Merge branch 'master' into upgraded-cli-login

Signed-off-by: 101arrowz <arjunbarrett@gmail.com>

Author: 101arrowz

.npmrc

@@ -26,9 +26,10 @@ socket report view QXU8PmK7LfH608RAwfIKdbcHgwEd_ZeWJ9QEGv05FJUQ
 
 * `socket report create <path(s)-to-folder-or-file>` - creates a report on [socket.dev](https://socket.dev/)
 
-  Uploads the specified `package.json` and lock files and, if any folder is specified, the ones found in there. Also includes the complementary `package.json` and lock file to any specified. Currently `package-lock.json` and `yarn.lock` are supported.
+  Uploads the specified `package.json` and lock files for JavaScript and Python dependency manifests.
+  If any folder is specified, the ones found in there recursively are uploaded.
 
-  Supports globbing such as `**/package.json`.
+  Supports globbing such as `**/package.json`, `**/requirements.txt`, and `**/pyproject.toml`.
 
   Ignores any file specified in your project's `.gitignore`, the `projectIgnorePaths` in your project's [`socket.yml`](https://docs.socket.dev/docs/socket-yml) and on top of that has a sensible set of [default ignores](https://www.npmjs.com/package/ignore-by-default)
 

README.md

@@ -126,7 +126,7 @@ function setupCommand (name, description, argv, importMeta) {
 async function fetchPackageData (pkgName, pkgVersion, { includeAllIssues, strict }) {
   const socketSdk = await setupSdk(getDefaultKey() || FREE_API_KEY)
   const spinner = ora(`Looking up data for version ${pkgVersion} of ${pkgName}`).start()
-  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), spinner, 'looking up package')
+  const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package')
 
   if (result.success === false) {
     return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result, spinner)

lib/commands/info/index.js

@@ -107,12 +107,10 @@ async function setupCommand (name, description, argv, importMeta) {
     Usage
       $ ${name} <paths-to-package-folders-and-files>
 
-    Uploads the specified "package.json" and lock files and, if any folder is
-    specified, the ones found in there. Also includes the complementary
-    "package.json" and lock file to any specified. Currently "package-lock.json"
-    and "yarn.lock" are supported.
+    Uploads the specified "package.json" and lock files for JavaScript and Python dependency manifests.
+    If any folder is specified, the ones found in there recursively are uploaded.
 
-    Supports globbing such as "**/package.json".
+    Supports globbing such as "**/package.json", "**/requirements.txt", and "**/pyproject.toml".
 
     Ignores any file specified in your project's ".gitignore", your project's
     "socket.yml" file's "projectIgnorePaths" and also has a sensible set of
@@ -181,7 +179,17 @@ async function setupCommand (name, description, argv, importMeta) {
       }
     })
 
-  const packagePaths = await getPackageFiles(cwd, cli.input, config, debugLog)
+  // TODO: setupSdk(getDefaultKey() || FREE_API_KEY)
+  const socketSdk = await setupSdk()
+  const supportedFiles = await socketSdk.getReportSupportedFiles()
+    .then(res => {
+      if (!res.success) handleUnsuccessfulApiResponse('getReportSupportedFiles', res, ora())
+      return res.data
+    }).catch(cause => {
+      throw new ErrorWithCause('Failed getting supported files for report', { cause })
+    })
+
+  const packagePaths = await getPackageFiles(cwd, cli.input, config, supportedFiles, debugLog)
 
   return {
     config,
@@ -212,7 +220,7 @@ async function createReport (packagePaths, { config, cwd, debugLog, dryRun }) {
   const socketSdk = await setupSdk()
   const spinner = ora(`Creating report with ${packagePaths.length} package files`).start()
   const apiCall = socketSdk.createReportFromFilePaths(packagePaths, cwd, config?.issueRules)
-  const result = await handleApiCall(apiCall, spinner, 'creating report')
+  const result = await handleApiCall(apiCall, 'creating report')
 
   if (result.success === false) {
     return handleUnsuccessfulApiResponse('createReport', result, spinner)

lib/commands/report/create.js

@@ -3,6 +3,7 @@
 import chalk from 'chalk'
 import meow from 'meow'
 import ora from 'ora'
+import { ErrorWithCause } from 'pony-cause'
 
 import { outputFlags, validationFlags } from '../../flags/index.js'
 import { handleApiCall, handleUnsuccessfulApiResponse } from '../../utils/api-helpers.js'
@@ -102,6 +103,8 @@ function setupCommand (name, description, argv, importMeta) {
  * @typedef {import('@socketsecurity/sdk').SocketSdkReturnType<'getReport'>["data"]} ReportData
  */
 
