@staticmethod

def map_severity_to_sarif(severity: str) -> str:

"""

severity_mapping = {

"low": "note",

"medium": "warning",

"middle": "warning", # older data might say "middle"

"high": "error",

"critical": "error",

}

return severity_mapping.get(severity.lower(), "note")

@staticmethod

def get_manifest_file_url(diff: Diff, manifest_path: str, config=None) -> str:

"""

if not manifest_path:

return ""

# Handle multiple manifest files separated by ';' - use the first one

first_manifest = manifest_path.split(';')[0] if ';' in manifest_path else manifest_path

# Clean up the manifest path - remove build agent paths and normalize

clean_path = first_manifest

# Remove common build agent path prefixes

prefixes_to_remove = [

'opt/buildagent/work/',

'/opt/buildagent/work/',

'home/runner/work/',

'/home/runner/work/',

]

for prefix in prefixes_to_remove:

if clean_path.startswith(prefix):

# Find the part after the build ID (usually a hash)

parts = clean_path[len(prefix):].split('/', 2)

if len(parts) >= 3:

clean_path = parts[2] # Take everything after build ID and repo name

break

# Remove leading slashes

clean_path = clean_path.lstrip('/')

# Determine SCM type from config or diff_url

scm_type = "api" # Default to API

if config and hasattr(config, 'scm'):

scm_type = config.scm.lower()

elif hasattr(diff, 'diff_url') and diff.diff_url:

diff_url = diff.diff_url.lower()

if 'github.com' in diff_url or 'github' in diff_url:

scm_type = "github"

elif 'gitlab' in diff_url:

scm_type = "gitlab"

elif 'bitbucket' in diff_url:

scm_type = "bitbucket"

# Generate URL based on SCM type using config information

# NEVER use diff.diff_url for SCM URLs - those are Socket URLs for "View report" links

if scm_type == "github":

if config and hasattr(config, 'repo') and config.repo:

# Get branch from config, default to main

branch = getattr(config, 'branch', 'main') if hasattr(config, 'branch') and config.branch else 'main'

# Construct GitHub URL from repo info (could be github.com or GitHub Enterprise)

github_server = os.getenv('GITHUB_SERVER_URL', 'https://github.com')

return f"{github_server}/{config.repo}/blob/{branch}/{clean_path}"

elif scm_type == "gitlab":

if config and hasattr(config, 'repo') and config.repo:

# Get branch from config, default to main

branch = getattr(config, 'branch', 'main') if hasattr(config, 'branch') and config.branch else 'main'

# Construct GitLab URL from repo info (could be gitlab.com or self-hosted GitLab)

gitlab_server = os.getenv('CI_SERVER_URL', 'https://gitlab.com')

return f"{gitlab_server}/{config.repo}/-/blob/{branch}/{clean_path}"

elif scm_type == "bitbucket":

if config and hasattr(config, 'repo') and config.repo:

# Get branch from config, default to main

branch = getattr(config, 'branch', 'main') if hasattr(config, 'branch') and config.branch else 'main'

# Construct Bitbucket URL from repo info (could be bitbucket.org or Bitbucket Server)

bitbucket_server = os.getenv('BITBUCKET_SERVER_URL', 'https://bitbucket.org')

return f"{bitbucket_server}/{config.repo}/src/{branch}/{clean_path}"

# Fallback to Socket file view for API or unknown repository types

if hasattr(diff, 'report_url') and diff.report_url:

# Strip leading slash and URL encode for Socket dashboard

socket_path = clean_path.lstrip('/')

encoded_path = socket_path.replace('/', '%2F')

return f"{diff.report_url}?tab=files&file={encoded_path}"

return ""

@staticmethod

def find_line_in_file(packagename: str, packageversion: str, manifest_file: str) -> tuple:

