Use alert.fix property

Author: jdalton

src/constants.ts

@@ -57,17 +57,17 @@ type IPC = Readonly<{
 type Constants = Remap<
   Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {
     readonly 'Symbol(kInternalsSymbol)': Internals
+    readonly ALERT_FIX_TYPE_CVE: 'cve'
+    readonly ALERT_FIX_TYPE_UPGRADE: 'upgrade'
     readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'
     readonly ALERT_TYPE_CVE: 'cve'
     readonly ALERT_TYPE_MEDIUM_CVE: 'mediumCVE'
     readonly ALERT_TYPE_MILD_CVE: 'mildCVE'
-    readonly ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE: 'socketUpgradeAvailable'
     readonly API_V0_URL: 'https://api.socket.dev/v0/'
     readonly BINARY_LOCK_EXT: '.lockb'
     readonly BUN: 'bun'
     readonly CLI: 'cli'
     readonly CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER: 'firstPatchedVersionIdentifier'
-    readonly CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE: 'vulnerableVersionRange'
     readonly ENV: ENV
     readonly DIST_TYPE: 'module-sync' | 'require'
     readonly DRY_RUN_LABEL: '[DryRun]'
@@ -131,18 +131,18 @@ type Constants = Remap<
 const SOCKET = 'socket'
 const WITH_SENTRY = 'with-sentry'
 
+const ALERT_FIX_TYPE_CVE = 'cve'
+const ALERT_FIX_TYPE_UPGRADE = 'upgrade'
 const ALERT_TYPE_CRITICAL_CVE = 'criticalCVE'
 const ALERT_TYPE_CVE = 'cve'
 const ALERT_TYPE_MEDIUM_CVE = 'mediumCVE'
 const ALERT_TYPE_MILD_CVE = 'mildCVE'
-const ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE = 'socketUpgradeAvailable'
 const API_V0_URL = 'https://api.socket.dev/v0/'
 const BINARY_LOCK_EXT = '.lockb'
 const BUN = 'bun'
 const CLI = 'cli'
 const CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER =
   'firstPatchedVersionIdentifier'
-const CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE = 'vulnerableVersionRange'
 const DRY_RUN_LABEL = '[DryRun]'
 const DRY_RUN_BAIL_TEXT = `${DRY_RUN_LABEL}: Bailing now`
 const INLINED_SOCKET_CLI_LEGACY_BUILD = 'INLINED_SOCKET_CLI_LEGACY_BUILD'
@@ -304,17 +304,17 @@ const lazyZshRcPath = () =>
 
 const constants = createConstantsObject(
   {
+    ALERT_FIX_TYPE_CVE,
+    ALERT_FIX_TYPE_UPGRADE,
     ALERT_TYPE_CRITICAL_CVE,
     ALERT_TYPE_CVE,
     ALERT_TYPE_MEDIUM_CVE,
     ALERT_TYPE_MILD_CVE,
-    ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE,
     API_V0_URL,
     BINARY_LOCK_EXT,
     BUN,
     CLI,
     CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
-    CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE,
     // Lazily defined values are initialized as `undefined` to keep their key order.
     DIST_TYPE: undefined,
     DRY_RUN_LABEL,

src/utils/alert/artifact.ts

@@ -53,10 +53,7 @@ const {
   ALERT_TYPE_CRITICAL_CVE,
   ALERT_TYPE_CVE,
   ALERT_TYPE_MEDIUM_CVE,
-  ALERT_TYPE_MILD_CVE,
-  ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE,
-  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
-  CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE
+  ALERT_TYPE_MILD_CVE
 } = constants
 
 export function isArtifactAlertCve(
@@ -70,28 +67,3 @@ export function isArtifactAlertCve(
     type === ALERT_TYPE_CRITICAL_CVE
   )
 }
-
-export function isArtifactAlertCveFixable(
-  alert: CompactSocketArtifactAlert
-): alert is ArtifactAlertCveFixable {
-  if (!isArtifactAlertCve(alert)) {
-    return false
-  }
-  const { props } = alert
-  return (
-    !!props?.[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER] &&
-    !!props?.[CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE]
-  )
-}
-
-export function isArtifactAlertUpgrade(
-  alert: CompactSocketArtifactAlert
-): alert is ArtifactAlertUpgrade {
-  return alert.type === ALERT_TYPE_SOCKET_UPGRADE_AVAILABLE
-}
-
-export function isArtifactAlertFixable(
-  alert: CompactSocketArtifactAlert
-): alert is ArtifactAlertCveFixable | ArtifactAlertUpgrade {
-  return isArtifactAlertUpgrade(alert) || isArtifactAlertCveFixable(alert)
-}

