Reachability analysis improvements (#709)

* use shared performReachabilityAnalysis for socket scan create --reach

* add API Token Requirements to socket scan reach help description

* use reachabilityReport instead of scanPaths for ReachabilityAnalysisResult

* remove --reach-continue-on-failing-projects since it's now the default behaviour

* upgrade coana CLI to version 14.11.10

* use the new Coana CLI flag --purl-types instead of computing --reach-ecosystems to legacy Coana-compatible advisory ecosystems

Author: mtorp

package-lock.json

@@ -84,7 +84,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.3",
     "@biomejs/biome": "2.2.0",
-    "@coana-tech/cli": "14.11.8",
+    "@coana-tech/cli": "14.11.10",
     "@cyclonedx/cdxgen": "11.5.0",
     "@dotenvx/dotenvx": "1.48.4",
     "@eslint/compat": "1.3.2",

package.json

@@ -39,7 +39,6 @@ export async function handleCi(autoManifest: boolean): Promise<void> {
     pullRequest: 0,
     reach: {
       runReachabilityAnalysis: false,
-      reachContinueOnFailingProjects: false,
       reachDisableAnalytics: false,
       reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,

src/commands/ci/handle-ci.mts

@@ -218,7 +218,6 @@ async function run(
     reach,
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
-    reachContinueOnFailingProjects,
     reachDisableAnalytics,
     readOnly,
     setAsAlertsPage: pendingHeadFlag,
@@ -241,7 +240,6 @@ async function run(
     reach: boolean
     reachAnalysisTimeout: number
     reachAnalysisMemoryLimit: number
-    reachContinueOnFailingProjects: boolean
     reachDisableAnalytics: boolean
   }
 
@@ -467,13 +465,6 @@ async function run(
       message: 'The --reachEcosystems flag requires --reach to be set',
       fail: 'missing --reach flag',
     },
-    {
-      nook: true,
-      test: reach || !reachContinueOnFailingProjects,
-      message:
-        'The --reachContinueOnFailingProjects flag requires --reach to be set',
-      fail: 'missing --reach flag',
-    },
     {
       nook: true,
       test: reach || !reachExcludePaths.length,
@@ -505,7 +496,6 @@ async function run(
     pullRequest: Number(pullRequest),
     reach: {
       runReachabilityAnalysis: Boolean(reach),
-      reachContinueOnFailingProjects: Boolean(reachContinueOnFailingProjects),
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),

src/commands/scan/cmd-scan-create.mts

@@ -45,7 +45,6 @@ describe('socket scan create', async () => {
           Reachability Options (when --reach is used)
             --reach-analysis-memory-limit  The maximum memory in MB to use for the reachability analysis. The default is 8192MB.
             --reach-analysis-timeout  Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.
-            --reach-continue-on-failing-projects  Continue reachability analysis even when some projects/workspaces fail. Default is to crash the CLI at the first failing project/workspace.
             --reach-disable-analytics  Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
@@ -285,37 +284,6 @@ describe('socket scan create', async () => {
     },
   )
 
-  cmdit(
-    [
-      'scan',
-      'create',
-      '--org',
-      'fakeOrg',
-      'target',
-      '--dry-run',
-      '--repo',
-      'xyz',
-      '--branch',
-      'abc',
-      '--reach-continue-on-failing-projects',
-      '--config',
-      '{"apiToken":"fakeToken"}',
-    ],
-    'should fail when --reach-continue-on-failing-projects is used without --reach',
-    async cmd => {
-      const { code, stderr, stdout } = await invokeNpm(binCliPath, cmd)
-      const output = stdout + stderr
-      expect(output).toContain(
-        'The --reachContinueOnFailingProjects flag requires --reach to be set',
-      )
-      expect(output).toContain('missing --reach flag')
-      expect(
-        code,
-        'should exit with non-zero code when validation fails',
-      ).not.toBe(0)
-    },
-  )
-
   cmdit(
     [
       'scan',
@@ -394,39 +362,6 @@ describe('socket scan create', async () => {
       '--branch',
       'abc',
       '--reach',
-      '--reach-continue-on-failing-projects',
-      '--reach-disable-analytics',
-      '--reach-analysis-memory-limit',
-      '4096',
-      '--reach-analysis-timeout',
-      '3600',
-      '--reach-ecosystems',
-      'npm',
-      '--config',
-      '{"apiToken":"fakeToken"}',
-    ],
-    'should succeed when all reachability options including reachContinueOnFailingProjects are used with --reach',
-    async cmd => {
-      const { code, stdout } = await invokeNpm(binCliPath, cmd)
-      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
-      expect(code, 'should exit with code 0 when all flags are valid').toBe(0)
-    },
-  )
-
-  cmdit(
-    [
-      'scan',
-      'create',
-      '--org',
-      'fakeOrg',
-      'target',
-      '--dry-run',
-      '--repo',
-      'xyz',
-      '--branch',
-      'abc',
-      '--reach',
-      '--reach-continue-on-failing-projects',
       '--reach-disable-analytics',
       '--reach-analysis-memory-limit',
       '4096',

src/commands/scan/cmd-scan-create.test.mts

@@ -50,6 +50,10 @@ const config: CliCommandConfig = {
     Usage
       $ ${command} [options] [CWD=.]
 
+    API Token Requirements
+      - Quota: 1 unit
+      - Permissions: full-scans:create
+
     Options
       ${getFlagListOutput(generalFlags)}
 
@@ -96,7 +100,6 @@ async function run(
     org: orgFlag,
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
-    reachContinueOnFailingProjects,
     reachDisableAnalytics,
   } = cli.flags as {
     cwd: string
@@ -106,7 +109,6 @@ async function run(
     org: string
     reachAnalysisTimeout: number
     reachAnalysisMemoryLimit: number
-    reachContinueOnFailingProjects: boolean
     reachDisableAnalytics: boolean
   }
 
@@ -183,7 +185,6 @@ async function run(
     targets,
     interactive,
     reachabilityOptions: {
-      reachContinueOnFailingProjects: Boolean(reachContinueOnFailingProjects),
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),

src/commands/scan/cmd-scan-reach.mts

@@ -18,6 +18,10 @@ describe('socket scan reach', async () => {
           Usage
             $ socket scan reach [options] [CWD=.]
 
+          API Token Requirements
+            - Quota: 1 unit
+            - Permissions: full-scans:create
+
           Options
             --cwd               working directory, defaults to process.cwd()
             --json              Output result as json
@@ -27,7 +31,6 @@ describe('socket scan reach', async () => {
           Reachability Options
             --reach-analysis-memory-limit  The maximum memory in MB to use for the reachability analysis. The default is 8192MB.
             --reach-analysis-timeout  Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.
-            --reach-continue-on-failing-projects  Continue reachability analysis even when some projects/workspaces fail. Default is to crash the CLI at the first failing project/workspace.
             --reach-disable-analytics  Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
@@ -206,25 +209,6 @@ describe('socket scan reach', async () => {
     },
   )
 
-  cmdit(
-    [
-      'scan',
-      'reach',
-      '--dry-run',
-      '--reach-continue-on-failing-projects',
-      '--org',
-      'fakeOrg',
-      '--config',
-      '{"apiToken":"fakeToken"}',
-    ],
-    'should accept --reach-continue-on-failing-projects flag',
-    async cmd => {
-      const { code, stdout } = await invokeNpm(binCliPath, cmd)
-      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
-      expect(code, 'should exit with code 0').toBe(0)
-    },
-  )
-
   cmdit(
     [
       'scan',
@@ -279,7 +263,6 @@ describe('socket scan reach', async () => {
       '3600',
       '--reach-ecosystems',
       'npm,pypi',
-      '--reach-continue-on-failing-projects',
       '--reach-exclude-paths',
       'node_modules,dist',
       '--org',

src/commands/scan/cmd-scan-reach.test.mts

@@ -241,7 +241,6 @@ async function scanOneRepo(
     pullRequest: 0,
     reach: {
       runReachabilityAnalysis: false,
-      reachContinueOnFailingProjects: false,
       reachDisableAnalytics: false,
       reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,