Tags: SocketDev/socket-cli
fix(scan): ignore project .pnpmfile.cjs when launching tools via pnpm dlx (1.1.130) (#1383)

Reachability scans launch Coana (and cdxgen/synp) via `pnpm dlx` with the target repo as cwd. In a pnpm workspace root, `pnpm dlx` evaluates that repo's root `.pnpmfile.cjs`, so a broken or environment-specific hook there (e.g. a `require()` of a file that is still an unresolved Git LFS pointer) crashes the launcher with a bare exit code before the tool ever starts.

Set `npm_config_ignore_pnpmfile=true` on the pnpm dlx launch env so the project's pnpm hooks never run. The dlx tool installs into an isolated store, so those hooks are irrelevant to it. The `--ignore-pnpmfile` CLI flag is rejected by `pnpm dlx`; only the env/config form works.
fix(scan): exclude Python virtual environments from manifest collection + bump Coana CLI to 15.5.10 (1.1.128) (#1379)

* fix(scan): exclude Python virtual environments from manifest collection (1.1.128)

Recursive manifest discovery for `socket scan`, reachability, and `socket fix` walked into Python virtual environments and collected the thousands of dependency manifests (setup.py, pyproject.toml, requirements.txt, …) installed under their site-packages, bloating scans with packages that are not part of the user's project.

Exclude venvs two ways:

- Add `.venv` to IGNORED_DIRS for a cheap traversal-prune of the conventional directory name.
- Detect arbitrarily-named venvs by their `pyvenv.cfg` marker (written at the environment root by stdlib `venv` per PEP 405 and by virtualenv >= 20). Discovery is folded into the existing `.gitignore` discovery walk, so it adds no extra full-tree traversal; each venv root contributes a `<dir>/**` ignore that all downstream glob paths honor.

Bare `venv`/`env` are intentionally not name-excluded to avoid skipping a legitimately-named non-venv directory; the pyvenv.cfg check covers them.

* chore: bump Coana CLI to 15.5.10
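The two-pronged venv exclusion this commit describes, as an added example that is not socket-cli's own code: a directory walk that prunes `.venv` by name, prunes any directory carrying a `pyvenv.cfg` marker regardless of its name, and emits a `<dir>/**` ignore for each pruned root while collecting the manifests it does reach. The IGNORED_DIRS contents, the manifest file names, and the function names `discoverManifests` and `buildSampleTree` are assumptions; the sample tree is constructed in a temp directory so the block runs offline.

```typescript
// Added example (not socket-cli's own code): prune Python virtual environments
// during recursive manifest discovery.
//   1. cheap name-based prune of the conventional `.venv` directory, and
//   2. a `pyvenv.cfg` marker check at every directory, which catches venvs with
//      arbitrary names (`env`, `myproj-py311`, ...) without excluding those
//      names outright.
// Each pruned root contributes a `<dir>/**` ignore pattern for downstream globs.
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Directory names skipped without looking inside (assumed list).
export const IGNORED_DIRS: ReadonlySet<string> = new Set([".git", "node_modules", ".venv"]);

// Manifest file names being collected (assumed subset).
const MANIFEST_NAMES: ReadonlySet<string> = new Set([
  "setup.py", "pyproject.toml", "requirements.txt", "package.json",
]);

export interface WalkResult {
  manifests: string[]; // root-relative manifest paths, POSIX separators
  ignores: string[];   // glob ignores such as "env/**"
}

function toPosix(p: string): string {
  return p.split(path.sep).join("/");
}

// Walk `root`, collecting manifests and emitting a `<dir>/**` ignore for every
// directory that is either name-excluded or marked by pyvenv.cfg.
export function discoverManifests(root: string): WalkResult {
  const manifests: string[] = [];
  const ignores: string[] = [];

  const visit = (dir: string): void => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const abs = path.join(dir, entry.name);
      const rel = toPosix(path.relative(root, abs));
      if (entry.isDirectory()) {
        const isVenv = fs.existsSync(path.join(abs, "pyvenv.cfg"));
        if (IGNORED_DIRS.has(entry.name) || isVenv) {
          ignores.push(`${rel}/**`);
          continue; // prune: never descend into the environment
        }
        visit(abs);
      } else if (entry.isFile() && MANIFEST_NAMES.has(entry.name)) {
        manifests.push(rel);
      }
    }
  };

  visit(root);
  manifests.sort();
  ignores.sort();
  return { manifests, ignores };
}

// Constructed sample tree: real project manifests, a conventional `.venv`, an
// arbitrarily named venv `env` marked by pyvenv.cfg (both holding site-packages
// manifests that must NOT be collected), and a plain source dir also named `env`.
export function buildSampleTree(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "venv-prune-"));
  const write = (rel: string, body = ""): void => {
    const abs = path.join(root, rel);
    fs.mkdirSync(path.dirname(abs), { recursive: true });
    fs.writeFileSync(abs, body);
  };
  write("pyproject.toml", "[project]\nname = 'demo'\n");
  write("services/api/requirements.txt", "requests==2.32.0\n");
  write(".venv/pyvenv.cfg", "home = /usr/bin\n");
  write(".venv/lib/python3.11/site-packages/requests/setup.py");
  write("env/pyvenv.cfg", "home = /usr/bin\n");
  write("env/lib/python3.11/site-packages/urllib3/pyproject.toml");
  write("services/env/requirements.txt", "boto3==1.34.0\n"); // no marker: ordinary dir
  return root;
}
```

Running `discoverManifests(buildSampleTree())` yields three project manifests and the ignores `.venv/**` and `env/**`; the unmarked `services/env` directory is still traversed, which is the reason the commit does not name-exclude bare `venv`/`env`.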
refactor(reachability): use full names instead of "tier 1/2/3" + bump Coana CLI to 15.5.7 (#1376)

* refactor(reachability): use descriptive names instead of tier 1/2/3

Refer to the reachability analysis types by descriptive names in all user-facing text (command/flag help, output, error messages, log messages, comments, and docs):

- Full application reachability (formerly Tier 1)
- Precomputed reachability (formerly Tier 2)
- Dependency reachability (formerly Tier 3)

Backend wire contracts are unchanged: the scan_type value, the tier1-reachability-scan/finalize endpoint, request/response field names, and code identifiers retain their existing names. Only human-readable text is updated.

A new Reachability analysis section in the README documents the names and notes the previous Tier 1/2/3 naming for users migrating.

* refactor(reachability): apply descriptive names to merged changes and update tests

Rename the 'tier 1' wording introduced by the --reach-retain-facts-file flag (merged from v1.x) to 'full application reachability', and update the reachability test snapshots and assertions to match the descriptive naming.

* chore(deps): bump @coana-tech/cli to 15.5.7 (1.1.126)

Pin @coana-tech/cli to the latest published 15.5.7 and bump the CLI patch version with a matching changelog entry.

* docs: drop redundant tier-naming note from README

The 'formerly Tier 1/2/3' mapping is already inline on each reachability type, so the trailing note is redundant.
feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124) (#1372)

* feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124)

By default `socket scan create --reach` deletes the `.socket.facts.json` report from the scan directory after a successful scan. The new `--reach-retain-facts-file` flag opts out of that cleanup so the report can be inspected, with a clear warning that the file must be deleted before the next tier 1 scan: a stale facts file is picked up as a pre-generated input and would make those results unreliable.

* upgrading coana to version 15.5.4
feat(scan): unit suffixes for reachability timeout/memory limits (1.1.123, Coana 15.5.0) (#1369)

* feat(scan): unit suffixes for reachability timeout/memory limits (1.1.123, Coana 15.5.0)

--reach-analysis-timeout and --reach-analysis-memory-limit now accept unit suffixes (s/m/h for duration, MB/GB for memory, case-insensitive). Coana owns the canonical parsing, so the CLI forwards the raw string verbatim instead of coercing to a number. A thin local validator gives fast errors before the Coana binary is spawned. Empty or zero-magnitude values are omitted when forwarding so Coana applies its own defaults, preserving the prior numeric-0 sentinel. Bare numbers keep working but are no longer documented.

Bumps the bundled Coana CLI to 15.5.0, whose parser handles these units.

* fix(scan): treat default-equivalent reach unit values as default in --reach guard

The "reachability flags require --reach" guard compared the raw flag strings to the default string, so unit-equivalent inputs were wrongly flagged as non-default and rejected without --reach: 8GB / 8192MB (= the 8192MB default) and the zero/omit timeout sentinel 0 / 0s. The latter was a regression from the number→string change (numeric 0 used to equal the numeric default).

Compare by resolved magnitude instead: reachMemoryLimitToMb normalizes 8192/8192MB/8GB to 8192, and the timeout uses the omit sentinel so any zero counts as default.

* refactor(scan): drop local reach unit validation, defer to Coana

Coana (@coana-tech/cli) is now the sole validator/parser of the --reach-analysis-timeout and --reach-analysis-memory-limit values, matching the Python CLI. Removes the local grammar mirror (isValid* regex fast-fail) that had already drifted from Coana twice (unit case-sensitivity, and a whitespace gap where Coana trims but the mirror did not). An invalid unit now surfaces as Coana's error instead of a fast local one.

Kept the non-validation helpers, which Coana does not model: isOmittedReachValue (empty/zero -> omit the flag so Coana applies its default) and reachMemoryLimitToMb (unit-agnostic default-equivalence for the "requires --reach" guard). The raw string is still forwarded to Coana verbatim.
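The two kept helpers and the guard they serve, as an added example that is not socket-cli's own code and makes no claim about the project's real implementation: `isOmittedReachValue` treats empty or zero-magnitude strings as "omit the flag", `reachMemoryLimitToMb` resolves a memory string to a unit-agnostic magnitude, and the guard compares resolved magnitudes rather than raw strings, so `8GB`, `8192MB` and `8192` all count as the default and `0`/`0s` count as the default timeout. The regex grammar, the option shape passed to the guard, the `checkReachGuard` and `forwardedReachValues` names, and the 8192MB default are assumptions drawn from the commit text; no validation is performed here, matching the commit's decision to leave that to Coana.

```typescript
// Added example (not socket-cli's own code): default-equivalence helpers for the
// --reach-analysis-timeout / --reach-analysis-memory-limit flags. Nothing here
// validates the value; an unrecognized string is simply forwarded for Coana to
// reject, which is the behaviour the commit describes.

export const DEFAULT_REACH_MEMORY_LIMIT = "8192MB"; // assumed default from the commit text

export interface ReachOpts {
  reachAnalysisTimeout: string;     // raw user string, e.g. "30m", "0s", ""
  reachAnalysisMemoryLimit: string; // raw user string, e.g. "8GB", "8192MB", "8192"
}

// Empty or zero-magnitude values mean "omit the flag so Coana applies its own default".
// Only the leading number is inspected; the unit (if any) is irrelevant for zero.
export function isOmittedReachValue(raw: string): boolean {
  const v = raw.trim();
  if (v === "") return true;
  const m = /^(\d+(?:\.\d+)?)\s*[a-z]*$/i.exec(v);
  return m !== null && Number(m[1]) === 0;
}

// Unit-agnostic memory magnitude in MB (bare numbers are MB, per the commit);
// null when the string is not something the guard can compare.
export function reachMemoryLimitToMb(raw: string): number | null {
  const m = /^(\d+(?:\.\d+)?)\s*(mb|gb)?$/i.exec(raw.trim());
  if (!m) return null;
  const n = Number(m[1]);
  const unit = (m[2] ?? "mb").toLowerCase();
  return unit === "gb" ? n * 1024 : n;
}

// True when both reach flags are at (or equivalent to) their defaults.
export function reachFlagsAreDefault(opts: ReachOpts): boolean {
  const defaultMb = reachMemoryLimitToMb(DEFAULT_REACH_MEMORY_LIMIT);
  const memDefault =
    isOmittedReachValue(opts.reachAnalysisMemoryLimit) ||
    reachMemoryLimitToMb(opts.reachAnalysisMemoryLimit) === defaultMb;
  const timeoutDefault = isOmittedReachValue(opts.reachAnalysisTimeout);
  return memDefault && timeoutDefault;
}

// The "reachability flags require --reach" guard: returns an error message when
// a non-default reach value is supplied without --reach, null otherwise.
export function checkReachGuard(opts: ReachOpts & { reach: boolean }): string | null {
  if (opts.reach || reachFlagsAreDefault(opts)) return null;
  return "--reach-analysis-timeout and --reach-analysis-memory-limit require --reach";
}

// Values that would be forwarded to Coana verbatim; omitted values are dropped so
// Coana applies its own defaults. (Coana's flag names are not modelled here.)
export function forwardedReachValues(opts: ReachOpts): { timeout?: string; memoryLimit?: string } {
  const out: { timeout?: string; memoryLimit?: string } = {};
  if (!isOmittedReachValue(opts.reachAnalysisTimeout)) out.timeout = opts.reachAnalysisTimeout.trim();
  if (!isOmittedReachValue(opts.reachAnalysisMemoryLimit)) out.memoryLimit = opts.reachAnalysisMemoryLimit.trim();
  return out;
}
```

Note that `checkReachGuard({ reach: false, reachAnalysisTimeout: "0s", reachAnalysisMemoryLimit: "8GB" })` returns null, the case the raw-string comparison used to reject.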
fix(config): persist `config set` under an env token; fail on ephemeral overrides (1.1.121) (#1366)

A Socket API token supplied via env (SOCKET_CLI_API_TOKEN / SOCKET_SECURITY_API_TOKEN and legacy aliases) used to put the entire config into read-only mode, so `socket config set <key> <value>` silently failed to save while still printing `OK`, and a later `socket config get` then showed nothing.

A token from the environment now overrides authentication only: unrelated keys such as defaultOrg are written to disk as expected, while the env token itself is still never persisted (getDefaultApiToken resolves it straight from the environment, so it is no longer mirrored into the cached config).

When the config is genuinely ephemeral, because it was fully overridden via --config, SOCKET_CLI_CONFIG, or SOCKET_CLI_NO_API_TOKEN, `socket config set` now fails with a clear error instead of pretending it succeeded; the in-memory-only change is a no-op for a one-shot command. `config get apiToken` still reports the env-supplied token, which takes precedence over persisted / --config values.

Adds unit and command-level regression tests and bumps the CLI to 1.1.121.