socketsecurity 2.2.43__tar.gz → 2.2.55__tar.gz

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/Dockerfile

@@ -57,7 +57,7 @@ RUN if [ "$DOTNET_VERSION" = "6" ]; then \
     fi
 
 # Install additional tools
-RUN npm install @coana-tech/cli -g && \
+RUN npm install @coana-tech/cli socket -g && \
     gem install bundler && \
     curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && \
     . ~/.cargo/env && \

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.43
+Version: 2.2.55
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -40,7 +40,7 @@ Requires-Dist: packaging
 Requires-Dist: prettytable
 Requires-Dist: python-dotenv
 Requires-Dist: requests
-Requires-Dist: socketdev<4.0.0,>=3.0.21
+Requires-Dist: socketdev<4.0.0,>=3.0.22
 Provides-Extra: dev
 Requires-Dist: hatch; extra == 'dev'
 Requires-Dist: pre-commit; extra == 'dev'

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.43"
+version = "2.2.55"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,7 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    'socketdev>=3.0.21,<4.0.0',
+    'socketdev>=3.0.22,<4.0.0',
     "bs4>=0.0.2",
 ]
 readme = "README.md"
@@ -165,3 +165,4 @@ include = ["socketsecurity", "LICENSE"]
 dev = [
     "pre-commit>=4.3.0",
 ]
+

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.43'
+__version__ = '2.2.55'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/socketsecurity/config.py

@@ -77,6 +77,8 @@ class CliConfig:
     reach_concurrency: Optional[int] = None
     reach_additional_params: Optional[List[str]] = None
     only_facts_file: bool = False
+    reach_use_only_pregenerated_sboms: bool = False
+    max_purl_batch_size: int = 5000
     
     @classmethod
     def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
@@ -105,6 +107,7 @@ class CliConfig:
             'commit_sha': args.commit_sha,
             'generate_license': args.generate_license,
             'enable_debug': args.enable_debug,
+            'enable_diff': args.enable_diff,
             'allow_unverified': args.allow_unverified,
             'enable_json': args.enable_json,
             'enable_sarif': args.enable_sarif,
@@ -139,6 +142,8 @@ class CliConfig:
             'reach_concurrency': args.reach_concurrency,
             'reach_additional_params': args.reach_additional_params,
             'only_facts_file': args.only_facts_file,
+            'reach_use_only_pregenerated_sboms': args.reach_use_only_pregenerated_sboms,
+            'max_purl_batch_size': args.max_purl_batch_size,
             'version': __version__
         }
         try:
@@ -175,11 +180,21 @@ class CliConfig:
             logging.error("--only-facts-file requires --reach to be specified")
             exit(1)
 
+        # Validate that reach_use_only_pregenerated_sboms requires reach
+        if args.reach_use_only_pregenerated_sboms and not args.reach:
+            logging.error("--reach-use-only-pregenerated-sboms requires --reach to be specified")
+            exit(1)
+
         # Validate reach_concurrency is >= 1 if provided
         if args.reach_concurrency is not None and args.reach_concurrency < 1:
             logging.error("--reach-concurrency must be >= 1")
             exit(1)
 
+        # Validate max_purl_batch_size is within allowed range
+        if args.max_purl_batch_size < 1 or args.max_purl_batch_size > 9999:
+            logging.error("--max-purl-batch-size must be between 1 and 9999")
+            exit(1)
+
         return cls(**config_args)
 
     def to_dict(self) -> dict:
@@ -439,6 +454,13 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Exclude license details from the diff report (boosts performance for large repos)"
     )
+    output_group.add_argument(
+        "--max-purl-batch-size",
+        dest="max_purl_batch_size",
+        type=int,
+        default=5000,
+        help="Maximum batch size for PURL endpoint calls when generating license info (default: 5000, min: 1, max: 9999)"
+    )
 
     output_group.add_argument(
         "--disable-security-issue",
@@ -602,6 +624,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Submit only the .socket.facts.json file when creating full scan (requires --reach)"
     )
+    reachability_group.add_argument(
+        "--reach-use-only-pregenerated-sboms",
+        dest="reach_use_only_pregenerated_sboms",
+        action="store_true",
+        help="When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project. (requires --reach)"
+    )
 
     parser.add_argument(
         '--version',

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/socketsecurity/core/__init__.py

