wiz (new) #169
wiz (new) #169
Conversation
vtalas
force-pushed
the
wiz
branch
3 times, most recently
from
a261831 to
751d164
Compare
vtalas
force-pushed
the
wiz
branch
2 times, most recently
from
45fac38 to
ed7b792
Compare
WalkthroughThis pull request introduces several new modules and configuration files in the appmixer/wiz directory. New authentication, cloud resource retrieval, and security scan upload functionalities are implemented, including endpoints for token validation, GraphQL queries for cloud resources, and a complete file upload process with retry logic. Additionally, supporting component configuration files, input schemas, API call utilities, quota rules, and service metadata have been added to support these features. Changes
Sequence Diagram(s)UploadSecurityScan FlowsequenceDiagram
participant C as Client
participant U as UploadSecurityScan.receive
participant API as SecurityScan API
participant FS as File Server
C ->> U: Send security scan upload request
U ->> API: Initiate upload (RequestSecurityScanUpload)
API -->> U: Return upload token/info
U ->> U: Create document with scan data
U ->> FS: Upload file via HTTP PUT
FS -->> U: Acknowledge file upload
loop Retry (up to 5 times)
U ->> API: Query upload status (SystemActivity)
API -->> U: Return current status
end
U -->> C: Send final upload status response
FindCloudResources FlowsequenceDiagram
participant C as Client
participant F as FindCloudResources.receive
participant R as resources.getResources
C ->> F: Send request with filter and limit
F ->> F: Parse and validate filter input
F ->> R: Request resources with provided criteria
R -->> F: Return paginated resource data
F -->> C: Respond with the array of cloud resources
Suggested reviewers
Poem
✨ Finishing Touches
🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (17)
src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1)
8-13: Consider adding error handling for invalid type values.The function correctly extracts the type from context.properties and uses it to select the appropriate inputs schema. However, there's no error handling if an invalid type is provided that doesn't exist in the inputs object.
async generateInspector(context) { const { type } = context.properties; + if (!inputs[type]) { + return context.sendJson({ error: `Invalid type: ${type}` }, 'out'); + } return context.sendJson({ inputs: inputs[type] }, 'out'); }src/appmixer/wiz/quota.js (3)
1-1: Remove redundant 'use strict' directive.The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
-'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
6-7: Update references to Salesforce in comments.The comments refer to Salesforce limits, but this appears to be for Wiz API quota management based on the PR objectives and module path.
- // According to salesforce limits are per 24-hour period - //https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm + // According to Wiz API documentation, limits are per 24-hour period + // See Wiz API documentation for more details
15-16: Update references to Salesforce in comments.Similar issue with the second rule comment.
- // According to salesforce limits are 25 requests per 20 seconds + // According to Wiz API documentation, limits are 25 requests per 20 secondssrc/appmixer/wiz/core/UploadSecurityScan/component.json (1)
84-85: Fix typo in tooltip text.There's a typo in the Analysis Date field tooltip.
- "tooltip": "The date the scan was performed. For examole 2025-01-14T00:05:11.463Z.", + "tooltip": "The date the scan was performed. For example 2025-01-14T00:05:11.463Z.",src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js (2)
15-21: Consider using a more appropriate input type for timestamps.
Currently, the timestamp field is defined as plain text, which may be prone to incorrect or inconsistent formatting. If the platform supports it, using a date or datetime field (or validating the input format) would help ensure accuracy and consistency.
35-41: Validate or constrain theexternalFindingLinkfield.
Declaring this as a simple text field may allow invalid or malformed URLs. Introducing a link validator or explicitly labeling it as a URL-type field could enhance usability and prevent errors.src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
1-1: Remove the redundant 'use strict' directive.
Modern JavaScript modules are already in strict mode, so this statement can be safely removed to comply with linting rules.- 'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
1-1: Remove the redundant 'use strict' directive.
As in the previous file, this directive is unnecessary in JavaScript modules.- 'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
110-116: Prevent potential runtime errors when splittingmitreTacticIdsormitreTechniqueIds.
If these fields are undefined,.split(',')will throw a runtime error. Consider a fallback or validation check to ensure they're valid strings.return events.map(event => { + const tacticIds = typeof event.mitreTacticIds === 'string' ? event.mitreTacticIds.split(',').map(item => item.trim()) : []; + const techniqueIds = typeof event.mitreTechniqueIds === 'string' ? event.mitreTechniqueIds.split(',').map(item => item.trim()) : []; return { ...event, - mitreTacticIds: event.mitreTacticIds.split(',').map(item => item.trim()), - mitreTechniqueIds: event.mitreTechniqueIds.split(',').map(item => item.trim()) + mitreTacticIds: tacticIds, + mitreTechniqueIds: techniqueIds }; });
139-152: Use optional chaining for safer property access.
Conditional checks likeif (events && events.AND.length)can throw an error ifANDis undefined. Optional chaining (events?.AND?.length) prevents such errors and improves readability.- if (events && events.AND.length) { + if (events?.AND?.length) { asset.events = normalizeEvents(events.AND); }🧰 Tools
🪛 Biome (1.9.4)
[error] 139-139: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 143-143: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 148-148: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (2)
7-46: Consider refining the fields in the GraphQL query.
If not all fields inCloudResourceFragmentare strictly necessary, narrowing the selection can help reduce the payload size and improve performance.
103-142: Enhance error resilience and partial handling.
Thedo { ... } while(...)loop logic is good, but we might strengthen resilience by handling unexpecteddatastructures (e.g., missingdata.data.cloudResources) gracefully. Returning partial results or a more descriptive error could improve user experience.src/appmixer/wiz/auth.js (2)
1-1: Remove the redundant 'use strict'.
Modules in modern JavaScript inherently run in strict mode, so this directive is generally unnecessary.- 'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
3-55: Ensure robust error handling in token retrieval.
If the remote call fails or returns an unexpected structure (e.g., nodata.access_token), consider throwing a descriptive error or returning a clear indication of the failure so callers can handle it gracefully.src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1)
68-176: Potential for reusing shared fields.
Many fields invulnerabilityFindingsmirror those inwebAppVulnerabilityFindings. A shared schema or helper could reduce duplication and improve maintainability.src/appmixer/wiz/lib.js (1)
35-35: Avoid using thedeleteoperator for performance reasons.
Usingdelete schema.title;can degrade performance and is flagged by the linter. Instead, consider an alternative approach that sets the property toundefinedor omits the title property when buildingoptions.Example replacement:
- delete schema.title; + schema.title = undefined;🧰 Tools
🪛 Biome (1.9.4)
[error] 35-35: Avoid the delete operator which can impact performance.
Unsafe fix: Use an undefined assignment instead.
(lint/performance/noDelete)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (15)
src/appmixer/wiz/auth.js(1 hunks)src/appmixer/wiz/bundle.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/component.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.cloud.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.exposed.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/component.json(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js(1 hunks)src/appmixer/wiz/lib.js(1 hunks)src/appmixer/wiz/quota.js(1 hunks)src/appmixer/wiz/service.json(1 hunks)
✅ Files skipped from review due to trivial changes (3)
- src/appmixer/wiz/bundle.json
- src/appmixer/wiz/core/FindCloudResources/resources.js
- src/appmixer/wiz/service.json
🧰 Additional context used
🪛 Biome (1.9.4)
src/appmixer/wiz/quota.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
[error] 139-139: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 143-143: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 148-148: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/lib.js
[error] 35-35: Avoid the delete operator which can impact performance.
Unsafe fix: Use an undefined assignment instead.
(lint/performance/noDelete)
🪛 GitHub Check: build
src/appmixer/wiz/lib.js
[failure] 80-80:
'toCsv' is assigned a value but never used
🪛 ESLint
src/appmixer/wiz/lib.js
[error] 80-80: 'toCsv' is assigned a value but never used.
(no-unused-vars)
🪛 GitHub Actions: Node.js CI
src/appmixer/wiz/lib.js
[error] 80-80: 'toCsv' is assigned a value but never used no-unused-vars
🔇 Additional comments (10)
src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1)
1-4: LGTM: Module imports look good.The imports structure is clean and uses a well-organized approach of grouping related input schemas.
src/appmixer/wiz/quota.js (1)
5-23: LGTM: Quota rules are well structured.The quota rules are well-defined with clear limits, time windows, and appropriate throttling/queueing strategies. This implementation will help ensure the application stays within API rate limits.
src/appmixer/wiz/core/FindCloudResources/component.json (1)
1-79: LGTM: Well-structured component configuration.The component configuration is comprehensive and well-organized, with clear descriptions, appropriate authentication and quota settings, and well-defined input/output ports. The UI configuration with tooltips and options enhances usability.
src/appmixer/wiz/core/UploadSecurityScan/component.json (1)
1-140: LGTM: Component configuration is well structured.The component configuration is comprehensive and well-organized with appropriate authentication, quota settings, and well-defined input/output ports. The schema validation and UI configuration with tooltips and options will provide a good user experience.
src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js (1)
58-70: Enforce the requirement for Mitre Tactic/Technique IDs.
