@socketsecurity/cli 0.7.2 → 0.8.2

package/lib/shadow/tty-server.cjs

@@ -0,0 +1,222 @@
+const path = require('path')
+const { PassThrough } = require('stream')
+
+const ipc_version = require('../../package.json').version
+const { isErrnoException } = require('../utils/type-helpers.cjs')
+
+/**
+ * @typedef {import('stream').Readable} Readable
+ */
+/**
+ * @typedef {import('stream').Writable} Writable
+ */
+/**
+ * @param {import('chalk')['default']['level']} colorLevel
+ * @param {boolean} isInteractive
+ * @param {any} npmlog
+ * @returns {Promise<{ captureTTY<RET extends any>(mutexFn: (input: Readable | null, output?: Writable, colorLevel: import('chalk')['default']['level']) => Promise<RET>): Promise<RET> }>}
+ */
+module.exports = async function createTTYServer (colorLevel, isInteractive, npmlog) {
+  const TTY_IPC = process.env['SOCKET_SECURITY_TTY_IPC']
+  const net = require('net')
+  /**
+   * @type {import('readline')}
+   */
+  let readline
+  const isSTDINInteractive = isInteractive
+  if (!isSTDINInteractive && TTY_IPC) {
+    return {
+      async captureTTY (mutexFn) {
+        return new Promise((resolve, reject) => {
+          const conn = net.createConnection({
+            path: TTY_IPC
+          }).on('error', reject)
+          let captured = false
+          /**
+           * @type {Array<Buffer>}
+           */
+          const bufs = []
+          conn.on('data', function awaitCapture (chunk) {
+            bufs.push(chunk)
+            /**
+             * @type {Buffer | null}
+             */
+            let lineBuff = Buffer.concat(bufs)
+            try {
+              if (!captured) {
+                const EOL = lineBuff.indexOf('\n'.charCodeAt(0))
+                if (EOL !== -1) {
+                  conn.removeListener('data', awaitCapture)
+                  conn.push(lineBuff.slice(EOL + 1))
+                  const {
+                    ipc_version: remote_ipc_version,
+                    capabilities: { input: hasInput, output: hasOutput, colorLevel: ipcColorLevel }
+                  } = JSON.parse(lineBuff.slice(0, EOL).toString('utf-8'))
+                  lineBuff = null
+                  captured = true
+                  if (remote_ipc_version !== ipc_version) {
+                    throw new Error('Mismatched STDIO tunnel IPC version, ensure you only have 1 version of socket CLI being called.')
+                  }
+                  const input = hasInput ? new PassThrough() : null
+                  input?.pause()
+                  if (input) conn.pipe(input)
+                  const output = hasOutput ? new PassThrough() : null
+                  output?.pipe(conn)
+                  // make ora happy
+                  // @ts-ignore
+                  output.isTTY = true
+                  // @ts-ignore
+                  output.cursorTo = function cursorTo (x, y, callback) {
+                    readline = readline || require('readline')
+                    // @ts-ignore
+                    readline.cursorTo(this, x, y, callback)
+                  }
+                  // @ts-ignore
+                  output.clearLine = function clearLine (dir, callback) {
+                    readline = readline || require('readline')
+                    // @ts-ignore
+                    readline.clearLine(this, dir, callback)
+                  }
+                  mutexFn(hasInput ? input : null, hasOutput ? /** @type {Writable} */(output) : undefined, ipcColorLevel)
+                    .then(resolve, reject)
+                    .finally(() => {
+                      conn.unref()
+                      conn.end()
