improved json output, add analysis information and commands

Author: alerizzo

README.md

@@ -51,12 +51,12 @@ codacy <command> --help   # Detailed usage for any command
 |---|---|
 | `info` | Show authenticated user info and their organizations |
 | `repositories <provider> <org>` | List repositories for an organization |
-| `repository <provider> <org> <repo>` | Show metrics for a repository, or add/remove/follow/unfollow it |
+| `repository <provider> <org> <repo>` | Show metrics for a repository, or add/remove/follow/unfollow/reanalyze it |
 | `issues <provider> <org> <repo>` | Search issues in a repository with filters |
 | `issue <provider> <org> <repo> <id>` | Show details for a single issue, or ignore/unignore it |
 | `findings <provider> <org> [repo]` | Show security findings for a repository or organization |
 | `finding <provider> <org> <id>` | Show details for a single security finding, or ignore/unignore it |
-| `pull-request <provider> <org> <repo> <pr>` | Show PR analysis, issues, diff coverage, and changed files |
+| `pull-request <provider> <org> <repo> <pr>` | Show PR analysis, issues, diff coverage, and changed files; or reanalyze it |
 | `tools <provider> <org> <repo>` | List analysis tools configured for a repository |
 | `tool <provider> <org> <repo> <tool>` | Enable, disable, or configure an analysis tool |
 | `patterns <provider> <org> <repo> <tool>` | List patterns for a tool with filters |

SPECS/README.md

@@ -6,7 +6,7 @@ This is the single source of truth for all project tasks and specs.
 
 ## Pending Tasks
 
-_No pending tasks._
+_No pending tasks._ All commands implemented.
 
 ## Command Inventory
 
@@ -24,6 +24,9 @@ _No pending tasks._
 | `tool` | `tl` | ✅ Done | [tools-and-patterns.md](commands/tools-and-patterns.md) |
 | `patterns` | `pats` | ✅ Done | [tools-and-patterns.md](commands/tools-and-patterns.md) |
 | `pattern` | `pat` | ✅ Done | [tools-and-patterns.md](commands/tools-and-patterns.md) |
+| `analysis` | N/A | ✅ Done | [analysis.md](commands/analysis.md) |
+| `json-output` | N/A | ✅ Done | [json-output.md](commands/json-output.md) |
+
 
 ## Other Specs
 
@@ -56,3 +59,5 @@ _No pending tasks._
 | 2026-02-25 | `repository` actions: `--add`, `--remove`, `--follow`, `--unfollow` (4 new tests, 112 total) |
 | 2026-02-25 | `tools`, `tool`, `patterns`, `pattern` commands + tests (35 new tests, 147 total); `findToolByName` helper added to `utils/formatting.ts` |
 | 2026-03-02 | `issue --ignore`, `pull-request --ignore-issue` / `--ignore-all-false-positives`, `finding --ignore` + tests (17 new tests, 164 total); all use `-R/--ignore-reason` and `-m/--ignore-comment` options |
+| 2026-03-05 | Analysis status in `repository` and `pull-request` About sections using `formatAnalysisStatus()`; `--reanalyze` option for both commands (13 new tests, 185 total) |
+| 2026-03-05 | JSON output filtering with `pickDeep` across all commands: `info`, `repositories`, `repository`, `pull-request`, `issues`, `issue`, `findings`, `finding`, `tools`, `patterns`; documented pattern in `src/commands/CLAUDE.md` |

