@socketsecurity/cli 0.9.0 → 0.10.0

package/lib/commands/scan/metadata.js

@@ -0,0 +1,113 @@
+/* eslint-disable no-console */
+
+import chalk from 'chalk'
+import meow from 'meow'
+import ora from 'ora'
+
+import { outputFlags } from '../../flags/index.js'
+import { handleApiCall, handleUnsuccessfulApiResponse } from '../../utils/api-helpers.js'
+import { printFlagList } from '../../utils/formatting.js'
+import { getDefaultKey, setupSdk } from '../../utils/sdk.js'
+
+/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
+export const metadata = {
+  description: 'Get a scan\'s metadata',
+  async run (argv, importMeta, { parentName }) {
+    const name = parentName + ' metadata'
+
+    const input = setupCommand(name, metadata.description, argv, importMeta)
+    if (input) {
+      const spinnerText = 'Getting scan\'s metadata... \n'
+      const spinner = ora(spinnerText).start()
+      await getOrgScanMetadata(input.orgSlug, input.scanID, spinner)
+    }
+  }
+}
+
+// Internal functions
+
+/**
+ * @typedef CommandContext
+ * @property {boolean} outputJson
+ * @property {boolean} outputMarkdown
+ * @property {string} orgSlug
+ * @property {string} scanID
+ */
+
+/**
+ * @param {string} name
+ * @param {string} description
+ * @param {readonly string[]} argv
+ * @param {ImportMeta} importMeta
+ * @returns {void|CommandContext}
+ */
+function setupCommand (name, description, argv, importMeta) {
+  const flags = {
+    ...outputFlags,
+  }
+
+  const cli = meow(`
+    Usage
+      $ ${name} <org slug> <scan id>
+
+    Options
+      ${printFlagList(flags, 6)}
+
+    Examples
+      $ ${name} FakeOrg 000aaaa1-0000-0a0a-00a0-00a0000000a0
+  `, {
+    argv,
+    description,
+    importMeta,
+    flags
+  })
+
+  const {
+    json: outputJson,
+    markdown: outputMarkdown,
+  } = cli.flags
+
+  if (cli.input.length < 2) {
+    console.error(`${chalk.bgRed('Input error')}: Please specify an organization slug and a scan ID.\n`)
+    cli.showHelp()
+    return
+  }
+
+  const [orgSlug = '', scanID = ''] = cli.input
+
+  return {
+    outputJson,
+    outputMarkdown,
+    orgSlug,
+    scanID
+  }
+}
+
+/**
+ * @typedef FullScansData
+ * @property {import('@socketsecurity/sdk').SocketSdkReturnType<'getOrgFullScanMetadata'>["data"]} data
+ */
+
+/**
+ * @param {string} orgSlug
+ * @param {string} scanId
+ * @param {import('ora').Ora} spinner
+ * @returns {Promise<void|FullScansData>}
+ */
+async function getOrgScanMetadata (orgSlug, scanId, spinner) {
+  const socketSdk = await setupSdk(getDefaultKey())
+  const result = await handleApiCall(socketSdk.getOrgFullScanMetadata(orgSlug, scanId), 'Listing scans')
+
+  if (!result.success) {
+    return handleUnsuccessfulApiResponse('getOrgFullScanMetadata', result, spinner)
+  }
+  spinner.stop()
+
+  console.log('\nScan metadata: \n')
+
+  console.log(result.data)
+
+  return {
+    data: result.data
+  }
+}

