npm - @socketsecurity/cli-with-sentry - Versions diffs - 1.1.101 → 1.1.102 - Mend

@socketsecurity/cli-with-sentry 1.1.101 → 1.1.102

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/CHANGELOG.md +8 -2
package/dist/cli.js +267 -40
package/dist/cli.js.map +1 -1
package/dist/constants.js +7 -3
package/dist/constants.js.map +1 -1
package/dist/socket-facts.init.gradle +353 -0
package/dist/tsconfig.dts.tsbuildinfo +1 -1
package/dist/types/commands/manifest/cmd-manifest-gradle.d.mts.map +1 -1
package/dist/types/commands/manifest/cmd-manifest-kotlin.d.mts.map +1 -1
package/dist/types/commands/manifest/convert-gradle-to-facts.d.mts +7 -0
package/dist/types/commands/manifest/convert-gradle-to-facts.d.mts.map +1 -0
package/dist/types/commands/manifest/convert_gradle_to_maven.d.mts.map +1 -1
package/dist/types/commands/manifest/generate_auto_manifest.d.mts.map +1 -1
package/dist/types/commands/scan/handle-create-new-scan.d.mts.map +1 -1
package/dist/types/commands/scan/perform-reachability-analysis.d.mts.map +1 -1
package/dist/types/constants.d.mts +4 -0
package/dist/types/constants.d.mts.map +1 -1
package/dist/types/utils/dlx.d.mts.map +1 -1
package/dist/types/utils/socket-json.d.mts +1 -0
package/dist/types/utils/socket-json.d.mts.map +1 -1
package/dist/utils.js.map +1 -1
package/package.json +1 -2

package/CHANGELOG.md CHANGED Viewed

@@ -5,11 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ## [Unreleased]
-### Added
 - **`socket manifest bazel [beta]`** — Generate Bazel JVM SBOM manifests by running `bazel query` against discovered Maven repos in a Bazel workspace. Closes the inline-Maven-declaration gap that lockfile-only parsing misses for repos like envoy, ray, tensorflow, tink-java, and or-tools. Auto-detects Bzlmod and legacy `WORKSPACE`.
 - **`socket scan create --auto-manifest`** now covers Bazel workspaces in addition to Gradle/Scala/Kotlin/Conda. Repos with `MODULE.bazel`, `WORKSPACE`, or `WORKSPACE.bazel` are detected automatically and their Maven dependencies extracted as part of the standard scan-create flow.
+## [1.1.98](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.98) - 2026-05-22
+### Added
+- **`socket manifest gradle --facts [beta]`** (and its `socket manifest kotlin --facts` alias) — Emit a `.socket.facts.json` dependency graph from a Gradle build, consumable by `socket scan create --reach` as pregenerated SBOM input for Tier 1 reachability. Toggle also exposed via the `socket manifest setup` wizard for use with `--auto-manifest`.
+### Changed
+- Updated the Coana CLI to v `15.3.8`.
 ## [1.1.101](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.101) - 2026-05-22
 ### Changed

package/dist/cli.js CHANGED Viewed

@@ -1763,14 +1763,16 @@ async function performReachabilityAnalysis(options) {
       return sockSdkCResult;
     }
     const sockSdk = sockSdkCResult.data;
-    // Exclude any .socket.facts.json files that happen to be in the scan
-    // folder before the analysis was run.
-    const filepathsToUpload = packagePaths.filter(p => path.basename(p).toLowerCase() !== constants.default.DOT_SOCKET_DOT_FACTS_JSON);
     spinner?.start('Uploading manifests for reachability analysis...');
     // Ensure uploaded manifest files are relative to analysis target as coana resolves SBOM manifest files relative to this path
-    const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, filepathsToUpload, path.resolve(cwd, analysisTarget)), {
+    // NOTE: previously stripped any `.socket.facts.json` from packagePaths
+    // here to avoid uploading leftover post-reachability output. With the
+    // producer flow (`socket manifest gradle --facts`) those files are
+    // legitimate INPUT to compute-artifacts, so we now upload them. Stale
+    // facts files are cleaned up downstream — see the post-success
+    // deletion in handle-create-new-scan.mts.
