PyPI - socketsecurity - Versions diffs - 1.0.43__tar.gz → 1.0.47__tar.gz - Mend

socketsecurity 1.0.43tar.gz → 1.0.47tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

{socketsecurity-1.0.43/socketsecurity.egg-info → socketsecurity-1.0.47}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: socketsecurity
-Version: 1.0.43
+Version: 1.0.47
 Summary: Socket Security CLI for CI/CD
 Author-email: Douglas Coburn <douglas@socket.dev>
 Maintainer-email: Douglas Coburn <douglas@socket.dev>

{socketsecurity-1.0.43 → socketsecurity-1.0.47}/socketsecurity/__init__.py RENAMED Viewed

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '1.0.43'
+__version__ = '1.0.47'

{socketsecurity-1.0.43 → socketsecurity-1.0.47}/socketsecurity/core/messages.py RENAMED Viewed

@@ -1,6 +1,9 @@
 import json
 import os
+import re
+import json
+from pathlib import Path
 from mdutils import MdUtils
 from socketsecurity.core.classes import Diff, Purl, Issue
 from prettytable import PrettyTable
@@ -12,6 +15,10 @@ class Messages:
     def map_severity_to_sarif(severity: str) -> str:
         """
         Map Socket severity levels to SARIF levels (GitHub code scanning).
+        'low' -> 'note'
+        'medium' or 'middle' -> 'warning'
+        'high' or 'critical' -> 'error'
         """
         severity_mapping = {
             "low": "note",
@@ -22,39 +29,168 @@ class Messages:
         }
         return severity_mapping.get(severity.lower(), "note")
     @staticmethod
-    def find_line_in_file(pkg_name: str, manifest_file: str) -> tuple[int, str]:
+    def find_line_in_file(packagename: str, packageversion: str, manifest_file: str) -> tuple:
         """
-        Search 'manifest_file' for 'pkg_name'.
-        Return (line_number, line_content) if found, else (1, fallback).
+        Finds the line number and snippet of code for the given package/version in a manifest file.
+        Returns a 2-tuple: (line_number, snippet_or_message).
+        Supports:
+          1) JSON-based manifest files (package-lock.json, Pipfile.lock, composer.lock)
+             - Locates a dictionary entry with the matching package & version
+             - Does a rough line-based search to find the actual line in the raw text
+          2) Text-based (requirements.txt, package.json, yarn.lock, etc.)
+             - Uses compiled regex patterns to detect a match line by line
         """
-        if not manifest_file or not os.path.isfile(manifest_file):
-            return 1, f"[No {manifest_file or 'manifest'} found in repo]"
+        # Extract just the file name to detect manifest type
+        file_type = Path(manifest_file).name
+        # ----------------------------------------------------
+        # 1) JSON-based manifest files
+        # ----------------------------------------------------
+        if file_type in ["package-lock.json", "Pipfile.lock", "composer.lock"]:
+            try:
+                # Read entire file so we can parse JSON and also do raw line checks
+                with open(manifest_file, "r", encoding="utf-8") as f:
+                    raw_text = f.read()
+                # Attempt JSON parse
+                data = json.loads(raw_text)
+                # In practice, you may need to check data["dependencies"], data["default"], etc.
+                # This is an example approach.
+                packages_dict = (
+                    data.get("packages")
+                    or data.get("default")
+                    or data.get("dependencies")
+                    or {}
+                )
+                found_key = None
+                found_info = None
+                # Locate a dictionary entry whose 'version' matches
+                for key, value in packages_dict.items():
+                    # For NPM package-lock, keys might look like "node_modules/axios"
+                    if key.endswith(packagename) and "version" in value:
+                        if value["version"] == packageversion:
+                            found_key = key
+                            found_info = value
+                            break
+                if found_key and found_info:
+                    # Search lines to approximate the correct line number
+                    needle_key = f'"{found_key}":'               # e.g. "node_modules/axios":
+                    needle_version = f'"version": "{packageversion}"'
+                    lines = raw_text.splitlines()
+                    best_line = 1
+                    snippet = None
+                    for i, line in enumerate(lines, start=1):
+                        if (needle_key in line) or (needle_version in line):
+                            best_line = i
+                            snippet = line.strip()
+                            break  # On first match, stop
+                    # If we found an approximate line, return it; else fallback to line 1
+                    if best_line > 0 and snippet:
+                        return best_line, snippet
+                    else:
+                        return 1, f'"{found_key}": {found_info}'
