socketsecurity 2.0.52__tar.gz → 2.0.55__tar.gz

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.0.52
+Version: 2.0.55
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.0.52"
+version = "2.0.55"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/__init__.py

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.0.52'
+__version__ = '2.0.55'

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/config.py

@@ -50,6 +50,7 @@ class CliConfig:
     timeout: Optional[int] = 1200
     exclude_license_details: bool = False
     include_module_folders: bool = False
+    repo_is_public: bool = False
     version: str = __version__
     jira_plugin: PluginConfig = field(default_factory=PluginConfig)
     slack_plugin: PluginConfig = field(default_factory=PluginConfig)
@@ -94,6 +95,7 @@ class CliConfig:
             'timeout': args.timeout,
             'exclude_license_details': args.exclude_license_details,
             'include_module_folders': args.include_module_folders,
+            'repo_is_public': args.repo_is_public,
             'version': __version__
         }
         config_args.update({
@@ -147,30 +149,32 @@ def create_argument_parser() -> argparse.ArgumentParser:
         required=False
     )
     repo_group.add_argument(
+        "--repo-is-public",
+        dest="repo_is_public",
+        action="store_true",
+        help="If set it will flag a new repository creation as public. Defaults to false."
+    )
+    repo_group.add_argument(
+        "--branch",
+        metavar="<name>",
+        help="Branch name",
+        default=""
+    )
+
+    integration_group = parser.add_argument_group('Integration')
+    integration_group.add_argument(
         "--integration",
         choices=INTEGRATION_TYPES,
         metavar="<type>",
-        help="Integration type",
+        help="Integration type of api, github, gitlab, azure, or bitbucket. Defaults to api",
         default="api"
     )
-    repo_group.add_argument(
+    integration_group.add_argument(
         "--owner",
         metavar="<name>",
         help="Name of the integration owner, defaults to the socket organization slug",
         required=False
     )
-    repo_group.add_argument(
-        "--branch",
-        metavar="<name>",
-        help="Branch name",
-        default=""
-    )
-    repo_group.add_argument(
-        "--committers",
-        metavar="<name>",
-        help="Committer(s) to filter by",
-        nargs="*"
-    )
 
     # Pull Request and Commit info
     pr_group = parser.add_argument_group('Pull Request and Commit')
@@ -209,6 +213,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         dest="commit_sha",
         help=argparse.SUPPRESS
     )
+    pr_group.add_argument(
+        "--committers",
+        metavar="<name>",
+        help="Committer for the commit (comma separated)",
+        nargs="*"
+    )
 
     # Path and File options
     path_group = parser.add_argument_group('Path and File')

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/core/__init__.py

@@ -21,7 +21,7 @@ from socketsecurity.core.classes import (
     FullScan,
     Issue,
     Package,
-    Purl,
+    Purl
 )
 from socketsecurity.core.exceptions import APIResourceNotFound
 from socketsecurity.core.licenses import Licenses
@@ -439,7 +439,12 @@ class Core:
             log.warning(f"Failed to get repository {repo_slug}, attempting to create it")
             try:
 
-                create_response = self.sdk.repos.post(self.config.org_slug, name=repo_slug, default_branch=default_branch)
+                create_response = self.sdk.repos.post(
+                    self.config.org_slug,
+                    name=repo_slug,
+                    default_branch=default_branch,
+                    visibility=self.config.repo_visibility
+                )
 
                 # Check if the response is empty (failure) or has content (success)
                 if not create_response:
@@ -644,7 +649,7 @@ class Core:
         seen_removed_packages = set()
 
         for package_id, package in added_packages.items():
-            purl = Core.create_purl(package_id, added_packages)
+            purl = self.create_purl(package_id, added_packages)
             base_purl = f"{purl.ecosystem}/{purl.name}@{purl.version}"
 
             if (not direct_only or package.direct) and base_purl not in seen_new_packages:
@@ -658,7 +663,7 @@ class Core:
             )
 
         for package_id, package in removed_packages.items():
-            purl = Core.create_purl(package_id, removed_packages)
+            purl = self.create_purl(package_id, removed_packages)
             base_purl = f"{purl.ecosystem}/{purl.name}@{purl.version}"
 