@@ -281,12 +281,13 @@ class Core:
         except Exception as e:
             log.error(f"Failed to save manifest tar.gz to {output_path}: {e}")
 
-    def find_files(self, path: str) -> List[str]:
+    def find_files(self, path: str, ecosystems: Optional[List[str]] = None) -> List[str]:
         """
         Finds supported manifest files in the given path.
 
         Args:
             path: Path to search for manifest files.
+            ecosystems: Optional list of ecosystems to include. If None, all ecosystems are included.
 
         Returns:
             List of found manifest file paths.
@@ -299,6 +300,9 @@ class Core:
         patterns = self.get_supported_patterns()
 
         for ecosystem in patterns:
+            # If ecosystems filter is provided, only include specified ecosystems
+            if ecosystems is not None and ecosystem not in ecosystems:
+                continue
             if ecosystem in self.config.excluded_ecosystems:
                 continue
             log.debug(f'Scanning ecosystem: {ecosystem}')
@@ -343,6 +347,23 @@ class Core:
 
         return file_list
 
+    def find_sbom_files(self, path: str) -> List[str]:
+        """
+        Finds only pre-generated SBOM files (CDX and SPDX) in the given path.
+
+        This is used with --reach-use-only-pregenerated-sboms to find only
+        pre-computed CycloneDX and SPDX manifest files.
+
+        Args:
+            path: Path to search for SBOM files.
+
+        Returns:
+            List of found CDX and SPDX file paths.
+        """
+        log.debug("Starting Find SBOM Files (CDX and SPDX only)")
+        sbom_ecosystems = ['cdx', 'spdx']
+        return self.find_files(path, ecosystems=sbom_ecosystems)
+
     def get_supported_patterns(self) -> Dict:
         """
         Gets supported file patterns from the Socket API.
@@ -547,7 +568,8 @@ class Core:
             no_change: bool = False,
             save_files_list_path: Optional[str] = None,
             save_manifest_tar_path: Optional[str] = None,
-            base_paths: Optional[List[str]] = None
+            base_paths: Optional[List[str]] = None,
+            explicit_files: Optional[List[str]] = None
     ) -> Diff:
         """Create a new full scan and return with html_report_url.
 
@@ -558,6 +580,7 @@ class Core:
             save_files_list_path: Optional path to save submitted files list for debugging
             save_manifest_tar_path: Optional path to save manifest files tar.gz archive
             base_paths: List of base paths for the scan (optional)
+            explicit_files: Optional list of explicit files to use instead of discovering files
 
         Returns:
             Dict with full scan data including html_report_url
@@ -571,11 +594,15 @@ class Core:
         if no_change:
             return diff
 
-        # Find manifest files from all paths
-        all_files = []
-        for path in paths:
-            files = self.find_files(path)
-            all_files.extend(files)
+        # Use explicit files if provided, otherwise find manifest files from all paths
+        if explicit_files is not None:
+            all_files = explicit_files
+            log.debug(f"Using {len(all_files)} explicit files instead of discovering files")
+        else:
+            all_files = []
+            for path in paths:
+                files = self.find_files(path)
+                all_files.extend(files)
         
         # Save submitted files list if requested
         if save_files_list_path and all_files:
@@ -632,54 +659,6 @@ class Core:
         # Return result in the format expected by the user
         return diff
 
