diff --git a/.github/actions/setup-docker/action.yml b/.github/actions/setup-docker/action.yml new file mode 100644 index 0000000..846efd4 --- /dev/null +++ b/.github/actions/setup-docker/action.yml @@ -0,0 +1,23 @@ +name: "Set up Docker" +description: >- + Set up QEMU + Docker Buildx and authenticate to Docker Hub for multi-arch + image builds. Centralizes the QEMU/Buildx/login trio used by release, + preview, and stable workflows. + +inputs: + dockerhub-username: + description: "Docker Hub username (pass from secrets)" + required: true + dockerhub-token: + description: "Docker Hub token/password (pass from secrets)" + required: true + +runs: + using: "composite" + steps: + - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 + - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + with: + username: ${{ inputs.dockerhub-username }} + password: ${{ inputs.dockerhub-token }} diff --git a/.github/actions/setup-hatch/action.yml b/.github/actions/setup-hatch/action.yml new file mode 100644 index 0000000..0da5160 --- /dev/null +++ b/.github/actions/setup-hatch/action.yml @@ -0,0 +1,13 @@ +name: "Set up Hatch build tooling" +description: >- + Install the pinned hatch / hatchling / virtualenv toolchain used to build + and publish the package. Assumes Python is already set up by the caller. + +runs: + using: "composite" + steps: + - shell: bash + run: | + python -m pip install --upgrade pip + pip install "virtualenv<20.36" + pip install hatchling==1.27.0 hatch==1.14.0 diff --git a/.github/actions/setup-sfw/action.yml b/.github/actions/setup-sfw/action.yml new file mode 100644 index 0000000..456f90b --- /dev/null +++ b/.github/actions/setup-sfw/action.yml @@ -0,0 +1,49 @@ +name: "Set up Socket Firewall" +description: >- + Set up the requested language toolchain and install Socket Firewall (free + or enterprise edition) so subsequent steps can run package-manager commands + wrapped with `sfw`. Defaults to free/anonymous mode (no API token -- safe on + untrusted / Dependabot / fork PRs). Pass mode: firewall-enterprise + + socket-token for full org-policy enforcement on trusted maintainer PRs. + +inputs: + python: + description: "Set up Python 3.12" + default: "false" + node: + description: "Set up Node 20 (needed for npm-wrapped checks)" + default: "false" + uv: + description: "Install uv (implies Python)" + default: "false" + mode: + description: "socketdev/action mode: firewall-free or firewall-enterprise" + default: "firewall-free" + socket-token: + description: "Socket API token (only used/required for firewall-enterprise)" + default: "" + +runs: + using: "composite" + steps: + - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }} + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.12" + + - if: ${{ inputs.node == 'true' }} + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: "20" + + # Official Socket setup action. Wires up sfw routing correctly. + # socket-token is ignored in firewall-free mode and empty when absent. + - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: ${{ inputs.mode }} + socket-token: ${{ inputs.socket-token }} + + - if: ${{ inputs.uv == 'true' }} + name: Install uv + shell: bash + run: python -m pip install --upgrade pip uv diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..89e2ed0 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,76 @@ +# Dependabot configuration for socket-python-cli. +# +# Design notes: +# - Python deps are grouped into a weekly PR (minor/patch). +# - GitHub Actions are grouped similarly into one weekly PR. +# - Docker (the project Dockerfile) is tracked separately. +# - 7-day cooldown enforced across all ecosystems. + +version: 2 +updates: + + # Main app Python deps (uv-tracked) + - package-ecosystem: "uv" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 2 + groups: + python-minor-patch: + patterns: + - "*" + update-types: + - "minor" + - "patch" + python-major: + patterns: + - "*" + update-types: + - "major" + labels: + - "dependencies" + - "python:uv" + commit-message: + prefix: "chore" + include: "scope" + cooldown: + default-days: 7 + + # GitHub Actions used in workflows and local composite actions. + - package-ecosystem: "github-actions" + directories: + - "/" + - "/.github/actions/*" + schedule: + interval: "weekly" + open-pull-requests-limit: 2 + groups: + github-actions-minor-patch: + patterns: + - "*" + update-types: + - "minor" + - "patch" + labels: + - "dependencies" + - "github-actions" + commit-message: + prefix: "ci" + include: "scope" + cooldown: + default-days: 7 + + # Project Dockerfile base images and pinned binaries + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 2 + labels: + - "dependencies" + - "docker" + commit-message: + prefix: "chore" + include: "scope" + cooldown: + default-days: 7 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..a39694f --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,653 @@ +name: dependency-review + +# Supply-chain guardrails for dependency-update PRs -- for BOTH Dependabot +# and maintainers. +# +# Inspects the changed files, then conditionally runs Socket Firewall (sfw) +# install smoke jobs for the affected manifests, picking the firewall edition +# per PR: +# +# - Trusted authors: any in-repo (non-fork) PR other than Dependabot's +# (i.e. someone with write access) -> Socket Firewall ENTERPRISE through +# the socket-firewall environment and its SOCKET_SFW_API_TOKEN secret +# (authenticated, full org-policy enforcement). +# - Everyone else: Dependabot and all fork PRs from external contributors -> +# Socket Firewall FREE (anonymous, no API token), which is safe in the +# unprivileged `pull_request` context. +# +# Only Enterprise jobs declare the socket-firewall environment. Free jobs do +# not touch that environment or its token. +# +# Each sfw smoke job collects an sfw-artifacts/ directory (provenance context +# + the firewall's console logs) and uploads it as a build artifact +# (if: always(), so the report survives even when sfw BLOCKS an install -- +# which is exactly when you want to read it). +# +# Pattern adapted from SocketDev/socket-basics and SocketDev/socket-sdk-python. + +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + +permissions: + contents: read + +concurrency: + group: dependency-review-${{ github.event.pull_request.number }} + cancel-in-progress: true + +jobs: + inspect: + runs-on: ubuntu-latest + timeout-minutes: 5 + outputs: + python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }} + fixture_npm_changed: ${{ steps.diff.outputs.fixture_npm_changed }} + fixture_pypi_changed: ${{ steps.diff.outputs.fixture_pypi_changed }} + dockerfile_changed: ${{ steps.diff.outputs.dockerfile_changed }} + workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }} + sfw_mode: ${{ steps.mode.outputs.sfw_mode }} + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + + - name: Inspect changed files + id: diff + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} + run: | + CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")" + + { + echo "## Changed files" + echo '```' + printf '%s\n' "$CHANGED_FILES" + echo '```' + } >> "$GITHUB_STEP_SUMMARY" + + has_file() { + local pattern="$1" + if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then + echo "true" + else + echo "false" + fi + } + + { + echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')" + echo "fixture_npm_changed=$(has_file '^tests/e2e/fixtures/simple-npm/')" + echo "fixture_pypi_changed=$(has_file '^tests/e2e/fixtures/simple-pypi/')" + echo "dockerfile_changed=$(has_file '^Dockerfile$')" + echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')" + } >> "$GITHUB_OUTPUT" + + - name: Determine Socket Firewall mode + id: mode + # Trusted == any in-repo (non-fork) PR that isn't Dependabot's. Only + # accounts with write access can push a branch to this repo, so a + # non-fork PR already implies a trusted author -- the same boundary + # GitHub uses to decide whether secrets are exposed at all. + # + # NB: author_association is deliberately NOT used to require strict org + # membership. It only reflects PUBLIC org membership, so private members + # (the common case) show up as CONTRIBUTOR and would be misclassified. + # Reliable strict-membership detection would need a read:org token or + # public membership. This step references NO secret regardless -- it + # only decides which smoke job runs. + env: + IS_DEPENDABOT: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }} + AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }} + run: | + mode=firewall-free + if [ "$IS_DEPENDABOT" != "true" ] && [ "$IS_FORK" != "true" ]; then + mode=firewall-enterprise + fi + + echo "sfw_mode=$mode" >> "$GITHUB_OUTPUT" + { + echo "## Socket Firewall mode: \`$mode\`" + echo "- author_association: \`$AUTHOR_ASSOC\`" + echo "- dependabot: \`$IS_DEPENDABOT\` | fork: \`$IS_FORK\`" + } >> "$GITHUB_STEP_SUMMARY" + + - name: Summarize review expectations + env: + PR_URL: ${{ github.event.pull_request.html_url }} + run: | + { + echo "## Dependency Review Checklist" + echo "- PR: $PR_URL" + echo "- Confirm upstream release notes before merge" + echo "- Do not treat a dependency PR as trusted solely because of the actor" + echo "- This workflow runs in pull_request context only; no publish secrets are exposed" + } >> "$GITHUB_STEP_SUMMARY" + + python-sfw-smoke-free: + needs: inspect + if: | + needs.inspect.outputs.python_deps_changed == 'true' && + needs.inspect.outputs.sfw_mode == 'firewall-free' + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Prepare SFW artifact directory + run: | + mkdir -p sfw-artifacts + { + echo "mode=firewall-free" + echo "manifest=python" + echo "pr=${{ github.event.pull_request.number }}" + echo "sha=${{ github.event.pull_request.head.sha }}" + } > sfw-artifacts/context.txt + + - uses: ./.github/actions/setup-sfw + with: + uv: "true" + mode: firewall-free + + - name: Sync project through Socket Firewall + # `sfw uv sync` is the intended way to route uv through Socket Firewall + # (per Socket's own uv wrapper guidance). --locked verifies the exact + # uv.lock set and fails on lockfile drift rather than silently + # re-resolving, so the firewall inspects precisely what would install. + # Note: uv's sfw integration is quieter than npm/pip -- it does not + # print the "N packages fetched" footer, but interception is active. + # + # Use the runner's setup-python interpreter and forbid managed-Python + # downloads. The firewall is here to vet PyPI installs, not the + # interpreter/toolchain download path. + # + # pipefail keeps sfw's exit code through the tee so a firewall block + # still fails the job; tee captures the report for the artifact upload. + env: + UV_PYTHON: "3.12" + UV_PYTHON_DOWNLOADS: never + run: | + set -o pipefail + sfw uv sync --locked --extra test --extra dev 2>&1 | tee sfw-artifacts/sfw-uv-sync.log + + - name: Import smoke test + env: + UV_PYTHON: "3.12" + UV_PYTHON_DOWNLOADS: never + run: | + set -o pipefail + uv run python -c " + from socketsecurity.socketcli import cli, build_socket_sdk + from socketsecurity.core import Core + from socketsecurity.core.exceptions import ( + APIFailure, RequestTimeoutExceeded, APIResourceNotFound, + ) + from socketsecurity.core.git_interface import Git + from socketsecurity.config import CliConfig + print('import smoke OK') + " 2>&1 | tee sfw-artifacts/import-smoke.log + + - name: Collect SFW JSON report + # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP + # file) and reads it back in its post step to render the job summary, so + # COPY (don't move) the report into the bundle. sfw writes it even when + # it blocks an install -- always() keeps it on failures too. + if: always() + run: | + if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then + cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json" + echo "Collected SFW report -> sfw-artifacts/sfw-report.json" + else + echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-}'." \ + > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt" + fi + + - name: Upload SFW report artifact + if: always() + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: socket-firewall-free-python-${{ github.event.pull_request.number }} + path: sfw-artifacts/ + if-no-files-found: warn + retention-days: 14 + + python-sfw-smoke-enterprise: + needs: inspect + if: | + needs.inspect.outputs.python_deps_changed == 'true' && + needs.inspect.outputs.sfw_mode == 'firewall-enterprise' + runs-on: ubuntu-latest + timeout-minutes: 15 + environment: socket-firewall + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Prepare SFW artifact directory + run: | + mkdir -p sfw-artifacts + { + echo "mode=firewall-enterprise" + echo "manifest=python" + echo "pr=${{ github.event.pull_request.number }}" + echo "sha=${{ github.event.pull_request.head.sha }}" + } > sfw-artifacts/context.txt + + - uses: ./.github/actions/setup-sfw + with: + uv: "true" + mode: firewall-enterprise + socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }} + + - name: Sync project through Socket Firewall + # `sfw uv sync` is the intended way to route uv through Socket Firewall + # (per Socket's own uv wrapper guidance). --locked verifies the exact + # uv.lock set and fails on lockfile drift rather than silently + # re-resolving, so the firewall inspects precisely what would install. + # Note: uv's sfw integration is quieter than npm/pip -- it does not + # print the "N packages fetched" footer, but interception is active. + # + # Use the runner's setup-python interpreter and forbid managed-Python + # downloads. The firewall is here to vet PyPI installs, not the + # interpreter/toolchain download path. + # + # pipefail keeps sfw's exit code through the tee so a firewall block + # still fails the job; tee captures the report for the artifact upload. + env: + UV_PYTHON: "3.12" + UV_PYTHON_DOWNLOADS: never + run: | + set -o pipefail + sfw uv sync --locked --extra test --extra dev 2>&1 | tee sfw-artifacts/sfw-uv-sync.log + + - name: Import smoke test + env: + UV_PYTHON: "3.12" + UV_PYTHON_DOWNLOADS: never + run: | + set -o pipefail + uv run python -c " + from socketsecurity.socketcli import cli, build_socket_sdk + from socketsecurity.core import Core + from socketsecurity.core.exceptions import ( + APIFailure, RequestTimeoutExceeded, APIResourceNotFound, + ) + from socketsecurity.core.git_interface import Git + from socketsecurity.config import CliConfig + print('import smoke OK') + " 2>&1 | tee sfw-artifacts/import-smoke.log + + - name: Collect SFW JSON report + # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP + # file) and reads it back in its post step to render the job summary, so + # COPY (don't move) the report into the bundle. sfw writes it even when + # it blocks an install -- always() keeps it on failures too. + if: always() + run: | + if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then + cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json" + echo "Collected SFW report -> sfw-artifacts/sfw-report.json" + else + echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-}'." \ + > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt" + fi + + - name: Upload SFW report artifact + if: always() + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: socket-firewall-enterprise-python-${{ github.event.pull_request.number }} + path: sfw-artifacts/ + if-no-files-found: warn + retention-days: 14 + + fixture-npm-sfw-smoke-free: + needs: inspect + if: | + needs.inspect.outputs.fixture_npm_changed == 'true' && + needs.inspect.outputs.sfw_mode == 'firewall-free' + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Prepare SFW artifact directory + run: | + mkdir -p sfw-artifacts + { + echo "mode=firewall-free" + echo "manifest=npm" + echo "pr=${{ github.event.pull_request.number }}" + echo "sha=${{ github.event.pull_request.head.sha }}" + } > sfw-artifacts/context.txt + + - uses: ./.github/actions/setup-sfw + with: + node: "true" + mode: firewall-free + + - name: Install fixture through Socket Firewall + working-directory: tests/e2e/fixtures/simple-npm + # Tee to an absolute path under the workspace so the log lands in the + # repo-root sfw-artifacts/ dir despite this step's working-directory. + run: | + set -o pipefail + sfw npm install --no-audit --no-fund --ignore-scripts 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-npm-install.log" + + - name: Collect SFW JSON report + # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP + # file) and reads it back in its post step to render the job summary, so + # COPY (don't move) the report into the bundle. sfw writes it even when + # it blocks an install -- always() keeps it on failures too. + if: always() + run: | + if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then + cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json" + echo "Collected SFW report -> sfw-artifacts/sfw-report.json" + else + echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-}'." \ + > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt" + fi + + - name: Upload SFW report artifact + if: always() + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: socket-firewall-free-npm-${{ github.event.pull_request.number }} + path: sfw-artifacts/ + if-no-files-found: warn + retention-days: 14 + + fixture-npm-sfw-smoke-enterprise: + needs: inspect + if: | + needs.inspect.outputs.fixture_npm_changed == 'true' && + needs.inspect.outputs.sfw_mode == 'firewall-enterprise' + runs-on: ubuntu-latest + timeout-minutes: 15 + environment: socket-firewall + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Prepare SFW artifact directory + run: | + mkdir -p sfw-artifacts + { + echo "mode=firewall-enterprise" + echo "manifest=npm" + echo "pr=${{ github.event.pull_request.number }}" + echo "sha=${{ github.event.pull_request.head.sha }}" + } > sfw-artifacts/context.txt + + - uses: ./.github/actions/setup-sfw + with: + node: "true" + mode: firewall-enterprise + socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }} + + - name: Install fixture through Socket Firewall + working-directory: tests/e2e/fixtures/simple-npm + # Tee to an absolute path under the workspace so the log lands in the + # repo-root sfw-artifacts/ dir despite this step's working-directory. + run: | + set -o pipefail + sfw npm install --no-audit --no-fund --ignore-scripts 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-npm-install.log" + + - name: Collect SFW JSON report + # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP + # file) and reads it back in its post step to render the job summary, so + # COPY (don't move) the report into the bundle. sfw writes it even when + # it blocks an install -- always() keeps it on failures too. + if: always() + run: | + if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then + cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json" + echo "Collected SFW report -> sfw-artifacts/sfw-report.json" + else + echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-}'." \ + > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt" + fi + + - name: Upload SFW report artifact + if: always() + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: socket-firewall-enterprise-npm-${{ github.event.pull_request.number }} + path: sfw-artifacts/ + if-no-files-found: warn + retention-days: 14 + + fixture-pypi-sfw-smoke-free: + needs: inspect + if: | + needs.inspect.outputs.fixture_pypi_changed == 'true' && + needs.inspect.outputs.sfw_mode == 'firewall-free' + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Prepare SFW artifact directory + run: | + mkdir -p sfw-artifacts + { + echo "mode=firewall-free" + echo "manifest=pypi" + echo "pr=${{ github.event.pull_request.number }}" + echo "sha=${{ github.event.pull_request.head.sha }}" + } > sfw-artifacts/context.txt + + - uses: ./.github/actions/setup-sfw + with: + python: "true" + mode: firewall-free + + - name: Install fixture through Socket Firewall + working-directory: tests/e2e/fixtures/simple-pypi + # Tee to an absolute path under the workspace so the log lands in the + # repo-root sfw-artifacts/ dir despite this step's working-directory. + run: | + set -o pipefail + python -m venv .venv + # shellcheck disable=SC1091 + source .venv/bin/activate + sfw pip install -r requirements.txt 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-pip-install.log" + + - name: Collect SFW JSON report + # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP + # file) and reads it back in its post step to render the job summary, so + # COPY (don't move) the report into the bundle. sfw writes it even when + # it blocks an install -- always() keeps it on failures too. + if: always() + run: | + if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then + cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json" + echo "Collected SFW report -> sfw-artifacts/sfw-report.json" + else + echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-}'." \ + > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt" + fi + + - name: Upload SFW report artifact + if: always() + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: socket-firewall-free-pypi-${{ github.event.pull_request.number }} + path: sfw-artifacts/ + if-no-files-found: warn + retention-days: 14 + + fixture-pypi-sfw-smoke-enterprise: + needs: inspect + if: | + needs.inspect.outputs.fixture_pypi_changed == 'true' && + needs.inspect.outputs.sfw_mode == 'firewall-enterprise' + runs-on: ubuntu-latest + timeout-minutes: 15 + environment: socket-firewall + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Prepare SFW artifact directory + run: | + mkdir -p sfw-artifacts + { + echo "mode=firewall-enterprise" + echo "manifest=pypi" + echo "pr=${{ github.event.pull_request.number }}" + echo "sha=${{ github.event.pull_request.head.sha }}" + } > sfw-artifacts/context.txt + + - uses: ./.github/actions/setup-sfw + with: + python: "true" + mode: firewall-enterprise + socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }} + + - name: Install fixture through Socket Firewall + working-directory: tests/e2e/fixtures/simple-pypi + # Tee to an absolute path under the workspace so the log lands in the + # repo-root sfw-artifacts/ dir despite this step's working-directory. + run: | + set -o pipefail + python -m venv .venv + # shellcheck disable=SC1091 + source .venv/bin/activate + sfw pip install -r requirements.txt 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-pip-install.log" + + - name: Collect SFW JSON report + # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP + # file) and reads it back in its post step to render the job summary, so + # COPY (don't move) the report into the bundle. sfw writes it even when + # it blocks an install -- always() keeps it on failures too. + if: always() + run: | + if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then + cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json" + echo "Collected SFW report -> sfw-artifacts/sfw-report.json" + else + echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-}'." \ + > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt" + fi + + - name: Upload SFW report artifact + if: always() + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: socket-firewall-enterprise-pypi-${{ github.event.pull_request.number }} + path: sfw-artifacts/ + if-no-files-found: warn + retention-days: 14 + + dockerfile-smoke: + needs: inspect + if: needs.inspect.outputs.dockerfile_changed == 'true' + runs-on: ubuntu-latest + timeout-minutes: 20 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + + - name: Build the Dockerfile (no push) + run: docker build --pull -t socket-python-cli:dependabot-smoke . + + workflow-notice: + needs: inspect + if: needs.inspect.outputs.workflow_or_action_changed == 'true' + runs-on: ubuntu-latest + timeout-minutes: 2 + steps: + - name: Flag workflow-sensitive updates + run: | + { + echo "## Sensitive File Notice" + echo "This PR changes workflow, composite-action, or dependabot config files." + echo "Require explicit human review before merge." + } >> "$GITHUB_STEP_SUMMARY" + + # Single required status check that aggregates the conditional smoke jobs + # above. Branch protection can't require those jobs individually: each is + # conditional (per-manifest, and Firewall-free vs -enterprise per author), so + # on any given PR most are legitimately skipped -- and a required check whose + # job is skipped sits at "Expected -- Waiting for status to be reported" + # forever, blocking merge (the same trap that stranded Dependabot PRs on the + # e2e-* checks). + # + # This gate always runs (if: always(), so it reports even when upstream jobs + # are skipped or fail) and collapses them into one pass/fail signal: it FAILS + # if any smoke job that ran ended in failure or was cancelled, and passes when + # everything either succeeded or was not applicable. 'skipped' is expected and + # allowed -- it just means the job didn't apply to this PR. + # + # Mark THIS check (dependency-review-gate) required in branch protection. It + # satisfies Dependabot/fork PRs (which run the Firewall-free job) and + # maintainer PRs (which run Firewall-enterprise) alike, and -- crucially -- a + # Socket Firewall BLOCK now fails the gate and blocks merge, instead of living + # in a non-required enterprise job that nobody is forced to run. + dependency-review-gate: + needs: + - inspect + - python-sfw-smoke-free + - python-sfw-smoke-enterprise + - fixture-npm-sfw-smoke-free + - fixture-npm-sfw-smoke-enterprise + - fixture-pypi-sfw-smoke-free + - fixture-pypi-sfw-smoke-enterprise + - dockerfile-smoke + if: always() + runs-on: ubuntu-latest + timeout-minutes: 2 + steps: + - name: Verify no smoke job failed + env: + RESULTS: ${{ toJSON(needs) }} + run: | + echo "Upstream job results:" + printf '%s\n' "$RESULTS" | python3 -m json.tool + + # Fail the gate if any needed job ended in failure or was cancelled. + # 'success' and 'skipped' both pass: skipped means the job did not + # apply to this PR (wrong manifest, or free-vs-enterprise mismatch). + failed="$(printf '%s\n' "$RESULTS" | python3 -c " + import json, sys + data = json.load(sys.stdin) + bad = [name for name, info in data.items() + if info.get('result') in ('failure', 'cancelled')] + print(' '.join(sorted(bad))) + ")" + + if [ -n "$failed" ]; then + echo "::error::dependency-review smoke job(s) failed: $failed" + { + echo "## Dependency Review Gate: FAILED" + echo "The following smoke job(s) failed or were cancelled: \`$failed\`" + echo "If a Socket Firewall job is listed, it likely BLOCKED an install --" + echo "inspect its uploaded sfw-artifacts/ report before merging." + } >> "$GITHUB_STEP_SUMMARY" + exit 1 + fi + + echo "All dependency-review smoke jobs passed or were not applicable." + echo "## Dependency Review Gate: PASSED" >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml index 2a4c92d..934e0d9 100644 --- a/.github/workflows/docker-stable.yml +++ b/.github/workflows/docker-stable.yml @@ -6,39 +6,42 @@ on: description: 'Version to mark as stable (e.g., 1.2.3)' required: true +permissions: + contents: read + jobs: stable: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Check if version exists in PyPI id: version_check + env: + INPUT_VERSION: ${{ inputs.version }} run: | - if ! curl -s -f https://pypi.org/pypi/socketsecurity/${{ inputs.version }}/json > /dev/null; then - echo "Error: Version ${{ inputs.version }} not found on PyPI" + if ! curl -s -f "https://pypi.org/pypi/socketsecurity/${INPUT_VERSION}/json" > /dev/null; then + echo "Error: Version ${INPUT_VERSION} not found on PyPI" exit 1 fi - echo "Version ${{ inputs.version }} found on PyPI - proceeding with release" - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release" - - name: Login to Docker Hub with Organization Token - uses: docker/login-action@v3 + - name: Set up Docker publishing + uses: ./.github/actions/setup-docker with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Stable Docker - uses: docker/build-push-action@v5 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: push: true platforms: linux/amd64,linux/arm64 + cache-from: type=gha + cache-to: type=gha,mode=max tags: socketdev/cli:stable build-args: | CLI_VERSION=${{ inputs.version }} - \ No newline at end of file + diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 6e0e66f..1dab8a8 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -1,103 +1,86 @@ -name: E2E Test +name: E2E Tests on: push: branches: [main] pull_request: + workflow_dispatch: -jobs: - e2e-scan: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - with: - fetch-depth: 0 - - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 - with: - python-version: '3.12' - - - name: Install CLI from local repo - run: | - python -m pip install --upgrade pip - pip install . - - - name: Run Socket CLI scan - env: - SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} - run: | - set -o pipefail - socketcli \ - --target-path tests/e2e/fixtures/simple-npm \ - --disable-blocking \ - --enable-debug \ - 2>&1 | tee /tmp/scan-output.log - - - name: Verify scan produced a report - run: | - if grep -q "Full scan report URL: https://socket.dev/" /tmp/scan-output.log; then - echo "PASS: Full scan report URL found" - grep "Full scan report URL:" /tmp/scan-output.log - elif grep -q "Diff Url: https://socket.dev/" /tmp/scan-output.log; then - echo "PASS: Diff URL found" - grep "Diff Url:" /tmp/scan-output.log - else - echo "FAIL: No report URL found in scan output" - cat /tmp/scan-output.log - exit 1 - fi - - e2e-sarif: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - with: - fetch-depth: 0 +permissions: + contents: read - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 - with: - python-version: '3.12' - - - name: Install CLI from local repo - run: | - python -m pip install --upgrade pip - pip install . - - - name: Run Socket CLI scan with --sarif-file - env: - SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} - run: | - set -o pipefail - socketcli \ - --target-path tests/e2e/fixtures/simple-npm \ - --sarif-file /tmp/results.sarif \ - --disable-blocking \ - 2>&1 | tee /tmp/sarif-output.log - - - name: Verify SARIF file is valid - run: | - python3 -c " - import json, sys - with open('/tmp/results.sarif') as f: - data = json.load(f) - assert data['version'] == '2.1.0', f'Invalid version: {data[\"version\"]}' - assert '\$schema' in data, 'Missing \$schema' - count = len(data['runs'][0]['results']) - print(f'PASS: Valid SARIF 2.1.0 with {count} result(s)') - " - - e2e-reachability: +jobs: + e2e: + # Skip e2e on: + # - PRs from forks (no secrets) + # - Dependabot PRs (no secrets, and dependency-bump risk is already + # covered by dependency-review.yml's Socket Firewall smoke jobs) + if: >- + (github.event_name != 'pull_request' || + github.event.pull_request.head.repo.full_name == github.repository) && + github.event.pull_request.user.login != 'dependabot[bot]' runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - name: scan + args: >- + --target-path tests/e2e/fixtures/simple-npm + --disable-blocking + --enable-debug + validate: tests/e2e/validate-scan.sh + + - name: sarif + args: >- + --target-path tests/e2e/fixtures/simple-npm + --sarif-file /tmp/results.sarif + --disable-blocking + validate: tests/e2e/validate-sarif.sh + + - name: reachability + args: >- + --target-path tests/e2e/fixtures/simple-npm + --reach + --disable-blocking + --enable-debug + validate: tests/e2e/validate-reachability.sh + setup-node: "true" + + - name: gitlab + args: >- + --target-path tests/e2e/fixtures/simple-npm + --enable-gitlab-security + --disable-blocking + validate: tests/e2e/validate-gitlab.sh + + - name: json + args: >- + --target-path tests/e2e/fixtures/simple-npm + --enable-json + --disable-blocking + validate: tests/e2e/validate-json.sh + + - name: pypi + args: >- + --target-path tests/e2e/fixtures/simple-pypi + --disable-blocking + --enable-debug + validate: tests/e2e/validate-scan.sh + + name: e2e-${{ matrix.name }} steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' - - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + if: matrix.setup-node == 'true' with: node-version: '20' @@ -107,85 +90,48 @@ jobs: pip install . - name: Install uv + if: matrix.setup-node == 'true' run: pip install uv - - name: Run Socket CLI with reachability + - name: Run Socket CLI env: SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} run: | set -o pipefail - socketcli \ - --target-path tests/e2e/fixtures/simple-npm \ - --reach \ - --disable-blocking \ - --enable-debug \ - 2>&1 | tee /tmp/reach-output.log - - - name: Verify reachability analysis completed - run: | - if grep -q "Reachability analysis completed successfully" /tmp/reach-output.log; then - echo "PASS: Reachability analysis completed" - grep "Reachability analysis completed successfully" /tmp/reach-output.log - grep "Results written to:" /tmp/reach-output.log || true - else - echo "FAIL: Reachability analysis did not complete successfully" - cat /tmp/reach-output.log - exit 1 - fi - - - name: Verify scan produced a report - run: | - if grep -q "Full scan report URL: https://socket.dev/" /tmp/reach-output.log; then - echo "PASS: Full scan report URL found" - grep "Full scan report URL:" /tmp/reach-output.log - elif grep -q "Diff Url: https://socket.dev/" /tmp/reach-output.log; then - echo "PASS: Diff URL found" - grep "Diff Url:" /tmp/reach-output.log - else - echo "FAIL: No report URL found in scan output" - cat /tmp/reach-output.log - exit 1 - fi - - - name: Run scan with --sarif-file (all results) - env: - SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} - run: | - socketcli \ - --target-path tests/e2e/fixtures/simple-npm \ - --reach \ - --sarif-file /tmp/sarif-all.sarif \ - --sarif-scope full \ - --sarif-reachability all \ - --disable-blocking \ - 2>/dev/null - - - name: Run scan with --sarif-file --sarif-reachability reachable (filtered results) + socketcli ${{ matrix.args }} 2>&1 | tee /tmp/e2e-output.log + + - name: Validate results env: SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }} + run: bash ${{ matrix.validate }} + + # Branch protection requires the e2e-* checks, but the `e2e` job above is + # skipped on PRs that can't access repository secrets -- fork PRs and + # Dependabot PRs. A job skipped via a job-level `if` never expands its + # matrix, so the e2e-* check contexts are never created and the required + # checks sit at "Expected -- Waiting for status to be reported" forever, + # permanently blocking merge. + # + # This bypass reports a green status under the SAME e2e-* check names for + # exactly those PRs, satisfying branch protection without running the real + # tests (which need SOCKET_CLI_API_TOKEN). Its `if` is the precise negation + # of the e2e job's run condition, so the two are mutually exclusive: any + # given PR runs one or the other, never both, and never neither. + # + # Dependency-bump risk on these PRs is still covered by dependency-review.yml's + # Socket Firewall smoke jobs, which run without repository secrets. + e2e-bypass: + if: >- + github.event_name == 'pull_request' && + (github.event.pull_request.head.repo.full_name != github.repository || + github.event.pull_request.user.login == 'dependabot[bot]') + runs-on: ubuntu-latest + strategy: + matrix: + name: [scan, sarif, reachability, gitlab, json, pypi] + name: e2e-${{ matrix.name }} + steps: + - name: Report skip status run: | - socketcli \ - --target-path tests/e2e/fixtures/simple-npm \ - --reach \ - --sarif-file /tmp/sarif-reachable.sarif \ - --sarif-scope full \ - --sarif-reachability reachable \ - --disable-blocking \ - 2>/dev/null - - - name: Verify reachable-only results are a subset of all results - run: | - test -f /tmp/sarif-all.sarif - test -f /tmp/sarif-reachable.sarif - python3 -c " - import json - with open('/tmp/sarif-all.sarif') as f: - all_data = json.load(f) - with open('/tmp/sarif-reachable.sarif') as f: - reach_data = json.load(f) - all_count = len(all_data['runs'][0]['results']) - reach_count = len(reach_data['runs'][0]['results']) - print(f'All results: {all_count}, Reachable-only results: {reach_count}') - assert reach_count <= all_count, f'FAIL: reachable ({reach_count}) > all ({all_count})' - print('PASS: Reachable-only results is a subset of all results') - " + echo "Skipping e2e-${{ matrix.name }} for a PR without repository secrets" + echo "(fork or Dependabot). Dependency risk is covered by dependency-review.yml." diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index 28c7870..eb29ef9 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -3,27 +3,37 @@ on: pull_request: types: [opened, synchronize, ready_for_review] +# Cancel an in-flight preview when the PR is pushed again -- previews are slow +# (publish + multi-step Docker build), so superseded runs shouldn't keep going. +concurrency: + group: pr-preview-${{ github.event.pull_request.number }} + cancel-in-progress: true + jobs: preview: + # Skip on: + # - PRs from forks (no access to publish secrets) + # - Dependabot PRs: preview-publishing a dependency bump to Test PyPI / + # Docker Hub is pointless and fails (no version bump, secret access). + if: >- + github.event.pull_request.head.repo.full_name == github.repository && + github.event.pull_request.user.login != 'dependabot[bot]' runs-on: ubuntu-latest permissions: id-token: write contents: read pull-requests: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + persist-credentials: false + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - # Install all dependencies from pyproject.toml - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install "virtualenv<20.36" - pip install hatchling==1.27.0 hatch==1.14.0 + - name: Install build tooling + uses: ./.github/actions/setup-hatch - name: Inject full dynamic version run: python .hooks/sync_version.py --dev @@ -55,14 +65,14 @@ jobs: - name: Publish to Test PyPI if: steps.version_check.outputs.exists != 'true' - uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: repository-url: https://test.pypi.org/legacy/ verbose: true - name: Comment on PR if: steps.version_check.outputs.exists != 'true' - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: VERSION: ${{ env.VERSION }} with: @@ -131,27 +141,26 @@ jobs: echo "success=false" >> $GITHUB_OUTPUT exit 1 - - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 - - - name: Login to Docker Hub with Organization Token + - name: Set up Docker publishing if: steps.verify_package.outputs.success == 'true' - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + uses: ./.github/actions/setup-docker with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Docker Preview if: steps.verify_package.outputs.success == 'true' - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 env: VERSION: ${{ env.VERSION }} with: push: true - platforms: linux/amd64,linux/arm64 + # Preview images are for quick testing -- build amd64 only. arm64 via + # QEMU emulation is the slowest part of the job; release builds keep + # multi-arch. GHA layer cache speeds up repeated preview builds. + platforms: linux/amd64 + cache-from: type=gha + cache-to: type=gha,mode=max tags: | socketdev/cli:pr-${{ github.event.pull_request.number }} build-args: | diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml index 3403b73..3247275 100644 --- a/.github/workflows/python-tests.yml +++ b/.github/workflows/python-tests.yml @@ -35,12 +35,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false - name: ๐Ÿ setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: ๐Ÿ› ๏ธ install deps @@ -48,5 +48,41 @@ jobs: python -m pip install --upgrade pip pip install uv uv sync --extra test + - name: ๐Ÿ”’ verify uv.lock is in sync with pyproject.toml + run: uv lock --locked - name: ๐Ÿงช run tests run: uv run pytest -q tests/unit/ tests/core/ + - name: ๐Ÿ’จ import smoke (catches API-removal breaks from upgraded deps) + run: | + uv run python -c " + from socketsecurity.socketcli import cli + from socketsecurity.core import Core + from socketsecurity.core.exceptions import APIFailure, APIResourceNotFound + from socketsecurity.core.git_interface import Git + from socketsecurity.config import CliConfig + print('import smoke OK') + " + - name: ๐Ÿ›ก๏ธ pip-audit (known CVEs in the locked deps) + run: | + uv export --no-hashes --no-emit-project --format requirements-txt > /tmp/req-audit.txt + uvx pip-audit --strict --progress-spinner off --disable-pip --no-deps -r /tmp/req-audit.txt + + unsupported-python-install: + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 1 + persist-credentials: false + - name: ๐Ÿ setup python + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.10" + - name: ๐Ÿšซ verify install is rejected on unsupported python + run: | + python -m pip install --upgrade pip + if pip install .; then + echo "Expected pip install . to fail on Python 3.10" + exit 1 + fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 99372b6..6c41e9c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,27 +10,26 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + persist-credentials: false + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - # Install all dependencies from pyproject.toml - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install "virtualenv<20.36" - pip install hatchling==1.27.0 hatch==1.14.0 - + - name: Install build tooling + uses: ./.github/actions/setup-hatch + - name: Get Version id: version + env: + REF_NAME: ${{ github.ref_name }} run: | RAW_VERSION=$(hatch version) echo "VERSION=$RAW_VERSION" >> $GITHUB_ENV - if [ "v$RAW_VERSION" != "${{ github.ref_name }}" ]; then - echo "Error: Git tag (${{ github.ref_name }}) does not match hatch version (v$RAW_VERSION)" + if [ "v$RAW_VERSION" != "$REF_NAME" ]; then + echo "Error: Git tag ($REF_NAME) does not match hatch version (v$RAW_VERSION)" exit 1 fi @@ -52,7 +51,7 @@ jobs: env: VERSION: ${{ env.VERSION }} run: | - if curl -s -f "https://hub.docker.com/v2/repositories/socketdev/cli/tags/${{ env.VERSION }}" > /dev/null; then + if curl -s -f "https://hub.docker.com/v2/repositories/socketdev/cli/tags/${VERSION}" > /dev/null; then echo "Docker image socketdev/cli:${VERSION} already exists" echo "docker_exists=true" >> $GITHUB_OUTPUT else @@ -67,19 +66,13 @@ jobs: - name: Publish to PyPI if: steps.version_check.outputs.pypi_exists != 'true' - uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d - - - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 - - name: Login to Docker Hub with Organization Token - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + - name: Set up Docker publishing + uses: ./.github/actions/setup-docker with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Verify package is installable id: verify_package @@ -103,14 +96,16 @@ jobs: if: | steps.verify_package.outputs.success == 'true' && steps.docker_check.outputs.docker_exists != 'true' - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 env: VERSION: ${{ env.VERSION }} with: push: true platforms: linux/amd64,linux/arm64 + cache-from: type=gha + cache-to: type=gha,mode=max tags: | socketdev/cli:latest socketdev/cli:${{ env.VERSION }} build-args: | - CLI_VERSION=${{ env.VERSION }} \ No newline at end of file + CLI_VERSION=${{ env.VERSION }} diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index f2d63e4..a097208 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -4,16 +4,26 @@ on: types: [opened, synchronize, ready_for_review] paths: - 'socketsecurity/**' - - 'setup.py' - 'pyproject.toml' + - 'uv.lock' + +permissions: + contents: read + pull-requests: write + issues: write jobs: check_version: + # Skip on Dependabot PRs: they bump dependencies (touching uv.lock / + # pyproject.toml) without bumping the app version, so the increment check + # would always fail. App-version bumps come from maintainer PRs. + if: github.event.pull_request.user.login != 'dependabot[bot]' runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Fetch all history for all branches + persist-credentials: false - name: Check version increment id: version_check @@ -29,20 +39,59 @@ jobs: MAIN_VERSION=$(git show origin/main:socketsecurity/__init__.py | grep -o "__version__.*" | awk '{print $3}' | tr -d "'") echo "MAIN_VERSION=$MAIN_VERSION" >> $GITHUB_ENV - # Compare versions using Python - python3 -c " + export PR_VERSION + export MAIN_VERSION + + # Compare against both main and latest published PyPI release. + python3 <<'PY' + import json + import os + import urllib.request from packaging import version - pr_ver = version.parse('${PR_VERSION}') - main_ver = version.parse('${MAIN_VERSION}') - if pr_ver <= main_ver: - print(f'โŒ Version must be incremented! Main: {main_ver}, PR: {pr_ver}') - exit(1) - print(f'โœ… Version properly incremented from {main_ver} to {pr_ver}') - " + + pr_ver = version.parse(os.environ["PR_VERSION"]) + main_ver = version.parse(os.environ["MAIN_VERSION"]) + + with urllib.request.urlopen("https://pypi.org/pypi/socketsecurity/json") as response: + pypi_data = json.load(response) + + published_versions = [] + for raw in pypi_data.get("releases", {}).keys(): + parsed = version.parse(raw) + if not parsed.is_prerelease and not parsed.is_devrelease: + published_versions.append(parsed) + + pypi_ver = max(published_versions) if published_versions else version.parse("0.0.0") + required_floor = max(main_ver, pypi_ver) + + if pr_ver <= required_floor: + print( + f"โŒ Version must be greater than main and PyPI! " + f"Main: {main_ver}, PyPI: {pypi_ver}, PR: {pr_ver}" + ) + raise SystemExit(1) + + print( + f"โœ… Version properly incremented. " + f"Main: {main_ver}, PyPI: {pypi_ver}, PR: {pr_ver}" + ) + PY + + - name: Require uv.lock update when pyproject changes + run: | + CHANGED_FILES="$(git diff --name-only origin/main...HEAD)" + + if echo "$CHANGED_FILES" | grep -qx 'pyproject.toml'; then + if ! echo "$CHANGED_FILES" | grep -qx 'uv.lock'; then + echo "โŒ pyproject.toml changed, but uv.lock was not updated." + echo "Run 'uv lock' and commit uv.lock with the version bump." + exit 1 + fi + fi - name: Manage PR Comment - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea - if: always() + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + if: always() && github.event.pull_request.head.repo.full_name == github.repository env: MAIN_VERSION: ${{ env.MAIN_VERSION }} PR_VERSION: ${{ env.PR_VERSION }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..39d1b18 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + secrets-outside-env: + disable: true diff --git a/.gitignore b/.gitignore index e01bafe..10615ef 100644 --- a/.gitignore +++ b/.gitignore @@ -1,32 +1,58 @@ -.idea -venv -.venv -.venv-test -build -dist +# --- Python bytecode / cache --- +*.pyc +__pycache__/ +.coverage +.coverage.* +coverage.xml +htmlcov/ +.pytest_cache/ + +# --- Virtual environments --- +venv/ +.venv/ +.venv-test/ +Pipfile + +# --- Build / packaging --- *.build *.dist -*.egg-info -*.env -run_container.sh +*.egg-info/ +bin/ +build/ +dist/ *.zip -bin -scripts/*.py + +# --- Editor / IDE --- +.idea/ +*.swp +*.swo + +# --- OS --- +.DS_Store + +# --- Logs --- +logs/ + +# --- Env files --- +*.env +.env.local + +# --- Generated output --- *.json -*.sarif !tests/**/*.json !examples/config/*.json +*.sarif markdown_overview_temp.md markdown_security_temp.md -.DS_Store -*.pyc -test.py -*.cpython-312.pyc` + +# --- Project-specific scratch --- +ai_testing/ file_generator.py -.coverage -.env.local -Pipfile +run_container.sh +scripts/*.py test/ -logs -ai_testing/ +test.py verify_find_files_lazy_loading.py + +# --- Conductor workspace --- +.context/ diff --git a/.hooks/sync_version.py b/.hooks/sync_version.py index f26dd76..57b29d3 100644 --- a/.hooks/sync_version.py +++ b/.hooks/sync_version.py @@ -8,10 +8,13 @@ INIT_FILE = pathlib.Path("socketsecurity/__init__.py") PYPROJECT_FILE = pathlib.Path("pyproject.toml") +UV_LOCK_FILE = pathlib.Path("uv.lock") VERSION_PATTERN = re.compile(r"__version__\s*=\s*['\"]([^'\"]+)['\"]") PYPROJECT_PATTERN = re.compile(r'^version\s*=\s*".*"$', re.MULTILINE) -PYPI_API = "https://test.pypi.org/pypi/socketsecurity/json" +STABLE_VERSION_PATTERN = re.compile(r"^\d+\.\d+\.\d+$") +PYPI_PROD_API = "https://pypi.org/pypi/socketsecurity/json" +PYPI_TEST_API = "https://test.pypi.org/pypi/socketsecurity/json" def read_version_from_init(path: pathlib.Path) -> str: content = path.read_text() @@ -38,17 +41,39 @@ def bump_patch_version(version: str) -> str: parts[-1] = str(int(parts[-1]) + 1) return ".".join(parts) -def fetch_existing_versions() -> set: +def parse_stable_version(version: str): + if not STABLE_VERSION_PATTERN.fullmatch(version): + return None + return tuple(int(part) for part in version.split(".")) + + +def format_stable_version(version_parts) -> str: + return ".".join(str(part) for part in version_parts) + + +def fetch_existing_versions(api_url: str) -> set: try: - with urllib.request.urlopen(PYPI_API) as response: + with urllib.request.urlopen(api_url) as response: data = json.load(response) return set(data.get("releases", {}).keys()) except Exception as e: - print(f"โš ๏ธ Warning: Failed to fetch existing versions from Test PyPI: {e}") + print(f"โš ๏ธ Warning: Failed to fetch versions from {api_url}: {e}") return set() + +def fetch_latest_stable_pypi_version(): + versions = fetch_existing_versions(PYPI_PROD_API) + stable_versions = [] + for ver in versions: + parsed = parse_stable_version(ver) + if parsed is not None: + stable_versions.append(parsed) + if not stable_versions: + return None + return max(stable_versions) + def find_next_available_dev_version(base_version: str) -> str: - existing_versions = fetch_existing_versions() + existing_versions = fetch_existing_versions(PYPI_TEST_API) for i in range(1, 100): candidate = f"{base_version}.dev{i}" if candidate not in existing_versions: @@ -56,6 +81,19 @@ def find_next_available_dev_version(base_version: str) -> str: print("โŒ Could not find available .devN slot after 100 attempts.") sys.exit(1) + +def find_next_stable_patch_version(current_version: str) -> str: + current_stable = current_version.split(".dev")[0] if ".dev" in current_version else current_version + current_parts = parse_stable_version(current_stable) + if current_parts is None: + print(f"โŒ Unsupported version format for stable bump: {current_version}") + sys.exit(1) + + latest_pypi_parts = fetch_latest_stable_pypi_version() + base_parts = max([current_parts, latest_pypi_parts] if latest_pypi_parts else [current_parts]) + next_parts = (base_parts[0], base_parts[1], base_parts[2] + 1) + return format_stable_version(next_parts) + def inject_version(version: str): print(f"๐Ÿ” Updating version to: {version}") @@ -72,6 +110,21 @@ def inject_version(version: str): new_pyproject = re.sub(r"(\[project\])", rf"\1\nversion = \"{version}\"", pyproject) PYPROJECT_FILE.write_text(new_pyproject) + +def run_uv_lock() -> bool: + before = UV_LOCK_FILE.read_bytes() if UV_LOCK_FILE.exists() else b"" + try: + subprocess.run(["uv", "lock"], check=True, text=True) + except FileNotFoundError: + print("โŒ `uv` is required but was not found in PATH.") + sys.exit(1) + except subprocess.CalledProcessError: + print("โŒ `uv lock` failed. Please run it manually and fix any errors.") + sys.exit(1) + + after = UV_LOCK_FILE.read_bytes() if UV_LOCK_FILE.exists() else b"" + return before != after + def main(): dev_mode = "--dev" in sys.argv current_version = read_version_from_init(INIT_FILE) @@ -84,15 +137,36 @@ def main(): base_version = current_version.split(".dev")[0] if ".dev" in current_version else current_version new_version = find_next_available_dev_version(base_version) inject_version(new_version) - print("โš ๏ธ Version was unchanged โ€” auto-bumped. Please git add + commit again.") + uv_lock_changed = run_uv_lock() + lock_hint = " and uv.lock" if uv_lock_changed else "" + print(f"โš ๏ธ Version was unchanged โ€” auto-bumped. Please git add{lock_hint} + commit again.") sys.exit(0) else: - new_version = bump_patch_version(current_version) + new_version = find_next_stable_patch_version(current_version) inject_version(new_version) - print("โš ๏ธ Version was unchanged โ€” auto-bumped. Please git add + commit again.") + uv_lock_changed = run_uv_lock() + lock_hint = " and uv.lock" if uv_lock_changed else "" + print(f"โš ๏ธ Version was unchanged โ€” auto-bumped to {new_version}. Please git add{lock_hint} + commit again.") sys.exit(1) else: - print("โœ… Version already bumped โ€” proceeding.") + if not dev_mode: + current_parts = parse_stable_version(current_version) + latest_pypi_parts = fetch_latest_stable_pypi_version() + if current_parts is not None and latest_pypi_parts is not None and current_parts <= latest_pypi_parts: + next_parts = (latest_pypi_parts[0], latest_pypi_parts[1], latest_pypi_parts[2] + 1) + new_version = format_stable_version(next_parts) + inject_version(new_version) + uv_lock_changed = run_uv_lock() + lock_hint = " and uv.lock" if uv_lock_changed else "" + print(f"โš ๏ธ Version {current_version} is already published on PyPI โ€” auto-bumped to {new_version}. Please git add{lock_hint} + commit again.") + sys.exit(1) + + uv_lock_changed = run_uv_lock() + if uv_lock_changed: + print("โš ๏ธ Version already bumped, but uv.lock was out of date and has been updated. Please git add uv.lock + commit again.") + sys.exit(1) + + print("โœ… Version already bumped and uv.lock is up to date โ€” proceeding.") sys.exit(0) if __name__ == "__main__": diff --git a/CHANGELOG.md b/CHANGELOG.md index 683e0ad..b2f759c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,250 @@ # Changelog +## 2.4.6 + +### Docs: reachability reference corrections + +- Documented the `uv` and Enterprise-plan prerequisites the CLI enforces **before** running + reachability (exit code 3 if unmet), and clarified that per-ecosystem build toolchains + (JDK / .NET / Go / a compatible Python interpreter) are checked by the analysis engine at + runtime, not pre-checked by the CLI. +- Corrected the `--reach-min-severity` values to `info, low, moderate, high, critical`. +- Documented the previously-undocumented reachability flags: `--reach-enable-analysis-splitting`, + `--reach-detailed-analysis-log-file`, `--reach-lazy-mode`, and `--reach-use-only-pregenerated-sboms`. +- Clarified that `--only-facts-file` submits only the facts file when **creating** the full scan + (it does not require a pre-existing scan). +- Documentation-only; no functional code changes. + +## 2.4.5 + +### Changed: Bump required SDK version to `>=3.2.1` + +- Picks up `socketdev 3.2.1`. +- No CLI logic changes. + +## 2.4.4 + +### Changed: Bump required SDK version to `>=3.2.0` + +- Picks up `socketdev 3.2.0`, which adds `OTHER = "other"` to `SocketCategory` + so the backend's `other` alert category no longer trips the + "Unknown SocketCategory" warning fallback (SDK PR #85). +- No CLI logic changes. + +## 2.4.3 + +### Added: unified `--exclude-paths` for manifest discovery and reachability + +- New `--exclude-paths` flag (comma-separated globs) that excludes matching paths from + BOTH SCA manifest discovery and reachability analysis. Patterns are scan-root-relative + anchored globs (`*` does not cross `/`, `**` does), matching the Node CLI's behavior. +- Pattern validation rejects unsupported forms (negation, absolute paths, `..` traversal, + and match-everything patterns). Patterns may be supplied on the CLI as a comma-separated + string or via a `--config` file list. +- `--reach-exclude-paths` is now deprecated in favor of `--exclude-paths`. It still works + (and is unioned into the Coana `--exclude-dirs` argument) but is marked deprecated in + `--help` and warns at runtime. + +## 2.4.2 + +### Added: reachability flag and Coana environment alignment with the Node CLI + +- New `--reach-disable-external-tool-checks` flag (passes `--disable-external-tool-checks` + to the Coana CLI). +- New `--reach-debug` flag to enable Coana debug output (`--debug`) independently of the + global `--enable-debug`. +- Node-style `--reach-analysis-timeout` and `--reach-analysis-memory-limit` are now the + primary flag names; the previous `--reach-timeout` / `--reach-memory-limit` continue to + work as hidden aliases. +- The Coana subprocess now receives `SOCKET_CLI_VERSION` and `SOCKET_CALLER_USER_AGENT` so + calls are attributed to the Python CLI. Proxies continue to work via the inherited + `HTTPS_PROXY` / `HTTP_PROXY` environment variables, which Coana reads itself. +- `SOCKET_REPO_NAME` / `SOCKET_BRANCH_NAME` are no longer forwarded to Coana when the repo + and branch are the default sentinels, avoiding cross-run reachability cache-bucket + collisions. +- Tier 1 reachability finalize now retries with exponential backoff instead of giving up on + the first transient error. + +## 2.4.1 + +### Added: pyenv in the Docker image + +- The `socketdev/cli` Docker image now bundles [pyenv](https://github.com/pyenv/pyenv) + (pinned to `v2.7.1`) along with the Alpine build dependencies needed to compile + CPython from source, so the image can build/install arbitrary Python versions on + demand. +- The CLI itself is unchanged โ€” this release only affects the published Docker image. + +## 2.4.0 + +### Changed: license details are no longer requested on the full-scan diff + +- Full-scan diff requests now always set `include_license_details=false`, keeping + large diff responses smaller and avoiding truncation crashes on large repos. +- Soft breaking change for flag-scripted use: `--exclude-license-details` still + controls the dashboard report URL, but no longer affects the internal diff + request. Its `--help` text has been updated to reflect the narrower scope. +- License artifact output is unchanged: `--generate-license` continues to fetch + license details from the dedicated PURL endpoint. +- Requires `socketdev>=3.1.2`. + +## 2.3.1 + +### New: brotli-compressed `.socket.facts.json` upload + +The reachability facts file (`.socket.facts.json`) is now brotli-compressed before it is +uploaded as part of a full scan. The Socket API transparently decompresses any multipart +part named exactly `.socket.facts.json.br` and stores it as plain `.socket.facts.json`, so +the stored result is unchanged โ€” but the on-the-wire payload shrinks dramatically (a +~262 MB facts file compresses to roughly 15โ€“30 MB). + +This fixes large tierโ€‘1 reachability scans that previously failed when the uncompressed +facts file exceeded the API's perโ€‘file upload size cap (surfaced to the CLI as an HTTP +4xx/โ€œ502โ€, leaving the scan stuck with no report). + +Details: + +- Compression happens at the upload boundary (`Core.create_full_scan`); the file on disk is + left untouched, so local consumers (SARIF/JSON output, tierโ€‘1 finalize, alert selection) + continue to read the plain `.socket.facts.json`. +- Only a file whose basename is exactly `.socket.facts.json` is compressed (the API matches + that exact name). A custom `--reach-output-file` name is uploaded uncompressed, as before. +- Empty baseline-scan placeholder files are not compressed. +- Compression never blocks an upload: if it fails for any reason it falls back to uploading + the plain file, and a partially-written `.socket.facts.json.br` is removed rather than + left behind in the target directory. +- Adds a `brotli` (CPython) / `brotlicffi` (PyPy) dependency. + +## 2.3.0 + +### New: `--exit-code-on-api-error` + +- Added `--exit-code-on-api-error` so CI can distinguish API / infrastructure + failures from blocking security findings. The default remains `3`; the flag + only changes behavior when set explicitly. +- `--disable-blocking` still takes precedence and exits `0` for all outcomes. + +### New: commit message auto-truncation + +- `--commit-message` values longer than 200 characters are now truncated before + being sent to the API, preventing HTTP 413 errors from oversized query + parameters. + +### Improved: Buildkite log formatting + +- Infrastructure errors now emit Buildkite log section markers when + `BUILDKITE=true`, making those failures easier to find in Buildkite logs. + +### Fixed + +- `--timeout` is now honored end-to-end: it was only applied to the local + `CliClient`, but the full-scan diff comparison uses the Socket SDK instance, + which was constructed without the CLI timeout and defaulted to 1200s. +- `--exclude-license-details` now propagates to the full-scan diff comparison + request (it was only applied to full-scan params / report URLs before). + +## 2.2.93 + +- Bundled twelve Dependabot dependency updates: `urllib3`, `gitpython`, `python-dotenv`, `pytest`, `uv`, `cryptography`, `pygments`, `requests`, and `idna` (main app), plus `axios`, `requests`, and `flask` (e2e fixtures). `idna` 3.11 โ†’ 3.15 includes the fix for CVE-2026-45409. +- Added `.github/dependabot.yml` with grouped weekly updates, a 7-day cooldown, and e2e fixtures excluded. +- Added a `dependabot-review` workflow that runs Socket Firewall (`sfw`) install checks on Dependabot PRs with no API token required. +- Added a `uv.lock` drift check, an import smoke test, and `pip-audit` to the test workflow; skipped e2e tests on Dependabot PRs. +- Tidied `.gitignore` and backfilled missing CHANGELOG entries for `2.2.81`, `2.2.85`, `2.2.86`, `2.2.88`, `2.2.89`, `2.2.91`, and `2.2.92`. + +## 2.2.92 + +- Fixed dependency-overview rendering for unmapped alert types: alert types the SDK + has no metadata for now fall back to a humanized Title-Cased label (e.g. + `gptDidYouMean` -> "Possible typosquat attack (GPT)", `SQLInjection` -> "SQL + Injection") instead of surfacing the raw camelCase identifier. + +## 2.2.91 + +- Added legal/compliance artifact presets (`--legal`) and FOSSA-compatible output + shapes (`--legal-format fossa`) for license and SBOM reporting. + +## 2.2.90 + +- Migrated license enrichment PURL lookup to the org-scoped endpoint (`POST /v0/orgs/{slug}/purl`) from the deprecated global endpoint (`POST /v0/purl`). + +## 2.2.89 + +- Added `uv.lock` to the version-incrementation CI check so a `pyproject.toml` / + `__init__.py` version bump without a matching lockfile sync no longer slips through. +- Updated the local Python pre-commit hook to keep `uv.lock` in sync with + `pyproject.toml` and `socketsecurity/__init__.py` version changes automatically. + +## 2.2.88 + +- Added `bun.lock`, `bun.lockb`, and `vlt-lock.json` to the recognized manifest files + for Socket scanning, with matching unit-test coverage. + +## 2.2.86 + +- Bumped `socketdev` to `>=3.0.33,<4.0.0` to pick up the SDK fix for unknown alert + categories (the SDK previously crashed while deserializing diff alerts when the API + returned a category like `"other"`). +- Normalized diff artifacts with `score=None` to an empty score map in the CLI model + layer; PR-comment dependency-overview rendering no longer crashes on missing or + partial score data. +- Defaulted missing badge values to a valid `100%` fallback rather than producing + invalid badge URLs. + +## 2.2.85 + +- Added four hidden `--reach-continue-on-*` flags in preparation for Coana CLI v15: + `--reach-continue-on-analysis-errors`, `--reach-continue-on-install-errors`, + `--reach-continue-on-missing-lock-files`, `--reach-continue-on-no-source-files`. + Each forwards to the matching Coana flag and opts out of one of Coana v15's new + halt-by-default behaviors. No-op against today's default Coana version; will take + effect automatically once Coana v15 becomes the default. + +## 2.2.83 + +- Fixed branch detection in detached-HEAD CI checkouts. When `git name-rev --name-only HEAD` returned an output with a suffix operator (e.g. `remotes/origin/master~1`, `master^0`), the `~N`/`^N` was previously passed through as the branch name and rejected by the Socket API as an invalid Git ref. The suffix is now stripped before the prefix split, producing the bare branch name. + +## 2.2.81 + +- Fixed GitLab security report schema compliance: corrected schema validation errors so + Socket-produced reports parse cleanly under GitLab's dependency-scanning ingestion. +- Populated scan alert data in the GitLab security report so previously-empty alert + sections now carry the expected findings. + +## 2.2.80 + +- Hardened GitHub Actions workflows. +- Fixed broken links on PyPI page. + +## 2.2.79 + +- Updated minimum required Python version. +- Tweaked CI checks. + +## 2.2.78 + +- Fixed reachability filtering. +- Added config file support. + +## 2.2.77 + +- Fixed `has_manifest_files` failing to match root-level manifest files. + +## 2.2.76 + +- Added SARIF file output support. +- Improved reachability filtering. + +## 2.2.75 + +- Fixed `workspace` flag regression by updating SDK dependency. + +## 2.2.74 + +- Added `--workspace` flag to CLI args. +- Added GitLab branch protection flag. +- Added e2e tests for full scans and full scans with reachability. +- Bumped dependencies: `cryptography`, `virtualenv`, `filelock`, `urllib3`. + ## 2.2.71 - Added `strace` to the Docker image for debugging purposes. diff --git a/Dockerfile b/Dockerfile index 0d9f2cb..7511078 100644 --- a/Dockerfile +++ b/Dockerfile @@ -88,6 +88,29 @@ ENV GOPATH="/go" # Install uv COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv +# Install pyenv +# pyenv lets us build/install arbitrary Python versions on demand. We install +# the build dependencies needed to compile CPython on Alpine, then install +# pyenv itself. We deliberately only symlink the `pyenv` binary onto the PATH +# and do NOT add pyenv's shims directory, so its shims don't shadow the system +# Python that the CLI runs on. +RUN apk add --no-cache \ + bash \ + bzip2-dev \ + ca-certificates \ + libffi-dev \ + libxslt-dev \ + linux-headers \ + ncurses-dev \ + openssl-dev \ + readline-dev \ + sqlite-dev \ + xz-dev \ + zlib-dev +RUN curl -L https://raw.githubusercontent.com/pyenv/pyenv-installer/master/bin/pyenv-installer | PYENV_GIT_TAG="v2.7.1" bash && \ + ln -s ~/.pyenv/bin/pyenv /bin/pyenv && \ + pyenv --version + # Install CLI based on build mode RUN if [ "$USE_LOCAL_INSTALL" = "true" ]; then \ echo "Using local development install"; \ diff --git a/README.md b/README.md index ef84057..a3eeb10 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Socket Python CLI for Socket scans, diff reporting, reachability analysis, and SARIF/GitLab exports. -Comprehensive docs are available in [`docs/`](docs/) for full flag reference, CI/CD-specific guidance, and contributor setup. +Comprehensive docs are available in [`docs/`](https://github.com/SocketDev/socket-python-cli/tree/main/docs) for full flag reference, CI/CD-specific guidance, and contributor setup. ## Quick start @@ -27,8 +27,8 @@ socketcli --target-path . ## Common use cases This section covers the paved path/common workflows. -For advanced options and exhaustive details, see [`docs/cli-reference.md`](docs/cli-reference.md). -For CI/CD-specific guidance, see [`docs/ci-cd.md`](docs/ci-cd.md). +For advanced options and exhaustive details, see [`docs/cli-reference.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/cli-reference.md). +For CI/CD-specific guidance, see [`docs/ci-cd.