             if (not direct_only or package.direct) and base_purl not in seen_removed_packages:
@@ -682,8 +687,13 @@ class Core:
 
         return diff
 
-    @staticmethod
-    def create_purl(package_id: str, packages: dict[str, Package]) -> Purl:
+    def get_all_scores(self, packages: dict[str, Package]) -> dict[str, Package]:
+        components = []
+        for package_id in packages:
+            package = packages[package_id]
+        return packages
+
+    def create_purl(self, package_id: str, packages: dict[str, Package]) -> Purl:
         """
         Creates the extended PURL data for package identification and tracking.
 
@@ -707,7 +717,8 @@ class Core:
             size=package.size,
             transitives=package.transitives,
             url=package.url,
-            purl=package.purl
+            purl=package.purl,
+            scores=package.score
         )
         return purl
 

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/core/classes.py

@@ -370,7 +370,6 @@ class Repository:
     def __str__(self):
         return json.dumps(self.__dict__)
 
-
 class Purl:
     """
     Represents a Package URL (PURL) with extended metadata.
@@ -392,6 +391,7 @@ class Purl:
     author_url: str
     url: str
     purl: str
+    scores: dict[str, int]
 
     def __init__(self, **kwargs):
         if kwargs:

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/core/messages.py

@@ -302,26 +302,95 @@ class Messages:
     @staticmethod
     def security_comment_template(diff: Diff) -> str:
         """
-        Creates the security comment template
-        :param diff: Diff - Diff report with the data needed for the template
-        :return:
+        Generates the security comment template in the new required format.
+        Dynamically determines placement of the alerts table if markers like `<!-- start-socket-alerts-table -->` are used.
+
+        :param diff: Diff - Contains the detected vulnerabilities and warnings.
+        :return: str - The formatted Markdown/HTML string.
         """
-        md = MdUtils(file_name="markdown_security_temp.md")
-        md.new_line("<!-- socket-security-comment-actions -->")
-        md.new_header(level=1, title="Socket Security: Issues Report")
-        md.new_line("Potential security issues detected. Learn more about [socket.dev](https://socket.dev)")
-        md.new_line("To accept the risk, merge this PR and you will not be notified again.")
-        md.new_line()
-        md.new_line("<!-- start-socket-alerts-table -->")
-        md, ignore_commands, next_steps = Messages.create_security_alert_table(diff, md)
-        md.new_line("<!-- end-socket-alerts-table -->")
-        md.new_line()
-        md = Messages.create_next_steps(md, next_steps)
-        md = Messages.create_deeper_look(md)
-        md = Messages.create_remove_package(md)
-        md = Messages.create_acceptable_risk(md, ignore_commands)
-        md.create_md_file()
-        return md.file_data_text.lstrip()
+        # Start of the comment
+        comment = """<!-- socket-security-comment-actions -->
