@coana-tech/cli 14.11.12 → 14.11.14

package/cli.mjs

@@ -210065,7 +210065,7 @@ function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonPro
     case "NPM": {
       const base = basename7(manifestPath);
       const dir = dirname8(manifestPath);
-      return base === "package.json" ? dir === "" ? "." : dir : void 0;
+      return base === "package.json" ? dir || "." : void 0;
     }
     case "MAVEN": {
       return ".";
@@ -210096,6 +210096,11 @@ function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonPro
     case "RUST": {
       return dirname8(manifestPath) || ".";
     }
+    case "GO": {
+      const base = basename7(manifestPath);
+      const dir = dirname8(manifestPath);
+      return base === "go.mod" ? dir || "." : void 0;
+    }
     default: {
       return ".";
     }
@@ -225392,7 +225397,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.11.12";
+var version2 = "14.11.14";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -225572,7 +225577,7 @@ var CliCore = class {
         otherModulesCommunicator,
         this.rootWorkingDirectory,
         ecosystem,
-        ["NPM", "PIP"].includes(ecosystem) && isEcosystemToAnalyze
+        ["NPM", "PIP", "GO"].includes(ecosystem) && isEcosystemToAnalyze
       )).flat());
       this.sendProgress("RUN_ON_SUBPROJECT", false, this.rootWorkingDirectory);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.11.12",
+  "version": "14.11.14",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -9234,7 +9234,7 @@ var require_pipeline = __commonJS({
       if (typeof streams[streams.length - 1] !== "function") return noop4;
       return streams.pop();
     }
-    function pipeline() {
+    function pipeline2() {
       for (var _len = arguments.length, streams = new Array(_len), _key = 0; _key < _len; _key++) {
         streams[_key] = arguments[_key];
       }
@@ -9257,7 +9257,7 @@ var require_pipeline = __commonJS({
       });
       return streams.reduce(pipe);
     }
-    module.exports = pipeline;
+    module.exports = pipeline2;
   }
 });
 
@@ -11444,7 +11444,7 @@ var require_file = __commonJS({
     var fs12 = __require("fs");
     var path9 = __require("path");
     var asyncSeries = require_series();
-    var zlib2 = __require("zlib");
+    var zlib3 = __require("zlib");
     var { MESSAGE } = require_triple_beam();
     var { Stream: Stream2, PassThrough } = require_readable();
     var TransportStream = require_winston_transport();
@@ -12013,7 +12013,7 @@ var require_file = __commonJS({
           if (err) {
             return callback();
           }
-          var gzip = zlib2.createGzip();
+          var gzip = zlib3.createGzip();
           var inp = fs12.createReadStream(src);
           var out = fs12.createWriteStream(dest);
           out.on("finish", () => {
@@ -43748,7 +43748,7 @@ var require_client = __commonJS({
     var assert9 = __require("assert");
     var net = __require("net");
     var http2 = __require("http");
-    var { pipeline } = __require("stream");
+    var { pipeline: pipeline2 } = __require("stream");
     var util6 = require_util2();
     var timers = require_timers();
     var Request2 = require_request();
@@ -45166,7 +45166,7 @@ upgrade: ${upgrade}\r
         let onPipeData = function(chunk2) {
           request.onBodySent(chunk2);
         };
-        const pipe = pipeline(
+        const pipe = pipeline2(
           body,
           h2stream,
           (err) => {
@@ -46926,7 +46926,7 @@ var require_api_pipeline = __commonJS({
         util6.destroy(ret, err);
       }
     };
-    function pipeline(opts, handler) {
+    function pipeline2(opts, handler) {
       try {
         const pipelineHandler = new PipelineHandler(opts, handler);
         this.dispatch({ ...opts, body: pipelineHandler.req }, pipelineHandler);
@@ -46935,7 +46935,7 @@ var require_api_pipeline = __commonJS({
         return new PassThrough().destroy(err);
       }
     }
-    module.exports = pipeline;
+    module.exports = pipeline2;
   }
 });
 
@@ -49832,7 +49832,7 @@ var require_fetch = __commonJS({
     } = require_response();
     var { Headers } = require_headers();
     var { Request: Request2, makeRequest } = require_request2();
-    var zlib2 = __require("zlib");
+    var zlib3 = __require("zlib");
     var {
       bytesMatch,
       makePolicyContainer,
@@ -49876,7 +49876,7 @@ var require_fetch = __commonJS({
     } = require_constants3();
     var { kHeadersList } = require_symbols();
     var EE3 = __require("events");
-    var { Readable: Readable2, pipeline } = __require("stream");
+    var { Readable: Readable2, pipeline: pipeline2 } = __require("stream");
     var { addAbortListener, isErrored, isReadable: isReadable2, nodeMajor, nodeMinor } = require_util2();
     var { dataURLProcessor, serializeAMimeType } = require_dataURL();
     var { TransformStream } = __require("stream/web");
@@ -50773,18 +50773,18 @@ var require_fetch = __commonJS({
               if (request.method !== "HEAD" && request.method !== "CONNECT" && !nullBodyStatus.includes(status) && !willFollow) {
                 for (const coding of codings) {
                   if (coding === "x-gzip" || coding === "gzip") {
-                    decoders.push(zlib2.createGunzip({
+                    decoders.push(zlib3.createGunzip({
                       // Be less strict when decoding compressed responses, since sometimes
                       // servers send slightly invalid responses that are still accepted
                       // by common browsers.
