
feat(scan): forward socket.json build-tool config into reachability (1.1.120, Coana 15.4.1) #1362

Merged
Jeppe Fredsgaard Blaabjerg (jfblaa) merged 7 commits into v1.x from jfblaa/rea-549-socket-cli-map-socketjson-build-tool-config-into-coanas-auto on Jun 16, 2026

Conversation


@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) commented Jun 12, 2026

Contributor

Summary

Forwards socket.json per-ecosystem build-tool config into reachability analysis, and bumps @coana-tech/cli to 15.4.1 (which ships the --auto-manifest-config option this depends on). Cuts release 1.1.120.

  • socket scan create --reach now maps socket.json's per-ecosystem manifest build-tool options (custom binary, include/exclude configs, Gradle/sbt opts) into a Coana AutoManifestConfig, passed to coana run via --auto-manifest-config, so reach-time dependency resolution invokes the build tool the way the project is configured rather than with defaults.
  • Under --auto-manifest --reach the config carries failOnBuildToolError=true (fail-closed). Plain --reach leaves it unset and stays best-effort.

Changelog (1.1.120)

  • socket scan create --reach now applies your project's build-tool settings from socket.json (configured via socket manifest setup) for Gradle/sbt reachability resolution, instead of always invoking the build tool with defaults.
  • socket scan create --auto-manifest --reach now fails with an error when a build tool fails during manifest generation, rather than tolerating it.
  • Updated the Coana CLI to v15.4.5.

Note

Medium Risk
Changes reachability and auto-manifest failure behavior (stricter with --auto-manifest) and depends on Coana 15.4.1; mis-mapped socket.json could affect Gradle/sbt resolution in scans.

Overview
Release 1.1.120 bumps @coana-tech/cli to 15.4.1 and wires socket.json Gradle/sbt manifest settings into reachability runs.

socket scan create --reach now maps defaults.manifest from socket.json (custom binary, include/exclude configs, gradleOpts/sbtOpts, ignoreUnresolved) into Coana’s AutoManifestConfig, written to a temp JSON file and passed as --auto-manifest-config on coana run. With --auto-manifest --reach, the config sets failOnBuildToolError=true so build-tool failures abort the scan; plain --reach leaves that unset for best-effort behavior.

New buildAutoManifestConfig / isAutoManifestConfigEmpty utilities and unit tests cover the mapping; scan create only builds the config when --reach is enabled.

Reviewed by Cursor Bugbot for commit 478fb22. Configure here.
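To make the mapping described above concrete, here is an added TypeScript sketch (not socket-cli's or Coana's own code) of the socket.json -> AutoManifestConfig step, the emptiness check that decides whether the flag is forwarded at all, and the temp-file hand-off to `coana run` with cleanup in a `finally`. Every field name on both sides (`defaults.manifest.gradle`, `bin`, `includeConfigs`, `opts`, the shape of `AutoManifestConfig`) and the helper names are assumptions for illustration; the sample socket.json is constructed.

```typescript
import { mkdtempSync, writeFileSync, rmSync, readFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';

// Assumed shape of socket.json's per-ecosystem `defaults.manifest` section
// (as written by `socket manifest setup`). Real key names may differ.
interface ManifestEcosystemConfig {
  bin?: string;               // custom build-tool binary, e.g. ./gradlew
  includeConfigs?: string[];  // configurations to resolve
  excludeConfigs?: string[];  // configurations to skip
  opts?: string;              // stands in for gradleOpts / sbtOpts
  ignoreUnresolved?: boolean;
}

interface SocketJson {
  defaults?: { manifest?: { gradle?: ManifestEcosystemConfig; sbt?: ManifestEcosystemConfig } };
}

// Assumed shape of the config Coana reads from --auto-manifest-config
// (illustrative, not Coana's published type).
interface BuildToolOptions {
  bin?: string;
  includeConfigs?: string[];
  excludeConfigs?: string[];
  opts?: string;
  ignoreUnresolved?: boolean;
}

interface AutoManifestConfig {
  gradle?: BuildToolOptions;
  sbt?: BuildToolOptions;
  failOnBuildToolError?: boolean;
}

// Copy only the keys that are actually set, so an ecosystem block with no
// meaningful settings collapses to "absent" rather than to `{}`.
function mapEcosystem(cfg?: ManifestEcosystemConfig): BuildToolOptions | undefined {
  if (!cfg) return undefined;
  const out: BuildToolOptions = {};
  if (cfg.bin) out.bin = cfg.bin;
  if (cfg.includeConfigs?.length) out.includeConfigs = [...cfg.includeConfigs];
  if (cfg.excludeConfigs?.length) out.excludeConfigs = [...cfg.excludeConfigs];
  if (cfg.opts) out.opts = cfg.opts;
  if (cfg.ignoreUnresolved !== undefined) out.ignoreUnresolved = cfg.ignoreUnresolved;
  return Object.keys(out).length > 0 ? out : undefined;
}

// socket.json -> AutoManifestConfig. Fail-closed (failOnBuildToolError=true)
// only under --auto-manifest --reach; plain --reach leaves it unset.
function buildAutoManifestConfig(socketJson: SocketJson, opts: { autoManifest: boolean }): AutoManifestConfig {
  const manifest = socketJson.defaults?.manifest;
  const config: AutoManifestConfig = {};
  const gradle = mapEcosystem(manifest?.gradle);
  if (gradle) config.gradle = gradle;
  const sbt = mapEcosystem(manifest?.sbt);
  if (sbt) config.sbt = sbt;
  if (opts.autoManifest) config.failOnBuildToolError = true;
  return config;
}

function isAutoManifestConfigEmpty(config: AutoManifestConfig): boolean {
  return Object.keys(config).length === 0;
}

// Write the config to a private temp file, append --auto-manifest-config <path>
// to the coana argv, and remove the file even if the run throws.
function withAutoManifestConfigArgs<T>(config: AutoManifestConfig, baseArgs: string[], run: (args: string[]) => T): T {
  if (isAutoManifestConfigEmpty(config)) return run(baseArgs);
  const dir = mkdtempSync(join(tmpdir(), 'socket-reach-'));
  const file = join(dir, 'auto-manifest-config.json');
  writeFileSync(file, JSON.stringify(config), { mode: 0o600 });
  try {
    return run([...baseArgs, '--auto-manifest-config', file]);
  } finally {
    rmSync(dir, { recursive: true, force: true });
  }
}

// Constructed sample socket.json: a Gradle wrapper with one excluded
// configuration and extra opts; the sbt block is present but empty.
const SAMPLE_SOCKET_JSON: SocketJson = {
  defaults: {
    manifest: {
      gradle: { bin: './gradlew', excludeConfigs: ['testRuntimeClasspath'], opts: '-Pfoo=bar' },
      sbt: {},
    },
  },
};

// Demo: stand-in for `coana run` that reads the config file back from argv.
const demoConfig = buildAutoManifestConfig(SAMPLE_SOCKET_JSON, { autoManifest: true });
const demoReadBack = withAutoManifestConfigArgs(demoConfig, ['run', '.'], args =>
  JSON.parse(readFileSync(args[args.length - 1], 'utf8')) as AutoManifestConfig);
console.log(JSON.stringify(demoReadBack));
```

The point of the `finally` and the emptiness check is the same as in the PR's later commits: the flag is only forwarded when there is something to forward, and the temp file does not outlive the run whether Coana succeeds or throws.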

socket scan create --reach now maps socket.json's per-ecosystem manifest
build-tool options (bin, include/exclude-configs, gradle/sbt opts) into a
Coana-defined AutoManifestConfig and passes it to `coana run` via
--auto-manifest-config (a temp JSON file path Coana reads), so reach-time
dependency resolution invokes the build tool the way the project is configured
rather than with defaults. Under --auto-manifest the config also carries
top-level failOnBuildToolError=true (fail-closed: Coana treats a build-tool
step failure as fatal instead of tolerating it); plain --reach leaves it unset
and stays permissive.

This is the socket-cli side of the manifest-flag-propagation gap. The Coana
`--auto-manifest-config` option is not yet released, so this must not ship
until Coana publishes it and the pinned @coana-tech/cli is bumped; until then
it is exercised via SOCKET_CLI_COANA_LOCAL_PATH.

- add src/utils/auto-manifest-config.mts: BuildToolOptions/AutoManifestConfig
  types + buildAutoManifestConfig (socket.json -> config) + tests
- ReachabilityOptions.autoManifestConfig; write the config to a temp file and
  pass its path to coana run, cleaning it up after
- build the config at the cmd-scan-create assembly point
…fig forwarding

Bump @coana-tech/cli to 15.4.1 (which ships the --auto-manifest-config
option the feat commit depends on), bump the package version to 1.1.120,
and add the changelog entry.

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.


Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.

Comment @cursor review or bugbot run to trigger another review on this PR


Comment thread src/utils/auto-manifest-config.mts Outdated
Comment thread src/commands/scan/perform-reachability-analysis.mts
Only forward the socket.json build-tool config to `coana run` when the
resolved Coana version supports `--auto-manifest-config` (>= 15.4.1).
Passing the flag to an older Coana, pinned via --reach-version, would abort
the run on an unknown flag; we now skip it and warn instead. A local Coana
build (SOCKET_CLI_COANA_LOCAL_PATH) has no resolvable version and is treated
as supported.

Also drop internal tracker references from source comments.

socket-security-staging Bot commented Jun 16, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@coana-tech/cli@15.4.5  97                     100            80       98           100


@mtorp Martin Torp (mtorp) left a comment

Contributor


LGTM ✅

Comment thread src/commands/scan/perform-reachability-analysis.mts Outdated
Comment thread src/commands/scan/perform-reachability-analysis.mts Outdated
Coana is pinned to a specific version in the CLI, so gating
--auto-manifest-config on a minimum version added no real safety; remove
coanaSupportsAutoManifestConfig and forward the config unconditionally
when non-empty. Move the temp config file cleanup into a finally block so
it runs even if the Coana run throws.

socket-security Bot commented Jun 16, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@coana-tech/cli@15.4.5  74                     100            79       98           100


@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) merged commit 80ccc51 into v1.x Jun 16, 2026
12 checks passed
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) deleted the jfblaa/rea-549-socket-cli-map-socketjson-build-tool-config-into-coanas-auto branch June 16, 2026 10:55

2 participants