
@jfblaa jfblaa commented Dec 2, 2025

bump coana version


Note

Use Coana find-vulnerabilities (JSON output) for socket fix GHSA discovery, update tests and PR flow accordingly, bump @coana-tech/cli to 14.12.110, and release v1.1.40 with a bug fix.

  • socket fix
    • Replace discovery command with Coana find-vulnerabilities and parse JSON output for GHSA IDs.
    • Remove legacy discovery flags; update local and PR flows to call new command with --manifests-tar-hash and piped stdio.
  • Tests
    • Update src/commands/fix/handle-fix-limit.test.mts to expect find-vulnerabilities and JSON ID output; validate limit and PR-adjustment behavior.
  • Release/Deps
    • Bump version to 1.1.40 and update CHANGELOG.md (fix vulnerability discovery; note Coana CLI update).
    • Upgrade dev dependency @coana-tech/cli to 14.12.110.

Written by Cursor Bugbot for commit 7dcf13e.


socket-security bot commented Dec 2, 2025

Review the following changes in direct dependencies.

Diff    | Package                                   | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | npm/@coana-tech/cli@14.12.107 ⏵ 14.12.110 | 89 (+1)               | 100           | 80 (+1) | 96 (+1)     | 100

@jfblaa jfblaa requested a review from barslev December 2, 2025 11:53

@cursor cursor bot left a comment



socket-security-staging bot commented Dec 2, 2025

Review the following changes in direct dependencies.

Diff    | Package                                   | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | npm/@coana-tech/cli@14.12.107 ⏵ 14.12.110 | 89                    | 100           | 80 (+1) | 96          | 100


jfblaa commented Dec 2, 2025

@cursor review


@cursor cursor bot left a comment



jfblaa commented Dec 2, 2025

@cursor review


@cursor cursor bot left a comment


✅ Bugbot reviewed your changes and found no bugs!



jdalton commented Dec 2, 2025

Very nice @jfblaa @mtorp! 🕺

: []),
...fixConfig.unknownFlags,
],
['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash],

@jfblaa Love the new command!

['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash]

<-- if there was also a --json flag we could get the output as JSON to simplify parsing.
Ideally, the less we parse, the more resilient it is to changes.

@jdalton jdalton merged commit cdd5971 into v1.x Dec 2, 2025
8 checks passed
@jdalton jdalton deleted the jfblaa/rea-317-use-coana-cmd-find-vulnerabilities-for-discovering-ghsaids branch December 2, 2025 13:28
jdalton added a commit that referenced this pull request Dec 9, 2025
Ported from v1.x commit cdd5971 (#958)

- Replace compute-fixes-and-upgrade-purls discovery with simpler find-vulnerabilities command
- Parse GHSA IDs from JSON output on stdout instead of temp file
- Remove temp file creation/cleanup for discovery
- Add error handling for JSON parsing
- Simplify discovery logic with direct stdout parsing

The find-vulnerabilities command is more efficient and cleaner than using
compute-fixes-and-upgrade-purls with --output-file for discovery.

Based on PR #958
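An added example, not socket-cli's or Coana's own code, of the stdout-parsing step described in the Bugbot summary and in the ported commit message above: it parses the JSON that `find-vulnerabilities` prints, reports malformed output as a structured error instead of throwing, validates each GHSA ID's format before passing it on, and finds IDs by walking the whole document so it does not depend on a fixed schema. The sample output shape is constructed and is an assumption, not Coana's real format.

```typescript
// Added example (not socket-cli's or Coana's code): extract GHSA IDs from the
// JSON that `coana find-vulnerabilities` writes to stdout, tolerating malformed
// output and schema changes. GHSA IDs have the form GHSA-xxxx-xxxx-xxxx.
const GHSA_ID = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/

type DiscoveryResult =
  | { ok: true; ghsaIds: string[] }
  | { ok: false; error: string }

// Walk any JSON value and collect strings that are well-formed GHSA IDs.
// Walking the whole document instead of reading fixed paths keeps the parser
// working if the output schema changes (the resilience point raised in review).
function collectGhsaIds(value: unknown, out: Set<string>): void {
  if (typeof value === 'string') {
    if (GHSA_ID.test(value)) out.add(value)
  } else if (Array.isArray(value)) {
    for (const item of value) collectGhsaIds(item, out)
  } else if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>
    for (const key of Object.keys(obj)) collectGhsaIds(obj[key], out)
  }
}

// Parse the stdout of `find-vulnerabilities`. Returns a structured error rather
// than throwing, so the fix flow can report a broken discovery step cleanly, and
// only strings that pass the format check are handed on as GHSA IDs.
function parseFindVulnerabilitiesOutput(stdout: string): DiscoveryResult {
  let parsed: unknown
  try {
    parsed = JSON.parse(stdout)
  } catch (e) {
    const msg = e instanceof Error ? e.message : String(e)
    return { ok: false, error: `find-vulnerabilities did not emit valid JSON: ${msg}` }
  }
  const ids = new Set<string>()
  collectGhsaIds(parsed, ids)
  return { ok: true, ghsaIds: Array.from(ids).sort() }
}

// Constructed sample stdout (the shape is assumed, not Coana's real schema).
const SAMPLE_STDOUT = JSON.stringify({
  vulnerabilities: [
    { id: 'GHSA-aaaa-bbbb-cccc', package: 'left-pad' },
    { id: 'GHSA-aaaa-bbbb-cccc', package: 'left-pad' }, // duplicate, deduplicated
    { id: 'ghsa-not-an-id', package: 'foo' }, // fails the format check, dropped
    { nested: { advisory: 'GHSA-1234-5678-9abc' } }, // found without knowing the path
  ],
})
```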