feat: backport v1.x features and DRY out HTTP layer

Backport missing features from v1.x branch:
- SSL_CERT_FILE support for TLS certificate configuration
- Request URL included in API error messages
- --reach-version flag for scan/reach commands
- --reach-enable-analysis-splitting (splitting disabled by default)
- --reach-detailed-analysis-log-file flag
- --reach-disable-external-tool-checks flag for scan and fix commands
- --output flag for socket scan reach
- PR link/number in socket fix JSON output (ghsaDetails)
- Enhanced Coana error logging on reachability failure
- Remove unused cwd from output-scan-reach

DRY out HTTP requests:
- Replace all direct fetch() calls with socketHttpRequest wrapper
- Use httpRequest from @socketsecurity/lib for all HTTP communication
- Centralize SSL_CERT_FILE/CA cert handling in socketHttpRequest
- Remove hand-rolled _httpsRequestFetch redirect/TLS implementation

Author: jdalton

packages/cli/src/commands/ci/handle-ci.mts

@@ -55,15 +55,18 @@ export async function handleCi(autoManifest: boolean): Promise<void> {
       reachAnalysisTimeout: 0,
       reachConcurrency: 1,
       reachDebug: false,
+      reachDetailedAnalysisLogFile: false,
       reachDisableAnalytics: false,
-      reachDisableAnalysisSplitting: false,
+      reachDisableExternalToolChecks: false,
+      reachEnableAnalysisSplitting: false,
       reachEcosystems: [],
       reachExcludePaths: [],
       reachLazyMode: false,
       reachMinSeverity: '',
       reachSkipCache: false,
       reachUseOnlyPregeneratedSboms: false,
       reachUseUnreachableFromPrecomputation: false,
+      reachVersion: undefined,
       runReachabilityAnalysis: false,
     },
     repoName,

packages/cli/src/commands/fix/cmd-fix.mts

@@ -41,6 +41,7 @@ interface FixFlags {
   applyFixes: boolean
   autopilot: boolean
   debug: boolean
+  disableExternalToolChecks: boolean
   ecosystems: string[]
   exclude: string[]
   fixVersion: string | undefined
@@ -177,6 +178,12 @@ Available styles:
       'Enable debug logging in the Coana-based Socket Fix CLI invocation.',
     shortFlag: 'd',
   },
+  disableExternalToolChecks: {
+    type: 'boolean',
+    default: false,
+    description: 'Disable external tool checks during fix analysis.',
+    hidden: true,
+  },
   showAffectedDirectDependencies: {
     type: 'boolean',
     default: false,
@@ -324,6 +331,7 @@ async function run(
     applyFixes,
     autopilot,
     debug,
+    disableExternalToolChecks,
     ecosystems,
     exclude,
     fixVersion,
@@ -486,6 +494,7 @@ async function run(
     coanaVersion: fixVersion,
     cwd,
     debug,
+    disableExternalToolChecks: Boolean(disableExternalToolChecks),
     disableMajorUpdates,
     ecosystems: validatedEcosystems,
     exclude: excludePatterns,

packages/cli/src/commands/fix/coana-fix.mts

@@ -4,7 +4,6 @@ import path from 'node:path'
 
 import { joinAnd } from '@socketsecurity/lib/arrays'
 import { debug, debugDir } from '@socketsecurity/lib/debug'
-import { readJsonSync } from '@socketsecurity/lib/fs'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { pluralize } from '@socketsecurity/lib/words'
 
@@ -67,16 +66,24 @@ async function cleanupTempFile(filePath: string): Promise<void> {
   }
 }
 
+export type GhsaFixResult = {
+  ghsaId: string
+  fixed: boolean
+  pullRequestLink?: string | undefined
+  pullRequestNumber?: number | undefined
+}
+
 export async function coanaFix(
   fixConfig: FixConfig,
-): Promise<CResult<{ data?: unknown; fixed: boolean }>> {
+): Promise<CResult<{ fixedAll: boolean; ghsaDetails: GhsaFixResult[] }>> {
   const {
     all,
     applyFixes,
     autopilot,
     coanaVersion,
     cwd,
     debug: debugFlag,
+    disableExternalToolChecks,
     disableMajorUpdates,
     ecosystems,
     exclude,
@@ -188,7 +195,7 @@ export async function coanaFix(
       : ghsas.slice(0, prLimit)
     if (!idsToProcess.length) {
       spinner?.stop()
-      return { ok: true, data: { fixed: false } }
+      return { ok: true, data: { fixedAll: false, ghsaDetails: [] } }
     }
 
     // Create a temporary file for the output.
@@ -217,6 +224,9 @@ export async function coanaFix(
           '--output-file',
           tmpFile,
           ...(debugFlag ? ['--debug'] : []),
+          ...(disableExternalToolChecks
+            ? ['--disable-external-tool-checks']
+            : []),
           ...(disableMajorUpdates ? ['--disable-major-updates'] : []),
           ...(showAffectedDirectDependencies
             ? ['--show-affected-direct-dependencies']
@@ -233,17 +243,23 @@ export async function coanaFix(
         return fixCResult
       }
 
-      // Read the temporary file to get the actual fixes result.
-      const fixesResultJson = readJsonSync(tmpFile, { throws: false })
-
       // Copy to outputFile if provided.
       if (outputFile) {
         logger.info(`Copying fixes result to ${outputFile}`)
         const tmpContent = await fs.readFile(tmpFile, 'utf8')
         await fs.writeFile(outputFile, tmpContent, 'utf8')
       }
 