The tooltip states at least one value must be present, but there's no apparent runtime or form-level validation to ensure this requirement is met. Implementing a validation check or defaulting to an empty array (if missing) could make the code more robust.src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (2)
1-4: Looks good!
The initial doc block provides a clear reference to the Wiz documentation.
48-101: Schema definitions appear consistent.
TheoutputSchemathoroughly covers the expected structure. No immediate concerns here.src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1)
1-67: Web App Vulnerability Fields look comprehensive.
All the fields and tooltips provide a clear guide for data input. No major issues found.src/appmixer/wiz/lib.js (2)
5-26: Consider handling the case of empty records when outputType is 'first'.
If therecordsarray is empty,records[0]will be undefined, which may lead to unexpected behavior. It might be safer to check if the array is non-empty before sending the first record.
60-73: Implementation looks solid.
The HTTP request logic is straightforward, properly sets headers, and uses the token fromcontext.auth. No immediate issues found.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (5)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (5)
261-261: Validate required parameters at function start.The
getResourcesfunction usesfilterByas a key parameter but doesn't validate if it's provided or properly formed. This could lead to GraphQL errors when the query is executed.async getResources(context, { PAGE_SIZE = 500, limit, filterBy }) { + if (!filterBy) { + throw new context.CancelError('filterBy parameter is required'); + } + + // Provide a default for limit if not specified + const recordLimit = limit || 1000; let nextPageToken = null;
286-289: Improve error handling with more specificity.The current error handling throws a generic CancelError with all GraphQL errors. Consider providing more specific error messages to help with debugging.
if (data.errors) { - throw new context.CancelError(data.errors); + const errorMessage = data.errors.map(e => e.message).join('; '); + throw new context.CancelError(`GraphQL API error: ${errorMessage}`); }
290-290: Add defensive check before destructuring API response.The code assumes
data.data.cloudResourcesexists and has the expected structure. Add a defensive check to ensure the response has the expected format before destructuring.- const { pageInfo = {}, nodes } = data.data.cloudResources; + if (!data.data || !data.data.cloudResources) { + throw new context.CancelError('Unexpected API response format'); + } + + const { pageInfo = {}, nodes = [] } = data.data.cloudResources;
292-294: Consider returning an empty array instead of 'notFound' message.When no resources are found, returning a standardized empty array might be more consistent with the function's return type (which is an array of records). This would make it easier for the caller to handle the response.
if (nodes.length === 0) { - return context.sendJson({ filterBy }, 'notFound'); + return []; }
299-299: Add a safeguard against excessive API calls.The current loop condition relies on two checks, but consider adding a maximum iteration limit as a safeguard against potential excessive API calls in case of errors or unexpected pagination behavior.
+ let iterationCount = 0; + const MAX_ITERATIONS = 100; // Adjust based on expected maximum number of pages + do { // existing code... nextPageToken = pageInfo.hasNextPage ? pageInfo.endCursor : null; + iterationCount++; - } while (nextPageToken && totalRecordsCount < limit); + } while (nextPageToken && totalRecordsCount < (limit || 1000) && iterationCount < MAX_ITERATIONS); + + if (iterationCount >= MAX_ITERATIONS) { + context.logger.warn(`Reached maximum iteration limit (${MAX_ITERATIONS}) when fetching cloud resources`); + }
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js(1 hunks)
🔇 Additional comments (1)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1)
269-271: Guard againstlimitbeing undefined or invalid.If
limitis not provided or zero, callinglimit - totalRecordsCountmay throw or produce unintended results. Consider providing a default value, or validatelimitbefore using it.const variables = { - first: Math.min(PAGE_SIZE, limit - totalRecordsCount), + first: Math.min(PAGE_SIZE, (limit || 1000) - totalRecordsCount), filterBy };
There was a problem hiding this comment.
Actionable comments posted: 4
♻️ Duplicate comments (1)
src/appmixer/wiz/lib.js (1)
80-96:⚠️ Potential issueRemove unused 'toCsv' function.
The
toCsvfunction is defined but never used, causing ESLint errors and pipeline failures. Either remove the function or use it where needed.-/** - * @param {array} array - * @returns {string} - */ -const toCsv = (array) => { - const headers = Object.keys(array[0]); - - return [ - headers.join(','), - - ...array.map(items => { - return Object.values(items).map(property => { - if (typeof property === 'object') { - return JSON.stringify(property); - } - return property; - }).join(','); - }) - - ].join('\n'); -};🧰 Tools
🪛 GitHub Check: build
[failure] 80-80:
'toCsv' is assigned a value but never used🪛 ESLint
[error] 80-80: 'toCsv' is assigned a value but never used.
(no-unused-vars)
🪛 GitHub Actions: Node.js CI
[error] 80-80: 'toCsv' is assigned a value but never used no-unused-vars
🧹 Nitpick comments (16)
src/appmixer/wiz/quota.js (2)
1-1: Remove redundant 'use strict' directive.ES modules operate in strict mode by default, making this directive unnecessary.
-'use strict'; module.exports = {🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
3-24: Consider adding error handling for quota exceeded scenarios.The quota rules define limits, but there's no visible handling for cases when the quota is exceeded. Consider adding a mechanism to gracefully handle rate limit errors, such as exponential backoff or user-friendly error messages.
Would you like me to provide an example implementation of quota exceeded error handling?
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (4)
1-1: Remove redundant 'use strict' directive.ES modules operate in strict mode by default, making this directive unnecessary.
-'use strict'; const lib = require('../../lib'); const resources = require('./resources');🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
10-10: Add validation for the limit parameter.The limit parameter is destructured with a default value, but there's no validation to ensure it's a positive number or within reasonable bounds. Consider adding validation to prevent potential issues.
const { outputType, filter, limit = 10 } = context.messages.in.content; + +if (limit <= 0 || !Number.isInteger(Number(limit))) { + throw new context.CancelError('Invalid Input: Limit must be a positive integer'); +}
16-23: Improve error handling for filter parameter.The current error handling for the filter parameter is good, but the error message could be more specific. Consider enhancing the error message to guide users on how to format the filter correctly.
let filterBy; if (filter) { try { filterBy = JSON.parse(filter); } catch (e) { - throw new context.CancelError('Invalid Input: Filter', e); + throw new context.CancelError('Invalid Input: Filter must be a valid JSON string. Example: {"field":"value"}', e); } }
25-25: Consider adding logging for resource retrieval.Adding logging before and after the resource retrieval can help with debugging and monitoring. This is particularly useful for operations that might take time or could fail.
+await context.log({ step: 'Retrieving cloud resources', filter: filterBy, limit }); const records = await resources.exposed.getResources(context, { filterBy, limit }); +await context.log({ step: 'Retrieved cloud resources', count: records.length });src/appmixer/wiz/lib.js (3)
5-26: Add error handling for empty records array.The
sendArrayOutputfunction doesn't handle the case when the records array is empty, which could lead to errors especially for the 'first' outputType. Consider adding a check to handle this case gracefully.async sendArrayOutput({ context, outputPortName = 'out', outputType = 'array', records = [] }) { + if (records.length === 0) { + await context.log({ step: 'No records to output', outputType }); + if (outputType === 'first') { + await context.sendJson({}, outputPortName); + return; + } else if (outputType === 'array') { + await context.sendJson({ result: [] }, outputPortName); + return; + } else if (outputType === 'file') { + // proceed to create empty file + } else if (outputType === 'object') { + await context.sendArray([], outputPortName); + return; + } + } + if (outputType === 'first') { // One by one. await context.sendJson(records[0], outputPortName);
35-35: Avoid using delete operator for performance reasons.Using the delete operator can impact performance as flagged by static analysis. Consider using assignment to undefined instead.
- delete schema.title; + schema.title = undefined;🧰 Tools
🪛 Biome (1.9.4)
[error] 35-35: Avoid the delete operator which can impact performance.
Unsafe fix: Use an undefined assignment instead.
(lint/performance/noDelete)
60-73: Make API endpoint URL configurable.The
makeApiCallfunction uses a hardcoded fallback URL. Consider making this more configurable or loading it from a centralized configuration.async makeApiCall({ context, method = 'GET', data }) { - const url = context.config.apiEndpointUrl || 'https://api.us18.app.wiz.io/graphql'; + const url = context.config.apiEndpointUrl || context.config.wizApiEndpoint || 'https://api.us18.app.wiz.io/graphql'; + + await context.log({ step: 'Making API call', url, method }); return context.httpRequest({src/appmixer/wiz/auth.js (3)
1-1: Remove redundant 'use strict' directive.ES modules operate in strict mode by default, making this directive unnecessary.