+    const uploadCResult = await utils.handleApiCall(sockSdk.uploadManifestFiles(orgSlug, packagePaths, path.resolve(cwd, analysisTarget)), {
       description: 'upload manifests',
       spinner
     });
@@ -3057,6 +3059,130 @@ async function extractBazelToMaven(opts) {
   }
 }
+async function convertGradleToFacts({
+  bin,
+  cwd,
+  gradleOpts,
+  verbose
+}) {
+  const rBin = path.resolve(cwd, bin);
+  const binExists = fs$1.existsSync(rBin);
+  const cwdExists = fs$1.existsSync(cwd);
+  logger.logger.group('gradle2facts:');
+  logger.logger.info(`- executing: \`${rBin}\``);
+  if (!binExists) {
+    logger.logger.warn(`Warning: It appears the executable could not be found. An error might be printed later because of that.`);
+  }
+  logger.logger.info(`- src dir: \`${cwd}\``);
+  if (!cwdExists) {
+    logger.logger.warn(`Warning: It appears the src dir could not be found. An error might be printed later because of that.`);
+  }
+  logger.logger.groupEnd();
+  try {
+    // The init script is bundled alongside the existing pom-generating one.
+    // See .config/rollup.dist.config.mjs:copySocketFactsInitGradle.
+    const initLocation = path.join(constants.default.distPath, 'socket-facts.init.gradle');
+    const commandArgs = ['--init-script', initLocation, ...gradleOpts, 'socketFacts'];
+    if (verbose) {
+      logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
+    }
+    logger.logger.log(`Generating Socket facts from \`${bin}\` on \`${cwd}\` ...`);
+    const output = await execGradle$1(rBin, commandArgs, cwd, verbose);
+    if (output.code) {
+      process.exitCode = 1;
+      logger.logger.fail(`Gradle exited with exit code ${output.code}`);
+      if (!verbose) {
+        logger.logger.group('stderr:');
+        logger.logger.error(output.stderr);
+        logger.logger.groupEnd();
+      }
+      return;
+    }
+    logger.logger.success('Executed gradle successfully');
+    if (verbose) {
+      // Output already streamed; the "Reported exports:" summary lines were
+      // visible inline. No need to repeat them from a captured stdout.
+      logger.logger.log('');
+      logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
+      return;
+    }
+    const exports = Array.from(output.stdout.matchAll(/^Socket facts file written to: (.*)/gm), m => m[1]);
+    if (exports.length) {
+      logger.logger.log('Reported exports:');
+      for (const fn of exports) {
+        logger.logger.log('- ', fn);
+      }
+    } else {
+      // Gradle script may have skipped emission when no resolvable
+      // dependencies were found (see the `components.isEmpty()` branch in
+      // socket-facts.init.gradle). Surface the skip reason if present so
+      // the user understands why nothing was written.
+      const skipMatch = output.stdout.match(/^\[socket-facts\] no resolvable dependencies.*/m);
+      if (skipMatch) {
+        logger.logger.warn(skipMatch[0]);
+      }
+    }
+    logger.logger.log('');
+    logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory.');
+  } catch (e) {
+    process.exitCode = 1;
+    logger.logger.fail('There was an unexpected error while generating Socket facts' + (verbose ? '' : '  (use --verbose for details)'));
+    if (verbose) {
+      logger.logger.group('[VERBOSE] error:');
+      logger.logger.log(e);
+      logger.logger.groupEnd();
+    }
+  }
+}
+async function execGradle$1(bin, commandArgs, cwd, verbose) {
+  // When verbose, stream gradle stdout/stderr directly to the user's
+  // terminal — no spinner, no capture. The trade-off is that the post-run
+  // "Reported exports:" summary is skipped (the lines were already visible
+  // inline). For huge builds where the user wants to see progress, this is
+  // the right default. Non-verbose runs still get the spinner + summary.