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/ci-cd.md). ### Basic policy scan (no SARIF) @@ -84,6 +84,7 @@ socketcli \ | Use case | Recommended mode | Key flags | |:--|:--|:--| | Basic policy enforcement in CI | Diff-based policy check | `--strict-blocking` | +| Legal/compliance artifact generation | Legal preset | `--legal` | | Reachable-focused SARIF for reporting | Full-scope grouped SARIF | `--reach --sarif-scope full --sarif-grouping alert --sarif-reachability reachable --sarif-file ` | | Detailed reachability export for investigations | Full-scope instance SARIF | `--reach --sarif-scope full --sarif-grouping instance --sarif-reachability all --sarif-file ` | | Net-new PR findings only | Diff-scope SARIF | `--reach --sarif-scope diff --sarif-reachability reachable --sarif-file ` | @@ -91,7 +92,7 @@ socketcli \ Dashboard parity note: - Full-scope SARIF is the closest match for dashboard-style filtering. - Exact result counts can still differ from the dashboard due to backend/API consolidation differences and grouping semantics. -- See [`docs/troubleshooting.md#dashboard-vs-cli-result-counts`](docs/troubleshooting.md#dashboard-vs-cli-result-counts). +- See [`docs/troubleshooting.md#dashboard-vs-cli-result-counts`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#dashboard-vs-cli-result-counts). ## Config files (`--config`) @@ -134,26 +135,55 @@ Run: socketcli --config .socketcli.toml --target-path . ``` +Legal/compliance preset example: + +```bash +socketcli --legal --target-path . +``` + +This preset enables license generation and writes default artifacts unless you override them: +- `socket-report.json` +- `socket-summary.txt` +- `socket-report-link.txt` +- `socket-sbom.json` +- `socket-license.json` + +FOSSA-compatibility shaped legal artifacts: + +```bash +socketcli --legal-format fossa --target-path . +``` + +This switches the JSON report and legal artifact payloads to FOSSA-style compatibility shapes: +- the analyze artifact becomes a `project` / `vulnerability` / `licensing` / `quality` report +- the SBOM artifact becomes a FOSSA-attribution-style payload with `copyrightsByLicense`, `deepDependencies`, `directDependencies`, `licenses`, and `project` keys + +When `--legal-format fossa` is used without explicit output paths, the defaults are closer to the FOSSA pipeline contract: +- `fossa-analyze.json` +- `fossa-test.txt` +- `fossa-link.txt` +- `fossa-sbom.json` + Reference sample configs: TOML: -- [`examples/config/sarif-dashboard-parity.toml`](examples/config/sarif-dashboard-parity.toml) -- [`examples/config/sarif-instance-detail.toml`](examples/config/sarif-instance-detail.toml) -- [`examples/config/sarif-diff-ci-cd.toml`](examples/config/sarif-diff-ci-cd.toml) +- [`examples/config/sarif-dashboard-parity.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-dashboard-parity.toml) +- [`examples/config/sarif-instance-detail.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-instance-detail.toml) +- [`examples/config/sarif-diff-ci-cd.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-diff-ci-cd.toml) JSON: -- [`examples/config/sarif-dashboard-parity.json`](examples/config/sarif-dashboard-parity.json) -- [`examples/config/sarif-instance-detail.json`](examples/config/sarif-instance-detail.json) -- [`examples/config/sarif-diff-ci-cd.json`](examples/config/sarif-diff-ci-cd.json) +- [`examples/config/sarif-dashboard-parity.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-dashboard-parity.json) +- [`examples/config/sarif-instance-detail.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-instance-detail.json) +- [`examples/config/sarif-diff-ci-cd.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-diff-ci-cd.json) ## CI/CD examples Prebuilt workflow examples: -- [GitHub Actions](workflows/github-actions.yml) -- [Buildkite](workflows/buildkite.yml) -- [GitLab CI](workflows/gitlab-ci.yml) -- [Bitbucket Pipelines](workflows/bitbucket-pipelines.yml) +- [GitHub Actions](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/github-actions.yml) +- [Buildkite](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/buildkite.yml) +- [GitLab CI](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/gitlab-ci.yml) +- [Bitbucket Pipelines](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/bitbucket-pipelines.yml) Minimal pattern: @@ -164,9 +194,51 @@ Minimal pattern: SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }} ``` +## Exit codes + +| Code | Meaning | +|------|---------| +| `0` | Clean scan โ€” no blocking issues (or `--disable-blocking` set) | +| `1` | Blocking security finding(s) detected | +| `2` | Scan interrupted (SIGINT / Ctrl+C) | +| `3` | Infrastructure or API error (timeout, network failure, unexpected error) | + +`--exit-code-on-api-error ` remaps the infrastructure-error code (`3`) to any +value โ€” e.g. a Buildkite `soft_fail` code, or `0` to swallow infra errors. Exit +`3` is a Socket convention, not an industry standard. + +### How these options interact + +The two flags that affect exit codes can cancel each other out, so the order of +precedence matters: + +- **`--disable-blocking` wins over everything.** It forces exit `0` for *all* + outcomes โ€” security findings *and* infrastructure errors. If you set it, + `--exit-code-on-api-error` has no effect (you'll always get `0`). +- **`--exit-code-on-api-error` only applies when `--disable-blocking` is *not* + set.** It changes the infra-error code (and the generic-error code); it never + touches the security-finding code (`1`). + +So for the common "don't let Socket outages block my pipeline, but still fail on +real findings" goal, use `--exit-code-on-api-error` **without** `--disable-blocking`: + +```yaml +# Buildkite: soft-fail only on infrastructure errors, still block on findings +steps: + - label: ":lock: Socket Security Scan" + command: "socketcli --exit-code-on-api-error 100 ..." # NOT --disable-blocking + soft_fail: + - exit_status: 100 +``` + +Combining `--disable-blocking` with `--exit-code-on-api-error 100` would make the +scan exit `0` on *both* findings and outages โ€” the `soft_fail: 100` rule would +never match, and real findings would stop blocking. That's usually not what you +want. + ## Common gotchas -See [`docs/troubleshooting.md`](docs/troubleshooting.md#common-gotchas). +See [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#common-gotchas). ## Quick verification checks @@ -187,7 +259,7 @@ jq '.runs[0].results | length' sarif-diff-reachable.sarif ## Documentation reference -- Full CLI reference: [`docs/cli-reference.md`](docs/cli-reference.md) -- CI/CD guide: [`docs/ci-cd.md`](docs/ci-cd.md) -- Troubleshooting guide: [`docs/troubleshooting.md`](docs/troubleshooting.md) -- Development guide: [`docs/development.md`](docs/development.md) +- Full CLI reference: [`docs/cli-reference.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/cli-reference.md) +- CI/CD guide: [`docs/ci-cd.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/ci-cd.md) +- Troubleshooting guide: [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md) +- Development guide: [`docs/development.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/development.md) diff --git a/docs/cli-reference.md b/docs/cli-reference.md index 0c807f7..cdbf003 100644 --- a/docs/cli-reference.md +++ b/docs/cli-reference.md @@ -148,14 +148,15 @@ socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--workspace WORKSPACE] [-- [--owner OWNER] [--pr-number PR_NUMBER] [--commit-message COMMIT_MESSAGE] [--commit-sha COMMIT_SHA] [--committers [COMMITTERS ...]] [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST] [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME] - [--excluded-ecosystems EXCLUDED_ECOSYSTEMS] [--default-branch] [--pending-head] [--generate-license] [--enable-debug] + [--excluded-ecosystems EXCLUDED_ECOSYSTEMS] [--exclude-paths EXCLUDE_PATHS] [--default-branch] [--pending-head] [--generate-license] [--enable-debug] [--enable-json] [--enable-sarif] [--sarif-file ] [--sarif-scope {diff,full}] [--sarif-grouping {instance,alert}] [--sarif-reachability {all,reachable,potentially,reachable-or-potentially}] [--enable-gitlab-security] [--gitlab-security-file ] [--disable-overview] [--exclude-license-details] [--allow-unverified] [--disable-security-issue] - [--ignore-commit-files] [--disable-blocking] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders] - [--reach] [--reach-version REACH_VERSION] [--reach-timeout REACH_ANALYSIS_TIMEOUT] - [--reach-memory-limit REACH_ANALYSIS_MEMORY_LIMIT] [--reach-ecosystems REACH_ECOSYSTEMS] [--reach-exclude-paths REACH_EXCLUDE_PATHS] - [--reach-min-severity {low,medium,high,critical}] [--reach-skip-cache] [--reach-disable-analytics] [--reach-output-file REACH_OUTPUT_FILE] - [--only-facts-file] [--version] + [--ignore-commit-files] [--disable-blocking] [--disable-ignore] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders] + [--reach] [--reach-version REACH_VERSION] [--reach-analysis-timeout REACH_ANALYSIS_TIMEOUT] + [--reach-analysis-memory-limit REACH_ANALYSIS_MEMORY_LIMIT] [--reach-concurrency REACH_CONCURRENCY] [--reach-ecosystems REACH_ECOSYSTEMS] + [--reach-min-severity ] [--reach-skip-cache] [--reach-disable-analytics] [--reach-enable-analysis-splitting] [--reach-detailed-analysis-log-file] + [--reach-lazy-mode] [--reach-use-only-pregenerated-sboms] [--reach-debug] [--reach-disable-external-tool-checks] + [--reach-output-file REACH_OUTPUT_FILE] [--only-facts-file] [--version] ```` If you don't want to provide the Socket API Token every time then you can use the environment variable `SOCKET_SECURITY_API_TOKEN` @@ -203,6 +204,7 @@ If you don't want to provide the Socket API Token every time then you can use th | `--sub-path` | False | | Sub-path within target-path for manifest file scanning (can be specified multiple times). All sub-paths are combined into a single workspace scan while preserving git context from target-path. Must be used with `--workspace-name` | | `--workspace-name` | False | | Workspace name suffix to append to repository name (repo-name-workspace_name). Must be used with `--sub-path` | | `--excluded-ecosystems` | False | [] | List of ecosystems to exclude from analysis (JSON array string). You can get supported files from the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) | +| `--exclude-paths` | False | | Comma-separated paths/globs to exclude from **both** manifest discovery (every scan) **and** reachability analysis (e.g. `tests/**,packages/legacy,*.spec.ts`). Patterns are scan-root-relative, case-sensitive globs where `*` does not cross `/` and `**` does. Supersedes `--reach-exclude-paths`. | #### Branch and Scan Configuration | Parameter | Required | Default | Description | @@ -237,23 +239,35 @@ If you don't want to provide the Socket API Token every time then you can use th #### Reachability Analysis | Parameter | Required | Default | Description | |:---------------------------------|:---------|:--------|:---------------------------------------------------------------------------------------------------------------------------| -| `--reach` | False | False | Enable reachability analysis to identify which vulnerable functions are actually called by your code | +| `--reach` | False | False | Enable reachability analysis to identify which vulnerable functions are actually called by your code. Creates a tier-1 full-application reachability scan (`scan_type=socket_tier1`). | | `--reach-version` | False | latest | Version of @coana-tech/cli to use for analysis | -| `--reach-timeout` | False | 1200 | Timeout in seconds for the reachability analysis (default: 1200 seconds / 20 minutes) | -| `--reach-memory-limit` | False | 4096 | Memory limit in MB for the reachability analysis (default: 4096 MB / 4 GB) | -| `--reach-concurrency` | False | | Control parallel analysis execution (must be >= 1) | +| `--reach-analysis-timeout` | False | *coana* | Timeout in seconds for the reachability analysis. Omitted by default, so coana applies its own (currently 600s). Alias: `--reach-timeout` | +| `--reach-analysis-memory-limit` | False | *coana* | Memory limit in MB for the reachability analysis. Omitted by default, so coana applies its own (currently 8192). Alias: `--reach-memory-limit` | +| `--reach-concurrency` | False | *coana* | Control parallel analysis execution (must be >= 1). Omitted by default, so coana applies its own (currently 1) | | `--reach-additional-params` | False | | Pass custom parameters to the coana CLI tool | | `--reach-ecosystems` | False | | Comma-separated list of ecosystems to analyze (e.g., "npm,pypi"). If not specified, all supported ecosystems are analyzed | -| `--reach-exclude-paths` | False | | Comma-separated list of file paths or patterns to exclude from reachability analysis | -| `--reach-min-severity` | False | | Minimum severity level for reporting reachability results (low, medium, high, critical) | +| `--reach-min-severity` | False | | Minimum severity level for reporting reachability results (info, low, moderate, high, critical) | | `--reach-skip-cache` | False | False | Skip cache and force fresh reachability analysis | | `--reach-disable-analytics` | False | False | Disable analytics collection during reachability analysis | +| `--reach-enable-analysis-splitting` | False | False | Enable analysis splitting/bucketing (a legacy performance feature). Splitting is disabled by default. | +| `--reach-detailed-analysis-log-file` | False | False | Write a detailed analysis log file; its path is printed to stdout | +| `--reach-lazy-mode` | False | False | Enable lazy mode (experimental performance feature) | +| `--reach-use-only-pregenerated-sboms` | False | False | Build the scan only from pre-generated CycloneDX (CDX) and SPDX files in your project (requires --reach) | +| `--reach-debug` | False | False | Enable coana debug output (`--debug`) for the analysis, independent of the global `--enable-debug` | +| `--reach-disable-external-tool-checks` | False | False | Disable coana's external tool availability checks (passes `--disable-external-tool-checks`) | | `--reach-output-file` | False | .socket.facts.json | Path where reachability analysis results should be saved | -| `--only-facts-file` | False | False | Submit only the .socket.facts.json file to an existing scan (requires --reach and a prior scan) | +| `--reach-exclude-paths` | False | | **[DEPRECATED โ€” use `--exclude-paths`]** Comma-separated paths to exclude from reachability analysis. Still honored (unioned with `--exclude-paths`) but will be hidden in a future release | +| `--only-facts-file` | False | False | Submit only the .socket.facts.json file when creating the full scan (requires --reach) | **Reachability Analysis Requirements:** -- `npm` - Required to install and run @coana-tech/cli -- `npx` - Required to execute @coana-tech/cli + +The Python CLI verifies the following **up front** (before invoking the analysis engine) and exits with code **3** if any are unmet: +- `npm` - Required to install and run `@coana-tech/cli` (the analysis engine) +- `npx` - Required to execute `@coana-tech/cli` +- `uv` - Required by the analysis engine +- An **Enterprise** Socket organization plan (any `enterprise*` plan, including Enterprise trials) + +Separately, the analysis engine (coana) needs the **per-ecosystem build toolchain** for whatever languages your project uses โ€” e.g. a compatible Python interpreter (3.11+, or PyPy) for Python, a JDK for Java/Kotlin/Scala, .NET 6+ for C#, the matching Go toolchain for Go, etc. These are validated by the engine **at analysis time** (the CLI does not pre-check them) and that validation can be skipped with `--reach-disable-external-tool-checks`. ## Config file support @@ -299,13 +313,14 @@ Sample config files: For CI-specific examples and guidance, see [`ci-cd.md`](ci-cd.md). -The CLI will automatically install `@coana-tech/cli` if not present. Use `--reach` to enable reachability analysis during a full scan, or use `--only-facts-file` with `--reach` to submit reachability results to an existing scan. +The CLI will automatically install `@coana-tech/cli` if not present. Use `--reach` to enable reachability analysis during a full scan, or add `--only-facts-file` (with `--reach`) to submit only the reachability facts file (`.socket.facts.json`) when creating the full scan. #### Advanced Configuration | Parameter | Required | Default | Description | |:-------------------------|:---------|:--------|:----------------------------------------------------------------------| | `--ignore-commit-files` | False | False | Ignore commit files | -| `--disable-blocking` | False | False | Disable blocking mode | +| `--disable-blocking` | False | False | Non-blocking CI mode: the CLI always exits **0**, even when blocking alerts are present (including with `--strict-blocking`). Also exits 0 on uncaught runtime errors and Socket API failures, so the job is treated as successful while findings and errors are still logged. Takes precedence over `--strict-blocking`. | +| `--disable-ignore` | False | False | Disable support for `@SocketSecurity ignore` commands in PR comments. When set, alerts cannot be suppressed via comments and ignore instructions are hidden from comment output. | | `--strict-blocking` | False | False | Fail on ANY security policy violations (blocking severity), not just new ones. Only works in diff mode. See [Strict Blocking Mode](#strict-blocking-mode) for details. | | `--enable-diff` | False | False | Enable diff mode even when using `--integration api` (forces diff mode without SCM integration) | | `--scm` | False | api | Source control management type | @@ -700,17 +715,44 @@ The GitLab report includes **actionable security alerts** based on your Socket p All alert types are included in the GitLab report if they're marked as `error` or `warn` by your Socket Security policy, ensuring the Security Dashboard shows only actionable findings. +### Alert Population: GitLab vs JSON/SARIF + +The GitLab Security Dashboard report and the JSON/SARIF diff outputs use different alert selection strategies, reflecting their distinct purposes: + +| Output Format | Default Alerts | With `--strict-blocking` | +|:---|:---|:---| +| `--enable-gitlab-security` | **All** alerts (new + existing) | All alerts (same) | +| `--enable-json` | New alerts only | New + existing alerts | +| `--enable-sarif` (diff scope) | New alerts only | New + existing alerts | + +**Why the difference?** GitLab's Security Dashboard is designed to present the full security posture of a project. An empty dashboard on a scan with no dependency changes would be misleading -- the vulnerabilities still exist, they just didn't change. By contrast, JSON and SARIF in diff scope are designed to answer "what changed?" and only include existing alerts when `--strict-blocking` explicitly requests it. + +> **Tip:** If you use `--enable-json` alongside `--enable-gitlab-security`, the GitLab report may contain more vulnerabilities than the JSON output. This is expected. To make JSON output match, add `--strict-blocking`. + +### Alert Ignoring via PR/MR Comments + +When using the CLI with SCM integration (`--scm github` or `--scm gitlab`), users can ignore specific alerts by reacting to Socket's PR/MR comments. Ignored alerts are removed from `--enable-json`, `--enable-sarif`, and console output. + +However, the GitLab Security Dashboard report includes **all** alerts matching your security policy (new and existing), regardless of comment-based ignores. This ensures the Security Dashboard always reflects the full set of known issues. To suppress a vulnerability from the GitLab report, adjust the alert's policy in Socket's dashboard rather than ignoring it via a PR comment. + ### Report Schema -Socket CLI generates reports compliant with [GitLab Dependency Scanning schema version 15.0.0](https://docs.gitlab.com/ee/development/integrations/secure.html). The reports include: +Socket CLI generates reports compliant with [GitLab Dependency Scanning schema version 15.0.0](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.0.0/dist/dependency-scanning-report-format.json). The reports include: -- **Scan metadata**: Analyzer and scanner information +- **Scan metadata**: Analyzer and scanner information with ISO 8601 timestamps - **Vulnerabilities**: Detailed vulnerability data with: - Unique deterministic UUIDs for tracking - Package location and dependency information - Severity levels mapped from Socket's analysis - Socket-specific alert types and CVE identifiers - Links to Socket.dev for detailed analysis +- **Dependency files**: Manifest files and their dependencies discovered during the scan + +**Schema compatibility:** The v15.0.0 schema is supported across all GitLab versions 12.0+ (both self-hosted and cloud). The report includes the `dependency_files` field, which is required by v15.0.0 and accepted as an optional extra by newer schema versions, ensuring maximum compatibility across GitLab instances. + +### Performance Notes + +When `--enable-gitlab-security` (or `--enable-json` / `--enable-sarif`) is used with a full scan (non-diff mode), the CLI fetches package and alert data from the scan results to populate the report. This adds time proportional to the number of packages in the scan. Without these output flags, no additional data is fetched and scan performance is unchanged. ### Requirements @@ -726,7 +768,9 @@ Socket CLI generates reports compliant with [GitLab Dependency Scanning schema v - Ensure the report file follows the correct schema format **Empty vulnerabilities array:** -- This is normal if no new security issues were detected +- The GitLab report includes both new and existing alerts, so repeated scans of the same repo should still populate the report as long as Socket detects actionable issues +- If the report is empty, verify the Socket dashboard shows alerts for the scanned packages -- an empty report means no error/warn-level alerts exist +- For full scans (non-diff mode), ensure you are using `--enable-gitlab-security` so alert data is fetched - Check Socket.dev dashboard for full analysis details ## Development diff --git a/pyproject.toml b/pyproject.toml index d401856..54cdb82 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,8 +6,8 @@ build-backend = "hatchling.build" [project] name = "socketsecurity" -version = "2.2.78" -requires-python = ">= 3.10" +version = "2.4.6" +requires-python = ">= 3.11" license = {"file" = "LICENSE"} dependencies = [ 'requests', @@ -16,9 +16,11 @@ dependencies = [ 'GitPython', 'packaging', 'python-dotenv', - "socketdev>=3.0.32,<4.0.0", + "socketdev>=3.2.1,<4.0.0", "bs4>=0.0.2", "markdown>=3.10", + "brotli>=1.0.9; platform_python_implementation == 'CPython'", + "brotlicffi>=1.0.9; platform_python_implementation != 'CPython'", ] readme = "README.md" description = "Socket Security CLI for CI/CD" @@ -166,4 +168,3 @@ include = ["socketsecurity", "LICENSE"] dev = [ "pre-commit>=4.3.0", ] - diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index 987c20b..7ac4760 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,3 +1,3 @@ __author__ = 'socket.dev' -__version__ = '2.2.78' +__version__ = '2.4.6' USER_AGENT = f'SocketPythonCLI/{__version__}' diff --git a/socketsecurity/config.py b/socketsecurity/config.py index 9c3b40b..3c258a3 100644 --- a/socketsecurity/config.py +++ b/socketsecurity/config.py @@ -55,6 +55,50 @@ def load_cli_config_file(config_path: str) -> dict: return scoped return data +def normalize_exclude_paths(value) -> Optional[List[str]]: + """Normalize a --exclude-paths value into a clean list of patterns. + + Accepts a comma-separated string (CLI) or a list/tuple (e.g. a JSON/TOML --config file + value), so config-file-supplied patterns flow through the same validation as CLI ones. + """ + if not value: + return None + if isinstance(value, str): + items = value.split(",") + elif isinstance(value, (list, tuple)): + items = value + else: + return None + cleaned = [str(p).strip() for p in items if str(p).strip()] + return cleaned or None + + +def validate_exclude_paths(patterns: List[str]) -> None: + """Validate --exclude-paths patterns (mirrors Node's assertValidExcludePaths). + + Patterns are scan-root-relative globs. Reject the cases coana's --exclude-dirs / fast-glob + cannot honor: negation, absolute paths, ``..`` traversal, and degenerate match-everything. + Exits with code 1 on the first invalid pattern. + """ + # Degenerate match-everything forms, compared against the trailing-slash-stripped pattern + # (so "**/" reduces to "**" and is rejected, matching Node's stripTrailingSlash + check). + degenerate = {"", ".", "**", "./**", "/**"} + for p in patterns: + norm = (p or "").strip().replace("\\", "/") + if norm.startswith("!"): + logging.error(f"--exclude-paths: negation patterns are not supported: {p!r}") + exit(1) + if norm.startswith("/"): + logging.error(f"--exclude-paths: patterns must be scan-root relative (no leading '/'): {p!r}") + exit(1) + if norm == ".." or norm.startswith("../") or "/../" in norm or norm.endswith("/.."): + logging.error(f"--exclude-paths: '..' path traversal is not allowed: {p!r}") + exit(1) + if norm.rstrip("/") in degenerate: + logging.error(f"--exclude-paths: pattern would exclude everything: {p!r}") + exit(1) + + @dataclass class PluginConfig: enabled: bool = False @@ -79,6 +123,7 @@ class CliConfig: enable_debug: bool = False allow_unverified: bool = False enable_json: bool = False + json_file: Optional[str] = None enable_sarif: bool = False sarif_file: Optional[str] = None sarif_scope: str = "diff" @@ -86,21 +131,26 @@ class CliConfig: sarif_reachability: str = "all" enable_gitlab_security: bool = False gitlab_security_file: Optional[str] = None + summary_file: Optional[str] = None + report_link_file: Optional[str] = None disable_overview: bool = False disable_security_issue: bool = False files: str = None ignore_commit_files: bool = False disable_blocking: bool = False + disable_ignore: bool = False strict_blocking: bool = False integration_type: IntegrationType = "api" integration_org_slug: Optional[str] = None pending_head: bool = False enable_diff: bool = False timeout: Optional[int] = 1200 + exit_code_on_api_error: int = 3 exclude_license_details: bool = False include_module_folders: bool = False repo_is_public: bool = False excluded_ecosystems: list[str] = field(default_factory=lambda: []) + exclude_paths: Optional[List[str]] = None version: str = __version__ jira_plugin: PluginConfig = field(default_factory=PluginConfig) slack_plugin: PluginConfig = field(default_factory=PluginConfig) @@ -130,8 +180,16 @@ class CliConfig: reach_additional_params: Optional[List[str]] = None only_facts_file: bool = False reach_use_only_pregenerated_sboms: bool = False + reach_continue_on_analysis_errors: bool = False + reach_continue_on_install_errors: bool = False + reach_continue_on_missing_lock_files: bool = False + reach_continue_on_no_source_files: bool = False + reach_debug: bool = False + reach_disable_external_tool_checks: bool = False max_purl_batch_size: int = 5000 enable_commit_status: bool = False + legal: bool = False + legal_format: str = "socket" config_file: Optional[str] = None @classmethod @@ -154,6 +212,12 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': args = parser.parse_args(args_list) + if args.reach_exclude_paths: + logging.warning( + "--reach-exclude-paths is deprecated; use --exclude-paths instead. " + "It is still honored and unioned with --exclude-paths." + ) + # Get API token from env or args (check multiple env var names) api_token = ( os.getenv("SOCKET_SECURITY_API_KEY") or @@ -172,6 +236,19 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': if commit_message and commit_message.startswith('"') and commit_message.endswith('"'): commit_message = commit_message[1:-1] + # Truncate to avoid 413s from oversized URL query parameters. + # The API has no application-layer length validation on commit_message; + # the 413 originates from an infrastructure-layer URL length limit + # (nginx/Cloudflare). 200 chars chosen as a conservative ceiling given + # URL encoding can 2-3x raw character count. + MAX_COMMIT_MESSAGE_LENGTH = 200 + if commit_message and len(commit_message) > MAX_COMMIT_MESSAGE_LENGTH: + logging.debug( + f"commit_message truncated from {len(commit_message)} to " + f"{MAX_COMMIT_MESSAGE_LENGTH} characters to avoid API request size limits" + ) + commit_message = commit_message[:MAX_COMMIT_MESSAGE_LENGTH] + config_args = { 'api_token': api_token, 'repo': args.repo, @@ -189,6 +266,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'enable_diff': args.enable_diff, 'allow_unverified': args.allow_unverified, 'enable_json': args.enable_json, + 'json_file': args.json_file, 'enable_sarif': args.enable_sarif, 'sarif_file': args.sarif_file, 'sarif_scope': args.sarif_scope, @@ -196,15 +274,19 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'sarif_reachability': args.sarif_reachability, 'enable_gitlab_security': args.enable_gitlab_security, 'gitlab_security_file': args.gitlab_security_file, + 'summary_file': args.summary_file, + 'report_link_file': args.report_link_file, 'disable_overview': args.disable_overview, 'disable_security_issue': args.disable_security_issue, 'files': args.files, 'ignore_commit_files': args.ignore_commit_files, 'disable_blocking': args.disable_blocking, + 'disable_ignore': args.disable_ignore, 'strict_blocking': args.strict_blocking, 'integration_type': args.integration, 'pending_head': args.pending_head, 'timeout': args.timeout, + 'exit_code_on_api_error': args.exit_code_on_api_error, 'exclude_license_details': args.exclude_license_details, 'include_module_folders': args.include_module_folders, 'repo_is_public': args.repo_is_public, @@ -227,6 +309,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'reach_lazy_mode': args.reach_lazy_mode, 'reach_ecosystems': args.reach_ecosystems.split(',') if args.reach_ecosystems else None, 'reach_exclude_paths': args.reach_exclude_paths.split(',') if args.reach_exclude_paths else None, + 'exclude_paths': normalize_exclude_paths(args.exclude_paths), 'reach_skip_cache': args.reach_skip_cache, 'reach_min_severity': args.reach_min_severity, 'reach_output_file': args.reach_output_file, @@ -234,11 +317,48 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'reach_additional_params': args.reach_additional_params, 'only_facts_file': args.only_facts_file, 'reach_use_only_pregenerated_sboms': args.reach_use_only_pregenerated_sboms, + 'reach_continue_on_analysis_errors': args.reach_continue_on_analysis_errors, + 'reach_continue_on_install_errors': args.reach_continue_on_install_errors, + 'reach_continue_on_missing_lock_files': args.reach_continue_on_missing_lock_files, + 'reach_continue_on_no_source_files': args.reach_continue_on_no_source_files, + 'reach_debug': args.reach_debug, + 'reach_disable_external_tool_checks': args.reach_disable_external_tool_checks, 'max_purl_batch_size': args.max_purl_batch_size, 'enable_commit_status': args.enable_commit_status, + 'legal': args.legal or args.legal_format == "fossa", + 'legal_format': args.legal_format, 'config_file': args.config_file, 'version': __version__ } + + if config_args['legal']: + config_args['generate_license'] = True + if not config_args['json_file']: + config_args['json_file'] = "socket-report.json" + if not config_args['summary_file']: + config_args['summary_file'] = "socket-summary.txt" + if not config_args['report_link_file']: + config_args['report_link_file'] = "socket-report-link.txt" + if not config_args['sbom_file']: + config_args['sbom_file'] = "socket-sbom.json" + if config_args['license_file_name'] == "license_output.json": + config_args['license_file_name'] = "socket-license.json" + + if config_args['legal_format'] == "fossa": + if not args.json_file: + config_args['json_file'] = "fossa-analyze.json" + if not args.summary_file: + config_args['summary_file'] = "fossa-test.txt" + if not args.report_link_file: + config_args['report_link_file'] = "fossa-link.txt" + if not args.license_file_name: + # argparse always provides a default, so this branch is defensive only + config_args['license_file_name'] = "fossa-sbom.json" + elif args.license_file_name == "license_output.json": + config_args['license_file_name'] = "fossa-sbom.json" + if not args.sbom_file: + # FOSSA's "SBOM" artifact is the attribution payload; suppress the extra Socket-only SBOM file by default. + config_args['sbom_file'] = None excluded_ecosystems = config_args["excluded_ecosystems"] if isinstance(excluded_ecosystems, list): config_args["excluded_ecosystems"] = excluded_ecosystems @@ -293,6 +413,10 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': logging.error("--sarif-reachability potentially/reachable-or-potentially requires --sarif-scope full") exit(1) + # Validate --exclude-paths patterns up front (mirrors Node's assertValidExcludePaths). + if config_args.get("exclude_paths"): + validate_exclude_paths(config_args["exclude_paths"]) + # Validate that only_facts_file requires reach if args.only_facts_file and not args.reach: logging.error("--only-facts-file requires --reach to be specified") @@ -502,6 +626,15 @@ def create_argument_parser() -> argparse.ArgumentParser: help="List of ecosystems to exclude from analysis (JSON array string)" ) + path_group.add_argument( + "--exclude-paths", + dest="exclude_paths", + metavar="", + help="Comma-separated paths/globs to exclude from BOTH manifest discovery and " + "reachability analysis (e.g. 'tests/**,packages/legacy,*.spec.ts'). " + "Supersedes --reach-exclude-paths." + ) + # Branch and Scan Configuration config_group = parser.add_argument_group('Branch and Scan Configuration') config_group.add_argument( @@ -560,6 +693,12 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help="Output in JSON format" ) + output_group.add_argument( + "--json-file", + dest="json_file", + metavar="", + help="Output file path for JSON report" + ) output_group.add_argument( "--enable-sarif", dest="enable_sarif", @@ -607,6 +746,18 @@ def create_argument_parser() -> argparse.ArgumentParser: default="gl-dependency-scanning-report.json", help="Output file path for GitLab Security report (default: gl-dependency-scanning-report.json)" ) + output_group.add_argument( + "--summary-file", + dest="summary_file", + metavar="", + help="Output file path for a plain-text summary report" + ) + output_group.add_argument( + "--report-link-file", + dest="report_link_file", + metavar="", + help="Output file path for the Socket report link" + ) output_group.add_argument( "--disable-overview", dest="disable_overview", @@ -623,7 +774,12 @@ def create_argument_parser() -> argparse.ArgumentParser: "--exclude-license-details", dest="exclude_license_details", action="store_true", - help="Exclude license details from the diff report (boosts performance for large repos)" + help=( + "Exclude license details from the dashboard report URL. " + "As of 2.4.0 the internal diff request always omits license details " + "(they were unused there and bloated large-repo responses), so this " + "flag now only affects the report link, not diff performance." + ) ) output_group.add_argument( "--max-purl-batch-size", @@ -685,7 +841,11 @@ def create_argument_parser() -> argparse.ArgumentParser: "--disable-blocking", dest="disable_blocking", action="store_true", - help="Disable blocking mode" + help=( + "Non-blocking CI mode: always exit 0, even when blocking alerts are present " + "(including with --strict-blocking), on uncaught errors, or on Socket API failures. " + "Findings and errors are still logged. Overrides --strict-blocking." + ), ) advanced_group.add_argument( "--disable_blocking", @@ -693,6 +853,19 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help=argparse.SUPPRESS ) + advanced_group.add_argument( + "--disable-ignore", + dest="disable_ignore", + action="store_true", + help="Disable support for @SocketSecurity ignore commands in PR comments. " + "Alerts cannot be suppressed via comments when this flag is set." + ) + advanced_group.add_argument( + "--disable_ignore", + dest="disable_ignore", + action="store_true", + help=argparse.SUPPRESS + ) advanced_group.add_argument( "--strict-blocking", dest="strict_blocking", @@ -718,11 +891,39 @@ def create_argument_parser() -> argparse.ArgumentParser: help="Timeout in seconds for API requests", required=False ) + advanced_group.add_argument( + "--exit-code-on-api-error", + dest="exit_code_on_api_error", + type=int, + default=3, + metavar="", + help=( + "Exit code to use when the CLI fails on an API or infrastructure error " + "(timeout, network failure, unexpected exception). Default: 3. Useful for " + "distinguishing infrastructure failures from security findings (exit 1) in " + "CI -- e.g. set to a Buildkite soft_fail code. NOTE: --disable-blocking " + "forces exit 0 for ALL outcomes and therefore overrides this flag; do not " + "combine the two if you want the custom code to take effect." + ) + ) advanced_group.add_argument( "--allow-unverified", action="store_true", help="Disable SSL certificate verification for API requests" ) + advanced_group.add_argument( + "--legal", + dest="legal", + action="store_true", + help="Enable legal/compliance-friendly defaults and file outputs" + ) + advanced_group.add_argument( + "--legal-format", + dest="legal_format", + choices=["socket", "fossa"], + default="socket", + help="Select the legal artifact format. 'socket' keeps Socket-native outputs; 'fossa' emits compatibility-shaped JSON artifacts." + ) config_group.add_argument( "--include-module-folders", dest="include_module_folders", @@ -746,18 +947,32 @@ def create_argument_parser() -> argparse.ArgumentParser: help="Specific version of @coana-tech/cli to use (e.g., '1.2.3')" ) reachability_group.add_argument( - "--reach-timeout", + "--reach-analysis-timeout", dest="reach_analysis_timeout", type=int, metavar="", help="Timeout for reachability analysis in seconds" ) + # Backwards-compatible alias for the pre-alignment name. Kept working, hidden from help. reachability_group.add_argument( - "--reach-memory-limit", + "--reach-timeout", + dest="reach_analysis_timeout", + type=int, + help=argparse.SUPPRESS + ) + reachability_group.add_argument( + "--reach-analysis-memory-limit", dest="reach_analysis_memory_limit", type=int, metavar="", - help="Memory limit for reachability analysis in MB" + help="Memory limit for reachability analysis in MB (defaults to the coana CLI's own default, currently 8192)" + ) + # Backwards-compatible alias for the pre-alignment name. Kept working, hidden from help. + reachability_group.add_argument( + "--reach-memory-limit", + dest="reach_analysis_memory_limit", + type=int, + help=argparse.SUPPRESS ) reachability_group.add_argument( "--reach-ecosystems", @@ -769,7 +984,8 @@ def create_argument_parser() -> argparse.ArgumentParser: "--reach-exclude-paths", dest="reach_exclude_paths", metavar="", - help="Paths to exclude from reachability analysis (comma-separated)" + help="[DEPRECATED: use --exclude-paths] Paths to exclude from reachability analysis " + "(comma-separated). Still honored and unioned with --exclude-paths." ) reachability_group.add_argument( "--reach-min-severity", @@ -825,7 +1041,7 @@ def create_argument_parser() -> argparse.ArgumentParser: dest="reach_concurrency", type=int, metavar="", - help="Concurrency level for reachability analysis (must be >= 1)" + help="Concurrency level for reachability analysis (must be >= 1; defaults to the coana CLI's own default, currently 1)" ) reachability_group.add_argument( "--reach-additional-params", @@ -846,6 +1062,44 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help="When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project. (requires --reach)" ) + reachability_group.add_argument( + "--reach-continue-on-analysis-errors", + dest="reach_continue_on_analysis_errors", + action="store_true", + help=argparse.SUPPRESS + ) + reachability_group.add_argument( + "--reach-continue-on-install-errors", + dest="reach_continue_on_install_errors", + action="store_true", + help=argparse.SUPPRESS + ) + reachability_group.add_argument( + "--reach-continue-on-missing-lock-files", + dest="reach_continue_on_missing_lock_files", + action="store_true", + help=argparse.SUPPRESS + ) + reachability_group.add_argument( + "--reach-continue-on-no-source-files", + dest="reach_continue_on_no_source_files", + action="store_true", + help=argparse.SUPPRESS + ) + reachability_group.add_argument( + "--reach-debug", + dest="reach_debug", + action="store_true", + help="Enable debug output for the reachability analysis (passes --debug to the coana CLI). " + "Independent of the global --enable-debug flag." + ) + reachability_group.add_argument( + "--reach-disable-external-tool-checks", + dest="reach_disable_external_tool_checks", + action="store_true", + help="Disable coana's external tool availability checks during reachability analysis " + "(passes --disable-external-tool-checks to the coana CLI)." + ) parser.add_argument( '--version', diff --git a/socketsecurity/core/__init__.py b/socketsecurity/core/__init__.py index edd2814..20ff28f 100644 --- a/socketsecurity/core/__init__.py +++ b/socketsecurity/core/__init__.py @@ -1,5 +1,6 @@ import logging import os +import re import sys import tarfile import tempfile @@ -44,6 +45,51 @@ version = __version__ log = logging.getLogger("socketdev") +_ALERT_TYPE_TITLE_OVERRIDES = { + "gptDidYouMean": "Possible typosquat attack (GPT)", +} + +_HUMANIZE_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])") + +# Reachability facts-file upload compression. +# +# The Socket full-scan endpoint transparently brotli-decompresses any multipart part +# whose basename is exactly ``.socket.facts.json.br`` and stores it as plain +# ``.socket.facts.json``. Compressing the facts file on upload keeps it well under the +# server's per-file size cap (a ~262 MB facts file compresses to roughly 15-30 MB), +# which is required for large reachability (tier 1) scans to succeed. +# +# The server matches the *exact* name ``.socket.facts.json.br``, so we only compress +# files whose basename is exactly ``.socket.facts.json`` (a custom ``--reach-output-file`` +# name would not be decompressed server-side, so it is left as a plain upload). +SOCKET_FACTS_FILENAME = ".socket.facts.json" +SOCKET_FACTS_BROTLI_FILENAME = ".socket.facts.json.br" +# Brotli quality (0-11); 5 is a good speed/ratio tradeoff for large JSON payloads. +SOCKET_FACTS_BROTLI_QUALITY = 5 +# Largest brotli window (2**24 bytes); improves the ratio on large facts files. +SOCKET_FACTS_BROTLI_LGWIN = 24 +# Stream the facts file in 1 MiB chunks so large files aren't held fully in memory. +SOCKET_FACTS_BROTLI_CHUNK_SIZE = 1024 * 1024 + +# Tier 1 reachability finalize retry policy. The finalize call links the tier1 scan to the +# full scan and can fail transiently (network/API blips); a few backoff retries make it robust. +TIER1_FINALIZE_MAX_ATTEMPTS = 3 +TIER1_FINALIZE_BACKOFF_SECONDS = 1.0 + + +def _humanize_alert_type(alert_type: str) -> str: + """Convert a camelCase/PascalCase alert type into a Title-Cased label. + + Used as a last-resort fallback when the SDK does not have metadata for an + alert type and there is no explicit override. Adjacent capitals are kept + together so acronyms like 'SQL' survive ('SQLInjection' -> 'SQL Injection'). + """ + if not alert_type: + return "" + parts = _HUMANIZE_BOUNDARY.split(alert_type) + return " ".join(part[:1].upper() + part[1:] for part in parts if part) + + class Core: """Main class for interacting with Socket Security API and processing scan results.""" @@ -167,6 +213,67 @@ def is_excluded(file_path: str, excluded_dirs: Set[str]) -> bool: return True return False + @staticmethod + def _exclude_glob_to_regex(pattern: str) -> str: + """Translate a micromatch-style glob into an anchored regex string. + + Mirrors the Node CLI's --exclude-paths matcher (src/commands/scan/exclude-paths.mts): + patterns are matched against scan-root-relative POSIX paths, case-sensitively, where + ``*`` does NOT cross ``/`` and ``**`` DOES. Patterns are anchored at the scan root, so + ``tests`` matches ``tests`` (not ``src/tests``); use ``**/tests`` to match at any depth. + """ + i, n = 0, len(pattern) + out = ["^"] + while i < n: + c = pattern[i] + if c == "*": + if i + 1 < n and pattern[i + 1] == "*": + if i + 2 < n and pattern[i + 2] == "/": + out.append("(?:[^/]+/)*") # '**/' -> zero or more path segments + i += 3 + else: + out.append(".*") # '**' at end / before non-slash -> any, incl '/' + i += 2 + else: + out.append("[^/]*") # '*' -> within a single path segment + i += 1 + elif c == "?": + out.append("[^/]") + i += 1 + else: + out.append(re.escape(c)) + i += 1 + out.append("$") + return "".join(out) + + @staticmethod + def compile_exclude_paths(patterns: Optional[List[str]]) -> List["re.Pattern"]: + """Compile --exclude-paths globs into anchored regexes (compiled once per scan). + + Each pattern ``P`` is expanded the way Node feeds fast-glob's ``ignore``: ``P`` (a file- + or dir-shaped exact match) plus ``P/**`` (its subtree), unless ``P`` already ends with + ``/**``. Validation of the patterns happens earlier, in CliConfig.from_args. + """ + compiled: List["re.Pattern"] = [] + for raw in patterns or []: + p = (raw or "").strip().replace("\\", "/").rstrip("/") + if not p: + continue + globs = [p] if p.endswith("/**") else [p, f"{p}/**"] + compiled.extend(re.compile(Core._exclude_glob_to_regex(g)) for g in globs) + return compiled + + @staticmethod + def path_matches_exclude_regexes(rel_path: str, regexes: List["re.Pattern"]) -> bool: + rp = rel_path.replace(os.sep, "/").replace("\\", "/") + return any(r.match(rp) for r in regexes) + + @staticmethod + def matches_exclude_paths(file_path: str, base_path: str, patterns: List[str]) -> bool: + """Convenience matcher (compiles patterns per call); used in tests/ad-hoc checks.""" + rel_path = os.path.relpath(file_path, base_path).replace(os.sep, "/") + return Core.path_matches_exclude_regexes(rel_path, Core.compile_exclude_paths(patterns)) + def save_submitted_files_list(self, files: List[str], output_path: str) -> None: """ Save the list of submitted file names to a JSON file for debugging. @@ -290,6 +397,17 @@ def find_files(self, path: str, ecosystems: Optional[List[str]] = None) -> List[ start_time = time.time() files: Set[str] = set() + # Unified --exclude-paths: filter discovered manifests by the same paths/globs that are + # forwarded to coana's --exclude-dirs. Only consulted when the user supplied the flag. + # Patterns are anchored to `path` (the scan root this pass walks), matching coana's + # target and the Node CLI's fast-glob cwd. NOTE: when scanning multiple --sub-path + # targets, find_files runs once per sub-path, so a pattern like `tests` anchors to each + # sub-path independently (Node anchors all patterns to a single scan-root cwd). This only + # differs for the multi-target full-scan + --exclude-paths combo; the reach flow is + # single-target, so it matches Node there. + exclude_paths = getattr(self.cli_config, "exclude_paths", None) if self.cli_config else None + exclude_regexes = Core.compile_exclude_paths(exclude_paths) if exclude_paths else [] + # Get supported patterns from the API patterns = self.get_supported_patterns() @@ -319,8 +437,15 @@ def find_files(self, path: str, ecosystems: Optional[List[str]] = None) -> List[ for glob_file in glob_files: glob_file_str = str(glob_file) - if os.path.isfile(glob_file_str) and not Core.is_excluded(glob_file_str, self.config.excluded_dirs): - files.add(glob_file_str.replace("\\", "/")) + if not os.path.isfile(glob_file_str): + continue + if Core.is_excluded(glob_file_str, self.config.excluded_dirs): + continue + if exclude_regexes: + rel = os.path.relpath(glob_file_str, path) + if Core.path_matches_exclude_regexes(rel, exclude_regexes): + continue + files.add(glob_file_str.replace("\\", "/")) glob_end = time.time() log.debug(f"Globbing took {glob_end - glob_start:.4f} seconds") @@ -508,20 +633,139 @@ def finalize_tier1_scan(self, full_scan_id: str, facts_file_path: str) -> bool: log.debug(f"Failed to read tier1ReachabilityScanId from {facts_file_path}: {e}") return False - # Call the SDK to finalize the tier 1 scan - try: - success = self.sdk.fullscans.finalize_tier1( - full_scan_id=full_scan_id, - tier1_reachability_scan_id=tier1_scan_id, + # Call the SDK to finalize the tier 1 scan, retrying transient failures with backoff. + last_error: Optional[Exception] = None + for attempt in range(1, TIER1_FINALIZE_MAX_ATTEMPTS + 1): + try: + success = self.sdk.fullscans.finalize_tier1( + full_scan_id=full_scan_id, + tier1_reachability_scan_id=tier1_scan_id, + ) + + if success: + log.debug(f"Successfully finalized tier 1 scan {tier1_scan_id} for full scan {full_scan_id}") + return True + + log.debug( + f"finalize_tier1 returned a falsy result for scan {tier1_scan_id} " + f"(attempt {attempt}/{TIER1_FINALIZE_MAX_ATTEMPTS})" + ) + except Exception as e: + last_error = e + log.debug( + f"Unable to finalize tier 1 scan (attempt {attempt}/{TIER1_FINALIZE_MAX_ATTEMPTS}): {e}" + ) + + if attempt < TIER1_FINALIZE_MAX_ATTEMPTS: + time.sleep(TIER1_FINALIZE_BACKOFF_SECONDS * (2 ** (attempt - 1))) + + if last_error is not None: + log.debug( + f"Giving up finalizing tier 1 scan {tier1_scan_id} after " + f"{TIER1_FINALIZE_MAX_ATTEMPTS} attempts: {last_error}" + ) + else: + log.debug( + f"Giving up finalizing tier 1 scan {tier1_scan_id} after " + f"{TIER1_FINALIZE_MAX_ATTEMPTS} attempts" ) + return False - if success: - log.debug(f"Successfully finalized tier 1 scan {tier1_scan_id} for full scan {full_scan_id}") - return success + @staticmethod + def _compress_facts_file(source_path: str) -> str: + """Brotli-compress a ``.socket.facts.json`` file to a sibling ``.socket.facts.json.br``. - except Exception as e: - log.debug(f"Unable to finalize tier 1 scan: {e}") - return False + The source is streamed in chunks so a large facts file (hundreds of MB) never has + to be held in memory at once. The compressed file is written next to the source so + that the multipart key the SDK derives keeps the same directory prefix, only with a + ``.br`` basename. Any existing ``.socket.facts.json.br`` sibling is overwritten, and a + partially-written output is removed if compression fails part-way through (e.g. the + disk fills up mid-stream) so no orphaned ``.br`` is left in the target directory. + + Args: + source_path: Path to the plain ``.socket.facts.json`` file. + + Returns: + Path to the compressed sibling file. + """ + # Imported lazily so the dependency is only needed when actually uploading a facts + # file. brotlicffi is the API-compatible fallback used on PyPy / non-CPython runtimes. + try: + import brotli + except ImportError: + import brotlicffi as brotli + + target_path = os.path.join(os.path.dirname(source_path), SOCKET_FACTS_BROTLI_FILENAME) + compressor = brotli.Compressor( + quality=SOCKET_FACTS_BROTLI_QUALITY, + lgwin=SOCKET_FACTS_BROTLI_LGWIN, + ) + try: + with open(source_path, "rb") as src, open(target_path, "wb") as dst: + while True: + chunk = src.read(SOCKET_FACTS_BROTLI_CHUNK_SIZE) + if not chunk: + break + compressed = compressor.process(chunk) + if compressed: + dst.write(compressed) + dst.write(compressor.finish()) + except BaseException: + # Don't leave a half-written .br behind for the caller to miss (it only tracks + # the path for cleanup once this returns). Remove it, then re-raise so the caller + # falls back to uploading the plain file. + try: + os.unlink(target_path) + except OSError: + pass + raise + return target_path + + def _compress_facts_files_for_upload(self, files: List[str]) -> Tuple[List[str], List[str]]: + """Replace any ``.socket.facts.json`` upload entry with a brotli-compressed ``.br`` sibling. + + The Socket full-scan endpoint transparently decompresses a multipart part named + exactly ``.socket.facts.json.br``, so compressing here keeps a large facts file under + the server's per-file size cap without changing the stored result. Files whose + basename is not exactly ``.socket.facts.json`` are left untouched (the server only + matches that exact name), as are empty placeholder files (e.g. baseline scans). + + Compression never blocks an upload: if it fails for any reason (missing optional + ``brotli`` dependency, unwritable directory, etc.) the original plain file is used. + + Args: + files: The list of file paths about to be uploaded. + + Returns: + ``(upload_files, temp_paths)`` where ``upload_files`` is the possibly-rewritten + list to upload and ``temp_paths`` are compressed files the caller must delete + once the upload completes. + """ + upload_files: List[str] = [] + temp_paths: List[str] = [] + for file_path in files: + try: + if ( + os.path.basename(file_path) == SOCKET_FACTS_FILENAME + and os.path.isfile(file_path) + and os.path.getsize(file_path) > 0 + ): + compressed_path = self._compress_facts_file(file_path) + log.debug( + f"Brotli-compressed {file_path} for upload: " + f"{os.path.getsize(file_path)} -> {os.path.getsize(compressed_path)} bytes " + f"(uploading as {SOCKET_FACTS_BROTLI_FILENAME})" + ) + upload_files.append(compressed_path) + temp_paths.append(compressed_path) + continue + except Exception as e: + # Never let compression break an upload: fall back to the plain file. + log.warning( + f"Failed to brotli-compress facts file {file_path}, uploading uncompressed: {e}" + ) + upload_files.append(file_path) + return upload_files, temp_paths def create_full_scan(self, files: List[str], params: FullScanParams, base_paths: Optional[List[str]] = None) -> FullScan: """ @@ -538,7 +782,19 @@ def create_full_scan(self, files: List[str], params: FullScanParams, base_paths: log.info("Creating new full scan") create_full_start = time.time() - res = self.sdk.fullscans.post(files, params, use_types=True, use_lazy_loading=True, max_open_files=50, base_paths=base_paths) + # Brotli-compress the reachability facts file (if present) so it is uploaded as a + # `.socket.facts.json.br` part. The API decompresses it server-side, keeping a large + # facts file under the per-file upload size cap. See _compress_facts_files_for_upload. + upload_files, compressed_temp_files = self._compress_facts_files_for_upload(files) + try: + res = self.sdk.fullscans.post(upload_files, params, use_types=True, use_lazy_loading=True, max_open_files=50, base_paths=base_paths) + finally: + for temp_file in compressed_temp_files: + try: + os.unlink(temp_file) + log.debug(f"Cleaned up temporary compressed facts file: {temp_file}") + except OSError as cleanup_error: + log.debug(f"Failed to clean up temporary compressed facts file {temp_file}: {cleanup_error}") if not res.success: log.error(f"Error creating full scan: {res.message}, status: {res.status}") raise Exception(f"Error creating full scan: {res.message}, status: {res.status}") @@ -659,9 +915,48 @@ def create_full_scan_with_report_url( diff.report_url = f"{base_socket}/{self.config.org_slug}/sbom/{new_full_scan.id}" diff.diff_url = diff.report_url diff.id = new_full_scan.id - diff.packages = {} - # Return result in the format expected by the user + needs_alerts = ( + self.cli_config is not None + and ( + self.cli_config.enable_gitlab_security + or self.cli_config.enable_json + or self.cli_config.enable_sarif + ) + ) + + if needs_alerts: + log.info("Output format requires alerts, fetching SBOM data for full scan") + sbom_start = time.time() + sbom_artifacts_dict = self.get_sbom_data(new_full_scan.id) + sbom_artifacts = self.get_sbom_data_list(sbom_artifacts_dict) + packages = self._create_packages_dict_without_license_text(sbom_artifacts) + diff.packages = packages + + all_alerts_collection: Dict[str, List[Issue]] = {} + for package_id, package in packages.items(): + self.add_package_alerts_to_collection( + package=package, + alerts_collection=all_alerts_collection, + packages=packages + ) + + consolidated: Set[str] = set() + for alert_key, alerts in all_alerts_collection.items(): + for alert in alerts: + alert_str = f"{alert.purl},{alert.type}" + if (alert.error or alert.warn) and alert_str not in consolidated: + diff.new_alerts.append(alert) + consolidated.add(alert_str) + + sbom_end = time.time() + log.info( + f"Fetched {len(packages)} packages and {len(diff.new_alerts)} alerts " + f"in {sbom_end - sbom_start:.2f}s" + ) + else: + diff.packages = {} + return diff def get_full_scan(self, full_scan_id: str) -> FullScan: @@ -712,6 +1007,30 @@ def create_packages_dict(self, sbom_artifacts: list[SocketArtifact]) -> dict[str return packages + @staticmethod + def _create_packages_dict_without_license_text( + sbom_artifacts: list[SocketArtifact], + ) -> dict[str, Package]: + """Like create_packages_dict but skips the license-metadata API call. + + Used when we only need packages for alert extraction (e.g. populating + GitLab/JSON/SARIF reports from a full scan) and don't need license text. + """ + packages: dict[str, Package] = {} + top_level_count: dict[str, int] = {} + for artifact in sbom_artifacts: + package = Package.from_socket_artifact(asdict(artifact)) + if package.id not in packages: + packages[package.id] = package + if package.topLevelAncestors: + for top_id in package.topLevelAncestors: + top_level_count[top_id] = top_level_count.get(top_id, 0) + 1 + + for package_id, package in packages.items(): + package.transitives = top_level_count.get(package_id, 0) + + return packages + def get_package_license_text(self, package: Package) -> str: """ Gets the license text for a package if available. @@ -835,6 +1154,7 @@ def get_license_text_via_purl(self, packages: dict[str, Package], batch_size: in results = self.sdk.purl.post( license=True, components=batch_components, + org_slug=self.config.org_slug, licenseattrib=True, licensedetails=True ) @@ -856,7 +1176,8 @@ def get_license_text_via_purl(self, packages: dict[str, Package], batch_size: in def get_added_and_removed_packages( self, head_full_scan_id: str, - new_full_scan_id: str + new_full_scan_id: str, + include_license_details: bool = False ) -> Tuple[Dict[str, Package], Dict[str, Package], Dict[str, Package]]: """ Get packages that were added and removed between scans. @@ -864,6 +1185,27 @@ def get_added_and_removed_packages( Args: head_full_scan_id: Previous scan (maybe None if first scan) new_full_scan_id: New scan just created + include_license_details: Whether to ask the diff endpoint to embed + per-package license attribution/details in the response. + + Defaults to ``False`` on purpose. The diff endpoint exists to + compare alerts between two scans; the license fields it can embed + are never consumed off the diff: + * When ``--generate-license`` is OFF, the only consumer of + ``Package.licenseDetails``/``licenseAttrib`` (the legal/FOSSA + artifact builder) is never invoked, so the embedded license + data is parsed and then dropped on the floor. + * When ``--generate-license`` is ON, ``get_license_text_via_purl`` + re-fetches license data from the dedicated PURL endpoint and + OVERWRITES whatever the diff embedded, before anything reads it. + Either way the embedded license payload is dead weight, and on + large dependency trees it inflated the diff response past ~2.3MB + and truncated it mid-string, crashing ``response.json()`` + (CE-224, customer: Tremendous). Defaulting to ``False`` keeps the + diff lean with zero change to any output artifact. The parameter + is retained as an explicit override seam, not wired to the + ``--exclude-license-details`` user flag (which still governs the + human-facing dashboard report URL). Returns: Tuple of (added_packages, removed_packages) dictionaries @@ -873,16 +1215,18 @@ def get_added_and_removed_packages( diff_start = time.time() try: diff_report = ( - self.sdk.fullscans.stream_diff - ( + self.sdk.fullscans.stream_diff( self.config.org_slug, head_full_scan_id, new_full_scan_id, - use_types=True + use_types=True, + include_license_details=str(include_license_details).lower() ).data ) except APIFailure as e: log.error(f"API Error: {e}") + if self.cli_config and self.cli_config.disable_blocking: + sys.exit(0) sys.exit(1) except Exception as e: import traceback @@ -1060,6 +1404,8 @@ def create_new_diff( os.unlink(temp_file) except OSError: pass + if self.cli_config and self.cli_config.disable_blocking: + sys.exit(0) sys.exit(1) except Exception as e: import traceback @@ -1081,12 +1427,24 @@ def create_new_diff( except OSError as e: log.warning(f"Failed to clean up temporary file {temp_file}: {e}") - # Handle diff generation - now we always have both scans + # Handle diff generation - now we always have both scans. + # + # Note: we intentionally do NOT forward params.include_license_details + # (the --exclude-license-details user flag) into the diff request. The + # diff path never consumes embedded license data (see + # get_added_and_removed_packages docstring), so requesting it only bloats + # the response and risks the CE-224 truncation crash on large repos. The + # user flag still controls the dashboard report URL below; it just no + # longer gates this internal diff payload. ( added_packages, removed_packages, packages - ) = self.get_added_and_removed_packages(head_full_scan_id, new_full_scan.id) + ) = self.get_added_and_removed_packages( + head_full_scan_id, + new_full_scan.id, + include_license_details=False + ) # Separate unchanged packages from added/removed for --strict-blocking support unchanged_packages = { @@ -1334,11 +1692,19 @@ def add_package_alerts_to_collection(self, package: Package, alerts_collection: alert = Alert(**alert_item) props = getattr(self.config.all_issues, alert.type, default_props) introduced_by = self.get_source_data(package, packages) - - # Handle special case for license policy violations + + # Title resolution order: + # 1. SDK-provided title (props.title) if non-empty + # 2. Explicit override for known-but-unmapped alert types (e.g. gptDidYouMean) + # 3. Hard-coded special cases (e.g. licenseSpdxDisj) + # 4. Humanized alert.type as last-resort fallback title = props.title - if alert.type == "licenseSpdxDisj" and not title: + if not title: + title = _ALERT_TYPE_TITLE_OVERRIDES.get(alert.type, "") + if not title and alert.type == "licenseSpdxDisj": title = "License Policy Violation" + if not title: + title = _humanize_alert_type(alert.type) issue_alert = Issue( pkg_type=package.type, diff --git a/socketsecurity/core/classes.py b/socketsecurity/core/classes.py index d211079..db14522 100644 --- a/socketsecurity/core/classes.py +++ b/socketsecurity/core/classes.py @@ -207,7 +207,7 @@ def from_diff_artifact(cls, data: dict) -> "Package": name=data["name"], version=data["version"], type=data["type"], - score=data.get("score", data.get("scores", {})), + score=data.get("score") or data.get("scores") or {}, alerts=data.get("alerts", []), author=data.get("author", []), size=data.get("size"), @@ -236,7 +236,7 @@ def from_diff_artifact(cls, data: dict) -> "Package": name=data["name"], version=data["version"], type=data["type"], - score=data.get("score", data.get("scores", {})), + score=data.get("score") or data.get("scores") or {}, alerts=data.get("alerts", []), author=data.get("author", []), size=data.get("size"), @@ -448,6 +448,8 @@ def __init__(self, **kwargs): self.capabilities = [] if not hasattr(self, "is_new"): self.is_new = False + if not hasattr(self, "scores") or self.scores is None: + self.scores = {} self.author_url = Purl.generate_author_data(self.author, self.ecosystem) @staticmethod diff --git a/socketsecurity/core/cli_client.py b/socketsecurity/core/cli_client.py index 8bb2ed6..bfad0d1 100644 --- a/socketsecurity/core/cli_client.py +++ b/socketsecurity/core/cli_client.py @@ -1,4 +1,5 @@ import base64 +import json import logging from typing import Dict, List, Optional, Union @@ -55,3 +56,18 @@ def request( except requests.exceptions.RequestException as e: logger.error(f"API request failed: {str(e)}") raise APIFailure(f"Request failed: {str(e)}") + + def post_telemetry_events(self, org_slug: str, events: List[Dict]) -> None: + """Post telemetry events one at a time to the v0 telemetry API. Fire-and-forget โ€” logs errors but never raises.""" + logger.debug(f"Sending {len(events)} telemetry event(s) to v0/orgs/{org_slug}/telemetry") + for i, event in enumerate(events): + try: + logger.debug(f"Telemetry event {i+1}/{len(events)}: {json.dumps(event)}") + resp = self.request( + path=f"orgs/{org_slug}/telemetry", + method="POST", + payload=json.dumps(event), + ) + logger.debug(f"Telemetry event {i+1}/{len(events)} sent: status={resp.status_code}") + except Exception as e: + logger.warning(f"Failed to send telemetry event {i+1}/{len(events)}: {e}") diff --git a/socketsecurity/core/git_interface.py b/socketsecurity/core/git_interface.py index d750284..da61406 100644 --- a/socketsecurity/core/git_interface.py +++ b/socketsecurity/core/git_interface.py @@ -1,3 +1,4 @@ +import re import urllib.parse import os @@ -108,6 +109,11 @@ def __init__(self, path: str): # Try git name-rev first (most reliable for detached HEAD) result = self.repo.git.name_rev('--name-only', 'HEAD') if result and result != 'undefined': + # Strip name-rev suffix operators (~N, ^N, or combinations + # like master~3^2). These characters are forbidden in git + # ref names, so cutting at the first occurrence can never + # truncate a real branch name. + result = re.split(r'[~^]', result, maxsplit=1)[0] # Clean up the result (remove any prefixes like 'remotes/origin/') git_detected_branch = result.split('/')[-1] log.debug(f"Branch detected from git name-rev: {git_detected_branch}") diff --git a/socketsecurity/core/messages.py b/socketsecurity/core/messages.py index db62a6b..319e454 100644 --- a/socketsecurity/core/messages.py +++ b/socketsecurity/core/messages.py @@ -3,7 +3,7 @@ import os import re import uuid -from datetime import datetime +from datetime import datetime, timezone from pathlib import Path from mdutils import MdUtils from prettytable import PrettyTable @@ -593,6 +593,20 @@ def create_security_comment_json(diff: Diff) -> dict: output["new_alerts"].append(json.loads(str(alert))) return output + @staticmethod + def _pkg_type_to_package_manager(pkg_type: str) -> str: + """Map Socket pkg_type to GitLab package_manager name for dependency_files.""" + mapping = { + "npm": "npm", + "pypi": "pip", + "go": "go", + "maven": "maven", + "gem": "bundler", + "nuget": "nuget", + "cargo": "cargo", + } + return mapping.get(pkg_type, pkg_type or "unknown") + @staticmethod def map_socket_severity_to_gitlab(severity: str) -> str: """ @@ -743,15 +757,18 @@ def create_security_comment_gitlab(diff: Diff) -> dict: } }, "type": "dependency_scanning", - "start_time": datetime.utcnow().isoformat() + "Z", - "end_time": datetime.utcnow().isoformat() + "Z", + "start_time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"), + "end_time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"), "status": "success" }, - "vulnerabilities": [] + "vulnerabilities": [], + "dependency_files": [] } - # Process each alert - for alert in diff.new_alerts: + dep_files_map: dict = {} + + all_alerts = list(diff.new_alerts) + list(getattr(diff, 'unchanged_alerts', [])) + for alert in all_alerts: vulnerability = { "id": Messages.generate_uuid_from_alert_gitlab(alert), "category": "dependency_scanning", @@ -764,12 +781,29 @@ def create_security_comment_gitlab(diff: Diff) -> dict: "location": Messages.extract_location_gitlab(alert) } - # Add solution if available if hasattr(alert, 'suggestion') and alert.suggestion: vulnerability["solution"] = alert.suggestion gitlab_report["vulnerabilities"].append(vulnerability) + file_path = vulnerability["location"]["file"] + if file_path != "unknown": + pkg_manager = Messages._pkg_type_to_package_manager( + alert.pkg_type if hasattr(alert, 'pkg_type') else "" + ) + if file_path not in dep_files_map: + dep_files_map[file_path] = { + "path": file_path, + "package_manager": pkg_manager, + "dependencies": [] + } + dep_files_map[file_path]["dependencies"].append({ + "package": {"name": alert.pkg_name}, + "version": alert.pkg_version + }) + + gitlab_report["dependency_files"] = list(dep_files_map.values()) + return gitlab_report @staticmethod @@ -816,6 +850,8 @@ def security_comment_template(diff: Diff, config=None) -> str: """ + show_ignore = not (config and getattr(config, 'disable_ignore', False)) + # Loop through security alerts (non-license), dynamically generating rows for alert in security_alerts: severity_icon = Messages.get_severity_icon(alert.severity) @@ -824,6 +860,12 @@ def security_comment_template(diff: Diff, config=None) -> str: # Generate proper manifest URL manifest_url = Messages.get_manifest_file_url(diff, alert.manifests, config) # Generate a table row for each alert + ignore_html = ( + f"

