add flag --reach-use-only-pregenerated-sboms to exclude non-CDX and SPDX files from a Tier 1 reachability scan

Author: mtorp

socketsecurity/config.py

@@ -77,6 +77,7 @@ class CliConfig:
     reach_concurrency: Optional[int] = None
     reach_additional_params: Optional[List[str]] = None
     only_facts_file: bool = False
+    reach_only_use_pre_generated_sboms: bool = False
 
     @classmethod
     def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
@@ -139,6 +140,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'reach_concurrency': args.reach_concurrency,
             'reach_additional_params': args.reach_additional_params,
             'only_facts_file': args.only_facts_file,
+            'reach_only_use_pre_generated_sboms': args.reach_only_use_pre_generated_sboms,
             'version': __version__
         }
         try:
@@ -175,6 +177,11 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             logging.error("--only-facts-file requires --reach to be specified")
             exit(1)
 
+        # Validate that reach_only_use_pre_generated_sboms requires reach
+        if args.reach_only_use_pre_generated_sboms and not args.reach:
+            logging.error("--reach-only-use-pre-generated-sboms requires --reach to be specified")
+            exit(1)
+
         # Validate reach_concurrency is >= 1 if provided
         if args.reach_concurrency is not None and args.reach_concurrency < 1:
             logging.error("--reach-concurrency must be >= 1")
@@ -602,6 +609,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Submit only the .socket.facts.json file when creating full scan (requires --reach)"
     )
+    reachability_group.add_argument(
+        "--reach-only-use-pre-generated-sboms",
+        dest="reach_only_use_pre_generated_sboms",
+        action="store_true",
+        help="When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project. (requires --reach)"
+    )
 
     parser.add_argument(
         '--version',

socketsecurity/core/__init__.py

@@ -343,6 +343,57 @@ def find_files(self, path: str) -> List[str]:
 
         return file_list
 
+    def find_sbom_files(self, path: str) -> List[str]:
+        """
+        Finds only pre-generated SBOM files (CDX and SPDX) in the given path.
+
+        This is used with --reach-only-use-pre-generated-sboms to find only
+        pre-computed CycloneDX and SPDX manifest files.
+
+        Args:
+            path: Path to search for SBOM files.
+
+        Returns:
+            List of found CDX and SPDX file paths.
+        """
+        log.debug("Starting Find SBOM Files (CDX and SPDX only)")
+        files: Set[str] = set()
+
+        # Get supported patterns from the API and filter to only cdx and spdx
+        all_patterns = self.get_supported_patterns()
+        sbom_ecosystems = ['cdx', 'spdx']
+        sbom_patterns = {k: v for k, v in all_patterns.items() if k in sbom_ecosystems}
+
+        if not sbom_patterns:
+            log.warning("No CDX or SPDX patterns found in supported patterns from API")
+            return []
+
+        for ecosystem in sbom_patterns:
+            log.debug(f'Scanning for {ecosystem} files')
+            ecosystem_patterns = sbom_patterns[ecosystem]
+            for file_name in ecosystem_patterns:
+                original_pattern = ecosystem_patterns[file_name]["pattern"]
+
+                # Expand brace patterns
+                expanded_patterns = Core.expand_brace_pattern(original_pattern)
+
+                for pattern in expanded_patterns:
+                    case_insensitive_pattern = Core.to_case_insensitive_regex(pattern)
+                    file_path = os.path.join(path, "**", case_insensitive_pattern)
+
+                    log.debug(f"Globbing {file_path}")
+                    glob_files = glob(file_path, recursive=True)
+
+                    for glob_file in glob_files:
+                        if os.path.isfile(glob_file) and not Core.is_excluded(glob_file, self.config.excluded_dirs):
+                            files.add(glob_file.replace("\\", "/"))
+
+        file_list = sorted(files)
+        file_count = len(file_list)
+        log.info(f"Total SBOM files found (CDX/SPDX): {file_count}")
+
+        return file_list
+
     def get_supported_patterns(self) -> Dict:
         """
         Gets supported file patterns from the Socket API.

