socket 1.1.123 → 1.1.126

package/dist/cli.js

@@ -333,9 +333,9 @@ const hidden$x = false;
 const cmdAnalytics = {
   description: description$F,
   hidden: hidden$x,
-  run: run$T
+  run: run$U
 };
-async function run$T(argv, importMeta, {
+async function run$U(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -756,9 +756,9 @@ const hidden$w = false;
 const cmdAuditLog = {
   description: description$E,
   hidden: hidden$w,
-  run: run$S
+  run: run$T
 };
-async function run$S(argv, importMeta, {
+async function run$T(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -1110,11 +1110,13 @@ async function fetchSupportedScanFileNames(options) {
 }
 
 /**
- * Finalize a tier1 reachability scan.
- *  - Associates the tier1 reachability scan metadata with the full scan
+ * Finalize a full application reachability scan (formerly known as "tier 1";
+ * the wire endpoint and request fields below retain the legacy tier1 name as
+ * a backend contract).
+ *  - Associates the reachability scan metadata with the full scan
  *    (or with `null` when called from a standalone reachability flow that
  *    has no full scan to bind to).
- *  - Transitions the tier1 reachability scan to its DONE terminal state.
+ *  - Transitions the reachability scan to its DONE terminal state.
  */
 async function finalizeTier1Scan(tier1ReachabilityScanId, scanId) {
   // we do not use the SDK here because the tier1-reachability-scan/finalize is a hidden
@@ -1787,7 +1789,7 @@ async function performReachabilityAnalysis(options) {
   if (!utils.hasEnterpriseOrgPlan(organizations)) {
     return {
       ok: false,
-      message: 'Tier 1 Reachability analysis requires an enterprise plan',
+      message: 'Full application reachability analysis requires an enterprise plan',
       cause: `Please ${utils.socketDevLink('upgrade your plan', '/pricing')}. This feature is only available for organizations with an enterprise plan.`
     };
   }
@@ -1900,7 +1902,7 @@ async function performReachabilityAnalysis(options) {
     // with `cwd` above), so resolve the read path against `cwd` too. Reading
     // the bare relative path would resolve against `process.cwd()` and miss
     // the file whenever `cwd !== process.cwd()` (e.g. `--cwd <dir>`), silently
-    // dropping the tier 1 scan id and skipping finalize downstream.
+    // dropping the full application reachability scan id and skipping finalize downstream.
     const resolvedReportPath = path.resolve(cwd, outputFilePath);
     return {
       ok: true,
@@ -1938,6 +1940,7 @@ sockJson, cwd = process.cwd()) {
     count: 0,
     conda: false,
     gradle: false,
+    maven: false,
     sbt: false
   };
   if (sockJson?.defaults?.manifest?.bazel?.disabled) {
@@ -1961,6 +1964,13 @@ sockJson, cwd = process.cwd()) {
     output.gradle = true;
     output.count += 1;
   }
+  if (sockJson?.defaults?.manifest?.maven?.disabled) {
+    require$$9.debugLog('notice', `[DEBUG] - maven auto-detection is disabled in ${constants.SOCKET_JSON}`);
+  } else if (fs$1.existsSync(path.join(cwd, 'pom.xml'))) {
+    require$$9.debugLog('notice', '[DEBUG] - Detected a Maven pom.xml build file');
+    output.maven = true;
+    output.count += 1;
+  }
   if (sockJson?.defaults?.manifest?.conda?.disabled) {
     require$$9.debugLog('notice', `[DEBUG] - conda auto-detection is disabled in ${constants.SOCKET_JSON}`);
   } else {
@@ -4283,10 +4293,10 @@ async function extractBazelToMaven(opts) {
 // facts file.
 //
 // `spawnCoanaDlx` resolves the Coana CLI via dlx (or a local build when
-// `SOCKET_CLI_COANA_LOCAL_PATH` is set). `bin` (the gradle/sbt executable) is
-// always resolved by the caller to a concrete default (`<cwd>/gradlew`, or
-// `sbt` on PATH) before we get here, so it is forwarded verbatim; the empty
-// guard below is just a cheap safeguard against passing `--bin ''`.
+// `SOCKET_CLI_COANA_LOCAL_PATH` is set). `bin` (the gradle/maven/sbt executable)
+// is always resolved by the caller to a concrete default (`<cwd>/gradlew`, or
+// `mvn`/`sbt` on PATH) before we get here, so it is forwarded verbatim; the
+// empty guard below is just a cheap safeguard against passing `--bin ''`.
 async function runCoanaManifestFacts({
   bin,
   buildOpts,
@@ -4390,6 +4400,33 @@ async function convertGradleToFacts({
   });
 }
 
+// Generates a `.socket.facts.json` for a Maven project by delegating to the
+// Coana CLI's `manifest maven` command (which owns the Maven plugin that
+// resolves the dependency graph). socket-cli no longer runs maven itself; an
+// explicit `bin` is forwarded as `--bin`, otherwise Coana defaults to `mvn` on
+// PATH.
+async function convertMavenToFacts({
+  bin,
+  cwd,
+  excludeConfigs,
+  ignoreUnresolved,
+  includeConfigs,
+  mavenOpts,
+  verbose
+}) {
+  await runCoanaManifestFacts({
+    bin,
+    buildOpts: mavenOpts,
+    buildOptsFlag: '--maven-opts',
+    cwd,
+    ecosystem: 'maven',
+    excludeConfigs,
+    ignoreUnresolved,
+    includeConfigs,
+    verbose
+  });
+}
+
 // Generates a `.socket.facts.json` for an sbt project by delegating to the
 // Coana CLI's `manifest sbt` command (which owns the sbt plugin that resolves
 // the dependency graph). socket-cli no longer runs sbt itself; an explicit
@@ -4864,6 +4901,59 @@ async function handleManifestConda({
   await outputRequirements(data, outputKind, out);
 }
 