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
" + f"@SocketSecurity ignore {alert.pkg_name}@{alert.pkg_version}
" + f"Or ignore all future alerts with:
" + f"@SocketSecurity ignore-all

" + ) if show_ignore else "" comment += f""" @@ -836,16 +878,13 @@ def security_comment_template(diff: Diff, config=None) -> str: {alert.pkg_name}@{alert.pkg_version} - {alert.title}

Note: {alert.description}

Source: Manifest File

-

โ„น๏ธ Read more on: - This package | - This alert | +

โ„น๏ธ Read more on: + This package | + This alert | What is known malware?

Suggestion: {alert.suggestion}

-

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
- @SocketSecurity ignore {alert.pkg_name}@{alert.pkg_version}
- Or ignore all future alerts with:
- @SocketSecurity ignore-all

+ {ignore_html}
@@ -883,14 +922,20 @@ def security_comment_template(diff: Diff, config=None) -> str: # Generate proper manifest URL for license violations license_manifest_url = Messages.get_manifest_file_url(diff, first_alert.manifests, config) - + + license_ignore_html = ( + f"

Mark the package as acceptable risk: To ignore this alert only in this pull request, reply with the comment " + f"@SocketSecurity ignore {first_alert.pkg_name}@{first_alert.pkg_version}. " + f"You can also ignore all packages with @SocketSecurity ignore-all. " + f"To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

" + ) if show_ignore else "" comment += f"""

From: Manifest File

โ„น๏ธ Read more on: This package | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

-

Mark the package as acceptable risk: To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore {first_alert.pkg_name}@{first_alert.pkg_version}. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

+ {license_ignore_html}
@@ -1134,12 +1179,27 @@ def score_to_badge(score): score_percent = int(score * 100) # Convert to integer percentage return f"[![{score_percent}](https://github-app-statics.socket.dev/score-{score_percent}.svg)]({added.url})" + def get_score_for_badge(score_name: str) -> float: + scores = getattr(added, "scores", None) + if isinstance(scores, dict): + raw_score = scores.get(score_name) + else: + raw_score = getattr(scores, score_name, None) if scores is not None else None + + if raw_score is None: + return 1.0 + + score = float(raw_score) + if score > 1: + score = score / 100 + return max(0.0, min(score, 1.0)) + # Generate badges for each score type - supply_chain_risk_badge = score_to_badge(added.scores.get("supplyChain", 100)) - vulnerability_badge = score_to_badge(added.scores.get("vulnerability", 100)) - quality_badge = score_to_badge(added.scores.get("quality", 100)) - maintenance_badge = score_to_badge(added.scores.get("maintenance", 100)) - license_badge = score_to_badge(added.scores.get("license", 100)) + supply_chain_risk_badge = score_to_badge(get_score_for_badge("supplyChain")) + vulnerability_badge = score_to_badge(get_score_for_badge("vulnerability")) + quality_badge = score_to_badge(get_score_for_badge("quality")) + maintenance_badge = score_to_badge(get_score_for_badge("maintenance")) + license_badge = score_to_badge(get_score_for_badge("license")) # Add the row for this package row = [ diff --git a/socketsecurity/core/scm/gitlab.py b/socketsecurity/core/scm/gitlab.py index e88e050..b3b3492 100644 --- a/socketsecurity/core/scm/gitlab.py +++ b/socketsecurity/core/scm/gitlab.py @@ -1,3 +1,4 @@ +import json import os import sys from dataclasses import dataclass @@ -219,6 +220,24 @@ def update_comment(self, body: str, comment_id: str) -> None: base_url=self.config.api_url ) + def has_thumbsup_reaction(self, comment_id: int) -> bool: + """Best-effort check for 'thumbsup' award emoji on a MR note.""" + if not self.config.mr_project_id or not self.config.mr_iid: + return False + path = f"projects/{self.config.mr_project_id}/merge_requests/{self.config.mr_iid}/notes/{comment_id}/award_emoji" + try: + response = self._request_with_fallback( + path=path, + headers=self.config.headers, + base_url=self.config.api_url + ) + for emoji in response.json(): + if emoji.get("name") == "thumbsup": + return True + except Exception as e: + log.debug(f"Could not check award emoji for note {comment_id} (best effort): {e}") + return False + def get_comments_for_pr(self) -> dict: log.debug(f"Getting Gitlab comments for Repo {self.config.repository} for PR {self.config.mr_iid}") path = f"projects/{self.config.mr_project_id}/merge_requests/{self.config.mr_iid}/notes" @@ -326,9 +345,32 @@ def set_commit_status(self, state: str, description: str, target_url: str = '') except Exception as e: log.error(f"Failed to set commit status: {e}") + def post_thumbsup_reaction(self, comment_id: int) -> None: + """Best-effort: add 'thumbsup' award emoji to a MR note.""" + if not self.config.mr_project_id or not self.config.mr_iid: + return + path = f"projects/{self.config.mr_project_id}/merge_requests/{self.config.mr_iid}/notes/{comment_id}/award_emoji" + try: + headers = {**self.config.headers, "Content-Type": "application/json"} + self._request_with_fallback( + path=path, + payload=json.dumps({"name": "thumbsup"}), + method="POST", + headers=headers, + base_url=self.config.api_url + ) + except Exception as e: + log.debug(f"Could not add thumbsup emoji to note {comment_id} (best effort): {e}") + + def handle_ignore_reactions(self, comments: dict) -> None: + for comment in comments.get("ignore", []): + if "SocketSecurity ignore" in comment.body and not self.has_thumbsup_reaction(comment.id): + self.post_thumbsup_reaction(comment.id) + def remove_comment_alerts(self, comments: dict): security_alert = comments.get("security") if security_alert is not None: # Type narrowing: after None check, mypy knows this is Comment new_body = Comments.process_security_comment(security_alert, comments) + self.handle_ignore_reactions(comments) self.update_comment(new_body, str(security_alert.id)) diff --git a/socketsecurity/core/scm_comments.py b/socketsecurity/core/scm_comments.py index bd1b4d7..741578e 100644 --- a/socketsecurity/core/scm_comments.py +++ b/socketsecurity/core/scm_comments.py @@ -51,11 +51,13 @@ def get_ignore_options(comments: dict) -> [bool, list]: for comment in comments["ignore"]: comment: Comment first_line = comment.body_list[0] - if not ignore_all and "SocketSecurity ignore" in first_line: + if not ignore_all and "socketsecurity ignore" in first_line.lower(): try: first_line = first_line.lstrip("@") - _, command = first_line.split("SocketSecurity ") - command = command.strip() + # Case-insensitive split: find "SocketSecurity " regardless of casing + lower_line = first_line.lower() + split_idx = lower_line.index("socketsecurity ") + len("socketsecurity ") + command = first_line[split_idx:].strip() if command == "ignore-all": ignore_all = True else: diff --git a/socketsecurity/core/tools/reachability.py b/socketsecurity/core/tools/reachability.py index 581ea70..008bd65 100644 --- a/socketsecurity/core/tools/reachability.py +++ b/socketsecurity/core/tools/reachability.py @@ -1,15 +1,31 @@ from socketdev import socketdev from typing import List, Optional, Dict, Any import os +import platform import subprocess import json import pathlib import logging import sys +from socketsecurity import __version__ + log = logging.getLogger(__name__) +def _build_caller_user_agent() -> str: + """Build the SOCKET_CALLER_USER_AGENT string forwarded to the coana CLI. + + Mirrors the Node CLI's ``/ / /`` + shape so the backend can attribute reachability calls to the Python CLI. + """ + return ( + f"socket/{__version__} " + f"python/{platform.python_version()} " + f"{platform.system().lower()}/{platform.machine().lower()}" + ) + + class ReachabilityAnalyzer: def __init__(self, sdk: socketdev, api_token: str): self.sdk = sdk @@ -104,6 +120,12 @@ def run_reachability_analysis( allow_unverified: bool = False, enable_debug: bool = False, use_only_pregenerated_sboms: bool = False, + continue_on_analysis_errors: bool = False, + continue_on_install_errors: bool = False, + continue_on_missing_lock_files: bool = False, + continue_on_no_source_files: bool = False, + reach_debug: bool = False, + disable_external_tool_checks: bool = False, ) -> Dict[str, Any]: """ Run reachability analysis. @@ -143,8 +165,7 @@ def run_reachability_analysis( # Add required arguments output_dir = str(pathlib.Path(output_path).parent) - log.warning(f"output_dir: {output_dir}") - log.warning(f"output_path: {output_path}") + log.debug(f"output_dir: {output_dir}, output_path: {output_path}") cmd.extend([ "--output-dir", output_dir, "--socket-mode", output_path, @@ -193,9 +214,27 @@ def run_reachability_analysis( if enable_debug: cmd.append("-d") + if reach_debug: + cmd.append("--debug") + + if disable_external_tool_checks: + cmd.append("--disable-external-tool-checks") + if use_only_pregenerated_sboms: cmd.append("--use-only-pregenerated-sboms") + if continue_on_analysis_errors: + cmd.append("--reach-continue-on-analysis-errors") + + if continue_on_install_errors: + cmd.append("--reach-continue-on-install-errors") + + if continue_on_missing_lock_files: + cmd.append("--reach-continue-on-missing-lock-files") + + if continue_on_no_source_files: + cmd.append("--reach-continue-on-no-source-files") + # Add any additional parameters provided by the user if additional_params: cmd.extend(additional_params) @@ -206,14 +245,25 @@ def run_reachability_analysis( # Required environment variables for Coana CLI env["SOCKET_ORG_SLUG"] = org_slug env["SOCKET_CLI_API_TOKEN"] = self.api_token - - # Optional environment variables + + # Identify the calling CLI to the coana tool / backend (parity with the Node CLI). + env["SOCKET_CLI_VERSION"] = __version__ + env["SOCKET_CALLER_USER_AGENT"] = _build_caller_user_agent() + + # NOTE: no proxy env is set here. coana already reads HTTPS_PROXY/HTTP_PROXY itself, and + # we pass the full parent env above, so it inherits them. A SOCKET_CLI_API_PROXY override + # should only be set from an explicit --proxy flag (not yet implemented), since seeding it + # from HTTPS_PROXY would be a no-op (it's the same value coana already resolves). + + # Optional environment variables. + # NOTE: repo/branch are intentionally omitted by the caller (passed as None) when they + # are the default sentinels, to avoid polluting coana's per-repo/branch cache buckets. if repo_name: env["SOCKET_REPO_NAME"] = repo_name - + if branch_name: env["SOCKET_BRANCH_NAME"] = branch_name - + # Set NODE_TLS_REJECT_UNAUTHORIZED=0 if allow_unverified is True if allow_unverified: env["NODE_TLS_REJECT_UNAUTHORIZED"] = "0" diff --git a/socketsecurity/core/utils.py b/socketsecurity/core/utils.py index 6e9fb09..9485ec8 100644 --- a/socketsecurity/core/utils.py +++ b/socketsecurity/core/utils.py @@ -38,6 +38,15 @@ }, "pnpm-workspace.yml": { "pattern": "pnpm-workspace.yml" + }, + "bun.lock": { + "pattern": "bun.lock" + }, + "bun.lockb": { + "pattern": "bun.lockb" + }, + "vlt-lock.json": { + "pattern": "vlt-lock.json" } }, "pypi": { @@ -105,4 +114,4 @@ "pattern": "packages.lock.json" } } -} \ No newline at end of file +} diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py new file mode 100644 index 0000000..0be11a9 --- /dev/null +++ b/socketsecurity/fossa_compat.py @@ -0,0 +1,459 @@ +"""FOSSA-compat output shaping for `--legal-format fossa`. + +Builds two artifacts whose top-level shapes mirror real FOSSA pipeline outputs: + + fossa-analyze.json โ€” wrapper of {project, vulnerability, licensing, quality}, + where `project` is the raw `fossa analyze --json` shape and + the three arrays are FOSSA /api/v2/issues-shaped items. + fossa-sbom.json โ€” `fossa report --json attribution` shape: 5 top-level keys + (copyrightsByLicense, deepDependencies, directDependencies, + licenses, project). + +Fields without a Socket data source are emitted as documented defaults: + + vulnerability[]: + epss -> {score: None, percentile: None} + cvssVector -> None + exploitability -> None + cveStatus -> None + published -> None + containerLayers -> {base: 0, other: 0} + customRiskScore -> None + remediation.partialFixDistance, completeFixDistance -> None (semver-distance TBD) + remediation.partialFix, completeFix -> same Socket fix version + (Socket has no partial/complete distinction) + projects[].scannedAt, analyzedAt, firstFoundAt -> None + + dependencies[] (SBOM): + description, downloadUrl, projectUrl -> "" + hash, isGolang -> None (always null in real FOSSA samples) + notes, otherLicenses -> [] + + Top-level SBOM: + copyrightsByLicense -> {} (would require parsing attribText for `Copyright (c)` lines) + licenses -> {} (would require bundling SPDX license body texts) +""" +from __future__ import annotations + +from typing import Any, Iterable, Optional + +from socketsecurity.config import CliConfig +from socketsecurity.core.classes import Diff, Issue, Package + +LICENSE_ALERT_TYPES = {"licenseSpdxDisj"} +QUALITY_ALERT_PREFIXES = ("risk", "quality", "outdated", "unmaintained") + + +def _ecosystem_to_package_manager(ecosystem: Optional[str]) -> str: + mapping = { + "pypi": "pip", + "npm": "npm", + "maven": "maven", + "nuget": "nuget", + "gem": "gem", + "golang": "go", + "cargo": "cargo", + } + if not ecosystem: + return "unknown" + return mapping.get(ecosystem, ecosystem) + + +def _listify(value: Any) -> list[Any]: + if value is None: + return [] + if isinstance(value, list): + return value + return [value] + + +def _first_non_empty(*values: Any) -> Any: + for value in values: + if value not in (None, "", [], {}): + return value + return None + + +def _build_project_metadata(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + repo = getattr(config, "repo", None) or "socket-default-repo" + branch = getattr(config, "branch", None) or "socket-default-branch" + revision = getattr(diff_report, "id", None) or getattr(diff_report, "new_scan_id", None) or "unknown-revision" + report_url = getattr(diff_report, "report_url", None) or getattr(diff_report, "diff_url", None) + return { + "branch": branch, + "id": f"{repo}${revision}", + "project": repo, + "projectId": repo, + "revision": revision, + "url": report_url, + } + + +def _build_source_metadata(issue: Issue, package: Optional[Package]) -> dict[str, Any]: + package_type = _ecosystem_to_package_manager( + getattr(package, "type", None) or getattr(issue, "pkg_type", None) + ) + package_name = getattr(package, "name", None) or getattr(issue, "pkg_name", None) + package_version = getattr(package, "version", None) or getattr(issue, "pkg_version", None) + package_url = getattr(package, "url", None) or getattr(issue, "url", None) + return { + "id": f"{package_type}+{package_name}${package_version}", + "name": package_name, + "url": package_url, + "version": package_version, + "packageManager": package_type, + } + + +def _build_depths(package: Optional[Package]) -> dict[str, int]: + is_direct = bool(getattr(package, "direct", False)) + return { + "direct": 1 if is_direct else 0, + "deep": 0 if is_direct else 1, + } + + +def _build_statuses(issue: Issue) -> dict[str, int]: + is_ignored = bool(getattr(issue, "ignore", False)) + return { + "active": 0 if is_ignored else 1, + "ignored": 1 if is_ignored else 0, + } + + +def _build_projects_entry(project: dict[str, Any], package: Optional[Package]) -> list[dict[str, Any]]: + is_direct = bool(getattr(package, "direct", False)) + return [{ + "id": project["projectId"], + "status": "active", + "depth": 1 if is_direct else 2, + "title": project["project"], + "scannedAt": None, + "analyzedAt": None, + "url": project["url"], + "firstFoundAt": None, + "defaultBranch": project["branch"], + "latest": True, + "revisionId": f"{project['projectId']}${project['revision']}", + "revisionScanId": project["revision"], + }] + + +def _extract_cve(props: dict[str, Any]) -> Optional[str]: + cve = _first_non_empty(props.get("cveId"), props.get("cve")) + if isinstance(cve, list): + return cve[0] if cve else None + return cve + + +def _extract_float(*values: Any) -> Optional[float]: + value = _first_non_empty(*values) + if value is None: + return None + try: + return float(value) + except (TypeError, ValueError): + return None + + +def _extract_string_list(*values: Any) -> list[str]: + items = _listify(_first_non_empty(*values)) + output = [] + for item in items: + if isinstance(item, str) and item: + output.append(item) + return output + + +def _build_remediation(props: dict[str, Any]) -> dict[str, Any]: + fix = _first_non_empty( + props.get("firstPatchedVersionIdentifier"), + props.get("partialFix"), + props.get("completeFix"), + props.get("fixedVersion"), + props.get("fixed_version"), + props.get("patchedVersion"), + props.get("patched_version"), + ) + return { + "partialFix": fix, + "partialFixDistance": props.get("partialFixDistance"), + "completeFix": fix, + "completeFixDistance": props.get("completeFixDistance"), + } + + +def _build_epss(props: dict[str, Any]) -> dict[str, Any]: + score = _extract_float(props.get("epssScore"), props.get("epss_score")) + percentile = _extract_float(props.get("epssPercentile"), props.get("epss_percentile")) + return { + "score": score, + "percentile": percentile, + } + + +def _build_metrics(props: dict[str, Any]) -> list[dict[str, Any]]: + metrics = props.get("metrics") + if isinstance(metrics, list): + return metrics + + metric_map = [ + ("Attack Vector", props.get("attackVector")), + ("Attack Complexity", props.get("attackComplexity")), + ("Privileges Required", props.get("privilegesRequired")), + ("User Interaction", props.get("userInteraction")), + ("Scope", props.get("scope")), + ("Confidentiality Impact", props.get("confidentialityImpact")), + ("Integrity Impact", props.get("integrityImpact")), + ("Availability Impact", props.get("availabilityImpact")), + ] + return [ + {"name": name, "value": value} + for name, value in metric_map + if value not in (None, "") + ] + + +def _extract_references(issue: Issue, props: dict[str, Any]) -> list[str]: + references = _listify(props.get("references")) + if props.get("url"): + references.append(props["url"]) + if getattr(issue, "url", None): + references.append(issue.url) + deduped = [] + seen = set() + for reference in references: + if not isinstance(reference, str) or not reference: + continue + if reference in seen: + continue + seen.add(reference) + deduped.append(reference) + return deduped + + +def _build_vulnerability_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + return { + "id": props.get("id") or f"socket-vulnerability-{index}", + "type": "vulnerability", + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "containerLayers": {"base": 0, "other": 0}, + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "vulnId": _first_non_empty(props.get("ghsaId"), props.get("cveId"), issue.key, f"socket-vuln-{index}"), + "title": getattr(issue, "title", None), + "cve": _extract_cve(props), + "cvss": _extract_float(props.get("cvssScore"), props.get("cvss")), + "severity": getattr(issue, "severity", "unknown"), + "details": _first_non_empty(getattr(issue, "description", None), props.get("overview"), props.get("note")), + "remediation": _build_remediation(props), + "metrics": _build_metrics(props), + "cveStatus": props.get("cveStatus"), + "cwes": _extract_string_list(props.get("cwes"), props.get("cwe")), + "published": props.get("published"), + "affectedVersionRanges": _extract_string_list( + props.get("affectedVersionRanges"), + props.get("vulnerableVersionRange"), + props.get("affected_versions"), + ), + "patchedVersionRanges": _extract_string_list( + props.get("patchedVersionRanges"), + props.get("firstPatchedVersionIdentifier"), + props.get("patched_versions"), + ), + "references": _extract_references(issue, props), + "cvssVector": props.get("cvssVector"), + "exploitability": props.get("exploitability"), + "epss": _build_epss(props), + "cpes": _extract_string_list(props.get("cpes")), + "customRiskScore": None, + } + + +def _build_licensing_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + package_license = getattr(package, "license", None) + issue_type = "policy_conflict" + if not package_license: + issue_type = "unlicensed_dependency" + elif getattr(issue, "type", None) not in LICENSE_ALERT_TYPES: + issue_type = "policy_flag" + return { + "id": props.get("id") or f"socket-licensing-{index}", + "type": issue_type, + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "title": getattr(issue, "title", None) or "License Policy Violation", + "details": _first_non_empty(getattr(issue, "description", None), props.get("note"), package_license), + "license": package_license, + "identifiedLicense": package_license, + "references": _extract_references(issue, props), + } + + +def _build_quality_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + return { + "id": props.get("id") or f"socket-quality-{index}", + "type": getattr(issue, "type", None) or "quality_issue", + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "title": getattr(issue, "title", None), + "details": _first_non_empty(getattr(issue, "description", None), props.get("note")), + "references": _extract_references(issue, props), + } + + +def _iter_selected_issues(diff_report: Diff, config: CliConfig) -> Iterable[Issue]: + """Yield all currently-present issues (new + unchanged) to match FOSSA's + /api/v2/issues behavior, which returns a point-in-time snapshot of all + issues at the scan revision, not only diff-new ones. The `config` argument + is retained for signature stability but no longer gates output. + """ + yield from getattr(diff_report, "new_alerts", []) or [] + yield from getattr(diff_report, "unchanged_alerts", []) or [] + + +def _classify_issue(issue: Issue) -> str: + issue_type = (getattr(issue, "type", "") or "").lower() + category = (getattr(issue, "category", "") or "").lower() + if issue_type in LICENSE_ALERT_TYPES or "license" in issue_type or category == "licensing": + return "licensing" + if category == "quality" or issue_type.startswith(QUALITY_ALERT_PREFIXES): + return "quality" + return "vulnerability" + + +def build_fossa_report_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + project = _build_project_metadata(diff_report, config) + package_lookup = getattr(diff_report, "packages", {}) or {} + vulnerabilities = [] + licensing = [] + quality = [] + + for index, issue in enumerate(_iter_selected_issues(diff_report, config), start=1): + package = package_lookup.get(getattr(issue, "pkg_id", "")) if package_lookup else None + category = _classify_issue(issue) + if category == "licensing": + licensing.append(_build_licensing_entry(issue, package, project, index)) + elif category == "quality": + quality.append(_build_quality_entry(issue, package, project, index)) + else: + vulnerabilities.append(_build_vulnerability_entry(issue, package, project, index)) + + return { + "project": project, + "vulnerability": vulnerabilities, + "licensing": licensing, + "quality": quality, + } + + +def _build_attribution_project(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + repo = getattr(config, "repo", None) or "socket-default-repo" + revision = ( + getattr(diff_report, "id", None) + or getattr(diff_report, "new_scan_id", None) + or "unknown-revision" + ) + return {"name": repo, "revision": revision} + + +def _build_dependency_licenses(package: Package) -> list[dict[str, str]]: + """Build the `licenses[]` array: prefer licenseAttrib entries (full attribution text), + fall back to a single name-only entry from declared license, else empty. + """ + attribs = getattr(package, "licenseAttrib", None) or [] + licenses = [] + for attrib in attribs: + attrib_text = attrib.get("attribText", "") if isinstance(attrib, dict) else getattr(attrib, "attribText", "") + attrib_data = attrib.get("attribData", []) if isinstance(attrib, dict) else getattr(attrib, "attribData", []) + spdx = "" + if attrib_data: + first = attrib_data[0] + spdx = first.get("spdxExpr", "") if isinstance(first, dict) else getattr(first, "spdxExpr", "") + if attrib_text or spdx: + licenses.append({"attribution": attrib_text or "", "name": spdx or getattr(package, "license", "") or ""}) + if licenses: + return licenses + declared = getattr(package, "license", None) + if declared: + return [{"attribution": "", "name": declared}] + return [] + + +def _build_dependency_entry(package: Package, dependency_paths: list[str]) -> dict[str, Any]: + return { + "authors": list(getattr(package, "author", []) or []), + "dependencyPaths": list(dependency_paths), + "description": "", + "downloadUrl": "", + "hash": None, + "isGolang": None, + "licenses": _build_dependency_licenses(package), + "notes": [], + "otherLicenses": [], + "package": package.name, + "projectUrl": "", + "source": _ecosystem_to_package_manager(package.type), + "title": package.name, + "version": package.version, + } + + +def _compute_dependency_paths(package: Package, package_lookup: dict[str, Package]) -> list[str]: + if bool(getattr(package, "direct", False)): + return [package.name] + ancestors = getattr(package, "topLevelAncestors", None) or [] + paths = [] + for ancestor_id in ancestors: + ancestor = package_lookup.get(ancestor_id) + if ancestor and getattr(ancestor, "name", None): + paths.append(f"{ancestor.name} > {package.name}") + if not paths: + return [package.name] + return paths + + +def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]: + direct: list[dict[str, Any]] = [] + deep: list[dict[str, Any]] = [] + package_lookup = {getattr(p, "id", None): p for p in packages if getattr(p, "id", None)} + for package in packages: + paths = _compute_dependency_paths(package, package_lookup) + entry = _build_dependency_entry(package, paths) + if bool(getattr(package, "direct", False)): + direct.append(entry) + else: + deep.append(entry) + return direct, deep + + +def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + packages = list((getattr(diff_report, "packages", {}) or {}).values()) + direct, deep = _partition_dependencies(packages) + return { + "copyrightsByLicense": {}, + "deepDependencies": deep, + "directDependencies": direct, + "licenses": {}, + "project": _build_attribution_project(diff_report, config), + } diff --git a/socketsecurity/output.py b/socketsecurity/output.py index 921ca79..63fe565 100644 --- a/socketsecurity/output.py +++ b/socketsecurity/output.py @@ -5,6 +5,7 @@ from .core.messages import Messages from .core.classes import Diff, Issue from .config import CliConfig +from .fossa_compat import build_fossa_report_payload from socketsecurity.plugins.manager import PluginManager from socketsecurity.core.alert_selection import ( clone_diff_with_selected_alerts, @@ -90,6 +91,9 @@ def handle_output(self, diff_report: Diff) -> None: plugin_mgr = PluginManager({"slack": slack_config}) plugin_mgr.send(diff_report, config=self.config) + self.save_json_file(diff_report, getattr(self.config, "json_file", None)) + self.save_summary_file(diff_report, getattr(self.config, "summary_file", None)) + self.save_report_link_file(diff_report, getattr(self.config, "report_link_file", None)) self.save_sbom_file(diff_report, self.config.sbom_file) def return_exit_code(self, diff_report: Diff) -> int: @@ -107,50 +111,15 @@ def return_exit_code(self, diff_report: Diff) -> int: def output_console_comments(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Outputs formatted console comments""" - selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) - has_new_alerts = len(selected_alerts) > 0 - has_unchanged_alerts = ( - self.config.strict_blocking and - hasattr(diff_report, 'unchanged_alerts') and - len(diff_report.unchanged_alerts) > 0 - ) - - if not has_new_alerts and not has_unchanged_alerts: - self.logger.info("No issues found") - return - - # Count blocking vs warning alerts - new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error) - new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn) - - unchanged_blocking = 0 - unchanged_warning = 0 - if has_unchanged_alerts: - unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error) - unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn) - - selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) - console_security_comment = Messages.create_console_security_alert_table(selected_diff) - - # Build status message - self.logger.info("Security issues detected by Socket Security:") - if new_blocking > 0: - self.logger.info(f" - NEW blocking issues: {new_blocking}") - if new_warning > 0: - self.logger.info(f" - NEW warning issues: {new_warning}") - if unchanged_blocking > 0: - self.logger.info(f" - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)") - if unchanged_warning > 0: - self.logger.info(f" - EXISTING warning issues: {unchanged_warning}") - - self.logger.info(f"Diff Url: {diff_report.diff_url}") - self.logger.info(f"\n{console_security_comment}") + summary_text = self.build_summary_text(diff_report) + for line in summary_text.splitlines(): + self.logger.info(line) + if not summary_text.strip(): + self.logger.info("") def output_console_json(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Outputs JSON formatted results""" - selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) - selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) - console_security_comment = Messages.create_security_comment_json(selected_diff) + console_security_comment = self.build_json_report(diff_report) self.save_sbom_file(diff_report, sbom_file_name) self.logger.info(json.dumps(console_security_comment)) @@ -246,14 +215,106 @@ def report_pass(self, diff_report: Diff) -> bool: def save_sbom_file(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Saves SBOM file if filename is provided""" - if not sbom_file_name or not diff_report.sbom: + if not sbom_file_name: return - sbom_path = Path(sbom_file_name) - sbom_path.parent.mkdir(parents=True, exist_ok=True) + sbom_data = getattr(diff_report, "sbom", None) + if sbom_data is None: + sbom_data = [] + + self.write_json_file(sbom_file_name, sbom_data) - with open(sbom_path, "w") as f: - json.dump(diff_report.sbom, f, indent=2) + def build_summary_text(self, diff_report: Diff) -> str: + """Render the console summary text for stdout and file output.""" + selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) + has_new_alerts = len(selected_alerts) > 0 + has_unchanged_alerts = ( + self.config.strict_blocking and + hasattr(diff_report, 'unchanged_alerts') and + len(diff_report.unchanged_alerts) > 0 + ) + + if not has_new_alerts and not has_unchanged_alerts: + return "No issues found" + + new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error) + new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn) + + unchanged_blocking = 0 + unchanged_warning = 0 + if has_unchanged_alerts: + unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error) + unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn) + + selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) + console_security_comment = Messages.create_console_security_alert_table(selected_diff) + + lines = ["Security issues detected by Socket Security:"] + if new_blocking > 0: + lines.append(f" - NEW blocking issues: {new_blocking}") + if new_warning > 0: + lines.append(f" - NEW warning issues: {new_warning}") + if unchanged_blocking > 0: + lines.append( + f" - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)" + ) + if unchanged_warning > 0: + lines.append(f" - EXISTING warning issues: {unchanged_warning}") + + report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "") + lines.append(f"Diff Url: {report_link}") + lines.append("") + lines.append(str(console_security_comment)) + return "\n".join(lines) + + def build_json_report(self, diff_report: Diff) -> dict: + """Build the JSON report payload for stdout and file output.""" + if getattr(self.config, "legal_format", "socket") == "fossa": + return build_fossa_report_payload(diff_report, self.config) + + selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) + selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) + report = Messages.create_security_comment_json(selected_diff) + legal_flag = getattr(self.config, "legal", False) + repo = getattr(self.config, "repo", None) + branch = getattr(self.config, "branch", None) + commit_sha = getattr(self.config, "commit_sha", None) + report["report_url"] = getattr(diff_report, "report_url", None) + report["repo"] = repo if isinstance(repo, str) or repo is None else None + report["branch"] = branch if isinstance(branch, str) or branch is None else None + report["commit_sha"] = commit_sha if isinstance(commit_sha, str) or commit_sha is None else None + report["legal_mode"] = legal_flag if isinstance(legal_flag, bool) else False + return report + + def save_json_file(self, diff_report: Diff, json_file_name: Optional[str] = None) -> None: + if not json_file_name: + return + self.write_json_file(json_file_name, self.build_json_report(diff_report)) + + def save_summary_file(self, diff_report: Diff, summary_file_name: Optional[str] = None) -> None: + if not summary_file_name: + return + self.write_text_file(summary_file_name, self.build_summary_text(diff_report) + "\n") + + def save_report_link_file(self, diff_report: Diff, report_link_file_name: Optional[str] = None) -> None: + if not report_link_file_name: + return + report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "") + if not report_link: + return + self.write_text_file(report_link_file_name, report_link + "\n") + + def write_json_file(self, file_name: str, content: Any) -> None: + file_path = Path(file_name) + file_path.parent.mkdir(parents=True, exist_ok=True) + with open(file_path, "w") as f: + json.dump(content, f, indent=2) + + def write_text_file(self, file_name: str, content: str) -> None: + file_path = Path(file_name) + file_path.parent.mkdir(parents=True, exist_ok=True) + with open(file_path, "w") as f: + f.write(content) def output_gitlab_security(self, diff_report: Diff) -> None: """ diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py index 6f17f58..1e339ae 100644 --- a/socketsecurity/socketcli.py +++ b/socketsecurity/socketcli.py @@ -1,14 +1,16 @@ import json import os +import shutil import sys import traceback -import shutil -import warnings +from datetime import datetime, timezone +from uuid import uuid4 from dotenv import load_dotenv from git import InvalidGitRepositoryError, NoSuchPathError from socketdev import socketdev from socketdev.fullscans import FullScanParams + from socketsecurity.config import CliConfig from socketsecurity.core import Core from socketsecurity.core.classes import Diff @@ -18,12 +20,102 @@ from socketsecurity.core.messages import Messages from socketsecurity.core.scm_comments import Comments from socketsecurity.core.socket_config import SocketConfig +from socketsecurity.fossa_compat import build_fossa_attribution_payload from socketsecurity.output import OutputHandler socket_logger, log = initialize_logging() load_dotenv() +# Buildkite sets BUILDKITE=true in every job environment. Used to gate log +# section markers that would render as literal text on other CI platforms. +IS_BUILDKITE = os.getenv("BUILDKITE") == "true" + + +def _emit_infrastructure_error(message: str, include_traceback: bool = False) -> None: + """Emit a structured error for infrastructure/API failures. + + When running in Buildkite, wraps the error in log-section markers + (`^^^ +++` expands the section in the BK UI) and prints a soft_fail hint. + On every other platform it's a plain log.error so the markers don't leak + as literal text. This is presentation only -- it does not decide the exit + code (the caller does that, honoring --disable-blocking and + --exit-code-on-api-error). + """ + if IS_BUILDKITE: + print("^^^ +++", flush=True) + print("--- :warning: Socket infrastructure error", flush=True) + + log.error(message) + + if IS_BUILDKITE: + log.error( + "Tip: this is an infrastructure error, not a security finding. To keep it " + "from blocking the build, add a soft_fail rule for the CLI's API-error exit " + "code (default 3, or whatever you pass to --exit-code-on-api-error)." + ) + + if include_traceback: + traceback.print_exc() + + +def build_license_artifact_payload( + diff: Diff, + legal_format: str = "socket", + config: CliConfig | None = None, +) -> dict: + """Build the license artifact payload from a diff, tolerating sparse scan paths.""" + if legal_format == "fossa": + if config is None: + raise ValueError("config is required when building FOSSA-format legal artifacts") + return build_fossa_attribution_payload(diff, config) + + all_packages = {} + packages = getattr(diff, "packages", {}) or {} + for purl in packages: + package = packages[purl] + output = { + "id": package.id, + "name": package.name, + "version": package.version, + "ecosystem": package.type, + "direct": package.direct, + "url": package.url, + "license": package.license, + "licenseDetails": package.licenseDetails, + "licenseAttrib": package.licenseAttrib, + "purl": package.purl, + } + all_packages[package.id] = output + return all_packages + +def _write_attribution_file(config, payload: dict) -> None: + Core.save_file(config.license_file_name, json.dumps(payload, indent=2)) + + +DEFAULT_API_TIMEOUT = 1200 + +# Sentinel repo/branch names used when none can be detected from git or supplied via flags. +# When the repo/branch are these defaults we skip forwarding SOCKET_REPO_NAME/SOCKET_BRANCH_NAME +# to the coana CLI so unrelated default-named runs don't share reachability cache buckets. +DEFAULT_REPO_NAME = "socket-default-repo" +DEFAULT_BRANCH_NAME = "socket-default-branch" + + +def get_api_request_timeout(config: CliConfig) -> int: + return config.timeout if config.timeout is not None else DEFAULT_API_TIMEOUT + + +def build_socket_sdk(config: CliConfig) -> socketdev: + cli_user_agent_string = f"SocketPythonCLI/{config.version}" + return socketdev( + token=config.api_token, + timeout=get_api_request_timeout(config), + allow_unverified=config.allow_unverified, + user_agent=cli_user_agent_string + ) + + def cli(): try: main_code() @@ -35,12 +127,17 @@ def cli(): else: sys.exit(0) except Exception as error: - log.error("Unexpected error when running the cli") - log.error(error) - traceback.print_exc() config = CliConfig.from_args() # Get current config + _emit_infrastructure_error( + f"Unexpected error when running the CLI: {error}", + include_traceback=True, + ) + # --disable-blocking forces a clean exit for ALL outcomes (it takes + # precedence over --exit-code-on-api-error); otherwise infra/API errors + # exit with the configurable code (default 3), keeping them distinct + # from blocking security findings (exit 1). if not config.disable_blocking: - sys.exit(3) + sys.exit(config.exit_code_on_api_error) else: sys.exit(0) @@ -61,8 +158,7 @@ def main_code(): "1. Command line: --api-token YOUR_TOKEN\n" "2. Environment variable: SOCKET_SECURITY_API_TOKEN") sys.exit(3) - cli_user_agent_string = f"SocketPythonCLI/{config.version}" - sdk = socketdev(token=config.api_token, allow_unverified=config.allow_unverified, user_agent=cli_user_agent_string) + sdk = build_socket_sdk(config) # Suppress urllib3 InsecureRequestWarning when using --allow-unverified if config.allow_unverified: @@ -81,7 +177,7 @@ def main_code(): socket_config = SocketConfig( api_key=config.api_token, allow_unverified_ssl=config.allow_unverified, - timeout=config.timeout if config.timeout is not None else 1200 # Use CLI timeout if provided + timeout=get_api_request_timeout(config) ) log.debug("loaded socket_config") client = CliClient(socket_config) @@ -123,7 +219,7 @@ def main_code(): # Check if plan matches enterprise* pattern (enterprise, enterprise_trial, etc.) if not org_plan.startswith('enterprise'): - log.error(f"Reachability analysis is only available for enterprise plans.") + log.error("Reachability analysis is only available for enterprise plans.") log.error(f"Your organization plan is: {org_plan}") log.error("Please upgrade to an enterprise plan to use reachability analysis.") sys.exit(3) @@ -198,16 +294,21 @@ def main_code(): except NoSuchPathError: raise Exception(f"Unable to find path {config.target_path}") + # Track whether repo/branch fell back to the default sentinels so reachability can skip + # forwarding them as coana cache-bucket keys (computed before any workspace suffixing). + repo_defaulted = not config.repo + branch_defaulted = not config.branch + if not config.repo: - base_repo_name = "socket-default-repo" + base_repo_name = DEFAULT_REPO_NAME if config.workspace_name: config.repo = f"{base_repo_name}-{config.workspace_name}" else: config.repo = base_repo_name log.debug(f"Using default repository name: {config.repo}") - + if not config.branch: - config.branch = "socket-default-branch" + config.branch = DEFAULT_BRANCH_NAME log.debug(f"Using default branch name: {config.branch}") # Calculate the scan paths - combine target_path with sub_paths if provided @@ -287,24 +388,38 @@ def main_code(): timeout=config.reach_analysis_timeout, memory_limit=config.reach_analysis_memory_limit, ecosystems=config.reach_ecosystems, - exclude_paths=config.reach_exclude_paths, + # Union the deprecated --reach-exclude-paths with the unified --exclude-paths + # and forward verbatim to coana's --exclude-dirs. Patterns are scan-root + # relative; coana resolves --exclude-dirs relative to its `run` target, which + # here is `.` == cwd == scan root, so passthrough is correct. If a nested + # target is ever supported, re-anchor patterns to the target first (see Node's + # pathRelativeToTarget in exclude-paths.mts). + exclude_paths=( + (config.reach_exclude_paths or []) + (config.exclude_paths or []) + ) or None, min_severity=config.reach_min_severity, skip_cache=config.reach_skip_cache or False, disable_analytics=config.reach_disable_analytics or False, enable_analysis_splitting=config.reach_enable_analysis_splitting or False, detailed_analysis_log_file=config.reach_detailed_analysis_log_file or False, lazy_mode=config.reach_lazy_mode or False, - repo_name=config.repo, - branch_name=config.branch, + repo_name=None if repo_defaulted else config.repo, + branch_name=None if branch_defaulted else config.branch, version=config.reach_version, concurrency=config.reach_concurrency, additional_params=config.reach_additional_params, allow_unverified=config.allow_unverified, enable_debug=config.enable_debug, - use_only_pregenerated_sboms=config.reach_use_only_pregenerated_sboms + use_only_pregenerated_sboms=config.reach_use_only_pregenerated_sboms, + continue_on_analysis_errors=config.reach_continue_on_analysis_errors, + continue_on_install_errors=config.reach_continue_on_install_errors, + continue_on_missing_lock_files=config.reach_continue_on_missing_lock_files, + continue_on_no_source_files=config.reach_continue_on_no_source_files, + reach_debug=config.reach_debug, + disable_external_tool_checks=config.reach_disable_external_tool_checks, ) - log.info(f"Reachability analysis completed successfully") + log.info("Reachability analysis completed successfully") log.info(f"Results written to: {result['report_path']}") if result.get('scan_id'): log.info(f"Reachability scan ID: {result['scan_id']}") @@ -478,6 +593,17 @@ def main_code(): # Handle SCM-specific flows log.debug(f"Flow decision: scm={scm is not None}, force_diff_mode={force_diff_mode}, force_api_mode={force_api_mode}, enable_diff={config.enable_diff}") + + def _is_unprocessed(c): + """Check if an ignore comment has not yet been marked with '+1' reaction. + For GitHub, reactions['+1'] is already in the comment response (no extra call). + For GitLab, has_thumbsup_reaction() makes a lazy API call per comment.""" + if getattr(c, "reactions", {}).get("+1"): + return False + if hasattr(scm, "has_thumbsup_reaction") and scm.has_thumbsup_reaction(c.id): + return False + return True + if scm is not None and scm.check_event_type() == "comment": # FIXME: This entire flow should be a separate command called "filter_ignored_alerts_in_comments" # It's not related to scanning or diff generation - it just: @@ -486,10 +612,51 @@ def main_code(): # 3. Updates the comment to remove ignored alerts # This is completely separate from the main scanning functionality log.info("Comment initiated flow") - - comments = scm.get_comments_for_pr() - log.debug("Removing comment alerts") - scm.remove_comment_alerts(comments) + + if not config.disable_ignore: + comments = scm.get_comments_for_pr() + + # Emit telemetry for ignore comments before +1 reaction is added. + # The +1 reaction (added by remove_comment_alerts) serves as the "processed" marker. + if "ignore" in comments: + unprocessed = [c for c in comments["ignore"] if _is_unprocessed(c)] + if unprocessed: + try: + events = [] + for c in unprocessed: + single = {"ignore": [c]} + ignore_all, ignore_commands = Comments.get_ignore_options(single) + user = getattr(c, "user", None) or getattr(c, "author", None) or {} + now = datetime.now(timezone.utc).isoformat() + shared_fields = { + "event_kind": "user-action", + "client_action": "ignore", + "alert_action": "error", + "event_sender_created_at": now, + "vcs_provider": integration_type, + "owner": config.repo.split("/")[0] if "/" in config.repo else "", + "repo": config.repo, + "pr_number": pr_number, + "ignore_all": ignore_all, + "sender_name": user.get("login") or user.get("username", ""), + "sender_id": str(user.get("id", "")), + } + if ignore_commands: + for name, version in ignore_commands: + events.append({**shared_fields, "event_id": str(uuid4()), "artifact_input": f"{name}@{version}"}) + elif ignore_all: + events.append({**shared_fields, "event_id": str(uuid4())}) + + if events: + log.debug(f"Ignore telemetry: {len(events)} events to send") + client.post_telemetry_events(org_slug, events) + except Exception as e: + log.warning(f"Failed to send ignore telemetry: {e}") + + log.debug("Removing comment alerts") + scm.remove_comment_alerts(comments) + else: + log.info("Ignore commands disabled (--disable-ignore), skipping comment processing") elif scm is not None and scm.check_event_type() != "comment" and not force_api_mode: log.info("Push initiated flow") @@ -497,10 +664,80 @@ def main_code(): log.info("Starting comment logic for PR/MR event") diff = core.create_new_diff(scan_paths, params, no_change=should_skip_scan, save_files_list_path=config.save_submitted_files_list, save_manifest_tar_path=config.save_manifest_tar, base_paths=base_paths, explicit_files=sbom_files_to_submit) comments = scm.get_comments_for_pr() - log.debug("Removing comment alerts") - + # FIXME: this overwrites diff.new_alerts, which was previously populated by Core.create_issue_alerts - diff.new_alerts = Comments.remove_alerts(comments, diff.new_alerts) + if not config.disable_ignore: + log.debug("Removing comment alerts") + alerts_before = list(diff.new_alerts) + diff.new_alerts = Comments.remove_alerts(comments, diff.new_alerts) + + ignored_alerts = [a for a in alerts_before if a not in diff.new_alerts] + # Emit telemetry per-comment so each event carries the comment author. + unprocessed_ignore = [ + c for c in comments.get("ignore", []) + if _is_unprocessed(c) + ] + if ignored_alerts and unprocessed_ignore: + try: + events = [] + now = datetime.now(timezone.utc).isoformat() + for c in unprocessed_ignore: + single = {"ignore": [c]} + c_ignore_all, c_ignore_commands = Comments.get_ignore_options(single) + user = getattr(c, "user", None) or getattr(c, "author", None) or {} + sender_name = user.get("login") or user.get("username", "") + sender_id = str(user.get("id", "")) + + # Match this comment's targets to the actual ignored alerts + matched_alerts = [] + if c_ignore_all: + matched_alerts = ignored_alerts + else: + for alert in ignored_alerts: + full_name = f"{alert.pkg_type}/{alert.pkg_name}" + purl = (full_name, alert.pkg_version) + purl_star = (full_name, "*") + if purl in c_ignore_commands or purl_star in c_ignore_commands: + matched_alerts.append(alert) + + shared_fields = { + "event_kind": "user-action", + "client_action": "ignore", + "event_sender_created_at": now, + "vcs_provider": integration_type, + "owner": config.repo.split("/")[0] if "/" in config.repo else "", + "repo": config.repo, + "pr_number": pr_number, + "ignore_all": c_ignore_all, + "sender_name": sender_name, + "sender_id": sender_id, + } + if matched_alerts: + for alert in matched_alerts: + # Derive alert_action from the alert's resolved action flags + if getattr(alert, "error", False): + alert_action = "error" + elif getattr(alert, "warn", False): + alert_action = "warn" + elif getattr(alert, "monitor", False): + alert_action = "monitor" + else: + alert_action = "error" + events.append({**shared_fields, "alert_action": alert_action, "event_id": str(uuid4()), "artifact_purl": alert.purl}) + elif c_ignore_all: + events.append({**shared_fields, "event_id": str(uuid4())}) + + if events: + client.post_telemetry_events(org_slug, events) + + # Mark ignore comments as processed with +1 reaction + if hasattr(scm, "handle_ignore_reactions"): + scm.handle_ignore_reactions(comments) + except Exception as e: + log.warning(f"Failed to send ignore telemetry: {e}") + else: + log.info("Ignore commands disabled (--disable-ignore), all alerts will be reported") + log.debug("Creating Dependency Overview Comment") overview_comment = Messages.dependency_overview_template(diff) @@ -615,23 +852,12 @@ def main_code(): # Handle license generation if not should_skip_scan and diff.id != "NO_DIFF_RAN" and diff.id != "NO_SCAN_RAN" and config.generate_license: - all_packages = {} - for purl in diff.packages: - package = diff.packages[purl] - output = { - "id": package.id, - "name": package.name, - "version": package.version, - "ecosystem": package.type, - "direct": package.direct, - "url": package.url, - "license": package.license, - "licenseDetails": package.licenseDetails, - "licenseAttrib": package.licenseAttrib, - "purl": package.purl, - } - all_packages[package.id] = output - core.save_file(config.license_file_name, json.dumps(all_packages)) + all_packages = build_license_artifact_payload( + diff, + legal_format=getattr(config, "legal_format", "socket"), + config=config, + ) + _write_attribution_file(config, all_packages) # If we forced API mode due to no supported files, behave as if --disable-blocking was set if force_api_mode: @@ -649,11 +875,20 @@ def main_code(): scm.enable_merge_pipeline_check() passed = output_handler.report_pass(diff) state = "success" if passed else "failed" - blocking_count = sum(1 for a in diff.new_alerts if a.error) + new_blocking = sum(1 for a in diff.new_alerts if a.error) + unchanged_blocking = 0 + if config.strict_blocking and hasattr(diff, 'unchanged_alerts'): + unchanged_blocking = sum(1 for a in diff.unchanged_alerts if a.error) + blocking_count = new_blocking + unchanged_blocking if passed: description = "No blocking issues" else: - description = f"{blocking_count} blocking alert(s) found" + parts = [] + if new_blocking: + parts.append(f"{new_blocking} new") + if unchanged_blocking: + parts.append(f"{unchanged_blocking} existing") + description = f"{blocking_count} blocking alert(s) found ({', '.join(parts)})" target_url = diff.report_url or diff.diff_url or "" scm.set_commit_status(state, description, target_url) diff --git a/tests/core/test_facts_compression.py b/tests/core/test_facts_compression.py new file mode 100644 index 0000000..ba04efa --- /dev/null +++ b/tests/core/test_facts_compression.py @@ -0,0 +1,137 @@ +"""Tests for brotli compression of the reachability facts file on upload. + +The Socket full-scan endpoint transparently decompresses a multipart part named exactly +`.socket.facts.json.br`, so the CLI compresses the facts file before uploading it. These +tests cover the helpers in `Core` that do that rewriting. +""" +import json +import os + +import pytest + +try: + import brotli +except ImportError: # pragma: no cover - PyPy / non-CPython fallback + import brotlicffi as brotli + +from socketsecurity.core import ( + SOCKET_FACTS_BROTLI_FILENAME, + SOCKET_FACTS_FILENAME, + Core, +) + + +def _write(path, data: bytes): + with open(path, "wb") as f: + f.write(data) + return path + + +def test_compress_facts_file_roundtrips(tmp_path): + """The compressed sibling decompresses back to the exact original bytes.""" + source = tmp_path / SOCKET_FACTS_FILENAME + payload = json.dumps({"components": [{"id": str(i)} for i in range(1000)]}).encode() + _write(str(source), payload) + + compressed_path = Core._compress_facts_file(str(source)) + + # Compressed file is a sibling named exactly `.socket.facts.json.br`. + assert compressed_path == str(tmp_path / SOCKET_FACTS_BROTLI_FILENAME) + assert os.path.basename(compressed_path) == SOCKET_FACTS_BROTLI_FILENAME + # The original is untouched (other code paths still read it locally). + assert source.read_bytes() == payload + # Roundtrip matches. + with open(compressed_path, "rb") as f: + assert brotli.decompress(f.read()) == payload + + +def test_compress_for_upload_rewrites_facts_entry(tmp_path): + """A `.socket.facts.json` entry is replaced by its `.br` sibling; others pass through.""" + core = Core.