
Changelog

What's new at Socket?

November 14

Fixed Regressions with Missing Maven Packages and Scores

This update fixes two regressions related to Maven packages:

  • Fixed: Regression where Maven packages were not showing package scores. The logic changed around filtering based on purl and it didn't account for multiple artifacts (e.g., ext + classifier combos). This has been fixed by reverting to the old behavior that precomputes an exact key.
  • Fixed: Regression where Maven packages would be missing if they had more than one artifact.

These fixes make Maven package handling consistent regardless of how many artifacts a package has.
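As an added illustration of the collision behind the first regression (example code written for this entry, not Socket's implementation): a key computed from a Maven purl's coordinates alone cannot tell a jar, its sources jar and its pom apart, whereas a precomputed exact key that also carries the type and classifier qualifiers can. The purls, the scores table and the small purl parser below are all constructed for the example.

```python
"""Why a purl-based key must include Maven qualifiers.

Added example, not Socket's code. Everything here is constructed: the purls,
the score table and the minimal parser (real deployments would use the
packageurl library instead).
"""
from urllib.parse import parse_qsl, unquote

# Three artifacts of ONE Maven coordinate (constructed sample data).
ARTIFACTS = [
    "pkg:maven/com.example/widget@1.2.3?type=jar",
    "pkg:maven/com.example/widget@1.2.3?type=jar&classifier=sources",
    "pkg:maven/com.example/widget@1.2.3?type=pom",
]
# Constructed scores, one per artifact purl.
SCORES_BY_PURL = {ARTIFACTS[0]: 92, ARTIFACTS[1]: 88, ARTIFACTS[2]: 95}


def parse_purl(purl: str) -> dict:
    """Minimal parser for pkg:<type>/<namespace>/<name>@<version>?<qualifiers>.

    Hypothetical helper: it covers only the purl shapes used in this example.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):]
    qualifiers = {}
    if "?" in body:
        body, query = body.split("?", 1)
        qualifiers = dict(parse_qsl(query))
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
        version = unquote(version)
    ptype, _, rest = body.partition("/")
    namespace, _, name = rest.rpartition("/")
    return {"type": ptype, "namespace": namespace or None, "name": name,
            "version": version, "qualifiers": qualifiers}


def loose_key(purl: str) -> tuple:
    """Key from coordinates only: distinct artifacts of one coordinate collide."""
    p = parse_purl(purl)
    return (p["type"], p["namespace"], p["name"], p["version"])


def exact_key(purl: str) -> tuple:
    """Key that also carries ext (the purl 'type' qualifier) and classifier,
    so every artifact of the coordinate gets its own precomputed key."""
    q = parse_purl(purl)["qualifiers"]
    return loose_key(purl) + (q.get("type", "jar"), q.get("classifier", ""))


def index_by_key(purls, key_fn) -> dict:
    """Group purls by key_fn(purl)."""
    groups = {}
    for purl in purls:
        groups.setdefault(key_fn(purl), []).append(purl)
    return groups


def collisions(purls, key_fn) -> dict:
    """Keys shared by more than one purl; a lookup by such a key is ambiguous."""
    return {k: v for k, v in index_by_key(purls, key_fn).items() if len(v) > 1}


def scores_for(artifacts, scores_by_purl, key_fn) -> dict:
    """Join artifacts to the score table through key_fn.

    Each artifact receives the set of scores whose purl maps to the same key;
    a set with more than one member means the key cannot identify the artifact
    (the symptom behind the missing/mis-scored Maven packages).
    """
    index = {}
    for purl, score in scores_by_purl.items():
        index.setdefault(key_fn(purl), set()).add(score)
    return {purl: index.get(key_fn(purl), set()) for purl in artifacts}


if __name__ == "__main__":
    print("loose-key collisions:", collisions(ARTIFACTS, loose_key))
    print("exact-key collisions:", collisions(ARTIFACTS, exact_key))
    print("scores via exact key:", scores_for(ARTIFACTS, SCORES_BY_PURL, exact_key))
```

The same check generalises to any ecosystem whose purls carry distinguishing qualifiers: whenever a filter or join is keyed on a purl, the key must be computed from the full purl, including qualifiers, or artifacts sharing a coordinate will be merged.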

November 13

Alert Severity Indicators Updated for Consistency

We're improving consistency in our UI to make it easier for users to connect and interpret information across different pages.

What’s New: We've replaced alert severity badges ([C], [H], etc.) with intuitive symbols (e.g., triangle, diamond) across all UIs for a more unified experience.

  • Where It Applies:
    • Organization alerts page stats
    • Alert table headers and rows
    • Alert sidebar

This update aligns the alert severity indicators with those already used elsewhere, ensuring consistency and reducing cognitive load when navigating the Socket dashboard.

November 09

Old Report Endpoints Deprecated in Favor of Newer Full Scans Endpoints

We've deprecated outdated report API endpoints in favor of the newer Full Scans endpoints, which offer improved functionality and better support.

Deprecated Endpoints:

  • Delete Reports: /v0/report/delete/{id}
  • List Reports: /v0/report/list
  • Upload Reports: /v0/report/upload
  • View Reports: /v0/report/view/{id}

Transitioning to the updated endpoints ensures you're using the latest and greatest tools from Socket in your workflows. Check out the Full Scans API documentation for more details on the new endpoints.

November 08

New: License Policy API Endpoints

This update adds a license policy settings endpoint for our customers who want to change these settings from the API. It allows organizations to view and edit the license policy.

https://api.socket.dev/v0/orgs/{org_slug}/settings/license-policy

Check out the license policy API docs for implementation details.


November 08

Improved Capability Alerts: File Locations Now Included

Capability alerts now display the specific files associated with the potential risks, such as file system access or dynamic code execution.

By linking alerts to their exact file locations, we're addressing a key customer request: making it easier to investigate and act on capability alerts. Pinpointing the exact parts of the code responsible for an alert enables faster and more targeted investigations.

November 07

Web Extension Now Supports Go

We're excited to announce that the latest version of our Web Extension includes full support for Go, showing threats and security metrics for Go packages as you visit websites.

Here's what's new:

  • Added support for https://pkg.go.dev and external links to modules
  • Added support for go get|install commands
  • Added support for Go PURLs (e.g. pkg:golang/google.golang.org/genproto)

If you're not yet using the Socket Web Extension, install it on Chrome or Firefox to get real-time threat detection on any website (e.g. GitHub, npm, PyPI, Maven Central, pkg.go.dev, Stack Overflow) or configure it for specific sites.

November 01

Improved Appearance and Behavior of Filtering Controls in Dashboard Pages

We're making some UI/UX improvements to the experience of filtering data tables in the Socket dashboard that will enhance usability, ensure consistency across dashboard components, and provide a cleaner, more intuitive interface for users.

This update includes:

  • Boolean Filter Improvements
    • Replaced the non-functional search input with a static label for filters that only offer boolean options (True/False), ensuring better usability.
  • Filter Icon Addition
    • Added a filter icon to the left side of horizontal selection lists to enhance visual consistency with the existing "Filters" button.

These changes improve navigation and reduce visual clutter, laying the groundwork for future UI/UX enhancements. Stay tuned for more updates that will make Socket data tables easier to filter and navigate.

October 31

Socket Optimize Update: Introducing --pin & --prod Options, Enhanced Workspaces, and Node 18+ Support

We’re excited to introduce the latest enhancements to Socket Optimize. Our new --pin option allows you to lock override versions effortlessly, ensuring consistent and reliable dependency management. With the --prod flag, you can now target production dependencies exclusively, streamlining your deployment process.

We've significantly improved workspace support for seamless multi-package handling, implemented more intuitive and helpful error messages to make troubleshooting a breeze, and upgraded all packages to fully support Node.js 18 and above.

New options:

  • --pin: pin override versions
  • --prod: overrides for prod deps only

Improved:

  • better workspaces support
  • helpful error messages
  • all packages support Node 18+

October 30

Organization Alerts and Recently Viewed Reports Now Load Instantly

We’re excited to unveil a significant performance improvement in Socket’s organization alerts and recently viewed reports! With this update, organization alerts are now cached on the client side for 15 minutes. This enhancement dramatically reduces server load and speeds up report page refreshes, ensuring that recently viewed reports and organization alerts load instantly.

Whether you're managing multiple tabs or navigating through extensive data, enjoy a smoother and more responsive user experience with our optimized caching solution. This update adds a ServiceWorker cache for alerts endpoints.

October 26

Socket CLI Renamed to 'Socket'

The package for the Socket CLI has officially been renamed to socket. Formerly available at @socketsecurity/cli, the CLI has moved to its new, more memorable namespace on npm: https://www.npmjs.com/package/socket

This change simplifies how you install our CLI tool but does not impact any of the commands. We will soon be deprecating the old package.

October 17

New API Routes for Organization Security Policy Settings

Some of our customers have requested the ability to set security policy settings via the API. This update delivers API endpoints for org security policies:

  • What’s New: GET and POST routes at /orgs/{org_slug}/settings/security-policy, mirroring the functionality of our website UI.

The endpoints behave the same as the website UI. Explore the API documentation for implementation details.

October 16

Native Code Alert Enhanced to Support Multiple Ecosystems

We have enhanced the "Native Code" alert to support multiple ecosystems beyond npm. Previously limited to detecting binding.gyp files for native add-ons in npm packages, the alert now scans for prebuilt binaries and ecosystem-specific files across various programming languages.

October 05

New: Support for the Yarn 'resolutions' Field

This update adds support for Yarn's "resolutions" field, which allows you to override the resolved version of specific dependencies. The field is frequently used to instruct Yarn to use a specific package version when you want to force all your packages to use a single version of a dependency, or to backport a fix.

For more information on the specifics of our Yarn support, check out the updated documentation.


October 05

Full Scans API Expanded: More Dashboard Metrics and Better Repository Controls

This update to our Full Scans API gives users more data from various repository integrations and significantly improves repository management in the dashboard. It offers a more complete picture of how your organization is interacting with Socket and makes it easier to perform certain actions within the dashboard UI:

  • API: Full Scans API now supports API, GitHub, GitLab, BitBucket and Azure metadata fields when viewed in the Socket dashboard.
  • Repositories created by the GitHub app can now be deleted from the Organization Dashboard.
  • Improved naming rules around Repositories and branch names associated with full scans.
  • Full scan committer count is included in the dashboard overview metrics.
  • Support for more Organization overview metrics for organizations without a GitHub integration.
  • API: Full scans created by the API no longer require a branch name.

Check out the Full Scans API docs for more information on interacting with our API.

October 04

New Read-Only Format for Security Policies

Organization "members" can now view the security policy page of their organization in a read-only format. This update ensures that all full members (users with "contributor" level access are excluded) of an organization can stay informed about the configured alert actions without compromising the integrity of the policy through unauthorized edits. As before, only organization administrators and owners can change the configured default security policy and alert actions.

October 03

Web Extension Revamped: Improved Performance, UI Enhancements, and Essential Bug Fixes

We made some major improvements to our web extension based on user feedback. The UI has been polished to provide a more intuitive and user-friendly experience, making it easier to navigate security metrics while browsing the web.

This update includes the following bug fixes and enhancements:

  • Filtered invalid package names in order to reduce unnecessary API calls
  • Improved style robustness and reduced the risk of the extension's styles being overridden by CSS resets
  • Added a reset button to the popup to reset stats
  • Handled Gem PURL enhancements
  • Fixed a regression where SPAs and links to packages weren't handled correctly (e.g. on https://www.npmjs.com/package/express, clicking the Dependents tab did not scan the packages listed, but it should)
  • Refactored into multiple files, as the main file was getting too big, and to prepare for more features
  • Fixed the popover position on https://rubygems.org/search?query=rails

Check out the Socket Web Extension docs for more details on its capabilities and permissions. We also have a guide for organizations that are interested in deploying the extension via Google Workspace.

September 25

Introducing Support for Jenkins Jobs

We're pleased to add support for Jenkins Jobs to our CI/CD integrations. This new feature allows you to incorporate Socket’s powerful security and automation capabilities directly into your Jenkins workflows, ensuring that your builds are not only efficient but also secure from potential threats.

With Socket for Jenkins Jobs, developers and DevOps teams can now automate security checks, monitor build processes, and enforce compliance standards effortlessly. Whether you're running complex deployments or managing multiple projects, this integration simplifies your workflow.

To get started and learn more about setting up Jenkins Jobs with Socket, visit our official documentation.

September 13

Initial Version 1.0.9 of the Socket Python SDK has been released!

  • Added support for from_time for the report.list() function which supports a unix timestamp in seconds
  • Added support to specify the timeout for Socket API Calls in timeout for socketdev
  • Updated the README.rst to include fixed examples for the initialization. Now properly reads socket = socketdev(token="REPLACE_ME")
  • Updated the sbom API to include the new function sbom.create_packages_dict() to be used with other Socket tools
  • Updated import statements to use socket_sdk_python in preparation for publishing to pypi
  • Added a build script for publishing to pypi
  • Added pyproject.toml for publishing to pypi which is replacing setup.cfg
  • Pushed version 1.0.9

Socket Python SDK can be found at:

September 07

Socket CLI Adds Threat Feed Command

This update adds a command to get the Socket threat feed in the CLI:

socket threat-feed

The following flags are available:

  • --perPage
  • --page
  • --direction
  • --filter

The output can also be returned as a JSON object with the --json flag.

September 06

GitHub App Now Creates Full-Scans on Push Events

  • The GitHub app now generates full-scan resources for all scans triggered by push events.
  • Dependency scans run by the GitHub app are now accessible through the full_scans API endpoint.
  • The API returns a paginated list of all full scans for an organization, excluding SBOM artifacts.

This update enhances integration with the GitHub app by providing complete scan data through the full_scans API.

Check out the documentation for details on how to retrieve a paginated list of full scans using the full_scans API endpoint, including parameters, responses, and examples for integration.

September 05

Ruby Now Available (Experimental)

We’re excited to announce that Ruby support is now available in Experimental! This release brings fully functional core alerts and Ruby gem security scanning for your Ruby projects.

We're still working through some bugs with package pages in this initial release but should have those resolved soon.

September 04

New Dashboard Analytics

Socket is introducing dashboard analytics, a feature that has frequently been requested by our users. It shows graphs for analytics at both the organization and repository levels, including the following:

  • Total number of critical and high alerts found in the main branches across the repositories
  • Total number of critical and high alerts that have been merged to the default branches on a given day
  • Total number of alerts prevented from being merged to the default branches
  • Top 5 alert types across the organization

Data is ingested once per day and filters are available to display the data ingested in the last 7, 30 and 90 days. The data can also be exported as CSV or JSON.

Check out the announcement on the blog for more details.

September 03

Version 1.0.22 of the Socket Python CLI has been released!

  • Fix for slow times when finding files in large mono repos with greater than 100k files
  • Fix for too long errors for some dependency overviews
  • Fix for making determinations on if the CLI should run based on files changed in the commit info

Python CLI can be found at:

August 28

API: Added Support for a "from" Query Filter to the Audit-Log Endpoint

We updated our API to support a from query filter for the audit-log endpoint, in the form of a unix epoch timestamp in seconds. It enables customer integrations that run the audit log on an interval and fetch only the latest updates.

By using this query filter, customers can efficiently retrieve only the most recent audit log entries, saving time and resources.

August 27

New Alert: Suspicious Stars on GitHub

Socket is launching a new "Suspicious Stars on GitHub" alert today, based on research that uncovers a growing trend of bad actors paying for stars in order to artificially inflate the popularity of their repositories on GitHub.

Over the past five years, we have detected more than 3.7 million fake GitHub stars. Repos leveraging these stars have been linked with scams, fraud, and malware. Socket now flags packages that are associated with these repositories.

Suspicious Stars on GitHub is a high-severity alert in the supply chain category, due to its potential for malicious activity. This alert gives users more visibility into the legitimacy of a software package’s star count and flags packages whose stars may have been artificially inflated by bots, crowdsourcing, or other means.

Check out the alert documentation and read the announcement post for a detailed analysis of the research that surfaced 3.7 million fake GitHub stars.

August 22

Version 1.0.17 of the Socket Python CLI has been released!

  • Added support for the web event for Gitlab
  • Changed the behavior for Gitlab to not error out on unknown event types

Python CLI can be found at:

August 14

New Default Security Policies

Socket is introducing three new customizable default security policies that should simplify configuration for many of our customers. They are based on extensive customer feedback and research and are aimed at reducing alert noise and managing false positives more effectively. We're also enabling several new alert types that were previously disabled.

New default security policies

  • Low Noise (traditional SCA)
  • Default (ideal for most customers)
  • Higher Noise (for more engaged teams)

These policies are based on recent enhancements to our alert system:

  • Block (formerly "Error"): Fails the Socket CI/CD check, blocking Pull Requests (PRs) or Merge Requests (MRs) until resolved.
  • Warn: Highlights issues in PRs/MRs without blocking them, allowing for context-specific decisions.
  • Monitor: Displays alerts in the Socket Dashboard for evaluation without cluttering the development workflow.
  • Ignore: Filters out irrelevant alerts entirely.

Timeline for Enabling the New Security Policies

Transition Period (August 14 - August 28, 2024): Review changes and lock in your preferences.

New Policies Take Effect (From August 28, 2024): Unless you've locked in specific settings, your policy will automatically update to the new default policy on this date. You will also gain the ability to switch between the three new policy options and continue fine-tuning your settings.

Check out the blog announcement for more details on the timeline, along with a detailed breakdown of how specific alerts are handled in the new policies.

August 14

'Mixed License' Alert Disabled

We are disabling the "mixed-license" alert, as our "license allow list" feature will soon be available to use instead.

The larger and more developed packages frequently found in a project's dependencies are almost certainly going to have what is technically mixed licensing (the terms of more than one license apply) so the alert can potentially be noisy for some users. However, users taking advantage of our license allow list feature do not need to be notified of mixed licensing if it doesn't violate their specified license policy.

Our License Enforcement feature is still in pre-release but customers who want early access can reach out to support@socket.dev.

August 14

Revamped Web Extension

The Socket web extension has been completely revamped. This update improves security and expands support to PyPI, Go, and Maven ecosystems, with more to come!

The new version protects against malicious packages and commands from any website (GitHub, StackOverflow, blogs, docs, etc.), which can be configured in the settings. Socket's real-time threat detection can be displayed on any website you choose to enable.

The updated extension also displays metrics on how many threats Socket has detected. All of these new features come packaged in a reduced size with lower memory usage and faster execution. (1500x smaller, only ~0.02MB)

August 13

PDF Export for Dependencies in the Dashboard

Socket now supports exporting your organization's dependencies as a PDF, using a new button in the dashboard.

Once license information is included, a PDF export of one's org dependencies is a great permanent record for book-keeping purposes. As of now, it also makes it easy to share a document of one's org dependencies.

We've added the ability to export various views from your organization's dashboard pages as PDF files. Specifically:

  • Dependency Overview: You can now save a PDF with a comprehensive, shareable overview of all your organization's dependencies (including package names, versions, types, and overall scores)
  • Alert Table Export: Save the current view of the alert table, reflecting the applied filters and ordering. Note: The export is available for views with up to 2,500 alerts.
  • Last but not least, you can save a PDF of your organization's overview statistics, repositories, and a sample of the threat feed.

To use: Look for the new button with the PDF icon on your organization's dashboard pages.

August 12

Version 1.0.14 of the Socket Python CLI has been released!

  • Added additional debug logging
  • Simplified the find_files functionality to improve performance
  • Fixed logic for ignoring alerts, diff logic of alerts, and consolidation of alerts in comments
  • Added full scan ID to the output results

Python CLI can be found at:

August 01

Version 1.0.3 of the Socket Python CLI has been released!

  • Fixed an issue with security comments not being consolidated to their main package purl
  • Fixed an issue with dependency overview comments not being consolidated to their main package purl
  • Fixed logic for diffing new alerts from current latest full scan for the default branch
  • Fixed ignore comment logic for correctly removing alerts based on the ignore comment
  • Added support to thumbsup processed ignore comments

Python CLI can be found at:

July 30

Version 1.0.1 of the Socket Python CLI has been released!

This resolves an issue where no comments end up on a PR if a commit is pushed and completes its action before a PR is created.

  • Added support for the pull_request event on Github.
  • This event type will now run on the `opened` state to handle the case where a commit had been pushed, and the action completed, before the PR was created.

Python CLI can be found at:

July 30

Maven Support Now In Public Beta

We’re excited to announce that Maven support is now available in Public Beta! This means that it is feature complete, stable, and rolled out to all users.

With this update, Socket will automatically scan any project that includes a Maven manifest, providing comprehensive vulnerability data and dependency analyses. Whether you're managing Java applications or other Maven-based projects, you can now stay ahead of potential threats with Socket's real-time security alerts.

July 29

Version 1.0.0 of the Socket Python CLI has been released!

  • Adds support for Security Policy Modes Block & Warn
    Note: The Python CLI does not currently support individually triaged alerts
  • Comments have been updated to have a new column in Github and Gitlab Comments with the new version to indicate Block/Warn
  • The console output will include the CI Status of Block/Warn as well
  • New option --ignore-commit-files to look for all manifest files whether or not there is one in the last commit detected
  • Updated docker containers of socketdev/cli:1.0.0 and socketdev/cli:latest have been pushed

Example Console Output

Example PR Comment Output:

July 20

New 'from' and 'repo' fields added to reports endpoint

For those using the Socket full-scan API, we now include from and repo fields for the v0/report/list endpoint that filter the results based on a unix timestamp and a repo slug.

Here are the new fields with specific notes on how to use them:

  • Added a from querystring filter to the GET /report/list endpoint. The field accepts a unix timestamp in seconds and filters the report list from that date.
  • Added a repo querystring filter to the GET /report/list endpoint. The field filters the results by a repo slug.
  • Added a from querystring filter to the GET /orgs/{org_slug}/full-scans endpoint. The field accepts a unix timestamp in seconds and filters the report list from that date.
  • Added a repo querystring filter to the GET /orgs/{org_slug}/full-scans endpoint. The field filters the results by a repo slug.
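An added example of how a client can use the from and repo filters listed above for incremental polling; the same from semantics (unix seconds) apply to the audit-log endpoint described in the August 28 entry. This is example code written for this changelog, not Socket's client or SDK. It assumes the GET /orgs/{org_slug}/full-scans path from the list above, that from is inclusive, and that authentication is HTTP basic auth in the form the curl example elsewhere on this page uses (the key followed by "_api" as the user name, empty password); the HTTP transport is replaced by a constructed in-memory store so the logic runs offline. Because from has one-second granularity, a poll that starts at the last seen second returns already-seen items again, so the watermark also remembers the ids seen in that second.

```python
"""Incremental polling with the `from` (unix seconds) and `repo` filters.

Added example, not Socket's own code. Assumptions: `from` is inclusive, the
endpoint path is /v0/orgs/{org_slug}/full-scans, and auth follows the curl
example on this page. The network call is a constructed in-memory fake.
"""
import base64
from urllib.parse import parse_qs, urlencode, urlparse

API_BASE = "https://api.socket.dev/v0"


def build_request(org_slug, api_key, since=None, repo=None):
    """Return (url, headers) for one poll. `since` is a unix timestamp in seconds."""
    params = {}
    if since is not None:
        params["from"] = int(since)
    if repo:
        params["repo"] = repo
    url = f"{API_BASE}/orgs/{org_slug}/full-scans"
    if params:
        url += "?" + urlencode(params)
    # Basic auth as in the curl example: "<api_key>_api" as user, empty password.
    token = base64.b64encode(f"{api_key}_api:".encode()).decode()
    return url, {"Authorization": f"Basic {token}", "accept": "application/json"}


class Watermark:
    """Newest `created_at` seen plus the ids already emitted at that second.

    `from` is assumed inclusive with one-second resolution, so the next poll
    returns everything from that second again; the id set filters those out
    while still catching an item created in that second after the last poll.
    """

    def __init__(self):
        self.since = None           # unix seconds of the newest item seen
        self.seen_at_since = set()  # ids emitted with created_at == since

    def filter_new(self, items):
        fresh = []
        for item in sorted(items, key=lambda i: (i["created_at"], i["id"])):
            ts, item_id = item["created_at"], item["id"]
            if self.since is not None and ts < self.since:
                continue
            if ts == self.since and item_id in self.seen_at_since:
                continue
            fresh.append(item)
            if self.since is None or ts > self.since:
                self.since, self.seen_at_since = ts, {item_id}
            else:
                self.seen_at_since.add(item_id)
        return fresh


def fake_fetch(store, url):
    """Constructed stand-in for the HTTP GET: applies from/repo server-side."""
    q = parse_qs(urlparse(url).query)
    since = int(q["from"][0]) if "from" in q else None
    repo = q["repo"][0] if "repo" in q else None
    return [s for s in store
            if (since is None or s["created_at"] >= since)
            and (repo is None or s["repo"] == repo)]


def poll(wm, fetch, org_slug, api_key, repo=None):
    """One polling round: request from the watermark, return ids of new items."""
    url, _headers = build_request(org_slug, api_key, wm.since, repo)
    return [s["id"] for s in wm.filter_new(fetch(url))]


def run_demo():
    """Three polls against a constructed store. A scan created in the same
    second as the watermark, but after the previous poll, is emitted exactly once."""
    store = [
        {"id": "scan-1", "created_at": 1720000000, "repo": "web"},
        {"id": "scan-2", "created_at": 1720000060, "repo": "api"},
        {"id": "scan-3", "created_at": 1720000060, "repo": "web"},
    ]
    fetch = lambda url: fake_fetch(store, url)  # noqa: E731
    wm = Watermark()
    rounds = [poll(wm, fetch, "acme", "EXAMPLE_KEY")]
    store += [
        {"id": "scan-4", "created_at": 1720000060, "repo": "web"},  # same second as watermark
        {"id": "scan-5", "created_at": 1720000120, "repo": "api"},
    ]
    rounds.append(poll(wm, fetch, "acme", "EXAMPLE_KEY"))
    rounds.append(poll(wm, fetch, "acme", "EXAMPLE_KEY"))  # nothing new
    return rounds


if __name__ == "__main__":
    print(run_demo())
```

In a real integration the watermark (since plus the id set) should be persisted between runs, otherwise a restart replays the whole history or, worse, skips the boundary second.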


July 18

Use yarn alternative resolution by default

Yarn's dependency resolution algorithm varies across Yarn versions and scenarios. Without a node_modules folder as a source of truth, we opted to implement an alternative module resolution algorithm for Yarn: we start by mapping the package.json dependencies to the entries found in the yarn.lock file, then traverse the lock file's dependencies to generate an npm v1 lockfile, which we use as the reference for resolving modules.
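An added, simplified walk-through of that algorithm, which also shows where the Yarn "resolutions" field from the October 05 entry enters the picture. This is example code written for this changelog, not Socket's implementation: the yarn.lock parser handles only the v1 format shapes used in the sample, every dependency is nested under its parent instead of being hoisted (valid npm v1 structure, just not deduplicated), resolutions are honoured only for plain package names (not glob patterns such as **/name), and the package.json and yarn.lock below are constructed.

```python
"""package.json + yarn.lock -> npm v1 lockfile (simplified).

Added example, not Socket's code. Simplifications: yarn v1 lockfile syntax
only, no hoisting, resolutions only for plain package names. Sample files are
constructed.
"""
import json

PACKAGE_JSON = {  # constructed
    "dependencies": {"app-core": "^1.0.0"},
    "resolutions": {"left-pad": "1.3.0"},
}

YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


app-core@^1.0.0:
  version "1.2.0"
  resolved "https://registry.example.test/app-core/-/app-core-1.2.0.tgz"
  integrity sha512-constructed-app-core
  dependencies:
    left-pad "^1.0.0"
    tiny-log "~2.1.0"

"left-pad@1.3.0", "left-pad@^1.0.0":
  version "1.3.0"
  resolved "https://registry.example.test/left-pad/-/left-pad-1.3.0.tgz"
  integrity sha512-constructed-left-pad

tiny-log@~2.1.0:
  version "2.1.4"
  resolved "https://registry.example.test/tiny-log/-/tiny-log-2.1.4.tgz"
  integrity sha512-constructed-tiny-log
  dependencies:
    left-pad "^1.0.0"
"""


def parse_yarn_lock(text):
    """Map every 'name@range' pattern to its entry dict (version, resolved,
    integrity, dependencies). Several patterns may share one entry."""
    entries, current, in_deps = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:  # entry header: one or more comma-separated patterns
            current = {"dependencies": {}}
            for pattern in line.rstrip(":").split(","):
                entries[pattern.strip().strip('"')] = current
            in_deps = False
        elif indent == 2:
            in_deps = line in ("dependencies:", "optionalDependencies:")
            if not in_deps:
                key, _, value = line.partition(" ")
                current[key] = value.strip('"')
        elif indent == 4 and in_deps:
            name, _, rng = line.partition(" ")
            current["dependencies"][name.strip('"')] = rng.strip('"')
    return entries


def to_npm_v1_lock(package_json, lock_entries):
    """Build a nested npm v1 lockfile dict from the root dependencies."""
    roots = {**package_json.get("dependencies", {}),
             **package_json.get("devDependencies", {})}
    resolutions = package_json.get("resolutions", {})

    def lookup(name, rng):
        # A "resolutions" entry pins the package tree-wide; yarn.lock then also
        # carries the pinned pattern, so prefer it over the requested range.
        patterns = [f"{name}@{rng}"]
        if name in resolutions:
            patterns.insert(0, f"{name}@{resolutions[name]}")
        for pattern in patterns:
            if pattern in lock_entries:
                return lock_entries[pattern]
        raise KeyError(f"{patterns[-1]} is not in yarn.lock")

    def build(name, rng, path):
        entry = lookup(name, rng)
        node = {"version": entry["version"]}
        for field in ("resolved", "integrity"):
            if field in entry:
                node[field] = entry[field]
        if entry["dependencies"]:
            node["requires"] = dict(entry["dependencies"])
            children = {}
            for child, child_rng in entry["dependencies"].items():
                if child in path:  # cycle: keep the edge in requires, stop nesting
                    continue
                children[child] = build(child, child_rng, path | {child})
            if children:
                node["dependencies"] = children
        return node

    return {"lockfileVersion": 1,
            "dependencies": {n: build(n, r, frozenset({n})) for n, r in roots.items()}}


def build_lock():
    return to_npm_v1_lock(PACKAGE_JSON, parse_yarn_lock(YARN_LOCK))


if __name__ == "__main__":
    print(json.dumps(build_lock(), indent=2))
```

The resulting tree is what a module resolver can walk: each package's requires records the ranges it asked for, and its nested dependencies record what those ranges resolved to under the lockfile, so the pinned left-pad 1.3.0 appears under both app-core and tiny-log.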

July 18

Socket API adds new 'licenseattrib' option to the /v0/purl endpoint

The Socket API now supports a new licenseattrib option for the /v0/purl endpoint which includes license attribution data, including license text and author information in the endpoint response.

July 17

GitHub App Reports Now Run to Completion

This update fixes an accidental quadratic loop in the GitHub file ingest. It enables GitHub app reports to run to completion even when we are unable to ingest the full set of manifest files from GitHub, which keeps larger repositories from timing out. Reports under these circumstances previously aborted.

July 16

Add unmaintained alert for Maven packages

Socket now supports the Unmaintained alert for Maven packages. This alert applies to packages that have not been updated in more than 5 years and may be unmaintained.

July 16

Display alert count on alert package pages

This update adds a badge with the estimated count of packages carrying the respective alert to the alerts/[alertType]/packages pages. We already exposed this information indirectly via the pagination component at the bottom, but the badge offers a quick glimpse into how frequent each alert type is, which can be helpful when configuring one's security policy.

July 16

Add Deprecated alert for PyPI packages

Socket now supports the Deprecated alert for PyPI packages. It detects releases that have officially been yanked, i.e. where the developers have marked the release as deprecated by setting the yanked attribute in its release metadata. Yanking signals that the release should not be used, but does not delete it from the index, so users are warned away from a particular version while the historical record is preserved.
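An added example of reading that metadata, written for this changelog and not Socket's detector: the PyPI JSON API exposes a yanked boolean and a yanked_reason string on every file under releases, and a version only counts as yanked when all of its files are. The response below is constructed in that shape; the partially yanked version shows the edge case where only one distribution (here the wheel) was pulled.

```python
"""Classify PyPI releases by their `yanked` file metadata.

Added example, not Socket's code. Uses the documented `yanked` and
`yanked_reason` fields of the PyPI JSON API (https://pypi.org/pypi/<name>/json);
the response below is constructed.
"""
import json

PYPI_JSON = json.dumps({  # constructed response, shaped like the PyPI JSON API
    "info": {"name": "example-pkg", "version": "1.2.0"},
    "releases": {
        "1.0.0": [
            {"filename": "example_pkg-1.0.0.tar.gz", "yanked": False, "yanked_reason": None},
        ],
        "1.1.0": [
            {"filename": "example_pkg-1.1.0-py3-none-any.whl", "yanked": True,
             "yanked_reason": "Broken install"},
            {"filename": "example_pkg-1.1.0.tar.gz", "yanked": True,
             "yanked_reason": "Broken install"},
        ],
        "1.1.1": [
            {"filename": "example_pkg-1.1.1-py3-none-any.whl", "yanked": True,
             "yanked_reason": "bad wheel"},
            {"filename": "example_pkg-1.1.1.tar.gz", "yanked": False, "yanked_reason": None},
        ],
        "1.2.0": [
            {"filename": "example_pkg-1.2.0.tar.gz", "yanked": False, "yanked_reason": None},
        ],
    },
})


def classify_releases(pypi_json: str) -> dict:
    """Split versions into fully yanked ({version: reason}) and partially
    yanked ({version: [yanked filenames]}). A version with no files is neither."""
    data = json.loads(pypi_json)
    fully, partial = {}, {}
    for version, files in data.get("releases", {}).items():
        flags = [bool(f.get("yanked", False)) for f in files]
        if files and all(flags):
            reasons = sorted({f.get("yanked_reason") or "" for f in files} - {""})
            fully[version] = "; ".join(reasons) or None
        elif any(flags):
            partial[version] = [f["filename"] for f in files if f.get("yanked")]
    return {"yanked": fully, "partially_yanked": partial}


def alert_for(pypi_json: str, version: str):
    """Return a Deprecated-style alert dict when `version` is fully yanked,
    otherwise None (partially yanked versions still have installable files)."""
    classes = classify_releases(pypi_json)
    if version in classes["yanked"]:
        return {"type": "deprecated", "version": version,
                "reason": classes["yanked"][version]}
    return None


if __name__ == "__main__":
    print(classify_releases(PYPI_JSON))
    print(alert_for(PYPI_JSON, "1.1.0"))
```

Treating a partially yanked version as deprecated would be a false positive for users installing the remaining sdist, which is why the two classes are kept apart.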

July 11

Add CycloneDX export API endpoint

There's a new API endpoint to export a CycloneDX SBOM from a SocketSBOM report id or full scan id:

curl --request GET \
     --url https://api.socket.dev/v0/orgs/{org_slug}/export/cdx/{id} \
     --user '<api_key>_api:' \
     --header 'accept: application/json'

Check out the Export CycloneDX SBOM docs for more information on how to use this endpoint.

July 02

Updated dashboard to make dependencies clickable

This update makes each dependency's name a clickable link on the dependencies tables.

July 02

Added delete button for repositories

Socket now supports deleting repositories in the dashboard. The new delete button is available to admins and owners:

  • The delete button only works on repos created with the API via the repositories resource.
  • GitHub repos are removed by de-activating the repository permissions in the GitHub app.
  • This also fixes the 404 state on the repos list page.
  • This also fixes 404s when viewing a report that's associated with a deleted repo.
  • It also allows a recreated repository to reuse the slug of a deleted one.

June 27

Socket CLI: Add dependencies search command

Search for any dependency that is being used in your organization.

June 21

Socket CLI: Add audit log feature

This update implements a command to get an organization's audit log.

Demo:

June 21

Socket CLI: Add repos command

Implements commands to view, list, create, update, and delete an organization's repositories.

June 18

Socket CLI: Add full scans feature

This update implements the full scans feature of the API in the CLI with the command socket scan.

Options:

  • list
    • <org slug>. e.g. socket scan list FakeOrg
  • stream
    • <org slug> <full scan ID>. e.g. socket scan stream FakeOrg 1234-oooo-5678-aaaa, or
    • <org slug> <full scan ID> <path to output file>. e.g. socket scan stream FakeOrg 1234-oooo-5678-aaaa ./output.txt
  • create
    • <org slug>. e.g. socket scan create FakeOrg <flags>
  • delete
    • <org slug> <full scan ID>. e.g. socket scan del FakeOrg 1234-oooo-5678-aaaa
  • metadata
    • <org slug> <full scan ID>. e.g. socket scan metadata FakeOrg 1234-oooo-5678-aaaa

June 13

Full support for alert triage action in audit log

  • adds human-readable label for alert triage action
  • ensures event type shows up in audit log select box

June 13

Filter alerts by alert triage in GitHub bot

Socket for GitHub now allows users to filter alerts by alert triage.

June 10

Implement audit log API endpoint

Implements an audit log endpoint that matches Socket's dashboard features.

June 03

Add API endpoints for license data and attribution

This adds two API endpoints, /license-details and /license-attrib, for getting an artifact's license information and license attribution information respectively.

It also updates the license panel to only take a purl argument, with the data and attribution being fetched from the API.
