Always omit license details from full-scan diff request#221

Merged
lelia merged 5 commits into main from lelia/ce-224-cli-exclude-license-details-flag-not-wired-through-to on Jun 3, 2026

Conversation

@lelia
Contributor

@lelia lelia commented Jun 2, 2026

Summary

Follow-on PR to the fixes introduced in #211. Now that SocketDev/socket-sdk-python#84 is released as socketdev v3.1.2, this PR raises the CLI SDK floor to socketdev>=3.1.2 and makes the full-scan diff request (fullscans.stream_diff) always send include_license_details=false.

This prevents the large-repo truncation crash (Unterminated string / JSON parse failure) from recurring even when the user does not pass --exclude-license-details.

Scope of --exclude-license-details

--exclude-license-details still controls the human-facing dashboard report URL (?include_license_details=false), but no longer affects the internal diff payload. The CLI help text and changelog now describe that narrower scope.

License artifact output is unchanged: --generate-license continues to fetch license details from the dedicated PURL endpoint before writing Socket/FOSSA legal artifacts.

Versioning

This is a deliberate default-behavior change, so the CLI version is bumped to 2.4.0.

Tests

  • uv run --extra test pytest tests/core/test_sdk_methods.py tests/core/test_package_and_alerts.py tests/unit/test_socketcli.py tests/unit/test_fossa_compat.py -q (55 passed)

Fixes: CE-224

…E-224 follow-on)

The full-scan diff request (fullscans.stream_diff) now always sets
include_license_details=false, decoupled from the --exclude-license-details
flag. This prevents the CE-224 truncation crash (Unterminated string / JSON
parse failure on large repos, reported by the tremendous org) from recurring
even when the flag is not passed.

Why this is safe (no output changes): the license fields the diff endpoint can
embed are never consumed off the diff. With --generate-license off, the only
consumer (the legal/FOSSA artifact builder) never runs. With --generate-license
on, get_license_text_via_purl re-fetches license data from the dedicated PURL
endpoint and overwrites whatever the diff embedded before anything reads it.
Either way the embedded payload was dead weight that only bloated the response.

--exclude-license-details still works but its scope is now narrower: it controls
only the dashboard report URL, not the internal diff payload. Help text updated.
Core.get_added_and_removed_packages(..., include_license_details=True) remains as
an explicit override seam (exercised in tests).

Minor bump to 2.4.0: outputs are provably unchanged, but this is a deliberate
default-behavior change (2.3.0 made the flag propagate; 2.4.0 makes the lean diff
the default), which warrants a minor bump per the project's semver policy.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
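As an added illustration of the behaviour the description argues for (not code from socketcli or the socketdev SDK; the function names are stand-ins and the payloads are constructed), the sketch below keeps the diff request lean regardless of the flag, lets the flag touch only the report URL, and shows how a truncated diff body surfaces as the "Unterminated string" parse error:

```python
"""Model of the CE-224 fix: the diff request never asks for license
details, while --exclude-license-details only shapes the report URL.
Constructed stand-in; not socketcli's or socketdev's own code."""
import json
from urllib.parse import urlencode


def diff_request_params(include_license_details: bool = False) -> dict:
    """Parameters for the full-scan diff call (stands in for
    fullscans.stream_diff). The default is always lean; a caller must
    opt in explicitly, mirroring the override seam the PR keeps."""
    return {"include_license_details": include_license_details}


def report_url(base: str, before: str, after: str,
               exclude_license_details: bool) -> str:
    """Dashboard diff URL: the flag's only remaining effect is the
    ?include_license_details=false query parameter."""
    url = f"{base}/diff/{before}/{after}"
    if exclude_license_details:
        url += "?" + urlencode({"include_license_details": "false"})
    return url


def parse_diff_payload(raw: str) -> dict:
    """Parse a diff body. A response cut off mid-stream surfaces as
    json.JSONDecodeError ('Unterminated string starting at ...'),
    which is the crash this PR avoids by keeping the payload small."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"diff payload truncated or malformed: {exc.msg}") from exc


# Constructed payloads: a complete lean diff, and one cut mid-string the
# way an oversized response with embedded license text can be.
LEAN_DIFF = '{"artifacts": [{"name": "requests", "license": "Apache-2.0"}]}'
TRUNCATED_DIFF = ('{"artifacts": [{"name": "requests", "licenseDetails": '
                  '[{"text": "Apache License\\nVersion 2.0, Jan')
```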
@lelia lelia requested a review from a team as a code owner June 2, 2026 22:16
@github-actions

github-actions Bot commented Jun 2, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.4.0.dev4

Docker image: socketdev/cli:pr-221

@lelia lelia changed the title fix(core): always omit license details from full-scan diff request (CE-224 follow-on) Always omit license details from full-scan diff request Jun 2, 2026
Collaborator

@flowstate Eric Hibbs (flowstate) left a comment


LGTM with one nit:

The CHANGELOG entry could explicitly call out the --exclude-license-details scope narrowing as a "soft breaking change for flag-scripted use."

@socket-security

socket-security Bot commented Jun 2, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | pypi/socketdev@3.1.0 ⏵ 3.1.2 | 98 | 100 | 100 | 100 | 100 |

View full report

@lelia
Contributor Author

lelia commented Jun 2, 2026

> LGTM with one nit:
>
> The CHANGELOG entry could explicitly call out the --exclude-license-details scope narrowing as a "soft breaking change for flag-scripted use."

Eric Hibbs (@flowstate) fixed in: 970fb55

@lelia lelia temporarily deployed to socket-firewall June 2, 2026 23:36 — with GitHub Actions Inactive
@socket-security-staging

socket-security-staging Bot commented Jun 2, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | pypi/socketdev@3.1.0 ⏵ 3.1.2 | 98 | 100 | 100 | 100 | 100 |

View full report

@lelia lelia temporarily deployed to socket-firewall June 2, 2026 23:52 — with GitHub Actions Inactive
@lelia lelia merged commit a486d4a into main Jun 3, 2026
25 checks passed