package/lib/commands/scan/stream.js

@@ -0,0 +1,115 @@
+/* eslint-disable no-console */
+
+import chalk from 'chalk'
+import meow from 'meow'
+import ora from 'ora'
+
+import { outputFlags } from '../../flags/index.js'
+import { handleApiCall, handleUnsuccessfulApiResponse } from '../../utils/api-helpers.js'
+import { printFlagList } from '../../utils/formatting.js'
+import { getDefaultKey, setupSdk } from '../../utils/sdk.js'
+
+/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
+export const stream = {
+  description: 'Stream the output of a scan',
+  async run (argv, importMeta, { parentName }) {
+    const name = parentName + ' stream'
+
+    const input = setupCommand(name, stream.description, argv, importMeta)
+    if (input) {
+      const spinnerText = 'Streaming scan... \n'
+      const spinner = ora(spinnerText).start()
+      await getOrgFullScan(input.orgSlug, input.fullScanId, input.file, spinner)
+    }
+  }
+}
+
+// Internal functions
+
+/**
+ * @typedef CommandContext
+ * @property {boolean} outputJson
+ * @property {boolean} outputMarkdown
+ * @property {string} orgSlug
+ * @property {string} fullScanId
+ * @property {string | undefined} file
+ */
+
+/**
+ * @param {string} name
+ * @param {string} description
+ * @param {readonly string[]} argv
+ * @param {ImportMeta} importMeta
+ * @returns {void|CommandContext}
+ */
+function setupCommand (name, description, argv, importMeta) {
+  const flags = {
+    ...outputFlags
+  }
+
+  const cli = meow(`
+    Usage
+      $ ${name} <org slug> <scan ID> <path to output file>
+
+    Options
+      ${printFlagList(flags, 6)}
+
+    Examples
+      $ ${name} FakeOrg 000aaaa1-0000-0a0a-00a0-00a0000000a0 ./stream.txt
+  `, {
+    argv,
+    description,
+    importMeta,
+    flags
+  })
+
+  const {
+    json: outputJson,
+    markdown: outputMarkdown,
+  } = cli.flags
+
+  if (cli.input.length < 2) {
+    console.error(`${chalk.bgRed('Input error')}: Please specify an organization slug and a scan ID.\n`)
+    cli.showHelp()
+    return
+  }
+
+  const [orgSlug = '', fullScanId = '', file] = cli.input
+
+  return {
+    outputJson,
+    outputMarkdown,
+    orgSlug,
+    fullScanId,
+    file
+  }
+}
+
+/**
+ * @typedef FullScanData
+ * @property {import('@socketsecurity/sdk').SocketSdkReturnType<'getOrgFullScan'>["data"]} data
+ */
+
+/**
+ * @param {string} orgSlug
+ * @param {string} fullScanId
+ * @param {string | undefined} file
+ * @param {import('ora').Ora} spinner
+ * @returns {Promise<void|FullScanData>}
+ */
+async function getOrgFullScan (orgSlug, fullScanId, file, spinner) {
+  const socketSdk = await setupSdk(getDefaultKey())
+  const result = await handleApiCall(socketSdk.getOrgFullScan(orgSlug, fullScanId, file), 'Streaming a scan')
+
+  if (!result?.success) {
+    return handleUnsuccessfulApiResponse('getOrgFullScan', result, spinner)
+  }
+
+  spinner.stop()
+
+  console.log(file ? `\nFull scan details written to ${file} \n` : '\nFull scan details: \n')
+
+  return {
+    data: result.data
+  }
+}

