PyPI - socketsecurity - Versions diffs - 1.0.39__tar.gz → 1.0.41__tar.gz - Mend

socketsecurity 1.0.39tar.gz → 1.0.41tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

{socketsecurity-1.0.39/socketsecurity.egg-info → socketsecurity-1.0.41}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: socketsecurity
-Version: 1.0.39
+Version: 1.0.41
 Summary: Socket Security CLI for CI/CD
 Author-email: Douglas Coburn <douglas@socket.dev>
 Maintainer-email: Douglas Coburn <douglas@socket.dev>
@@ -31,7 +31,7 @@ The Socket Security CLI was created to enable integrations with other tools like
 socketcli [-h] [--api_token API_TOKEN] [--repo REPO] [--branch BRANCH] [--committer COMMITTER] [--pr_number PR_NUMBER]
                  [--commit_message COMMIT_MESSAGE] [--default_branch] [--target_path TARGET_PATH] [--scm {api,github,gitlab}] [--sbom-file SBOM_FILE]
                  [--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--disable-overview]
-                 [--disable-security-issue] [--files FILES] [--ignore-commit-files]
+                 [--disable-security-issue] [--files FILES] [--ignore-commit-files] [--timeout]
 ````
 If you don't want to provide the Socket API Token every time then you can use the environment variable `SOCKET_SECURITY_API_KEY`
@@ -61,3 +61,4 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --files                  |                | False    |         | If provided in the format of `["file1", "file2"]` will be used to determine if there have been supported file changes. This is used if it isn't a git repo and you would like to only run if it supported files have changed. |
 | --ignore-commit-files    |                | False    | False   | If enabled then the CLI will ignore what files are changed in the commit and look for all manifest files                                                                                                                      |
 | --disable-blocking       |                | False    | False   | Disables failing checks and will only exit with an exit code of 0                                                                                                                                                             |
+| --timeout                |                | False    | 1200    | The timeout per request for the CLI                                                                                                                                                                                           |

{socketsecurity-1.0.39 → socketsecurity-1.0.41}/README.md RENAMED Viewed

@@ -8,7 +8,7 @@ The Socket Security CLI was created to enable integrations with other tools like
 socketcli [-h] [--api_token API_TOKEN] [--repo REPO] [--branch BRANCH] [--committer COMMITTER] [--pr_number PR_NUMBER]
                  [--commit_message COMMIT_MESSAGE] [--default_branch] [--target_path TARGET_PATH] [--scm {api,github,gitlab}] [--sbom-file SBOM_FILE]
                  [--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--disable-overview]
-                 [--disable-security-issue] [--files FILES] [--ignore-commit-files]
+                 [--disable-security-issue] [--files FILES] [--ignore-commit-files] [--timeout]
 ````
 If you don't want to provide the Socket API Token every time then you can use the environment variable `SOCKET_SECURITY_API_KEY`
@@ -38,3 +38,4 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --files                  |                | False    |         | If provided in the format of `["file1", "file2"]` will be used to determine if there have been supported file changes. This is used if it isn't a git repo and you would like to only run if it supported files have changed. |
 | --ignore-commit-files    |                | False    | False   | If enabled then the CLI will ignore what files are changed in the commit and look for all manifest files                                                                                                                      |
 | --disable-blocking       |                | False    | False   | Disables failing checks and will only exit with an exit code of 0                                                                                                                                                             |
+| --timeout                |                | False    | 1200    | The timeout per request for the CLI                                                                                                                                                                                           |

{socketsecurity-1.0.39 → socketsecurity-1.0.41}/socketsecurity/__init__.py RENAMED Viewed

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '1.0.39'
+__version__ = '1.0.41'

{socketsecurity-1.0.39 → socketsecurity-1.0.41}/socketsecurity/core/__init__.py RENAMED Viewed