+                      input?.end()
+                      output?.end()
+                      // process.exit(13)
+                    })
+                }
+              }
+            } catch (e) {
+              reject(e)
+            }
+          })
+        })
+      }
+    }
+  }
+  /**
+   * @type {Array<{resolve(): void}>}}
+   */
+  const pendingCaptures = []
+  let captured = false
+  const sock = path.join(require('os').tmpdir(), `socket-security-tty-${process.pid}.sock`)
+  process.env['SOCKET_SECURITY_TTY_IPC'] = sock
+  try {
+    await require('fs/promises').unlink(sock)
+  } catch (e) {
+    if (isErrnoException(e) && e.code !== 'ENOENT') {
+      throw e
+    }
+  }
+  const input = isSTDINInteractive ? process.stdin : null
+  const output = process.stderr
+  if (input) {
+    await new Promise((resolve, reject) => {
+      const server = net.createServer(async (conn) => {
+        if (captured) {
+          const captured = new Promise((resolve) => {
+            pendingCaptures.push({
+              resolve () {
+                resolve(undefined)
+              }
+            })
+          })
+          await captured
+        } else {
+          captured = true
+        }
+        const wasProgressEnabled = npmlog.progressEnabled
+        npmlog.pause()
+        if (wasProgressEnabled) {
+          npmlog.disableProgress()
+        }
+        conn.write(`${JSON.stringify({
+          ipc_version,
+          capabilities: {
+            input: Boolean(input),
+            output: true,
+            colorLevel
+          }
+        })}\n`)
+        conn.on('data', (data) => {
+          output.write(data)
+        })
+        conn.on('error', (e) => {
+          output.write(`there was an error prompting from a subshell (${e.message}), socket npm closing`)
+          process.exit(1)
+        })
+        input.on('data', (data) => {
+          conn.write(data)
+        })
+        input.on('end', () => {
+          conn.unref()
+          conn.end()
+          if (wasProgressEnabled) {
+            npmlog.enableProgress()
+          }
+          npmlog.resume()
+          nextCapture()
+        })
+      }).listen(sock, () => resolve(server)).on('error', (err) => {
+        reject(err)
+      }).unref()
+      process.on('exit', () => {
+        server.close()
+        try {
+          require('fs').unlinkSync(sock)
+        } catch (e) {
+          if (isErrnoException(e) && e.code !== 'ENOENT') {
+            throw e
+          }
+        }
+      })
+      resolve(server)
+    })
+  }
+  /**
+   *
+   */
+  function nextCapture () {
+    if (pendingCaptures.length > 0) {
+      const nextCapture = pendingCaptures.shift()
+      if (nextCapture) {
+        nextCapture.resolve()
+      }
+    } else {
+      captured = false
+    }
+  }
+  return {
+    async captureTTY (mutexFn) {
+      if (captured) {
+        const captured = new Promise((resolve) => {
+          pendingCaptures.push({
+            resolve () {
+              resolve(undefined)
+            }
+          })
+        })
+        await captured
+      } else {
+        captured = true
+      }
+      const wasProgressEnabled = npmlog.progressEnabled
+      try {
+        npmlog.pause()
+        if (wasProgressEnabled) {
+          npmlog.disableProgress()
+        }
+        // need await here for proper finally timing
+        return await mutexFn(input, output, colorLevel)
+      } finally {
+        if (wasProgressEnabled) {
+          npmlog.enableProgress()
+        }
+        npmlog.resume()
+        nextCapture()
+      }
+    }
+  }
+}