"""

file_type = Path(manifest_file).name

log.debug("Processing file for line lookup: %s", manifest_file)

if file_type in ["package-lock.json", "Pipfile.lock", "composer.lock"]:

try:

with open(manifest_file, "r", encoding="utf-8") as f:

raw_text = f.read()

log.debug("Read %d characters from %s", len(raw_text), manifest_file)

data = json.loads(raw_text)

packages_dict = (

data.get("packages")

or data.get("default")

or data.get("dependencies")

or {}

)

log.debug("Found package keys in %s: %s", manifest_file, list(packages_dict.keys()))

found_key = None

found_info = None

for key, value in packages_dict.items():

if key.endswith(packagename) and "version" in value:

if value["version"] == packageversion:

found_key = key

found_info = value

break

if found_key and found_info:

needle_key = f'"{found_key}":'

lines = raw_text.splitlines()

log.debug("Total lines in %s: %d", manifest_file, len(lines))

for i, line in enumerate(lines, start=1):

if needle_key in line:

log.debug("Found match at line %d in %s: %s", i, manifest_file, line.strip())

return i, line.strip()

return 1, f'"{found_key}": {found_info}'

else:

return 1, f"{packagename} {packageversion} (not found in {manifest_file})"

except (FileNotFoundError, json.JSONDecodeError) as e:

log.error("Error reading %s: %s", manifest_file, e)

return 1, f"Error reading {manifest_file}"

# For pnpm-lock.yaml, use a special regex pattern.

if file_type.lower() == "pnpm-lock.yaml":

searchstring = rf'^\s*/{re.escape(packagename)}/{re.escape(packageversion)}:'

else:

search_patterns = {

"package.json": rf'"{packagename}":\s*"[\^~]?{re.escape(packageversion)}"',

"yarn.lock": rf'{packagename}@{packageversion}',

"requirements.txt": rf'^{re.escape(packagename)}\s*(?:==|===|!=|>=|<=|~=|\s+)?\s*{re.escape(packageversion)}(?:\s*;.*)?$',

"pyproject.toml": rf'{packagename}\s*=\s*"{re.escape(packageversion)}"',

"Pipfile": rf'"{packagename}"\s*=\s*"{re.escape(packageversion)}"',

"go.mod": rf'require\s+{re.escape(packagename)}\s+{re.escape(packageversion)}',

"go.sum": rf'{re.escape(packagename)}\s+{re.escape(packageversion)}',

"pom.xml": rf'<artifactId>{re.escape(packagename)}</artifactId>\s*<version>{re.escape(packageversion)}</version>',

"build.gradle": rf'implementation\s+"{re.escape(packagename)}:{re.escape(packageversion)}"',

"Gemfile": rf'gem\s+"{re.escape(packagename)}",\s*"{re.escape(packageversion)}"',

"Gemfile.lock": rf'\s+{re.escape(packagename)}\s+\({re.escape(packageversion)}\)',

".csproj": rf'<PackageReference\s+Include="{re.escape(packagename)}"\s+Version="{re.escape(packageversion)}"\s*/>',

".fsproj": rf'<PackageReference\s+Include="{re.escape(packagename)}"\s+Version="{re.escape(packageversion)}"\s*/>',

"paket.dependencies": rf'nuget\s+{re.escape(packagename)}\s+{re.escape(packageversion)}',

"Cargo.toml": rf'{re.escape(packagename)}\s*=\s*"{re.escape(packageversion)}"',

"build.sbt": rf'"{re.escape(packagename)}"\s*%\s*"{re.escape(packageversion)}"',

"Podfile": rf'pod\s+"{re.escape(packagename)}",\s*"{re.escape(packageversion)}"',

"Package.swift": rf'\.package\(name:\s*"{re.escape(packagename)}",\s*url:\s*".*?",\s*version:\s*"{re.escape(packageversion)}"\)',

"mix.exs": rf'\{{:{re.escape(packagename)},\s*"{re.escape(packageversion)}"\}}',

"composer.json": rf'"{re.escape(packagename)}":\s*"{re.escape(packageversion)}"',

