Skip to content

feat(cli): add scan --redirect hosted-vendored-patch mode#117

Open
Mikola Lysenko (mikolalysenko) wants to merge 1 commit into
mainfrom
feat/scan-redirect-mode
Open

feat(cli): add scan --redirect hosted-vendored-patch mode#117
Mikola Lysenko (mikolalysenko) wants to merge 1 commit into
mainfrom
feat/scan-redirect-mode

Conversation

@mikolalysenko

Copy link
Copy Markdown
Collaborator

What

Adds a new patch-apply mode to the CLI: scan --redirect. Instead of vendoring local artifact bytes or writing .socket/manifest.json, it rewrites lockfiles/manifests so only the patched dependencies resolve from Socket's hosted vendored patches (patch.socket.dev), with integrity pins matching the served bytes.

This is the CLI half of a two-repo change; the depscan companion PR adds the matching backend registry endpoints, the byte-identical TS rewriters, and the optional GitHub-app mode.

Changes

  • scan --redirect flag (conflicts_with_all = [apply, sync, vendor]); --detached/--prune compose as for vendor.
  • --patch-server-url / SOCKET_PATCH_SERVER_URL global arg, defaulting to https://patch.socket.dev (DEFAULT_PATCH_SERVER_URL in constants.rs).
  • api/client.rs::fetch_registry_references — resolves patch UUIDs to grant token + artifact URLs + per-dependency registryOverride + integrity (authed /v0/orgs/{org}/patches/package, or public proxy /patch/package).
  • patch/redirect/mod.rs — per-dependency rewriters for 9 ecosystems: npm package-lock, pnpm, yarn-classic, pip requirements, uv, cargo, composer, nuget, gem. Minimal per-dep overrides only (e.g. cargo registry = "socket-patches"), never a blanket fall-through proxy.

Known limitation

  • golang: a per-dependency remote redirect isn't expressible without a global GOPROXY (which would violate "only patched deps"), so golang stays on local-vendor mode. Documented on both the CLI and backend sides.

Cross-language consistency

The shared golden fixtures under tests/fixtures/redirect/** are consumed by both this crate's redirect_golden.rs and the depscan backend's golden.test.ts. The expected/ bytes were authored once and both implementations must reproduce them byte-for-byte — so a customer gets the identical lockfile whether Socket opens the PR (backend) or they run socket-patch scan --redirect locally.

Testing

  • cargo test -p socket-patch-core --test redirect_golden — all 9 implemented ecosystems byte-identical + deterministic re-run.
  • cargo test -p socket-patch-cli --test in_process_redirect — end-to-end scan --redirect against a mocked reference API rewrites the lockfile to the hosted patch.
  • cargo clippy -p socket-patch-core -p socket-patch-cli --tests -- -D warnings — clean.

Merge coordination

Merge this first. The depscan companion PR bumps its submodules/socket-patch pointer to this branch and must be re-pointed to the squash-merged commit before it lands.

Adds a new patch-apply mode that rewrites lockfiles/manifests so ONLY
patched dependencies resolve from Socket's hosted vendored patches
(patch.socket.dev), instead of vendoring local artifact bytes or
writing .socket/manifest.json.

- `scan --redirect` flag (conflicts_with_all apply/sync/vendor)
- `--patch-server-url` / `SOCKET_PATCH_SERVER_URL` global arg,
  defaulting to https://patch.socket.dev (DEFAULT_PATCH_SERVER_URL)
- api/client.rs `fetch_registry_references` (authed
  /v0/orgs/{org}/patches/package, or proxy /patch/package)
- patch/redirect/mod.rs rewriters for 9 ecosystems (npm package-lock,
  pnpm, yarn-classic, pypi requirements, uv, cargo, composer, nuget,
  gem); golang documented as a limitation (no per-dependency remote
  redirect without a global GOPROXY)

Shared golden fixtures (tests/fixtures/redirect/**) are consumed by
BOTH this crate's redirect_golden.rs and the depscan backend's
golden.test.ts, keeping the two rewriter implementations
byte-identical. Behavioral coverage: tests/in_process_redirect.rs.

Assisted-by: Claude Code:opus-4-8
@socket-security-staging

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgem/​puma@​6.0.09025100100100
Addednpm/​left-pad@​1.3.0100100795070
Addedcargo/​serde@​1.0.1908210093100100
Addedpypi/​flask@​2.0.19984100100100
Addedgem/​rails@​7.0.01009990100100
Addednuget/​newtonsoft.json@​13.0.39410090100100
Addedpypi/​requests@​2.28.19995100100100
Addedpypi/​requests@​2.34.299100100100100

View full report

@socket-security-staging

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Critical
Critical CVE: Puma HTTP Request/Response Smuggling vulnerability

CVE: GHSA-68xg-gqqm-vgj8 Puma HTTP Request/Response Smuggling vulnerability (CRITICAL)

Affected versions: < 5.6.7; >= 6.0.0 < 6.3.1

Patched version: 6.3.1

From: crates/socket-patch-core/tests/fixtures/redirect/gem/bundler/basic/expected/Gemfile.lockgem/puma@6.0.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore gem/puma@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

CVE: GHSA-2vqw-3mp8-cgmx Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections (HIGH)

Affected versions: >= 8.0.0 < 8.0.2; >= 5.5.0 < 7.2.1

Patched version: 7.2.1

From: crates/socket-patch-core/tests/fixtures/redirect/gem/bundler/basic/expected/Gemfile.lockgem/puma@6.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore gem/puma@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion

CVE: GHSA-qpgp-93vx-g8v8 Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion (HIGH)

Affected versions: >= 8.0.0 < 8.0.2; >= 5.5.0 < 7.2.1

Patched version: 7.2.1

From: crates/socket-patch-core/tests/fixtures/redirect/gem/bundler/basic/expected/Gemfile.lockgem/puma@6.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore gem/puma@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

CVE: GHSA-m2qf-hxjv-5gpq Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header (HIGH)

Affected versions: >= 2.3.0 < 2.3.2; < 2.2.5

Patched version: 2.2.5

From: crates/socket-patch-core/tests/fixtures/redirect/pypi/requirements/basic/expected/requirements.txtpypi/flask@2.0.1

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore pypi/flask@2.0.1. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm left-pad

Reason: use String.prototype.padStart()

From: crates/socket-patch-core/tests/fixtures/redirect/npm/package-lock-v3/basic/input/package-lock.jsonnpm/left-pad@1.3.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/left-pad@1.3.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgem/​puma@​6.0.09025100100100
Addednpm/​left-pad@​1.3.0100100795070
Addedcargo/​serde@​1.0.1908210093100100
Addedpypi/​flask@​2.0.19984100100100
Addedgem/​rails@​7.0.01009990100100
Addednuget/​newtonsoft.json@​13.0.39410090100100
Addedpypi/​requests@​2.28.19995100100100
Addedpypi/​requests@​2.34.299100100100100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Puma HTTP Request/Response Smuggling vulnerability

CVE: GHSA-68xg-gqqm-vgj8 Puma HTTP Request/Response Smuggling vulnerability (CRITICAL)

Affected versions: < 5.6.7; >= 6.0.0 < 6.3.1

Patched version: 6.3.1

From: crates/socket-patch-core/tests/fixtures/redirect/gem/bundler/basic/expected/Gemfile.lockgem/puma@6.0.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/puma@6.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants