@coana-tech/cli 14.11.14 → 14.11.16

package/cli.mjs

@@ -197870,6 +197870,41 @@ async function registerAnalysisMetadataSocket(subprojectPath, workspacePath, eco
     handleError(error, "Error registering analysis metadata", false);
   }
 }
+async function getLatestBucketsSocket(subprojectPath, workspacePath) {
+  try {
+    const url2 = getSocketApiUrl("tier1-reachability-scan/latest-buckets");
+    const params = {
+      workspacePath,
+      subprojectPath,
+      repoName: process.env.SOCKET_REPO_NAME,
+      branchName: process.env.SOCKET_BRANCH_NAME
+    };
+    const response = await axios2.get(url2, {
+      headers: getAuthHeaders(),
+      params
+    });
+    const responseData = response.data;
+    if (responseData.type !== "success") {
+      throw new Error(response.data.reason);
+    }
+    return {
+      cliVersion: responseData.value.coana_cli_version,
+      buckets: responseData.value.buckets.map((b) => ({
+        vulnUrls: b.ghsas,
+        heuristicName: b.heuristicName
+      }))
+    };
+  } catch (error) {
+    if (error?.response?.data?.message === "No successful report found") {
+      return void 0;
+    }
+    logger.warn(
+      "Unable to retrieve cached analysis configuration. Will continue with default configuration.",
+      error?.message
+    );
+    return void 0;
+  }
+}
 async function useSocketComputeFixEndpoint(artifacts, vulnerableArtifactIdsForGhsas) {
   try {
     const url2 = getSocketApiUrl("fixes/compute-fixes");
@@ -197945,7 +197980,8 @@ function getSocketAPI() {
     sendErrorReportToSocketDashboard,
     registerSubprojectsSocket,
     registerCLIProgressSocket,
-    registerAnalysisMetadataSocket
+    registerAnalysisMetadataSocket,
+    getLatestBucketsSocket
   };
 }
 
@@ -205338,7 +205374,7 @@ var getNpmBin = once(async () => {
   return npmBin;
 });
 async function actuallyRunInstall(specificPackagesArgs = [], dir) {
-  const installationCommand = cmdt2`${await getNpmBin()} install -f --ignore-scripts --no-fund --no-audit ${specificPackagesArgs}`;
+  const installationCommand = cmdt2`${await getNpmBin()} install -f --ignore-scripts --no-fund --no-audit --no-progress ${specificPackagesArgs}`;
   logger.info(`running installation command: ${installationCommand}`);
   return execAndLogOnFailure2(installationCommand, dir);
 }
@@ -205446,6 +205482,8 @@ var NpmFixingManager = class extends NpmEcosystemFixingManager {
     }
   }
   async finalizeFixes() {
+    logger.info(`Adjusting lock file changes by running a npm install command`);
+    await actuallyRunInstall(void 0, resolve9(this.rootDir, this.subprojectPath));
   }
 };
 
