socketsecurity 1.0.42__tar.gz → 1.0.43__tar.gz

Files changed (23) hide show
  1. {socketsecurity-1.0.42/socketsecurity.egg-info → socketsecurity-1.0.43}/PKG-INFO +3 -2
  2. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/README.md +2 -1
  3. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/__init__.py +1 -1
  4. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/messages.py +123 -0
  5. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/socketcli.py +37 -2
  6. {socketsecurity-1.0.42 → socketsecurity-1.0.43/socketsecurity.egg-info}/PKG-INFO +3 -2
  7. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/LICENSE +0 -0
  8. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/pyproject.toml +0 -0
  9. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/setup.cfg +0 -0
  10. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/__init__.py +0 -0
  11. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/classes.py +0 -0
  12. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/exceptions.py +0 -0
  13. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/git_interface.py +0 -0
  14. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/github.py +0 -0
  15. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/gitlab.py +0 -0
  16. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/issues.py +0 -0
  17. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/licenses.py +0 -0
  18. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity/core/scm_comments.py +0 -0
  19. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity.egg-info/SOURCES.txt +0 -0
  20. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity.egg-info/dependency_links.txt +0 -0
  21. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity.egg-info/entry_points.txt +0 -0
  22. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity.egg-info/requires.txt +0 -0
  23. {socketsecurity-1.0.42 → socketsecurity-1.0.43}/socketsecurity.egg-info/top_level.txt +0 -0
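--- a/socketsecurity-1.0.42/socketsecurity.egg-info/PKG-INFO
+++ b/socketsecurity-1.0.43/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: socketsecurity
-Version: 1.0.42
+Version: 1.0.43
 Summary: Socket Security CLI for CI/CD
 Author-email: Douglas Coburn <douglas@socket.dev>
 Maintainer-email: Douglas Coburn <douglas@socket.dev>
@@ -31,7 +31,7 @@ The Socket Security CLI was created to enable integrations with other tools like
 ```` shell
 socketcli [-h] [--api_token API_TOKEN] [--repo REPO] [--branch BRANCH] [--committer COMMITTER] [--pr_number PR_NUMBER]
 [--commit_message COMMIT_MESSAGE] [--default_branch] [--target_path TARGET_PATH] [--scm {api,github,gitlab}] [--sbom-file SBOM_FILE]
-[--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--disable-overview]
+[--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--enable-sarif] [--disable-overview]
 [--disable-security-issue] [--files FILES] [--ignore-commit-files] [--timeout]
 ````
 
@@ -57,6 +57,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --commit-sha | | False | | The commit hash for the commit |
 | --generate-license | | False | False | If enabled with `--sbom-file` will include license details |
 | --enable-json | | False | False | If enabled will change the console output format to JSON |
+| --enable-sarif | | False | False | If enabled will change the console output format to SARIF |
 | --disable-overview | | False | False | If enabled will disable Dependency Overview comments |
 | --disable-security-issue | | False | False | If enabled will disable Security Issue Comments |
 | --files | | False | | If provided in the format of `["file1", "file2"]` will be used to determine if there have been supported file changes. This is used if it isn't a git repo and you would like to only run if it supported files have changed. |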
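--- a/socketsecurity-1.0.42/README.md
+++ b/socketsecurity-1.0.43/README.md
@@ -7,7 +7,7 @@ The Socket Security CLI was created to enable integrations with other tools like
 ```` shell
 socketcli [-h] [--api_token API_TOKEN] [--repo REPO] [--branch BRANCH] [--committer COMMITTER] [--pr_number PR_NUMBER]
 [--commit_message COMMIT_MESSAGE] [--default_branch] [--target_path TARGET_PATH] [--scm {api,github,gitlab}] [--sbom-file SBOM_FILE]
-[--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--disable-overview]
+[--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--enable-sarif] [--disable-overview]
 [--disable-security-issue] [--files FILES] [--ignore-commit-files] [--timeout]
 ````
 
@@ -33,6 +33,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --commit-sha | | False | | The commit hash for the commit |
 | --generate-license | | False | False | If enabled with `--sbom-file` will include license details |
 | --enable-json | | False | False | If enabled will change the console output format to JSON |
+| --enable-sarif | | False | False | If enabled will change the console output format to SARIF |
 | --disable-overview | | False | False | If enabled will disable Dependency Overview comments |
 | --disable-security-issue | | False | False | If enabled will disable Security Issue Comments |
 | --files | | False | | If provided in the format of `["file1", "file2"]` will be used to determine if there have been supported file changes. This is used if it isn't a git repo and you would like to only run if it supported files have changed. |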
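--- a/socketsecurity-1.0.42/socketsecurity/__init__.py
+++ b/socketsecurity-1.0.43/socketsecurity/__init__.py
@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '1.0.42'
+__version__ = '1.0.43'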
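--- a/socketsecurity-1.0.42/socketsecurity/core/messages.py
+++ b/socketsecurity-1.0.43/socketsecurity/core/messages.py
@@ -1,4 +1,5 @@
 import json
+import os
 
 from mdutils import MdUtils
 from socketsecurity.core.classes import Diff, Purl, Issue
@@ -7,6 +8,128 @@ from prettytable import PrettyTable
 
 class Messages:
 
+@staticmethod
+def map_severity_to_sarif(severity: str) -> str:
+"""
+Map Socket severity levels to SARIF levels (GitHub code scanning).
+"""
+severity_mapping = {
+"low": "note",
+"medium": "warning",
+"middle": "warning", # older data might say "middle"
+"high": "error",
+"critical": "error",
+}
+return severity_mapping.get(severity.lower(), "note")
+
+
+@staticmethod
+def find_line_in_file(pkg_name: str, manifest_file: str) -> tuple[int, str]:
+"""
+Search 'manifest_file' for 'pkg_name'.
+Return (line_number, line_content) if found, else (1, fallback).
+"""
+if not manifest_file or not os.path.isfile(manifest_file):
+return 1, f"[No {manifest_file or 'manifest'} found in repo]"
+try:
+with open(manifest_file, "r", encoding="utf-8") as f:
+lines = f.readlines()
+for i, line in enumerate(lines, start=1):
+if pkg_name.lower() in line.lower():
+return i, line.rstrip("\n")
+except Exception as e:
+return 1, f"[Error reading {manifest_file}: {e}]"
+return 1, f"[Package '{pkg_name}' not found in {manifest_file}]"
+
+@staticmethod
+def create_security_comment_sarif(diff: Diff) -> dict:
+"""
+Create SARIF-compliant output from the diff report.
+"""
+scan_failed = False
+if len(diff.new_alerts) == 0:
+for alert in diff.new_alerts:
+alert: Issue
+if alert.error:
+scan_failed = True
+break
+
+# Basic SARIF structure
+sarif_data = {
+"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+"version": "2.1.0",
+"runs": [
+{
+"tool": {
+"driver": {
+"name": "Socket Security",
+"informationUri": "https://socket.dev",
+"rules": []
+}
+},
+"results": []
+}
+]
+}
+
+rules_map = {}
+results_list = []
+
+for alert in diff.new_alerts:
+alert: Issue
+pkg_name = alert.pkg_name
+pkg_version = alert.pkg_version
+rule_id = f"{pkg_name}=={pkg_version}"
+severity = alert.severity
+
+# Title and descriptions
+title = f"Alert generated for {pkg_name}=={pkg_version} by Socket Security"
+full_desc = f"{alert.title} - {alert.description}"
+short_desc = f"{alert.props.get('note', '')}\r\n\r\nSuggested Action:\r\n{alert.suggestion}"
+
+# Find the manifest file and line details
+introduced_list = alert.introduced_by
+if introduced_list and isinstance(introduced_list[0], list) and len(introduced_list[0]) > 1:
+manifest_file = introduced_list[0][1]
+else:
+manifest_file = alert.manifests or "requirements.txt"
+
+line_number, line_content = Messages.find_line_in_file(pkg_name, manifest_file)
+
+# Define the rule if not already defined
+if rule_id not in rules_map:
+rules_map[rule_id] = {
+"id": rule_id,
+"name": f"{pkg_name}=={pkg_version}",
+"shortDescription": {"text": title},
+"fullDescription": {"text": full_desc},
+"helpUri": alert.url,
+"defaultConfiguration": {"level": Messages.map_severity_to_sarif(severity)},
+}
+
+# Add the result
+result_obj = {
+"ruleId": rule_id,
+"message": {"text": short_desc},
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {"uri": manifest_file},
+"region": {
+"startLine": line_number,
+"snippet": {"text": line_content},
+},
+}
+}
+],
+}
+results_list.append(result_obj)
+
+sarif_data["runs"][0]["tool"]["driver"]["rules"] = list(rules_map.values())
+sarif_data["runs"][0]["results"] = results_list
+
+return sarif_data
+
 @staticmethod
 def create_security_comment_json(diff: Diff) -> dict:
 scan_failed = False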
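Review bot: The `scan_failed` pre-scan at the top of `create_security_comment_sarif` is dead code: `if len(diff.new_alerts) == 0:` guards a loop over `diff.new_alerts`, so the loop body can never execute, and `scan_failed` is never read afterwards — either drop the block or invert the guard to `if diff.new_alerts:` and surface the flag in the returned document (for example in the run's `invocations`). Keying rules on `f"{pkg_name}=={pkg_version}"` also means every alert on the same package/version shares one rule whose `fullDescription`, `helpUri` and level come from whichever alert was seen first, so distinct alert kinds are reported under one rule; including the alert kind in `rule_id` would keep them separate. In `find_line_in_file`, `manifest_file` is taken from the alert's `introduced_by`/`manifests` data and is opened as-is, with the matching line copied into the SARIF `snippet`; resolving it against the scanned workspace and rejecting anything that falls outside it (e.g. an `os.path.commonpath` check, which would require the workspace to be passed in) would keep the report from reading files outside the repository. The substring test `pkg_name.lower() in line.lower()` matches longer names as well (`requests` inside `requests-oauthlib`), so the reported line can be wrong; a word-boundary match is safer.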
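--- a/socketsecurity-1.0.42/socketsecurity/socketcli.py
+++ b/socketsecurity-1.0.43/socketsecurity/socketcli.py
@@ -170,6 +170,14 @@ parser.add_argument(
 type=float
 )
 
+parser.add_argument(
+'--enable-sarif',
+help='Enable SARIF output of results instead of table or JSON format',
+action='store_true',
+default=False
+)
+
+
 def output_console_comments(diff_report: Diff, sbom_file_name: str = None) -> None:
 if diff_report.id != "NO_DIFF_RAN":
 console_security_comment = Messages.create_console_security_alert_table(diff_report)
@@ -188,6 +196,25 @@ def output_console_comments(diff_report: Diff, sbom_file_name: str = None) -> No
 else:
 log.info("No New Security issues detected by Socket Security")
 
+def output_console_sarif(diff_report: Diff, sbom_file_name: str = None) -> None:
+"""
+Generate SARIF output from the diff report and save it to a file.
+"""
+if diff_report.id != "NO_DIFF_RAN":
+# Generate the SARIF structure using Messages
+console_security_comment = Messages.create_security_comment_sarif(diff_report)
+
+# Save the SARIF output to the specified SBOM file name or fallback to a default
+save_sbom_file(diff_report, sbom_file_name)
+# Print the SARIF output to the console in JSON format
+print(json.dumps(console_security_comment, indent=2))
+
+# Handle exit codes based on alert severity
+if not report_pass(diff_report) and not blocking_disabled:
+sys.exit(1)
+elif len(diff_report.new_alerts) > 0 and not blocking_disabled:
+# Warning alerts without blocking
+sys.exit(5)
 
 def output_console_json(diff_report: Diff, sbom_file_name: str = None) -> None:
 if diff_report.id != "NO_DIFF_RAN":
@@ -257,6 +284,7 @@ def main_code():
 sbom_file = arguments.sbom_file
 license_mode = arguments.generate_license
 enable_json = arguments.enable_json
+enable_sarif = arguments.enable_sarif
 disable_overview = arguments.disable_overview
 disable_security_issue = arguments.disable_security_issue
 ignore_commit_files = arguments.ignore_commit_files
@@ -401,7 +429,10 @@ def main_code():
 else:
 log.info("Starting non-PR/MR flow")
 diff = core.create_new_diff(target_path, params, workspace=target_path, no_change=no_change)
-if enable_json:
+if enable_sarif:
+log.debug("Outputting SARIF Results")
+output_console_sarif(diff, sbom_file)
+elif enable_json:
 log.debug("Outputting JSON Results")
 output_console_json(diff, sbom_file)
 else:
@@ -410,7 +441,11 @@ def main_code():
 log.info("API Mode")
 diff: Diff
 diff = core.create_new_diff(target_path, params, workspace=target_path, no_change=no_change)
-if enable_json:
+if enable_sarif:
+log.debug("Outputting SARIF Results")
+output_console_sarif(diff, sbom_file)
+elif enable_json:
+log.debug("Outputting JSON Results")
 output_console_json(diff, sbom_file)
 else:
 output_console_comments(diff, sbom_file)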
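Review bot: The docstring and the "Save the SARIF output" comment in `output_console_sarif` do not match the code: `save_sbom_file(diff_report, sbom_file_name)` is handed the diff report, not the SARIF document, and the SARIF itself only reaches stdout through `print(json.dumps(console_security_comment, indent=2))`; a code-scanning upload step needs it on disk, so either write `console_security_comment` to a file or reword the docstring to `Generate SARIF output from the diff report, print it to stdout as JSON and apply the exit-code policy.` and change the comment to `# Save the diff/SBOM as in the other output modes; the SARIF itself is only printed`. The function also relies on `report_pass` and `blocking_disabled` as module-level names that this hunk does not show; if `blocking_disabled` is assigned inside `main_code`, confirm it is set before either call site in the `main_code` hunks below reaches this function. Because `print` shares stdout with whatever the logger writes, the `log.debug("Outputting SARIF Results")` emitted immediately before the call would corrupt the JSON stream if logging is configured to stdout, which is worth checking. When `diff_report.id == "NO_DIFF_RAN"` nothing is printed at all, leaving a SARIF consumer with no document; emitting an empty run (`"results": []`) would be the safer default.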
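--- a/socketsecurity-1.0.42/PKG-INFO
+++ b/socketsecurity-1.0.43/socketsecurity.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: socketsecurity
-Version: 1.0.42
+Version: 1.0.43
 Summary: Socket Security CLI for CI/CD
 Author-email: Douglas Coburn <douglas@socket.dev>
 Maintainer-email: Douglas Coburn <douglas@socket.dev>
@@ -31,7 +31,7 @@ The Socket Security CLI was created to enable integrations with other tools like
 ```` shell
 socketcli [-h] [--api_token API_TOKEN] [--repo REPO] [--branch BRANCH] [--committer COMMITTER] [--pr_number PR_NUMBER]
 [--commit_message COMMIT_MESSAGE] [--default_branch] [--target_path TARGET_PATH] [--scm {api,github,gitlab}] [--sbom-file SBOM_FILE]
-[--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--disable-overview]
+[--commit-sha COMMIT_SHA] [--generate-license GENERATE_LICENSE] [-v] [--enable-debug] [--enable-json] [--enable-sarif] [--disable-overview]
 [--disable-security-issue] [--files FILES] [--ignore-commit-files] [--timeout]
 ````
 
@@ -57,6 +57,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --commit-sha | | False | | The commit hash for the commit |
 | --generate-license | | False | False | If enabled with `--sbom-file` will include license details |
 | --enable-json | | False | False | If enabled will change the console output format to JSON |
+| --enable-sarif | | False | False | If enabled will change the console output format to SARIF |
 | --disable-overview | | False | False | If enabled will disable Dependency Overview comments |
 | --disable-security-issue | | False | False | If enabled will disable Security Issue Comments |
 | --files | | False | | If provided in the format of `["file1", "file2"]` will be used to determine if there have been supported file changes. This is used if it isn't a git repo and you would like to only run if it supported files have changed. |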