"conanfile.txt": rf'{re.escape(packagename)}/{re.escape(packageversion)}',

"vcpkg.json": rf'"{re.escape(packagename)}":\s*"{re.escape(packageversion)}"',

}

searchstring = search_patterns.get(file_type, rf'{re.escape(packagename)}.*{re.escape(packageversion)}')

log.debug("Using search pattern for %s: %s", file_type, searchstring)

try:

with open(manifest_file, 'r', encoding="utf-8") as file:

lines = [line.rstrip("\n") for line in file]

log.debug("Total lines in %s: %d", manifest_file, len(lines))

for line_number, line_content in enumerate(lines, start=1):

line_main = line_content.split(";", 1)[0].strip()

if re.search(searchstring, line_main, re.IGNORECASE):

log.debug("Match found at line %d in %s: %s", line_number, manifest_file, line_content.strip())

return line_number, line_content.strip()

except FileNotFoundError:

return 1, f"{manifest_file} not found"

except Exception as e:

return 1, f"Error reading {manifest_file}: {e}"

return 1, f"{packagename} {packageversion} (not found)"

@staticmethod

def get_manifest_type_url(manifest_file: str, pkg_name: str, pkg_version: str) -> str:

"""

manifest_to_url_prefix = {

"package.json": "npm",

"package-lock.json": "npm",

"yarn.lock": "npm",

"pnpm-lock.yaml": "npm",

"requirements.txt": "pypi",

"pyproject.toml": "pypi",

"Pipfile": "pypi",

"go.mod": "go",

"go.sum": "go",

"pom.xml": "maven",

"build.gradle": "maven",

".csproj": "nuget",

".fsproj": "nuget",

"paket.dependencies": "nuget",

"Cargo.toml": "cargo",

"Gemfile": "rubygems",

"Gemfile.lock": "rubygems",

"composer.json": "composer",

"vcpkg.json": "vcpkg",

}

file_type = Path(manifest_file).name

url_prefix = manifest_to_url_prefix.get(file_type, "unknown")

return f"https://socket.dev/{url_prefix}/package/{pkg_name}/alerts/{pkg_version}"

@staticmethod

def create_security_comment_sarif(diff) -> dict:

"""

if len(diff.new_alerts) == 0:

for alert in diff.new_alerts:

if alert.error:

break

sarif_data = {

"$schema": "https://json.schemastore.org/sarif-2.1.0.json",

"version": "2.1.0",

"runs": [{

"tool": {

"driver": {

"name": "Socket Security",

"informationUri": "https://socket.dev",

"rules": []

}

},

"results": []

}]

}

rules_map = {}

results_list = []

for alert in diff.new_alerts:

pkg_name = alert.pkg_name

pkg_version = alert.pkg_version

base_rule_id = f"{pkg_name}=={pkg_version}"

severity = alert.severity

log.debug("Alert %s - introduced_by: %s, manifests: %s", base_rule_id, alert.introduced_by, getattr(alert, 'manifests', None))

manifest_files = []

if alert.introduced_by and isinstance(alert.introduced_by, list):

for entry in alert.introduced_by:

if isinstance(entry, (list, tuple)) and len(entry) >= 2:

files = [f.strip() for f in entry[1].split(";") if f.strip()]

manifest_files.extend(files)

elif isinstance(entry, str):

manifest_files.extend([m.strip() for m in entry.split(";") if m.strip()])

elif hasattr(alert, 'manifests') and alert.manifests:

manifest_files = [mf.strip() for mf in alert.manifests.split(";") if mf.strip()]

log.debug("Alert %s - extracted manifest_files: %s", base_rule_id, manifest_files)

if not manifest_files:

log.error("Alert %s: No manifest file found; cannot determine file location.", base_rule_id)

continue

log.debug("Alert %s - using manifest_files for processing: %s", base_rule_id, manifest_files)

# Create an individual SARIF result for each manifest file.

for mf in manifest_files:

log.debug("Alert %s - Processing manifest file: %s", base_rule_id, mf)

socket_url = Messages.get_manifest_type_url(mf, pkg_name, pkg_version)

line_number, line_content = Messages.find_line_in_file(pkg_name, pkg_version, mf)

if line_number < 1:

line_number = 1

log.debug("Alert %s: Manifest %s, line %d: %s", base_rule_id, mf, line_number, line_content)