                       // Always using Z_SYNC_FLUSH is what cURL does.
-                      flush: zlib2.constants.Z_SYNC_FLUSH,
-                      finishFlush: zlib2.constants.Z_SYNC_FLUSH
+                      flush: zlib3.constants.Z_SYNC_FLUSH,
+                      finishFlush: zlib3.constants.Z_SYNC_FLUSH
                     }));
                   } else if (coding === "deflate") {
-                    decoders.push(zlib2.createInflate());
+                    decoders.push(zlib3.createInflate());
                   } else if (coding === "br") {
-                    decoders.push(zlib2.createBrotliDecompress());
+                    decoders.push(zlib3.createBrotliDecompress());
                   } else {
                     decoders.length = 0;
                     break;
@@ -50795,7 +50795,7 @@ var require_fetch = __commonJS({
                 status,
                 statusText,
                 headersList: headers[kHeadersList],
-                body: decoders.length ? pipeline(this.body, ...decoders, () => {
+                body: decoders.length ? pipeline2(this.body, ...decoders, () => {
                 }) : this.body.on("error", () => {
                 })
               });
@@ -59413,7 +59413,7 @@ var require_upload_gzip = __commonJS({
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.createGZipFileInBuffer = exports.createGZipFileOnDisk = void 0;
     var fs12 = __importStar(__require("fs"));
-    var zlib2 = __importStar(__require("zlib"));
+    var zlib3 = __importStar(__require("zlib"));
     var util_1 = __require("util");
     var stat3 = (0, util_1.promisify)(fs12.stat);
     var gzipExemptFileExtensions = [
@@ -59449,7 +59449,7 @@ var require_upload_gzip = __commonJS({
         }
         return new Promise((resolve17, reject) => {
           const inputStream = fs12.createReadStream(originalFilePath);
-          const gzip = zlib2.createGzip();
+          const gzip = zlib3.createGzip();
           const outputStream = fs12.createWriteStream(tempFilePath);
           inputStream.pipe(gzip).pipe(outputStream);
           outputStream.on("finish", () => __awaiter(this, void 0, void 0, function* () {
@@ -59469,7 +59469,7 @@ var require_upload_gzip = __commonJS({
         return new Promise((resolve17) => __awaiter(this, void 0, void 0, function* () {
           var _a2, e_1, _b, _c;
           const inputStream = fs12.createReadStream(originalFilePath);
-          const gzip = zlib2.createGzip();
+          const gzip = zlib3.createGzip();
           inputStream.pipe(gzip);
           const chunks = [];
           try {
@@ -60071,7 +60071,7 @@ var require_download_http_client = __commonJS({
     exports.DownloadHttpClient = void 0;
     var fs12 = __importStar(__require("fs"));
     var core = __importStar(require_core());
-    var zlib2 = __importStar(__require("zlib"));
+    var zlib3 = __importStar(__require("zlib"));
     var utils_1 = require_utils3();
     var url_1 = __require("url");
     var status_reporter_1 = require_status_reporter();
@@ -60249,7 +60249,7 @@ var require_download_http_client = __commonJS({
         return __awaiter(this, void 0, void 0, function* () {
           yield new Promise((resolve17, reject) => {
             if (isGzip) {
-              const gunzip = zlib2.createGunzip();
+              const gunzip = zlib3.createGunzip();
               response.message.on("error", (error) => {
                 core.info(`An error occurred while attempting to read the response stream`);
                 gunzip.close();
@@ -66504,14 +66504,14 @@ var require_headers2 = __commonJS({
 var require_deflater = __commonJS({
   "../../node_modules/.pnpm/adm-zip@0.5.16/node_modules/adm-zip/methods/deflater.js"(exports, module) {
     module.exports = function(inbuf) {
-      var zlib2 = __require("zlib");
+      var zlib3 = __require("zlib");
       var opts = { chunkSize: (parseInt(inbuf.length / 1024) + 1) * 1024 };
       return {
         deflate: function() {
