@socketsecurity/cli 0.6.0 → 0.7.2

package/README.md

@@ -26,9 +26,10 @@ socket report view QXU8PmK7LfH608RAwfIKdbcHgwEd_ZeWJ9QEGv05FJUQ
 
 * `socket report create <path(s)-to-folder-or-file>` - creates a report on [socket.dev](https://socket.dev/)
 
-  Uploads the specified `package.json` and lock files and, if any folder is specified, the ones found in there. Also includes the complementary `package.json` and lock file to any specified. Currently `package-lock.json` and `yarn.lock` are supported.
+  Uploads the specified `package.json` and lock files for JavaScript and Python dependency manifests.
+  If any folder is specified, the ones found in there recursively are uploaded.
 
-  Supports globbing such as `**/package.json`.
+  Supports globbing such as `**/package.json`, `**/requirements.txt`, and `**/pyproject.toml`.
 
   Ignores any file specified in your project's `.gitignore`, the `projectIgnorePaths` in your project's [`socket.yml`](https://docs.socket.dev/docs/socket-yml) and on top of that has a sensible set of [default ignores](https://www.npmjs.com/package/ignore-by-default)
 

package/lib/commands/index.js

@@ -2,3 +2,5 @@ export * from './info/index.js'
 export * from './report/index.js'
 export * from './npm/index.js'
 export * from './npx/index.js'
+export * from './login/index.js'
+export * from './logout/index.js'

package/lib/commands/login/index.js

@@ -0,0 +1,66 @@
+import isInteractive from 'is-interactive'
+import meow from 'meow'
+import ora from 'ora'
+import prompts from 'prompts'
+
+import { ChalkOrMarkdown } from '../../utils/chalk-markdown.js'
+import { AuthError, InputError } from '../../utils/errors.js'
+import { setupSdk } from '../../utils/sdk.js'
+import { getSetting, updateSetting } from '../../utils/settings.js'
+
+const description = 'Socket API login'
+
+/** @type {import('../../utils/meow-with-subcommands').CliSubcommand} */
+export const login = {
+  description,
+  run: async (argv, importMeta, { parentName }) => {
+    const name = parentName + ' login'
+    const cli = meow(`
+      Usage
+        $ ${name}
+
+      Logs into the Socket API by prompting for an API key
+
+      Examples
+        $ ${name}
+    `, {
+      argv,
+      description,
+      importMeta,
+    })
+
+    if (cli.input.length) cli.showHelp()
+
+    if (!isInteractive()) {
+      throw new InputError('cannot prompt for credentials in a non-interactive shell')
+    }
+    const format = new ChalkOrMarkdown(false)
+    const { apiKey } = await prompts({
+      type: 'password',
+      name: 'apiKey',
+      message: `Enter your ${format.hyperlink(
+        'Socket.dev API key',
+        'https://docs.socket.dev/docs/api-keys'
+      )}`,
+    })
+
+    if (!apiKey) {
+      ora('API key not updated').warn()
+      return
+    }
+
+    const spinner = ora('Verifying API key...').start()
+
+    const oldKey = getSetting('apiKey')
+    updateSetting('apiKey', apiKey)
+    try {
+      const sdk = await setupSdk()
+      const quota = await sdk.getQuota()
+      if (!quota.success) throw new AuthError()
+      spinner.succeed(`API key ${oldKey ? 'updated' : 'set'}`)
+    } catch (e) {
+      updateSetting('apiKey', oldKey)
+      spinner.fail('Invalid API key')
+    }
+  }
+}

package/lib/commands/logout/index.js

@@ -0,0 +1,32 @@
+import meow from 'meow'
+import ora from 'ora'
+
+import { updateSetting } from '../../utils/settings.js'
+
+const description = 'Socket API logout'
+
+/** @type {import('../../utils/meow-with-subcommands').CliSubcommand} */
+export const logout = {
+  description,
+  run: async (argv, importMeta, { parentName }) => {
+    const name = parentName + ' logout'
+    const cli = meow(`
+      Usage
+        $ ${name}
+
+      Logs out of the Socket API and clears all Socket credentials from disk
+
+      Examples
+        $ ${name}
+    `, {
+      argv,
+      description,
+      importMeta,
+    })
+
+    if (cli.input.length) cli.showHelp()
+
+    updateSetting('apiKey', null)
+    ora('Successfully logged out').succeed()
+  }
+}

package/lib/commands/report/create.js

@@ -107,12 +107,10 @@ async function setupCommand (name, description, argv, importMeta) {
     Usage
       $ ${name} <paths-to-package-folders-and-files>
 
-    Uploads the specified "package.json" and lock files and, if any folder is
-    specified, the ones found in there. Also includes the complementary
-    "package.json" and lock file to any specified. Currently "package-lock.json"
-    and "yarn.lock" are supported.
+    Uploads the specified "package.json" and lock files for JavaScript and Python dependency manifests.
+    If any folder is specified, the ones found in there recursively are uploaded.
 