+// Tokenizes a build-tool options string (e.g. the value of `--gradle-opts`,
+// `--sbt-opts`, `--maven-opts`) into individual argv tokens. Splits on
+// whitespace but honors single and double quotes so a value containing spaces,
+// such as a settings path (`-s "my settings.xml"`), survives as one token
+// instead of being shredded into three. Quotes are consumed (not emitted), and
+// quoting is intra-token aware (`-Dkey="a b"` -> `-Dkey=a b`). For unquoted
+// input this is equivalent to the previous whitespace split.
+function parseBuildToolOpts(opts) {
+  if (!opts) {
+    return [];
+  }
+  const tokens = [];
+  let current = '';
+  let hasToken = false;
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < opts.length; i += 1) {
+    const ch = opts[i];
+    if (inSingle) {
+      if (ch === "'") {
+        inSingle = false;
+      } else {
+        current += ch;
+      }
+    } else if (inDouble) {
+      if (ch === '"') {
+        inDouble = false;
+      } else {
+        current += ch;
+      }
+    } else if (ch === "'") {
+      inSingle = true;
+      hasToken = true;
+    } else if (ch === '"') {
+      inDouble = true;
+      hasToken = true;
+    } else if (ch === ' ' || ch === '\t') {
+      if (hasToken) {
+        tokens.push(current);
+        current = '';
+        hasToken = false;
+      }
+    } else {
+      current += ch;
+      hasToken = true;
+    }
+  }
+  if (hasToken) {
+    tokens.push(current);
+  }
+  return tokens;
+}
+
 async function generateAutoManifest({
   cwd,
   detected,
@@ -4883,7 +4973,7 @@ async function generateAutoManifest({
       // Note: `sbt` is more likely to be resolved against PATH env.
       bin: sockJson.defaults?.manifest?.sbt?.bin ?? 'sbt',
       cwd,
-      sbtOpts: sockJson.defaults?.manifest?.sbt?.sbtOpts?.split(' ').map(s => s.trim()).filter(Boolean) ?? [],
+      sbtOpts: parseBuildToolOpts(sockJson.defaults?.manifest?.sbt?.sbtOpts),
       verbose: Boolean(sockJson.defaults?.manifest?.sbt?.verbose)
     };
     // Socket facts is the default; opt into pom generation with
@@ -4912,7 +5002,7 @@ async function generateAutoManifest({
       bin: sockJson.defaults?.manifest?.gradle?.bin ? path.resolve(cwd, sockJson.defaults.manifest.gradle.bin) : path.join(cwd, 'gradlew'),
       cwd,
       verbose: Boolean(sockJson.defaults?.manifest?.gradle?.verbose),
-      gradleOpts: sockJson.defaults?.manifest?.gradle?.gradleOpts?.split(' ').map(s => s.trim()).filter(Boolean) ?? []
+      gradleOpts: parseBuildToolOpts(sockJson.defaults?.manifest?.gradle?.gradleOpts)
     };
     // Socket facts is the default; opt into pom generation with
     // `defaults.manifest.gradle.facts: false` in socket.json.
@@ -4929,6 +5019,19 @@ async function generateAutoManifest({
       await convertGradleToMaven(gradleArgs);
     }
   }
+  if (!sockJson?.defaults?.manifest?.maven?.disabled && detected.maven) {
+    logger.logger.log('Detected a Maven pom.xml build, generating Socket facts...');
+    await convertMavenToFacts({
+      // Note: `mvn` is more likely to be resolved against PATH env.
+      bin: sockJson.defaults?.manifest?.maven?.bin ?? 'mvn',
+      cwd,
+      excludeConfigs: sockJson.defaults?.manifest?.maven?.excludeConfigs ?? '',
+      ignoreUnresolved: Boolean(sockJson.defaults?.manifest?.maven?.ignoreUnresolved),
+      includeConfigs: sockJson.defaults?.manifest?.maven?.includeConfigs ?? '',
+      mavenOpts: parseBuildToolOpts(sockJson.defaults?.manifest?.maven?.mavenOpts),
+      verbose: Boolean(sockJson.defaults?.manifest?.maven?.verbose)
+    });
+  }
   if (!sockJson?.defaults?.manifest?.conda?.disabled && detected.conda) {
     logger.logger.log('Detected an environment.yml file, running default Conda generator...');
     await handleManifestConda({
@@ -5191,12 +5294,12 @@ async function handleCreateNewScan({
   if (reach && scanId && tier1ReachabilityScanId) {
     await finalizeTier1Scan(tier1ReachabilityScanId, scanId);
   } else if (reach.runReachabilityAnalysis && scanId && !tier1ReachabilityScanId) {
-    // Reachability analysis ran and a scan was created, but no tier 1
-    // reachability scan id was extracted from the facts file. Surface this
-    // instead of silently skipping finalize — otherwise the tier 1 row stays
-    // stuck (e.g. at COANA_DONE) and the full scan is never linked to its
-    // reachability report.
-    logger.logger.warn('Reachability analysis ran but no tier 1 reachability scan ID was found; skipping tier 1 finalize. The scan was created but its reachability report was not linked.');
+    // Reachability analysis ran and a scan was created, but no full
+    // application reachability scan id was extracted from the facts file.
+    // Surface this instead of silently skipping finalize — otherwise the
+    // reachability row stays stuck (e.g. at COANA_DONE) and the full scan is
+    // never linked to its reachability report.
+    logger.logger.warn('Reachability analysis ran but no full application reachability scan ID was found; skipping reachability finalize. The scan was created but its reachability report was not linked.');
   }
 
