fix(scan): honor .socket.facts.json under --reach-use-only-pregenerated-sboms (1.1.134)#1393

Merged
Jeppe Fredsgaard Blaabjerg (jfblaa) merged 1 commit into
v1.xfrom
jfblaa/rea-620-use-only-pregenerated-sboms-honor-facts
Jul 1, 2026
Conversation

@jfblaa

@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) commented Jul 1, 2026

Contributor

Summary

--reach-use-only-pregenerated-sboms restricted the scan to CycloneDX/SPDX files only, so a project whose sole pre-generated SBOM was a Socket facts file (.socket.facts.json) was silently ignored by the flag.

The reachability analyzer already treats .socket.facts.json as a pre-generated SBOM — its selection matches the supported-files cdx, spdx, and socket keys. socket-cli only matched cdx/spdx, so the two were inconsistent.

This aligns socket-cli with the analyzer:

  • Recognize the socket key (.socket.facts.json) as a pre-generated SBOM alongside CDX/SPDX (filterToCdxSpdxOnly → filterToPregeneratedSboms), matching leading-dot filenames with dot: true.
  • Under the flag, the scan is built from the pre-generated SBOMs found in the package paths (CDX/SPDX/facts) rather than the facts-stripped list; coana's reachability report is appended once, de-duplicated so a facts input at the same path isn't uploaded twice.

Closes REA-620.

Verification

Type-check + lint clean; handle-create-new-scan and cmd-scan-create unit suites pass (39). Coana's side was audited to confirm it honors .socket.facts.json under --use-only-pregenerated-sboms (its extractPregeneratedSbomPatterns reads the cdx/spdx/socket keys).

Note for reviewers

The change to the scan-path assembly (building from packagePaths pre-generated SBOMs + de-duplicating the reachability report by resolved path) is the one spot worth a sanity check against the intended reachability-upload contract.


Note

Medium Risk
Changes which files are uploaded for reachability scans under --reach-use-only-pregenerated-sboms, including scan-path assembly and duplicate facts handling; behavior is intentional but worth validating against the upload contract.

Overview
--reach-use-only-pregenerated-sboms now treats Socket facts (.socket.facts.json) as a pre-generated SBOM alongside CycloneDX and SPDX, matching Coana’s --use-only-pregenerated-sboms behavior. Previously only cdx/spdx supported-files keys were used, so a repo whose only pre-generated SBOM was a facts file was effectively ignored by the flag.

In handle-create-new-scan, pre-generated SBOM filtering adds the socket key, enables micromatch dot: true so patterns like *.socket.facts.json match dotfiles, and renames the helpers to filterToPregeneratedSboms. When the flag is on, scan inputs come from those filtered paths instead of always stripping .socket.facts.json first; Coana’s reachability report is still appended once, with path de-duplication when a pre-generated facts file is the same file Coana wrote.

Reviewed by Cursor Bugbot for commit 4514953. Configure here.

…ed-sboms (1.1.134)

`--reach-use-only-pregenerated-sboms` restricted the scan to CycloneDX/SPDX files
only (CDX_SPDX_KEYS = ['cdx', 'spdx']), so a project whose only pre-generated SBOM
was a Socket facts file (`.socket.facts.json`) was ignored. The reachability
analyzer already treats facts as a pre-generated SBOM (its selection matches the
supported-files `cdx`, `spdx`, and `socket` keys), so socket-cli was inconsistent.

Recognize the `socket` key (facts) as a pre-generated SBOM too, matching the
analyzer, and match leading-dot filenames with `dot: true`. Under the flag the
scan is now built from packagePaths' pre-generated SBOMs (CDX/SPDX/facts) rather
than the facts-stripped list, with coana's reachability report de-duplicated so
it isn't uploaded twice. Closes REA-620.

@mtorp Martin Torp (mtorp) left a comment

Contributor

LGTM ✅

@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) merged commit 77bce16 into v1.x Jul 1, 2026
14 checks passed
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) deleted the jfblaa/rea-620-use-only-pregenerated-sboms-honor-facts branch July 1, 2026 13:18