feat(manifest): --facts mode emits Socket facts JSON for sbt/Scala projects (REA-474)

[Jeppe Fredsgaard Blaabjerg (jfblaa)]

What

Adds socket manifest scala --facts: emit a single .socket.facts.json dependency-graph SBOM from an sbt build (mirroring manifest gradle --facts, REA-442), for use as pregenerated input to scan create Tier 1 reachability instead of generating pom.xml.

Closes REA-474.

How

• Source-only sbt AutoPlugin shipped in dist/, dropped into an isolated -Dsbt.global.base plugins dir and run via sbt -Dsbt.global.base=… socketFacts. No plugin install, no project changes, never touches the user's ~/.sbt. Compiled by the sbt meta-build, so a single Ivy-based path spans sbt 0.13 → 1.x (no reflection).
• Metadata-only resolution via Ivy ResolveOptions.setDownload(false) — no artifact jars are downloaded (don't consume client bandwidth). Resolution is per-project, so divergent per-module versions are both reported; intra-build project deps are omitted; one component is emitted per resolved module.
• Config-scoped for speed + signal: resolves only the real dependency configs (compile/runtime/test/provided/optional) by default, skipping the Scala toolchain, sbt-native-packager configs (debian/docker/universal/…), -internal duplicates and docs/pom/sources. On lichess/lila (~70 modules): ~48s warm, no downloads.

Options

• --configs=compile,test,… — choose which sbt configurations to resolve.
• --ignore-unresolved — skip dependencies that fail to resolve instead of failing the run (default: fail).
• Both also read from socket.json (defaults.manifest.sbt.{configs,ignoreUnresolved}). The --facts toggle is exposed in the manifest setup wizard, and scan create --auto-manifest honors defaults.manifest.sbt.facts.

Notes

• Why Ivy (not update/updateFull): updateFull resolves every configuration (can't be scoped) so it's slower on packager-heavy builds and downloads jars; Ivy's setConfs resolves only what we want and stays metadata-only. Coursier's resolve-without-fetch isn't usable here — sbt ships coursier shaded and scalac can't compile against the shaded types (sbt#6651), and it doesn't exist on 0.13. Ivy resolves the same versions coursier does for real deps and respects dependencyOverrides (verified on lila).
• sbt 0.13 requires an older JDK (Java 8/11) — its TrapExit calls setSecurityManager, which JDK 18+ rejects; the CLI surfaces this with a clear hint.

Validation

sbt 0.13.18 / 1.9.9 / 1.10.0; Scala 2.11 / 2.13 / 3; single + multi-module; version eviction/overrides; crash-on-unresolved + --ignore-unresolved; --configs capturing custom (IntegrationTest) configs. pnpm check (lint + tsc) and the unit suite pass.

---

Note

Medium Risk
Runs external sbt with a global plugin and depends on correct Ivy resolution metadata for SBOM accuracy; scope is manifest generation only, not auth or data stores.

Overview
Adds socket manifest scala --facts to emit a build-root .socket.facts.json SBOM from sbt (metadata-only Ivy resolution, no pom.xml), aligned with existing Gradle facts mode for Tier 1 reachability / scan create --reach.

A new SocketFactsPlugin Scala source is bundled into dist/ and injected via an isolated -Dsbt.global.base (no changes to the project or ~/.sbt). convert-sbt-to-facts.mts stages the plugin, runs socketFacts, and surfaces failures (including a JDK hint for legacy sbt on JDK 18+). CLI flags --configs and --ignore-unresolved map to JVM properties; defaults can live in socket.json.

scan create --auto-manifest, manifest setup, help/tests, and the changelog are updated so sbt auto-manifest can prefer facts over makePom when configured.

^{Reviewed by Cursor Bugbot for commit 160208a. Configure here.}

[Martin Torp (mtorp)]

Nice work. The Ivy-based, source-only plugin approach is well-chosen, the cross-version (sbt 0.13 ↔ 1.x) story holds up, and the comments are doing real load-bearing work. Approving — left four small inline notes (none blocking) on places where the sbt path quietly diverges from the existing Gradle facts mode in user-visible or code-cleanliness ways.