SPECS/commands/analysis.md

@@ -0,0 +1,85 @@
+# Analysis Status & Reanalyze Spec
+
+**Status:** ✅ Done (2026-03-05)
+
+## Purpose
+
+Show analysis status of the HEAD commit in the `repository` and `pull-request` commands, and allow triggering reanalysis.
+
+## Usage
+
+```
+codacy repository <provider> <organization> <repository> --reanalyze
+codacy pull-request <provider> <organization> <repository> <prNumber> --reanalyze
+```
+
+On success, show: "Reanalysis requested successfully, new results will be available in a few minutes."
+On failure, show: "Failed to request reanalysis: \<error message\>".
+
+## Updates to existing commands
+
+### `repository` command — About section
+
+The "Last Analysis" row is replaced by "Analysis", showing the current analysis status of the HEAD commit:
+
+- Reanalysis in progress (HEAD commit already analyzed, but currently being reanalyzed):
+```
+Analysis       Finished 12h ago (c00e638) — Reanalysis in progress...
+```
+
+- First analysis (HEAD commit not yet analyzed):
+```
+Analysis       In progress... (c00e638)
+```
+
+- Analysis finished, waiting for coverage (within 3h):
+```
+Analysis       Finished 12h ago (c00e638) — Waiting for coverage reports...
+```
+
+- Analysis finished, coverage overdue (>3h):
+```
+Analysis       Finished 12h ago (c00e638) — Missing coverage reports
+```
+
+- Normal finished state:
+```
+Analysis       Finished 12h ago (c00e638)
+```
+
+"In progress..." and "Reanalysis in progress..." are colored light blue. "Missing coverage reports" is yellow.
+
+### `pull-request` command — About section
+
+Same "Analysis" row replaces the former "Head Commit" row, with the same status logic applied to the PR's HEAD commit.
+
+## Analysis Status Logic
+
+- **Being analyzed**: `startedAnalysis` is set AND (`endedAnalysis` is absent OR `startedAnalysis > endedAnalysis`)
+- **Coverage expected**: determined by `listCoverageReports(limit=1).data.hasCoverageOverview`
+- **Coverage data present**: `diffCoverage.value !== undefined OR deltaCoverage !== undefined` (PR); `coveragePercentage !== undefined` (repo)
+- **Wait threshold**: 3 hours from `endedAnalysis`
+
+Implemented in `formatAnalysisStatus()` in `src/utils/formatting.ts`.
+
+## API Endpoints
+
+- [`reanalyzeCommitById`](https://api.codacy.com/api/api-docs#reanalyzecommitbyid) — `RepositoryService.reanalyzeCommitById(provider, org, repo, { commitUuid: sha })`
+- [`getPullRequestCommits`](https://api.codacy.com/api/api-docs#getpullrequestcommits) with `limit=1` — head commit timing for PR
+- [`listRepositoryCommits`](https://api.codacy.com/api/api-docs#listrepositorycommits) with `limit=1` — head commit timing for repo
+- [`listCoverageReports`](https://api.codacy.com/api/api-docs#listcoveragereports) with `limit=1` — check `hasCoverageOverview`
+
+## Tasks
+
+- [x] Update analysis status in the About section of the `repository` command
+- [x] Update analysis status in the About section of the `pull-request` command
+- [x] Add `--reanalyze` option to the `repository` command
+- [x] Add `--reanalyze` option to the `pull-request` command
+- [x] Update existing tests for the status sections
+- [x] Add tests for the new `--reanalyze` option
+
+## Tests
+
+- `src/utils/formatting.test.ts` — 6 unit tests for `formatAnalysisStatus`
+- `src/commands/repository.test.ts` — 4 new tests (analysis status, reanalyze)
+- `src/commands/pull-request.test.ts` — 3 new tests (analysis status, reanalyze)

SPECS/commands/finding.md

@@ -12,23 +12,34 @@ Show full details of a single security finding.
 codacy finding <provider> <organization> <findingId>
 codacy fin gh my-org abc123-uuid
 codacy fin gh my-org abc123-uuid --output json
+codacy fin gh my-org abc123-uuid --ignore
+codacy fin gh my-org abc123-uuid --ignore --ignore-reason FalsePositive --ignore-comment "Verified safe"
+codacy fin gh my-org abc123-uuid --unignore
 ```
 
 The `findingId` is the UUID shown in dim gray at the end of each findings card.
 
+## Options
+
+| Option | Short | Description |
+|---|---|---|
+| `--ignore` | `-I` | Ignore this finding |
+| `--ignore-reason <reason>` | `-R` | Reason: `AcceptedUse` (default) \| `FalsePositive` \| `NotExploitable` \| `TestCode` \| `ExternalCode` |
+| `--ignore-comment <comment>` | `-m` | Optional comment |
+| `--unignore` | `-U` | Unignore this finding |
+
 ## API Endpoints
 
 1. [`getSecurityItem`](https://api.codacy.com/api/api-docs#getsecurityitem) — `SecurityService.getSecurityItem(provider, org, findingId)`
 2. For Codacy-source findings (`itemSource === 'Codacy'`), after step 1:
    - `AnalysisService.getIssue(provider, org, item.repository, parseInt(item.itemSourceId))` → linked quality issue
    - Then in parallel: `ToolsService.getPattern(toolUuid, patternId)` + `FileService.getFileContent(...)`
    - Failures at steps 2/3 are silently caught — the finding is still shown
+3. When `item.cve` is present, fetch CVE data from `https://cveawg.mitre.org/api/cve/{CVE-ID}` in parallel with step 2
 
 ## Output Format
 