   // On a successful scan, clean up the `.socket.facts.json` coana wrote at
@@ -5205,8 +5308,12 @@ async function handleCreateNewScan({
   // (e.g. from `socket manifest gradle --facts`) are NOT touched here —
   // those are user-owned input that the user can clean up themselves; in
   // the --reach path coana overwrites that file with its enriched output
-  // anyway, so it's the same path that gets removed.
-  if (fullScanCResult.ok && scanId && reachabilityReport) {
+  // anyway, so it's the same path that gets removed. `--reach-retain-facts-file`
+  // opts out of this cleanup so the report can be inspected; the user is then
+  // responsible for deleting it before the next full application reachability
+  // scan (a stale file is picked up as pre-generated input and would make those
+  // results unreliable).
+  if (fullScanCResult.ok && scanId && reachabilityReport && !reach.reachRetainFactsFile) {
     try {
       await fs.unlink(path.resolve(cwd, reachabilityReport));
       require$$9.debugFn('notice', `[socket-facts] removed coana output after successful scan: ${reachabilityReport}`);
@@ -5304,6 +5411,7 @@ async function handleCi(autoManifest) {
       reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
+      reachRetainFactsFile: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -5319,7 +5427,7 @@ async function handleCi(autoManifest) {
   });
 }
 
-const config$l = {
+const config$m = {
   commandName: 'ci',
   description: 'Alias for `socket scan create --report` (creates report and exits with error if unhealthy)',
   hidden: false,
@@ -5337,7 +5445,7 @@ const config$l = {
       $ ${command} [options]
 
     Options
-      ${utils.getFlagListOutput(config$l.flags)}
+      ${utils.getFlagListOutput(config$m.flags)}
 
     This command is intended to use in CI runs to allow automated systems to
     accept or reject a current build. It will use the default org of the
@@ -5355,16 +5463,16 @@ const config$l = {
   `
 };
 const cmdCI = {
-  description: config$l.description,
-  hidden: config$l.hidden,
-  run: run$R
+  description: config$m.description,
+  hidden: config$m.hidden,
+  run: run$S
 };
-async function run$R(argv, importMeta, {
+async function run$S(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$l,
+    config: config$m,
     parentName,
     importMeta
   });
@@ -5607,9 +5715,9 @@ const hidden$v = false;
 const cmdConfigAuto = {
   description: description$D,
   hidden: hidden$v,
-  run: run$Q
+  run: run$R
 };
-async function run$Q(argv, importMeta, {
+async function run$R(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -5725,7 +5833,7 @@ async function handleConfigGet({
   await outputConfigGet(key, result, outputKind);
 }
 
-const config$k = {
+const config$l = {
   commandName: 'get',
   description: 'Get the value of a local CLI config item',
   hidden: false,
@@ -5755,16 +5863,16 @@ ${utils.getSupportedConfigEntries().map(({
   `
 };
 const cmdConfigGet = {
-  description: config$k.description,
-  hidden: config$k.hidden,
-  run: run$P
+  description: config$l.description,
+  hidden: config$l.hidden,
+  run: run$Q
 };
-async function run$P(argv, importMeta, {
+async function run$Q(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$k,
+    config: config$l,
     importMeta,
     parentName
   });
@@ -5866,7 +5974,7 @@ async function outputConfigList({
   }
 }
 
-const config$j = {
+const config$k = {
   commandName: 'list',
   description: 'Show all local CLI config items and their values',
   hidden: false,
@@ -5891,16 +5999,16 @@ const config$j = {
   `
 };
 const cmdConfigList = {
-  description: config$j.description,
-  hidden: config$j.hidden,
-  run: run$O
+  description: config$k.description,
+  hidden: config$k.hidden,
+  run: run$P
 };
-async function run$O(argv, importMeta, {
+async function run$P(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$j,
+    config: config$k,
     importMeta,
     parentName
   });
@@ -5990,9 +6098,9 @@ const hidden$u = false;
 const cmdConfigSet = {
   description: description$C,
   hidden: hidden$u,
-  run: run$N
+  run: run$O
 };
-async function run$N(argv, importMeta, {
+async function run$O(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -6117,9 +6225,9 @@ const hidden$t = false;
 const cmdConfigUnset = {
   description: description$B,
   hidden: hidden$t,
-  run: run$M
+  run: run$N
 };
-async function run$M(argv, importMeta, {
+async function run$N(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -7334,7 +7442,7 @@ const hidden$s = false;
 const cmdFix = {
   description: description$z,
   hidden: hidden$s,
-  run: run$L
+  run: run$M
 };
 const generalFlags$2 = {
   autopilot: {
@@ -7509,7 +7617,7 @@ const hiddenFlags = {
     hidden: true
   }
 };
-async function run$L(argv, importMeta, {
+async function run$M(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -7838,7 +7946,7 @@ async function handleInstallCompletion(targetName) {
   await outputInstallCompletion(result);
 }
 
