Update to match current endpoint output

pvdz · pvdz · commit df5e9e0211f4 · 2025-03-26T18:20:20.000+01:00
diff --git a/src/commands/package/fetch-purl-deep-score.ts b/src/commands/package/fetch-purl-deep-score.ts
@@ -3,7 +3,7 @@ import colors from 'yoctocolors-cjs'
 import { logger } from '@socketsecurity/registry/lib/logger'
 
 import constants from '../../constants'
-import { handleAPIError, handleApiCall, queryAPI } from '../../utils/api'
+import { handleApiCall, handleApiError, queryApi } from '../../utils/api'
 import { AuthError } from '../../utils/errors'
 import { getDefaultToken } from '../../utils/sdk'
 
@@ -19,14 +19,14 @@ export async function fetchPurlDeepScore(purl: string) {
   }
 
   spinner.start('Getting deep package score...')
-  const response = await queryAPI(
+  const response = await queryApi(
     `purl/score/${encodeURIComponent(purl)}`,
     apiToken
   )
   spinner?.successAndStop('Received deep package score response.')
 
   if (!response.ok) {
-    const err = await handleAPIError(response.status)
+    const err = await handleApiError(response.status)
     logger.log('\nThere was an error', err)
     spinner.errorAndStop(
       `${colors.bgRed(colors.white(response.statusText))}: ${err}`
diff --git a/src/commands/package/output-purl-score.ts b/src/commands/package/output-purl-score.ts
@@ -24,99 +24,231 @@ export async function outputPurlScore(
   }
 
   if (outputKind === 'markdown') {
-    const { alerts, func, score, worst } = data as {
-      func: string
-      score: {
-        license: number
-        maintenance: number
-        overall: number
-        quality: number
-        supplyChain: number
-        vulnerability: number
+    const {
+      purl: requestedPurl,
+      self: {
+        alerts: selfAlerts,
+        capabilities: selfCaps,
+        purl,
+        score: selfScore
+      },
+      transitively: {
+        alerts,
+        capabilities,
+        dependencyCount,
+        func,
+        lowest,
+        score
       }
-      worst: {
-        license: string
-        maintenance: string
-        overall: string
-        quality: string
-        supplyChain: string
-        vulnerability: string
+    } = data as {
+      purl: string
+      self: {
+        purl: string
+        score: {
+          license: number
+          maintenance: number
+          overall: number
+          quality: number
+          supplyChain: number
+          vulnerability: number
+        }
+        capabilities: string[]
+        alerts: Array<{
+          name: string
+          severity: string
+          category: string
+          example: string
+        }>
+      }
+      transitively: {
+        dependencyCount: number
+        func: string
+        score: {
+          license: number
+          maintenance: number
+          overall: number
+          quality: number
+          supplyChain: number
+          vulnerability: number
+        }
+        lowest: {
+          license: string
+          maintenance: string
+          overall: string
+          quality: string
+          supplyChain: string
+          vulnerability: string
+        }
+        capabilities: string[]
+        alerts: Array<{
+          name: string
+          severity: string
+          category: string
+          example: string
+        }>
       }
-      alerts: Array<{
-        name: string
-        severity: string
-        category: string
-      }>
     }
 
