In light of recent findings, rename to socket package shallow

Author: pvdz

…mmands/package/cmd-package-score.test.ts …ands/package/cmd-package-shallow.test.tssrc/commands/package/cmd-package-score.test.ts renamed to src/commands/package/cmd-package-shallow.test.ts src/commands/package/cmd-package-score.test.ts renamed to src/commands/package/cmd-package-shallow.test.ts

@@ -7,63 +7,72 @@ import { cmdit, invokeNpm } from '../../../test/utils'
 
 const { CLI } = constants
 
-describe('socket package score', async () => {
+describe('socket package shallow', async () => {
   // Lazily access constants.rootBinPath.
   const entryPath = path.join(constants.rootBinPath, `${CLI}.js`)
 
-  cmdit(['package', 'score', '--help'], 'should support --help', async cmd => {
-    const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
-    expect(stdout).toMatchInlineSnapshot(
-      `
-      "Look up info regarding a package
+  cmdit(
+    ['package', 'shallow', '--help'],
+    'should support --help',
+    async cmd => {
+      const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(
+        `
+      "Look up info regarding one or more packages but not their transitives
 
         Usage
-          $ socket package score <<ecosystem> <name> [<name> ...] | <purl> [<purl> ...]>
+          $ socket package shallow <<ecosystem> <name> [<name> ...] | <purl> [<purl> ...]>
 
         Options
           --dryRun          Do input validation for a command and exit 0 when input is ok
           --help            Print this help.
           --json            Output result as json
           --markdown        Output result as markdown
 
-        Show scoring details for one or more packages.
+        Requirements
+          - quota: 100
+          - scope: \`packages:list\`
+
+        Show scoring details for one or more packages purely based on their own package.
+        This means that any dependency scores are not reflected by the score. You can
+        use the \`socket package score <pkg>\` command to get its full transitive score.
+
         Only a few ecosystems are supported like npm, golang, and maven.
 
-        A "purl" is a standard package formatting: \`pkg:eco/name@version\`
-        The "pkg:" prefix is automatically prepended when not present.
+        A "purl" is a standard package name formatting: \`pkg:eco/name@version\`
+        This command will automatically prepend "pkg:" when not present.
 
         If the first arg is an ecosystem, remaining args that are not a purl are
-        assumed to be scoped in that ecosystem or to be purls.
-
-        This command takes 100 quota units (regardless of arg count).
-        This command requires \`packages:list\` scope access on your API token.
+        assumed to be scoped to that ecosystem.
 
         Examples
-          $ socket package score npm webtorrent
-          $ socket package score npm webtorrent@1.9.1
-          $ socket package score npm/webtorrent@1.9.1
-          $ socket package score pkg:npm/webtorrent@1.9.1
-          $ socket package score maven webtorrent babel
-          $ socket package score npm/webtorrent golang/babel
-          $ socket package score npm npm/webtorrent@1.0.1 babel"
+          $ socket package shallow npm webtorrent
+          $ socket package shallow npm webtorrent@1.9.1
+          $ socket package shallow npm/webtorrent@1.9.1
+          $ socket package shallow pkg:npm/webtorrent@1.9.1
+          $ socket package shallow maven webtorrent babel
+          $ socket package shallow npm/webtorrent golang/babel
+          $ socket package shallow npm npm/webtorrent@1.0.1 babel"
     `
-    )
-    expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+      )
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
       "
          _____         _       _        /---------------
         |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
         |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
-        |_____|___|___|_,_|___|_|.dev   | Command: \`socket package score\`, cwd: <redacted>"
+        |_____|___|___|_,_|___|_|.dev   | Command: \`socket package shallow\`, cwd: <redacted>"
     `)
 
-    expect(code, 'help should exit with code 2').toBe(2)
-    expect(stderr, 'header should include command (without params)').toContain(
-      '`socket package score`'
-    )
-  })
+      expect(code, 'help should exit with code 2').toBe(2)
+      expect(
+        stderr,
+        'header should include command (without params)'
+      ).toContain('`socket package shallow`')
+    }
+  )
 
   cmdit(
-    ['package', 'score', '--dry-run'],
+    ['package', 'shallow', '--dry-run'],
     'should require args with just dry-run',
     async cmd => {
       const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
@@ -73,7 +82,7 @@ describe('socket package score', async () => {
            _____         _       _        /---------------
           |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
           |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
-          |_____|___|___|_,_|___|_|.dev   | Command: \`socket package score\`, cwd: <redacted>
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket package shallow\`, cwd: <redacted>
 
         \\x1b[31m\\xd7\\x1b[39m \\x1b[41m\\x1b[37mInput error\\x1b[39m\\x1b[49m: Please provide the required fields:
 