-const config$i = {
+const config$j = {
   commandName: 'completion',
   description: 'Install bash completion for Socket CLI',
   hidden: false,
@@ -7875,16 +7983,16 @@ const config$i = {
   `
 };
 const cmdInstallCompletion = {
-  description: config$i.description,
-  hidden: config$i.hidden,
-  run: run$K
+  description: config$j.description,
+  hidden: config$j.hidden,
+  run: run$L
 };
-async function run$K(argv, importMeta, {
+async function run$L(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$i,
+    config: config$j,
     parentName,
     importMeta
   });
@@ -7941,7 +8049,7 @@ async function handleCmdJson(cwd) {
   await outputCmdJson(cwd);
 }
 
-const config$h = {
+const config$i = {
   commandName: 'json',
   description: `Display the \`${constants.SOCKET_JSON}\` that would be applied for target folder`,
   hidden: true,
@@ -7960,16 +8068,16 @@ const config$h = {
   `
 };
 const cmdJson = {
-  description: config$h.description,
-  hidden: config$h.hidden,
-  run: run$J
+  description: config$i.description,
+  hidden: config$i.hidden,
+  run: run$K
 };
-async function run$J(argv, importMeta, {
+async function run$K(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$h,
+    config: config$i,
     parentName,
     importMeta
   });
@@ -8124,9 +8232,9 @@ const hidden$r = false;
 const cmdLogin = {
   description: description$x,
   hidden: hidden$r,
-  run: run$I
+  run: run$J
 };
-async function run$I(argv, importMeta, {
+async function run$J(argv, importMeta, {
   parentName
 }) {
   const config = {
@@ -8204,7 +8312,7 @@ function attemptLogout() {
   }
 }
 
-const config$g = {
+const config$h = {
   commandName: 'logout',
   description: 'Socket API logout',
   hidden: false,
@@ -8222,16 +8330,16 @@ const config$g = {
   `
 };
 const cmdLogout = {
-  description: config$g.description,
-  hidden: config$g.hidden,
-  run: run$H
+  description: config$h.description,
+  hidden: config$h.hidden,
+  run: run$I
 };
-async function run$H(argv, importMeta, {
+async function run$I(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$g,
+    config: config$h,
     importMeta,
     parentName
   });
@@ -8544,7 +8652,7 @@ const yargsConfig = {
   'usages-slices-file' // hidden
   ]
 };
-const config$f = {
+const config$g = {
   commandName: 'cdxgen',
   description: 'Run cdxgen for SBOM generation',
   hidden: false,
@@ -8554,11 +8662,11 @@ const config$f = {
   help: () => ''
 };
 const cmdManifestCdxgen = {
-  description: config$f.description,
-  hidden: config$f.hidden,
-  run: run$G
+  description: config$g.description,
+  hidden: config$g.hidden,
+  run: run$H
 };
-async function run$G(argv, importMeta, context) {
+async function run$H(argv, importMeta, context) {
   const {
     parentName
   } = {
@@ -8568,7 +8676,7 @@ async function run$G(argv, importMeta, context) {
   const cli = utils.meowOrExit({
     // Don't let meow take over --help.
     argv: argv.filter(a => !utils.isHelpFlag(a)),
-    config: config$f,
+    config: config$g,
     importMeta,
     parentName
   });
@@ -9607,7 +9715,7 @@ async function buildSpokeTagLookup(reached, queryOpts, verbose) {
   return lookup;
 }
 
-const config$e = {
+const config$f = {
   commandName: 'bazel',
   description: '[beta] Bazel SBOM support — generate manifest files for a Bazel project (Maven, PyPI)',
   hidden: false,
@@ -9691,9 +9799,9 @@ const config$e = {
 // shorter default lives in extract_bazel_to_maven.mts.
 const EXPLICIT_PER_REPO_TIMEOUT_MS = 120_000;
 const cmdManifestBazel = {
-  description: config$e.description,
-  hidden: config$e.hidden,
-  run: run$F
+  description: config$f.description,
+  hidden: config$f.hidden,
+  run: run$G
 };
 // Pure outcome-matrix evaluator. Exported so dispatcher behavior can be
 // unit-tested without spawning the CLI binary. Throws InputError on
@@ -9777,12 +9885,12 @@ function pypiOutcome(result) {
     status: 'hardFailure'
   };
 }
-async function run$F(argv, importMeta, {
+async function run$G(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$e,
+    config: config$f,
     importMeta,
     parentName
   });
@@ -9870,7 +9978,7 @@ async function run$F(argv, importMeta, {
     }
   }
   if (verbose) {
-    logger.logger.group('- ', parentName, config$e.commandName, ':');
+    logger.logger.group('- ', parentName, config$f.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -9947,7 +10055,7 @@ async function run$F(argv, importMeta, {
   evaluateEcosystemOutcomes(outcomes, wasExplicitEcosystemSelection);
 }
 