-          return zlib2.deflateRawSync(inbuf, opts);
+          return zlib3.deflateRawSync(inbuf, opts);
         },
         deflateAsync: function(callback) {
-          var tmp = zlib2.createDeflateRaw(opts), parts = [], total = 0;
+          var tmp = zlib3.createDeflateRaw(opts), parts = [], total = 0;
           tmp.on("data", function(data2) {
             parts.push(data2);
             total += data2.length;
@@ -66538,14 +66538,14 @@ var require_inflater = __commonJS({
   "../../node_modules/.pnpm/adm-zip@0.5.16/node_modules/adm-zip/methods/inflater.js"(exports, module) {
     var version3 = +(process.versions ? process.versions.node : "").split(".")[0] || 0;
     module.exports = function(inbuf, expectedLength) {
-      var zlib2 = __require("zlib");
+      var zlib3 = __require("zlib");
       const option = version3 >= 15 && expectedLength > 0 ? { maxOutputLength: expectedLength } : {};
       return {
         inflate: function() {
-          return zlib2.inflateRawSync(inbuf, option);
+          return zlib3.inflateRawSync(inbuf, option);
         },
         inflateAsync: function(callback) {
-          var tmp = zlib2.createInflateRaw(option), parts = [], total = 0;
+          var tmp = zlib3.createInflateRaw(option), parts = [], total = 0;
           tmp.on("data", function(data2) {
             parts.push(data2);
             total += data2.length;
@@ -94983,32 +94983,48 @@ function transformSourceLocations(fileMappings, detectedOccurrences) {
 // dist/whole-program-code-aware-vulnerability-scanner/go/go-code-aware-vulnerability-scanner.js
 var import_lodash11 = __toESM(require_lodash(), 1);
 import assert4 from "assert";
-import { existsSync as existsSync9 } from "fs";
+import { existsSync as existsSync9, createReadStream, createWriteStream as createWriteStream2 } from "fs";
 import { readFile as readFile7, rm as rm4, cp as cp4 } from "fs/promises";
+import zlib2 from "zlib";
 import { join as join13, resolve as resolve10, sep } from "path";
+import { pipeline } from "stream/promises";
 var { uniq: uniq5 } = import_lodash11.default;
 var GoCodeAwareVulnerabilityScanner = class {
   projectDir;
-  timeoutInSeconds;
+  options;
   name = "GOANA";
-  constructor(projectDir, timeoutInSeconds) {
+  constructor(projectDir, options = {}) {
     this.projectDir = projectDir;
-    this.timeoutInSeconds = timeoutInSeconds;
+    this.options = options;
+  }
+  get compressedGoanaBinaryName() {
+    const { platform: platform6, arch } = process;
+    const rarch = arch === "arm" ? "arm64" : arch === "x64" ? "amd64" : arch;
+    return `goana-${platform6}-${rarch}.gz`;
   }
   async runAnalysis(vulns, heuristic, _analyzesAllVulns) {
     logger.info("Started instantiating Go code-aware analysis");
     if (!existsSync9(join13(this.projectDir, "go.mod")))
       throw new Error("go.mod file not found in the project directory");
+    const { timeoutInSeconds, memoryLimitInMB } = this.options;
     const tmpDir = await createTmpDirectory("goana-output");
     const vulnsOutputFile = join13(tmpDir, "vulns.json");
     const diagnosticsOutputFile = join13(tmpDir, "diagnostics.json");
     try {
+      const binaryName = this.compressedGoanaBinaryName;
+      const binaryPath = join13(COANA_REPOS_PATH(), "goana/bin", binaryName);
+      if (!await exists(binaryPath))
+        throw new Error(`goana binary '${binaryName}' not found`);
+      await pipeline(createReadStream(binaryPath), zlib2.createGunzip(), createWriteStream2(join13(tmpDir, "goana"), { mode: 493 }));
       const vulnAccPaths = uniq5(vulns.flatMap((v) => v.vulnerabilityAccessPaths));
-      const { error, stderr } = await execNeverFail(cmdt`${COANA_REPOS_PATH()}/goana/goana
+      const { error, stderr } = await execNeverFail(cmdt`${join13(tmpDir, "goana")}
           -output-vulnerabilities ${vulnsOutputFile}
           -output-diagnostics ${diagnosticsOutputFile}
           -topk=4 ${heuristic.includeTests && "-tests"}
