@socketsecurity/cli 0.7.1 → 0.8.0

package/lib/shadow/tty-server.cjs

@@ -0,0 +1,221 @@
+const path = require('path')
+const { PassThrough } = require('stream')
+const { isErrnoException } = require('../utils/type-helpers.cjs')
+const ipc_version = require('../../package.json').version
+
+/**
+ * @typedef {import('stream').Readable} Readable
+ */
+/**
+ * @typedef {import('stream').Writable} Writable
+ */
+/**
+ * @param {import('chalk')['default']['level']} colorLevel
+ * @param {boolean} isInteractive
+ * @param {any} npmlog
+ * @returns {Promise<{ captureTTY<RET extends any>(mutexFn: (input: Readable | null, output?: Writable, colorLevel: import('chalk')['default']['level']) => Promise<RET>): Promise<RET> }>}
+ */
+module.exports = async function createTTYServer (colorLevel, isInteractive, npmlog) {
+  const TTY_IPC = process.env['SOCKET_SECURITY_TTY_IPC']
+  const net = require('net')
+  /**
+   * @type {import('readline')}
+   */
+  let readline
+  const isSTDINInteractive = true || isInteractive
+  if (!isSTDINInteractive && TTY_IPC) {
+    return {
+      async captureTTY (mutexFn) {
+        return new Promise((resolve, reject) => {
+          const conn = net.createConnection({
+            path: TTY_IPC
+          }).on('error', reject)
+          let captured = false
+          /**
+           * @type {Array<Buffer>}
+           */
+          const bufs = []
+          conn.on('data', function awaitCapture (chunk) {
+            bufs.push(chunk)
+            /**
+             * @type {Buffer | null}
+             */
+            let lineBuff = Buffer.concat(bufs)
+            try {
+              if (!captured) {
+                const EOL = lineBuff.indexOf('\n'.charCodeAt(0))
+                if (EOL !== -1) {
+                  conn.removeListener('data', awaitCapture)
+                  conn.push(lineBuff.slice(EOL + 1))
+                  const {
+                    ipc_version: remote_ipc_version,
+                    capabilities: { input: hasInput, output: hasOutput, colorLevel: ipcColorLevel }
+                  } = JSON.parse(lineBuff.slice(0, EOL).toString('utf-8'))
+                  lineBuff = null
+                  captured = true
+                  if (remote_ipc_version !== ipc_version) {
+                    throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.')
+                  }
+                  const input = hasInput ? new PassThrough() : null
+                  input?.pause()
+                  if (input) conn.pipe(input)
+                  const output = hasOutput ? new PassThrough() : null
+                  output?.pipe(conn)
+                  // make ora happy
+                  // @ts-ignore
+                  output.isTTY = true
+                  // @ts-ignore
+                  output.cursorTo = function cursorTo (x, y, callback) {
+                    readline = readline || require('readline')
+                    // @ts-ignore
+                    readline.cursorTo(this, x, y, callback)
+                  }
+                  // @ts-ignore
+                  output.clearLine = function clearLine (dir, callback) {
+                    readline = readline || require('readline')
+                    // @ts-ignore
+                    readline.clearLine(this, dir, callback)
+                  }
+                  mutexFn(hasInput ? input : null, hasOutput ? /** @type {Writable} */(output) : undefined, ipcColorLevel)
+                    .then(resolve, reject)
+                    .finally(() => {
+                      conn.unref()
+                      conn.end()