@@ -205454,7 +205492,16 @@ import { readFile as readFile12, writeFile as writeFile4 } from "fs/promises";
 import { resolve as resolve10 } from "path";
 var import_yaml = __toESM(require_dist10(), 1);
 var import_lockfile_file2 = __toESM(require_lib25(), 1);
+import { existsSync as existsSync9 } from "fs";
 var PnpmFixingManager = class extends NpmEcosystemFixingManager {
+  pnpmMajorVersion;
+  async getPnpmMajorVersion() {
+    if (!this.pnpmMajorVersion) {
+      const pnpmVersion = await runCommandResolveStdOut(cmdt`pnpm -v`);
+      this.pnpmMajorVersion = parseInt(pnpmVersion.trim().split(".")[0]);
+    }
+    return this.pnpmMajorVersion;
+  }
   async installSpecificPackages(workspacePath, isDev, packagesToInstall) {
     try {
       const isInstallingInRootOfWorkspace = workspacePath === "." && (await getWorkspacePathsFromPnpmLockFile(this.rootDir, false)).length > 1;
@@ -205473,7 +205520,7 @@ var PnpmFixingManager = class extends NpmEcosystemFixingManager {
     }
   }
   async actuallyRunInstall(specificPackagesCmd = [], workspacePath = ".") {
-    const installationCommand = cmdt`pnpm install --ignore-scripts ${specificPackagesCmd}`;
+    const installationCommand = cmdt`pnpm install --ignore-scripts${await this.getPnpmMajorVersion() >= 9 && specificPackagesCmd.length === 0 ? "--no-frozen-lockfile" : ""} --config.confirmModulesPurge=false ${specificPackagesCmd}`;
     logger.info(`running installation command: ${installationCommand}`);
     await exec(installationCommand, resolve10(this.rootDir, this.subprojectPath, workspacePath));
   }
@@ -205556,6 +205603,11 @@ var PnpmFixingManager = class extends NpmEcosystemFixingManager {
           ])
         );
         const pnpmWorkspaceYamlFile = resolve10(this.rootDir, this.subprojectPath, "pnpm-workspace.yaml");
+        if (!existsSync9(pnpmWorkspaceYamlFile)) {
+          throw new Error(
+            `pnpm-workspace.yaml could not be found in ${pnpmWorkspaceYamlFile}. The lockfile indicates that pnpm catalogs are used and they must be updated, which is not possible without a pnpm-workspace.yaml file`
+          );
+        }
         const yamlAST = await readYamlFile(pnpmWorkspaceYamlFile);
         fixCatalogVersions(yamlAST, catalogFixes);
         await writeYamlFile(yamlAST, pnpmWorkspaceYamlFile);
@@ -205567,7 +205619,7 @@ var PnpmFixingManager = class extends NpmEcosystemFixingManager {
     }
   }
   async finalizeFixes() {
-    const cmd = cmdt`pnpm install --ignore-scripts --fix-lockfile`;
+    const cmd = cmdt`pnpm install --ignore-scripts --fix-lockfile --config.confirmModulesPurge=false `;
     logger.info(`Adjusting lock file changes by running '${cmd}'`);
     await exec(cmd, resolve10(this.rootDir, this.subprojectPath));
   }
@@ -205621,7 +205673,7 @@ import { resolve as resolve12 } from "path";
 
 // ../utils/src/package-utils.ts
 import { parse as parse2, join as join7, resolve as resolve11, normalize as normalize3, dirname as dirname4, basename as basename3, relative as relative4 } from "path";
-import { existsSync as existsSync9, readFileSync as readFileSync2, readdirSync as readdirSync3, statSync as statSync3, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync10, readFileSync as readFileSync2, readdirSync as readdirSync3, statSync as statSync3, writeFileSync as writeFileSync2 } from "fs";
 function setFieldInPackageJson(workspaceRoot, field, value) {
   const packageJSONContentObj = getPackageJsonObject2(workspaceRoot);
   if (!packageJSONContentObj) return void 0;
@@ -205638,7 +205690,7 @@ function writePackageJsonContent(workspaceRoot, packageJsonContent) {
 }
 function getPackageJsonContent2(workspaceRoot) {
   const packageJsonPath = getPackageJSONPath2(workspaceRoot);
-  if (existsSync9(packageJsonPath)) return readFileSync2(packageJsonPath, "utf8");
+  if (existsSync10(packageJsonPath)) return readFileSync2(packageJsonPath, "utf8");
   return void 0;
 }
 function getPackageJSONPath2(workspaceRoot) {
@@ -205771,9 +205823,10 @@ var YarnFixingManager = class extends NpmEcosystemFixingManager {
       logger.info(`Failed to install packages: ${installResult.error.message}`);
       logger.info(`stdout`, installResult.stdout);
       logger.info(`stderr`, installResult.stderr);
-      logger.info("yarn version", await runCommandResolveStdOut("yarn -v", installDir));
+      logger.info("yarn version", await this.runYarnCommand(cmdt`yarn -v`, installDir));
       throw new Error(`Failed to install packages: ${installResult.error.message}`);
     }
+    logger.info("Installation completed.");
   }
   async getYarnLockObj(filePath) {
     const fileString = await readFile13(filePath, "utf8");
@@ -205875,7 +205928,7 @@ var YarnFixingManager = class extends NpmEcosystemFixingManager {
 
