@@ -57,10 +57,9 @@ function toPosixPath(path: string): string {
5757}
5858
5959/**
60- * Fans --exclude-paths out to both exclusion sinks: the SCA manifest-discovery
61- * pipeline (via fast-glob's `ignore` option, as already-anchored minimatch
62- * patterns) and the reachability analyzer (via `reachExcludePaths`, ultimately
63- * coana's --exclude-dirs).
60+ * Derives the two scan-time forms of --exclude-paths: anchored minimatch
61+ * patterns for SCA manifest discovery, and target-relative paths for Coana's
62+ * reachability analysis.
6463 */
6564export function applyFullExcludePaths ( {
6665 cwd,
@@ -105,9 +104,9 @@ const DEGENERATE_EXCLUDE_PATHS = new Set<string>([
105104/**
106105 * Validates --exclude-paths entries before they reach either exclusion sink.
107106 * Rejects gitignore-style negations (coana's --exclude-dirs has no negation
108- * form), absolute paths (`/repo/tests` silently no-ops on both sinks today),
109- * patterns escaping the scan root via `..`, and degenerate match-everything
110- * sentinels like `.`, `**`, `/`.
107+ * form), absolute paths (the flag is scan-root relative), patterns escaping
108+ * the scan root via `..`, and degenerate match-everything sentinels like `.`,
109+ * `**`, `/`.
111110 */
112111export function assertValidExcludePaths ( paths : readonly string [ ] ) : void {
113112 for ( const p of paths ) {
@@ -156,7 +155,7 @@ export function excludePathToScanIgnores(input: string): string[] {
156155}
157156
158157/**
159- * Re-anchors Socket-scan-root patterns onto the reachability analysis target.
158+ * Re-anchors --exclude-paths patterns onto the reachability analysis target.
160159 * Coana matches --exclude-dirs relative to whichever directory it was invoked
161160 * on, so when the analysis target is a nested subdirectory, scan-root
162161 * patterns need their target prefix stripped. Patterns that fall outside the
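Review bot: The reworded docstring on `assertValidExcludePaths` (second hunk) still lists what is rejected but no longer says what goes wrong if such an entry gets through, and for the degenerate sentinels that consequence is what a reader most needs. Going by the phrase "match-everything", an entry such as `.` or `**` would presumably exclude the whole scan root from both SCA manifest discovery and reachability analysis, so a scan could come back clean only because nothing was examined. I would add a sentence along the lines of `Match-everything entries are rejected because they would exclude the entire scan root and yield an empty, clean-looking scan.` The commit also drops the remark that absolute paths silently no-op on both sinks; if that behaviour is the reason they are rejected, keeping a short clause about it would help whoever later relaxes the check. The function body continues outside the hunk, so the checks themselves are not visible here.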