cover FOSSA-compatible legal outputs/sample scenarios

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

tests/unit/test_cli_config.py

@@ -7,8 +7,15 @@ def test_api_token_from_env(self, monkeypatch):
         config = CliConfig.from_args([])  # Empty args list
         assert config.api_token == "test-token"
 
-    def test_required_args(self):
+    def test_required_args(self, monkeypatch):
         """Test that api token is required if not in environment"""
+        for env_var in (
+            "SOCKET_SECURITY_API_KEY",
+            "SOCKET_SECURITY_API_TOKEN",
+            "SOCKET_API_KEY",
+            "SOCKET_API_TOKEN",
+        ):
+            monkeypatch.delenv(env_var, raising=False)
         with pytest.raises(ValueError, match="API token is required"):
             config = CliConfig.from_args([])
             if not config.api_token:
@@ -86,6 +93,7 @@ def test_workspace_is_independent_of_workspace_name(self):
     def test_legal_flag_sets_default_artifact_files(self):
         config = CliConfig.from_args(["--api-token", "test", "--legal"])
         assert config.legal is True
+        assert config.legal_format == "socket"
         assert config.generate_license is True
         assert config.json_file == "socket-report.json"
         assert config.summary_file == "socket-summary.txt"
@@ -108,3 +116,14 @@ def test_legal_flag_preserves_explicit_file_paths(self):
         assert config.report_link_file == "custom-link.txt"
         assert config.sbom_file == "custom-sbom.json"
         assert config.license_file_name == "custom-license.json"
+
+    def test_fossa_legal_format_enables_legal_defaults(self):
+        config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"])
+        assert config.legal is True
+        assert config.legal_format == "fossa"
+        assert config.generate_license is True
+        assert config.json_file == "fossa-analyze.json"
+        assert config.summary_file == "fossa-test.txt"
+        assert config.report_link_file == "fossa-link.txt"
+        assert config.sbom_file is None
+        assert config.license_file_name == "fossa-sbom.json"

tests/unit/test_fossa_compat.py

@@ -0,0 +1,111 @@
+import json
+from pathlib import Path
+
+from socketsecurity.config import CliConfig
+from socketsecurity.core.classes import Diff, Issue, Package
+from socketsecurity.fossa_compat import build_fossa_report_payload
+
+
+FIXTURE_DIR = Path("/Users/lelia/github/fossa/DependencyScan/Fossa/validation-pipeline")
+
+
+def test_fossa_report_payload_matches_sample_top_level_shape():
+    sample = json.loads(
+        (FIXTURE_DIR / "fossa-analyze-11464165-job-011e1ec8-6569-5e69-4f06-baf193d1351e_03172026132742.json").read_text()
+    )
+
+    config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"])
+    diff = Diff(id="scan-123", report_url="https://socket.dev/report/123")
+
+    payload = build_fossa_report_payload(diff, config)
+
+    assert list(payload.keys()) == list(sample.keys())
+    assert sorted(payload["project"].keys()) == sorted(sample["project"].keys())
+    assert payload["vulnerability"] == []
+    assert payload["licensing"] == []
+    assert payload["quality"] == []
+
+
+def test_fossa_report_payload_vulnerability_keys_cover_sample_shape():
+    sample = json.loads(
+        (FIXTURE_DIR / "fossa-analyze-11464165-job-7f33e5bd-7764-5d8a-ba2e-506e078b9c3f_03172026132955.json").read_text()
+    )
+    sample_vulnerability = sample["vulnerability"][0]
+
+    config = CliConfig.from_args([
+        "--api-token", "test",
+        "--legal-format", "fossa",
+        "--repo", "owner/repo",
+        "--branch", "refs/heads/main",
+    ])
+    diff = Diff(id="scan-123", report_url="https://socket.dev/report/123")
+    diff.packages = {
+        "pkg-1": Package(
+            id="pkg-1",
+            name="requests",
+            version="2.31.0",
+            type="pypi",
+            score={},
+            alerts=[],
+            direct=True,
+            url="https://requests.readthedocs.io/",
+            license="Apache-2.0",
+            purl="pkg:pypi/requests@2.31.0",
+        )
+    }
+    diff.new_alerts = [
+        Issue(
+            title="Insufficiently Protected Credentials",
+            severity="medium",
+            description="Requests may leak credentials for crafted URLs.",
+            error=True,
+            key="GHSA-9hjg-9r4m-mvj7",
+            type="vulnerability",
+            pkg_type="pypi",
+            pkg_name="requests",
+            pkg_version="2.31.0",
+            pkg_id="pkg-1",
+            purl="pkg:pypi/requests@2.31.0",
+            url="https://socket.dev/pypi/package/requests/alerts/2.31.0",
+            props={
+                "id": 11088938,
+                "createdAt": "2025-10-08T10:41:05.933Z",
+                "ghsaId": "GHSA-9hjg-9r4m-mvj7",
+                "cveId": "CVE-2024-47081",
+                "cvssScore": 5.3,
+                "fixedVersion": "2.32.4",
+                "partialFixDistance": "MINOR",
+                "completeFixDistance": "MINOR",
+                "attackVector": "Network",
+                "attackComplexity": "High",
+                "privilegesRequired": "None",
+                "userInteraction": "Required",
+                "scope": "Unchanged",
+                "confidentialityImpact": "High",
+                "integrityImpact": "None",
+                "availabilityImpact": "None",
+                "cveStatus": "COMPLETED",
+                "cwes": ["CWE-522"],
+                "published": "2025-06-09T19:06:08Z",
+                "affectedVersionRanges": ["<2.32.4"],
+                "patchedVersionRanges": ["2.32.4"],
+                "references": ["https://github.com/advisories/GHSA-9hjg-9r4m-mvj7"],
+                "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
+                "exploitability": "UNKNOWN",
+                "epssScore": 0.00154,
+                "epssPercentile": 0.35957,
+                "cpes": [],
+            },
+        )
+    ]
+
+    payload = build_fossa_report_payload(diff, config)
+    generated_vulnerability = payload["vulnerability"][0]
+
+    assert sorted(generated_vulnerability.keys()) == sorted(sample_vulnerability.keys())
+    assert generated_vulnerability["source"]["packageManager"] == sample_vulnerability["source"]["packageManager"]
+    assert sorted(generated_vulnerability["source"].keys()) == sorted(sample_vulnerability["source"].keys())
+    assert sorted(generated_vulnerability["depths"].keys()) == sorted(sample_vulnerability["depths"].keys())
+    assert sorted(generated_vulnerability["statuses"].keys()) == sorted(sample_vulnerability["statuses"].keys())
+    assert sorted(generated_vulnerability["remediation"].keys()) == sorted(sample_vulnerability["remediation"].keys())
+    assert sorted(generated_vulnerability["epss"].keys()) == sorted(sample_vulnerability["epss"].keys())