 ```
-────────────────────────────────────────
-
 {Priority colored} | {SecurityCategory} {ScanType} | {Optional: Likelihood} {EffortToFix} | {Optional: Repository}  {id dimmed}
 {Finding title}
 
@@ -44,129 +55,20 @@ The `findingId` is the UUID shown in dim gray at the end of each findings card.
 {Optional: remediation}
 
 {For Codacy-source: shared printIssueCodeContext output — file context + pattern docs}
-
-────────────────────────────────────────
 ```
 
-## CVE Enrichment (Pending)
+## CVE Enrichment
 
-When `item.cve` is present, fetch CVE data from `https://cveawg.mitre.org/api/cve/{CVE-CODE}` and add it to the output.
+When `item.cve` is present, fetch CVE data from `https://cveawg.mitre.org/api/cve/{CVE-ID}` and display:
 
-Use types from `src/utils/cve.ts` to parse the response. Show the enriched CVE information (description, CVSS score, references) after the finding's metadata block.
+- CVE ID as a bold header ("About {cveId}")
+- CVSS score(s) and severity, published/updated dates (from `cveMetadata`)
+- Title (from `containers.cna.title` or first English problem type description)
+- English description (from `containers.cna.descriptions`)
+- Deduplicated references from `cna` and all `adp` containers
 
-The output should match the component we have in our UI. Here's the React component code:
-
-```
-const CVSS_COLOR_MAP: Record<string, PillLabelStatus> = {
-  low: 'success',
-  medium: 'warning',
-  high: 'high',
-  critical: 'critical',
-  default: 'default',
-}
-
-const CVEMetric: React.FC<{ score?: number; severity?: string }> = ({ score, severity }) => (
-  <PillLabel size="md" ml={2} status={CVSS_COLOR_MAP[severity?.toLowerCase() || 'default']}>
-    {score || '-'} | {capitalize(severity || '-')}
-  </PillLabel>
-)
-
-export const CVEContent: React.FCC<CVEContentProps> = ({ cve, ...props }) => {
-  const { data: cveData, isLoading, isError } = useCVE(cve)
-
-  return (
-    <Box backgroundColor="background-primary" p={5} borderRadius={1} {...props}>
-      {isLoading && <CVEContentSkeleton />}
-      {!isLoading && isError && (
-        <EmptyState template="noMatch" py={6} maxWidth="50%">
-          <Subheader size="lg">Sadly, we couldn't show CVE details for {cve}</Subheader>
-          <Paragraph mt={4} size="md">
-            The CVE data is not available or the CVE code is invalid. You can{' '}
-            <Link href={`https://www.cve.org/CVERecord?id=${cve}`} isExternal size="md">
-              go to the CVE website
-            </Link>{' '}
-            to see the details.
-          </Paragraph>
-        </EmptyState>
-      )}
-      {!isLoading && !isError && cveData && (
-        <Box>
-          <Flex flexDirection="row" alignItems="center" justifyContent="space-between" mb={2}>
-            <Subheader size="sm" mr={2} flexGrow={1}>
-              <Link href={`https://www.cve.org/CVERecord?id=${cveData.cveMetadata.cveId}`} isExternal size="lg">
-                {cveData.cveMetadata.cveId}
-              </Link>
-            </Subheader>
-            {!!cveData.containers.cna.metrics?.length && (
-              <Caption size="sm" color="tertiary" mr={1}>
-                <span title="Common Vulnerability Scoring System">CVSS:</span>
-              </Caption>
-            )}
-            {cveData.containers.cna.metrics?.map((metric) => (
-              <CVEMetric
-                key={metric.format}
-                score={
-                  metric.cvssV4_0?.baseScore ||
-                  metric.cvssV3_1?.baseScore ||
-                  metric.cvssV3_0?.baseScore ||
-                  metric.cvssV2_0?.baseScore
-                }
-                severity={
-                  metric.cvssV4_0?.baseSeverity || metric.cvssV3_1?.baseSeverity || metric.cvssV3_0?.baseSeverity
-                }
-              />
-            ))}
-          </Flex>
-
-          <Caption size="sm" color="tertiary" mb={4}>
-            {!!cveData.cveMetadata.datePublished && (
-              <>
-                Published: <TimeCaption value={cveData.cveMetadata.datePublished} mr={2} />
-              </>
-            )}
-            {!!cveData.cveMetadata.dateUpdated && (
-              <>
-                Updated: <TimeCaption value={cveData.cveMetadata.dateUpdated} mr={2} />
-              </>
-            )}
-          </Caption>
-
-          {(cveData.containers.cna.title || cveData.containers.cna.problemTypes?.length) && (
-            <Subheader size="sm" mb={2}>
-              {cveData.containers.cna.title ||
-                cveData.containers.cna.problemTypes?.[0]?.descriptions?.filter(
-                  (description) => description.lang === 'en'
-                )[0]?.description}
-            </Subheader>
-          )}
-          <Paragraph size="md" mb={6}>
-            {cveData.containers.cna.descriptions?.filter((description) => description.lang === 'en')[0]?.value}
-          </Paragraph>
-          <Subheader size="xs" mb={2}>
-            References
-          </Subheader>
-          <BulletedList>
-            {uniqBy(
-              [
-                ...(cveData.containers.cna.references || []),
-                ...(cveData.containers.adp?.flatMap((adp) => adp.references || []) || []),
-              ],
-              'url'
-            ).map((reference) => (
-              <li key={reference.url}>
-                <Link href={reference.url} isExternal size="sm" styleType="light">
-                  {reference.url}
-                </Link>
-              </li>
-            ))}
-          </BulletedList>
-        </Box>
-      )}
-    </Box>
-  )
-}
-```
+For Codacy-source findings, the CVE block is injected between the code context and the pattern documentation. For non-Codacy-source findings, it follows the prose fields.
 
 ## Tests
 
-File: `src/commands/finding.test.ts` — 9 tests.
+File: `src/commands/finding.test.ts` — 14 tests (9 original + 5 for CVE enrichment).

SPECS/commands/findings.md

@@ -12,8 +12,8 @@ Show security findings for a repository or an organization. The repository argum
 codacy findings <provider> <organization> [repository]
 codacy findings gh my-org my-repo
 codacy findings gh my-org
-codacy fins gh my-org --severities High,Critical --statuses OnTrack
-codacy fins gh my-org my-repo --output json
+codacy find gh my-org --severities High,Critical --statuses OnTrack
+codacy find gh my-org my-repo --output json
 ```
 
