PyPI - socketsecurity - Versions diffs - 2.2.32__tar.gz → 2.2.35__tar.gz - Mend

socketsecurity 2.2.32tar.gz → 2.2.35tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/Dockerfile RENAMED Viewed

@@ -99,4 +99,8 @@ RUN if [ "$USE_LOCAL_INSTALL" = "true" ]; then \
 # Create workspace directory with proper permissions
 RUN mkdir -p /go/src && chmod -R 777 /go
-ENTRYPOINT ["socketcli"]
+# Copy and setup entrypoint script
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.32
+Version: 2.2.35
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -300,7 +300,9 @@ The CLI now automatically detects repository information from your git environme
 - **Committer information**: Git commit author details
 - **Default branch status**: Determined from git repository and CI environment
 - **Changed files**: Files modified in the current commit (for differential scanning)
+> **Note on merge commits**:
+> Standard merges (two parents) are supported.
+> For *octopus merges* (three or more parents), Git only reports changes relative to the first parent. This can lead to incomplete or empty file lists if changes only exist relative to other parents. In these cases, differential scanning may be skipped. To ensure coverage, use `--ignore-commit-files` to force a full scan or specify files explicitly with `--files`.
 ### Default Branch Detection
 The CLI uses intelligent default branch detection with the following priority:
@@ -485,6 +487,11 @@ The manifest archive feature is useful for:
 > **Note**: The tar.gz archive preserves the original directory structure, making it easy to extract and examine the files in their proper context.
+### Differential scan skipped on octopus merge
+When your repo uses an **octopus merge** (3+ parents), the CLI may not detect all changed files.
+This is expected Git behavior: the default diff only compares the merge result to the first parent.
 ## Development
 This project uses `pyproject.toml` as the primary dependency specification.

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/README.md RENAMED Viewed

@@ -243,7 +243,9 @@ The CLI now automatically detects repository information from your git environme
 - **Committer information**: Git commit author details
 - **Default branch status**: Determined from git repository and CI environment
 - **Changed files**: Files modified in the current commit (for differential scanning)
+> **Note on merge commits**:
+> Standard merges (two parents) are supported.
+> For *octopus merges* (three or more parents), Git only reports changes relative to the first parent. This can lead to incomplete or empty file lists if changes only exist relative to other parents. In these cases, differential scanning may be skipped. To ensure coverage, use `--ignore-commit-files` to force a full scan or specify files explicitly with `--files`.
 ### Default Branch Detection
 The CLI uses intelligent default branch detection with the following priority:
@@ -428,6 +430,11 @@ The manifest archive feature is useful for:
 > **Note**: The tar.gz archive preserves the original directory structure, making it easy to extract and examine the files in their proper context.
+### Differential scan skipped on octopus merge
+When your repo uses an **octopus merge** (3+ parents), the CLI may not detect all changed files.
+This is expected Git behavior: the default diff only compares the merge result to the first parent.
 ## Development
 This project uses `pyproject.toml` as the primary dependency specification.

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/pyproject.toml RENAMED Viewed

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 [project]
 name = "socketsecurity"
-version = "2.2.32"
+version = "2.2.35"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity-2.2.35/scripts/docker-entrypoint.sh ADDED Viewed

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Docker entrypoint script to support both patterns:
+# docker run socketdev/cli socketcli --params
+# docker run socketdev/cli --cli-params
+# Check if we have any arguments
+if [ $# -eq 0 ]; then
+    # No arguments provided, run socketcli with no args (will show help)
+    exec socketcli --help
+elif [ "$1" = "socketcli" ]; then
+    # If first argument is "socketcli", shift it out and pass the rest to socketcli
+    shift
+    exec socketcli "$@"
+else
+    # If first argument is not "socketcli", assume all arguments are for socketcli
+    exec socketcli "$@"
+fi

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/socketsecurity/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.32'
+__version__ = '2.2.35'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/socketsecurity/config.py RENAMED Viewed

