PyPI - socketsecurity - Versions diffs - 2.0.56__tar.gz → 2.1.2__tar.gz - Mend

socketsecurity 2.0.56tar.gz → 2.1.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

{socketsecurity-2.0.56 → socketsecurity-2.1.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.0.56
+Version: 2.1.2
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -39,7 +39,7 @@ Requires-Dist: packaging
 Requires-Dist: prettytable
 Requires-Dist: python-dotenv
 Requires-Dist: requests
-Requires-Dist: socket-sdk-python>=2.0.21
+Requires-Dist: socket-sdk-python<3,>=2.1.2
 Provides-Extra: dev
 Requires-Dist: hatch; extra == 'dev'
 Requires-Dist: pip-tools>=7.4.0; extra == 'dev'
@@ -96,12 +96,12 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --commit-sha     | False    | ""      | Commit SHA          |
 #### Path and File
-| Parameter          | Required | Default | Description                                                                                                                                                                    |
-|:-------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| --target-path      | False    | ./      | Target path for analysis                                                                                                                                                       |
-| --sbom-file        | False    |         | SBOM file path                                                                                                                                                                 |
-| --files            | False    | []      | Files to analyze (JSON array string)                                                                                                                                           |
-| --exclude-patterns | False    | []      | List of patterns to exclude from analysis (JSON array string). You can get supported files form the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
+| Parameter             | Required | Default | Description                                                                                                                                                                    |
+|:----------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| --target-path         | False    | ./      | Target path for analysis                                                                                                                                                       |
+| --sbom-file           | False    |         | SBOM file path                                                                                                                                                                 |
+| --files               | False    | []      | Files to analyze (JSON array string)                                                                                                                                           |
+| --excluded-ecosystems | False    | []      | List of ecosystems to exclude from analysis (JSON array string). You can get supported files from the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 #### Branch and Scan Configuration
 | Parameter        | Required | Default | Description                                                 |

{socketsecurity-2.0.56 → socketsecurity-2.1.2}/README.md RENAMED Viewed

@@ -40,12 +40,12 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --commit-sha     | False    | ""      | Commit SHA          |
 #### Path and File
-| Parameter          | Required | Default | Description                                                                                                                                                                    |
-|:-------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| --target-path      | False    | ./      | Target path for analysis                                                                                                                                                       |
-| --sbom-file        | False    |         | SBOM file path                                                                                                                                                                 |
-| --files            | False    | []      | Files to analyze (JSON array string)                                                                                                                                           |
-| --exclude-patterns | False    | []      | List of patterns to exclude from analysis (JSON array string). You can get supported files form the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
+| Parameter             | Required | Default | Description                                                                                                                                                                    |
+|:----------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| --target-path         | False    | ./      | Target path for analysis                                                                                                                                                       |
+| --sbom-file           | False    |         | SBOM file path                                                                                                                                                                 |
+| --files               | False    | []      | Files to analyze (JSON array string)                                                                                                                                           |
+| --excluded-ecosystems | False    | []      | List of ecosystems to exclude from analysis (JSON array string). You can get supported files from the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 #### Branch and Scan Configuration
 | Parameter        | Required | Default | Description                                                 |

{socketsecurity-2.0.56 → socketsecurity-2.1.2}/pyproject.toml RENAMED Viewed

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 [project]
 name = "socketsecurity"
-version = "2.0.56"
+version = "2.1.2"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,7 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    'socket-sdk-python>=2.0.21'
+    'socket-sdk-python>=2.1.2,<3'
 ]
 readme = "README.md"
 description = "Socket Security CLI for CI/CD"
@@ -63,10 +63,6 @@ include = [
     "socketsecurity/**/*.py",
     "socketsecurity/**/__init__.py"
 ]
-omit = [
-    "socketsecurity/core/issues.py",  # Large data file
-    "socketsecurity/core/licenses.py"  # Large data file
-]
 [tool.coverage.report]
 exclude_lines = [

