@socketsecurity/cli-with-sentry 1.0.89 → 1.0.91

package/external/@coana-tech/cli/reachability-analyzers-cli.mjs

@@ -94989,16 +94989,17 @@ import { join as join13, resolve as resolve10, sep } from "path";
 var { uniq: uniq5 } = import_lodash11.default;
 var GoCodeAwareVulnerabilityScanner = class {
   projectDir;
-  timeoutInSeconds;
+  options;
   name = "GOANA";
-  constructor(projectDir, timeoutInSeconds) {
+  constructor(projectDir, options = {}) {
     this.projectDir = projectDir;
-    this.timeoutInSeconds = timeoutInSeconds;
+    this.options = options;
   }
   async runAnalysis(vulns, heuristic, _analyzesAllVulns) {
     logger.info("Started instantiating Go code-aware analysis");
     if (!existsSync9(join13(this.projectDir, "go.mod")))
       throw new Error("go.mod file not found in the project directory");
+    const { timeoutInSeconds, memoryLimitInMB } = this.options;
     const tmpDir = await createTmpDirectory("goana-output");
     const vulnsOutputFile = join13(tmpDir, "vulns.json");
     const diagnosticsOutputFile = join13(tmpDir, "diagnostics.json");
@@ -95008,7 +95009,10 @@ var GoCodeAwareVulnerabilityScanner = class {
           -output-vulnerabilities ${vulnsOutputFile}
           -output-diagnostics ${diagnosticsOutputFile}
           -topk=4 ${heuristic.includeTests && "-tests"}
-          ${this.projectDir} ${vulnAccPaths}`, void 0, { timeout: this.timeoutInSeconds ? this.timeoutInSeconds * 1e3 : void 0 });
+          ${this.projectDir} ${vulnAccPaths}`, void 0, {
+        timeout: timeoutInSeconds ? timeoutInSeconds * 1e3 : void 0,
+        env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${memoryLimitInMB}MB` } : void 0
+      });
       if (error) {
         logger.error("Error running Go code-aware analysis", error);
         const timeout = !!error.killed;
@@ -95045,7 +95049,7 @@ ${stderr}`);
       await rm4(tmpDir, { recursive: true, force: true });
     }
   }
-  static async runOnDependencyChain([first2, ...rest], vuln, timeoutInSeconds) {
+  static async runOnDependencyChain([first2, ...rest], vuln, options = {}) {
     assert4(first2.version);
     const { Dir, GoMod } = JSON.parse(await runCommandResolveStdOut(cmdt`go mod download -json ${first2.packageName}@v${first2.version}`));
     const projectDir = await createTmpDirectory("go-run-on-dependency-chain-");
@@ -95062,7 +95066,7 @@ ${stderr}`);
         await runGoModTidy(projectDir);
       }
       const heuristic = GoanaHeuristics.NO_TESTS;
-      const result = await new this(projectDir, timeoutInSeconds).runAnalysis([vuln], heuristic, true);
+      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
       if (result.type === "error")
         return {
           error: result.message,
@@ -95078,7 +95082,7 @@ ${stderr}`);
       await rm4(projectDir, { recursive: true, force: true });
     }
   }
-  static async runOnAlreadyDownloadedPackages(packages, vuln, timeoutInSeconds) {
+  static async runOnAlreadyDownloadedPackages(packages, vuln, options = {}) {
     for (const pkg of packages)
       assert4(existsSync9(join13(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
     const [app, ...dependencies] = packages;
@@ -95095,7 +95099,7 @@ ${stderr}`);
         await runGoModTidy(projectDir);
       }
       const heuristic = GoanaHeuristics.NO_TESTS;
-      const result = await new this(projectDir, timeoutInSeconds).runAnalysis([vuln], heuristic, true);
+      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
       if (result.type === "error")
         return {
           error: result.message,
@@ -96170,7 +96174,10 @@ async function analyzePackages(ecosystem, packages, vulnerability, options) {
       break;
     case "GO":
       analysisName = "Goana";
-      result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options?.timeoutInSeconds ?? 60);
+      result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, {
+        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
+        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
+      });
       break;