+  if (verbose) {
+    logger.logger.info('(Running gradle with output streaming. This can take a while.)');
+    const output = await spawn.spawn(bin, commandArgs, {
+      cwd,
+      stdio: 'inherit'
+    });
+    return {
+      code: output.code,
+      stdout: '',
+      stderr: ''
+    };
+  }
+  const {
+    spinner
+  } = constants.default;
+  let pass = false;
+  try {
+    logger.logger.info('(Running gradle can take a while, depending on the size of the project)');
+    logger.logger.info('(No live output. Pass --verbose to stream gradle output instead.)');
+    spinner.start(`Running gradlew...`);
+    const output = await spawn.spawn(bin, commandArgs, {
+      cwd
+    });
+    pass = true;
+    const {
+      code,
+      stderr,
+      stdout
+    } = output;
+    return {
+      code,
+      stdout,
+      stderr
+    };
+  } finally {
+    if (pass) {
+      spinner.successAndStop('Gracefully completed gradlew execution.');
+    } else {
+      spinner.failAndStop('There was an error while trying to run gradlew.');
+    }
+  }
+}
 async function convertGradleToMaven({
   bin,
   cwd,
@@ -3093,16 +3219,10 @@ async function convertGradleToMaven({
       logger.logger.log('[VERBOSE] Executing:', [bin], ', args:', commandArgs);
     }
     logger.logger.log(`Converting gradle to maven from \`${bin}\` on \`${cwd}\` ...`);
-    const output = await execGradleWithSpinner(rBin, commandArgs, cwd);
-    if (verbose) {
-      logger.logger.group('[VERBOSE] gradle stdout:');
-      logger.logger.log(output);
-      logger.logger.groupEnd();
-    }
+    const output = await execGradle(rBin, commandArgs, cwd, verbose);
     if (output.code) {
       process.exitCode = 1;
       logger.logger.fail(`Gradle exited with exit code ${output.code}`);
-      // (In verbose mode, stderr was printed above, no need to repeat it)
       if (!verbose) {
         logger.logger.group('stderr:');
         logger.logger.error(output.stderr);
@@ -3111,6 +3231,13 @@ async function convertGradleToMaven({
       return;
     }
     logger.logger.success('Executed gradle successfully');
+    if (verbose) {
+      // Output already streamed; "POM file copied to:" lines were visible
+      // inline. Skip the captured-stdout summary.
+      logger.logger.log('');
+      logger.logger.log('Next step is to generate a Scan by running the `socket scan create` command on the same directory');
+      return;
+    }
     logger.logger.log('Reported exports:');
     output.stdout.replace(/^POM file copied to: (.*)/gm, (_all, fn) => {
       logger.logger.log('- ', fn);
@@ -3128,20 +3255,32 @@ async function convertGradleToMaven({
     }
   }
 }
-async function execGradleWithSpinner(bin, commandArgs, cwd) {
+async function execGradle(bin, commandArgs, cwd, verbose) {
+  // When verbose, stream gradle stdout/stderr directly to the user's
+  // terminal — no spinner, no capture. The trade-off is that the post-run
+  // "Reported exports:" summary is skipped (the lines were already visible
+  // inline). Non-verbose runs still get the spinner + summary.
+  if (verbose) {
+    logger.logger.info('(Running gradle with output streaming. This can take a while.)');
+    const output = await spawn.spawn(bin, commandArgs, {
+      cwd,
+      stdio: 'inherit'
+    });
+    return {
+      code: output.code,
+      stdout: '',
+      stderr: ''
+    };
+  }
   const {
     spinner
   } = constants.default;
   let pass = false;
   try {
-    logger.logger.info('(Running gradle can take a while, it depends on how long gradlew has to run)');
-    logger.logger.info('(It will show no output, you can use --verbose to see its output)');
+    logger.logger.info('(Running gradle can take a while, depending on the size of the project)');
+    logger.logger.info('(No live output. Pass --verbose to stream gradle output instead.)');
     spinner.start(`Running gradlew...`);
     const output = await spawn.spawn(bin, commandArgs, {
-      // We can pipe the output through to have the user see the result
-      // of running gradlew, but then we can't (easily) gather the output
-      // to discover the generated files... probably a flag we should allow?
-      // stdio: isDebug() ? 'inherit' : undefined,
       cwd
     });
     pass = true;
@@ -3512,8 +3651,7 @@ async function generateAutoManifest({
     });
   }
   if (!sockJson?.defaults?.manifest?.gradle?.disabled && detected.gradle) {
-    logger.logger.log('Detected a gradle build (Gradle, Kotlin, Scala), running default gradle generator...');
-    await convertGradleToMaven({
+    const gradleArgs = {
       // Note: `gradlew` is more likely to be resolved against cwd.
       // Note: .resolve() won't butcher an absolute path.
       // TODO: `gradlew` (or anything else given) may want to resolve against PATH.
@@ -3521,7 +3659,14 @@ async function generateAutoManifest({
       cwd,
       verbose: Boolean(sockJson.defaults?.manifest?.gradle?.verbose),
       gradleOpts: sockJson.defaults?.manifest?.gradle?.gradleOpts?.split(' ').map(s => s.trim()).filter(Boolean) ?? []
-    });
+    };
+    if (sockJson.defaults?.manifest?.gradle?.facts) {
+      logger.logger.log('Detected a gradle build (Gradle, Kotlin, Scala), generating Socket facts...');
+      await convertGradleToFacts(gradleArgs);
+    } else {
+      logger.logger.log('Detected a gradle build (Gradle, Kotlin, Scala), running default gradle generator...');
+      await convertGradleToMaven(gradleArgs);
+    }
   }
   if (!sockJson?.defaults?.manifest?.conda?.disabled && detected.conda) {
     logger.logger.log('Detected an environment.yml file, running default Conda generator...');
@@ -3575,19 +3720,11 @@ function getCdxSpdxPatterns(supportedFiles) {
   }
   return patterns;
 }
-function filterToCdxSpdxAndFactsFiles(filepaths, supportedFiles) {
+function filterToCdxSpdxOnly(filepaths, supportedFiles) {
   const patterns = getCdxSpdxPatterns(supportedFiles);
-  return filepaths.filter(filepath => {
-    const basename = path.basename(filepath).toLowerCase();
-    // Include .socket.facts.json files.
