feat(scan): forward socket.json build-tool config into reachability (1.1.120, Coana 15.4.1)#1362
Conversation
socket scan create --reach now maps socket.json's per-ecosystem manifest build-tool options (bin, include/exclude-configs, gradle/sbt opts) into a Coana-defined AutoManifestConfig and passes it to `coana run` via --auto-manifest-config (a temp JSON file path Coana reads), so reach-time dependency resolution invokes the build tool the way the project is configured rather than with defaults. Under --auto-manifest the config also carries top-level failOnBuildToolError=true (fail-closed: Coana treats a build-tool step failure as fatal instead of tolerating it); plain --reach leaves it unset and stays permissive. This is the socket-cli side of the manifest-flag-propagation gap. The Coana `--auto-manifest-config` option is not yet released, so this must not ship until Coana publishes it and the pinned @coana-tech/cli is bumped; until then it is exercised via SOCKET_CLI_COANA_LOCAL_PATH. - add src/utils/auto-manifest-config.mts: BuildToolOptions/AutoManifestConfig types + buildAutoManifestConfig (socket.json -> config) + tests - ReachabilityOptions.autoManifestConfig; write the config to a temp file and pass its path to coana run, cleaning it up after - build the config at the cmd-scan-create assembly point
…fig forwarding Bump @coana-tech/cli to 15.4.1 (which ships the --auto-manifest-config option the feat commit depends on), bump the package version to 1.1.120, and add the changelog entry.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 478fb22. Configure here.
| // Per-ecosystem build-tool options handed off to the Coana CLI — used both when | ||
| // generating manifests (`coana manifest <ecosystem>`) and, in socket mode, for | ||
| // reach-time dependency resolution (`coana run`). This mirrors the Coana-side | ||
| // `--auto-manifest-config` shape (REA-547): socket-cli owns mapping `socket.json` |
There was a problem hiding this comment.
Internal ticket ID in comments
Low Severity
New comments reference the internal tracker id REA-547. Source comments in this repo should describe intent without Jira-style ticket references so they stay readable outside internal tooling.
Additional Locations (1)
Triggered by learned rule: No internal ticket references in code comments — remove Jira/tracker IDs
Reviewed by Cursor Bugbot for commit 478fb22. Configure here.
| // REA-547. | ||
| ...(autoManifestConfigPath | ||
| ? ['--auto-manifest-config', autoManifestConfigPath] | ||
| : []), |
There was a problem hiding this comment.
Config flag needs Coana version
Medium Severity
Reachability now appends --auto-manifest-config whenever the mapped config is non-empty, but reachVersion (or a local Coana path) can still invoke a Coana build older than 15.4.1 that does not implement that flag, causing reach analysis to fail unexpectedly.
Reviewed by Cursor Bugbot for commit 478fb22. Configure here.
1 participant
Summary
Forwards
socket.jsonper-ecosystem build-tool config into reachability analysis, and bumps@coana-tech/clito15.4.1(which ships the--auto-manifest-configoption this depends on). Cuts release1.1.120.socket scan create --reachnow mapssocket.json's per-ecosystem manifest build-tool options (custom binary, include/exclude configs, Gradle/sbt opts) into a CoanaAutoManifestConfig, passed tocoana runvia--auto-manifest-config, so reach-time dependency resolution invokes the build tool the way the project is configured rather than with defaults.--auto-manifest --reachthe config carriesfailOnBuildToolError=true(fail-closed). Plain--reachleaves it unset and stays best-effort.Changelog (1.1.120)
socket scan create --reachnow applies your project's build-tool settings fromsocket.json(configured viasocket manifest setup) for Gradle/sbt reachability resolution, instead of always invoking the build tool with defaults.socket scan create --auto-manifest --reachnow fails with an error when a build tool fails during manifest generation, rather than tolerating it.15.4.1.Notes
--auto-manifest-configoption is gated on Coana15.4.1, now released, so this is no longer pinned behindSOCKET_CLI_COANA_LOCAL_PATH.Note
Medium Risk
Changes reachability and auto-manifest failure behavior (stricter with --auto-manifest) and depends on Coana 15.4.1; mis-mapped socket.json could affect Gradle/sbt resolution in scans.
Overview
Release 1.1.120 bumps
@coana-tech/clito 15.4.1 and wiressocket.jsonGradle/sbt manifest settings into reachability runs.socket scan create --reachnow mapsdefaults.manifestfromsocket.json(custom binary, include/exclude configs,gradleOpts/sbtOpts,ignoreUnresolved) into Coana’sAutoManifestConfig, written to a temp JSON file and passed as--auto-manifest-configoncoana run. With--auto-manifest --reach, the config setsfailOnBuildToolError=trueso build-tool failures abort the scan; plain--reachleaves that unset for best-effort behavior.New
buildAutoManifestConfig/isAutoManifestConfigEmptyutilities and unit tests cover the mapping; scan create only builds the config when--reachis enabled.Reviewed by Cursor Bugbot for commit 478fb22. Configure here.