     case "RUST":
       analysisName = "Rustica";
@@ -96215,7 +96222,10 @@ async function analyzeAlreadyInstalledPackages(ecosystem, packages, vulnerabilit
       break;
     case "GO":
       analysisName = "Goana";
-      result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options?.timeoutInSeconds ?? 60);
+      result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
+        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
+        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
+      });
       break;
     case "RUST":
       analysisName = "Rustica";
@@ -96270,7 +96280,7 @@ async function getVersion(analysisName) {
 // dist/whole-program-code-aware-vulnerability-scanner/python/python-code-aware-vulnerability-scanner.js
 var import_semver2 = __toESM(require_semver2(), 1);
 var { omit, once: once3, pick, sortedUniq, uniqBy } = import_lodash14.default;
-var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilityScanner {
+var PythonCodeAwareVulnerabilityScanner = class {
   state;
   projectDir;
   name = "MAMBALADE";
@@ -96295,9 +96305,7 @@ var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilitySca
   async runAnalysis(vulns, heuristic, analyzesAllVulns) {
     if (!this.virtualEnvInfo)
       throw new Error("Virtual environment not set up");
-    if (!this.mambaladeVenvPath) {
-      await this.setupMambalade();
-    }
+    this.mambaladeVenvPath ??= await setupMambalade();
     logger.info("Started instantiating Python code-aware analysis");
     logger.debug(`Trying to find files to analyze from projectDir: ${this.projectDir}`);
     const { rootWorkingDir, reachabilityAnalysisOptions } = this.state;
@@ -96429,7 +96437,7 @@ ${msg}`;
       logger.info(`Copying ${app} to ${projectDir}`);
       await cp5(app, projectDir, { recursive: true });
       fileMappings.set(projectDir, app);
-      const scanner = new _PythonCodeAwareVulnerabilityScanner({
+      const scanner = new this({
         rootWorkingDir: projectTmpDir,
         reachabilityAnalysisOptions: options
       }, projectTmpDir);
@@ -96608,22 +96616,6 @@ ${msg}`;
   getVirtualEnvInfo() {
     return this.virtualEnvInfo;
   }
-  async setupMambalade() {
-    const venvDir = await createTmpDirectory("mambalade-venv");
-    logger.info("Creating Mambalade virtual environment");
-    const pythonInterpreter = await getPythonInterpreter();
-    await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
-    const mambaladeWheelsPath = join15(COANA_REPOS_PATH(), "mambalade", "dist");
-    const wheelFiles = await readdir3(mambaladeWheelsPath);
-    const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join15(mambaladeWheelsPath, f2));
-    if (mambaladeWheels.length === 0) {
-      throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
-    }
-    logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
-    await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
-    this.mambaladeVenvPath = venvDir;
-    logger.info("Mambalade virtual environment setup complete");
-  }
   // async [Symbol.asyncDispose]() {
   async cleanup() {
     if (this.virtualEnvInfo?.temporary) {
@@ -96684,6 +96676,21 @@ async function getPythonInterpreter() {
     return "python3";
   throw new Error(`No Python ${pythonVersionRequired} interpreter found`);
 }
+async function setupMambalade() {
+  const venvDir = await createTmpDirectory("mambalade-venv");
+  logger.info("Creating Mambalade virtual environment");
+  const pythonInterpreter = await getPythonInterpreter();
+  await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
+  const mambaladeWheelsPath = join15(COANA_REPOS_PATH(), "mambalade", "dist");
+  const wheelFiles = await readdir3(mambaladeWheelsPath);
+  const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join15(mambaladeWheelsPath, f2));
+  if (!mambaladeWheels.length)
+    throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
+  logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
+  await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