-'use strict'; module.exports = {🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
20-28: Improve client ID masking for better security.The current implementation masks the client ID by showing the first 3 and last 3 characters. Consider a more secure approach by showing fewer characters or using a fixed mask pattern regardless of ID length.
accountNameFromProfileInfo: context => { const name = context.clientId; - const threshold = 10; - if (name.length > threshold) { - return name.slice(0, 3) + '....' + name.slice(-3); - } - return name; + // Always mask the client ID, regardless of length + if (!name) return 'Unknown client'; + if (name.length <= 6) return '******'; + return name.slice(0, 2) + '******' + name.slice(-2); },
32-32: Make authentication URL configurable.The authentication URL is hardcoded. Consider making it configurable, especially if different environments (testing, production) might use different endpoints.
- const url = 'https://auth.app.wiz.io/oauth/token'; + const url = context.config.authEndpointUrl || 'https://auth.app.wiz.io/oauth/token';src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (4)
1-1: Remove the redundant'use strict'directive.ES modules automatically run in strict mode, so there's no need to include
'use strict'. Removing it helps streamline the code.- 'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
95-107: Consider a streaming or chunk-based upload approach for large files.The current code uploads the entire
fileContentusingapplication/json. If very large files are expected, a streaming approach or chunk-based upload might be more efficient.
105-105: Avoid logging full file content to prevent potential sensitive data leaks.Storing
fileContentin logs can lead to PII or proprietary data exposure. Consider logging only metadata (e.g., payload size) or a sanitized subset of the content:- await context.log({ stage: 'UPLOAD FINISHED', uploadData: upload.statusCode, fileContent }); + await context.log({ + stage: 'UPLOAD FINISHED', + uploadData: upload.statusCode, + fileContentSize: fileContent ? JSON.stringify(fileContent).length : 0 + });
139-139: Use optional chaining to simplify null checks.Refactor these conditions:
if (events && events.AND.length) { ... } if (vulnerabilityFindings && vulnerabilityFindings.AND.length) { ... } if (webAppVulnerabilityFindings && webAppVulnerabilityFindings.AND.length) { ... }By using optional chaining, the code becomes more concise and readable:
- if (events && events.AND.length) { + if (events?.AND?.length) { - if (vulnerabilityFindings && vulnerabilityFindings.AND.length) { + if (vulnerabilityFindings?.AND?.length) { - if (webAppVulnerabilityFindings && webAppVulnerabilityFindings.AND.length) { + if (webAppVulnerabilityFindings?.AND?.length) {Also applies to: 143-143, 148-148
🧰 Tools
🪛 Biome (1.9.4)
[error] 139-139: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (15)
src/appmixer/wiz/auth.js(1 hunks)src/appmixer/wiz/bundle.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/component.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.cloud.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.exposed.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/component.json(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js(1 hunks)src/appmixer/wiz/lib.js(1 hunks)src/appmixer/wiz/quota.js(1 hunks)src/appmixer/wiz/service.json(1 hunks)
🚧 Files skipped from review as they are similar to previous changes (8)
- src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js
- src/appmixer/wiz/bundle.json
- src/appmixer/wiz/core/UploadSecurityScan/component.json
- src/appmixer/wiz/service.json
- src/appmixer/wiz/core/FindCloudResources/resources.js
- src/appmixer/wiz/core/FindCloudResources/resources.cloud.js
- src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js
- src/appmixer/wiz/core/FindCloudResources/component.json
🧰 Additional context used
🪛 Biome (1.9.4)
src/appmixer/wiz/lib.js
[error] 35-35: Avoid the delete operator which can impact performance.
Unsafe fix: Use an undefined assignment instead.
(lint/performance/noDelete)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
[error] 139-139: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 143-143: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 148-148: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/quota.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🪛 GitHub Check: build
src/appmixer/wiz/lib.js
[failure] 80-80:
'toCsv' is assigned a value but never used
🪛 ESLint
src/appmixer/wiz/lib.js
[error] 80-80: 'toCsv' is assigned a value but never used.
(no-unused-vars)
🪛 GitHub Actions: Node.js CI
src/appmixer/wiz/lib.js
[error] 80-80: 'toCsv' is assigned a value but never used no-unused-vars
🔇 Additional comments (3)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (2)
269-271: Guard against undefined or invalidlimit.This was previously noted. If
limitis not provided or is zero,limit - totalRecordsCountmay produce unexpected results or a negative number. Consider a fallback or validation:- first: Math.min(PAGE_SIZE, limit - totalRecordsCount), + first: Math.min(PAGE_SIZE, (limit ?? 1000) - totalRecordsCount),
293-293: Fix the undeclared variable reference.This was previously noted. The variable
filterdoes not exist in this scope; usefilterByinstead to avoid aReferenceErrorat runtime.- return context.sendJson({ filter }, 'notFound'); + return context.sendJson({ filterBy }, 'notFound');src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (1)
45-45: Avoid module-level retry counter to prevent concurrency issues.This issue was previously raised and remains relevant. If this code can be triggered by parallel calls, the shared
attemptsvariable may be updated unexpectedly across different invocations. Consider tracking the retry count in a local variable or resetting after each call.
| validate: async context => { | ||
|
|
||
| const url = 'https://auth.app.wiz.io/oauth/token'; | ||
|
|
||
| const { data } = await context.httpRequest({ | ||
| method: 'POST', | ||
| headers: { | ||
| 'content-type': 'application/x-www-form-urlencoded', | ||
| 'accept': 'application/json' | ||
| }, | ||
| data: { | ||
| grant_type: 'client_credentials', | ||
| audience: 'wiz-api', | ||
| client_id: context.clientId, | ||
| client_secret: context.clientSecret | ||
| }, | ||
| url | ||
| }); | ||
|
|
||
| return { | ||
| token: data.access_token, | ||
| expires: data.expires_in | ||
| }; | ||
| } |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Add error handling for failed authentication.
The validate function doesn't have explicit error handling for API failures. Consider adding try/catch and providing helpful error messages when authentication fails.
validate: async context => {
const url = 'https://auth.app.wiz.io/oauth/token';
+ try {
const { data } = await context.httpRequest({
method: 'POST',
headers: {
'content-type': 'application/x-www-form-urlencoded',
'accept': 'application/json'
},
data: {
grant_type: 'client_credentials',
audience: 'wiz-api',
client_id: context.clientId,
client_secret: context.clientSecret
},
url
});
return {
token: data.access_token,
expires: data.expires_in
};
+ } catch (error) {
+ const statusCode = error.response?.status;
+ const errorMessage = error.response?.data?.error_description || error.message;
+
+ if (statusCode === 401) {
+ throw new Error(`Authentication failed: Invalid client credentials. ${errorMessage}`);
+ } else if (statusCode === 403) {
+ throw new Error(`Authentication failed: Insufficient permissions. ${errorMessage}`);
+ } else {
+ throw new Error(`Authentication failed: ${errorMessage}`);
+ }
+ }
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| validate: async context => { | |
| const url = 'https://auth.app.wiz.io/oauth/token'; | |
| const { data } = await context.httpRequest({ | |
| method: 'POST', | |
| headers: { | |
| 'content-type': 'application/x-www-form-urlencoded', | |
| 'accept': 'application/json' | |
| }, | |
| data: { | |
| grant_type: 'client_credentials', | |
| audience: 'wiz-api', | |
| client_id: context.clientId, | |
| client_secret: context.clientSecret | |
| }, | |
| url | |
| }); | |
| return { | |
| token: data.access_token, | |
| expires: data.expires_in | |
| }; | |
| } | |
| validate: async context => { | |
| const url = 'https://auth.app.wiz.io/oauth/token'; | |
| try { | |
| const { data } = await context.httpRequest({ | |
| method: 'POST', | |
| headers: { | |
| 'content-type': 'application/x-www-form-urlencoded', | |
| 'accept': 'application/json' | |
| }, | |
| data: { | |
| grant_type: 'client_credentials', | |
| audience: 'wiz-api', | |
| client_id: context.clientId, | |
| client_secret: context.clientSecret | |
| }, | |
| url | |
| }); | |
| return { | |
| token: data.access_token, | |
| expires: data.expires_in | |
| }; | |
| } catch (error) { | |
| const statusCode = error.response?.status; | |
| const errorMessage = error.response?.data?.error_description || error.message; | |
| if (statusCode === 401) { | |
| throw new Error(`Authentication failed: Invalid client credentials. ${errorMessage}`); | |
| } else if (statusCode === 403) { | |
| throw new Error(`Authentication failed: Insufficient permissions. ${errorMessage}`); | |
| } else { | |
| throw new Error(`Authentication failed: ${errorMessage}`); | |
| } | |
| } | |
| } |
| index: 4, | ||
| label: 'External Detection Source', | ||
| defaultValue: 'Package', | ||
| tooltip: 'The severity of the vulnerability. Default is Medium', |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Correct the tooltip text to match the label and default value.