{socketsecurity-2.0.56 → socketsecurity-2.1.2}/socketsecurity/__init__.py RENAMED Viewed

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.0.56'
+__version__ = '2.1.2'

{socketsecurity-2.0.56 → socketsecurity-2.1.2}/socketsecurity/core/__init__.py RENAMED Viewed

@@ -2,10 +2,12 @@ import logging
 import os
 import sys
 import time
+import io
 from dataclasses import asdict
 from glob import glob
+from io import BytesIO
 from pathlib import PurePath
-from typing import BinaryIO, Dict, List, Tuple, Set
+from typing import BinaryIO, Dict, List, Tuple, Set, Union
 import re
 from socketdev import socketdev
 from socketdev.exceptions import APIFailure
@@ -13,7 +15,7 @@ from socketdev.fullscans import FullScanParams, SocketArtifact
 from socketdev.org import Organization
 from socketdev.repos import RepositoryInfo
 from socketdev.settings import SecurityPolicyRule
+import copy
 from socketsecurity import __version__
 from socketsecurity.core.classes import (
     Alert,
@@ -24,7 +26,6 @@ from socketsecurity.core.classes import (
     Purl
 )
 from socketsecurity.core.exceptions import APIResourceNotFound
-from socketsecurity.core.licenses import Licenses
 from .socket_config import SocketConfig
 from .utils import socket_globs
 import importlib
@@ -186,6 +187,7 @@ class Core:
         for ecosystem in patterns:
             if ecosystem in self.config.excluded_ecosystems:
                 continue
+            log.info(f'Scanning ecosystem: {ecosystem}')
             ecosystem_patterns = patterns[ecosystem]
             for file_name in ecosystem_patterns:
                 original_pattern = ecosystem_patterns[file_name]["pattern"]
@@ -208,7 +210,7 @@ class Core:
                     glob_end = time.time()
                     log.debug(f"Globbing took {glob_end - glob_start:.4f} seconds")
-        log.debug(f"Total files found: {len(files)}")
+        log.info(f"Total files found: {len(files)}")
         return sorted(files)
     def get_supported_patterns(self) -> Dict:
@@ -278,6 +280,14 @@ class Core:
         """
         return ''.join(f'[{char.lower()}{char.upper()}]' if char.isalpha() else char for char in input_string)
+    @staticmethod
+    def empty_head_scan_file() -> list[tuple[str, tuple[str, Union[BinaryIO, BytesIO]]]]:
+        # Create an empty file for when no head full scan so that the diff endpoint can always be used
+        empty_file_obj = io.BytesIO(b"")
+        empty_filename = "initial_head_scan"
+        empty_full_scan_file = [(empty_filename, (empty_filename, empty_file_obj))]
+        return empty_full_scan_file
     @staticmethod
     def load_files_for_sending(files: List[str], workspace: str) -> List[Tuple[str, Tuple[str, BinaryIO]]]:
         """
@@ -311,7 +321,7 @@ class Core:
         return send_files
-    def create_full_scan(self, files: List[str], params: FullScanParams, has_head_scan: bool = False) -> FullScan:
+    def create_full_scan(self, files: list[tuple[str, tuple[str, BytesIO]]], params: FullScanParams) -> FullScan:
         """
         Creates a new full scan via the Socket API.
@@ -322,7 +332,7 @@ class Core:
         Returns:
             FullScan object with scan results
         """
-        log.debug("Creating new full scan")
+        log.info("Creating new full scan")
         create_full_start = time.time()
         res = self.sdk.fullscans.post(files, params, use_types=True)
@@ -331,16 +341,60 @@ class Core:
             raise Exception(f"Error creating full scan: {res.message}, status: {res.status}")
         full_scan = FullScan(**asdict(res.data))
-        if not has_head_scan:
-            full_scan.sbom_artifacts = self.get_sbom_data(full_scan.id)
-            full_scan.packages = self.create_packages_dict(full_scan.sbom_artifacts)
         create_full_end = time.time()
         total_time = create_full_end - create_full_start
         log.debug(f"New Full Scan created in {total_time:.2f} seconds")
