socketsecurity 2.2.80__tar.gz → 2.2.81__tar.gz

socketsecurity-2.2.81/.github/workflows/e2e-test.yml

@@ -0,0 +1,99 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  e2e:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: scan
+            args: >-
+              --target-path tests/e2e/fixtures/simple-npm
+              --disable-blocking
+              --enable-debug
+            validate: tests/e2e/validate-scan.sh
+
+          - name: sarif
+            args: >-
+              --target-path tests/e2e/fixtures/simple-npm
+              --sarif-file /tmp/results.sarif
+              --disable-blocking
+            validate: tests/e2e/validate-sarif.sh
+
+          - name: reachability
+            args: >-
+              --target-path tests/e2e/fixtures/simple-npm
+              --reach
+              --disable-blocking
+              --enable-debug
+            validate: tests/e2e/validate-reachability.sh
+            setup-node: "true"
+
+          - name: gitlab
+            args: >-
+              --target-path tests/e2e/fixtures/simple-npm
+              --enable-gitlab-security
+              --disable-blocking
+            validate: tests/e2e/validate-gitlab.sh
+
+          - name: json
+            args: >-
+              --target-path tests/e2e/fixtures/simple-npm
+              --enable-json
+              --disable-blocking
+            validate: tests/e2e/validate-json.sh
+
+          - name: pypi
+            args: >-
+              --target-path tests/e2e/fixtures/simple-pypi
+              --disable-blocking
+              --enable-debug
+            validate: tests/e2e/validate-scan.sh
+
+    name: e2e-${{ matrix.name }}
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        with:
+          python-version: '3.12'
+
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+        if: matrix.setup-node == 'true'
+        with:
+          node-version: '20'
+
+      - name: Install CLI from local repo
+        run: |
+          python -m pip install --upgrade pip
+          pip install .
+
+      - name: Install uv
+        if: matrix.setup-node == 'true'
+        run: pip install uv
+
+      - name: Run Socket CLI
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+        run: |
+          set -o pipefail
+          socketcli ${{ matrix.args }} 2>&1 | tee /tmp/e2e-output.log
+
+      - name: Validate results
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+        run: bash ${{ matrix.validate }}

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.80
+Version: 2.2.81
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/docs/cli-reference.md

@@ -700,17 +700,44 @@ The GitLab report includes **actionable security alerts** based on your Socket p
 
 All alert types are included in the GitLab report if they're marked as `error` or `warn` by your Socket Security policy, ensuring the Security Dashboard shows only actionable findings.
 
+### Alert Population: GitLab vs JSON/SARIF
+
+The GitLab Security Dashboard report and the JSON/SARIF diff outputs use different alert selection strategies, reflecting their distinct purposes:
+
+| Output Format | Default Alerts | With `--strict-blocking` |
+|:---|:---|:---|
+| `--enable-gitlab-security` | **All** alerts (new + existing) | All alerts (same) |
+| `--enable-json` | New alerts only | New + existing alerts |
+| `--enable-sarif` (diff scope) | New alerts only | New + existing alerts |
+
+**Why the difference?** GitLab's Security Dashboard is designed to present the full security posture of a project. An empty dashboard on a scan with no dependency changes would be misleading -- the vulnerabilities still exist, they just didn't change. By contrast, JSON and SARIF in diff scope are designed to answer "what changed?" and only include existing alerts when `--strict-blocking` explicitly requests it.
+
+> **Tip:** If you use `--enable-json` alongside `--enable-gitlab-security`, the GitLab report may contain more vulnerabilities than the JSON output. This is expected. To make JSON output match, add `--strict-blocking`.
+
+### Alert Ignoring via PR/MR Comments
+
+When using the CLI with SCM integration (`--scm github` or `--scm gitlab`), users can ignore specific alerts by reacting to Socket's PR/MR comments. Ignored alerts are removed from `--enable-json`, `--enable-sarif`, and console output.
+
+However, the GitLab Security Dashboard report includes **all** alerts matching your security policy (new and existing), regardless of comment-based ignores. This ensures the Security Dashboard always reflects the full set of known issues. To suppress a vulnerability from the GitLab report, adjust the alert's policy in Socket's dashboard rather than ignoring it via a PR comment.
+
 ### Report Schema
 
