@socketsecurity/cli-with-sentry 1.1.93 → 1.1.95

package/CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.95](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.95) - 2026-05-15
+
+### Changed
+- Updated the Coana CLI to v `15.2.7`.
+
+## [1.1.94](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.94) - 2026-05-12
+
+### Fixed
+- `socket manifest scala` now copies sbt-generated `.pom` files out of each subproject's `target/` directory to the project root as `pom.xml`, so Socket scan (which discovers `**/pom.xml` and respects `.gitignore`) picks them up automatically. Use `--out` to override the destination filename.
+
 ## [1.1.93](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.93) - 2026-05-08
 
 ### Changed

package/dist/cli.js

@@ -880,6 +880,143 @@ async function run$R(argv, importMeta, {
   });
 }
 
+function normalizeProjectIgnorePath(path) {
+  return utils.stripTrailingSlash(toPosixPath(path.startsWith('/') ? path.slice(1) : path));
+}
+
+/**
+ * Converts a Socket-scan-root anchored --exclude-paths pattern into the shape
+ * Coana expects for the current analysis target. Coana resolves --exclude-dirs
+ * relative to the path passed to `coana run`, not relative to this command's
+ * cwd. For a root target the pattern can pass through unchanged; for a nested
+ * target we strip the target prefix; documented match-anywhere globstar
+ * patterns remain meaningful relative to the nested target; and paths outside
+ * the target return undefined because Coana cannot exclude directories it is
+ * not analyzing.
+ */
+function pathRelativeToTarget(path, target) {
+  const normalized = normalizeProjectIgnorePath(path);
+  if (target === '.' || target === '') {
+    // Root target: the project root and Coana analysis root are the same directory.
+    return normalized;
+  }
+  if (normalized === target) {
+    // Whole target excluded: manifest discovery should stop before Coana runs.
+    return undefined;
+  }
+  if (normalized.startsWith('**/')) {
+    // Match-anywhere glob: keep matching at any depth under the Coana target.
+    return normalized;
+  }
+  const targetPrefix = `${target}/`;
+  if (normalized.startsWith(targetPrefix)) {
+    // Nested target: strip the target prefix to make the pattern target-relative.
+    return normalized.slice(targetPrefix.length);
+  }
+  // Outside the target: there is nothing for this Coana run to exclude.
+  return undefined;
+}
+function toPosixPath(path) {
+  return path.replaceAll('\\', '/');
+}
+
+/**
+ * Derives the two scan-time forms of --exclude-paths: anchored minimatch
+ * patterns for SCA manifest discovery, and target-relative paths for Coana's
+ * reachability analysis.
+ */
+function applyFullExcludePaths({
+  cwd,
+  reachabilityOptions,
+  target
+}) {
+  const {
+    excludePaths
+  } = reachabilityOptions;
+  const additionalScaIgnores = excludePaths.flatMap(excludePathToScanIgnores);
+  const coanaExcludeGlobs = projectIgnorePathsToReachExcludePaths(excludePaths, {
+    cwd,
+    target
+  });
+  const mergedReachabilityOptions = excludePaths.length ? {
+    ...reachabilityOptions,
+    reachExcludePaths: [...reachabilityOptions.reachExcludePaths, ...coanaExcludeGlobs]
+  } : reachabilityOptions;
+  return {
+    additionalScaIgnores,
+    mergedReachabilityOptions
+  };
+}
+
+// Patterns that resolve to "exclude the entire scan" or "exclude nothing
