fix: bump Socket SDK version, handle missing diff scores (#193)

* fix: handle missing diff scores in dependency overview

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore: bump release version for CLI

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore: bump SDK version for release

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

---------

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.85"
+version = "2.2.86"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,7 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    "socketdev>=3.0.32,<4.0.0",
+    "socketdev>=3.0.33,<4.0.0",
     "bs4>=0.0.2",
     "markdown>=3.10",
 ]

socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.85'
+__version__ = '2.2.86'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

socketsecurity/core/classes.py

@@ -207,7 +207,7 @@ def from_diff_artifact(cls, data: dict) -> "Package":
                 name=data["name"],
                 version=data["version"],
                 type=data["type"],
-                score=data.get("score", data.get("scores", {})),
+                score=data.get("score") or data.get("scores") or {},
                 alerts=data.get("alerts", []),
                 author=data.get("author", []),
                 size=data.get("size"),
@@ -236,7 +236,7 @@ def from_diff_artifact(cls, data: dict) -> "Package":
             name=data["name"],
             version=data["version"],
             type=data["type"],
-            score=data.get("score", data.get("scores", {})),
+            score=data.get("score") or data.get("scores") or {},
             alerts=data.get("alerts", []),
             author=data.get("author", []),
             size=data.get("size"),
@@ -448,6 +448,8 @@ def __init__(self, **kwargs):
             self.capabilities = []
         if not hasattr(self, "is_new"):
             self.is_new = False
+        if not hasattr(self, "scores") or self.scores is None:
+            self.scores = {}
         self.author_url = Purl.generate_author_data(self.author, self.ecosystem)
 
     @staticmethod

socketsecurity/core/messages.py

@@ -1179,12 +1179,27 @@ def score_to_badge(score):
                 score_percent = int(score * 100)  # Convert to integer percentage
                 return f"[![{score_percent}](https://github-app-statics.socket.dev/score-{score_percent}.svg)]({added.url})"
 
+            def get_score_for_badge(score_name: str) -> float:
+                scores = getattr(added, "scores", None)
+                if isinstance(scores, dict):
+                    raw_score = scores.get(score_name)
+                else:
+                    raw_score = getattr(scores, score_name, None) if scores is not None else None
+
+                if raw_score is None:
+                    return 1.0
+
+                score = float(raw_score)
+                if score > 1:
+                    score = score / 100
+                return max(0.0, min(score, 1.0))
+
             # Generate badges for each score type
-            supply_chain_risk_badge = score_to_badge(added.scores.get("supplyChain", 100))
-            vulnerability_badge = score_to_badge(added.scores.get("vulnerability", 100))
-            quality_badge = score_to_badge(added.scores.get("quality", 100))
-            maintenance_badge = score_to_badge(added.scores.get("maintenance", 100))
-            license_badge = score_to_badge(added.scores.get("license", 100))
+            supply_chain_risk_badge = score_to_badge(get_score_for_badge("supplyChain"))
+            vulnerability_badge = score_to_badge(get_score_for_badge("vulnerability"))
+            quality_badge = score_to_badge(get_score_for_badge("quality"))
+            maintenance_badge = score_to_badge(get_score_for_badge("maintenance"))
+            license_badge = score_to_badge(get_score_for_badge("license"))
 
             # Add the row for this package
             row = [

tests/unit/test_dependency_overview.py

@@ -0,0 +1,67 @@
+from socketsecurity.core.classes import Diff, Package, Purl
+from socketsecurity.core.messages import Messages
+
+
+def _make_purl(name: str, scores) -> Purl:
+    return Purl(
+        id=f"pkg:npm/{name}@1.0.0",
+        name=name,
+        version="1.0.0",
+        ecosystem="npm",
+        direct=True,
+        introduced_by=[("direct", "package.json")],
+        author=["test-author"],
+        size=1000,
+        transitives=0,
+        url=f"https://socket.dev/npm/package/{name}/overview/1.0.0",
+        purl=f"pkg:npm/{name}@1.0.0",
+        scores=scores,
+    )
+
+
+def test_package_from_diff_artifact_normalizes_null_score():
+    package = Package.from_diff_artifact(
+        {
+            "id": "pkg:npm/example@1.0.0",
+            "name": "example",
+            "version": "1.0.0",
+            "type": "npm",
+            "diffType": "added",
+            "score": None,
+            "alerts": [],
+            "author": [],
+            "topLevelAncestors": [],
+            "direct": True,
+            "manifestFiles": [],
+        }
+    )
+
+    assert package.score == {}
+
+
+def test_dependency_overview_template_defaults_missing_or_null_scores(tmp_path, monkeypatch):
+    monkeypatch.chdir(tmp_path)
+
+    diff = Diff(
+        id="test-diff",
+        diff_url="https://socket.dev/test-diff",
+        new_packages=[
+            _make_purl("missing-scores", None),
+            _make_purl(
+                "partial-scores",
+                {
+                    "supplyChain": 0.42,
+                    "vulnerability": None,
+                },
+            ),
+        ],
+        removed_packages=[],
+        new_alerts=[],
+    )
+
+    comment = Messages.dependency_overview_template(diff)
+
+    assert "Socket Security: Dependency Overview" in comment
+    assert "score-42.svg" in comment
+    assert "score-100.svg" in comment
+    assert "score-10000.svg" not in comment