@@ -1,12 +1,18 @@
 import logging
 from pathlib import PurePath
+from requests.exceptions import ReadTimeout
 import requests
 from urllib.parse import urlencode
 import base64
 import json
 from socketsecurity.core.exceptions import (
-    APIFailure, APIKeyMissing, APIAccessDenied, APIInsufficientQuota, APIResourceNotFound, APICloudflareError
+    APIFailure,
+    APIKeyMissing,
+    APIAccessDenied,
+    APIInsufficientQuota,
+    APIResourceNotFound,
+    APICloudflareError,
+    RequestTimeoutExceeded
 )
 from socketsecurity import __version__
 from socketsecurity.core.licenses import Licenses
@@ -182,15 +188,18 @@ def do_request(
     verify = True
     if allow_unverified_ssl:
         verify = False
-    response = requests.request(
-        method.upper(),
-        url,
-        headers=headers,
-        data=payload,
-        files=files,
-        timeout=timeout,
-        verify=verify
-    )
+    try:
+        response = requests.request(
+            method.upper(),
+            url,
+            headers=headers,
+            data=payload,
+            files=files,
+            timeout=timeout,
+            verify=verify
+        )
+    except ReadTimeout:
+        raise RequestTimeoutExceeded(f"Configured timeout {timeout} reached for request for path {url}")
     output_headers = headers.copy()
     output_headers['Authorization'] = "API_KEY_REDACTED"
     output = {
@@ -437,25 +446,17 @@ class Core:
         for ecosystem in socket_globs:
             patterns = socket_globs[ecosystem]
             for file_name in patterns:
-                pattern = patterns[file_name]["pattern"]
-                # Keep path as-is but try filename variations
-                file_paths = [
-                    f"{path}/**/{pattern}",
-                    f"{path}/**/{pattern.lower()}",
-                    f"{path}/**/{pattern.upper()}",
-                    f"{path}/**/{pattern.capitalize()}"
-                ]
-                for file_path in file_paths:
-                    log.debug(f"Globbing {file_path}")
-                    glob_start = time.time()
-                    glob_files = glob(file_path, recursive=True)
-                    for glob_file in glob_files:
-                        if glob_file not in files:
-                            files.add(glob_file)
-                    glob_end = time.time()
-                    glob_total_time = glob_end - glob_start
-                    log.debug(f"Glob for pattern {file_path} took {glob_total_time:.2f} seconds")
+                pattern = Core.to_case_insensitive_regex(patterns[file_name]["pattern"])
+                file_path = f"{path}/**/{pattern}"
+                log.debug(f"Globbing {file_path}")
+                glob_start = time.time()
+                glob_files = glob(file_path, recursive=True)
+                for glob_file in glob_files:
+                    if glob_file not in files:
+                        files.add(glob_file)
+                glob_end = time.time()
+                glob_total_time = glob_end - glob_start
+                log.debug(f"Glob for pattern {file_path} took {glob_total_time:.2f} seconds")
         log.debug("Finished Find Files")
         end_time = time.time()
@@ -475,10 +476,6 @@ class Core:
         send_files = []
         create_full_start = time.time()
         log.debug("Creating new full scan")
-        # Track unique paths (case-insensitive) to avoid duplicates
-        seen_paths = {}
         for file in files:
             if platform.system() == "Windows":
                 file = file.replace("\\", "/")
@@ -488,27 +485,20 @@ class Core:
                 path = "."
                 name = file
             full_path = f"{path}/{name}"
             if full_path.startswith(workspace):
                 key = full_path[len(workspace):]
             else:
                 key = full_path
             key = key.lstrip("/")
             key = key.lstrip("./")
-            # Use lowercase version of key for deduplication
-            lower_key = key.lower()
-            if lower_key not in seen_paths:
-                seen_paths[lower_key] = key
-                payload = (
-                    key,
-                    (
-                        name,
-                        open(full_path, 'rb')
-                    )
+            payload = (
+                key,
+                (
+                    name,
+                    open(full_path, 'rb')
                 )
-                send_files.append(payload)
+            )
+            send_files.append(payload)
         query_params = urlencode(params.__dict__)
         full_uri = f"{full_scan_path}?{query_params}"
         response = do_request(full_uri, method="POST", files=send_files)
@@ -813,15 +803,18 @@ class Core:
         else:
             for top_id in package.topLevelAncestors:
                 top_package: Package
-                top_package = packages[top_id]
-                manifests = ""
-                top_purl = f"{top_package.type}/{top_package.name}@{top_package.version}"
-                for manifest_data in top_package.manifestFiles:
-                    manifest_file = manifest_data.get("file")
-                    manifests += f"{manifest_file};"
-                manifests = manifests.rstrip(";")
-                source = (top_purl, manifests)
-                introduced_by.append(source)
+                top_package = packages.get(top_id)
+                if top_package:
+                    manifests = ""
+                    top_purl = f"{top_package.type}/{top_package.name}@{top_package.version}"
+                    for manifest_data in top_package.manifestFiles:
+                        manifest_file = manifest_data.get("file")
+                        manifests += f"{manifest_file};"
+                    manifests = manifests.rstrip(";")
+                    source = (top_purl, manifests)
+                    introduced_by.append(source)
+                else:
+                    log.debug(f"Unable to get top level package info for {top_id}")
         return introduced_by
     @staticmethod
@@ -860,21 +853,29 @@ class Core:
         """
         packages = {}
         top_level_count = {}
+        top_levels = {}
         for item in sbom:
             package = Package(**item)
             if package.id in packages:
-                print("Duplicate package?")
+                log.debug("Duplicate package?")
             else:
                 package = Core.get_license_details(package)
                 packages[package.id] = package
                 for top_id in package.topLevelAncestors:
                     if top_id not in top_level_count:
                         top_level_count[top_id] = 1
+                        top_levels[top_id] = [package.id]
                     else:
                         top_level_count[top_id] += 1
+                        if package.id not in top_levels[top_id]:
+                            top_levels[top_id].append(package.id)
         if len(top_level_count) > 0:
             for package_id in top_level_count:
-                packages[package_id].transitives = top_level_count[package_id]
+                if package_id not in packages:
+                    details = top_levels.get(package_id)
+                    log.debug(f"Orphaned top level package id {package_id} for packages {details}")
+                else:
+                    packages[package_id].transitives = top_level_count[package_id]
         return packages
     @staticmethod
@@ -883,6 +884,16 @@ class Core:
         file.write(content)
         file.close()
+    @staticmethod
+    def to_case_insensitive_regex(input_string: str) -> str:
+        """
+        Converts a string into a case-insensitive regex format.
+        Example: "pipfile" -> "[Pp][Ii][Pp][Ff][Ii][Ll][Ee]"
+        :param input_string: The input string to convert.
+        :return: A case-insensitive regex string.
+        """
+        return ''.join(f'[{char.lower()}{char.upper()}]' if char.isalpha() else char for char in input_string)
     # @staticmethod
     # def create_license_file(diff: Diff) -> None:
     #     output = []