Here, the label is "External Detection Source" with a default of "Package," but the tooltip mentions "The severity of the vulnerability. Default is Medium." This inconsistency can mislead users. Consider revising it:
- tooltip: 'The severity of the vulnerability. Default is Medium',
+ tooltip: 'Defines the external detection source. Default is Package',📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| tooltip: 'The severity of the vulnerability. Default is Medium', | |
| tooltip: 'Defines the external detection source. Default is Package', |
There was a problem hiding this comment.
Actionable comments posted: 3
♻️ Duplicate comments (1)
src/appmixer/wiz/auth.js (1)
30-53:⚠️ Potential issueAdd error handling for failed authentication.
The
validatefunction doesn't have explicit error handling for API failures. Consider adding try/catch and providing helpful error messages when authentication fails.validate: async context => { const url = 'https://auth.app.wiz.io/oauth/token'; + try { const { data } = await context.httpRequest({ method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'accept': 'application/json' }, data: { grant_type: 'client_credentials', audience: 'wiz-api', client_id: context.clientId, client_secret: context.clientSecret }, url }); return { token: data.access_token, expires: data.expires_in }; + } catch (error) { + const statusCode = error.response?.status; + const errorMessage = error.response?.data?.error_description || error.message; + + if (statusCode === 401) { + throw new Error(`Authentication failed: Invalid client credentials. ${errorMessage}`); + } else if (statusCode === 403) { + throw new Error(`Authentication failed: Insufficient permissions. ${errorMessage}`); + } else { + throw new Error(`Authentication failed: ${errorMessage}`); + } + } }
🧹 Nitpick comments (8)
src/appmixer/wiz/core/FindCloudResources/component.json (3)
18-24: Consider making filter a required field or adding validation.The schema defines both properties as optional (empty required array). Consider making filter a required field if it's necessary for the component's operation, or ensure proper validation in the implementation code.
"schema": { "type": "object", "properties": { "filter": { "type": "string" }, "limit": { "type": "number" } }, - "required": [] + "required": ["filter"] },
25-32: Consider providing example filter JSON in the tooltip.The filter field could benefit from example JSON formats to guide users on the correct structure.
"filter": { "type": "textarea", "label": "Filter", - "tooltip": "This object defines query filters to narrow down search results and return specific cloud resources.", + "tooltip": "This object defines query filters to narrow down search results and return specific cloud resources. Example: {\"type\": \"VIRTUAL_MACHINE\", \"updatedAt\": {\"gte\": \"2023-01-01\"}}", "index": 0 },
144-151: Ensure consistent formatting for property titles.Some property titles like "Cloud Provider U R L" have spaces between letters, which seems to be a formatting issue. This appears in several places in the schema and should be fixed for consistency.
"cloudProviderURL": { "type": "null", - "title": "Graph Entity.Properties.Cloud Provider U R L" + "title": "Graph Entity.Properties.Cloud Provider URL" },src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (2)
1-1: Remove redundant 'use strict' directive.The 'use strict' directive is redundant in ES modules as they are automatically in strict mode.
-'use strict'; const lib = require('../../lib'); const resources = require('./resources');🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
21-21: Add logging for debugging and monitoring.Consider adding logging statements for tracking API calls, especially for production troubleshooting.
+ context.logger.info('Fetching Wiz cloud resources with filter:', JSON.stringify(filterBy)); const records = await resources.exposed.getResources(context, { filterBy, limit }); + context.logger.info(`Retrieved ${records.length} cloud resources`);src/appmixer/wiz/auth.js (3)
1-1: Remove redundant 'use strict' directive.The 'use strict' directive is redundant in ES modules as they are automatically in strict mode.
-'use strict'; module.exports = {🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
20-28: Extract the threshold value as a constant for better maintainability.The threshold of 10 is hardcoded inside the function. Consider extracting it as a named constant at the top of the file for better maintainability.
+'use strict'; + +const CLIENT_ID_MASK_THRESHOLD = 10; module.exports = { type: 'apiKey', definition: { auth: { clientId: { type: 'text', name: 'Client ID' }, clientSecret: { type: 'text', name: 'Client Secret' } }, accountNameFromProfileInfo: context => { const name = context.clientId; - const threshold = 10; - if (name.length > threshold) { + if (name.length > CLIENT_ID_MASK_THRESHOLD) { return name.slice(0, 3) + '....' + name.slice(-3); } return name; },
49-52: Add token caching and refreshing mechanism.Currently, the authentication flow will request a new token for each operation. Consider implementing a token caching mechanism that checks token expiration and only retrieves a new token when necessary.
This would improve performance and reduce the number of authentication calls to the Wiz API. You could use the
expiresvalue to determine when to refresh the token.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
src/appmixer/wiz/auth.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/component.json(1 hunks)
🧰 Additional context used
🪛 Biome (1.9.4)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🔇 Additional comments (4)
src/appmixer/wiz/core/FindCloudResources/component.json (2)
1-4: Component definition follows best practices.The component is properly namespaced and includes clear metadata with appropriate descriptions.
83-276:❌ Incorrect review comment
Consider adding pagination support for large result sets.
The GraphEntity schema is comprehensive, but there's no indication of pagination for results. When dealing with cloud resources, the number of results can be large. Consider adding pagination support or documenting any limits on the number of results returned.
🏁 Script executed:
#!/bin/bash # Check if pagination is implemented in the resources handler cat src/appmixer/wiz/core/FindCloudResources/resources.exposed.js | grep -A 15 getResourcesLength of output: 516
Pagination is already implemented in the resource handler.
ThegetResourcesfunction found insrc/appmixer/wiz/core/FindCloudResources/resources.exposed.jsclearly implements pagination usingPAGE_SIZE,limit, andnextPageToken. There's no need to add additional pagination support in the schema, though you might consider documenting the pagination limits for clarity.Likely an incorrect or invalid review comment.
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (2)
7-8: Good use of documentation reference.Including a reference to the API documentation is helpful for maintenance and understanding.
12-19: Good error handling for filter parsing.The try-catch block appropriately handles JSON parsing errors with a clear error message.
| // docs: https://win.wiz.io/reference/pull-cloud-resources | ||
| async receive(context) { | ||
|
|
||
| const { outputType, filter, limit = 10 } = context.messages.in.content; |
There was a problem hiding this comment.
Resolve inconsistent default limit value.
The default limit is set to 10 here, but in the component definition (component.json), it's set to 100. This inconsistency should be resolved to ensure predictable behavior.
- const { outputType, filter, limit = 10 } = context.messages.in.content;
+ const { outputType, filter, limit = 100 } = context.messages.in.content;📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| const { outputType, filter, limit = 10 } = context.messages.in.content; | |
| const { outputType, filter, limit = 100 } = context.messages.in.content; |
| const records = await resources.exposed.getResources(context, { filterBy, limit }); | ||
|
|
||
| return lib.sendArrayOutput({ context, records, outputType }); |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Add error handling for resource retrieval.
The call to resources.exposed.getResources lacks error handling. Consider wrapping it in a try-catch block to provide better error messages to users.
- const records = await resources.exposed.getResources(context, { filterBy, limit });
-
- return lib.sendArrayOutput({ context, records, outputType });
+ try {
+ const records = await resources.exposed.getResources(context, { filterBy, limit });
+ return lib.sendArrayOutput({ context, records, outputType });
+ } catch (error) {
+ context.logger.error('Error retrieving cloud resources:', error);
+ throw new context.CancelError('Failed to retrieve cloud resources', error);
+ }📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| const records = await resources.exposed.getResources(context, { filterBy, limit }); | |
| return lib.sendArrayOutput({ context, records, outputType }); | |
| try { | |
| const records = await resources.exposed.getResources(context, { filterBy, limit }); | |
| return lib.sendArrayOutput({ context, records, outputType }); | |
| } catch (error) { | |
| context.logger.error('Error retrieving cloud resources:', error); | |
| throw new context.CancelError('Failed to retrieve cloud resources', error); | |
| } |
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (3)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
1-1: Remove redundant 'use strict' directive.JavaScript modules are automatically in strict mode, making this directive unnecessary.
-'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/auth.js (2)
1-1: Remove redundant 'use strict' directive.JavaScript modules are automatically in strict mode, making this directive unnecessary.
-'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
5-18: Enhance security settings for sensitive credentials.The authentication credentials are configured as simple text fields. Consider enhancing security by setting the
clientSecretfield to use a password type to mask the input.auth: { clientId: { type: 'text', name: 'Client ID' }, clientSecret: { - type: 'text', + type: 'password', name: 'Client Secret' } },
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
src/appmixer/wiz/auth.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js(1 hunks)
🧰 Additional context used
🪛 Biome (1.9.4)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🔇 Additional comments (8)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (5)
7-8: Good use of documentation reference.Including the API documentation reference is a good practice for maintainability.