 // ../fixing-management/src/fixing-management/npm/npm-ecosystem-socket-fixing-manager.ts
 import { dirname as dirname5, join as join8, relative as relative5 } from "path";
-import { existsSync as existsSync10 } from "fs";
+import { existsSync as existsSync11 } from "fs";
 var NpmSocketUpgradeManager = class {
   constructor(rootDir) {
     this.rootDir = rootDir;
@@ -205909,7 +205962,13 @@ var NpmSocketUpgradeManager = class {
           workspaceToSubproject.set(join8(subprojectDir, workspace), subprojectDir);
         }
       }
-      const packageJsonFiles = artifact.manifestFiles?.filter((a4) => a4.file.endsWith("package.json"));
+      const packageJsonFiles = artifact.manifestFiles?.filter((a4) => a4.file.endsWith("package.json")) ?? [];
+      for (const lockFile of lockFiles ?? []) {
+        const correspondingPackageJsonFile = join8(dirname5(lockFile.file), "package.json");
+        if (!packageJsonFiles.some((p3) => p3.file === correspondingPackageJsonFile) && existsSync11(correspondingPackageJsonFile)) {
+          packageJsonFiles.push({ file: correspondingPackageJsonFile });
+        }
+      }
       for (const packageJsonFile of packageJsonFiles ?? []) {
         const packageJsonDir = dirname5(packageJsonFile.file);
         const subprojectDir = workspaceToSubproject.get(packageJsonDir) ?? packageJsonDir;
@@ -205961,13 +206020,14 @@ function getFixingManagerFromPackageManager(packageManager, rootDir, subprojectP
   }
 }
 function getPackageMangerForDirectory(directory) {
-  if (existsSync10(join8(directory, "pnpm-lock.yaml")) || existsSync10(join8(directory, "pnpm-lock.yml"))) {
+  if (existsSync11(join8(directory, "pnpm-lock.yaml")) || existsSync11(join8(directory, "pnpm-lock.yml"))) {
     return "PNPM";
-  } else if (existsSync10(join8(directory, "yarn.lock"))) {
+  } else if (existsSync11(join8(directory, "yarn.lock"))) {
     return "YARN";
-  } else {
+  } else if (existsSync11(join8(directory, "package-lock.json"))) {
     return "NPM";
   }
+  throw new Error("Upgrading packages is currently only supported for NPM projects using a lock file.");
 }
 
 // ../fixing-management/src/fixing-management/npm/rush-fixing-manager.ts
@@ -206329,7 +206389,7 @@ async function applySocketUpgrades(ecosystem, rootDir, upgrades, artifacts) {
 
 // dist/cli-apply-fix.js
 var import_lodash12 = __toESM(require_lodash(), 1);
-import { existsSync as existsSync15 } from "fs";
+import { existsSync as existsSync16 } from "fs";
 
 // ../other-modules-communicator/src/other-modules-communicator.ts
 import { execFileSync } from "child_process";
@@ -206346,7 +206406,7 @@ import { fileURLToPath as fileURLToPath3 } from "node:url";
 // ../utils/dist/file-utils.js
 var import_lodash5 = __toESM(require_lodash(), 1);
 var import_micromatch = __toESM(require_micromatch(), 1);
-import { existsSync as existsSync11 } from "fs";
+import { existsSync as existsSync12 } from "fs";
 import { access as access2, cp, readdir as readdir3, stat as stat2 } from "fs/promises";
 import { basename as basename4, join as join11, relative as relative6, resolve as resolve13 } from "path";
 var { uniq } = import_lodash5.default;
@@ -207076,7 +207136,7 @@ async function detectVariantMaven(projectDir) {
 }
 