+const MAX_TIMEOUT_RETRY = 5
+
 /**
  * @param {string} reportId
  * @param {Pick<CommandContext, 'includeAllIssues' | 'strict'>} context
@@ -111,8 +114,22 @@ export async function fetchReportData (reportId, { includeAllIssues, strict }) {
   // Do the API call
 
   const socketSdk = await setupSdk()
-  const spinner = ora(`Fetching report with ID ${reportId}`).start()
-  const result = await handleApiCall(socketSdk.getReport(reportId), spinner, 'fetching report')
+  const spinner = ora(`Fetching report with ID ${reportId} (this could take a while)`).start()
+  /** @type {import('@socketsecurity/sdk').SocketSdkResultType<'getReport'> | undefined} */
+  let result
+  for (let retry = 1; !result; ++retry) {
+    try {
+      result = await handleApiCall(socketSdk.getReport(reportId), 'fetching report')
+    } catch (err) {
+      if (
+        retry >= MAX_TIMEOUT_RETRY ||
+        !(err instanceof ErrorWithCause) ||
+        err.cause?.cause?.response?.statusCode !== 524
+      ) {
+        throw err
+      }
+    }
+  }
 
   if (result.success === false) {
     return handleUnsuccessfulApiResponse('getReport', result, spinner)
@@ -147,9 +164,7 @@ export function formatReportDataOutput (data, { name, outputJson, outputMarkdown
     console.log(JSON.stringify(data, undefined, 2))
   } else {
     const format = new ChalkOrMarkdown(!!outputMarkdown)
-    const url = `https://socket.dev/npm/reports/${encodeURIComponent(reportId)}`
-
-    console.log('\nDetailed info on socket.dev: ' + format.hyperlink(reportId, url, { fallbackToUrl: true }))
+    console.log('\nDetailed info on socket.dev: ' + format.hyperlink(reportId, data.url, { fallbackToUrl: true }))
     if (!outputMarkdown) {
       console.log(chalk.dim('\nOr rerun', chalk.italic(name), 'using the', chalk.italic('--json'), 'flag to get full JSON output'))
     }

lib/commands/report/view.js

@@ -8,7 +8,7 @@ import { AuthError } from './errors.js'
  * @param {T} _name
  * @param {import('@socketsecurity/sdk').SocketSdkErrorType<T>} result
  * @param {import('ora').Ora} spinner
- * @returns {void}
+ * @returns {never}
  */
 export function handleUnsuccessfulApiResponse (_name, result, spinner) {
   const resultError = 'error' in result && result.error && typeof result.error === 'object' ? result.error : {}
@@ -25,18 +25,16 @@ export function handleUnsuccessfulApiResponse (_name, result, spinner) {
 /**
  * @template T
  * @param {Promise<T>} value
- * @param {import('ora').Ora} spinner
  * @param {string} description
  * @returns {Promise<T>}
  */
-export async function handleApiCall (value, spinner, description) {
+export async function handleApiCall (value, description) {
   /** @type {T} */
   let result
 
   try {
     result = await value
   } catch (cause) {
-    spinner.fail()
     throw new ErrorWithCause(`Failed ${description}`, { cause })
   }
 

lib/utils/api-helpers.js

@@ -5,57 +5,55 @@ import { globby } from 'globby'
 import ignore from 'ignore'
 // @ts-ignore This package provides no types
 import { directories } from 'ignore-by-default'
+import micromatch from 'micromatch'
 import { ErrorWithCause } from 'pony-cause'
 
 import { InputError } from './errors.js'
 import { isErrnoException } from './type-helpers.js'
 
-/** @type {readonly string[]} */
-const SUPPORTED_LOCKFILES = [
-  'package-lock.json',
-  'yarn.lock',
-]
-
 /**
  * There are a lot of possible folders that we should not be looking in and "ignore-by-default" helps us with defining those
  *
  * @type {readonly string[]}
  */
 const ignoreByDefault = directories()
 
-/** @type {readonly string[]} */
-const GLOB_IGNORE = [
-  ...ignoreByDefault.map(item => '**/' + item)
-]
+/** @type {import('globby').Options} */
+const BASE_GLOBBY_OPTS = {
+  absolute: true,
+  expandDirectories: false,
+  gitignore: true,
+  ignore: [
+    ...ignoreByDefault.map(item => '**/' + item)
+  ],
+  markDirectories: true,
+  unique: true,
+}
 
 /**
  * Resolves package.json and lockfiles from (globbed) input paths, applying relevant ignores
  *
  * @param {string} cwd The working directory to use when resolving paths
  * @param {string[]} inputPaths A list of paths to folders, package.json files and/or recognized lockfiles. Supports globs.
  * @param {import('@socketsecurity/config').SocketYml|undefined} config
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
  * @param {typeof console.error} debugLog
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function getPackageFiles (cwd, inputPaths, config, debugLog) {
+export async function getPackageFiles (cwd, inputPaths, config, supportedFiles, debugLog) {
   debugLog(`Globbed resolving ${inputPaths.length} paths:`, inputPaths)
 