-          ${this.projectDir} ${vulnAccPaths}`, void 0, { timeout: this.timeoutInSeconds ? this.timeoutInSeconds * 1e3 : void 0 });
+          ${this.projectDir} ${vulnAccPaths}`, void 0, {
+        timeout: timeoutInSeconds ? timeoutInSeconds * 1e3 : void 0,
+        env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${memoryLimitInMB}MiB` } : void 0
+      });
       if (error) {
         logger.error("Error running Go code-aware analysis", error);
         const timeout = !!error.killed;
@@ -95045,7 +95061,7 @@ ${stderr}`);
       await rm4(tmpDir, { recursive: true, force: true });
     }
   }
-  static async runOnDependencyChain([first2, ...rest], vuln, timeoutInSeconds) {
+  static async runOnDependencyChain([first2, ...rest], vuln, options = {}) {
     assert4(first2.version);
     const { Dir, GoMod } = JSON.parse(await runCommandResolveStdOut(cmdt`go mod download -json ${first2.packageName}@v${first2.version}`));
     const projectDir = await createTmpDirectory("go-run-on-dependency-chain-");
@@ -95062,7 +95078,7 @@ ${stderr}`);
         await runGoModTidy(projectDir);
       }
       const heuristic = GoanaHeuristics.NO_TESTS;
-      const result = await new this(projectDir, timeoutInSeconds).runAnalysis([vuln], heuristic, true);
+      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
       if (result.type === "error")
         return {
           error: result.message,
@@ -95078,7 +95094,7 @@ ${stderr}`);
       await rm4(projectDir, { recursive: true, force: true });
     }
   }
-  static async runOnAlreadyDownloadedPackages(packages, vuln, timeoutInSeconds) {
+  static async runOnAlreadyDownloadedPackages(packages, vuln, options = {}) {
     for (const pkg of packages)
       assert4(existsSync9(join13(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
     const [app, ...dependencies] = packages;
@@ -95095,7 +95111,7 @@ ${stderr}`);
         await runGoModTidy(projectDir);
       }
       const heuristic = GoanaHeuristics.NO_TESTS;
-      const result = await new this(projectDir, timeoutInSeconds).runAnalysis([vuln], heuristic, true);
+      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
       if (result.type === "error")
         return {
           error: result.message,
@@ -96170,7 +96186,10 @@ async function analyzePackages(ecosystem, packages, vulnerability, options) {
       break;
     case "GO":
       analysisName = "Goana";
-      result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options?.timeoutInSeconds ?? 60);
+      result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, {
+        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
+        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
+      });
       break;
     case "RUST":
       analysisName = "Rustica";
@@ -96215,7 +96234,10 @@ async function analyzeAlreadyInstalledPackages(ecosystem, packages, vulnerabilit
       break;
     case "GO":
       analysisName = "Goana";
-      result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options?.timeoutInSeconds ?? 60);
+      result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
+        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
+        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
+      });
       break;
     case "RUST":
       analysisName = "Rustica";
@@ -96270,7 +96292,7 @@ async function getVersion(analysisName) {
 // dist/whole-program-code-aware-vulnerability-scanner/python/python-code-aware-vulnerability-scanner.js
 var import_semver2 = __toESM(require_semver2(), 1);
 var { omit, once: once3, pick, sortedUniq, uniqBy } = import_lodash14.default;
-var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilityScanner {
+var PythonCodeAwareVulnerabilityScanner = class {
   state;
   projectDir;
   name = "MAMBALADE";
@@ -96295,9 +96317,7 @@ var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilitySca
   async runAnalysis(vulns, heuristic, analyzesAllVulns) {
     if (!this.virtualEnvInfo)
       throw new Error("Virtual environment not set up");
