feat(manifest): quieter JVM output + fail-closed manifest generation (1.1.133)#1392
Merged: Jeppe Fredsgaard Blaabjerg (jfblaa) merged 6 commits, Jul 1, 2026
`socket manifest gradle|sbt|maven` (and `--auto-manifest`) streamed the build tool's full output to the terminal. Capture it by default and show a spinner instead, streaming live only under --verbose. On a build crash the captured output tail is surfaced so failures stay diagnosable without a rebuild. Also fix runNeverThrow: the registry's isSpawnError is unreliable (it never matches), so a non-zero build exit rethrew as an opaque "command failed" instead of returning the exit code. Duck-type the numeric exit code directly.
Align the JVM facts path with convertGradleToMaven (the `--pom` generator), which is the direct-spawn sibling of these commands rather than the coana dlx wrapper:
- spinner + captured output by default, stream on --verbose (unchanged intent).
- On failure use process.exitCode = 1 + logger.fail(...) + return instead of throwing, so the facts path behaves identically to the pom path — including under --auto-manifest, where both now set exit 1 and continue the sequence.
- runNeverThrow classifies a non-zero build exit by a numeric `code` (the utils/dlx.mts convention), not the registry's isSpawnError, which is broken upstream and never matches.
Under --auto-manifest, a failed manifest generation now aborts the whole run instead of continuing with a partial or empty SBOM (which silently under-reports dependencies). This is enforced uniformly for every JVM path — Gradle, sbt, and Maven, in both Socket-facts and pom mode — in generate_auto_manifest, keying off the exit code each generator already sets. The standalone `socket manifest` commands are unchanged (they exit non-zero, as before). Failures the user opted to tolerate (ignoreUnresolved / --reach-continue-on-install-errors) warn without setting an exit code, so they continue.
…olved ignoreUnresolved (and --ignore-unresolved) means 'the build ran but some dependencies could not be resolved; tolerate those'. It must not swallow the build process itself failing (missing JDK/build tool, unparseable project, OOM, plugin crash). Scope it to the blocking-resolution-failure branch only; a crashed build now fails regardless.
…fest ignoreUnresolved --reach-continue-on-install-errors is a Coana concern (it tells Coana to keep going past its own install errors) and is threaded to Coana in perform-reachability-analysis. It should not also decide whether socket-cli's manifest generation tolerates unresolved dependencies — that is a separate concern governed by the manifest's own ignoreUnresolved (socket.json / --ignore-unresolved). Drop the resolveIgnoreUnresolved coupling so the two are independent; the flag still reaches Coana unchanged.
Martin Torp (mtorp) approved these changes, Jul 1, 2026
Summary
Improves the output and failure handling of JVM manifest generation (`socket manifest gradle | sbt | maven`, and `--auto-manifest`).

Quieter output
- Build tool output (`[INFO]` lines) no longer streams to the terminal. It's captured behind a progress spinner by default, matching the existing `socket manifest gradle --pom` UX. Pass `--verbose` to stream it live.
- On a build failure, the captured output tail is surfaced under a `Build output:` group, so failures stay diagnosable without re-running.

Consistent, fail-closed error handling
- `socket manifest <tool>` now matches the `--pom` generator: a failure sets a non-zero exit code (no more opaque "command failed").
- Under `--auto-manifest`, a failed manifest generation now aborts the whole run — for Gradle, sbt, and Maven, in both Socket-facts and pom mode — instead of continuing with an incomplete SBOM.
- `ignoreUnresolved` (socket.json / `--ignore-unresolved`) only tolerates dependencies a successful build couldn't resolve.
- `--reach-continue-on-install-errors` is now purely a Coana concern; it no longer influences socket-cli's manifest `ignoreUnresolved` (the two were previously conflated).

Under the hood
- `runNeverThrow` classifies a non-zero build exit by its numeric exit code (the `utils/dlx.mts` convention) rather than the registry's `isSpawnError`, which is broken upstream and never matches.

Verification
Full manifest unit suite passes (349); type-check and lint clean. Verified locally against Maven projects: quiet by default, `--verbose` streams the build log, a broken build fails with a clean message plus the captured output tail, and `--auto-manifest` aborts on a build failure.

Note
The always-false `isSpawnError` is an upstream `@socketsecurity/registry` bug (also deadens a check in `utils/git.mts`) worth fixing there; this PR just stops depending on it.

Note
Low Risk
UX and subprocess error-handling only for JVM manifest generation; no auth, API, or SBOM assembly logic changes beyond propagating captured output.
Overview
Gradle, sbt, and Maven manifest facts generation no longer streams the full build log by default. Output is captured with `stdio: 'pipe'`, a progress spinner runs during resolution, and `--verbose` still passes through live tool output.

When a build exits non-zero without emitting facts or resolution failures, the CLI now prints the last ~40 lines of captured stdout/stderr under a `Build output:` group (unless `--verbose` already showed the stream), and the error message no longer tells users they must re-run with `--verbose`.

`runNeverThrow` stops using the registry's broken `isSpawnError` helper and instead treats spawn rejections with a numeric `code` as a normal non-zero exit, returning captured stdout/stderr so the fail-closed path and error surfacing work reliably.

Reviewed by Cursor Bugbot for commit ac95036.