+                      input?.end()
+                      output?.end()
+                      // process.exit(13)
+                    })
+                }
+              }
+            } catch (e) {
+              reject(e)
+            }
+          })
+        })
+      }
+    }
+  }
+  /**
+   * @type {Array<{resolve(): void}>}}
+   */
+  const pendingCaptures = []
+  let captured = false
+  const sock = path.join(require('os').tmpdir(), `socket-security-tty-${process.pid}.sock`)
+  process.env['SOCKET_SECURITY_TTY_IPC'] = sock
+  try {
+    await require('fs/promises').unlink(sock)
+  } catch (e) {
+    if (isErrnoException(e) && e.code !== 'ENOENT') {
+      throw e
+    }
+  }
+  const input = isSTDINInteractive ? process.stdin : null
+  const output = process.stderr
+  if (input) {
+    await new Promise((resolve, reject) => {
+      const server = net.createServer(async (conn) => {
+        if (captured) {
+          const captured = new Promise((resolve) => {
+            pendingCaptures.push({
+              resolve () {
+                resolve(undefined)
+              }
+            })
+          })
+          await captured
+        } else {
+          captured = true
+        }
+        const wasProgressEnabled = npmlog.progressEnabled
+        npmlog.pause()
+        if (wasProgressEnabled) {
+          npmlog.disableProgress()
+        }
+        conn.write(`${JSON.stringify({
+          ipc_version,
+          capabilities: {
+            input: Boolean(input),
+            output: true,
+            colorLevel
+          }
+        })}\n`)
+        conn.on('data', (data) => {
+          output.write(data)
+        })
+        conn.on('error', (e) => {
+          output.write(`there was an error prompting from a subshell (${e.message}), socket npm closing`)
+          process.exit(1)
+        })
+        input.on('data', (data) => {
+          conn.write(data)
+        })
+        input.on('end', () => {
+          conn.unref()
+          conn.end()
+          if (wasProgressEnabled) {
+            npmlog.enableProgress()
+          }
+          npmlog.resume()
+          nextCapture()
+        })
+      }).listen(sock, () => resolve(server)).on('error', (err) => {
+        reject(err)
+      }).unref()
+      process.on('exit', () => {
+        server.close()
+        try {
+          require('fs').unlinkSync(sock)
+        } catch (e) {
+          if (isErrnoException(e) && e.code !== 'ENOENT') {
+            throw e
+          }
+        }
+      })
+      resolve(server)
+    })
+  }
+  /**
+   *
+   */
+  function nextCapture () {
+    if (pendingCaptures.length > 0) {
+      const nextCapture = pendingCaptures.shift()
+      if (nextCapture) {
+        nextCapture.resolve()
+      }
+    } else {
+      captured = false
+    }
+  }
+  return {
+    async captureTTY (mutexFn) {
+      if (captured) {
+        const captured = new Promise((resolve) => {
+          pendingCaptures.push({
+            resolve () {
+              resolve(undefined)
+            }
+          })
+        })
+        await captured
+      } else {
+        captured = true
+      }
+      const wasProgressEnabled = npmlog.progressEnabled
+      try {
+        npmlog.pause()
+        if (wasProgressEnabled) {
+          npmlog.disableProgress()
+        }
+        // need await here for proper finally timing
+        return await mutexFn(input, output, colorLevel)
+      } finally {
+        if (wasProgressEnabled) {
+          npmlog.enableProgress()
+        }
+        npmlog.resume()
+        nextCapture()
+      }
+    }
+  }
+}