__new__(Core) + facts = _write(str(tmp_path / SOCKET_FACTS_FILENAME), b'{"a": 1}') + manifest = _write(str(tmp_path / "package.json"), b"{}") + + upload_files, temp_paths = core._compress_facts_files_for_upload([facts, manifest]) + + expected_br = str(tmp_path / SOCKET_FACTS_BROTLI_FILENAME) + assert upload_files == [expected_br, manifest] + assert temp_paths == [expected_br] + assert os.path.isfile(expected_br) + # Non-facts files are never compressed. + assert manifest in upload_files + + +def test_compress_facts_file_removes_partial_output_on_failure(tmp_path, monkeypatch): + """If compression fails mid-stream, the half-written .br is removed (not orphaned).""" + source = _write(str(tmp_path / SOCKET_FACTS_FILENAME), b'{"a": 1}' * 1000) + + class ExplodingCompressor: + def __init__(self, *args, **kwargs): + pass + + def process(self, _data): + raise RuntimeError("disk full") + + def finish(self): # pragma: no cover - never reached + return b"" + + # Patch the module the helper imports (brotli on CPython, brotlicffi elsewhere). + monkeypatch.setattr(brotli, "Compressor", ExplodingCompressor) + + with pytest.raises(RuntimeError, match="disk full"): + Core._compress_facts_file(source) + + # No orphaned .br left behind in the target directory. + assert not (tmp_path / SOCKET_FACTS_BROTLI_FILENAME).exists() + + +def test_compress_for_upload_preserves_directory_prefix(tmp_path): + """The `.br` sibling keeps the facts file's directory so the relative key is preserved.""" + core = Core.__new__(Core) + subdir = tmp_path / "nested" + subdir.mkdir() + facts = _write(str(subdir / SOCKET_FACTS_FILENAME), b'{"a": 1}') + + upload_files, temp_paths = core._compress_facts_files_for_upload([facts]) + + assert upload_files == [str(subdir / SOCKET_FACTS_BROTLI_FILENAME)] + assert temp_paths == [str(subdir / SOCKET_FACTS_BROTLI_FILENAME)] + + +def test_empty_facts_file_is_not_compressed(tmp_path): + """Empty placeholder facts files (e.g. baseline scans) are uploaded as-is.""" + core = Core.__new__(Core) + empty_facts = _write(str(tmp_path / SOCKET_FACTS_FILENAME), b"") + + upload_files, temp_paths = core._compress_facts_files_for_upload([empty_facts]) + + assert upload_files == [empty_facts] + assert temp_paths == [] + assert not (tmp_path / SOCKET_FACTS_BROTLI_FILENAME).exists() + + +def test_custom_named_facts_file_is_not_compressed(tmp_path): + """A custom --reach-output-file name is not compressed (server only matches the exact name).""" + core = Core.__new__(Core) + custom = _write(str(tmp_path / "custom.facts.json"), b'{"a": 1}') + + upload_files, temp_paths = core._compress_facts_files_for_upload([custom]) + + assert upload_files == [custom] + assert temp_paths == [] + + +def test_compression_failure_falls_back_to_plain_file(tmp_path, monkeypatch): + """If compression raises, the original plain file is uploaded instead of failing.""" + core = Core.__new__(Core) + facts = _write(str(tmp_path / SOCKET_FACTS_FILENAME), b'{"a": 1}') + + def boom(_source_path): + raise RuntimeError("brotli unavailable") + + monkeypatch.setattr(Core, "_compress_facts_file", staticmethod(boom)) + + upload_files, temp_paths = core._compress_facts_files_for_upload([facts]) + + assert upload_files == [facts] + assert temp_paths == [] diff --git a/tests/core/test_has_manifest_files.py b/tests/core/test_has_manifest_files.py index 150ffbd..228253f 100644 --- a/tests/core/test_has_manifest_files.py +++ b/tests/core/test_has_manifest_files.py @@ -1,6 +1,7 @@ from unittest.mock import patch from socketsecurity.core import Core +from socketsecurity.core.utils import socket_globs # Minimal patterns matching what the Socket API returns MOCK_PATTERNS = { @@ -8,6 +9,9 @@ "packagejson": {"pattern": "package.json"}, "packagelockjson": {"pattern": "package-lock.json"}, "yarnlock": {"pattern": "yarn.lock"}, + "bunlock": {"pattern": "bun.lock"}, + "bunlockb": {"pattern": "bun.lockb"}, + "vltlockjson": {"pattern": "vlt-lock.json"}, }, "pypi": { "requirements": {"pattern": "*requirements.txt"}, @@ -66,3 +70,42 @@ def test_dot_slash_prefix_normalized(self, mock_patterns): def test_pom_xml_root(self, mock_patterns): core = Core.__new__(Core) assert core.has_manifest_files(["pom.xml"]) is True + + def test_bun_lock_root(self, mock_patterns): + core = Core.__new__(Core) + assert core.has_manifest_files(["bun.lock"]) is True + + def test_bun_lockb_root(self, mock_patterns): + core = Core.__new__(Core) + assert core.has_manifest_files(["bun.lockb"]) is True + + def test_vlt_lock_json_root(self, mock_patterns): + core = Core.__new__(Core) + assert core.has_manifest_files(["vlt-lock.json"]) is True + + def test_bun_lock_subdirectory(self, mock_patterns): + core = Core.__new__(Core) + assert core.has_manifest_files(["apps/web/bun.lock"]) is True + + +@patch.object(Core, "get_supported_patterns", side_effect=RuntimeError("API unreachable")) +@patch.object(Core, "__init__", lambda self, *a, **kw: None) +class TestHasManifestFilesFallback: + """Exercises the socket_globs fallback path used when the Socket API is unreachable.""" + + def test_fallback_matches_bun_lock(self, mock_patterns): + core = Core.__new__(Core) + assert core.has_manifest_files(["bun.lock"]) is True + + def test_fallback_matches_bun_lockb(self, mock_patterns): + core = Core.__new__(Core) + assert core.has_manifest_files(["bun.lockb"]) is True + + def test_fallback_matches_vlt_lock_json(self, mock_patterns): + core = Core.__new__(Core) + assert core.has_manifest_files(["vlt-lock.json"]) is True + + def test_fallback_patterns_dict_contains_new_entries(self, mock_patterns): + assert "bun.lock" in socket_globs["npm"] + assert "bun.lockb" in socket_globs["npm"] + assert "vlt-lock.json" in socket_globs["npm"] diff --git a/tests/core/test_package_and_alerts.py b/tests/core/test_package_and_alerts.py index 09a8455..171eae7 100644 --- a/tests/core/test_package_and_alerts.py +++ b/tests/core/test_package_and_alerts.py @@ -4,7 +4,7 @@ import pytest from socketdev import socketdev -from socketsecurity.core import Core +from socketsecurity.core import Core, _humanize_alert_type from socketsecurity.core.classes import Issue, Package from socketsecurity.core.socket_config import SocketConfig @@ -166,6 +166,62 @@ def test_add_package_alerts_basic(self, core): assert alert.type == "networkAccess" assert alert.severity == "high" + def test_gpt_did_you_mean_gets_typosquat_title(self, core): + """gptDidYouMean alerts must render a non-empty title (CUS2-2).""" + package = self.make_package( + alerts=[{ + "type": "gptDidYouMean", + "key": "gpt-did-you-mean-alert", + "severity": "middle", + }], + topLevelAncestors=[], + ) + + result = core.add_package_alerts_to_collection( + package, alerts_collection={}, packages={package.id: package} + ) + + alert = result["gpt-did-you-mean-alert"][0] + assert alert.type == "gptDidYouMean" + assert alert.title, "title should not be empty for gptDidYouMean" + assert "typosquat" in alert.title.lower() + + def test_unknown_alert_type_falls_back_to_humanized_title(self, core): + """Any alert type not present in the SDK should still render a non-empty title.""" + package = self.make_package( + alerts=[{ + "type": "someBrandNewAlertType", + "key": "future-alert", + "severity": "low", + }], + topLevelAncestors=[], + ) + + result = core.add_package_alerts_to_collection( + package, alerts_collection={}, packages={package.id: package} + ) + + alert = result["future-alert"][0] + assert alert.title == "Some Brand New Alert Type" + + def test_license_spdx_disj_keeps_explicit_title(self, core): + """licenseSpdxDisj must keep its hard-coded fallback (regression guard for CUS2-2 fix).""" + package = self.make_package( + alerts=[{ + "type": "licenseSpdxDisj", + "key": "license-alert", + "severity": "high", + }], + topLevelAncestors=[], + ) + + result = core.add_package_alerts_to_collection( + package, alerts_collection={}, packages={package.id: package} + ) + + alert = result["license-alert"][0] + assert alert.title == "License Policy Violation" + def test_get_capabilities_for_added_packages(self, core): @@ -228,4 +284,60 @@ def test_get_new_alerts_with_readded(self): # With ignore_readded=False new_alerts = Core.get_new_alerts(added_alerts, removed_alerts, ignore_readded=False) - assert len(new_alerts) == 1 + assert len(new_alerts) == 1 + + def test_get_license_text_via_purl_uses_org_scoped_endpoint(self, core, mock_sdk): + """Test license enrichment calls the org-scoped PURL SDK method.""" + core.sdk.purl = Mock() + core.sdk.purl.post.return_value = [ + { + "type": "npm", + "name": "lodash", + "version": "4.18.1", + "licenseAttrib": [{"name": "MIT"}], + "licenseDetails": [{"license": "MIT"}], + } + ] + + packages = { + "npm/lodash@4.18.1": Package( + id="pkg:npm/lodash@4.18.1", + type="npm", + name="lodash", + version="4.18.1", + score={}, + alerts=[], + topLevelAncestors=[], + ) + } + + result = core.get_license_text_via_purl(packages) + + core.sdk.purl.post.assert_called_once_with( + license=True, + components=[{"purl": "pkg:/npm/lodash@4.18.1"}], + org_slug="test-org", + licenseattrib=True, + licensedetails=True, + ) + assert result["npm/lodash@4.18.1"].licenseAttrib == [{"name": "MIT"}] + assert result["npm/lodash@4.18.1"].licenseDetails == [{"license": "MIT"}] + + +class TestHumanizeAlertType: + def test_humanizes_camel_case(self): + assert _humanize_alert_type("gptDidYouMean") == "Gpt Did You Mean" + + def test_humanizes_single_word(self): + assert _humanize_alert_type("malware") == "Malware" + + def test_humanizes_pascal_case(self): + assert _humanize_alert_type("UnsafeShellAccess") == "Unsafe Shell Access" + + def test_empty_input_returns_empty_string(self): + assert _humanize_alert_type("") == "" + + def test_handles_acronyms_conservatively(self): + """Adjacent capitals are kept together: SQLInjection -> 'SQL Injection'.""" + assert _humanize_alert_type("SQLInjection") == "SQL Injection" + diff --git a/tests/core/test_sdk_methods.py b/tests/core/test_sdk_methods.py index bb096eb..2cad8e5 100644 --- a/tests/core/test_sdk_methods.py +++ b/tests/core/test_sdk_methods.py @@ -95,12 +95,17 @@ def test_get_added_and_removed_packages(core): # Get two different scans to compare added, removed, all_packages = core.get_added_and_removed_packages("head", "new") - # Verify SDK was called correctly + # Verify SDK was called correctly. + # include_license_details defaults to "false": the diff path never consumes + # embedded license data (license artifacts come from the PURL endpoint), so + # requesting it only bloats the response and risks the CE-224 truncation + # crash on large repos. core.sdk.fullscans.stream_diff.assert_called_once_with( core.config.org_slug, "head", "new", use_types=True, + include_license_details="false", ) # Verify the results @@ -115,6 +120,18 @@ def test_get_added_and_removed_packages(core): assert "dp2_t1" in removed # Verify transitive dependencies are also tracked assert "pypi/direct_package_1@1.6.0" in all_packages # Unchanged package is in full package map +def test_get_added_and_removed_packages_license_override(core): + """The include_license_details override seam still works when explicitly requested.""" + core.get_added_and_removed_packages("head", "new", include_license_details=True) + + core.sdk.fullscans.stream_diff.assert_called_once_with( + core.config.org_slug, + "head", + "new", + use_types=True, + include_license_details="true", + ) + def test_empty_alerts_preserved(core): """Test that empty alerts arrays stay as empty arrays and don't become None""" # Get the scan that contains dp2 (which has empty alerts array) diff --git a/tests/e2e/fixtures/simple-npm/package.json b/tests/e2e/fixtures/simple-npm/package.json index cf70416..3454c5b 100644 --- a/tests/e2e/fixtures/simple-npm/package.json +++ b/tests/e2e/fixtures/simple-npm/package.json @@ -4,9 +4,9 @@ "description": "Test fixture for reachability analysis", "main": "index.js", "dependencies": { - "lodash": "4.17.23", + "lodash": "4.18.1", "express": "4.22.0", - "axios": "1.13.5" + "axios": "1.16.1" }, "devDependencies": { "typescript": "5.0.4", diff --git a/tests/e2e/fixtures/simple-pypi/requirements.txt b/tests/e2e/fixtures/simple-pypi/requirements.txt new file mode 100644 index 0000000..28271a8 --- /dev/null +++ b/tests/e2e/fixtures/simple-pypi/requirements.txt @@ -0,0 +1,3 @@ +requests==2.33.0 +flask==3.1.3 +pyyaml==6.0.1 diff --git a/tests/e2e/validate-gitlab.sh b/tests/e2e/validate-gitlab.sh new file mode 100755 index 0000000..259d07f --- /dev/null +++ b/tests/e2e/validate-gitlab.sh @@ -0,0 +1,63 @@ +#!/usr/bin/env bash +set -euo pipefail + +REPORT="gl-dependency-scanning-report.json" + +if [ ! -f "$REPORT" ]; then + echo "FAIL: GitLab report not found at $REPORT" + exit 1 +fi + +python3 -c " +import json, re, sys + +with open('$REPORT') as f: + data = json.load(f) + +errors = [] + +# v15.0.0 required root-level keys +for key in ('version', 'scan', 'vulnerabilities', 'dependency_files'): + if key not in data: + errors.append(f'Missing required root key: {key}') + +if 'scan' in data: + scan = data['scan'] + + # Timestamp format: YYYY-MM-DDTHH:MM:SS (no microseconds, no trailing Z) + ts_pattern = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$') + for field in ('start_time', 'end_time'): + val = scan.get(field, '') + if not ts_pattern.match(val): + errors.append(f'scan.{field} \"{val}\" does not match pattern YYYY-MM-DDTHH:MM:SS') + + if scan.get('type') != 'dependency_scanning': + errors.append(f'scan.type is \"{scan.get(\"type\")}\" expected \"dependency_scanning\"') + + analyzer_id = scan.get('analyzer', {}).get('id', '') + if analyzer_id != 'socket-security': + errors.append(f'scan.analyzer.id is \"{analyzer_id}\" expected \"socket-security\"') + + scanner_id = scan.get('scanner', {}).get('id', '') + if scanner_id != 'socket-cli': + errors.append(f'scan.scanner.id is \"{scanner_id}\" expected \"socket-cli\"') + + if scan.get('status') != 'success': + errors.append(f'scan.status is \"{scan.get(\"status\")}\" expected \"success\"') + +# dependency_files structure check +if 'dependency_files' in data: + for i, df in enumerate(data['dependency_files']): + for req in ('path', 'package_manager', 'dependencies'): + if req not in df: + errors.append(f'dependency_files[{i}] missing required key: {req}') + +if errors: + for e in errors: + print(f'FAIL: {e}') + sys.exit(1) + +vuln_count = len(data.get('vulnerabilities', [])) +dep_file_count = len(data.get('dependency_files', [])) +print(f'PASS: Valid GitLab v15.0.0 report with {vuln_count} vulnerability(ies) and {dep_file_count} dependency file(s)') +" diff --git a/tests/e2e/validate-json.sh b/tests/e2e/validate-json.sh new file mode 100755 index 0000000..d4f5302 --- /dev/null +++ b/tests/e2e/validate-json.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +set -euo pipefail + +LOG="/tmp/e2e-output.log" + +python3 -c " +import json, sys + +# The JSON output may be prefixed with a logger timestamp (e.g. '2026-04-08 22:46:50,580: {...}'). +# Try parsing the full line first, then from the first '{' character. +found = False +with open('$LOG') as f: + for line in f: + line = line.strip() + if not line or '{' not in line: + continue + # Try full line first, then from the first brace + for candidate in (line, line[line.index('{'):]): + try: + data = json.loads(candidate) + if isinstance(data, dict): + found = True + print(f'PASS: Valid JSON output with {len(data)} top-level key(s)') + break + except json.JSONDecodeError: + continue + if found: + break + +if not found: + print('FAIL: No valid JSON object found in output') + sys.exit(1) +" diff --git a/tests/e2e/validate-reachability.sh b/tests/e2e/validate-reachability.sh new file mode 100755 index 0000000..e32f004 --- /dev/null +++ b/tests/e2e/validate-reachability.sh @@ -0,0 +1,81 @@ +#!/usr/bin/env bash +set -euo pipefail + +LOG="/tmp/e2e-output.log" + +# 1. Verify reachability analysis completed +if grep -q "Reachability analysis completed successfully" "$LOG"; then + echo "PASS: Reachability analysis completed" + grep "Reachability analysis completed successfully" "$LOG" + grep "Results written to:" "$LOG" || true +else + echo "FAIL: Reachability analysis did not complete successfully" + cat "$LOG" + exit 1 +fi + +# 2. Verify scan produced a report URL +if grep -q "Full scan report URL: https://socket.dev/" "$LOG"; then + echo "PASS: Full scan report URL found" + grep "Full scan report URL:" "$LOG" +elif grep -q "Diff Url: https://socket.dev/" "$LOG"; then + echo "PASS: Diff URL found" + grep "Diff Url:" "$LOG" +else + echo "FAIL: No report URL found in scan output" + cat "$LOG" + exit 1 +fi + +FACTS_PATH="tests/e2e/fixtures/simple-npm/.socket.facts.json" +if [ ! -f "$FACTS_PATH" ]; then + echo "FAIL: Expected reachability facts at $FACTS_PATH after initial scan" + exit 1 +fi +echo "PASS: Reachability facts file present at $FACTS_PATH" + +# 3-4. Build SARIF from the facts file produced by the initial --reach run. +# Avoid re-running reach + full scan here; duplicate API scans are slow and flaky in CI. +uv run python -c " +import json +from pathlib import Path + +from socketsecurity.core.alert_selection import load_components_with_alerts +from socketsecurity.core.messages import Messages + +target = 'tests/e2e/fixtures/simple-npm' +facts_file = '.socket.facts.json' +components = load_components_with_alerts(target, facts_file) +if not components: + raise SystemExit('FAIL: no components with alerts in .socket.facts.json') + +for outfile, reach_filter in [ + ('/tmp/sarif-all.sarif', 'all'), + ('/tmp/sarif-reachable.sarif', 'reachable'), +]: + sarif = Messages.create_security_comment_sarif_from_facts( + components, + reachability_filter=reach_filter, + grouping='instance', + ) + Path(outfile).write_text(json.dumps(sarif, indent=2)) + count = len(sarif['runs'][0]['results']) + print(f'PASS: Wrote {outfile} ({count} results, filter={reach_filter})') +" + +# 5. Verify reachable-only results are a subset of all results +test -f /tmp/sarif-all.sarif +test -f /tmp/sarif-reachable.sarif + +uv run python -c " +import json +with open('/tmp/sarif-all.sarif') as f: + all_data = json.load(f) +with open('/tmp/sarif-reachable.sarif') as f: + reach_data = json.load(f) +all_count = len(all_data['runs'][0]['results']) +reach_count = len(reach_data['runs'][0]['results']) +print(f'All results: {all_count}, Reachable-only results: {reach_count}') +assert reach_count <= all_count, f'FAIL: reachable ({reach_count}) > all ({all_count})' +print('PASS: Reachable-only results is a subset of all results') +" diff --git a/tests/e2e/validate-sarif.sh b/tests/e2e/validate-sarif.sh new file mode 100755 index 0000000..3846c0f --- /dev/null +++ b/tests/e2e/validate-sarif.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +set -euo pipefail + +SARIF="/tmp/results.sarif" + +if [ ! -f "$SARIF" ]; then + echo "FAIL: SARIF file not found at $SARIF" + exit 1 +fi + +python3 -c " +import json, sys +with open('$SARIF') as f: + data = json.load(f) +assert data['version'] == '2.1.0', f'Invalid version: {data[\"version\"]}' +assert '\$schema' in data, 'Missing \$schema' +count = len(data['runs'][0]['results']) +print(f'PASS: Valid SARIF 2.1.0 with {count} result(s)') +" diff --git a/tests/e2e/validate-scan.sh b/tests/e2e/validate-scan.sh new file mode 100755 index 0000000..fd8eccf --- /dev/null +++ b/tests/e2e/validate-scan.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +set -euo pipefail + +LOG="/tmp/e2e-output.log" + +if grep -q "Full scan report URL: https://socket.dev/" "$LOG"; then + echo "PASS: Full scan report URL found" + grep "Full scan report URL:" "$LOG" +elif grep -q "Diff Url: https://socket.dev/" "$LOG"; then + echo "PASS: Diff URL found" + grep "Diff Url:" "$LOG" +else + echo "FAIL: No report URL found in scan output" + cat "$LOG" + exit 1 +fi diff --git a/tests/fixtures/fossa/README.md b/tests/fixtures/fossa/README.md new file mode 100644 index 0000000..853d716 --- /dev/null +++ b/tests/fixtures/fossa/README.md @@ -0,0 +1,18 @@ +# FOSSA reference fixtures + +Real `fossa analyze` and `fossa report --json attribution` artifacts captured +from a representative Azure DevOps FOSSA pipeline run, used as the +structural-parity baseline for `--legal-format fossa` output. + +Customer-identifying values (org IDs, project names) have been sanitized; the +structural shape, key sets, value types, and per-field cardinality match the +real artifacts byte-for-byte aside from those substitutions. + +- `fossa-analyze-populated.json` โ€” composed FOSSA analyze artifact with + vulnerabilities present. +- `fossa-analyze-empty.json` โ€” composed FOSSA analyze artifact with zero + vulnerabilities. +- `fossa-sbom-populated.json` โ€” `fossa report --json attribution` output with + direct + deep dependencies. +- `fossa-sbom-empty-deep.json` โ€” attribution output with empty + `deepDependencies`. diff --git a/tests/fixtures/fossa/fossa-analyze-empty.json b/tests/fixtures/fossa/fossa-analyze-empty.json new file mode 100644 index 0000000..fd7efa3 --- /dev/null +++ b/tests/fixtures/fossa/fossa-analyze-empty.json @@ -0,0 +1,13 @@ +{ + "project": { + "branch": "refs/heads/master", + "id": "custom+1234/example-validation-project-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", + "project": "1234/example-validation-project", + "projectId": "custom+1234/example-validation-project", + "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", + "url": "https://app.fossa.com/account/saml/1234?next=/projects/custom%252b1234%252fexample-validation-project/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux" + }, + "vulnerability": [], + "licensing": [], + "quality": [] +} diff --git a/tests/fixtures/fossa/fossa-analyze-populated.json b/tests/fixtures/fossa/fossa-analyze-populated.json new file mode 100644 index 0000000..515fed9 --- /dev/null +++ b/tests/fixtures/fossa/fossa-analyze-populated.json @@ -0,0 +1,1275 @@ +{ + "project": { + "branch": "refs/heads/master", + "id": "custom+1234/example-validation-project-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "project": "1234/example-validation-project", + "projectId": "custom+1234/example-validation-project", + "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "url": "https://app.fossa.com/account/saml/1234?next=/projects/custom%252b1234%252fexample-validation-project/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux" + }, + "vulnerability": [ + { + "id": 11088939, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+certifi$2023.11.17", + "name": "certifi", + "url": "https://github.com/certifi/python-certifi", + "version": "2023.11.17", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088939?revisionScanId=106820047", + "vulnId": "CVE-2024-39689_pip+certifi", + "title": "Insufficient Verification of Data Authenticity", + "cve": "CVE-2024-39689", + "cvss": 7.5, + "severity": "high", + "details": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\"", + "remediation": { + "partialFix": "2024.7.4", + "partialFixDistance": "MAJOR", + "completeFix": "2024.7.4", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-345" + ], + "published": "2024-07-05T19:15:10Z", + "affectedVersionRanges": [ + ">=2021.5.30,<2024.7.4" + ], + "patchedVersionRanges": [ + "2024.7.4" + ], + "references": [ + "https://github.com/advisories/GHSA-248v-346w-9cwc", + "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", + "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", + "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2024-230.yaml", + "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI", + "https://pypi.org/project/certifi/", + "https://security.netapp.com/advisory/ntap-20241206-0001", + "https://security.netapp.com/advisory/ntap-20241206-0001/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.21233, + "percentile": 0.95751 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 11088937, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+idna$3.6", + "name": "idna", + "url": "https://pypi.org/project/idna/", + "version": "3.6", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088937?revisionScanId=106820047", + "vulnId": "CVE-2024-3651_pip+idna", + "title": "Uncontrolled Resource Consumption", + "cve": "CVE-2024-3651", + "cvss": 7.5, + "severity": "high", + "details": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "remediation": { + "partialFix": "3.7", + "completeFix": "3.7" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-400", + "CWE-1333" + ], + "published": "2024-07-07T18:15:00Z", + "affectedVersionRanges": [ + "<3.7" + ], + "patchedVersionRanges": [ + "3.7" + ], + "references": [ + "https://github.com/advisories/GHSA-jjg7-2v4v-x38h", + "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d", + "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h", + "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml", + "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb", + "https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43", + "https://pypi.org/project/idna/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.0067, + "percentile": 0.71572 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 15980738, + "type": "vulnerability", + "createdAt": "2026-05-20T14:40:25.221Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-05-20T14:40:25.221+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/15980738?revisionScanId=106820047", + "vulnId": "CVE-2026-25645_pip+requests", + "title": "Insecure Temporary File", + "cve": "CVE-2026-25645", + "cvss": 4.4, + "severity": "medium", + "details": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.", + "remediation": { + "partialFix": "2.33.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Local" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "Low" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-377" + ], + "published": "2026-03-25T17:16:52Z", + "affectedVersionRanges": [ + "<2.33.0" + ], + "patchedVersionRanges": [ + "2.33.0" + ], + "references": [ + "https://github.com/advisories/GHSA-gc5v-m9x4-r6x2", + "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7", + "https://github.com/psf/requests/releases/tag/v2.33.0", + "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2", + "https://pypi.org/project/requests/" + ], + "cvssVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 5E-05, + "percentile": 0.00232 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 11088938, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088938?revisionScanId=106820047", + "vulnId": "CVE-2024-47081_pip+requests", + "title": "Insufficiently Protected Credentials", + "cve": "CVE-2024-47081", + "cvss": 5.3, + "severity": "medium", + "details": "Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.", + "remediation": { + "partialFix": "2.32.4", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-522" + ], + "published": "2025-06-09T19:06:08Z", + "affectedVersionRanges": [ + "<2.32.4" + ], + "patchedVersionRanges": [ + "2.32.4" + ], + "references": [ + "http://seclists.org/fulldisclosure/2025/Jun/2", + "http://www.openwall.com/lists/oss-security/2025/06/03/11", + "http://www.openwall.com/lists/oss-security/2025/06/03/9", + "http://www.openwall.com/lists/oss-security/2025/06/04/1", + "http://www.openwall.com/lists/oss-security/2025/06/04/6", + "https://github.com/advisories/GHSA-9hjg-9r4m-mvj7", + "https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef", + "https://github.com/psf/requests/pull/6965", + "https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7", + "https://pypi.org/project/requests/", + "https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env", + "https://seclists.org/fulldisclosure/2025/Jun/2" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00208, + "percentile": 0.43056 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 9643353, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643353?revisionScanId=106820047", + "vulnId": "CVE-2024-35195_pip+requests", + "title": "Always-Incorrect Control Flow Implementation", + "cve": "CVE-2024-35195", + "cvss": 5.6, + "severity": "medium", + "details": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "remediation": { + "partialFix": "2.32.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Local" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "High" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-670" + ], + "published": "2024-05-20T20:15:00Z", + "affectedVersionRanges": [ + "<2.32.0" + ], + "patchedVersionRanges": [ + "2.32.0" + ], + "references": [ + "https://github.com/advisories/GHSA-9wx4-h78v-vm56", + "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac", + "https://github.com/psf/requests/pull/6655", + "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ", + "https://pypi.org/project/requests/" + ], + "cvssVector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00044, + "percentile": 0.13635 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 9643352, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643352?revisionScanId=106820047", + "vulnId": "CVE-2023-32681_pip+requests", + "title": "Exposure of Sensitive Information to an Unauthorized Actor", + "cve": "CVE-2023-32681", + "cvss": 6.1, + "severity": "medium", + "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.", + "remediation": { + "partialFix": "2.31.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Changed" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-200" + ], + "published": "2023-05-26T18:15:00Z", + "affectedVersionRanges": [ + ">=2.3.0,<2.31.0" + ], + "patchedVersionRanges": [ + "2.31.0" + ], + "references": [ + "https://github.com/advisories/GHSA-j8r2-6x86-q33q", + "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5", + "https://github.com/psf/requests/releases/tag/v2.31.0", + "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q", + "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/", + "https://pypi.org/project/requests/", + "https://security.gentoo.org/glsa/202309-08" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.06121, + "percentile": 0.90893 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 17096816, + "type": "vulnerability", + "createdAt": "2026-05-20T14:40:25.221Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-05-20T14:40:25.221+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/17096816?revisionScanId=106820047", + "vulnId": "CVE-2026-44431_pip+urllib3", + "title": "Exposure of Sensitive Information to an Unauthorized Actor", + "cve": "CVE-2026-44431", + "cvss": 8.2, + "severity": "high", + "details": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", + "remediation": { + "partialFix": "2.7.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "High" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-200", + "NVD-CWE-noinfo" + ], + "published": "2026-05-13T16:16:57Z", + "affectedVersionRanges": [ + ">=1.23,<2.7.0" + ], + "patchedVersionRanges": [], + "references": [ + "https://github.com/advisories/GHSA-qccp-gfcp-xxvc", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.0004, + "percentile": 0.12165 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14594289, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14594289?revisionScanId=106820047", + "vulnId": "CVE-2026-21441_pip+urllib3", + "title": "Improper Handling of Highly Compressed Data (Data Amplification)", + "cve": "CVE-2026-21441", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.", + "remediation": { + "partialFix": "2.6.3", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-409" + ], + "published": "2026-01-07T22:15:44Z", + "affectedVersionRanges": [ + ">=1.22,<2.6.3" + ], + "patchedVersionRanges": [ + "2.6.3" + ], + "references": [ + "https://github.com/advisories/GHSA-38jv-5279-wg99", + "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99", + "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00032, + "percentile": 0.09194 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14169171, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169171?revisionScanId=106820047", + "vulnId": "CVE-2025-66418_pip+urllib3", + "title": "Allocation of Resources Without Limits or Throttling", + "cve": "CVE-2025-66418", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.", + "remediation": { + "partialFix": "2.6.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-770" + ], + "published": "2025-12-05T16:15:51Z", + "affectedVersionRanges": [ + ">=1.24,<2.6.0" + ], + "patchedVersionRanges": [ + "2.6.0" + ], + "references": [ + "https://github.com/advisories/GHSA-gm62-xv2j-4w53", + "https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00019, + "percentile": 0.05115 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14169170, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169170?revisionScanId=106820047", + "vulnId": "CVE-2025-66471_pip+urllib3", + "title": "Improper Handling of Highly Compressed Data (Data Amplification)", + "cve": "CVE-2025-66471", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", + "remediation": { + "partialFix": "2.6.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-409" + ], + "published": "2025-12-05T17:16:04Z", + "affectedVersionRanges": [ + ">=1.0,<2.6.0" + ], + "patchedVersionRanges": [ + "2.6.0" + ], + "references": [ + "https://github.com/advisories/GHSA-2xpw-w6gg-jr37", + "https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00017, + "percentile": 0.04227 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 10198614, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/10198614?revisionScanId=106820047", + "vulnId": "CVE-2025-50181_pip+urllib3", + "title": "URL Redirection to Untrusted Site ('Open Redirect')", + "cve": "CVE-2025-50181", + "cvss": 5.3, + "severity": "medium", + "details": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.", + "remediation": { + "partialFix": "2.5.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "Low" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-601" + ], + "published": "2025-06-18T17:50:00Z", + "affectedVersionRanges": [ + "<2.5.0" + ], + "patchedVersionRanges": [ + "2.5.0" + ], + "references": [ + "https://github.com/advisories/GHSA-pq67-6m6q-mj2v", + "https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857", + "https://github.com/urllib3/urllib3/releases/tag/2.5.0", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00079, + "percentile": 0.23201 + }, + "cpes": [], + "customRiskScore": null + } + ], + "licensing": [], + "quality": [] +} diff --git a/tests/fixtures/fossa/fossa-sbom-empty-deep.json b/tests/fixtures/fossa/fossa-sbom-empty-deep.json new file mode 100644 index 0000000..f3cf63e --- /dev/null +++ b/tests/fixtures/fossa/fossa-sbom-empty-deep.json @@ -0,0 +1 @@ +{"copyrightsByLicense":{"MIT":["2013 Fatih Arslan","2016 Yasuhiro Matsumoto","Yasuhiro MATSUMOTO "]},"deepDependencies":[{"authors":["mattn","hymkor","koron","alecrabbit","dolmen","tklauser","ikedam","toshimaru","mislav","ncw","aviau","cenkalti","whereswaldon","secDre4mer","alexandear","radeksimko","segrey","magicshui","filimonov","naoyukis","rbtnn","tyru","uji"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable"],"description":"Cached by the Go Module Proxy at Wed, 29 Sep 2021 16:02:39 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-colorable/@v/v0.1.9.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2016 Yasuhiro Matsumoto\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-colorable","projectUrl":"http://godoc.org/github.com/mattn/go-colorable","source":"go","title":"github.com/mattn/go-colorable","version":"v0.1.9"},{"authors":["mattn","tklauser","thesyncim","dolmen","renovate[bot]","shogo82148","aeppert","grafov","carlosedp","mysqto","dkegel-fastly","dmgk","ddevault","Mischi","fatih","cookieY","lgonzalez-silen","mahdi-hm","marcauberer","martinlindhe","ncw","radeksimko","sthibaul","CaptainCodeman","tjni","stuartnelson3"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable > github.com/mattn/go-isatty","github.com/fatih/color > github.com/mattn/go-isatty"],"description":"Cached by the Go Module Proxy at Sun, 29 Aug 2021 14:41:14 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-isatty/@v/v0.0.14.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Yasuhiro MATSUMOTO \nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-isatty","projectUrl":"http://godoc.org/github.com/mattn/go-isatty","source":"go","title":"github.com/mattn/go-isatty","version":"v0.0.14"}],"directDependencies":[{"authors":["fatih","dependabot[bot]","gregpoirson","pellared","n10v","sashamelentyev","bl-ue","zddhub","ataypamart","pattmax00","qualidafial","martinlindhe","msabramo","rhysd","Tonkpils","klauspost","jeffwillette","hackebrot","sinan","tliron","morfu","mattn","majiayu000","UnSubble","ilyabrin","hyunsooda","hermanschaaf","DrKhyz","EdwardBetts","dmitris","cenkalti","moorereason","andrewaustin","deining","AlekSi","klaidliadon","ahmetb","achilleas-k"],"dependencyPaths":["github.com/fatih/color"],"description":"Color package for Go (golang)","downloadUrl":"https://proxy.golang.org/github.com/fatih/color/@v/v1.13.0.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2013 Fatih Arslan\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/fatih/color","projectUrl":"https://pkg.go.dev/github.com/fatih/color","source":"go","title":"github.com/fatih/color","version":"v1.13.0"}],"licenses":{"MIT":"MIT License\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."},"project":{"name":"example-validation-project","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-windows"}} \ No newline at end of file diff --git a/tests/fixtures/fossa/fossa-sbom-populated.json b/tests/fixtures/fossa/fossa-sbom-populated.json new file mode 100644 index 0000000..303f92c --- /dev/null +++ b/tests/fixtures/fossa/fossa-sbom-populated.json @@ -0,0 +1 @@ +{"copyrightsByLicense":{"Apache-2.0":["Amazon.com, Inc. or its affiliates. All Rights Reserved."," Amazon.com, Inc. or its affiliates. All Rights Reserved.","2015 Google Inc. All rights reserved."],"BSD-3-Clause":["2013-2023 Kim Davies and contributors.","2022 Intel Corporation","2023 Intel Corporation","2019 Google LLC","2024 Arm Limited and/or its affiliates ","2022-2023 Intel Corporation","2021 Serge Sans Paille","2010 Jonathan Hartley","2014 Bibek Kafle and Roland Shoemaker","2014 John MacFarlane","Individual contributors.","2015 The Go Authors. All rights reserved."," Individual contributors.","2005-2020 NumPy Developers."],"CC-BY-SA-4.0":[],"IETF":[],"MIT":["2020 Will McGugan"," Sindre Sorhus (sindresorhus.com)","2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2012-2013 Mitch Garnaat http://garnaat.org/","2012-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz.","2010-2020 Benjamin Peterson","2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)","2015-2016 Will Bond ","2012 Senko Rasic ","2008-2020 Andrey Petrov and contributors.","2019 TAHRI Ahmed R."],"MPL-2.0":["2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2019-2022 Pyodide contributors and Mozilla","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz."]},"deepDependencies":[{"authors":["me@kennethreitz.com"],"dependencyPaths":["requests > certifi"],"description":"Python package for providing Mozilla's CA Bundle.","downloadUrl":"https://files.pythonhosted.org/packages/d4/91/c89518dd4fe1f3a4e3f6ab7ff23cb00ef2e8c9adf99dacc618ad5e068e28/certifi-2023.11.17.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n","name":"MPL-2.0"}],"notes":[],"otherLicenses":[],"package":"certifi","projectUrl":"https://github.com/certifi/python-certifi","source":"pip","title":"certifi","version":"2023.11.17"},{"authors":["\"Ahmed R. TAHRI\" "],"dependencyPaths":["requests > charset-normalizer"],"description":"The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.","downloadUrl":"https://files.pythonhosted.org/packages/56/31/7bcaf657fafb3c6db8c787a865434290b726653c912085fbd371e9b92e1c/charset-normalizer-2.0.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"charset-normalizer","projectUrl":"https://pypi.org/project/charset-normalizer/","source":"pip","title":"charset-normalizer","version":"2.0.12"},{"authors":["Jonathan Hartley "],"dependencyPaths":["rich > colorama"],"description":"Cross-platform colored terminal text.","downloadUrl":"https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2010 Jonathan Hartley\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holders, nor those of its contributors\n may be used to endorse or promote products derived from this software without\n specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"colorama","projectUrl":"https://pypi.org/project/colorama/","source":"pip","title":"colorama","version":"0.4.6"},{"authors":["rolandshoemaker@gmail.com"],"dependencyPaths":["rich > commonmark"],"description":"commonmark.py\n=============\n\ncommonmark.py is a pure Python port of `jgm `__'s\n`commonmark.js `__, a\nMarkdown parser and renderer for the\n`CommonMark `__ specification, using only native\nmodules. Once both this project and the CommonMark specification are\nstable we will release the first ``1.0`` version and attempt to keep up\nto date with changes in ``commonmark.js``.\n\ncommonmark.py is tested against the CommonMark spec with Python versions\n2.7, 3.4, 3.5, 3.6, and 3.7.\n\n**Current version:** 0.9.1\n\n|Pypi Link| |Build Status| |Doc Link|\n\nInstallation\n------------\n\n::\n\n $ pip install commonmark\n\nUsage\n-----\n\n::\n\n >>> import commonmark\n >>> commonmark.commonmark('*hello!*')\n '

