fix(scan): honor .socket.facts.json under --reach-use-only-pregenerated-sboms (1.1.134) (#1393)
`--reach-use-only-pregenerated-sboms` restricted the scan to CycloneDX/SPDX files
only (CDX_SPDX_KEYS = ['cdx', 'spdx']), so a project whose only pre-generated SBOM
was a Socket facts file (`.socket.facts.json`) was ignored. The reachability
analyzer already treats facts as a pre-generated SBOM (its selection matches the
supported-files `cdx`, `spdx`, and `socket` keys), so socket-cli was inconsistent.
Recognize the `socket` key (facts) as a pre-generated SBOM too, matching the
analyzer, and match leading-dot filenames with `dot: true`. Under the flag the
scan is now built from packagePaths' pre-generated SBOMs (CDX/SPDX/facts) rather
than the facts-stripped list, with coana's reachability report de-duplicated so
it isn't uploaded twice. Closes REA-620.
- `--reach-use-only-pregenerated-sboms` now recognizes Socket facts files (`.socket.facts.json`) as pre-generated SBOMs, alongside CycloneDX and SPDX — matching what the reachability analyzer accepts. Previously a project whose only pre-generated SBOM was a `.socket.facts.json` was ignored by this flag.