socketsecurity 2.0.55__tar.gz → 2.1.0__tar.gz

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.0.55
+Version: 2.1.0
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -39,7 +39,7 @@ Requires-Dist: packaging
 Requires-Dist: prettytable
 Requires-Dist: python-dotenv
 Requires-Dist: requests
-Requires-Dist: socket-sdk-python>=2.0.21
+Requires-Dist: socket-sdk-python<3,>=2.1.2
 Provides-Extra: dev
 Requires-Dist: hatch; extra == 'dev'
 Requires-Dist: pip-tools>=7.4.0; extra == 'dev'
@@ -79,13 +79,14 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --api-token | False    |         | Socket Security API token (can also be set via SOCKET_SECURITY_API_KEY env var) |
 
 #### Repository
-| Parameter     | Required | Default | Description                                                             |
-|:--------------|:---------|:--------|:------------------------------------------------------------------------|
-| --repo        | False    |         | Repository name in owner/repo format                                    |
-| --integration | False    | api     | Integration type (api, github, gitlab)                                  |
-| --owner       | False    |         | Name of the integration owner, defaults to the socket organization slug |
-| --branch      | False    | ""      | Branch name                                                             |
-| --committers  | False    |         | Committer(s) to filter by                                               |
+| Parameter        | Required | Default | Description                                                             |
+|:-----------------|:---------|:--------|:------------------------------------------------------------------------|
+| --repo           | False    |         | Repository name in owner/repo format                                    |
+| --integration    | False    | api     | Integration type (api, github, gitlab)                                  |
+| --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug |
+| --branch         | False    | ""      | Branch name                                                             |
+| --committers     | False    |         | Committer(s) to filter by                                               |
+| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
 
 #### Pull Request and Commit
 | Parameter        | Required | Default | Description         |
@@ -95,11 +96,12 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --commit-sha     | False    | ""      | Commit SHA          |
 
 #### Path and File
-| Parameter     | Required | Default | Description                          |
-|:--------------|:---------|:--------|:-------------------------------------|
-| --target-path | False    | ./      | Target path for analysis             |
-| --sbom-file   | False    |         | SBOM file path                       |
-| --files       | False    | []      | Files to analyze (JSON array string) |
+| Parameter          | Required | Default | Description                                                                                                                                                                    |
+|:-------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| --target-path      | False    | ./      | Target path for analysis                                                                                                                                                       |
+| --sbom-file        | False    |         | SBOM file path                                                                                                                                                                 |
+| --files            | False    | []      | Files to analyze (JSON array string)                                                                                                                                           |
+| --exclude-patterns | False    | []      | List of patterns to exclude from analysis (JSON array string). You can get supported files form the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 
 #### Branch and Scan Configuration
 | Parameter        | Required | Default | Description                                                 |

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/README.md

@@ -23,13 +23,14 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --api-token | False    |         | Socket Security API token (can also be set via SOCKET_SECURITY_API_KEY env var) |
 
 #### Repository
-| Parameter     | Required | Default | Description                                                             |
-|:--------------|:---------|:--------|:------------------------------------------------------------------------|
-| --repo        | False    |         | Repository name in owner/repo format                                    |
-| --integration | False    | api     | Integration type (api, github, gitlab)                                  |
-| --owner       | False    |         | Name of the integration owner, defaults to the socket organization slug |
-| --branch      | False    | ""      | Branch name                                                             |
-| --committers  | False    |         | Committer(s) to filter by                                               |
+| Parameter        | Required | Default | Description                                                             |
+|:-----------------|:---------|:--------|:------------------------------------------------------------------------|
+| --repo           | False    |         | Repository name in owner/repo format                                    |
+| --integration    | False    | api     | Integration type (api, github, gitlab)                                  |
+| --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug |
+| --branch         | False    | ""      | Branch name                                                             |
+| --committers     | False    |         | Committer(s) to filter by                                               |
+| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
 
 #### Pull Request and Commit
 | Parameter        | Required | Default | Description         |
@@ -39,11 +40,12 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --commit-sha     | False    | ""      | Commit SHA          |
 
 #### Path and File
-| Parameter     | Required | Default | Description                          |
-|:--------------|:---------|:--------|:-------------------------------------|
-| --target-path | False    | ./      | Target path for analysis             |
-| --sbom-file   | False    |         | SBOM file path                       |
-| --files       | False    | []      | Files to analyze (JSON array string) |
+| Parameter          | Required | Default | Description                                                                                                                                                                    |
+|:-------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| --target-path      | False    | ./      | Target path for analysis                                                                                                                                                       |
+| --sbom-file        | False    |         | SBOM file path                                                                                                                                                                 |
+| --files            | False    | []      | Files to analyze (JSON array string)                                                                                                                                           |
+| --exclude-patterns | False    | []      | List of patterns to exclude from analysis (JSON array string). You can get supported files form the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 
 #### Branch and Scan Configuration
 | Parameter        | Required | Default | Description                                                 |