+  logger.info("Mambalade virtual environment setup complete");
+  return venvDir;
+}
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/phantom-deps.js
 var { uniq: uniq8 } = import_lodash15.default;
@@ -97208,7 +97215,7 @@ var GoAnalyzer = class {
     const vulnerablePackages = uniq9(vulns.flatMap((v) => v.vulnerabilityAccessPaths.map((vap) => vap.split(":")[0])));
     const irrelevantPackages = new Set(await getIrrelevantPackages(this.projectDir, vulnerablePackages));
     const [unreachableVulns, otherVulns] = partition2(vulns, (v) => v.vulnerabilityAccessPaths.every((vap) => irrelevantPackages.has(vap.split(":")[0])));
-    const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, [GoanaHeuristics.DEFAULT], false, new GoCodeAwareVulnerabilityScanner(this.projectDir, this.state.reachabilityAnalysisOptions.timeoutInSeconds), analysisMetadataCollector, statusUpdater) : [];
+    const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, [GoanaHeuristics.DEFAULT], false, new GoCodeAwareVulnerabilityScanner(this.projectDir, this.state.reachabilityAnalysisOptions), analysisMetadataCollector, statusUpdater) : [];
     if (unreachableVulns.length) {
       const heuristicName = GoanaHeuristics.IMPORT_REACHABILITY.name;
       const detectedOccurrences = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli-with-sentry",
-  "version": "1.0.89",
+  "version": "1.0.91",
   "description": "CLI for Socket.dev, includes Sentry error handling, otherwise identical to the regular `socket` package",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT",
@@ -85,8 +85,8 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.3",
     "@biomejs/biome": "2.2.0",
-    "@coana-tech/cli": "14.11.10",
-    "@cyclonedx/cdxgen": "11.5.0",
+    "@coana-tech/cli": "14.11.13",
+    "@cyclonedx/cdxgen": "11.6.0",
     "@dotenvx/dotenvx": "1.48.4",
     "@eslint/compat": "1.3.2",
     "@eslint/js": "9.33.0",
@@ -126,7 +126,7 @@
     "@types/semver": "7.7.0",
     "@types/which": "3.0.4",
     "@types/yargs-parser": "21.0.3",
-    "@typescript-eslint/parser": "8.39.1",
+    "@typescript-eslint/parser": "8.40.0",
     "@typescript/native-preview": "7.0.0-dev.20250529.1",
     "@vitest/coverage-v8": "3.2.4",
     "blessed": "0.1.81",
@@ -159,18 +159,18 @@
     "npm-package-arg": "13.0.0",
     "npm-run-all2": "8.0.4",
     "open": "10.2.0",
-    "oxlint": "1.11.2",
+    "oxlint": "1.12.0",
     "pony-cause": "2.1.11",
     "registry-auth-token": "5.1.0",
     "registry-url": "7.2.0",
-    "rollup": "4.46.2",
+    "rollup": "4.46.3",
     "semver": "7.7.2",
     "synp": "1.9.14",
     "terminal-link": "2.1.1",
     "tiny-updater": "3.5.3",
     "trash": "9.0.0",
     "type-coverage": "2.29.7",
-    "typescript-eslint": "8.39.1",
+    "typescript-eslint": "8.40.0",
     "unplugin-purge-polyfills": "0.1.0",
     "vitest": "3.2.4",
     "which": "5.0.0",

package/translations.json

@@ -169,7 +169,7 @@
       "emoji": "🎈"
     },
     "gitDependency": {
-      "description": "Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.",
+      "description": "Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install.",
       "suggestion": "Publish the git dependency to npm or a private package repository and consume it from there.",
       "title": "Git dependency",
       "emoji": "🍣"
@@ -212,7 +212,7 @@
     },
     "highEntropyStrings": {
       "description": "Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code.",
-      "suggestion": "Please inspect these strings to check if these strings are benign. Maintainers should clarify the purpose and existence of high entropy strings if there is a legitimate purpose.",
+      "suggestion": "Please inspect these strings to check if they are benign. Maintainers should clarify the purpose and existence of high entropy strings if there is a legitimate purpose.",
       "title": "High entropy strings",
       "emoji": "⚠️"
     },
@@ -277,7 +277,7 @@
       "emoji": "⚠️"
     },
     "malware": {
-      "description": "This package is malware. We have asked the package registry to remove it.",