package/lib/utils/api-helpers.js

@@ -25,18 +25,16 @@ export function handleUnsuccessfulApiResponse (_name, result, spinner) {
 /**
  * @template T
  * @param {Promise<T>} value
- * @param {import('ora').Ora} spinner
  * @param {string} description
  * @returns {Promise<T>}
  */
-export async function handleApiCall (value, spinner, description) {
+export async function handleApiCall (value, description) {
   /** @type {T} */
   let result
 
   try {
     result = await value
   } catch (cause) {
-    spinner.fail()
     throw new ErrorWithCause(`Failed ${description}`, { cause })
   }
 

package/lib/utils/issue-rules.cjs

@@ -0,0 +1,180 @@
+//#region UX Constants
+/**
+ * @typedef {{block: boolean, display: boolean}} RuleActionUX
+ */
+const IGNORE_UX = {
+  block: false,
+  display: false
+}
+const WARN_UX = {
+  block: false,
+  display: true
+}
+const ERROR_UX = {
+  block: true,
+  display: true
+}
+//#endregion
+//#region utils
+/**
+ * @typedef { NonNullable<NonNullable<NonNullable<(Awaited<ReturnType<import('@socketsecurity/sdk').SocketSdk['postSettings']>> & {success: true})['data']['entries'][number]['settings'][string]>['issueRules']>>[string] | boolean } NonNormalizedIssueRule
+ */
+/**
+ * @typedef { (NonNullable<NonNullable<(Awaited<ReturnType<import('@socketsecurity/sdk').SocketSdk['postSettings']>> & {success: true})['data']['defaults']['issueRules']>[string]> & { action: string }) | boolean } NonNormalizedResolvedIssueRule
+ */
+/**
+ * Iterates over all entries with ordered issue rule for deferal
+ * Iterates over all issue rules and finds the first defined value that does not defer otherwise uses the defaultValue
+ * Takes the value and converts into a UX workflow
+ *
+ * @param {Iterable<Iterable<NonNormalizedIssueRule>>} entriesOrderedIssueRules
+ * @param {NonNormalizedResolvedIssueRule} defaultValue
+ * @returns {RuleActionUX}
+ */
+function resolveIssueRuleUX (entriesOrderedIssueRules, defaultValue) {
+  if (defaultValue === true || defaultValue == null) {
+    defaultValue = {
+      action: 'error'
+    }
+  } else if (defaultValue === false) {
+    defaultValue = {
+      action: 'ignore'
+    }
+  }
+  let block = false
+  let display = false
+  let needDefault = true
+  iterate_entries:
+  for (const issueRuleArr of entriesOrderedIssueRules) {
+    for (const rule of issueRuleArr) {
+      if (issueRuleValueDoesNotDefer(rule)) {
+        // there was a rule, even if a defer, don't narrow to the default
+        needDefault = false
+        const narrowingFilter = uxForDefinedNonDeferValue(rule)
+        block = block || narrowingFilter.block
+        display = display || narrowingFilter.display
+        continue iterate_entries
+      }
+    }
+    // all rules defer, narrow
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue)
+    block = block || narrowingFilter.block
+    display = display || narrowingFilter.display
+  }
+  if (needDefault) {
+    // no config set a
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue)
+    block = block || narrowingFilter.block
+    display = display || narrowingFilter.display
+  }
+  return {
+    block,
+    display
+  }
+}
+
+/**
+ * Negative form because it is narrowing the type
+ *
+ * @type {(issueRuleValue: NonNormalizedIssueRule) => issueRuleValue is NonNormalizedResolvedIssueRule}
+ */
+function issueRuleValueDoesNotDefer (issueRule) {
+  if (issueRule === undefined) {
+    return false
+  } else if (typeof issueRule === 'object' && issueRule) {
+    const { action } = issueRule
+    if (action === undefined || action === 'defer') {
+      return false
+    }
+  }
+  return true
+}
+
+/**
+ * Handles booleans for backwards compatibility
+ *
+ * @param {NonNormalizedResolvedIssueRule} issueRuleValue
+ * @returns {RuleActionUX}
+ */
+function uxForDefinedNonDeferValue (issueRuleValue) {
+  if (typeof issueRuleValue === 'boolean') {
+    return issueRuleValue ? ERROR_UX : IGNORE_UX
+  }
+  const { action } = issueRuleValue
+  if (action === 'warn') {
+    return WARN_UX
+  } else if (action === 'ignore') {
+    return IGNORE_UX
+  }
+  return ERROR_UX
+}
+//#endregion
+//#region exports
+module.exports = {
+  /**
+   *
+   * @param {(Awaited<ReturnType<import('@socketsecurity/sdk').SocketSdk['postSettings']>> & {success: true})['data']} settings
+   * @returns {(context: {package: {name: string, version: string}, issue: {type: string}}) => RuleActionUX}
+   */
+  createIssueUXLookup (settings) {
+    /**
+     * @type {Map<keyof (typeof settings.defaults.issueRules), RuleActionUX>}
+     */
+    const cachedUX = new Map()
+    return (context) => {
+      const key = context.issue.type
+      /**
+       * @type {RuleActionUX | undefined}
+       */
+      let ux = cachedUX.get(key)
+      if (ux) {
+        return ux
+      }
+      /**
+       * @type {Array<Array<NonNormalizedIssueRule>>}
+       */
+      const entriesOrderedIssueRules = []
+      for (const settingsEntry of settings.entries) {
+        /**
+         * @type {Array<NonNormalizedIssueRule>}
+         */
+        const orderedIssueRules = []
+        let target = settingsEntry.start
+        while (target !== null) {
+          const resolvedTarget = settingsEntry.settings[target]
+          if (!resolvedTarget) {
+            break
+          }
+          const issueRuleValue = resolvedTarget.issueRules?.[key]
+          if (typeof issueRuleValue !== 'undefined') {
+            orderedIssueRules.push(issueRuleValue)
+          }
+          target = resolvedTarget.deferTo ?? null
+        }
+        entriesOrderedIssueRules.push(orderedIssueRules)
+      }
+      const defaultValue = settings.defaults.issueRules[key]
+      /**
+       * @type {NonNormalizedResolvedIssueRule}
+       */
+      let resolvedDefaultValue = {
+        action: 'error'
+      }
+      // @ts-ignore backcompat, cover with tests
+      if (defaultValue === false) {
+        resolvedDefaultValue = {
+          action: 'ignore'
+        }
+      // @ts-ignore backcompat, cover with tests
+      } else if (defaultValue && defaultValue !== true) {
+        resolvedDefaultValue = {
+          action: defaultValue.action ?? 'error'
+        }
+      }
+      ux = resolveIssueRuleUX(entriesOrderedIssueRules, resolvedDefaultValue)
+      cachedUX.set(key, ux)
+      return ux
+    }
+  }
+}
+//#endregion