-    def check_full_scans_status(self, head_full_scan_id: str, new_full_scan_id: str) -> bool:
-        is_ready = False
-        current_timeout = self.config.timeout
-        self.sdk.set_timeout(0.5)
-        try:
-            self.sdk.fullscans.stream(self.config.org_slug, head_full_scan_id)
-        except Exception:
-            log.debug(f"Queued up full scan for processing ({head_full_scan_id})")
-
-        try:
-            self.sdk.fullscans.stream(self.config.org_slug, new_full_scan_id)
-        except Exception:
-            log.debug(f"Queued up full scan for processing ({new_full_scan_id})")
-        self.sdk.set_timeout(current_timeout)
-        start_check = time.time()
-        head_is_ready = False
-        new_is_ready = False
-        while not is_ready:
-            head_full_scan_metadata = self.sdk.fullscans.metadata(self.config.org_slug, head_full_scan_id)
-            if head_full_scan_metadata:
-                head_state = head_full_scan_metadata.get("scan_state")
-            else:
-                head_state = None
-            new_full_scan_metadata = self.sdk.fullscans.metadata(self.config.org_slug, new_full_scan_id)
-            if new_full_scan_metadata:
-                new_state = new_full_scan_metadata.get("scan_state")
-            else:
-                new_state = None
-            if head_state and head_state == "resolve":
-                head_is_ready = True
-            if new_state and new_state == "resolve":
-                new_is_ready = True
-            if head_is_ready and new_is_ready:
-                is_ready = True
-            current_time = time.time()
-            if current_time - start_check >= self.config.timeout:
-                log.debug(
-                    f"Timeout reached while waiting for full scans to be ready "
-                    f"({head_full_scan_id}, {new_full_scan_id})"
-                )
-                break
-        total_time = time.time() - start_check
-        if is_ready:
-            log.info(f"Full scans are ready in {total_time:.2f} seconds")
-        else:
-            log.warning(f"Full scans are not ready yet ({head_full_scan_id}, {new_full_scan_id})")
-        return is_ready
-
     def get_full_scan(self, full_scan_id: str) -> FullScan:
         """
         Get a FullScan object for an existing full scan including sbom_artifacts and packages.
@@ -819,28 +798,54 @@ class Core:
         pkg.url += f"/{pkg.name}/overview/{pkg.version}"
         return pkg
 
-    def get_license_text_via_purl(self, packages: dict[str, Package]) -> dict:
-        components = []
+    def get_license_text_via_purl(self, packages: dict[str, Package], batch_size: int = 5000) -> dict:
+        """Get license attribution and details via PURL endpoint in batches.
+        
+        Args:
+            packages: Dictionary of packages to get license info for
+            batch_size: Maximum number of packages to process per API call (1-9999)
+            
+        Returns:
+            Updated packages dictionary with licenseAttrib and licenseDetails populated
+        """
+        # Validate batch size
+        batch_size = max(1, min(9999, batch_size))
+        
+        # Build list of all components
+        all_components = []
         for purl in packages:
             full_purl = f"pkg:/{purl}"
-            components.append({"purl": full_purl})
-        results = self.sdk.purl.post(
-            license=True,
-            components=components,
-            licenseattrib=True,
-            licensedetails=True
-        )
-        purl_packages = []
-        for result in results:
-            ecosystem = result["type"]
-            name = result["name"]
-            package_version = result["version"]
-            licenseDetails = result.get("licenseDetails")
-            licenseAttrib = result.get("licenseAttrib")
-            purl = f"{ecosystem}/{name}@{package_version}"
-            if purl not in purl_packages and purl in packages:
-                packages[purl].licenseAttrib = licenseAttrib
-                packages[purl].licenseDetails = licenseDetails
+            all_components.append({"purl": full_purl})
+        
+        # Process in batches
+        total_components = len(all_components)
+        log.debug(f"Processing {total_components} packages in batches of {batch_size}")
+        
+        for i in range(0, total_components, batch_size):
+            batch_components = all_components[i:i + batch_size]
+            batch_num = (i // batch_size) + 1
+            total_batches = (total_components + batch_size - 1) // batch_size
+            log.debug(f"Processing batch {batch_num}/{total_batches} ({len(batch_components)} packages)")
+            
+            results = self.sdk.purl.post(
+                license=True,
+                components=batch_components,
+                licenseattrib=True,
+                licensedetails=True
+            )
+            
+            purl_packages = []
+            for result in results:
+                ecosystem = result["type"]
+                name = result["name"]
+                package_version = result["version"]
+                licenseDetails = result.get("licenseDetails")
+                licenseAttrib = result.get("licenseAttrib")
+                purl = f"{ecosystem}/{name}@{package_version}"
+                if purl not in purl_packages and purl in packages:
+                    packages[purl].licenseAttrib = licenseAttrib
+                    packages[purl].licenseDetails = licenseDetails
+        
         return packages
 