package/lib/utils/api-helpers.js

@@ -25,18 +25,16 @@ export function handleUnsuccessfulApiResponse (_name, result, spinner) {
 /**
  * @template T
  * @param {Promise<T>} value
- * @param {import('ora').Ora} spinner
  * @param {string} description
  * @returns {Promise<T>}
  */
-export async function handleApiCall (value, spinner, description) {
+export async function handleApiCall (value, description) {
   /** @type {T} */
   let result
 
   try {
     result = await value
   } catch (cause) {
-    spinner.fail()
     throw new ErrorWithCause(`Failed ${description}`, { cause })
   }
 

package/lib/utils/issue-rules.cjs

@@ -0,0 +1,180 @@
+//#region UX Constants
+/**
+ * @typedef {{block: boolean, display: boolean}} RuleActionUX
+ */
+const IGNORE_UX = {
+  block: false,
+  display: false
+}
+const WARN_UX = {
+  block: false,
+  display: true
+}
+const ERROR_UX = {
+  block: true,
+  display: true
+}
+//#endregion
+//#region utils
+/**
+ * @typedef { NonNullable<NonNullable<NonNullable<(Awaited<ReturnType<import('@socketsecurity/sdk').SocketSdk['postSettings']>> & {success: true})['data']['entries'][number]['settings'][string]>['issueRules']>>[string] | boolean } NonNormalizedIssueRule
+ */
+/**
+ * @typedef { (NonNullable<NonNullable<(Awaited<ReturnType<import('@socketsecurity/sdk').SocketSdk['postSettings']>> & {success: true})['data']['defaults']['issueRules']>[string]> & { action: string }) | boolean } NonNormalizedResolvedIssueRule
+ */
+/**
+ * Iterates over all entries with ordered issue rule for deferal
+ * Iterates over all issue rules and finds the first defined value that does not defer otherwise uses the defaultValue
+ * Takes the value and converts into a UX workflow
+ *
+ * @param {Iterable<Iterable<NonNormalizedIssueRule>>} entriesOrderedIssueRules
+ * @param {NonNormalizedResolvedIssueRule} defaultValue
+ * @returns {RuleActionUX}
+ */
+function resolveIssueRuleUX (entriesOrderedIssueRules, defaultValue) {
+  if (defaultValue === true || defaultValue == null) {
+    defaultValue = {
+      action: 'error'
+    }
+  } else if (defaultValue === false) {
+    defaultValue = {
+      action: 'ignore'
+    }
+  }
+  let block = false
+  let display = false
+  let needDefault = true
+  iterate_entries:
+  for (const issueRuleArr of entriesOrderedIssueRules) {
+    for (const rule of issueRuleArr) {
+      if (issueRuleValueDoesNotDefer(rule)) {
+        // there was a rule, even if a defer, don't narrow to the default
+        needDefault = false
+        const narrowingFilter = uxForDefinedNonDeferValue(rule)
+        block = block || narrowingFilter.block
+        display = display || narrowingFilter.display
+        continue iterate_entries
+      }
+    }
+    // all rules defer, narrow
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue)
+    block = block || narrowingFilter.block
+    display = display || narrowingFilter.display
+  }
+  if (needDefault) {
+    // no config set a
+    const narrowingFilter = uxForDefinedNonDeferValue(defaultValue)
+    block = block || narrowingFilter.block
+    display = display || narrowingFilter.display
+  }
+  return {
+    block,
+    display
+  }
+}
+
+/**
