Tags: SocketDev/socket-cli
Tags
feat(manifest): quieter JVM output + fail-closed manifest generation … …(1.1.133) (#1392) * feat(manifest): quiet JVM build-tool output behind a spinner (1.1.133) `socket manifest gradle|sbt|maven` (and `--auto-manifest`) streamed the build tool's full output to the terminal. Capture it by default and show a spinner instead, streaming live only under --verbose. On a build crash the captured output tail is surfaced so failures stay diagnosable without a rebuild. Also fix runNeverThrow: the registry's isSpawnError is unreliable (it never matches), so a non-zero build exit rethrew as an opaque "command failed" instead of returning the exit code. Duck-type the numeric exit code directly. * refactor(manifest): match the --pom path's spawn + error handling Align the JVM facts path with convertGradleToMaven (the `--pom` generator), which is the direct-spawn sibling of these commands rather than the coana dlx wrapper: - spinner + captured output by default, stream on --verbose (unchanged intent). - On failure use process.exitCode = 1 + logger.fail(...) + return instead of throwing, so the facts path behaves identically to the pom path — including under --auto-manifest, where both now set exit 1 and continue the sequence. - runNeverThrow classifies a non-zero build exit by a numeric `code` (the utils/dlx.mts convention), not the registry's isSpawnError, which is broken upstream and never matches. * docs(manifest): correct stale 'throws' in runManifestFacts comment * feat(manifest): fail closed under --auto-manifest on a JVM build failure Under --auto-manifest, a failed manifest generation now aborts the whole run instead of continuing with a partial or empty SBOM (which silently under-reports dependencies). This is enforced uniformly for every JVM path — Gradle, sbt, and Maven, in both Socket-facts and pom mode — in generate_auto_manifest, keying off the exit code each generator already sets. The standalone `socket manifest` commands are unchanged (they exit non-zero, as before). Failures the user opted to tolerate (ignoreUnresolved / --reach-continue-on-install-errors) warn without setting an exit code, so they continue. * fix(manifest): a crashed JVM build always fails, ignoring ignoreUnresolved ignoreUnresolved (and --ignore-unresolved) means 'the build ran but some dependencies could not be resolved; tolerate those'. It must not swallow the build process itself failing (missing JDK/build tool, unparseable project, OOM, plugin crash). Scope it to the blocking-resolution-failure branch only; a crashed build now fails regardless. * refactor(scan): decouple --reach-continue-on-install-errors from manifest ignoreUnresolved --reach-continue-on-install-errors is a Coana concern (it tells Coana to keep going past its own install errors) and is threaded to Coana in perform-reachability-analysis. It should not also decide whether socket-cli's manifest generation tolerates unresolved dependencies — that is a separate concern governed by the manifest's own ignoreUnresolved (socket.json / --ignore-unresolved). Drop the resolveIgnoreUnresolved coupling so the two are independent; the flag still reaches Coana unchanged.
fix(ci): build the Maven extension jar outside the Socket Firewall sh… …ims (#1390) * fix(ci): build the Maven extension jar outside the Socket Firewall shims The release build failed because `pnpm run build:maven-extension` runs the whole build subtree (pnpm -> bash -> mvnw -> wget) under Socket Firewall, which shims the package managers it wraps. sfw then intercepts the Maven wrapper's download of Maven from Maven Central and fails on that non-package fetch. Invoke build-jar.sh directly instead. bash/mvnw/wget aren't shimmed, so the Maven download runs outside the sfw-wrapped process tree and succeeds. * chore(ci): remove the unused maven-extension-jar workflow The standalone PR-time jar-build workflow doesn't run behind Socket Firewall, so it never exercised the environment the release actually uses (and gave false confidence). The jar is built in the release workflow and the version-compat matrix runs locally via run-compat.sh, so drop it. * bump coana cli version
fix(scan): ignore project .pnpmfile.cjs when launching tools via pnpm… … dlx (1.1.130) (#1383) Reachability scans launch Coana (and cdxgen/synp) via `pnpm dlx` with the target repo as cwd. In a pnpm workspace root, `pnpm dlx` evaluates that repo's root `.pnpmfile.cjs`, so a broken or environment-specific hook there (e.g. a `require()` of a file that is still an unresolved Git LFS pointer) crashes the launcher with a bare exit code before the tool ever starts. Set `npm_config_ignore_pnpmfile=true` on the pnpm dlx launch env so the project's pnpm hooks never run. The dlx tool installs into an isolated store, so those hooks are irrelevant to it. The `--ignore-pnpmfile` CLI flag is rejected by `pnpm dlx`; only the env/config form works.