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.0.55"
+version = "2.1.0"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,7 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    'socket-sdk-python>=2.0.21'
+    'socket-sdk-python>=2.1.2,<3'
 ]
 readme = "README.md"
 description = "Socket Security CLI for CI/CD"
@@ -63,10 +63,6 @@ include = [
     "socketsecurity/**/*.py",
     "socketsecurity/**/__init__.py"
 ]
-omit = [
-    "socketsecurity/core/issues.py",  # Large data file
-    "socketsecurity/core/licenses.py"  # Large data file
-]
 
 [tool.coverage.report]
 exclude_lines = [

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/socketsecurity/__init__.py

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.0.55'
+__version__ = '2.1.0'

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/socketsecurity/config.py

@@ -1,4 +1,5 @@
 import argparse
+import logging
 import os
 from dataclasses import asdict, dataclass, field
 from typing import List, Optional
@@ -51,6 +52,7 @@ class CliConfig:
     exclude_license_details: bool = False
     include_module_folders: bool = False
     repo_is_public: bool = False
+    excluded_ecosystems: list[str] = field(default_factory=lambda: [])
     version: str = __version__
     jira_plugin: PluginConfig = field(default_factory=PluginConfig)
     slack_plugin: PluginConfig = field(default_factory=PluginConfig)
@@ -96,8 +98,14 @@ class CliConfig:
             'exclude_license_details': args.exclude_license_details,
             'include_module_folders': args.include_module_folders,
             'repo_is_public': args.repo_is_public,
+            "excluded_ecosystems": args.excluded_ecosystems,
             'version': __version__
         }
+        try:
+            config_args["excluded_ecosystems"] = json.loads(config_args["excluded_ecosystems"].replace("'", '"'))
+        except json.JSONDecodeError:
+            logging.error(f"Unable to parse excluded_ecosystems: {config_args['excluded_ecosystems']}")
+            exit(1)
         config_args.update({
             "jira_plugin": PluginConfig(
                 enabled=os.getenv("SOCKET_JIRA_ENABLED", "false").lower() == "true",
@@ -252,6 +260,13 @@ def create_argument_parser() -> argparse.ArgumentParser:
         help="Files to analyze (JSON array string)"
     )
 
+    path_group.add_argument(
+        "--excluded-ecosystems",
+        default="[]",
+        dest="excluded_ecosystems",
+        help="List of ecosystems to exclude from analysis (JSON array string)"
+    )
+
     # Branch and Scan Configuration
     config_group = parser.add_argument_group('Branch and Scan Configuration')
     config_group.add_argument(

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/socketsecurity/core/__init__.py

@@ -2,10 +2,12 @@ import logging
 import os
 import sys
 import time
+import io
 from dataclasses import asdict
 from glob import glob
+from io import BytesIO
 from pathlib import PurePath
-from typing import BinaryIO, Dict, List, Tuple, Set
+from typing import BinaryIO, Dict, List, Tuple, Set, Union
 import re
 from socketdev import socketdev
 from socketdev.exceptions import APIFailure
@@ -24,7 +26,6 @@ from socketsecurity.core.classes import (
     Purl
 )
 from socketsecurity.core.exceptions import APIResourceNotFound
-from socketsecurity.core.licenses import Licenses
 from .socket_config import SocketConfig
 from .utils import socket_globs
 import importlib
@@ -184,6 +185,8 @@ class Core:
             patterns = fallback_patterns
 
         for ecosystem in patterns:
+            if ecosystem in self.config.excluded_ecosystems:
+                continue
             ecosystem_patterns = patterns[ecosystem]
             for file_name in ecosystem_patterns:
                 original_pattern = ecosystem_patterns[file_name]["pattern"]
@@ -276,6 +279,14 @@ class Core:
         """
         return ''.join(f'[{char.lower()}{char.upper()}]' if char.isalpha() else char for char in input_string)
 
