Fix has_manifest_files failing to match root-level manifest files

dc-larsen · dc-larsen · commit cea7932eeef1 · 2026-03-04T16:36:51.000-05:00
PurePath.match("**/package.json") returns False for root-level files
in Python 3.12+ because ** requires at least one directory component.
The function was unconditionally prepending **/ to all patterns,
causing root-level manifests like package.json and package-lock.json
to never match. This forced every scan into full scan mode instead of
diff scan mode, which meant MR/PR comments were never posted.

Fix by trying the direct pattern match first, then falling back to
the **/ prefixed pattern for subdirectory matching.

Fixes Zendesk #2447
diff --git a/socketsecurity/core/__init__.py b/socketsecurity/core/__init__.py
@@ -414,15 +414,15 @@ def has_manifest_files(self, files: list) -> bool:
                 # Expand brace patterns for each manifest pattern
                 expanded_patterns = Core.expand_brace_pattern(pattern_str)
                 for exp_pat in expanded_patterns:
-                    # If pattern doesn't contain '/', prepend '**/' to match files in any subdirectory
-                    # This ensures patterns like '*requirements.txt' match '.test/requirements.txt'
-                    if '/' not in exp_pat:
-                        exp_pat = f"**/{exp_pat}"
-                    
                     for file in norm_files:
-                        # Use PurePath.match for glob-like matching
+                        # Match the pattern as-is first (handles root-level files
+                        # like "package.json" matching pattern "package.json")
                         if PurePath(file).match(exp_pat):
                             return True
+                        # Also try with **/ prefix to match files in subdirectories
+                        # (e.g. "src/requirements.txt" matching "*requirements.txt")
+                        if '/' not in exp_pat and PurePath(file).match(f"**/{exp_pat}"):
+                            return True
         return False
 
     def check_file_count_limit(self, file_count: int) -> dict:
diff --git a/tests/core/test_has_manifest_files.py b/tests/core/test_has_manifest_files.py
@@ -0,0 +1,70 @@
+from pathlib import PurePath
+from unittest.mock import patch
+
+from socketsecurity.core import Core
+
+
+# Minimal patterns matching what the Socket API returns
+MOCK_PATTERNS = {
+    "npm": {
+        "packagejson": {"pattern": "package.json"},
+        "packagelockjson": {"pattern": "package-lock.json"},
+        "yarnlock": {"pattern": "yarn.lock"},
+    },
+    "pypi": {
+        "requirements": {"pattern": "*requirements.txt"},
+        "requirementsin": {"pattern": "*requirements*.txt"},
+        "setuppy": {"pattern": "setup.py"},
+    },
+    "maven": {
+        "pomxml": {"pattern": "pom.xml"},
+    },
+}
+
+
+@patch.object(Core, "get_supported_patterns", return_value=MOCK_PATTERNS)
+@patch.object(Core, "__init__", lambda self, *a, **kw: None)
+class TestHasManifestFiles:
+    def test_root_level_package_json(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["package.json"]) is True
+
+    def test_root_level_package_lock_json(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["package-lock.json"]) is True
+
+    def test_subdirectory_package_json(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["libs/ui/package.json"]) is True
+
+    def test_root_level_requirements_txt(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["requirements.txt"]) is True
+
+    def test_subdirectory_requirements_txt(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["src/requirements.txt"]) is True
+
+    def test_prefixed_requirements_txt(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["dev-requirements.txt"]) is True
+
+    def test_no_manifest_files(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["README.md", "src/app.py"]) is False
+
+    def test_mixed_files_with_manifest(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files([".gitlab-ci.yml", "package.json", "src/app.tsx"]) is True
+
+    def test_empty_list(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files([]) is False
+
+    def test_dot_slash_prefix_normalized(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["./package.json"]) is True
+
+    def test_pom_xml_root(self, mock_patterns):
+        core = Core.__new__(Core)
+        assert core.has_manifest_files(["pom.xml"]) is True