hello!

\\n'\n\nOr, without the syntactic sugar:\n\n.. code:: python\n\n import commonmark\n parser = commonmark.Parser()\n ast = parser.parse(\"Hello *World*\")\n\n renderer = commonmark.HtmlRenderer()\n html = renderer.render(ast)\n print(html) #

Hello World

\n\n # inspecting the abstract syntax tree\n json = commonmark.dumpJSON(ast)\n commonmark.dumpAST(ast) # pretty print generated AST structure\n\nThere is also a CLI:\n\n::\n\n $ cmark README.md -o README.html\n $ cmark README.md -o README.json -aj # output AST as JSON\n $ cmark README.md -a # pretty print generated AST structure\n $ cmark -h\n usage: cmark [-h] [-o [O]] [-a] [-aj] [infile]\n\n Process Markdown according to the CommonMark specification.\n\n positional arguments:\n infile Input Markdown file to parse, defaults to stdin\n\n optional arguments:\n -h, --help show this help message and exit\n -o [O] Output HTML/JSON file, defaults to stdout\n -a Print formatted AST\n -aj Output JSON AST\n\n\nContributing\n------------\n\nIf you would like to offer suggestions/optimizations/bugfixes through\npull requests please do! Also if you find an error in the\nparser/renderer that isn't caught by the current test suite please open\na new issue and I would also suggest you send the\n`commonmark.js `__ project\na pull request adding your test to the existing test suite.\n\nTests\n-----\n\nTo work on commonmark.py, you will need to be able to run the test suite to\nmake sure your changes don't break anything. To run the tests, you can do\nsomething like this:\n\n::\n\n $ pyvenv venv\n $ ./venv/bin/python setup.py develop test\n\nThe tests script, ``commonmark/tests/run_spec_tests.py``, is pretty much a devtool. As\nwell as running all the tests embedded in ``spec.txt`` it also allows you\nto run specific tests using the ``-t`` argument, provide information\nabout passed tests with ``-p``, percentage passed by category of test\nwith ``-s``, and enter markdown interactively with ``-i`` (In\ninteractive mode end a block by inputting a line with just ``end``, to\nquit do the same but with ``quit``). ``-d`` can be used to print call\ntracing.\n\n::\n\n $ ./venv/bin/python commonmark/tests/run_spec_tests.py -h\n usage: run_spec_tests.py [-h] [-t T] [-p] [-f] [-i] [-d] [-np] [-s]\n\n script to run the CommonMark specification tests against the commonmark.py\n parser.\n\n optional arguments:\n -h, --help show this help message and exit\n -t T Single test to run or comma separated list of tests (-t 10 or -t 10,11,12,13)\n -p Print passed test information\n -f Print failed tests (during -np...)\n -i Interactive Markdown input mode\n -d Debug, trace calls\n -np Only print section header, tick, or cross\n -s Print percent of tests passed by category\n\nAuthors\n-------\n\n- `Bibek Kafle `__\n- `Roland Shoemaker `__\n- `Nikolas Nyby `__\n\n.. |Pypi Link| image:: https://img.shields.io/pypi/v/commonmark.svg\n :target: https://pypi.org/project/commonmark/\n\n.. |Build Status| image:: https://travis-ci.org/rtfd/commonmark.py.svg?branch=master\n :target: https://travis-ci.org/rtfd/commonmark.py\n\n.. |Doc Link| image:: https://readthedocs.org/projects/commonmarkpy/badge/?version=latest\n :target: https://commonmarkpy.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\n\n","downloadUrl":"https://files.pythonhosted.org/packages/60/48/a60f593447e8f0894ebb7f6e6c1f25dafc5e89c5879fdc9360ae93ff83f0/commonmark-0.9.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2014, Bibek Kafle and Roland Shoemaker\r\n\r\nBased on stmd.js: Copyright (c) 2014, John MacFarlane\r\n\r\nAll rights reserved.\r\n\r\nRedistribution and use in source and binary forms, with or without\r\nmodification, are permitted provided that the following conditions are met:\r\n\r\n * Redistributions of source code must retain the above copyright\r\n notice, this list of conditions and the following disclaimer.\r\n\r\n * Redistributions in binary form must reproduce the above\r\n copyright notice, this list of conditions and the following\r\n disclaimer in the documentation and/or other materials provided\r\n with the distribution.\r\n\r\n * Neither the names of Bibek Kafle, Roland Shoemaker nor the names of other\r\n contributors may be used to endorse or promote products derived\r\n from this software without specific prior written permission.\r\n\r\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\r\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\r\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\r\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\r\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\r\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\r\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\r\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\r\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\r\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\r\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[{"attribution":"Attribution-ShareAlike 4.0 International<>\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reasonโ€“for example, because of any applicable exception or limitation to copyrightโ€“then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 โ€“ Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 โ€“ Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor โ€“ Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor โ€“ Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 โ€“ License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 โ€“ Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 โ€“ Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 โ€“ Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 โ€“ Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 โ€“ Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","name":"CC-BY-SA-4.0"}],"package":"commonmark","projectUrl":"https://github.com/rtfd/commonmark.py","source":"pip","title":"commonmark","version":"0.9.1"},{"authors":["Kim Davies "],"dependencyPaths":["requests > idna"],"description":"Internationalized Domain Names in Applications (IDNA)","downloadUrl":"https://files.pythonhosted.org/packages/bf/3f/ea4b9117521a1e9c50344b909be7886dd00a519552724809bb1f486986c2/idna-3.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"BSD 3-Clause License\n\nCopyright (c) 2013-2023, Kim Davies and contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its\n contributors may be used to endorse or promote products derived from\n this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"idna","projectUrl":"https://pypi.org/project/idna/","source":"pip","title":"idna","version":"3.6"},{"authors":["Andrey Petrov "],"dependencyPaths":["requests > urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/e4/e8/6ff5e6bc22095cfc59b6ea711b687e2b7ed4bdb373f7eeec370a97d7392f/urllib3-1.26.20.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"Copyright 2015 Google Inc. All rights reserved.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\nSee the License for the specific language governing permissions and limitations under the License.","name":"Apache-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"1.26.20"}],"directDependencies":[{"authors":["Amazon Web Services"],"dependencyPaths":["botocore"],"description":"Low-level, data-driven core of boto 3.","downloadUrl":"https://files.pythonhosted.org/packages/6d/a1/95ec376c2300e605225998619c46f7093c515710b9d6d65f891f126f32b6/botocore-1.43.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"Copyright (c) 2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"},{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"botocore","projectUrl":"https://github.com/boto/botocore","source":"pip","title":"botocore","version":"1.43.12"},{"authors":["The Python Cryptographic Authority and individual contributors "],"dependencyPaths":["cryptography"],"description":"cryptography is a package which provides cryptographic recipes and primitives to Python developers.","downloadUrl":"https://files.pythonhosted.org/packages/9f/a9/db8f313fdcd85d767d4973515e1db101f9c71f95fced83233de224673757/cryptography-48.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"},{"attribution":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","name":"IETF"}],"package":"cryptography","projectUrl":"https://pypi.org/project/cryptography/","source":"pip","title":"cryptography","version":"48.0.0"},{"authors":[],"dependencyPaths":["numpy"],"description":null,"downloadUrl":"https://files.pythonhosted.org/packages/d0/ad/fed0499ce6a338d2a03ebae59cd15093910c8875328855781952abf6c2fe/numpy-2.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2005-2020, NumPy Developers.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n * Redistributions in binary form must reproduce the above\n copyright notice, this list of conditions and the following\n disclaimer in the documentation and/or other materials provided\n with the distribution.\n\n * Neither the name of the NumPy Developers nor the names of any\n contributors may be used to endorse or promote products derived\n from this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"numpy","projectUrl":null,"source":"pip","title":"numpy","version":"2.4.6"},{"authors":["Kenneth Reitz "],"dependencyPaths":["requests"],"description":"Python HTTP for Humans.","downloadUrl":"https://files.pythonhosted.org/packages/60/f3/26ff3767f099b73e0efa138a9998da67890793bfa475d8278f84a30fec77/requests-2.27.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[],"package":"requests","projectUrl":"https://pypi.org/project/requests/","source":"pip","title":"requests","version":"2.27.1"},{"authors":["willmcgugan@gmail.com"],"dependencyPaths":["rich"],"description":"Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal","downloadUrl":"https://files.pythonhosted.org/packages/eb/be/bd5d6c37f5de55f31cb9432e0d926ceeab1b2ee774bd696557b53bc15012/rich-11.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2020 Will McGugan\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"rich","projectUrl":"https://pypi.org/project/rich/","source":"pip","title":"rich","version":"11.0.0"},{"authors":["Andrey Petrov "],"dependencyPaths":["urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"2.7.0"}],"licenses":{"Apache-2.0":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","BSD-3-Clause":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","CC-BY-SA-4.0":"Creative Commons Attribution-ShareAlike 4.0 International Creative Commons Corporation (\"Creative Commons\") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an \"as-is\" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reasonโ€“for example, because of any applicable exception or limitation to copyrightโ€“then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 โ€“ Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 โ€“ Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor โ€“ Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor โ€“ Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 โ€“ License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 โ€“ Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 โ€“ Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 โ€“ Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 โ€“ Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 โ€“ Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","IETF":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","MIT":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","MPL-2.0":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n"},"project":{"name":"example-validation-project","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux"}} diff --git a/tests/unit/test_cli_config.py b/tests/unit/test_cli_config.py index 045f0e4..39447c2 100644 --- a/tests/unit/test_cli_config.py +++ b/tests/unit/test_cli_config.py @@ -1,14 +1,60 @@ import pytest from socketsecurity.config import CliConfig + +class TestExitCodeOnApiError: + def test_default_is_3(self): + config = CliConfig.from_args(["--api-token", "test"]) + assert config.exit_code_on_api_error == 3 + + def test_custom_value(self): + config = CliConfig.from_args( + ["--api-token", "test", "--exit-code-on-api-error", "100"] + ) + assert config.exit_code_on_api_error == 100 + + def test_zero_value(self): + config = CliConfig.from_args( + ["--api-token", "test", "--exit-code-on-api-error", "0"] + ) + assert config.exit_code_on_api_error == 0 + + +class TestCommitMessageTruncation: + def test_passes_through_under_limit(self): + msg = "a normal short commit message" + config = CliConfig.from_args(["--api-token", "test", "--commit-message", msg]) + assert config.commit_message == msg + + def test_truncated_above_limit(self): + config = CliConfig.from_args( + ["--api-token", "test", "--commit-message", "a" * 250] + ) + assert config.commit_message == "a" * 200 + + def test_quote_strip_runs_before_truncation(self): + quoted = '"' + ("b" * 250) + '"' + config = CliConfig.from_args( + ["--api-token", "test", "--commit-message", quoted] + ) + assert config.commit_message == "b" * 200 + + class TestCliConfig: def test_api_token_from_env(self, monkeypatch): monkeypatch.setenv("SOCKET_SECURITY_API_KEY", "test-token") config = CliConfig.from_args([]) # Empty args list assert config.api_token == "test-token" - def test_required_args(self): + def test_required_args(self, monkeypatch): """Test that api token is required if not in environment""" + for env_var in ( + "SOCKET_SECURITY_API_KEY", + "SOCKET_SECURITY_API_TOKEN", + "SOCKET_API_KEY", + "SOCKET_API_TOKEN", + ): + monkeypatch.delenv(env_var, raising=False) with pytest.raises(ValueError, match="API token is required"): config = CliConfig.from_args([]) if not config.api_token: @@ -81,4 +127,42 @@ def test_workspace_is_independent_of_workspace_name(self): "--workspace-name", "monorepo-suffix", ]) assert config.workspace == "my-workspace" - assert config.workspace_name == "monorepo-suffix" \ No newline at end of file + assert config.workspace_name == "monorepo-suffix" + + def test_legal_flag_sets_default_artifact_files(self): + config = CliConfig.from_args(["--api-token", "test", "--legal"]) + assert config.legal is True + assert config.legal_format == "socket" + assert config.generate_license is True + assert config.json_file == "socket-report.json" + assert config.summary_file == "socket-summary.txt" + assert config.report_link_file == "socket-report-link.txt" + assert config.sbom_file == "socket-sbom.json" + assert config.license_file_name == "socket-license.json" + + def test_legal_flag_preserves_explicit_file_paths(self): + config = CliConfig.from_args([ + "--api-token", "test", + "--legal", + "--json-file", "custom-report.json", + "--summary-file", "custom-summary.txt", + "--report-link-file", "custom-link.txt", + "--sbom-file", "custom-sbom.json", + "--license-file-name", "custom-license.json", + ]) + assert config.json_file == "custom-report.json" + assert config.summary_file == "custom-summary.txt" + assert config.report_link_file == "custom-link.txt" + assert config.sbom_file == "custom-sbom.json" + assert config.license_file_name == "custom-license.json" + + def test_fossa_legal_format_enables_legal_defaults(self): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + assert config.legal is True + assert config.legal_format == "fossa" + assert config.generate_license is True + assert config.json_file == "fossa-analyze.json" + assert config.summary_file == "fossa-test.txt" + assert config.report_link_file == "fossa-link.txt" + assert config.sbom_file is None + assert config.license_file_name == "fossa-sbom.json" diff --git a/tests/unit/test_client.py b/tests/unit/test_client.py index 3998d39..e0f62d8 100644 --- a/tests/unit/test_client.py +++ b/tests/unit/test_client.py @@ -122,4 +122,53 @@ def test_request_with_payload(client): args, kwargs = mock_request.call_args assert kwargs['method'] == "POST" - assert kwargs['data'] == payload \ No newline at end of file + assert kwargs['data'] == payload + + +def test_post_telemetry_events_sends_individually(client): + """Test that telemetry events are posted one at a time to v0 API""" + import json + + events = [ + {"event_kind": "user-action", "client_action": "ignore_alerts", "artifact_purl": "pkg:npm/foo@1.0.0"}, + {"event_kind": "user-action", "client_action": "ignore_alerts", "artifact_purl": "pkg:npm/bar@2.0.0"}, + ] + + with patch('requests.request') as mock_request: + mock_response = Mock() + mock_response.status_code = 201 + mock_request.return_value = mock_response + + client.post_telemetry_events("test-org", events) + + assert mock_request.call_count == 2 + + first_call = mock_request.call_args_list[0] + assert first_call.kwargs['url'] == "https://api.socket.dev/v0/orgs/test-org/telemetry" + assert first_call.kwargs['method'] == "POST" + assert first_call.kwargs['data'] == json.dumps(events[0]) + + second_call = mock_request.call_args_list[1] + assert second_call.kwargs['data'] == json.dumps(events[1]) + + +def test_post_telemetry_events_continues_on_failure(client): + """Test that a failed event does not prevent subsequent events from being sent""" + import json + + events = [ + {"event_kind": "user-action", "artifact_purl": "pkg:npm/foo@1.0.0"}, + {"event_kind": "user-action", "artifact_purl": "pkg:npm/bar@2.0.0"}, + ] + + with patch('requests.request') as mock_request: + mock_response = Mock() + mock_response.status_code = 201 + mock_request.side_effect = [ + requests.exceptions.ConnectionError("timeout"), + mock_response, + ] + + client.post_telemetry_events("test-org", events) + + assert mock_request.call_count == 2 diff --git a/tests/unit/test_config.py b/tests/unit/test_config.py index 2c46628..7403005 100644 --- a/tests/unit/test_config.py +++ b/tests/unit/test_config.py @@ -1,5 +1,7 @@ +from pathlib import Path import pytest from unittest.mock import patch +import tomllib from socketsecurity.core.socket_config import SocketConfig from socketsecurity.config import CliConfig @@ -162,3 +164,65 @@ def test_config_file_json_sets_defaults(self, tmp_path): assert config.sarif_scope == "full" assert config.sarif_grouping == "alert" assert config.sarif_reachability == "reachable" + + +class TestReachAlignmentFlags: + """Tests for the reachability flag/default alignment with the Node CLI.""" + + BASE_ARGS = ["--api-token", "test-token", "--repo", "test-repo"] + + def test_reach_defaults_are_unset_and_delegated_to_coana(self): + """memory-limit/concurrency/timeout are not hardcoded; omitted so coana applies its + own defaults (8192 MB / concurrency 1 / 600s), which already match what we'd set.""" + config = CliConfig.from_args(self.BASE_ARGS + ["--reach"]) + assert config.reach_analysis_memory_limit is None + assert config.reach_concurrency is None + assert config.reach_analysis_timeout is None + + def test_reach_node_style_name_aliases(self): + """G8: Node-style primary names map to the same dests.""" + config = CliConfig.from_args( + self.BASE_ARGS + + ["--reach", "--reach-analysis-timeout", "300", "--reach-analysis-memory-limit", "2048"] + ) + assert config.reach_analysis_timeout == 300 + assert config.reach_analysis_memory_limit == 2048 + + def test_reach_legacy_name_aliases_still_work(self): + """G8: pre-alignment names keep working (hidden aliases).""" + config = CliConfig.from_args( + self.BASE_ARGS + ["--reach", "--reach-timeout", "111", "--reach-memory-limit", "512"] + ) + assert config.reach_analysis_timeout == 111 + assert config.reach_analysis_memory_limit == 512 + + def test_reach_debug_flag(self): + """G9: dedicated --reach-debug flag, independent of --enable-debug.""" + config = CliConfig.from_args(self.BASE_ARGS + ["--reach", "--reach-debug"]) + assert config.reach_debug is True + assert config.enable_debug is False + + def test_reach_disable_external_tool_checks_flag(self): + """G1: --reach-disable-external-tool-checks parses to its dest.""" + config = CliConfig.from_args( + self.BASE_ARGS + ["--reach", "--reach-disable-external-tool-checks"] + ) + assert config.reach_disable_external_tool_checks is True + + def test_reach_new_flags_default_false(self): + config = CliConfig.from_args(self.BASE_ARGS + ["--reach"]) + assert config.reach_debug is False + assert config.reach_disable_external_tool_checks is False + + +def test_pyproject_requires_python_matches_tomllib_usage(): + pyproject = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8")) + requires_python = pyproject["project"]["requires-python"] + + assert requires_python.startswith(">=") + + minimum_version = tuple(int(part) for part in requires_python.removeprefix(">=").split(".")[:2]) + config_module = Path("socketsecurity/config.py").read_text(encoding="utf-8") + + if "import tomllib" in config_module: + assert minimum_version >= (3, 11) diff --git a/tests/unit/test_dependency_overview.py b/tests/unit/test_dependency_overview.py new file mode 100644 index 0000000..3afb805 --- /dev/null +++ b/tests/unit/test_dependency_overview.py @@ -0,0 +1,67 @@ +from socketsecurity.core.classes import Diff, Package, Purl +from socketsecurity.core.messages import Messages + + +def _make_purl(name: str, scores) -> Purl: + return Purl( + id=f"pkg:npm/{name}@1.0.0", + name=name, + version="1.0.0", + ecosystem="npm", + direct=True, + introduced_by=[("direct", "package.json")], + author=["test-author"], + size=1000, + transitives=0, + url=f"https://socket.dev/npm/package/{name}/overview/1.0.0", + purl=f"pkg:npm/{name}@1.0.0", + scores=scores, + ) + + +def test_package_from_diff_artifact_normalizes_null_score(): + package = Package.from_diff_artifact( + { + "id": "pkg:npm/example@1.0.0", + "name": "example", + "version": "1.0.0", + "type": "npm", + "diffType": "added", + "score": None, + "alerts": [], + "author": [], + "topLevelAncestors": [], + "direct": True, + "manifestFiles": [], + } + ) + + assert package.score == {} + + +def test_dependency_overview_template_defaults_missing_or_null_scores(tmp_path, monkeypatch): + monkeypatch.chdir(tmp_path) + + diff = Diff( + id="test-diff", + diff_url="https://socket.dev/test-diff", + new_packages=[ + _make_purl("missing-scores", None), + _make_purl( + "partial-scores", + { + "supplyChain": 0.42, + "vulnerability": None, + }, + ), + ], + removed_packages=[], + new_alerts=[], + ) + + comment = Messages.dependency_overview_template(diff) + + assert "Socket Security: Dependency Overview" in comment + assert "score-42.svg" in comment + assert "score-100.svg" in comment + assert "score-10000.svg" not in comment diff --git a/tests/unit/test_disable_ignore.py b/tests/unit/test_disable_ignore.py new file mode 100644 index 0000000..e151a3f --- /dev/null +++ b/tests/unit/test_disable_ignore.py @@ -0,0 +1,138 @@ +"""Tests for the --disable-ignore flag.""" + +import pytest +from dataclasses import dataclass + +from socketsecurity.config import CliConfig +from socketsecurity.core.classes import Comment, Diff, Issue +from socketsecurity.core.messages import Messages +from socketsecurity.core.scm_comments import Comments + + +# --- CLI flag parsing tests --- + +class TestDisableIgnoreFlag: + def test_flag_defaults_to_false(self): + config = CliConfig.from_args(["--api-token", "test"]) + assert config.disable_ignore is False + + def test_flag_parsed_with_dashes(self): + config = CliConfig.from_args(["--api-token", "test", "--disable-ignore"]) + assert config.disable_ignore is True + + def test_flag_parsed_with_underscores(self): + config = CliConfig.from_args(["--api-token", "test", "--disable_ignore"]) + assert config.disable_ignore is True + + def test_flag_independent_of_disable_blocking(self): + config = CliConfig.from_args([ + "--api-token", "test", + "--disable-ignore", + "--disable-blocking", + ]) + assert config.disable_ignore is True + assert config.disable_blocking is True + + +# --- Alert suppression tests --- + +def _make_alert(**overrides) -> Issue: + defaults = dict( + pkg_name="lodash", + pkg_version="4.17.21", + pkg_type="npm", + severity="high", + title="Known Malware", + description="Test description", + type="malware", + url="https://socket.dev/test", + manifests="package.json", + props={}, + key="test-key", + purl="pkg:npm/lodash@4.17.21", + error=True, + warn=False, + ignore=False, + monitor=False, + suggestion="Remove this package", + next_step_title="Next steps", + emoji="๐Ÿšจ", + ) + defaults.update(overrides) + return Issue(**defaults) + + +def _make_comment(body: str, comment_id: int = 1) -> Comment: + return Comment( + id=comment_id, + body=body, + body_list=body.split("\n"), + reactions={"+1": 0}, + user={"login": "test-user", "id": 123}, + ) + + +class TestRemoveAlertsRespectedByFlag: + """Verify that Comments.remove_alerts behaves correctly so the + disable_ignore conditional in socketcli.py has the right effect.""" + + def test_remove_alerts_suppresses_matching_alert(self): + """Without --disable-ignore, matching alerts are removed.""" + alert = _make_alert() + ignore_comment = _make_comment("SocketSecurity ignore npm/lodash@4.17.21") + comments = Comments.check_for_socket_comments({ignore_comment.id: ignore_comment}) + result = Comments.remove_alerts(comments, [alert]) + assert len(result) == 0 + + def test_alerts_preserved_when_no_ignore_comments(self): + """With --disable-ignore the caller skips remove_alerts entirely, + which is equivalent to passing empty comments.""" + alert = _make_alert() + result = Comments.remove_alerts({}, [alert]) + assert len(result) == 1 + assert result[0].pkg_name == "lodash" + + def test_ignore_all_suppresses_all_alerts(self): + alert1 = _make_alert() + alert2 = _make_alert(pkg_name="express", pkg_version="4.18.2", + purl="pkg:npm/express@4.18.2") + ignore_comment = _make_comment("SocketSecurity ignore-all") + comments = Comments.check_for_socket_comments({ignore_comment.id: ignore_comment}) + result = Comments.remove_alerts(comments, [alert1, alert2]) + assert len(result) == 0 + + +# --- Comment output tests --- + +@dataclass +class _FakeConfig: + disable_ignore: bool = False + scm: str = "github" + + +class TestSecurityCommentIgnoreInstructions: + def _make_diff_with_alert(self) -> Diff: + diff = Diff() + diff.id = "test-scan-id" + diff.diff_url = "https://socket.dev/test" + diff.new_alerts = [_make_alert()] + return diff + + def test_ignore_instructions_shown_by_default(self): + diff = self._make_diff_with_alert() + config = _FakeConfig(disable_ignore=False) + comment = Messages.security_comment_template(diff, config) + assert "@SocketSecurity ignore" in comment + assert "Mark as acceptable risk" in comment + + def test_ignore_instructions_hidden_when_disabled(self): + diff = self._make_diff_with_alert() + config = _FakeConfig(disable_ignore=True) + comment = Messages.security_comment_template(diff, config) + assert "@SocketSecurity ignore" not in comment + assert "Mark as acceptable risk" not in comment + + def test_ignore_instructions_shown_when_config_is_none(self): + diff = self._make_diff_with_alert() + comment = Messages.security_comment_template(diff, config=None) + assert "@SocketSecurity ignore" in comment diff --git a/tests/unit/test_exclude_paths.py b/tests/unit/test_exclude_paths.py new file mode 100644 index 0000000..32271a1 --- /dev/null +++ b/tests/unit/test_exclude_paths.py @@ -0,0 +1,177 @@ +"""Tests for the unified --exclude-paths flag (G2, Node alignment). + +Covers the path matcher, config parsing + soft-deprecation of --reach-exclude-paths, +and that --exclude-paths filters SCA manifest discovery via Core.find_files. +""" +import logging +import types +from unittest.mock import MagicMock + +import pytest + +from socketsecurity.config import CliConfig +from socketsecurity.core import Core +from socketsecurity.core.socket_config import SocketConfig + +# ---- matcher ------------------------------------------------------------- + +@pytest.mark.parametrize( + "rel, patterns, expected", + [ + # directory prefix -> the directory's whole subtree + ("packages/legacy/package.json", ["packages/legacy"], True), + ("packages/keep/package.json", ["packages/legacy"], False), + # root-anchored: a bare name matches at the root only, NOT nested + ("tests/x.json", ["tests"], True), + ("src/tests/x.json", ["tests"], False), + # **/ matches at any depth + ("src/tests/x.json", ["**/tests"], True), + ("tests/unit/x.json", ["tests/**"], True), + ("tests", ["tests/**"], False), # P/** is the subtree, not P itself + # '*' does NOT cross '/': anchored basename glob is root-level only + ("index.spec.ts", ["*.spec.ts"], True), + ("src/app/index.spec.ts", ["*.spec.ts"], False), + ("src/app/index.spec.ts", ["**/*.spec.ts"], True), + ("src/app/index.ts", ["**/*.spec.ts"], False), + # single-star matches exactly one path segment + ("packages/a/node_modules/x.json", ["packages/*/node_modules"], True), + ("packages/a/b/node_modules/x.json", ["packages/*/node_modules"], False), + ], +) +def test_matches_exclude_paths(rel, patterns, expected): + assert Core.matches_exclude_paths(rel, ".", patterns) is expected + + +@pytest.mark.parametrize( + "pattern, excluded, kept", + [ + # Node parity cases (src/commands/scan/exclude-paths.mts), anchored at scan root. + ("tests", "tests/pkg/package.json", "src/tests/package.json"), + ("package-lock.json", "package-lock.json", "packages/a/package-lock.json"), + ("**/node_modules", "packages/a/node_modules/dep/package.json", "src/app/package.json"), + ("packages/legacy", "packages/legacy/p.json", "packages/legacy-x/p.json"), + ("src/*.json", "src/a.json", "src/sub/a.json"), + ], +) +def test_matches_exclude_paths_node_parity(pattern, excluded, kept): + assert Core.matches_exclude_paths(excluded, ".", [pattern]) is True + assert Core.matches_exclude_paths(kept, ".", [pattern]) is False + + +def test_matches_exclude_paths_empty_is_false(): + assert Core.matches_exclude_paths("a/b.json", ".", []) is False + assert Core.matches_exclude_paths("a/b.json", ".", [" "]) is False + + +# ---- config parsing ------------------------------------------------------ + +BASE_ARGS = ["--api-token", "test-token", "--repo", "test-repo"] + + +def test_exclude_paths_parses_to_list(): + config = CliConfig.from_args(BASE_ARGS + ["--exclude-paths", "tests/**, packages/legacy , *.spec.ts"]) + assert config.exclude_paths == ["tests/**", "packages/legacy", "*.spec.ts"] + + +def test_exclude_paths_defaults_none(): + config = CliConfig.from_args(BASE_ARGS) + assert config.exclude_paths is None + + +def test_reach_exclude_paths_still_works_and_warns(caplog): + with caplog.at_level(logging.WARNING): + config = CliConfig.from_args(BASE_ARGS + ["--reach", "--reach-exclude-paths", "a,b"]) + assert config.reach_exclude_paths == ["a", "b"] + assert any("deprecated" in r.message for r in caplog.records) + + +@pytest.mark.parametrize( + "bad", + ["!foo", "/abs/path", "..", "../escape", "a/../b", ".", "**", "**/", "/**", "./", "./**"], +) +def test_exclude_paths_validation_rejects(bad): + with pytest.raises(SystemExit) as exc: + CliConfig.from_args(BASE_ARGS + ["--exclude-paths", bad]) + assert exc.value.code == 1 + + +def test_exclude_paths_validation_rejects_within_csv(): + with pytest.raises(SystemExit) as exc: + CliConfig.from_args(BASE_ARGS + ["--exclude-paths", "src,..,tests"]) + assert exc.value.code == 1 + + +def _write_config(tmp_path, value): + import json + path = tmp_path / "socketcli.json" + path.write_text(json.dumps({"socketcli": {"exclude_paths": value}}), encoding="utf-8") + return str(path) + + +def test_exclude_paths_from_config_file_list(tmp_path): + """A JSON list in --config flows through normalization (not just CSV strings).""" + cfg = _write_config(tmp_path, ["tests/**", "packages/legacy"]) + config = CliConfig.from_args(BASE_ARGS + ["--config", cfg]) + assert config.exclude_paths == ["tests/**", "packages/legacy"] + + +def test_exclude_paths_from_config_file_string(tmp_path): + cfg = _write_config(tmp_path, "tests/**, packages/legacy") + config = CliConfig.from_args(BASE_ARGS + ["--config", cfg]) + assert config.exclude_paths == ["tests/**", "packages/legacy"] + + +def test_exclude_paths_from_config_file_is_validated(tmp_path): + """Config-file patterns are validated too (not bypassed).""" + cfg = _write_config(tmp_path, ["../escape"]) + with pytest.raises(SystemExit) as exc: + CliConfig.from_args(BASE_ARGS + ["--config", cfg]) + assert exc.value.code == 1 + + +def test_exclude_paths_valid_globs_accepted(): + config = CliConfig.from_args(BASE_ARGS + ["--exclude-paths", "tests/**,**/*.spec.ts,packages/legacy"]) + assert config.exclude_paths == ["tests/**", "**/*.spec.ts", "packages/legacy"] + + +# ---- find_files integration --------------------------------------------- + +def _make_core(exclude_paths): + core = Core.__new__(Core) + core.config = SocketConfig(api_key="test-key") + core.cli_config = types.SimpleNamespace(exclude_paths=exclude_paths) + core.sdk = MagicMock() + return core + + +def _seed_manifests(tmp_path): + for rel in ("package.json", "sub/package.json", "legacy/package.json"): + p = tmp_path / rel + p.parent.mkdir(parents=True, exist_ok=True) + p.write_text("{}", encoding="utf-8") + + +def test_find_files_excludes_matching_paths(tmp_path, mocker): + _seed_manifests(tmp_path) + core = _make_core(["legacy"]) + mocker.patch.object( + core, "get_supported_patterns", + return_value={"npm": {"package.json": {"pattern": "package.json"}}}, + ) + + found = core.find_files(str(tmp_path)) + assert any(f.endswith("/package.json") and "/legacy/" not in f for f in found) + assert not any("/legacy/" in f for f in found) + + +def test_find_files_no_exclude_paths_keeps_all(tmp_path, mocker): + _seed_manifests(tmp_path) + core = _make_core(None) + mocker.patch.object( + core, "get_supported_patterns", + return_value={"npm": {"package.json": {"pattern": "package.json"}}}, + ) + + found = core.find_files(str(tmp_path)) + assert any("/legacy/" in f for f in found) + assert len(found) == 3 diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py new file mode 100644 index 0000000..fadaf03 --- /dev/null +++ b/tests/unit/test_fossa_compat.py @@ -0,0 +1,470 @@ +from socketsecurity.config import CliConfig +from socketsecurity.core.classes import Diff, Issue, Package +from socketsecurity.fossa_compat import ( + build_fossa_attribution_payload, + build_fossa_report_payload, +) + +EXPECTED_TOP_LEVEL_KEYS = ["project", "vulnerability", "licensing", "quality"] +EXPECTED_PROJECT_KEYS = ["branch", "id", "project", "projectId", "revision", "url"] +EXPECTED_VULNERABILITY_KEYS = [ + "affectedVersionRanges", + "containerLayers", + "cpes", + "createdAt", + "customRiskScore", + "cve", + "cveStatus", + "cwes", + "cvss", + "cvssVector", + "depths", + "details", + "epss", + "exploitability", + "id", + "metrics", + "patchedVersionRanges", + "projects", + "published", + "references", + "remediation", + "severity", + "source", + "statuses", + "title", + "type", + "url", + "vulnId", +] +EXPECTED_SOURCE_KEYS = ["id", "name", "packageManager", "url", "version"] +EXPECTED_DEPTH_KEYS = ["deep", "direct"] +EXPECTED_STATUS_KEYS = ["active", "ignored"] +EXPECTED_REMEDIATION_KEYS = [ + "completeFix", + "completeFixDistance", + "partialFix", + "partialFixDistance", +] +EXPECTED_EPSS_KEYS = ["percentile", "score"] + + +def test_fossa_report_payload_uses_expected_top_level_shape(): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") + + payload = build_fossa_report_payload(diff, config) + + assert list(payload.keys()) == EXPECTED_TOP_LEVEL_KEYS + assert sorted(payload["project"].keys()) == sorted(EXPECTED_PROJECT_KEYS) + assert payload["vulnerability"] == [] + assert payload["licensing"] == [] + assert payload["quality"] == [] + + +def test_fossa_report_payload_vulnerability_shape_is_stable(): + config = CliConfig.from_args([ + "--api-token", "test", + "--legal-format", "fossa", + "--repo", "owner/repo", + "--branch", "refs/heads/main", + ]) + diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") + diff.packages = { + "pkg-1": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://requests.readthedocs.io/", + license="Apache-2.0", + purl="pkg:pypi/requests@2.31.0", + ) + } + diff.new_alerts = [ + Issue( + title="Insufficiently Protected Credentials", + severity="medium", + description="Requests may leak credentials for crafted URLs.", + error=True, + key="GHSA-9hjg-9r4m-mvj7", + type="vulnerability", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/pypi/package/requests/alerts/2.31.0", + props={ + "id": 11088938, + "createdAt": "2025-10-08T10:41:05.933Z", + "ghsaId": "GHSA-9hjg-9r4m-mvj7", + "cveId": "CVE-2024-47081", + "cvssScore": 5.3, + "fixedVersion": "2.32.4", + "partialFixDistance": "MINOR", + "completeFixDistance": "MINOR", + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "Required", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cveStatus": "COMPLETED", + "cwes": ["CWE-522"], + "published": "2025-06-09T19:06:08Z", + "affectedVersionRanges": ["<2.32.4"], + "patchedVersionRanges": ["2.32.4"], + "references": ["https://github.com/advisories/GHSA-9hjg-9r4m-mvj7"], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epssScore": 0.00154, + "epssPercentile": 0.35957, + "cpes": [], + }, + ) + ] + + payload = build_fossa_report_payload(diff, config) + generated_vulnerability = payload["vulnerability"][0] + + assert sorted(generated_vulnerability.keys()) == sorted(EXPECTED_VULNERABILITY_KEYS) + assert sorted(generated_vulnerability["source"].keys()) == sorted(EXPECTED_SOURCE_KEYS) + assert sorted(generated_vulnerability["depths"].keys()) == sorted(EXPECTED_DEPTH_KEYS) + assert sorted(generated_vulnerability["statuses"].keys()) == sorted(EXPECTED_STATUS_KEYS) + assert sorted(generated_vulnerability["remediation"].keys()) == sorted(EXPECTED_REMEDIATION_KEYS) + assert sorted(generated_vulnerability["epss"].keys()) == sorted(EXPECTED_EPSS_KEYS) + assert generated_vulnerability["source"]["packageManager"] == "pip" + assert generated_vulnerability["vulnId"] == "GHSA-9hjg-9r4m-mvj7" + assert generated_vulnerability["cve"] == "CVE-2024-47081" + + +def test_project_metadata_uses_dollar_revision_separator(): + """The composed FOSSA `project.id` is `$`.""" + from socketsecurity.fossa_compat import _build_project_metadata + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets", "--branch", "refs/heads/main"]) + diff = Diff(id="scan-abc123", report_url="https://socket.dev/x") + project = _build_project_metadata(diff, config) + assert project == { + "branch": "refs/heads/main", + "id": "acme/widgets$scan-abc123", + "project": "acme/widgets", + "projectId": "acme/widgets", + "revision": "scan-abc123", + "url": "https://socket.dev/x", + } + + +def test_project_metadata_fallbacks_when_missing_fields(): + """Falls back to literal placeholders when config/diff are sparse.""" + from socketsecurity.fossa_compat import _build_project_metadata + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + # Force absent repo/branch: + config.repo = None + config.branch = None + diff = Diff() + project = _build_project_metadata(diff, config) + assert project["branch"] == "socket-default-branch" + assert project["project"] == "socket-default-repo" + assert project["revision"] == "unknown-revision" + assert project["id"] == "socket-default-repo$unknown-revision" + assert project["url"] is None + + +def test_dependency_entry_full_shape(): + """Per-dependency dict has the exact 14-key FOSSA attribution shape.""" + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", + name="requests", + version="2.31.0", + id="pip+requests$2.31.0", + score={}, + alerts=[], + direct=True, + author=["Kenneth Reitz "], + license="Apache-2.0", + licenseAttrib=[{"attribText": "Apache License 2.0\n\nCopyright 2023 Kenneth Reitz", + "attribData": [{"spdxExpr": "Apache-2.0"}]}], + ) + entry = _build_dependency_entry(package, dependency_paths=["requests"]) + assert set(entry.keys()) == { + "authors", "dependencyPaths", "description", "downloadUrl", "hash", + "isGolang", "licenses", "notes", "otherLicenses", "package", + "projectUrl", "source", "title", "version", + } + assert entry["authors"] == ["Kenneth Reitz "] + assert entry["dependencyPaths"] == ["requests"] + assert entry["description"] == "" + assert entry["downloadUrl"] == "" + assert entry["hash"] is None + assert entry["isGolang"] is None + assert entry["licenses"] == [{ + "attribution": "Apache License 2.0\n\nCopyright 2023 Kenneth Reitz", + "name": "Apache-2.0", + }] + assert entry["notes"] == [] + assert entry["otherLicenses"] == [] + assert entry["package"] == "requests" + assert entry["projectUrl"] == "" + assert entry["source"] == "pip" + assert entry["title"] == "requests" + assert entry["version"] == "2.31.0" + + +def test_dependency_entry_falls_back_to_declared_license_when_no_attrib(): + """When licenseAttrib is empty, `licenses[]` falls back to a single name-only entry from Package.license.""" + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", name="x", version="1.0", id="pip+x$1.0", + score={}, alerts=[], license="MIT", + ) + entry = _build_dependency_entry(package, dependency_paths=["x"]) + assert entry["licenses"] == [{"attribution": "", "name": "MIT"}] + + +def test_dependency_entry_unlicensed_package_emits_empty_licenses(): + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", name="x", version="1.0", id="pip+x$1.0", + score={}, alerts=[], license=None, + ) + entry = _build_dependency_entry(package, dependency_paths=["x"]) + assert entry["licenses"] == [] + + +def test_analyze_payload_top_level_keys_exactly_four(): + """The composed FOSSA analyze artifact has exactly project/vulnerability/licensing/quality.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + diff = Diff() # empty alerts + payload = build_fossa_report_payload(diff, config) + assert set(payload.keys()) == {"project", "vulnerability", "licensing", "quality"} + assert "risk" not in payload + + +def test_analyze_payload_empty_diff_yields_empty_arrays(): + """An empty diff still emits all 4 keys with `[]` arrays.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_report_payload(Diff(), config) + assert payload["vulnerability"] == [] + assert payload["licensing"] == [] + assert payload["quality"] == [] + + +def test_vulnerability_gap_fields_emit_known_defaults(): + """Fields with no Socket data source emit documented null/empty defaults.""" + from socketsecurity.fossa_compat import _build_vulnerability_entry + issue = Issue( + type="criticalCVE", + severity="high", + key="x", + pkg_type="pypi", + pkg_name="x", + pkg_version="1.0", + props={}, + ) + package = Package( + type="pypi", + name="x", + version="1.0", + id="pip+x$1.0", + score={}, + alerts=[], + direct=True, + ) + project = {"branch": "m", "id": "a$x", "project": "a", "projectId": "a", "revision": "x", "url": "u"} + entry = _build_vulnerability_entry(issue, package, project, index=1) + # Documented gap fields: + assert entry["epss"] == {"score": None, "percentile": None} + assert entry["cvssVector"] is None + assert entry["exploitability"] is None + assert entry["cveStatus"] is None + assert entry["published"] is None + assert entry["containerLayers"] == {"base": 0, "other": 0} + assert entry["remediation"]["partialFixDistance"] is None + assert entry["remediation"]["completeFixDistance"] is None + assert "customRiskScore" in entry + assert entry["customRiskScore"] is None + proj_entry = entry["projects"][0] + assert proj_entry["scannedAt"] is None + assert proj_entry["analyzedAt"] is None + assert proj_entry["firstFoundAt"] is None + + +def test_attribution_payload_top_level_is_5_keys(): + """fossa-sbom.json has exactly the 5 keys from `fossa report --json attribution`.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(Diff(), config) + assert set(payload.keys()) == { + "copyrightsByLicense", + "deepDependencies", + "directDependencies", + "licenses", + "project", + } + + +def test_attribution_project_has_only_name_and_revision(): + """SBOM `project` is the 2-key subset, not the 6-key analyze project.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets"]) + diff = Diff(id="rev-x") + payload = build_fossa_attribution_payload(diff, config) + assert payload["project"] == {"name": "acme/widgets", "revision": "rev-x"} + + +def test_attribution_empty_diff_yields_empty_collections(): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(Diff(), config) + assert payload["copyrightsByLicense"] == {} + assert payload["licenses"] == {} + assert payload["directDependencies"] == [] + assert payload["deepDependencies"] == [] + + +def test_attribution_partitions_direct_vs_deep(): + pkg_a = Package( + type="pypi", name="a", version="1.0", id="pip+a$1.0", + score={}, alerts=[], direct=True, + ) + pkg_b = Package( + type="pypi", name="b", version="1.0", id="pip+b$1.0", + score={}, alerts=[], direct=False, + ) + pkg_c = Package( + type="pypi", name="c", version="1.0", id="pip+c$1.0", + score={}, alerts=[], direct=True, + ) + diff = Diff(packages={"id-a": pkg_a, "id-b": pkg_b, "id-c": pkg_c}) + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(diff, config) + direct_names = sorted(d["package"] for d in payload["directDependencies"]) + deep_names = sorted(d["package"] for d in payload["deepDependencies"]) + assert direct_names == ["a", "c"] + assert deep_names == ["b"] + + +def test_dependency_paths_direct_package_is_name_only(): + from socketsecurity.fossa_compat import _compute_dependency_paths + pkg = Package( + type="pypi", name="requests", version="2.31.0", + id="pip+requests$2.31.0", score={}, alerts=[], direct=True, + ) + paths = _compute_dependency_paths(pkg, {"pip+requests$2.31.0": pkg}) + assert paths == ["requests"] + + +def test_dependency_paths_transitive_chains_through_ancestor_name(): + from socketsecurity.fossa_compat import _compute_dependency_paths + parent = Package( + type="pypi", name="requests", version="2.31.0", + id="parent-id", score={}, alerts=[], direct=True, + ) + child = Package( + type="pypi", name="certifi", version="2024.7.4", + id="child-id", score={}, alerts=[], direct=False, + topLevelAncestors=["parent-id"], + ) + lookup = {"parent-id": parent, "child-id": child} + assert _compute_dependency_paths(child, lookup) == ["requests > certifi"] + + +def test_dependency_paths_multi_ancestor_emits_one_per_root(): + from socketsecurity.fossa_compat import _compute_dependency_paths + p1 = Package(type="pypi", name="boto3", version="1.0", id="p1", + score={}, alerts=[], direct=True) + p2 = Package(type="pypi", name="botocore", version="1.0", id="p2", + score={}, alerts=[], direct=True) + child = Package( + type="pypi", name="jmespath", version="1.0", id="c", + score={}, alerts=[], direct=False, + topLevelAncestors=["p1", "p2"], + ) + lookup = {"p1": p1, "p2": p2, "c": child} + assert sorted(_compute_dependency_paths(child, lookup)) == [ + "boto3 > jmespath", + "botocore > jmespath", + ] + + +def test_dependency_paths_missing_ancestor_falls_back_to_name(): + from socketsecurity.fossa_compat import _compute_dependency_paths + pkg = Package( + type="pypi", name="orphan", version="1.0", id="o", + score={}, alerts=[], direct=False, + topLevelAncestors=["missing-id"], + ) + assert _compute_dependency_paths(pkg, {"o": pkg}) == ["orphan"] + + +def test_vulnerability_version_ranges_sourced_from_socket_fields(): + """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped.""" + from socketsecurity.fossa_compat import _build_vulnerability_entry + issue = Issue( + type="criticalCVE", + severity="high", + key="CVE-2024-12345_pip+requests", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.30.0", + props={ + "ghsaId": "GHSA-aaaa-bbbb-cccc", + "cveId": "CVE-2024-12345", + "cvss": 7.5, + "vulnerableVersionRange": ">=2.0.0,<2.31.1", + "firstPatchedVersionIdentifier": "2.31.1", + "cwes": ["CWE-200"], + }, + ) + package = Package( + type="pypi", + name="requests", + version="2.30.0", + id="pip+requests$2.30.0", + score={}, + alerts=[], + direct=True, + ) + project = {"branch": "main", "id": "acme$x", "project": "acme", "projectId": "acme", "revision": "x", "url": "u"} + entry = _build_vulnerability_entry(issue, package, project, index=1) + assert entry["affectedVersionRanges"] == [">=2.0.0,<2.31.1"] + assert entry["patchedVersionRanges"] == ["2.31.1"] + assert entry["remediation"]["partialFix"] == "2.31.1" + assert entry["remediation"]["completeFix"] == "2.31.1" + + +def test_fossa_payload_includes_unchanged_alerts_regardless_of_strict_blocking(): + """FOSSA emits all currently-present issues at the scan revision, not just + diff-new ones. So `unchanged_alerts` must always flow into the payload, + independent of the --strict-blocking flag.""" + new_issue = Issue( + type="criticalCVE", severity="high", key="NEW", + pkg_type="pypi", pkg_name="a", pkg_version="1.0", + props={"cveId": "CVE-2024-NEW", "ghsaId": "GHSA-new"}, + ) + unchanged_issue = Issue( + type="criticalCVE", severity="high", key="OLD", + pkg_type="pypi", pkg_name="b", pkg_version="1.0", + props={"cveId": "CVE-2024-OLD", "ghsaId": "GHSA-old"}, + ) + diff = Diff(new_alerts=[new_issue], unchanged_alerts=[unchanged_issue]) + + # strict_blocking off (default): + config_loose = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload_loose = build_fossa_report_payload(diff, config_loose) + loose_cves = sorted(v["cve"] for v in payload_loose["vulnerability"]) + assert loose_cves == ["CVE-2024-NEW", "CVE-2024-OLD"], ( + "FOSSA mode must include unchanged_alerts even without --strict-blocking" + ) + + # strict_blocking on โ€” same result (always include both): + config_strict = CliConfig.from_args( + ["--api-token", "test", "--legal-format", "fossa", "--strict-blocking"] + ) + payload_strict = build_fossa_report_payload(diff, config_strict) + strict_cves = sorted(v["cve"] for v in payload_strict["vulnerability"]) + assert strict_cves == loose_cves diff --git a/tests/unit/test_fossa_parity.py b/tests/unit/test_fossa_parity.py new file mode 100644 index 0000000..2a408d8 --- /dev/null +++ b/tests/unit/test_fossa_parity.py @@ -0,0 +1,106 @@ +"""Structural parity tests: assert our FOSSA-shaped output matches real FOSSA artifact shapes. + +These tests load real FOSSA artifacts captured from a customer pipeline and compare them +against our --legal-format fossa output by shape (key sets + value types), not by value. +A value-level golden test would be too brittle; the goal is to catch structural drift. +""" +from __future__ import annotations + +import json +from pathlib import Path + +FIXTURE_DIR = Path(__file__).parent.parent / "fixtures" / "fossa" + + +def _load(name: str) -> dict: + return json.loads((FIXTURE_DIR / name).read_text()) + + +def test_fixtures_present_and_parseable(): + """Sanity: all four FOSSA reference fixtures load as JSON objects.""" + for name in ( + "fossa-analyze-populated.json", + "fossa-analyze-empty.json", + "fossa-sbom-populated.json", + "fossa-sbom-empty-deep.json", + ): + data = _load(name) + assert isinstance(data, dict), f"{name} should be a JSON object at the top level" + + +def test_analyze_fixture_top_level_shape(): + """The real FOSSA analyze artifact has exactly these top-level keys.""" + data = _load("fossa-analyze-populated.json") + assert set(data.keys()) == {"project", "vulnerability", "licensing", "quality"} + assert "risk" not in data # FOSSA API 400s on risk category; key never appears + + +def test_sbom_fixture_top_level_shape(): + """The real FOSSA attribution artifact has exactly these 5 top-level keys.""" + data = _load("fossa-sbom-populated.json") + assert set(data.keys()) == { + "copyrightsByLicense", + "deepDependencies", + "directDependencies", + "licenses", + "project", + } + + +def test_our_analyze_matches_fossa_analyze_top_level_keys(): + """Our build_fossa_report_payload top-level keyset matches the real fixture.""" + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_report_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_report_payload(Diff(), config) + theirs = _load("fossa-analyze-empty.json") + assert set(ours.keys()) == set(theirs.keys()) + + +def test_our_analyze_project_keys_match(): + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_report_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_report_payload(Diff(), config) + theirs = _load("fossa-analyze-empty.json") + assert set(ours["project"].keys()) == set(theirs["project"].keys()) + + +def test_our_sbom_matches_fossa_sbom_top_level_keys(): + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_attribution_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(Diff(), config) + theirs = _load("fossa-sbom-populated.json") + assert set(ours.keys()) == set(theirs.keys()) + + +def test_our_sbom_project_keys_match(): + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_attribution_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(Diff(), config) + theirs = _load("fossa-sbom-populated.json") + assert set(ours["project"].keys()) == set(theirs["project"].keys()) + + +def test_our_sbom_dependency_keys_match_when_populated(): + """When we have at least one dependency, its keyset matches a real FOSSA dependency entry.""" + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff, Package + from socketsecurity.fossa_compat import build_fossa_attribution_payload + pkg = Package( + type="pypi", name="x", version="1.0", id="pid", + score={}, alerts=[], direct=True, + ) + diff = Diff(packages={"pid": pkg}) + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(diff, config) + theirs = _load("fossa-sbom-populated.json") + our_dep = ours["directDependencies"][0] + their_dep = theirs["directDependencies"][0] + assert set(our_dep.keys()) == set(their_dep.keys()) diff --git a/tests/unit/test_gitlab_format.py b/tests/unit/test_gitlab_format.py index 1799dcf..96218e4 100644 --- a/tests/unit/test_gitlab_format.py +++ b/tests/unit/test_gitlab_format.py @@ -1,3 +1,5 @@ +import re + import pytest from socketsecurity.core.messages import Messages from socketsecurity.core.classes import Diff, Issue @@ -6,8 +8,11 @@ class TestGitLabFormat: """Test suite for GitLab Security Dashboard format generation""" + # GitLab v15.0.0 schema: ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$ + GITLAB_TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$") + def test_gitlab_report_structure(self): - """Test basic GitLab report structure is valid""" + """Test basic GitLab report structure matches v15.0.0 schema requirements""" diff = Diff() diff.new_alerts = [] diff.id = "test-scan-id" @@ -15,10 +20,11 @@ def test_gitlab_report_structure(self): report = Messages.create_security_comment_gitlab(diff) - # Verify required top-level fields + # All four root-level keys required by v15.0.0 schema assert "version" in report assert "scan" in report assert "vulnerabilities" in report + assert "dependency_files" in report # Verify scan structure assert report["scan"]["type"] == "dependency_scanning" @@ -28,6 +34,12 @@ def test_gitlab_report_structure(self): assert report["scan"]["scanner"]["id"] == "socket-cli" assert report["scan"]["status"] == "success" + # Timestamps must match GitLab pattern (no microseconds, no trailing Z) + assert self.GITLAB_TIMESTAMP_RE.match(report["scan"]["start_time"]), \ + f"start_time '{report['scan']['start_time']}' doesn't match GitLab pattern" + assert self.GITLAB_TIMESTAMP_RE.match(report["scan"]["end_time"]), \ + f"end_time '{report['scan']['end_time']}' doesn't match GitLab pattern" + def test_vulnerability_mapping(self): """Test Socket Issue maps correctly to GitLab vulnerability""" diff = Diff() @@ -391,3 +403,164 @@ def test_manifests_attribute_fallback(self): vuln = report["vulnerabilities"][0] assert vuln["location"]["file"] == "requirements.txt" + + def test_dependency_files_populated_from_alerts(self): + """Test dependency_files is built from alert locations per v15.0.0 schema""" + diff = Diff() + diff.id = "test-scan-id" + diff.diff_url = "https://socket.dev/test" + + diff.new_alerts = [ + Issue( + pkg_name="pkg-a", + pkg_version="1.0.0", + type="malware", + severity="high", + title="Alert A", + manifests="package.json", + pkg_type="npm", + key="key-a", + purl="pkg:npm/pkg-a@1.0.0" + ), + Issue( + pkg_name="pkg-b", + pkg_version="2.0.0", + type="vulnerability", + severity="medium", + title="Alert B", + manifests="requirements.txt", + pkg_type="pypi", + key="key-b", + purl="pkg:pypi/pkg-b@2.0.0" + ), + ] + + report = Messages.create_security_comment_gitlab(diff) + + assert "dependency_files" in report + dep_files = report["dependency_files"] + assert len(dep_files) == 2 + + paths = {df["path"] for df in dep_files} + assert "package.json" in paths + assert "requirements.txt" in paths + + for df in dep_files: + assert "path" in df + assert "package_manager" in df + assert "dependencies" in df + assert isinstance(df["dependencies"], list) + assert len(df["dependencies"]) >= 1 + for dep in df["dependencies"]: + assert "package" in dep + assert "name" in dep["package"] + assert "version" in dep + + def test_dependency_files_groups_by_manifest(self): + """Test multiple alerts from the same manifest are grouped into one dependency_file""" + diff = Diff() + diff.id = "test-scan-id" + diff.diff_url = "https://socket.dev/test" + + diff.new_alerts = [ + Issue( + pkg_name="pkg-a", pkg_version="1.0.0", type="malware", severity="high", + title="A", manifests="package.json", pkg_type="npm", key="k1", purl="pkg:npm/pkg-a@1.0.0" + ), + Issue( + pkg_name="pkg-b", pkg_version="2.0.0", type="vulnerability", severity="low", + title="B", manifests="package.json", pkg_type="npm", key="k2", purl="pkg:npm/pkg-b@2.0.0" + ), + ] + + report = Messages.create_security_comment_gitlab(diff) + dep_files = report["dependency_files"] + + assert len(dep_files) == 1 + assert dep_files[0]["path"] == "package.json" + assert dep_files[0]["package_manager"] == "npm" + assert len(dep_files[0]["dependencies"]) == 2 + + def test_dependency_files_empty_when_no_alerts(self): + """Test dependency_files is an empty array when there are no alerts""" + diff = Diff() + diff.id = "test-scan-id" + diff.diff_url = "https://socket.dev/test" + diff.new_alerts = [] + + report = Messages.create_security_comment_gitlab(diff) + assert report["dependency_files"] == [] + + def test_dependency_files_skips_unknown_manifest(self): + """Test alerts with unknown manifest don't produce dependency_file entries""" + diff = Diff() + diff.id = "test-scan-id" + diff.diff_url = "https://socket.dev/test" + + diff.new_alerts = [ + Issue( + pkg_name="pkg-a", pkg_version="1.0.0", type="malware", severity="high", + title="A", pkg_type="npm", key="k1", purl="pkg:npm/pkg-a@1.0.0" + ), + ] + + report = Messages.create_security_comment_gitlab(diff) + assert report["dependency_files"] == [] + + def test_unchanged_alerts_included_in_report(self): + """Test that unchanged_alerts are included alongside new_alerts in the GitLab report""" + diff = Diff() + diff.id = "test-scan-id" + diff.diff_url = "https://socket.dev/test" + + diff.new_alerts = [ + Issue( + pkg_name="new-pkg", pkg_version="1.0.0", type="malware", severity="high", + title="New Alert", manifests="package.json", pkg_type="npm", key="k1", purl="pkg:npm/new-pkg@1.0.0" + ), + ] + diff.unchanged_alerts = [ + Issue( + pkg_name="existing-pkg", pkg_version="2.0.0", type="vulnerability", severity="medium", + title="Existing Alert", manifests="package.json", pkg_type="npm", key="k2", purl="pkg:npm/existing-pkg@2.0.0" + ), + ] + + report = Messages.create_security_comment_gitlab(diff) + assert len(report["vulnerabilities"]) == 2 + + names = {v["name"] for v in report["vulnerabilities"]} + assert "New Alert" in names + assert "Existing Alert" in names + + def test_only_unchanged_alerts_produces_nonempty_report(self): + """Test that