package/lib/utils/misc.js

@@ -7,7 +7,7 @@ import { logSymbols } from './chalk-markdown.js'
 export function createDebugLogger (printDebugLogs) {
   return printDebugLogs
     // eslint-disable-next-line no-console
-    ? (...params) => console.error(logSymbols.info, ...params)
+    ? /** @type { (...params: unknown[]) => void } */(...params) => console.error(logSymbols.info, ...params)
     : () => {}
 }
 

package/lib/utils/path-resolve.js

@@ -9,7 +9,7 @@ import micromatch from 'micromatch'
 import { ErrorWithCause } from 'pony-cause'
 
 import { InputError } from './errors.js'
-import { isErrnoException } from './type-helpers.js'
+import { isErrnoException } from './type-helpers.cjs'
 
 /**
  * There are a lot of possible folders that we should not be looking in and "ignore-by-default" helps us with defining those
@@ -100,17 +100,32 @@ export async function mapGlobEntryToFiles (entry, supportedFiles) {
   let jsLockFiles = []
   /** @type {string[]} */
   let pyFiles = []
+  /** @type {string|undefined} */
+  let pkgGoFile
+  /** @type {string[]} */
+  let goExtraFiles = []
 
   const jsSupported = supportedFiles['npm'] || {}
   const jsLockFilePatterns = Object.keys(jsSupported)
     .filter(key => key !== 'packagejson')
     .map(key => /** @type {{ pattern: string }} */ (jsSupported[key]).pattern)
 
-  const pyFilePatterns = Object.values(supportedFiles['pypi'] || {}).map(p => p.pattern)
+  const pyFilePatterns = Object.values(supportedFiles['pypi'] || {})
+    .map(p => /** @type {{ pattern: string }} */ (p).pattern)
+
+  const goSupported = supportedFiles['go'] || {}
+  const goSupplementalPatterns = Object.keys(goSupported)
+    .filter(key => key !== 'gomod')
+    .map(key => /** @type {{ pattern: string }} */ (goSupported[key]).pattern)
+
   if (entry.endsWith('/')) {
     // If the match is a folder and that folder contains a package.json file, then include it
-    const filePath = path.resolve(entry, 'package.json')
-    if (await fileExists(filePath)) pkgJSFile = filePath
+    const jsPkg = path.resolve(entry, 'package.json')
+    if (await fileExists(jsPkg)) pkgJSFile = jsPkg
+
+    const goPkg = path.resolve(entry, 'go.mod')
+    if (await fileExists(goPkg)) pkgGoFile = goPkg
+
     pyFiles = await globby(pyFilePatterns, {
       ...BASE_GLOBBY_OPTS,
       cwd: entry
@@ -125,6 +140,11 @@ export async function mapGlobEntryToFiles (entry, supportedFiles) {
       jsLockFiles = [entry]
       pkgJSFile = path.resolve(path.dirname(entry), 'package.json')
       if (!(await fileExists(pkgJSFile))) return []
+    } else if (entryFile === 'go.mod') {
+      pkgGoFile = entry
+    } else if (micromatch.isMatch(entryFile, goSupplementalPatterns)) {
+      goExtraFiles = [entry]
+      pkgGoFile = path.resolve(path.dirname(entry), 'go.mod')
     } else if (micromatch.isMatch(entryFile, pyFilePatterns)) {
       pyFiles = [entry]
     }
@@ -140,7 +160,19 @@ export async function mapGlobEntryToFiles (entry, supportedFiles) {
     })
   }
 