# Create a unique rule id and name by appending the manifest file.

unique_rule_id = f"{base_rule_id} ({mf})"

rule_name = f"Alert {base_rule_id} ({mf})"

props = {}

if hasattr(alert, 'props') and alert.props:

props = alert.props

suggestion = ''

if hasattr(alert, 'suggestion'):

suggestion = alert.suggestion

alert_title = ''

if hasattr(alert, 'title'):

alert_title = alert.title

description = ''

if hasattr(alert, 'description'):

description = alert.description

short_desc = (f"{props.get('note', '')}<br/><br/>Suggested Action:<br/>{suggestion}"

f"<br/><a href=\"{socket_url}\">{socket_url}</a>")

full_desc = "{} - {}".format(alert_title, description.replace('\r\n', '<br/>'))

if unique_rule_id not in rules_map:

rules_map[unique_rule_id] = {

"id": unique_rule_id,

"name": rule_name,

"shortDescription": {"text": rule_name},

"fullDescription": {"text": full_desc},

"helpUri": socket_url,

"defaultConfiguration": {

"level": Messages.map_severity_to_sarif(severity)

},

}

result_obj = {

"ruleId": unique_rule_id,

"message": {"text": short_desc},

"locations": [{

"physicalLocation": {

"artifactLocation": {"uri": mf},

"region": {

"startLine": line_number,

"snippet": {"text": line_content},

},

}

}]

}

results_list.append(result_obj)

sarif_data["runs"][0]["tool"]["driver"]["rules"] = list(rules_map.values())

sarif_data["runs"][0]["results"] = results_list

return sarif_data

@staticmethod

def _normalize_reachability(reachability: str) -> str:

return str(reachability or "unknown").strip().lower().replace("-", "_").replace(" ", "_")

@staticmethod

def _matches_reachability_filter(reachability: str, selector: str, undeterminable: bool = False) -> bool:

normalized = Messages._normalize_reachability(reachability)

selected = (selector or "all").strip().lower()

if selected == "all":

return True

if selected == "reachable":

return normalized == "reachable"

potential_states = {"unknown", "error", "maybe_reachable", "potentially_reachable"}

is_potential = normalized in potential_states or undeterminable

if selected == "potentially":

return is_potential

if selected == "reachable-or-potentially":

return normalized == "reachable" or is_potential

return True

@staticmethod

def create_security_comment_sarif_from_facts(

components_with_alerts: list,

reachability_filter: str = "all",

grouping: str = "instance",

) -> dict:

"""

sarif_data = {

"$schema": "https://json.schemastore.org/sarif-2.1.0.json",

"version": "2.1.0",

"runs": [{

"tool": {

"driver": {

"name": "Socket Security",

"informationUri": "https://socket.dev",

"rules": []

}

},

"results": []

}]

}

rules_map = {}

results_list = []

grouped_results = {}

for component in components_with_alerts or []:

comp_type = component.get("type", "unknown")

comp_name = component.get("name") or component.get("id") or "unknown-package"

comp_version = component.get("version") or "unknown-version"

fallback_uri = f"pkg:{comp_type}/{comp_name}@{comp_version}"

manifests = component.get("manifestFiles", [])

manifest_uris = []

if isinstance(manifests, list):

for mf in manifests:

if isinstance(mf, dict):

path = mf.get("path") or mf.get("file") or mf.get("name")

if path:

manifest_uris.append(str(path))

elif isinstance(mf, str):

manifest_uris.append(mf)

if not manifest_uris:

manifest_uris = [fallback_uri]

else:

# Preserve order while removing duplicate manifest entries.

manifest_uris = list(dict.fromkeys(manifest_uris))

for alert in component.get("alerts", []):

props = alert.get("props", {}) or {}

reachability = Messages._normalize_reachability(props.get("reachability", "unknown"))

undeterminable = bool(props.get("undeterminableReachability", False))

if not Messages._matches_reachability_filter(

reachability=reachability,

selector=reachability_filter,

undeterminable=undeterminable,

):

continue

vuln_id = props.get("ghsaId") or props.get("cveId") or alert.get("title") or "unknown-vulnerability"

severity = str(alert.get("severity", "low")).lower()

if grouping == "alert":

rule_id = f"{comp_name}:{vuln_id}"

rule_name = f"Reachability alert {vuln_id} in {comp_name}"

else:

rule_id = f"{comp_name}=={comp_version}:{vuln_id}"

rule_name = f"Reachability alert {vuln_id} in {comp_name}@{comp_version}"

socket_url = (

props.get("url")

or Messages.get_manifest_type_url(manifest_uris[0], comp_name, comp_version)

