@socketsecurity/cli 1.1.33 → 1.1.34

package/CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+
+## [1.1.34](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.33) - 2025-11-21
+
+### Fixed
+- The target path is now properly considered when conducting reachability analysis: `socket scan reach <target>` and `socket scan create --reach <target>`.
+- Fixed a bug where manifest files `<target>` were not included in a scan when the target was pointing to a directory.
+
 ## [1.1.33](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.33) - 2025-11-20
 
 ### Changed

package/dist/cli.js

@@ -1563,12 +1563,19 @@ async function performReachabilityAnalysis(options) {
     reachabilityOptions,
     repoName,
     spinner,
+    target,
     uploadManifests = true
   } = {
     __proto__: null,
     ...options
   };
 
+  // Determine the analysis target - make it relative to cwd if absolute.
+  let analysisTarget = target;
+  if (path.isAbsolute(analysisTarget)) {
+    analysisTarget = path.relative(cwd, analysisTarget) || '.';
+  }
+
   // Check if user has enterprise plan for reachability analysis.
   const orgsCResult = await utils.fetchOrganization();
   if (!orgsCResult.ok) {
@@ -1631,7 +1638,7 @@ async function performReachabilityAnalysis(options) {
   spinner?.infoAndStop('Running reachability analysis with Coana...');
 
   // Build Coana arguments.
-  const coanaArgs = ['run', cwd, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', analysisTarget, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : [])];
 
@@ -2260,7 +2267,8 @@ async function handleCreateNewScan({
       packagePaths,
       reachabilityOptions: reach,
       repoName,
-      spinner
+      spinner,
+      target: targets[0]
     });
     spinner.stop();
     if (!reachResult.ok) {
@@ -2372,6 +2380,7 @@ async function handleCi(autoManifest) {
       reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
       reachConcurrency: 1,
+      reachDebug: false,
       reachDisableAnalytics: false,
       reachDisableAnalysisSplitting: false,
       reachEcosystems: [],
@@ -11062,6 +11071,11 @@ const reachabilityFlags = {
     default: 1,
     description: 'Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.'
   },
+  reachDebug: {
+    type: 'boolean',
+    default: false,
+    description: 'Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.'
+  },
   reachDisableAnalytics: {
     type: 'boolean',
     default: false,
@@ -11107,6 +11121,41 @@ async function suggestTarget() {
   return proceed ? ['.'] : [];
 }
 