-const config$d = {
+const config$e = {
   commandName: 'auto',
   description: 'Auto-detect build and attempt to generate manifest file',
   hidden: false,
@@ -9980,16 +10088,16 @@ const config$d = {
   `
 };
 const cmdManifestAuto = {
-  description: config$d.description,
-  hidden: config$d.hidden,
-  run: run$E
+  description: config$e.description,
+  hidden: config$e.hidden,
+  run: run$F
 };
-async function run$E(argv, importMeta, {
+async function run$F(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$d,
+    config: config$e,
     importMeta,
     parentName
   });
@@ -10007,7 +10115,7 @@ async function run$E(argv, importMeta, {
   cwd = path.resolve(process.cwd(), cwd);
   const outputKind = utils.getOutputKind(json, markdown);
   if (verbose) {
-    logger.logger.group('- ', parentName, config$d.commandName, ':');
+    logger.logger.group('- ', parentName, config$e.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -10041,7 +10149,7 @@ async function run$E(argv, importMeta, {
   logger.logger.success(`Finished. Should have attempted to generate manifest files for ${detected.count} targets.`);
 }
 
-const config$c = {
+const config$d = {
   commandName: 'conda',
   description: `[beta] Convert a Conda ${constants.ENVIRONMENT_YML} file to a python ${constants.REQUIREMENTS_TXT}`,
   hidden: false,
@@ -10094,16 +10202,16 @@ const config$c = {
   `
 };
 const cmdManifestConda = {
-  description: config$c.description,
-  hidden: config$c.hidden,
-  run: run$D
+  description: config$d.description,
+  hidden: config$d.hidden,
+  run: run$E
 };
-async function run$D(argv, importMeta, {
+async function run$E(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$c,
+    config: config$d,
     importMeta,
     parentName
   });
@@ -10161,7 +10269,7 @@ async function run$D(argv, importMeta, {
     verbose = false;
   }
   if (verbose) {
-    logger.logger.group('- ', parentName, config$c.commandName, ':');
+    logger.logger.group('- ', parentName, config$d.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- target:', cwd);
@@ -10197,7 +10305,7 @@ async function run$D(argv, importMeta, {
   });
 }
 
-const config$b = {
+const config$c = {
   commandName: 'gradle',
   description: '[beta] Generate a Socket facts file (or `pom.xml` with --pom) for a Gradle/Java/Kotlin/etc project',
   hidden: false,
@@ -10273,16 +10381,16 @@ const config$b = {
   `
 };
 const cmdManifestGradle = {
-  description: config$b.description,
-  hidden: config$b.hidden,
-  run: run$C
+  description: config$c.description,
+  hidden: config$c.hidden,
+  run: run$D
 };
-async function run$C(argv, importMeta, {
+async function run$D(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$b,
+    config: config$c,
     importMeta,
     parentName
   });
@@ -10386,7 +10494,7 @@ async function run$C(argv, importMeta, {
     logger.logger.warn('The `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` options only apply when generating Socket facts (not with `--pom`); ignoring them.');
   }
   if (verbose) {
-    logger.logger.group('- ', parentName, config$b.commandName, ':');
+    logger.logger.group('- ', parentName, config$c.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -10416,7 +10524,7 @@ async function run$C(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const parsedGradleOpts = String(gradleOpts || '').split(' ').map(s => s.trim()).filter(Boolean);
+  const parsedGradleOpts = parseBuildToolOpts(String(gradleOpts || ''));
   if (facts) {
     await convertGradleToFacts({
       bin: String(bin),
@@ -10442,7 +10550,7 @@ async function run$C(argv, importMeta, {
 //       sense for the help panels to note the requested language, rather than
 //       `socket manifest kotlin` to print help screens with `gradle` as the
 //       command. Room for improvement.
-const config$a = {
+const config$b = {
   commandName: 'kotlin',
   description: '[beta] Generate a Socket facts file (or `pom.xml` with --pom) for a Kotlin project',
   hidden: false,
@@ -10518,16 +10626,16 @@ const config$a = {
   `
 };
 const cmdManifestKotlin = {
-  description: config$a.description,
-  hidden: config$a.hidden,
-  run: run$B
+  description: config$b.description,
+  hidden: config$b.hidden,
+  run: run$C
 };
-async function run$B(argv, importMeta, {
+async function run$C(argv, importMeta, {
   parentName
 }) {
   const cli = utils.meowOrExit({
     argv,
-    config: config$a,
+    config: config$b,
     importMeta,
     parentName
   });
@@ -10629,7 +10737,7 @@ async function run$B(argv, importMeta, {
     logger.logger.warn('The `--include-configs`, `--exclude-configs`, and `--ignore-unresolved` options only apply when generating Socket facts (not with `--pom`); ignoring them.');
   }
   if (verbose) {
-    logger.logger.group('- ', parentName, config$a.commandName, ':');
+    logger.logger.group('- ', parentName, config$b.commandName, ':');
     logger.logger.group('- flags:', cli.flags);
     logger.logger.groupEnd();
     logger.logger.log('- input:', cli.input);
@@ -10659,7 +10767,7 @@ async function run$B(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const parsedGradleOpts = String(gradleOpts || '').split(' ').map(s => s.trim()).filter(Boolean);
+  const parsedGradleOpts = parseBuildToolOpts(String(gradleOpts || ''));
   if (facts) {
     await convertGradleToFacts({
       bin: String(bin),
@@ -10680,6 +10788,189 @@ async function run$B(argv, importMeta, {
   });
 }
 
+const config$a = {
+  commandName: 'maven',
+  description: '[beta] Generate a Socket facts file from a Maven `pom.xml` project',
+  hidden: false,
+  flags: {
+    ...flags.commonFlags,
+    bin: {
+      type: 'string',
+      description: 'Location of the maven binary to use, default: mvn on PATH'
+    },
+    includeConfigs: {
+      type: 'string',
+      description: 'Comma-separated glob patterns matched against Maven dependency scopes (case-sensitive, `*` and `?` wildcards). Only scopes matching at least one pattern are resolved. e.g. `compile,runtime`. Default: every scope'
+    },
+    excludeConfigs: {
+      type: 'string',
+      description: 'Comma-separated glob patterns; Maven scopes matching any pattern are skipped (applied after --include-configs)'
+    },
+    ignoreUnresolved: {
+      type: 'boolean',
+      description: 'Warn on unresolved dependencies instead of failing the run (unresolved deps are not emitted to the facts file)'
+    },
+    mavenOpts: {
+      type: 'string',
+      description: 'Additional options to pass on to maven, e.g. `-P <profile> -s <settings.xml>`'
+    },
+    verbose: {
+      type: 'boolean',
+      description: 'Print debug messages'
+    }
+  },
+  help: (command, config) => `
+    Usage
+      $ ${command} [options] [CWD=.]
+
+    Options
+      ${utils.getFlagListOutput(config.flags)}
+
+    Emits a single \`.socket.facts.json\` describing the resolved dependency
+    graph of your Maven project, using maven (\`mvn\` on PATH by default). It
+    reads dependency metadata only and never downloads artifacts; an unresolved
+    dependency is a fatal error. You can pass --include-configs /
+    --exclude-configs (comma-separated glob patterns) to control which Maven
+    scopes are resolved (e.g. --include-configs=\`compile,runtime\`), and
+    --ignore-unresolved to warn on unresolved dependencies instead of failing.
+
+    You can specify --bin to override the path to the \`mvn\` binary to invoke
+    (e.g. a project \`./mvnw\` wrapper), and --maven-opts to pass extra options
+    through to maven (e.g. \`-P <profile> -s <settings.xml>\`).
+
+    Support is beta. Please report issues or give us feedback on what's missing.
+
+    Examples
+
+      $ ${command} .
+      $ ${command} --bin=./mvnw .
+      $ ${command} --maven-opts="-P release" .
+  `
+};
+const cmdManifestMaven = {
+  description: config$a.description,
+  hidden: config$a.hidden,
+  run: run$B
+};
+async function run$B(argv, importMeta, {
+  parentName
+}) {
+  const cli = utils.meowOrExit({
+    argv,
+    config: config$a,
+    importMeta,
+    parentName
+  });
+  const {
+    json = false,
+    markdown = false
+  } = cli.flags;
+  const dryRun = !!cli.flags['dryRun'];
+
+  // TODO: Implement json/md further.
+  const outputKind = utils.getOutputKind(json, markdown);
+  let [cwd = '.'] = cli.input;
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd);
+  const sockJson = utils.readOrDefaultSocketJson(cwd);
+  require$$9.debugFn('inspect', `override: ${constants.SOCKET_JSON} maven`, sockJson?.defaults?.manifest?.maven);
+  let {
+    bin,
+    excludeConfigs,
+    ignoreUnresolved,
+    includeConfigs,
+    mavenOpts,
+    verbose
+  } = cli.flags;
+
+  // Set defaults for any flag/arg that is not given. Check socket.json first.
+  if (!bin) {
+    if (sockJson.defaults?.manifest?.maven?.bin) {
+      bin = sockJson.defaults?.manifest?.maven?.bin;
+      logger.logger.info(`Using default --bin from ${constants.SOCKET_JSON}:`, bin);
+    } else {
+      bin = 'mvn';
+    }
+  }
+  if (!mavenOpts) {
+    if (sockJson.defaults?.manifest?.maven?.mavenOpts) {
+      mavenOpts = sockJson.defaults?.manifest?.maven?.mavenOpts;
+      logger.logger.info(`Using default --maven-opts from ${constants.SOCKET_JSON}:`, mavenOpts);
+    } else {
+      mavenOpts = '';
+    }
+  }
+  if (includeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.maven?.includeConfigs !== undefined) {
+      includeConfigs = sockJson.defaults?.manifest?.maven?.includeConfigs;
+      logger.logger.info(`Using default --include-configs from ${constants.SOCKET_JSON}:`, includeConfigs);
+    } else {
+      includeConfigs = '';
+    }
+  }
+  if (excludeConfigs === undefined) {
+    if (sockJson.defaults?.manifest?.maven?.excludeConfigs !== undefined) {
+      excludeConfigs = sockJson.defaults?.manifest?.maven?.excludeConfigs;
+      logger.logger.info(`Using default --exclude-configs from ${constants.SOCKET_JSON}:`, excludeConfigs);
+    } else {
+      excludeConfigs = '';
+    }
+  }
+  if (ignoreUnresolved === undefined) {
+    if (sockJson.defaults?.manifest?.maven?.ignoreUnresolved !== undefined) {
+      ignoreUnresolved = sockJson.defaults?.manifest?.maven?.ignoreUnresolved;
+      logger.logger.info(`Using default --ignore-unresolved from ${constants.SOCKET_JSON}:`, ignoreUnresolved);
+    } else {
+      ignoreUnresolved = false;
+    }
+  }
+  if (verbose === undefined) {
+    if (sockJson.defaults?.manifest?.maven?.verbose !== undefined) {
+      verbose = sockJson.defaults?.manifest?.maven?.verbose;
+      logger.logger.info(`Using default --verbose from ${constants.SOCKET_JSON}:`, verbose);
+    } else {
+      verbose = false;
+    }
+  }
+  if (verbose) {
+    logger.logger.group('- ', parentName, config$a.commandName, ':');
+    logger.logger.group('- flags:', cli.flags);
+    logger.logger.groupEnd();
+    logger.logger.log('- input:', cli.input);
+    logger.logger.groupEnd();
+  }
+  const wasValidInput = utils.checkCommandInput(outputKind, {
+    nook: true,
+    test: cli.input.length <= 1,
+    message: 'Can only accept one DIR (make sure to escape spaces!)',
+    fail: 'received ' + cli.input.length
+  });
+  if (!wasValidInput) {
+    return;
+  }
+  if (verbose) {
+    logger.logger.group();
+    logger.logger.info('- cwd:', cwd);