tests/unit/test_output.py

@@ -1,6 +1,6 @@
 import pytest
 from socketsecurity.output import OutputHandler
-from socketsecurity.core.classes import Diff, Issue
+from socketsecurity.core.classes import Diff, Issue, Package
 import json
 
 class TestOutputHandler:
@@ -144,6 +144,7 @@ def test_json_file_saving(self, tmp_path):
         config.report_link_file = None
         config.sbom_file = None
         config.legal = True
+        config.legal_format = "socket"
         config.repo = "owner/repo"
         config.branch = "main"
         config.commit_sha = "abc123"
@@ -199,6 +200,7 @@ def test_summary_and_report_link_files_are_written(self, tmp_path):
         config.report_link_file = str(report_link_path)
         config.sbom_file = None
         config.legal = False
+        config.legal_format = "socket"
         config.repo = None
         config.branch = ""
         config.commit_sha = ""
@@ -235,6 +237,105 @@ def test_summary_and_report_link_files_are_written(self, tmp_path):
         assert "Security issues detected by Socket Security:" in summary_path.read_text()
         assert report_link_path.read_text().strip() == "https://socket.dev/report/123"
 
+    def test_json_file_saving_in_fossa_format(self, tmp_path):
+        from socketsecurity.config import CliConfig
+        from unittest.mock import Mock
+
+        json_path = tmp_path / "fossa-report.json"
+
+        config = Mock(spec=CliConfig)
+        config.disable_blocking = False
+        config.strict_blocking = False
+        config.json_file = str(json_path)
+        config.summary_file = None
+        config.report_link_file = None
+        config.sbom_file = None
+        config.legal = True
+        config.legal_format = "fossa"
+        config.repo = "owner/repo"
+        config.branch = "refs/heads/main"
+        config.commit_sha = "abc123"
+        config.enable_json = False
+        config.enable_sarif = False
+        config.enable_gitlab_security = False
+        config.enable_debug = False
+
+        handler = OutputHandler(config, Mock())
+
+        diff = Diff()
+        diff.id = "scan-123"
+        diff.report_url = "https://socket.dev/report/123"
+        diff.packages = {
+            "pkg-1": Package(
+                id="pkg-1",
+                name="requests",
+                version="2.31.0",
+                type="pypi",
+                score={},
+                alerts=[],
+                direct=True,
+                url="https://socket.dev/pypi/package/requests/overview/2.31.0",
+                license="Apache-2.0",
+                purl="pkg:pypi/requests@2.31.0",
+            )
+        }
+        diff.new_alerts = [
+            Issue(
+                title="Prototype Pollution",
+                severity="high",
+                description="Upgrade to a fixed version.",
+                error=True,
+                key="alert-1",
+                type="vulnerability",
+                pkg_type="pypi",
+                pkg_name="requests",
+                pkg_version="2.31.0",
+                pkg_id="pkg-1",
+                purl="pkg:pypi/requests@2.31.0",
+                url="https://socket.dev/npm/package/requests/alerts/2.31.0",
+                props={
+                    "ghsaId": "GHSA-1234",
+                    "cveId": "CVE-2026-1234",
+                    "cvssScore": 8.2,
+                    "fixedVersion": "2.31.1",
+                    "references": ["https://github.com/advisories/GHSA-1234"],
+                },
+            ),
+            Issue(
+                title="License Policy Violation",
+                severity="medium",