+ * Negative form because it is narrowing the type
+ *
+ * @type {(issueRuleValue: NonNormalizedIssueRule) => issueRuleValue is NonNormalizedResolvedIssueRule}
+ */
+function issueRuleValueDoesNotDefer (issueRule) {
+  if (issueRule === undefined) {
+    return false
+  } else if (typeof issueRule === 'object' && issueRule) {
+    const { action } = issueRule
+    if (action === undefined || action === 'defer') {
+      return false
+    }
+  }
+  return true
+}
+
+/**
+ * Handles booleans for backwards compatibility
+ *
+ * @param {NonNormalizedResolvedIssueRule} issueRuleValue
+ * @returns {RuleActionUX}
+ */
+function uxForDefinedNonDeferValue (issueRuleValue) {
+  if (typeof issueRuleValue === 'boolean') {
+    return issueRuleValue ? ERROR_UX : IGNORE_UX
+  }
+  const { action } = issueRuleValue
+  if (action === 'warn') {
+    return WARN_UX
+  } else if (action === 'ignore') {
+    return IGNORE_UX
+  }
+  return ERROR_UX
+}
+//#endregion
+//#region exports
+module.exports = {
+  /**
+   *
+   * @param {(Awaited<ReturnType<import('@socketsecurity/sdk').SocketSdk['postSettings']>> & {success: true})['data']} settings
+   * @returns {(context: {package: {name: string, version: string}, issue: {type: string}}) => RuleActionUX}
+   */
+  createIssueUXLookup (settings) {
+    /**
+     * @type {Map<keyof (typeof settings.defaults.issueRules), RuleActionUX>}
+     */
+    const cachedUX = new Map()
+    return (context) => {
+      const key = context.issue.type
+      /**
+       * @type {RuleActionUX | undefined}
+       */
+      let ux = cachedUX.get(key)
+      if (ux) {
+        return ux
+      }
+      /**
+       * @type {Array<Array<NonNormalizedIssueRule>>}
+       */
+      const entriesOrderedIssueRules = []
+      for (const settingsEntry of settings.entries) {
+        /**
+         * @type {Array<NonNormalizedIssueRule>}
+         */
+        const orderedIssueRules = []
+        let target = settingsEntry.start
+        while (target !== null) {
+          const resolvedTarget = settingsEntry.settings[target]
+          if (!resolvedTarget) {
+            break
+          }
+          const issueRuleValue = resolvedTarget.issueRules?.[key]
+          if (typeof issueRuleValue !== 'undefined') {
+            orderedIssueRules.push(issueRuleValue)
+          }
+          target = resolvedTarget.deferTo ?? null
+        }
+        entriesOrderedIssueRules.push(orderedIssueRules)
+      }
+      const defaultValue = settings.defaults.issueRules[key]
+      /**
+       * @type {NonNormalizedResolvedIssueRule}
+       */
+      let resolvedDefaultValue = {
+        action: 'error'
+      }
+      // @ts-ignore backcompat, cover with tests
+      if (defaultValue === false) {
+        resolvedDefaultValue = {
+          action: 'ignore'
+        }
+      // @ts-ignore backcompat, cover with tests
+      } else if (defaultValue && defaultValue !== true) {
+        resolvedDefaultValue = {
+          action: defaultValue.action ?? 'error'
+        }
+      }
+      ux = resolveIssueRuleUX(entriesOrderedIssueRules, resolvedDefaultValue)
+      cachedUX.set(key, ux)
+      return ux
+    }
+  }
+}
+//#endregion