@@ -68,6 +68,7 @@ class CliConfig:
     reach_analysis_memory_limit: Optional[int] = None
     reach_analysis_timeout: Optional[int] = None
     reach_disable_analytics: bool = False
+    reach_disable_analysis_splitting: bool = False
     reach_ecosystems: Optional[List[str]] = None
     reach_exclude_paths: Optional[List[str]] = None
     reach_skip_cache: bool = False
@@ -129,6 +130,7 @@ class CliConfig:
             'reach_analysis_timeout': args.reach_analysis_timeout,
             'reach_analysis_memory_limit': args.reach_analysis_memory_limit,
             'reach_disable_analytics': args.reach_disable_analytics,
+            'reach_disable_analysis_splitting': args.reach_disable_analysis_splitting,
             'reach_ecosystems': args.reach_ecosystems.split(',') if args.reach_ecosystems else None,
             'reach_exclude_paths': args.reach_exclude_paths.split(',') if args.reach_exclude_paths else None,
             'reach_skip_cache': args.reach_skip_cache,
@@ -567,6 +569,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Disable analytics sharing for reachability analysis"
     )
+    reachability_group.add_argument(
+        "--reach-disable-analysis-splitting",
+        dest="reach_disable_analysis_splitting",
+        action="store_true",
+        help="Disable analysis splitting/bucketing for reachability analysis"
+    )
     reachability_group.add_argument(
         "--reach-output-file",
         dest="reach_output_file",

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/socketsecurity/core/__init__.py RENAMED Viewed

@@ -442,12 +442,13 @@ class Core:
         Returns:
             List containing path to a temporary empty file
         """
-        # Create a temporary empty file
-        temp_fd, temp_path = tempfile.mkstemp(suffix='.empty', prefix='socket_baseline_')
+        # Create a temporary directory and then create our specific filename
+        temp_dir = tempfile.gettempdir()
+        temp_path = os.path.join(temp_dir, '.socket.facts.json')
-        # Close the file descriptor since we just need the path
-        # The file is already created and empty
-        os.close(temp_fd)
+        # Create the empty file
+        with open(temp_path, 'w') as f:
+            pass  # Creates an empty file
         log.debug(f"Created temporary empty file for baseline scan: {temp_path}")
         return [temp_path]
@@ -524,18 +525,42 @@ class Core:
         if save_manifest_tar_path and all_files and paths:
             self.save_manifest_tar(all_files, save_manifest_tar_path, paths[0])
+        # If no supported files found, create empty scan
         if not all_files:
-            return diff
-        try:
-            # Create new scan
-            new_scan_start = time.time()
-            new_full_scan = self.create_full_scan(all_files, params, base_paths=base_paths)
-            new_scan_end = time.time()
-            log.info(f"Total time to create new full scan: {new_scan_end - new_scan_start:.2f}")
-        except APIFailure as e:
-            log.error(f"Failed to create full scan: {e}")
-            raise
+            log.info("No supported manifest files found - creating empty scan")
+            empty_files = Core.empty_head_scan_file()
+            try:
+                # Create new scan
+                new_scan_start = time.time()
+                new_full_scan = self.create_full_scan(empty_files, params, base_paths=base_paths)
+                new_scan_end = time.time()
+                log.info(f"Total time to create empty full scan: {new_scan_end - new_scan_start:.2f}")
+                # Clean up the temporary empty file
+                for temp_file in empty_files:
+                    try:
+                        os.unlink(temp_file)
+                        log.debug(f"Cleaned up temporary file: {temp_file}")
+                    except OSError as e:
+                        log.warning(f"Failed to clean up temporary file {temp_file}: {e}")
+            except Exception as e:
+                # Clean up temp files even if scan creation fails
+                for temp_file in empty_files:
+                    try:
+                        os.unlink(temp_file)
+                    except OSError:
+                        pass
+                raise e
+        else:
+            try:
+                # Create new scan
+                new_scan_start = time.time()
+                new_full_scan = self.create_full_scan(all_files, params, base_paths=base_paths)
+                new_scan_end = time.time()
+                log.info(f"Total time to create new full scan: {new_scan_end - new_scan_start:.2f}")
+            except APIFailure as e:
+                log.error(f"Failed to create full scan: {e}")
+                raise
         # Construct report URL
         base_socket = "https://socket.dev/dashboard/org"
@@ -888,8 +913,11 @@ class Core:
         if save_manifest_tar_path and all_files and paths:
             self.save_manifest_tar(all_files, save_manifest_tar_path, paths[0])
+        # If no supported files found, create empty scan for comparison
+        scan_files = all_files
         if not all_files:
-            return Diff(id="NO_DIFF_RAN", diff_url="", report_url="")
+            log.info("No supported manifest files found - creating empty scan for diff comparison")
+            scan_files = Core.empty_head_scan_file()
         try:
             # Get head scan ID
@@ -932,19 +960,43 @@ class Core:
                 raise e
         # Create new scan
+        temp_files_to_cleanup = []
+        if not all_files:  # We're using empty scan files
+            temp_files_to_cleanup = scan_files
         try:
             new_scan_start = time.time()
-            new_full_scan = self.create_full_scan(all_files, params, base_paths=base_paths)
+            new_full_scan = self.create_full_scan(scan_files, params, base_paths=base_paths)
             new_scan_end = time.time()
             log.info(f"Total time to create new full scan: {new_scan_end - new_scan_start:.2f}")
         except APIFailure as e:
             log.error(f"API Error: {e}")
+            # Clean up temp files if any
+            for temp_file in temp_files_to_cleanup:
+                try:
+                    os.unlink(temp_file)
+                except OSError:
+                    pass
             sys.exit(1)
         except Exception as e:
             import traceback
             log.error(f"Error creating new full scan: {str(e)}")
             log.error(f"Stack trace:\n{traceback.format_exc()}")
+            # Clean up temp files if any
+            for temp_file in temp_files_to_cleanup:
+                try:
+                    os.unlink(temp_file)
+                except OSError:
+                    pass
             raise
+        finally:
+            # Clean up temporary empty files if they were created
+            for temp_file in temp_files_to_cleanup:
+                try:
+                    os.unlink(temp_file)
+                    log.debug(f"Cleaned up temporary file: {temp_file}")
+                except OSError as e:
+                    log.warning(f"Failed to clean up temporary file {temp_file}: {e}")
         # Handle diff generation - now we always have both scans
         scans_ready = self.check_full_scans_status(head_full_scan_id, new_full_scan.id)