-Socket CLI generates reports compliant with [GitLab Dependency Scanning schema version 15.0.0](https://docs.gitlab.com/ee/development/integrations/secure.html). The reports include:
+Socket CLI generates reports compliant with [GitLab Dependency Scanning schema version 15.0.0](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.0.0/dist/dependency-scanning-report-format.json). The reports include:
 
-- **Scan metadata**: Analyzer and scanner information
+- **Scan metadata**: Analyzer and scanner information with ISO 8601 timestamps
 - **Vulnerabilities**: Detailed vulnerability data with:
   - Unique deterministic UUIDs for tracking
   - Package location and dependency information
   - Severity levels mapped from Socket's analysis
   - Socket-specific alert types and CVE identifiers
   - Links to Socket.dev for detailed analysis
+- **Dependency files**: Manifest files and their dependencies discovered during the scan
+
+**Schema compatibility:** The v15.0.0 schema is supported across all GitLab versions 12.0+ (both self-hosted and cloud). The report includes the `dependency_files` field, which is required by v15.0.0 and accepted as an optional extra by newer schema versions, ensuring maximum compatibility across GitLab instances.
+
+### Performance Notes
+
+When `--enable-gitlab-security` (or `--enable-json` / `--enable-sarif`) is used with a full scan (non-diff mode), the CLI fetches package and alert data from the scan results to populate the report. This adds time proportional to the number of packages in the scan. Without these output flags, no additional data is fetched and scan performance is unchanged.
 
 ### Requirements
 
@@ -726,7 +753,9 @@ Socket CLI generates reports compliant with [GitLab Dependency Scanning schema v
 - Ensure the report file follows the correct schema format
 
 **Empty vulnerabilities array:**
-- This is normal if no new security issues were detected
+- The GitLab report includes both new and existing alerts, so repeated scans of the same repo should still populate the report as long as Socket detects actionable issues
+- If the report is empty, verify the Socket dashboard shows alerts for the scanned packages -- an empty report means no error/warn-level alerts exist
+- For full scans (non-diff mode), ensure you are using `--enable-gitlab-security` so alert data is fetched
 - Check Socket.dev dashboard for full analysis details
 
 ## Development

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.80"
+version = "2.2.81"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.80'
+__version__ = '2.2.81'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/socketsecurity/core/__init__.py

@@ -659,9 +659,48 @@ class Core:
         diff.report_url = f"{base_socket}/{self.config.org_slug}/sbom/{new_full_scan.id}"
         diff.diff_url = diff.report_url
         diff.id = new_full_scan.id
-        diff.packages = {}
 
-        # Return result in the format expected by the user
+        needs_alerts = (
+            self.cli_config is not None
+            and (
+                self.cli_config.enable_gitlab_security
+                or self.cli_config.enable_json
+                or self.cli_config.enable_sarif
+            )
+        )
+
+        if needs_alerts:
+            log.info("Output format requires alerts, fetching SBOM data for full scan")
+            sbom_start = time.time()
+            sbom_artifacts_dict = self.get_sbom_data(new_full_scan.id)
+            sbom_artifacts = self.get_sbom_data_list(sbom_artifacts_dict)
+            packages = self._create_packages_dict_without_license_text(sbom_artifacts)
+            diff.packages = packages
+
+            all_alerts_collection: Dict[str, List[Issue]] = {}
+            for package_id, package in packages.items():
+                self.add_package_alerts_to_collection(
+                    package=package,
+                    alerts_collection=all_alerts_collection,
+                    packages=packages
+                )
+
+            consolidated: Set[str] = set()
+            for alert_key, alerts in all_alerts_collection.items():
+                for alert in alerts:
+                    alert_str = f"{alert.purl},{alert.type}"
+                    if (alert.error or alert.warn) and alert_str not in consolidated:
+                        diff.new_alerts.append(alert)
+                        consolidated.add(alert_str)
+
+            sbom_end = time.time()
+            log.info(
+                f"Fetched {len(packages)} packages and {len(diff.new_alerts)} alerts "
+                f"in {sbom_end - sbom_start:.2f}s"
+            )
+        else:
+            diff.packages = {}
+
         return diff
 
     def get_full_scan(self, full_scan_id: str) -> FullScan:
@@ -712,6 +751,30 @@ class Core:
 
