diff --git a/CHANGELOG.md b/CHANGELOG.md
index a870e606c..d58fbca88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.1.126](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.126) - 2026-06-22
+
+### Changed
+- Reachability analysis types are now referred to by descriptive names in command help, output, and docs: Full application reachability (formerly Tier 1), Precomputed reachability (formerly Tier 2), and Dependency reachability (formerly Tier 3).
+- Updated the Coana CLI to v `15.5.7`.
+
 ## [1.1.125](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.125) - 2026-06-22
 ### Added
@@ -14,7 +20,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ## [1.1.124](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.124) - 2026-06-19
-- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh tier 1 reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
+- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh full application reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
 ### Changed
 - Updated the Coana CLI to v `15.5.4`.
diff --git a/README.md b/README.md
index 2224b1dfa..7f897cc0e 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,14 @@ All aliases support the flags and arguments of the commands they alias.
 - `socket ci` - Alias for `socket scan create --report` (creates report and exits with error if unhealthy)
+## Reachability analysis
+
+Socket reachability analysis comes in three forms:
+
+- **Full application reachability** (formerly Tier 1): Analyzes your application together with its dependencies to determine whether vulnerable code is actually invoked from your code through the full dependency graph — the highest-precision reachability analysis. Run it with `socket scan create --reach`.
+- **Precomputed reachability** (formerly Tier 2): Determines whether vulnerable code in transitive dependencies is reachable through your direct dependencies, using precomputed static analysis of dependency chains (no access to your application code required). In the CLI this is the fallback used when full application reachability cannot complete (see the `--reach-continue-on-*` flags).
+- **Dependency reachability** (formerly Tier 3): Package-level filtering that detects which dependencies are actually used, so CVEs in unused/dead dependencies can be filtered out.
+
 ## Flags
 ### Output flags
diff --git a/package.json b/package.json
index 650cc06b4..80ac04cc1 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "socket",
- "version": "1.1.125",
+ "version": "1.1.126",
 "description": "CLI for Socket.dev",
 "homepage": "https://github.com/SocketDev/socket-cli",
 "license": "MIT",
@@ -96,7 +96,7 @@
 "@babel/preset-typescript": "7.27.1",
 "@babel/runtime": "7.28.4",
 "@biomejs/biome": "2.2.4",
- "@coana-tech/cli": "15.5.5",
+ "@coana-tech/cli": "15.5.7",
 "@cyclonedx/cdxgen": "12.1.2",
 "@dotenvx/dotenvx": "1.49.0",
 "@eslint/compat": "1.3.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d588dc211..97277cfae 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -128,8 +128,8 @@ importers:
 specifier: 2.2.4
 version: 2.2.4
 '@coana-tech/cli':
- specifier: 15.5.5
- version: 15.5.5
+ specifier: 15.5.7
+ version: 15.5.7
 '@cyclonedx/cdxgen':
 specifier: 12.1.2
 version: 12.1.2
@@ -749,8 +749,8 @@ packages:
 resolution: {integrity: sha512-hAs5PPKPCQ3/Nha+1fo4A4/gL85fIfxZwHPehsjCJ+BhQH2/yw6/xReuaPA/RfNQr6iz1PcD7BZcE3ctyyl3EA==}
 cpu: [x64]
- '@coana-tech/cli@15.5.5':
- resolution: {integrity: sha512-eFZ1q1i7Xr8gEA80OfmzIoQXkDjrF3AUeRYaOvibVW6bJMJfDTBmxRkYtks6sloGgbNR9X/8Lwy4V+Z+D6llpA==}
+ '@coana-tech/cli@15.5.7':
+ resolution: {integrity: sha512-WVO66QAD/rp8hTZEkLr5fW+VXKH2GFxRWQVTueFw2EmfJnxcPUB2yfQr37qMyHVp9hUwS35OsoCrFMcWd4mqlA==}
 hasBin: true
 '@colors/colors@1.5.0':
@@ -5385,7 +5385,7 @@ snapshots:
 '@cdxgen/cdxgen-plugins-bin@2.0.2':
 optional: true
- '@coana-tech/cli@15.5.5': {}
+ '@coana-tech/cli@15.5.7': {}
 '@colors/colors@1.5.0':
 optional: true
diff --git a/src/commands/scan/cmd-scan-create.mts b/src/commands/scan/cmd-scan-create.mts
index 2ec87b857..a0fd7c6ce 100644
--- a/src/commands/scan/cmd-scan-create.mts
+++ b/src/commands/scan/cmd-scan-create.mts
@@ -116,7 +116,7 @@ const generalFlags: MeowFlags = {
 reach: {
 type: 'boolean',
 default: false,
- description: 'Run tier 1 full application reachability analysis',
+ description: 'Run full application reachability analysis',
 },
 readOnly: {
 type: 'boolean',
diff --git a/src/commands/scan/cmd-scan-create.test.mts b/src/commands/scan/cmd-scan-create.test.mts
index da51e683a..a02b1ead2 100644
--- a/src/commands/scan/cmd-scan-create.test.mts
+++ b/src/commands/scan/cmd-scan-create.test.mts
@@ -40,13 +40,13 @@ describe('socket scan create', async () => {
 --committers Committers
 --cwd working directory, defaults to process.cwd()
 --default-branch Set the default branch of the repository to the branch of this full-scan. Should only need to be done once, for example for the "main" or "master" branch.
- --exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
+ --exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) full application reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
 --interactive Allow for interactive elements, asking for input. Use --no-interactive to prevent any input questions, defaulting them to cancel/no.
 --json Output as JSON
 --markdown Output as Markdown
 --org Force override the organization slug, overrides the default org from config
 --pull-request Pull request number
- --reach Run tier 1 full application reachability analysis
+ --reach Run full application reachability analysis
 --read-only Similar to --dry-run except it can read from remote, stops before it would create an actual report
 --repo Repository name
 --report Wait for the scan creation to complete, then basically run \`socket scan report\` on it
@@ -59,8 +59,8 @@ describe('socket scan create', async () => {
 --reach-analysis-memory-limit The maximum memory for the reachability analysis as a whole number optionally followed by MB or GB (e.g. 512MB, 8GB). The default is 8GB.
 --reach-analysis-timeout Set the timeout for the reachability analysis as a whole number optionally followed by s, m or h (e.g. 90s, 10m, 1h). Defaults to 10m. Split analysis runs may cause the total scan time to exceed this timeout significantly.
 --reach-concurrency Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available.
- --reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) results. By default, the CLI halts on analysis errors.
- --reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed (Tier 2) results. By default, the CLI halts on installation errors.
+ --reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed reachability results. By default, the CLI halts on analysis errors.
+ --reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed reachability results. By default, the CLI halts on installation errors.
 --reach-continue-on-missing-lock-files Continue reachability analysis when a Gradle or SBT project is missing its lock file (or version catalog / pre-generated SBOM). By default, the CLI halts.
 --reach-continue-on-no-source-files Continue reachability analysis when a workspace contains no source files for its ecosystem. By default, the CLI halts.
 --reach-debug Enable debug mode for reachability analysis.
Provides verbose logging from the reachability CLI.
@@ -69,7 +69,7 @@ describe('socket scan create', async () => {
 --reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
 --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
- --reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
+ --reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh full application reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
 --reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
 --reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
 --reach-version Override the version of @coana-tech/cli used for reachability analysis. Default: .
diff --git a/src/commands/scan/cmd-scan-reach.mts b/src/commands/scan/cmd-scan-reach.mts
index 229759ae1..5bd4e3b41 100644
--- a/src/commands/scan/cmd-scan-reach.mts
+++ b/src/commands/scan/cmd-scan-reach.mts
@@ -31,7 +31,7 @@ import type {
 export const CMD_NAME = 'reach'
-const description = 'Compute tier 1 reachability'
+const description = 'Compute full application reachability'
 const hidden = true
diff --git a/src/commands/scan/cmd-scan-reach.test.mts b/src/commands/scan/cmd-scan-reach.test.mts
index 82c820767..223821336 100644
--- a/src/commands/scan/cmd-scan-reach.test.mts
+++ b/src/commands/scan/cmd-scan-reach.test.mts
@@ -20,7 +20,7 @@ describe('socket scan reach', async () => {
 async cmd => {
 const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
 expect(stdout).toMatchInlineSnapshot(`
- "Compute tier 1 reachability
+ "Compute full application reachability
 Usage
 $ socket scan reach [options] [CWD=.]
@@ -37,12 +37,12 @@ describe('socket scan reach', async () => {
 --output Path to write the reachability report to (must end with .json). Defaults to .socket.facts.json in the current working directory.
 Reachability Options
- --exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
+ --exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) full application reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
 --reach-analysis-memory-limit The maximum memory for the reachability analysis as a whole number optionally followed by MB or GB (e.g. 512MB, 8GB). The default is 8GB.
 --reach-analysis-timeout Set the timeout for the reachability analysis as a whole number optionally followed by s, m or h (e.g. 90s, 10m, 1h). Defaults to 10m. Split analysis runs may cause the total scan time to exceed this timeout significantly.
 --reach-concurrency Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available.
- --reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) results. By default, the CLI halts on analysis errors.
- --reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed (Tier 2) results. By default, the CLI halts on installation errors.
+ --reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed reachability results. By default, the CLI halts on analysis errors.
+ --reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed reachability results. By default, the CLI halts on installation errors.
 --reach-continue-on-missing-lock-files Continue reachability analysis when a Gradle or SBT project is missing its lock file (or version catalog / pre-generated SBOM). By default, the CLI halts.
 --reach-continue-on-no-source-files Continue reachability analysis when a workspace contains no source files for its ecosystem. By default, the CLI halts.
 --reach-debug Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
@@ -51,7 +51,7 @@ describe('socket scan reach', async () => {
 --reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
 --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
- --reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
+ --reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh full application reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
 --reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
 --reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
 --reach-version Override the version of @coana-tech/cli used for reachability analysis. Default: .
@@ -1143,7 +1143,7 @@ describe('socket scan reach', async () => {
 expect(output.length).toBeGreaterThan(0)
 },
 // Non-dry-run invocation actually starts Coana, which under v15
- // performs more upfront work (tier1 scan registration, legacy-mode
+ // performs more upfront work (full application reachability scan registration, legacy-mode
 // resolution) before failing on the bad memory limit. The default
 // 30s cmdit timeout is too tight for that path on slower CI runners.
 { timeout: 60_000 },
@@ -1185,7 +1185,7 @@ describe('socket scan reach', async () => {
 'should prioritize help over other flags',
 async cmd => {
 const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
- expect(stdout).toContain('Compute tier 1 reachability')
+ expect(stdout).toContain('Compute full application reachability')
 expect(code).toBe(0)
 },
 )
diff --git a/src/commands/scan/finalize-tier1-scan.mts b/src/commands/scan/finalize-tier1-scan.mts
index b74b0f43f..849e12381 100644
--- a/src/commands/scan/finalize-tier1-scan.mts
+++ b/src/commands/scan/finalize-tier1-scan.mts
@@ -8,11 +8,13 @@ export type FinalizeTier1ScanOptions = {
 }
 /**
- * Finalize a tier1 reachability scan.
- * - Associates the tier1 reachability scan metadata with the full scan
+ * Finalize a full application reachability scan (formerly known as "tier 1";
+ * the wire endpoint and request fields below retain the legacy tier1 name as
+ * a backend contract).
+ * - Associates the reachability scan metadata with the full scan
 * (or with `null` when called from a standalone reachability flow that
 * has no full scan to bind to).
- * - Transitions the tier1 reachability scan to its DONE terminal state.
+ * - Transitions the reachability scan to its DONE terminal state.
 */
 export async function finalizeTier1Scan(
 tier1ReachabilityScanId: string,
diff --git a/src/commands/scan/handle-create-new-scan.mts b/src/commands/scan/handle-create-new-scan.mts
index f529ad3ef..7533e1657 100644
--- a/src/commands/scan/handle-create-new-scan.mts
+++ b/src/commands/scan/handle-create-new-scan.mts
@@ -320,13 +320,13 @@ export async function handleCreateNewScan({
 scanId &&
 !tier1ReachabilityScanId
 ) {
- // Reachability analysis ran and a scan was created, but no tier 1
- // reachability scan id was extracted from the facts file. Surface this
- // instead of silently skipping finalize — otherwise the tier 1 row stays
- // stuck (e.g. at COANA_DONE) and the full scan is never linked to its
- // reachability report.
+ // Reachability analysis ran and a scan was created, but no full
+ // application reachability scan id was extracted from the facts file.
+ // Surface this instead of silently skipping finalize — otherwise the
+ // reachability row stays stuck (e.g. at COANA_DONE) and the full scan is
+ // never linked to its reachability report.
 logger.warn(
- 'Reachability analysis ran but no tier 1 reachability scan ID was found; skipping tier 1 finalize. The scan was created but its reachability report was not linked.',
+ 'Reachability analysis ran but no full application reachability scan ID was found; skipping reachability finalize. The scan was created but its reachability report was not linked.',
 )
 }
@@ -338,8 +338,9 @@ export async function handleCreateNewScan({
 // the --reach path coana overwrites that file with its enriched output
 // anyway, so it's the same path that gets removed. `--reach-retain-facts-file`
 // opts out of this cleanup so the report can be inspected; the user is then
- // responsible for deleting it before the next tier 1 scan (a stale file is
- // picked up as pre-generated input and would make those results unreliable).
+ // responsible for deleting it before the next full application reachability
+ // scan (a stale file is picked up as pre-generated input and would make those
+ // results unreliable).
 if (
 fullScanCResult.ok &&
 scanId &&
diff --git a/src/commands/scan/handle-create-new-scan.test.mts b/src/commands/scan/handle-create-new-scan.test.mts
index 2b271d651..633daba56 100644
--- a/src/commands/scan/handle-create-new-scan.test.mts
+++ b/src/commands/scan/handle-create-new-scan.test.mts
@@ -490,7 +490,7 @@ describe('handleCreateNewScan excludePaths', () => {
 })
 })
-describe('handleCreateNewScan tier1 finalize', () => {
+describe('handleCreateNewScan full application reachability finalize', () => {
 let warnSpy: ReturnType
 beforeEach(() => {
@@ -512,7 +512,7 @@ describe('handleCreateNewScan tier1 finalize', () => {
 warnSpy.mockRestore()
 })
- it('finalizes the tier 1 scan when a scan id and tier 1 id are present', async () => {
+ it('finalizes the full application reachability scan when a scan id and reachability scan id are present', async () => {
 mockPerformReachabilityAnalysis.mockResolvedValue({
 data: {
 reachabilityReport: '.socket.facts.json',
@@ -530,7 +530,7 @@ describe('handleCreateNewScan tier1 finalize', () => {
 expect(warnSpy).not.toHaveBeenCalled()
 })
- it('warns instead of silently skipping finalize when no tier 1 id was extracted', async () => {
+ it('warns instead of silently skipping finalize when no full application reachability scan id was extracted', async () => {
 mockPerformReachabilityAnalysis.mockResolvedValue({
 data: {
 reachabilityReport: '.socket.facts.json',
@@ -547,7 +547,7 @@ describe('handleCreateNewScan tier1 finalize', () => {
 expect(finalizeTier1Scan).not.toHaveBeenCalled()
 expect(warnSpy).toHaveBeenCalledTimes(1)
 expect(String(warnSpy.mock.calls[0]![0])).toMatch(
- /tier 1 finalize|reachability report was not linked/i,
+ /reachability finalize|reachability report was not linked/i,
 )
 })
 })
diff --git a/src/commands/scan/handle-scan-reach.mts b/src/commands/scan/handle-scan-reach.mts
index 6542e06e0..60c4d07d1 100644
--- a/src/commands/scan/handle-scan-reach.mts
+++ b/src/commands/scan/handle-scan-reach.mts
@@ -106,9 +106,9 @@ export async function handleScanReach({
 spinner.stop()
- // Standalone reachability has no full scan to bind to, but the tier1
- // reachability scan row still needs to transition to its DONE terminal
- // state — otherwise it sits at the post-Coana intermediate state forever
+ // Standalone reachability has no full scan to bind to, but the full
+ // application reachability scan row still needs to transition to its DONE
+ // terminal state — otherwise it sits at the post-Coana intermediate state forever
 // and looks indistinguishable from a stuck run. Pass `null` as the full
 // scan id; the endpoint accepts it for this flow. Best-effort: never
 // block the user-visible output on this.
@@ -117,7 +117,7 @@ export async function handleScanReach({
 const finalizeResult = await finalizeTier1Scan(tier1Id, null)
 if (!finalizeResult.ok) {
 logger.warn(
- `Failed to finalize tier1 reachability scan: ${finalizeResult.message}${finalizeResult.cause ? ` — ${finalizeResult.cause}` : ''}`,
+ `Failed to finalize full application reachability scan: ${finalizeResult.message}${finalizeResult.cause ? ` — ${finalizeResult.cause}` : ''}`,
 )
 }
 }
diff --git a/src/commands/scan/handle-scan-reach.test.mts b/src/commands/scan/handle-scan-reach.test.mts
index 8f18de4ce..c3252a75c 100644
--- a/src/commands/scan/handle-scan-reach.test.mts
+++ b/src/commands/scan/handle-scan-reach.test.mts
@@ -309,7 +309,7 @@ describe('handleScanReach', () => {
 )
 })
- it('finalizes the tier1 reachability scan with a null report_run_id when Coana returned a scan id', async () => {
+ it('finalizes the full application reachability scan with a null report_run_id when Coana returned a scan id', async () => {
 mockPerformReachabilityAnalysis.mockResolvedValueOnce({
 ok: true,
 data: {
@@ -353,7 +353,7 @@ describe('handleScanReach', () => {
 expect(mockFinalizeTier1Scan).toHaveBeenCalledWith('tier1-id', null)
 })
- it('does not call finalize when Coana did not return a tier1 reachability scan id', async () => {
+ it('does not call finalize when Coana did not return a full application reachability scan id', async () => {
 const reachabilityOptions = {
 excludePaths: [],
 reachAnalysisMemoryLimit: '8192',
@@ -390,7 +390,7 @@ describe('handleScanReach', () => {
 expect(mockFinalizeTier1Scan).not.toHaveBeenCalled()
 })
- it('warns but still produces scan output when tier1 finalize fails', async () => {
+ it('warns but still produces scan output when full application reachability finalize fails', async () => {
 mockPerformReachabilityAnalysis.mockResolvedValueOnce({
 ok: true,
 data: {
@@ -445,7 +445,9 @@ describe('handleScanReach', () => {
 // The failure is surfaced as a single warning carrying message and cause.
 expect(mockLoggerWarn).toHaveBeenCalledTimes(1)
 const { 0: warnMessage } = mockLoggerWarn.mock.calls[0]
- expect(warnMessage).toContain('Failed to finalize tier1 reachability scan')
+ expect(warnMessage).toContain(
+ 'Failed to finalize full application reachability scan',
+ )
 expect(warnMessage).toContain('Finalize request failed')
 expect(warnMessage).toContain('Socket API server error (503)')
 // Normal scan output is still produced; the command is not blocked.
diff --git a/src/commands/scan/perform-reachability-analysis.mts b/src/commands/scan/perform-reachability-analysis.mts
index b56e30076..c9cf0cf41 100644
--- a/src/commands/scan/perform-reachability-analysis.mts
+++ b/src/commands/scan/perform-reachability-analysis.mts
@@ -113,7 +113,7 @@ export async function performReachabilityAnalysis(
 if (!hasEnterpriseOrgPlan(organizations)) {
 return {
 ok: false,
- message: 'Tier 1 Reachability analysis requires an enterprise plan',
+ message: 'Full application reachability analysis requires an enterprise plan',
 cause: `Please ${socketDevLink('upgrade your plan', '/pricing')}. This feature is only available for organizations with an enterprise plan.`,
 }
 }
@@ -314,7 +314,7 @@ export async function performReachabilityAnalysis(
 // with `cwd` above), so resolve the read path against `cwd` too. Reading
 // the bare relative path would resolve against `process.cwd()` and miss
 // the file whenever `cwd !== process.cwd()` (e.g. `--cwd `), silently
- // dropping the tier 1 scan id and skipping finalize downstream.
+ // dropping the full application reachability scan id and skipping finalize downstream.
 const resolvedReportPath = path.resolve(cwd, outputFilePath)
 return {
diff --git a/src/commands/scan/perform-reachability-analysis.test.mts b/src/commands/scan/perform-reachability-analysis.test.mts
index 7ea16170e..4e940ae78 100644
--- a/src/commands/scan/perform-reachability-analysis.test.mts
+++ b/src/commands/scan/perform-reachability-analysis.test.mts
@@ -3,7 +3,7 @@ *
 * Test Coverage:
 * - When the scan `cwd` differs from `process.cwd()` (e.g. the
- * `--cwd ` flag), the tier 1 reachability scan id must be read from the
+ * `--cwd ` flag), the full application reachability scan id must be read from the
 * facts file Coana actually wrote at `/.socket.facts.json`, not from a
 * relative path resolved against `process.cwd()`.
 *
@@ -117,7 +117,7 @@ describe('performReachabilityAnalysis facts-file resolution', () => {
 rmSync(scanCwd, { force: true, recursive: true })
 })
- it('extracts the tier 1 scan id from the facts file under the scan cwd, not process.cwd()', async () => {
+ it('extracts the full application reachability scan id from the facts file under the scan cwd, not process.cwd()', async () => {
 // Coana (mocked) is spawned with `cwd`, so it writes the facts file under
 // the scan cwd. Pre-write it here to stand in for that output.
 writeFileSync(
@@ -147,7 +147,7 @@ describe('performReachabilityAnalysis facts-file resolution', () => {
 )
 })
- it('returns undefined tier 1 scan id when the facts file under cwd has none', async () => {
+ it('returns undefined full application reachability scan id when the facts file under cwd has none', async () => {
 writeFileSync(
 path.join(scanCwd, '.socket.facts.json'),
 JSON.stringify({ components: [] }),
diff --git a/src/commands/scan/reachability-flags.mts b/src/commands/scan/reachability-flags.mts
index 06abfe66d..1b50af689 100644
--- a/src/commands/scan/reachability-flags.mts
+++ b/src/commands/scan/reachability-flags.mts
@@ -29,13 +29,13 @@ export const reachabilityFlags: MeowFlags = {
 type: 'boolean',
 default: false,
 description:
- 'Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) results. By default, the CLI halts on analysis errors.',
+ 'Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed reachability results. By default, the CLI halts on analysis errors.',
 },
 reachContinueOnInstallErrors: {
 type: 'boolean',
 default: false,
 description:
- 'Continue reachability analysis when package installation fails, falling back to precomputed (Tier 2) results. By default, the CLI halts on installation errors.',
+ 'Continue reachability analysis when package installation fails, falling back to precomputed reachability results. By default, the CLI halts on installation errors.',
 },
 reachContinueOnMissingLockFiles: {
 type: 'boolean',
@@ -108,7 +108,7 @@ export const reachabilityFlags: MeowFlags = {
 type: 'boolean',
 default: false,
 description:
- 'Keep the `.socket.facts.json` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale `.socket.facts.json` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.',
+ 'Keep the `.socket.facts.json` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh full application reachability scan. A stale `.socket.facts.json` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.',
 },
 reachSkipCache: {
 type: 'boolean',
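Review bot: The rewritten `reachRetainFactsFile` description in the `@@ -108` hunk still leaves the entire burden of removing a stale `.socket.facts.json` with the user while itself stating that such a file is silently picked up as pre-generated input and overrides fresh analysis, which means a stale (or otherwise modified) file in the scan directory changes the reachability verdict without any signal to the operator. If the `--reach` path does not already do so (not visible in this diff), a pre-flight check that warns when a `.socket.facts.json` already exists in the scan directory before analysis starts would turn this documented hazard into a detectable one; the text could then read `… the CLI warns when an existing .socket.facts.json is found at scan start` instead of `IMPORTANT: you must delete this file …`. The same wording is snapshotted in `cmd-scan-create.test.mts` and `cmd-scan-reach.test.mts`, so both would need updating together. The enclosing `reachabilityFlags` object starts outside the hunk.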
@@ -129,6 +129,6 @@ export const excludePathsFlag: MeowFlags = {
 type: 'string',
 isMultiple: true,
 description:
- 'List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (`--cwd` if set), not the reachability target: `tests` matches only `/tests`; use `**/tests` to match at any depth. Negation patterns (`!path`) are not supported. Accepts a comma-separated value or multiple flags.',
+ 'List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) full application reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (`--cwd` if set), not the reachability target: `tests` matches only `/tests`; use `**/tests` to match at any depth. Negation patterns (`!path`) are not supported. Accepts a comma-separated value or multiple flags.',
 },
 }
diff --git a/src/utils/coana.mts b/src/utils/coana.mts
index e1777cd57..195a36a05 100644
--- a/src/utils/coana.mts
+++ b/src/utils/coana.mts
@@ -13,7 +13,7 @@ *
 * Integration:
 * - Works with @coana-tech/cli for reachability analysis
 * - Processes socket facts JSON files
- * - Extracts tier 1 reachability scan identifiers
+ * - Extracts full application reachability scan identifiers
 */
 import { createReadStream, createWriteStream, existsSync } from 'node:fs'