@@ -87,7 +96,7 @@ describe('socket package score', async () => {
   )
 
   cmdit(
-    ['package', 'score', 'npm', 'babel', '--dry-run'],
+    ['package', 'shallow', 'npm', 'babel', '--dry-run'],
     'should require args with just dry-run',
     async cmd => {
       const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
@@ -97,7 +106,7 @@ describe('socket package score', async () => {
            _____         _       _        /---------------
           |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
           |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
-          |_____|___|___|_,_|___|_|.dev   | Command: \`socket package score\`, cwd: <redacted>"
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket package shallow\`, cwd: <redacted>"
       `)
 
       expect(code, 'dry-run should exit with code 0 if input ok').toBe(0)

src/commands/package/cmd-package-score.ts …/commands/package/cmd-package-shallow.tssrc/commands/package/cmd-package-score.ts renamed to src/commands/package/cmd-package-shallow.ts src/commands/package/cmd-package-score.ts renamed to src/commands/package/cmd-package-shallow.ts

@@ -14,9 +14,10 @@ import type { CliCommandConfig } from '../../utils/meow-with-subcommands'
 const { DRY_RUN_BAIL_TEXT } = constants
 
 const config: CliCommandConfig = {
-  commandName: 'score',
-  description: 'Look up info regarding a package',
-  hidden: false,
+  commandName: 'shallow',
+  description:
+    'Look up info regarding one or more packages but not their transitives',
+  hidden: true,
   flags: {
     ...commonFlags,
     ...outputFlags
@@ -28,17 +29,21 @@ const config: CliCommandConfig = {
     Options
       ${getFlagListOutput(config.flags, 6)}
 
-    Show scoring details for one or more packages.
+    Requirements
+      - quota: 100
+      - scope: \`packages:list\`
+
+    Show scoring details for one or more packages purely based on their own package.
+    This means that any dependency scores are not reflected by the score. You can
+    use the \`socket package score <pkg>\` command to get its full transitive score.
+
     Only a few ecosystems are supported like npm, golang, and maven.
 
-    A "purl" is a standard package formatting: \`pkg:eco/name@version\`
-    The "pkg:" prefix is automatically prepended when not present.
+    A "purl" is a standard package name formatting: \`pkg:eco/name@version\`
+    This command will automatically prepend "pkg:" when not present.
 
     If the first arg is an ecosystem, remaining args that are not a purl are
-    assumed to be scoped in that ecosystem or to be purls.
-
-    This command takes 100 quota units (regardless of arg count).
-    This command requires \`packages:list\` scope access on your API token.
+    assumed to be scoped to that ecosystem.
 
     Examples
       $ ${command} npm webtorrent
@@ -51,9 +56,16 @@ const config: CliCommandConfig = {
   `
 }
 
-export const cmdPackageScore = {
+export const cmdPackageShallow = {
   description: config.description,
   hidden: config.hidden,
+  alias: {
+    shallowScore: {
+      description: config.description,
+      hidden: true,
+      argv: []
+    }
+  },
   run
 }
 
@@ -92,10 +104,7 @@ async function run(
   }
 
   await showPurlInfo({
-    // commandName: `${parentName} ${config.commandName}`,
-    // includeAllIssues: Boolean(all),
     outputKind: json ? 'json' : markdown ? 'markdown' : 'text',
     purls
-    // strict: Boolean(strict)
   })
 }

src/commands/package/cmd-package.test.ts

@@ -7,64 +7,41 @@ import { cmdit, invokeNpm } from '../../../test/utils'
 
 const { CLI } = constants
 
-describe('socket manifest', async () => {
+describe('socket package', async () => {
   // Lazily access constants.rootBinPath.
   const entryPath = path.join(constants.rootBinPath, `${CLI}.js`)
 
-  cmdit(['manifest', '--help'], 'should support --help', async cmd => {
+  cmdit(['package', '--help'], 'should support --help', async cmd => {
     const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
     expect(stdout).toMatchInlineSnapshot(
       `
-      "Generate a dependency manifest for given file or dir
+      "Commands relating to looking up published packages
 
         Usage
-          $ socket manifest <command>
+          $ socket package <command>
 
         Commands
-          auto              Auto-detect build and attempt to generate manifest file
-          gradle            [beta] Use Gradle to generate a manifest file (\`pom.xml\`) for a Gradle/Java/Kotlin/etc project
-          kotlin            [beta] Use Gradle to generate a manifest file (\`pom.xml\`) for a Kotlin project
-          scala             [beta] Generate a manifest file (\`pom.xml\`) from Scala's \`build.sbt\` file
+        
 
         Options
           --dryRun          Do input validation for a command and exit 0 when input is ok
           --help            Print this help.
 