 ## API Endpoints
@@ -24,13 +24,15 @@ codacy fins gh my-org my-repo --output json
 
 | Option | Short | Description |
 |---|---|---|
-| `--search <term>` | `-s` | Search term to filter findings |
-| `--severities <list>` | `-S` | Comma-separated priority levels |
-| `--statuses <list>` | `-t` | Comma-separated status names |
+| `--search <term>` | `-q` | Search term to filter findings |
+| `--severities <list>` | `-s` | Comma-separated priority levels: Critical, High, Medium, Low |
+| `--statuses <list>` | `-S` | Comma-separated statuses: Overdue, OnTrack, DueSoon, ClosedOnTime, ClosedLate, Ignored |
 | `--categories <list>` | `-c` | Comma-separated security category names |
-| `--scan-types <list>` | `-T` | Comma-separated scan types |
+| `--scan-types <list>` | `-T` | Comma-separated scan types: SAST, Secrets, SCA, CICD, IaC, DAST, PenTesting, License, CSPM |
 | `--dast-targets <list>` | `-d` | Comma-separated DAST target URLs |
 
+Default status filter: `Overdue,OnTrack,DueSoon`.
+
 ## Output
 
 Card-style format:
@@ -40,13 +42,14 @@ Card-style format:
 
 {Priority colored} | {SecurityCategory} {ScanType} | {Optional: Likelihood} {Optional: EffortToFix} | {Optional: Repository}  {id dimmed}
 {Finding title}
+{Optional: affectedTargets}
 
-{Status} {DueAt} | {Optional: CVE or CWE} | {Optional: AffectedVersion → FixedVersion} | {Optional: Application} | {Optional: AffectedTargets}
+{Status} {DueAt} | {Optional: CVE or CWE} | {Optional: AffectedVersion → FixedVersion} | {Optional: Application}
 
 ────────────────────────────────────────
 ```
 
-The `id` (UUID) is shown in dim gray at the end of line 1 for use with the `finding` command.
+The `id` (UUID) is shown in dim gray at the end of line 1 — use it with the `finding` command to see full details.
 
 Priority colors: Critical=red, High=orange, Medium=yellow, Low=blue.