+    logger.logger.info('- maven bin:', bin);
+    logger.logger.groupEnd();
+  }
+  if (dryRun) {
+    logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
+    return;
+  }
+  const parsedMavenOpts = parseBuildToolOpts(String(mavenOpts || ''));
+  await convertMavenToFacts({
+    bin: String(bin),
+    cwd,
+    excludeConfigs: String(excludeConfigs || ''),
+    ignoreUnresolved: Boolean(ignoreUnresolved),
+    includeConfigs: String(includeConfigs || ''),
+    mavenOpts: parsedMavenOpts,
+    verbose: Boolean(verbose)
+  });
+}
+
 const config$9 = {
   commandName: 'scala',
   description: '[beta] Generate a Socket facts file (or `pom.xml` with --pom) from a Scala `build.sbt` project',
@@ -10944,7 +11235,7 @@ async function run$A(argv, importMeta, {
     logger.logger.log(constants.default.DRY_RUN_BAILING_NOW);
     return;
   }
-  const parsedSbtOpts = String(sbtOpts || '').split(' ').map(s => s.trim()).filter(Boolean);
+  const parsedSbtOpts = parseBuildToolOpts(String(sbtOpts || ''));
   if (facts) {
     await convertSbtToFacts({
       bin: String(bin),
@@ -11017,6 +11308,10 @@ async function setupManifestConfig(cwd, defaultOnReadError = false) {
     name: 'Kotlin (gradle)'.padEnd(30, ' '),
     value: 'gradle',
     description: 'Generate a Socket facts file or pom.xml (for Kotlin) through gradle'
+  }, {
+    name: 'Maven'.padEnd(30, ' '),
+    value: 'maven',
+    description: 'Generate a Socket facts file through maven'
   }, {
     name: 'Scala (gradle)'.padEnd(30, ' '),
     value: 'gradle',
@@ -11084,6 +11379,14 @@ async function setupManifestConfig(cwd, defaultOnReadError = false) {
         result = await setupGradle(sockJson.defaults.manifest.gradle);
         break;
       }
+    case 'maven':
+      {
+        if (!sockJson.defaults.manifest.maven) {
+          sockJson.defaults.manifest.maven = {};
+        }
+        result = await setupMaven(sockJson.defaults.manifest.maven);
+        break;
+      }
     case 'sbt':
       {
         if (!sockJson.defaults.manifest.sbt) {
@@ -11225,6 +11528,44 @@ async function setupGradle(config) {
   }
   return notCanceled$1();
 }
+async function setupMaven(config) {
+  const bin = await askForBin(config.bin || 'mvn');
+  if (bin === undefined) {
+    return canceledByUser$1();
+  } else if (bin) {
+    config.bin = bin;
+  } else {
+    delete config.bin;
+  }
+  const opts = await prompts.input({
+    message: '(--maven-opts) Enter maven options to pass through',
+    default: config.mavenOpts || '',
+    required: false
+  });
+  if (opts === undefined) {
+    return canceledByUser$1();
+  } else if (opts) {
+    config.mavenOpts = opts;
+  } else {
+    delete config.mavenOpts;
+  }
+
+  // Maven only generates Socket facts (no pom path), so always ask the
+  // facts-only options.
+  const factsOptions = await setupFactsOptions(config);
+  if (!factsOptions.ok || factsOptions.data.canceled) {
+    return factsOptions;
+  }
+  const verbose = await askForVerboseFlag(config.verbose);
+  if (verbose === undefined) {
+    return canceledByUser$1();
+  } else if (verbose === 'yes' || verbose === 'no') {
+    config.verbose = verbose === 'yes';
+  } else {
+    delete config.verbose;
+  }
+  return notCanceled$1();
+}
 async function setupSbt(config) {
   const bin = await askForBin(config.bin || 'sbt');
   if (bin === undefined) {
@@ -11580,6 +11921,7 @@ async function run$y(argv, importMeta, {
       conda: cmdManifestConda,
       gradle: cmdManifestGradle,
       kotlin: cmdManifestKotlin,
+      maven: cmdManifestMaven,
       scala: cmdManifestScala,
       setup: cmdManifestSetup
     }
@@ -15664,12 +16006,12 @@ const reachabilityFlags = {
   reachContinueOnAnalysisErrors: {
     type: 'boolean',
     default: false,
-    description: 'Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) results. By default, the CLI halts on analysis errors.'
+    description: 'Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed reachability results. By default, the CLI halts on analysis errors.'
   },
   reachContinueOnInstallErrors: {
     type: 'boolean',
     default: false,
-    description: 'Continue reachability analysis when package installation fails, falling back to precomputed (Tier 2) results. By default, the CLI halts on installation errors.'
+    description: 'Continue reachability analysis when package installation fails, falling back to precomputed reachability results. By default, the CLI halts on installation errors.'
   },
   reachContinueOnMissingLockFiles: {
     type: 'boolean',
@@ -15729,6 +16071,11 @@ const reachabilityFlags = {
     description: 'Enable lazy mode for reachability analysis.',
     hidden: true
   },
+  reachRetainFactsFile: {
+    type: 'boolean',
+    default: false,
+    description: 'Keep the `.socket.facts.json` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh full application reachability scan. A stale `.socket.facts.json` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.'
+  },
   reachSkipCache: {
     type: 'boolean',
     default: false,
@@ -15744,7 +16091,7 @@ const excludePathsFlag = {
   excludePaths: {
     type: 'string',
     isMultiple: true,
-    description: 'List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (`--cwd` if set), not the reachability target: `tests` matches only `<cwd>/tests`; use `**/tests` to match at any depth. Negation patterns (`!path`) are not supported. Accepts a comma-separated value or multiple flags.'
+    description: 'List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) full application reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (`--cwd` if set), not the reachability target: `tests` matches only `<cwd>/tests`; use `**/tests` to match at any depth. Negation patterns (`!path`) are not supported. Accepts a comma-separated value or multiple flags.'
   }
 };
 