+/**
+ * Validates that a target directory meets the requirements for reachability analysis.
+ *
+ * @param targets - Array of target paths to validate.
+ * @param cwd - Current working directory.
+ * @returns Validation result object with boolean flags.
+ */
+async function validateReachabilityTarget(targets, cwd) {
+  const result = {
+    isDirectory: false,
+    isInsideCwd: false,
+    isValid: targets.length === 1,
+    targetExists: false
+  };
+  if (!result.isValid || !targets[0]) {
+    return result;
+  }
+
+  // Resolve cwd to absolute path to handle relative cwd values.
+  const absoluteCwd = path.resolve(cwd);
+
+  // Resolve target path to absolute for validation.
+  const targetPath = path.isAbsolute(targets[0]) ? targets[0] : path.resolve(absoluteCwd, targets[0]);
+
+  // Check if target is inside cwd.
+  const relativePath = path.relative(absoluteCwd, targetPath);
+  result.isInsideCwd = !relativePath.startsWith('..') && !path.isAbsolute(relativePath);
+  result.targetExists = fs$1.existsSync(targetPath);
+  if (result.targetExists) {
+    const targetStat = await fs$1.promises.stat(targetPath);
+    result.isDirectory = targetStat.isDirectory();
+  }
+  return result;
+}
+
 const CMD_NAME$a = 'create';
 const description$c = 'Create a new Socket scan and report';
 const hidden$a = false;
@@ -11291,6 +11340,7 @@ async function run$d(argv, importMeta, {
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
     reachConcurrency,
+    reachDebug,
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache,
@@ -11422,6 +11472,14 @@ async function run$d(argv, importMeta, {
   const isUsingNonDefaultConcurrency = reachConcurrency !== reachabilityFlags['reachConcurrency']?.default;
   const isUsingNonDefaultAnalytics = reachDisableAnalytics !== reachabilityFlags['reachDisableAnalytics']?.default;
   const isUsingAnyReachabilityFlags = isUsingNonDefaultMemoryLimit || isUsingNonDefaultTimeout || isUsingNonDefaultConcurrency || isUsingNonDefaultAnalytics || hasReachEcosystems || hasReachExcludePaths || reachSkipCache || reachDisableAnalysisSplitting;
+
+  // Validate target constraints when --reach is enabled.
+  const reachTargetValidation = reach ? await validateReachabilityTarget(targets, cwd) : {
+    isDirectory: false,
+    isInsideCwd: false,
+    isValid: true,
+    targetExists: false
+  };
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: !!orgSlug,
@@ -11456,6 +11514,26 @@ async function run$d(argv, importMeta, {
     test: reach || !isUsingAnyReachabilityFlags,
     message: 'Reachability analysis flags require --reach to be enabled',
     fail: 'add --reach flag to use --reach-* options'
+  }, {
+    nook: true,
+    test: !reach || reachTargetValidation.isValid,
+    message: 'Reachability analysis requires exactly one target directory when --reach is enabled',
+    fail: 'provide exactly one directory path'
+  }, {
+    nook: true,
+    test: !reach || reachTargetValidation.isDirectory,
+    message: 'Reachability analysis target must be a directory when --reach is enabled',
+    fail: 'provide a directory path, not a file'
+  }, {
+    nook: true,
+    test: !reach || reachTargetValidation.targetExists,
+    message: 'Target directory must exist when --reach is enabled',
+    fail: 'provide an existing directory path'
+  }, {
+    nook: true,
+    test: !reach || reachTargetValidation.isInsideCwd,
+    message: 'Target directory must be inside the current working directory when --reach is enabled',
+    fail: 'provide a path inside the working directory'
   });
   if (!wasValidInput) {
     return;
@@ -11483,6 +11561,7 @@ async function run$d(argv, importMeta, {
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
       reachConcurrency: Number(reachConcurrency),
+      reachDebug: Boolean(reachDebug),
       reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
       reachEcosystems,
       reachExcludePaths,
@@ -12130,6 +12209,7 @@ async function scanOneRepo(repoSlug, {
       reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
       reachConcurrency: 1,
+      reachDebug: false,
       reachDisableAnalysisSplitting: false,
       reachEcosystems: [],
       reachExcludePaths: [],
@@ -13319,6 +13399,7 @@ async function handleScanReach({
     packagePaths,
     reachabilityOptions,
     spinner,
+    target: targets[0],
     uploadManifests: true
   });
   spinner.stop();
@@ -13402,6 +13483,7 @@ async function run$7(argv, importMeta, {
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
     reachConcurrency,
+    reachDebug,
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache
@@ -13425,7 +13507,7 @@ async function run$7(argv, importMeta, {
   const cwd = cwdOverride && cwdOverride !== '.' && cwdOverride !== processCwd ? path.resolve(processCwd, cwdOverride) : processCwd;
 
   // Accept zero or more paths. Default to cwd() if none given.
-  let targets = cli.input || [cwd];
+  let targets = cli.input.length ? cli.input : [cwd];
 
   // Use suggestTarget if no targets specified and in interactive mode
   if (!targets.length && !dryRun && interactive) {
@@ -13436,6 +13518,9 @@ async function run$7(argv, importMeta, {
   } = await utils.determineOrgSlug(orgFlag, interactive, dryRun);
   const hasApiToken = utils.hasDefaultApiToken();
   const outputKind = utils.getOutputKind(json, markdown);
+
+  // Validate target constraints for reachability analysis.
+  const targetValidation = await validateReachabilityTarget(targets, cwd);
   const wasValidInput = utils.checkCommandInput(outputKind, {
     nook: true,
     test: !!orgSlug,
@@ -13451,6 +13536,26 @@ async function run$7(argv, importMeta, {
     test: !json || !markdown,
     message: 'The json and markdown flags cannot be both set, pick one',
     fail: 'omit one'
+  }, {
+    nook: true,
+    test: targetValidation.isValid,
+    message: 'Reachability analysis requires exactly one target directory',
+    fail: 'provide exactly one directory path'
+  }, {
+    nook: true,
+    test: targetValidation.isDirectory,
+    message: 'Reachability analysis target must be a directory',
+    fail: 'provide a directory path, not a file'
+  }, {
+    nook: true,
+    test: targetValidation.targetExists,
+    message: 'Target directory must exist',
+    fail: 'provide an existing directory path'
+  }, {
+    nook: true,
+    test: targetValidation.isInsideCwd,
+    message: 'Target directory must be inside the current working directory',
+    fail: 'provide a path inside the working directory'
   });
   if (!wasValidInput) {
     return;
@@ -13469,6 +13574,7 @@ async function run$7(argv, importMeta, {
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
       reachConcurrency: Number(reachConcurrency),
+      reachDebug: Boolean(reachDebug),
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
       reachEcosystems,
@@ -15311,5 +15417,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=24f79e28-d381-4303-8ec8-8eade398a936
+//# debugId=eed4ae6e-70d5-40a8-9ca4-86ec9e6e0d6c
 //# sourceMappingURL=cli.js.map