+
+> **❗️ Caution**  
+> **Review the following alerts detected in dependencies.**  
+>  
+> According to your organization’s Security Policy, you **must** resolve all **“Block”** alerts before proceeding. It’s recommended to resolve **“Warn”** alerts too.  
+> Learn more about [Socket for GitHub](https://socket.dev?utm_medium=gh).
+
+<!-- start-socket-updated-alerts-table -->
+<table>
+  <thead>
+    <tr>
+      <th>Action</th>
+      <th>Severity</th>
+      <th align="left">Alert (click for details)</th>
+    </tr>
+  </thead>
+  <tbody>
+    """
+
+        # Loop through alerts, dynamically generating rows
+        for alert in diff.new_alerts:
+            severity_icon = Messages.get_severity_icon(alert.severity)
+            action = "Block" if alert.error else "Warn"
+            details_open = ""
+            # Generate a table row for each alert
+            comment += f"""
+<!-- start-socket-alert-{alert.pkg_name}@{alert.pkg_version} -->
+<tr>
+  <td><strong>{action}</strong></td>
+  <td align="center">
+      <img src="{severity_icon}" alt="{alert.severity}" width="20" height="20">
+  </td>
+  <td>
+    <details {details_open}>
+      <summary>{alert.pkg_name}@{alert.pkg_version} - {alert.title}</summary>
+      <p><strong>Note:</strong> {alert.description}</p>
+      <p><strong>Source:</strong> <a href="{alert.manifests}">Manifest File</a></p>
+      <p>ℹ️ Read more on:  
+      <a href="{alert.purl}">This package</a> |  
+      <a href="{alert.url}">This alert</a> |  
+      <a href="https://socket.dev/alerts/malware">What is known malware?</a></p>
+      <blockquote>
+        <p><em>Suggestion:</em> {alert.suggestion}</p>
+        <p><em>Mark as acceptable risk:</em> To ignore this alert only in this pull request, reply with:<br/>
+        <code>@SocketSecurity ignore {alert.pkg_name}@{alert.pkg_version}</code><br/>
+        Or ignore all future alerts with:<br/>
+        <code>@SocketSecurity ignore-all</code></p>
+      </blockquote>
+    </details>
+  </td>
+</tr>
+<!-- end-socket-alert-{alert.pkg_name}@{alert.pkg_version} -->
+    """
+
+        # Close table and comment
+        comment += """
+  </tbody>
+</table>
+<!-- end-socket-alerts-table -->
+
+[View full report](https://socket.dev/...&action=error%2Cwarn)
+    """
+
+        return comment
+
+    @staticmethod
+    def get_severity_icon(severity: str) -> str:
+        """
+        Maps severity levels to their corresponding badge/icon URLs.
+
+        :param severity: str - Severity level (e.g., "Critical", "High").
+        :return: str - Badge/icon URL.
+        """
+        severity_map = {
+            "critical": "https://github-app-statics.socket.dev/severity-3.svg",
+            "high": "https://github-app-statics.socket.dev/severity-2.svg",
+            "medium": "https://github-app-statics.socket.dev/severity-1.svg",
+            "low": "https://github-app-statics.socket.dev/severity-0.svg",
+        }
+        return severity_map.get(severity.lower(), "https://github-app-statics.socket.dev/severity-0.svg")
+
 