-    logger.error(`Score report for "${purl}":\n`)
-    logger.log('# Deep Package Score')
-    logger.log('')
-    logger.log(
-      'This Socket report contains the response for requesting a deep package score for'
-    )
-    logger.log(
-      `a package and any of its dependencies or transitive dependencies.`
-    )
-    logger.log('')
-    logger.log(`The package is: ${purl}`)
+    logger.error(`Score report for "${requestedPurl}" ("${purl}"):\n`)
+    logger.log('# Complete Package Score')
     logger.log('')
-    logger.log('## Score')
+    if (dependencyCount) {
+      logger.log(
+        `This is a Socket report for the package *"${purl}"* and its *${dependencyCount}* direct/transitive dependencies.`
+      )
+    } else {
+      logger.log(
+        `This is a Socket report for the package *"${purl}"*. It has *no dependencies*.`
+      )
+    }
     logger.log('')
-    logger.log('Please note:')
-    logger.log(
-      '    The listed scores reflect the scores from the requested package, its'
-    )
-    logger.log(
-      '    dependencies, and any transitive dependencies. An aggregation function'
-    )
-    logger.log(
-      '    computes the final score which is presented in this report.'
-    )
+    if (dependencyCount) {
+      logger.log(
+        `It will show you the shallow score for just the package itself and a deep score for all the transitives combined. Additionally you can see which capabilities were found and the top alerts as well as a package that was responsible for it.`
+      )
+    } else {
+      logger.log(
+        `It will show you the shallow score for the package itself, which capabilities were found, and its top alerts.`
+      )
+      logger.log('')
+      logger.log(
+        'Since it has no dependencies, the shallow score is also the deep score.'
+      )
+    }
     logger.log('')
-    logger.log(`The aggregation function that was used is: "${func}"`)
+    if (dependencyCount) {
+      // This doesn't make much sense if there are no dependencies. Better to omit it.
+      logger.log(
+        'The report should give you a good insight into the status of this package.'
+      )
+      logger.log('')
+      logger.log('## Package itself')
+      logger.log('')
+      logger.log(
+        'Here are results for the package itself (excluding data from dependencies).'
+      )
+    } else {
+      logger.log('## Report')
+      logger.log('')
+      logger.log(
+        'The report should give you a good insight into the status of this package.'
+      )
+    }
     logger.log('')
-    logger.log('- Overall: ' + score.overall)
-    logger.log('- Maintenance: ' + score.maintenance)
-    logger.log('- Quality: ' + score.quality)
-    logger.log('- Supply Chain: ' + score.supplyChain)
-    logger.log('- Vulnerability: ' + score.vulnerability)
-    logger.log('- License: ' + score.license)
+    logger.log('### Shallow Score')
     logger.log('')
-    logger.log('## Worst score examples')
+    logger.log('This score is just for the package itself:')
     logger.log('')
-    logger.log(
-      'These are packages with the worst score in each category. Only one package is'
-    )
-    logger.log(
-      'listed even if multiple have that lowest score. Each of these packages is the'
-    )
-    logger.log('package itself or a (transitive) dependency.')
+    logger.log('- Overall: ' + selfScore.overall)
+    logger.log('- Maintenance: ' + selfScore.maintenance)
+    logger.log('- Quality: ' + selfScore.quality)
+    logger.log('- Supply Chain: ' + selfScore.supplyChain)
+    logger.log('- Vulnerability: ' + selfScore.vulnerability)
+    logger.log('- License: ' + selfScore.license)
     logger.log('')
-    logger.log('- Overall: ' + worst.overall)
-    logger.log('- Maintenance: ' + worst.maintenance)
-    logger.log('- Quality: ' + worst.quality)
-    logger.log('- Supply Chain: ' + worst.supplyChain)
-    logger.log('- Vulnerability: ' + worst.vulnerability)
-    logger.log('- License: ' + worst.license)
+    logger.log('### Capabilities')
     logger.log('')
-    logger.log('## Alerts')
+    if (selfCaps.length) {
+      logger.log('These are the capabilities detected in the package itself:')
+      logger.log('')
+      selfCaps.forEach(cap => {
+        logger.log(`- ${cap}`)
+      })
+    } else {
+      logger.log('No capabilities were found in the package.')
+    }
     logger.log('')
-    logger.log(
-      'Here is a list of the alerts emitted by this package or any of its (transitive)'
-    )
-    logger.log(
-      'dependencies in aggregate. Only the first 100 or shown, ordered by severity.'
-    )
+    logger.log('### Alerts for this package')
     logger.log('')
-    alerts.forEach(({ name, severity }) => {
-      logger.log(`- [${severity}] ${name}`)
-    })
+    if (selfAlerts.length) {
+      if (dependencyCount) {
+        logger.log('These are the alerts found for the package itself:')
+      } else {
+        logger.log('These are the alerts found for this package:')
+      }
+      logger.log('')
+      selfAlerts.forEach(alert => {
+        logger.log(`- [${alert.severity}] ${alert.name}`)
+      })
+    } else {
+      logger.log('There are currently no alerts for this package.')
+    }
     logger.log('')
+    if (dependencyCount) {
+      logger.log('## Transitive Package Results')
+      logger.log('')
+      logger.log(
+        'Here are results for the package and its direct/transitive dependencies.'
+      )
+      logger.log('')
+      logger.log('### Deep Score')
+      logger.log('')
+      logger.log(
+        'This score represents the package and and its direct/transitive dependencies:'
+      )
+      logger.log(
+        `The function used to calculate the values in aggregate is: *"${func}"*`
+      )
+      logger.log('')
+      logger.log('- Overall: ' + score.overall)
+      logger.log('- Maintenance: ' + score.maintenance)
+      logger.log('- Quality: ' + score.quality)
+      logger.log('- Supply Chain: ' + score.supplyChain)
+      logger.log('- Vulnerability: ' + score.vulnerability)
+      logger.log('- License: ' + score.license)
+      logger.log('')
+      logger.log('### Capabilities')
+      logger.log('')
+      logger.log(
+        'These are the packages with the lowest recorded score. If there is more than one with the lowest score, just one is shown here. This may help you figure out the source of low scores.'
+      )
+      logger.log('')
+      logger.log('- Overall: ' + lowest.overall)
+      logger.log('- Maintenance: ' + lowest.maintenance)
+      logger.log('- Quality: ' + lowest.quality)
+      logger.log('- Supply Chain: ' + lowest.supplyChain)
+      logger.log('- Vulnerability: ' + lowest.vulnerability)
+      logger.log('- License: ' + lowest.license)
+      logger.log('')
+      logger.log('### Capabilities')
+      logger.log('')
+      if (capabilities.length) {
+        logger.log(
+          'These are the capabilities detected in at least one package:'
+        )
+        logger.log('')
+        capabilities.forEach(cap => {
+          logger.log(`- ${cap}`)
+        })
+      } else {
+        logger.log(
+          'This package had no capabilities and neither did any of its direct/transitive dependencies.'
+        )
+      }
+      logger.log('')
+      logger.log('### Alerts')
+      logger.log('')
+      if (alerts.length) {
+        logger.log('These are the alerts found:')
+        logger.log('')
+        alerts.forEach(alert => {
+          logger.log(
+            `- [${alert.severity}] ${alert.name} (at least in ${alert.example})`
+          )
+        })
+      } else {
+        logger.log(
+          'This package had no alerts and neither did any of its direct/transitive dependencies.'
+        )
+      }
+      logger.log('')
+    }
     return
   }
 
-  logger.log(`Score report for "${purl}":`)
+  logger.log(
+    `Score report for "${purl}" (use --json for raw and --markdown for formatted reports):`
+  )
   logger.log(data)
   logger.log('')
 }