         return full_scan
+    def check_full_scans_status(self, head_full_scan_id: str, new_full_scan_id: str) -> bool:
+        is_ready = False
+        current_timeout = self.config.timeout
+        self.sdk.set_timeout(0.5)
+        try:
+            self.sdk.fullscans.stream(self.config.org_slug, head_full_scan_id)
+        except Exception:
+            log.debug(f"Queued up full scan for processing ({head_full_scan_id})")
+        try:
+            self.sdk.fullscans.stream(self.config.org_slug, new_full_scan_id)
+        except Exception:
+            log.debug(f"Queued up full scan for processing ({new_full_scan_id})")
+        self.sdk.set_timeout(current_timeout)
+        start_check = time.time()
+        head_is_ready = False
+        new_is_ready = False
+        while not is_ready:
+            head_full_scan_metadata = self.sdk.fullscans.metadata(self.config.org_slug, head_full_scan_id)
+            if head_full_scan_metadata:
+                head_state = head_full_scan_metadata.get("scan_state")
+            else:
+                head_state = None
+            new_full_scan_metadata = self.sdk.fullscans.metadata(self.config.org_slug, new_full_scan_id)
+            if new_full_scan_metadata:
+                new_state = new_full_scan_metadata.get("scan_state")
+            else:
+                new_state = None
+            if head_state and head_state == "resolve":
+                head_is_ready = True
+            if new_state and new_state == "resolve":
+                new_is_ready = True
+            if head_is_ready and new_is_ready:
+                is_ready = True
+            current_time = time.time()
+            if current_time - start_check >= self.config.timeout:
+                log.debug(
+                    f"Timeout reached while waiting for full scans to be ready "
+                    f"({head_full_scan_id}, {new_full_scan_id})"
+                )
+                break
+        total_time = time.time() - start_check
+        if is_ready:
+            log.info(f"Full scans are ready in {total_time:.2f} seconds")
+        else:
+            log.warning(f"Full scans are not ready yet ({head_full_scan_id}, {new_full_scan_id})")
+        return is_ready
     def get_full_scan(self, full_scan_id: str) -> FullScan:
         """
         Get a FullScan object for an existing full scan including sbom_artifacts and packages.
@@ -403,14 +457,9 @@ class Core:
             return ""
         license_raw = package.license
-        all_licenses = Licenses()
-        license_str = Licenses.make_python_safe(license_raw)
-        if license_str is not None and hasattr(all_licenses, license_str):
-            license_obj = getattr(all_licenses, license_str)
-            return license_obj.licenseText
-        return ""
+        data = self.sdk.licensemetadata.post([license_raw], {'includetext': 'true'})
+        license_str = data.data[0].license if data and len(data) == 1 else ""
+        return license_str
     def get_repo_info(self, repo_slug: str, default_branch: str = "socket-default-branch") -> RepositoryInfo:
         """
@@ -485,7 +534,7 @@ class Core:
         pkg.url += f"/{pkg.name}/overview/{pkg.version}"
         return pkg
-    def get_added_and_removed_packages(self, head_full_scan_id: str, new_full_scan: FullScan) -> Tuple[Dict[str, Package], Dict[str, Package]]:
+    def get_added_and_removed_packages(self, head_full_scan_id: str, new_full_scan_id: str) -> Tuple[Dict[str, Package], Dict[str, Package]]:
         """
         Get packages that were added and removed between scans.
@@ -496,14 +545,11 @@ class Core:
         Returns:
             Tuple of (added_packages, removed_packages) dictionaries
         """
-        if head_full_scan_id is None:
-            log.info(f"No head scan found. New scan ID: {new_full_scan.id}")
-            return new_full_scan.packages, {}