+    @staticmethod
+    def empty_head_scan_file() -> list[tuple[str, tuple[str, Union[BinaryIO, BytesIO]]]]:
+        # Create an empty file for when no head full scan so that the diff endpoint can always be used
+        empty_file_obj = io.BytesIO(b"")
+        empty_filename = "initial_head_scan"
+        empty_full_scan_file = [(empty_filename, (empty_filename, empty_file_obj))]
+        return empty_full_scan_file
+
     @staticmethod
     def load_files_for_sending(files: List[str], workspace: str) -> List[Tuple[str, Tuple[str, BinaryIO]]]:
         """
@@ -309,7 +320,7 @@ class Core:
 
         return send_files
 
-    def create_full_scan(self, files: List[str], params: FullScanParams, has_head_scan: bool = False) -> FullScan:
+    def create_full_scan(self, files: list[tuple[str, tuple[str, BytesIO]]], params: FullScanParams) -> FullScan:
         """
         Creates a new full scan via the Socket API.
 
@@ -329,16 +340,60 @@ class Core:
             raise Exception(f"Error creating full scan: {res.message}, status: {res.status}")
 
         full_scan = FullScan(**asdict(res.data))
-        if not has_head_scan:
-            full_scan.sbom_artifacts = self.get_sbom_data(full_scan.id)
-            full_scan.packages = self.create_packages_dict(full_scan.sbom_artifacts)
-
         create_full_end = time.time()
         total_time = create_full_end - create_full_start
         log.debug(f"New Full Scan created in {total_time:.2f} seconds")
 
         return full_scan
 
+    def check_full_scans_status(self, head_full_scan_id: str, new_full_scan_id: str) -> bool:
+        is_ready = False
+        current_timeout = self.config.timeout
+        self.sdk.set_timeout(0.5)
+        try:
+            self.sdk.fullscans.stream(self.config.org_slug, head_full_scan_id)
+        except Exception:
+            log.debug(f"Queued up full scan for processing ({head_full_scan_id})")
+
+        try:
+            self.sdk.fullscans.stream(self.config.org_slug, new_full_scan_id)
+        except Exception:
+            log.debug(f"Queued up full scan for processing ({new_full_scan_id})")
+        self.sdk.set_timeout(current_timeout)
+        start_check = time.time()
+        head_is_ready = False
+        new_is_ready = False
+        while not is_ready:
+            head_full_scan_metadata = self.sdk.fullscans.metadata(self.config.org_slug, head_full_scan_id)
+            if head_full_scan_metadata:
+                head_state = head_full_scan_metadata.get("scan_state")
+            else:
+                head_state = None
+            new_full_scan_metadata = self.sdk.fullscans.metadata(self.config.org_slug, new_full_scan_id)
+            if new_full_scan_metadata:
+                new_state = new_full_scan_metadata.get("scan_state")
+            else:
+                new_state = None
+            if head_state and head_state == "resolve":
+                head_is_ready = True
+            if new_state and new_state == "resolve":
+                new_is_ready = True
+            if head_is_ready and new_is_ready:
+                is_ready = True
+            current_time = time.time()
+            if current_time - start_check >= self.config.timeout:
+                log.debug(
+                    f"Timeout reached while waiting for full scans to be ready "
+                    f"({head_full_scan_id}, {new_full_scan_id})"
+                )
+                break
+        total_time = time.time() - start_check
+        if is_ready:
+            log.info(f"Full scans are ready in {total_time:.2f} seconds")
+        else:
+            log.warning(f"Full scans are not ready yet ({head_full_scan_id}, {new_full_scan_id})")
+        return is_ready
+
     def get_full_scan(self, full_scan_id: str) -> FullScan:
         """
         Get a FullScan object for an existing full scan including sbom_artifacts and packages.
@@ -401,14 +456,9 @@ class Core:
             return ""
 
         license_raw = package.license
-        all_licenses = Licenses()
-        license_str = Licenses.make_python_safe(license_raw)
-
-        if license_str is not None and hasattr(all_licenses, license_str):
-            license_obj = getattr(all_licenses, license_str)
-            return license_obj.licenseText
-
-        return ""
+        data = self.sdk.licensemetadata.post([license_raw], {'includetext': 'true'})
+        license_str = data.data[0].license if data and len(data) == 1 else ""
+        return license_str
 
     def get_repo_info(self, repo_slug: str, default_branch: str = "socket-default-branch") -> RepositoryInfo:
         """
@@ -483,7 +533,7 @@ class Core:
         pkg.url += f"/{pkg.name}/overview/{pkg.version}"
         return pkg
 
-    def get_added_and_removed_packages(self, head_full_scan_id: str, new_full_scan: FullScan) -> Tuple[Dict[str, Package], Dict[str, Package]]:
+    def get_added_and_removed_packages(self, head_full_scan_id: str, new_full_scan_id: str) -> Tuple[Dict[str, Package], Dict[str, Package]]:
         """
         Get packages that were added and removed between scans.
 