fix(scan): exclude Python virtual environments from manifest collecti… …on + bump Coana CLI to 15.5.10 (1.1.128) (#1379) * fix(scan): exclude Python virtual environments from manifest collection (1.1.128) Recursive manifest discovery for `socket scan`, reachability, and `socket fix` walked into Python virtual environments and collected the thousands of dependency manifests (setup.py, pyproject.toml, requirements.txt, …) installed under their site-packages, bloating scans with packages that are not part of the user's project. Exclude venvs two ways: - Add `.venv` to IGNORED_DIRS for a cheap traversal-prune of the conventional directory name. - Detect arbitrarily-named venvs by their `pyvenv.cfg` marker (written at the environment root by stdlib `venv` per PEP 405 and by virtualenv >= 20). Discovery is folded into the existing `.gitignore` discovery walk, so it adds no extra full-tree traversal; each venv root contributes a `<dir>/**` ignore that all downstream glob paths honor. Bare `venv`/`env` are intentionally not name-excluded to avoid skipping a legitimately-named non-venv directory; the pyvenv.cfg check covers them. * chore: bump Coana CLI to 15.5.10
refactor(reachability): use full names instead of "tier 1/2/3" + bump… … Coana CLI to 15.5.7 (#1376) * refactor(reachability): use descriptive names instead of tier 1/2/3 Refer to the reachability analysis types by descriptive names in all user-facing text (command/flag help, output, error messages, log messages, comments, and docs): - Full application reachability (formerly Tier 1) - Precomputed reachability (formerly Tier 2) - Dependency reachability (formerly Tier 3) Backend wire contracts are unchanged: the scan_type value, the tier1-reachability-scan/finalize endpoint, request/response field names, and code identifiers retain their existing names. Only human-readable text is updated. A new Reachability analysis section in the README documents the names and notes the previous Tier 1/2/3 naming for users migrating. * refactor(reachability): apply descriptive names to merged changes and update tests Rename the 'tier 1' wording introduced by the --reach-retain-facts-file flag (merged from v1.x) to 'full application reachability', and update the reachability test snapshots and assertions to match the descriptive naming. * chore(deps): bump @coana-tech/cli to 15.5.7 (1.1.126) Pin @coana-tech/cli to the latest published 15.5.7 and bump the CLI patch version with a matching changelog entry. * docs: drop redundant tier-naming note from README The 'formerly Tier 1/2/3' mapping is already inline on each reachability type, so the trailing note is redundant.
feat(scan): add --reach-retain-facts-file to keep the reachability re… …port (1.1.124) (#1372) * feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124) By default `socket scan create --reach` deletes the `.socket.facts.json` report from the scan directory after a successful scan. The new `--reach-retain-facts-file` flag opts out of that cleanup so the report can be inspected, with a clear warning that the file must be deleted before the next tier 1 scan: a stale facts file is picked up as a pre-generated input and would make those results unreliable. * upgrading coana to version 15.5.4
feat(scan): unit suffixes for reachability timeout/memory limits (1.1… ….123, Coana 15.5.0) (#1369) * feat(scan): unit suffixes for reachability timeout/memory limits (1.1.123, Coana 15.5.0) --reach-analysis-timeout and --reach-analysis-memory-limit now accept unit suffixes (s/m/h for duration, MB/GB for memory, case-insensitive). Coana owns the canonical parsing, so the CLI forwards the raw string verbatim instead of coercing to a number. A thin local validator gives fast errors before the Coana binary is spawned. Empty or zero-magnitude values are omitted when forwarding so Coana applies its own defaults, preserving the prior numeric-0 sentinel. Bare numbers keep working but are no longer documented. Bumps the bundled Coana CLI to 15.5.0, whose parser handles these units. * fix(scan): treat default-equivalent reach unit values as default in --reach guard The "reachability flags require --reach" guard compared the raw flag strings to the default string, so unit-equivalent inputs were wrongly flagged as non-default and rejected without --reach: 8GB / 8192MB (= the 8192MB default) and the zero/omit timeout sentinel 0 / 0s. The latter was a regression from the number→string change (numeric 0 used to equal the numeric default). Compare by resolved magnitude instead: reachMemoryLimitToMb normalizes 8192/8192MB/8GB to 8192, and the timeout uses the omit sentinel so any zero counts as default. * refactor(scan): drop local reach unit validation, defer to Coana Coana (@coana-tech/cli) is now the sole validator/parser of the --reach-analysis-timeout and --reach-analysis-memory-limit values, matching the Python CLI. Removes the local grammar mirror (isValid* regex fast-fail) that had already drifted from Coana twice (unit case-sensitivity, and a whitespace gap where Coana trims but the mirror did not). An invalid unit now surfaces as Coana's error instead of a fast local one. Kept the non-validation helpers, which Coana does not model: isOmittedReachValue (empty/zero -> omit the flag so Coana applies its default) and reachMemoryLimitToMb (unit-agnostic default-equivalence for the "requires --reach" guard). The raw string is still forwarded to Coana verbatim.
PreviousNext