@socketsecurity/cli-with-sentry 1.0.98 → 1.0.99
- package/dist/cli.js +95 -26
- package/dist/cli.js.map +1 -1
- package/dist/constants.js +3 -3
- package/dist/constants.js.map +1 -1
- package/dist/tsconfig.dts.tsbuildinfo +1 -1
- package/dist/types/commands/fix/coana-fix.d.mts.map +1 -1
- package/dist/types/commands/fix/pull-request.d.mts +22 -0
- package/dist/types/commands/fix/pull-request.d.mts.map +1 -1
- package/package.json +3 -3
package/dist/cli.js
CHANGED
|
@@ -3371,6 +3371,62 @@ async function cacheFetch(key, fetcher, ttlMs) {
|
|
|
3371
3371
|
}
|
|
3372
3372
|
return data;
|
|
3373
3373
|
}
|
|
3374
|
+
async function fetchGhsaDetails(ids) {
|
|
3375
|
+
const results = new Map();
|
|
3376
|
+
if (!ids.length) {
|
|
3377
|
+
return results;
|
|
3378
|
+
}
|
|
3379
|
+
const octokitGraphql = getOctokitGraphql();
|
|
3380
|
+
try {
|
|
3381
|
+
const gqlCacheKey = `${ids.join('-')}-graphql-snapshot`;
|
|
3382
|
+
const gqlResp = await cacheFetch(gqlCacheKey, () => octokitGraphql(`
|
|
3383
|
+
query($identifiers: [SecurityAdvisoryIdentifierFilter!]!) {
|
|
3384
|
+
securityAdvisories(first: ${ids.length}, identifiers: $identifiers) {
|
|
3385
|
+
nodes {
|
|
3386
|
+
ghsaId
|
|
3387
|
+
cveId
|
|
3388
|
+
summary
|
|
3389
|
+
severity
|
|
3390
|
+
publishedAt
|
|
3391
|
+
withdrawnAt
|
|
3392
|
+
references {
|
|
3393
|
+
url
|
|
3394
|
+
}
|
|
3395
|
+
vulnerabilities(first: 10) {
|
|
3396
|
+
nodes {
|
|
3397
|
+
package {
|
|
3398
|
+
ecosystem
|
|
3399
|
+
name
|
|
3400
|
+
}
|
|
3401
|
+
vulnerableVersionRange
|
|
3402
|
+
}
|
|
3403
|
+
}
|
|
3404
|
+
}
|
|
3405
|
+
}
|
|
3406
|
+
}`, {
|
|
3407
|
+
identifiers: ids.map(id => ({
|
|
3408
|
+
type: 'GHSA',
|
|
3409
|
+
value: id
|
|
3410
|
+
}))
|
|
3411
|
+
}));
|
|
3412
|
+
const advisories = gqlResp?.securityAdvisories?.nodes || [];
|
|
3413
|
+
for (const advisory of advisories) {
|
|
3414
|
+
if (advisory.ghsaId) {
|
|
3415
|
+
results.set(advisory.ghsaId, advisory);
|
|
3416
|
+
}
|
|
3417
|
+
}
|
|
3418
|
+
|
|
3419
|
+
// Log any missing advisories
|
|
3420
|
+
for (const id of ids) {
|
|
3421
|
+
if (!results.has(id)) {
|
|
3422
|
+
require$$8.debugFn('notice', `No advisory found for ${id}`);
|
|
3423
|
+
}
|
|
3424
|
+
}
|
|
3425
|
+
} catch (e) {
|
|
3426
|
+
require$$8.debugFn('error', `Failed to fetch GHSA details: ${e?.message || 'Unknown error'}`);
|
|
3427
|
+
}
|
|
3428
|
+
return results;
|
|
3429
|
+
}
|
|
3374
3430
|
async function cleanupPrs(owner, repo, options) {
|
|
3375
3431
|
const contextualMatches = await getSocketPrsWithContext(owner, repo, options);
|
|
3376
3432
|
if (!contextualMatches.length) {
|
|
@@ -3454,9 +3510,8 @@ async function enablePrAutoMerge({
|
|
|
3454
3510
|
node_id: prId
|
|
3455
3511
|
}) {
|
|
3456
3512
|
const octokitGraphql = getOctokitGraphql();
|
|
3457
|
-
let error;
|
|
3458
3513
|
try {
|
|
3459
|
-
const
|
|
3514
|
+
const gqlResp = await octokitGraphql(`
|
|
3460
3515
|
mutation EnableAutoMerge($pullRequestId: ID!) {
|
|
3461
3516
|
enablePullRequestAutoMerge(input: {
|
|
3462
3517
|
pullRequestId: $pullRequestId,
|
|
@@ -3469,23 +3524,22 @@ async function enablePrAutoMerge({
|
|
|
3469
3524
|
}`, {
|
|
3470
3525
|
pullRequestId: prId
|
|
3471
3526
|
});
|
|
3472
|
-
const respPrNumber =
|
|
3527
|
+
const respPrNumber = gqlResp?.enablePullRequestAutoMerge?.pullRequest?.number;
|
|
3473
3528
|
if (respPrNumber) {
|
|
3474
3529
|
return {
|
|
3475
3530
|
enabled: true
|
|
3476
3531
|
};
|
|
3477
3532
|
}
|
|
3478
3533
|
} catch (e) {
|
|
3479
|
-
|
|
3480
|
-
|
|
3481
|
-
|
|
3482
|
-
|
|
3483
|
-
|
|
3484
|
-
|
|
3485
|
-
|
|
3486
|
-
|
|
3487
|
-
|
|
3488
|
-
};
|
|
3534
|
+
if (e instanceof vendor.GraphqlResponseError && Array.isArray(e.errors) && e.errors.length) {
|
|
3535
|
+
const details = e.errors.map(({
|
|
3536
|
+
message: m
|
|
3537
|
+
}) => m.trim());
|
|
3538
|
+
return {
|
|
3539
|
+
enabled: false,
|
|
3540
|
+
details
|
|
3541
|
+
};
|
|
3542
|
+
}
|
|
3489
3543
|
}
|
|
3490
3544
|
return {
|
|
3491
3545
|
enabled: false
|
|
@@ -3654,7 +3708,8 @@ async function openPr(owner, repo, branch, purl, newVersion, options) {
|
|
|
3654
3708
|
}
|
|
3655
3709
|
async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
|
|
3656
3710
|
const {
|
|
3657
|
-
baseBranch = 'main'
|
|
3711
|
+
baseBranch = 'main',
|
|
3712
|
+
ghsaDetails
|
|
3658
3713
|
} = {
|
|
3659
3714
|
__proto__: null,
|
|
3660
3715
|
...options
|
|
@@ -3664,9 +3719,23 @@ async function openCoanaPr(owner, repo, branch, ghsaIds, options) {
|
|
|
3664
3719
|
const prTitle = vulnCount === 1 ? `Fix for ${ghsaIds[0]}` : `Fixes for ${vulnCount} GHSAs`;
|
|
3665
3720
|
let prBody = '';
|
|
3666
3721
|
if (vulnCount === 1) {
|
|
3667
|
-
|
|
3722
|
+
const ghsaId = ghsaIds[0];
|
|
3723
|
+
const details = ghsaDetails?.get(ghsaId);
|
|
3724
|
+
prBody = `[Socket](https://socket.dev/) fix for [${ghsaId}](https://github.com/advisories/${ghsaId}).`;
|
|
3725
|
+
if (details) {
|
|
3726
|
+
const packages = details.vulnerabilities.nodes.map(v => `${v.package.name} (${v.package.ecosystem})`);
|
|
3727
|
+
prBody += ['', '', `**Vulnerability Summary:** ${details.summary}`, '', `**Severity:** ${details.severity}`, '', `**Affected Packages:** ${arrays.joinAnd(packages)}`].join('\n');
|
|
3728
|
+
}
|
|
3668
3729
|
} else {
|
|
3669
|
-
prBody = `[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs
|
|
3730
|
+
prBody = [`[Socket](https://socket.dev/) fixes for ${vulnCount} GHSAs.`, '', '**Fixed Vulnerabilities:**', ...ghsaIds.map(id => {
|
|
3731
|
+
const details = ghsaDetails?.get(id);
|
|
3732
|
+
const item = `- [${id}](https://github.com/advisories/${id})`;
|
|
3733
|
+
if (details) {
|
|
3734
|
+
const packages = details.vulnerabilities.nodes.map(v => `${v.package.name}`);
|
|
3735
|
+
return `${item} - ${details.summary} (${arrays.joinAnd(packages)})`;
|
|
3736
|
+
}
|
|
3737
|
+
return item;
|
|
3738
|
+
})].join('\n');
|
|
3670
3739
|
}
|
|
3671
3740
|
try {
|
|
3672
3741
|
const octokitPullsCreateParams = {
|
|
@@ -3869,6 +3938,7 @@ async function coanaFix(fixConfig) {
|
|
|
3869
3938
|
}
|
|
3870
3939
|
};
|
|
3871
3940
|
}
|
|
3941
|
+
const ghsaDetails = await fetchGhsaDetails(ids);
|
|
3872
3942
|
const scanBaseNames = new Set(scanFilepaths.map(p => path.basename(p)));
|
|
3873
3943
|
let count = 0;
|
|
3874
3944
|
let overallFixed = false;
|
|
@@ -3878,7 +3948,7 @@ async function coanaFix(fixConfig) {
|
|
|
3878
3948
|
length
|
|
3879
3949
|
} = ids; i < length; i += 1) {
|
|
3880
3950
|
const id = ids[i];
|
|
3881
|
-
require$$8.debugFn('notice', `
|
|
3951
|
+
require$$8.debugFn('notice', `check: ${id}`);
|
|
3882
3952
|
|
|
3883
3953
|
// Apply fix for single GHSA ID.
|
|
3884
3954
|
// eslint-disable-next-line no-await-in-loop
|
|
@@ -3900,25 +3970,23 @@ async function coanaFix(fixConfig) {
|
|
|
3900
3970
|
continue ghsaLoop;
|
|
3901
3971
|
}
|
|
3902
3972
|
overallFixed = true;
|
|
3903
|
-
|
|
3904
|
-
// Create PR if in CI environment
|
|
3973
|
+
const branch = `socket/fix/${id}`;
|
|
3905
3974
|
try {
|
|
3906
|
-
|
|
3907
|
-
|
|
3908
|
-
// Check if branch already exists
|
|
3975
|
+
// Check if branch already exists.
|
|
3909
3976
|
// eslint-disable-next-line no-await-in-loop
|
|
3910
3977
|
if (await utils.gitRemoteBranchExists(branch, cwd)) {
|
|
3911
3978
|
require$$8.debugFn('notice', `skip: remote branch "${branch}" exists`);
|
|
3912
3979
|
continue ghsaLoop;
|
|
3913
3980
|
}
|
|
3914
3981
|
require$$8.debugFn('notice', `pr: creating for ${id}`);
|
|
3982
|
+
const summary = ghsaDetails.get(id)?.summary;
|
|
3915
3983
|
const pushed =
|
|
3916
3984
|
// eslint-disable-next-line no-await-in-loop
|
|
3917
3985
|
(await utils.gitCreateBranch(branch, cwd)) && (
|
|
3918
3986
|
// eslint-disable-next-line no-await-in-loop
|
|
3919
3987
|
await utils.gitCheckoutBranch(branch, cwd)) && (
|
|
3920
3988
|
// eslint-disable-next-line no-await-in-loop
|
|
3921
|
-
await utils.gitCommit(`fix:
|
|
3989
|
+
await utils.gitCommit(`fix: ${id}${summary ? ` - ${summary}` : ''}`, modifiedFiles, {
|
|
3922
3990
|
cwd,
|
|
3923
3991
|
email: fixEnv.gitEmail,
|
|
3924
3992
|
user: fixEnv.gitUser
|
|
@@ -3945,7 +4013,8 @@ async function coanaFix(fixConfig) {
|
|
|
3945
4013
|
// Single GHSA ID.
|
|
3946
4014
|
[id], {
|
|
3947
4015
|
baseBranch: fixEnv.baseBranch,
|
|
3948
|
-
cwd
|
|
4016
|
+
cwd,
|
|
4017
|
+
ghsaDetails
|
|
3949
4018
|
});
|
|
3950
4019
|
if (prResponse) {
|
|
3951
4020
|
const {
|
|
@@ -3988,7 +4057,7 @@ async function coanaFix(fixConfig) {
|
|
|
3988
4057
|
await utils.gitCheckoutBranch(fixEnv.baseBranch, cwd);
|
|
3989
4058
|
}
|
|
3990
4059
|
count += 1;
|
|
3991
|
-
require$$8.debugFn('notice', `
|
|
4060
|
+
require$$8.debugFn('notice', `increment: count ${count}/${Math.min(limit, ids.length)}`);
|
|
3992
4061
|
if (count >= limit) {
|
|
3993
4062
|
break ghsaLoop;
|
|
3994
4063
|
}
|
|
@@ -15460,5 +15529,5 @@ void (async () => {
|
|
|
15460
15529
|
await utils.captureException(e);
|
|
15461
15530
|
}
|
|
15462
15531
|
})();
|
|
15463
|
-
//# debugId=
|
|
15532
|
+
//# debugId=dc11ece4-8083-4322-9e08-9883c0bc7831
|
|
15464
15533
|
//# sourceMappingURL=cli.js.map
|
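Review bot: `fetchGhsaDetails` asks GitHub for `withdrawnAt` but `results.set(advisory.ghsaId, advisory)` stores every returned advisory regardless, so a withdrawn GHSA flows unchanged into the PR body built in `openCoanaPr` and into the `fix: ${id} - ${summary}` commit message in the later hunks as if it were a live vulnerability. I would gate the insert, `if (advisory.ghsaId && !advisory.withdrawnAt) { results.set(advisory.ghsaId, advisory); }`, or at least emit a notice for the withdrawn case next to the existing "No advisory found" debug line. Two smaller points in the same function: `vulnerabilities(first: 10)` silently caps the "Affected Packages" list at ten entries, and `securityAdvisories(first: ${ids.length}, …)` will presumably be rejected by the API once a batch exceeds its page-size limit, at which point the whole call lands in the catch and returns an empty map that callers cannot distinguish from "no details available". A one-line comment on that catch, `// Best-effort: details only enrich PR/commit text, so a failure degrades the body rather than the fix.`, would make the trade-off explicit for the next reader.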