a diff with no new alerts but unchanged alerts still populates the report""" + diff = Diff() + diff.id = "test-scan-id" + diff.diff_url = "https://socket.dev/test" + + diff.new_alerts = [] + diff.unchanged_alerts = [ + Issue( + pkg_name="stable-pkg", pkg_version="3.0.0", type="vulnerability", severity="critical", + title="Known Issue", manifests="requirements.txt", pkg_type="pypi", key="k1", purl="pkg:pypi/stable-pkg@3.0.0" + ), + ] + + report = Messages.create_security_comment_gitlab(diff) + assert len(report["vulnerabilities"]) == 1 + assert report["vulnerabilities"][0]["name"] == "Known Issue" + assert len(report["dependency_files"]) == 1 + assert report["dependency_files"][0]["path"] == "requirements.txt" + + def test_pkg_type_to_package_manager_mapping(self): + """Test package manager mapping covers common ecosystems""" + assert Messages._pkg_type_to_package_manager("npm") == "npm" + assert Messages._pkg_type_to_package_manager("pypi") == "pip" + assert Messages._pkg_type_to_package_manager("go") == "go" + assert Messages._pkg_type_to_package_manager("maven") == "maven" + assert Messages._pkg_type_to_package_manager("gem") == "bundler" + assert Messages._pkg_type_to_package_manager("nuget") == "nuget" + assert Messages._pkg_type_to_package_manager("cargo") == "cargo" + assert Messages._pkg_type_to_package_manager("") == "unknown" + assert Messages._pkg_type_to_package_manager("swift") == "swift" diff --git a/tests/unit/test_ignore_telemetry_filtering.py b/tests/unit/test_ignore_telemetry_filtering.py new file mode 100644 index 0000000..39b7691 --- /dev/null +++ b/tests/unit/test_ignore_telemetry_filtering.py @@ -0,0 +1,237 @@ +"""Tests for the +1 reaction dedup logic used to filter ignore comments for telemetry.""" + +from unittest.mock import Mock + +from socketsecurity.core.classes import Comment +from socketsecurity.core.scm_comments import Comments + + +def _make_comment(body: str, thumbs_up: int = 0, comment_id: int = 1, user: dict | None = None) -> Comment: + return Comment( + id=comment_id, + body=body, + body_list=body.split("\n"), + reactions={"+1": thumbs_up}, + user=user or {"login": "test-user", "id": 123}, + ) + + +def _filter_unprocessed(comments: list[Comment], scm=None) -> list[Comment]: + """Mirrors the _is_unprocessed logic in socketcli.py.""" + def _is_unprocessed(c): + if getattr(c, "reactions", {}).get("+1"): + return False + if hasattr(scm, "has_thumbsup_reaction") and scm.has_thumbsup_reaction(c.id): + return False + return True + + return [c for c in comments if _is_unprocessed(c)] + + +class TestUnprocessedIgnoreFiltering: + def test_returns_comments_without_thumbsup(self): + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=0, comment_id=1), + _make_comment("SocketSecurity ignore npm/express@4.18.2", thumbs_up=0, comment_id=2), + ] + result = _filter_unprocessed(comments) + assert len(result) == 2 + + def test_excludes_comments_with_thumbsup(self): + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=1, comment_id=1), + _make_comment("SocketSecurity ignore npm/express@4.18.2", thumbs_up=0, comment_id=2), + ] + result = _filter_unprocessed(comments) + assert len(result) == 1 + assert result[0].id == 2 + + def test_returns_empty_when_all_processed(self): + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=1, comment_id=1), + _make_comment("SocketSecurity ignore-all", thumbs_up=2, comment_id=2), + ] + result = _filter_unprocessed(comments) + assert len(result) == 0 + + def test_handles_missing_reactions_attr(self): + c = Comment(id=1, body="SocketSecurity ignore npm/foo@1.0.0", body_list=["SocketSecurity ignore npm/foo@1.0.0"]) + # No reactions attribute set at all + result = _filter_unprocessed([c]) + assert len(result) == 1 + + def test_handles_empty_reactions_dict(self): + c = _make_comment("SocketSecurity ignore npm/foo@1.0.0", comment_id=1) + c.reactions = {} + result = _filter_unprocessed([c]) + assert len(result) == 1 + + def test_handles_reactions_with_thumbsup_zero(self): + c = _make_comment("SocketSecurity ignore npm/foo@1.0.0", thumbs_up=0, comment_id=1) + result = _filter_unprocessed([c]) + assert len(result) == 1 + + +class TestUnprocessedIgnoreFilteringWithScmFallback: + """Tests for the has_thumbsup_reaction fallback path (GitLab).""" + + def test_scm_fallback_excludes_processed_comments(self): + """When inline reactions['+1'] is 0 but scm says it has thumbsup, exclude it.""" + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=0, comment_id=1), + _make_comment("SocketSecurity ignore npm/express@4.18.2", thumbs_up=0, comment_id=2), + ] + scm = Mock() + scm.has_thumbsup_reaction = Mock(side_effect=lambda cid: cid == 1) + + result = _filter_unprocessed(comments, scm=scm) + assert len(result) == 1 + assert result[0].id == 2 + + def test_scm_fallback_not_called_when_inline_thumbsup_present(self): + """When inline reactions['+1'] is truthy, scm.has_thumbsup_reaction should not be called.""" + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=1, comment_id=1), + ] + scm = Mock() + scm.has_thumbsup_reaction = Mock(return_value=False) + + result = _filter_unprocessed(comments, scm=scm) + assert len(result) == 0 + scm.has_thumbsup_reaction.assert_not_called() + + def test_scm_without_has_thumbsup_reaction_skips_fallback(self): + """When scm doesn't have has_thumbsup_reaction (e.g. GitHub), only inline check runs.""" + comments = [ + _make_comment("SocketSecurity ignore npm/foo@1.0.0", thumbs_up=0, comment_id=1), + ] + scm = Mock(spec=[]) # no methods at all + + result = _filter_unprocessed(comments, scm=scm) + assert len(result) == 1 + + def test_scm_fallback_returns_all_unprocessed(self): + """When scm says none have thumbsup, all are returned.""" + comments = [ + _make_comment("SocketSecurity ignore npm/foo@1.0.0", thumbs_up=0, comment_id=1), + _make_comment("SocketSecurity ignore npm/bar@2.0.0", thumbs_up=0, comment_id=2), + ] + scm = Mock() + scm.has_thumbsup_reaction = Mock(return_value=False) + + result = _filter_unprocessed(comments, scm=scm) + assert len(result) == 2 + + +class TestUnprocessedIgnoreFilteringWithCommentsParsing: + """Integration: filter unprocessed comments, then parse ignore options.""" + + def test_only_new_artifacts_are_parsed(self): + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=1, comment_id=1), + _make_comment("SocketSecurity ignore npm/express@4.18.2", thumbs_up=0, comment_id=2), + _make_comment("SocketSecurity ignore npm/axios@1.6.0", thumbs_up=0, comment_id=3), + ] + unprocessed = _filter_unprocessed(comments) + unprocessed_comments = {"ignore": unprocessed} + ignore_all, ignore_commands = Comments.get_ignore_options(unprocessed_comments) + + assert not ignore_all + assert ("npm/express", "4.18.2") in ignore_commands + assert ("npm/axios", "1.6.0") in ignore_commands + assert ("npm/lodash", "4.17.21") not in ignore_commands + + def test_ignore_all_from_unprocessed(self): + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=1, comment_id=1), + _make_comment("SocketSecurity ignore-all", thumbs_up=0, comment_id=2), + ] + unprocessed = _filter_unprocessed(comments) + unprocessed_comments = {"ignore": unprocessed} + ignore_all, ignore_commands = Comments.get_ignore_options(unprocessed_comments) + + assert ignore_all + + def test_no_unprocessed_means_no_telemetry(self): + comments = [ + _make_comment("SocketSecurity ignore npm/lodash@4.17.21", thumbs_up=1, comment_id=1), + _make_comment("SocketSecurity ignore npm/express@4.18.2", thumbs_up=2, comment_id=2), + ] + unprocessed = _filter_unprocessed(comments) + assert len(unprocessed) == 0 + + +def _build_event(comment, ignore_all=False, ignore_commands=None, artifact_input=None, artifact_purl=None): + """Mirrors the event construction logic in socketcli.py.""" + from datetime import datetime, timezone + from uuid import uuid4 + + user = getattr(comment, "user", None) or getattr(comment, "author", None) or {} + shared_fields = { + "event_kind": "user-action", + "client_action": "ignore", + "alert_action": "error", + "event_sender_created_at": datetime.now(timezone.utc).isoformat(), + "vcs_provider": "github", + "owner": "test-owner", + "repo": "test-owner/test-repo", + "pr_number": 1, + "ignore_all": ignore_all, + "sender_name": user.get("login") or user.get("username", ""), + "sender_id": str(user.get("id", "")), + } + if artifact_input: + return {**shared_fields, "event_id": str(uuid4()), "artifact_input": artifact_input} + if artifact_purl: + return {**shared_fields, "event_id": str(uuid4()), "artifact_purl": artifact_purl} + return {**shared_fields, "event_id": str(uuid4())} + + +class TestTelemetryEventPayloadShape: + """Tests that telemetry event payloads contain the required fields.""" + + def test_per_artifact_event_has_required_fields(self): + c = _make_comment("SocketSecurity ignore npm/lodash@4.17.21", user={"login": "alice", "id": 1}) + event = _build_event(c, artifact_input="npm/lodash@4.17.21") + + assert event["event_kind"] == "user-action" + assert event["client_action"] == "ignore" + assert event["alert_action"] == "error" + assert event["vcs_provider"] == "github" + assert event["sender_name"] == "alice" + assert event["sender_id"] == "1" + assert event["artifact_input"] == "npm/lodash@4.17.21" + assert "event_id" in event + assert "event_sender_created_at" in event + + def test_ignore_all_event_has_required_fields(self): + c = _make_comment("SocketSecurity ignore-all", user={"login": "bob", "id": 2}) + event = _build_event(c, ignore_all=True) + + assert event["event_kind"] == "user-action" + assert event["client_action"] == "ignore" + assert event["alert_action"] == "error" + assert event["ignore_all"] is True + assert event["sender_name"] == "bob" + assert "artifact_input" not in event + assert "artifact_purl" not in event + + def test_push_flow_event_uses_artifact_purl(self): + c = _make_comment("SocketSecurity ignore npm/lodash@4.17.21", user={"login": "alice", "id": 1}) + event = _build_event(c, artifact_purl="pkg:npm/lodash@4.17.21") + + assert event["artifact_purl"] == "pkg:npm/lodash@4.17.21" + assert event["alert_action"] == "error" + assert "artifact_input" not in event + + def test_gitlab_author_populates_sender(self): + c = Comment( + id=1, body="SocketSecurity ignore npm/foo@1.0.0", + body_list=["SocketSecurity ignore npm/foo@1.0.0"], + reactions={"+1": 0}, + author={"username": "gitlab-dev", "id": 42}, + ) + event = _build_event(c, artifact_input="npm/foo@1.0.0") + + assert event["sender_name"] == "gitlab-dev" + assert event["sender_id"] == "42" diff --git a/tests/unit/test_output.py b/tests/unit/test_output.py index 0fe007e..c4271e7 100644 --- a/tests/unit/test_output.py +++ b/tests/unit/test_output.py @@ -1,13 +1,17 @@ +import json + import pytest + +from socketsecurity.core.classes import Diff, Issue, Package from socketsecurity.output import OutputHandler -from socketsecurity.core.classes import Diff, Issue -import json + class TestOutputHandler: @pytest.fixture def handler(self): - from socketsecurity.config import CliConfig from unittest.mock import Mock + + from socketsecurity.config import CliConfig config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = False @@ -25,8 +29,9 @@ def test_report_pass_with_blocking_issues(self, handler): assert not handler.report_pass(diff) def test_report_pass_with_blocking_disabled(self): - from socketsecurity.config import CliConfig from unittest.mock import Mock + + from socketsecurity.config import CliConfig config = Mock(spec=CliConfig) config.disable_blocking = True config.strict_blocking = False @@ -65,9 +70,10 @@ def test_json_output_format(self, handler, caplog): def test_json_output_includes_unchanged_alerts_with_strict_blocking(self, caplog): import logging - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -123,11 +129,228 @@ def test_sbom_file_saving(self, handler, tmp_path): handler.save_sbom_file(diff, str(sbom_path)) assert sbom_path.exists() + def test_sbom_file_saving_without_sbom_writes_empty_array(self, handler, tmp_path): + diff = Diff() + sbom_path = tmp_path / "empty.json" + handler.save_sbom_file(diff, str(sbom_path)) + assert sbom_path.exists() + assert json.loads(sbom_path.read_text()) == [] + + def test_json_file_saving(self, tmp_path): + from unittest.mock import Mock + + from socketsecurity.config import CliConfig + + json_path = tmp_path / "report.json" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = str(json_path) + config.summary_file = None + config.report_link_file = None + config.sbom_file = None + config.legal = True + config.legal_format = "socket" + config.repo = "owner/repo" + config.branch = "main" + config.commit_sha = "abc123" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.diff_url = "https://socket.dev/diff/123" + diff.report_url = "https://socket.dev/report/123" + diff.new_alerts = [ + Issue( + title="Test", + severity="high", + description="desc", + error=True, + key="test-key", + type="vulnerability", + pkg_type="npm", + pkg_name="test-package", + pkg_version="1.0.0", + purl="pkg:npm/test-package@1.0.0", + url="https://socket.dev/npm/package/test-package/alerts/1.0.0", + ) + ] + + handler.save_json_file(diff, str(json_path)) + + saved = json.loads(json_path.read_text()) + assert saved["full_scan_id"] == "scan-123" + assert saved["report_url"] == "https://socket.dev/report/123" + assert saved["repo"] == "owner/repo" + assert saved["branch"] == "main" + assert saved["commit_sha"] == "abc123" + assert saved["legal_mode"] is True + + def test_summary_and_report_link_files_are_written(self, tmp_path): + from unittest.mock import Mock + + from socketsecurity.config import CliConfig + + summary_path = tmp_path / "summary.txt" + report_link_path = tmp_path / "report-link.txt" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = None + config.summary_file = str(summary_path) + config.report_link_file = str(report_link_path) + config.sbom_file = None + config.legal = False + config.legal_format = "socket" + config.repo = None + config.branch = "" + config.commit_sha = "" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.diff_url = "https://socket.dev/diff/123" + diff.report_url = "https://socket.dev/report/123" + diff.new_alerts = [ + Issue( + title="Test", + severity="high", + description="desc", + error=True, + key="test-key", + type="vulnerability", + pkg_type="npm", + pkg_name="test-package", + pkg_version="1.0.0", + purl="pkg:npm/test-package@1.0.0", + url="https://socket.dev/npm/package/test-package/alerts/1.0.0", + ) + ] + + handler.save_summary_file(diff, str(summary_path)) + handler.save_report_link_file(diff, str(report_link_path)) + + assert "Security issues detected by Socket Security:" in summary_path.read_text() + assert report_link_path.read_text().strip() == "https://socket.dev/report/123" + + def test_json_file_saving_in_fossa_format(self, tmp_path): + from unittest.mock import Mock + + from socketsecurity.config import CliConfig + + json_path = tmp_path / "fossa-report.json" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = str(json_path) + config.summary_file = None + config.report_link_file = None + config.sbom_file = None + config.legal = True + config.legal_format = "fossa" + config.repo = "owner/repo" + config.branch = "refs/heads/main" + config.commit_sha = "abc123" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.report_url = "https://socket.dev/report/123" + diff.packages = { + "pkg-1": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + purl="pkg:pypi/requests@2.31.0", + ) + } + diff.new_alerts = [ + Issue( + title="Prototype Pollution", + severity="high", + description="Upgrade to a fixed version.", + error=True, + key="alert-1", + type="vulnerability", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/npm/package/requests/alerts/2.31.0", + props={ + "ghsaId": "GHSA-1234", + "cveId": "CVE-2026-1234", + "cvssScore": 8.2, + "fixedVersion": "2.31.1", + "references": ["https://github.com/advisories/GHSA-1234"], + }, + ), + Issue( + title="License Policy Violation", + severity="medium", + description="Package license violates policy.", + warn=True, + key="license-1", + type="licenseSpdxDisj", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/pypi/package/requests/license/2.31.0", + ), + ] + + handler.save_json_file(diff, str(json_path)) + + saved = json.loads(json_path.read_text()) + assert saved["project"] == { + "branch": "refs/heads/main", + "id": "owner/repo$scan-123", + "project": "owner/repo", + "projectId": "owner/repo", + "revision": "scan-123", + "url": "https://socket.dev/report/123", + } + assert len(saved["vulnerability"]) == 1 + assert saved["vulnerability"][0]["vulnId"] == "GHSA-1234" + assert saved["vulnerability"][0]["cve"] == "CVE-2026-1234" + assert saved["vulnerability"][0]["source"]["packageManager"] == "pip" + assert saved["vulnerability"][0]["remediation"]["completeFix"] == "2.31.1" + assert saved["licensing"][0]["type"] == "policy_conflict" + assert saved["quality"] == [] + def test_report_pass_with_strict_blocking_new_alerts(self): """Test that strict-blocking fails on new blocking alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + # Create config with strict_blocking config = Mock(spec=CliConfig) config.disable_blocking = False @@ -143,9 +366,10 @@ def test_report_pass_with_strict_blocking_new_alerts(self): def test_report_pass_with_strict_blocking_unchanged_alerts(self): """Test that strict-blocking fails on unchanged blocking alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -160,9 +384,10 @@ def test_report_pass_with_strict_blocking_unchanged_alerts(self): def test_report_pass_with_strict_blocking_both_alerts(self): """Test that strict-blocking fails when both new and unchanged alerts exist""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -177,9 +402,10 @@ def test_report_pass_with_strict_blocking_both_alerts(self): def test_report_pass_with_strict_blocking_only_warnings(self): """Test that strict-blocking passes when only warnings (not errors) exist""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -194,9 +420,10 @@ def test_report_pass_with_strict_blocking_only_warnings(self): def test_report_pass_strict_blocking_disabled(self): """Test that strict-blocking without the flag passes with unchanged alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = False # Flag not set @@ -212,9 +439,10 @@ def test_report_pass_strict_blocking_disabled(self): def test_disable_blocking_overrides_strict_blocking(self): """Test that disable-blocking takes precedence over strict-blocking""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = True config.strict_blocking = True @@ -230,9 +458,10 @@ def test_disable_blocking_overrides_strict_blocking(self): def test_sarif_file_output(self, tmp_path): """Test that --sarif-file writes SARIF report to a file""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -268,9 +497,10 @@ def test_sarif_file_output(self, tmp_path): def test_sarif_reachability_reachable_filters_non_reachable(self, tmp_path): """Test that --sarif-reachability reachable uses .socket.facts.json reachability.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" facts_path = tmp_path / ".socket.facts.json" @@ -343,9 +573,10 @@ def make_issue(name, error, ghsa_id): def test_sarif_reachability_reachable_falls_back_to_blocking_when_facts_missing(self, tmp_path): """Test that missing facts file falls back to historical blocking filter.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -382,9 +613,10 @@ def test_sarif_reachability_reachable_falls_back_to_blocking_when_facts_missing( def test_sarif_output_includes_unchanged_with_strict_blocking(self, tmp_path): """Strict blocking should include unchanged alerts in diff-scope SARIF output.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path_strict_false = tmp_path / "strict-false.sarif" sarif_path_strict_true = tmp_path / "strict-true.sarif" @@ -437,9 +669,10 @@ def build_diff(): def test_sarif_reachability_all_includes_all(self, tmp_path): """Test that --sarif-reachability all includes all alerts.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -476,9 +709,10 @@ def test_sarif_reachability_all_includes_all(self, tmp_path): def test_sarif_no_file_when_not_configured(self, tmp_path): """Test that no file is written when --sarif-file is not set""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.sarif_file = None config.sarif_scope = "diff" @@ -497,9 +731,10 @@ def test_sarif_no_file_when_not_configured(self, tmp_path): def test_sarif_file_nested_directory(self, tmp_path): """Test that --sarif-file creates parent directories if needed""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "nested" / "dir" / "report.sarif" config = Mock(spec=CliConfig) @@ -522,9 +757,10 @@ def test_sarif_file_nested_directory(self, tmp_path): def test_sarif_scope_full_before_after_reachable_filtering_snapshot(self, tmp_path): """Full-scope SARIF should show before/after changes with reachable-only filtering.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" all_path = tmp_path / "full-all.sarif" reachable_path = tmp_path / "full-reachable.sarif" @@ -591,9 +827,10 @@ def build_handler(output_path, reachable_only): def test_sarif_scope_full_works_when_diff_not_run(self, tmp_path): """Full scope should still emit SARIF when diff id is NO_DIFF_RAN.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-no-diff.sarif" @@ -636,9 +873,10 @@ def test_sarif_scope_full_works_when_diff_not_run(self, tmp_path): def test_sarif_scope_full_dedupes_duplicate_manifest_uris(self, tmp_path): """Full scope should not emit duplicate results for duplicate manifest entries.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-dedup.sarif" @@ -678,9 +916,10 @@ def test_sarif_scope_full_dedupes_duplicate_manifest_uris(self, tmp_path): def test_sarif_scope_full_with_sarif_file_suppresses_stdout(self, tmp_path, capsys): """Full scope + --sarif-file should avoid printing massive SARIF JSON to stdout.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-suppressed.sarif" @@ -718,9 +957,10 @@ def test_sarif_scope_full_with_sarif_file_suppresses_stdout(self, tmp_path, caps assert out_path.exists() def test_sarif_scope_full_alert_grouping_dedupes_versions(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + out_path = tmp_path / "full-alert-grouping.sarif" facts_path = tmp_path / ".socket.facts.json" facts_path.write_text(json.dumps({ @@ -768,9 +1008,10 @@ def test_sarif_scope_full_alert_grouping_dedupes_versions(self, tmp_path): assert props["reachability"] == "reachable" def test_sarif_scope_full_potentially_filter(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + out_path = tmp_path / "full-potentially.sarif" facts_path = tmp_path / ".socket.facts.json" facts_path.write_text(json.dumps({ diff --git a/tests/unit/test_reachability.py b/tests/unit/test_reachability.py new file mode 100644 index 0000000..10b6d54 --- /dev/null +++ b/tests/unit/test_reachability.py @@ -0,0 +1,106 @@ +"""Tests for the reachability coana-CLI command/env construction (Node alignment). + +These cover the arg-builder and environment wiring in +``socketsecurity.core.tools.reachability.ReachabilityAnalyzer`` without actually +invoking npm/npx/coana: ``_ensure_coana_cli_installed`` and ``subprocess.run`` are mocked. +""" +from unittest.mock import MagicMock + +import pytest + +from socketsecurity import __version__ +from socketsecurity.core.tools import reachability +from socketsecurity.core.tools.reachability import ( + ReachabilityAnalyzer, + _build_caller_user_agent, +) + + +@pytest.fixture +def analyzer(): + return ReachabilityAnalyzer(MagicMock(), "test-api-token") + + +def _run(analyzer, mocker, **kwargs): + """Invoke run_reachability_analysis with npm/npx/coana mocked; return (cmd, env).""" + mocker.patch.object(analyzer, "_ensure_coana_cli_installed", return_value="@coana-tech/cli") + mocker.patch.object(analyzer, "_extract_scan_id", return_value="scan-123") + completed = MagicMock() + completed.returncode = 0 + run_mock = mocker.patch.object(reachability.subprocess, "run", return_value=completed) + + analyzer.run_reachability_analysis(org_slug="my-org", target_directory=".", **kwargs) + + cmd = run_mock.call_args.args[0] + env = run_mock.call_args.kwargs["env"] + return cmd, env + + +def test_build_caller_user_agent_shape(): + ua = _build_caller_user_agent() + parts = ua.split(" ") + assert parts[0] == f"socket/{__version__}" + assert parts[1].startswith("python/") + assert "/" in parts[2] # platform/arch + + +def test_reach_debug_appends_debug_long_flag(analyzer, mocker): + """G9: --reach-debug -> coana --debug; does not emit the global -d.""" + cmd, _ = _run(analyzer, mocker, reach_debug=True) + assert "--debug" in cmd + assert "-d" not in cmd + + +def test_enable_debug_still_emits_short_d(analyzer, mocker): + """G9: existing global --enable-debug -> -d behavior is unchanged.""" + cmd, _ = _run(analyzer, mocker, enable_debug=True) + assert "-d" in cmd + assert "--debug" not in cmd + + +def test_disable_external_tool_checks(analyzer, mocker): + """G1: --reach-disable-external-tool-checks -> coana --disable-external-tool-checks.""" + cmd, _ = _run(analyzer, mocker, disable_external_tool_checks=True) + assert "--disable-external-tool-checks" in cmd + + cmd2, _ = _run(analyzer, mocker) + assert "--disable-external-tool-checks" not in cmd2 + + +def test_concurrency_and_memory_args(analyzer, mocker): + """G7: explicit concurrency/memory propagate as coana args.""" + cmd, _ = _run(analyzer, mocker, concurrency=1, memory_limit=8192) + assert "--concurrency" in cmd and cmd[cmd.index("--concurrency") + 1] == "1" + assert "--memory-limit" in cmd and cmd[cmd.index("--memory-limit") + 1] == "8192" + + +def test_env_identifies_python_cli(analyzer, mocker): + """G5: SOCKET_CLI_VERSION + SOCKET_CALLER_USER_AGENT forwarded to coana.""" + _, env = _run(analyzer, mocker) + assert env["SOCKET_CLI_VERSION"] == __version__ + assert env["SOCKET_CALLER_USER_AGENT"].startswith("socket/") + assert env["SOCKET_ORG_SLUG"] == "my-org" + assert env["SOCKET_CLI_API_TOKEN"] == "test-api-token" + + +def test_no_proxy_env_set_by_default(analyzer, mocker, monkeypatch): + """coana inherits HTTPS_PROXY/HTTP_PROXY from the passed env; we don't set + SOCKET_CLI_API_PROXY ourselves (that's reserved for a future explicit --proxy flag).""" + monkeypatch.delenv("SOCKET_CLI_API_PROXY", raising=False) + monkeypatch.setenv("HTTPS_PROXY", "http://envproxy:3128") + _, env = _run(analyzer, mocker) + # Even with HTTPS_PROXY set, we don't copy it into SOCKET_CLI_API_PROXY (coana reads it itself). + assert "SOCKET_CLI_API_PROXY" not in env + + +def test_repo_branch_env_present_when_supplied(analyzer, mocker): + _, env = _run(analyzer, mocker, repo_name="acme/widget", branch_name="main") + assert env["SOCKET_REPO_NAME"] == "acme/widget" + assert env["SOCKET_BRANCH_NAME"] == "main" + + +def test_repo_branch_env_absent_when_none(analyzer, mocker): + """G6: caller passes None for default sentinels -> env keys omitted (cache hygiene).""" + _, env = _run(analyzer, mocker, repo_name=None, branch_name=None) + assert "SOCKET_REPO_NAME" not in env + assert "SOCKET_BRANCH_NAME" not in env diff --git a/tests/unit/test_socketcli.py b/tests/unit/test_socketcli.py new file mode 100644 index 0000000..39f59f5 --- /dev/null +++ b/tests/unit/test_socketcli.py @@ -0,0 +1,230 @@ +import sys + +import pytest + +from socketsecurity.core.classes import Diff, Package +from socketsecurity import socketcli +from socketsecurity.socketcli import build_license_artifact_payload + + +# --------------------------------------------------------------------------- +# Exit-code-on-api-error (flag-only, non-breaking for 2.3.x). +# +# Default behavior is unchanged from prior releases: unexpected errors exit 3, +# and --disable-blocking forces exit 0 for everything. The flag only changes +# the code when explicitly set, and --disable-blocking still takes precedence. +# --------------------------------------------------------------------------- + + +def _run_cli_expecting_exit(monkeypatch, argv, boom=None): + def fail_main_code(): + raise (boom or RuntimeError("infra boom")) + + monkeypatch.setattr(socketcli, "main_code", fail_main_code) + monkeypatch.setattr(sys, "argv", argv) + with pytest.raises(SystemExit) as exc_info: + socketcli.cli() + return exc_info.value.code + + +def test_unexpected_error_exits_3_by_default(monkeypatch): + code = _run_cli_expecting_exit(monkeypatch, ["socketcli", "--api-token", "test"]) + assert code == 3 + + +def test_exit_code_on_api_error_remaps_failure(monkeypatch): + code = _run_cli_expecting_exit( + monkeypatch, + ["socketcli", "--api-token", "test", "--exit-code-on-api-error", "100"], + ) + assert code == 100 + + +def test_disable_blocking_overrides_exit_code_on_api_error(monkeypatch): + # The documented interaction: --disable-blocking forces exit 0 for ALL + # outcomes and therefore overrides --exit-code-on-api-error. A user who + # sets both gets 0, NOT 100 -- this guards against silently regressing + # that precedence (which would break the documented soft_fail guidance). + code = _run_cli_expecting_exit( + monkeypatch, + [ + "socketcli", "--api-token", "test", + "--exit-code-on-api-error", "100", + "--disable-blocking", + ], + ) + assert code == 0 + + +def test_keyboard_interrupt_still_exits_2(monkeypatch): + code = _run_cli_expecting_exit( + monkeypatch, ["socketcli", "--api-token", "test"], boom=KeyboardInterrupt() + ) + assert code == 2 + + +# --------------------------------------------------------------------------- +# Buildkite-aware infrastructure error formatting. +# --------------------------------------------------------------------------- + + +def test_emit_infra_error_no_buildkite_has_no_markers(monkeypatch, capsys, caplog): + monkeypatch.setattr(socketcli, "IS_BUILDKITE", False) + with caplog.at_level("ERROR", logger="socketcli"): + socketcli._emit_infrastructure_error("something failed") + out = capsys.readouterr().out + assert "^^^ +++" not in out + assert "--- :warning:" not in out + assert "soft_fail" not in "\n".join(r.getMessage() for r in caplog.records) + + +def test_emit_infra_error_buildkite_emits_markers(monkeypatch, capsys, caplog): + monkeypatch.setattr(socketcli, "IS_BUILDKITE", True) + with caplog.at_level("ERROR", logger="socketcli"): + socketcli._emit_infrastructure_error("something failed") + out = capsys.readouterr().out + assert "^^^ +++" in out + assert "--- :warning: Socket infrastructure error" in out + assert "soft_fail" in "\n".join(r.getMessage() for r in caplog.records) + + +def test_emit_infra_error_traceback_gated(monkeypatch, capsys): + monkeypatch.setattr(socketcli, "IS_BUILDKITE", False) + try: + raise ValueError("boom") + except ValueError: + socketcli._emit_infrastructure_error("wrapped", include_traceback=True) + err = capsys.readouterr().err + assert "Traceback" in err and "ValueError: boom" in err + + +def test_build_license_artifact_payload_without_packages_returns_empty_dict(): + diff = Diff() + + payload = build_license_artifact_payload(diff) + + assert payload == {} + + +def test_build_license_artifact_payload_serializes_package_fields(): + diff = Diff() + diff.packages = { + "pypi/requests@2.31.0": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + licenseDetails=[{"id": "Apache-2.0"}], + licenseAttrib=[{"id": "Apache-2.0"}], + purl="requests@2.31.0", + ) + } + + payload = build_license_artifact_payload(diff) + + assert payload == { + "pkg-1": { + "id": "pkg-1", + "name": "requests", + "version": "2.31.0", + "ecosystem": "pypi", + "direct": True, + "url": "https://socket.dev/pypi/package/requests/overview/2.31.0", + "license": "Apache-2.0", + "licenseDetails": [{"id": "Apache-2.0"}], + "licenseAttrib": [{"id": "Apache-2.0"}], + "purl": "requests@2.31.0", + } + } + + +def test_build_license_artifact_payload_fossa_format_without_packages(): + class Config: + repo = "owner/repo" + branch = "main" + + diff = Diff(id="scan-1", report_url="https://socket.dev/report/1") + + payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) + + assert payload == { + "copyrightsByLicense": {}, + "deepDependencies": [], + "directDependencies": [], + "licenses": {}, + "project": {"name": "owner/repo", "revision": "scan-1"}, + } + + +def test_fossa_attribution_file_is_written_indented(tmp_path): + """fossa-sbom.json should be written with indent=2, matching fossa-analyze.json.""" + import json + from types import SimpleNamespace + + from socketsecurity import socketcli + + target = tmp_path / "fossa-sbom.json" + config = SimpleNamespace(license_file_name=str(target)) + payload = { + "copyrightsByLicense": {}, + "deepDependencies": [], + "directDependencies": [], + "licenses": {}, + "project": {"name": "x", "revision": "y"}, + } + socketcli._write_attribution_file(config, payload) + content = target.read_text() + assert "\n " in content, f"Expected indented JSON, got: {content!r}" + assert json.loads(content) == payload + + +def test_build_license_artifact_payload_fossa_format_serializes_dependencies(): + class Config: + repo = "owner/repo" + branch = "main" + + diff = Diff(id="scan-1", report_url="https://socket.dev/report/1") + diff.packages = { + "pkg:pypi/requests@2.31.0": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + licenseDetails=[{"id": "Apache-2.0"}], + licenseAttrib=[{"id": "Apache-2.0"}], + purl="pkg:pypi/requests@2.31.0", + ) + } + + payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) + + assert payload["project"] == {"name": "owner/repo", "revision": "scan-1"} + assert payload["directDependencies"] == [{ + "authors": [], + "dependencyPaths": ["requests"], + "description": "", + "downloadUrl": "", + "hash": None, + "isGolang": None, + "licenses": [{"attribution": "", "name": "Apache-2.0"}], + "notes": [], + "otherLicenses": [], + "package": "requests", + "projectUrl": "", + "source": "pip", + "title": "requests", + "version": "2.31.0", + }] + assert payload["deepDependencies"] == [] + assert payload["copyrightsByLicense"] == {} + assert payload["licenses"] == {} diff --git a/tests/unit/test_tier1_finalize.py b/tests/unit/test_tier1_finalize.py new file mode 100644 index 0000000..2577643 --- /dev/null +++ b/tests/unit/test_tier1_finalize.py @@ -0,0 +1,70 @@ +"""Tests for tier1 reachability finalize retry/backoff (G11, Node parity).""" +import json +from unittest.mock import MagicMock + +import pytest + +from socketsecurity.core import TIER1_FINALIZE_MAX_ATTEMPTS, Core + + +@pytest.fixture +def core_with_mock_sdk(): + # Build a Core without running org setup; we only exercise finalize_tier1_scan. + core = Core.__new__(Core) + core.sdk = MagicMock() + return core + + +@pytest.fixture +def facts_file(tmp_path): + path = tmp_path / ".socket.facts.json" + path.write_text(json.dumps({"tier1ReachabilityScanId": "tier1-abc"}), encoding="utf-8") + return str(path) + + +@pytest.fixture(autouse=True) +def no_sleep(mocker): + return mocker.patch("socketsecurity.core.time.sleep") + + +def test_finalize_succeeds_first_try(core_with_mock_sdk, facts_file, no_sleep): + core_with_mock_sdk.sdk.fullscans.finalize_tier1.return_value = True + + assert core_with_mock_sdk.finalize_tier1_scan("full-1", facts_file) is True + assert core_with_mock_sdk.sdk.fullscans.finalize_tier1.call_count == 1 + no_sleep.assert_not_called() + + +def test_finalize_retries_then_succeeds(core_with_mock_sdk, facts_file, no_sleep): + core_with_mock_sdk.sdk.fullscans.finalize_tier1.side_effect = [ + Exception("transient"), + Exception("transient"), + True, + ] + + assert core_with_mock_sdk.finalize_tier1_scan("full-1", facts_file) is True + assert core_with_mock_sdk.sdk.fullscans.finalize_tier1.call_count == 3 + assert no_sleep.call_count == 2 # backoff between the 3 attempts + + +def test_finalize_exhausts_on_persistent_exception(core_with_mock_sdk, facts_file, no_sleep): + core_with_mock_sdk.sdk.fullscans.finalize_tier1.side_effect = Exception("down") + + # Never raises; returns False after exhausting attempts. + assert core_with_mock_sdk.finalize_tier1_scan("full-1", facts_file) is False + assert core_with_mock_sdk.sdk.fullscans.finalize_tier1.call_count == TIER1_FINALIZE_MAX_ATTEMPTS + + +def test_finalize_exhausts_on_persistent_falsy(core_with_mock_sdk, facts_file, no_sleep): + core_with_mock_sdk.sdk.fullscans.finalize_tier1.return_value = False + + assert core_with_mock_sdk.finalize_tier1_scan("full-1", facts_file) is False + assert core_with_mock_sdk.sdk.fullscans.finalize_tier1.call_count == TIER1_FINALIZE_MAX_ATTEMPTS + + +def test_finalize_returns_false_when_no_scan_id(core_with_mock_sdk, tmp_path): + path = tmp_path / ".socket.facts.json" + path.write_text(json.dumps({"components": []}), encoding="utf-8") + + assert core_with_mock_sdk.finalize_tier1_scan("full-1", str(path)) is False + core_with_mock_sdk.sdk.fullscans.finalize_tier1.assert_not_called() diff --git a/uv.lock b/uv.lock index 8edd838..d8ebc6b 100644 --- a/uv.lock +++ b/uv.lock @@ -1,13 +1,16 @@ version = 1 revision = 3 -requires-python = ">=3.10" +requires-python = ">=3.11" +resolution-markers = [ + "python_full_version >= '3.13'", + "python_full_version < '3.13'", +] [[package]] name = "anyio" version = "4.12.0" source = { registry = "https://pypi.org/simple" } dependencies = [ - { name = "exceptiongroup", marker = "python_full_version < '3.11'" }, { name = "idna" }, { name = "typing-extensions", marker = "python_full_version < '3.13'" }, ] @@ -16,15 +19,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/7f/9c/36c5c37947ebfb8c7f22e0eb6e4d188ee2d53aa3880f3f2744fb894f0cb1/anyio-4.12.0-py3-none-any.whl", hash = "sha256:dad2376a628f98eeca4881fc56cd06affd18f659b17a747d3ff0307ced94b1bb", size = 113362, upload-time = "2025-11-28T23:36:57.897Z" }, ] -[[package]] -name = "backports-asyncio-runner" -version = "1.2.0" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/8e/ff/70dca7d7cb1cbc0edb2c6cc0c38b65cba36cccc491eca64cabd5fe7f8670/backports_asyncio_runner-1.2.0.tar.gz", hash = "sha256:a5aa7b2b7d8f8bfcaa2b57313f70792df84e32a2a746f585213373f900b42162", size = 69893, upload-time = "2025-07-02T02:27:15.685Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/a0/59/76ab57e3fe74484f48a53f8e337171b4a2349e506eabe136d7e01d059086/backports_asyncio_runner-1.2.0-py3-none-any.whl", hash = "sha256:0da0a936a8aeb554eccb426dc55af3ba63bcdc69fa1a600b5bb305413a4477b5", size = 12313, upload-time = "2025-07-02T02:27:14.263Z" }, -] - [[package]] name = "backports-tarfile" version = "1.2.0" @@ -40,23 +34,6 @@ version = "1.3.0" source = { registry = "https://pypi.org/simple" } sdist = { url = "https://files.pythonhosted.org/packages/f4/b1/36a5182ce1d8ef9ef32bff69037bd28b389bbdb66338f8069e61da7028cb/backports_zstd-1.3.0.tar.gz", hash = "sha256:e8b2d68e2812f5c9970cabc5e21da8b409b5ed04e79b4585dbffa33e9b45ebe2", size = 997138, upload-time = "2025-12-29T17:28:06.143Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/76/70/766f6ebbb9db2ed75951f0a671ee15931dc69278c84d9f09b08dd6b67c3e/backports_zstd-1.3.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a2db17a6d9bf6b4dc223b3f6414aa9db6d1afe9de9bff61d582c2934ca456a0", size = 435664, upload-time = "2025-12-29T17:25:29.201Z" }, - { url = "https://files.pythonhosted.org/packages/55/f8/7b3fad9c6ee5ff3bcd7c941586675007330197ff4a388f01c73198ecc8bb/backports_zstd-1.3.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:a7f16b98ba81780a9517ce6c493e1aea9b7d72de2b1efa08375136c270e1ecba", size = 362060, upload-time = "2025-12-29T17:25:30.94Z" }, - { url = "https://files.pythonhosted.org/packages/68/9e/cad0f508ed7c3fbd07398f22b5bf25aa0523fcf56c84c3def642909e80ae/backports_zstd-1.3.0-cp310-cp310-manylinux2010_i686.manylinux_2_12_i686.manylinux_2_28_i686.whl", hash = "sha256:1124a169a647671ccb4654a0ef1d0b42d6735c45ce3d0adf609df22fb1f099db", size = 505958, upload-time = "2025-12-29T17:25:32.694Z" }, - { url = "https://files.pythonhosted.org/packages/b7/dc/96dc55c043b0d86e53ae9608b496196936244c1ecf7e95cdf66d0dbc0f23/backports_zstd-1.3.0-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:8410fda08b36202d01ab4503f6787c763898888cb1a48c19fce94711563d3ee3", size = 475571, upload-time = "2025-12-29T17:25:33.9Z" }, - { url = "https://files.pythonhosted.org/packages/20/48/d9c8c8c2a5ac57fc5697f1945254af31407b0c5f80335a175a7c215b4118/backports_zstd-1.3.0-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:ab139d1fc0e91a697e82fa834e6404098802f11b6035607174776173ded9a2cc", size = 581199, upload-time = "2025-12-29T17:25:35.566Z" }, - { url = "https://files.pythonhosted.org/packages/0d/ca/7fe70d2d39ed39e26a6c6f6c1dd229f1ab889500d5c90b17527702b1a21e/backports_zstd-1.3.0-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:6f3115d203f387f77c23b5461fb6678d282d4f276f9f39298ad242b00120afc7", size = 640846, upload-time = "2025-12-29T17:25:36.86Z" }, - { url = "https://files.pythonhosted.org/packages/0e/d8/5b8580469e70b72402212885bf19b9d31eaf23549b602e0c294edf380e25/backports_zstd-1.3.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:116f65cce84e215dfac0414924b051faf8d29dc7188cf3944dd1e5be8dd15a32", size = 491061, upload-time = "2025-12-29T17:25:38.721Z" }, - { url = "https://files.pythonhosted.org/packages/cc/dd/17a752263fccd1ba24184b7e89c14cd31553d512e2e5b065f38e63a0ba86/backports_zstd-1.3.0-cp310-cp310-manylinux_2_34_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:04def169e4a9ae291298124da4e097c6d6545d0e93164f934b716da04d24630a", size = 565071, upload-time = "2025-12-29T17:25:40.372Z" }, - { url = "https://files.pythonhosted.org/packages/1a/81/df23d3fe664b2497ab2ec01dc012cb9304e7d568c67f50b1b324fb2d8cbb/backports_zstd-1.3.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:481b586291ef02a250f03d4c31a37c9881e5e93556568abbd20ca1ad720d443f", size = 481518, upload-time = "2025-12-29T17:25:41.925Z" }, - { url = "https://files.pythonhosted.org/packages/ba/cd/e50dd85fde890c5d79e1ed5dc241f1c45f87b6c12571fdb60add57f2ee66/backports_zstd-1.3.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:0290979eea67f7275fa42d5859cc5bea94f2c08cca6bc36396673476773d2bad", size = 509464, upload-time = "2025-12-29T17:25:43.844Z" }, - { url = "https://files.pythonhosted.org/packages/d3/bb/e429156e4b834837fe78b4f32ed512491aea39415444420c79ccd3aa0526/backports_zstd-1.3.0-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:01c699d8c803dc9f9c9d6ede21b75ec99f45c3b411821011692befca538928cb", size = 585563, upload-time = "2025-12-29T17:25:45.038Z" }, - { url = "https://files.pythonhosted.org/packages/95/c0/1a0d245325827242aefe76f4f3477ec183b996b8db5105698564f8303481/backports_zstd-1.3.0-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:2c662912cfc1a5ebd1d2162ac651549d58bd3c97a8096130ec13c703fca355f2", size = 562889, upload-time = "2025-12-29T17:25:46.576Z" }, - { url = "https://files.pythonhosted.org/packages/93/42/126b2bc7540a15452c3ebdf190ebfea8a8644e29b22f4e10e2a6aa2389e4/backports_zstd-1.3.0-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:3180c8eb085396928e9946167e610aa625922b82c3e2263c5f17000556370168", size = 631423, upload-time = "2025-12-29T17:25:47.81Z" }, - { url = "https://files.pythonhosted.org/packages/dc/32/018e49657411582569032b7d1bb5d62e514aad8b44952de740ec6250588d/backports_zstd-1.3.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:5b9a8c75a294e7ffa18fc8425a763facc366435a8b442e4dffdc19fa9499a22c", size = 495122, upload-time = "2025-12-29T17:25:49.377Z" }, - { url = "https://files.pythonhosted.org/packages/c2/9e/cdd1d2e1d3612bb90d9cf9b23bea06f2155cdafccd8b6f28a1c4d7750004/backports_zstd-1.3.0-cp310-cp310-win32.whl", hash = "sha256:845defdb172385f17123d92a00d2e952d341e9ae310bfa2410c292bf03846034", size = 288573, upload-time = "2025-12-29T17:25:51.167Z" }, - { url = "https://files.pythonhosted.org/packages/55/7c/2e9c80f08375bd14262cefa69297a926134f517c9955c0795eec5e1d470e/backports_zstd-1.3.0-cp310-cp310-win_amd64.whl", hash = "sha256:43a9fea6299c801da85221e387b32d90a9ad7c62aa2a34edf525359ce5ad8f3a", size = 313506, upload-time = "2025-12-29T17:25:52.778Z" }, - { url = "https://files.pythonhosted.org/packages/c5/5d/fa67e8174f54db44eb33498abb7f98bea4f2329e873b225391bda0113a5e/backports_zstd-1.3.0-cp310-cp310-win_arm64.whl", hash = "sha256:df8473cb117e1316e6c6101f2724e025bd8f50af2dc009d0001c0aabfb5eb57c", size = 288688, upload-time = "2025-12-29T17:25:54.012Z" }, { url = "https://files.pythonhosted.org/packages/ac/28/ed31a0e35feb4538a996348362051b52912d50f00d25c2d388eccef9242c/backports_zstd-1.3.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:249f90b39d3741c48620021a968b35f268ca70e35f555abeea9ff95a451f35f9", size = 435660, upload-time = "2025-12-29T17:25:55.207Z" }, { url = "https://files.pythonhosted.org/packages/00/0d/3db362169d80442adda9dd563c4f0bb10091c8c1c9a158037f4ecd53988e/backports_zstd-1.3.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:b0e71e83e46154a9d3ced6d4de9a2fea8207ee1e4832aeecf364dc125eda305c", size = 362056, upload-time = "2025-12-29T17:25:56.729Z" }, { url = "https://files.pythonhosted.org/packages/bd/00/b67ba053a7d6f6dbe2f8a704b7d3a5e01b1d2e2e8edbc9b634f2702ef73c/backports_zstd-1.3.0-cp311-cp311-manylinux2010_i686.manylinux_2_12_i686.manylinux_2_28_i686.whl", hash = "sha256:cbc6193acd21f96760c94dd71bf32b161223e8503f5277acb0a5ab54e5598957", size = 505957, upload-time = "2025-12-29T17:25:57.941Z" }, @@ -125,12 +102,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/32/04/cfab76878f360f124dbb533779e1e4603c801a0f5ada72ae5c742b7c4d7d/backports_zstd-1.3.0-cp313-cp313t-win32.whl", hash = "sha256:7d3f0f2499d2049ec53d2674c605a4b3052c217cc7ee49c05258046411685adc", size = 289389, upload-time = "2025-12-29T17:27:22.287Z" }, { url = "https://files.pythonhosted.org/packages/cb/ff/dbcfb6c9c922ab6d98f3d321e7d0c7b34ecfa26f3ca71d930fe1ef639737/backports_zstd-1.3.0-cp313-cp313t-win_amd64.whl", hash = "sha256:eb2f8fab0b1ea05148394cb34a9e543a43477178765f2d6e7c84ed332e34935e", size = 314776, upload-time = "2025-12-29T17:27:23.458Z" }, { url = "https://files.pythonhosted.org/packages/01/4b/82e4baae3117806639fe1c693b1f2f7e6133a7cefd1fa2e38018c8edcd68/backports_zstd-1.3.0-cp313-cp313t-win_arm64.whl", hash = "sha256:c66ad9eb5bfbe28c2387b7fc58ddcdecfb336d6e4e60bcba1694a906c1f21a6c", size = 289315, upload-time = "2025-12-29T17:27:24.601Z" }, - { url = "https://files.pythonhosted.org/packages/95/b7/e843d32122f25d9568e75d1e7a29c00eae5e5728015604f3f6d02259b3a5/backports_zstd-1.3.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:3ab0d5632b84eff4355c42a04668cfe6466f7d390890f718978582bd1ff36949", size = 409771, upload-time = "2025-12-29T17:27:48.869Z" }, - { url = "https://files.pythonhosted.org/packages/fa/a5/d6a897d4b91732f54b4506858f1da65d7a5b2dc0dbe36a23992a64f09f5a/backports_zstd-1.3.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:6b97cea95dbb1a97c02afd718155fad93f747815069722107a429804c355e206", size = 339289, upload-time = "2025-12-29T17:27:50.055Z" }, - { url = "https://files.pythonhosted.org/packages/3f/b0/f0ce566ec221b284508eebbf574a779ba4a8932830db6ea03b6176f336a2/backports_zstd-1.3.0-pp310-pypy310_pp73-manylinux2010_i686.manylinux_2_12_i686.manylinux_2_28_i686.whl", hash = "sha256:477895f2642f9397aeba69618df2c91d7f336e02df83d1e623ac37c5d3a5115e", size = 420335, upload-time = "2025-12-29T17:27:51.455Z" }, - { url = "https://files.pythonhosted.org/packages/62/6d/bf55652c84c79b2565d3087265bcb097719540a313dee16359a54d83ab4e/backports_zstd-1.3.0-pp310-pypy310_pp73-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:330172aaf5fd3bfa53f49318abc6d1d4238cb043c384cf71f7b8f0fe2fb7ce31", size = 393880, upload-time = "2025-12-29T17:27:52.869Z" }, - { url = "https://files.pythonhosted.org/packages/be/e0/d1feebb70ffeb150e2891c6f09700079f4a60085ebc67529eb1ca72fb5c2/backports_zstd-1.3.0-pp310-pypy310_pp73-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:32974e71eff15897ed3f8b7766a753d9f3197ea4f1c9025d80f8de099a691b99", size = 413840, upload-time = "2025-12-29T17:27:54.527Z" }, - { url = "https://files.pythonhosted.org/packages/36/28/3b7be27ae51e418d3a724bbc4cb7fea77b6bd38b5007e333a56b0cb165c8/backports_zstd-1.3.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:993e3a34eaba5928a2065545e34bf75c65b9c34ecb67e43d5ef49b16cc182077", size = 299685, upload-time = "2025-12-29T17:27:56.149Z" }, { url = "https://files.pythonhosted.org/packages/9a/d9/8c9c246e5ea79a4f45d551088b11b61f2dc7efcdc5dbe6df3be84a506e0c/backports_zstd-1.3.0-pp311-pypy311_pp73-macosx_10_15_x86_64.whl", hash = "sha256:968167d29f012cee7b112ad031a8925e484e97e99288e55e4d62962c3a1013e3", size = 409666, upload-time = "2025-12-29T17:27:57.37Z" }, { url = "https://files.pythonhosted.org/packages/a4/4f/a55b33c314ca8c9074e99daab54d04c5d212070ae7dbc435329baf1b139e/backports_zstd-1.3.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:d8f6fc7d62b71083b574193dd8fb3a60e6bb34880cc0132aad242943af301f7a", size = 339199, upload-time = "2025-12-29T17:27:58.542Z" }, { url = "https://files.pythonhosted.org/packages/9d/13/ce31bd048b1c88d0f65d7af60b6cf89cfbed826c7c978f0ebca9a8a71cfc/backports_zstd-1.3.0-pp311-pypy311_pp73-manylinux2010_i686.manylinux_2_12_i686.manylinux_2_28_i686.whl", hash = "sha256:e0f2eca6aac280fdb77991ad3362487ee91a7fb064ad40043fb5a0bf5a376943", size = 420332, upload-time = "2025-12-29T17:28:00.332Z" }, @@ -152,6 +123,79 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/1a/39/47f9197bdd44df24d67ac8893641e16f386c984a0619ef2ee4c51fbbc019/beautifulsoup4-4.14.3-py3-none-any.whl", hash = "sha256:0918bfe44902e6ad8d57732ba310582e98da931428d231a5ecb9e7c703a735bb", size = 107721, upload-time = "2025-11-30T15:08:24.087Z" }, ] +[[package]] +name = "brotli" +version = "1.2.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f7/16/c92ca344d646e71a43b8bb353f0a6490d7f6e06210f8554c8f874e454285/brotli-1.2.0.tar.gz", hash = "sha256:e310f77e41941c13340a95976fe66a8a95b01e783d430eeaf7a2f87e0a57dd0a", size = 7388632, upload-time = "2025-11-05T18:39:42.86Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/7a/ef/f285668811a9e1ddb47a18cb0b437d5fc2760d537a2fe8a57875ad6f8448/brotli-1.2.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:15b33fe93cedc4caaff8a0bd1eb7e3dab1c61bb22a0bf5bdfdfd97cd7da79744", size = 863110, upload-time = "2025-11-05T18:38:12.978Z" }, + { url = "https://files.pythonhosted.org/packages/50/62/a3b77593587010c789a9d6eaa527c79e0848b7b860402cc64bc0bc28a86c/brotli-1.2.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:898be2be399c221d2671d29eed26b6b2713a02c2119168ed914e7d00ceadb56f", size = 445438, upload-time = "2025-11-05T18:38:14.208Z" }, + { url = "https://files.pythonhosted.org/packages/cd/e1/7fadd47f40ce5549dc44493877db40292277db373da5053aff181656e16e/brotli-1.2.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:350c8348f0e76fff0a0fd6c26755d2653863279d086d3aa2c290a6a7251135dd", size = 1534420, upload-time = "2025-11-05T18:38:15.111Z" }, + { url = "https://files.pythonhosted.org/packages/12/8b/1ed2f64054a5a008a4ccd2f271dbba7a5fb1a3067a99f5ceadedd4c1d5a7/brotli-1.2.0-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:2e1ad3fda65ae0d93fec742a128d72e145c9c7a99ee2fcd667785d99eb25a7fe", size = 1632619, upload-time = "2025-11-05T18:38:16.094Z" }, + { url = "https://files.pythonhosted.org/packages/89/5a/7071a621eb2d052d64efd5da2ef55ecdac7c3b0c6e4f9d519e9c66d987ef/brotli-1.2.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:40d918bce2b427a0c4ba189df7a006ac0c7277c180aee4617d99e9ccaaf59e6a", size = 1426014, upload-time = "2025-11-05T18:38:17.177Z" }, + { url = "https://files.pythonhosted.org/packages/26/6d/0971a8ea435af5156acaaccec1a505f981c9c80227633851f2810abd252a/brotli-1.2.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:2a7f1d03727130fc875448b65b127a9ec5d06d19d0148e7554384229706f9d1b", size = 1489661, upload-time = "2025-11-05T18:38:18.41Z" }, + { url = "https://files.pythonhosted.org/packages/f3/75/c1baca8b4ec6c96a03ef8230fab2a785e35297632f402ebb1e78a1e39116/brotli-1.2.0-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:9c79f57faa25d97900bfb119480806d783fba83cd09ee0b33c17623935b05fa3", size = 1599150, upload-time = "2025-11-05T18:38:19.792Z" }, + { url = "https://files.pythonhosted.org/packages/0d/1a/23fcfee1c324fd48a63d7ebf4bac3a4115bdb1b00e600f80f727d850b1ae/brotli-1.2.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:844a8ceb8483fefafc412f85c14f2aae2fb69567bf2a0de53cdb88b73e7c43ae", size = 1493505, upload-time = "2025-11-05T18:38:20.913Z" }, + { url = "https://files.pythonhosted.org/packages/36/e5/12904bbd36afeef53d45a84881a4810ae8810ad7e328a971ebbfd760a0b3/brotli-1.2.0-cp311-cp311-win32.whl", hash = "sha256:aa47441fa3026543513139cb8926a92a8e305ee9c71a6209ef7a97d91640ea03", size = 334451, upload-time = "2025-11-05T18:38:21.94Z" }, + { url = "https://files.pythonhosted.org/packages/02/8b/ecb5761b989629a4758c394b9301607a5880de61ee2ee5fe104b87149ebc/brotli-1.2.0-cp311-cp311-win_amd64.whl", hash = "sha256:022426c9e99fd65d9475dce5c195526f04bb8be8907607e27e747893f6ee3e24", size = 369035, upload-time = "2025-11-05T18:38:22.941Z" }, + { url = "https://files.pythonhosted.org/packages/11/ee/b0a11ab2315c69bb9b45a2aaed022499c9c24a205c3a49c3513b541a7967/brotli-1.2.0-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:35d382625778834a7f3061b15423919aa03e4f5da34ac8e02c074e4b75ab4f84", size = 861543, upload-time = "2025-11-05T18:38:24.183Z" }, + { url = "https://files.pythonhosted.org/packages/e1/2f/29c1459513cd35828e25531ebfcbf3e92a5e49f560b1777a9af7203eb46e/brotli-1.2.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:7a61c06b334bd99bc5ae84f1eeb36bfe01400264b3c352f968c6e30a10f9d08b", size = 444288, upload-time = "2025-11-05T18:38:25.139Z" }, + { url = "https://files.pythonhosted.org/packages/3d/6f/feba03130d5fceadfa3a1bb102cb14650798c848b1df2a808356f939bb16/brotli-1.2.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:acec55bb7c90f1dfc476126f9711a8e81c9af7fb617409a9ee2953115343f08d", size = 1528071, upload-time = "2025-11-05T18:38:26.081Z" }, + { url = "https://files.pythonhosted.org/packages/2b/38/f3abb554eee089bd15471057ba85f47e53a44a462cfce265d9bf7088eb09/brotli-1.2.0-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:260d3692396e1895c5034f204f0db022c056f9e2ac841593a4cf9426e2a3faca", size = 1626913, upload-time = "2025-11-05T18:38:27.284Z" }, + { url = "https://files.pythonhosted.org/packages/03/a7/03aa61fbc3c5cbf99b44d158665f9b0dd3d8059be16c460208d9e385c837/brotli-1.2.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:072e7624b1fc4d601036ab3f4f27942ef772887e876beff0301d261210bca97f", size = 1419762, upload-time = "2025-11-05T18:38:28.295Z" }, + { url = "https://files.pythonhosted.org/packages/21/1b/0374a89ee27d152a5069c356c96b93afd1b94eae83f1e004b57eb6ce2f10/brotli-1.2.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:adedc4a67e15327dfdd04884873c6d5a01d3e3b6f61406f99b1ed4865a2f6d28", size = 1484494, upload-time = "2025-11-05T18:38:29.29Z" }, + { url = "https://files.pythonhosted.org/packages/cf/57/69d4fe84a67aef4f524dcd075c6eee868d7850e85bf01d778a857d8dbe0a/brotli-1.2.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:7a47ce5c2288702e09dc22a44d0ee6152f2c7eda97b3c8482d826a1f3cfc7da7", size = 1593302, upload-time = "2025-11-05T18:38:30.639Z" }, + { url = "https://files.pythonhosted.org/packages/d5/3b/39e13ce78a8e9a621c5df3aeb5fd181fcc8caba8c48a194cd629771f6828/brotli-1.2.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:af43b8711a8264bb4e7d6d9a6d004c3a2019c04c01127a868709ec29962b6036", size = 1487913, upload-time = "2025-11-05T18:38:31.618Z" }, + { url = "https://files.pythonhosted.org/packages/62/28/4d00cb9bd76a6357a66fcd54b4b6d70288385584063f4b07884c1e7286ac/brotli-1.2.0-cp312-cp312-win32.whl", hash = "sha256:e99befa0b48f3cd293dafeacdd0d191804d105d279e0b387a32054c1180f3161", size = 334362, upload-time = "2025-11-05T18:38:32.939Z" }, + { url = "https://files.pythonhosted.org/packages/1c/4e/bc1dcac9498859d5e353c9b153627a3752868a9d5f05ce8dedd81a2354ab/brotli-1.2.0-cp312-cp312-win_amd64.whl", hash = "sha256:b35c13ce241abdd44cb8ca70683f20c0c079728a36a996297adb5334adfc1c44", size = 369115, upload-time = "2025-11-05T18:38:33.765Z" }, + { url = "https://files.pythonhosted.org/packages/6c/d4/4ad5432ac98c73096159d9ce7ffeb82d151c2ac84adcc6168e476bb54674/brotli-1.2.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:9e5825ba2c9998375530504578fd4d5d1059d09621a02065d1b6bfc41a8e05ab", size = 861523, upload-time = "2025-11-05T18:38:34.67Z" }, + { url = "https://files.pythonhosted.org/packages/91/9f/9cc5bd03ee68a85dc4bc89114f7067c056a3c14b3d95f171918c088bf88d/brotli-1.2.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:0cf8c3b8ba93d496b2fae778039e2f5ecc7cff99df84df337ca31d8f2252896c", size = 444289, upload-time = "2025-11-05T18:38:35.6Z" }, + { url = "https://files.pythonhosted.org/packages/2e/b6/fe84227c56a865d16a6614e2c4722864b380cb14b13f3e6bef441e73a85a/brotli-1.2.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c8565e3cdc1808b1a34714b553b262c5de5fbda202285782173ec137fd13709f", size = 1528076, upload-time = "2025-11-05T18:38:36.639Z" }, + { url = "https://files.pythonhosted.org/packages/55/de/de4ae0aaca06c790371cf6e7ee93a024f6b4bb0568727da8c3de112e726c/brotli-1.2.0-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:26e8d3ecb0ee458a9804f47f21b74845cc823fd1bb19f02272be70774f56e2a6", size = 1626880, upload-time = "2025-11-05T18:38:37.623Z" }, + { url = "https://files.pythonhosted.org/packages/5f/16/a1b22cbea436642e071adcaf8d4b350a2ad02f5e0ad0da879a1be16188a0/brotli-1.2.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:67a91c5187e1eec76a61625c77a6c8c785650f5b576ca732bd33ef58b0dff49c", size = 1419737, upload-time = "2025-11-05T18:38:38.729Z" }, + { url = "https://files.pythonhosted.org/packages/46/63/c968a97cbb3bdbf7f974ef5a6ab467a2879b82afbc5ffb65b8acbb744f95/brotli-1.2.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4ecdb3b6dc36e6d6e14d3a1bdc6c1057c8cbf80db04031d566eb6080ce283a48", size = 1484440, upload-time = "2025-11-05T18:38:39.916Z" }, + { url = "https://files.pythonhosted.org/packages/06/9d/102c67ea5c9fc171f423e8399e585dabea29b5bc79b05572891e70013cdd/brotli-1.2.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:3e1b35d56856f3ed326b140d3c6d9db91740f22e14b06e840fe4bb1923439a18", size = 1593313, upload-time = "2025-11-05T18:38:41.24Z" }, + { url = "https://files.pythonhosted.org/packages/9e/4a/9526d14fa6b87bc827ba1755a8440e214ff90de03095cacd78a64abe2b7d/brotli-1.2.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:54a50a9dad16b32136b2241ddea9e4df159b41247b2ce6aac0b3276a66a8f1e5", size = 1487945, upload-time = "2025-11-05T18:38:42.277Z" }, + { url = "https://files.pythonhosted.org/packages/5b/e8/3fe1ffed70cbef83c5236166acaed7bb9c766509b157854c80e2f766b38c/brotli-1.2.0-cp313-cp313-win32.whl", hash = "sha256:1b1d6a4efedd53671c793be6dd760fcf2107da3a52331ad9ea429edf0902f27a", size = 334368, upload-time = "2025-11-05T18:38:43.345Z" }, + { url = "https://files.pythonhosted.org/packages/ff/91/e739587be970a113b37b821eae8097aac5a48e5f0eca438c22e4c7dd8648/brotli-1.2.0-cp313-cp313-win_amd64.whl", hash = "sha256:b63daa43d82f0cdabf98dee215b375b4058cce72871fd07934f179885aad16e8", size = 369116, upload-time = "2025-11-05T18:38:44.609Z" }, + { url = "https://files.pythonhosted.org/packages/17/e1/298c2ddf786bb7347a1cd71d63a347a79e5712a7c0cba9e3c3458ebd976f/brotli-1.2.0-cp314-cp314-macosx_10_15_universal2.whl", hash = "sha256:6c12dad5cd04530323e723787ff762bac749a7b256a5bece32b2243dd5c27b21", size = 863080, upload-time = "2025-11-05T18:38:45.503Z" }, + { url = "https://files.pythonhosted.org/packages/84/0c/aac98e286ba66868b2b3b50338ffbd85a35c7122e9531a73a37a29763d38/brotli-1.2.