+// useful" are almost certainly typos. Rejecting them up front beats
+// silently producing an empty scan or a no-op exclusion.
+const DEGENERATE_EXCLUDE_PATHS = new Set(['', '.', './', './**', '/', '**', '/**']);
+
+/**
+ * Validates --exclude-paths entries before they reach either exclusion sink.
+ * Rejects gitignore-style negations (coana's --exclude-dirs has no negation
+ * form), absolute paths (the flag is scan-root relative), patterns escaping
+ * the scan root via `..`, and degenerate match-everything sentinels like `.`,
+ * `**`, `/`.
+ */
+function assertValidExcludePaths(paths) {
+  for (const p of paths) {
+    if (p.startsWith('!')) {
+      throw new utils.InputError(`--exclude-paths does not support negation patterns. Got: '${p}'.`);
+    }
+    const posix = toPosixPath(p).trim();
+    if (DEGENERATE_EXCLUDE_PATHS.has(utils.stripTrailingSlash(posix))) {
+      throw new utils.InputError(`--exclude-paths does not accept match-everything patterns. Got: '${p}'.`);
+    }
+    if (posix.startsWith('/')) {
+      throw new utils.InputError(`--exclude-paths must be relative to the scan root. Got absolute path: '${p}'.`);
+    }
+    if (posix === '..' || posix.startsWith('../') || posix.includes('/../')) {
+      throw new utils.InputError(`--exclude-paths cannot escape the scan root with '..'. Got: '${p}'.`);
+    }
+  }
+}
+
+/**
+ * Expands an anchored-micromatch --exclude-paths entry into the minimatch
+ * patterns fast-glob needs to skip both the matched entry itself (file-shaped
+ * matches like `packages/stray.json` against `packages/*`) and any subtree
+ * underneath it (`packages/a/foo.json`). Returned patterns are ready for
+ * fast-glob's `ignore` list — no gitignore translation involved.
+ */
+function excludePathToScanIgnores(input) {
+  const stripped = utils.stripTrailingSlash(toPosixPath(input));
+  // User already opted into "match everything under this dir" — one pattern
+  // is enough.
+  if (stripped.endsWith('/**')) {
+    return [stripped];
+  }
+  // Emit the entry itself (catches file-shaped hits) plus its subtree
+  // (catches descendants when the entry resolves to a directory).
+  return [stripped, `${stripped}/**`];
+}
+
+/**
+ * Re-anchors --exclude-paths patterns onto the reachability analysis target.
+ * Coana matches --exclude-dirs relative to whichever directory it was invoked
+ * on, so when the analysis target is a nested subdirectory, scan-root
+ * patterns need their target prefix stripped. Patterns that fall outside the
+ * target are dropped — coana cannot exclude what it isn't analyzing. Bails
+ * out entirely when any input contains a negation, since coana's --exclude-dirs
+ * has no negation form.
+ */
+function projectIgnorePathsToReachExcludePaths(paths, options) {
+  if (!Array.isArray(paths) || paths.some(p => p.startsWith('!'))) {
+    return [];
+  }
+  const targetPattern = normalizeProjectIgnorePath(path.relative(options.cwd, path.resolve(options.cwd, options.target)));
+  return paths.flatMap(p => {
+    const reachPath = pathRelativeToTarget(p, targetPattern);
+    return reachPath === undefined ? [] : [reachPath];
+  });
+}
+
 async function fetchCreateOrgFullScan(packagePaths, orgSlug, config, options) {
   const {
     branchName,
@@ -1857,6 +1994,23 @@ async function execGradleWithSpinner(bin, commandArgs, cwd) {
   }
 }
 