+                else:
+                    return 1, f"{packagename} {packageversion} (not found in {manifest_file})"
+            except (FileNotFoundError, json.JSONDecodeError):
+                return 1, f"Error reading {manifest_file}"
+        # ----------------------------------------------------
+        # 2) Text-based / line-based manifests
+        # ----------------------------------------------------
+        # Define a dictionary of patterns for common manifest types
+        search_patterns = {
+            "package.json":         rf'"{packagename}":\s*"{packageversion}"',
+            "yarn.lock":            rf'{packagename}@{packageversion}',
+            "pnpm-lock.yaml":       rf'"{re.escape(packagename)}"\s*:\s*\{{[^}}]*"version":\s*"{re.escape(packageversion)}"',
+            "requirements.txt":     rf'^{re.escape(packagename)}\s*(?:==|===|!=|>=|<=|~=|\s+)?\s*{re.escape(packageversion)}(?:\s*;.*)?$',
+            "pyproject.toml":       rf'{packagename}\s*=\s*"{packageversion}"',
+            "Pipfile":              rf'"{packagename}"\s*=\s*"{packageversion}"',
+            "go.mod":               rf'require\s+{re.escape(packagename)}\s+{re.escape(packageversion)}',
+            "go.sum":               rf'{re.escape(packagename)}\s+{re.escape(packageversion)}',
+            "pom.xml":              rf'<artifactId>{re.escape(packagename)}</artifactId>\s*<version>{re.escape(packageversion)}</version>',
+            "build.gradle":         rf'implementation\s+"{re.escape(packagename)}:{re.escape(packageversion)}"',
+            "Gemfile":              rf'gem\s+"{re.escape(packagename)}",\s*"{re.escape(packageversion)}"',
+            "Gemfile.lock":         rf'\s+{re.escape(packagename)}\s+\({re.escape(packageversion)}\)',
+            ".csproj":              rf'<PackageReference\s+Include="{re.escape(packagename)}"\s+Version="{re.escape(packageversion)}"\s*/>',
+            ".fsproj":              rf'<PackageReference\s+Include="{re.escape(packagename)}"\s+Version="{re.escape(packageversion)}"\s*/>',
+            "paket.dependencies":   rf'nuget\s+{re.escape(packagename)}\s+{re.escape(packageversion)}',
+            "Cargo.toml":           rf'{re.escape(packagename)}\s*=\s*"{re.escape(packageversion)}"',
+            "build.sbt":            rf'"{re.escape(packagename)}"\s*%\s*"{re.escape(packageversion)}"',
+            "Podfile":              rf'pod\s+"{re.escape(packagename)}",\s*"{re.escape(packageversion)}"',
+            "Package.swift":        rf'\.package\(name:\s*"{re.escape(packagename)}",\s*url:\s*".*?",\s*version:\s*"{re.escape(packageversion)}"\)',
+            "mix.exs":              rf'\{{:{re.escape(packagename)},\s*"{re.escape(packageversion)}"\}}',
+            "composer.json":        rf'"{re.escape(packagename)}":\s*"{re.escape(packageversion)}"',
+            "conanfile.txt":        rf'{re.escape(packagename)}/{re.escape(packageversion)}',
+            "vcpkg.json":           rf'"{re.escape(packagename)}":\s*"{re.escape(packageversion)}"',
+        }
+        # If no specific pattern is found for this file name, fallback to a naive approach
+        searchstring = search_patterns.get(file_type, rf'{re.escape(packagename)}.*{re.escape(packageversion)}')
         try:
-            with open(manifest_file, "r", encoding="utf-8") as f:
-                lines = f.readlines()
-                for i, line in enumerate(lines, start=1):
-                    if pkg_name.lower() in line.lower():
-                        return i, line.rstrip("\n")
+            # Read file lines and search for a match
+            with open(manifest_file, 'r', encoding="utf-8") as file:
+                lines = [line.rstrip("\n") for line in file]
+                for line_number, line_content in enumerate(lines, start=1):
+                    # For Python conditional dependencies, ignore everything after first ';'
+                    line_main = line_content.split(";", 1)[0].strip()
+                    # Use a case-insensitive regex search
+                    if re.search(searchstring, line_main, re.IGNORECASE):
+                        return line_number, line_content.strip()
+        except FileNotFoundError:
+            return 1, f"{manifest_file} not found"
         except Exception as e:
-            return 1, f"[Error reading {manifest_file}: {e}]"
-        return 1, f"[Package '{pkg_name}' not found in {manifest_file}]"
+            return 1, f"Error reading {manifest_file}: {e}"
+        return 1, f"{packagename} {packageversion} (not found)"
     @staticmethod
-    def create_security_comment_sarif(diff: Diff) -> dict:
+    def get_manifest_type_url(manifest_file: str, pkg_name: str, pkg_version: str) -> str:
         """
-        Create SARIF-compliant output from the diff report.
+        Determine the correct URL path based on the manifest file type.
         """
-        scan_failed = False
-        if len(diff.new_alerts) == 0:
-            for alert in diff.new_alerts:
-                alert: Issue