     def get_added_and_removed_packages(
@@ -933,7 +938,14 @@ class Core:
                 log.error(f"Artifact details - name: {artifact.name}, version: {artifact.version}")
                 log.error("No matching packages found in head_full_scan")
 
-        packages = self.get_license_text_via_purl(packages)
+        # Only fetch license details if generate_license is enabled
+        if self.cli_config and self.cli_config.generate_license:
+            log.debug("Fetching license details via PURL endpoint")
+            batch_size = self.cli_config.max_purl_batch_size if self.cli_config else 5000
+            packages = self.get_license_text_via_purl(packages, batch_size=batch_size)
+        else:
+            log.debug("Skipping PURL endpoint call (--generate-license not set)")
+        
         return added_packages, removed_packages, packages
 
     def create_new_diff(
@@ -943,7 +955,8 @@ class Core:
             no_change: bool = False,
             save_files_list_path: Optional[str] = None,
             save_manifest_tar_path: Optional[str] = None,
-            base_paths: Optional[List[str]] = None
+            base_paths: Optional[List[str]] = None,
+            explicit_files: Optional[List[str]] = None
     ) -> Diff:
         """Create a new diff using the Socket SDK.
 
@@ -954,16 +967,21 @@ class Core:
             save_files_list_path: Optional path to save submitted files list for debugging
             save_manifest_tar_path: Optional path to save manifest files tar.gz archive
             base_paths: List of base paths for the scan (optional)
+            explicit_files: Optional list of explicit files to use instead of discovering files
         """
         log.debug(f"starting create_new_diff with no_change: {no_change}")
         if no_change:
             return Diff(id="NO_DIFF_RAN", diff_url="", report_url="")
 
-        # Find manifest files from all paths
-        all_files = []
-        for path in paths:
-            files = self.find_files(path)
-            all_files.extend(files)
+        # Use explicit files if provided, otherwise find manifest files from all paths
+        if explicit_files is not None:
+            all_files = explicit_files
+            log.debug(f"Using {len(all_files)} explicit files instead of discovering files")
+        else:
+            all_files = []
+            for path in paths:
+                files = self.find_files(path)
+                all_files.extend(files)
         
         # Save submitted files list if requested
         if save_files_list_path and all_files:
@@ -1059,9 +1077,6 @@ class Core:
                     log.warning(f"Failed to clean up temporary file {temp_file}: {e}")
 
         # Handle diff generation - now we always have both scans
-        scans_ready = self.check_full_scans_status(head_full_scan_id, new_full_scan.id)
-        if scans_ready is False:
-            log.error(f"Full scans did not complete within {self.config.timeout} seconds")
         (
             added_packages,
             removed_packages,

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/socketsecurity/core/tools/reachability.py

