Merge pull request #311 from SocketDev/add-sbom

Add `socket manifest <lang>` including scala as first lang

Author: pvdz

README.md

@@ -86,6 +86,19 @@ use of the `projectIgnorePaths` to excludes files when creating a report.
 
 ## Contributing
 
+### Setup
+
+To run dev locally you can run these steps
+
+```
+npm install
+npm run build:dist
+npm exec socket
+```
+
+That should invoke it from local sources. If you make changes you run
+`build:dist` again.
+
 ### Environment variables for development
 
 - `SOCKET_SECURITY_API_BASE_URL` - if set, this will be the base for all

src/commands/index.ts

@@ -19,3 +19,4 @@ export * from './dependencies'
 export * from './analytics'
 export * from './diff-scan'
 export * from './threat-feed'
+export * from './manifest'

src/commands/manifest/auto.ts

@@ -0,0 +1,78 @@
+import fs from 'node:fs'
+
+import meow from 'meow'
+
+import { scala } from './scala.ts'
+
+import type { CliSubcommand } from '../../utils/meow-with-subcommands'
+
+const description = 'Auto-detect build and attempt to generate manifest file'
+
+const help = (name: string) => `
+  Usage
+    $ ${name}
+
+  Tries to figure out what language your current repo uses. If it finds a
+  supported case then it will try to generate the manifest file for that
+  language with the default or detected settings.
+
+  This command takes no arguments except --verbose.
+`
+
+export const auto: CliSubcommand = {
+  description,
+  async run(argv, importMeta, { parentName }) {
+    // Allow `--verbose` to pass through
+    let verbose = false
+    const args = argv.filter(arg => {
+      if (arg === '--verbose') {
+        verbose = true
+        return false
+      }
+      return true
+    })
+
+    const name = `${parentName} auto`
+    if (args.length) {
+      // note: meow will exit if it prints the --help screen
+      meow(help(name), {
+        argv: ['--help'],
+        description,
+        importMeta
+      })
+    }
+
+    const subArgs = []
+    if (verbose) subArgs.push('--verbose', '1')
+    const scalaDir = '.'
+    if (fs.existsSync(scalaDir)) {
+      console.log(
+        'Detected a Scala sbt build, running default Scala generator...'
+      )
+      subArgs.push(scalaDir)
+      await scala.run(subArgs, importMeta, { parentName })
+      return
+    }
+
+    // Show new help screen and exit
+    meow(
+      `
+      $ ${name}
+
+      Unfortunately this script did not discover a supported language in the
+      current folder.
+
+      - Make sure this script would work with your target build
+      - Make sure to run it from the correct folder
+      - Make sure the necessary build tools are available (\`PATH\`)
+
+      If that doesn't work, see \`${name} <lang> --help\` for config details
+    `,
+      {
+        argv: ['--help'],
+        description,
+        importMeta
+      }
+    )
+  }
+}

src/commands/manifest/index.ts

@@ -0,0 +1,70 @@
+import meow from 'meow'
+
+import { auto } from './auto.ts'
+import { scala } from './scala'
+import { meowWithSubcommands } from '../../utils/meow-with-subcommands'
+
+import type { CliSubcommand } from '../../utils/meow-with-subcommands'
+
+const description = 'Generate a dependency manifest for given file or dir'
+const help = (name: string) => `
+  Usage
+
+    $ ${name} <language> <target>
+
+  Generates a declarative dependency manifest (like a package.json for Node.JS
+  or requirements.txt for PyPi), but for certain supported ecosystems
+  where it's common to use a dynamic manifest, like Scala's sbt.
+
+  Only certain languages are supported and there may be language specific
+  configurations available. See \`manifest <language> --help\` for usage details
+  per language.
+
+  Currently supported language: scala
+
+  Examples
+
+    $ ${name} scala .
+
+  To have it auto-detect and attempt to run:
+
+    $ ${name} yolo
+`
+
+export const manifest: CliSubcommand = {
+  description,
+  hidden: true,
+  async run(argv, importMeta, { parentName }) {
+    const name = `${parentName} manifest`
+
+    // Note: this won't catch `socket manifest -xyz --help` sort of cases which
+    //       would fallback to the default meow help behavior. That's fine.
+    if (argv.length === 0 || argv[0] === '--help') {
+      meow(help(name), {
+        argv: ['--help'] as const, // meow will exit() when --help is passed
+        description,
+        importMeta
+      })
+    }
+
+    await meowWithSubcommands(
+      {
+        scala,
+        auto
+      },
+      {
+        argv,
+        aliases: {
+          yolo: {
+            description: auto.description,
+            hidden: true,
+            argv: ['auto']
+          }
+        },
+        description,
+        importMeta,
+        name
+      }
+    )
+  }
+}