5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

## [1.1.134](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.134) - 2026-07-01

### Fixed
- `--reach-use-only-pregenerated-sboms` now recognizes Socket facts files (`.socket.facts.json`) as pre-generated SBOMs, alongside CycloneDX and SPDX — matching what the reachability analyzer accepts. Previously a project whose only pre-generated SBOM was a `.socket.facts.json` was ignored by this flag.

## [1.1.133](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.133) - 2026-07-01

### Changed
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "socket",
"version": "1.1.133",
"version": "1.1.134",
"description": "CLI for Socket.dev",
"homepage": "https://github.com/SocketDev/socket-cli",
"license": "MIT",
46 changes: 28 additions & 18 deletions src/commands/scan/handle-create-new-scan.mts
Expand Up @@ -31,14 +31,17 @@ import type { ResolvedPathsSidecar } from '../manifest/scripts/sidecar.mts'
import type { Remap } from '@socketsecurity/registry/lib/objects'
import type { SocketSdkSuccessResult } from '@socketsecurity/sdk'

// Keys for CDX and SPDX in the supported files response.
const CDX_SPDX_KEYS = ['cdx', 'spdx']
// Supported-files response keys whose files count as pre-generated SBOMs:
// CycloneDX, SPDX, and Socket facts (`.socket.facts.json`, under `socket`).
// Kept in sync with Coana's `--use-only-pregenerated-sboms` selection
// (extractPregeneratedSbomPatterns), which matches the same three keys.
const PREGENERATED_SBOM_KEYS = ['cdx', 'socket', 'spdx']

function getCdxSpdxPatterns(
function getPregeneratedSbomPatterns(
supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],
): string[] {
const patterns: string[] = []
for (const key of CDX_SPDX_KEYS) {
for (const key of PREGENERATED_SBOM_KEYS) {
const supported = supportedFiles[key]
if (supported) {
for (const entry of Object.values(supported)) {
Expand All @@ -49,13 +52,15 @@ function getCdxSpdxPatterns(
return patterns
}

function filterToCdxSpdxOnly(
function filterToPregeneratedSboms(
filepaths: string[],
supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],
): string[] {
const patterns = getCdxSpdxPatterns(supportedFiles)
const patterns = getPregeneratedSbomPatterns(supportedFiles)
// `dot: true` lets `*`-prefixed patterns match leading-dot filenames such as
// `.socket.facts.json` (advertised as `*.socket.facts.json`).
return filepaths.filter(filepath =>
micromatch.some(filepath, patterns, { nocase: true }),
micromatch.some(filepath, patterns, { dot: true, nocase: true }),
)
}

Expand Down Expand Up @@ -263,19 +268,24 @@ export async function handleCreateNewScan({

reachabilityReport = reachResult.data?.reachabilityReport

// Ensure the .socket.facts.json isn't duplicated in case it happened
// to be in the scan folder before the analysis was run.
const filteredPackagePaths = packagePaths.filter(
p => path.basename(p) !== constants.DOT_SOCKET_DOT_FACTS_JSON,
)

// When using pregenerated SBOMs only, filter to CDX/SPDX files.
// When using only pre-generated SBOMs, build the scan from those inputs —
// CycloneDX, SPDX, and Socket facts (`.socket.facts.json`) — matching
// Coana's `--use-only-pregenerated-sboms` selection. Otherwise drop any
// stray `.socket.facts.json`; coana's fresh reachability report (appended
// below) is the authoritative facts file for the scan.
const pathsForScan = reach.reachUseOnlyPregeneratedSboms
? filterToCdxSpdxOnly(filteredPackagePaths, supportedFiles)
: filteredPackagePaths

? filterToPregeneratedSboms(packagePaths, supportedFiles)
: packagePaths.filter(
p => path.basename(p) !== constants.DOT_SOCKET_DOT_FACTS_JSON,
)

// Append coana's reachability report, but not twice: a pre-generated facts
// input can resolve to the same path coana wrote its report to.
const reportPath = reachabilityReport
? path.resolve(cwd, reachabilityReport)
: undefined
scanPaths = [
...pathsForScan,
...pathsForScan.filter(p => path.resolve(cwd, p) !== reportPath),
...(reachabilityReport ? [reachabilityReport] : []),
]

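Review bot: In the `reachUseOnlyPregeneratedSboms` branch of the third hunk, the guard `...pathsForScan.filter(p => path.resolve(cwd, p) !== reportPath)` only drops a pre-generated facts file when it resolves to exactly the path coana wrote its report to; a `.socket.facts.json` at any other path is sent alongside the appended `reachabilityReport`, so the scan can carry two facts files, which the basename filter the commit removes from that branch used to prevent. If one facts file per scan is the contract, keep the basename check when a report exists, e.g. `p => path.resolve(cwd, p) !== reportPath && !(reportPath && path.basename(p) === constants.DOT_SOCKET_DOT_FACTS_JSON)`; if two are intended, the comment above `reportPath` should say so. The string comparison also assumes `packagePaths` entries are absolute or relative to `cwd` and does not account for symlinks or case-insensitive filesystems, so a short comment stating that assumption would help — how `packagePaths` is built is not visible in this hunk. `handleCreateNewScan` starts and ends outside the hunk.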