socket 1.1.38 → 1.1.40

package/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.40](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.40) - 2025-12-02
+
+### Fixed
+- Fix a bug where vulnerabilities were not found correctly during `socket fix`.
+
+### Changed
+- Updated the Coana CLI to v `14.12.110`.
+
+## [1.1.39](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.39) - 2025-12-01
+
+### Added
+- Added the `--output <scan-report.json>` flag to `socket scan reach`.
+
+### Changed
+- Updated the Coana CLI to v `14.12.107`.
+
 ## [1.1.38](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.38) - 2025-11-26
 
 ### Changed

package/dist/cli.js

@@ -1559,6 +1559,7 @@ async function performReachabilityAnalysis(options) {
     branchName,
     cwd = process.cwd(),
     orgSlug,
+    outputPath,
     packagePaths,
     reachabilityOptions,
     repoName,
@@ -1638,9 +1639,9 @@ async function performReachabilityAnalysis(options) {
   }
   spinner?.start();
   spinner?.infoAndStop('Running reachability analysis with Coana...');
-
+  const outputFilePath = outputPath || constants.default.DOT_SOCKET_DOT_FACTS_JSON;
   // Build Coana arguments.
-  const coanaArgs = ['run', analysisTarget, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : [])];
 
@@ -1668,9 +1669,9 @@ async function performReachabilityAnalysis(options) {
   return coanaResult.ok ? {
     ok: true,
     data: {
-      // Use the DOT_SOCKET_DOT_FACTS_JSON file for the scan.
-      reachabilityReport: constants.default.DOT_SOCKET_DOT_FACTS_JSON,
-      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(constants.default.DOT_SOCKET_DOT_FACTS_JSON)
+      // Use the actual output filename for the scan.
+      reachabilityReport: outputFilePath,
+      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(outputFilePath)
     }
   } : coanaResult;
 }
@@ -3688,7 +3689,7 @@ async function getFixEnv() {
  * Discovers GHSA IDs by running coana without applying fixes.
  * Returns a list of GHSA IDs, optionally limited.
  */
-async function discoverGhsaIds(orgSlug, tarHash, fixConfig, options) {
+async function discoverGhsaIds(orgSlug, tarHash, options) {
   const {
     cwd = process.cwd(),
     limit,
@@ -3697,12 +3698,21 @@ async function discoverGhsaIds(orgSlug, tarHash, fixConfig, options) {
     __proto__: null,
     ...options
   };
-  const foundCResult = await utils.spawnCoanaDlx(['compute-fixes-and-upgrade-purls', cwd, '--manifests-tar-hash', tarHash, ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []), ...(fixConfig.minimumReleaseAge ? ['--minimum-release-age', fixConfig.minimumReleaseAge] : []), ...(fixConfig.include.length ? ['--include', ...fixConfig.include] : []), ...(fixConfig.exclude.length ? ['--exclude', ...fixConfig.exclude] : []), ...(fixConfig.disableMajorUpdates ? ['--disable-major-updates'] : []), ...(fixConfig.showAffectedDirectDependencies ? ['--show-affected-direct-dependencies'] : []), ...fixConfig.unknownFlags], orgSlug, {
+  const foundCResult = await utils.spawnCoanaDlx(['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash], orgSlug, {
     cwd,
     spinner
+  }, {
+    stdio: 'pipe'
   });
   if (foundCResult.ok) {
-    const foundIds = utils.cmdFlagValueToArray(/(?<=Vulnerabilities found:).*/.exec(foundCResult.data));
+    // Coana prints ghsaIds as json-formatted string on the final line of the output
+    const foundIds = [];
+    try {
+      const ghsaIdsRaw = foundCResult.data.trim().split('\n').pop();
+      if (ghsaIdsRaw) {
+        foundIds.push(...JSON.parse(ghsaIdsRaw));
+      }
+    } catch {}
     return limit !== undefined ? foundIds.slice(0, limit) : foundIds;
   }
   return [];
@@ -3780,7 +3790,7 @@ async function coanaFix(fixConfig) {
     }
     let ids;
     if (isAll && limit > 0) {
-      ids = await discoverGhsaIds(orgSlug, tarHash, fixConfig, {
+      ids = await discoverGhsaIds(orgSlug, tarHash, {
         cwd,
         limit,
         spinner
@@ -3863,7 +3873,7 @@ async function coanaFix(fixConfig) {
   const shouldSpawnCoana = adjustedLimit > 0;
   let ids;
   if (shouldSpawnCoana && isAll) {
-    ids = await discoverGhsaIds(orgSlug, tarHash, fixConfig, {
+    ids = await discoverGhsaIds(orgSlug, tarHash, {
       cwd,
       limit: adjustedLimit,
       spinner
@@ -13336,8 +13346,8 @@ async function run$8(argv, importMeta, {
 }
 