-    Supports globbing such as "**/package.json".
+    Supports globbing such as "**/package.json", "**/requirements.txt", and "**/pyproject.toml".
 
     Ignores any file specified in your project's ".gitignore", your project's
     "socket.yml" file's "projectIgnorePaths" and also has a sensible set of
@@ -181,7 +179,17 @@ async function setupCommand (name, description, argv, importMeta) {
       }
     })
 
-  const packagePaths = await getPackageFiles(cwd, cli.input, config, debugLog)
+  // TODO: setupSdk(getDefaultKey() || FREE_API_KEY)
+  const socketSdk = await setupSdk()
+  const supportedFiles = await socketSdk.getReportSupportedFiles()
+    .then(res => {
+      if (!res.success) handleUnsuccessfulApiResponse('getReportSupportedFiles', res, ora())
+      return res.data
+    }).catch(cause => {
+      throw new ErrorWithCause('Failed getting supported files for report', { cause })
+    })
+
+  const packagePaths = await getPackageFiles(cwd, cli.input, config, supportedFiles, debugLog)
 
   return {
     config,

package/lib/shadow/npm-injection.cjs

@@ -12,6 +12,7 @@ const oraPromise = import('ora')
 const isInteractivePromise = import('is-interactive')
 const chalkPromise = import('chalk')
 const chalkMarkdownPromise = import('../utils/chalk-markdown.js')
+const settingsPromise = import('../utils/settings.js')
 const ipc_version = require('../../package.json').version
 
 try {
@@ -32,7 +33,9 @@ try {
  * @typedef {import('stream').Writable} Writable
  */
 
-const pubToken = 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+const pubTokenPromise = settingsPromise.then(({ getSetting }) =>
+  getSetting('apiKey') || 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+);
 
 // shadow `npm` and `npx` to mitigate subshells
 require('./link.cjs')(fs.realpathSync(path.join(__dirname, 'bin')), 'npm')
@@ -64,6 +67,7 @@ const pkgidParts = (pkgid) => {
 async function * batchScan (
   pkgids
 ) {
+  const pubToken = await pubTokenPromise
   const query = {
     packages: pkgids.map(pkgid => {
       const { name, version } = pkgidParts(pkgid)

package/lib/utils/api-helpers.js

@@ -8,7 +8,7 @@ import { AuthError } from './errors.js'
  * @param {T} _name
  * @param {import('@socketsecurity/sdk').SocketSdkErrorType<T>} result
  * @param {import('ora').Ora} spinner
- * @returns {void}
+ * @returns {never}
  */
 export function handleUnsuccessfulApiResponse (_name, result, spinner) {
   const resultError = 'error' in result && result.error && typeof result.error === 'object' ? result.error : {}

package/lib/utils/path-resolve.js

@@ -5,17 +5,12 @@ import { globby } from 'globby'
 import ignore from 'ignore'
 // @ts-ignore This package provides no types
 import { directories } from 'ignore-by-default'
+import micromatch from 'micromatch'
 import { ErrorWithCause } from 'pony-cause'
 
 import { InputError } from './errors.js'
 import { isErrnoException } from './type-helpers.js'
 
-/** @type {readonly string[]} */
-const SUPPORTED_LOCKFILES = [
-  'package-lock.json',
-  'yarn.lock',
-]
-
 /**
  * There are a lot of possible folders that we should not be looking in and "ignore-by-default" helps us with defining those
  *
@@ -23,10 +18,17 @@ const SUPPORTED_LOCKFILES = [
  */
 const ignoreByDefault = directories()
 
-/** @type {readonly string[]} */
-const GLOB_IGNORE = [
-  ...ignoreByDefault.map(item => '**/' + item)
-]
+/** @type {import('globby').Options} */
+const BASE_GLOBBY_OPTS = {
+  absolute: true,
+  expandDirectories: false,
+  gitignore: true,
+  ignore: [
+    ...ignoreByDefault.map(item => '**/' + item)
+  ],
+  markDirectories: true,
+  unique: true,
+}
 
 /**
  * Resolves package.json and lockfiles from (globbed) input paths, applying relevant ignores
@@ -34,28 +36,24 @@ const GLOB_IGNORE = [
  * @param {string} cwd The working directory to use when resolving paths
  * @param {string[]} inputPaths A list of paths to folders, package.json files and/or recognized lockfiles. Supports globs.
  * @param {import('@socketsecurity/config').SocketYml|undefined} config
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
  * @param {typeof console.error} debugLog
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function getPackageFiles (cwd, inputPaths, config, debugLog) {
+export async function getPackageFiles (cwd, inputPaths, config, supportedFiles, debugLog) {
   debugLog(`Globbed resolving ${inputPaths.length} paths:`, inputPaths)
 