10-10: Resolve inconsistent default limit value.The default limit is set to 10 here, but in the component definition (component.json), it's set to 100. This inconsistency should be resolved to ensure predictable behavior.
- const { filter, limit = 10 } = context.messages.in.content; + const { filter, limit = 100 } = context.messages.in.content;
12-19: Good filter validation handling.The code properly validates and parses the filter parameter with appropriate error handling when the JSON is invalid.
21-23: Add error handling for resource retrieval.The call to
resources.exposed.getResourceslacks error handling. Consider wrapping it in a try-catch block to provide better error messages to users.- const records = await resources.exposed.getResources(context, { filterBy, limit }); - - return lib.sendArrayOutput({ context, records, outputType: 'object' }); + try { + const records = await resources.exposed.getResources(context, { filterBy, limit }); + return lib.sendArrayOutput({ context, records, outputType: 'object' }); + } catch (error) { + context.logger.error('Error retrieving cloud resources:', error); + throw new context.CancelError('Failed to retrieve cloud resources', error); + }
23-23:❓ Verification inconclusive
Verify if outputType should be configurable.
The outputType is hardcoded to 'object', but the code suggests it should be configurable from the input message. Consider updating the code to extract outputType from the input or ensure this is the intended behavior.
🏁 Script executed:
#!/bin/bash # Description: Check if outputType is used as a configurable parameter in other places # Look for outputType references in related files echo "Checking if outputType is configurable in other files" rg -A 2 -B 2 "outputType" --glob "src/appmixer/wiz/**/*.js" --glob "!src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js" # Check component.json for this component to see if outputType is defined as an input parameter echo "Checking component.json for outputType configuration" fd -t f "component.json" --full-path --base-directory "src/appmixer/wiz/core/FindCloudResources" | xargs catLength of output: 2752
Clarify the Configurability of
outputTypein FindCloudResourcesThe
sendArrayOutputfunction in our library supports severaloutputTypeoptions (with its default set to'array'), yet the FindCloudResources component is explicitly using'object'. No configuration in a component file (like a corresponding component.json) indicates that this value should be driven from the input message. Please verify whether the hardcoded'object'value is intentional. If the output type is meant to be configurable, update the component logic to extract this parameter from the input or configuration; otherwise, add a clarifying comment to make the fixed behavior explicit.src/appmixer/wiz/auth.js (3)
20-28: Good account name masking implementation.The account name masking function properly handles different client ID lengths, providing good user experience while maintaining security by masking part of the ID.
30-53: Add error handling for failed authentication.The
validatefunction doesn't have explicit error handling for API failures. Consider adding try/catch and providing helpful error messages when authentication fails.validate: async context => { const url = 'https://auth.app.wiz.io/oauth/token'; + try { const { data } = await context.httpRequest({ method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'accept': 'application/json' }, data: { grant_type: 'client_credentials', audience: 'wiz-api', client_id: context.clientId, client_secret: context.clientSecret }, url }); return { token: data.access_token, expires: data.expires_in }; + } catch (error) { + const statusCode = error.response?.status; + const errorMessage = error.response?.data?.error_description || error.message; + + if (statusCode === 401) { + throw new Error(`Authentication failed: Invalid client credentials. ${errorMessage}`); + } else if (statusCode === 403) { + throw new Error(`Authentication failed: Insufficient permissions. ${errorMessage}`); + } else { + throw new Error(`Authentication failed: ${errorMessage}`); + } + } }
49-52:❓ Verification inconclusive
Verify token response structure.
Make sure the API response matches the expected structure with
access_tokenandexpires_infields. Also consider adding validation for these fields before returning.
🏁 Script executed:
#!/bin/bash # Description: Check if the Wiz API documentation confirms the expected response format echo "Checking if Wiz API is documented online..." curl -s "https://app.wiz.io/reference" > /dev/null if [ $? -eq 0 ]; then echo "Wiz API documentation is available online. Please check the documentation at https://app.wiz.io/reference for token response structure." else echo "Unable to verify Wiz API documentation online." fi # Check if the token and expires fields are accessed elsewhere in the codebase echo "Checking usage of token and expires fields in the codebase:" rg -A 3 -B 3 "token|expires" --glob "src/appmixer/wiz/**/*.js" --glob "!src/appmixer/wiz/auth.js"Length of output: 812
Token response validation: Confirm and add error checks
Please verify that the Wiz API response always delivers the documented structure (i.e. an
access_tokenand anexpires_infield) as detailed on Wiz API documentation. Additionally, add explicit validation and error handling before returning the token response to cover potential scenarios where the API response might be missing or return unexpected values.
- File:
src/appmixer/wiz/auth.js(Lines 49–52)- Action Items:
- Confirm that the API response includes both
access_tokenandexpires_in.- Implement checks to validate these fields before constructing the return object.
- Review the Wiz API documentation to ensure consistency with the expected token response.
There was a problem hiding this comment.
Actionable comments posted: 2
♻️ Duplicate comments (8)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (2)
10-10:⚠️ Potential issueUpdate default limit value for consistency.
The default limit is set to 10 here, but based on previous review comments, it should be 100 to match component.json.
- const { filter, limit = 10 } = context.messages.in.content; + const { filter, limit = 100 } = context.messages.in.content;
21-23: 🛠️ Refactor suggestionAdd error handling for resource retrieval and extract outputType from input.
The current implementation lacks error handling for the resource retrieval call and hardcodes the outputType instead of extracting it from the input.
- const records = await resources.exposed.getResources(context, { filterBy, limit }); - - return lib.sendArrayOutput({ context, records, outputType: 'object' }); + const { outputType = 'object' } = context.messages.in.content; + + try { + const records = await resources.exposed.getResources(context, { filterBy, limit }); + return lib.sendArrayOutput({ context, records, outputType }); + } catch (error) { + context.logger.error('Error retrieving cloud resources:', error); + throw new context.CancelError('Failed to retrieve cloud resources', error); + }src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (2)
94-105:⚠️ Potential issueAdd error handling to uploadFile function.
The
uploadFilefunction lacks error handling for HTTP request failures, which could lead to unhandled exceptions.const uploadFile = async function(context, { url, fileContent }) { - - const upload = await context.httpRequest({ - method: 'PUT', - url, - data: fileContent, // stream upload is not implemented on the wiz side - headers: { - 'Content-Type': 'application/json' - } - }); - await context.log({ stage: 'UPLOAD FINISHED', uploadData: upload.statusCode, fileContent }); + try { + const upload = await context.httpRequest({ + method: 'PUT', + url, + data: fileContent, // stream upload is not implemented on the wiz side + headers: { + 'Content-Type': 'application/json' + } + }); + + if (upload.statusCode >= 400) { + throw new Error(`Upload failed with status code: ${upload.statusCode}`); + } + + await context.log({ stage: 'UPLOAD FINISHED', uploadData: upload.statusCode, fileContent }); + } catch (error) { + context.log({ stage: 'UPLOAD ERROR', error: error.message }); + throw new context.CancelError(`Failed to upload file: ${error.message}`); + } };
163-179: 🛠️ Refactor suggestionAdd error handling to the receive method.
The receive method should handle potential errors from API calls to provide better error reporting and prevent unhandled exceptions.
module.exports = { // docs: https://win.wiz.io/reference/pull-cloud-resources async receive(context) { const { filename } = context.messages.in.content; if (context.properties.generateInspector) { return generateInspector(context); } + try { const { url, systemActivityId } = await requestUpload(context, { filename }); const fileContent = createDocument(context); await uploadFile(context, { url, fileContent }); const status = await getStatus(context, systemActivityId); return context.sendJson(status, 'out'); + } catch (error) { + context.log({ stage: 'ERROR', error: error.message }); + throw new context.CancelError(`Failed to upload security scan: ${error.message}`); + } } };src/appmixer/wiz/lib.js (1)
5-28:⚠️ Potential issueAdd validation for empty records array.
