@coana-tech/cli 14.11.12 → 14.11.13
- package/cli.mjs +1 -1
- package/package.json +1 -1
- package/reachability-analyzers-cli.mjs +39 -32
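--- a/package/cli.mjs
+++ b/package/cli.mjs
@@ -225392,7 +225392,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.11.
+var version2 = "14.11.13";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;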
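--- a/package/package.json
+++ b/package/package.json
@@ -94989,16 +94989,17 @@ import { join as join13, resolve as resolve10, sep } from "path";
 var { uniq: uniq5 } = import_lodash11.default;
 var GoCodeAwareVulnerabilityScanner = class {
 projectDir;
-
+options;
 name = "GOANA";
-constructor(projectDir,
+constructor(projectDir, options = {}) {
 this.projectDir = projectDir;
-this.
+this.options = options;
 }
 async runAnalysis(vulns, heuristic, _analyzesAllVulns) {
 logger.info("Started instantiating Go code-aware analysis");
 if (!existsSync9(join13(this.projectDir, "go.mod")))
 throw new Error("go.mod file not found in the project directory");
+const { timeoutInSeconds, memoryLimitInMB } = this.options;
 const tmpDir = await createTmpDirectory("goana-output");
 const vulnsOutputFile = join13(tmpDir, "vulns.json");
 const diagnosticsOutputFile = join13(tmpDir, "diagnostics.json");
@@ -95008,7 +95009,10 @@ var GoCodeAwareVulnerabilityScanner = class {
 -output-vulnerabilities ${vulnsOutputFile}
 -output-diagnostics ${diagnosticsOutputFile}
 -topk=4 ${heuristic.includeTests && "-tests"}
-${this.projectDir} ${vulnAccPaths}`, void 0, {
+${this.projectDir} ${vulnAccPaths}`, void 0, {
+timeout: timeoutInSeconds ? timeoutInSeconds * 1e3 : void 0,
+env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${memoryLimitInMB}MB` } : void 0
+});
 if (error) {
 logger.error("Error running Go code-aware analysis", error);
 const timeout = !!error.killed;
@@ -95045,7 +95049,7 @@ ${stderr}`);
 await rm4(tmpDir, { recursive: true, force: true });
 }
 }
-static async runOnDependencyChain([first2, ...rest], vuln,
+static async runOnDependencyChain([first2, ...rest], vuln, options = {}) {
 assert4(first2.version);
 const { Dir, GoMod } = JSON.parse(await runCommandResolveStdOut(cmdt`go mod download -json ${first2.packageName}@v${first2.version}`));
 const projectDir = await createTmpDirectory("go-run-on-dependency-chain-");
@@ -95062,7 +95066,7 @@ ${stderr}`);
 await runGoModTidy(projectDir);
 }
 const heuristic = GoanaHeuristics.NO_TESTS;
-const result = await new this(projectDir,
+const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
 if (result.type === "error")
 return {
 error: result.message,
@@ -95078,7 +95082,7 @@ ${stderr}`);
 await rm4(projectDir, { recursive: true, force: true });
 }
 }
-static async runOnAlreadyDownloadedPackages(packages, vuln,
+static async runOnAlreadyDownloadedPackages(packages, vuln, options = {}) {
 for (const pkg of packages)
 assert4(existsSync9(join13(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
 const [app, ...dependencies] = packages;
@@ -95095,7 +95099,7 @@ ${stderr}`);
 await runGoModTidy(projectDir);
 }
 const heuristic = GoanaHeuristics.NO_TESTS;
-const result = await new this(projectDir,
+const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
 if (result.type === "error")
 return {
 error: result.message,
@@ -96170,7 +96174,10 @@ async function analyzePackages(ecosystem, packages, vulnerability, options) {
 break;
 case "GO":
 analysisName = "Goana";
-result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability,
+result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, {
+timeoutInSeconds: options?.timeoutInSeconds ?? 60,
+memoryLimitInMB: options?.memoryLimitInMB ?? 16384
+});
 break;
 case "RUST":
 analysisName = "Rustica";
@@ -96215,7 +96222,10 @@ async function analyzeAlreadyInstalledPackages(ecosystem, packages, vulnerabilit
 break;
 case "GO":
 analysisName = "Goana";
-result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability,
+result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
+timeoutInSeconds: options?.timeoutInSeconds ?? 60,
+memoryLimitInMB: options?.memoryLimitInMB ?? 16384
+});
 break;
 case "RUST":
 analysisName = "Rustica";
@@ -96270,7 +96280,7 @@ async function getVersion(analysisName) {
 // dist/whole-program-code-aware-vulnerability-scanner/python/python-code-aware-vulnerability-scanner.js
 var import_semver2 = __toESM(require_semver2(), 1);
 var { omit, once: once3, pick, sortedUniq, uniqBy } = import_lodash14.default;
-var PythonCodeAwareVulnerabilityScanner = class
+var PythonCodeAwareVulnerabilityScanner = class {
 state;
 projectDir;
 name = "MAMBALADE";
@@ -96295,9 +96305,7 @@ var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilitySca
 async runAnalysis(vulns, heuristic, analyzesAllVulns) {
 if (!this.virtualEnvInfo)
 throw new Error("Virtual environment not set up");
-
-await this.setupMambalade();
-}
+this.mambaladeVenvPath ??= await setupMambalade();
 logger.info("Started instantiating Python code-aware analysis");
 logger.debug(`Trying to find files to analyze from projectDir: ${this.projectDir}`);
 const { rootWorkingDir, reachabilityAnalysisOptions } = this.state;
@@ -96429,7 +96437,7 @@ ${msg}`;
 logger.info(`Copying ${app} to ${projectDir}`);
 await cp5(app, projectDir, { recursive: true });
 fileMappings.set(projectDir, app);
-const scanner = new
+const scanner = new this({
 rootWorkingDir: projectTmpDir,
 reachabilityAnalysisOptions: options
 }, projectTmpDir);
@@ -96608,22 +96616,6 @@ ${msg}`;
 getVirtualEnvInfo() {
 return this.virtualEnvInfo;
 }
-async setupMambalade() {
-const venvDir = await createTmpDirectory("mambalade-venv");
-logger.info("Creating Mambalade virtual environment");
-const pythonInterpreter = await getPythonInterpreter();
-await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
-const mambaladeWheelsPath = join15(COANA_REPOS_PATH(), "mambalade", "dist");
-const wheelFiles = await readdir3(mambaladeWheelsPath);
-const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join15(mambaladeWheelsPath, f2));
-if (mambaladeWheels.length === 0) {
-throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
-}
-logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
-await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
-this.mambaladeVenvPath = venvDir;
-logger.info("Mambalade virtual environment setup complete");
-}
 // async [Symbol.asyncDispose]() {
 async cleanup() {
 if (this.virtualEnvInfo?.temporary) {
@@ -96684,6 +96676,21 @@ async function getPythonInterpreter() {
 return "python3";
 throw new Error(`No Python ${pythonVersionRequired} interpreter found`);
 }
+async function setupMambalade() {
+const venvDir = await createTmpDirectory("mambalade-venv");
+logger.info("Creating Mambalade virtual environment");
+const pythonInterpreter = await getPythonInterpreter();
+await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
+const mambaladeWheelsPath = join15(COANA_REPOS_PATH(), "mambalade", "dist");
+const wheelFiles = await readdir3(mambaladeWheelsPath);
+const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join15(mambaladeWheelsPath, f2));
+if (!mambaladeWheels.length)
+throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
+logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
+await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
+logger.info("Mambalade virtual environment setup complete");
+return venvDir;
+}
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/phantom-deps.js
 var { uniq: uniq8 } = import_lodash15.default;
@@ -97208,7 +97215,7 @@ var GoAnalyzer = class {
 const vulnerablePackages = uniq9(vulns.flatMap((v) => v.vulnerabilityAccessPaths.map((vap) => vap.split(":")[0])));
 const irrelevantPackages = new Set(await getIrrelevantPackages(this.projectDir, vulnerablePackages));
 const [unreachableVulns, otherVulns] = partition2(vulns, (v) => v.vulnerabilityAccessPaths.every((vap) => irrelevantPackages.has(vap.split(":")[0])));
-const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, [GoanaHeuristics.DEFAULT], false, new GoCodeAwareVulnerabilityScanner(this.projectDir, this.state.reachabilityAnalysisOptions
+const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, [GoanaHeuristics.DEFAULT], false, new GoCodeAwareVulnerabilityScanner(this.projectDir, this.state.reachabilityAnalysisOptions), analysisMetadataCollector, statusUpdater) : [];
 if (unreachableVulns.length) {
 const heuristicName = GoanaHeuristics.IMPORT_REACHABILITY.name;
 const detectedOccurrences = {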
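Review bot: The `GOMEMLIMIT` value built in the `@@ -95008` hunk, `` `${memoryLimitInMB}MB` ``, uses a unit suffix the Go runtime does not accept: GOMEMLIMIT is parsed by the runtime's parseByteCount, which allows only `B`, `KiB`, `MiB`, `GiB` and `TiB` (`^[0-9]+(([KMGT]i)?B)?$`) and aborts the process with "malformed GOMEMLIMIT" on anything else, so if the goana analyzer is a Go binary every run with the new 16384 default would die before analysis starts and surface as a non-timeout failure at `if (error)`. The fix is the suffix, `` GOMEMLIMIT: `${memoryLimitInMB}MiB` ``, plus a comment that this is not a hard cap, e.g. `// GOMEMLIMIT is a soft GC target: the Go runtime aims at it but RSS can still exceed it`. The `timeout` and `env` ternaries treat `0` as "unset" (`void 0`); if `0` is meant to disable the limit that deserves a comment, otherwise `!= null` is the intended check. runAnalysis starts in the preceding hunk and continues past this one. This section is labelled `package/package.json`, but its 94989+ line numbers and the +39/-32 diffstat at the top of the page match `package/reachability-analyzers-cli.mjs`, so the label appears to be misattributed.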