@@ -494,14 +544,11 @@ class Core:
         Returns:
             Tuple of (added_packages, removed_packages) dictionaries
         """
-        if head_full_scan_id is None:
-            log.info(f"No head scan found. New scan ID: {new_full_scan.id}")
-            return new_full_scan.packages, {}
 
-        log.info(f"Comparing scans - Head scan ID: {head_full_scan_id}, New scan ID: {new_full_scan.id}")
+        log.info(f"Comparing scans - Head scan ID: {head_full_scan_id}, New scan ID: {new_full_scan_id}")
         diff_start = time.time()
         try:
-            diff_report = self.sdk.fullscans.stream_diff(self.config.org_slug, head_full_scan_id, new_full_scan.id, use_types=True).data
+            diff_report = self.sdk.fullscans.stream_diff(self.config.org_slug, head_full_scan_id, new_full_scan_id, use_types=True).data
         except APIFailure as e:
             log.error(f"API Error: {e}")
             sys.exit(1)
@@ -570,22 +617,27 @@ class Core:
         # Find manifest files
         files = self.find_files(path)
         files_for_sending = self.load_files_for_sending(files, path)
-        has_head_scan = False
         if not files:
             return Diff(id="no_diff_id")
 
         try:
             # Get head scan ID
             head_full_scan_id = self.get_head_scan_for_repo(params.repo)
-            if head_full_scan_id is not None:
-                has_head_scan = True
         except APIResourceNotFound:
             head_full_scan_id = None
 
+        if head_full_scan_id is None:
+            tmp_params = params
+            tmp_params.tmp = True
+            tmp_params.set_as_pending_head = False
+            tmp_params.make_default_branch = False
+            head_full_scan = self.create_full_scan(Core.empty_head_scan_file(), params)
+            head_full_scan_id = head_full_scan.id
+
         # Create new scan
         try:
             new_scan_start = time.time()
-            new_full_scan = self.create_full_scan(files_for_sending, params, has_head_scan)
+            new_full_scan = self.create_full_scan(files_for_sending, params)
             new_full_scan.sbom_artifacts = self.get_sbom_data(new_full_scan.id)
             new_scan_end = time.time()
             log.info(f"Total time to create new full scan: {new_scan_end - new_scan_start:.2f}")
@@ -598,7 +650,10 @@ class Core:
             log.error(f"Stack trace:\n{traceback.format_exc()}")
             raise
 
-        added_packages, removed_packages = self.get_added_and_removed_packages(head_full_scan_id, new_full_scan)
+        scans_ready = self.check_full_scans_status(head_full_scan_id, new_full_scan.id)
+        if scans_ready is False:
+            log.error(f"Full scans did not complete within {self.config.timeout} seconds")
+        added_packages, removed_packages = self.get_added_and_removed_packages(head_full_scan_id, new_full_scan.id)
 
         diff = self.create_diff_report(added_packages, removed_packages)
 

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/socketsecurity/core/socket_config.py

@@ -1,10 +1,10 @@
 from dataclasses import dataclass, field
 from typing import Dict, Optional
 from urllib.parse import urlparse
-from typing import Set
+from typing import Set, List
 import os
 
-from socketsecurity.core.issues import AllIssues
+from socketdev.core.issues import AllIssues
 from socketsecurity import __version__
 
 
@@ -29,6 +29,7 @@ class SocketConfig:
     repo_visibility: Optional[str] = 'private'
     all_issues: Optional['AllIssues'] = None
     excluded_dirs: Set[str] = field(default_factory=lambda: default_exclude_dirs)
+    excluded_ecosystems: List[str] = field(default_factory=lambda: [])
     version: str = __version__
 
     def __post_init__(self):
@@ -47,7 +48,6 @@ class SocketConfig:
 
         # Initialize AllIssues if None
         if self.all_issues is None:
-            from socketsecurity.core.issues import AllIssues
             self.all_issues = AllIssues()
 
     @staticmethod

{socketsecurity-2.0.55 → socketsecurity-2.1.0}/socketsecurity/socketcli.py

@@ -150,6 +150,8 @@ def main_code():
     org_slug = core.config.org_slug
     if config.repo_is_public:
         core.config.repo_visibility = "public"
+    if config.excluded_ecosystems and len(config.excluded_ecosystems) > 0:
+        core.config.excluded_ecosystems = config.excluded_ecosystems
     integration_type = config.integration_type
     integration_org_slug = config.integration_org_slug or org_slug
     try: