refactor(fix): use find-vulnerabilities for GHSA discovery

Ported from v1.x commit cdd5971 (#958)

- Replace compute-fixes-and-upgrade-purls discovery with simpler find-vulnerabilities command
- Parse GHSA IDs from JSON output on stdout instead of temp file
- Remove temp file creation/cleanup for discovery
- Add error handling for JSON parsing
- Simplify discovery logic with direct stdout parsing

The find-vulnerabilities command is more efficient and cleaner than using
compute-fixes-and-upgrade-purls with --output-file for discovery.

Based on PR #958

Author: jdalton

packages/cli/src/commands/fix/coana-fix.mts

@@ -148,7 +148,7 @@ export async function coanaFix(
     }
   }
 
-  const shouldDiscoverGhsaIds = all || !ghsas.length
+  const shouldDiscoverGhsaIds = all || !ghsas.length || (ghsas.length === 1 && ghsas[0] === 'all')
 
   const shouldOpenPrs = fixEnv.isCi && fixEnv.repoInfo
 
@@ -180,9 +180,9 @@ export async function coanaFix(
       }
     }
 
-    // In local mode, process all discovered/provided IDs (no limit).
-    const ids = shouldDiscoverGhsaIds ? ['all'] : ghsas
-    if (!ids.length) {
+    // In local mode, apply limit to provided IDs.
+    const idsToProcess = shouldDiscoverGhsaIds ? ['all'] : ghsas.slice(0, prLimit)
+    if (!idsToProcess.length) {
       spinner?.stop()
       return { ok: true, data: { fixed: false } }
     }
@@ -199,7 +199,7 @@ export async function coanaFix(
           '--manifests-tar-hash',
           tarHash,
           '--apply-fixes-to',
-          ...ids,
+          ...idsToProcess,
           ...(fixConfig.rangeStyle
             ? ['--range-style', fixConfig.rangeStyle]
             : []),
@@ -271,52 +271,31 @@ export async function coanaFix(
 
   let ids: string[] | undefined
 
-  // When shouldDiscoverGhsaIds is true, discover vulnerabilities by running coana with --output-file.
+  // When shouldDiscoverGhsaIds is true, discover vulnerabilities using find-vulnerabilities command.
   // This gives us the GHSA IDs needed to create individual PRs in CI mode.
   if (shouldSpawnCoana && shouldDiscoverGhsaIds) {
-    const discoverTmpFile = path.join(
-      os.tmpdir(),
-      `socket-discover-${Date.now()}.json`,
-    )
-
     try {
       const discoverCResult = await spawnCoanaDlx(
-        [
-          'compute-fixes-and-upgrade-purls',
-          cwd,
-          '--manifests-tar-hash',
-          tarHash,
-          '--show-affected-direct-dependencies',
-          '--output-file',
-          discoverTmpFile,
-          ...(fixConfig.rangeStyle
-            ? ['--range-style', fixConfig.rangeStyle]
-            : []),
-          ...(minimumReleaseAge
-            ? ['--minimum-release-age', minimumReleaseAge]
-            : []),
-          ...(include.length ? ['--include', ...include] : []),
-          ...(exclude.length ? ['--exclude', ...exclude] : []),
-          ...(disableMajorUpdates ? ['--disable-major-updates'] : []),
-          ...fixConfig.unknownFlags,
-        ],
+        ['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash],
         fixConfig.orgSlug,
-        { coanaVersion, cwd, spinner, stdio: coanaStdio },
+        { coanaVersion, cwd, spinner },
+        { stdio: 'pipe' },
       )
 
       if (discoverCResult.ok) {
-        const discoverResult = readJsonSync(discoverTmpFile, { throws: false })
-        // Extract GHSA IDs from the discovery result.
-        // When compute-fixes-and-upgrade-purls is called without --apply-fixes-to,
-        // it returns { type: 'no-ghsas-fix-requested', ghsas: [...] }
-        const discoveredIds = Array.isArray((discoverResult as any)?.ghsas)
-          ? (discoverResult as any).ghsas
-          : []
+        // Coana prints ghsaIds as json-formatted string on the final line of the output.
+        const discoveredIds: string[] = []
+        try {
+          const ghsaIdsRaw = discoverCResult.data.trim().split('\n').pop()
+          if (ghsaIdsRaw) {
+            discoveredIds.push(...JSON.parse(ghsaIdsRaw))
+          }
+        } catch (e) {
+          debug('Failed to parse GHSA IDs from find-vulnerabilities output')
+          debugDir(e)
+        }
         ids = discoveredIds.slice(0, adjustedLimit)
       }
-
-      // Clean up discovery temp file.
-      await cleanupTempFile(discoverTmpFile)
     } catch (e) {
       debug('Failed to discover vulnerabilities')
       debugDir(e)