-  return [...jsLockFiles, ...pyFiles].concat(pkgJSFile ? [pkgJSFile] : [])
+  if (!goExtraFiles.length && pkgGoFile) {
+    // get go.sum whenever possible
+    const pkgDir = path.dirname(pkgGoFile)
+
+    goExtraFiles = await globby(goSupplementalPatterns, {
+      ...BASE_GLOBBY_OPTS,
+      cwd: pkgDir
+    })
+  }
+
+  return [...jsLockFiles, ...pyFiles, ...goExtraFiles]
+    .concat(pkgJSFile ? [pkgJSFile] : [])
+    .concat(pkgGoFile ? [pkgGoFile] : [])
 }
 
 /**

package/lib/utils/sdk.js

@@ -9,25 +9,37 @@ import prompts from 'prompts'
 import { AuthError } from './errors.js'
 import { getSetting } from './settings.js'
 
+export const FREE_API_KEY = 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+
 /**
  * This API key should be stored globally for the duration of the CLI execution
  *
  * @type {string | undefined}
  */
-let sessionAPIKey
+let defaultKey
 
-/** @returns {Promise<import('@socketsecurity/sdk').SocketSdk>} */
-export async function setupSdk () {
-  let apiKey = getSetting('apiKey') || process.env['SOCKET_SECURITY_API_KEY'] || sessionAPIKey
+/** @returns {string | undefined} */
+export function getDefaultKey () {
+  defaultKey = getSetting('apiKey') || process.env['SOCKET_SECURITY_API_KEY'] || defaultKey
+  return defaultKey
+}
 
-  if (!apiKey && isInteractive()) {
+/**
+ * @param {string} [apiKey]
+ * @returns {Promise<import('@socketsecurity/sdk').SocketSdk>}
+ */
+export async function setupSdk (apiKey = getDefaultKey()) {
+  if (apiKey == null && isInteractive()) {
+    /**
+     * @type {{ apiKey: string }}
+     */
     const input = await prompts({
       type: 'password',
       name: 'apiKey',
-      message: 'Enter your Socket.dev API key (not saved)',
+      message: 'Enter your Socket.dev API key (not saved, use socket login to persist)',
     })
 
-    apiKey = sessionAPIKey = input.apiKey
+    apiKey = defaultKey = input.apiKey
   }
 
   if (!apiKey) {

package/lib/utils/settings.js

@@ -19,7 +19,11 @@ if (!dataHome) {
 
 const settingsPath = path.join(dataHome, 'socket', 'settings')
 
-/** @type {{apiKey?: string | null}} */
+/**
+ * @typedef {Record<string, boolean | {action: 'error' | 'warn' | 'ignore' | 'defer'}>} IssueRules
+ */
+
+/** @type {{apiKey?: string | null, enforcedOrgs?: string[] | null}} */
 let settings = {}
 
 if (fs.existsSync(settingsPath)) {
@@ -42,6 +46,8 @@ export function getSetting (key) {
   return settings[key]
 }
 
+let pendingSave = false
+
 /**
  * @template {keyof typeof settings} Key
  * @param {Key} key
@@ -50,8 +56,14 @@ export function getSetting (key) {
  */
 export function updateSetting (key, value) {
   settings[key] = value
-  fs.writeFileSync(
-    settingsPath,
-    Buffer.from(JSON.stringify(settings)).toString('base64')
-  )
+  if (!pendingSave) {
+    pendingSave = true
+    process.nextTick(() => {
+      pendingSave = false
+      fs.writeFileSync(
+        settingsPath,
+        Buffer.from(JSON.stringify(settings)).toString('base64')
+      )
+    })
+  }
 }

package/lib/utils/{type-helpers.js → type-helpers.cjs}

@@ -2,7 +2,7 @@
  * @param {unknown} value
  * @returns {value is NodeJS.ErrnoException}
  */
-export function isErrnoException (value) {
+exports.isErrnoException = function isErrnoException (value) {
   if (!(value instanceof Error)) {
     return false
   }

package/lib/utils/update-notifier.js

@@ -6,6 +6,9 @@ import updateNotifier from 'update-notifier'
 export function initUpdateNotifier () {
   readFile(new URL('../../package.json', import.meta.url), 'utf8')
     .then(rawPkg => {
+      /**
+       * @type {Exclude<Parameters<typeof updateNotifier>[0], undefined>['pkg']}
+       */
       const pkg = JSON.parse(rawPkg)
       updateNotifier({ pkg }).notify()
     })