)

if rule_id not in rules_map:

rules_map[rule_id] = {

"id": rule_id,

"name": rule_name,

"shortDescription": {"text": rule_name},

"fullDescription": {"text": alert.get("title", rule_name)},

"helpUri": socket_url,

"defaultConfiguration": {

"level": Messages.map_severity_to_sarif(severity)

},

}

message = (

f"Reachability: {reachability}. "

f"Suggested Action:<br/>{props.get('range', '')}"

f"<br/><a href=\"{socket_url}\">{socket_url}</a>"

)

if grouping == "alert":

alert_key = props.get("key") or props.get("alertKey") or f"{comp_type}:{comp_name}:{vuln_id}"

existing = grouped_results.get(alert_key)

if not existing:

first_uri = manifest_uris[0]

grouped_results[alert_key] = {

"ruleId": rule_id,

"message": {"text": message},

"locations": [{

"physicalLocation": {

"artifactLocation": {"uri": first_uri},

"region": {

"startLine": 1,

"snippet": {"text": f"{comp_name}@{comp_version}"}

},

}

}],

"properties": {

"reachability": reachability,

"reachabilityStates": [reachability],

"versions": [str(comp_version)],

"manifestUris": list(manifest_uris),

"purls": [props.get("purl")] if props.get("purl") else [],

"ghsaId": props.get("ghsaId"),

"cveId": props.get("cveId"),

"source": "socket-facts",

"socketAlertKey": alert_key,

}

}

else:

states = set(existing["properties"].get("reachabilityStates", []))

states.add(reachability)

existing["properties"]["reachabilityStates"] = sorted(states)

versions = set(existing["properties"].get("versions", []))

versions.add(str(comp_version))

existing["properties"]["versions"] = sorted(versions)

uris = set(existing["properties"].get("manifestUris", []))

uris.update(manifest_uris)

existing["properties"]["manifestUris"] = sorted(uris)

purls = set(existing["properties"].get("purls", []))

if props.get("purl"):

purls.add(props.get("purl"))

existing["properties"]["purls"] = sorted(purls)

else:

for uri in manifest_uris:

results_list.append({

"ruleId": rule_id,

"message": {"text": message},

"locations": [{

"physicalLocation": {

"artifactLocation": {"uri": uri},

"region": {

"startLine": 1,

"snippet": {"text": f"{comp_name}@{comp_version}"}

},

}

}],

"properties": {

"reachability": reachability,

"purl": props.get("purl"),

"ghsaId": props.get("ghsaId"),

"cveId": props.get("cveId"),

"source": "socket-facts"

}

})

if grouping == "alert":

for grouped in grouped_results.values():

states = grouped["properties"].get("reachabilityStates", [])

if "reachable" in states:

grouped["properties"]["reachability"] = "reachable"

elif states:

grouped["properties"]["reachability"] = states[0]

results_list.append(grouped)

sarif_data["runs"][0]["tool"]["driver"]["rules"] = list(rules_map.values())

sarif_data["runs"][0]["results"] = results_list

return sarif_data

@staticmethod

def create_security_comment_json(diff: Diff) -> dict:

scan_failed = False

if len(diff.new_alerts) > 0:

for alert in diff.new_alerts:

alert: Issue

if alert.error:

scan_failed = True

break

output = {

"scan_failed": scan_failed,

"new_alerts": [],

"full_scan_id": diff.id,

"diff_url": diff.diff_url

}

for alert in diff.new_alerts:

alert: Issue

output["new_alerts"].append(json.loads(str(alert)))

return output

@staticmethod

def map_socket_severity_to_gitlab(severity: str) -> str:

"""

severity_mapping = {

"critical": "Critical",

"high": "High",

"medium": "Medium",

"middle": "Medium", # Socket's older format

"low": "Low",

}

return severity_mapping.get(severity.lower(), "Unknown")