package/lib/commands/wrapper/index.js

@@ -0,0 +1,199 @@
+/* eslint-disable no-console */
+import fs from 'fs'
+import homedir from 'os'
+import readline from 'readline'
+
+import meow from 'meow'
+
+import { commandFlags } from '../../flags/index.js'
+import { printFlagList } from '../../utils/formatting.js'
+
+const BASH_FILE = `${homedir.homedir()}/.bashrc`
+const ZSH_BASH_FILE = `${homedir.homedir()}/.zshrc`
+
+/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
+export const wrapper = {
+  description: 'Enable or disable the Socket npm/npx wrapper',
+  async run (argv, importMeta, { parentName }) {
+    const name = parentName + ' wrapper'
+
+    setupCommand(name, wrapper.description, argv, importMeta)
+  }
+}
+
+/**
+ * @param {string} name
+ * @param {string} description
+ * @param {readonly string[]} argv
+ * @param {ImportMeta} importMeta
+ * @returns {void}
+ */
+function setupCommand (name, description, argv, importMeta) {
+  const flags = commandFlags
+
+  const cli = meow(`
+    Usage
+      $ ${name} <flag>
+
+    Options
+      ${printFlagList(flags, 6)}
+
+    Examples
+      $ ${name} --enable
+      $ ${name} --disable
+  `, {
+    argv,
+    description,
+    importMeta,
+    flags
+  })
+
+  const { enable, disable } = cli.flags
+
+  if (argv[0] === '--postinstall') {
+    // Check if the wrapper is already enabled before showing the postinstall prompt
+    const socketWrapperEnabled = (fs.existsSync(BASH_FILE) && checkSocketWrapperAlreadySetup(BASH_FILE)) || (fs.existsSync(ZSH_BASH_FILE) && checkSocketWrapperAlreadySetup(ZSH_BASH_FILE))
+
+    if (!socketWrapperEnabled) {
+      installSafeNpm(`The Socket CLI is now successfully installed! 🎉
+
+      To better protect yourself against supply-chain attacks, our "safe npm" wrapper can warn you about malicious packages whenever you run 'npm install'.
+
+      Do you want to install "safe npm" (this will create an alias to the socket-npm command)? (y/n)`)
+    }
+
+    return
+  }
+
+  if (!enable && !disable) {
+    cli.showHelp()
+    return
+  }
+
+  if (enable) {
+      if (fs.existsSync(BASH_FILE)) {
+        const socketWrapperEnabled = checkSocketWrapperAlreadySetup(BASH_FILE)
+        !socketWrapperEnabled && addAlias(BASH_FILE)
+      }
+      if (fs.existsSync(ZSH_BASH_FILE)) {
+        const socketWrapperEnabled = checkSocketWrapperAlreadySetup(ZSH_BASH_FILE)
+        !socketWrapperEnabled && addAlias(ZSH_BASH_FILE)
+      }
+  } else if (disable) {
+    if (fs.existsSync(BASH_FILE)) {
+      removeAlias(BASH_FILE)
+    }
+    if (fs.existsSync(ZSH_BASH_FILE)) {
+      removeAlias(ZSH_BASH_FILE)
+    }
+  }
+  if (!fs.existsSync(BASH_FILE) && !fs.existsSync(ZSH_BASH_FILE)) {
+    console.error('There was an issue setting up the alias in your bash profile')
+  }
+  return
+}
+
+/**
+ * @param {string} query
+ * @returns {void}
+ */
+const installSafeNpm = (query) => {
+  console.log(`
+ _____         _       _
+|   __|___ ___| |_ ___| |_
+|__   | . |  _| '_| -_|  _|
+|_____|___|___|_,_|___|_|
+
+`)
+
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  })
+  return askQuestion(rl, query)
+}
+
+/**
+ * @param {any} rl
+ * @param {string} query
+ * @returns {void}
+ */
+const askQuestion = (rl, query) => {
+  rl.question(query, (/** @type {string} */ ans) => {
+    if (ans.toLowerCase() === 'y') {
+      try {
+        if (fs.existsSync(BASH_FILE)) {
+          addAlias(BASH_FILE)
+        }
+        if (fs.existsSync(ZSH_BASH_FILE)) {
+          addAlias(ZSH_BASH_FILE)
+        }
+      } catch (e) {
+        throw new Error(`There was an issue setting up the alias: ${e}`)
+      }
+      rl.close()
+    } else if (ans.toLowerCase() !== 'n') {
+      askQuestion(rl, 'Incorrect input: please enter either y (yes) or n (no): ')
+    } else {
+      rl.close()
+    }
+  })
+}
+
+/**
+ * @param {string} file
+ * @returns {void}
+ */
+const addAlias = (file) => {
+  return fs.appendFile(file, 'alias npm="socket npm"\nalias npx="socket npx"\n', (err) => {
+    if (err) {
+      return new Error(`There was an error setting up the alias: ${err}`)
+    }
+    console.log(`
+The alias was added to ${file}. Running 'npm install' will now be wrapped in Socket's "safe npm" 🎉
+If you want to disable it at any time, run \`socket wrapper --disable\`
+`)
+  })
+}
+
+/**
+ * @param {string} file
+ * @returns {void}
+ */
+const removeAlias = (file) => {
+  return fs.readFile(file, 'utf8', function (err, data) {
+    if (err) {
+      console.error(`There was an error removing the alias: ${err}`)
+      return
+    }
+    const linesWithoutSocketAlias = data.split('\n').filter(l => l !== 'alias npm="socket npm"' && l !== 'alias npx="socket npx"')
+
+    const updatedFileContent = linesWithoutSocketAlias.join('\n')
+
+    fs.writeFile(file, updatedFileContent, function (err) {
+      if (err) {
+        console.log(err)
+        return
+      } else {
+         console.log(`
+The alias was removed from ${file}. Running 'npm install' will now run the standard npm command.
+`)
+      }
+    })
+  })
+}
+
+/**
+ * @param {string} file
+ * @returns {boolean}
+ */
+const checkSocketWrapperAlreadySetup = (file) => {
+  const fileContent = fs.readFileSync(file, 'utf-8')
+  const linesWithSocketAlias = fileContent.split('\n').filter(l => l === 'alias npm="socket npm"' || l === 'alias npx="socket npx"')
+
+  if (linesWithSocketAlias.length) {
+    console.log(`The Socket npm/npx wrapper is set up in your bash profile (${file}).`)
+    return true
+  }
+  return false
+}