+                description="Package license violates policy.",
+                warn=True,
+                key="license-1",
+                type="licenseSpdxDisj",
+                pkg_type="pypi",
+                pkg_name="requests",
+                pkg_version="2.31.0",
+                pkg_id="pkg-1",
+                purl="pkg:pypi/requests@2.31.0",
+                url="https://socket.dev/pypi/package/requests/license/2.31.0",
+            ),
+        ]
+
+        handler.save_json_file(diff, str(json_path))
+
+        saved = json.loads(json_path.read_text())
+        assert saved["project"] == {
+            "branch": "refs/heads/main",
+            "id": "owner/repo-scan-123",
+            "project": "owner/repo",
+            "projectId": "owner/repo",
+            "revision": "scan-123",
+            "url": "https://socket.dev/report/123",
+        }
+        assert len(saved["vulnerability"]) == 1
+        assert saved["vulnerability"][0]["vulnId"] == "GHSA-1234"
+        assert saved["vulnerability"][0]["cve"] == "CVE-2026-1234"
+        assert saved["vulnerability"][0]["source"]["packageManager"] == "pip"
+        assert saved["vulnerability"][0]["remediation"]["completeFix"] == "2.31.1"
+        assert saved["licensing"][0]["type"] == "policy_conflict"
+        assert saved["quality"] == []
+
     def test_report_pass_with_strict_blocking_new_alerts(self):
         """Test that strict-blocking fails on new blocking alerts"""
         from socketsecurity.config import CliConfig

tests/unit/test_socketcli.py

@@ -45,3 +45,65 @@ def test_build_license_artifact_payload_serializes_package_fields():
             "purl": "requests@2.31.0",
         }
     }
+
+
+def test_build_license_artifact_payload_fossa_format_without_packages():
+    class Config:
+        repo = "owner/repo"
+        branch = "main"
+
+    diff = Diff(id="scan-1", report_url="https://socket.dev/report/1")
+
+    payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config())
+
+    assert payload == {
+        "project": {
+            "branch": "main",
+            "id": "owner/repo-scan-1",
+            "project": "owner/repo",
+            "projectId": "owner/repo",
+            "revision": "scan-1",
+            "url": "https://socket.dev/report/1",
+        },
+        "dependencies": [],
+    }
+
+
+def test_build_license_artifact_payload_fossa_format_serializes_dependencies():
+    class Config:
+        repo = "owner/repo"
+        branch = "main"
+
+    diff = Diff(id="scan-1", report_url="https://socket.dev/report/1")
+    diff.packages = {
+        "pkg:pypi/requests@2.31.0": Package(
+            id="pkg-1",
+            name="requests",
+            version="2.31.0",
+            type="pypi",
+            score={},
+            alerts=[],
+            direct=True,
+            url="https://socket.dev/pypi/package/requests/overview/2.31.0",
+            license="Apache-2.0",
+            licenseDetails=[{"id": "Apache-2.0"}],
+            licenseAttrib=[{"id": "Apache-2.0"}],
+            purl="pkg:pypi/requests@2.31.0",
+        )
+    }
+
+    payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config())
+
+    assert payload["project"]["projectId"] == "owner/repo"
+    assert payload["dependencies"] == [{
+        "id": "pkg-1",
+        "name": "requests",
+        "version": "2.31.0",
+        "ecosystem": "pip",
+        "direct": True,
+        "url": "https://socket.dev/pypi/package/requests/overview/2.31.0",
+        "purl": "pkg:pypi/requests@2.31.0",
+        "declaredLicense": "Apache-2.0",
+        "licenseDetails": [{"id": "Apache-2.0"}],
+        "licenseAttrib": [{"id": "Apache-2.0"}],
+    }]