change discoverGhsaIds to use coana cli command 'find-vulnerabilities'

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.40](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.40) - 2025-12-02
+
+### Fixed
+- Fix a bug where vulnerabilities were not found correctly during `socket fix`.
+
+### Changed
+- Updated the Coana CLI to v `14.12.110`.
+
 ## [1.1.39](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.39) - 2025-12-01
 
 ### Added

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.39",
+  "version": "1.1.40",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -94,7 +94,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "14.12.107",
+    "@coana-tech/cli": "14.12.110",
     "@cyclonedx/cdxgen": "11.11.0",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

src/commands/fix/coana-fix.mts

@@ -27,7 +27,6 @@ import {
   GQL_PR_STATE_OPEN,
 } from '../../constants.mts'
 import { handleApiCall } from '../../utils/api.mts'
-import { cmdFlagValueToArray } from '../../utils/cmd.mts'
 import { spawnCoanaDlx } from '../../utils/dlx.mts'
 import { getErrorCause } from '../../utils/errors.mts'
 import {
@@ -66,7 +65,6 @@ type DiscoverGhsaIdsOptions = {
 async function discoverGhsaIds(
   orgSlug: string,
   tarHash: string,
-  fixConfig: FixConfig,
   options?: DiscoverGhsaIdsOptions | undefined,
 ): Promise<string[]> {
   const {
@@ -79,31 +77,21 @@ async function discoverGhsaIds(
   } as DiscoverGhsaIdsOptions
 
   const foundCResult = await spawnCoanaDlx(
-    [
-      'compute-fixes-and-upgrade-purls',
-      cwd,
-      '--manifests-tar-hash',
-      tarHash,
-      ...(fixConfig.rangeStyle ? ['--range-style', fixConfig.rangeStyle] : []),
-      ...(fixConfig.minimumReleaseAge
-        ? ['--minimum-release-age', fixConfig.minimumReleaseAge]
-        : []),
-      ...(fixConfig.include.length ? ['--include', ...fixConfig.include] : []),
-      ...(fixConfig.exclude.length ? ['--exclude', ...fixConfig.exclude] : []),
-      ...(fixConfig.disableMajorUpdates ? ['--disable-major-updates'] : []),
-      ...(fixConfig.showAffectedDirectDependencies
-        ? ['--show-affected-direct-dependencies']
-        : []),
-      ...fixConfig.unknownFlags,
-    ],
+    ['find-vulnerabilities', cwd, '--manifests-tar-hash', tarHash],
     orgSlug,
     { cwd, spinner },
+    { stdio: 'pipe' },
   )
 
   if (foundCResult.ok) {
-    const foundIds = cmdFlagValueToArray(
-      /(?<=Vulnerabilities found:).*/.exec(foundCResult.data),
-    )
+    // Coana prints ghsaIds as json-formatted string on the final line of the output
+    const foundIds: string[] = []
+    try {
+      const ghsaIdsRaw = foundCResult.data.trim().split('\n').pop()
+      if (ghsaIdsRaw) {
+        foundIds.push(...JSON.parse(ghsaIdsRaw))
+      }
+    } catch {}
     return limit !== undefined ? foundIds.slice(0, limit) : foundIds
   }
   return []
@@ -206,7 +194,7 @@ export async function coanaFix(
 
     let ids: string[]
     if (isAll && limit > 0) {
-      ids = await discoverGhsaIds(orgSlug, tarHash, fixConfig, {
+      ids = await discoverGhsaIds(orgSlug, tarHash, {
         cwd,
         limit,
         spinner,
@@ -312,7 +300,7 @@ export async function coanaFix(
   let ids: string[] | undefined
 
   if (shouldSpawnCoana && isAll) {
-    ids = await discoverGhsaIds(orgSlug, tarHash, fixConfig, {
+    ids = await discoverGhsaIds(orgSlug, tarHash, {
       cwd,
       limit: adjustedLimit,
       spinner,

src/commands/fix/handle-fix-limit.test.mts

@@ -223,7 +223,7 @@ describe('socket fix --limit behavior verification', () => {
       // First call is for discovery (returns vulnerability IDs).
       mockSpawnCoanaDlx.mockResolvedValueOnce({
         ok: true,
-        data: 'Vulnerabilities found: GHSA-aaaa-aaaa-aaaa,GHSA-bbbb-bbbb-bbbb',
+        data: JSON.stringify(['GHSA-aaaa-aaaa-aaaa', 'GHSA-bbbb-bbbb-bbbb']),
       })
 
       // Second call is to apply fixes to the discovered IDs.
@@ -245,7 +245,7 @@ describe('socket fix --limit behavior verification', () => {
 
       // First call is discovery (no --apply-fixes-to).
       const discoveryArgs = mockSpawnCoanaDlx.mock.calls[0]?.[0] as string[]
-      expect(discoveryArgs).toContain('compute-fixes-and-upgrade-purls')
+      expect(discoveryArgs).toContain('find-vulnerabilities')
       expect(discoveryArgs).not.toContain('--apply-fixes-to')
 
       // Second call applies fixes to discovered IDs.
@@ -284,7 +284,7 @@ describe('socket fix --limit behavior verification', () => {
       // First call returns the IDs to process.
       mockSpawnCoanaDlx.mockResolvedValueOnce({
         ok: true,
-        data: `Vulnerabilities found: ${ghsas.join(',')}`,
+        data: JSON.stringify(ghsas),
       })
 
       // Subsequent calls are for individual GHSA fixes.
@@ -327,7 +327,7 @@ describe('socket fix --limit behavior verification', () => {
 
       mockSpawnCoanaDlx.mockResolvedValueOnce({
         ok: true,
-        data: `Vulnerabilities found: ${ghsas.join(',')}`,
+        data: JSON.stringify(ghsas),
       })
 
       mockSpawnCoanaDlx.mockResolvedValue({