diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5eefc37ef..e650d0300 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.1.58](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.58) - 2026-01-14
+
+### Changed
+- Analysis splitting is now disabled by default for reachability scans.
+- Added `--reach-enable-analysis-splitting` flag to opt-in to multiple analysis runs per workspace when needed.
+- Deprecated `--reach-disable-analysis-splitting` flag (now a no-op for backwards compatibility).
+- Updated the Coana CLI to v `14.12.154`.
+
+
 ## [1.1.57](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.57) - 2026-01-10
 ### Changed
diff --git a/package.json b/package.json
index 5e84870c6..d7fbcd8c6 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "socket",
- "version": "1.1.57",
+ "version": "1.1.58",
 "description": "CLI for Socket.dev",
 "homepage": "https://github.com/SocketDev/socket-cli",
 "license": "MIT AND OFL-1.1",
@@ -94,7 +94,7 @@
 "@babel/preset-typescript": "7.27.1",
 "@babel/runtime": "7.28.4",
 "@biomejs/biome": "2.2.4",
- "@coana-tech/cli": "14.12.148",
+ "@coana-tech/cli": "14.12.154",
 "@cyclonedx/cdxgen": "11.11.0",
 "@dotenvx/dotenvx": "1.49.0",
 "@eslint/compat": "1.3.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 8524a5df3..0a634786b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -124,8 +124,8 @@ importers:
 specifier: 2.2.4
 version: 2.2.4
 '@coana-tech/cli':
- specifier: 14.12.148
- version: 14.12.148
+ specifier: 14.12.154
+ version: 14.12.154
 '@cyclonedx/cdxgen':
 specifier: 11.11.0
 version: 11.11.0
@@ -680,8 +680,8 @@ packages:
 '@bufbuild/protobuf@2.6.3':
 resolution: {integrity: sha512-w/gJKME9mYN7ZoUAmSMAWXk4hkVpxRKvEJCb3dV5g9wwWdxTJJ0ayOJAVcNxtdqaxDyFuC0uz4RSGVacJ030PQ==}
- '@coana-tech/cli@14.12.148':
- resolution: {integrity: sha512-UUUKFCa4KVpbuBrsyjK/bfgaP0ERSgPkA8BmklGxfjFGQKakTqQCW+OEQa4cJ4OWcmDFtGPNSO97jg0g2TcOIg==}
+ '@coana-tech/cli@14.12.154':
+ resolution: {integrity: sha512-cksXLHZjn1dxgggq6YadiD/o9XCtx7WBAxyKYHBG4o9ALa8g1FYQrItIqTLl2AAizJhmmwfDQkZhGJ+S+8mQyw==}
 hasBin: true
 '@colors/colors@1.5.0':
@@ -5323,7 +5323,7 @@ snapshots:
 '@bufbuild/protobuf@2.6.3':
 optional: true
- '@coana-tech/cli@14.12.148': {}
+ '@coana-tech/cli@14.12.154': {}
 '@colors/colors@1.5.0':
 optional: true
diff --git a/src/commands/ci/handle-ci.mts b/src/commands/ci/handle-ci.mts
index dca8ff37d..812785c7a 100644
--- a/src/commands/ci/handle-ci.mts
+++ b/src/commands/ci/handle-ci.mts
@@ -55,9 +55,10 @@ export async function handleCi(autoManifest: boolean): Promise {
 reachAnalysisTimeout: 0,
 reachConcurrency: 1,
 reachDebug: false,
- reachDisableAnalysisSplitting: false,
+ reachDetailedAnalysisLogFile: false,
 reachDisableAnalytics: false,
 reachEcosystems: [],
+ reachEnableAnalysisSplitting: false,
 reachExcludePaths: [],
 reachLazyMode: false,
 reachSkipCache: false,
diff --git a/src/commands/scan/cmd-scan-create.mts b/src/commands/scan/cmd-scan-create.mts
index 7c4f4f3fd..2251438bc 100644
--- a/src/commands/scan/cmd-scan-create.mts
+++ b/src/commands/scan/cmd-scan-create.mts
@@ -241,8 +241,10 @@ async function run(
 reachAnalysisTimeout,
 reachConcurrency,
 reachDebug,
- reachDisableAnalysisSplitting,
+ reachDetailedAnalysisLogFile,
+ reachDisableAnalysisSplitting: _reachDisableAnalysisSplitting,
 reachDisableAnalytics,
+ reachEnableAnalysisSplitting,
 reachLazyMode,
 reachSkipCache,
 reachUseOnlyPregeneratedSboms,
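Review bot: The CI options literal in handle-ci.mts now hard-codes `reachEnableAnalysisSplitting: false` next to `reachDetailedAnalysisLogFile: false`, so `socket ci` silently switches from split analysis runs (the old `reachDisableAnalysisSplitting: false` meant splitting was on) to single runs with no way to opt back in; the scanOneRepo literal in create-scan-from-github.mts has the same shape. If that is intended, a comment above the literal such as `// CI always uses the single-run (no splitting) reachability defaults; splitting is CLI-opt-in only.` would record the decision, otherwise these two sites could read the defaults from reachabilityFlags instead of duplicating literals. The enclosing object literal and handleCi start before this hunk.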
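Review bot: `reachDisableAnalysisSplitting: _reachDisableAnalysisSplitting` is destructured and then never read, so a caller passing both the deprecated `--reach-disable-analysis-splitting` and `--reach-enable-analysis-splitting` gets splitting enabled with no notice; the cmd-scan-reach.mts hunk at -125 has the identical pattern. A one-line guard after the destructuring, `if (_reachDisableAnalysisSplitting && reachEnableAnalysisSplitting) logger.warn('--reach-disable-analysis-splitting is deprecated and ignored; --reach-enable-analysis-splitting takes precedence')` (assuming the file has a logger in scope), would make the precedence explicit. run() begins before and continues after this hunk.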
@@ -272,8 +274,10 @@ async function run(
 reachAnalysisTimeout: number
 reachConcurrency: number
 reachDebug: boolean
+ reachDetailedAnalysisLogFile: boolean
 reachDisableAnalysisSplitting: boolean
 reachDisableAnalytics: boolean
+ reachEnableAnalysisSplitting: boolean
 reachLazyMode: boolean
 reachSkipCache: boolean
 reachUseOnlyPregeneratedSboms: boolean
@@ -461,7 +465,7 @@ async function run(
 isUsingNonDefaultMemoryLimit ||
 isUsingNonDefaultTimeout ||
 isUsingNonDefaultVersion ||
- reachDisableAnalysisSplitting ||
+ reachEnableAnalysisSplitting ||
 reachLazyMode ||
 reachSkipCache ||
 reachUseOnlyPregeneratedSboms
@@ -574,9 +578,10 @@ async function run(
 reachAnalysisTimeout: Number(reachAnalysisTimeout),
 reachConcurrency: Number(reachConcurrency),
 reachDebug: Boolean(reachDebug),
- reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+ reachDetailedAnalysisLogFile: Boolean(reachDetailedAnalysisLogFile),
 reachDisableAnalytics: Boolean(reachDisableAnalytics),
 reachEcosystems,
+ reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
 reachExcludePaths,
 reachLazyMode: Boolean(reachLazyMode),
 reachSkipCache: Boolean(reachSkipCache),
diff --git a/src/commands/scan/cmd-scan-create.test.mts b/src/commands/scan/cmd-scan-create.test.mts
index 4d4c00422..46e82ce7e 100644
--- a/src/commands/scan/cmd-scan-create.test.mts
+++ b/src/commands/scan/cmd-scan-create.test.mts
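Review bot: The disjunction in the -461 hunk swaps in `reachEnableAnalysisSplitting ||` but does not add the other new option, `reachDetailedAnalysisLogFile`, even though every other reach flag visible there participates. The head of that condition is outside the hunk, so I am inferring its purpose, but if it is the "reach options were given without --reach" check then `--reach-detailed-analysis-log-file` on its own would be silently ignored rather than reported. Add `reachDetailedAnalysisLogFile ||` on the line next to `reachEnableAnalysisSplitting ||`. run() extends beyond this hunk on both sides.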
@@ -58,9 +58,10 @@ describe('socket scan create', async () => {
 --reach-analysis-timeout Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.
 --reach-concurrency Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.
 --reach-debug Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
- --reach-disable-analysis-splitting Limits Coana to at most 1 reachability analysis run per workspace.
+ --reach-detailed-analysis-log-file A log file with detailed analysis logs is written to root of each analyzed workspace.
 --reach-disable-analytics Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
+ --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
 --reach-exclude-paths List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
 --reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
 --reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
diff --git a/src/commands/scan/cmd-scan-reach.mts b/src/commands/scan/cmd-scan-reach.mts
index caa304e65..60350ca54 100644
--- a/src/commands/scan/cmd-scan-reach.mts
+++ b/src/commands/scan/cmd-scan-reach.mts
@@ -125,8 +125,10 @@ async function run(
 reachAnalysisTimeout,
 reachConcurrency,
 reachDebug,
- reachDisableAnalysisSplitting,
+ reachDetailedAnalysisLogFile,
+ reachDisableAnalysisSplitting: _reachDisableAnalysisSplitting,
 reachDisableAnalytics,
+ reachEnableAnalysisSplitting,
 reachLazyMode,
 reachSkipCache,
 reachUseOnlyPregeneratedSboms,
@@ -142,8 +144,10 @@ async function run(
 reachAnalysisTimeout: number
 reachConcurrency: number
 reachDebug: boolean
+ reachDetailedAnalysisLogFile: boolean
 reachDisableAnalysisSplitting: boolean
 reachDisableAnalytics: boolean
+ reachEnableAnalysisSplitting: boolean
 reachLazyMode: boolean
 reachSkipCache: boolean
 reachUseOnlyPregeneratedSboms: boolean
@@ -262,9 +266,10 @@ async function run(
 reachAnalysisTimeout: Number(reachAnalysisTimeout),
 reachConcurrency: Number(reachConcurrency),
 reachDebug: Boolean(reachDebug),
- reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+ reachDetailedAnalysisLogFile: Boolean(reachDetailedAnalysisLogFile),
 reachDisableAnalytics: Boolean(reachDisableAnalytics),
 reachEcosystems,
+ reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
 reachExcludePaths,
 reachLazyMode: Boolean(reachLazyMode),
 reachSkipCache: Boolean(reachSkipCache),
diff --git a/src/commands/scan/cmd-scan-reach.test.mts b/src/commands/scan/cmd-scan-reach.test.mts
index b3cb1e4c8..4bf538211 100644
--- a/src/commands/scan/cmd-scan-reach.test.mts
+++ b/src/commands/scan/cmd-scan-reach.test.mts
@@ -41,9 +41,10 @@ describe('socket scan reach', async () => {
 --reach-analysis-timeout Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.
 --reach-concurrency Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.
 --reach-debug Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
- --reach-disable-analysis-splitting Limits Coana to at most 1 reachability analysis run per workspace.
+ --reach-detailed-analysis-log-file A log file with detailed analysis logs is written to root of each analyzed workspace.
 --reach-disable-analytics Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
+ --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
 --reach-exclude-paths List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
 --reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
 --reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
@@ -195,7 +196,26 @@ describe('socket scan reach', async () => {
 FLAG_CONFIG,
 '{"apiToken":"fakeToken"}',
 ],
- 'should accept --reach-disable-analysis-splitting flag',
+ 'should accept deprecated --reach-disable-analysis-splitting flag (noop)',
+ async cmd => {
+ const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+ expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
+ expect(code, 'should exit with code 0').toBe(0)
+ },
+ )
+
+ cmdit(
+ [
+ 'scan',
+ 'reach',
+ FLAG_DRY_RUN,
+ '--reach-enable-analysis-splitting',
+ '--org',
+ 'fakeOrg',
+ FLAG_CONFIG,
+ '{"apiToken":"fakeToken"}',
+ ],
+ 'should accept --reach-enable-analysis-splitting flag',
 async cmd => {
 const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
 expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
@@ -319,7 +339,7 @@ describe('socket scan reach', async () => {
 '3600',
 '--reach-concurrency',
 '2',
- '--reach-disable-analysis-splitting',
+ '--reach-enable-analysis-splitting',
 '--reach-ecosystems',
 'npm,pypi',
 '--reach-exclude-paths',
diff --git a/src/commands/scan/create-scan-from-github.mts b/src/commands/scan/create-scan-from-github.mts
index 933521ebb..0012dd432 100644
--- a/src/commands/scan/create-scan-from-github.mts
+++ b/src/commands/scan/create-scan-from-github.mts
@@ -253,9 +253,10 @@ async function scanOneRepo(
 reachAnalysisTimeout: 0,
 reachConcurrency: 1,
 reachDebug: false,
- reachDisableAnalysisSplitting: false,
+ reachDetailedAnalysisLogFile: false,
 reachDisableAnalytics: false,
 reachEcosystems: [],
+ reachEnableAnalysisSplitting: false,
 reachExcludePaths: [],
 reachLazyMode: false,
 reachSkipCache: false,
diff --git a/src/commands/scan/perform-reachability-analysis.mts b/src/commands/scan/perform-reachability-analysis.mts
index ee71f5e4b..ba5bdcbbd 100644
--- a/src/commands/scan/perform-reachability-analysis.mts
+++ b/src/commands/scan/perform-reachability-analysis.mts
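Review bot: The renamed case `'should accept deprecated --reach-disable-analysis-splitting flag (noop)'` only proves the flag still parses under dry-run; nothing in either test asserts the no-op itself, i.e. that `--disable-analysis-splitting` is still handed to the Coana CLI, nor that `--reach-enable-analysis-splitting` suppresses it. Since the inverted default is the behavior change of this release, a unit test against the argument list built in perform-reachability-analysis.mts, called once with `reachEnableAnalysisSplitting: false` and once with `true` and asserting the presence and absence of `'--disable-analysis-splitting'`, would pin it without spawning the CLI. The cmdit callback and the describe block continue outside the hunk.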
@@ -18,9 +18,10 @@ export type ReachabilityOptions = {
 reachAnalysisTimeout: number
 reachConcurrency: number
 reachDebug: boolean
- reachDisableAnalysisSplitting: boolean
+ reachDetailedAnalysisLogFile: boolean
 reachDisableAnalytics: boolean
 reachEcosystems: PURL_Type[]
+ reachEnableAnalysisSplitting: boolean
 reachExcludePaths: string[]
 reachLazyMode: boolean
 reachSkipCache: boolean
@@ -172,12 +173,15 @@ export async function performReachabilityAnalysis(
 ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`]
 : []),
 ...(reachabilityOptions.reachDebug ? ['--debug'] : []),
+ ...(reachabilityOptions.reachDetailedAnalysisLogFile
+ ? ['--print-analysis-log-file']
+ : []),
 ...(reachabilityOptions.reachDisableAnalytics
 ? ['--disable-analytics-sharing']
 : []),
- ...(reachabilityOptions.reachDisableAnalysisSplitting
- ? ['--disable-analysis-splitting']
- : []),
+ ...(reachabilityOptions.reachEnableAnalysisSplitting
+ ? []
+ : ['--disable-analysis-splitting']),
 ...(tarHash
 ? ['--run-without-docker', '--manifests-tar-hash', tarHash]
 : []),
diff --git a/src/commands/scan/reachability-flags.mts b/src/commands/scan/reachability-flags.mts
index 0e9a348df..ecd2145f4 100644
--- a/src/commands/scan/reachability-flags.mts
+++ b/src/commands/scan/reachability-flags.mts
@@ -31,6 +31,12 @@ export const reachabilityFlags: MeowFlags = {
 description:
 'Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.',
 },
+ reachDetailedAnalysisLogFile: {
+ type: 'boolean',
+ default: false,
+ description:
+ 'A log file with detailed analysis logs is written to root of each analyzed workspace.',
+ },
 reachDisableAnalytics: {
 type: 'boolean',
 default: false,
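Review bot: The inverted spread `reachEnableAnalysisSplitting ? [] : ['--disable-analysis-splitting']` in the -172 hunk is the one place where "enable" produces no argument while every neighbouring option maps true to a flag, which is easy to misread on a skim; a comment above it, `// Splitting is opt-in: always pass --disable-analysis-splitting unless the user enabled it.`, would prevent someone "fixing" it back. In the same hunk `--print-analysis-log-file` is, per the reachability-flags.mts description, written into the root of each analyzed workspace, i.e. inside the scanned repository; a comment there noting that CI steps which later commit, tar or upload the workspace will carry that file is worth adding, and the help text would read better as `'... is written to the root of each analyzed workspace.'`. performReachabilityAnalysis begins before this hunk and the argument array continues after it.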
@@ -38,10 +44,17 @@ export const reachabilityFlags: MeowFlags = {
 'Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.',
 },
 reachDisableAnalysisSplitting: {
+ type: 'boolean',
+ default: false,
+ hidden: true,
+ description:
+ 'Deprecated: Analysis splitting is now disabled by default. This flag is a no-op.',
+ },
+ reachEnableAnalysisSplitting: {
 type: 'boolean',
 default: false,
 description:
- 'Limits Coana to at most 1 reachability analysis run per workspace.',
+ 'Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.',
 },
 reachEcosystems: {
 type: 'string',
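Review bot: With splitting now off by default, the `--reach-analysis-timeout` description that the test snapshots still show ("Split analysis runs may cause the total scan time to exceed this timeout significantly") only applies when `--reach-enable-analysis-splitting` is also given, so that description in this file should say so rather than leaving users to expect overruns on a default run. The new text `'May improve accuracy, but not recommended by default.'` is also ambiguous about what is not recommended; `'Off by default; may improve accuracy at the cost of longer, multi-run analysis.'` states the trade-off. Whether `hidden: true` is honoured by MeowFlags is not visible in this hunk and should be confirmed so the deprecated entry does not reappear in help output. The reachabilityFlags object continues outside the hunk.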