-                if alert.error:
-                    scan_failed = True
-                    break
+        manifest_to_url_prefix = {
+            "package.json": "npm",
+            "package-lock.json": "npm",
+            "yarn.lock": "npm",
+            "pnpm-lock.yaml": "npm",
+            "requirements.txt": "pypi",
+            "pyproject.toml": "pypi",
+            "Pipfile": "pypi",
+            "go.mod": "go",
+            "go.sum": "go",
+            "pom.xml": "maven",
+            "build.gradle": "maven",
+            ".csproj": "nuget",
+            ".fsproj": "nuget",
+            "paket.dependencies": "nuget",
+            "Cargo.toml": "cargo",
+            "Gemfile": "rubygems",
+            "Gemfile.lock": "rubygems",
+            "composer.json": "composer",
+            "vcpkg.json": "vcpkg",
+        }
-        # Basic SARIF structure
+        file_type = Path(manifest_file).name
+        url_prefix = manifest_to_url_prefix.get(file_type, "unknown")
+        return f"https://socket.dev/{url_prefix}/package/{pkg_name}/alerts/{pkg_version}"
+    @staticmethod
+    def create_security_comment_sarif(diff) -> dict:
+        """
+        Create SARIF-compliant output from the diff report, including dynamic URL generation
+        based on manifest type and improved <br/> formatting for GitHub SARIF display.
+        """
         sarif_data = {
             "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
             "version": "2.1.0",
@@ -76,38 +212,39 @@ class Messages:
         results_list = []
         for alert in diff.new_alerts:
-            alert: Issue
             pkg_name = alert.pkg_name
             pkg_version = alert.pkg_version
             rule_id = f"{pkg_name}=={pkg_version}"
             severity = alert.severity
-            # Title and descriptions
-            title = f"Alert generated for {pkg_name}=={pkg_version} by Socket Security"
-            full_desc = f"{alert.title} - {alert.description}"
-            short_desc = f"{alert.props.get('note', '')}\r\n\r\nSuggested Action:\r\n{alert.suggestion}"
-            # Find the manifest file and line details
+            # Generate the correct URL for the alert based on manifest type
             introduced_list = alert.introduced_by
-            if introduced_list and isinstance(introduced_list[0], list) and len(introduced_list[0]) > 1:
-                manifest_file = introduced_list[0][1]
-            else:
-                manifest_file = alert.manifests or "requirements.txt"
+            manifest_file = introduced_list[0][1] if introduced_list and isinstance(introduced_list[0], list) else alert.manifests or "requirements.txt"
+            socket_url = Messages.get_manifest_type_url(manifest_file, pkg_name, pkg_version)
-            line_number, line_content = Messages.find_line_in_file(pkg_name, manifest_file)
+            # Prepare descriptions with <br/> replacements
+            short_desc = f"{alert.props.get('note', '')}<br/><br/>Suggested Action:<br/>{alert.suggestion}<br/><a href=\"{socket_url}\">{socket_url}</a>"
+            full_desc = f"{alert.title} - {alert.description.replace('\r\n', '<br/>')}"
-            # Define the rule if not already defined
+            # Identify the line and snippet in the manifest file
+            line_number, line_content = Messages.find_line_in_file(pkg_name, pkg_version, manifest_file)
+            if line_number < 1:
+                line_number = 1  # Ensure SARIF compliance
+            # Create the rule if not already defined
             if rule_id not in rules_map:
                 rules_map[rule_id] = {
                     "id": rule_id,
                     "name": f"{pkg_name}=={pkg_version}",
-                    "shortDescription": {"text": title},
+                    "shortDescription": {"text": f"Alert generated for {rule_id} by Socket Security"},
                     "fullDescription": {"text": full_desc},
-                    "helpUri": alert.url,
-                    "defaultConfiguration": {"level": Messages.map_severity_to_sarif(severity)},
+                    "helpUri": socket_url,
+                    "defaultConfiguration": {
+                        "level": Messages.map_severity_to_sarif(severity)
+                    },
                 }
-            # Add the result
+            # Add the SARIF result
             result_obj = {
                 "ruleId": rule_id,
                 "message": {"text": short_desc},
@@ -125,6 +262,7 @@ class Messages:
             }
             results_list.append(result_obj)
+        # Attach rules and results
         sarif_data["runs"][0]["tool"]["driver"]["rules"] = list(rules_map.values())
         sarif_data["runs"][0]["results"] = results_list

{socketsecurity-1.0.43 → socketsecurity-1.0.47/socketsecurity.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: socketsecurity
-Version: 1.0.43
+Version: 1.0.47
 Summary: Socket Security CLI for CI/CD
 Author-email: Douglas Coburn <douglas@socket.dev>
 Maintainer-email: Douglas Coburn <douglas@socket.dev>