src/utils/lockfile/package-lock-json.ts

@@ -13,14 +13,12 @@ import { DiffAction } from '../../shadow/npm/arborist/lib/arborist/types'
 import { Edge } from '../../shadow/npm/arborist/lib/edge'
 import { getPublicToken, setupSdk } from '../../utils/sdk'
 import { CompactSocketArtifact } from '../alert/artifact'
-import {
-  type AlertsByPkgId,
-  addArtifactToAlertsMap
-} from '../socket-package-alert'
+import { addArtifactToAlertsMap } from '../socket-package-alert'
 
 import type { Diff } from '../../shadow/npm/arborist/lib/arborist/types'
 import type { SafeEdge } from '../../shadow/npm/arborist/lib/edge'
 import type { SafeNode } from '../../shadow/npm/arborist/lib/node'
+import type { AlertsByPkgId } from '../socket-package-alert'
 import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 
 type Packument = Exclude<
@@ -203,6 +201,7 @@ export async function getAlertsMapFromArborist(
 ): Promise<AlertsByPkgId> {
   const { include: _include, spinner } = {
     __proto__: null,
+    consolidate: false,
     ...options
   } as GetAlertsMapFromArboristOptions
 
@@ -256,7 +255,8 @@ export async function getAlertsMapFromArborist(
   for await (const batchPackageFetchResult of socketSdk.batchPackageStream(
     {
       alerts: 'true',
-      compact: 'true'
+      compact: 'true',
+      fixable: include.unfixable ? 'false' : 'true'
     },
     {
       components: pkgIds.map(id => ({ purl: `pkg:npm/${id}` }))

src/utils/lockfile/pnpm-lock-yaml.ts

@@ -28,9 +28,20 @@ export async function getAlertsMapFromPnpmLockfile(
 ): Promise<AlertsByPkgId> {
   const { include: _include, spinner } = {
     __proto__: null,
+    consolidate: false,
     ...options
   } as GetAlertsMapFromPnpmLockfileOptions
 
+  const include = {
+    __proto__: null,
+    critical: true,
+    cve: true,
+    existing: false,
+    unfixable: true,
+    upgrade: false,
+    ..._include
+  } as AlertIncludeFilter
+
   const depTypes = detectDepTypes(lockfile)
   const pkgIds = Object.keys(depTypes)
 
@@ -53,7 +64,8 @@ export async function getAlertsMapFromPnpmLockfile(
   for await (const batchPackageFetchResult of socketSdk.batchPackageStream(
     {
       alerts: 'true',
-      compact: 'true'
+      compact: 'true',
+      fixable: include.unfixable ? 'false' : 'true'
     },
     {
       components: pkgIds.map(id => ({ purl: `pkg:npm/${id}` }))

src/utils/socket-package-alert.ts

@@ -6,12 +6,7 @@ import { hasOwn } from '@socketsecurity/registry/lib/objects'
 import { resolvePackageName } from '@socketsecurity/registry/lib/packages'
 import { naturalCompare } from '@socketsecurity/registry/lib/sorts'
 
-import {
-  CompactSocketArtifact,
-  isArtifactAlertCve,
-  isArtifactAlertCveFixable,
-  isArtifactAlertUpgrade
-} from './alert/artifact'
+import { CompactSocketArtifact, isArtifactAlertCve } from './alert/artifact'
 import { uxLookup } from './alert/rules'
 import { SEVERITY } from './alert/severity'
 import { ColorOrMarkdown } from './color-or-markdown'
@@ -34,7 +29,12 @@ export type SocketPackageAlert = {
 
 export type AlertsByPkgId = Map<string, SocketPackageAlert[]>
 
-const { CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER, NPM } = constants
+const {
+  ALERT_FIX_TYPE_CVE,
+  ALERT_FIX_TYPE_UPGRADE,
+  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
+  NPM
+} = constants
 
 const format = new ColorOrMarkdown(false)
 