-    if (!this.mambaladeVenvPath) {
-      await this.setupMambalade();
-    }
+    this.mambaladeVenvPath ??= await setupMambalade();
     logger.info("Started instantiating Python code-aware analysis");
     logger.debug(`Trying to find files to analyze from projectDir: ${this.projectDir}`);
     const { rootWorkingDir, reachabilityAnalysisOptions } = this.state;
@@ -96429,7 +96449,7 @@ ${msg}`;
       logger.info(`Copying ${app} to ${projectDir}`);
       await cp5(app, projectDir, { recursive: true });
       fileMappings.set(projectDir, app);
-      const scanner = new _PythonCodeAwareVulnerabilityScanner({
+      const scanner = new this({
         rootWorkingDir: projectTmpDir,
         reachabilityAnalysisOptions: options
       }, projectTmpDir);
@@ -96608,22 +96628,6 @@ ${msg}`;
   getVirtualEnvInfo() {
     return this.virtualEnvInfo;
   }
-  async setupMambalade() {
-    const venvDir = await createTmpDirectory("mambalade-venv");
-    logger.info("Creating Mambalade virtual environment");
-    const pythonInterpreter = await getPythonInterpreter();
-    await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
-    const mambaladeWheelsPath = join15(COANA_REPOS_PATH(), "mambalade", "dist");
-    const wheelFiles = await readdir3(mambaladeWheelsPath);
-    const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join15(mambaladeWheelsPath, f2));
-    if (mambaladeWheels.length === 0) {
-      throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
-    }
-    logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
-    await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
-    this.mambaladeVenvPath = venvDir;
-    logger.info("Mambalade virtual environment setup complete");
-  }
   // async [Symbol.asyncDispose]() {
   async cleanup() {
     if (this.virtualEnvInfo?.temporary) {
@@ -96684,6 +96688,21 @@ async function getPythonInterpreter() {
     return "python3";
   throw new Error(`No Python ${pythonVersionRequired} interpreter found`);
 }
+async function setupMambalade() {
+  const venvDir = await createTmpDirectory("mambalade-venv");
+  logger.info("Creating Mambalade virtual environment");
+  const pythonInterpreter = await getPythonInterpreter();
+  await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
+  const mambaladeWheelsPath = join15(COANA_REPOS_PATH(), "mambalade", "dist");
+  const wheelFiles = await readdir3(mambaladeWheelsPath);
+  const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join15(mambaladeWheelsPath, f2));
+  if (!mambaladeWheels.length)
+    throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
+  logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
+  await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
+  logger.info("Mambalade virtual environment setup complete");
+  return venvDir;
+}
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/phantom-deps.js
 var { uniq: uniq8 } = import_lodash15.default;
@@ -97208,7 +97227,7 @@ var GoAnalyzer = class {
     const vulnerablePackages = uniq9(vulns.flatMap((v) => v.vulnerabilityAccessPaths.map((vap) => vap.split(":")[0])));
     const irrelevantPackages = new Set(await getIrrelevantPackages(this.projectDir, vulnerablePackages));
     const [unreachableVulns, otherVulns] = partition2(vulns, (v) => v.vulnerabilityAccessPaths.every((vap) => irrelevantPackages.has(vap.split(":")[0])));
-    const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, [GoanaHeuristics.DEFAULT], false, new GoCodeAwareVulnerabilityScanner(this.projectDir, this.state.reachabilityAnalysisOptions.timeoutInSeconds), analysisMetadataCollector, statusUpdater) : [];
+    const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, [GoanaHeuristics.DEFAULT], false, new GoCodeAwareVulnerabilityScanner(this.projectDir, this.state.reachabilityAnalysisOptions), analysisMetadataCollector, statusUpdater) : [];
     if (unreachableVulns.length) {
       const heuristicName = GoanaHeuristics.IMPORT_REACHABILITY.name;
       const detectedOccurrences = {