
Changelog

What's new at Socket?

September 03

Version 1.0.22 of the Socket Python CLI has been released!

  • Fix for slow file discovery in large mono repos with more than 100k files
  • Fix for overly long error messages in some dependency overviews
  • Fix for determining whether the CLI should run, based on the files changed in the commit info

Python CLI can be found at:

  • https://pypi.org/project/socketsecurity/
  • https://github.com/SocketDev/socket-python-cli

August 27

New Alert: Suspicious Stars on GitHub

Socket is launching a new "Suspicious Stars on GitHub" alert today, based on research that uncovers a growing trend of bad actors paying for stars in order to artificially inflate the popularity of their repositories on GitHub.

Over the past five years, we have detected more than 3.7 million fake GitHub stars. Repos leveraging these stars have been linked with scams, fraud, and malware. Socket now flags packages that are associated with these repositories.

Suspicious Stars on GitHub is a high-severity alert under the supply chain category, due to its potential for malicious activity. This alert gives users more visibility into the legitimacy of a software package’s star count, and flags those whose star counts may have been artificially inflated by bots, crowdsourcing, or other means.

Check out the alert documentation and read the announcement post for a detailed analysis of the research that surfaced 3.7 million fake GitHub stars.

August 22

Version 1.0.17 of the Socket Python CLI has been released!

  • Added support for the web event for Gitlab
  • Changed the behavior for Gitlab to not error out on unknown event types

Python CLI can be found at:

  • https://pypi.org/project/socketsecurity/
  • https://github.com/SocketDev/socket-python-cli

August 14

New Default Security Policies

Socket is introducing three new customizable default security policies that should simplify configuration for many of our customers. They are based on extensive customer feedback and research and are aimed at reducing alert noise and managing false positives more effectively. We're also enabling several new alert types that were previously disabled.

New default security policies

  • Low Noise (traditional SCA)
  • Default (ideal for most customers)
  • Higher Noise (for more engaged teams)

These policies are based on recent enhancements to our alert system:

  • Block (formerly "Error"): Fails the Socket CI/CD check, blocking Pull Requests (PRs) or Merge Requests (MRs) until resolved.
  • Warn: Highlights issues in PRs/MRs without blocking them, allowing for context-specific decisions.
  • Monitor: Displays alerts in the Socket Dashboard for evaluation without cluttering the development workflow.
  • Ignore: Filters out irrelevant alerts entirely.

Timeline for Enabling the New Security Policies

Transition Period (August 14 - August 28, 2024): Review changes and lock in your preferences.

New Policies Take Effect (From August 28, 2024): Unless you've locked in specific settings, your policy will automatically update to the new default policy on this date. You will also gain the ability to switch between the three new policy options and continue fine-tuning your settings.

Check out the blog announcement for more details on the timeline, along with a detailed breakdown of how specific alerts are handled in the new policies.

August 14

'Mixed License' Alert Disabled

We are disabling the "mixed-license" alert, as our "license allow list" feature will soon be available to use instead.

The larger and more developed packages frequently found in a project's dependencies are almost certainly going to have what is technically mixed licensing (the terms of more than one license apply) so the alert can potentially be noisy for some users. However, users taking advantage of our license allow list feature do not need to be notified of mixed licensing if it doesn't violate their specified license policy.

Our License Enforcement feature is still in pre-release but customers who want early access can reach out to support@socket.dev.

August 14

Revamped Web Extension

The Socket web extension has been completely revamped. This update improves security and expands support to PyPI, Go, and Maven ecosystems, with more to come!

The new version protects against malicious packages and commands from any website (GitHub, StackOverflow, blogs, docs, etc.), which can be configured in the settings. Socket's real-time threat detection can be displayed on any website you choose to enable.

The updated extension also displays metrics on how many threats Socket has detected. All of these new features come packaged in a reduced size with lower memory usage and faster execution. (1500x smaller, only ~0.02MB)

August 13

PDF Export for Dependencies in the Dashboard

Socket now supports exporting your organization's dependencies as a PDF, using a new button in the dashboard.

Once license information is included, a PDF export of one's org dependencies is a great permanent record for book-keeping purposes. As of now, it also makes it easy to share a document of one's org dependencies.

We've added the ability to export various views from your organization's dashboard pages as PDF files. Specifically:

  • Dependency Overview: You can now save a PDF with a comprehensive, shareable overview of all your organization's dependencies (including package names, versions, types, and overall scores)
  • Alert Table Export: Save the current view of the alert table, reflecting the applied filters and ordering. Note: The export is available for views with up to 2,500 alerts.
  • Last but not least, you can save a PDF of your organization's overview statistics, repositories, and a sample of the threat feed.

To use: Look for the new button with the PDF icon on your organization's dashboard pages.

August 12

Version 1.0.14 of the Socket Python CLI has been released!

  • Added additional debug logging
  • Simplified the find_files functionality to improve performance
  • Fixed logic for ignoring alerts, diff logic of alerts, and consolidation of alerts in comments
  • Added full scan ID to the output results

Python CLI can be found at:

  • https://pypi.org/project/socketsecurity/
  • https://github.com/SocketDev/socket-python-cli

August 01

Version 1.0.3 of the Socket Python CLI has been released!

  • Fixed an issue with security comments not being consolidated to their main package purl
  • Fixed an issue with dependency overview comments not being consolidated to their main package purl
  • Fixed logic for diffing new alerts from current latest full scan for the default branch
  • Fixed ignore comment logic for correctly removing alerts based on the ignore comment
  • Added support to thumbsup processed ignore comments

Python CLI can be found at:

  • https://pypi.org/project/socketsecurity/
  • https://github.com/SocketDev/socket-python-cli

July 30

Version 1.0.1 of the Socket Python CLI has been released!

This resolves an issue where no comments end up on a PR if a commit is pushed and its action completes before the PR is created.

  • Added support for the pull_request event on Github.
  • This event type now runs on the `opened` state to handle the case where a commit was pushed, and the action completed, before the PR was created.

Python CLI can be found at:

  • https://pypi.org/project/socketsecurity/
  • https://github.com/SocketDev/socket-python-cli

July 29

Version 1.0.0 of the Socket Python CLI has been released!

  • Adds support for Security Policy Modes Block & Warn
    Note: The Python CLI does not currently support individually triaged alerts
  • Github and Gitlab comments now include a new column indicating whether each alert is Block or Warn
  • The console output will include the CI Status of Block/Warn as well
  • New option --ignore-commit-files to look for all manifest files, whether or not one is present in the last detected commit
  • Updated docker containers socketdev/cli:1.0.0 and socketdev/cli:latest have been pushed

Example Console Output

Example PR Comment Output:

July 20

New 'from' and 'repo' fields added to reports endpoint

For those using the Socket full-scan API, we now include from and repo fields for the v0/report/list endpoint, which filter the results by a unix timestamp and by repo slug respectively.

Here are the new fields with specific notes on how to use them:

  • Added a from querystring filter to the GET /report/list endpoint. The field accepts a unix timestamp in seconds and filters the report list from that date.
  • Added a repo querystring filter to the GET /report/list endpoint. The field filters the results by a repo slug.
  • Added a from querystring filter to the GET /orgs/{org_slug}/full-scans endpoint. The field accepts a unix timestamp in seconds and filters the report list from that date.
  • Added a repo querystring filter to the GET /orgs/{org_slug}/full-scans endpoint. The field filters the results by a repo slug.


July 18

Use yarn alternative resolution by default

Yarn's dependency resolution algorithm varies across yarn versions and scenarios. Without a node_modules folder as a source of truth, we opted to implement an alternative module resolution algorithm for yarn: we start by mapping the package.json dependencies to the entries in the yarn lock file, then traverse the lock file dependencies to generate an npm v1 lockfile, which we use as the reference to resolve modules.

July 18

Socket API adds new 'licenseattrib' option to the /v0/purl endpoint

The Socket API now supports a new licenseattrib option for the /v0/purl endpoint which includes license attribution data, including license text and author information in the endpoint response.

July 17

GitHub App Reports Now Run to Completion

This update fixes an accidental quadratic loop in the GitHub file ingest. GitHub app reports now run to completion even when we are unable to ingest the full set of manifest files from GitHub, which prevents larger repositories from timing out. Reports under these circumstances previously aborted.

July 16

Add unmaintained alert for Maven packages

Socket now supports the Unmaintained alert for Maven packages. This alert applies to packages that have not been updated in more than 5 years and may be unmaintained.

July 16

Display alert count on alert package pages

This update adds a badge with the estimated count of packages carrying the respective alert to the alerts/[alertType]/packages pages. We already expose this information indirectly via the pagination component at the bottom, but the badge offers a quick glimpse into the frequency of our various alert types. It gives a sense of how common a given alert is, which can be helpful when configuring one's security policy.

July 16

Add Deprecated alert for PyPI packages

Socket now supports the Deprecated alert for PyPI packages. It detects releases that have officially been yanked, i.e. where developers have marked a release as deprecated by setting the yanked attribute in the release metadata. This indicates that the release should not be used, but it doesn't delete it from the index. This approach helps inform users that they should avoid a particular version of a package while maintaining historical records.

July 11

Add CycloneDX export API endpoint

There's a new API endpoint to export a CycloneDX SBOM from a SocketSBOM report id or full scan id:

curl --request GET \
     --url https://api.socket.dev/v0/orgs/{org_slug}/export/cdx/{id} \
     --user '<api_key>_api:' \
     --header 'accept: application/json'

Check out the Export CycloneDX SBOM docs for more information on how to use this endpoint.
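The request construction for the two API additions above (the `from`/`repo` querystring filters from July 20 and the CycloneDX export endpoint from July 11), as an added example that is not Socket's own client code. Only URL and header construction is exercised offline; `fetch_json` performs the real call when given credentials. The basic-auth form (the API user as username with an empty password) mirrors the curl command on this page, and `component_purls` plus the sample BOM are assumptions used to show what a practitioner typically does with the exported SBOM.

```python
# Added example (not Socket's code): build authenticated requests for the
# full-scans / report-list filters and the CycloneDX export endpoint.
import base64
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.socket.dev/v0"


def auth_header(api_user):
    """HTTP basic auth: API user as username, empty password, as in the curl
    on this page (pass exactly the username form the Socket docs require)."""
    token = base64.b64encode(f"{api_user}:".encode()).decode()
    return {"Authorization": f"Basic {token}", "accept": "application/json"}


def _with_filters(path, from_ts=None, repo=None):
    """Append the optional from (unix seconds) and repo (slug) filters."""
    params = {}
    if from_ts is not None:
        if not isinstance(from_ts, int) or from_ts < 0:
            raise ValueError("from must be a non-negative unix timestamp in seconds")
        params["from"] = from_ts
    if repo is not None:
        params["repo"] = repo
    url = f"{API_BASE}{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def report_list_url(from_ts=None, repo=None):
    """GET /report/list with the new from/repo querystring filters."""
    return _with_filters("/report/list", from_ts, repo)


def full_scans_url(org_slug, from_ts=None, repo=None):
    """GET /orgs/{org_slug}/full-scans with the new from/repo filters."""
    return _with_filters(
        f"/orgs/{urllib.parse.quote(org_slug, safe='')}/full-scans", from_ts, repo
    )


def cdx_export_url(org_slug, scan_id):
    """GET /orgs/{org_slug}/export/cdx/{id}: CycloneDX SBOM for a report or full-scan id."""
    return (
        f"{API_BASE}/orgs/{urllib.parse.quote(org_slug, safe='')}"
        f"/export/cdx/{urllib.parse.quote(scan_id, safe='')}"
    )


def fetch_json(url, api_user, timeout=30):
    """Perform the GET and decode the JSON body (network call; not run in tests)."""
    req = urllib.request.Request(url, headers=auth_header(api_user))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample of the CycloneDX JSON shape the export returns.
SAMPLE_CDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "no-purl-component", "version": "0.1.0"},
    ],
}


def component_purls(bom):
    """Return the purls of all components that carry one, e.g. for diffing
    two exports or feeding a vulnerability lookup."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


if __name__ == "__main__":
    print(full_scans_url("my-org", from_ts=1720000000, repo="web"))
    print(cdx_export_url("my-org", "<full scan id>"))
    print(component_purls(SAMPLE_CDX))
    # Live use (replace with a real key and id):
    # bom = fetch_json(cdx_export_url("my-org", "<id>"), "<api_key>_api")
```

The `from` value is validated as a non-negative integer because the endpoint expects seconds, not milliseconds; passing a JavaScript-style millisecond timestamp would silently filter to the far future and return nothing.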

July 02

Updated dashboard to make dependencies clickable

This update makes each dependency's name a clickable link on the dependencies tables.

July 02

Added delete button for repositories

Socket now supports deleting repositories in the dashboard. The new delete button is available to admins and owners:

  • The delete button only works on repos created with the API on the repositories resource.
  • GitHub repos can be deleted by de-activating the permissions on the GitHub app.
  • This also fixes the 404 state on the repos list page.
  • This also fixes 404s when viewing a report that's associated with a deleted repo.
  • It also allows a recreated repository to share the slug of a deleted repository.

June 27

Socket CLI: Add dependencies search command

Search for any dependency that is being used in your organization

June 21

Socket CLI: Add audit log feature

This update implements a command to get an organization's audit log.

Demo:

June 21

Socket CLI: Add repos command

Implements commands to view, list, create, update, and delete an organization's repositories

June 18

Socket CLI: Add full scans feature

This update implements the full scans feature of the API in the CLI with the command socket scan.

Options:

  • list
    • <org slug>. e.g. socket scan list FakeOrg
  • stream
    • <org slug> <full scan ID>. e.g. socket scan stream FakeOrg 1234-oooo-5678-aaaa, or
    • <org slug> <full scan ID> <path to output file>. e.g. socket scan stream FakeOrg 1234-oooo-5678-aaaa ./output.txt
  • create
    • <org slug>. e.g. socket scan create FakeOrg <flags>
  • delete
    • <org slug> <full scan ID>. e.g. socket scan del FakeOrg 1234-oooo-5678-aaaa
  • metadata
    • <org slug> <full scan ID>. e.g. socket scan metadata FakeOrg 1234-oooo-5678-aaaa

June 13

Full support for alert triage action in audit log

  • adds human-readable label for alert triage action
  • ensures event type shows up in audit log select box

June 13

Filter alerts by alert triage in GitHub bot

Socket for GitHub now allows users to filter alerts by alert triage

June 10

Implement audit log API endpoint

Implements an audit log endpoint that matches Socket's dashboard features

June 03

Add API endpoints for license data and attribution

This adds two API endpoints, /license-details and /license-attrib, for getting an artifact's license information and license attribution information respectively.

It also updates the license panel to only take a purl argument, with the data and attribution being fetched from the API.