socketsecurity/core/tools/reachability.py

@@ -101,10 +101,11 @@ def run_reachability_analysis(
         additional_params: Optional[List[str]] = None,
         allow_unverified: bool = False,
         enable_debug: bool = False,
+        use_only_pregenerated_sboms: bool = False,
     ) -> Dict[str, Any]:
         """
         Run reachability analysis.
-        
+
         Args:
             org_slug: Socket organization slug
             target_directory: Directory to analyze
@@ -125,7 +126,8 @@ def run_reachability_analysis(
             additional_params: Additional parameters to pass to coana CLI
             allow_unverified: Disable SSL certificate verification (sets NODE_TLS_REJECT_UNAUTHORIZED=0)
             enable_debug: Enable debug mode (passes -d flag to coana CLI)
-            
+            use_only_pregenerated_sboms: Use only pre-generated CDX and SPDX files for the scan
+
         Returns:
             Dict containing scan_id and report_path
         """
@@ -179,7 +181,10 @@ def run_reachability_analysis(
 
         if enable_debug:
             cmd.append("-d")
-        
+
+        if use_only_pregenerated_sboms:
+            cmd.append("--use-only-pregenerated-sboms")
+
         # Add any additional parameters provided by the user
         if additional_params:
             cmd.extend(additional_params)

socketsecurity/socketcli.py

@@ -167,6 +167,8 @@ def main_code():
 
     # Variable to track if we need to override files with facts file
     facts_file_to_submit = None
+    # Variable to track SBOM files to submit when using --reach-only-use-pre-generated-sboms
+    sbom_files_to_submit = None
 
     # Git setup
     is_repo = False
@@ -230,12 +232,14 @@ def main_code():
     # Run reachability analysis if enabled
     if config.reach:
         from socketsecurity.core.tools.reachability import ReachabilityAnalyzer
-        
+
         log.info("Starting reachability analysis...")
-        
+
         # Find manifest files in scan paths (excluding .socket.facts.json to avoid circular dependency)
         log.info("Finding manifest files for reachability analysis...")
         manifest_files = []
+
+        # Always find all manifest files for the tar hash upload
         for scan_path in scan_paths:
             scan_manifests = core.find_files(scan_path)
             # Filter out .socket.facts.json files from manifest upload
@@ -289,7 +293,8 @@ def main_code():
                     concurrency=config.reach_concurrency,
                     additional_params=config.reach_additional_params,
                     allow_unverified=config.allow_unverified,
-                    enable_debug=config.enable_debug
+                    enable_debug=config.enable_debug,
+                    use_only_pregenerated_sboms=config.reach_only_use_pre_generated_sboms
                 )
 
                 log.info(f"Reachability analysis completed successfully")
@@ -301,6 +306,17 @@ def main_code():
                 if config.only_facts_file:
                     facts_file_to_submit = os.path.abspath(output_path)
                     log.info(f"Only-facts-file mode: will submit only {facts_file_to_submit}")
+
+                # If reach-only-use-pre-generated-sboms mode, submit CDX, SPDX, and facts file
+                if config.reach_only_use_pre_generated_sboms:
+                    # Find only CDX and SPDX files for the final scan submission
+                    sbom_files_to_submit = []
+                    for scan_path in scan_paths:
+                        sbom_files_to_submit.extend(core.find_sbom_files(scan_path))
+                    facts_path = os.path.abspath(output_path)
+                    if os.path.exists(facts_path):
+                        sbom_files_to_submit.append(facts_path)
+                    log.info(f"Pre-generated SBOMs mode: will submit {len(sbom_files_to_submit)} files (CDX, SPDX, and facts file)")
 
             except Exception as e:
                 log.error(f"Reachability analysis failed: {str(e)}")
@@ -331,6 +347,12 @@ def main_code():
         files_explicitly_specified = True
         log.debug(f"Overriding files to only submit facts file: {facts_file_to_submit}")
 
+    # Override files if reach-only-use-pre-generated-sboms mode is active
+    if sbom_files_to_submit:
+        specified_files = sbom_files_to_submit
+        files_explicitly_specified = True
+        log.debug(f"Overriding files to submit only SBOM files (CDX, SPDX, and facts): {sbom_files_to_submit}")
+
     # Determine files to check based on the new logic
     files_to_check = []
     force_api_mode = False