         Examples
-          $ socket manifest --help"
+          $ socket package --help"
     `
     )
     expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
       "
          _____         _       _        /---------------
         |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
         |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
-        |_____|___|___|_,_|___|_|.dev   | Command: \`socket manifest\`, cwd: <redacted>"
+        |_____|___|___|_,_|___|_|.dev   | Command: \`socket package\`, cwd: <redacted>"
     `)
 
     expect(code, 'help should exit with code 2').toBe(2)
     expect(stderr, 'header should include command (without params)').toContain(
-      '`socket manifest`'
+      '`socket package`'
     )
   })
-
-  cmdit(
-    ['manifest', 'mootools', '--dry-run'],
-    'should require args with just dry-run',
-    async cmd => {
-      const { code, stderr, stdout } = await invokeNpm(entryPath, cmd)
-      expect(stdout).toMatchInlineSnapshot(
-        `"[DryRun]: No-op, call a sub-command; ok"`
-      )
-      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
-        "
-           _____         _       _        /---------------
-          |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver <redacted>
-          |__   | . |  _| '_| -_|  _|     | Node: <redacted>, API token set: <redacted>
-          |_____|___|___|_,_|___|_|.dev   | Command: \`socket manifest\`, cwd: <redacted>"
-      `)
-
-      expect(code, 'dry-run should exit with code 0 if input ok').toBe(0)
-    }
-  )
 })

src/commands/package/cmd-package.ts

@@ -1,4 +1,4 @@
-import { cmdPackageScore } from './cmd-package-score'
+import { cmdPackageShallow } from './cmd-package-shallow'
 import { meowWithSubcommands } from '../../utils/meow-with-subcommands'
 
 import type { CliSubcommand } from '../../utils/meow-with-subcommands'
@@ -11,7 +11,7 @@ export const cmdPackage: CliSubcommand = {
   async run(argv, importMeta, { parentName }) {
     await meowWithSubcommands(
       {
-        score: cmdPackageScore
+        shallow: cmdPackageShallow
       },
       {
         aliases: {

src/commands/package/fetch-package-info.ts

@@ -1,10 +1,14 @@
 import { logger } from '@socketsecurity/registry/lib/logger'
-import { SocketSdkResultType, SocketSdkReturnType } from '@socketsecurity/sdk'
 
 import constants from '../../constants'
 import { handleApiCall, handleUnsuccessfulApiResponse } from '../../utils/api'
 import { getPublicToken, setupSdk } from '../../utils/sdk'
 
+import type {
+  SocketSdkResultType,
+  SocketSdkReturnType
+} from '@socketsecurity/sdk'
+
 export async function fetchPackageInfo(
   purls: string[]
 ): Promise<SocketSdkReturnType<'batchPackageFetch'>> {
@@ -14,7 +18,7 @@ export async function fetchPackageInfo(
   const { spinner } = constants
 
   logger.error(
-    `Requesting data for ${purls.length} package urls (purl): ${purls.join(', ')}`
+    `Requesting shallow score data for ${purls.length} package urls (purl): ${purls.join(', ')}`
   )
   spinner.start(`Requesting data ...`)
 

src/commands/package/log-package-info.ts

@@ -2,7 +2,8 @@ import { stripIndents } from 'common-tags'
 import colors from 'yoctocolors-cjs'
 
 import { logger } from '@socketsecurity/registry/lib/logger'
-import { components } from '@socketsecurity/sdk/types/api'
+
+import type { components } from '@socketsecurity/sdk/types/api'
 
 export function logPackageInfo(
   purls: string[],
@@ -32,17 +33,26 @@ export function logPackageInfo(
 
   if (outputKind === 'markdown') {
     logger.log(stripIndents`
-      # Package report
+      # Shallow Package Report
 
       This report contains the response for requesting data on some package url(s).
 
+      Please note: The listed scores are ONLY for the package itself. It does NOT
+                   reflect the scores of any dependencies, transitive or otherwise.
+
       ${missing.length ? `\n## Missing response\n\nAt least one package had no response or the purl was not canonical:\n\n${missing.map(purl => '- ' + purl + '\n').join('')}` : ''}
 
       ${packageData.map(data => '## ' + formatReportCard(data, false)).join('\n\n\n')}
     `)
     return
   }
 
+  logger.log('\n' + colors.bold('Shallow Package Score') + '\n')
+  logger.log(
+    'Please note: The listed scores are ONLY for the package itself. It does NOT\n' +
+      '             reflect the scores of any dependencies, transitive or otherwise.'
+  )
+
   if (missing.length) {
     logger.log(
       `\nAt least one package had no response or the purl was not canonical:\n${missing.map(purl => '\n- ' + colors.bold(purl)).join('')}`

src/commands/package/show-purl-info.ts

@@ -1,27 +1,14 @@
-import { components } from '@socketsecurity/sdk/types/api'
-
 import { fetchPackageInfo } from './fetch-package-info'
 import { logPackageInfo } from './log-package-info'
 
-import type { SocketSdkAlert } from '../../utils/alert/severity'
-import type { SocketSdkReturnType } from '@socketsecurity/sdk'
-
-export interface PackageData {
-  data: SocketSdkReturnType<'getIssuesByNPMPackage'>['data']
-  severityCount: Record<SocketSdkAlert['severity'], number>
-  score: SocketSdkReturnType<'getScoreByNPMPackage'>['data']
-}
+import type { components } from '@socketsecurity/sdk/types/api'
 
 export async function showPurlInfo({
-  // commandName,
   outputKind,
   purls
-  // strict
 }: {
-  // commandName: string
   outputKind: 'json' | 'markdown' | 'text'
   purls: string[]
-  // strict: boolean
 }) {
   const packageData = await fetchPackageInfo(purls)
   if (packageData) {