@socketsecurity/cli-with-sentry 1.0.98 → 1.0.100
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +99 -26
- package/dist/cli.js.map +1 -1
- package/dist/constants.js +3 -3
- package/dist/constants.js.map +1 -1
- package/dist/tsconfig.dts.tsbuildinfo +1 -1
- package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
- package/dist/types/commands/fix/pull-request.d.mts +22 -0
- package/dist/types/commands/fix/pull-request.d.mts.map +1 -1
- package/package.json +3 -3
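--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -3371,6 +3371,62 @@ async function cacheFetch(key, fetcher, ttlMs) {
 }
 return data;
 }
+async function fetchGhsaDetails(ids) {
+const results = new Map();
+if (!ids.length) {
+return results;
+}
+const octokitGraphql = getOctokitGraphql();
+try {
+const gqlCacheKey = `${ids.join('-')}-graphql-snapshot`;
+const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
+query($identifiers: [SecurityAdvisoryIdentifierFilter!]!) {
+securityAdvisories(first: ${ids.length}, identifiers: $identifiers) {
+nodes {
+ghsaId
+cveId
+summary
+severity
+publishedAt
+withdrawnAt
+references {
+url
+}
+vulnerabilities(first: 10) {
+nodes {
+package {
+ecosystem
+name
+}
+vulnerableVersionRange
+}
+}
+}
+}
+}`, {
+identifiers: ids.map(id => ({
+type: 'GHSA',
+value: id
+}))
+}));
+const advisories = gqlResp?.securityAdvisories?.nodes || [];
+for (const advisory of advisories) {
+if (advisory.ghsaId) {
+results.set(advisory.ghsaId, advisory);
+}
+}
+
+// Log any missing advisories
+for (const id of ids) {
+if (!results.has(id)) {
+require$$8.debugFn('notice', `No advisory found for ${id}`);
+}
+}
+} catch (e) {
+require$$8.debugFn('error', `Failed to fetch GHSA details: ${e?.message || 'Unknown error'}`);
+}
+return results;
+}
 async function cleanupPrs(owner, repo, options) {
 const contextualMatches = await getSocketPrsWithContext(owner, repo, options);
 if (!contextualMatches.length) {
@@ -3454,9 +3510,8 @@ async function enablePrAutoMerge({
 node_id: prId
 }) {
 const octokitGraphql = getOctokitGraphql();
-let error;
 try {
-const
+const gqlResp = await octokitGraphql(`
 mutation EnableAutoMerge($pullRequestId: ID!) {
 enablePullRequestAutoMerge(input: {
 pullRequestId: $pullRequestId,
@@ -3469,23 +3524,22 @@ async function enablePrAutoMerge({
 }`, {
 pullRequestId: prId
 });
-const respPrNumber =
+const respPrNumber = gqlResp?.enablePullRequestAutoMerge?.pullRequest?.number;
 if (respPrNumber) {
 return {
 enabled: true
 };
 }
 } catch (e) {
-
-
-
-
-
-
-
-
-
-};
+if (e instanceof vendor.GraphqlResponseError && Array.isArray(e.errors) && e.errors.length) {
+const details = e.errors.map(({
+message: m
+}) => m.trim());
+return {
+enabled: false,
+details
+};
+}
 }
 return {
 enabled: false
@@ -3654,7 +3708,8 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
 }
 async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
 const {
-baseBranch = 'main'
+baseBranch = 'main',
+ghsaDetails
 } = {
 __proto__: null,
 ...options
@@ -3664,9 +3719,23 @@ async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
 const prTitle = vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
 let prBody = '';
 if (vulnCount === 1) {
-
+const ghsaId = ghsaIds[0];
+const details = ghsaDetails?.get(ghsaId);
+prBody = `[Socket](https://socket.dev/) fix for [${ghsaId}](https://github.com/advisories/${ghsaId}).`;
+if (details) {
+const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
+prBody += ['', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
+}
 } else {
-prBody = `[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs
+prBody = [`[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
+const details = ghsaDetails?.get(id);
+const item = `- [${id}](https://github.com/advisories/${id})`;
+if (details) {
+const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
+return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
+}
+return item;
+})].join('\n');
 }
 try {
 const octokitPullsCreateParams = {
@@ -3869,6 +3938,9 @@ async function coanaFix(fixConfig) {
 }
 };
 }
+require$$8.debugFn('notice', `fetch: ${ids.length} GHSA details for ${arrays.joinAnd(ids)}`);
+const ghsaDetails = await fetchGhsaDetails(ids);
+require$$8.debugFn('notice', `found: ${ghsaDetails.size} GHSA details`);
 const scanBaseNames = new Set(scanFilepaths.map(p => path.basename(p)));
 let count = 0;
 let overallFixed = false;
@@ -3878,7 +3950,7 @@ async function coanaFix(fixConfig) {
 length
 } = ids; i < length; i += 1) {
 const id = ids[i];
-require$$8.debugFn('notice', `
+require$$8.debugFn('notice', `check: ${id}`);
 
 // Apply fix for single GHSA ID.
 // eslint-disable-next-line no-await-in-loop
@@ -3900,25 +3972,25 @@ async function coanaFix(fixConfig) {
 continue ghsaLoop;
 }
 overallFixed = true;
-
-// Create PR if in CI environment
+const branch = `socket/fix/${id}`;
 try {
-
-
-// Check if branch already exists
+// Check if branch already exists.
 // eslint-disable-next-line no-await-in-loop
 if (await utils.gitRemoteBranchExists(branch, cwd)) {
 require$$8.debugFn('notice', `skip: remote branch "${branch}" exists`);
 continue ghsaLoop;
 }
 require$$8.debugFn('notice', `pr: creating for ${id}`);
+const details = ghsaDetails.get(id);
+const summary = details?.summary;
+require$$8.debugFn('notice', `ghsa: ${id} details ${details ? 'found' : 'missing'}`);
 const pushed =
 // eslint-disable-next-line no-await-in-loop
 (await utils.gitCreateBranch(branch, cwd)) && (
 // eslint-disable-next-line no-await-in-loop
 await utils.gitCheckoutBranch(branch, cwd)) && (
 // eslint-disable-next-line no-await-in-loop
-await utils.gitCommit(`fix:
+await utils.gitCommit(`fix: ${id}${summary ? ` - ${summary}` : ''}`, modifiedFiles, {
 cwd,
 email: fixEnv.gitEmail,
 user: fixEnv.gitUser
@@ -3945,7 +4017,8 @@ async function coanaFix(fixConfig) {
 // Single GHSA ID.
 [id], {
 baseBranch: fixEnv.baseBranch,
-cwd
+cwd,
+ghsaDetails
 });
 if (prResponse) {
 const {
@@ -3988,7 +4061,7 @@ async function coanaFix(fixConfig) {
 await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
 }
 count += 1;
-require$$8.debugFn('notice', `
+require$$8.debugFn('notice', `increment: count ${count}/${Math.min(limit, ids.length)}`);
 if (count >= limit) {
 break ghsaLoop;
 }
@@ -15460,5 +15533,5 @@ void (async () => {
 await utils.captureException(e);
 }
 })();
-//# debugId=
+//# debugId=ae8893ee-c6c6-456e-8176-51ca01466ef5
 //# sourceMappingURL=cli.js.map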
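Review bot: The rewritten catch in enablePrAutoMerge (hunk `@@ -3469,23 +3524,22 @@`) now swallows every error that is not a GraphqlResponseError carrying a non-empty `errors` array: network, auth and rate-limit failures fall through to the trailing `return { enabled: false }` with no log line, so a caller cannot tell a GitHub-side refusal from a request that never completed, and the `let error` capture dropped in the preceding hunk is not replaced by anything. Inside the matching branch, `({ message: m }) => m.trim()` throws a TypeError from within the catch if an entry lacks a string `message`, and that exception escapes the function. I would normalize the message, `const details = e.errors.map(err => String(err?.message ?? '').trim());`, and log the fall-through case before the catch's closing brace with `require$$8.debugFn('error', ...)` in the same form as the `Failed to fetch GHSA details` line in fetchGhsaDetails, so the two GraphQL call sites report failures consistently. enablePrAutoMerge starts before this hunk and its final return continues past it.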