         return packages
 
+    @staticmethod
+    def _create_packages_dict_without_license_text(
+        sbom_artifacts: list[SocketArtifact],
+    ) -> dict[str, Package]:
+        """Like create_packages_dict but skips the license-metadata API call.
+
+        Used when we only need packages for alert extraction (e.g. populating
+        GitLab/JSON/SARIF reports from a full scan) and don't need license text.
+        """
+        packages: dict[str, Package] = {}
+        top_level_count: dict[str, int] = {}
+        for artifact in sbom_artifacts:
+            package = Package.from_socket_artifact(asdict(artifact))
+            if package.id not in packages:
+                packages[package.id] = package
+                if package.topLevelAncestors:
+                    for top_id in package.topLevelAncestors:
+                        top_level_count[top_id] = top_level_count.get(top_id, 0) + 1
+
+        for package_id, package in packages.items():
+            package.transitives = top_level_count.get(package_id, 0)
+
+        return packages
+
     def get_package_license_text(self, package: Package) -> str:
         """
         Gets the license text for a package if available.

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/socketsecurity/core/messages.py

@@ -3,7 +3,7 @@ import logging
 import os
 import re
 import uuid
-from datetime import datetime
+from datetime import datetime, timezone
 from pathlib import Path
 from mdutils import MdUtils
 from prettytable import PrettyTable
@@ -593,6 +593,20 @@ class Messages:
             output["new_alerts"].append(json.loads(str(alert)))
         return output
 
+    @staticmethod
+    def _pkg_type_to_package_manager(pkg_type: str) -> str:
+        """Map Socket pkg_type to GitLab package_manager name for dependency_files."""
+        mapping = {
+            "npm": "npm",
+            "pypi": "pip",
+            "go": "go",
+            "maven": "maven",
+            "gem": "bundler",
+            "nuget": "nuget",
+            "cargo": "cargo",
+        }
+        return mapping.get(pkg_type, pkg_type or "unknown")
+
     @staticmethod
     def map_socket_severity_to_gitlab(severity: str) -> str:
         """
@@ -743,15 +757,18 @@ class Messages:
                     }
                 },
                 "type": "dependency_scanning",
-                "start_time": datetime.utcnow().isoformat() + "Z",
-                "end_time": datetime.utcnow().isoformat() + "Z",
+                "start_time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"),
+                "end_time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"),
                 "status": "success"
             },
-            "vulnerabilities": []
+            "vulnerabilities": [],
+            "dependency_files": []
         }
 
-        # Process each alert
-        for alert in diff.new_alerts:
+        dep_files_map: dict = {}
+
+        all_alerts = list(diff.new_alerts) + list(getattr(diff, 'unchanged_alerts', []))
+        for alert in all_alerts:
             vulnerability = {
                 "id": Messages.generate_uuid_from_alert_gitlab(alert),
                 "category": "dependency_scanning",
@@ -764,12 +781,29 @@ class Messages:
                 "location": Messages.extract_location_gitlab(alert)
             }
 
-            # Add solution if available
             if hasattr(alert, 'suggestion') and alert.suggestion:
                 vulnerability["solution"] = alert.suggestion
 
             gitlab_report["vulnerabilities"].append(vulnerability)
 
+            file_path = vulnerability["location"]["file"]
+            if file_path != "unknown":
+                pkg_manager = Messages._pkg_type_to_package_manager(
+                    alert.pkg_type if hasattr(alert, 'pkg_type') else ""
+                )
+                if file_path not in dep_files_map:
+                    dep_files_map[file_path] = {
+                        "path": file_path,
+                        "package_manager": pkg_manager,
+                        "dependencies": []
+                    }
+                dep_files_map[file_path]["dependencies"].append({
+                    "package": {"name": alert.pkg_name},
+                    "version": alert.pkg_version
+                })
+
+        gitlab_report["dependency_files"] = list(dep_files_map.values())
+
         return gitlab_report
 
     @staticmethod

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/socketsecurity/socketcli.py