 // ../docker-management/src/maven/gradle-version-detector.ts
-import { existsSync as existsSync12 } from "fs";
+import { existsSync as existsSync13 } from "fs";
 import { join as join13 } from "path";
 import { readFile as readFile15 } from "fs/promises";
 async function detectVariantGradle(projectDir) {
@@ -207084,7 +207144,7 @@ async function detectVariantGradle(projectDir) {
 }
 async function detect(projectDir) {
   const gradleWrapperPropertiesPath = join13(projectDir, "gradle", "wrapper", "gradle-wrapper.properties");
-  const gradleWrapperProperties = existsSync12(gradleWrapperPropertiesPath) ? (await readFile15(gradleWrapperPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
+  const gradleWrapperProperties = existsSync13(gradleWrapperPropertiesPath) ? (await readFile15(gradleWrapperPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
   if (!gradleWrapperProperties) return void 0;
   const distributionUrlRegex = /.*gradle-(\d+(\.\d+(\.\d+)?)?)/;
   for (const prop2 of gradleWrapperProperties) {
@@ -207098,7 +207158,7 @@ async function detect(projectDir) {
 }
 
 // ../docker-management/src/maven/sbt-version-detector.ts
-import { existsSync as existsSync13 } from "fs";
+import { existsSync as existsSync14 } from "fs";
 import { join as join14 } from "path";
 import { readFile as readFile16 } from "fs/promises";
 async function detectVariantSbt(projectDir) {
@@ -207106,7 +207166,7 @@ async function detectVariantSbt(projectDir) {
 }
 async function detect2(projectDir) {
   const sbtBuildPropertiesPath = join14(projectDir, "project", "build.properties");
-  const sbtBuildProperties = existsSync13(sbtBuildPropertiesPath) ? (await readFile16(sbtBuildPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
+  const sbtBuildProperties = existsSync14(sbtBuildPropertiesPath) ? (await readFile16(sbtBuildPropertiesPath, "utf-8")).split("\n").map((line) => line.trim()).filter((line) => !line.startsWith("#")).filter((line) => line) : void 0;
   if (!sbtBuildProperties) return void 0;
   for (const prop2 of sbtBuildProperties) {
     const [key, value] = prop2.split("=");
@@ -207227,7 +207287,7 @@ import { join as join17, posix as posix2, relative as relative8, sep as sep3 } f
 // ../utils/src/file-utils.ts
 var import_lodash8 = __toESM(require_lodash(), 1);
 var import_micromatch2 = __toESM(require_micromatch(), 1);
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync15 } from "fs";
 import { access as access3, cp as cp2, readdir as readdir4, stat as stat3 } from "fs/promises";
 import { basename as basename5, join as join15, relative as relative7, resolve as resolve16 } from "path";
 var { uniq: uniq2 } = import_lodash8.default;
@@ -208029,6 +208089,28 @@ async function registerAnalysisMetadataCoana(subprojectPath, workspacePath, ecos
     handleError(e, "Unable to create analysis metadata");
   }
 }
+async function getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, newReportId, apiKey) {
+  if (!newReportId || apiKey.type === "missing") return;
+  try {
+    return (await axios_default.get(coanaAPIUrls.GET_LATEST_BUCKETS, {
+      headers: {
+        "Content-Type": "application/json",
+        apiKey: apiKey.value
+      },
+      params: { newReportId, subprojectPath, workspacePath, ecosystem }
+    })).data;
+  } catch (e) {
+    if (e.response?.data?.message === "No successful report found") return;
+    sendWarningToDashboard(
+      "Unable to get latest buckets",
+      { subprojectPath, workspacePath, newReportId },
+      void 0,
+      newReportId,
+      apiKey
+    );
+    logger.warn("Unable to get latest buckets:", e.message);
+  }
+}
 async function registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId, apiKey) {
   if (!reportId || apiKey.type === "missing") return;
   try {
@@ -208148,7 +208230,8 @@ function getCoanaAPI() {
     registerSubprojectsCoana,
     registerAnalysisMetadataCoana,
     registerCLIProgressCoana,
-    sendErrorReportToCoanaDashboard
+    sendErrorReportToCoanaDashboard,
+    getBucketsForLastReport
   };
 }
 
