@coana-tech/cli 13.17.13 → 13.17.15
- package/cli.js +95 -6
- package/package.json +1 -1
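--- a/package/cli.js
+++ b/package/cli.js
@@ -101411,6 +101411,42 @@ var init_vuln_chain_detail_utils = __esm({
 }
 });
 
+// ../utils/src/vulnerable-paths-utils.ts
+var vulnerable_paths_utils_exports = {};
+__export(vulnerable_paths_utils_exports, {
+addPathToTrie: () => addPathToTrie,
+isShortestPath: () => isShortestPath,
+mkTrie: () => mkTrie
+});
+function mkTrie() {
+return { children: {}, leaf: false };
+}
+function addPathToTrie(root3, vulnPath) {
+if (!vulnPath.length) return;
+let curr = root3;
+let i5 = vulnPath.length - 1;
+while (i5 >= 0) {
+curr = curr.children[vulnPath[i5]] ??= { children: {}, leaf: false };
+--i5;
+}
+curr.leaf = true;
+}
+function isShortestPath(root3, vulnPath) {
+let curr = root3;
+let i5 = vulnPath.length - 1;
+while (i5 >= 0) {
+if (!curr || curr.leaf) return false;
+curr = curr.children[vulnPath[i5]];
+--i5;
+}
+return curr !== null;
+}
+var init_vulnerable_paths_utils = __esm({
+"../utils/src/vulnerable-paths-utils.ts"() {
+"use strict";
+}
+});
+
 // dist/internal/constants.js
 var require_constants8 = __commonJS({
 "dist/internal/constants.js"(exports2) {
@@ -185166,7 +185202,7 @@ var require_version = __commonJS({
 "use strict";
 Object.defineProperty(exports2, "__esModule", { value: true });
 exports2.version = void 0;
-exports2.version = "13.17.
+exports2.version = "13.17.15";
 }
 });
 
@@ -185196,6 +185232,7 @@ var require_cli_core = __commonJS({
 var vuln_chain_detail_utils_1 = (init_vuln_chain_detail_utils(), __toCommonJS(vuln_chain_detail_utils_exports));
 var vulnerability_reachability_1 = (init_vulnerability_reachability(), __toCommonJS(vulnerability_reachability_exports));
 var other_modules_communicator_1 = (init_other_modules_communicator(), __toCommonJS(other_modules_communicator_exports));
+var vulnerable_paths_utils_1 = (init_vulnerable_paths_utils(), __toCommonJS(vulnerable_paths_utils_exports));
 var constants_1 = require_constants8();
 var dashboard_integration_1 = (init_dashboard_integration(), __toCommonJS(dashboard_integration_exports));
 var vulnerability_scanning_1 = require_vulnerability_scanning();
@@ -185433,7 +185470,50 @@ var require_cli_core = __commonJS({
 async runOnSubproject(otherModulesCommunicator, subProjAndWsPath, reachabilitySupported) {
 const { packageManagerName, subprojectPath, workspacePaths } = subProjAndWsPath;
 this.sendProgress("RUN_ON_SUBPROJECT", true, subprojectPath);
+const rootWorkingDirectory = this.rootWorkingDirectory;
+const ecosystem = subProjAndWsPath.ecosystem;
 try {
+let pruneVulnerablePathsToShortestPathsOnly = function(ecosystem2, workspaceToAugmentedVulnerabilities2) {
+const vulnerabilityToWorkspaceToCodeAwareScanSuccess = {};
+for (const [workspacePath, augmentedVulnerabilities] of Object.entries(workspaceToAugmentedVulnerabilities2)) {
+augmentedVulnerabilities.forEach((augmentedVulnerability) => {
+const url2 = augmentedVulnerability.url;
+const results = augmentedVulnerability.results;
+if (results.type === "success") {
+(vulnerabilityToWorkspaceToCodeAwareScanSuccess[url2] ??= {})[workspacePath] = results;
+}
+});
+}
+const serialize3 = (t3) => `${t3.package}#${t3.class}`.toLowerCase();
+for (const workspaceToCodeAwareScanSuccess of Object.values(vulnerabilityToWorkspaceToCodeAwareScanSuccess)) {
+const trie = (0, vulnerable_paths_utils_1.mkTrie)();
+for (const codeAwareScanSuccess of Object.values(workspaceToCodeAwareScanSuccess)) {
+codeAwareScanSuccess.detectedOccurrences.forEach((detectedOccurence) => {
+detectedOccurence.affectedAppCodePoints.forEach((affectedAppCodePoint) => {
+(0, vulnerable_paths_utils_1.addPathToTrie)(trie, affectedAppCodePoint.map(serialize3));
+});
+});
+}
+for (const codeAwareScanSuccess of Object.values(workspaceToCodeAwareScanSuccess)) {
+codeAwareScanSuccess.detectedOccurrences = codeAwareScanSuccess.detectedOccurrences.filter((detectedOccurence) => {
+detectedOccurence.affectedAppCodePoints = detectedOccurence.affectedAppCodePoints.filter((affectedAppCodePoint) => {
+return (0, vulnerable_paths_utils_1.isShortestPath)(trie, affectedAppCodePoint.map(serialize3));
+});
+if (ecosystem2 === "MAVEN") {
+detectedOccurence.affectedAppCodePoints = detectedOccurence.affectedAppCodePoints.map((path2) => {
+if (path2.length < 2)
+throw new Error("The path should always have length at least two.");
+return {
+appClass: path2[0].class,
+reference: path2[1]
+};
+});
+}
+return detectedOccurence.affectedAppCodePoints.length > 0;
+});
+}
+}
+};
 this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", true, subprojectPath);
 const projectInfo = await otherModulesCommunicator.prepareProjectAndGetProjectData(packageManagerName, subprojectPath, workspacePaths, this.options.providerProject ? await this.runOnProvider(this.options.providerProject) : void 0);
 this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", false, subprojectPath);
@@ -185454,9 +185534,12 @@ var require_cli_core = __commonJS({
 this.sendProgress("SCAN_FOR_VULNERABILITIES", false, subprojectPath, workspacePath);
 }
 })));
-
+const workspaceToDependencyTree = Object.fromEntries(workspacePaths.map((workspacePath) => [
+workspacePath,
+projectInfo[workspacePath].dataForAnalysis.dependencyTree
+]));
+const workspaceToAugmentedVulnerabilities = Object.fromEntries(await (0, async_1.asyncMap)(workspacePaths, async (workspacePath) => {
 const dataForAnalysis = projectInfo[workspacePath].dataForAnalysis;
-const ecosystem = dataForAnalysis.type ?? "NPM";
 const vulnerabilities = workspaceToVulnerabilities[workspacePath];
 const augmentedVulnerabilities = reachabilitySupported ? await this.runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, dataForAnalysis, vulnerabilities) : vulnerabilities.map((v) => ({
 ...v,
@@ -185465,14 +185548,20 @@ var require_cli_core = __commonJS({
 message: `Reachability analysis for languages using ${ecosystem} not supported yet`
 }
 }));
+return [workspacePath, augmentedVulnerabilities];
+}));
+if (ecosystem === "MAVEN" || ecosystem === "NUGET") {
+pruneVulnerablePathsToShortestPathsOnly(ecosystem, workspaceToAugmentedVulnerabilities);
+}
+return workspacePaths.map((workspacePath) => {
 const codeAwareScanResultsForAllPackages = [];
-codeAwareScanResultsForAllPackages.push(...transformToReportVulnerabilities(
+codeAwareScanResultsForAllPackages.push(...transformToReportVulnerabilities(workspaceToAugmentedVulnerabilities[workspacePath], projectInfo[workspacePath].directDependenciesMap ?? {}, subprojectPath, workspacePath, rootWorkingDirectory));
 return {
-subprojectPath: (0, path_1.relative)(
+subprojectPath: (0, path_1.relative)(rootWorkingDirectory, subprojectPath) || ".",
 workspacePath,
 directDependencies: projectInfo[workspacePath].directDependenciesMap ?? {},
 vulnerabilities: codeAwareScanResultsForAllPackages,
-dependencyTree:
+dependencyTree: workspaceToDependencyTree[workspacePath]
 };
 });
 } finally {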