   // TODO: Does not support `~/` paths
   const entries = await globby(inputPaths, {
-    absolute: true,
+    ...BASE_GLOBBY_OPTS,
     cwd,
-    expandDirectories: false,
-    gitignore: true,
-    ignore: [...GLOB_IGNORE],
-    markDirectories: true,
-    onlyFiles: false,
-    unique: true,
+    onlyFiles: false
   })
 
   debugLog(`Globbed resolved ${inputPaths.length} paths to ${entries.length} paths:`, entries)
 
-  const packageFiles = await mapGlobResultToFiles(entries)
+  const packageFiles = await mapGlobResultToFiles(entries, supportedFiles)
 
   debugLog(`Mapped ${entries.length} entries to ${packageFiles.length} files:`, packageFiles)
 
@@ -73,11 +71,14 @@ export async function getPackageFiles (cwd, inputPaths, config, debugLog) {
  * Takes paths to folders, package.json and/or recognized lock files and resolves them to package.json + lockfile pairs (where possible)
  *
  * @param {string[]} entries
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function mapGlobResultToFiles (entries) {
-  const packageFiles = await Promise.all(entries.map(mapGlobEntryToFiles))
+export async function mapGlobResultToFiles (entries, supportedFiles) {
+  const packageFiles = await Promise.all(
+    entries.map(entry => mapGlobEntryToFiles(entry, supportedFiles))
+  )
 
   const uniquePackageFiles = [...new Set(packageFiles.flat())]
 
@@ -88,46 +89,58 @@ export async function mapGlobResultToFiles (entries) {
  * Takes a single path to a folder, package.json or a recognized lock file and resolves to a package.json + lockfile pair (where possible)
  *
  * @param {string} entry
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<'getReportSupportedFiles'>['data']} supportedFiles
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function mapGlobEntryToFiles (entry) {
+export async function mapGlobEntryToFiles (entry, supportedFiles) {
   /** @type {string|undefined} */
-  let pkgFile
-  /** @type {string|undefined} */
-  let lockFile
-
+  let pkgJSFile
+  /** @type {string[]} */
+  let jsLockFiles = []
+  /** @type {string[]} */
+  let pyFiles = []
+
+  const jsSupported = supportedFiles['npm'] || {}
+  const jsLockFilePatterns = Object.keys(jsSupported)
+    .filter(key => key !== 'packagejson')
+    .map(key => /** @type {{ pattern: string }} */ (jsSupported[key]).pattern)
+
+  const pyFilePatterns = Object.values(supportedFiles['pypi'] || {}).map(p => p.pattern)
   if (entry.endsWith('/')) {
     // If the match is a folder and that folder contains a package.json file, then include it
     const filePath = path.resolve(entry, 'package.json')
-    pkgFile = await fileExists(filePath) ? filePath : undefined
-  } else if (path.basename(entry) === 'package.json') {
-    // If the match is a package.json file, then include it
-    pkgFile = entry
-  } else if (SUPPORTED_LOCKFILES.includes(path.basename(entry))) {
-    // If the match is a lock file, include both it and the corresponding package.json file
-    lockFile = entry
-    pkgFile = path.resolve(path.dirname(entry), 'package.json')
+    if (await fileExists(filePath)) pkgJSFile = filePath
+    pyFiles = await globby(pyFilePatterns, {
+      ...BASE_GLOBBY_OPTS,
+      cwd: entry
+    })
+  } else {
+    const entryFile = path.basename(entry)
+
+    if (entryFile === 'package.json') {
+      // If the match is a package.json file, then include it
+      pkgJSFile = entry
+    } else if (micromatch.isMatch(entryFile, jsLockFilePatterns)) {
+      jsLockFiles = [entry]
+      pkgJSFile = path.resolve(path.dirname(entry), 'package.json')
+      if (!(await fileExists(pkgJSFile))) return []
+    } else if (micromatch.isMatch(entryFile, pyFilePatterns)) {
+      pyFiles = [entry]
+    }
   }
 
   // If we will include a package.json file but don't already have a corresponding lockfile, then look for one
-  if (!lockFile && pkgFile) {
-    const pkgDir = path.dirname(pkgFile)
-
-    for (const name of SUPPORTED_LOCKFILES) {
-      const lockFileAlternative = path.resolve(pkgDir, name)
-      if (await fileExists(lockFileAlternative)) {
-        lockFile = lockFileAlternative
-        break
-      }
-    }
-  }
+  if (!jsLockFiles.length && pkgJSFile) {
+    const pkgDir = path.dirname(pkgJSFile)
 