     @staticmethod
     def create_next_steps(md: MdUtils, next_steps: dict):
@@ -456,11 +525,9 @@ class Messages:
         md = MdUtils(file_name="markdown_overview_temp.md")
         md.new_line("<!-- socket-overview-comment-actions -->")
         md.new_header(level=1, title="Socket Security: Dependency Overview")
-        md.new_line("New and removed dependencies detected. Learn more about [socket.dev](https://socket.dev)")
+        md.new_line("Review the following changes in direct dependencies. Learn more about [socket.dev](https://socket.dev)")
         md.new_line()
         md = Messages.create_added_table(diff, md)
-        if len(diff.removed_packages) > 0:
-            md = Messages.create_remove_line(diff, md)
         md.create_md_file()
         if len(md.file_data_text.lstrip()) >= 65500:
             md = Messages.short_dependency_overview_comment(diff)
@@ -471,7 +538,7 @@ class Messages:
         md = MdUtils(file_name="markdown_overview_temp.md")
         md.new_line("<!-- socket-overview-comment-actions -->")
         md.new_header(level=1, title="Socket Security: Dependency Overview")
-        md.new_line("New and removed dependencies detected. Learn more about [socket.dev](https://socket.dev)")
+        md.new_line("Review the following changes in direct dependencies. Learn more about [socket.dev](https://socket.dev)")
         md.new_line()
         md.new_line("The amount of dependency changes were to long for this comment. Please check out the full report")
         md.new_line(f"To view more information about this report checkout the [Full Report]({diff.diff_url})")
@@ -498,40 +565,63 @@ class Messages:
     def create_added_table(diff: Diff, md: MdUtils) -> MdUtils:
         """
         Create the Added packages table for the Dependency Overview template
-        :param diff: Diff - Diff report with the Added packages information
+        :param diff: Diff - Diff report with the Added package information
         :param md: MdUtils - Main markdown variable
         :return:
         """
+        # Table column headers
         overview_table = [
+            "Diff",
             "Package",
-            "Direct",
-            "Capabilities",
-            "Transitives",
-            "Size",
-            "Author"
+            "Supply Chain<br/>Security",
+            "Vulnerability",
+            "Quality",
+            "Maintenance",
+            "License"
         ]
         num_of_overview_columns = len(overview_table)
+
         count = 0
         for added in diff.new_packages:
-            added: Purl
-            package_url = Messages.create_purl_link(added)
-            capabilities = ", ".join(added.capabilities)
+            added: Purl  # Ensure `added` has scores and relevant attributes.
+
+            package_url = f"[{added.purl}]({added.url})"
+            diff_badge = f"[![+](https://github-app-statics.socket.dev/diff-added.svg)]({added.url})"
+
+            # Scores dynamically converted to badge URLs and linked
+            def score_to_badge(score):
+                score_percent = int(score * 100)  # Convert to integer percentage
+                return f"[![{score_percent}](https://github-app-statics.socket.dev/score-{score_percent}.svg)]({added.url})"
+
+            # Generate badges for each score type
+            supply_chain_risk_badge = score_to_badge(added.scores.get("supplyChain", 100))
+            vulnerability_badge = score_to_badge(added.scores.get("vulnerability", 100))
+            quality_badge = score_to_badge(added.scores.get("quality", 100))
+            maintenance_badge = score_to_badge(added.scores.get("maintenance", 100))
+            license_badge = score_to_badge(added.scores.get("license", 100))
+
+            # Add the row for this package
             row = [
+                diff_badge,
                 package_url,
-                added.direct,
-                capabilities,
-                added.transitives,
-                f"{added.size} KB",
-                added.author_url
+                supply_chain_risk_badge,
+                vulnerability_badge,
+                quality_badge,
+                maintenance_badge,
+                license_badge
             ]
             overview_table.extend(row)
-            count += 1
-        num_of_overview_rows = count + 1
+            count += 1  # Count total packages
+
+        # Calculate total rows for table
+        num_of_overview_rows = count + 1  # Include header row
+
+        # Generate Markdown table
         md.new_table(
             columns=num_of_overview_columns,
             rows=num_of_overview_rows,
             text=overview_table,
-            text_align="left"
+            text_align="center"
         )
         return md
 