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:3219bd9e69868e57183316ee19c84e03e8f8b5a1d1f2667e1aa8c2f91cb061ac", size = 445453, upload-time = "2025-11-05T18:38:46.433Z" }, + { url = "https://files.pythonhosted.org/packages/ec/f1/0ca1f3f99ae300372635ab3fe2f7a79fa335fee3d874fa7f9e68575e0e62/brotli-1.2.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:963a08f3bebd8b75ac57661045402da15991468a621f014be54e50f53a58d19e", size = 1528168, upload-time = "2025-11-05T18:38:47.371Z" }, + { url = "https://files.pythonhosted.org/packages/d6/a6/2ebfc8f766d46df8d3e65b880a2e220732395e6d7dc312c1e1244b0f074a/brotli-1.2.0-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:9322b9f8656782414b37e6af884146869d46ab85158201d82bab9abbcb971dc7", size = 1627098, upload-time = "2025-11-05T18:38:48.385Z" }, + { url = "https://files.pythonhosted.org/packages/f3/2f/0976d5b097ff8a22163b10617f76b2557f15f0f39d6a0fe1f02b1a53e92b/brotli-1.2.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:cf9cba6f5b78a2071ec6fb1e7bd39acf35071d90a81231d67e92d637776a6a63", size = 1419861, upload-time = "2025-11-05T18:38:49.372Z" }, + { url = "https://files.pythonhosted.org/packages/9c/97/d76df7176a2ce7616ff94c1fb72d307c9a30d2189fe877f3dd99af00ea5a/brotli-1.2.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7547369c4392b47d30a3467fe8c3330b4f2e0f7730e45e3103d7d636678a808b", size = 1484594, upload-time = "2025-11-05T18:38:50.655Z" }, + { url = "https://files.pythonhosted.org/packages/d3/93/14cf0b1216f43df5609f5b272050b0abd219e0b54ea80b47cef9867b45e7/brotli-1.2.0-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:fc1530af5c3c275b8524f2e24841cbe2599d74462455e9bae5109e9ff42e9361", size = 1593455, upload-time = "2025-11-05T18:38:51.624Z" }, + { url = "https://files.pythonhosted.org/packages/b3/73/3183c9e41ca755713bdf2cc1d0810df742c09484e2e1ddd693bee53877c1/brotli-1.2.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:d2d085ded05278d1c7f65560aae97b3160aeb2ea2c0b3e26204856beccb60888", size = 1488164, upload-time = "2025-11-05T18:38:53.079Z" }, + { url = "https://files.pythonhosted.org/packages/64/6a/0c78d8f3a582859236482fd9fa86a65a60328a00983006bcf6d83b7b2253/brotli-1.2.0-cp314-cp314-win32.whl", hash = "sha256:832c115a020e463c2f67664560449a7bea26b0c1fdd690352addad6d0a08714d", size = 339280, upload-time = "2025-11-05T18:38:54.02Z" }, + { url = "https://files.pythonhosted.org/packages/f5/10/56978295c14794b2c12007b07f3e41ba26acda9257457d7085b0bb3bb90c/brotli-1.2.0-cp314-cp314-win_amd64.whl", hash = "sha256:e7c0af964e0b4e3412a0ebf341ea26ec767fa0b4cf81abb5e897c9338b5ad6a3", size = 375639, upload-time = "2025-11-05T18:38:55.67Z" }, +] + +[[package]] +name = "brotlicffi" +version = "1.2.0.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "cffi" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/8a/b6/017dc5f852ed9b8735af77774509271acbf1de02d238377667145fcee01d/brotlicffi-1.2.0.1.tar.gz", hash = "sha256:c20d5c596278307ad06414a6d95a892377ea274a5c6b790c2548c009385d621c", size = 478156, upload-time = "2026-03-05T19:54:11.547Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ef/f9/dfa56316837fa798eac19358351e974de8e1e2ca9475af4cb90293cd6576/brotlicffi-1.2.0.1-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:2c85e65913cf2b79c57a3fdd05b98d9731d9255dc0cb696b09376cc091b9cddd", size = 433046, upload-time = "2026-03-05T19:53:46.209Z" }, + { url = "https://files.pythonhosted.org/packages/4a/f5/f8f492158c76b0d940388801f04f747028971ad5774287bded5f1e53f08d/brotlicffi-1.2.0.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:535f2d05d0273408abc13fc0eebb467afac17b0ad85090c8913690d40207dac5", size = 1541126, upload-time = "2026-03-05T19:53:48.248Z" }, + { url = "https://files.pythonhosted.org/packages/3b/e1/ff87af10ac419600c63e9287a0649c673673ae6b4f2bcf48e96cb2f89f60/brotlicffi-1.2.0.1-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ce17eb798ca59ecec67a9bb3fd7a4304e120d1cd02953ce522d959b9a84d58ac", size = 1541983, upload-time = "2026-03-05T19:53:50.317Z" }, + { url = "https://files.pythonhosted.org/packages/47/c0/80ecd9bd45776109fab14040e478bf63e456967c9ddee2353d8330ed8de1/brotlicffi-1.2.0.1-cp314-cp314t-win32.whl", hash = "sha256:3c9544f83cb715d95d7eab3af4adbbef8b2093ad6382288a83b3a25feb1a57ec", size = 349047, upload-time = "2026-03-05T19:53:52.215Z" }, + { url = "https://files.pythonhosted.org/packages/ab/98/13e5b250236a281b6cd9e92a01ee1ae231029fa78faee932ef3766e1cb24/brotlicffi-1.2.0.1-cp314-cp314t-win_amd64.whl", hash = "sha256:625f8115d32ae9c0740d01ea51518437c3fbaa3e78d41cb18459f6f7ac326000", size = 385652, upload-time = "2026-03-05T19:53:53.892Z" }, + { url = "https://files.pythonhosted.org/packages/9a/9f/b98dcd4af47994cee97aebac866996a006a2e5fc1fd1e2b82a8ad95cf09c/brotlicffi-1.2.0.1-cp38-abi3-macosx_11_0_arm64.whl", hash = "sha256:91ba5f0ccc040f6ff8f7efaf839f797723d03ed46acb8ae9408f99ffd2572cf4", size = 432608, upload-time = "2026-03-05T19:53:56.736Z" }, + { url = "https://files.pythonhosted.org/packages/b1/7a/ac4ee56595a061e3718a6d1ea7e921f4df156894acffb28ed88a1fd52022/brotlicffi-1.2.0.1-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:be9a670c6811af30a4bd42d7116dc5895d3b41beaa8ed8a89050447a0181f5ce", size = 1534257, upload-time = "2026-03-05T19:53:58.667Z" }, + { url = "https://files.pythonhosted.org/packages/99/39/e7410db7f6f56de57744ea52a115084ceb2735f4d44973f349bb92136586/brotlicffi-1.2.0.1-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:6f3314a3476f59e5443f9f72a6dff16edc0c3463c9b318feaef04ae3e4683f5a", size = 1536838, upload-time = "2026-03-05T19:54:00.705Z" }, + { url = "https://files.pythonhosted.org/packages/a6/75/6e7977d1935fc3fbb201cbd619be8f2c7aea25d40a096967132854b34708/brotlicffi-1.2.0.1-cp38-abi3-win32.whl", hash = "sha256:82ea52e2b5d3145b6c406ebd3efb0d55db718b7ad996bd70c62cec0439de1187", size = 343337, upload-time = "2026-03-05T19:54:02.446Z" }, + { url = "https://files.pythonhosted.org/packages/d8/ef/e7e485ce5e4ba3843a0a92feb767c7b6098fd6e65ce752918074d175ae71/brotlicffi-1.2.0.1-cp38-abi3-win_amd64.whl", hash = "sha256:da2e82a08e7778b8bc539d27ca03cdd684113e81394bfaaad8d0dfc6a17ddede", size = 379026, upload-time = "2026-03-05T19:54:04.322Z" }, + { url = "https://files.pythonhosted.org/packages/7f/53/6262c2256513e6f530d81642477cb19367270922063eaa2d7b781d8c723d/brotlicffi-1.2.0.1-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:e015af99584c6db1490a69a210c765953e473e63adc2d891ac3062a737c9e851", size = 402265, upload-time = "2026-03-05T19:54:05.858Z" }, + { url = "https://files.pythonhosted.org/packages/1f/d9/d5340b43cf5fbe7fe5a083d237e5338cc1caa73bea523be1c5e452c26290/brotlicffi-1.2.0.1-pp311-pypy311_pp73-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:37cb587d32bf7168e2218c455e22e409ad1f3157c6c71945879a311f3e6b6abf", size = 406710, upload-time = "2026-03-05T19:54:07.272Z" }, + { url = "https://files.pythonhosted.org/packages/a3/82/dbced4c1e0792efdf23fd90ff6d2a320c64ff4dfef7aacc85c04fde9ddd2/brotlicffi-1.2.0.1-pp311-pypy311_pp73-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9d6ba65dd528892b4d9960beba2ae011a753620bcfc66cf6fa3cee18d7b0baa4", size = 402787, upload-time = "2026-03-05T19:54:08.73Z" }, + { url = "https://files.pythonhosted.org/packages/ef/6f/534205ba7590c9a8716a614f270c5c2ec419b5b7079b3f9cd31b7b5580de/brotlicffi-1.2.0.1-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:f2a5575653b0672638ba039b82fda56854934d7a6a24d4b8b5033f73ab43cbc1", size = 375108, upload-time = "2026-03-05T19:54:10.079Z" }, +] + [[package]] name = "bs4" version = "0.0.2" @@ -182,14 +226,8 @@ dependencies = [ ] sdist = { url = "https://files.pythonhosted.org/packages/eb/56/b1ba7935a17738ae8453301356628e8147c79dbb825bcbc73dc7401f9846/cffi-2.0.0.tar.gz", hash = "sha256:44d1b5909021139fe36001ae048dbdde8214afa20200eda0f64c068cac5d5529", size = 523588, upload-time = "2025-09-08T23:24:04.541Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/50/bd/b1a6362b80628111e6653c961f987faa55262b4002fcec42308cad1db680/cffi-2.0.0-cp310-cp310-manylinux1_i686.manylinux2014_i686.manylinux_2_17_i686.manylinux_2_5_i686.whl", hash = "sha256:53f77cbe57044e88bbd5ed26ac1d0514d2acf0591dd6bb02a3ae37f76811b80c", size = 208811, upload-time = "2025-09-08T23:22:12.267Z" }, - { url = "https://files.pythonhosted.org/packages/4f/27/6933a8b2562d7bd1fb595074cf99cc81fc3789f6a6c05cdabb46284a3188/cffi-2.0.0-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:3e837e369566884707ddaf85fc1744b47575005c0a229de3327f8f9a20f4efeb", size = 216402, upload-time = "2025-09-08T23:22:13.455Z" }, - { url = "https://files.pythonhosted.org/packages/05/eb/b86f2a2645b62adcfff53b0dd97e8dfafb5c8aa864bd0d9a2c2049a0d551/cffi-2.0.0-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.whl", hash = "sha256:5eda85d6d1879e692d546a078b44251cdd08dd1cfb98dfb77b670c97cee49ea0", size = 203217, upload-time = "2025-09-08T23:22:14.596Z" }, - { url = "https://files.pythonhosted.org/packages/9f/e0/6cbe77a53acf5acc7c08cc186c9928864bd7c005f9efd0d126884858a5fe/cffi-2.0.0-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.whl", hash = "sha256:9332088d75dc3241c702d852d4671613136d90fa6881da7d770a483fd05248b4", size = 203079, upload-time = "2025-09-08T23:22:15.769Z" }, - { url = "https://files.pythonhosted.org/packages/98/29/9b366e70e243eb3d14a5cb488dfd3a0b6b2f1fb001a203f653b93ccfac88/cffi-2.0.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fc7de24befaeae77ba923797c7c87834c73648a05a4bde34b3b7e5588973a453", size = 216475, upload-time = "2025-09-08T23:22:17.427Z" }, - { url = "https://files.pythonhosted.org/packages/21/7a/13b24e70d2f90a322f2900c5d8e1f14fa7e2a6b3332b7309ba7b2ba51a5a/cffi-2.0.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:cf364028c016c03078a23b503f02058f1814320a56ad535686f90565636a9495", size = 218829, upload-time = "2025-09-08T23:22:19.069Z" }, - { url = "https://files.pythonhosted.org/packages/60/99/c9dc110974c59cc981b1f5b66e1d8af8af764e00f0293266824d9c4254bc/cffi-2.0.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e11e82b744887154b182fd3e7e8512418446501191994dbf9c9fc1f32cc8efd5", size = 211211, upload-time = "2025-09-08T23:22:20.588Z" }, - { url = "https://files.pythonhosted.org/packages/49/72/ff2d12dbf21aca1b32a40ed792ee6b40f6dc3a9cf1644bd7ef6e95e0ac5e/cffi-2.0.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:8ea985900c5c95ce9db1745f7933eeef5d314f0565b27625d9a10ec9881e1bfb", size = 218036, upload-time = "2025-09-08T23:22:22.143Z" }, + { url = "https://files.pythonhosted.org/packages/12/4a/3dfd5f7850cbf0d06dc84ba9aa00db766b52ca38d8b86e3a38314d52498c/cffi-2.0.0-cp311-cp311-macosx_10_13_x86_64.whl", hash = "sha256:b4c854ef3adc177950a8dfc81a86f5115d2abd545751a304c5bcf2c2c7283cfe", size = 184344, upload-time = "2025-09-08T23:22:26.456Z" }, + { url = "https://files.pythonhosted.org/packages/4f/8b/f0e4c441227ba756aafbe78f117485b25bb26b1c059d01f137fa6d14896b/cffi-2.0.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:2de9a304e27f7596cd03d16f1b7c72219bd944e99cc52b84d0145aefb07cbd3c", size = 180560, upload-time = "2025-09-08T23:22:28.197Z" }, { url = "https://files.pythonhosted.org/packages/b1/b7/1200d354378ef52ec227395d95c2576330fd22a869f7a70e88e1447eb234/cffi-2.0.0-cp311-cp311-manylinux1_i686.manylinux2014_i686.manylinux_2_17_i686.manylinux_2_5_i686.whl", hash = "sha256:baf5215e0ab74c16e2dd324e8ec067ef59e41125d3eade2b863d294fd5035c92", size = 209613, upload-time = "2025-09-08T23:22:29.475Z" }, { url = "https://files.pythonhosted.org/packages/b8/56/6033f5e86e8cc9bb629f0077ba71679508bdf54a9a5e112a3c0b91870332/cffi-2.0.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:730cacb21e1bdff3ce90babf007d0a0917cc3e6492f336c2f0134101e0944f93", size = 216476, upload-time = "2025-09-08T23:22:31.063Z" }, { url = "https://files.pythonhosted.org/packages/dc/7f/55fecd70f7ece178db2f26128ec41430d8720f2d12ca97bf8f0a628207d5/cffi-2.0.0-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.whl", hash = "sha256:6824f87845e3396029f3820c206e459ccc91760e8fa24422f8b0c3d1731cbec5", size = 203374, upload-time = "2025-09-08T23:22:32.507Z" }, @@ -198,6 +236,11 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/44/64/58f6255b62b101093d5df22dcb752596066c7e89dd725e0afaed242a61be/cffi-2.0.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:a05d0c237b3349096d3981b727493e22147f934b20f6f125a3eba8f994bec4a9", size = 218971, upload-time = "2025-09-08T23:22:36.805Z" }, { url = "https://files.pythonhosted.org/packages/ab/49/fa72cebe2fd8a55fbe14956f9970fe8eb1ac59e5df042f603ef7c8ba0adc/cffi-2.0.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:94698a9c5f91f9d138526b48fe26a199609544591f859c870d477351dc7b2414", size = 211972, upload-time = "2025-09-08T23:22:38.436Z" }, { url = "https://files.pythonhosted.org/packages/0b/28/dd0967a76aab36731b6ebfe64dec4e981aff7e0608f60c2d46b46982607d/cffi-2.0.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:5fed36fccc0612a53f1d4d9a816b50a36702c28a2aa880cb8a122b3466638743", size = 217078, upload-time = "2025-09-08T23:22:39.776Z" }, + { url = "https://files.pythonhosted.org/packages/2b/c0/015b25184413d7ab0a410775fdb4a50fca20f5589b5dab1dbbfa3baad8ce/cffi-2.0.0-cp311-cp311-win32.whl", hash = "sha256:c649e3a33450ec82378822b3dad03cc228b8f5963c0c12fc3b1e0ab940f768a5", size = 172076, upload-time = "2025-09-08T23:22:40.95Z" }, + { url = "https://files.pythonhosted.org/packages/ae/8f/dc5531155e7070361eb1b7e4c1a9d896d0cb21c49f807a6c03fd63fc877e/cffi-2.0.0-cp311-cp311-win_amd64.whl", hash = "sha256:66f011380d0e49ed280c789fbd08ff0d40968ee7b665575489afa95c98196ab5", size = 182820, upload-time = "2025-09-08T23:22:42.463Z" }, + { url = "https://files.pythonhosted.org/packages/95/5c/1b493356429f9aecfd56bc171285a4c4ac8697f76e9bbbbb105e537853a1/cffi-2.0.0-cp311-cp311-win_arm64.whl", hash = "sha256:c6638687455baf640e37344fe26d37c404db8b80d037c3d29f58fe8d1c3b194d", size = 177635, upload-time = "2025-09-08T23:22:43.623Z" }, + { url = "https://files.pythonhosted.org/packages/ea/47/4f61023ea636104d4f16ab488e268b93008c3d0bb76893b1b31db1f96802/cffi-2.0.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:6d02d6655b0e54f54c4ef0b94eb6be0607b70853c45ce98bd278dc7de718be5d", size = 185271, upload-time = "2025-09-08T23:22:44.795Z" }, + { url = "https://files.pythonhosted.org/packages/df/a2/781b623f57358e360d62cdd7a8c681f074a71d445418a776eef0aadb4ab4/cffi-2.0.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8eca2a813c1cb7ad4fb74d368c2ffbbb4789d377ee5bb8df98373c2cc0dee76c", size = 181048, upload-time = "2025-09-08T23:22:45.938Z" }, { url = "https://files.pythonhosted.org/packages/ff/df/a4f0fbd47331ceeba3d37c2e51e9dfc9722498becbeec2bd8bc856c9538a/cffi-2.0.0-cp312-cp312-manylinux1_i686.manylinux2014_i686.manylinux_2_17_i686.manylinux_2_5_i686.whl", hash = "sha256:21d1152871b019407d8ac3985f6775c079416c282e431a4da6afe7aefd2bccbe", size = 212529, upload-time = "2025-09-08T23:22:47.349Z" }, { url = "https://files.pythonhosted.org/packages/d5/72/12b5f8d3865bf0f87cf1404d8c374e7487dcf097a1c91c436e72e6badd83/cffi-2.0.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b21e08af67b8a103c71a250401c78d5e0893beff75e28c53c98f4de42f774062", size = 220097, upload-time = "2025-09-08T23:22:48.677Z" }, { url = "https://files.pythonhosted.org/packages/c2/95/7a135d52a50dfa7c882ab0ac17e8dc11cec9d55d2c18dda414c051c5e69e/cffi-2.0.0-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.whl", hash = "sha256:1e3a615586f05fc4065a8b22b8152f0c1b00cdbc60596d187c2a74f9e3036e4e", size = 207983, upload-time = "2025-09-08T23:22:50.06Z" }, @@ -205,6 +248,11 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/78/2d/7fa73dfa841b5ac06c7b8855cfc18622132e365f5b81d02230333ff26e9e/cffi-2.0.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:3e17ed538242334bf70832644a32a7aae3d83b57567f9fd60a26257e992b79ba", size = 219572, upload-time = "2025-09-08T23:22:52.902Z" }, { url = "https://files.pythonhosted.org/packages/07/e0/267e57e387b4ca276b90f0434ff88b2c2241ad72b16d31836adddfd6031b/cffi-2.0.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:3925dd22fa2b7699ed2617149842d2e6adde22b262fcbfada50e3d195e4b3a94", size = 222963, upload-time = "2025-09-08T23:22:54.518Z" }, { url = "https://files.pythonhosted.org/packages/b6/75/1f2747525e06f53efbd878f4d03bac5b859cbc11c633d0fb81432d98a795/cffi-2.0.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:2c8f814d84194c9ea681642fd164267891702542f028a15fc97d4674b6206187", size = 221361, upload-time = "2025-09-08T23:22:55.867Z" }, + { url = "https://files.pythonhosted.org/packages/7b/2b/2b6435f76bfeb6bbf055596976da087377ede68df465419d192acf00c437/cffi-2.0.0-cp312-cp312-win32.whl", hash = "sha256:da902562c3e9c550df360bfa53c035b2f241fed6d9aef119048073680ace4a18", size = 172932, upload-time = "2025-09-08T23:22:57.188Z" }, + { url = "https://files.pythonhosted.org/packages/f8/ed/13bd4418627013bec4ed6e54283b1959cf6db888048c7cf4b4c3b5b36002/cffi-2.0.0-cp312-cp312-win_amd64.whl", hash = "sha256:da68248800ad6320861f129cd9c1bf96ca849a2771a59e0344e88681905916f5", size = 183557, upload-time = "2025-09-08T23:22:58.351Z" }, + { url = "https://files.pythonhosted.org/packages/95/31/9f7f93ad2f8eff1dbc1c3656d7ca5bfd8fb52c9d786b4dcf19b2d02217fa/cffi-2.0.0-cp312-cp312-win_arm64.whl", hash = "sha256:4671d9dd5ec934cb9a73e7ee9676f9362aba54f7f34910956b84d727b0d73fb6", size = 177762, upload-time = "2025-09-08T23:22:59.668Z" }, + { url = "https://files.pythonhosted.org/packages/4b/8d/a0a47a0c9e413a658623d014e91e74a50cdd2c423f7ccfd44086ef767f90/cffi-2.0.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb", size = 185230, upload-time = "2025-09-08T23:23:00.879Z" }, + { url = "https://files.pythonhosted.org/packages/4a/d2/a6c0296814556c68ee32009d9c2ad4f85f2707cdecfd7727951ec228005d/cffi-2.0.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:45d5e886156860dc35862657e1494b9bae8dfa63bf56796f2fb56e1679fc0bca", size = 181043, upload-time = "2025-09-08T23:23:02.231Z" }, { url = "https://files.pythonhosted.org/packages/b0/1e/d22cc63332bd59b06481ceaac49d6c507598642e2230f201649058a7e704/cffi-2.0.0-cp313-cp313-manylinux1_i686.manylinux2014_i686.manylinux_2_17_i686.manylinux_2_5_i686.whl", hash = "sha256:07b271772c100085dd28b74fa0cd81c8fb1a3ba18b21e03d7c27f3436a10606b", size = 212446, upload-time = "2025-09-08T23:23:03.472Z" }, { url = "https://files.pythonhosted.org/packages/a9/f5/a2c23eb03b61a0b8747f211eb716446c826ad66818ddc7810cc2cc19b3f2/cffi-2.0.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:d48a880098c96020b02d5a1f7d9251308510ce8858940e6fa99ece33f610838b", size = 220101, upload-time = "2025-09-08T23:23:04.792Z" }, { url = "https://files.pythonhosted.org/packages/f2/7f/e6647792fc5850d634695bc0e6ab4111ae88e89981d35ac269956605feba/cffi-2.0.0-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.whl", hash = "sha256:f93fd8e5c8c0a4aa1f424d6173f14a892044054871c771f8566e4008eaa359d2", size = 207948, upload-time = "2025-09-08T23:23:06.127Z" }, @@ -212,18 +260,31 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/98/df/0a1755e750013a2081e863e7cd37e0cdd02664372c754e5560099eb7aa44/cffi-2.0.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:c8d3b5532fc71b7a77c09192b4a5a200ea992702734a2e9279a37f2478236f26", size = 219499, upload-time = "2025-09-08T23:23:09.648Z" }, { url = "https://files.pythonhosted.org/packages/50/e1/a969e687fcf9ea58e6e2a928ad5e2dd88cc12f6f0ab477e9971f2309b57c/cffi-2.0.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:d9b29c1f0ae438d5ee9acb31cadee00a58c46cc9c0b2f9038c6b0b3470877a8c", size = 222928, upload-time = "2025-09-08T23:23:10.928Z" }, { url = "https://files.pythonhosted.org/packages/36/54/0362578dd2c9e557a28ac77698ed67323ed5b9775ca9d3fe73fe191bb5d8/cffi-2.0.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6d50360be4546678fc1b79ffe7a66265e28667840010348dd69a314145807a1b", size = 221302, upload-time = "2025-09-08T23:23:12.42Z" }, + { url = "https://files.pythonhosted.org/packages/eb/6d/bf9bda840d5f1dfdbf0feca87fbdb64a918a69bca42cfa0ba7b137c48cb8/cffi-2.0.0-cp313-cp313-win32.whl", hash = "sha256:74a03b9698e198d47562765773b4a8309919089150a0bb17d829ad7b44b60d27", size = 172909, upload-time = "2025-09-08T23:23:14.32Z" }, + { url = "https://files.pythonhosted.org/packages/37/18/6519e1ee6f5a1e579e04b9ddb6f1676c17368a7aba48299c3759bbc3c8b3/cffi-2.0.0-cp313-cp313-win_amd64.whl", hash = "sha256:19f705ada2530c1167abacb171925dd886168931e0a7b78f5bffcae5c6b5be75", size = 183402, upload-time = "2025-09-08T23:23:15.535Z" }, + { url = "https://files.pythonhosted.org/packages/cb/0e/02ceeec9a7d6ee63bb596121c2c8e9b3a9e150936f4fbef6ca1943e6137c/cffi-2.0.0-cp313-cp313-win_arm64.whl", hash = "sha256:256f80b80ca3853f90c21b23ee78cd008713787b1b1e93eae9f3d6a7134abd91", size = 177780, upload-time = "2025-09-08T23:23:16.761Z" }, + { url = "https://files.pythonhosted.org/packages/92/c4/3ce07396253a83250ee98564f8d7e9789fab8e58858f35d07a9a2c78de9f/cffi-2.0.0-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:fc33c5141b55ed366cfaad382df24fe7dcbc686de5be719b207bb248e3053dc5", size = 185320, upload-time = "2025-09-08T23:23:18.087Z" }, + { url = "https://files.pythonhosted.org/packages/59/dd/27e9fa567a23931c838c6b02d0764611c62290062a6d4e8ff7863daf9730/cffi-2.0.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:c654de545946e0db659b3400168c9ad31b5d29593291482c43e3564effbcee13", size = 181487, upload-time = "2025-09-08T23:23:19.622Z" }, { url = "https://files.pythonhosted.org/packages/d6/43/0e822876f87ea8a4ef95442c3d766a06a51fc5298823f884ef87aaad168c/cffi-2.0.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:24b6f81f1983e6df8db3adc38562c83f7d4a0c36162885ec7f7b77c7dcbec97b", size = 220049, upload-time = "2025-09-08T23:23:20.853Z" }, { url = "https://files.pythonhosted.org/packages/b4/89/76799151d9c2d2d1ead63c2429da9ea9d7aac304603de0c6e8764e6e8e70/cffi-2.0.0-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.whl", hash = "sha256:12873ca6cb9b0f0d3a0da705d6086fe911591737a59f28b7936bdfed27c0d47c", size = 207793, upload-time = "2025-09-08T23:23:22.08Z" }, { url = "https://files.pythonhosted.org/packages/bb/dd/3465b14bb9e24ee24cb88c9e3730f6de63111fffe513492bf8c808a3547e/cffi-2.0.0-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.whl", hash = "sha256:d9b97165e8aed9272a6bb17c01e3cc5871a594a446ebedc996e2397a1c1ea8ef", size = 206300, upload-time = "2025-09-08T23:23:23.314Z" }, { url = "https://files.pythonhosted.org/packages/47/d9/d83e293854571c877a92da46fdec39158f8d7e68da75bf73581225d28e90/cffi-2.0.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:afb8db5439b81cf9c9d0c80404b60c3cc9c3add93e114dcae767f1477cb53775", size = 219244, upload-time = "2025-09-08T23:23:24.541Z" }, { url = "https://files.pythonhosted.org/packages/2b/0f/1f177e3683aead2bb00f7679a16451d302c436b5cbf2505f0ea8146ef59e/cffi-2.0.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:737fe7d37e1a1bffe70bd5754ea763a62a066dc5913ca57e957824b72a85e205", size = 222828, upload-time = "2025-09-08T23:23:26.143Z" }, { url = "https://files.pythonhosted.org/packages/c6/0f/cafacebd4b040e3119dcb32fed8bdef8dfe94da653155f9d0b9dc660166e/cffi-2.0.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:38100abb9d1b1435bc4cc340bb4489635dc2f0da7456590877030c9b3d40b0c1", size = 220926, upload-time = "2025-09-08T23:23:27.873Z" }, + { url = "https://files.pythonhosted.org/packages/3e/aa/df335faa45b395396fcbc03de2dfcab242cd61a9900e914fe682a59170b1/cffi-2.0.0-cp314-cp314-win32.whl", hash = "sha256:087067fa8953339c723661eda6b54bc98c5625757ea62e95eb4898ad5e776e9f", size = 175328, upload-time = "2025-09-08T23:23:44.61Z" }, + { url = "https://files.pythonhosted.org/packages/bb/92/882c2d30831744296ce713f0feb4c1cd30f346ef747b530b5318715cc367/cffi-2.0.0-cp314-cp314-win_amd64.whl", hash = "sha256:203a48d1fb583fc7d78a4c6655692963b860a417c0528492a6bc21f1aaefab25", size = 185650, upload-time = "2025-09-08T23:23:45.848Z" }, + { url = "https://files.pythonhosted.org/packages/9f/2c/98ece204b9d35a7366b5b2c6539c350313ca13932143e79dc133ba757104/cffi-2.0.0-cp314-cp314-win_arm64.whl", hash = "sha256:dbd5c7a25a7cb98f5ca55d258b103a2054f859a46ae11aaf23134f9cc0d356ad", size = 180687, upload-time = "2025-09-08T23:23:47.105Z" }, + { url = "https://files.pythonhosted.org/packages/3e/61/c768e4d548bfa607abcda77423448df8c471f25dbe64fb2ef6d555eae006/cffi-2.0.0-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:9a67fc9e8eb39039280526379fb3a70023d77caec1852002b4da7e8b270c4dd9", size = 188773, upload-time = "2025-09-08T23:23:29.347Z" }, + { url = "https://files.pythonhosted.org/packages/2c/ea/5f76bce7cf6fcd0ab1a1058b5af899bfbef198bea4d5686da88471ea0336/cffi-2.0.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:7a66c7204d8869299919db4d5069a82f1561581af12b11b3c9f48c584eb8743d", size = 185013, upload-time = "2025-09-08T23:23:30.63Z" }, { url = "https://files.pythonhosted.org/packages/be/b4/c56878d0d1755cf9caa54ba71e5d049479c52f9e4afc230f06822162ab2f/cffi-2.0.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7cc09976e8b56f8cebd752f7113ad07752461f48a58cbba644139015ac24954c", size = 221593, upload-time = "2025-09-08T23:23:31.91Z" }, { url = "https://files.pythonhosted.org/packages/e0/0d/eb704606dfe8033e7128df5e90fee946bbcb64a04fcdaa97321309004000/cffi-2.0.0-cp314-cp314t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.whl", hash = "sha256:92b68146a71df78564e4ef48af17551a5ddd142e5190cdf2c5624d0c3ff5b2e8", size = 209354, upload-time = "2025-09-08T23:23:33.214Z" }, { url = "https://files.pythonhosted.org/packages/d8/19/3c435d727b368ca475fb8742ab97c9cb13a0de600ce86f62eab7fa3eea60/cffi-2.0.0-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.whl", hash = "sha256:b1e74d11748e7e98e2f426ab176d4ed720a64412b6a15054378afdb71e0f37dc", size = 208480, upload-time = "2025-09-08T23:23:34.495Z" }, { url = "https://files.pythonhosted.org/packages/d0/44/681604464ed9541673e486521497406fadcc15b5217c3e326b061696899a/cffi-2.0.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:28a3a209b96630bca57cce802da70c266eb08c6e97e5afd61a75611ee6c64592", size = 221584, upload-time = "2025-09-08T23:23:36.096Z" }, { url = "https://files.pythonhosted.org/packages/25/8e/342a504ff018a2825d395d44d63a767dd8ebc927ebda557fecdaca3ac33a/cffi-2.0.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:7553fb2090d71822f02c629afe6042c299edf91ba1bf94951165613553984512", size = 224443, upload-time = "2025-09-08T23:23:37.328Z" }, { url = "https://files.pythonhosted.org/packages/e1/5e/b666bacbbc60fbf415ba9988324a132c9a7a0448a9a8f125074671c0f2c3/cffi-2.0.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:6c6c373cfc5c83a975506110d17457138c8c63016b563cc9ed6e056a82f13ce4", size = 223437, upload-time = "2025-09-08T23:23:38.945Z" }, + { url = "https://files.pythonhosted.org/packages/a0/1d/ec1a60bd1a10daa292d3cd6bb0b359a81607154fb8165f3ec95fe003b85c/cffi-2.0.0-cp314-cp314t-win32.whl", hash = "sha256:1fc9ea04857caf665289b7a75923f2c6ed559b8298a1b8c49e59f7dd95c8481e", size = 180487, upload-time = "2025-09-08T23:23:40.423Z" }, + { url = "https://files.pythonhosted.org/packages/bf/41/4c1168c74fac325c0c8156f04b6749c8b6a8f405bbf91413ba088359f60d/cffi-2.0.0-cp314-cp314t-win_amd64.whl", hash = "sha256:d68b6cef7827e8641e8ef16f4494edda8b36104d79773a334beaa1e3521430f6", size = 191726, upload-time = "2025-09-08T23:23:41.742Z" }, + { url = "https://files.pythonhosted.org/packages/ae/3a/dbeec9d1ee0844c679f6bb5d6ad4e9f198b1224f4e7a32825f47f6192b0c/cffi-2.0.0-cp314-cp314t-win_arm64.whl", hash = "sha256:0a1527a803f0a659de1af2e1fd700213caba79377e27e4693648c2923da066f9", size = 184195, upload-time = "2025-09-08T23:23:43.004Z" }, ] [[package]] @@ -241,22 +302,6 @@ version = "3.4.4" source = { registry = "https://pypi.org/simple" } sdist = { url = "https://files.pythonhosted.org/packages/13/69/33ddede1939fdd074bce5434295f38fae7136463422fe4fd3e0e89b98062/charset_normalizer-3.4.4.tar.gz", hash = "sha256:94537985111c35f28720e43603b8e7b43a6ecfb2ce1d3058bbe955b73404e21a", size = 129418, upload-time = "2025-10-14T04:42:32.879Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/1f/b8/6d51fc1d52cbd52cd4ccedd5b5b2f0f6a11bbf6765c782298b0f3e808541/charset_normalizer-3.4.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:e824f1492727fa856dd6eda4f7cee25f8518a12f3c4a56a74e8095695089cf6d", size = 209709, upload-time = "2025-10-14T04:40:11.385Z" }, - { url = "https://files.pythonhosted.org/packages/5c/af/1f9d7f7faafe2ddfb6f72a2e07a548a629c61ad510fe60f9630309908fef/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:4bd5d4137d500351a30687c2d3971758aac9a19208fc110ccb9d7188fbe709e8", size = 148814, upload-time = "2025-10-14T04:40:13.135Z" }, - { url = "https://files.pythonhosted.org/packages/79/3d/f2e3ac2bbc056ca0c204298ea4e3d9db9b4afe437812638759db2c976b5f/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:027f6de494925c0ab2a55eab46ae5129951638a49a34d87f4c3eda90f696b4ad", size = 144467, upload-time = "2025-10-14T04:40:14.728Z" }, - { url = "https://files.pythonhosted.org/packages/ec/85/1bf997003815e60d57de7bd972c57dc6950446a3e4ccac43bc3070721856/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f820802628d2694cb7e56db99213f930856014862f3fd943d290ea8438d07ca8", size = 162280, upload-time = "2025-10-14T04:40:16.14Z" }, - { url = "https://files.pythonhosted.org/packages/3e/8e/6aa1952f56b192f54921c436b87f2aaf7c7a7c3d0d1a765547d64fd83c13/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:798d75d81754988d2565bff1b97ba5a44411867c0cf32b77a7e8f8d84796b10d", size = 159454, upload-time = "2025-10-14T04:40:17.567Z" }, - { url = "https://files.pythonhosted.org/packages/36/3b/60cbd1f8e93aa25d1c669c649b7a655b0b5fb4c571858910ea9332678558/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9d1bb833febdff5c8927f922386db610b49db6e0d4f4ee29601d71e7c2694313", size = 153609, upload-time = "2025-10-14T04:40:19.08Z" }, - { url = "https://files.pythonhosted.org/packages/64/91/6a13396948b8fd3c4b4fd5bc74d045f5637d78c9675585e8e9fbe5636554/charset_normalizer-3.4.4-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:9cd98cdc06614a2f768d2b7286d66805f94c48cde050acdbbb7db2600ab3197e", size = 151849, upload-time = "2025-10-14T04:40:20.607Z" }, - { url = "https://files.pythonhosted.org/packages/b7/7a/59482e28b9981d105691e968c544cc0df3b7d6133152fb3dcdc8f135da7a/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:077fbb858e903c73f6c9db43374fd213b0b6a778106bc7032446a8e8b5b38b93", size = 151586, upload-time = "2025-10-14T04:40:21.719Z" }, - { url = "https://files.pythonhosted.org/packages/92/59/f64ef6a1c4bdd2baf892b04cd78792ed8684fbc48d4c2afe467d96b4df57/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:244bfb999c71b35de57821b8ea746b24e863398194a4014e4c76adc2bbdfeff0", size = 145290, upload-time = "2025-10-14T04:40:23.069Z" }, - { url = "https://files.pythonhosted.org/packages/6b/63/3bf9f279ddfa641ffa1962b0db6a57a9c294361cc2f5fcac997049a00e9c/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:64b55f9dce520635f018f907ff1b0df1fdc31f2795a922fb49dd14fbcdf48c84", size = 163663, upload-time = "2025-10-14T04:40:24.17Z" }, - { url = "https://files.pythonhosted.org/packages/ed/09/c9e38fc8fa9e0849b172b581fd9803bdf6e694041127933934184e19f8c3/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:faa3a41b2b66b6e50f84ae4a68c64fcd0c44355741c6374813a800cd6695db9e", size = 151964, upload-time = "2025-10-14T04:40:25.368Z" }, - { url = "https://files.pythonhosted.org/packages/d2/d1/d28b747e512d0da79d8b6a1ac18b7ab2ecfd81b2944c4c710e166d8dd09c/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:6515f3182dbe4ea06ced2d9e8666d97b46ef4c75e326b79bb624110f122551db", size = 161064, upload-time = "2025-10-14T04:40:26.806Z" }, - { url = "https://files.pythonhosted.org/packages/bb/9a/31d62b611d901c3b9e5500c36aab0ff5eb442043fb3a1c254200d3d397d9/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:cc00f04ed596e9dc0da42ed17ac5e596c6ccba999ba6bd92b0e0aef2f170f2d6", size = 155015, upload-time = "2025-10-14T04:40:28.284Z" }, - { url = "https://files.pythonhosted.org/packages/1f/f3/107e008fa2bff0c8b9319584174418e5e5285fef32f79d8ee6a430d0039c/charset_normalizer-3.4.4-cp310-cp310-win32.whl", hash = "sha256:f34be2938726fc13801220747472850852fe6b1ea75869a048d6f896838c896f", size = 99792, upload-time = "2025-10-14T04:40:29.613Z" }, - { url = "https://files.pythonhosted.org/packages/eb/66/e396e8a408843337d7315bab30dbf106c38966f1819f123257f5520f8a96/charset_normalizer-3.4.4-cp310-cp310-win_amd64.whl", hash = "sha256:a61900df84c667873b292c3de315a786dd8dac506704dea57bc957bd31e22c7d", size = 107198, upload-time = "2025-10-14T04:40:30.644Z" }, - { url = "https://files.pythonhosted.org/packages/b5/58/01b4f815bf0312704c267f2ccb6e5d42bcc7752340cd487bc9f8c3710597/charset_normalizer-3.4.4-cp310-cp310-win_arm64.whl", hash = "sha256:cead0978fc57397645f12578bfd2d5ea9138ea0fac82b2f63f7f7c6877986a69", size = 100262, upload-time = "2025-10-14T04:40:32.108Z" }, { url = "https://files.pythonhosted.org/packages/ed/27/c6491ff4954e58a10f69ad90aca8a1b6fe9c5d3c6f380907af3c37435b59/charset_normalizer-3.4.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6e1fcf0720908f200cd21aa4e6750a48ff6ce4afe7ff5a79a90d5ed8a08296f8", size = 206988, upload-time = "2025-10-14T04:40:33.79Z" }, { url = "https://files.pythonhosted.org/packages/94/59/2e87300fe67ab820b5428580a53cad894272dbb97f38a7a814a2a1ac1011/charset_normalizer-3.4.4-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5f819d5fe9234f9f82d75bdfa9aef3a3d72c4d24a6e57aeaebba32a704553aa0", size = 147324, upload-time = "2025-10-14T04:40:34.961Z" }, { url = "https://files.pythonhosted.org/packages/07/fb/0cf61dc84b2b088391830f6274cb57c82e4da8bbc2efeac8c025edb88772/charset_normalizer-3.4.4-cp311-cp311-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:a59cb51917aa591b1c4e6a43c132f0cdc3c76dbad6155df4e28ee626cc77a0a3", size = 142742, upload-time = "2025-10-14T04:40:36.105Z" }, @@ -351,18 +396,6 @@ version = "7.13.1" source = { registry = "https://pypi.org/simple" } sdist = { url = "https://files.pythonhosted.org/packages/23/f9/e92df5e07f3fc8d4c7f9a0f146ef75446bf870351cd37b788cf5897f8079/coverage-7.13.1.tar.gz", hash = "sha256:b7593fe7eb5feaa3fbb461ac79aac9f9fc0387a5ca8080b0c6fe2ca27b091afd", size = 825862, upload-time = "2025-12-28T15:42:56.969Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/2d/9a/3742e58fd04b233df95c012ee9f3dfe04708a5e1d32613bd2d47d4e1be0d/coverage-7.13.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:e1fa280b3ad78eea5be86f94f461c04943d942697e0dac889fa18fff8f5f9147", size = 218633, upload-time = "2025-12-28T15:40:10.165Z" }, - { url = "https://files.pythonhosted.org/packages/7e/45/7e6bdc94d89cd7c8017ce735cf50478ddfe765d4fbf0c24d71d30ea33d7a/coverage-7.13.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c3d8c679607220979434f494b139dfb00131ebf70bb406553d69c1ff01a5c33d", size = 219147, upload-time = "2025-12-28T15:40:12.069Z" }, - { url = "https://files.pythonhosted.org/packages/f7/38/0d6a258625fd7f10773fe94097dc16937a5f0e3e0cdf3adef67d3ac6baef/coverage-7.13.1-cp310-cp310-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:339dc63b3eba969067b00f41f15ad161bf2946613156fb131266d8debc8e44d0", size = 245894, upload-time = "2025-12-28T15:40:13.556Z" }, - { url = "https://files.pythonhosted.org/packages/27/58/409d15ea487986994cbd4d06376e9860e9b157cfbfd402b1236770ab8dd2/coverage-7.13.1-cp310-cp310-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:db622b999ffe49cb891f2fff3b340cdc2f9797d01a0a202a0973ba2562501d90", size = 247721, upload-time = "2025-12-28T15:40:15.37Z" }, - { url = "https://files.pythonhosted.org/packages/da/bf/6e8056a83fd7a96c93341f1ffe10df636dd89f26d5e7b9ca511ce3bcf0df/coverage-7.13.1-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d1443ba9acbb593fa7c1c29e011d7c9761545fe35e7652e85ce7f51a16f7e08d", size = 249585, upload-time = "2025-12-28T15:40:17.226Z" }, - { url = "https://files.pythonhosted.org/packages/f4/15/e1daff723f9f5959acb63cbe35b11203a9df77ee4b95b45fffd38b318390/coverage-7.13.1-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c832ec92c4499ac463186af72f9ed4d8daec15499b16f0a879b0d1c8e5cf4a3b", size = 246597, upload-time = "2025-12-28T15:40:19.028Z" }, - { url = "https://files.pythonhosted.org/packages/74/a6/1efd31c5433743a6ddbc9d37ac30c196bb07c7eab3d74fbb99b924c93174/coverage-7.13.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:562ec27dfa3f311e0db1ba243ec6e5f6ab96b1edfcfc6cf86f28038bc4961ce6", size = 247626, upload-time = "2025-12-28T15:40:20.846Z" }, - { url = "https://files.pythonhosted.org/packages/6d/9f/1609267dd3e749f57fdd66ca6752567d1c13b58a20a809dc409b263d0b5f/coverage-7.13.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:4de84e71173d4dada2897e5a0e1b7877e5eefbfe0d6a44edee6ce31d9b8ec09e", size = 245629, upload-time = "2025-12-28T15:40:22.397Z" }, - { url = "https://files.pythonhosted.org/packages/e2/f6/6815a220d5ec2466383d7cc36131b9fa6ecbe95c50ec52a631ba733f306a/coverage-7.13.1-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:a5a68357f686f8c4d527a2dc04f52e669c2fc1cbde38f6f7eb6a0e58cbd17cae", size = 245901, upload-time = "2025-12-28T15:40:23.836Z" }, - { url = "https://files.pythonhosted.org/packages/ac/58/40576554cd12e0872faf6d2c0eb3bc85f71d78427946ddd19ad65201e2c0/coverage-7.13.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:77cc258aeb29a3417062758975521eae60af6f79e930d6993555eeac6a8eac29", size = 246505, upload-time = "2025-12-28T15:40:25.421Z" }, - { url = "https://files.pythonhosted.org/packages/3b/77/9233a90253fba576b0eee81707b5781d0e21d97478e5377b226c5b096c0f/coverage-7.13.1-cp310-cp310-win32.whl", hash = "sha256:bb4f8c3c9a9f34423dba193f241f617b08ffc63e27f67159f60ae6baf2dcfe0f", size = 221257, upload-time = "2025-12-28T15:40:27.217Z" }, - { url = "https://files.pythonhosted.org/packages/e0/43/e842ff30c1a0a623ec80db89befb84a3a7aad7bfe44a6ea77d5a3e61fedd/coverage-7.13.1-cp310-cp310-win_amd64.whl", hash = "sha256:c8e2706ceb622bc63bac98ebb10ef5da80ed70fbd8a7999a5076de3afaef0fb1", size = 222191, upload-time = "2025-12-28T15:40:28.916Z" }, { url = "https://files.pythonhosted.org/packages/b4/9b/77baf488516e9ced25fc215a6f75d803493fc3f6a1a1227ac35697910c2a/coverage-7.13.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:1a55d509a1dc5a5b708b5dad3b5334e07a16ad4c2185e27b40e4dba796ab7f88", size = 218755, upload-time = "2025-12-28T15:40:30.812Z" }, { url = "https://files.pythonhosted.org/packages/d7/cd/7ab01154e6eb79ee2fab76bf4d89e94c6648116557307ee4ebbb85e5c1bf/coverage-7.13.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4d010d080c4888371033baab27e47c9df7d6fb28d0b7b7adf85a4a49be9298b3", size = 219257, upload-time = "2025-12-28T15:40:32.333Z" }, { url = "https://files.pythonhosted.org/packages/01/d5/b11ef7863ffbbdb509da0023fad1e9eda1c0eaea61a6d2ea5b17d4ac706e/coverage-7.13.1-cp311-cp311-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:d938b4a840fb1523b9dfbbb454f652967f18e197569c32266d4d13f37244c3d9", size = 249657, upload-time = "2025-12-28T15:40:34.1Z" }, @@ -451,51 +484,50 @@ toml = [ [[package]] name = "cryptography" -version = "46.0.5" +version = "46.0.7" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cffi", marker = "platform_python_implementation != 'PyPy'" }, - { name = "typing-extensions", marker = "python_full_version < '3.11'" }, -] -sdist = { url = "https://files.pythonhosted.org/packages/60/04/ee2a9e8542e4fa2773b81771ff8349ff19cdd56b7258a0cc442639052edb/cryptography-46.0.5.tar.gz", hash = "sha256:abace499247268e3757271b2f1e244b36b06f8515cf27c4d49468fc9eb16e93d", size = 750064, upload-time = "2026-02-10T19:18:38.255Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/ff/9e/6b4397a3e3d15123de3b1806ef342522393d50736c13b20ec4c9ea6693a6/cryptography-46.0.5-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:c18ff11e86df2e28854939acde2d003f7984f721eba450b56a200ad90eeb0e6b", size = 4275637, upload-time = "2026-02-10T19:17:10.53Z" }, - { url = "https://files.pythonhosted.org/packages/63/e7/471ab61099a3920b0c77852ea3f0ea611c9702f651600397ac567848b897/cryptography-46.0.5-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:4d7e3d356b8cd4ea5aff04f129d5f66ebdc7b6f8eae802b93739ed520c47c79b", size = 4424742, upload-time = "2026-02-10T19:17:12.388Z" }, - { url = "https://files.pythonhosted.org/packages/37/53/a18500f270342d66bf7e4d9f091114e31e5ee9e7375a5aba2e85a91e0044/cryptography-46.0.5-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:50bfb6925eff619c9c023b967d5b77a54e04256c4281b0e21336a130cd7fc263", size = 4277528, upload-time = "2026-02-10T19:17:13.853Z" }, - { url = "https://files.pythonhosted.org/packages/22/29/c2e812ebc38c57b40e7c583895e73c8c5adb4d1e4a0cc4c5a4fdab2b1acc/cryptography-46.0.5-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:803812e111e75d1aa73690d2facc295eaefd4439be1023fefc4995eaea2af90d", size = 4947993, upload-time = "2026-02-10T19:17:15.618Z" }, - { url = "https://files.pythonhosted.org/packages/6b/e7/237155ae19a9023de7e30ec64e5d99a9431a567407ac21170a046d22a5a3/cryptography-46.0.5-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ee190460e2fbe447175cda91b88b84ae8322a104fc27766ad09428754a618ed", size = 4456855, upload-time = "2026-02-10T19:17:17.221Z" }, - { url = "https://files.pythonhosted.org/packages/2d/87/fc628a7ad85b81206738abbd213b07702bcbdada1dd43f72236ef3cffbb5/cryptography-46.0.5-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:f145bba11b878005c496e93e257c1e88f154d278d2638e6450d17e0f31e558d2", size = 3984635, upload-time = "2026-02-10T19:17:18.792Z" }, - { url = "https://files.pythonhosted.org/packages/84/29/65b55622bde135aedf4565dc509d99b560ee4095e56989e815f8fd2aa910/cryptography-46.0.5-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:e9251e3be159d1020c4030bd2e5f84d6a43fe54b6c19c12f51cde9542a2817b2", size = 4277038, upload-time = "2026-02-10T19:17:20.256Z" }, - { url = "https://files.pythonhosted.org/packages/bc/36/45e76c68d7311432741faf1fbf7fac8a196a0a735ca21f504c75d37e2558/cryptography-46.0.5-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:47fb8a66058b80e509c47118ef8a75d14c455e81ac369050f20ba0d23e77fee0", size = 4912181, upload-time = "2026-02-10T19:17:21.825Z" }, - { url = "https://files.pythonhosted.org/packages/6d/1a/c1ba8fead184d6e3d5afcf03d569acac5ad063f3ac9fb7258af158f7e378/cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:4c3341037c136030cb46e4b1e17b7418ea4cbd9dd207e4a6f3b2b24e0d4ac731", size = 4456482, upload-time = "2026-02-10T19:17:25.133Z" }, - { url = "https://files.pythonhosted.org/packages/f9/e5/3fb22e37f66827ced3b902cf895e6a6bc1d095b5b26be26bd13c441fdf19/cryptography-46.0.5-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:890bcb4abd5a2d3f852196437129eb3667d62630333aacc13dfd470fad3aaa82", size = 4405497, upload-time = "2026-02-10T19:17:26.66Z" }, - { url = "https://files.pythonhosted.org/packages/1a/df/9d58bb32b1121a8a2f27383fabae4d63080c7ca60b9b5c88be742be04ee7/cryptography-46.0.5-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:80a8d7bfdf38f87ca30a5391c0c9ce4ed2926918e017c29ddf643d0ed2778ea1", size = 4667819, upload-time = "2026-02-10T19:17:28.569Z" }, - { url = "https://files.pythonhosted.org/packages/67/c8/581a6702e14f0898a0848105cbefd20c058099e2c2d22ef4e476dfec75d7/cryptography-46.0.5-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5be7bf2fb40769e05739dd0046e7b26f9d4670badc7b032d6ce4db64dddc0678", size = 4265728, upload-time = "2026-02-10T19:17:35.569Z" }, - { url = "https://files.pythonhosted.org/packages/dd/4a/ba1a65ce8fc65435e5a849558379896c957870dd64fecea97b1ad5f46a37/cryptography-46.0.5-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fe346b143ff9685e40192a4960938545c699054ba11d4f9029f94751e3f71d87", size = 4408287, upload-time = "2026-02-10T19:17:36.938Z" }, - { url = "https://files.pythonhosted.org/packages/f8/67/8ffdbf7b65ed1ac224d1c2df3943553766914a8ca718747ee3871da6107e/cryptography-46.0.5-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:c69fd885df7d089548a42d5ec05be26050ebcd2283d89b3d30676eb32ff87dee", size = 4270291, upload-time = "2026-02-10T19:17:38.748Z" }, - { url = "https://files.pythonhosted.org/packages/f8/e5/f52377ee93bc2f2bba55a41a886fd208c15276ffbd2569f2ddc89d50e2c5/cryptography-46.0.5-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:8293f3dea7fc929ef7240796ba231413afa7b68ce38fd21da2995549f5961981", size = 4927539, upload-time = "2026-02-10T19:17:40.241Z" }, - { url = "https://files.pythonhosted.org/packages/3b/02/cfe39181b02419bbbbcf3abdd16c1c5c8541f03ca8bda240debc467d5a12/cryptography-46.0.5-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:1abfdb89b41c3be0365328a410baa9df3ff8a9110fb75e7b52e66803ddabc9a9", size = 4442199, upload-time = "2026-02-10T19:17:41.789Z" }, - { url = "https://files.pythonhosted.org/packages/c0/96/2fcaeb4873e536cf71421a388a6c11b5bc846e986b2b069c79363dc1648e/cryptography-46.0.5-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:d66e421495fdb797610a08f43b05269e0a5ea7f5e652a89bfd5a7d3c1dee3648", size = 3960131, upload-time = "2026-02-10T19:17:43.379Z" }, - { url = "https://files.pythonhosted.org/packages/d8/d2/b27631f401ddd644e94c5cf33c9a4069f72011821cf3dc7309546b0642a0/cryptography-46.0.5-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:4e817a8920bfbcff8940ecfd60f23d01836408242b30f1a708d93198393a80b4", size = 4270072, upload-time = "2026-02-10T19:17:45.481Z" }, - { url = "https://files.pythonhosted.org/packages/f4/a7/60d32b0370dae0b4ebe55ffa10e8599a2a59935b5ece1b9f06edb73abdeb/cryptography-46.0.5-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:68f68d13f2e1cb95163fa3b4db4bf9a159a418f5f6e7242564fc75fcae667fd0", size = 4892170, upload-time = "2026-02-10T19:17:46.997Z" }, - { url = "https://files.pythonhosted.org/packages/d2/b9/cf73ddf8ef1164330eb0b199a589103c363afa0cf794218c24d524a58eab/cryptography-46.0.5-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:a3d1fae9863299076f05cb8a778c467578262fae09f9dc0ee9b12eb4268ce663", size = 4441741, upload-time = "2026-02-10T19:17:48.661Z" }, - { url = "https://files.pythonhosted.org/packages/5f/eb/eee00b28c84c726fe8fa0158c65afe312d9c3b78d9d01daf700f1f6e37ff/cryptography-46.0.5-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:c4143987a42a2397f2fc3b4d7e3a7d313fbe684f67ff443999e803dd75a76826", size = 4396728, upload-time = "2026-02-10T19:17:50.058Z" }, - { url = "https://files.pythonhosted.org/packages/65/f4/6bc1a9ed5aef7145045114b75b77c2a8261b4d38717bd8dea111a63c3442/cryptography-46.0.5-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:7d731d4b107030987fd61a7f8ab512b25b53cef8f233a97379ede116f30eb67d", size = 4652001, upload-time = "2026-02-10T19:17:51.54Z" }, - { url = "https://files.pythonhosted.org/packages/0f/04/c85bdeab78c8bc77b701bf0d9bdcf514c044e18a46dcff330df5448631b0/cryptography-46.0.5-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7d1f30a86d2757199cb2d56e48cce14deddf1f9c95f1ef1b64ee91ea43fe2e18", size = 4275349, upload-time = "2026-02-10T19:17:58.419Z" }, - { url = "https://files.pythonhosted.org/packages/5c/32/9b87132a2f91ee7f5223b091dc963055503e9b442c98fc0b8a5ca765fab0/cryptography-46.0.5-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:039917b0dc418bb9f6edce8a906572d69e74bd330b0b3fea4f79dab7f8ddd235", size = 4420667, upload-time = "2026-02-10T19:18:00.619Z" }, - { url = "https://files.pythonhosted.org/packages/a1/a6/a7cb7010bec4b7c5692ca6f024150371b295ee1c108bdc1c400e4c44562b/cryptography-46.0.5-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ba2a27ff02f48193fc4daeadf8ad2590516fa3d0adeeb34336b96f7fa64c1e3a", size = 4276980, upload-time = "2026-02-10T19:18:02.379Z" }, - { url = "https://files.pythonhosted.org/packages/8e/7c/c4f45e0eeff9b91e3f12dbd0e165fcf2a38847288fcfd889deea99fb7b6d/cryptography-46.0.5-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:61aa400dce22cb001a98014f647dc21cda08f7915ceb95df0c9eaf84b4b6af76", size = 4939143, upload-time = "2026-02-10T19:18:03.964Z" }, - { url = "https://files.pythonhosted.org/packages/37/19/e1b8f964a834eddb44fa1b9a9976f4e414cbb7aa62809b6760c8803d22d1/cryptography-46.0.5-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ce58ba46e1bc2aac4f7d9290223cead56743fa6ab94a5d53292ffaac6a91614", size = 4453674, upload-time = "2026-02-10T19:18:05.588Z" }, - { url = "https://files.pythonhosted.org/packages/db/ed/db15d3956f65264ca204625597c410d420e26530c4e2943e05a0d2f24d51/cryptography-46.0.5-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:420d0e909050490d04359e7fdb5ed7e667ca5c3c402b809ae2563d7e66a92229", size = 3978801, upload-time = "2026-02-10T19:18:07.167Z" }, - { url = "https://files.pythonhosted.org/packages/41/e2/df40a31d82df0a70a0daf69791f91dbb70e47644c58581d654879b382d11/cryptography-46.0.5-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:582f5fcd2afa31622f317f80426a027f30dc792e9c80ffee87b993200ea115f1", size = 4276755, upload-time = "2026-02-10T19:18:09.813Z" }, - { url = "https://files.pythonhosted.org/packages/33/45/726809d1176959f4a896b86907b98ff4391a8aa29c0aaaf9450a8a10630e/cryptography-46.0.5-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:bfd56bb4b37ed4f330b82402f6f435845a5f5648edf1ad497da51a8452d5d62d", size = 4901539, upload-time = "2026-02-10T19:18:11.263Z" }, - { url = "https://files.pythonhosted.org/packages/99/0f/a3076874e9c88ecb2ecc31382f6e7c21b428ede6f55aafa1aa272613e3cd/cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:a3d507bb6a513ca96ba84443226af944b0f7f47dcc9a399d110cd6146481d24c", size = 4452794, upload-time = "2026-02-10T19:18:12.914Z" }, - { url = "https://files.pythonhosted.org/packages/02/ef/ffeb542d3683d24194a38f66ca17c0a4b8bf10631feef44a7ef64e631b1a/cryptography-46.0.5-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9f16fbdf4da055efb21c22d81b89f155f02ba420558db21288b3d0035bafd5f4", size = 4404160, upload-time = "2026-02-10T19:18:14.375Z" }, - { url = "https://files.pythonhosted.org/packages/96/93/682d2b43c1d5f1406ed048f377c0fc9fc8f7b0447a478d5c65ab3d3a66eb/cryptography-46.0.5-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:ced80795227d70549a411a4ab66e8ce307899fad2220ce5ab2f296e687eacde9", size = 4667123, upload-time = "2026-02-10T19:18:15.886Z" }, - { url = "https://files.pythonhosted.org/packages/e9/6f/6cc6cc9955caa6eaf83660b0da2b077c7fe8ff9950a3c5e45d605038d439/cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:bc84e875994c3b445871ea7181d424588171efec3e185dced958dad9e001950a", size = 4218321, upload-time = "2026-02-10T19:18:22.349Z" }, - { url = "https://files.pythonhosted.org/packages/3e/5d/c4da701939eeee699566a6c1367427ab91a8b7088cc2328c09dbee940415/cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:2ae6971afd6246710480e3f15824ed3029a60fc16991db250034efd0b9fb4356", size = 4381786, upload-time = "2026-02-10T19:18:24.529Z" }, - { url = "https://files.pythonhosted.org/packages/ac/97/a538654732974a94ff96c1db621fa464f455c02d4bb7d2652f4edc21d600/cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:d861ee9e76ace6cf36a6a89b959ec08e7bc2493ee39d07ffe5acb23ef46d27da", size = 4217990, upload-time = "2026-02-10T19:18:25.957Z" }, - { url = "https://files.pythonhosted.org/packages/ae/11/7e500d2dd3ba891197b9efd2da5454b74336d64a7cc419aa7327ab74e5f6/cryptography-46.0.5-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:2b7a67c9cd56372f3249b39699f2ad479f6991e62ea15800973b956f4b73e257", size = 4381252, upload-time = "2026-02-10T19:18:27.496Z" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/47/93/ac8f3d5ff04d54bc814e961a43ae5b0b146154c89c61b47bb07557679b18/cryptography-46.0.7.tar.gz", hash = "sha256:e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5", size = 750652, upload-time = "2026-04-08T01:57:54.692Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/5f/45/6d80dc379b0bbc1f9d1e429f42e4cb9e1d319c7a8201beffd967c516ea01/cryptography-46.0.7-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b36a4695e29fe69215d75960b22577197aca3f7a25b9cf9d165dcfe9d80bc325", size = 4275492, upload-time = "2026-04-08T01:56:19.36Z" }, + { url = "https://files.pythonhosted.org/packages/4a/9a/1765afe9f572e239c3469f2cb429f3ba7b31878c893b246b4b2994ffe2fe/cryptography-46.0.7-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308", size = 4426670, upload-time = "2026-04-08T01:56:21.415Z" }, + { url = "https://files.pythonhosted.org/packages/8f/3e/af9246aaf23cd4ee060699adab1e47ced3f5f7e7a8ffdd339f817b446462/cryptography-46.0.7-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:73510b83623e080a2c35c62c15298096e2a5dc8d51c3b4e1740211839d0dea77", size = 4280275, upload-time = "2026-04-08T01:56:23.539Z" }, + { url = "https://files.pythonhosted.org/packages/0f/54/6bbbfc5efe86f9d71041827b793c24811a017c6ac0fd12883e4caa86b8ed/cryptography-46.0.7-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cbd5fb06b62bd0721e1170273d3f4d5a277044c47ca27ee257025146c34cbdd1", size = 4928402, upload-time = "2026-04-08T01:56:25.624Z" }, + { url = "https://files.pythonhosted.org/packages/2d/cf/054b9d8220f81509939599c8bdbc0c408dbd2bdd41688616a20731371fe0/cryptography-46.0.7-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:420b1e4109cc95f0e5700eed79908cef9268265c773d3a66f7af1eef53d409ef", size = 4459985, upload-time = "2026-04-08T01:56:27.309Z" }, + { url = "https://files.pythonhosted.org/packages/f9/46/4e4e9c6040fb01c7467d47217d2f882daddeb8828f7df800cb806d8a2288/cryptography-46.0.7-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:24402210aa54baae71d99441d15bb5a1919c195398a87b563df84468160a65de", size = 3990652, upload-time = "2026-04-08T01:56:29.095Z" }, + { url = "https://files.pythonhosted.org/packages/36/5f/313586c3be5a2fbe87e4c9a254207b860155a8e1f3cca99f9910008e7d08/cryptography-46.0.7-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:8a469028a86f12eb7d2fe97162d0634026d92a21f3ae0ac87ed1c4a447886c83", size = 4279805, upload-time = "2026-04-08T01:56:30.928Z" }, + { url = "https://files.pythonhosted.org/packages/69/33/60dfc4595f334a2082749673386a4d05e4f0cf4df8248e63b2c3437585f2/cryptography-46.0.7-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9694078c5d44c157ef3162e3bf3946510b857df5a3955458381d1c7cfc143ddb", size = 4892883, upload-time = "2026-04-08T01:56:32.614Z" }, + { url = "https://files.pythonhosted.org/packages/c7/0b/333ddab4270c4f5b972f980adef4faa66951a4aaf646ca067af597f15563/cryptography-46.0.7-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:42a1e5f98abb6391717978baf9f90dc28a743b7d9be7f0751a6f56a75d14065b", size = 4459756, upload-time = "2026-04-08T01:56:34.306Z" }, + { url = "https://files.pythonhosted.org/packages/d2/14/633913398b43b75f1234834170947957c6b623d1701ffc7a9600da907e89/cryptography-46.0.7-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:91bbcb08347344f810cbe49065914fe048949648f6bd5c2519f34619142bbe85", size = 4410244, upload-time = "2026-04-08T01:56:35.977Z" }, + { url = "https://files.pythonhosted.org/packages/10/f2/19ceb3b3dc14009373432af0c13f46aa08e3ce334ec6eff13492e1812ccd/cryptography-46.0.7-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5d1c02a14ceb9148cc7816249f64f623fbfee39e8c03b3650d842ad3f34d637e", size = 4674868, upload-time = "2026-04-08T01:56:38.034Z" }, + { url = "https://files.pythonhosted.org/packages/74/66/e3ce040721b0b5599e175ba91ab08884c75928fbeb74597dd10ef13505d2/cryptography-46.0.7-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:db0f493b9181c7820c8134437eb8b0b4792085d37dbb24da050476ccb664e59c", size = 4268551, upload-time = "2026-04-08T01:56:46.071Z" }, + { url = "https://files.pythonhosted.org/packages/03/11/5e395f961d6868269835dee1bafec6a1ac176505a167f68b7d8818431068/cryptography-46.0.7-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ebd6daf519b9f189f85c479427bbd6e9c9037862cf8fe89ee35503bd209ed902", size = 4408887, upload-time = "2026-04-08T01:56:47.718Z" }, + { url = "https://files.pythonhosted.org/packages/40/53/8ed1cf4c3b9c8e611e7122fb56f1c32d09e1fff0f1d77e78d9ff7c82653e/cryptography-46.0.7-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:b7b412817be92117ec5ed95f880defe9cf18a832e8cafacf0a22337dc1981b4d", size = 4271354, upload-time = "2026-04-08T01:56:49.312Z" }, + { url = "https://files.pythonhosted.org/packages/50/46/cf71e26025c2e767c5609162c866a78e8a2915bbcfa408b7ca495c6140c4/cryptography-46.0.7-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:fbfd0e5f273877695cb93baf14b185f4878128b250cc9f8e617ea0c025dfb022", size = 4905845, upload-time = "2026-04-08T01:56:50.916Z" }, + { url = "https://files.pythonhosted.org/packages/c0/ea/01276740375bac6249d0a971ebdf6b4dc9ead0ee0a34ef3b5a88c1a9b0d4/cryptography-46.0.7-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:ffca7aa1d00cf7d6469b988c581598f2259e46215e0140af408966a24cf086ce", size = 4444641, upload-time = "2026-04-08T01:56:52.882Z" }, + { url = "https://files.pythonhosted.org/packages/3d/4c/7d258f169ae71230f25d9f3d06caabcff8c3baf0978e2b7d65e0acac3827/cryptography-46.0.7-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:60627cf07e0d9274338521205899337c5d18249db56865f943cbe753aa96f40f", size = 3967749, upload-time = "2026-04-08T01:56:54.597Z" }, + { url = "https://files.pythonhosted.org/packages/b5/2a/2ea0767cad19e71b3530e4cad9605d0b5e338b6a1e72c37c9c1ceb86c333/cryptography-46.0.7-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:80406c3065e2c55d7f49a9550fe0c49b3f12e5bfff5dedb727e319e1afb9bf99", size = 4270942, upload-time = "2026-04-08T01:56:56.416Z" }, + { url = "https://files.pythonhosted.org/packages/41/3d/fe14df95a83319af25717677e956567a105bb6ab25641acaa093db79975d/cryptography-46.0.7-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:c5b1ccd1239f48b7151a65bc6dd54bcfcc15e028c8ac126d3fada09db0e07ef1", size = 4871079, upload-time = "2026-04-08T01:56:58.31Z" }, + { url = "https://files.pythonhosted.org/packages/9c/59/4a479e0f36f8f378d397f4eab4c850b4ffb79a2f0d58704b8fa0703ddc11/cryptography-46.0.7-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:d5f7520159cd9c2154eb61eb67548ca05c5774d39e9c2c4339fd793fe7d097b2", size = 4443999, upload-time = "2026-04-08T01:57:00.508Z" }, + { url = "https://files.pythonhosted.org/packages/28/17/b59a741645822ec6d04732b43c5d35e4ef58be7bfa84a81e5ae6f05a1d33/cryptography-46.0.7-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:fcd8eac50d9138c1d7fc53a653ba60a2bee81a505f9f8850b6b2888555a45d0e", size = 4399191, upload-time = "2026-04-08T01:57:02.654Z" }, + { url = "https://files.pythonhosted.org/packages/59/6a/bb2e166d6d0e0955f1e9ff70f10ec4b2824c9cfcdb4da772c7dd69cc7d80/cryptography-46.0.7-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:65814c60f8cc400c63131584e3e1fad01235edba2614b61fbfbfa954082db0ee", size = 4655782, upload-time = "2026-04-08T01:57:04.592Z" }, + { url = "https://files.pythonhosted.org/packages/a5/d0/36a49f0262d2319139d2829f773f1b97ef8aef7f97e6e5bd21455e5a8fb5/cryptography-46.0.7-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:84d4cced91f0f159a7ddacad249cc077e63195c36aac40b4150e7a57e84fffe7", size = 4270628, upload-time = "2026-04-08T01:57:12.885Z" }, + { url = "https://files.pythonhosted.org/packages/8a/6c/1a42450f464dda6ffbe578a911f773e54dd48c10f9895a23a7e88b3e7db5/cryptography-46.0.7-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:128c5edfe5e5938b86b03941e94fac9ee793a94452ad1365c9fc3f4f62216832", size = 4415405, upload-time = "2026-04-08T01:57:14.923Z" }, + { url = "https://files.pythonhosted.org/packages/9a/92/4ed714dbe93a066dc1f4b4581a464d2d7dbec9046f7c8b7016f5286329e2/cryptography-46.0.7-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5e51be372b26ef4ba3de3c167cd3d1022934bc838ae9eaad7e644986d2a3d163", size = 4272715, upload-time = "2026-04-08T01:57:16.638Z" }, + { url = "https://files.pythonhosted.org/packages/b7/e6/a26b84096eddd51494bba19111f8fffe976f6a09f132706f8f1bf03f51f7/cryptography-46.0.7-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cdf1a610ef82abb396451862739e3fc93b071c844399e15b90726ef7470eeaf2", size = 4918400, upload-time = "2026-04-08T01:57:19.021Z" }, + { url = "https://files.pythonhosted.org/packages/c7/08/ffd537b605568a148543ac3c2b239708ae0bd635064bab41359252ef88ed/cryptography-46.0.7-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1d25aee46d0c6f1a501adcddb2d2fee4b979381346a78558ed13e50aa8a59067", size = 4450634, upload-time = "2026-04-08T01:57:21.185Z" }, + { url = "https://files.pythonhosted.org/packages/16/01/0cd51dd86ab5b9befe0d031e276510491976c3a80e9f6e31810cce46c4ad/cryptography-46.0.7-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:cdfbe22376065ffcf8be74dc9a909f032df19bc58a699456a21712d6e5eabfd0", size = 3985233, upload-time = "2026-04-08T01:57:22.862Z" }, + { url = "https://files.pythonhosted.org/packages/92/49/819d6ed3a7d9349c2939f81b500a738cb733ab62fbecdbc1e38e83d45e12/cryptography-46.0.7-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:abad9dac36cbf55de6eb49badd4016806b3165d396f64925bf2999bcb67837ba", size = 4271955, upload-time = "2026-04-08T01:57:24.814Z" }, + { url = "https://files.pythonhosted.org/packages/80/07/ad9b3c56ebb95ed2473d46df0847357e01583f4c52a85754d1a55e29e4d0/cryptography-46.0.7-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:935ce7e3cfdb53e3536119a542b839bb94ec1ad081013e9ab9b7cfd478b05006", size = 4879888, upload-time = "2026-04-08T01:57:26.88Z" }, + { url = "https://files.pythonhosted.org/packages/b8/c7/201d3d58f30c4c2bdbe9b03844c291feb77c20511cc3586daf7edc12a47b/cryptography-46.0.7-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:35719dc79d4730d30f1c2b6474bd6acda36ae2dfae1e3c16f2051f215df33ce0", size = 4449961, upload-time = "2026-04-08T01:57:29.068Z" }, + { url = "https://files.pythonhosted.org/packages/a5/ef/649750cbf96f3033c3c976e112265c33906f8e462291a33d77f90356548c/cryptography-46.0.7-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7bbc6ccf49d05ac8f7d7b5e2e2c33830d4fe2061def88210a126d130d7f71a85", size = 4401696, upload-time = "2026-04-08T01:57:31.029Z" }, + { url = "https://files.pythonhosted.org/packages/41/52/a8908dcb1a389a459a29008c29966c1d552588d4ae6d43f3a1a4512e0ebe/cryptography-46.0.7-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a1529d614f44b863a7b480c6d000fe93b59acee9c82ffa027cfadc77521a9f5e", size = 4664256, upload-time = "2026-04-08T01:57:33.144Z" }, + { url = "https://files.pythonhosted.org/packages/3a/ea/075aac6a84b7c271578d81a2f9968acb6e273002408729f2ddff517fed4a/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d3b99c535a9de0adced13d159c5a9cf65c325601aa30f4be08afd680643e9c15", size = 4219700, upload-time = "2026-04-08T01:57:40.625Z" }, + { url = "https://files.pythonhosted.org/packages/6c/7b/1c55db7242b5e5612b29fc7a630e91ee7a6e3c8e7bf5406d22e206875fbd/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:d02c738dacda7dc2a74d1b2b3177042009d5cab7c7079db74afc19e56ca1b455", size = 4385982, upload-time = "2026-04-08T01:57:42.725Z" }, + { url = "https://files.pythonhosted.org/packages/cb/da/9870eec4b69c63ef5925bf7d8342b7e13bc2ee3d47791461c4e49ca212f4/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:04959522f938493042d595a736e7dbdff6eb6cc2339c11465b3ff89343b65f65", size = 4219115, upload-time = "2026-04-08T01:57:44.939Z" }, + { url = "https://files.pythonhosted.org/packages/f4/72/05aa5832b82dd341969e9a734d1812a6aadb088d9eb6f0430fc337cc5a8f/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:3986ac1dee6def53797289999eabe84798ad7817f3e97779b5061a95b0ee4968", size = 4385479, upload-time = "2026-04-08T01:57:46.86Z" }, ] [[package]] @@ -522,25 +554,13 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/02/10/5da547df7a391dcde17f59520a231527b8571e6f46fc8efb02ccb370ab12/docutils-0.22.4-py3-none-any.whl", hash = "sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de", size = 633196, upload-time = "2025-12-18T19:00:18.077Z" }, ] -[[package]] -name = "exceptiongroup" -version = "1.3.1" -source = { registry = "https://pypi.org/simple" } -dependencies = [ - { name = "typing-extensions", marker = "python_full_version < '3.13'" }, -] -sdist = { url = "https://files.pythonhosted.org/packages/50/79/66800aadf48771f6b62f7eb014e352e5d06856655206165d775e675a02c9/exceptiongroup-1.3.1.tar.gz", hash = "sha256:8b412432c6055b0b7d14c310000ae93352ed6754f70fa8f7c34141f91c4e3219", size = 30371, upload-time = "2025-11-21T23:01:54.787Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/8a/0e/97c33bf5009bdbac74fd2beace167cab3f978feb69cc36f1ef79360d6c4e/exceptiongroup-1.3.1-py3-none-any.whl", hash = "sha256:a7a39a3bd276781e98394987d3a5701d0c4edffb633bb7a5144577f82c773598", size = 16740, upload-time = "2025-11-21T23:01:53.443Z" }, -] - [[package]] name = "filelock" -version = "3.20.3" +version = "3.29.1" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/1d/65/ce7f1b70157833bf3cb851b556a37d4547ceafc158aa9b34b36782f23696/filelock-3.20.3.tar.gz", hash = "sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1", size = 19485, upload-time = "2026-01-09T17:55:05.421Z" } +sdist = { url = "https://files.pythonhosted.org/packages/1f/f9/f38573ed5844586db374d085911740a501ccfa373b455fc9413f09f85237/filelock-3.29.1.tar.gz", hash = "sha256:d97e6b1b9757569626c58caa07dc4beb1613f4a2938b1e8cc81afca398906c9e", size = 59335, upload-time = "2026-06-03T15:19:04.053Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/b5/36/7fb70f04bf00bc646cd5bb45aa9eddb15e19437a28b8fb2b4a5249fac770/filelock-3.20.3-py3-none-any.whl", hash = "sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1", size = 16701, upload-time = "2026-01-09T17:55:04.334Z" }, + { url = "https://files.pythonhosted.org/packages/4c/a0/614c5fe402fd88951df45f4dda2fa3b4e17a99ecd92340771929169b3b95/filelock-3.29.1-py3-none-any.whl", hash = "sha256:85199dfd706869641b72b2e8955d5416a4b2b7dc4b0e8e6d97b4cc1299a6983b", size = 40750, upload-time = "2026-06-03T15:19:02.959Z" }, ] [[package]] @@ -557,14 +577,14 @@ wheels = [ [[package]] name = "gitpython" -version = "3.1.46" +version = "3.1.50" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "gitdb" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/df/b5/59d16470a1f0dfe8c793f9ef56fd3826093fc52b3bd96d6b9d6c26c7e27b/gitpython-3.1.46.tar.gz", hash = "sha256:400124c7d0ef4ea03f7310ac2fbf7151e09ff97f2a3288d64a440c584a29c37f", size = 215371, upload-time = "2026-01-01T15:37:32.073Z" } +sdist = { url = "https://files.pythonhosted.org/packages/33/f6/354ae6491228b5eb40e10d89c4d13c651fe1cf7556e35ebdded50cff57ce/gitpython-3.1.50.tar.gz", hash = "sha256:80da2d12504d52e1f998772dc5baf6e553f8d2fcfe1fcc226c9d9a2ee3372dcc", size = 219798, upload-time = "2026-05-06T04:01:26.571Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/6a/09/e21df6aef1e1ffc0c816f0522ddc3f6dcded766c3261813131c78a704470/gitpython-3.1.46-py3-none-any.whl", hash = "sha256:79812ed143d9d25b6d176a10bb511de0f9c67b1fa641d82097b0ab90398a2058", size = 208620, upload-time = "2026-01-01T15:37:30.574Z" }, + { url = "https://files.pythonhosted.org/packages/20/7a/1c6e3562dfd8950adbb11ffbc65d21e7c89d01a6e4f137fa981056de25c5/gitpython-3.1.50-py3-none-any.whl", hash = "sha256:d352abe2908d07355014abdd21ddf798c2a961469239afec4962e9da884858f9", size = 212507, upload-time = "2026-05-06T04:01:23.799Z" }, ] [[package]] @@ -578,7 +598,7 @@ wheels = [ [[package]] name = "hatch" -version = "1.16.2" +version = "1.16.5" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "backports-zstd", marker = "python_full_version < '3.14'" }, @@ -591,6 +611,7 @@ dependencies = [ { name = "pexpect" }, { name = "platformdirs" }, { name = "pyproject-hooks" }, + { name = "python-discovery" }, { name = "rich" }, { name = "shellingham" }, { name = "tomli-w" }, @@ -599,9 +620,9 @@ dependencies = [ { name = "uv" }, { name = "virtualenv" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/b9/c1/8598996a6f264d430c530799dc65fb13942fb29092e35505039a5f2fb5dc/hatch-1.16.2.tar.gz", hash = "sha256:f288938da85b4b90e47d94788e19e9976dcd6fd53b48343ea251a2a37256a980", size = 5216569, upload-time = "2025-12-06T19:18:12.596Z" } +sdist = { url = "https://files.pythonhosted.org/packages/d2/02/ce9c4c439fa3f195b21b4b5bb18b44d1076297c86477ef7e3d2de6064ec3/hatch-1.16.5.tar.gz", hash = "sha256:57bdeeaa72577859ce37091a5449583875331c06f9cb6af9077947ad40b3a1de", size = 5220741, upload-time = "2026-02-27T18:45:31.21Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/d4/7c/bbed5611b1cd7b0b42b2dadb0721d9ccfa4fa9d03abc05e0f57c85a319c6/hatch-1.16.2-py3-none-any.whl", hash = "sha256:827eaf9813c63119f172b85975c5c27110a2306b07e5304c9d38527b0239052a", size = 140658, upload-time = "2025-12-06T19:18:10.573Z" }, + { url = "https://files.pythonhosted.org/packages/e4/8a/11ae7e271870f0ad8fa0012e4265982bebe0fdc21766b161fb8b8fc3aefc/hatch-1.16.5-py3-none-any.whl", hash = "sha256:d9b8047f2cd10d3349eb6e8f278ad728a04f91495aace305c257d5c2747188fb", size = 141269, upload-time = "2026-02-27T18:45:29.573Z" }, ] [[package]] @@ -612,7 +633,6 @@ dependencies = [ { name = "packaging" }, { name = "pathspec" }, { name = "pluggy" }, - { name = "tomli", marker = "python_full_version < '3.11'" }, { name = "trove-classifiers" }, ] sdist = { url = "https://files.pythonhosted.org/packages/0b/8e/e480359492affde4119a131da729dd26da742c2c9b604dff74836e47eef9/hatchling-1.28.0.tar.gz", hash = "sha256:4d50b02aece6892b8cd0b3ce6c82cb218594d3ec5836dbde75bf41a21ab004c8", size = 55365, upload-time = "2025-11-27T00:31:13.766Z" } @@ -683,11 +703,11 @@ wheels = [ [[package]] name = "idna" -version = "3.11" +version = "3.15" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/6f/6d/0703ccc57f3a7233505399edb88de3cbd678da106337b9fcde432b65ed60/idna-3.11.tar.gz", hash = "sha256:795dafcc9c04ed0c1fb032c2aa73654d8e8c5023a7df64a53f39190ada629902", size = 194582, upload-time = "2025-10-12T14:55:20.501Z" } +sdist = { url = "https://files.pythonhosted.org/packages/82/77/7b3966d0b9d1d31a36ddf1746926a11dface89a83409bf1483f0237aa758/idna-3.15.tar.gz", hash = "sha256:ca962446ea538f7092a95e057da437618e886f4d349216d2b1e294abfdb65fdc", size = 199245, upload-time = "2026-05-12T22:45:57.011Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/0e/61/66938bbb5fc52dbdf84594873d5b51fb1f7c7794e9c0f5bd885f30bc507b/idna-3.11-py3-none-any.whl", hash = "sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea", size = 71008, upload-time = "2025-10-12T14:55:18.883Z" }, + { url = "https://files.pythonhosted.org/packages/d2/23/408243171aa9aaba178d3e2559159c24c1171a641aa83b67bdd3394ead8e/idna-3.15-py3-none-any.whl", hash = "sha256:048adeaf8c2d788c40fee287673ccaa74c24ffd8dcf09ffa555a2fbb59f10ac8", size = 72340, upload-time = "2026-05-12T22:45:55.733Z" }, ] [[package]] @@ -695,7 +715,7 @@ name = "importlib-metadata" version = "8.7.1" source = { registry = "https://pypi.org/simple" } dependencies = [ - { name = "zipp" }, + { name = "zipp", marker = "python_full_version < '3.13'" }, ] sdist = { url = "https://files.pythonhosted.org/packages/f3/49/3b30cad09e7771a4982d9975a8cbf64f00d4a1ececb53297f1d9a7be1b10/importlib_metadata-8.7.1.tar.gz", hash = "sha256:49fef1ae6440c182052f407c8d34a68f72efc36db9ca90dc0113398f2fdde8bb", size = 57107, upload-time = "2025-12-21T10:00:19.278Z" } wheels = [ @@ -776,11 +796,11 @@ wheels = [ [[package]] name = "markdown" -version = "3.10" +version = "3.10.2" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/7d/ab/7dd27d9d863b3376fcf23a5a13cb5d024aed1db46f963f1b5735ae43b3be/markdown-3.10.tar.gz", hash = "sha256:37062d4f2aa4b2b6b32aefb80faa300f82cc790cb949a35b8caede34f2b68c0e", size = 364931, upload-time = "2025-11-03T19:51:15.007Z" } +sdist = { url = "https://files.pythonhosted.org/packages/2b/f4/69fa6ed85ae003c2378ffa8f6d2e3234662abd02c10d216c0ba96081a238/markdown-3.10.2.tar.gz", hash = "sha256:994d51325d25ad8aa7ce4ebaec003febcce822c3f8c911e3b17c52f7f589f950", size = 368805, upload-time = "2026-02-09T14:57:26.942Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/70/81/54e3ce63502cd085a0c556652a4e1b919c45a446bd1e5300e10c44c8c521/markdown-3.10-py3-none-any.whl", hash = "sha256:b5b99d6951e2e4948d939255596523444c0e677c669700b1d17aa4a8a464cb7c", size = 107678, upload-time = "2025-11-03T19:51:13.887Z" }, + { url = "https://files.pythonhosted.org/packages/de/1f/77fa3081e4f66ca3576c896ae5d31c3002ac6607f9747d2e3aa49227e464/markdown-3.10.2-py3-none-any.whl", hash = "sha256:e91464b71ae3ee7afd3017d9f358ef0baf158fd9a298db92f1d4761133824c36", size = 108180, upload-time = "2026-02-09T14:57:25.787Z" }, ] [[package]] @@ -866,11 +886,11 @@ wheels = [ [[package]] name = "packaging" -version = "25.0" +version = "26.2" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/a1/d4/1fc4078c65507b51b96ca8f8c3ba19e6a61c8253c72794544580a7b6c24d/packaging-25.0.tar.gz", hash = "sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f", size = 165727, upload-time = "2025-04-19T11:48:59.673Z" } +sdist = { url = "https://files.pythonhosted.org/packages/d7/f1/e7a6dd94a8d4a5626c03e4e99c87f241ba9e350cd9e6d75123f992427270/packaging-26.2.tar.gz", hash = "sha256:ff452ff5a3e828ce110190feff1178bb1f2ea2281fa2075aadb987c2fb221661", size = 228134, upload-time = "2026-04-24T20:15:23.917Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/20/12/38679034af332785aac8774540895e234f4d07f7545804097de4b666afd8/packaging-25.0-py3-none-any.whl", hash = "sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484", size = 66469, upload-time = "2025-04-19T11:48:57.875Z" }, + { url = "https://files.pythonhosted.org/packages/df/b2/87e62e8c3e2f4b32e5fe99e0b86d576da1312593b39f47d8ceef365e95ed/packaging-26.2-py3-none-any.whl", hash = "sha256:5fc45236b9446107ff2415ce77c807cee2862cb6fac22b8a73826d0693b0980e", size = 100195, upload-time = "2026-04-24T20:15:22.081Z" }, ] [[package]] @@ -914,7 +934,7 @@ wheels = [ [[package]] name = "pre-commit" -version = "4.5.1" +version = "4.6.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cfgv" }, @@ -923,9 +943,9 @@ dependencies = [ { name = "pyyaml" }, { name = "virtualenv" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/40/f1/6d86a29246dfd2e9b6237f0b5823717f60cad94d47ddc26afa916d21f525/pre_commit-4.5.1.tar.gz", hash = "sha256:eb545fcff725875197837263e977ea257a402056661f09dae08e4b149b030a61", size = 198232, upload-time = "2025-12-16T21:14:33.552Z" } +sdist = { url = "https://files.pythonhosted.org/packages/8e/22/2de9408ac81acbb8a7d05d4cc064a152ccf33b3d480ebe0cd292153db239/pre_commit-4.6.0.tar.gz", hash = "sha256:718d2208cef53fdc38206e40524a6d4d9576d103eb16f0fec11c875e7716e9d9", size = 198525, upload-time = "2026-04-21T20:31:41.613Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/5d/19/fd3ef348460c80af7bb4669ea7926651d1f95c23ff2df18b9d24bab4f3fa/pre_commit-4.5.1-py2.py3-none-any.whl", hash = "sha256:3b3afd891e97337708c1674210f8eba659b52a38ea5f822ff142d10786221f77", size = 226437, upload-time = "2025-12-16T21:14:32.409Z" }, + { url = "https://files.pythonhosted.org/packages/80/6e/4b28b62ecb6aae56769c34a8ff1d661473ec1e9519e2d5f8b2c150086b26/pre_commit-4.6.0-py2.py3-none-any.whl", hash = "sha256:e2cf246f7299edcabcf15f9b0571fdce06058527f0a06535068a86d38089f29b", size = 226472, upload-time = "2026-04-21T20:31:40.092Z" }, ] [[package]] @@ -960,11 +980,11 @@ wheels = [ [[package]] name = "pygments" -version = "2.19.2" +version = "2.20.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/b0/77/a5b8c569bf593b0140bde72ea885a803b82086995367bf2037de0159d924/pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887", size = 4968631, upload-time = "2025-06-21T13:39:12.283Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c3/b2/bc9c9196916376152d655522fdcebac55e66de6603a76a02bca1b6414f6c/pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f", size = 4955991, upload-time = "2026-03-29T13:29:33.898Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" }, + { url = "https://files.pythonhosted.org/packages/f4/7e/a72dd26f3b0f4f2bf1dd8923c85f7ceb43172af56d63c7383eb62b332364/pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176", size = 1231151, upload-time = "2026-03-29T13:29:30.038Z" }, ] [[package]] @@ -978,48 +998,45 @@ wheels = [ [[package]] name = "pytest" -version = "9.0.2" +version = "9.0.3" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "colorama", marker = "sys_platform == 'win32'" }, - { name = "exceptiongroup", marker = "python_full_version < '3.11'" }, { name = "iniconfig" }, { name = "packaging" }, { name = "pluggy" }, { name = "pygments" }, - { name = "tomli", marker = "python_full_version < '3.11'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/d1/db/7ef3487e0fb0049ddb5ce41d3a49c235bf9ad299b6a25d5780a89f19230f/pytest-9.0.2.tar.gz", hash = "sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11", size = 1568901, upload-time = "2025-12-06T21:30:51.014Z" } +sdist = { url = "https://files.pythonhosted.org/packages/7d/0d/549bd94f1a0a402dc8cf64563a117c0f3765662e2e668477624baeec44d5/pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c", size = 1572165, upload-time = "2026-04-07T17:16:18.027Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/3b/ab/b3226f0bd7cdcf710fbede2b3548584366da3b19b5021e74f5bde2a8fa3f/pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b", size = 374801, upload-time = "2025-12-06T21:30:49.154Z" }, + { url = "https://files.pythonhosted.org/packages/d4/24/a372aaf5c9b7208e7112038812994107bc65a84cd00e0354a88c2c77a617/pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9", size = 375249, upload-time = "2026-04-07T17:16:16.13Z" }, ] [[package]] name = "pytest-asyncio" -version = "1.3.0" +version = "1.4.0" source = { registry = "https://pypi.org/simple" } dependencies = [ - { name = "backports-asyncio-runner", marker = "python_full_version < '3.11'" }, { name = "pytest" }, { name = "typing-extensions", marker = "python_full_version < '3.13'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/90/2c/8af215c0f776415f3590cac4f9086ccefd6fd463befeae41cd4d3f193e5a/pytest_asyncio-1.3.0.tar.gz", hash = "sha256:d7f52f36d231b80ee124cd216ffb19369aa168fc10095013c6b014a34d3ee9e5", size = 50087, upload-time = "2025-11-10T16:07:47.256Z" } +sdist = { url = "https://files.pythonhosted.org/packages/43/7c/d36d04db312ecf4298932ef77e6e4a9e8ad017906e24e34f0b0c361a2473/pytest_asyncio-1.4.0.tar.gz", hash = "sha256:c6c0d2259945122819f171a32ecea2c349ead889ee28176caaf492143424be42", size = 58514, upload-time = "2026-05-26T09:56:04.083Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/e5/35/f8b19922b6a25bc0880171a2f1a003eaeb93657475193ab516fd87cac9da/pytest_asyncio-1.3.0-py3-none-any.whl", hash = "sha256:611e26147c7f77640e6d0a92a38ed17c3e9848063698d5c93d5aa7aa11cebff5", size = 15075, upload-time = "2025-11-10T16:07:45.537Z" }, + { url = "https://files.pythonhosted.org/packages/03/e2/08a497ef684b88559c9cc5f4ad53a37e7b99e727094a86d6ea32536d5d3c/pytest_asyncio-1.4.0-py3-none-any.whl", hash = "sha256:933ca923a23075a87fb7070c0ec272a6848489824d887c85c812670932835aa1", size = 16930, upload-time = "2026-05-26T09:56:02.576Z" }, ] [[package]] name = "pytest-cov" -version = "7.0.0" +version = "7.1.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "coverage", extra = ["toml"] }, { name = "pluggy" }, { name = "pytest" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/5e/f7/c933acc76f5208b3b00089573cf6a2bc26dc80a8aece8f52bb7d6b1855ca/pytest_cov-7.0.0.tar.gz", hash = "sha256:33c97eda2e049a0c5298e91f519302a1334c26ac65c1a483d6206fd458361af1", size = 54328, upload-time = "2025-09-09T10:57:02.113Z" } +sdist = { url = "https://files.pythonhosted.org/packages/b1/51/a849f96e117386044471c8ec2bd6cfebacda285da9525c9106aeb28da671/pytest_cov-7.1.0.tar.gz", hash = "sha256:30674f2b5f6351aa09702a9c8c364f6a01c27aae0c1366ae8016160d1efc56b2", size = 55592, upload-time = "2026-03-21T20:11:16.284Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/ee/49/1377b49de7d0c1ce41292161ea0f721913fa8722c19fb9c1e3aa0367eecb/pytest_cov-7.0.0-py3-none-any.whl", hash = "sha256:3b8e9558b16cc1479da72058bdecf8073661c7f57f7d3c5f22a1c23507f2d861", size = 22424, upload-time = "2025-09-09T10:57:00.695Z" }, + { url = "https://files.pythonhosted.org/packages/9d/7a/d968e294073affff457b041c2be9868a40c1c71f4a35fcc1e45e5493067b/pytest_cov-7.1.0-py3-none-any.whl", hash = "sha256:a0461110b7865f9a271aa1b51e516c9a95de9d696734a2f71e3e78f46e1d4678", size = 22876, upload-time = "2026-03-21T20:11:14.438Z" }, ] [[package]] @@ -1046,13 +1063,26 @@ dependencies = [ ] sdist = { url = "https://files.pythonhosted.org/packages/36/47/ab65fc1d682befc318c439940f81a0de1026048479f732e84fe714cd69c0/pytest-watch-4.2.0.tar.gz", hash = "sha256:06136f03d5b361718b8d0d234042f7b2f203910d8568f63df2f866b547b3d4b9", size = 16340, upload-time = "2018-05-20T19:52:16.194Z" } +[[package]] +name = "python-discovery" +version = "1.4.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "filelock" }, + { name = "platformdirs" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/a6/12/38c1a0b1e64806780c9563e3fc9f6e472251839662587cfbe9bfaf2ae10a/python_discovery-1.4.0.tar.gz", hash = "sha256:eb8bc7daad3c226c147e45bb4e970a1feb1bf4048ee178e6db59e197b8010ce3", size = 68455, upload-time = "2026-05-28T01:15:37.639Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c8/8d/3d316429f65029532bb1e28ff77b797d86b5ac3915bb44ca4e19aa283d43/python_discovery-1.4.0-py3-none-any.whl", hash = "sha256:26ed78d703e234879a66244c7d4114563fb13ec5cd30a2d1357e5fb4850782da", size = 33217, upload-time = "2026-05-28T01:15:36.573Z" }, +] + [[package]] name = "python-dotenv" -version = "1.2.1" +version = "1.2.2" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/f0/26/19cadc79a718c5edbec86fd4919a6b6d3f681039a2f6d66d14be94e75fb9/python_dotenv-1.2.1.tar.gz", hash = "sha256:42667e897e16ab0d66954af0e60a9caa94f0fd4ecf3aaf6d2d260eec1aa36ad6", size = 44221, upload-time = "2025-10-26T15:12:10.434Z" } +sdist = { url = "https://files.pythonhosted.org/packages/82/ed/0301aeeac3e5353ef3d94b6ec08bbcabd04a72018415dcb29e588514bba8/python_dotenv-1.2.2.tar.gz", hash = "sha256:2c371a91fbd7ba082c2c1dc1f8bf89ca22564a087c2c287cd9b662adde799cf3", size = 50135, upload-time = "2026-03-01T16:00:26.196Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/14/1b/a298b06749107c305e1fe0f814c6c74aea7b2f1e10989cb30f544a1b3253/python_dotenv-1.2.1-py3-none-any.whl", hash = "sha256:b81ee9561e9ca4004139c6cbba3a238c32b03e4894671e181b671e8cb8425d61", size = 21230, upload-time = "2025-10-26T15:12:09.109Z" }, + { url = "https://files.pythonhosted.org/packages/0b/d7/1959b9648791274998a9c3526f6d0ec8fd2233e4d4acce81bbae76b44b2a/python_dotenv-1.2.2-py3-none-any.whl", hash = "sha256:1d8214789a24de455a8b8bd8ae6fe3c6b69a5e3d64aa8a8e5d68e694bbcb285a", size = 22101, upload-time = "2026-03-01T16:00:25.09Z" }, ] [[package]] @@ -1070,15 +1100,6 @@ version = "6.0.3" source = { registry = "https://pypi.org/simple" } sdist = { url = "https://files.pythonhosted.org/packages/05/8e/961c0007c59b8dd7729d542c61a4d537767a59645b82a0b521206e1e25c2/pyyaml-6.0.3.tar.gz", hash = "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f", size = 130960, upload-time = "2025-09-25T21:33:16.546Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/f4/a0/39350dd17dd6d6c6507025c0e53aef67a9293a6d37d3511f23ea510d5800/pyyaml-6.0.3-cp310-cp310-macosx_10_13_x86_64.whl", hash = "sha256:214ed4befebe12df36bcc8bc2b64b396ca31be9304b8f59e25c11cf94a4c033b", size = 184227, upload-time = "2025-09-25T21:31:46.04Z" }, - { url = "https://files.pythonhosted.org/packages/05/14/52d505b5c59ce73244f59c7a50ecf47093ce4765f116cdb98286a71eeca2/pyyaml-6.0.3-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:02ea2dfa234451bbb8772601d7b8e426c2bfa197136796224e50e35a78777956", size = 174019, upload-time = "2025-09-25T21:31:47.706Z" }, - { url = "https://files.pythonhosted.org/packages/43/f7/0e6a5ae5599c838c696adb4e6330a59f463265bfa1e116cfd1fbb0abaaae/pyyaml-6.0.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b30236e45cf30d2b8e7b3e85881719e98507abed1011bf463a8fa23e9c3e98a8", size = 740646, upload-time = "2025-09-25T21:31:49.21Z" }, - { url = "https://files.pythonhosted.org/packages/2f/3a/61b9db1d28f00f8fd0ae760459a5c4bf1b941baf714e207b6eb0657d2578/pyyaml-6.0.3-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:66291b10affd76d76f54fad28e22e51719ef9ba22b29e1d7d03d6777a9174198", size = 840793, upload-time = "2025-09-25T21:31:50.735Z" }, - { url = "https://files.pythonhosted.org/packages/7a/1e/7acc4f0e74c4b3d9531e24739e0ab832a5edf40e64fbae1a9c01941cabd7/pyyaml-6.0.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9c7708761fccb9397fe64bbc0395abcae8c4bf7b0eac081e12b809bf47700d0b", size = 770293, upload-time = "2025-09-25T21:31:51.828Z" }, - { url = "https://files.pythonhosted.org/packages/8b/ef/abd085f06853af0cd59fa5f913d61a8eab65d7639ff2a658d18a25d6a89d/pyyaml-6.0.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:418cf3f2111bc80e0933b2cd8cd04f286338bb88bdc7bc8e6dd775ebde60b5e0", size = 732872, upload-time = "2025-09-25T21:31:53.282Z" }, - { url = "https://files.pythonhosted.org/packages/1f/15/2bc9c8faf6450a8b3c9fc5448ed869c599c0a74ba2669772b1f3a0040180/pyyaml-6.0.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:5e0b74767e5f8c593e8c9b5912019159ed0533c70051e9cce3e8b6aa699fcd69", size = 758828, upload-time = "2025-09-25T21:31:54.807Z" }, - { url = "https://files.pythonhosted.org/packages/a3/00/531e92e88c00f4333ce359e50c19b8d1de9fe8d581b1534e35ccfbc5f393/pyyaml-6.0.3-cp310-cp310-win32.whl", hash = "sha256:28c8d926f98f432f88adc23edf2e6d4921ac26fb084b028c733d01868d19007e", size = 142415, upload-time = "2025-09-25T21:31:55.885Z" }, - { url = "https://files.pythonhosted.org/packages/2a/fa/926c003379b19fca39dd4634818b00dec6c62d87faf628d1394e137354d4/pyyaml-6.0.3-cp310-cp310-win_amd64.whl", hash = "sha256:bdb2c67c6c1390b63c6ff89f210c8fd09d9a1217a465701eac7316313c915e4c", size = 158561, upload-time = "2025-09-25T21:31:57.406Z" }, { url = "https://files.pythonhosted.org/packages/6d/16/a95b6757765b7b031c9374925bb718d55e0a9ba8a1b6a12d25962ea44347/pyyaml-6.0.3-cp311-cp311-macosx_10_13_x86_64.whl", hash = "sha256:44edc647873928551a01e7a563d7452ccdebee747728c1080d881d68af7b997e", size = 185826, upload-time = "2025-09-25T21:31:58.655Z" }, { url = "https://files.pythonhosted.org/packages/16/19/13de8e4377ed53079ee996e1ab0a9c33ec2faf808a4647b7b4c0d46dd239/pyyaml-6.0.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:652cb6edd41e718550aad172851962662ff2681490a8a711af6a4d288dd96824", size = 175577, upload-time = "2025-09-25T21:32:00.088Z" }, { url = "https://files.pythonhosted.org/packages/0c/62/d2eb46264d4b157dae1275b573017abec435397aa59cbcdab6fc978a8af4/pyyaml-6.0.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:10892704fc220243f5305762e276552a0395f7beb4dbf9b14ec8fd43b57f126c", size = 775556, upload-time = "2025-09-25T21:32:01.31Z" }, @@ -1144,7 +1165,7 @@ wheels = [ [[package]] name = "requests" -version = "2.32.5" +version = "2.34.2" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "certifi" }, @@ -1152,9 +1173,9 @@ dependencies = [ { name = "idna" }, { name = "urllib3" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/c9/74/b3ff8e6c8446842c3f5c837e9c3dfcfe2018ea6ecef224c710c85ef728f4/requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf", size = 134517, upload-time = "2025-08-18T20:46:02.573Z" } +sdist = { url = "https://files.pythonhosted.org/packages/ac/c3/e2a2b89f2d3e2179abd6d00ebd70bff6273f37fb3e0cc209f48b39d00cbf/requests-2.34.2.tar.gz", hash = "sha256:f288924cae4e29463698d6d60bc6a4da69c89185ad1e0bcc4104f584e960b9ed", size = 142856, upload-time = "2026-05-14T19:25:27.735Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6", size = 64738, upload-time = "2025-08-18T20:46:00.542Z" }, + { url = "https://files.pythonhosted.org/packages/a0/f4/c67b0b3f1b9245e8d266f0f112c500d50e5b4e83cb6f3b71b6528104182a/requests-2.34.2-py3-none-any.whl", hash = "sha256:2a0d60c172f83ac6ab31e4554906c0f3b3588d37b5cb939b1c061f4907e278e0", size = 73075, upload-time = "2026-05-14T19:25:26.443Z" }, ] [[package]] @@ -1193,28 +1214,27 @@ wheels = [ [[package]] name = "ruff" -version = "0.14.10" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/57/08/52232a877978dd8f9cf2aeddce3e611b40a63287dfca29b6b8da791f5e8d/ruff-0.14.10.tar.gz", hash = "sha256:9a2e830f075d1a42cd28420d7809ace390832a490ed0966fe373ba288e77aaf4", size = 5859763, upload-time = "2025-12-18T19:28:57.98Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/60/01/933704d69f3f05ee16ef11406b78881733c186fe14b6a46b05cfcaf6d3b2/ruff-0.14.10-py3-none-linux_armv6l.whl", hash = "sha256:7a3ce585f2ade3e1f29ec1b92df13e3da262178df8c8bdf876f48fa0e8316c49", size = 13527080, upload-time = "2025-12-18T19:29:25.642Z" }, - { url = "https://files.pythonhosted.org/packages/df/58/a0349197a7dfa603ffb7f5b0470391efa79ddc327c1e29c4851e85b09cc5/ruff-0.14.10-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:674f9be9372907f7257c51f1d4fc902cb7cf014b9980152b802794317941f08f", size = 13797320, upload-time = "2025-12-18T19:29:02.571Z" }, - { url = "https://files.pythonhosted.org/packages/7b/82/36be59f00a6082e38c23536df4e71cdbc6af8d7c707eade97fcad5c98235/ruff-0.14.10-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d85713d522348837ef9df8efca33ccb8bd6fcfc86a2cde3ccb4bc9d28a18003d", size = 12918434, upload-time = "2025-12-18T19:28:51.202Z" }, - { url = "https://files.pythonhosted.org/packages/a6/00/45c62a7f7e34da92a25804f813ebe05c88aa9e0c25e5cb5a7d23dd7450e3/ruff-0.14.10-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6987ebe0501ae4f4308d7d24e2d0fe3d7a98430f5adfd0f1fead050a740a3a77", size = 13371961, upload-time = "2025-12-18T19:29:04.991Z" }, - { url = "https://files.pythonhosted.org/packages/40/31/a5906d60f0405f7e57045a70f2d57084a93ca7425f22e1d66904769d1628/ruff-0.14.10-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:16a01dfb7b9e4eee556fbfd5392806b1b8550c9b4a9f6acd3dbe6812b193c70a", size = 13275629, upload-time = "2025-12-18T19:29:21.381Z" }, - { url = "https://files.pythonhosted.org/packages/3e/60/61c0087df21894cf9d928dc04bcd4fb10e8b2e8dca7b1a276ba2155b2002/ruff-0.14.10-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7165d31a925b7a294465fa81be8c12a0e9b60fb02bf177e79067c867e71f8b1f", size = 14029234, upload-time = "2025-12-18T19:29:00.132Z" }, - { url = "https://files.pythonhosted.org/packages/44/84/77d911bee3b92348b6e5dab5a0c898d87084ea03ac5dc708f46d88407def/ruff-0.14.10-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:c561695675b972effb0c0a45db233f2c816ff3da8dcfbe7dfc7eed625f218935", size = 15449890, upload-time = "2025-12-18T19:28:53.573Z" }, - { url = "https://files.pythonhosted.org/packages/e9/36/480206eaefa24a7ec321582dda580443a8f0671fdbf6b1c80e9c3e93a16a/ruff-0.14.10-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4bb98fcbbc61725968893682fd4df8966a34611239c9fd07a1f6a07e7103d08e", size = 15123172, upload-time = "2025-12-18T19:29:23.453Z" }, - { url = "https://files.pythonhosted.org/packages/5c/38/68e414156015ba80cef5473d57919d27dfb62ec804b96180bafdeaf0e090/ruff-0.14.10-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f24b47993a9d8cb858429e97bdf8544c78029f09b520af615c1d261bf827001d", size = 14460260, upload-time = "2025-12-18T19:29:27.808Z" }, - { url = "https://files.pythonhosted.org/packages/b3/19/9e050c0dca8aba824d67cc0db69fb459c28d8cd3f6855b1405b3f29cc91d/ruff-0.14.10-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:59aabd2e2c4fd614d2862e7939c34a532c04f1084476d6833dddef4afab87e9f", size = 14229978, upload-time = "2025-12-18T19:29:11.32Z" }, - { url = "https://files.pythonhosted.org/packages/51/eb/e8dd1dd6e05b9e695aa9dd420f4577debdd0f87a5ff2fedda33c09e9be8c/ruff-0.14.10-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:213db2b2e44be8625002dbea33bb9c60c66ea2c07c084a00d55732689d697a7f", size = 14338036, upload-time = "2025-12-18T19:29:09.184Z" }, - { url = "https://files.pythonhosted.org/packages/6a/12/f3e3a505db7c19303b70af370d137795fcfec136d670d5de5391e295c134/ruff-0.14.10-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:b914c40ab64865a17a9a5b67911d14df72346a634527240039eb3bd650e5979d", size = 13264051, upload-time = "2025-12-18T19:29:13.431Z" }, - { url = "https://files.pythonhosted.org/packages/08/64/8c3a47eaccfef8ac20e0484e68e0772013eb85802f8a9f7603ca751eb166/ruff-0.14.10-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:1484983559f026788e3a5c07c81ef7d1e97c1c78ed03041a18f75df104c45405", size = 13283998, upload-time = "2025-12-18T19:29:06.994Z" }, - { url = "https://files.pythonhosted.org/packages/12/84/534a5506f4074e5cc0529e5cd96cfc01bb480e460c7edf5af70d2bcae55e/ruff-0.14.10-py3-none-musllinux_1_2_i686.whl", hash = "sha256:c70427132db492d25f982fffc8d6c7535cc2fd2c83fc8888f05caaa248521e60", size = 13601891, upload-time = "2025-12-18T19:28:55.811Z" }, - { url = "https://files.pythonhosted.org/packages/0d/1e/14c916087d8598917dbad9b2921d340f7884824ad6e9c55de948a93b106d/ruff-0.14.10-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:5bcf45b681e9f1ee6445d317ce1fa9d6cba9a6049542d1c3d5b5958986be8830", size = 14336660, upload-time = "2025-12-18T19:29:16.531Z" }, - { url = "https://files.pythonhosted.org/packages/f2/1c/d7b67ab43f30013b47c12b42d1acd354c195351a3f7a1d67f59e54227ede/ruff-0.14.10-py3-none-win32.whl", hash = "sha256:104c49fc7ab73f3f3a758039adea978869a918f31b73280db175b43a2d9b51d6", size = 13196187, upload-time = "2025-12-18T19:29:19.006Z" }, - { url = "https://files.pythonhosted.org/packages/fb/9c/896c862e13886fae2af961bef3e6312db9ebc6adc2b156fe95e615dee8c1/ruff-0.14.10-py3-none-win_amd64.whl", hash = "sha256:466297bd73638c6bdf06485683e812db1c00c7ac96d4ddd0294a338c62fdc154", size = 14661283, upload-time = "2025-12-18T19:29:30.16Z" }, - { url = "https://files.pythonhosted.org/packages/74/31/b0e29d572670dca3674eeee78e418f20bdf97fa8aa9ea71380885e175ca0/ruff-0.14.10-py3-none-win_arm64.whl", hash = "sha256:e51d046cf6dda98a4633b8a8a771451107413b0f07183b2bef03f075599e44e6", size = 13729839, upload-time = "2025-12-18T19:28:48.636Z" }, +version = "0.15.14" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/dc/8a/8bce2894573e9dae6ff4d77fe34ad727d79b9e6238ad288c5638990d90f6/ruff-0.15.14.tar.gz", hash = "sha256:48e866b165be4a9bdbf310f7d3c9a07edef2fe8cd63ffeb4e00bb590506ebf9f", size = 4700910, upload-time = "2026-05-21T14:34:55.177Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b9/c8/74a92c6ff9fcfb4f1f947126d3ebee8389276e161ecc85de5bda7cda51bd/ruff-0.15.14-py3-none-linux_armv6l.whl", hash = "sha256:8dd2db9416e487c8d4b01fa7056bb02c4d05969d4f8d17a08c229c2f4ff3c108", size = 10739177, upload-time = "2026-05-21T14:34:37.332Z" }, + { url = "https://files.pythonhosted.org/packages/45/91/254a35c20acc38a7223c9d2d594af12e794432464f2cdeb52af1dc4a892d/ruff-0.15.14-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:be4ff55af755bd71a00ab3dc6bd7ffc467bd76e0df6881e286c2e3d23e8fb43b", size = 11144969, upload-time = "2026-05-21T14:34:43.978Z" }, + { url = "https://files.pythonhosted.org/packages/56/9e/d13e40f83b8d0a94430e6778ce1d94a43b38cf2efe63278bdd2b4c65abbf/ruff-0.15.14-py3-none-macosx_11_0_arm64.whl", hash = "sha256:48d5909d7d06276ce7dde6d32bfa4b0d4cb2651145cd8ee4b440722cbc77832f", size = 10478207, upload-time = "2026-05-21T14:34:48.378Z" }, + { url = "https://files.pythonhosted.org/packages/8d/f1/b15a7839fa4f332f8acec78e20564f26bb2d866e3d21710b877fd0263000/ruff-0.15.14-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca8cbfa94c4f90984a67561978602746d4cd27103568f745fa90eee3f0d4107d", size = 10818459, upload-time = "2026-05-21T14:34:22.318Z" }, + { url = "https://files.pythonhosted.org/packages/45/33/53d651177f84f94b400a0e27f8824eeada3dddc9d5ee8aeb048f4352a520/ruff-0.15.14-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:9a6bbc0333f1ab053423bcbf6226477d266ca7cec7738c4c8e3f55647803f3c4", size = 10541800, upload-time = "2026-05-21T14:34:20.209Z" }, + { url = "https://files.pythonhosted.org/packages/b8/a6/868f87e0bf9786ed24b5d0d0ad8676b8a94fd1912f42cddf9cfc7857818a/ruff-0.15.14-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8a24a4f7605d7003a6674d4387651effd939dead3fddd0f36561eb77a9a2e542", size = 11342149, upload-time = "2026-05-21T14:34:46.365Z" }, + { url = "https://files.pythonhosted.org/packages/a7/8b/38cd5c19faffdcc05a408d2b78edccc69492ab9720eadb49ea15ef80d768/ruff-0.15.14-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:049b5326e53ed80978f2fc041a280603f69dd6b0c95464342a2bb4572d9d9e2f", size = 12212563, upload-time = "2026-05-21T14:34:28.579Z" }, + { url = "https://files.pythonhosted.org/packages/3e/4d/a3c5b874a556d5731e3e657aaf04311bb76f0a5c3ec220ed43051be6b64b/ruff-0.15.14-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d4ed42e6696c8dfa5f06728e6441993901f548eb92d73bc472cb5a38d1395fbf", size = 11493299, upload-time = "2026-05-21T14:34:41.836Z" }, + { url = "https://files.pythonhosted.org/packages/1e/c0/56472c251d09858a53e51efbd485b09e1995d8731668b76d52e5dd6ee0f1/ruff-0.15.14-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:715c543cf450c4888251f91c52f1942a800541d9bddd7ac060aa4e6b77ae7cba", size = 11455931, upload-time = "2026-05-21T14:34:57.276Z" }, + { url = "https://files.pythonhosted.org/packages/2c/4a/e2e7b4d8dbf233d4eace59c75bc3435fa6d8bd3bae82d351d4e4300c0fd1/ruff-0.15.14-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:72ebab6013ec887d439d8b7593737a0a4ffb06d45d209d4e4bf2e92813082d3f", size = 11400794, upload-time = "2026-05-21T14:34:39.773Z" }, + { url = "https://files.pythonhosted.org/packages/97/c7/83c0539fe34c3e09136204d1e75d6052492364e0b3cb05e9465423f567d7/ruff-0.15.14-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:49072d36abdbe97a8dd7f480afe9c675699c0c495d4c84076e2c1203c4550581", size = 10804759, upload-time = "2026-05-21T14:34:31.045Z" }, + { url = "https://files.pythonhosted.org/packages/86/a6/18f2bfc095a2ab4a78745644e428205532ce6653a5d0fa8501572891534d/ruff-0.15.14-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:958522aee105068640c2c2ceae08f413ae44d922f52a1374ac13d6a96032fc93", size = 10539517, upload-time = "2026-05-21T14:34:53.064Z" }, + { url = "https://files.pythonhosted.org/packages/54/3a/5a8b3b69c654d4e4bf1d246ac5b49cbcdac6eaab6905925f8915f31e3b80/ruff-0.15.14-py3-none-musllinux_1_2_i686.whl", hash = "sha256:f3707da619a143a2e8830e2abab8224478d69ace2d28cb6c20543ae97c36bf61", size = 11065169, upload-time = "2026-05-21T14:34:24.484Z" }, + { url = "https://files.pythonhosted.org/packages/ed/c5/8864e4e7925b836ea354b31d57641ec03830564e281a8b6f061f8c3e0ec1/ruff-0.15.14-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:bb01d645694e3ec0102105d07ef2d53703970407d59c04e59d3ba0b7a1d53553", size = 11560214, upload-time = "2026-05-21T14:34:50.975Z" }, + { url = "https://files.pythonhosted.org/packages/36/38/012bf76752e1f89ed50b77b99532d90f3a3e287bc7918e1fc0948ac866ac/ruff-0.15.14-py3-none-win32.whl", hash = "sha256:6d0c1ad2a0ab718d39b6d8fd2217981ce4d625cd96a720095f798fb47d8b13e6", size = 10805548, upload-time = "2026-05-21T14:34:33.453Z" }, + { url = "https://files.pythonhosted.org/packages/d1/b7/4ea2c170f10ad760fff2a5250beb18897719dc8b52b53a24cddbb9dd3f19/ruff-0.15.14-py3-none-win_amd64.whl", hash = "sha256:802342981e056db3851a7836e5b070f8f15f67d4a685ae2a6160939d364b2902", size = 11939523, upload-time = "2026-05-21T14:34:18.077Z" }, + { url = "https://files.pythonhosted.org/packages/62/d5/bc97ff895ec35cf3925d4bd60f3b39d822f377a446906ec9bcc87405e59b/ruff-0.15.14-py3-none-win_arm64.whl", hash = "sha256:ff47b90a9ef6a40c9e2f3b479c1fb78531adf055b94c1eba0a7ba04b31951826", size = 11208607, upload-time = "2026-05-21T14:34:26.525Z" }, ] [[package]] @@ -1250,22 +1270,24 @@ wheels = [ [[package]] name = "socketdev" -version = "3.0.32" +version = "3.2.1" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "requests" }, { name = "typing-extensions" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/06/03/95800661041781428cc753aea65d8e1bc44d108f4be29c6a0815d18fcdd3/socketdev-3.0.32.tar.gz", hash = "sha256:89167632834dcf222877d599e68ed87a3a08e7abe171759f54490712ea8aa89a", size = 170997, upload-time = "2026-02-27T17:59:58.554Z" } +sdist = { url = "https://files.pythonhosted.org/packages/21/65/07df2bf6e490c56544fb06e4cfde059b2572fdd5b02ff352c766b1d5f7ce/socketdev-3.2.1.tar.gz", hash = "sha256:7db910a98628473e8ec06822deb01b6bd465b385e9e8ea405f2b7526e8258074", size = 179279, upload-time = "2026-06-03T18:08:19.806Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/81/5c/58fa24c442d2bb8b8cab926c89cd4fb2613f73a35556e385d9bdb00abb72/socketdev-3.0.32-py3-none-any.whl", hash = "sha256:6a22356dadf4741eb731593b1d5ed4d708769f945998723bbfd1b613b8c968cc", size = 66868, upload-time = "2026-02-27T17:59:56.896Z" }, + { url = "https://files.pythonhosted.org/packages/53/01/fff70923755b3a187ca971189fb078a2aaedcad42d682abfdd06f3445def/socketdev-3.2.1-py3-none-any.whl", hash = "sha256:6dc762d78baea8011dc22f2afe49c84c926e640a6879bd7b58c3abdd4e29e8bb", size = 67266, upload-time = "2026-06-03T18:08:18.029Z" }, ] [[package]] name = "socketsecurity" -version = "2.2.78" +version = "2.4.6" source = { editable = "." } dependencies = [ + { name = "brotli", marker = "platform_python_implementation == 'CPython'" }, + { name = "brotlicffi", marker = "platform_python_implementation != 'CPython'" }, { name = "bs4" }, { name = "gitpython" }, { name = "markdown" }, @@ -1300,6 +1322,8 @@ dev = [ [package.metadata] requires-dist = [ + { name = "brotli", marker = "platform_python_implementation == 'CPython'", specifier = ">=1.0.9" }, + { name = "brotlicffi", marker = "platform_python_implementation != 'CPython'", specifier = ">=1.0.9" }, { name = "bs4", specifier = ">=0.0.2" }, { name = "gitpython" }, { name = "hatch", marker = "extra == 'dev'" }, @@ -1316,7 +1340,7 @@ requires-dist = [ { name = "python-dotenv" }, { name = "requests" }, { name = "ruff", marker = "extra == 'dev'", specifier = ">=0.3.0" }, - { name = "socketdev", specifier = ">=3.0.32,<4.0.0" }, + { name = "socketdev", specifier = ">=3.2.1,<4.0.0" }, { name = "twine", marker = "extra == 'dev'" }, { name = "uv", marker = "extra == 'dev'", specifier = ">=0.1.0" }, ] @@ -1441,11 +1465,11 @@ wheels = [ [[package]] name = "urllib3" -version = "2.6.3" +version = "2.7.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" } +sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" }, + { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" }, ] [[package]] @@ -1462,43 +1486,43 @@ wheels = [ [[package]] name = "uv" -version = "0.9.21" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/e2/2b/4e2090bc3a6265b445b3d31ca6fff20c6458d11145069f7e48ade3e2d75b/uv-0.9.21.tar.gz", hash = "sha256:aa4ca6ccd68e81b5ebaa3684d3c4df2b51a982ac16211eadf0707741d36e6488", size = 3834762, upload-time = "2025-12-30T16:12:51.927Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/da/26/0750c5bb1637ebefe1db0936dc76ead8ce97f17368cda950642bfd90fa3f/uv-0.9.21-py3-none-linux_armv6l.whl", hash = "sha256:0b330eaced2fd9d94e2a70f3bb6c8fd7beadc9d9bf9f1227eb14da44039c413a", size = 21266556, upload-time = "2025-12-30T16:12:47.311Z" }, - { url = "https://files.pythonhosted.org/packages/3e/ef/f019466c1e367ea68003cf35f4d44cc328694ed4a59b6004aa7dcacb2b35/uv-0.9.21-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:1d8e0940bddd37a55f4479d61adaa6b302b780d473f037fc084e48b09a1678e7", size = 20485648, upload-time = "2025-12-30T16:12:15.746Z" }, - { url = "https://files.pythonhosted.org/packages/2a/41/f735bd9a5b4848b6f4f1028e6d768f581559d68eddb6403eb0f19ca4c843/uv-0.9.21-py3-none-macosx_11_0_arm64.whl", hash = "sha256:cb420ddab7bcdd12c2352d4b551ced428d104311c0b98ce205675ab5c97072db", size = 18986976, upload-time = "2025-12-30T16:12:25.034Z" }, - { url = "https://files.pythonhosted.org/packages/9a/5f/01d537e05927594dc379ff8bc04f8cde26384d25108a9f63758eae2a7936/uv-0.9.21-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:a36d164438a6310c9fceebd041d80f7cffcc63ba80a7c83ee98394fadf2b8545", size = 20819312, upload-time = "2025-12-30T16:12:41.802Z" }, - { url = "https://files.pythonhosted.org/packages/18/89/9497395f57e007a2daed8172042ecccade3ff5569fd367d093f49bd6a4a8/uv-0.9.21-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c0ad83ce874cbbf9eda569ba793a9fb70870db426e9862300db8cf2950a7fe3b", size = 20900227, upload-time = "2025-12-30T16:12:19.242Z" }, - { url = "https://files.pythonhosted.org/packages/04/61/a3f6dfc75d278cce96b370e00b6f03d73ec260e5304f622504848bad219d/uv-0.9.21-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9076191c934b813147060e4cd97e33a58999de0f9c46f8ac67f614e154dae5c8", size = 21965424, upload-time = "2025-12-30T16:12:01.589Z" }, - { url = "https://files.pythonhosted.org/packages/18/3e/344e8c1078cfea82159c6608b8694f24fdfe850ce329a4708c026cb8b0ff/uv-0.9.21-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:2ce0f6aca91f7fbf1192e43c063f4de3666fd43126aacc71ff7d5a79f831af59", size = 23540343, upload-time = "2025-12-30T16:12:13.139Z" }, - { url = "https://files.pythonhosted.org/packages/7f/20/5826659a81526687c6e5b5507f3f79f4f4b7e3022f3efae2ba36b19864c3/uv-0.9.21-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0b4817642d5ef248b74ca7be3505e5e012a06be050669b80d1f7ced5ad50d188", size = 23171564, upload-time = "2025-12-30T16:12:22.219Z" }, - { url = "https://files.pythonhosted.org/packages/a6/8d/404c54e019bb99ce474dc21e6b96c8a1351ba3c06e5e19fd8dcae0ba1899/uv-0.9.21-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4fb42237fa309d79905fb73f653f63c1fe45a51193411c614b13512cf5506df3", size = 22202400, upload-time = "2025-12-30T16:12:04.612Z" }, - { url = "https://files.pythonhosted.org/packages/1a/f0/aa3d0081a2004050564364a1ef3277ddf889c9989a7278c0a9cce8284926/uv-0.9.21-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f1d22f0ac03635d661e811c69d7c0b292751f90699acc6a1fb1509e17c936474", size = 22206448, upload-time = "2025-12-30T16:12:30.626Z" }, - { url = "https://files.pythonhosted.org/packages/fc/a9/7a375e723a588f31f305ddf9ae2097af0b9dc7f7813641788b5b9764a237/uv-0.9.21-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:cdd805909d360ad67640201376c8eb02de08dcf1680a1a81aebd9519daed6023", size = 20940568, upload-time = "2025-12-30T16:12:27.533Z" }, - { url = "https://files.pythonhosted.org/packages/18/d5/6187ffb7e1d24df34defe2718db8c4c3c08f153d3e7da22c250134b79cd1/uv-0.9.21-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:82e438595a609cbe4e45c413a54bd5756d37c8c39108ce7b2799aff15f7d3337", size = 22085077, upload-time = "2025-12-30T16:12:10.153Z" }, - { url = "https://files.pythonhosted.org/packages/ee/fa/8e211167d0690d9f15a08da610a0383d2f43a6c838890878e14948472284/uv-0.9.21-py3-none-musllinux_1_1_armv7l.whl", hash = "sha256:fc1c06e1e5df423e1517e350ea2c9d85ecefd0919188a0a9f19bd239bbbdeeaf", size = 20862893, upload-time = "2025-12-30T16:12:49.87Z" }, - { url = "https://files.pythonhosted.org/packages/33/b2/9d24d84cb9a1a6a5ea98d03a29abf800d87e5710d25e53896dc73aeb63a5/uv-0.9.21-py3-none-musllinux_1_1_i686.whl", hash = "sha256:9ef3d2a213c7720f4dae336e5123fe88427200d7523c78091c4ab7f849c3f13f", size = 21428397, upload-time = "2025-12-30T16:12:07.483Z" }, - { url = "https://files.pythonhosted.org/packages/4f/40/1e8e4c2e1308432c708eaa66dccdb83d2ee6120ea2b7d65e04fc06f48ff8/uv-0.9.21-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:8da20914d92ba4cc35f071414d3da7365294fc0b7114da8ac2ab3a86c695096f", size = 22450537, upload-time = "2025-12-30T16:12:33.36Z" }, - { url = "https://files.pythonhosted.org/packages/18/b8/99c4731d001f512e844dfdc740db2bf2fea56d538749b639d21f5117a74a/uv-0.9.21-py3-none-win32.whl", hash = "sha256:e716e23bc0ec8cbb0811f99e653745e0cf15223e7ba5d8857d46be5b40b3045b", size = 20032654, upload-time = "2025-12-30T16:12:36.007Z" }, - { url = "https://files.pythonhosted.org/packages/29/6b/da441bf335f5e1c0c100b7dfb9702b6fed367ba703e543037bf1e70bf8c3/uv-0.9.21-py3-none-win_amd64.whl", hash = "sha256:64a7bb0e4e6a4c2d98c2d55f42aead7c2df0ceb17d5911d1a42b76228cab4525", size = 22206744, upload-time = "2025-12-30T16:12:38.953Z" }, - { url = "https://files.pythonhosted.org/packages/98/02/afbed8309fe07aaa9fa58a98941cebffbcd300fe70499a02a6806d93517b/uv-0.9.21-py3-none-win_arm64.whl", hash = "sha256:6c13c40966812f6bd6ecb6546e5d3e27e7fe9cefa07018f074f51d703cb29e1c", size = 20591604, upload-time = "2025-12-30T16:12:44.634Z" }, +version = "0.11.17" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/2c/8e/ec34c19d0f254fcbcc5c1ce8c7f06e47e0f69a7e1a0269c1d59cb0b0f279/uv-0.11.17.tar.gz", hash = "sha256:1d1be74deec997db1dda05a7e67541c904d65cbfd72e455d3c0a2a1e4bf2cddf", size = 4203607, upload-time = "2026-05-28T20:39:47.707Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/15/2e/e6d42f9d39009eee976f1e5dfd31d3d1943e6e593ad7b191cf11e9744a36/uv-0.11.17-py3-none-linux_armv6l.whl", hash = "sha256:8426bfe315564d414cbc5ba5467595dc6348965e19acec742914f47da3ff269f", size = 23551216, upload-time = "2026-05-28T20:39:05.395Z" }, + { url = "https://files.pythonhosted.org/packages/d0/ee/d72bcc60f3585653a4b768425854d737d98d65c1765547d25c2999547ea9/uv-0.11.17-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:6d1a033cc68cabb4141d6c1e3b66ffc6e970b98ba42e210f33270251e0bd8697", size = 22997377, upload-time = "2026-05-28T20:39:25.21Z" }, + { url = "https://files.pythonhosted.org/packages/58/34/1bc69798d9ae998fbc42c61b02883f2ba00d04bdd858e589604d01846287/uv-0.11.17-py3-none-macosx_11_0_arm64.whl", hash = "sha256:58c07ffc272c847d29cd98ca5082fa4304a645f87c718ec900e3cca9026bd096", size = 21630197, upload-time = "2026-05-28T20:39:28.935Z" }, + { url = "https://files.pythonhosted.org/packages/6b/93/1be48ec6a8933d9a77d0ce5240ed63f68869f68517ccf5d62268ed03f3e8/uv-0.11.17-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:036d6e2940afe8b79637530b01b9241d8cfd174b07f1179a1ebbd42409c38ca3", size = 23414940, upload-time = "2026-05-28T20:39:55.015Z" }, + { url = "https://files.pythonhosted.org/packages/00/31/b7488ff49d80090ea9d05d67a4d381a1b4479502e9853e654caa1c1c678e/uv-0.11.17-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:283186700c3e65a4644a73a917232da7d3e4a94d25ea0377a44f5b263fa49577", size = 23096330, upload-time = "2026-05-28T20:39:01.284Z" }, + { url = "https://files.pythonhosted.org/packages/fe/95/42b6137c5de06278d229c7eef2f314df2a738cd799795bbb44dace21bd6e/uv-0.11.17-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:f2e44dfbfc7778d0d90edc6738f237c91e5e37e4e3cfe94c8a312cec56a41485", size = 23101906, upload-time = "2026-05-28T20:39:17.149Z" }, + { url = "https://files.pythonhosted.org/packages/17/7c/0ca03b2d19965db6d5dfe0c8cf96a3d0b424503c8cbc3cd2ffdc5869a15d/uv-0.11.17-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1a817eeb3026f27a53d3f4b7855a5105f6787dd192140e201eda4d2b9a11b72e", size = 24444409, upload-time = "2026-05-28T20:39:59.218Z" }, + { url = "https://files.pythonhosted.org/packages/b5/fb/179f55a3b19d47c30ec1f41b9b964da74dfa7053ff310a70a9c4d8cb998d/uv-0.11.17-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bf8f5ad959583dcd2c4ae445c754a97c05700246ff89259f3fd285c9c20f4c00", size = 25540153, upload-time = "2026-05-28T20:39:09.535Z" }, + { url = "https://files.pythonhosted.org/packages/f7/29/592f42012765c43ae45c112110e214bca7b0cfc08c4c1b52e1dfa47dedd5/uv-0.11.17-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ce16892a45134d20165c1ceababe06f3e9ce6a58902db1eff812c8c93626823f", size = 24665906, upload-time = "2026-05-28T20:39:41.254Z" }, + { url = "https://files.pythonhosted.org/packages/0e/51/b75808766f895248553c6370968509cd4f726e6943e310a8f7a171036ad0/uv-0.11.17-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9da839e5a491c9a701d7d327a199cafc76ac27a03ac84fd2a8d4bf32c3af2448", size = 24863325, upload-time = "2026-05-28T20:39:51.006Z" }, + { url = "https://files.pythonhosted.org/packages/ee/6a/6f27ee69e97f480104bb8ec335f04c2a12add98edfcc4844a68e9538b6e2/uv-0.11.17-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:ec004b3c9bf9cb7756067ad1bd0bf64eb843e6fa2edbfbb3135ee152c14cea91", size = 23521674, upload-time = "2026-05-28T20:38:55.869Z" }, + { url = "https://files.pythonhosted.org/packages/df/11/1344aca7c710f794750f74de0e552a54ab24193ecc01fa3b3ae22ff822a1/uv-0.11.17-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:659227cac719b618cc91e02be9e274ad5bd72d74fa278123e6373537e9f28216", size = 24224725, upload-time = "2026-05-28T20:39:32.945Z" }, + { url = "https://files.pythonhosted.org/packages/ad/44/7b11550c1453ea13b81e549c83523e6ab6ed3231d09b2fd6b9eb19acceaf/uv-0.11.17-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:e301d844eed9401f0f0351de12c55f1306ca05372acb0f28d35717c8ba663a22", size = 24301643, upload-time = "2026-05-28T20:39:45.183Z" }, + { url = "https://files.pythonhosted.org/packages/1a/36/8f683bc60547b8f93d0e752a8574d13fad776999cb978482b360c053ca22/uv-0.11.17-py3-none-musllinux_1_1_i686.whl", hash = "sha256:f0bf483c0d9fa14283992d56061b498b9d3d4adebd285af8744dc33f64dadfba", size = 23786049, upload-time = "2026-05-28T20:39:20.999Z" }, + { url = "https://files.pythonhosted.org/packages/10/dc/7a495db39c2970de4fa375c337dbd617b16780911f88f0511f8fe7f6747c/uv-0.11.17-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:2ccd5487a4a192bc832ea04c867a26883757db8fdfe88bed85d8129c82f9e505", size = 25049786, upload-time = "2026-05-28T20:40:03.292Z" }, + { url = "https://files.pythonhosted.org/packages/37/dd/74eff72d749eaf7e19f489878e21a368a7fef58d26ea0c63ec044ecd78b1/uv-0.11.17-py3-none-win32.whl", hash = "sha256:12b701fa32c5be3691759a73956e4462f30fa7b0dfa52ec66cb305bbb6ea4129", size = 22479213, upload-time = "2026-05-28T20:39:13.316Z" }, + { url = "https://files.pythonhosted.org/packages/79/99/8af4a92b99a8a4823297c26df727fe957267e03e1196e3caa803c3f6ccb2/uv-0.11.17-py3-none-win_amd64.whl", hash = "sha256:44ec1fe3af839f87370dcf0400c0cab917cc1ce697d563e860fc7d9ed72655e7", size = 25083161, upload-time = "2026-05-28T20:40:07.931Z" }, + { url = "https://files.pythonhosted.org/packages/00/76/a689077832d585d29d87f9cd0d65eca1af58abd29a4eab004d0a8a858b9c/uv-0.11.17-py3-none-win_arm64.whl", hash = "sha256:37c915bfcf86f99c1c5be7c9ed21e0d80624067ba47bc8916a3cb0530bc94d27", size = 23544936, upload-time = "2026-05-28T20:39:37.137Z" }, ] [[package]] name = "virtualenv" -version = "20.36.1" +version = "21.4.2" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "distlib" }, { name = "filelock" }, { name = "platformdirs" }, - { name = "typing-extensions", marker = "python_full_version < '3.11'" }, + { name = "python-discovery" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/aa/a3/4d310fa5f00863544e1d0f4de93bddec248499ccf97d4791bc3122c9d4f3/virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba", size = 6032239, upload-time = "2026-01-09T18:21:01.296Z" } +sdist = { url = "https://files.pythonhosted.org/packages/e1/0d/4e93c8e6d1001a75763f87d8f5ecda8ebc7f4aa2153dddfaf4ae8892821a/virtualenv-21.4.2.tar.gz", hash = "sha256:38e6ee0a555615c0ea9da2ac7e9998fe8dc3b911dd33ad8eaad2020957653b0c", size = 7613326, upload-time = "2026-05-31T17:01:22.827Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/6a/2a/dc2228b2888f51192c7dc766106cd475f1b768c10caaf9727659726f7391/virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f", size = 6008258, upload-time = "2026-01-09T18:20:59.425Z" }, + { url = "https://files.pythonhosted.org/packages/bf/c4/557dc082be035381b85fdb2b74e21d3d21b57750b74f2b47a32f3a639ff9/virtualenv-21.4.2-py3-none-any.whl", hash = "sha256:854210ca524a1a4d0d744734f4acbc721c3ffe163b85bbf5d56d14d5ae2f0fae", size = 7594079, upload-time = "2026-05-31T17:01:20.735Z" }, ] [[package]] @@ -1507,9 +1531,6 @@ version = "6.0.0" source = { registry = "https://pypi.org/simple" } sdist = { url = "https://files.pythonhosted.org/packages/db/7d/7f3d619e951c88ed75c6037b246ddcf2d322812ee8ea189be89511721d54/watchdog-6.0.0.tar.gz", hash = "sha256:9ddf7c82fda3ae8e24decda1338ede66e1c99883db93711d8fb941eaa2d8c282", size = 131220, upload-time = "2024-11-01T14:07:13.037Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/0c/56/90994d789c61df619bfc5ce2ecdabd5eeff564e1eb47512bd01b5e019569/watchdog-6.0.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d1cdb490583ebd691c012b3d6dae011000fe42edb7a82ece80965b42abd61f26", size = 96390, upload-time = "2024-11-01T14:06:24.793Z" }, - { url = "https://files.pythonhosted.org/packages/55/46/9a67ee697342ddf3c6daa97e3a587a56d6c4052f881ed926a849fcf7371c/watchdog-6.0.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:bc64ab3bdb6a04d69d4023b29422170b74681784ffb9463ed4870cf2f3e66112", size = 88389, upload-time = "2024-11-01T14:06:27.112Z" }, - { url = "https://files.pythonhosted.org/packages/44/65/91b0985747c52064d8701e1075eb96f8c40a79df889e59a399453adfb882/watchdog-6.0.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c897ac1b55c5a1461e16dae288d22bb2e412ba9807df8397a635d88f671d36c3", size = 89020, upload-time = "2024-11-01T14:06:29.876Z" }, { url = "https://files.pythonhosted.org/packages/e0/24/d9be5cd6642a6aa68352ded4b4b10fb0d7889cb7f45814fb92cecd35f101/watchdog-6.0.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6eb11feb5a0d452ee41f824e271ca311a09e250441c262ca2fd7ebcf2461a06c", size = 96393, upload-time = "2024-11-01T14:06:31.756Z" }, { url = "https://files.pythonhosted.org/packages/63/7a/6013b0d8dbc56adca7fdd4f0beed381c59f6752341b12fa0886fa7afc78b/watchdog-6.0.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ef810fbf7b781a5a593894e4f439773830bdecb885e6880d957d5b9382a960d2", size = 88392, upload-time = "2024-11-01T14:06:32.99Z" }, { url = "https://files.pythonhosted.org/packages/d1/40/b75381494851556de56281e053700e46bff5b37bf4c7267e858640af5a7f/watchdog-6.0.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:afd0fe1b2270917c5e23c2a65ce50c2a4abb63daafb0d419fde368e272a76b7c", size = 89019, upload-time = "2024-11-01T14:06:34.963Z" }, @@ -1519,8 +1540,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/68/98/b0345cabdce2041a01293ba483333582891a3bd5769b08eceb0d406056ef/watchdog-6.0.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:490ab2ef84f11129844c23fb14ecf30ef3d8a6abafd3754a6f75ca1e6654136c", size = 96480, upload-time = "2024-11-01T14:06:42.952Z" }, { url = "https://files.pythonhosted.org/packages/85/83/cdf13902c626b28eedef7ec4f10745c52aad8a8fe7eb04ed7b1f111ca20e/watchdog-6.0.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:76aae96b00ae814b181bb25b1b98076d5fc84e8a53cd8885a318b42b6d3a5134", size = 88451, upload-time = "2024-11-01T14:06:45.084Z" }, { url = "https://files.pythonhosted.org/packages/fe/c4/225c87bae08c8b9ec99030cd48ae9c4eca050a59bf5c2255853e18c87b50/watchdog-6.0.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:a175f755fc2279e0b7312c0035d52e27211a5bc39719dd529625b1930917345b", size = 89057, upload-time = "2024-11-01T14:06:47.324Z" }, - { url = "https://files.pythonhosted.org/packages/30/ad/d17b5d42e28a8b91f8ed01cb949da092827afb9995d4559fd448d0472763/watchdog-6.0.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:c7ac31a19f4545dd92fc25d200694098f42c9a8e391bc00bdd362c5736dbf881", size = 87902, upload-time = "2024-11-01T14:06:53.119Z" }, - { url = "https://files.pythonhosted.org/packages/5c/ca/c3649991d140ff6ab67bfc85ab42b165ead119c9e12211e08089d763ece5/watchdog-6.0.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:9513f27a1a582d9808cf21a07dae516f0fab1cf2d7683a742c498b93eedabb11", size = 88380, upload-time = "2024-11-01T14:06:55.19Z" }, { url = "https://files.pythonhosted.org/packages/a9/c7/ca4bf3e518cb57a686b2feb4f55a1892fd9a3dd13f470fca14e00f80ea36/watchdog-6.0.0-py3-none-manylinux2014_aarch64.whl", hash = "sha256:7607498efa04a3542ae3e05e64da8202e58159aa1fa4acddf7678d34a35d4f13", size = 79079, upload-time = "2024-11-01T14:06:59.472Z" }, { url = "https://files.pythonhosted.org/packages/5c/51/d46dc9332f9a647593c947b4b88e2381c8dfc0942d15b8edc0310fa4abb1/watchdog-6.0.0-py3-none-manylinux2014_armv7l.whl", hash = "sha256:9041567ee8953024c83343288ccc458fd0a2d811d6a0fd68c4c22609e3490379", size = 79078, upload-time = "2024-11-01T14:07:01.431Z" }, { url = "https://files.pythonhosted.org/packages/d4/57/04edbf5e169cd318d5f07b4766fee38e825d64b6913ca157ca32d1a42267/watchdog-6.0.0-py3-none-manylinux2014_i686.whl", hash = "sha256:82dc3e3143c7e38ec49d61af98d6558288c415eac98486a5c581726e0737c00e", size = 79076, upload-time = "2024-11-01T14:07:02.568Z" },