fix: emit fossa project.id as <locator>\$<revision>

flowstate · flowstate · commit 2d5f84b2381f · 2026-05-26T13:27:40.000-07:00
Real FOSSA artifacts use \$ as the revision separator in project.id, not
\-. Update _build_project_metadata and add two tests that pin the correct
separator and fallback behaviour.
diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py
@@ -45,12 +45,11 @@ def _build_project_metadata(diff_report: Diff, config: CliConfig) -> dict[str, A
     branch = getattr(config, "branch", None) or "socket-default-branch"
     revision = getattr(diff_report, "id", None) or getattr(diff_report, "new_scan_id", None) or "unknown-revision"
     report_url = getattr(diff_report, "report_url", None) or getattr(diff_report, "diff_url", None)
-    project_id = repo
     return {
         "branch": branch,
-        "id": f"{project_id}-{revision}",
+        "id": f"{repo}${revision}",
         "project": repo,
-        "projectId": project_id,
+        "projectId": repo,
         "revision": revision,
         "url": report_url,
     }
diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py
@@ -144,6 +144,38 @@ def test_fossa_report_payload_vulnerability_shape_is_stable():
     assert generated_vulnerability["cve"] == "CVE-2024-47081"
 
 
+def test_project_metadata_uses_dollar_revision_separator():
+    """The composed FOSSA `project.id` is `<projectLocator>$<revision>`."""
+    from socketsecurity.fossa_compat import _build_project_metadata
+    config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets", "--branch", "refs/heads/main"])
+    diff = Diff(id="scan-abc123", report_url="https://socket.dev/x")
+    project = _build_project_metadata(diff, config)
+    assert project == {
+        "branch": "refs/heads/main",
+        "id": "acme/widgets$scan-abc123",
+        "project": "acme/widgets",
+        "projectId": "acme/widgets",
+        "revision": "scan-abc123",
+        "url": "https://socket.dev/x",
+    }
+
+
+def test_project_metadata_fallbacks_when_missing_fields():
+    """Falls back to literal placeholders when config/diff are sparse."""
+    from socketsecurity.fossa_compat import _build_project_metadata
+    config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"])
+    # Force absent repo/branch:
+    config.repo = None
+    config.branch = None
+    diff = Diff()
+    project = _build_project_metadata(diff, config)
+    assert project["branch"] == "socket-default-branch"
+    assert project["project"] == "socket-default-repo"
+    assert project["revision"] == "unknown-revision"
+    assert project["id"] == "socket-default-repo$unknown-revision"
+    assert project["url"] is None
+
+
 def test_fossa_attribution_payload_shape_is_stable():
     config = CliConfig.from_args([
         "--api-token", "test",
