
Commit 77bce16

fix(scan): honor .socket.facts.json under --reach-use-only-pregenerated-sboms (1.1.134) (#1393)
`--reach-use-only-pregenerated-sboms` restricted the scan to CycloneDX/SPDX files only (CDX_SPDX_KEYS = ['cdx', 'spdx']), so a project whose only pre-generated SBOM was a Socket facts file (`.socket.facts.json`) was ignored. The reachability analyzer already treats facts as a pre-generated SBOM (its selection matches the supported-files `cdx`, `spdx`, and `socket` keys), so socket-cli was inconsistent. Recognize the `socket` key (facts) as a pre-generated SBOM too, matching the analyzer, and match leading-dot filenames with `dot: true`. Under the flag the scan is now built from packagePaths' pre-generated SBOMs (CDX/SPDX/facts) rather than the facts-stripped list, with coana's reachability report de-duplicated so it isn't uploaded twice. Closes REA-620.
1 parent 5b41564 commit 77bce16

3 files changed

Lines changed: 34 additions & 19 deletions


CHANGELOG.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
44

55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
66

7+
## [1.1.134](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.134) - 2026-07-01
8+
9+
### Fixed
10+
- `--reach-use-only-pregenerated-sboms` now recognizes Socket facts files (`.socket.facts.json`) as pre-generated SBOMs, alongside CycloneDX and SPDX — matching what the reachability analyzer accepts. Previously a project whose only pre-generated SBOM was a `.socket.facts.json` was ignored by this flag.
11+
712
## [1.1.133](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.133) - 2026-07-01
813

914
### Changed
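Review bot: the new entry under `### Fixed` covers only the key recognition, while this release also changes two things a user can observe and the changelog should name them: pattern matching now runs with `dot: true`, and under the flag a pre-generated `.socket.facts.json` is no longer stripped from the scan but kept and de-duplicated against coana's report path. Suggest a second bullet along the lines of `- Under \`--reach-use-only-pregenerated-sboms\`, pre-generated \`.socket.facts.json\` inputs are now kept in the scan and de-duplicated against the reachability report so the file is not uploaded twice.`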

package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "socket",
3-
"version": "1.1.133",
3+
"version": "1.1.134",
44
"description": "CLI for Socket.dev",
55
"homepage": "https://github.com/SocketDev/socket-cli",
66
"license": "MIT",

src/commands/scan/handle-create-new-scan.mts

Lines changed: 28 additions & 18 deletions
@@ -31,14 +31,17 @@ import type { ResolvedPathsSidecar } from '../manifest/scripts/sidecar.mts'
3131
import type { Remap } from '@socketsecurity/registry/lib/objects'
3232
import type { SocketSdkSuccessResult } from '@socketsecurity/sdk'
3333

34-
// Keys for CDX and SPDX in the supported files response.
35-
const CDX_SPDX_KEYS = ['cdx', 'spdx']
34+
// Supported-files response keys whose files count as pre-generated SBOMs:
35+
// CycloneDX, SPDX, and Socket facts (`.socket.facts.json`, under `socket`).
36+
// Kept in sync with Coana's `--use-only-pregenerated-sboms` selection
37+
// (extractPregeneratedSbomPatterns), which matches the same three keys.
38+
const PREGENERATED_SBOM_KEYS = ['cdx', 'socket', 'spdx']
3639

37-
function getCdxSpdxPatterns(
40+
function getPregeneratedSbomPatterns(
3841
supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],
3942
): string[] {
4043
const patterns: string[] = []
41-
for (const key of CDX_SPDX_KEYS) {
44+
for (const key of PREGENERATED_SBOM_KEYS) {
4245
const supported = supportedFiles[key]
4346
if (supported) {
4447
for (const entry of Object.values(supported)) {
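Review bot: `PREGENERATED_SBOM_KEYS` pulls in every entry under the `socket` key, while the comment ties that key to `.socket.facts.json` alone; if the supported-files response ever advertises another pattern under `socket`, it silently becomes a pre-generated SBOM under the flag. Either restrict the `socket` entries to the facts pattern in `getPregeneratedSbomPatterns`, or add a test that pins the patterns the three keys are expected to yield. The comment also promises this list is "kept in sync" with Coana's `extractPregeneratedSbomPatterns`, but nothing enforces that; a test comparing the two key lists, or a shared constant, would make the promise checkable instead of a comment that can drift.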
@@ -49,13 +52,15 @@ function getCdxSpdxPatterns(
4952
return patterns
5053
}
5154

52-
function filterToCdxSpdxOnly(
55+
function filterToPregeneratedSboms(
5356
filepaths: string[],
5457
supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],
5558
): string[] {
56-
const patterns = getCdxSpdxPatterns(supportedFiles)
59+
const patterns = getPregeneratedSbomPatterns(supportedFiles)
60+
// `dot: true` lets `*`-prefixed patterns match leading-dot filenames such as
61+
// `.socket.facts.json` (advertised as `*.socket.facts.json`).
5762
return filepaths.filter(filepath =>
58-
micromatch.some(filepath, patterns, { nocase: true }),
63+
micromatch.some(filepath, patterns, { dot: true, nocase: true }),
5964
)
6065
}
6166
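Review bot: `dot: true` applies to every pattern, not only the facts one, so `*.cdx.json` and `*.spdx.json` now match dotfiles as well; probably harmless, but the comment should say the widening is deliberate. Separately, a `*` in micromatch does not cross `/`, so the advertised `*.socket.facts.json` matches `.socket.facts.json` only when `filepath` is a bare basename; if entries in `filepaths` can be nested or absolute, either the advertised pattern needs a `**/` prefix or the call needs `matchBase: true`, and `dot: true` alone will not get a nested facts file through. A unit test for `filterToPregeneratedSboms` with `.socket.facts.json`, `packages/app/.socket.facts.json` and `.SOCKET.FACTS.JSON` would settle both points.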

@@ -263,19 +268,24 @@ export async function handleCreateNewScan({
263268

264269
reachabilityReport = reachResult.data?.reachabilityReport
265270

266-
// Ensure the .socket.facts.json isn't duplicated in case it happened
267-
// to be in the scan folder before the analysis was run.
268-
const filteredPackagePaths = packagePaths.filter(
269-
p => path.basename(p) !== constants.DOT_SOCKET_DOT_FACTS_JSON,
270-
)
271-
272-
// When using pregenerated SBOMs only, filter to CDX/SPDX files.
271+
// When using only pre-generated SBOMs, build the scan from those inputs —
272+
// CycloneDX, SPDX, and Socket facts (`.socket.facts.json`) — matching
273+
// Coana's `--use-only-pregenerated-sboms` selection. Otherwise drop any
274+
// stray `.socket.facts.json`; coana's fresh reachability report (appended
275+
// below) is the authoritative facts file for the scan.
273276
const pathsForScan = reach.reachUseOnlyPregeneratedSboms
274-
? filterToCdxSpdxOnly(filteredPackagePaths, supportedFiles)
275-
: filteredPackagePaths
276-
277+
? filterToPregeneratedSboms(packagePaths, supportedFiles)
278+
: packagePaths.filter(
279+
p => path.basename(p) !== constants.DOT_SOCKET_DOT_FACTS_JSON,
280+
)
281+
282+
// Append coana's reachability report, but not twice: a pre-generated facts
283+
// input can resolve to the same path coana wrote its report to.
284+
const reportPath = reachabilityReport
285+
? path.resolve(cwd, reachabilityReport)
286+
: undefined
277287
scanPaths = [
278-
...pathsForScan,
288+
...pathsForScan.filter(p => path.resolve(cwd, p) !== reportPath),
279289
...(reachabilityReport ? [reachabilityReport] : []),
280290
]
281291
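Review bot: the de-duplication only drops an input whose `path.resolve(cwd, p)` equals `reportPath`, so under the flag a pre-generated `.socket.facts.json` that lives elsewhere in the tree, or that differs from the report only in case on a case-insensitive filesystem or is reached through a symlink (`path.resolve` does not canonicalize), is uploaded alongside coana's fresh report and the scan carries two facts files. If that is intended, say so in the comment above `reportPath`; if not, drop inputs by basename in the flag branch as the default branch already does, or compare `fs.realpathSync` results. Also worth confirming that `reachabilityReport` is relative to `cwd` (or absolute): if coana reports it relative to another directory, the comparison never matches and the file is appended twice, so a test where the pre-generated facts input and the report are the same file would guard the exact case this commit fixes.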