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/socketsecurity/core/tools/reachability.py RENAMED Viewed

@@ -93,12 +93,14 @@ class ReachabilityAnalyzer:
         min_severity: Optional[str] = None,
         skip_cache: bool = False,
         disable_analytics: bool = False,
+        disable_analysis_splitting: bool = False,
         repo_name: Optional[str] = None,
         branch_name: Optional[str] = None,
         version: Optional[str] = None,
         concurrency: Optional[int] = None,
         additional_params: Optional[List[str]] = None,
         allow_unverified: bool = False,
+        enable_debug: bool = False,
     ) -> Dict[str, Any]:
         """
         Run reachability analysis.
@@ -115,12 +117,14 @@ class ReachabilityAnalyzer:
             min_severity: Minimum severity level (info, low, moderate, high, critical)
             skip_cache: Skip cache usage
             disable_analytics: Disable analytics sharing
+            disable_analysis_splitting: Disable analysis splitting
             repo_name: Repository name
             branch_name: Branch name
             version: Specific version of @coana-tech/cli to use
             concurrency: Concurrency level for analysis (must be >= 1)
             additional_params: Additional parameters to pass to coana CLI
             allow_unverified: Disable SSL certificate verification (sets NODE_TLS_REJECT_UNAUTHORIZED=0)
+            enable_debug: Enable debug mode (passes -d flag to coana CLI)
         Returns:
             Dict containing scan_id and report_path
@@ -149,6 +153,9 @@ class ReachabilityAnalyzer:
         if disable_analytics:
             cmd.append("--disable-analytics-sharing")
+        if disable_analysis_splitting:
+            cmd.append("--disable-analysis-splitting")
         # KEY POINT: Only add manifest tar hash if we have one
         if tar_hash:
             cmd.extend(["--run-without-docker", "--manifests-tar-hash", tar_hash])
@@ -168,6 +175,9 @@ class ReachabilityAnalyzer:
         if concurrency:
             cmd.extend(["--concurrency", str(concurrency)])
+        if enable_debug:
+            cmd.append("-d")
         # Add any additional parameters provided by the user
         if additional_params:
             cmd.extend(additional_params)

{socketsecurity-2.2.32 → socketsecurity-2.2.35}/socketsecurity/socketcli.py RENAMED Viewed

@@ -282,12 +282,14 @@ def main_code():
                     min_severity=config.reach_min_severity,
                     skip_cache=config.reach_skip_cache or False,
                     disable_analytics=config.reach_disable_analytics or False,
+                    disable_analysis_splitting=config.reach_disable_analysis_splitting or False,
                     repo_name=config.repo,
                     branch_name=config.branch,
                     version=config.reach_version,
                     concurrency=config.reach_concurrency,
                     additional_params=config.reach_additional_params,
-                    allow_unverified=config.allow_unverified
+                    allow_unverified=config.allow_unverified,
+                    enable_debug=config.enable_debug
                 )
                 log.info(f"Reachability analysis completed successfully")