   // TODO: Does not support `~/` paths
   const entries = await globby(inputPaths, {
-    absolute: true,
+    ...BASE_GLOBBY_OPTS,
     cwd,
-    expandDirectories: false,
-    gitignore: true,
-    ignore: [...GLOB_IGNORE],
-    markDirectories: true,
-    onlyFiles: false,
-    unique: true,
+    onlyFiles: false
   })
 
   debugLog(`Globbed resolved ${inputPaths.length} paths to ${entries.length} paths:`, entries)
 
-  const packageFiles = await mapGlobResultToFiles(entries)
+  const packageFiles = await mapGlobResultToFiles(entries, supportedFiles)
 
   debugLog(`Mapped ${entries.length} entries to ${packageFiles.length} files:`, packageFiles)
 
@@ -73,11 +71,14 @@ export async function getPackageFiles (cwd, inputPaths, config, debugLog) {
  * Takes paths to folders, package.json and/or recognized lock files and resolves them to package.json + lockfile pairs (where possible)
  *
  * @param {string[]} entries
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<"getReportSupportedFiles">['data']} supportedFiles
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function mapGlobResultToFiles (entries) {
-  const packageFiles = await Promise.all(entries.map(mapGlobEntryToFiles))
+export async function mapGlobResultToFiles (entries, supportedFiles) {
+  const packageFiles = await Promise.all(
+    entries.map(entry => mapGlobEntryToFiles(entry, supportedFiles))
+  )
 
   const uniquePackageFiles = [...new Set(packageFiles.flat())]
 
@@ -88,46 +89,58 @@ export async function mapGlobResultToFiles (entries) {
  * Takes a single path to a folder, package.json or a recognized lock file and resolves to a package.json + lockfile pair (where possible)
  *
  * @param {string} entry
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<'getReportSupportedFiles'>['data']} supportedFiles
  * @returns {Promise<string[]>}
  * @throws {InputError}
  */
-export async function mapGlobEntryToFiles (entry) {
+export async function mapGlobEntryToFiles (entry, supportedFiles) {
   /** @type {string|undefined} */
-  let pkgFile
-  /** @type {string|undefined} */
-  let lockFile
-
+  let pkgJSFile
+  /** @type {string[]} */
+  let jsLockFiles = []
+  /** @type {string[]} */
+  let pyFiles = []
+
+  const jsSupported = supportedFiles['npm'] || {}
+  const jsLockFilePatterns = Object.keys(jsSupported)
+    .filter(key => key !== 'packagejson')
+    .map(key => /** @type {{ pattern: string }} */ (jsSupported[key]).pattern)
+
+  const pyFilePatterns = Object.values(supportedFiles['pypi'] || {}).map(p => p.pattern)
   if (entry.endsWith('/')) {
     // If the match is a folder and that folder contains a package.json file, then include it
     const filePath = path.resolve(entry, 'package.json')
-    pkgFile = await fileExists(filePath) ? filePath : undefined
-  } else if (path.basename(entry) === 'package.json') {
-    // If the match is a package.json file, then include it
-    pkgFile = entry
-  } else if (SUPPORTED_LOCKFILES.includes(path.basename(entry))) {
-    // If the match is a lock file, include both it and the corresponding package.json file
-    lockFile = entry
-    pkgFile = path.resolve(path.dirname(entry), 'package.json')
+    if (await fileExists(filePath)) pkgJSFile = filePath
+    pyFiles = await globby(pyFilePatterns, {
+      ...BASE_GLOBBY_OPTS,
+      cwd: entry
+    })
+  } else {
+    const entryFile = path.basename(entry)
+
+    if (entryFile === 'package.json') {
+      // If the match is a package.json file, then include it
+      pkgJSFile = entry
+    } else if (micromatch.isMatch(entryFile, jsLockFilePatterns)) {
+      jsLockFiles = [entry]
+      pkgJSFile = path.resolve(path.dirname(entry), 'package.json')
+      if (!(await fileExists(pkgJSFile))) return []
+    } else if (micromatch.isMatch(entryFile, pyFilePatterns)) {
+      pyFiles = [entry]
+    }
   }
 
   // If we will include a package.json file but don't already have a corresponding lockfile, then look for one
-  if (!lockFile && pkgFile) {
-    const pkgDir = path.dirname(pkgFile)
-
-    for (const name of SUPPORTED_LOCKFILES) {
-      const lockFileAlternative = path.resolve(pkgDir, name)
-      if (await fileExists(lockFileAlternative)) {
-        lockFile = lockFileAlternative
-        break
-      }
-    }
-  }
+  if (!jsLockFiles.length && pkgJSFile) {
+    const pkgDir = path.dirname(pkgJSFile)
 
-  if (pkgFile && lockFile) {
-    return [pkgFile, lockFile]
+    jsLockFiles = await globby(jsLockFilePatterns, {
+      ...BASE_GLOBBY_OPTS,
+      cwd: pkgDir
+    })
   }
 
-  return pkgFile ? [pkgFile] : []
+  return [...jsLockFiles, ...pyFiles].concat(pkgJSFile ? [pkgJSFile] : [])
 }
 
 /**