-  if (pkgFile && lockFile) {
-    return [pkgFile, lockFile]
+    jsLockFiles = await globby(jsLockFilePatterns, {
+      ...BASE_GLOBBY_OPTS,
+      cwd: pkgDir
+    })
   }
 
-  return pkgFile ? [pkgFile] : []
+  return [...jsLockFiles, ...pyFiles].concat(pkgJSFile ? [pkgJSFile] : [])
 }
 
 /**

package/lib/utils/sdk.js

@@ -7,28 +7,27 @@ import isInteractive from 'is-interactive'
 import prompts from 'prompts'
 
 import { AuthError } from './errors.js'
+import { getSetting } from './settings.js'
 
 /**
- * The API key should be stored globally for the duration of the CLI execution
+ * This API key should be stored globally for the duration of the CLI execution
  *
  * @type {string | undefined}
  */
-let apiKey
+let sessionAPIKey
 
 /** @returns {Promise<import('@socketsecurity/sdk').SocketSdk>} */
 export async function setupSdk () {
-  if (!apiKey) {
-    apiKey = process.env['SOCKET_SECURITY_API_KEY']
-  }
+  let apiKey = getSetting('apiKey') || process.env['SOCKET_SECURITY_API_KEY'] || sessionAPIKey
 
   if (!apiKey && isInteractive()) {
     const input = await prompts({
       type: 'password',
       name: 'apiKey',
-      message: 'Enter your Socket.dev API key',
+      message: 'Enter your Socket.dev API key (not saved)',
     })
 
-    apiKey = input.apiKey
+    apiKey = sessionAPIKey = input.apiKey
   }
 
   if (!apiKey) {

package/lib/utils/settings.js

@@ -0,0 +1,57 @@
+import * as fs from 'fs'
+import * as os from 'os'
+import * as path from 'path'
+
+import ora from 'ora'
+
+let dataHome = process.platform === 'win32'
+  ? process.env['LOCALAPPDATA']
+  : process.env['XDG_DATA_HOME']
+
+if (!dataHome) {
+  if (process.platform === 'win32') throw new Error('missing %LOCALAPPDATA%')
+  const home = os.homedir()
+  dataHome = path.join(home, ...(process.platform === 'darwin'
+    ? ['Library', 'Application Support']
+    : ['.local', 'share']
+  ))
+}
+
+const settingsPath = path.join(dataHome, 'socket', 'settings')
+
+/** @type {{apiKey?: string | null}} */
+let settings = {}
+
+if (fs.existsSync(settingsPath)) {
+  const raw = fs.readFileSync(settingsPath, 'utf-8')
+  try {
+    settings = JSON.parse(Buffer.from(raw, 'base64').toString())
+  } catch (e) {
+    ora(`Failed to parse settings at ${settingsPath}`).warn()
+  }
+} else {
+  fs.mkdirSync(path.dirname(settingsPath), { recursive: true })
+}
+
+/**
+ * @template {keyof typeof settings} Key
+ * @param {Key} key
+ * @returns {typeof settings[Key]}
+ */
+export function getSetting (key) {
+  return settings[key]
+}
+
+/**
+ * @template {keyof typeof settings} Key
+ * @param {Key} key
+ * @param {typeof settings[Key]} value
+ * @returns {void}
+ */
+export function updateSetting (key, value) {
+  settings[key] = value
+  fs.writeFileSync(
+    settingsPath,
+    Buffer.from(JSON.stringify(settings)).toString('base64')
+  )
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli",
-  "version": "0.6.0",
+  "version": "0.7.2",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli-js",
   "repository": {
@@ -43,10 +43,11 @@
     "test": "run-s check test:*"
   },
   "devDependencies": {
-    "@socketsecurity/eslint-config": "^2.0.0",
+    "@socketsecurity/eslint-config": "^3.0.1",
     "@tsconfig/node14": "^1.0.3",
     "@types/chai": "^4.3.3",
     "@types/chai-as-promised": "^7.1.5",
+    "@types/micromatch": "^4.0.2",
     "@types/mocha": "^10.0.1",
     "@types/mock-fs": "^4.13.1",
     "@types/node": "^14.18.31",
@@ -84,7 +85,7 @@
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
     "@socketsecurity/config": "^2.0.0",
-    "@socketsecurity/sdk": "^0.5.4",
+    "@socketsecurity/sdk": "^0.6.0",
     "chalk": "^5.1.2",
     "globby": "^13.1.3",
     "hpagent": "^1.2.0",
@@ -93,6 +94,7 @@
     "is-interactive": "^2.0.0",
     "is-unicode-supported": "^1.3.0",
     "meow": "^11.0.0",
+    "micromatch": "^4.0.5",
     "ora": "^6.1.2",
     "pony-cause": "^2.1.8",
     "prompts": "^2.4.2",