-    if (basename === constants.default.DOT_SOCKET_DOT_FACTS_JSON) {
-      return true;
-    }
-    // Include CDX and SPDX files.
-    return vendor.micromatchExports.some(filepath, patterns, {
-      nocase: true
-    });
-  });
+  return filepaths.filter(filepath => vendor.micromatchExports.some(filepath, patterns, {
+    nocase: true
+  }));
 }
 async function handleCreateNewScan({
   autoManifest,
@@ -3706,6 +3843,7 @@ async function handleCreateNewScan({
   }
   let scanPaths = packagePaths;
   let tier1ReachabilityScanId;
+  let reachabilityReport;
   // If reachability is enabled, perform reachability analysis.
   if (reach.runReachabilityAnalysis) {
@@ -3735,14 +3873,14 @@ async function handleCreateNewScan({
       return;
     }
     logger.logger.success('Reachability analysis completed successfully');
-    const reachabilityReport = reachResult.data?.reachabilityReport;
+    reachabilityReport = reachResult.data?.reachabilityReport;
     // Ensure the .socket.facts.json isn't duplicated in case it happened
     // to be in the scan folder before the analysis was run.
-    const filteredPackagePaths = packagePaths.filter(p => path.basename(p).toLowerCase() !== constants.default.DOT_SOCKET_DOT_FACTS_JSON);
+    const filteredPackagePaths = packagePaths.filter(p => path.basename(p) !== constants.default.DOT_SOCKET_DOT_FACTS_JSON);
     // When using pregenerated SBOMs only, filter to CDX/SPDX files.
-    const pathsForScan = reach.reachUseOnlyPregeneratedSboms ? filterToCdxSpdxAndFactsFiles(filteredPackagePaths, supportedFiles) : filteredPackagePaths;
+    const pathsForScan = reach.reachUseOnlyPregeneratedSboms ? filterToCdxSpdxOnly(filteredPackagePaths, supportedFiles) : filteredPackagePaths;
     scanPaths = [...pathsForScan, ...(reachabilityReport ? [reachabilityReport] : [])];
     tier1ReachabilityScanId = reachResult.data?.tier1ReachabilityScanId;
   }
@@ -3778,6 +3916,22 @@ async function handleCreateNewScan({
   if (reach && scanId && tier1ReachabilityScanId) {
     await finalizeTier1Scan(tier1ReachabilityScanId, scanId);
   }
+  // On a successful scan, clean up the `.socket.facts.json` coana wrote at
+  // the path we instructed it to write to (via `--socket-mode`). Failed
+  // scans leave the file in place for debugging. Producer-written files
+  // (e.g. from `socket manifest gradle --facts`) are NOT touched here —
+  // those are user-owned input that the user can clean up themselves; in
+  // the --reach path coana overwrites that file with its enriched output
+  // anyway, so it's the same path that gets removed.
+  if (fullScanCResult.ok && scanId && reachabilityReport) {
+    try {
+      await fs.unlink(path.resolve(cwd, reachabilityReport));
+      require$$9.debugFn('notice', `[socket-facts] removed coana output after successful scan: ${reachabilityReport}`);
+    } catch {
+      // Best-effort — file may already be gone or unwritable.