The
sendArrayOutputfunction doesn't check if the records array is empty before accessing elements, which could lead to runtime errors.async sendArrayOutput({ context, outputPortName = 'out', outputType = 'array', records = [] }) { if (outputType === 'first') { // One by one. + if (!records.length) { + throw new context.CancelError('Cannot send output: No records provided'); + } await context.sendJson(records[0], outputPortName); } else if (outputType === 'object') { // One by one. await context.sendArray(records, outputPortName); } else if (outputType === 'array') { // All at once. await context.sendJson({ result: records }, outputPortName); } else if (outputType === 'file') { // Into CSV file. + if (!records.length) { + throw new context.CancelError('Cannot create CSV file: No records provided'); + } const csvString = toCsv(records); const buffer = Buffer.from(csvString, 'utf8'); const componentName = context.flowDescriptor[context.componentId].label || context.componentId; const fileName = `${context.config.outputFilePrefix || 'wiz-objects-export'}-${componentName}.csv`; const savedFile = await context.saveFileStream(pathModule.normalize(fileName), buffer); await context.log({ step: 'File was saved', fileName, fileId: savedFile.fileId }); await context.sendJson({ fileId: savedFile.fileId }, outputPortName); } else { throw new context.CancelError('Unsupported outputType ' + outputType); } },src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (2)
139-141:⚠️ Potential issueFix comment length to comply with ESLint max-length rule.
This commented line exceeds the maximum allowed length of 150 characters (currently 303), causing pipeline failures.
- // tooltip: 'The details of the externalDetectionSource, such as "Package," should include relevant information about the package. For instance, if the externalDetectionSource is "libncurses6," the "Details Name" should reflect details about the package, such as "libncurses6 package.".' + // tooltip: 'The details of the externalDetectionSource. For example, if source is "libncurses6," the "Details Name" should be "libncurses6 package."',🧰 Tools
🪛 ESLint
[error] 140-140: This line has a comment length of 303. Maximum allowed is 150.
(max-len)
🪛 GitHub Check: build
[failure] 140-140:
This line has a comment length of 303. Maximum allowed is 150🪛 GitHub Actions: Node.js CI
[error] 140-140: ESLint: This line has a comment length of 303. Maximum allowed is 150 (max-len)
171-173:⚠️ Potential issueFix comment length to comply with ESLint max-length rule.
This commented line exceeds the maximum allowed length of 150 characters (currently 155), causing pipeline failures.
- // tooltip: 'Indicates if the finding was detected during runtime (true), or if it was detected during offline or static scanning (false).' + // tooltip: 'Indicates if the finding was detected during runtime (true) or during offline/static scanning (false).'🧰 Tools
🪛 ESLint
[error] 172-172: This line has a comment length of 155. Maximum allowed is 150.
(max-len)
🪛 GitHub Check: build
[failure] 172-172:
This line has a comment length of 155. Maximum allowed is 150src/appmixer/wiz/auth.js (1)
34-57: 🛠️ Refactor suggestionAdd error handling for failed authentication.
The
validatefunction doesn't have explicit error handling for API failures, which could lead to unhelpful error messages when authentication fails.validate: async context => { const url = 'https://auth.app.wiz.io/oauth/token'; + try { const { data } = await context.httpRequest({ method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'accept': 'application/json' }, data: { grant_type: 'client_credentials', audience: 'wiz-api', client_id: context.clientId, client_secret: context.clientSecret }, url }); return { token: data.access_token, expires: data.expires_in }; + } catch (error) { + const statusCode = error.response?.status; + const errorMessage = error.response?.data?.error_description || error.message; + + if (statusCode === 401) { + throw new Error(`Authentication failed: Invalid client credentials. ${errorMessage}`); + } else if (statusCode === 403) { + throw new Error(`Authentication failed: Insufficient permissions. ${errorMessage}`); + } else { + throw new Error(`Authentication failed: ${errorMessage}`); + } + } }
🧹 Nitpick comments (11)
src/appmixer/wiz/quota.js (1)
1-1: Remove redundant 'use strict' directive.JavaScript modules are automatically in strict mode, making this directive unnecessary.
-'use strict'; module.exports = {🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
1-1: Remove redundant 'use strict' directive.JavaScript modules are automatically in strict mode, making this directive unnecessary.
-'use strict'; const lib = require('../../lib'); const resources = require('./resources');🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/UploadSecurityScan/component.json (1)
84-84: Fix typo in Analysis Date tooltip.There's a typo in the dataSourceAnalysisDate field tooltip.
- "tooltip": "The date the scan was performed. For examole 2025-01-14T00:05:11.463Z.", + "tooltip": "The date the scan was performed. For example 2025-01-14T00:05:11.463Z.",src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (4)
1-1: Remove redundant 'use strict' directive.JavaScript modules operate in strict mode by default, making this directive unnecessary.
-'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
138-140: Use optional chaining to prevent potential null reference errors.When checking if events exist and have items, use optional chaining to prevent errors when accessing properties of undefined objects.
- if (events && events.AND.length) { + if (events?.AND?.length) { asset.events = normalizeEvents(events.AND); }🧰 Tools
🪛 Biome (1.9.4)
[error] 138-138: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
142-146: Use optional chaining for safer property access.Similar to the events check, use optional chaining when accessing vulnerabilityFindings properties.
- if (vulnerabilityFindings && vulnerabilityFindings.AND.length) { + if (vulnerabilityFindings?.AND?.length) { asset.vulnerabilityFindings = vulnerabilityFindings.AND.map(finding => { return { ...finding }; }); }🧰 Tools
🪛 Biome (1.9.4)
[error] 142-142: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
147-151: Use optional chaining for webAppVulnerabilityFindings.Follow the same pattern of using optional chaining for consistent and safer property access.
- if (webAppVulnerabilityFindings && webAppVulnerabilityFindings.AND.length) { + if (webAppVulnerabilityFindings?.AND?.length) { asset.webAppVulnerabilityFindings = webAppVulnerabilityFindings.AND.map(finding => { return { ...finding }; }); }🧰 Tools
🪛 Biome (1.9.4)
[error] 147-147: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
src/appmixer/wiz/lib.js (1)
37-37: Avoid using the delete operator for performance reasons.Using the delete operator can impact performance. Consider setting the property to undefined instead.
- delete schema.title; + schema.title = undefined;🧰 Tools
🪛 Biome (1.9.4)
[error] 37-37: Avoid the delete operator which can impact performance.
Unsafe fix: Use an undefined assignment instead.
(lint/performance/noDelete)
src/appmixer/wiz/auth.js (1)
1-1: Remove redundant 'use strict' directive.JavaScript modules operate in strict mode by default, making this directive unnecessary.
-'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (2)
3-42: Consider extracting the GraphQL query into a separate file or module.
It may improve readability and maintainability, particularly if the query evolves over time or is reused elsewhere.
105-107: Fix spacing typo in the “Product I Ds” title.
The extra space between “I” and “Ds” is likely unintentional.Apply this diff to correct the title:
- title: 'Graph Entity.Properties.Product I Ds' + title: 'Graph Entity.Properties.Product IDs'
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (15)
src/appmixer/wiz/auth.js(1 hunks)src/appmixer/wiz/bundle.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/component.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.cloud.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.exposed.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/component.json(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js(1 hunks)src/appmixer/wiz/lib.js(1 hunks)src/appmixer/wiz/quota.js(1 hunks)src/appmixer/wiz/service.json(1 hunks)
🚧 Files skipped from review as they are similar to previous changes (6)
- src/appmixer/wiz/core/FindCloudResources/resources.js
- src/appmixer/wiz/core/FindCloudResources/component.json
- src/appmixer/wiz/core/UploadSecurityScan/inputs.events.js
- src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js
- src/appmixer/wiz/core/FindCloudResources/resources.cloud.js
- src/appmixer/wiz/service.json
🧰 Additional context used
🧬 Code Definitions (3)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (4)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (2)
lib(2-2)context(10-10)src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (4)
lib(1-1)lib(277-284)query(3-42)data(290-290)src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (4)
lib(5-5)lib(112-123)query(7-46)data(129-129)src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1)
context(10-10)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (2)
src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (8)
lib(5-5)lib(112-123)query(7-46)outputSchema(48-101)nextPageToken(107-107)totalRecordsCount(108-108)records(109-109)data(129-129)src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (4)
lib(2-2)context(10-10)records(21-21)filterBy(12-12)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (3)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (2)
lib(1-1)lib(277-284)src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (5)
lib(2-2)lib(48-57)lib(74-83)require(3-3)context(167-167)src/appmixer/wiz/core/FindCloudResources/resources.cloud.js (2)
lib(5-5)lib(112-123)
🪛 Biome (1.9.4)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
[error] 138-138: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 142-142: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 147-147: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
src/appmixer/wiz/lib.js
[error] 37-37: Avoid the delete operator which can impact performance.
Unsafe fix: Use an undefined assignment instead.
(lint/performance/noDelete)
src/appmixer/wiz/auth.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
src/appmixer/wiz/quota.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
🪛 ESLint
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js
[error] 140-140: This line has a comment length of 303. Maximum allowed is 150.
(max-len)
[error] 172-172: This line has a comment length of 155. Maximum allowed is 150.