-      return { ok: true, data: { data: fixesResultJson, fixed: true } }
+      return {
+        ok: true,
+        data: {
+          fixedAll: true,
+          ghsaDetails: idsToProcess.map(id => ({
+            ghsaId: id,
+            fixed: true,
+          })),
+        },
+      }
     } finally {
       // Clean up the temporary file.
       await cleanupTempFile(tmpFile)
@@ -334,7 +350,7 @@ export async function coanaFix(
 
   if (!ids?.length || !fixEnv.repoInfo) {
     spinner?.stop()
-    return { ok: true, data: { fixed: false } }
+    return { ok: true, data: { fixedAll: false, ghsaDetails: [] } }
   }
 
   const displayIds =
@@ -390,6 +406,7 @@ export async function coanaFix(
 
   let count = 0
   let overallFixed = false
+  const ghsaFixResults: GhsaFixResult[] = []
 
   // Process each GHSA ID individually.
   // Use unprocessedIds instead of ids to skip already-fixed GHSAs.
@@ -417,6 +434,9 @@ export async function coanaFix(
         ...(exclude.length ? ['--exclude', ...exclude] : []),
         ...(ecosystems.length ? ['--purl-types', ...ecosystems] : []),
         ...(debugFlag ? ['--debug'] : []),
+        ...(disableExternalToolChecks
+          ? ['--disable-external-tool-checks']
+          : []),
         ...(disableMajorUpdates ? ['--disable-major-updates'] : []),
         ...(showAffectedDirectDependencies
           ? ['--show-affected-direct-dependencies']
@@ -609,6 +629,13 @@ export async function coanaFix(
         logger.info(`PR URL: ${data.html_url}`)
         logPrEvent('created', data.number, ghsaId, data.html_url)
 
+        ghsaFixResults.push({
+          fixed: true,
+          ghsaId,
+          pullRequestLink: data.html_url,
+          pullRequestNumber: data.number,
+        })
+
         // Mark GHSA as fixed in tracker.
         // eslint-disable-next-line no-await-in-loop
         await markGhsaFixed(cwd, ghsaId, data.number, branch)
@@ -707,6 +734,6 @@ export async function coanaFix(
 
   return {
     ok: true,
-    data: { fixed: overallFixed },
+    data: { fixedAll: overallFixed, ghsaDetails: ghsaFixResults },
   }
 }

packages/cli/src/commands/fix/handle-fix.mts

@@ -110,6 +110,7 @@ export async function handleFix({
   coanaVersion,
   cwd,
   debug: debugFlag,
+  disableExternalToolChecks,
   disableMajorUpdates,
   ecosystems,
   exclude,
@@ -136,6 +137,7 @@ export async function handleFix({
     coanaVersion,
     cwd,
     debug: debugFlag,
+    disableExternalToolChecks,
     disableMajorUpdates,
     ecosystems,
     exclude,
@@ -160,6 +162,7 @@ export async function handleFix({
       coanaVersion,
       cwd,
       debug: debugFlag,
+      disableExternalToolChecks,
       disableMajorUpdates,
       ecosystems,
       exclude,

packages/cli/src/commands/fix/types.mts

@@ -10,6 +10,7 @@ export type FixConfig = {
   coanaVersion: string | undefined
   cwd: string
   debug: boolean
+  disableExternalToolChecks: boolean
   disableMajorUpdates: boolean
   ecosystems: PURL_Type[]
   exclude: string[]

packages/cli/src/commands/scan/cmd-scan-create.mts

@@ -62,13 +62,16 @@ interface ScanCreateFlags {
   reachAnalysisTimeout: number
   reachConcurrency: number
   reachDebug: boolean
-  reachDisableAnalysisSplitting: boolean
+  reachDetailedAnalysisLogFile: boolean
   reachDisableAnalytics: boolean
+  reachDisableExternalToolChecks: boolean
+  reachEnableAnalysisSplitting: boolean
   reachLazyMode: boolean
   reachMinSeverity: string
   reachSkipCache: boolean
   reachUseOnlyPregeneratedSboms: boolean
   reachUseUnreachableFromPrecomputation: boolean
+  reachVersion: string
   readOnly: boolean
   repo: string
   report?: boolean | undefined
@@ -292,13 +295,16 @@ async function run(
     reachAnalysisTimeout,
     reachConcurrency,
     reachDebug,
-    reachDisableAnalysisSplitting,
+    reachDetailedAnalysisLogFile,
     reachDisableAnalytics,
+    reachDisableExternalToolChecks,
+    reachEnableAnalysisSplitting,
     reachLazyMode,
     reachMinSeverity,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
     reachUseUnreachableFromPrecomputation,
+    reachVersion,
     readOnly,
     reportLevel,
     setAsAlertsPage: pendingHeadFlag,
@@ -484,9 +490,9 @@ async function run(
     isUsingNonDefaultAnalytics ||
     hasReachEcosystems ||
     hasReachExcludePaths ||
+    reachEnableAnalysisSplitting ||
     reachLazyMode ||
-    reachSkipCache ||
-    reachDisableAnalysisSplitting
+    reachSkipCache
 
   // Validate target constraints when --reach is enabled.
   const reachTargetValidation = reach
@@ -650,8 +656,10 @@ async function run(
       reachAnalysisTimeout: validatedReachAnalysisTimeout,
       reachConcurrency: validatedReachConcurrency,
       reachDebug: Boolean(reachDebug),
+      reachDetailedAnalysisLogFile: Boolean(reachDetailedAnalysisLogFile),
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
-      reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+      reachDisableExternalToolChecks: Boolean(reachDisableExternalToolChecks),
+      reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachEcosystems,
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
@@ -661,6 +669,7 @@ async function run(
       reachUseUnreachableFromPrecomputation: Boolean(
         reachUseUnreachableFromPrecomputation,
       ),
+      reachVersion: reachVersion || undefined,
     },
     readOnly: Boolean(readOnly),
     repoName,