+// Walk up from a pom path to find a `target` directory ancestor and return
+// its parent (the project root). Returns undefined if no `target` ancestor
+// is found, which means we cannot safely lift the file out of the ignored
+// build dir.
+function findProjectRootAboveTarget(pomPath) {
+  let dir = path.dirname(pomPath);
+  const {
+    root
+  } = path.parse(dir);
+  while (dir !== root) {
+    if (path.basename(dir) === 'target') {
+      return path.dirname(dir);
+    }
+    dir = path.dirname(dir);
+  }
+  return undefined;
+}
 async function convertSbtToMaven({
   bin,
   cwd,
@@ -1933,18 +2087,43 @@ async function convertSbtToMaven({
       logger.logger.info('Exiting now...');
       return;
     } else {
-      // if (verbose) {
-      //   logger.log(
-      //     `Moving manifest file from \`${loc.replace(/^\/home\/[^/]*?\//, '~/')}\` to \`${out}\``
-      //   )
-      // } else {
-      //   logger.log('Moving output pom file')
-      // }
-      // TODO: Do we prefer fs-extra? Renaming can be gnarly on windows and fs-extra's version is better.
-      // await renamep(loc, out)
-      logger.logger.success(`Generated ${poms.length} pom files`);
-      poms.forEach(fn => logger.logger.log('-', fn));
-      logger.logger.success(`OK`);
+      // sbt writes poms inside each project's `target/` directory, which is
+      // typically gitignored. Copy them out to a sibling of `target/` so
+      // downstream SBOM/scan steps see them.
+      const copied = [];
+      const outBasename = path.basename(out) || 'pom.xml';
+      for (const pomPath of poms) {
+        let destPath;
+        if (poms.length === 1 && out !== outBasename) {
+          // Honor the full `--out` path verbatim when exactly one pom was
+          // produced and the user (or default) supplied a path, not just a
+          // bare filename.
+          destPath = path.resolve(cwd, out);
+        } else {
+          const projectRoot = findProjectRootAboveTarget(pomPath);
+          if (!projectRoot) {
+            logger.logger.warn(`Could not locate \`target/\` ancestor for \`${pomPath}\`, leaving in place`);
+            continue;
+          }
+          destPath = path.join(projectRoot, outBasename);
+        }
+        try {
+          // eslint-disable-next-line no-await-in-loop
+          await fs$1.promises.mkdir(path.dirname(destPath), {
+            recursive: true
+          });
+          // eslint-disable-next-line no-await-in-loop
+          await fs$1.promises.copyFile(pomPath, destPath);
+          copied.push(destPath);
+        } catch (e) {
+          logger.logger.warn(`Failed to copy \`${pomPath}\` to \`${destPath}\`: ${utils.getErrorCause(e)}`);
+        }
+      }
+      logger.logger.success(`Generated ${copied.length} pom file${copied.length === 1 ? '' : 's'}`);
+      logger.logger.log('Reported exports:');
+      for (const fn of copied) {
+        logger.logger.log('-', fn);
+      }
     }
   } catch (e) {
     process.exitCode = 1;
@@ -2156,7 +2335,7 @@ async function generateAutoManifest({
       // Note: `sbt` is more likely to be resolved against PATH env
       bin: sockJson.defaults?.manifest?.sbt?.bin ?? 'sbt',
       cwd,
-      out: sockJson.defaults?.manifest?.sbt?.outfile ?? './socket.sbt.pom.xml',
+      out: sockJson.defaults?.manifest?.sbt?.outfile ?? './pom.xml',
       sbtOpts: sockJson.defaults?.manifest?.sbt?.sbtOpts?.split(' ').map(s => s.trim()).filter(Boolean) ?? [],
       verbose: Boolean(sockJson.defaults?.manifest?.sbt?.verbose)
     });
@@ -2291,7 +2470,16 @@ async function handleCreateNewScan({
   // Load socket.yml to respect projectIgnorePaths when collecting files.
   const socketYmlResult = utils.findSocketYmlSync(cwd);
   const socketConfig = socketYmlResult.ok ? socketYmlResult.data?.parsed : undefined;
+  const {
+    additionalScaIgnores,
+    mergedReachabilityOptions
+  } = applyFullExcludePaths({
+    cwd,
+    reachabilityOptions: reach,
+    target: targets[0]
+  });
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
+    additionalIgnores: additionalScaIgnores,
     config: socketConfig,
     cwd
   });
@@ -2324,7 +2512,7 @@ async function handleCreateNewScan({
     logger.logger.info('Starting reachability analysis...');
     require$$9.debugFn('notice', 'Reachability analysis enabled');
     require$$9.debugDir('inspect', {
-      reachabilityOptions: reach
+      reachabilityOptions: mergedReachabilityOptions
     });
     spinner.start();
     const reachResult = await performReachabilityAnalysis({
@@ -2332,7 +2520,7 @@ async function handleCreateNewScan({
       cwd,
       orgSlug,
       packagePaths,
-      reachabilityOptions: reach,
+      reachabilityOptions: mergedReachabilityOptions,
       repoName,
       spinner,
       target: targets[0]
@@ -2450,6 +2638,7 @@ async function handleCi(autoManifest) {
     pendingHead: true,
     pullRequest: 0,
     reach: {
+      excludePaths: [],
       reachAnalysisMemoryLimit: 0,
       reachAnalysisTimeout: 0,
       reachConcurrency: 1,
@@ -6340,8 +6529,10 @@ const config$9 = {
 