(max-len)
🪛 GitHub Check: build
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js
[failure] 140-140:
This line has a comment length of 303. Maximum allowed is 150
[failure] 172-172:
This line has a comment length of 155. Maximum allowed is 150
🪛 GitHub Actions: Node.js CI
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js
[error] 140-140: ESLint: This line has a comment length of 303. Maximum allowed is 150 (max-len)
🔇 Additional comments (9)
src/appmixer/wiz/bundle.json (1)
1-12: LGTM: Bundle version and changelog properly set up.The bundle file correctly establishes the version and changelog history for the Wiz connector. The version increment to 1.0.6 with a specific changelog entry about removing the vulnerabilityFindings part from UploadSecurityScan aligns with the PR objective of implementing External Enrichment flow.
src/appmixer/wiz/quota.js (1)
3-21: LGTM: Quota rules properly defined for the Wiz API.The quota rules are well structured with appropriate limits based on Wiz API constraints:
- 1,000,000 queries per 24 hours (daily limit)
- 2,500 requests per 20 seconds (short-term rate limit)
Both rules use appropriate throttling and queueing strategies.
src/appmixer/wiz/core/UploadSecurityScan/component.json (2)
56-58: Clarify schema requirements for vulnerabilityFindings property.Line 58 includes "vulnerabilityFindings" in the schema properties, but according to the bundle.json changelog, this part was removed in version 1.0.6. Additionally, lines 56-57 include "events" and "webAppVulnerabilityFindings" properties.
If "vulnerabilityFindings" is being removed, consider:
- Removing it from the schema properties
- Clarifying the relationship between these three properties
- Updating required fields if necessary
35-138: LGTM: Component configuration is well-structured.The component configuration is comprehensive and well-organized:
- Clear input/output ports definition
- Detailed property schema with appropriate UI elements
- Comprehensive cloud platform options
- Helpful tooltips for complex fields
- Proper authentication and quota management
This provides a solid foundation for the External Enrichment flow implementation.
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js (1)
35-40:✅ Verification successful
Add 'Critical' severity level for better alignment with industry standards.
The severity options should include "Critical" as it's a standard level in the Common Vulnerability Scoring System (CVSS) and many security scanners.
options: [ { label: 'None', value: 'None' }, { label: 'Low', value: 'Low' }, { label: 'Medium', value: 'Medium' }, - { label: 'High', value: 'High' } + { label: 'High', value: 'High' }, + { label: 'Critical', value: 'Critical' } ]
🌐 Web query:
Do common vulnerability scanners include Critical as a severity level?💡 Result:
Common vulnerability scanners typically include Critical as a severity level, aligning with industry-standard frameworks like the Common Vulnerability Scoring System (CVSS). Here's a breakdown of how prominent tools and standards incorporate this classification:
CVSS-Based Severity Levels
Most scanners use CVSS scores (0–10 scale) to categorize vulnerabilities, with Critical defined as 9.0–10.0. Examples include:
- Atlassian[2], GitLab[9], and NIST NVD[11], which categorize Critical as the highest severity for flaws like remote code execution or catastrophic data breaches.
- Tenable[6][12] and Code Insight[3], which map CVSS scores directly to severity tiers (Critical, High, Medium, Low).
Scanner-Specific Implementations
- Ivanti Neurons: Uses Vulnerability Risk Rating (VRR), which mirrors CVSS scoring and includes Critical[1].
- Tenable: Combines CVSS with Vulnerability Priority Rating (VPR), where Critical corresponds to 9.0–10.0 in both systems[6][12].
- Invicti: Directly labels vulnerabilities like SQL injection or remote code execution as Critical[13].
- GitLab: Flags Critical-severity vulnerabilities (e.g., command injection) with CVSS 9.0–10.0[9].
Exceptions and Variations
- CVSS v2.0 (older versions) labeled 7.0–10.0 as "High," but modern implementations (CVSS v3.x/v4.0) explicitly define 9.0–10.0 as Critical[11].
- Some tools, like Burp Suite or Nessus, may use proprietary metrics but still align with CVSS severity ranges for consistency[4][12].
In summary, Critical is a widely adopted severity level in vulnerability scanning tools, reflecting the highest risk tier for exploitable flaws with catastrophic impact.
Citations:
- 1: https://help.ivanti.com/iv/help/en_US/RS/vNow/Vulnerability-Risk-Rating-VRR-Severity-CVSS-and-Scanner-Severity.htm
- 2: https://www.atlassian.com/trust/security/security-severity-levels
- 3: https://docs.revenera.com/fnci2021r3/Content/helplibrary/Understanding_Severity_Levels_for_Security_Vulnerabilities.htm
- 4: https://www.bitlyft.com/resources/vulnerability-scanning
- 5: https://www.threatngsecurity.com/glossary/vulnerability-severity
- 6: https://docs.tenable.com/vulnerability-management/Content/Explore/Findings/RiskMetrics.htm
- 7: https://it.wvu.edu/policies-and-procedures/security/vulnerability-management-standard
- 8: https://www.balbix.com/insights/understanding-cvss-scores/
- 9: https://docs.gitlab.com/user/application_security/vulnerabilities/severities/
- 10: https://openclarity.io/docs/concepts/vulnerability-scanning/
- 11: https://nvd.nist.gov/vuln-metrics/cvss
- 12: https://docs.tenable.com/nessus/Content/RiskMetrics.htm
- 13: https://www.invicti.com/support/vulnerability-severity-levels-invicti/
- 14: https://www.redlegg.com/blog/vulnerability-categories-severity-levels
Action: Add 'Critical' Severity Level to Vulnerability Scanner Inputs
The web query confirms that most common vulnerability scanners incorporate a "Critical" severity level (aligned with CVSS 9.0–10.0), so including it will better meet industry standards.
- File:
src/appmixer/wiz/core/UploadSecurityScan/inputs.vulnerabilityFindings.js- Lines: 35–40
options: [ { label: 'None', value: 'None' }, { label: 'Low', value: 'Low' }, { label: 'Medium', value: 'Medium' }, - { label: 'High', value: 'High' } + { label: 'High', value: 'High' }, + { label: 'Critical', value: 'Critical' } ]src/appmixer/wiz/auth.js (1)
24-32: Add validation for clientId before usage.The
accountNameFromProfileInfofunction assumescontext.clientIdis always a string. Add validation to handle cases where it might be undefined or not a string.accountNameFromProfileInfo: context => { - const name = context.clientId; + const name = context.clientId || ''; const threshold = 10; if (name.length > threshold) { return name.slice(0, 3) + '....' + name.slice(-3); } return name; },src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (3)
72-75: Verify JSON schema usage oftype: 'null'.
In many JSON schema validators, specifying"type": "null"alone may not allow actual null values unless combined with other types (e.g.,["null", "string"]). Confirm that this accurately reflects the desired constraints.
261-261: Guard againstlimitbeing undefined or invalid.
Iflimitisn’t provided or is zero, the expressionlimit - totalRecordsCountcan become negative or NaN, leading to inconsistent behavior. Consider providing a default value or validatinglimitprior to use.Here’s a sample fix:
async getResources(context, { PAGE_SIZE = 500, limit, filterBy }) { + // Provide a fallback if limit is falsy + if (!limit || limit < 0) { + limit = 1000; + } let nextPageToken = null; let totalRecordsCount = 0; ... const variables = { - first: Math.min(PAGE_SIZE, limit - totalRecordsCount), + first: Math.min(PAGE_SIZE, Math.max(0, limit - totalRecordsCount)), filterBy }; ...Also applies to: 269-271
292-293: Usage of the correct variable name looks good.
You have successfully replaced the undefinedfilterreference withfilter: filterBy, preventing a potential runtime error.
| { "label": "Runtime Events", "value": "events" }, | ||
| { "label": "DAST & ASM Vulnerability Findings", "value": "vulnerabilityFindings" } | ||
| ] |
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
Verify component type options against bundle.json changelog.
The component.json still includes "vulnerabilityFindings" as an option in the type selection, but the bundle.json changelog (v1.0.6) mentions removing "vulnerabilityFindings part" from UploadSecurityScan.
🏁 Script executed:
#!/bin/bash
# Check if vulnerabilityFindings is actually being removed from other files
grep -r "vulnerabilityFindings" src/appmixer/wiz/core/UploadSecurityScan/ --include="*.js"
# Check the UploadSecurityScan.js file to understand its implementation
cat src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.jsLength of output: 5803
Fix Required: Align the removal of "vulnerabilityFindings" across the component
It appears that while the bundle.json changelog (v1.0.6) indicates that the "vulnerabilityFindings" option should be removed from UploadSecurityScan, the codebase still contains several references:
- Component Options: In
src/appmixer/wiz/core/UploadSecurityScan/component.json, the option"vulnerabilityFindings"remains listed. - Implementation References: In
UploadSecurityScan.js(as well as ingenerateInspector.jsandinputs.vulnerabilityFindings.js), the property is still being accessed and processed.