+      "description": "This package is identified as malware. It has been flagged either by Socket's AI scanner and confirmed by our threat research team, or is listed as malicious in security databases and other sources.",
       "title": "Known malware",
       "suggestion": "It is strongly recommended that malware is removed from your codebase.",
       "emoji": "☠️"
@@ -391,7 +391,7 @@
       "emoji": "⚠️"
     },
     "noV1": {
-      "description": "Package is not semver >=1. This means it is not stable and does not support ^ ranges.",
+      "description": "Package is not semver \u003E=1. This means it is not stable and does not support ^ ranges.",
       "suggestion": "If the package sees any general use, it should begin releasing at version 1.0.0 or later to benefit from semver.",
       "title": "No v1",
       "emoji": "⚠️"
@@ -488,7 +488,7 @@
     },
     "suspiciousString": {
       "description": "This package contains suspicious text patterns which are commonly associated with bad behavior.",
-      "suggestion": "The package code should be reviewed before installing",
+      "suggestion": "The package code should be reviewed before installing.",
       "title": "Suspicious strings",
       "emoji": "⚠️"
     },
@@ -560,7 +560,7 @@
     },
     "unstableOwnership": {
       "description": "A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.",
-      "suggestion": "Try to reduce the amount of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.",
+      "suggestion": "Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.",
       "title": "Unstable ownership",
       "emoji": "⚠️"
     },
@@ -571,8 +571,8 @@
       "emoji": "⚠️"
     },
     "urlStrings": {
-      "description": "Package contains fragments of external URLs or IP addresses, which may indicate that it covertly exfiltrates data.",
-      "suggestion": "Avoid using packages that make connections to the network, since this helps to leak data.",
+      "description": "Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.",
+      "suggestion": "Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.",
       "title": "URL strings",
       "emoji": "⚠️"
     },
@@ -587,6 +587,30 @@
       "suggestion": "Packages should remove unnecessary zero width unicode characters and use their visible counterparts.",
       "title": "Zero width unicode chars",
       "emoji": "⚠️"
+    },
+    "chromePermission": {
+      "description": "This Chrome extension uses the '{permission}' permission.",
+      "suggestion": "Does this extensions need these permissions? Read more about what they mean at https://developer.chrome.com/docs/extensions/reference/permissions-list",
+      "title": "Chrome Extension Permission",
+      "emoji": "⚠️"
+    },
+    "chromeHostPermission": {
+      "description": "This Chrome extension requests access to '{host}'.",
+      "suggestion": "Review the host permission request and ensure it's necessary for the extension's functionality. Consider if the extension could work with more restrictive host permissions.",
+      "title": "Chrome Extension Host Permission",
+      "emoji": "⚠️"
+    },
+    "chromeWildcardHostPermission": {
+      "description": "This Chrome extension requests broad access to websites with the pattern '{host}'.",
+      "suggestion": "Wildcard host permissions like '*://*/*' give the extension access to all websites. This is a significant security risk and should be carefully reviewed. Consider if the extension could work with more restrictive host permissions.",
+      "title": "Chrome Extension Wildcard Host Permission",
+      "emoji": "⚠️"
+    },
+    "chromeContentScript": {
+      "description": "This Chrome extension includes a content script '{scriptFile}' that runs on websites matching '{matches}'.",
+      "suggestion": "Content scripts can modify web pages and access page content. Review the content script code to understand what it does on the websites it targets.",
+      "title": "Chrome Extension Content Script",
+      "emoji": "⚠️"
     }
   }
 }