package/lib/flags/command.js

@@ -0,0 +1,14 @@
+import { prepareFlags } from '../utils/flags.js'
+
+export const commandFlags = prepareFlags({
+  enable: {
+    type: 'boolean',
+    default: false,
+    description: 'Enables the Socket npm/npx wrapper',
+  },
+  disable: {
+    type: 'boolean',
+    default: false,
+    description: 'Disables the Socket npm/npx wrapper',
+  }
+})

package/lib/flags/index.js

@@ -1,2 +1,3 @@
 export { outputFlags } from './output.js'
 export { validationFlags } from './validation.js'
+export { commandFlags } from './command.js'

package/lib/shadow/npm-injection.cjs

@@ -268,7 +268,17 @@ function findRoot (filepath) {
 }
 const npmDir = findRoot(path.dirname(npmEntrypoint))
 const arboristLibClassPath = path.join(npmDir, 'node_modules', '@npmcli', 'arborist', 'lib', 'arborist', 'index.js')
-const npmlog = require(path.join(npmDir, 'node_modules', 'npmlog', 'lib', 'log.js'))
+
+const npmVersion = process.env.NPM_VERSION.split('.')
+let npmlog
+
+if(npmVersion[0] === '10' && npmVersion[1] >= '6'){
+  const { log } = require(path.join(npmDir, 'node_modules', 'proc-log', 'lib', 'index.js'))
+  npmlog = log
+} else {
+  npmlog = require(path.join(npmDir, 'node_modules', 'npmlog', 'lib', 'log.js'))
+}
+
 /**
  * @type {import('pacote')}
  */

package/lib/utils/format-issues.js

@@ -27,7 +27,7 @@ const SEVERITIES_BY_ORDER = /** @type {const} */ ([
 
   return result
 }
-
+/* TODO: Delete this function when we remove the report command */
 /**
  * @param {SocketIssueList} issues
  * @param {SocketIssue['severity']} [lowestToInclude]
@@ -54,6 +54,33 @@ export function getSeverityCount (issues, lowestToInclude) {
   return severityCount
 }
 
+/* The following function is the updated one */
+/**
+ * @param {Array<SocketIssue>} issues
+ * @param {SocketIssue['severity']} [lowestToInclude]
+ * @returns {Record<SocketIssue['severity'], number>}
+ */
+export function getCountSeverity (issues, lowestToInclude) {
+  const severityCount = pick(
+    { low: 0, middle: 0, high: 0, critical: 0 },
+    getDesiredSeverities(lowestToInclude)
+  )
+
+  for (const issue of issues) {
+    const severity = issue.severity
+
+    if (!severity) {
+      continue
+    }
+
+    if (severityCount[severity] !== undefined) {
+      severityCount[severity] += 1
+    }
+  }
+
+  return severityCount
+}
+
 /**
  * @param {Record<SocketIssue['severity'], number>} severityCount
  * @returns {string}

package/lib/utils/meow-with-subcommands.js

@@ -25,9 +25,8 @@ import { printFlagList, printHelpList } from './formatting.js'
  */
 
 /**
- * @template {import('meow').AnyFlags} Flags
  * @param {Record<string, CliSubcommand>} subcommands
- * @param {import('meow').Options<Flags> & { aliases?: CliAliases, argv: readonly string[], name: string }} options
+ * @param {import('meow').Options<any> & { aliases?: CliAliases, argv: readonly string[], name: string }} options
  * @returns {Promise<void>}
  */
 export async function meowWithSubcommands (subcommands, options) {

package/lib/utils/misc.js

@@ -30,7 +30,6 @@ export function stringJoinWithSeparateFinalSeparator (list, separator = ' and ')
 
 /**
  * Returns a new object with only the specified keys from the input object
- *
  * @template {Record<string,any>} T
  * @template {keyof T} K
  * @param {T} input

package/lib/utils/path-resolve.js

@@ -12,7 +12,6 @@ import { isErrnoException } from './type-helpers.cjs'
 