@@ -649,11 +649,20 @@ def main_code():
             scm.enable_merge_pipeline_check()
             passed = output_handler.report_pass(diff)
             state = "success" if passed else "failed"
-            blocking_count = sum(1 for a in diff.new_alerts if a.error)
+            new_blocking = sum(1 for a in diff.new_alerts if a.error)
+            unchanged_blocking = 0
+            if config.strict_blocking and hasattr(diff, 'unchanged_alerts'):
+                unchanged_blocking = sum(1 for a in diff.unchanged_alerts if a.error)
+            blocking_count = new_blocking + unchanged_blocking
             if passed:
                 description = "No blocking issues"
             else:
-                description = f"{blocking_count} blocking alert(s) found"
+                parts = []
+                if new_blocking:
+                    parts.append(f"{new_blocking} new")
+                if unchanged_blocking:
+                    parts.append(f"{unchanged_blocking} existing")
+                description = f"{blocking_count} blocking alert(s) found ({', '.join(parts)})"
             target_url = diff.report_url or diff.diff_url or ""
             scm.set_commit_status(state, description, target_url)
 

{socketsecurity-2.2.80 → socketsecurity-2.2.81}/tests/e2e/fixtures/simple-npm/package.json

@@ -4,9 +4,9 @@
   "description": "Test fixture for reachability analysis",
   "main": "index.js",
   "dependencies": {
-    "lodash": "4.17.23",
+    "lodash": "4.18.1",
     "express": "4.22.0",
-    "axios": "1.13.5"
+    "axios": "1.15.0"
   },
   "devDependencies": {
     "typescript": "5.0.4",

socketsecurity-2.2.81/tests/e2e/fixtures/simple-pypi/requirements.txt

@@ -0,0 +1,3 @@
+requests==2.31.0
+flask==3.0.0
+pyyaml==6.0.1

socketsecurity-2.2.81/tests/e2e/validate-gitlab.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPORT="gl-dependency-scanning-report.json"
+
+if [ ! -f "$REPORT" ]; then
+  echo "FAIL: GitLab report not found at $REPORT"
+  exit 1
+fi
+
+python3 -c "
+import json, re, sys
+
+with open('$REPORT') as f:
+    data = json.load(f)
+
+errors = []
+
+# v15.0.0 required root-level keys
+for key in ('version', 'scan', 'vulnerabilities', 'dependency_files'):
+    if key not in data:
+        errors.append(f'Missing required root key: {key}')
+
+if 'scan' in data:
+    scan = data['scan']
+
+    # Timestamp format: YYYY-MM-DDTHH:MM:SS (no microseconds, no trailing Z)
+    ts_pattern = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$')
+    for field in ('start_time', 'end_time'):
+        val = scan.get(field, '')
+        if not ts_pattern.match(val):
+            errors.append(f'scan.{field} \"{val}\" does not match pattern YYYY-MM-DDTHH:MM:SS')
+
+    if scan.get('type') != 'dependency_scanning':
+        errors.append(f'scan.type is \"{scan.get(\"type\")}\" expected \"dependency_scanning\"')
+
+    analyzer_id = scan.get('analyzer', {}).get('id', '')
+    if analyzer_id != 'socket-security':
+        errors.append(f'scan.analyzer.id is \"{analyzer_id}\" expected \"socket-security\"')
+
+    scanner_id = scan.get('scanner', {}).get('id', '')
+    if scanner_id != 'socket-cli':
+        errors.append(f'scan.scanner.id is \"{scanner_id}\" expected \"socket-cli\"')
+
+    if scan.get('status') != 'success':
+        errors.append(f'scan.status is \"{scan.get(\"status\")}\" expected \"success\"')
+
+# dependency_files structure check
+if 'dependency_files' in data:
+    for i, df in enumerate(data['dependency_files']):
+        for req in ('path', 'package_manager', 'dependencies'):
+            if req not in df:
+                errors.append(f'dependency_files[{i}] missing required key: {req}')
+
+if errors:
+    for e in errors:
+        print(f'FAIL: {e}')
+    sys.exit(1)
+
+vuln_count = len(data.get('vulnerabilities', []))
+dep_file_count = len(data.get('dependency_files', []))
+print(f'PASS: Valid GitLab v15.0.0 report with {vuln_count} vulnerability(ies) and {dep_file_count} dependency file(s)')
+"