@@ -62,6 +62,7 @@ export async function addArtifactToAlertsMap(
   if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
     return
   }
+
   const {
     consolidate = false,
     include: _include,
@@ -70,6 +71,7 @@ export async function addArtifactToAlertsMap(
     __proto__: null,
     ...options
   } as AddSocketArtifactAlertToAlertsMapOptions
+
   const include = {
     __proto__: null,
     critical: true,
@@ -79,6 +81,7 @@ export async function addArtifactToAlertsMap(
     upgrade: false,
     ..._include
   } as AlertIncludeFilter
+
   const name = resolvePackageName(artifact)
   const { version } = artifact
   const pkgId = `${name}@${version}`
@@ -90,10 +93,11 @@ export async function addArtifactToAlertsMap(
       package: { name, version },
       alert: { type: alert.type }
     })
+    const fixType = alert.fix?.type ?? ''
     const critical = alert.severity === SEVERITY.critical
     const cve = isArtifactAlertCve(alert)
-    const fixableCve = isArtifactAlertCveFixable(alert)
-    const fixableUpgrade = isArtifactAlertUpgrade(alert)
+    const fixableCve = fixType === ALERT_FIX_TYPE_CVE
+    const fixableUpgrade = fixType === ALERT_FIX_TYPE_UPGRADE
     const fixable = fixableCve || fixableUpgrade
     const upgrade = fixableUpgrade && !hasOwn(overrides, name)
     if (
@@ -130,11 +134,11 @@ export async function addArtifactToAlertsMap(
     >()
     const unfixableAlerts: SocketPackageAlert[] = []
     for (const sockPkgAlert of sockPkgAlerts) {
-      if (isArtifactAlertCveFixable(sockPkgAlert.raw)) {
+      const alert = sockPkgAlert.raw
+      const fixType = alert.fix?.type ?? ''
+      if (fixType === ALERT_FIX_TYPE_CVE) {
         const patchedVersion =
-          sockPkgAlert.raw.props[
-            CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER
-          ]
+          alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER]
         const patchedMajor = semver.major(patchedVersion)
         const oldHighest = highestForCve.get(patchedMajor)
         const highest = oldHighest?.version ?? '0.0.0'
@@ -144,7 +148,7 @@ export async function addArtifactToAlertsMap(
             version: patchedVersion
           })
         }
-      } else if (isArtifactAlertUpgrade(sockPkgAlert.raw)) {
+      } else if (fixType === ALERT_FIX_TYPE_UPGRADE) {
         const oldHighest = highestForUpgrade.get(major)
         const highest = oldHighest?.version ?? '0.0.0'
         if (semver.gt(version, highest)) {
@@ -192,12 +196,13 @@ export function getCveInfoByAlertsMap(
     ...({ __proto__: null, ...options } as GetCveInfoByPackageOptions).exclude
   }
   let infoByPkg: CveInfoByPkgId | null = null
-  for (const [pkgId, alerts] of alertsMap) {
+  for (const [pkgId, sockPkgAlerts] of alertsMap) {
     const purlObj = PackageURL.fromString(`pkg:npm/${pkgId}`)
     const name = resolvePackageName(purlObj)
-    for (const alert of alerts) {
+    for (const sockPkgAlert of sockPkgAlerts) {
+      const alert = sockPkgAlert.raw
       if (
-        !isArtifactAlertCveFixable(alert.raw) ||
+        alert.fix?.type !== ALERT_FIX_TYPE_CVE ||
         (exclude.upgrade && getManifestData(NPM, name))
       ) {
         continue
@@ -211,7 +216,7 @@ export function getCveInfoByAlertsMap(
         infoByPkg.set(name, infos)
       }
       const { firstPatchedVersionIdentifier, vulnerableVersionRange } =
-        alert.raw.props
+        alert.props
       infos.push({
         firstPatchedVersionIdentifier,
         vulnerableVersionRange: new semver.Range(