[ANE-2724] Pass --debug to Ficus when CLI is in debug mode

[nficca]

Overview

Important

This PR depends on fossas/ficus#170 being released first. Current Ficus will reject the --debug flag, so this must not be merged until a Ficus release containing that change is vendored in.

When the CLI runs with --debug, Ficus was still running at its default info log level. This meant debug-level observations (like per-file Vendetta match data from fossas/ficus#170) were filtered out and never made it into the debug bundle.

This passes --debug to Ficus when the CLI is in debug mode, so that Ficus's debug observations show up in fossa.ficus-stdout.log.

We use a CLI flag rather than setting FICUS_LOG=debug via the process environment because it's simpler (no need to inherit and merge the parent environment) and it keeps Ficus's debug mode explicitly visible in the command invocation.

Acceptance criteria

• When the CLI runs with --debug, Ficus receives --debug and emits debug-level observations
• When the CLI runs without --debug, Ficus behavior is unchanged

Testing plan

Requires fossas/ficus#170 to be released and vendored first.

1. Run a vendetta scan with --debug:

fossa analyze --x-vendetta --debug

2. Inspect fossa.ficus-stdout.log in the debug bundle:

unzip -p fossa.debug.zip fossa.ficus-stdout.log | jq 'select(.level == "DEBUG") | .observation.payload | fromjson?'

You should see structured file match observations like:

{"file":"vendor/sqlite/sqlite3.c","component":"sqlite","purl":"pkg:github/nicowilliams/[email protected]","corrected":false,"single_file_lib":false}

3. Run without --debug and confirm fossa.ficus-stdout.log does NOT contain debug observations (only finding and error level).

Debug bundle size impact

Tested on the fossa-cli repo itself (~22k files walked by Vendetta):

	Zip size	stdout (raw)	stderr (raw)
Without --debug to Ficus	885 KB	7 KB	8 KB
With --debug to Ficus	1,024 KB	4,075 KB	4,682 KB

The zip grows by ~140 KB (16%) thanks to ~95% compression on the repetitive debug output.

Risks

This PR must be released after fossas/ficus#170. Current Ficus rejects unknown flags, so merging this before the Ficus update would break Ficus invocation when --debug is used.

References

• ANE-2724
• fossas/ficus#170: Ficus-side changes (debug observations + --debug flag)

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
• If this PR introduced a user-visible change, I added documentation into docs/.
• If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
• If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
• If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md

No tests needed for this change. It's passing a flag through to a subprocess.

[coderabbitai]

Walkthrough

This pull request updates the FOSSA CLI changelog to document release 3.17.5 and modifies the Ficus analysis module to conditionally enable debug mode. The changelog addition notes that debug bundles now include per-file component match data from Vendetta scans. In src/App/Fossa/Ficus/Analyze.hs, the runFicus function was changed to construct a debugArgs list that includes the --debug flag when a debug directory is configured, then passes these arguments to the Ficus binary invocation alongside existing command arguments.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: passing the --debug flag to Ficus when CLI is in debug mode.
Description check	✅ Passed	The description includes all major template sections: comprehensive overview with important context, clear acceptance criteria, detailed testing plan with concrete steps, identified risks, and references to Jira ticket; checklist items are addressed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/App/Fossa/Ficus/Analyze.hs`:
- Around line 257-265: The logged Ficus command omits debugArgs (the "--debug"
added when maybeDebugDir is Just _) because the log is built from cmdArgs alone;
update ficusCommand to compute the final argument list (combine debugArgs with
map toString (cmdArgs cmd)) after processConfig is assembled and log that final
effective args (use the same combined list used in processConfig) so the debug
log reflects the exact OS invocation; reference debugArgs, maybeDebugDir,
processConfig and the function that builds the command (ficusCommand/where
block) to locate and adjust the logging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: e490cd8d-55a3-4952-a375-b6ecaf9fcd4d

📥 Commits

Reviewing files that changed from the base of the PR and between fe49217 and 8c99467.

📒 Files selected for processing (2)

• Changelog.md
• src/App/Fossa/Ficus/Analyze.hs