package/lib/utils/misc.js

@@ -7,7 +7,7 @@ import { logSymbols } from './chalk-markdown.js'
 export function createDebugLogger (printDebugLogs) {
   return printDebugLogs
     // eslint-disable-next-line no-console
-    ? (...params) => console.error(logSymbols.info, ...params)
+    ? /** @type { (...params: unknown[]) => void } */(...params) => console.error(logSymbols.info, ...params)
     : () => {}
 }
 

package/lib/utils/path-resolve.js

@@ -5,11 +5,10 @@ import { globby } from 'globby'
 import ignore from 'ignore'
 // @ts-ignore This package provides no types
 import { directories } from 'ignore-by-default'
-import micromatch from 'micromatch'
 import { ErrorWithCause } from 'pony-cause'
 
 import { InputError } from './errors.js'
-import { isErrnoException } from './type-helpers.js'
+import { isErrnoException } from './type-helpers.cjs'
 
 /**
  * There are a lot of possible folders that we should not be looking in and "ignore-by-default" helps us with defining those
@@ -94,53 +93,65 @@ export async function mapGlobResultToFiles (entries, supportedFiles) {
  * @throws {InputError}
  */
 export async function mapGlobEntryToFiles (entry, supportedFiles) {
-  /** @type {string|undefined} */
-  let pkgJSFile
-  /** @type {string[]} */
-  let jsLockFiles = []
-  /** @type {string[]} */
-  let pyFiles = []
-
   const jsSupported = supportedFiles['npm'] || {}
-  const jsLockFilePatterns = Object.keys(jsSupported)
-    .filter(key => key !== 'packagejson')
-    .map(key => /** @type {{ pattern: string }} */ (jsSupported[key]).pattern)
-
-  const pyFilePatterns = Object.values(supportedFiles['pypi'] || {}).map(p => p.pattern)
-  if (entry.endsWith('/')) {
-    // If the match is a folder and that folder contains a package.json file, then include it
-    const filePath = path.resolve(entry, 'package.json')
-    if (await fileExists(filePath)) pkgJSFile = filePath
-    pyFiles = await globby(pyFilePatterns, {
-      ...BASE_GLOBBY_OPTS,
-      cwd: entry
-    })
-  } else {
-    const entryFile = path.basename(entry)
-
-    if (entryFile === 'package.json') {
-      // If the match is a package.json file, then include it
-      pkgJSFile = entry
-    } else if (micromatch.isMatch(entryFile, jsLockFilePatterns)) {
-      jsLockFiles = [entry]
-      pkgJSFile = path.resolve(path.dirname(entry), 'package.json')
-      if (!(await fileExists(pkgJSFile))) return []
-    } else if (micromatch.isMatch(entryFile, pyFilePatterns)) {
-      pyFiles = [entry]
-    }
-  }
-
-  // If we will include a package.json file but don't already have a corresponding lockfile, then look for one
-  if (!jsLockFiles.length && pkgJSFile) {
-    const pkgDir = path.dirname(pkgJSFile)
-
-    jsLockFiles = await globby(jsLockFilePatterns, {
-      ...BASE_GLOBBY_OPTS,
-      cwd: pkgDir
-    })
-  }
-
-  return [...jsLockFiles, ...pyFiles].concat(pkgJSFile ? [pkgJSFile] : [])
+  const jsLockFilePatterns = Object.values(jsSupported)
+    // .filter(key => key !== 'packagejson')
+    .map(p => `**/${/** @type {{ pattern: string }} */ (p).pattern}`)
+
+  const pyFilePatterns = Object.values(supportedFiles['pypi'] || {})
+    .map(p => `**/${/** @type {{ pattern: string }} */ (p).pattern}`)
+
+  const goSupported = supportedFiles['go'] || {}
+  const goSupplementalPatterns = Object.values(goSupported)
+    // .filter(key => key !== 'gomod')
+    .map(p => `**/${/** @type {{ pattern: string }} */ (p).pattern}`)
+
+  const files = await globby([
+    ...jsLockFilePatterns,
+    ...pyFilePatterns,
+    ...goSupplementalPatterns
+  ], {
+    ...BASE_GLOBBY_OPTS,
+    onlyFiles: true,
+    cwd: path.resolve((await stat(entry)).isDirectory() ? entry : path.dirname(entry))
+  })
+  return files
+
+  // if (entry.endsWith('/')) {
+  //   // If the match is a folder and that folder contains a package.json file, then include it
+  //   const jsPkg = path.resolve(entry, 'package.json')
+  //   if (await fileExists(jsPkg)) pkgJSFile = jsPkg
+
+  //   const goPkg = path.resolve(entry, 'go.mod')
+  //   if (await fileExists(goPkg)) pkgGoFile = goPkg
+
+  //   pyFiles = await globby(pyFilePatterns, {
+  //     ...BASE_GLOBBY_OPTS,
+  //     cwd: entry
+  //   })
+  // } else {
+  //   const entryFile = path.basename(entry)
+
+  //   if (entryFile === 'package.json') {
+  //     // If the match is a package.json file, then include it
+  //     pkgJSFile = entry
+  //   } else if (micromatch.isMatch(entryFile, jsLockFilePatterns)) {
+  //     jsLockFiles = [entry]
+  //     pkgJSFile = path.resolve(path.dirname(entry), 'package.json')
+  //     if (!(await fileExists(pkgJSFile))) return []
+  //   } else if (entryFile === 'go.mod') {
+  //     pkgGoFile = entry
+  //   } else if (micromatch.isMatch(entryFile, goSupplementalPatterns)) {
+  //     goExtraFiles = [entry]
+  //     pkgGoFile = path.resolve(path.dirname(entry), 'go.mod')
+  //   } else if (micromatch.isMatch(entryFile, pyFilePatterns)) {
+  //     pyFiles = [entry]
+  //   }
+  // }
+
+  // return [...jsLockFiles, ...pyFiles, ...goExtraFiles]
+  //   .concat(pkgJSFile ? [pkgJSFile] : [])
+  //   .concat(pkgGoFile ? [pkgGoFile] : [])
 }
 