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/core/scm_comments.py

@@ -84,9 +84,22 @@ class Comments:
 
     @staticmethod
     def process_security_comment(comment: Comment, comments) -> str:
-        lines = []
-        start = False
         ignore_all, ignore_commands = Comments.get_ignore_options(comments)
+        if "start-socket-alerts-table" in "".join(comment.body_list):
+            new_body = Comments.process_original_security_comment(comment, ignore_all, ignore_commands)
+        else:
+            new_body = Comments.process_updated_security_comment(comment, ignore_all, ignore_commands)
+
+        return new_body
+
+    @staticmethod
+    def process_original_security_comment(
+            comment: Comment,
+            ignore_all: bool,
+            ignore_commands: list[tuple[str, str]]
+    ) -> str:
+        start = False
+        lines = []
         for line in comment.body_list:
             line = line.strip()
             if "start-socket-alerts-table" in line:
@@ -110,8 +123,97 @@ class Comments:
                 lines.append(line)
             else:
                 lines.append(line)
-        new_body = "\n".join(lines)
-        return new_body
+        return "\n".join(lines)
+
+    @staticmethod
+    def process_updated_security_comment(
+            comment: Comment,
+            ignore_all: bool,
+            ignore_commands: list[tuple[str, str]]
+    ) -> str:
+        """
+        Processes an updated security comment containing an HTML table with alert sections.
+        Removes entire sections marked by start and end hidden comments if the alert matches
+        ignore conditions.
+
+        :param comment: Comment - The raw comment object containing the existing information.
+        :param ignore_all: bool - Flag to ignore all alerts.
+        :param ignore_commands: list of tuples - Specific ignore commands representing (pkg_name, pkg_version).
+        :return: str - The updated comment as a single string.
+        """
+        lines = []
+        ignore_section = False
+        pkg_name = pkg_version = ""  # Track current package and version
+
+        # Loop through the comment lines
+        for line in comment.body_list:
+            line = line.strip()
+
+            # Detect the start of an alert section
+            if line.startswith("<!-- start-socket-alert-"):
+                # Extract package name and version from the comment
+                try:
+                    start_marker = line[len("<!-- start-socket-alert-"):-4]  # Strip the comment markers
+                    pkg_name, pkg_version = start_marker.split("@")  # Extract pkg_name and pkg_version
+                except ValueError:
+                    pkg_name, pkg_version = "", ""
+
+                # Determine if we should ignore this alert
+                ignore_section = ignore_all or any(
+                    Comments.is_ignore(pkg_name, pkg_version, name, version)
+                    for name, version in ignore_commands
+                )
+
+                # If not ignored, include this start marker
+                if not ignore_section:
+                    lines.append(line)
+
+            # Detect the end of an alert section
+            elif line.startswith("<!-- end-socket-alert-"):
+                # Only include if we are not ignoring this section
+                if not ignore_section:
+                    lines.append(line)
+                ignore_section = False  # Reset ignore flag
+
+            # Include lines inside an alert section only if not ignored
+            elif not ignore_section:
+                lines.append(line)
+
+        return "\n".join(lines)
+
+    @staticmethod
+    def extract_alert_details_from_row(row: str, ignore_all: bool, ignore_commands: list[tuple[str, str]]) -> tuple:
+        """
+        Parses an HTML table row (<tr>) to extract alert details and determine if it should be ignored.
+
+        :param row: str - The HTML table row as a string.
+        :param ignore_all: bool - Flag to ignore all alerts.
+        :param ignore_commands: list of tuples - List of (pkg_name, pkg_version) to ignore.
+        :return: tuple - (pkg_name, pkg_version, ignore)
+        """
+        # Extract package details (pkg_name and pkg_version) from the HTML table row
+        try:
+            # Find the relevant <summary> element to extract package information
+            start_index = row.index("<summary>")
+            end_index = row.index("</summary>")
+            summary_content = row[start_index + 9:end_index]  # Extract content between <summary> tags
+
+            # Example: "npm/malicious-package@1.0.0 - Known Malware Alert"
+            pkg_info, _ = summary_content.split(" - ", 1)
+            pkg_name, pkg_version = pkg_info.split("@")
+        except ValueError:
+            # If parsing fails, skip this row
+            return "", "", False
+
+        # Check ignore logic
+        ignore = False
+        for name, version in ignore_commands:
+            if ignore_all or Comments.is_ignore(pkg_name, pkg_version, name, version):
+                ignore = True
+                break
+
+        return pkg_name, pkg_version, ignore
+
 
     @staticmethod
     def check_for_socket_comments(comments: dict):

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/core/socket_config.py

@@ -26,6 +26,7 @@ class SocketConfig:
     full_scan_path: Optional[str] = None
     repository_path: Optional[str] = None
     security_policy: Dict = None
+    repo_visibility: Optional[str] = 'private'
     all_issues: Optional['AllIssues'] = None
     excluded_dirs: Set[str] = field(default_factory=lambda: default_exclude_dirs)
     version: str = __version__

{socketsecurity-2.0.52 → socketsecurity-2.0.55}/socketsecurity/socketcli.py

@@ -148,8 +148,14 @@ def main_code():
         log.debug("Found manifest files or forced scan, proceeding")
 
     org_slug = core.config.org_slug
+    if config.repo_is_public:
+        core.config.repo_visibility = "public"
     integration_type = config.integration_type
     integration_org_slug = config.integration_org_slug or org_slug
+    try:
+        pr_number = int(config.pr_number)
+    except (ValueError, TypeError):
+        pr_number = 0
 
     params = FullScanParams(
         org_slug=org_slug,
@@ -159,7 +165,7 @@ def main_code():
         branch=config.branch,
         commit_message=config.commit_message,
         commit_hash=config.commit_sha,
-        pull_request=config.pr_number,
+        pull_request=pr_number,
         committers=config.committers,
         make_default_branch=config.default_branch,
         set_as_pending_head=True