socketsecurity-2.2.81/tests/e2e/validate-json.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+LOG="/tmp/e2e-output.log"
+
+python3 -c "
+import json, sys
+
+# The JSON output may be prefixed with a logger timestamp (e.g. '2026-04-08 22:46:50,580: {...}').
+# Try parsing the full line first, then from the first '{' character.
+found = False
+with open('$LOG') as f:
+    for line in f:
+        line = line.strip()
+        if not line or '{' not in line:
+            continue
+        # Try full line first, then from the first brace
+        for candidate in (line, line[line.index('{'):]):
+            try:
+                data = json.loads(candidate)
+                if isinstance(data, dict):
+                    found = True
+                    print(f'PASS: Valid JSON output with {len(data)} top-level key(s)')
+                    break
+            except json.JSONDecodeError:
+                continue
+        if found:
+            break
+
+if not found:
+    print('FAIL: No valid JSON object found in output')
+    sys.exit(1)
+"

socketsecurity-2.2.81/tests/e2e/validate-reachability.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+LOG="/tmp/e2e-output.log"
+
+# 1. Verify reachability analysis completed
+if grep -q "Reachability analysis completed successfully" "$LOG"; then
+  echo "PASS: Reachability analysis completed"
+  grep "Reachability analysis completed successfully" "$LOG"
+  grep "Results written to:" "$LOG" || true
+else
+  echo "FAIL: Reachability analysis did not complete successfully"
+  cat "$LOG"
+  exit 1
+fi
+
+# 2. Verify scan produced a report URL
+if grep -q "Full scan report URL: https://socket.dev/" "$LOG"; then
+  echo "PASS: Full scan report URL found"
+  grep "Full scan report URL:" "$LOG"
+elif grep -q "Diff Url: https://socket.dev/" "$LOG"; then
+  echo "PASS: Diff URL found"
+  grep "Diff Url:" "$LOG"
+else
+  echo "FAIL: No report URL found in scan output"
+  cat "$LOG"
+  exit 1
+fi
+
+# 3. Run SARIF with --sarif-reachability all
+socketcli \
+  --target-path tests/e2e/fixtures/simple-npm \
+  --reach \
+  --sarif-file /tmp/sarif-all.sarif \
+  --sarif-scope full \
+  --sarif-reachability all \
+  --disable-blocking \
+  2>/dev/null
+
+# 4. Run SARIF with --sarif-reachability reachable (filtered)
+socketcli \
+  --target-path tests/e2e/fixtures/simple-npm \
+  --reach \
+  --sarif-file /tmp/sarif-reachable.sarif \
+  --sarif-scope full \
+  --sarif-reachability reachable \
+  --disable-blocking \
+  2>/dev/null
+
+# 5. Verify reachable-only results are a subset of all results
+test -f /tmp/sarif-all.sarif
+test -f /tmp/sarif-reachable.sarif
+
+python3 -c "
+import json
+with open('/tmp/sarif-all.sarif') as f:
+    all_data = json.load(f)
+with open('/tmp/sarif-reachable.sarif') as f:
+    reach_data = json.load(f)
+all_count = len(all_data['runs'][0]['results'])
+reach_count = len(reach_data['runs'][0]['results'])
+print(f'All results: {all_count}, Reachable-only results: {reach_count}')
+assert reach_count <= all_count, f'FAIL: reachable ({reach_count}) > all ({all_count})'
+print('PASS: Reachable-only results is a subset of all results')
+"

socketsecurity-2.2.81/tests/e2e/validate-sarif.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SARIF="/tmp/results.sarif"
+
+if [ ! -f "$SARIF" ]; then
+  echo "FAIL: SARIF file not found at $SARIF"
+  exit 1
+fi
+
+python3 -c "
+import json, sys
+with open('$SARIF') as f:
+    data = json.load(f)
+assert data['version'] == '2.1.0', f'Invalid version: {data[\"version\"]}'
+assert '\$schema' in data, 'Missing \$schema'
+count = len(data['runs'][0]['results'])
+print(f'PASS: Valid SARIF 2.1.0 with {count} result(s)')
+"

socketsecurity-2.2.81/tests/e2e/validate-scan.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+LOG="/tmp/e2e-output.log"
+
+if grep -q "Full scan report URL: https://socket.dev/" "$LOG"; then
+  echo "PASS: Full scan report URL found"
+  grep "Full scan report URL:" "$LOG"
+elif grep -q "Diff Url: https://socket.dev/" "$LOG"; then
+  echo "PASS: Diff URL found"
+  grep "Diff Url:" "$LOG"
+else
+  echo "FAIL: No report URL found in scan output"
+  cat "$LOG"
+  exit 1
+fi