Tags: SocketDev/socket-cli

v1.1.128

Verified: This commit was created on GitHub.com and signed with GitHub’s verified signature.

fix(scan): exclude Python virtual environments from manifest collection + bump Coana CLI to 15.5.10 (1.1.128) (#1379)

* fix(scan): exclude Python virtual environments from manifest collection (1.1.128)

Recursive manifest discovery for `socket scan`, reachability, and
`socket fix` walked into Python virtual environments and collected the
thousands of dependency manifests (setup.py, pyproject.toml,
requirements.txt, …) installed under their site-packages, bloating scans
with packages that are not part of the user's project.

Exclude venvs two ways:
- Add `.venv` to IGNORED_DIRS for a cheap traversal-prune of the
  conventional directory name.
- Detect arbitrarily-named venvs by their `pyvenv.cfg` marker (written at
  the environment root by stdlib `venv` per PEP 405 and by virtualenv >=
  20). Discovery is folded into the existing `.gitignore` discovery walk,
  so it adds no extra full-tree traversal; each venv root contributes a
  `<dir>/**` ignore that all downstream glob paths honor.

Bare `venv`/`env` are intentionally not name-excluded to avoid skipping a
legitimately-named non-venv directory; the pyvenv.cfg check covers them.

* chore: bump Coana CLI to 15.5.10
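The venv exclusion described in this commit, as an added example that is not socket-cli's own code: a single discovery walk prunes `IGNORED_DIRS` by name, treats any directory carrying a `pyvenv.cfg` as a venv root and emits a `<dir>/**` ignore for it, and the manifest collector then honors those ignores. The `IGNORED_DIRS` and `MANIFEST_NAMES` sets are constructed subsets, the `isIgnored` prefix matcher is a stand-in for the project's real glob handling, and the fixture tree is built under a temp dir so the example runs offline. The fixture also contains a bare `env/` directory without a marker to show that it is kept, which is the trade-off the commit describes.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Constructed subset of a traversal-prune list; the real IGNORED_DIRS is larger.
const IGNORED_DIRS = new Set(['.git', 'node_modules', '.venv']);
// PEP 405 marker written at the root of a venv by stdlib `venv` and virtualenv >= 20.
const VENV_MARKER = 'pyvenv.cfg';
// Constructed subset of manifest file names the collector looks for.
const MANIFEST_NAMES = new Set(['setup.py', 'pyproject.toml', 'requirements.txt']);

const toPosix = (p: string): string => p.split(path.sep).join('/');

// Unreadable directories are skipped exactly like pruned ones.
function safeReaddir(dir: string) {
  try {
    return fs.readdirSync(dir, { withFileTypes: true }).sort((a, b) => a.name.localeCompare(b.name));
  } catch {
    return [];
  }
}

/**
 * One walk over `root`: prune IGNORED_DIRS by name and return a `<dir>/**` ignore
 * for every directory that carries pyvenv.cfg. A venv root is never descended into,
 * so its site-packages tree is not visited at all.
 */
export function discoverVenvIgnores(root: string): string[] {
  const ignores: string[] = [];
  const walk = (dir: string): void => {
    const entries = safeReaddir(dir);
    if (entries.some((e) => e.isFile() && e.name === VENV_MARKER)) {
      const rel = toPosix(path.relative(root, dir));
      ignores.push(rel === '' ? '**' : `${rel}/**`);
      return;
    }
    for (const e of entries) {
      if (e.isDirectory() && !IGNORED_DIRS.has(e.name)) walk(path.join(dir, e.name));
    }
  };
  walk(root);
  return ignores;
}

/** Stand-in glob check: a root-relative posix path is ignored if it sits under a `<dir>/**` entry. */
export function isIgnored(rel: string, ignores: string[]): boolean {
  return ignores.some((g) => g === '**' || rel.startsWith(g.slice(0, -2)));
}

/** Collect manifests (root-relative posix paths), honoring IGNORED_DIRS and the venv ignores. */
export function collectManifests(root: string, ignores: string[]): string[] {
  const found: string[] = [];
  const walk = (dir: string): void => {
    for (const e of safeReaddir(dir)) {
      const abs = path.join(dir, e.name);
      const rel = toPosix(path.relative(root, abs));
      if (e.isDirectory()) {
        if (!IGNORED_DIRS.has(e.name) && !isIgnored(rel + '/', ignores)) walk(abs);
      } else if (e.isFile() && MANIFEST_NAMES.has(e.name) && !isIgnored(rel, ignores)) {
        found.push(rel);
      }
    }
  };
  walk(root);
  return found.sort();
}

/** Constructed project tree: one real manifest, two venvs (one by name, one by marker), one bare `env`. */
export function buildFixture(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'venv-prune-'));
  const write = (rel: string, body = ''): void => {
    const abs = path.join(root, rel);
    fs.mkdirSync(path.dirname(abs), { recursive: true });
    fs.writeFileSync(abs, body);
  };
  write('pyproject.toml', '[project]\nname = "demo"\n'); // the user's own manifest
  write('.venv/pyvenv.cfg', 'home = /usr/bin\n'); // pruned by name before any marker check
  write('.venv/lib/site-packages/foo/setup.py');
  write('tools/my-env/pyvenv.cfg', 'home = /usr/bin\n'); // arbitrary name: found via the marker
  write('tools/my-env/lib/site-packages/bar/pyproject.toml');
  write('env/requirements.txt', 'requests\n'); // bare `env` with no marker: intentionally kept
  return root;
}

/** Build the fixture, run discovery + collection, and clean up the temp tree. */
export function demo(): { ignores: string[]; manifests: string[] } {
  const root = buildFixture();
  try {
    const ignores = discoverVenvIgnores(root);
    return { ignores, manifests: collectManifests(root, ignores) };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}

console.log(JSON.stringify(demo()));
```

Running it yields `{"ignores":["tools/my-env/**"],"manifests":["env/requirements.txt","pyproject.toml"]}`: the name-pruned `.venv` never produces an ignore because it is never walked, the marker-detected venv produces one, and the bare `env` directory is still collected.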

v1.1.127

chore: bump Coana CLI to 15.5.9 (1.1.127) (#1378)

v1.1.126

refactor(reachability): use full names instead of "tier 1/2/3" + bump Coana CLI to 15.5.7 (#1376)

* refactor(reachability): use descriptive names instead of tier 1/2/3

Refer to the reachability analysis types by descriptive names in all
user-facing text (command/flag help, output, error messages, log
messages, comments, and docs):

- Full application reachability (formerly Tier 1)
- Precomputed reachability (formerly Tier 2)
- Dependency reachability (formerly Tier 3)

Backend wire contracts are unchanged: the scan_type value, the
tier1-reachability-scan/finalize endpoint, request/response field
names, and code identifiers retain their existing names. Only
human-readable text is updated.

A new Reachability analysis section in the README documents the names
and notes the previous Tier 1/2/3 naming for users migrating.

* refactor(reachability): apply descriptive names to merged changes and update tests

Rename the 'tier 1' wording introduced by the --reach-retain-facts-file
flag (merged from v1.x) to 'full application reachability', and update
the reachability test snapshots and assertions to match the descriptive
naming.

* chore(deps): bump @coana-tech/cli to 15.5.7 (1.1.126)

Pin @coana-tech/cli to the latest published 15.5.7 and bump the CLI
patch version with a matching changelog entry.

* docs: drop redundant tier-naming note from README

The 'formerly Tier 1/2/3' mapping is already inline on each reachability
type, so the trailing note is redundant.

v1.1.124

feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124) (#1372)

* feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124)

By default `socket scan create --reach` deletes the `.socket.facts.json` report from the scan directory after a successful scan. The new `--reach-retain-facts-file` flag opts out of that cleanup so the report can be inspected, with a clear warning that the file must be deleted before the next tier 1 scan: a stale facts file is picked up as a pre-generated input and would make those results unreliable.

* upgrading coana to version 15.5.4

v1.1.123

feat(scan): unit suffixes for reachability timeout/memory limits (1.1.123, Coana 15.5.0) (#1369)

* feat(scan): unit suffixes for reachability timeout/memory limits (1.1.123, Coana 15.5.0)

--reach-analysis-timeout and --reach-analysis-memory-limit now accept unit
suffixes (s/m/h for duration, MB/GB for memory, case-insensitive). Coana owns
the canonical parsing, so the CLI forwards the raw string verbatim instead of
coercing to a number. A thin local validator gives fast errors before the Coana
binary is spawned.

Empty or zero-magnitude values are omitted when forwarding so Coana applies its
own defaults, preserving the prior numeric-0 sentinel. Bare numbers keep working
but are no longer documented. Bumps the bundled Coana CLI to 15.5.0, whose parser
handles these units.

* fix(scan): treat default-equivalent reach unit values as default in --reach guard

The "reachability flags require --reach" guard compared the raw flag strings to
the default string, so unit-equivalent inputs were wrongly flagged as non-default
and rejected without --reach: 8GB / 8192MB (= the 8192MB default) and the
zero/omit timeout sentinel 0 / 0s. The latter was a regression from the
number→string change (numeric 0 used to equal the numeric default).

Compare by resolved magnitude instead: reachMemoryLimitToMb normalizes
8192/8192MB/8GB to 8192, and the timeout uses the omit sentinel so any zero
counts as default.

* refactor(scan): drop local reach unit validation, defer to Coana

Coana (@coana-tech/cli) is now the sole validator/parser of the
--reach-analysis-timeout and --reach-analysis-memory-limit values, matching the
Python CLI. Removes the local grammar mirror (isValid* regex fast-fail) that had
already drifted from Coana twice (unit case-sensitivity, and a whitespace gap
where Coana trims but the mirror did not). An invalid unit now surfaces as
Coana's error instead of a fast local one.

Kept the non-validation helpers, which Coana does not model: isOmittedReachValue
(empty/zero -> omit the flag so Coana applies its default) and reachMemoryLimitToMb
(unit-agnostic default-equivalence for the "requires --reach" guard). The raw
string is still forwarded to Coana verbatim.
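The two helpers this series keeps, and the guard they serve, as an added example that is not socket-cli's code: `isOmittedReachValue` treats empty and zero-magnitude strings as "omit the flag so Coana applies its default", `reachMemoryLimitToMb` resolves `8192` / `8192MB` / `8GB` to the same magnitude so the "requires --reach" guard compares values rather than raw strings, and nothing here rejects input, so an unrecognised unit is passed through for Coana to report. The function names come from the commit messages; their bodies, the `ReachFlags` shape, the `DEFAULT_REACH_MEMORY_MB` constant and the integer-only, whitespace-tolerant grammar are assumptions.

```typescript
// Default memory limit in MB (the 8192MB default named in the commit).
const DEFAULT_REACH_MEMORY_MB = 8192;

/** Empty or zero-magnitude ("", "0", "0s", "0GB"): omit the flag and let Coana apply its default. */
export function isOmittedReachValue(raw: string | undefined): boolean {
  const v = (raw ?? '').trim();
  return v === '' || /^0+(?:\.0+)?[a-z]*$/i.test(v);
}

/**
 * Resolve a memory-limit string to MB for default-equivalence only. Bare numbers are MB;
 * MB/GB suffixes are case-insensitive. Returns null for anything it does not understand
 * instead of erroring, so this helper never competes with Coana's parser (assumed grammar).
 */
export function reachMemoryLimitToMb(raw: string): number | null {
  const m = /^(\d+)\s*(mb|gb)?$/i.exec(raw.trim());
  if (!m) return null;
  const n = Number(m[1]);
  return (m[2] ?? 'mb').toLowerCase() === 'gb' ? n * 1024 : n;
}

// Hypothetical shape of the parsed flags relevant to the guard.
export interface ReachFlags {
  reach: boolean;
  reachAnalysisTimeout?: string;
  reachAnalysisMemoryLimit?: string;
}

/**
 * The "reachability flags require --reach" guard: the flags that carry a non-default
 * value while --reach is off. Any zero timeout is the omit sentinel and counts as default;
 * memory is compared by resolved MB. An unparseable value is conservatively non-default,
 * so the user sees Coana's unit error once --reach is supplied rather than a silent pass.
 */
export function reachFlagsNeedingReach(flags: ReachFlags): string[] {
  if (flags.reach) return [];
  const offenders: string[] = [];
  if (!isOmittedReachValue(flags.reachAnalysisTimeout)) offenders.push('--reach-analysis-timeout');
  const mem = flags.reachAnalysisMemoryLimit;
  if (!isOmittedReachValue(mem) && reachMemoryLimitToMb(mem ?? '') !== DEFAULT_REACH_MEMORY_MB) {
    offenders.push('--reach-analysis-memory-limit');
  }
  return offenders;
}

/** Values forwarded verbatim (only trimmed), keyed by the socket-cli flag; omitted ones are dropped. */
export function forwardedReachValues(flags: ReachFlags): Record<string, string> {
  const out: Record<string, string> = {};
  if (!isOmittedReachValue(flags.reachAnalysisTimeout)) {
    out['--reach-analysis-timeout'] = (flags.reachAnalysisTimeout ?? '').trim();
  }
  if (!isOmittedReachValue(flags.reachAnalysisMemoryLimit)) {
    out['--reach-analysis-memory-limit'] = (flags.reachAnalysisMemoryLimit ?? '').trim();
  }
  return out;
}

// Constructed inputs: default-equivalent forms must not trip the guard.
console.log(reachFlagsNeedingReach({ reach: false, reachAnalysisTimeout: '0s', reachAnalysisMemoryLimit: '8GB' }));
console.log(reachFlagsNeedingReach({ reach: false, reachAnalysisTimeout: '10m', reachAnalysisMemoryLimit: '16gb' }));
console.log(forwardedReachValues({ reach: true, reachAnalysisTimeout: '', reachAnalysisMemoryLimit: '4GB' }));
```

The first call prints `[]`, the second prints both flag names, and the third forwards only the memory limit, as the raw string `4GB`, since the empty timeout is omitted.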

v1.1.122

Jfblaa/bump coana 15 4 6 for real (#1368)

* bump coana to 15.4.6

* update socket cli version

v1.1.121

fix(config): persist `config set` under an env token; fail on ephemeral overrides (1.1.121) (#1366)

A Socket API token supplied via env (SOCKET_CLI_API_TOKEN / SOCKET_SECURITY_API_TOKEN
and legacy aliases) used to put the entire config into read-only mode, so
`socket config set <key> <value>` silently failed to save while still printing
`OK`, and a later `socket config get` then showed nothing. A token from the
environment now overrides authentication only: unrelated keys such as defaultOrg
are written to disk as expected, while the env token itself is still never
persisted (getDefaultApiToken resolves it straight from the environment, so it is
no longer mirrored into the cached config).

When the config is genuinely ephemeral, because it was fully overridden via
--config, SOCKET_CLI_CONFIG, or SOCKET_CLI_NO_API_TOKEN, `socket config set` now
fails with a clear error instead of pretending it succeeded; the in-memory-only
change is a no-op for a one-shot command.

`config get apiToken` still reports the env-supplied token, which takes
precedence over persisted / --config values. Adds unit and command-level
regression tests and bumps the CLI to 1.1.121.
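The precedence and persistence rules this commit describes, modelled as an added example that is not socket-cli's code: an env-supplied token overrides authentication only and is never copied into the persisted config, unrelated keys are written normally, and `config set` against a fully ephemeral config throws instead of reporting success. `ConfigStore`, `configGet` and `configSet` are hypothetical names; the env variable names are the ones the commit lists (legacy aliases omitted), and the token value is a constructed placeholder.

```typescript
// Hypothetical in-memory model of the on-disk config plus its "ephemeral" state.
export interface ConfigStore {
  persisted: Record<string, string>; // what `config set` writes to disk
  ephemeral: boolean; // true when fully overridden via --config, SOCKET_CLI_CONFIG or SOCKET_CLI_NO_API_TOKEN
}

type Env = Record<string, string | undefined>;

// Env variables that supply an API token (legacy aliases omitted here).
const ENV_TOKEN_KEYS = ['SOCKET_CLI_API_TOKEN', 'SOCKET_SECURITY_API_TOKEN'];

/** Resolve the token straight from the environment; it is never mirrored into the store. */
export function envApiToken(env: Env): string | undefined {
  for (const k of ENV_TOKEN_KEYS) {
    const v = env[k]?.trim();
    if (v) return v;
  }
  return undefined;
}

/** `config get <key>`: apiToken prefers the env; every other key comes from disk. */
export function configGet(store: ConfigStore, env: Env, key: string): string | undefined {
  if (key === 'apiToken') return envApiToken(env) ?? store.persisted['apiToken'];
  return store.persisted[key];
}

/**
 * `config set <key> <value>`: an env token no longer puts the whole config into read-only
 * mode, so unrelated keys persist. A genuinely ephemeral config cannot persist anything,
 * so the command fails loudly rather than printing OK for a no-op.
 */
export function configSet(store: ConfigStore, key: string, value: string): void {
  if (store.ephemeral) {
    throw new Error(
      `config set ${key}: config is ephemeral (overridden via --config, SOCKET_CLI_CONFIG or SOCKET_CLI_NO_API_TOKEN); nothing would be saved`,
    );
  }
  store.persisted[key] = value;
}

/** Constructed scenario: env token present, `defaultOrg` set, then the same on an ephemeral store. */
export function demo(): { persisted: Record<string, string>; token: string | undefined; ephemeralFailed: boolean } {
  const env: Env = { SOCKET_CLI_API_TOKEN: 'constructed-placeholder-token' };
  const store: ConfigStore = { persisted: {}, ephemeral: false };
  configSet(store, 'defaultOrg', 'example-org');
  let ephemeralFailed = false;
  try {
    configSet({ persisted: {}, ephemeral: true }, 'defaultOrg', 'example-org');
  } catch {
    ephemeralFailed = true;
  }
  return { persisted: { ...store.persisted }, token: configGet(store, env, 'apiToken'), ephemeralFailed };
}

console.log(JSON.stringify(demo()));
```

The output shows `defaultOrg` on disk, no `apiToken` key beside it, the env token reported by `config get apiToken`, and the ephemeral write rejected.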

v1.1.120

feat(scan): forward socket.json build-tool config into reachability (1.1.120, Coana 15.4.1) (#1362)

* feat(scan): forward socket.json build-tool config into reachability

socket scan create --reach now maps socket.json's per-ecosystem manifest
build-tool options (bin, include/exclude-configs, gradle/sbt opts) into a
Coana-defined AutoManifestConfig and passes it to `coana run` via
--auto-manifest-config (a temp JSON file path Coana reads), so reach-time
dependency resolution invokes the build tool the way the project is configured
rather than with defaults. Under --auto-manifest the config also carries
top-level failOnBuildToolError=true (fail-closed: Coana treats a build-tool
step failure as fatal instead of tolerating it); plain --reach leaves it unset
and stays permissive.

This is the socket-cli side of the manifest-flag-propagation gap. The Coana
`--auto-manifest-config` option is not yet released, so this must not ship
until Coana publishes it and the pinned @coana-tech/cli is bumped; until then
it is exercised via SOCKET_CLI_COANA_LOCAL_PATH.

- add src/utils/auto-manifest-config.mts: BuildToolOptions/AutoManifestConfig
  types + buildAutoManifestConfig (socket.json -> config) + tests
- ReachabilityOptions.autoManifestConfig; write the config to a temp file and
  pass its path to coana run, cleaning it up after
- build the config at the cmd-scan-create assembly point

* chore(release): 1.1.120 — Coana 15.4.1 and socket.json build-tool config forwarding

Bump @coana-tech/cli to 15.4.1 (which ships the --auto-manifest-config
option the feat commit depends on), bump the package version to 1.1.120,
and add the changelog entry.

* fix(scan): gate --auto-manifest-config on Coana version support

Only forward the socket.json build-tool config to `coana run` when the
resolved Coana version supports `--auto-manifest-config` (>= 15.4.1).
Passing the flag to an older Coana, pinned via --reach-version, would abort
the run on an unknown flag; we now skip it and warn instead. A local Coana
build (SOCKET_CLI_COANA_LOCAL_PATH) has no resolvable version and is treated
as supported.

Also drop internal tracker references from source comments.

* fix(scan): drop Coana version gate, clean up config temp file in finally

Coana is pinned to a specific version in the CLI, so gating
--auto-manifest-config on a minimum version added no real safety; remove
coanaSupportsAutoManifestConfig and forward the config unconditionally
when non-empty. Move the temp config file cleanup into a finally block so
it runs even if the Coana run throws.

* fix changelog entry

* bump coana to 15.4.5

v1.1.119

upgrading coana to version 15.3.26 (#1361)

v1.1.118

upgrading coana to version 15.3.24 (#1358)