fix(scan): honor .socket.facts.json under --reach-use-only-pregenerated-sboms (1.1.134)#1393
Merged
Jeppe Fredsgaard Blaabjerg (jfblaa) merged 1 commit intoJul 1, 2026
Conversation
…ed-sboms (1.1.134)

`--reach-use-only-pregenerated-sboms` restricted the scan to CycloneDX/SPDX files only (`CDX_SPDX_KEYS = ['cdx', 'spdx']`), so a project whose only pre-generated SBOM was a Socket facts file (`.socket.facts.json`) was ignored. The reachability analyzer already treats facts as a pre-generated SBOM (its selection matches the supported-files `cdx`, `spdx`, and `socket` keys), so socket-cli was inconsistent.

Recognize the `socket` key (facts) as a pre-generated SBOM too, matching the analyzer, and match leading-dot filenames with `dot: true`. Under the flag the scan is now built from packagePaths' pre-generated SBOMs (CDX/SPDX/facts) rather than the facts-stripped list, with coana's reachability report de-duplicated so it isn't uploaded twice.

Closes REA-620.
Summary
`--reach-use-only-pregenerated-sboms` restricted the scan to CycloneDX/SPDX files only, so a project whose sole pre-generated SBOM was a Socket facts file (`.socket.facts.json`) was silently ignored by the flag.

The reachability analyzer already treats `.socket.facts.json` as a pre-generated SBOM — its selection matches the supported-files `cdx`, `spdx`, and `socket` keys. socket-cli only matched `cdx`/`spdx`, so the two were inconsistent.

This aligns socket-cli with the analyzer: the `socket` key (`.socket.facts.json`) is treated as a pre-generated SBOM alongside CDX/SPDX (`filterToCdxSpdxOnly` → `filterToPregeneratedSboms`), matching leading-dot filenames with `dot: true`.

Closes REA-620.
Verification
Type-check + lint clean; `handle-create-new-scan` and `cmd-scan-create` unit suites pass (39). Coana's side was audited to confirm it honors `.socket.facts.json` under `--use-only-pregenerated-sboms` (its `extractPregeneratedSbomPatterns` reads the `cdx`/`spdx`/`socket` keys).

Note for reviewers
The change to the scan-path assembly (building from `packagePaths` pre-generated SBOMs + de-duplicating the reachability report by resolved path) is the one spot worth a sanity check against the intended reachability-upload contract.

Note
Medium Risk
Changes which files are uploaded for reachability scans under `--reach-use-only-pregenerated-sboms`, including scan-path assembly and duplicate facts handling; behavior is intentional but worth validating against the upload contract.

Overview

`--reach-use-only-pregenerated-sboms` now treats Socket facts (`.socket.facts.json`) as a pre-generated SBOM alongside CycloneDX and SPDX, matching Coana’s `--use-only-pregenerated-sboms` behavior. Previously only `cdx`/`spdx` supported-files keys were used, so a repo whose only pre-generated SBOM was a facts file was effectively ignored by the flag.

In `handle-create-new-scan`, pre-generated SBOM filtering adds the `socket` key, enables micromatch `dot: true` so patterns like `*.socket.facts.json` match dotfiles, and renames the helpers to `filterToPregeneratedSboms`. When the flag is on, scan inputs come from those filtered paths instead of always stripping `.socket.facts.json` first; Coana’s reachability report is still appended once, with path de-duplication when a pre-generated facts file is the same file Coana wrote.

Reviewed by Cursor Bugbot for commit 4514953.