 /**

package/lib/utils/sdk.js

@@ -9,25 +9,69 @@ import prompts from 'prompts'
 import { AuthError } from './errors.js'
 import { getSetting } from './settings.js'
 
+export const FREE_API_KEY = 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+
 /**
  * This API key should be stored globally for the duration of the CLI execution
  *
  * @type {string | undefined}
  */
-let sessionAPIKey
+let defaultKey
+
+/** @returns {string | undefined} */
+export function getDefaultKey () {
+  defaultKey = process.env['SOCKET_SECURITY_API_KEY'] || getSetting('apiKey') || defaultKey
+  return defaultKey
+}
+
+/**
+ * The API server that should be used for operations
+ *
+ * @type {string | undefined}
+ */
+let defaultAPIBaseUrl
+
+/**
+ * @returns {string | undefined}
+ */
+export function getDefaultAPIBaseUrl () {
+  defaultAPIBaseUrl = process.env['SOCKET_SECURITY_API_BASE_URL'] || getSetting('apiBaseUrl') || undefined
+  return defaultAPIBaseUrl
+}
+
+/**
+ * The API server that should be used for operations
+ *
+ * @type {string | undefined}
+ */
+let defaultApiProxy
 
-/** @returns {Promise<import('@socketsecurity/sdk').SocketSdk>} */
-export async function setupSdk () {
-  let apiKey = getSetting('apiKey') || process.env['SOCKET_SECURITY_API_KEY'] || sessionAPIKey
+/**
+ * @returns {string | undefined}
+ */
+export function getDefaultHTTPProxy () {
+  defaultApiProxy = process.env['SOCKET_SECURITY_API_PROXY'] || getSetting('apiProxy') || undefined
+  return defaultApiProxy
+}
 
-  if (!apiKey && isInteractive()) {
+/**
+ * @param {string} [apiKey]
+ * @param {string} [apiBaseUrl]
+ * @param {string} [proxy]
+ * @returns {Promise<import('@socketsecurity/sdk').SocketSdk>}
+ */
+export async function setupSdk (apiKey = getDefaultKey(), apiBaseUrl = getDefaultAPIBaseUrl(), proxy = getDefaultHTTPProxy()) {
+  if (apiKey == null && isInteractive()) {
+    /**
+     * @type {{ apiKey: string }}
+     */
     const input = await prompts({
       type: 'password',
       name: 'apiKey',
-      message: 'Enter your Socket.dev API key (not saved)',
+      message: 'Enter your Socket.dev API key (not saved, use socket login to persist)',
     })
 
-    apiKey = sessionAPIKey = input.apiKey
+    apiKey = defaultKey = input.apiKey
   }
 
   if (!apiKey) {
@@ -37,11 +81,11 @@ export async function setupSdk () {
   /** @type {import('@socketsecurity/sdk').SocketSdkOptions["agent"]} */
   let agent
 
-  if (process.env['SOCKET_SECURITY_API_PROXY']) {
+  if (proxy) {
     const { HttpProxyAgent, HttpsProxyAgent } = await import('hpagent')
     agent = {
-      http: new HttpProxyAgent({ proxy: process.env['SOCKET_SECURITY_API_PROXY'] }),
-      https: new HttpsProxyAgent({ proxy: process.env['SOCKET_SECURITY_API_PROXY'] }),
+      http: new HttpProxyAgent({ proxy }),
+      https: new HttpsProxyAgent({ proxy }),
     }
   }
   const packageJsonPath = join(dirname(fileURLToPath(import.meta.url)), '../../package.json')
@@ -50,7 +94,7 @@ export async function setupSdk () {
   /** @type {import('@socketsecurity/sdk').SocketSdkOptions} */
   const sdkOptions = {
     agent,
-    baseUrl: process.env['SOCKET_SECURITY_API_BASE_URL'],
+    baseUrl: apiBaseUrl,
     userAgent: createUserAgentFromPkgJson(JSON.parse(packageJson))
   }