@@ -101,10 +101,11 @@ class ReachabilityAnalyzer:
         additional_params: Optional[List[str]] = None,
         allow_unverified: bool = False,
         enable_debug: bool = False,
+        use_only_pregenerated_sboms: bool = False,
     ) -> Dict[str, Any]:
         """
         Run reachability analysis.
-        
+
         Args:
             org_slug: Socket organization slug
             target_directory: Directory to analyze
@@ -125,7 +126,8 @@ class ReachabilityAnalyzer:
             additional_params: Additional parameters to pass to coana CLI
             allow_unverified: Disable SSL certificate verification (sets NODE_TLS_REJECT_UNAUTHORIZED=0)
             enable_debug: Enable debug mode (passes -d flag to coana CLI)
-            
+            use_only_pregenerated_sboms: Use only pre-generated CDX and SPDX files for the scan
+
         Returns:
             Dict containing scan_id and report_path
         """
@@ -179,7 +181,10 @@ class ReachabilityAnalyzer:
         
         if enable_debug:
             cmd.append("-d")
-        
+
+        if use_only_pregenerated_sboms:
+            cmd.append("--use-only-pregenerated-sboms")
+
         # Add any additional parameters provided by the user
         if additional_params:
             cmd.extend(additional_params)

{socketsecurity-2.2.43 → socketsecurity-2.2.55}/socketsecurity/socketcli.py

@@ -167,6 +167,8 @@ def main_code():
     
     # Variable to track if we need to override files with facts file
     facts_file_to_submit = None
+    # Variable to track SBOM files to submit when using --reach-use-only-pregenerated-sboms
+    sbom_files_to_submit = None
     
     # Git setup
     is_repo = False
@@ -230,12 +232,14 @@ def main_code():
     # Run reachability analysis if enabled
     if config.reach:
         from socketsecurity.core.tools.reachability import ReachabilityAnalyzer
-        
+
         log.info("Starting reachability analysis...")
-        
+
         # Find manifest files in scan paths (excluding .socket.facts.json to avoid circular dependency)
         log.info("Finding manifest files for reachability analysis...")
         manifest_files = []
+
+        # Always find all manifest files for the tar hash upload
         for scan_path in scan_paths:
             scan_manifests = core.find_files(scan_path)
             # Filter out .socket.facts.json files from manifest upload
@@ -289,7 +293,8 @@ def main_code():
                     concurrency=config.reach_concurrency,
                     additional_params=config.reach_additional_params,
                     allow_unverified=config.allow_unverified,
-                    enable_debug=config.enable_debug
+                    enable_debug=config.enable_debug,
+                    use_only_pregenerated_sboms=config.reach_use_only_pregenerated_sboms
                 )
                 
                 log.info(f"Reachability analysis completed successfully")
@@ -301,6 +306,17 @@ def main_code():
                 if config.only_facts_file:
                     facts_file_to_submit = os.path.abspath(output_path)
                     log.info(f"Only-facts-file mode: will submit only {facts_file_to_submit}")
+
+                # If reach-use-only-pregenerated-sboms mode, submit CDX, SPDX, and facts file
+                if config.reach_use_only_pregenerated_sboms:
+                    # Find only CDX and SPDX files for the final scan submission
+                    sbom_files_to_submit = []
+                    for scan_path in scan_paths:
+                        sbom_files_to_submit.extend(core.find_sbom_files(scan_path))
+                    # Use relative path for facts file
+                    if os.path.exists(output_path):
+                        sbom_files_to_submit.append(output_path)
+                    log.info(f"Pre-generated SBOMs mode: will submit {len(sbom_files_to_submit)} files (CDX, SPDX, and facts file)")
                 
             except Exception as e:
                 log.error(f"Reachability analysis failed: {str(e)}")
@@ -331,9 +347,16 @@ def main_code():
         files_explicitly_specified = True
         log.debug(f"Overriding files to only submit facts file: {facts_file_to_submit}")
 