@staticmethod

def generate_uuid_from_alert_gitlab(alert: Issue) -> str:

"""

# Create unique string from alert key properties

unique_str = f"{alert.pkg_name}:{alert.pkg_version}:{alert.type}:{alert.severity}"

# Generate UUID5 (deterministic) from namespace and unique string

namespace = uuid.UUID('6ba7b810-9dad-11d1-80b4-00c04fd430c8') # DNS namespace

return str(uuid.uuid5(namespace, unique_str))

@staticmethod

def extract_identifiers_gitlab(alert: Issue) -> list:

"""

identifiers = []

# Primary identifier: Socket alert type

identifiers.append({

"type": "socket_alert",

"name": f"Socket {alert.type}",

"value": alert.type,

"url": alert.url if hasattr(alert, 'url') and alert.url else None

})

# Extract CVE identifiers from props

if hasattr(alert, 'props') and alert.props:

if 'cve' in alert.props:

cves = alert.props['cve']

if isinstance(cves, list):

for cve in cves:

identifiers.append({

"type": "cve",

"name": cve,

"value": cve,

"url": f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"

})

elif isinstance(cves, str):

identifiers.append({

"type": "cve",

"name": cves,

"value": cves,

"url": f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cves}"

})

return identifiers

@staticmethod

def extract_location_gitlab(alert: Issue) -> dict:

"""

# Get manifest file from introduced_by or manifests attribute

manifest_file = "unknown"

dependency_path = []

is_direct = True

if hasattr(alert, 'introduced_by') and alert.introduced_by:

if isinstance(alert.introduced_by, list) and len(alert.introduced_by) > 0:

first_entry = alert.introduced_by[0]

if isinstance(first_entry, (list, tuple)) and len(first_entry) >= 2:

dependency_path_str = first_entry[0]

manifest_file = first_entry[1].split(';')[0] if ';' in first_entry[1] else first_entry[1]

# Parse dependency path

if ' > ' in dependency_path_str:

dependency_path = dependency_path_str.split(' > ')

# If there's a chain, it's transitive (not direct)

is_direct = len(dependency_path) <= 1

elif hasattr(alert, 'manifests') and alert.manifests:

manifest_file = alert.manifests.split(';')[0]

location = {

"file": manifest_file,

"dependency": {

"package": {

"name": alert.pkg_name

},

"version": alert.pkg_version,

"direct": is_direct

}

}

return location

@staticmethod

def create_security_comment_gitlab(diff: Diff) -> dict:

"""

from socketsecurity import __version__

gitlab_report = {

"version": "15.0.0", # GitLab schema version

"scan": {

"analyzer": {

"id": "socket-security",

"name": "Socket Security",

"version": __version__,

"vendor": {

"name": "Socket"

}

},

"scanner": {

"id": "socket-cli",

"name": "Socket CLI",

"version": __version__,

"vendor": {

"name": "Socket"

}

},

"type": "dependency_scanning",

"start_time": datetime.utcnow().isoformat() + "Z",

"end_time": datetime.utcnow().isoformat() + "Z",

"status": "success"

},

"vulnerabilities": []

}

# Process each alert

for alert in diff.new_alerts:

vulnerability = {

"id": Messages.generate_uuid_from_alert_gitlab(alert),

"category": "dependency_scanning",

"name": alert.title if hasattr(alert, 'title') else f"{alert.type} in {alert.pkg_name}",

"message": f"{alert.pkg_name}@{alert.pkg_version}: {alert.title if hasattr(alert, 'title') else alert.type}",

"description": alert.description if hasattr(alert, 'description') and alert.description else "",

"severity": Messages.map_socket_severity_to_gitlab(alert.severity),

"identifiers": Messages.extract_identifiers_gitlab(alert),

"links": [{"url": alert.url}] if hasattr(alert, 'url') and alert.url else [],

"location": Messages.extract_location_gitlab(alert)