 /**
  * There are a lot of possible folders that we should not be looking in and "ignore-by-default" helps us with defining those
- *
  * @type {readonly string[]}
  */
 const ignoreByDefault = directories()
@@ -31,7 +30,6 @@ const BASE_GLOBBY_OPTS = {
 
 /**
  * Resolves package.json and lockfiles from (globbed) input paths, applying relevant ignores
- *
  * @param {string} cwd The working directory to use when resolving paths
  * @param {string[]} inputPaths A list of paths to folders, package.json files and/or recognized lockfiles. Supports globs.
  * @param {import('@socketsecurity/config').SocketYml|undefined} config
@@ -57,18 +55,46 @@ export async function getPackageFiles (cwd, inputPaths, config, supportedFiles,
   debugLog(`Mapped ${entries.length} entries to ${packageFiles.length} files:`, packageFiles)
 
   const includedPackageFiles = config?.projectIgnorePaths?.length
+    // @ts-ignore
     ? ignore()
       .add(config.projectIgnorePaths)
       .filter(packageFiles.map(item => path.relative(cwd, item)))
-      .map(item => path.resolve(cwd, item))
+      .map((/** @type {string} */ item) => path.resolve(cwd, item))
     : packageFiles
 
   return includedPackageFiles
 }
 
+/**
+ * Resolves package.json and lockfiles from (globbed) input paths, applying relevant ignores
+ * @param {string} cwd The working directory to use when resolving paths
+ * @param {string[]} inputPaths A list of paths to folders, package.json files and/or recognized lockfiles. Supports globs.
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
+ * @param {typeof console.error} debugLog
+ * @returns {Promise<string[]>}
+ * @throws {InputError}
+ */
+export async function getPackageFilesFullScans (cwd, inputPaths, supportedFiles, debugLog) {
+  debugLog(`Globbed resolving ${inputPaths.length} paths:`, inputPaths)
+
+  // TODO: Does not support `~/` paths
+  const entries = await globby(inputPaths, {
+    ...BASE_GLOBBY_OPTS,
+    cwd,
+    onlyFiles: false
+  })
+
+  debugLog(`Globbed resolved ${inputPaths.length} paths to ${entries.length} paths:`, entries)
+
+  const packageFiles = await mapGlobResultToFiles(entries, supportedFiles)
+
+  debugLog(`Mapped ${entries.length} entries to ${packageFiles.length} files:`, packageFiles)
+
+  return packageFiles
+}
+
 /**
  * Takes paths to folders, package.json and/or recognized lock files and resolves them to package.json + lockfile pairs (where possible)
- *
  * @param {string[]} entries
  * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
  * @returns {Promise<string[]>}
@@ -86,7 +112,6 @@ export async function mapGlobResultToFiles (entries, supportedFiles) {
 
 /**
  * Takes a single path to a folder, package.json or a recognized lock file and resolves to a package.json + lockfile pair (where possible)
- *
  * @param {string} entry
  * @param {import('@socketsecurity/sdk').SocketSdkReturnType<'getReportSupportedFiles'>['data']} supportedFiles
  * @returns {Promise<string[]>}
@@ -101,7 +126,7 @@ export async function mapGlobEntryToFiles (entry, supportedFiles) {
   const pyFilePatterns = Object.values(supportedFiles['pypi'] || {})
     .map(p => `**/${/** @type {{ pattern: string }} */ (p).pattern}`)
 
-  const goSupported = supportedFiles['go'] || {}
+  const goSupported = supportedFiles['golang'] || {}
   const goSupplementalPatterns = Object.values(goSupported)
     // .filter(key => key !== 'gomod')
     .map(p => `**/${/** @type {{ pattern: string }} */ (p).pattern}`)

package/lib/utils/sdk.js

@@ -13,7 +13,6 @@ export const FREE_API_KEY = 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo
 
 /**
  * This API key should be stored globally for the duration of the CLI execution
- *
  * @type {string | undefined}
  */
 let defaultKey
@@ -26,7 +25,6 @@ export function getDefaultKey () {
 
 /**
  * The API server that should be used for operations
- *
  * @type {string | undefined}
  */
 let defaultAPIBaseUrl
@@ -41,7 +39,6 @@ export function getDefaultAPIBaseUrl () {
 
 /**
  * The API server that should be used for operations
- *
  * @type {string | undefined}
  */
 let defaultApiProxy