{socketsecurity-1.0.39 → socketsecurity-1.0.41}/socketsecurity/core/exceptions.py RENAMED Viewed

@@ -36,3 +36,7 @@ class APIInsufficientQuota(Exception):
 class APIResourceNotFound(Exception):
     """Raised when access is denied to the API"""
     pass
+class RequestTimeoutExceeded(Exception):
+    """Raised when access is denied to the API"""
+    pass

{socketsecurity-1.0.39 → socketsecurity-1.0.41}/socketsecurity/socketcli.py RENAMED Viewed

@@ -161,6 +161,16 @@ parser.add_argument(
     default=False
 )
+parser.add_argument(
+    '--timeout',
+    default=1200,
+    help='Timeout configuration for each request. Defaults to 1200 and applies to each unique HTTP request',
+    required=False,
+    type=float
+)
 def output_console_comments(diff_report: Diff, sbom_file_name: str = None) -> None:
     if diff_report.id != "NO_DIFF_RAN":
@@ -252,6 +262,8 @@ def main_code():
     ignore_commit_files = arguments.ignore_commit_files
     disable_blocking = arguments.disable_blocking
     allow_unverified = arguments.allow_unverified
+    timeout = arguments.timeout
     if disable_blocking:
         global blocking_disabled
         blocking_disabled = True
@@ -308,7 +320,7 @@ def main_code():
         default_branch = scm.is_default_branch
     base_api_url = os.getenv("BASE_API_URL") or None
-    core = Core(token=api_token, request_timeout=1200, base_api_url=base_api_url, allow_unverified=allow_unverified)
+    core = Core(token=api_token, request_timeout=timeout, base_api_url=base_api_url, allow_unverified=allow_unverified)
     no_change = True
     if ignore_commit_files:
         no_change = False

{socketsecurity-1.0.39 → socketsecurity-1.0.41/socketsecurity.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: socketsecurity
-Version: 1.0.39
+Version: 1.0.41
 Summary: Socket Security CLI for CI/CD
 Author-email: Douglas Coburn <douglas@socket.dev>
 Maintainer-email: Douglas Coburn <douglas@socket.dev>
@@ -31,7 +31,7 @@ The Socket Security CLI was created to enable integrations with other tools like
 socketcli [-h] [--api_token API_TOKEN] [--repo REPO] [--branch BRANCH] [--committer COMMITTER] [--pr_number PR_NUMBER]
                  [--commit_message COMMIT_MESSAGE] [--default_branch] [--target_path TARGET_PATH] [--scm {api,github,gitlab}] [--sbom-file SBOM_FILE]
                  [--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--disable-overview]
-                 [--disable-security-issue] [--files FILES] [--ignore-commit-files]
+                 [--disable-security-issue] [--files FILES] [--ignore-commit-files] [--timeout]
 ````
 If you don't want to provide the Socket API Token every time then you can use the environment variable `SOCKET_SECURITY_API_KEY`
@@ -61,3 +61,4 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --files                  |                | False    |         | If provided in the format of `["file1", "file2"]` will be used to determine if there have been supported file changes. This is used if it isn't a git repo and you would like to only run if it supported files have changed. |
 | --ignore-commit-files    |                | False    | False   | If enabled then the CLI will ignore what files are changed in the commit and look for all manifest files                                                                                                                      |
 | --disable-blocking       |                | False    | False   | Disables failing checks and will only exit with an exit code of 0                                                                                                                                                             |
+| --timeout                |                | False    | 1200    | The timeout per request for the CLI                                                                                                                                                                                           |