires: data.expires_in }; + } catch (error) { + const statusCode = error.response?.status; + const errorMessage = error.response?.data?.error_description || error.message; + + if (statusCode === 401) { + throw new Error(`Authentication failed: Invalid client credentials. ${errorMessage}`); + } else if (statusCode === 403) { + throw new Error(`Authentication failed: Insufficient permissions. ${errorMessage}`); + } else { + throw new Error(`Authentication failed: ${errorMessage}`); + } + } }
🧹 Nitpick comments (8)
src/appmixer/wiz/core/FindCloudResources/component.json (3)
18-24: Consider making filter a required field or adding validation.
The schema defines both properties as optional (empty required array). Consider making filter a required field if it's necessary for the component's operation, or ensure proper validation in the implementation code.
"schema": { "type": "object", "properties": { "filter": { "type": "string" }, "limit": { "type": "number" } }, - "required": [] + "required": ["filter"] },
25-32: Consider providing example filter JSON in the tooltip.
The filter field could benefit from example JSON formats to guide users on the correct structure.
"filter": { "type": "textarea", "label": "Filter", - "tooltip": "This object defines query filters to narrow down search results and return specific cloud resources.", + "tooltip": "This object defines query filters to narrow down search results and return specific cloud resources. Example: {\"type\": \"VIRTUAL_MACHINE\", \"updatedAt\": {\"gte\": \"2023-01-01\"}}", "index": 0 },
144-151: Ensure consistent formatting for property titles.
Some property titles like "Cloud Provider U R L" have spaces between letters, which seems to be a formatting issue. This appears in several places in the schema and should be fixed for consistency.
"cloudProviderURL": { "type": "null", - "title": "Graph Entity.Properties.Cloud Provider U R L" + "title": "Graph Entity.Properties.Cloud Provider URL" },
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (2)
1-1: Remove redundant 'use strict' directive.
The 'use strict' directive is redundant in ES modules as they are automatically in strict mode.
-'use strict'; const lib = require('../../lib'); const resources = require('./resources');
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
21-21: Add logging for debugging and monitoring.
Consider adding logging statements for tracking API calls, especially for production troubleshooting.
+ context.logger.info('Fetching Wiz cloud resources with filter:', JSON.stringify(filterBy)); const records = await resources.exposed.getResources(context, { filterBy, limit }); + context.logger.info(`Retrieved ${records.length} cloud resources`);
src/appmixer/wiz/auth.js (3)
1-1: Remove redundant 'use strict' directive.
The 'use strict' directive is redundant in ES modules as they are automatically in strict mode.
-'use strict'; module.exports = {
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
20-28: Extract the threshold value as a constant for better maintainability.
The threshold of 10 is hardcoded inside the function. Consider extracting it as a named constant at the top of the file for better maintainability.
+'use strict'; + +const CLIENT_ID_MASK_THRESHOLD = 10; module.exports = { type: 'apiKey', definition: { auth: { clientId: { type: 'text', name: 'Client ID' }, clientSecret: { type: 'text', name: 'Client Secret' } }, accountNameFromProfileInfo: context => { const name = context.clientId; - const threshold = 10; - if (name.length > threshold) { + if (name.length > CLIENT_ID_MASK_THRESHOLD) { return name.slice(0, 3) + '....' + name.slice(-3); } return name; },
49-52: Add token caching and refreshing mechanism.
Currently, the authentication flow will request a new token for each operation. Consider implementing a token caching mechanism that checks token expiration and only retrieves a new token when necessary.
This would improve performance and reduce the number of authentication calls to the Wiz API. You could use the `expires` value to determine when to refresh the token.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
src/appmixer/wiz/auth.js (1 hunks)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1 hunks)
src/appmixer/wiz/core/FindCloudResources/component.json (1 hunks)
🧰 Additional context used
🪛 Biome (1.9.4)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🔇 Additional comments (4)
src/appmixer/wiz/core/FindCloudResources/component.json (2)
1-4: Component definition follows best practices.
The component is properly namespaced and includes clear metadata with appropriate descriptions.
83-276: ❌ Incorrect review comment
Consider adding pagination support for large result sets.
The GraphEntity schema is comprehensive, but there's no indication of pagination for results. When dealing with cloud resources, the number of results can be large. Consider adding pagination support or documenting any limits on the number of results returned.
🏁 Script executed:
#!/bin/bash
# Check if pagination is implemented in the resources handler
cat src/appmixer/wiz/core/FindCloudResources/resources.exposed.js | grep -A 15 getResources
Length of output: 516
Pagination is already implemented in the resource handler.
The `getResources` function found in `src/appmixer/wiz/core/FindCloudResources/resources.exposed.js` clearly implements pagination using `PAGE_SIZE`, `limit`, and `nextPageToken`. There's no need to add additional pagination support in the schema, though you might consider documenting the pagination limits for clarity.
Likely an incorrect or invalid review comment.
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (2)
7-8: Good use of documentation reference.
Including a reference to the API documentation is helpful for maintenance and understanding.
12-19: Good error handling for filter parsing.
The try-catch block appropriately handles JSON parsing errors with a clear error message.
// docs: https://win.wiz.io/reference/pull-cloud-resources | ||
async receive(context) { | ||
|
||
const { outputType, filter, limit = 10 } = context.messages.in.content; |
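Review bot: in this hunk `limit` is destructured from `context.messages.in.content` with only a default (`limit = 10`) and no type or range check, and the review of resources.exposed.js above shows it feeding `Math.min(PAGE_SIZE, limit - totalRecordsCount)`, so a zero, negative or non-numeric value reaches that subtraction unchecked. Coerce and bound it at the point of entry, e.g. `const limit = Math.max(1, Number(context.messages.in.content.limit) || 100);`, using the 100 that component.json is reported to default to, so the two defaults stop disagreeing as well.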
Resolve inconsistent default limit value.
The default limit is set to 10 here, but in the component definition (component.json), it's set to 100. This inconsistency should be resolved to ensure predictable behavior.
- const { outputType, filter, limit = 10 } = context.messages.in.content;
+ const { outputType, filter, limit = 100 } = context.messages.in.content;
Actionable comments posted: 0
🧹 Nitpick comments (3)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
1-1: Remove redundant 'use strict' directive.
JavaScript modules are automatically in strict mode, making this directive unnecessary.
-'use strict';
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/auth.js (2)
1-1: Remove redundant 'use strict' directive.
JavaScript modules are automatically in strict mode, making this directive unnecessary.
-'use strict';
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
5-18: Enhance security settings for sensitive credentials.
The authentication credentials are configured as simple text fields. Consider enhancing security by setting the `clientSecret` field to use a password type to mask the input.
auth: { clientId: { type: 'text', name: 'Client ID' }, clientSecret: { - type: 'text', + type: 'password', name: 'Client Secret' } },
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
src/appmixer/wiz/auth.js (1 hunks)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1 hunks)
🧰 Additional context used
🪛 Biome (1.9.4)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🔇 Additional comments (8)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (5)
7-8: Good use of documentation reference.
Including the API documentation reference is a good practice for maintainability.
10-10: Resolve inconsistent default limit value.
The default limit is set to 10 here, but in the component definition (component.json), it's set to 100. This inconsistency should be resolved to ensure predictable behavior.
- const { filter, limit = 10 } = context.messages.in.content;
+ const { filter, limit = 100 } = context.messages.in.content;
12-19: Good filter validation handling.
The code properly validates and parses the filter parameter with appropriate error handling when the JSON is invalid.
21-23: Add error handling for resource retrieval.
The call to `resources.exposed.getResources` lacks error handling. Consider wrapping it in a try-catch block to provide better error messages to users.
- const records = await resources.exposed.getResources(context, { filterBy, limit }); - - return lib.sendArrayOutput({ context, records, outputType: 'object' }); + try { + const records = await resources.exposed.getResources(context, { filterBy, limit }); + return lib.sendArrayOutput({ context, records, outputType: 'object' }); + } catch (error) { + context.logger.error('Error retrieving cloud resources:', error); + throw new context.CancelError('Failed to retrieve cloud resources', error); + }
23-23: ❓ Verification inconclusive
Verify if outputType should be configurable.
The outputType is hardcoded to 'object', but the code suggests it should be configurable from the input message. Consider updating the code to extract outputType from the input or ensure this is the intended behavior.
🏁 Script executed:
#!/bin/bash
# Description: Check if outputType is used as a configurable parameter in other places
# Look for outputType references in related files
echo "Checking if outputType is configurable in other files"
rg -A 2 -B 2 "outputType" --glob "src/appmixer/wiz/**/*.js" --glob "!src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js"
# Check component.json for this component to see if outputType is defined as an input parameter
echo "Checking component.json for outputType configuration"
fd -t f "component.json" --full-path --base-directory "src/appmixer/wiz/core/FindCloudResources" | xargs cat
Length of output: 2752
Clarify the Configurability of `outputType` in FindCloudResources
The `sendArrayOutput` function in our library supports several `outputType` options (with its default set to `'array'`), yet the FindCloudResources component is explicitly using `'object'`. No configuration in a component file (like a corresponding component.json) indicates that this value should be driven from the input message. Please verify whether the hardcoded `'object'` value is intentional. If the output type is meant to be configurable, update the component logic to extract this parameter from the input or configuration; otherwise, add a clarifying comment to make the fixed behavior explicit.
src/appmixer/wiz/auth.js (3)
20-28: Good account name masking implementation.
The account name masking function properly handles different client ID lengths, providing good user experience while maintaining security by masking part of the ID.
30-53: Add error handling for failed authentication.
The `validate` function doesn't have explicit error handling for API failures. Consider adding try/catch and providing helpful error messages when authentication fails.
validate: async context => { const url = 'https://auth.app.wiz.io/oauth/token'; + try { const { data } = await context.httpRequest({ method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'accept': 'application/json' }, data: { grant_type: 'client_credentials', audience: 'wiz-api', client_id: context.clientId, client_secret: context.clientSecret }, url }); return { token: data.access_token, expires: data.expires_in }; + } catch (error) { + const statusCode = error.response?.status; + const errorMessage = error.response?.data?.error_description || error.message; + + if (statusCode === 401) { + throw new Error(`Authentication failed: Invalid client credentials. ${errorMessage}`); + } else if (statusCode === 403) { + throw new Error(`Authentication failed: Insufficient permissions. ${errorMessage}`); + } else { + throw new Error(`Authentication failed: ${errorMessage}`); + } + } }
49-52: ❓ Verification inconclusive
Verify token response structure.
Make sure the API response matches the expected structure with `access_token` and `expires_in` fields. Also consider adding validation for these fields before returning.
🏁 Script executed:
#!/bin/bash
# Description: Check if the Wiz API documentation confirms the expected response format
echo "Checking if Wiz API is documented online..."
curl -s "https://app.wiz.io/reference" > /dev/null
if [ $? -eq 0 ]; then
    echo "Wiz API documentation is available online. Please check the documentation at https://app.wiz.io/reference for token response structure."
else
    echo "Unable to verify Wiz API documentation online."
fi
# Check if the token and expires fields are accessed elsewhere in the codebase
echo "Checking usage of token and expires fields in the codebase:"
rg -A 3 -B 3 "token|expires" --glob "src/appmixer/wiz/**/*.js" --glob "!src/appmixer/wiz/auth.js"
Length of output: 812
Token response validation: Confirm and add error checks
Please verify that the Wiz API response always delivers the documented structure (i.e. an `access_token` and an `expires_in` field) as detailed on Wiz API documentation. Additionally, add explicit validation and error handling before returning the token response to cover potential scenarios where the API response might be missing or return unexpected values.
- File: `src/appmixer/wiz/auth.js` (Lines 49–52)
- Action Items:
  - Confirm that the API response includes both `access_token` and `expires_in`.
  - Implement checks to validate these fields before constructing the return object.
  - Review the Wiz API documentation to ensure consistency with the expected token response.
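As an added example (not code from the PR or the appmixer project), here is how the client_credentials request in auth.js could validate the `access_token`/`expires_in` response, map 401/403 failures to clearer messages and cache the token per client until shortly before `expires_in` elapses, the three points raised in the comments on lines 30-53 and 49-52 above. `context.httpRequest`, `context.clientId` and `context.clientSecret` follow the shape used in the PR; `getAccessToken`, `makeFakeContext`, the refresh margin and the scripted responses are this example's own.

```javascript
// Added example, not part of the PR: token handling for the Wiz OAuth endpoint
// with response validation, status-aware error messages and a per-client cache.
const TOKEN_URL = 'https://auth.app.wiz.io/oauth/token';
const REFRESH_MARGIN_SECONDS = 60; // refresh a little before the server-side expiry

// Reject responses that do not carry the two fields the rest of the code relies on.
function validateTokenResponse(data) {
    if (!data || typeof data !== 'object') {
        throw new Error('Authentication failed: empty token response');
    }
    if (typeof data.access_token !== 'string' || data.access_token.length === 0) {
        throw new Error('Authentication failed: token response lacks access_token');
    }
    const expires = Number(data.expires_in);
    if (!Number.isFinite(expires) || expires <= 0) {
        throw new Error('Authentication failed: token response lacks a valid expires_in');
    }
    return { token: data.access_token, expires };
}

// Turn an HTTP failure into an operator-readable message without echoing the secret.
function describeAuthError(error) {
    const status = error.response?.status;
    const detail = error.response?.data?.error_description || error.message;
    if (status === 401) return `Authentication failed: invalid client credentials. ${detail}`;
    if (status === 403) return `Authentication failed: insufficient permissions. ${detail}`;
    return `Authentication failed: ${detail}`;
}

// A cached token is usable until issuedAt + (expires_in - margin).
function isTokenFresh(entry, nowMs) {
    if (!entry) return false;
    const expiresAtMs = entry.issuedAtMs + (entry.expires - REFRESH_MARGIN_SECONDS) * 1000;
    return nowMs < expiresAtMs;
}

// Keyed by clientId so two connections in one process never share a token.
// (Constructed stand-in: a real deployment would use the platform's per-account state.)
const tokenCache = new Map();

async function getAccessToken(context, nowMs = Date.now()) {
    const cached = tokenCache.get(context.clientId);
    if (isTokenFresh(cached, nowMs)) {
        return { ...cached, fromCache: true };
    }
    let data;
    try {
        ({ data } = await context.httpRequest({
            method: 'POST',
            url: TOKEN_URL,
            headers: { 'content-type': 'application/x-www-form-urlencoded', accept: 'application/json' },
            data: {
                grant_type: 'client_credentials',
                audience: 'wiz-api',
                client_id: context.clientId,
                client_secret: context.clientSecret
            }
        }));
    } catch (error) {
        throw new Error(describeAuthError(error));
    }
    const entry = { ...validateTokenResponse(data), issuedAtMs: nowMs };
    tokenCache.set(context.clientId, entry);
    return { ...entry, fromCache: false };
}

// Constructed stand-in for the Appmixer context: records every request it receives.
function makeFakeContext(responder) {
    const calls = [];
    return {
        clientId: 'example-client-id',
        clientSecret: 'example-secret',
        calls,
        httpRequest: async (req) => { calls.push(req); return responder(req); }
    };
}

// Three calls against a constructed 3600 s token: fetch, cache hit, refresh inside the margin.
async function demo() {
    const ctx = makeFakeContext(() => ({ data: { access_token: 'tok-1', expires_in: 3600 } }));
    const first = await getAccessToken(ctx, 0);
    const second = await getAccessToken(ctx, 1000 * 1800);       // 30 min later: served from cache
    const third = await getAccessToken(ctx, 1000 * (3600 - 30)); // 30 s before expiry: refreshed
    return { first, second, third, requests: ctx.calls.length };
}
```

The in-memory Map only illustrates the cache boundary; in a shared worker process the token should live in the platform's per-account state so that it is neither leaked across accounts nor lost on restart.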
Actionable comments posted: 1
♻️ Duplicate comments (11)
src/appmixer/wiz/core/UploadSecurityScan/component.json (2)
58-58: 🛠️ Refactor suggestion
Remove deprecated "vulnerabilityFindings" property.
This property appears to be deprecated based on the implementation code, where it's commented out and marked as "Ignore vulnerabilityFindings".
"webAppVulnerabilityFindings": { "type": "object" }, - "vulnerabilityFindings": { "type": "object" }
28-30: ⚠️ Potential issue
Fix inconsistency: Remove "vulnerabilityFindings" or align implementation.
According to the past review comments, there was a decision to remove "vulnerabilityFindings", but it's still present in the component options. This conflicts with the commented-out code in the implementation file.
Either:
- Remove the option entirely if it's no longer supported, or
- Ensure the implementation properly supports it
options": [ { "label": "Runtime Events", "value": "events" }, - { "label": "DAST & ASM Vulnerability Findings", "value": "vulnerabilityFindings" } ]
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
114-123: ⚠️ Potential issue
Add defensive coding to normalizeEvents function.
The function assumes `mitreTacticIds` and `mitreTechniqueIds` are always string values that can be split, which could cause runtime errors if these properties are missing or in a different format.
const normalizeEvents = function(events) { - return events.map(event => { + const mitreTacticIds = typeof event.mitreTacticIds === 'string' ? + event.mitreTacticIds.split(',').map(item => item.trim()) : + (Array.isArray(event.mitreTacticIds) ? event.mitreTacticIds : []); + + const mitreTechniqueIds = typeof event.mitreTechniqueIds === 'string' ? + event.mitreTechniqueIds.split(',').map(item => item.trim()) : + (Array.isArray(event.mitreTechniqueIds) ? event.mitreTechniqueIds : []); + return { ...event, - mitreTacticIds: event.mitreTacticIds.split(',').map(item => item.trim()), - mitreTechniqueIds: event.mitreTechniqueIds.split(',').map(item => item.trim()) + mitreTacticIds, + mitreTechniqueIds }; }); };
176-192: ⚠️ Potential issue
Add error handling to receive method.
The `receive` method should include try/catch blocks to handle potential errors from the API calls and provide better error messages to users.
module.exports = { // docs: https://win.wiz.io/reference/pull-cloud-resources async receive(context) { - const { filename } = context.messages.in.content; if (context.properties.generateInspector) { return generateInspector(context); } + try { const { url, systemActivityId } = await requestUpload(context, { filename }); const fileContent = createDocument(context); await uploadFile(context, { url, fileContent }); const status = await getStatus(context, systemActivityId); return context.sendJson(status, 'out'); + } catch (error) { + context.log({ stage: 'ERROR', error: error.message }); + throw new context.CancelError(`Failed to upload security scan: ${error.message}`); + } } };
102-111: ⚠️ Potential issue
Add error handling to uploadFile function.
The function doesn't check the response status code or handle potential errors from the HTTP request.
const uploadFile = async function(context, { url, fileContent }) { - - const upload = await context.httpRequest({ - method: 'PUT', - url, - data: fileContent, // stream upload is not implemented on the wiz side - headers: { - 'Content-Type': 'application/json' - } - }); - await context.log({ stage: 'upload-finished', uploadData: upload.statusCode, fileContent }); + try { + const upload = await context.httpRequest({ + method: 'PUT', + url, + data: fileContent, // stream upload is not implemented on the wiz side + headers: { + 'Content-Type': 'application/json' + } + }); + + if (upload.statusCode >= 400) { + throw new Error(`Upload failed with status code: ${upload.statusCode}`); + } + + await context.log({ stage: 'upload-finished', uploadData: upload.statusCode, fileContent }); + } catch (error) { + context.log({ stage: 'upload-error', error: error.message }); + throw new context.CancelError(`Failed to upload file: ${error.message}`); + } };
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (3)
28-41: Add “Critical” severity level.
Currently, the `severity` field includes “None,” “Low,” “Medium,” and “High.” In line with industry standards (e.g., CVSS), consider introducing a “Critical” level to handle the highest-severity vulnerabilities explicitly.
172-172: ⚠️ Potential issue
Shorten or reformat this comment to comply with ESLint max-len requirements.
Similarly, line 172 exceeds the allowed length of 150 characters, causing the pipeline to fail. Please shorten or break it up into multiple lines:
- // tooltip: 'Indicates if the finding was detected during runtime (true), or if it was detected during offline or static scanning (false).'
+ // tooltip: 'Indicates if the finding was runtime-detected (true) or found during static scanning (false).'
🧰 Tools
🪛 ESLint
[error] 172-172: This line has a comment length of 155. Maximum allowed is 150.
(max-len)
140-140: ⚠️ Potential issue
Shorten the overly long comment to pass ESLint max-len checks.
The comment on this line exceeds 150 characters, causing pipeline failures. Consider breaking it into shorter sentences or removing extraneous details:
- // tooltip: 'The details of the externalDetectionSource, such as "Package," should include relevant information about the package. For instance, if ...'
+ // tooltip: 'Details of the externalDetectionSource. For example, if the source is "libncurses6," mention "libncurses6 package" here.'
🧰 Tools
🪛 ESLint
[error] 140-140: This line has a comment length of 303. Maximum allowed is 150.
(max-len)
src/appmixer/wiz/auth.js (2)
24-32: Validate `context.clientId` to avoid runtime errors.
If `context.clientId` is undefined or not a string, the `slice` operations in `accountNameFromProfileInfo` may throw an error.
34-57: Add error handling for failed authentication requests.
The `validate` function lacks explicit error handling for `httpRequest` failures. Wrap the request in a try/catch construct to provide clearer messages for common HTTP status codes.
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1)
269-271: Guard against `limit` being undefined or invalid before subtraction.
If `limit` is not supplied or is zero, `limit - totalRecordsCount` could produce unintended negative values or NaN. Provide a default or validate it.
🧹 Nitpick comments (6)
src/appmixer/wiz/quota.js (1)
1-1: Remove redundant 'use strict' directive.
JavaScript modules are automatically in strict mode, so this directive is unnecessary.
-'use strict'; module.exports = {
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/UploadSecurityScan/component.json (1)
84-85: Fix typo in tooltip text.
There's a typo in the analysis date tooltip text.
"label": "Analysis Date", - "tooltip": "The date the scan was performed. For examole 2025-01-14T00:05:11.463Z.", + "tooltip": "The date the scan was performed. For example 2025-01-14T00:05:11.463Z.",
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
1-1: Remove redundant 'use strict' directive.
JavaScript modules are automatically in strict mode, so this directive is unnecessary.
-'use strict'; const lib = require('../../lib');
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
59-67: Improve error logging in getStatus function.
When handling errors or in-progress status, the function would benefit from more detailed logging before retrying or throwing an error.
if (data.errors || data?.data?.systemActivity?.status === 'IN_PROGRESS') { attempts++; if (attempts <= 5) { + const status = data?.data?.systemActivity?.status || 'ERROR'; + const errorDetails = data.errors ? JSON.stringify(data.errors) : 'No errors, status in progress'; + context.log({ stage: 'status-retry', status, errorDetails, attempts }); await new Promise(r => setTimeout(r, 2000)); return await getStatus(context, id, attempts); } else { + context.log({ stage: 'status-max-attempts-reached', systemActivityId: id }); throw new context.CancelError(`Exceeded max attempts systemActivity: ${id}`); } }
151-158: Remove commented-out code.
This commented block about vulnerabilityFindings should be removed since it's marked as "Ignore vulnerabilityFindings" and isn't being used.
- /* - Ignore vulnerabilityFindings - if (vulnerabilityFindings && vulnerabilityFindings.AND.length) { - asset.vulnerabilityFindings = vulnerabilityFindings.AND.map(finding => { - return { ...finding }; - }); - } - */
src/appmixer/wiz/auth.js (1)
1-1: Remove the redundant 'use strict' directive.
Modern JavaScript modules run in strict mode by default, so `'use strict';` is unnecessary.
- 'use strict';
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (13)
src/appmixer/wiz/auth.js (1 hunks)
src/appmixer/wiz/bundle.json (1 hunks)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1 hunks)
src/appmixer/wiz/core/FindCloudResources/component.json (1 hunks)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1 hunks)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (1 hunks)
src/appmixer/wiz/core/UploadSecurityScan/component.json (1 hunks)
src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1 hunks)
src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js (1 hunks)
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1 hunks)
src/appmixer/wiz/lib.js (1 hunks)
src/appmixer/wiz/quota.js (1 hunks)
src/appmixer/wiz/service.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (6)
- src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js
- src/appmixer/wiz/lib.js
- src/appmixer/wiz/bundle.json
- src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js
- src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
- src/appmixer/wiz/service.json
🧰 Additional context used
🧬 Code Definitions (1)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (4)
  lib (1-1)
  lib (277-284)
  query (3-42)
  data (290-290)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
  context (8-8)
src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1)
  context (10-10)
🪛 Biome (1.9.4)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/quota.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🪛 ESLint
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js
[error] 140-140: This line has a comment length of 303. Maximum allowed is 150.
(max-len)
[error] 172-172: This line has a comment length of 155. Maximum allowed is 150.
(max-len)
🔇 Additional comments (1)
src/appmixer/wiz/core/FindCloudResources/component.json (1)
1-291: Component configuration looks good. The component configuration is well structured with comprehensive property definitions, clear labels, and helpful tooltips. The previously reported issues regarding inconsistent limit values have been addressed.
{ | ||
limit: 1000000, // application is allowed to send 1 000 000 queries per 24hrs | ||
window: 1000 * 60 * 60 * 24, // 24 hours | ||
throttling: 'window-sliding', | ||
queueing: 'fifo', | ||
resource: 'requests' | ||
}, | ||
{ | ||
limit: 2500, // the quota is 2 500 per 20 seconds | ||
window: 1000 * 20, // 20 sec | ||
throttling: 'window-sliding', | ||
queueing: 'fifo', | ||
resource: 'requests' | ||
} | ||
] |
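Review bot: the inline comments on the two `limit` entries ('1 000 000 queries per 24hrs', '2 500 per 20 seconds') give the figures without saying where they come from, and nothing else in quota.js lets a maintainer re-check them; add a reference to the Wiz quota documentation page beside each rule, and consider writing the large literal as `1_000_000` so the code matches the spacing used in its own comment.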
💡 Verification agent
🧩 Analysis chain
Verify Wiz API quota limits match documentation.
Ensure the quota rules match the current Wiz API rate limits. Consider adding a comment with a reference to the official Wiz API documentation.
rules: [
{
limit: 1000000, // application is allowed to send 1 000 000 queries per 24hrs
+ // Reference: [Wiz API documentation URL]
window: 1000 * 60 * 60 * 24, // 24 hours
throttling: 'window-sliding',
queueing: 'fifo',
resource: 'requests'
},
{
limit: 2500, // the quota is 2 500 per 20 seconds
+ // Reference: [Wiz API documentation URL]
window: 1000 * 20, // 20 sec
throttling: 'window-sliding',
queueing: 'fifo',
resource: 'requests'
}
]
Let's verify the current rate limits for the Wiz API:
🌐 Web query:
What are the current rate limits for the Wiz API?
💡 Result:
Wiz imposes specific rate limits on its API to ensure system stability and prevent abuse. Based on current documentation:
Rate Limits
- General API requests: The Wiz API allows up to 3 requests per second per user or integration. Exceeding this limit results in HTTP 429 "Too Many Requests" errors[7].
Results Limits
Some endpoints have additional constraints on returned data:
| API Endpoint | Maximum Results |
|---|---|
| Audit Logs | 10,000 per call |
| Cloud Configuration | 10,000 per call |
| Issues | No limit |
| Vulnerabilities | No limit |
Best Practices
- Implement exponential backoff for retries, with recommended initial intervals of 1 second and a backoff multiplier of 2[7].
- Monitor response headers like `X-RateLimit-Limit` and `X-RateLimit-Remaining` where available[1].
- For high-volume use cases, consider request batching or distributed processing across multiple API keys.
These limits apply to both REST and GraphQL API endpoints[8]. For enterprise needs requiring higher thresholds, Wiz recommends contacting their support team to discuss custom rate limit accommodations[7].
Citations:
- 1: https://developer.nrel.gov/docs/rate-limits/
- 2: https://docs.safe.security/docs/wizio
- 3: https://community.panopto.com/discussion/2265/current-rate-limits-for-the-rest-api
- 4: https://dev.wix.com/docs/rest/articles/getting-started/rate-limits
- 5: https://www.wiz.io/blog/automatically-discover-and-secure-your-apis-with-wiz-dynamic-scanner
- 6: https://www.logicmonitor.com/support/rest-api-developers-guide/overview/rest-api-rate-limit
- 7: https://docs.cribl.io/stream/sources-wiz/
- 8: https://docs.pro.wizconnected.com
- 9: https://www.wiz.io/academy/api-security-best-practices
- 10: https://wiz.readthedocs.io/en/latest/api_reference/index.html
Wiz API quota limits are currently misaligned with the latest documentation.
The current configuration in src/appmixer/wiz/quota.js permits 1,000,000 queries per 24 hours and 2,500 per 20 seconds. However, according to the most recent Wiz API documentation, the general rate limit is restricted to 3 requests per second. This equates to approximately 259,200 requests per day and 60 requests per 20-second window.
Please update the quota limits accordingly and add an inline comment referencing the official documentation so that future maintainers have clear guidance.
Proposed diff snippet:
rules: [
{
- limit: 1000000, // application is allowed to send 1 000 000 queries per 24hrs
+ limit: 259200, // updated: 259,200 queries per 24hrs (3 req/sec) as per Wiz API docs
+ // Reference: https://wiz.readthedocs.io/en/latest/api_reference/index.html
window: 1000 * 60 * 60 * 24, // 24 hours
throttling: 'window-sliding',
queueing: 'fifo',
resource: 'requests'
},
{
- limit: 2500, // the quota is 2 500 per 20 seconds
+ limit: 60, // updated: 60 queries per 20 seconds (3 req/sec) as per Wiz API docs
+ // Reference: https://wiz.readthedocs.io/en/latest/api_reference/index.html
window: 1000 * 20, // 20 sec
throttling: 'window-sliding',
queueing: 'fifo',
resource: 'requests'
}
]
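Review bot: the replacement values `limit: 259200` and `limit: 60` are not taken from a Wiz quota page but derived arithmetically from a "3 requests per second" figure, and the citation list that figure rests on mixes in domains that are not Wiz.io (developer.nrel.gov, dev.wix.com, docs.pro.wizconnected.com), so the number is unverified; before committing, confirm the limits against Wiz's own API documentation and put that page, not a search result, in the `// Reference:` comments.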
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
{ | |
limit: 1000000, // application is allowed to send 1 000 000 queries per 24hrs | |
window: 1000 * 60 * 60 * 24, // 24 hours | |
throttling: 'window-sliding', | |
queueing: 'fifo', | |
resource: 'requests' | |
}, | |
{ | |
limit: 2500, // the quota is 2 500 per 20 seconds | |
window: 1000 * 20, // 20 sec | |
throttling: 'window-sliding', | |
queueing: 'fifo', | |
resource: 'requests' | |
} | |
] | |
{ | |
limit: 259200, // updated: 259,200 queries per 24hrs (3 req/sec) as per Wiz API docs | |
// Reference: https://wiz.readthedocs.io/en/latest/api_reference/index.html | |
window: 1000 * 60 * 60 * 24, // 24 hours | |
throttling: 'window-sliding', | |
queueing: 'fifo', | |
resource: 'requests' | |
}, | |
{ | |
limit: 60, // updated: 60 queries per 20 seconds (3 req/sec) as per Wiz API docs | |
// Reference: https://wiz.readthedocs.io/en/latest/api_reference/index.html | |
window: 1000 * 20, // 20 sec | |
throttling: 'window-sliding', | |
queueing: 'fifo', | |
resource: 'requests' | |
} | |
] |
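The sliding-window rules from the quota.js hunk above, enforced in-process as an added example (written for this page, not code from the appmixer/wiz PR or the Appmixer quota engine): the two rule objects copy the limits and windows from quota.js, while the `QuotaGuard` class, `backoffDelayMs` and `admitBurst` are this example's own names, and the 1 s initial / ×2 back-off schedule for HTTP 429 follows the web-query result quoted in the review rather than anything in the PR.

```javascript
// Added example for this page, not code from the appmixer/wiz PR.
// Enforces the two quota rules declared in src/appmixer/wiz/quota.js in-process
// with a sliding window, and computes the exponential back-off the review
// discussion recommends for HTTP 429 replies. QuotaGuard and backoffDelayMs
// are this example's own names, not an Appmixer or Wiz API.

// Same limit/window/resource shape as quota.js; the numbers are the PR's.
const WIZ_QUOTA_RULES = [
    { limit: 1000000, window: 1000 * 60 * 60 * 24, resource: 'requests' }, // 24 hours
    { limit: 2500, window: 1000 * 20, resource: 'requests' }                // 20 seconds
];

class QuotaGuard {
    constructor(rules) {
        // One time-ordered list of accepted-request timestamps per rule.
        this.rules = rules.map(rule => ({ ...rule, stamps: [] }));
    }

    // Discard timestamps that have aged out of the rule's window.
    static prune(rule, now) {
        const cutoff = now - rule.window;
        while (rule.stamps.length > 0 && rule.stamps[0] <= cutoff) {
            rule.stamps.shift();
        }
    }

    // Records the request and returns true only if every rule still has headroom;
    // a request that would breach any single rule is not counted against the others.
    tryAcquire(now = Date.now()) {
        for (const rule of this.rules) {
            QuotaGuard.prune(rule, now);
            if (rule.stamps.length >= rule.limit) {
                return false;
            }
        }
        for (const rule of this.rules) {
            rule.stamps.push(now);
        }
        return true;
    }

    // Milliseconds until the most constrained rule frees a slot; 0 if one is free now.
    msUntilAvailable(now = Date.now()) {
        let wait = 0;
        for (const rule of this.rules) {
            QuotaGuard.prune(rule, now);
            if (rule.stamps.length >= rule.limit) {
                // The oldest timestamp leaves the window at stamps[0] + window.
                wait = Math.max(wait, rule.stamps[0] + rule.window - now);
            }
        }
        return wait;
    }
}

// Back-off for a 429: honour Retry-After (seconds) when the server sends it,
// otherwise 1 s, 2 s, 4 s, ... (attempt 1 = base) capped at maxMs.
function backoffDelayMs(attempt, retryAfterSeconds, baseMs = 1000, factor = 2, maxMs = 60000) {
    if (Number.isFinite(retryAfterSeconds) && retryAfterSeconds >= 0) {
        return retryAfterSeconds * 1000;
    }
    return Math.min(maxMs, baseMs * Math.pow(factor, attempt - 1));
}

// Drives the guard with a burst of `count` requests at the same instant and
// reports how many were admitted; shows the 20 s rule cutting a burst off at 2500.
function admitBurst(guard, count, now) {
    let admitted = 0;
    for (let i = 0; i < count; i++) {
        if (guard.tryAcquire(now)) {
            admitted++;
        }
    }
    return admitted;
}
```

`tryAcquire` checks every rule before recording the request in any of them, so a request refused by the 20 s rule does not silently consume daily quota; `msUntilAvailable` gives a caller the exact pause instead of a blind retry loop, and `backoffDelayMs` is what to fall back on once the server has already answered 429.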
Actionable comments posted: 0
♻️ Duplicate comments (3)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
112-121: 🛠️ Refactor suggestion: Add defensive coding to normalizeEvents function.
The function assumes `mitreTacticIds` and `mitreTechniqueIds` are always string values that can be split. Add checks to handle cases where these properties might be missing or in a different format.
const normalizeEvents = function(events) { - return events.map(event => { + const mitreTacticIds = typeof event.mitreTacticIds === 'string' ? + event.mitreTacticIds.split(',').map(item => item.trim()) : + (Array.isArray(event.mitreTacticIds) ? event.mitreTacticIds : []); + + const mitreTechniqueIds = typeof event.mitreTechniqueIds === 'string' ? + event.mitreTechniqueIds.split(',').map(item => item.trim()) : + (Array.isArray(event.mitreTechniqueIds) ? event.mitreTechniqueIds : []); + return { ...event, - mitreTacticIds: event.mitreTacticIds.split(',').map(item => item.trim()), - mitreTechniqueIds: event.mitreTechniqueIds.split(',').map(item => item.trim()) + mitreTacticIds, + mitreTechniqueIds }; }); };
176-189: 🛠️ Refactor suggestion: Add error handling to the receive method.
The receive method should include try/catch blocks to handle potential errors from the API calls more gracefully and provide better error messages to users.
async receive(context) { const { filename } = context.messages.in.content; if (context.properties.generateInspector) { return generateInspector(context); } + try { const { url, systemActivityId } = await requestUpload(context, { filename }); const fileContent = createDocument(context); await uploadFile(context, { url, fileContent }); const status = await getStatus(context, systemActivityId); return context.sendJson(status, 'out'); + } catch (error) { + context.log({ stage: 'ERROR', error: error.message }); + throw new context.CancelError(`Failed to upload security scan: ${error.message}`); + } }
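Review bot: in the added `catch` block `context.log({ stage: 'ERROR', error: error.message })` is called without `await`, while the rest of this component uses `await context.log(...)`; await it so the entry is flushed before the `CancelError` propagates and ends the call.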
99-110: 🛠️ Refactor suggestion: Add error handling for the upload HTTP request.
The `uploadFile` function doesn't check the response status code or handle potential HTTP errors, which could lead to silent failures.
const uploadFile = async function(context, { url, fileContent }) { - - const upload = await context.httpRequest({ - method: 'PUT', - url, - data: fileContent, // stream upload is not implemented on the wiz side - headers: { - 'Content-Type': 'application/json' - } - }); - await context.log({ stage: 'upload-finished', uploadData: upload.statusCode, fileContent }); + try { + const upload = await context.httpRequest({ + method: 'PUT', + url, + data: fileContent, // stream upload is not implemented on the wiz side + headers: { + 'Content-Type': 'application/json' + } + }); + + if (upload.statusCode >= 400) { + throw new Error(`Upload failed with status code: ${upload.statusCode}`); + } + + await context.log({ stage: 'upload-finished', uploadData: upload.statusCode, fileContent }); + } catch (error) { + context.log({ stage: 'upload-error', error: error.message }); + throw new context.CancelError(`Failed to upload file: ${error.message}`); + } };
🧹 Nitpick comments (2)
src/appmixer/wiz/lib.js (1)
18-34: Consider adding more defensive coding to handle edge cases. While the validation logic is solid, there's a potential for runtime errors when destructuring `incoming` and `handled` properties if they don't exist in the result object.
Object.keys(systemActivity.result).forEach(key => { - const { incoming, handled } = systemActivity.result[key]; - if (handled < incoming) { + const item = systemActivity.result[key] || {}; + const incoming = item.incoming || 0; + const handled = item.handled || 0; + if (incoming > 0 && handled < incoming) { throw new context.CancelError(`Invalid result. Not all findings has been handled, '${key}':.`, systemActivity); } });
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (1)
1-1: Remove redundant 'use strict' directive. The 'use strict' directive is redundant in ES modules as they are automatically in strict mode.
-'use strict';
🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
- src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (1 hunks)
- src/appmixer/wiz/lib.js (1 hunks)
- test/wiz/UploadSecurityScan.test.js (1 hunks)
🧰 Additional context used
🧬 Code Definitions (1)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
- src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (4): lib (1-1), lib (277-284), query (3-42), data (290-290)
- src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1): context (8-8)
- src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1): context (10-10)
🪛 Biome (1.9.4)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🔇 Additional comments (4)
src/appmixer/wiz/lib.js (1)
3-16: Well-structured API call utility function. The `makeApiCall` function provides a clean abstraction for making authenticated API calls to the Wiz service. It properly sets up the authorization header using the token from the context.
test/wiz/UploadSecurityScan.test.js (1)
5-82: Comprehensive test coverage for upload status validation. The test suite thoroughly covers multiple scenarios for the `validateUploadStatus` function:
- Success case with all findings properly handled
- Failure when handled < incoming counts
- Failure when status is not SUCCESS
- Failure with invalid response structure
This ensures the validation logic is robust and correctly identifies various error conditions.
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (2)
45-75: Good implementation of retry logic in getStatus function. The function properly implements a retry mechanism with appropriate timeouts and maximum attempt limits. It also correctly passes the attempt counter to recursive calls, avoiding potential issues with shared state.
77-97: Clear error handling in requestUpload function. The function correctly checks for errors in the API response and throws an appropriate error with the error details. It also logs the upload request status for debugging purposes.
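The upload-status validation the review describes for lib.js, together with the bounded polling it praises in getStatus, as an added stand-alone example (this page's own code, not the PR's): the `systemActivity` shape `{ status, result: { <findingType>: { incoming, handled } } }`, the `SUCCESS` status value and the `FAILED` terminal state are assumptions drawn from the four test cases listed above, and `validateUploadStatus`, `pollSystemActivity` and the sample responses are this example's own. Unlike the `|| {}` / `|| 0` defaulting proposed for lib.js earlier in this thread, it treats a result entry with missing counters as a failure, so the "invalid response structure" case keeps failing instead of silently passing.

```javascript
// Added example for this page, not code from the appmixer/wiz PR.
// Stand-alone version of the upload-status validation and the bounded status
// polling described in the review. The systemActivity shape, the 'SUCCESS'
// status and the 'FAILED' terminal state are assumptions, not the Wiz schema.

// Shape check first, then status, then per-type counters. Returns a reason
// string on failure and null on success so the caller decides how to fail.
function validateUploadStatus(systemActivity) {
    if (!systemActivity || typeof systemActivity !== 'object' ||
        !systemActivity.result || typeof systemActivity.result !== 'object') {
        return 'invalid response structure';
    }
    if (systemActivity.status !== 'SUCCESS') {
        return `upload status is ${String(systemActivity.status)}, expected SUCCESS`;
    }
    for (const key of Object.keys(systemActivity.result)) {
        const entry = systemActivity.result[key];
        // Missing or non-numeric counters fail validation instead of defaulting
        // to 0: a malformed result must not look like "nothing to handle".
        if (!entry || !Number.isInteger(entry.incoming) || !Number.isInteger(entry.handled)) {
            return `result entry '${key}' is missing incoming/handled counters`;
        }
        if (entry.handled < entry.incoming) {
            return `not all findings handled for '${key}': ${entry.handled}/${entry.incoming}`;
        }
    }
    return null;
}

// Assumed terminal states; anything else is treated as still running.
const TERMINAL_STATES = new Set(['SUCCESS', 'FAILED']);

// Polls fetchStatus(attempt) until the activity reaches a terminal state, giving up
// after maxAttempts. sleep is injectable so the loop can be driven without timers.
async function pollSystemActivity(fetchStatus, { maxAttempts = 10, delayMs = 1000, sleep } = {}) {
    const wait = sleep || (ms => new Promise(resolve => setTimeout(resolve, ms)));
    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
        const activity = await fetchStatus(attempt);
        if (activity && TERMINAL_STATES.has(activity.status)) {
            return { attempts: attempt, activity };
        }
        if (attempt < maxAttempts) {
            await wait(delayMs);
        }
    }
    throw new Error(`system activity still not finished after ${maxAttempts} attempts`);
}

// Constructed sample responses (not captured from Wiz), one per review test case.
const SAMPLE_OK = { status: 'SUCCESS', result: { events: { incoming: 3, handled: 3 } } };
const SAMPLE_UNHANDLED = { status: 'SUCCESS', result: { events: { incoming: 3, handled: 1 } } };
const SAMPLE_IN_PROGRESS = { status: 'IN_PROGRESS', result: {} };
const SAMPLE_MALFORMED = { status: 'SUCCESS', result: { events: {} } };
```

A caller in the component would run `pollSystemActivity`, then pass the returned `activity` through `validateUploadStatus` and throw (or `context.CancelError`) on a non-null reason; keeping the validator free of `context` is what makes it testable the way test/wiz/UploadSecurityScan.test.js exercises it.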
Actionable comments posted: 0
🧹 Nitpick comments (1)
src/appmixer/wiz/bundle.json (1)
4-20: Changelog Structure and Content Verification. The changelog is well-structured, listing all previous versions with descriptive messages. The new entry for version "1.0.9" clearly specifies that the UploadSecurityScan functionality now validates system activity by throwing an error if the number of 'handled' vulnerabilities is less than the 'incoming' ones. This aligns with the PR objectives and documented requirements.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
- src/appmixer/wiz/bundle.json (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
`**/*/bundle.json`: Every pull request should include changes to the related `bundle.json` file. This file contains version information, so all changes must also include a version update.
src/appmixer/wiz/bundle.json
🔇 Additional comments (1)
src/appmixer/wiz/bundle.json (1)
1-3: Version Field Update Confirmed. The `"version": "1.0.9"` field is correctly updated, matching the intended release version for this PR.
Actionable comments posted: 0
♻️ Duplicate comments (4)
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (4)
107-107: Correct the tooltip text to match the label and default value. The tooltip text incorrectly refers to severity instead of detection source.
- tooltip: 'The severity of the vulnerability. Default is Medium', + tooltip: 'Defines the external detection source. Default is Package',
28-41: 🛠️ Refactor suggestion: Add Critical severity level to align with industry standards.
The severity options only include None, Low, Medium, and High, but common vulnerability scanning tools and frameworks like CVSS also include a Critical level for the most severe vulnerabilities (typically CVSS scores 9.0-10.0).
options: [ { label: 'None', value: 'None' }, { label: 'Low', value: 'Low' }, { label: 'Medium', value: 'Medium' }, { label: 'High', value: 'High' } + { label: 'Critical', value: 'Critical' } ]
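Review bot: the line preceding the added entry, `{ label: 'High', value: 'High' }`, has no trailing comma, so applying `+ { label: 'Critical', value: 'Critical' }` exactly as shown leaves the array literal with a syntax error; add the comma. Before exposing the option, also confirm that the Wiz security-scan schema accepts `Critical` as a severity value, otherwise an upload that selects it could be rejected upstream.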
174-175: ⚠️ Potential issue: Fix comment length to meet ESLint requirements (if uncommented)
If this commented-out code becomes active, this tooltip text will need to be shortened to comply with the 150-character limit.
- tooltip: 'Indicates if the finding was detected during runtime (true), or if it was detected - during offline or static scanning (false).' + tooltip: 'Indicates if the finding was detected during runtime (true) or during offline/static scanning (false).'
140-143: ⚠️ Potential issue: Fix comment length to meet ESLint requirements (if uncommented)
If this commented-out code becomes active, the long tooltip text will need to be shortened to comply with the 150-character limit.
- tooltip: 'The details of the externalDetectionSource, such as "Package," should include relevant - information about the package. For instance, if the externalDetectionSource is "libncurses6," the - "Details Name" should reflect details about the package, such as "libncurses6 package.".' + tooltip: 'The details of the externalDetectionSource. For example, if source is "libncurses6," the "Details Name" should be "libncurses6 package."',
🧰 Tools
🪛 ESLint
[error] 140-140: This line has a comment length of 303. Maximum allowed is 150.
(max-len)
🧹 Nitpick comments (1)
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1)
95-100: Add Critical severity level to the commented-out code. If this commented-out code is intended for future use, consider adding the Critical severity level here as well.
options: [ { label: 'None', value: 'None' }, { label: 'Low', value: 'Low' }, { label: 'Medium', value: 'Medium' }, { label: 'High', value: 'High' } + { label: 'Critical', value: 'Critical' } ]
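Review bot: same missing comma as in the active options block: `{ label: 'High', value: 'High' }` needs a trailing comma before the added `Critical` entry, or this commented-out block will not parse if it is ever re-enabled.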
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
- src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1 hunks)
🧰 Additional context used
🪛 ESLint
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js
[error] 140-140: This line has a comment length of 303. Maximum allowed is 150.
(max-len)
[error] 172-172: This line has a comment length of 155. Maximum allowed is 150.
(max-len)
Actionable comments posted: 0
♻️ Duplicate comments (2)
src/appmixer/wiz/core/UploadSecurityScan/component.json (2)
22-32: ⚠️ Potential issue: Address 'vulnerabilityFindings' Option in Inspector Inputs
The inspector options for the "type" field include both "events" and "vulnerabilityFindings". According to the changelog (v1.0.6), the "vulnerabilityFindings" option is slated for removal. Please confirm if this option should be removed; if so, update the configuration to eliminate it to maintain consistency.
48-61: ⚠️ Potential issue: Validate Input Schema for Redundant Vulnerability Findings Fields
The input schema for the in-port includes both "webAppVulnerabilityFindings" and "vulnerabilityFindings". Given the removal guidance for "vulnerabilityFindings", please verify whether both fields are necessary or if "vulnerabilityFindings" should be removed to avoid redundancy.
🧹 Nitpick comments (3)
src/appmixer/wiz/core/UploadSecurityScan/component.json (3)
48-61: Consider Specifying Required Input Fields
The "required" array in the in-port schema is currently empty. If fields such as "filename", "integrationId", or "dataSourceId" are critical for the operation of this component, consider marking them as required to enforce proper data validation.
81-86: Correct Typographical Error in Tooltip
The tooltip for "dataSourceAnalysisDate" contains a typo ("examole" instead of "example"). Please correct this spelling error to improve clarity for users.
139-140: Evaluate Icon Embedding Strategy
The component uses an inline base64 encoded SVG icon. While this approach supports self-containment, consider externalizing the icon asset if it is reused in multiple components for easier updates and improved maintainability.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
- src/appmixer/wiz/core/UploadSecurityScan/component.json (1 hunks)
🔇 Additional comments (1)
src/appmixer/wiz/core/UploadSecurityScan/component.json (1)
1-5: Review Component Metadata and Description
The metadata is well-defined with proper versioning, author, and visibility settings. However, the description still references the "Vulnerability Findings Schema," which may conflict with the changelog indicating the removal of the "vulnerabilityFindings" option. Please verify that the description accurately reflects the current intended behavior.
Rationale
Implement "External Enrichment" flow (https://win.wiz.io/docs/third-party-security-graph-enrichment-tutorial#upload-the-file-to-the-presigned-aws-s3-bucket-url)
OAuth app admin:
Create/Edit OAuth App

https://app.wiz.io/settings/service-accounts
Base URL:
https://app.wiz.io/tenant-info/data-center-and-regions
set the app url to backoffice under the

`appmixer:wiz`
Required Scopes:
Resources
read:resources
update:resources
Security Scans
create:security_scans
System Activities
read:system_activities
Examples:
FindCloudResources - https://win.wiz.io/reference/pull-cloud-resources
UploadSecurityScan
steps:
IN_PROGESS
Summary by CodeRabbit