Please verify whether the intended change was to completely drop "vulnerabilityFindings" from UploadSecurityScan. If so, update all related files by removing both the component option and any corresponding internal usage. Otherwise, update the changelog to reflect the current implementation.
There was a problem hiding this comment.
Actionable comments posted: 0
♻️ Duplicate comments (2)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
8-8: 🛠️ Refactor suggestionSet default limit value to match component definition.
The default limit is set to 100 in the component definition (component.json), but no default value is provided here. This inconsistency could lead to unpredictable behavior.
- const { filter, limit } = context.messages.in.content; + const { filter, limit = 100 } = context.messages.in.content;src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1)
268-271: 🛠️ Refactor suggestionGuard against
limitbeing undefined or invalid.If
limitis not provided or is zero, the calculationlimit - totalRecordsCountcould result in NaN or a negative number, leading to unexpected behavior in the GraphQL query.const variables = { - first: Math.min(PAGE_SIZE, limit - totalRecordsCount), + first: Math.min(PAGE_SIZE, (limit || Infinity) - totalRecordsCount), filterBy };
🧹 Nitpick comments (1)
src/appmixer/wiz/core/FindCloudResources/component.json (1)
23-23: Consider making parameters required in schema.Neither
filternorlimitare marked as required in the schema, despite being essential parameters for the component to function properly. If either parameter is missing, it might lead to unexpected behavior.- "required": [] + "required": ["limit"]
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js(1 hunks)src/appmixer/wiz/core/FindCloudResources/component.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/resources.exposed.js(1 hunks)src/appmixer/wiz/lib.js(1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- src/appmixer/wiz/lib.js
🔇 Additional comments (2)
src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
19-20: Add error handling for resource retrieval.The call to
resources.getResourceslacks error handling. If the API request fails, the error will propagate without providing a meaningful message to users.- const records = await resources.getResources(context, { filterBy, limit }); - return context.sendArray(records, 'out'); + try { + const records = await resources.getResources(context, { filterBy, limit }); + return context.sendArray(records, 'out'); + } catch (error) { + context.logger.error('Error retrieving cloud resources:', error); + throw new context.CancelError('Failed to retrieve cloud resources', error); + }src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (1)
293-293: Use consistent variable naming in notFound response.The key in the JSON response is
filterbut the value isfilterBy. For consistency and clarity, use the same name for both or include both the original filter string and the parsed object.- return context.sendJson({ filter: filterBy }, 'notFound'); + return context.sendJson({ filterBy }, 'notFound');
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (4)
src/appmixer/wiz/core/FindCloudResources/component.json (1)
43-289: Thorough Review of OutPorts Definition
The"outPorts"section is comprehensive, particularly the"out"port and its detailed"Graph Entity"schema. A couple of points to verify:
- Duplicate
providerUniqueIdProperty: The property"providerUniqueId"is defined at the top level of the"Graph Entity"schema (lines 88–95) and again within its nested"properties"(lines 236–239). If both are required to capture different aspects, consider renaming one to avoid confusion.- **Usage of
"type": "null":** Several fields are declared with"type": "null". Ensure that this meets the intended data model expectations. In cases where a value might either be a specific type ornull, using a union type (e.g.,["string", "null"]`) could provide more clarity.
Overall, the output schema is detailed and appears to cover all necessary information, but aligning these aspects with backend expectations is essential.src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
1-1: Remove redundant'use strict'directive.
Since this file is an ES module,'use strict'is enabled by default and can be safely removed.- 'use strict';🧰 Tools
🪛 Biome (1.9.4)
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.(lint/suspicious/noRedundantUseStrict)
59-67: Consider separate handling fordata.errors.
Currently, the retry logic for both'IN_PROGRESS'statuses and request errors is combined, which may obscure permanent vs. transient failures. A more explicit conditional path fordata.errorsmight improve debuggability and reduce unnecessary retry attempts for non-recoverable errors.
145-158: Use optional chaining for safer property access.
Replacingif (events && events.AND.length)withif (events?.AND?.length)simplifies checks and prevents runtime errors wheneventsorevents.ANDare undefined. Similar patterns can be applied forvulnerabilityFindingsandwebAppVulnerabilityFindings.- if (events && events.AND.length) { + if (events?.AND?.length) { asset.events = normalizeEvents(events.AND); }🧰 Tools
🪛 Biome (1.9.4)
[error] 145-145: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 149-149: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 154-154: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
src/appmixer/wiz/bundle.json(1 hunks)src/appmixer/wiz/core/FindCloudResources/component.json(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js(1 hunks)src/appmixer/wiz/core/UploadSecurityScan/component.json(1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
- src/appmixer/wiz/bundle.json
- src/appmixer/wiz/core/UploadSecurityScan/component.json
🧰 Additional context used
🧬 Code Definitions (1)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (4)
src/appmixer/wiz/core/FindCloudResources/resources.exposed.js (4)
lib(1-1)lib(277-284)query(3-42)data(290-290)src/appmixer/wiz/auth.js (1)
context(38-51)src/appmixer/wiz/core/FindCloudResources/FindCloudResources.js (1)
context(8-8)src/appmixer/wiz/core/UploadSecurityScan/generateInspector.js (1)
context(10-10)
🪛 Biome (1.9.4)
src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js
[error] 1-1: Redundant use strict directive.
The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.
(lint/suspicious/noRedundantUseStrict)
[error] 145-145: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 149-149: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
[error] 154-154: Change to an optional chain.
Unsafe fix: Change to an optional chain.
(lint/complexity/useOptionalChain)
🔇 Additional comments (7)
src/appmixer/wiz/core/FindCloudResources/component.json (4)
1-13: Component Metadata is Well Defined
The metadata section (lines 1-13) includes essential fields such as"name","author","description", and"version". The values appear consistent with the component's role, and version"1.0.7"is appropriately specified.
14-42: Review of Input Ports Configuration
The"inPorts"section defines the input schema correctly by specifying the types forfilterandlimit. However, notice that in the inspector (lines 25–40) thelimithas a default value of 100. Given that downstream documentation and the implementation inFindCloudResources.jsdefault the limit to 10, please verify that this discrepancy is intentional and aligns with your business logic.
280-288: NotFound OutPort Configuration Looks Good
The"notFound"port (lines 280-288) is succinctly configured with a single option for"Filter". This simple configuration is clear and appropriately defined.
290-292: Icon Declaration is Correct
The base64-encoded SVG icon provided (lines 290-292) is correctly set up. Just ensure that the icon’s size and design meet the display requirements of your application.src/appmixer/wiz/core/UploadSecurityScan/UploadSecurityScan.js (3)
101-112: Add error handling to theuploadFilefunction (repeated concern).
This code lacks error checking for potential network or server issues. Enclosing the request in atry/catchblock and verifyingupload.statusCodeensures that failures are surfaced more gracefully.const uploadFile = async function(context, { url, fileContent }) { + try { const upload = await context.httpRequest({ method: 'PUT', url, data: fileContent, // stream upload is not implemented on the wiz side headers: { 'Content-Type': 'application/json' } }); - await context.log({ stage: 'upload-finished', uploadData: upload.statusCode, fileContent }); + if (upload.statusCode >= 400) { + throw new Error(`Upload failed with status code: ${upload.statusCode}`); + } + + context.log({ stage: 'upload-finished', uploadData: upload.statusCode, fileContent }); + } catch (error) { + context.log({ stage: 'upload-error', error: error.message }); + throw new context.CancelError(`Failed to upload file: ${error.message}`); + } };
119-120: Verify thatmitreTacticIdsandmitreTechniqueIdsare always defined.
Calling.split(',')on potentially undefined fields can lead to runtime errors. If these fields might be missing, consider optional chaining or default strings.- mitreTacticIds: event.mitreTacticIds.split(',').map(item => item.trim()), + mitreTacticIds: event.mitreTacticIds + ? event.mitreTacticIds.split(',').map(item => item.trim()) + : [],
170-187: Overall flow looks good!
Thereceivemethod cleanly orchestrates therequestUpload,createDocument,uploadFile, andgetStatussteps, returning final status to the output port.
Rationale
Implement "External Enrichment" flow (https://win.wiz.io/docs/third-party-security-graph-enrichment-tutorial#upload-the-file-to-the-presigned-aws-s3-bucket-url)
OAuth app admin:
Create/Edit OAuth App
https://app.wiz.io/settings/service-accounts
Base URL:
https://app.wiz.io/tenant-info/data-center-and-regions
set the app url to backoffice under the
appmixer:wiz:Required Scopes:
Resources
read:resourcesupdate:resourcesSecurity Scans
create:security_scansSystem Activities
read:system_activitiesExamples:
FindCloudResources - https://win.wiz.io/reference/pull-cloud-resources
UploadSecurityScan
steps:
IN_PROGESSSummary by CodeRabbit