fix(core): fall back to humanized title for unmapped alert types #208

Merged: lelia merged 7 commits into main from erichibbs/cus2-2-empty-alert-label-fallback on May 29, 2026

Conversation

@flowstate (Contributor)

Fixes CE-207. Webflow's CI was blocking on is-typed-array@1.1.15 via Socket CLI 2.2.86, but the Alert column for that row rendered blank. The API returns a single gptDidYouMean alert; the bundled socketdev SDK had no class for that type, so alert.title was empty and the table rendered nothing for that row.

Root Cause

socket-python-cli resolves alert titles via the socketdev SDK's AllIssues registry. When the API emits an alert type that has no corresponding class on AllIssues (gptDidYouMean being the case Webflow hit), alert.title is empty and every downstream consumer (the CLI's console table, SARIF report, PR/security comments) renders blank. There was no fallback.

The upstream cause is that socket-sdk-python's AllIssues is hand-maintained and never got gptDidYouMean added. That's tracked in CE-206 (in progress) and is the proper long-term fix.

Fix

Title resolution in Core.add_package_alerts_to_collection is now a four-step ladder:

  1. SDK-provided title (props.title) if non-empty
  2. Explicit override map (_ALERT_TYPE_TITLE_OVERRIDES) — currently maps gptDidYouMean to "Possible typosquat attack (GPT)"
  3. Existing licenseSpdxDisj special-case (unchanged)
  4. Generic camelCase humanizer (_humanize_alert_type) — any future unknown alert type at least renders something legible instead of blank

Purely additive: every alert type already covered by the SDK's AllIssues keeps its current title.

The override map is load-bearing until CE-206 ships. Once gptDidYouMean lands in socketdev/core/issues.py and the CLI's socketdev floor is bumped to include it, the override entry can be removed in a follow-up. The generic humanizer fallback stays as belt-and-suspenders for any future unknown alert types.

Test plan:

  • pytest tests/ — green; 8 new tests cover gptDidYouMean, an arbitrary unknown type, a regression guard for licenseSpdxDisj, and the humanizer helper (camelCase, PascalCase, single-word, empty input, acronym preservation). Original test count on author's machine at handoff time: 201 passed, 2 skipped (the two skips are pre-existing gitlab tests on main).
  • Manual: rendered the console alert table against a synthesized gptDidYouMean alert; Alert column reads "Possible typosquat attack (GPT)" instead of blank.

Public Changelog

CLI now falls back to a humanized alert label for any alert type without an SDK-provided title, so the Alert column never renders blank. Adds an explicit label for gptDidYouMean ("Possible typosquat attack (GPT)") which previously rendered empty for customers on socketdev SDK versions without that alert class.
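
The four-step title-resolution ladder and the camelCase humanizer described in the PR body above, as an added Python example (the CLI's own language). This is not the project's code: the Alert dataclass and its field names, the step-3 body (the PR says the existing licenseSpdxDisj special-case is kept unchanged but does not show it, so the one here is an assumption), and the public names humanize_alert_type / ALERT_TYPE_TITLE_OVERRIDES / resolve_alert_title are all this example's; the sample alert rows are constructed, modelled on the CE-207 report.

```python
import re
from dataclasses import dataclass, field

# Explicit overrides for alert types the bundled SDK has no class for.
# Mirrors the PR's _ALERT_TYPE_TITLE_OVERRIDES entry; the public name is this example's.
ALERT_TYPE_TITLE_OVERRIDES = {
    "gptDidYouMean": "Possible typosquat attack (GPT)",
}

# Word boundaries inside camelCase / PascalCase identifiers:
#   lower-or-digit followed by Upper   ("did|You")
#   Upper followed by Upper+lower      ("HTTP|Server", keeps the acronym whole)
_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")


def humanize_alert_type(alert_type: str) -> str:
    """Turn an alert type identifier into a legible label (assumed implementation).

    "someFutureAlertType" -> "Some future alert type"
    "malwareCVE"          -> "Malware CVE"   (all-caps runs are kept as acronyms)
    ""                    -> ""              (caller decides what to do with blanks)
    """
    if not alert_type:
        return ""
    words = [w for w in _CAMEL_BOUNDARY.split(alert_type) if w]
    labelled = []
    for i, word in enumerate(words):
        if len(word) > 1 and word.isupper():
            labelled.append(word)               # acronym: leave untouched
        elif i == 0:
            labelled.append(word.capitalize())  # sentence-case the first word
        else:
            labelled.append(word.lower())
    return " ".join(labelled)


@dataclass
class Alert:
    """Constructed stand-in for one API alert row; field names are assumptions."""
    type: str
    title: str = ""                 # what the SDK class would provide; "" if unmapped
    package: str = ""
    props: dict = field(default_factory=dict)


def resolve_alert_title(alert: Alert) -> str:
    """The PR's four-step ladder; the step-3 body is this example's assumption."""
    # 1. SDK-provided title, if non-empty (whitespace-only counts as empty here).
    if alert.title and alert.title.strip():
        return alert.title
    # 2. Explicit override map.
    if alert.type in ALERT_TYPE_TITLE_OVERRIDES:
        return ALERT_TYPE_TITLE_OVERRIDES[alert.type]
    # 3. licenseSpdxDisj special-case. The real one is not shown in the PR; this
    #    stand-in surfaces the license expression when the alert carries one.
    if alert.type == "licenseSpdxDisj":
        expr = alert.props.get("licenseExpression")
        if expr:
            return f"License (SPDX disjunction): {expr}"
    # 4. Generic humanizer: any unknown type renders something legible, never blank.
    return humanize_alert_type(alert.type)


def alert_rows(alerts):
    """(package, title) pairs for the console Alert column, title resolved per alert."""
    return [(a.package, resolve_alert_title(a)) for a in alerts]


def blank_titles(rows):
    """Packages whose Alert cell would render blank; the failure mode CE-207 reported."""
    return [pkg for pkg, title in rows if not title.strip()]


# Constructed sample: one gptDidYouMean alert with no SDK title, plus three controls.
SAMPLE_ALERTS = [
    Alert(type="gptDidYouMean", package="is-typed-array@1.1.15"),
    Alert(type="malware", title="Known malware", package="evil-pkg@0.0.1"),
    Alert(type="licenseSpdxDisj", package="some-lib@3.2.0",
          props={"licenseExpression": "MIT OR GPL-2.0-only"}),
    Alert(type="someFutureAlertType", package="new-thing@1.0.0"),
]

if __name__ == "__main__":
    for pkg, title in alert_rows(SAMPLE_ALERTS):
        print(f"{pkg:<28} {title}")
    print("blank rows:", blank_titles(alert_rows(SAMPLE_ALERTS)))
```

Two choices worth noting: a whitespace-only SDK title is treated as empty so it cannot sneak past step 1 and produce a visually blank cell, and the boundary regex keeps all-caps runs together so that a future type like malwareCVE reads "Malware CVE" rather than "Malware c v e".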

Eric Hibbs (@flowstate) requested a review from a team as a code owner on May 29, 2026 20:35
github-actions Bot commented May 29, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.92.dev2

Docker image: socketdev/cli:pr-208

lelia self-assigned this May 29, 2026

Commit message:
Resolves CUS2-2: gptDidYouMean and any future alert type without SDK
metadata previously rendered as a blank Alert column in the CLI output
table, SARIF report, and PR/security comments. Title resolution now
falls back through an explicit override map and a generic humanizer.

Commit message:
#199 landed on main between the original 2.2.91 bump and this PR opening,
so 2.2.91 ties main and fails check_version. Bump to 2.2.92.

Eric Hibbs (@flowstate) force-pushed the erichibbs/cus2-2-empty-alert-label-fallback branch from 508154e to 57138a7 on May 29, 2026 21:02
lelia merged commit cc24682 into main May 29, 2026 (15 checks passed)
lelia added a commit that referenced this pull request May 29, 2026
Resolve version-bump conflicts (pyproject.toml, socketsecurity/__init__.py,
uv.lock) in favor of 2.3.0, which supersedes main's 2.2.92 release (#208).
Auto-merged #208's alert-title fallback changes in core/__init__.py.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>