+    # Override files if reach-use-only-pregenerated-sboms mode is active
+    if sbom_files_to_submit:
+        specified_files = sbom_files_to_submit
+        files_explicitly_specified = True
+        log.debug(f"Overriding files to submit only SBOM files (CDX, SPDX, and facts): {sbom_files_to_submit}")
+
     # Determine files to check based on the new logic
     files_to_check = []
     force_api_mode = False
+    force_diff_mode = False
     
     if files_explicitly_specified:
         # Case 2: Files are specified - use them and don't check commit details
@@ -343,10 +366,21 @@ def main_code():
         # Case 1: Files not specified and --ignore-commit-files not set - try to find changed files from commit
         files_to_check = git_repo.changed_files
         log.debug(f"Using changed files from commit: {files_to_check}")
+    elif config.ignore_commit_files and is_repo:
+        # Case 3: Git repo with --ignore-commit-files - force diff mode
+        files_to_check = []
+        force_diff_mode = True
+        log.debug("Git repo with --ignore-commit-files: forcing diff mode")
     else:
-        # ignore_commit_files is set or not a repo - scan everything but force API mode if no supported files
+        # Case 4: Not a git repo (ignore_commit_files was auto-set to True)
         files_to_check = []
-        log.debug("No files to check from commit (ignore_commit_files=True or not a repo)")
+        # If --enable-diff is set, force diff mode for non-git repos
+        log.debug(f"Case 4: Non-git repo - config.enable_diff={config.enable_diff}, type={type(config.enable_diff)}")
+        if config.enable_diff:
+            force_diff_mode = True
+            log.debug("Non-git repo with --enable-diff: forcing diff mode")
+        else:
+            log.debug("Non-git repo without --enable-diff: will use full scan mode")
 
     # Check if we have supported manifest files
     has_supported_files = files_to_check and core.has_manifest_files(files_to_check)
@@ -367,22 +401,21 @@ def main_code():
             has_supported_files = False
     
     # Case 3: If no supported files or files are empty, force API mode (no PR comments)
-    if not has_supported_files:
+    # BUT: Don't force API mode if we're in force_diff_mode
+    log.debug(f"files_to_check={files_to_check}, has_supported_files={has_supported_files}, force_diff_mode={force_diff_mode}, config.enable_diff={config.enable_diff}")
+    if not has_supported_files and not force_diff_mode:
         force_api_mode = True
         log.debug("No supported manifest files found, forcing API mode")
+    log.debug(f"force_api_mode={force_api_mode}")
     
     # Determine scan behavior
     should_skip_scan = False  # Always perform scan, but behavior changes based on supported files
-    if config.ignore_commit_files and not files_explicitly_specified:
-        # Force full scan when ignoring commit files and no explicit files
-        should_skip_scan = False
-        log.debug("Forcing full scan due to ignore_commit_files")
-    elif not has_supported_files:
-        # No supported files - still scan but in API mode
+    if not has_supported_files and not force_diff_mode:
+        # No supported files and not forcing diff - still scan but in API mode
         should_skip_scan = False
         log.debug("No supported files but will scan in API mode")
     else:
-        log.debug("Found supported manifest files, proceeding with normal scan")
+        log.debug("Found supported manifest files or forcing diff mode, proceeding with normal scan")
 
     org_slug = core.config.org_slug
     if config.repo_is_public:
@@ -435,6 +468,7 @@ def main_code():
     diff.report_url = ""
 
     # Handle SCM-specific flows
+    log.debug(f"Flow decision: scm={scm is not None}, force_diff_mode={force_diff_mode}, force_api_mode={force_api_mode}, enable_diff={config.enable_diff}")
     if scm is not None and scm.check_event_type() == "comment":
         # FIXME: This entire flow should be a separate command called "filter_ignored_alerts_in_comments"
         # It's not related to scanning or diff generation - it just:
@@ -452,7 +486,7 @@ def main_code():
         log.info("Push initiated flow")
         if scm.check_event_type() == "diff":
             log.info("Starting comment logic for PR/MR event")
-            diff = core.create_new_diff(scan_paths, params, no_change=should_skip_scan, save_files_list_path=config.save_submitted_files_list, save_manifest_tar_path=config.save_manifest_tar, base_paths=base_paths)
+            diff = core.create_new_diff(scan_paths, params, no_change=should_skip_scan, save_files_list_path=config.save_submitted_files_list, save_manifest_tar_path=config.save_manifest_tar, base_paths=base_paths, explicit_files=sbom_files_to_submit)
             comments = scm.get_comments_for_pr()
             log.debug("Removing comment alerts")
             