+    }
+  }
   if (report && fullScanCResult.ok) {
     if (scanId) {
       await handleScanReport({
@@ -7583,6 +7737,10 @@ const config$b = {
       type: 'string',
       description: 'Location of gradlew binary to use, default: CWD/gradlew'
     },
+    facts: {
+      type: 'boolean',
+      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
+    },
     gradleOpts: {
       type: 'string',
       description: 'Additional options to pass on to ./gradlew, see `./gradlew --help`'
@@ -7655,6 +7813,7 @@ async function run$C(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
+    facts,
     gradleOpts,
     verbose
   } = cli.flags;
@@ -7684,6 +7843,14 @@ async function run$C(argv, importMeta, {
       verbose = false;
     }
   }
+  if (facts === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.facts !== undefined) {
+      facts = sockJson.defaults?.manifest?.gradle?.facts;
+      logger.logger.info(`Using default --facts from ${constants.SOCKET_JSON}:`, facts);
+    } else {
+      facts = false;
+    }
+  }
   if (verbose) {
     logger.logger.group('- ', parentName, config$b.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
@@ -7715,10 +7882,20 @@ async function run$C(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
+  const parsedGradleOpts = String(gradleOpts || '').split(' ').map(s => s.trim()).filter(Boolean);
+  if (facts) {
+    await convertGradleToFacts({
+      bin: String(bin),
+      cwd,
+      gradleOpts: parsedGradleOpts,
+      verbose: Boolean(verbose)
+    });
+    return;
+  }
   await convertGradleToMaven({
     bin: String(bin),
     cwd,
-    gradleOpts: String(gradleOpts || '').split(' ').map(s => s.trim()).filter(Boolean),
+    gradleOpts: parsedGradleOpts,
     verbose: Boolean(verbose)
   });
 }
@@ -7738,6 +7915,10 @@ const config$a = {
       type: 'string',
       description: 'Location of gradlew binary to use, default: CWD/gradlew'
     },
+    facts: {
+      type: 'boolean',
+      description: 'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files'
+    },
     gradleOpts: {
       type: 'string',
       description: 'Additional options to pass on to ./gradlew, see `./gradlew --help`'
@@ -7810,6 +7991,7 @@ async function run$B(argv, importMeta, {
   require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} gradle`, sockJson?.defaults?.manifest?.gradle);
   let {
     bin,
+    facts,
     gradleOpts,
     verbose
   } = cli.flags;
@@ -7839,6 +8021,14 @@ async function run$B(argv, importMeta, {
       verbose = false;
     }
   }
+  if (facts === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.facts !== undefined) {
+      facts = sockJson.defaults?.manifest?.gradle?.facts;
+      logger.logger.info(`Using default --facts from ${constants.SOCKET_JSON}:`, facts);
+    } else {
+      facts = false;
+    }
+  }
   if (verbose) {
     logger.logger.group('- ', parentName, config$a.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
@@ -7870,10 +8060,20 @@ async function run$B(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
+  const parsedGradleOpts = String(gradleOpts || '').split(' ').map(s => s.trim()).filter(Boolean);
+  if (facts) {
+    await convertGradleToFacts({
+      bin: String(bin),
+      cwd,
+      gradleOpts: parsedGradleOpts,
+      verbose: Boolean(verbose)
+    });
+    return;
+  }
   await convertGradleToMaven({
     bin: String(bin),
     cwd,
-    gradleOpts: String(gradleOpts || '').split(' ').map(s => s.trim()).filter(Boolean),
+    gradleOpts: parsedGradleOpts,
     verbose: Boolean(verbose)
   });
 }
@@ -8291,6 +8491,14 @@ async function setupGradle(config) {
   } else {
     delete config.gradleOpts;
   }
+  const facts = await askForFactsFlag(config.facts);
+  if (facts === undefined) {
+    return canceledByUser$1();
+  } else if (facts === 'yes' || facts === 'no') {
+    config.facts = facts === 'yes';
+  } else {
+    delete config.facts;
+  }
   const verbose = await askForVerboseFlag(config.verbose);
   if (verbose === undefined) {
     return canceledByUser$1();
@@ -8439,6 +8647,25 @@ async function askForVerboseFlag(current) {
     default: current === true ? 'yes' : current === false ? 'no' : ''
   });
 }
+async function askForFactsFlag(current) {
+  return await prompts.select({
+    message: '(--facts) Emit a Socket facts JSON file instead of generating pom.xml?',
+    choices: [{
+      name: 'no',
+      value: 'no',
+      description: 'Generate pom.xml files (default behavior)'
+    }, {
+      name: 'yes',
+      value: 'yes',
+      description: 'Generate a .socket.facts.json file describing the resolved dependency graph'
+    }, {
+      name: '(leave default)',
+      value: '',
+      description: 'Do not store a setting for this'
+    }],
+    default: current === true ? 'yes' : current === false ? 'no' : ''
+  });
+}
 function canceledByUser$1() {
   logger.logger.log('');
   logger.logger.info('User canceled');
@@ -17255,5 +17482,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=70895ae2-8c82-49e4-a1fb-3cbc0ccb2c57
+//# debugId=d1f4c235-f351-4ff4-9652-79299095458b
 //# sourceMappingURL=cli.js.map