@@ -15864,7 +16211,7 @@ const generalFlags$1 = {
   reach: {
     type: 'boolean',
     default: false,
-    description: 'Run tier 1 full application reachability analysis'
+    description: 'Run full application reachability analysis'
   },
   readOnly: {
     type: 'boolean',
@@ -16004,6 +16351,7 @@ async function run$d(argv, importMeta, {
     reachDisableExternalToolChecks,
     reachEnableAnalysisSplitting,
     reachLazyMode,
+    reachRetainFactsFile,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion,
@@ -16271,6 +16619,7 @@ async function run$d(argv, importMeta, {
       reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
+      reachRetainFactsFile: Boolean(reachRetainFactsFile),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion,
@@ -16930,6 +17279,7 @@ async function scanOneRepo(repoSlug, {
       reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
+      reachRetainFactsFile: false,
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
@@ -18158,9 +18508,9 @@ async function handleScanReach({
   });
   spinner.stop();
 
-  // Standalone reachability has no full scan to bind to, but the tier1
-  // reachability scan row still needs to transition to its DONE terminal
-  // state — otherwise it sits at the post-Coana intermediate state forever
+  // Standalone reachability has no full scan to bind to, but the full
+  // application reachability scan row still needs to transition to its DONE
+  // terminal state — otherwise it sits at the post-Coana intermediate state forever
   // and looks indistinguishable from a stuck run. Pass `null` as the full
   // scan id; the endpoint accepts it for this flow. Best-effort: never
   // block the user-visible output on this.
@@ -18168,7 +18518,7 @@ async function handleScanReach({
   if (tier1Id) {
     const finalizeResult = await finalizeTier1Scan(tier1Id, null);
     if (!finalizeResult.ok) {
-      logger.logger.warn(`Failed to finalize tier1 reachability scan: ${finalizeResult.message}${finalizeResult.cause ? ` — ${finalizeResult.cause}` : ''}`);
+      logger.logger.warn(`Failed to finalize full application reachability scan: ${finalizeResult.message}${finalizeResult.cause ? ` — ${finalizeResult.cause}` : ''}`);
     }
   }
   await outputScanReach(result, {
@@ -18179,7 +18529,7 @@ async function handleScanReach({
 }
 
 const CMD_NAME$4 = 'reach';
-const description$6 = 'Compute tier 1 reachability';
+const description$6 = 'Compute full application reachability';
 const hidden$4 = true;
 const generalFlags = {
   ...flags.commonFlags,
@@ -18277,6 +18627,7 @@ async function run$7(argv, importMeta, {
     reachDisableExternalToolChecks,
     reachEnableAnalysisSplitting,
     reachLazyMode,
+    reachRetainFactsFile,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachVersion
@@ -18387,6 +18738,7 @@ async function run$7(argv, importMeta, {
       reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
+      reachRetainFactsFile: Boolean(reachRetainFactsFile),
       reachSkipCache: Boolean(reachSkipCache),
       reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion
@@ -20315,5 +20667,5 @@ process.on('unhandledRejection', async (reason, promise) => {
   // eslint-disable-next-line n/no-process-exit
   process.exit(1);
 });
-//# debugId=cab2a634-ac20-4b27-aff5-55f1c4df59bc
+//# debugId=6c799c7a-7beb-4a6d-a648-0638ba473165
 //# sourceMappingURL=cli.js.map