packages/cli/test/unit/commands/fix/handle-fix-limit.test.mts

@@ -208,7 +208,7 @@ describe('socket fix --limit behavior verification', () => {
       const result = await coanaFix({
         ...baseConfig,
         ghsas,
-        limit: 3,
+        prLimit: 3,
       })
 
       expect(result.ok).toBe(true)
@@ -242,7 +242,7 @@ describe('socket fix --limit behavior verification', () => {
       const result = await coanaFix({
         ...baseConfig,
         ghsas,
-        limit: 10,
+        prLimit: 10,
       })
 
       expect(result.ok).toBe(true)
@@ -267,7 +267,7 @@ describe('socket fix --limit behavior verification', () => {
       const result = await coanaFix({
         ...baseConfig,
         ghsas,
-        limit: 0,
+        prLimit: 0,
       })
 
       expect(result.ok).toBe(true)
@@ -286,7 +286,7 @@ describe('socket fix --limit behavior verification', () => {
       const result = await coanaFix({
         ...baseConfig,
         ghsas: ['all'],
-        limit: 10,
+        prLimit: 10,
       })
 
       expect(result.ok).toBe(true)
@@ -325,13 +325,10 @@ describe('socket fix --limit behavior verification', () => {
         'GHSA-dddd-dddd-dddd',
       ]
 
-      // Mock discovery call result with proper ghsas format.
-      mockReadJsonSync.mockReturnValueOnce({ ghsas })
-
-      // Discovery call writes to output file.
+      // Mock discovery call result with JSON output on last line.
       mockSpawnCoanaDlx.mockResolvedValueOnce({
         ok: true,
-        data: '',
+        data: `Some discovery output\n${JSON.stringify(ghsas)}`,
       })
 
       // Subsequent calls are for individual GHSA fixes.
@@ -345,10 +342,12 @@ describe('socket fix --limit behavior verification', () => {
         data: ['package.json'],
       })
 
+      mockReadJsonSync.mockReturnValue({ fixed: true })
+
       const result = await coanaFix({
         ...baseConfig,
         ghsas: ['all'],
-        limit: 2,
+        prLimit: 2,
       })
 
       expect(result.ok).toBe(true)
@@ -372,13 +371,10 @@ describe('socket fix --limit behavior verification', () => {
       // Second call returns no open PRs for specific GHSAs.
       mockGetSocketFixPrs.mockResolvedValue([])
 
-      // Mock discovery call result with proper ghsas format.
-      mockReadJsonSync.mockReturnValueOnce({ ghsas })
-
-      // Discovery call writes to output file.
+      // Mock discovery call result with JSON output on last line.
       mockSpawnCoanaDlx.mockResolvedValueOnce({
         ok: true,
-        data: '',
+        data: `Some discovery output\n${JSON.stringify(ghsas)}`,
       })
 
       mockSpawnCoanaDlx.mockResolvedValue({
@@ -391,10 +387,12 @@ describe('socket fix --limit behavior verification', () => {
         data: ['package.json'],
       })
 
+      mockReadJsonSync.mockReturnValue({ fixed: true })
+
       const result = await coanaFix({
         ...baseConfig,
         ghsas: ['all'],
-        limit: 3,
+        prLimit: 3,
       })
 
       expect(result.ok).toBe(true)
@@ -417,7 +415,7 @@ describe('socket fix --limit behavior verification', () => {
       const result = await coanaFix({
         ...baseConfig,
         ghsas: ['all'],
-        limit: 3,
+        prLimit: 3,
       })
 
       expect(result.ok).toBe(true)
@@ -446,7 +444,7 @@ describe('socket fix --limit behavior verification', () => {
       const result = await coanaFix({
         ...baseConfig,
         ghsas,
-        limit: 2,
+        prLimit: 2,
       })
 
       expect(result.ok).toBe(true)
@@ -474,7 +472,7 @@ describe('socket fix --limit behavior verification', () => {
       const result = await coanaFix({
         ...baseConfig,
         ghsas,
-        limit: 1,
+        prLimit: 1,
       })
 
       expect(result.ok).toBe(true)