Tags: SocketDev/socket-cli

v1.1.133

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
feat(manifest): quieter JVM output + fail-closed manifest generation (1.1.133) (#1392)

* feat(manifest): quiet JVM build-tool output behind a spinner (1.1.133)

`socket manifest gradle|sbt|maven` (and `--auto-manifest`) streamed the build
tool's full output to the terminal. Capture it by default and show a spinner
instead, streaming live only under --verbose. On a build crash the captured
output tail is surfaced so failures stay diagnosable without a rebuild.

Also fix runNeverThrow: the registry's isSpawnError is unreliable (it never
matches), so a non-zero build exit rethrew as an opaque "command failed" instead
of returning the exit code. Duck-type the numeric exit code directly.

* refactor(manifest): match the --pom path's spawn + error handling

Align the JVM facts path with convertGradleToMaven (the `--pom` generator),
which is the direct-spawn sibling of these commands rather than the coana dlx
wrapper:

- spinner + captured output by default, stream on --verbose (unchanged intent).
- On failure use process.exitCode = 1 + logger.fail(...) + return instead of
  throwing, so the facts path behaves identically to the pom path — including
  under --auto-manifest, where both now set exit 1 and continue the sequence.
- runNeverThrow classifies a non-zero build exit by a numeric `code` (the
  utils/dlx.mts convention), not the registry's isSpawnError, which is broken
  upstream and never matches.

* docs(manifest): correct stale 'throws' in runManifestFacts comment

* feat(manifest): fail closed under --auto-manifest on a JVM build failure

Under --auto-manifest, a failed manifest generation now aborts the whole run
instead of continuing with a partial or empty SBOM (which silently under-reports
dependencies). This is enforced uniformly for every JVM path — Gradle, sbt, and
Maven, in both Socket-facts and pom mode — in generate_auto_manifest, keying off
the exit code each generator already sets. The standalone `socket manifest`
commands are unchanged (they exit non-zero, as before). Failures the user opted
to tolerate (ignoreUnresolved / --reach-continue-on-install-errors) warn without
setting an exit code, so they continue.

* fix(manifest): a crashed JVM build always fails, ignoring ignoreUnresolved

ignoreUnresolved (and --ignore-unresolved) means 'the build ran but some
dependencies could not be resolved; tolerate those'. It must not swallow the
build process itself failing (missing JDK/build tool, unparseable project, OOM,
plugin crash). Scope it to the blocking-resolution-failure branch only; a
crashed build now fails regardless.

* refactor(scan): decouple --reach-continue-on-install-errors from manifest ignoreUnresolved

--reach-continue-on-install-errors is a Coana concern (it tells Coana to keep
going past its own install errors) and is threaded to Coana in
perform-reachability-analysis. It should not also decide whether socket-cli's
manifest generation tolerates unresolved dependencies — that is a separate
concern governed by the manifest's own ignoreUnresolved (socket.json /
--ignore-unresolved). Drop the resolveIgnoreUnresolved coupling so the two are
independent; the flag still reaches Coana unchanged.

v1.1.132

fix(ci): build the Maven extension jar outside the Socket Firewall shims (#1390)

* fix(ci): build the Maven extension jar outside the Socket Firewall shims

The release build failed because `pnpm run build:maven-extension` runs the whole
build subtree (pnpm -> bash -> mvnw -> wget) under Socket Firewall, which shims
the package managers it wraps. sfw then intercepts the Maven wrapper's download
of Maven from Maven Central and fails on that non-package fetch.

Invoke build-jar.sh directly instead. bash/mvnw/wget aren't shimmed, so the
Maven download runs outside the sfw-wrapped process tree and succeeds.

* chore(ci): remove the unused maven-extension-jar workflow

The standalone PR-time jar-build workflow doesn't run behind Socket Firewall, so
it never exercised the environment the release actually uses (and gave false
confidence). The jar is built in the release workflow and the version-compat
matrix runs locally via run-compat.sh, so drop it.

* bump coana cli version

v1.1.131

upgrading coana to version 15.6.2 (#1382)

Co-authored-by: socket-security-prs[bot] <294242679+socket-security-prs[bot]@users.noreply.github.com>
Co-authored-by: Martin Torp <martin@socket.dev>

v1.1.130

fix(scan): ignore project .pnpmfile.cjs when launching tools via pnpm dlx (1.1.130) (#1383)

Reachability scans launch Coana (and cdxgen/synp) via `pnpm dlx` with the
target repo as cwd. In a pnpm workspace root, `pnpm dlx` evaluates that
repo's root `.pnpmfile.cjs`, so a broken or environment-specific hook there
(e.g. a `require()` of a file that is still an unresolved Git LFS pointer)
crashes the launcher with a bare exit code before the tool ever starts.

Set `npm_config_ignore_pnpmfile=true` on the pnpm dlx launch env so the
project's pnpm hooks never run. The dlx tool installs into an isolated
store, so those hooks are irrelevant to it. The `--ignore-pnpmfile` CLI
flag is rejected by `pnpm dlx`; only the env/config form works.

v1.1.129

upgrading coana to version 15.6.1 (#1381)

Co-authored-by: socket-release-bot[bot] <234652667+socket-release-bot[bot]@users.noreply.github.com>

v1.1.128

fix(scan): exclude Python virtual environments from manifest collection + bump Coana CLI to 15.5.10 (1.1.128) (#1379)

* fix(scan): exclude Python virtual environments from manifest collection (1.1.128)

Recursive manifest discovery for `socket scan`, reachability, and
`socket fix` walked into Python virtual environments and collected the
thousands of dependency manifests (setup.py, pyproject.toml,
requirements.txt, …) installed under their site-packages, bloating scans
with packages that are not part of the user's project.

Exclude venvs two ways:
- Add `.venv` to IGNORED_DIRS for a cheap traversal-prune of the
  conventional directory name.
- Detect arbitrarily-named venvs by their `pyvenv.cfg` marker (written at
  the environment root by stdlib `venv` per PEP 405 and by virtualenv >=
  20). Discovery is folded into the existing `.gitignore` discovery walk,
  so it adds no extra full-tree traversal; each venv root contributes a
  `<dir>/**` ignore that all downstream glob paths honor.

Bare `venv`/`env` are intentionally not name-excluded to avoid skipping a
legitimately-named non-venv directory; the pyvenv.cfg check covers them.

* chore: bump Coana CLI to 15.5.10
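The two-pronged venv exclusion described in the v1.1.128 message (a cheap `.venv` name prune plus `pyvenv.cfg` marker detection folded into a single discovery walk, each venv root contributing a `<dir>/**` ignore) as an added, runnable illustration. This is not socket-cli's own code: the function names (`discoverVenvIgnores`, `isIgnored`, `collectManifests`, `runDemo`), the contents of `IGNORED_DIRS` beyond `.venv`, the manifest name set and the temp-directory fixture are all constructed here for the example.

```typescript
// Added example: venv exclusion by IGNORED_DIRS prune + pyvenv.cfg marker detection.
// Not socket-cli's code; the names and the fixture are constructed for illustration.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// Cheap name-based prune. The commit adds '.venv'; the other entries are assumed.
const IGNORED_DIRS = new Set(['.git', 'node_modules', '.venv']);
// Marker written at a venv root by stdlib venv (PEP 405) and by virtualenv >= 20.
const VENV_MARKER = 'pyvenv.cfg';
// Assumed manifest names for the demo (the real discovery set is larger).
const MANIFEST_NAMES = new Set(['setup.py', 'pyproject.toml', 'requirements.txt']);

const toPosix = (p: string): string => p.split(path.sep).join('/');

// One walk over the tree (the pass a .gitignore discovery would already make):
// every directory carrying pyvenv.cfg yields a '<dir>/**' ignore and is pruned.
export function discoverVenvIgnores(root: string): string[] {
  const ignores: string[] = [];
  const walk = (dir: string): void => {
    let entries: fs.Dirent[] = [];
    try {
      entries = fs.readdirSync(dir, { withFileTypes: true });
    } catch {
      return; // unreadable directory: nothing to discover here
    }
    if (entries.some(e => e.isFile() && e.name === VENV_MARKER)) {
      ignores.push(path.posix.join(toPosix(path.relative(root, dir)), '**'));
      return; // a venv root: nothing beneath it belongs to the project
    }
    for (const e of entries) {
      if (e.isDirectory() && !IGNORED_DIRS.has(e.name)) walk(path.join(dir, e.name));
    }
  };
  walk(root);
  return ignores.sort();
}

// Minimal '<dir>/**' matcher: the directory itself or anything below it.
export function isIgnored(rel: string, ignores: string[]): boolean {
  return ignores.some(pattern => {
    const prefix = pattern.replace(/\/\*\*$/, '');
    return rel === prefix || rel.startsWith(prefix + '/');
  });
}

// Downstream manifest collection honoring both the name prune and the venv ignores.
export function collectManifests(root: string, ignores: string[]): string[] {
  const found: string[] = [];
  const walk = (dir: string): void => {
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
      const abs = path.join(dir, e.name);
      const rel = toPosix(path.relative(root, abs));
      if (e.isDirectory()) {
        if (!IGNORED_DIRS.has(e.name) && !isIgnored(rel, ignores)) walk(abs);
      } else if (e.isFile() && MANIFEST_NAMES.has(e.name) && !isIgnored(rel, ignores)) {
        found.push(rel);
      }
    }
  };
  walk(root);
  return found.sort();
}

// Constructed fixture: a real project, a conventional .venv, an arbitrarily named venv
// ('env', marked by pyvenv.cfg) and a legitimately named non-venv directory 'venv'.
export function runDemo(): { ignores: string[]; manifests: string[] } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'venv-demo-'));
  const files = [
    'pyproject.toml',
    'tools/requirements.txt',
    'venv/requirements.txt',
    '.venv/pyvenv.cfg',
    '.venv/lib/python3.12/site-packages/requests/setup.py',
    'env/pyvenv.cfg',
    'env/lib/python3.12/site-packages/urllib3/setup.py',
    'env/lib/python3.12/site-packages/urllib3/pyproject.toml',
  ];
  try {
    for (const f of files) {
      fs.mkdirSync(path.dirname(path.join(root, f)), { recursive: true });
      fs.writeFileSync(path.join(root, f), '');
    }
    const ignores = discoverVenvIgnores(root);
    return { ignores, manifests: collectManifests(root, ignores) };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```

`runDemo()` returns `ignores` of `['env/**']` (the `.venv` tree is never entered, so it needs no ignore) and only the three project manifests; the `venv/requirements.txt` survives precisely because bare `venv` is not name-excluded and carries no marker.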

v1.1.127

chore: bump Coana CLI to 15.5.9 (1.1.127) (#1378)

v1.1.126

refactor(reachability): use full names instead of "tier 1/2/3" + bump Coana CLI to 15.5.7 (#1376)

* refactor(reachability): use descriptive names instead of tier 1/2/3

Refer to the reachability analysis types by descriptive names in all
user-facing text (command/flag help, output, error messages, log
messages, comments, and docs):

- Full application reachability (formerly Tier 1)
- Precomputed reachability (formerly Tier 2)
- Dependency reachability (formerly Tier 3)

Backend wire contracts are unchanged: the scan_type value, the
tier1-reachability-scan/finalize endpoint, request/response field
names, and code identifiers retain their existing names. Only
human-readable text is updated.

A new Reachability analysis section in the README documents the names
and notes the previous Tier 1/2/3 naming for users migrating.

* refactor(reachability): apply descriptive names to merged changes and update tests

Rename the 'tier 1' wording introduced by the --reach-retain-facts-file
flag (merged from v1.x) to 'full application reachability', and update
the reachability test snapshots and assertions to match the descriptive
naming.

* chore(deps): bump @coana-tech/cli to 15.5.7 (1.1.126)

Pin @coana-tech/cli to the latest published 15.5.7 and bump the CLI
patch version with a matching changelog entry.

* docs: drop redundant tier-naming note from README

The 'formerly Tier 1/2/3' mapping is already inline on each reachability
type, so the trailing note is redundant.

v1.1.124

feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124) (#1372)

* feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124)

By default `socket scan create --reach` deletes the `.socket.facts.json` report from the scan directory after a successful scan. The new `--reach-retain-facts-file` flag opts out of that cleanup so the report can be inspected, with a clear warning that the file must be deleted before the next tier 1 scan: a stale facts file is picked up as a pre-generated input and would make those results unreliable.

* upgrading coana to version 15.5.4

v1.1.123

feat(scan): unit suffixes for reachability timeout/memory limits (1.1.123, Coana 15.5.0) (#1369)

* feat(scan): unit suffixes for reachability timeout/memory limits (1.1.123, Coana 15.5.0)

--reach-analysis-timeout and --reach-analysis-memory-limit now accept unit
suffixes (s/m/h for duration, MB/GB for memory, case-insensitive). Coana owns
the canonical parsing, so the CLI forwards the raw string verbatim instead of
coercing to a number. A thin local validator gives fast errors before the Coana
binary is spawned.

Empty or zero-magnitude values are omitted when forwarding so Coana applies its
own defaults, preserving the prior numeric-0 sentinel. Bare numbers keep working
but are no longer documented. Bumps the bundled Coana CLI to 15.5.0, whose parser
handles these units.

* fix(scan): treat default-equivalent reach unit values as default in --reach guard

The "reachability flags require --reach" guard compared the raw flag strings to
the default string, so unit-equivalent inputs were wrongly flagged as non-default
and rejected without --reach: 8GB / 8192MB (= the 8192MB default) and the
zero/omit timeout sentinel 0 / 0s. The latter was a regression from the
number→string change (numeric 0 used to equal the numeric default).

Compare by resolved magnitude instead: reachMemoryLimitToMb normalizes
8192/8192MB/8GB to 8192, and the timeout uses the omit sentinel so any zero
counts as default.

* refactor(scan): drop local reach unit validation, defer to Coana

Coana (@coana-tech/cli) is now the sole validator/parser of the
--reach-analysis-timeout and --reach-analysis-memory-limit values, matching the
Python CLI. Removes the local grammar mirror (isValid* regex fast-fail) that had
already drifted from Coana twice (unit case-sensitivity, and a whitespace gap
where Coana trims but the mirror did not). An invalid unit now surfaces as
Coana's error instead of a fast local one.

Kept the non-validation helpers, which Coana does not model: isOmittedReachValue
(empty/zero -> omit the flag so Coana applies its default) and reachMemoryLimitToMb
(unit-agnostic default-equivalence for the "requires --reach" guard). The raw
string is still forwarded to Coana verbatim.
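The unit handling the v1.1.123 message describes, as an added example rather than socket-cli's own code: the two helpers it names (`isOmittedReachValue`, `reachMemoryLimitToMb`) are reimplemented here from their description, the "requires --reach" guard is compared by resolved magnitude so `8GB`, `8192MB` and `8192` (or `0` and `0s`) all count as default, and the raw string is forwarded verbatim with no local grammar validation. The `ReachOptions` shape, the guard and argument-building function names, and the two Coana flag names are assumptions; the flag names in particular are placeholders, since the real ones are not on this page.

```typescript
// Added example: unit-agnostic default handling for --reach-analysis-timeout and
// --reach-analysis-memory-limit. Not socket-cli's code; helper names follow the
// commit message, everything else is an assumption for illustration.
const DEFAULT_REACH_MEMORY_MB = 8192; // the 8192MB default named in the commit
const COANA_TIMEOUT_FLAG = '--analysis-timeout';        // placeholder, not the real flag
const COANA_MEMORY_FLAG = '--analysis-memory-limit';    // placeholder, not the real flag

export interface ReachOptions {
  reach: boolean;
  timeout?: string;     // raw user string, e.g. '30m', '0s', ''
  memoryLimit?: string; // raw user string, e.g. '8GB', '8192MB', '8192'
}

// Empty or zero-magnitude (with any unit suffix) means "omit the flag so Coana
// applies its own default", which preserves the previous numeric-0 sentinel.
export function isOmittedReachValue(raw: string | undefined): boolean {
  if (raw === undefined) return true;
  const s = raw.trim();
  return s === '' || /^0+(?:\.0+)?\s*[a-z]*$/i.test(s);
}

// Normalise a memory limit to MB for default-equivalence only. Anything this
// cannot read is left for Coana to validate (undefined = "cannot compare").
export function reachMemoryLimitToMb(raw: string): number | undefined {
  const m = /^(\d+(?:\.\d+)?)\s*(mb|gb)?$/i.exec(raw.trim());
  if (!m) return undefined;
  const n = Number(m[1]);
  return (m[2] ?? 'mb').toLowerCase() === 'gb' ? n * 1024 : n;
}

// The "reachability flags require --reach" guard. Comparing raw strings would
// reject 8GB without --reach; comparing resolved magnitude does not.
export function reachGuardError(opts: ReachOptions): string | undefined {
  if (opts.reach) return undefined;
  const offenders: string[] = [];
  if (!isOmittedReachValue(opts.timeout)) offenders.push('--reach-analysis-timeout');
  if (
    opts.memoryLimit !== undefined &&
    !isOmittedReachValue(opts.memoryLimit) &&
    reachMemoryLimitToMb(opts.memoryLimit) !== DEFAULT_REACH_MEMORY_MB
  ) {
    offenders.push('--reach-analysis-memory-limit');
  }
  return offenders.length
    ? `reachability flags require --reach: ${offenders.join(', ')}`
    : undefined;
}

// Forward the raw strings verbatim (Coana owns parsing and trimming); omit the
// sentinel values so Coana applies its defaults.
export function buildCoanaReachArgs(opts: ReachOptions): string[] {
  const args: string[] = [];
  const forward = (flag: string, raw: string | undefined): void => {
    if (raw !== undefined && !isOmittedReachValue(raw)) args.push(flag, raw);
  };
  forward(COANA_TIMEOUT_FLAG, opts.timeout);
  forward(COANA_MEMORY_FLAG, opts.memoryLimit);
  return args;
}
```

With this split, `reachGuardError({ reach: false, timeout: '0s', memoryLimit: '8GB' })` passes (both values are default-equivalent), while an unreadable unit such as `8TB` is neither rejected locally nor treated as default: it is forwarded as-is and Coana reports the error.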