@@ -505,18 +539,19 @@ def main_code():
             )
         else:
             log.info("Starting non-PR/MR flow")
-            diff = core.create_new_diff(scan_paths, params, no_change=should_skip_scan, save_files_list_path=config.save_submitted_files_list, save_manifest_tar_path=config.save_manifest_tar, base_paths=base_paths)
+            diff = core.create_new_diff(scan_paths, params, no_change=should_skip_scan, save_files_list_path=config.save_submitted_files_list, save_manifest_tar_path=config.save_manifest_tar, base_paths=base_paths, explicit_files=sbom_files_to_submit)
 
         output_handler.handle_output(diff)
-    
-    elif config.enable_diff and not force_api_mode:
-        # New logic: --enable-diff forces diff mode even with --integration api (no SCM)
+
+    elif (config.enable_diff or force_diff_mode) and not force_api_mode:
+        # New logic: --enable-diff or force_diff_mode (from --ignore-commit-files in git repos) forces diff mode
         log.info("Diff mode enabled without SCM integration")
-        diff = core.create_new_diff(scan_paths, params, no_change=should_skip_scan, save_files_list_path=config.save_submitted_files_list, save_manifest_tar_path=config.save_manifest_tar, base_paths=base_paths)
+        diff = core.create_new_diff(scan_paths, params, no_change=should_skip_scan, save_files_list_path=config.save_submitted_files_list, save_manifest_tar_path=config.save_manifest_tar, base_paths=base_paths, explicit_files=sbom_files_to_submit)
         output_handler.handle_output(diff)
     
-    elif config.enable_diff and force_api_mode:
-        # User requested diff mode but no manifest files were detected
+    elif (config.enable_diff or force_diff_mode) and force_api_mode:
+        # User requested diff mode but no manifest files were detected - this should not happen with new logic
+        # but keeping as a safety net
         log.warning("--enable-diff was specified but no supported manifest files were detected in the changed files. Falling back to full scan mode.")
         log.info("Creating Socket Report (full scan)")
         serializable_params = {
@@ -530,12 +565,13 @@ def main_code():
             no_change=should_skip_scan,
             save_files_list_path=config.save_submitted_files_list,
             save_manifest_tar_path=config.save_manifest_tar,
-            base_paths=base_paths
+            base_paths=base_paths,
+            explicit_files=sbom_files_to_submit
         )
         log.info(f"Full scan created with ID: {diff.id}")
         log.info(f"Full scan report URL: {diff.report_url}")
         output_handler.handle_output(diff)
-    
+
     else:
         if force_api_mode:
             log.info("No Manifest files changed, creating Socket Report")
@@ -550,7 +586,8 @@ def main_code():
                 no_change=should_skip_scan,
                 save_files_list_path=config.save_submitted_files_list,
                 save_manifest_tar_path=config.save_manifest_tar,
-                base_paths=base_paths
+                base_paths=base_paths,
+                explicit_files=sbom_files_to_submit
             )
             log.info(f"Full scan created with ID: {diff.id}")
             log.info(f"Full scan report URL: {diff.report_url}")
@@ -561,7 +598,8 @@ def main_code():
                 no_change=should_skip_scan,
                 save_files_list_path=config.save_submitted_files_list,
                 save_manifest_tar_path=config.save_manifest_tar,
-                base_paths=base_paths
+                base_paths=base_paths,
+                explicit_files=sbom_files_to_submit
             )
             output_handler.handle_output(diff)