-        log.info(f"Comparing scans - Head scan ID: {head_full_scan_id}, New scan ID: {new_full_scan.id}")
+        log.info(f"Comparing scans - Head scan ID: {head_full_scan_id}, New scan ID: {new_full_scan_id}")
         diff_start = time.time()
         try:
-            diff_report = self.sdk.fullscans.stream_diff(self.config.org_slug, head_full_scan_id, new_full_scan.id, use_types=True).data
+            diff_report = self.sdk.fullscans.stream_diff(self.config.org_slug, head_full_scan_id, new_full_scan_id, use_types=True).data
         except APIFailure as e:
             log.error(f"API Error: {e}")
             sys.exit(1)
@@ -572,22 +618,30 @@ class Core:
         # Find manifest files
         files = self.find_files(path)
         files_for_sending = self.load_files_for_sending(files, path)
-        has_head_scan = False
         if not files:
             return Diff(id="no_diff_id")
         try:
             # Get head scan ID
             head_full_scan_id = self.get_head_scan_for_repo(params.repo)
-            if head_full_scan_id is not None:
-                has_head_scan = True
         except APIResourceNotFound:
             head_full_scan_id = None
+        if head_full_scan_id is None:
+            new_params = copy.deepcopy(params.__dict__)
+            new_params.pop('include_license_details')
+            tmp_params = FullScanParams(**new_params)
+            tmp_params.include_license_details = params.include_license_details
+            tmp_params.tmp = True
+            tmp_params.set_as_pending_head = False
+            tmp_params.make_default_branch = False
+            head_full_scan = self.create_full_scan(Core.empty_head_scan_file(), tmp_params)
+            head_full_scan_id = head_full_scan.id
         # Create new scan
         try:
             new_scan_start = time.time()
-            new_full_scan = self.create_full_scan(files_for_sending, params, has_head_scan)
+            new_full_scan = self.create_full_scan(files_for_sending, params)
             new_full_scan.sbom_artifacts = self.get_sbom_data(new_full_scan.id)
             new_scan_end = time.time()
             log.info(f"Total time to create new full scan: {new_scan_end - new_scan_start:.2f}")
@@ -600,7 +654,10 @@ class Core:
             log.error(f"Stack trace:\n{traceback.format_exc()}")
             raise
-        added_packages, removed_packages = self.get_added_and_removed_packages(head_full_scan_id, new_full_scan)
+        scans_ready = self.check_full_scans_status(head_full_scan_id, new_full_scan.id)
+        if scans_ready is False:
+            log.error(f"Full scans did not complete within {self.config.timeout} seconds")
+        added_packages, removed_packages = self.get_added_and_removed_packages(head_full_scan_id, new_full_scan.id)
         diff = self.create_diff_report(added_packages, removed_packages)
@@ -742,6 +799,8 @@ class Core:
         introduced_by = []
         if package.direct:
             manifests = ""
+            if not hasattr(package, "manifestFiles"):
+                return introduced_by
             for manifest_data in package.manifestFiles:
                 manifest_file = manifest_data.get("file")
                 manifests += f"{manifest_file};"

{socketsecurity-2.0.56 → socketsecurity-2.1.2}/socketsecurity/core/socket_config.py RENAMED Viewed

@@ -4,7 +4,7 @@ from urllib.parse import urlparse
 from typing import Set, List
 import os
-from socketsecurity.core.issues import AllIssues
+from socketdev.core.issues import AllIssues
 from socketsecurity import __version__
@@ -48,7 +48,6 @@ class SocketConfig:
         # Initialize AllIssues if None
         if self.all_issues is None:
-            from socketsecurity.core.issues import AllIssues
             self.all_issues = AllIssues()
     @staticmethod

socketsecurity 2.0.56__tar.gz → 2.1.2__tar.gz

socketsecurity 2.0.56tar.gz → 2.1.2tar.gz