     There are some caveats with \`build.sbt\` to \`pom.xml\` conversion:
 
-    - the xml is exported as socket.pom.xml as to not confuse existing build tools
-      but it will first hit your /target/sbt<version> folder (as a different name)
+    - the xml is exported as pom.xml at the project root so Socket scan picks
+      it up; sbt itself first writes it inside your /target/sbt<version> folder
+      (as a different name). Use --out to override if you already have a
+      hand-authored pom.xml at the project root.
 
     - the pom.xml format (standard by Scala) does not support certain sbt features
       - \`excludeAll()\`, \`dependencyOverrides\`, \`force()\`, \`relativePath\`
@@ -6421,7 +6612,7 @@ async function run$A(argv, importMeta, {
       out = sockJson.defaults?.manifest?.sbt?.outfile;
       logger.logger.info(`Using default --out from ${constants.SOCKET_JSON}:`, out);
     } else {
-      out = './socket.pom.xml';
+      out = './pom.xml';
     }
   }
   if (!sbtOpts) {
@@ -11120,7 +11311,8 @@ const reachabilityFlags = {
   reachExcludePaths: {
     type: 'string',
     isMultiple: true,
-    description: 'List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.'
+    hidden: true,
+    description: 'Deprecated: use --exclude-paths instead. List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.'
   },
   reachLazyMode: {
     type: 'boolean',
@@ -11139,6 +11331,13 @@ const reachabilityFlags = {
     description: 'When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.'
   }
 };
+const excludePathsFlag = {
+  excludePaths: {
+    type: 'string',
+    isMultiple: true,
+    description: 'List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (`--cwd` if set), not the reachability target: `tests` matches only `<cwd>/tests`; use `**/tests` to match at any depth. Negation patterns (`!path`) are not supported. Accepts a comma-separated value or multiple flags.'
+  }
+};
 
 async function suggestTarget() {
   // We could prefill this with sub-dirs of the current
@@ -11309,6 +11508,7 @@ async function run$d(argv, importMeta, {
     hidden: hidden$a,
     flags: {
       ...generalFlags$1,
+      ...excludePathsFlag,
       ...reachabilityFlags
     },
     help: command => `
@@ -11319,7 +11519,10 @@ async function run$d(argv, importMeta, {
       ${utils.getFlagApiRequirementsOutput(`${parentName}:${CMD_NAME$a}`)}
 
     Options
-      ${utils.getFlagListOutput(generalFlags$1)}
+      ${utils.getFlagListOutput({
+      ...generalFlags$1,
+      ...excludePathsFlag
+    })}
 
     Reachability Options (when --reach is used)
       ${utils.getFlagListOutput(reachabilityFlags)}
@@ -11527,6 +11730,8 @@ async function run$d(argv, importMeta, {
     logger.logger.info(`You can also run \`socket scan setup\` to persist these flag defaults to a ${constants.SOCKET_JSON} file.`);
     logger.logger.error('');
   }
+  const excludePaths = utils.cmdFlagValueToArray(cli.flags['excludePaths']);
+  assertValidExcludePaths(excludePaths);
   const reachExcludePaths = utils.cmdFlagValueToArray(cli.flags['reachExcludePaths']);
 
   // Validation helpers for better readability.
@@ -11622,6 +11827,7 @@ async function run$d(argv, importMeta, {
     pendingHead: Boolean(pendingHead),
     pullRequest: Number(pullRequest),
     reach: {
+      excludePaths,
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
@@ -12280,6 +12486,7 @@ async function scanOneRepo(repoSlug, {
     pendingHead: true,
     pullRequest: 0,
     reach: {
+      excludePaths: [],
       reachAnalysisMemoryLimit: 0,
       reachAnalysisTimeout: 0,
       reachConcurrency: 1,
@@ -13462,7 +13669,7 @@ async function handleScanReach({
     spinner
   } = constants.default;
 
-  // Get supported file names
+  // Get supported file names.
   const supportedFilesCResult = await fetchSupportedScanFileNames({
     spinner
   });
@@ -13479,7 +13686,16 @@ async function handleScanReach({
   // Load socket.yml to respect projectIgnorePaths when collecting files.
   const socketYmlResult = utils.findSocketYmlSync(cwd);
   const socketConfig = socketYmlResult.ok ? socketYmlResult.data?.parsed : undefined;
+  const {
+    additionalScaIgnores,
+    mergedReachabilityOptions
+  } = applyFullExcludePaths({
+    cwd,
+    reachabilityOptions,
+    target: targets[0]
+  });
   const packagePaths = await utils.getPackageFilesForScan(targets, supportedFiles, {
+    additionalIgnores: additionalScaIgnores,
     config: socketConfig,
     cwd
   });
@@ -13500,7 +13716,7 @@ async function handleScanReach({
     orgSlug,
     outputPath,
     packagePaths,
-    reachabilityOptions,
+    reachabilityOptions: mergedReachabilityOptions,
     spinner,
     target: targets[0],
     uploadManifests: true
@@ -13549,6 +13765,7 @@ async function run$7(argv, importMeta, {
     hidden: hidden$4,
     flags: {
       ...generalFlags,
+      ...excludePathsFlag,
       ...reachabilityFlags
     },
     help: command => `
@@ -13562,7 +13779,10 @@ async function run$7(argv, importMeta, {
       ${utils.getFlagListOutput(generalFlags)}
 
     Reachability Options
-      ${utils.getFlagListOutput(reachabilityFlags)}
+      ${utils.getFlagListOutput({
+      ...excludePathsFlag,
+      ...reachabilityFlags
+    })}
 
     Runs the Socket reachability analysis without creating a scan in Socket.
     The output is written to .socket.facts.json in the current working directory
@@ -13614,8 +13834,10 @@ async function run$7(argv, importMeta, {
   const dryRun = !!cli.flags['dryRun'];
 
   // Process comma-separated values for isMultiple flags.
+  const excludePaths = utils.cmdFlagValueToArray(cli.flags['excludePaths']);
   const reachEcosystemsRaw = utils.cmdFlagValueToArray(cli.flags['reachEcosystems']);
   const reachExcludePaths = utils.cmdFlagValueToArray(cli.flags['reachExcludePaths']);
+  assertValidExcludePaths(excludePaths);
 
   // Validate ecosystem values.
   const reachEcosystems = [];
@@ -13699,6 +13921,7 @@ async function run$7(argv, importMeta, {
     outputKind,
     outputPath: outputPath || '',
     reachabilityOptions: {
+      excludePaths,
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
@@ -15642,5 +15865,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=6d796b61-8e93-4815-b8ee-24e4641dd484
+//# debugId=1acf2006-28da-49e4-9572-412f961998c4
 //# sourceMappingURL=cli.js.map