 async function outputScanReach(result, {
-  cwd,
-  outputKind
+  outputKind,
+  outputPath
 }) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
@@ -13350,9 +13360,10 @@ async function outputScanReach(result, {
     logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
     return;
   }
+  const actualOutputPath = outputPath || constants.default.DOT_SOCKET_DOT_FACTS_JSON;
   logger.logger.log('');
   logger.logger.success('Reachability analysis completed successfully!');
-  logger.logger.info(`Reachability report has been written to: ${path.join(cwd, constants.default.DOT_SOCKET_DOT_FACTS_JSON)}`);
+  logger.logger.info(`Reachability report has been written to: ${actualOutputPath}`);
 }
 
 async function handleScanReach({
@@ -13360,6 +13371,7 @@ async function handleScanReach({
   interactive: _interactive,
   orgSlug,
   outputKind,
+  outputPath,
   reachabilityOptions,
   targets
 }) {
@@ -13373,8 +13385,8 @@ async function handleScanReach({
   });
   if (!supportedFilesCResult.ok) {
     await outputScanReach(supportedFilesCResult, {
-      cwd,
-      outputKind
+      outputKind,
+      outputPath
     });
     return;
   }
@@ -13398,6 +13410,7 @@ async function handleScanReach({
   const result = await performReachabilityAnalysis({
     cwd,
     orgSlug,
+    outputPath,
     packagePaths,
     reachabilityOptions,
     spinner,
@@ -13406,8 +13419,8 @@ async function handleScanReach({
   });
   spinner.stop();
   await outputScanReach(result, {
-    cwd,
-    outputKind
+    outputKind,
+    outputPath
   });
 }
 
@@ -13426,6 +13439,12 @@ const generalFlags = {
     type: 'string',
     default: '',
     description: 'Force override the organization slug, overrides the default org from config'
+  },
+  output: {
+    type: 'string',
+    default: '',
+    description: 'Path to write the reachability report to (must end with .json). Defaults to .socket.facts.json in the current working directory.',
+    shortFlag: 'o'
   }
 };
 const cmdScanReach = {
@@ -13458,7 +13477,8 @@ async function run$7(argv, importMeta, {
       ${utils.getFlagListOutput(reachabilityFlags)}
 
     Runs the Socket reachability analysis without creating a scan in Socket.
-    The output is written to .socket.facts.json in the current working directory.
+    The output is written to .socket.facts.json in the current working directory
+    unless the --output flag is specified.
 
     Note: Manifest files are uploaded to Socket's backend services because the
     reachability analysis requires creating a Software Bill of Materials (SBOM)
@@ -13468,6 +13488,8 @@ async function run$7(argv, importMeta, {
       $ ${command}
       $ ${command} ./proj
       $ ${command} ./proj --reach-ecosystems npm,pypi
+      $ ${command} --output custom-report.json
+      $ ${command} ./proj --output ./reports/analysis.json
   `
   };
   const cli = utils.meowOrExit({
@@ -13482,6 +13504,7 @@ async function run$7(argv, importMeta, {
     json,
     markdown,
     org: orgFlag,
+    output: outputPath,
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
     reachConcurrency,
@@ -13538,6 +13561,11 @@ async function run$7(argv, importMeta, {
     test: !json || !markdown,
     message: 'The json and markdown flags cannot be both set, pick one',
     fail: 'omit one'
+  }, {
+    nook: true,
+    test: !outputPath || outputPath.endsWith('.json'),
+    message: 'The --output path must end with .json',
+    fail: 'use a path ending with .json'
   }, {
     nook: true,
     test: targetValidation.isValid,
@@ -13568,10 +13596,10 @@ async function run$7(argv, importMeta, {
   }
   await handleScanReach({
     cwd,
+    interactive,
     orgSlug,
     outputKind,
-    targets,
-    interactive,
+    outputPath: outputPath || '',
     reachabilityOptions: {
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
@@ -13582,7 +13610,8 @@ async function run$7(argv, importMeta, {
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache)
-    }
+    },
+    targets
   });
 }
 
@@ -15419,5 +15448,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=39010d7c-ef10-4b4e-b008-38ac722e7d5d
+//# debugId=abe9e0d9-90ff-4e73-99b1-648bc5ca3347
 //# sourceMappingURL=cli.js.map