fix: warn about per-vulnerability reachability errors in scan output

mtorp · mtorp · commit b61aa9a0c5c9 · 2026-04-08T10:30:53.000+02:00
diff --git a/src/commands/scan/output-scan-reach.mts b/src/commands/scan/output-scan-reach.mts
@@ -1,6 +1,8 @@
 import { logger } from '@socketsecurity/registry/lib/logger'
+import { pluralize } from '@socketsecurity/registry/lib/words'
 
 import constants from '../../constants.mts'
+import { extractReachabilityErrors } from '../../utils/coana.mts'
 import { failMsgWithBadge } from '../../utils/fail-msg-with-badge.mts'
 import { serializeResultJson } from '../../utils/serialize-result-json.mts'
 
@@ -29,4 +31,20 @@ export async function outputScanReach(
   logger.log('')
   logger.success('Reachability analysis completed successfully!')
   logger.info(`Reachability report has been written to: ${actualOutputPath}`)
+
+  // Warn about individual vulnerabilities where reachability analysis errored.
+  const errors = extractReachabilityErrors(
+    result.data.reachabilityReport,
+  )
+  if (errors.length) {
+    logger.log('')
+    logger.warn(
+      `Reachability analysis returned ${errors.length} ${pluralize('error', errors.length)} for individual ${pluralize('vulnerability', errors.length)}:`,
+    )
+    for (const err of errors) {
+      logger.warn(
+        `  - ${err.ghsaId} in ${err.componentName}@${err.componentVersion} (${err.subprojectPath})`,
+      )
+    }
+  }
 }
diff --git a/src/utils/coana.mts b/src/utils/coana.mts
@@ -13,6 +13,59 @@
 
 import { readJsonSync } from '@socketsecurity/registry/lib/fs'
 
+export type ReachabilityError = {
+  componentName: string
+  componentVersion: string
+  ghsaId: string
+  subprojectPath: string
+}
+
+export function extractReachabilityErrors(
+  socketFactsFile: string,
+): ReachabilityError[] {
+  const json = readJsonSync(socketFactsFile, { throws: false }) as
+    | {
+        components?: Array<{
+          name?: string
+          reachability?: Array<{
+            ghsa_id?: string
+            reachability?: Array<{
+              subprojectPath?: string
+              type?: string
+            }>
+          }>
+          version?: string
+        }>
+      }
+    | null
+    | undefined
+  if (!json || !Array.isArray(json.components)) {
+    return []
+  }
+  const errors: ReachabilityError[] = []
+  for (const component of json.components) {
+    if (!Array.isArray(component.reachability)) {
+      continue
+    }
+    for (const ghsaEntry of component.reachability) {
+      if (!Array.isArray(ghsaEntry.reachability)) {
+        continue
+      }
+      for (const entry of ghsaEntry.reachability) {
+        if (entry.type === 'error') {
+          errors.push({
+            componentName: String(component.name ?? ''),
+            componentVersion: String(component.version ?? ''),
+            ghsaId: String(ghsaEntry.ghsa_id ?? ''),
+            subprojectPath: String(entry.subprojectPath ?? ''),
+          })
+        }
+      }
+    }
+  }
+  return errors
+}
+
 export function extractTier1ReachabilityScanId(
   socketFactsFile: string,
 ): string | undefined {