}

# Add solution if available

if hasattr(alert, 'suggestion') and alert.suggestion:

vulnerability["solution"] = alert.suggestion

gitlab_report["vulnerabilities"].append(vulnerability)

return gitlab_report

@staticmethod

def security_comment_template(diff: Diff, config=None) -> str:

"""

# Group license policy violations by PURL (ecosystem/package@version)

license_groups = {}

security_alerts = []

for alert in diff.new_alerts:

if alert.type == "licenseSpdxDisj":

purl_key = f"{alert.pkg_type}/{alert.pkg_name}@{alert.pkg_version}"

if purl_key not in license_groups:

license_groups[purl_key] = []

license_groups[purl_key].append(alert)

else:

security_alerts.append(alert)

# Start of the comment

comment = """<!-- socket-security-comment-actions -->

# Loop through security alerts (non-license), dynamically generating rows

for alert in security_alerts:

severity_icon = Messages.get_severity_icon(alert.severity)

action = "Block" if alert.error else "Warn"

details_open = ""

# Generate proper manifest URL

manifest_url = Messages.get_manifest_file_url(diff, alert.manifests, config)

# Generate a table row for each alert

comment += f"""

# Add license policy violation entries grouped by PURL

for purl_key, alerts in license_groups.items():

action = "Block" if any(alert.error for alert in alerts) else "Warn"

first_alert = alerts[0]

# Use orange diamond for license policy violations

license_icon = "🔶"

# Build license findings list

license_findings = []

for alert in alerts:

license_findings.append(alert.title)

comment += f"""

for finding in license_findings:

comment += f" <li>{finding}</li>\n"

# Generate proper manifest URL for license violations

license_manifest_url = Messages.get_manifest_file_url(diff, first_alert.manifests, config)

comment += f""" </ul>

# Close table

# Use diff_url for PRs, report_url for non-PR scans

view_report_url = ""

if hasattr(diff, 'diff_url') and diff.diff_url:

view_report_url = diff.diff_url

elif hasattr(diff, 'report_url') and diff.report_url:

view_report_url = diff.report_url

comment += f"""

return comment

@staticmethod

def get_severity_icon(severity: str) -> str:

"""

severity_map = {

"critical": "https://github-app-statics.socket.dev/severity-3.svg",

"high": "https://github-app-statics.socket.dev/severity-2.svg",

"medium": "https://github-app-statics.socket.dev/severity-1.svg",

"low": "https://github-app-statics.socket.dev/severity-0.svg",

}

return severity_map.get(severity.lower(), "https://github-app-statics.socket.dev/severity-0.svg")

@staticmethod

def create_next_steps(md: MdUtils, next_steps: dict):

"""

for step in next_steps:

detail = next_steps[step]

md.new_line("<details>")

md.new_line(f"<summary>{step}</summary>")

for line in detail:

md.new_paragraph(line)

md.new_line("</details>")

return md

@staticmethod

def create_deeper_look(md: MdUtils) -> MdUtils:

"""

md.new_line("<details>")

md.new_line("<summary>Take a deeper look at the dependency</summary>")

md.new_paragraph(

"Take a moment to review the security alert above. Review the linked package source code to understand the "

"potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, "

"reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev."

)

md.new_line("</details>")

return md

@staticmethod

def create_remove_package(md: MdUtils) -> MdUtils:

"""

md.new_line("<details>")

md.new_line("<summary>Remove the package</summary>")

md.new_paragraph(

"If you happen to install a dependency that Socket reports as "

"[https://socket.dev/npm/issue/malware](Known Malware) you should immediately remove it and select a "

"different dependency. For other alert types, you may may wish to investigate alternative packages or "

"consider if there are other ways to mitigate the specific risk posed by the dependency."

)

md.new_line("</details>")

return md

@staticmethod

def create_acceptable_risk(md: MdUtils, ignore_commands: list) -> MdUtils:

"""

md.new_line("<details>")

md.new_line("<summary>Mark a package as acceptable risk</summary>")

md.new_paragraph(

"To ignore an alert, reply with a comment starting with `SocketSecurity ignore` followed by a space "

"separated list of `ecosystem/package-name@version` specifiers. e.g. `SocketSecurity ignore npm/foo@1.0.0`"