@@ -208344,7 +208427,7 @@ async function verifyFixes(fixes, otherModulesCommunicator, rootPath) {
   if (pathsForEachFixIdData.length !== new Set(pathsForEachFixIdData).size) {
     throw new Error("Multiple fix IDs found for the same subproject, workspace and ecosystem");
   }
-  const subprojectsNotFound = uniq3(fixes.filter(({ vulnerabilityInstance: v }) => !existsSync15(resolve19(rootPath, v.subprojectPath))).map(({ vulnerabilityInstance: v }) => `${v.subprojectPath}:${v.ecosystem}`));
+  const subprojectsNotFound = uniq3(fixes.filter(({ vulnerabilityInstance: v }) => !existsSync16(resolve19(rootPath, v.subprojectPath))).map(({ vulnerabilityInstance: v }) => `${v.subprojectPath}:${v.ecosystem}`));
   if (subprojectsNotFound.length > 0) {
     throw new Error(`Cannot find the following subprojects: ${subprojectsNotFound.join(", ")}`);
   }
@@ -209150,12 +209233,12 @@ import { readdir as readdir6 } from "fs/promises";
 import { join as join20, relative as relative9, resolve as resolve22 } from "path";
 
 // ../project-management/src/project-management/ecosystem-management/ecosystem-specs.ts
-import { existsSync as existsSync17 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 import { readdir as readdir5, readFile as readFile20 } from "fs/promises";
 import { join as join19, sep as sep4 } from "path";
 
 // ../utils/src/pip-utils.ts
-import { existsSync as existsSync16 } from "fs";
+import { existsSync as existsSync17 } from "fs";
 import { readFile as readFile19 } from "fs/promises";
 import { resolve as resolve21 } from "path";
 import util4 from "util";
@@ -209252,7 +209335,7 @@ function getEcosystemSpecs(ecosystems) {
 }
 function packageManagerIfPackageJSONExistsAndValid(packageManager) {
   return async (projectDir) => {
-    if (!existsSync17(join19(projectDir, "package.json"))) return void 0;
+    if (!existsSync18(join19(projectDir, "package.json"))) return void 0;
     const packageJSONPath = join19(projectDir, "package.json");
     try {
       JSON.parse(await readFile20(packageJSONPath, "utf-8"));
@@ -209715,6 +209798,19 @@ var DashboardAPI = class {
       );
     }
   }
+  async getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey) {
+    if (this.socketMode) {
+      return await this.socketAPI.getLatestBucketsSocket(subprojectPath, workspacePath);
+    } else {
+      return await this.coanaAPI.getBucketsForLastReport(
+        subprojectPath,
+        workspacePath,
+        ecosystem,
+        reportId,
+        apiKey
+      );
+    }
+  }
 };
 
 // ../utils/src/promise-queue.ts
@@ -209927,16 +210023,16 @@ function isVulnChainWithParentsMap(v) {
 var DEFAULT_REPORT_FILENAME_BASE = "coana-report";
 
 // dist/internal/exclude-dirs-from-configuration-files.js
-import { existsSync as existsSync18 } from "fs";
+import { existsSync as existsSync19 } from "fs";
 import { readFile as readFile21 } from "fs/promises";
 import { basename as basename6, resolve as resolve24 } from "path";
 var import_yaml2 = __toESM(require_dist11(), 1);
 async function inferExcludeDirsFromConfigurationFiles(rootWorkingDir) {
   const socketYmlConfigFile = resolve24(rootWorkingDir, "socket.yml");
-  if (existsSync18(socketYmlConfigFile))
+  if (existsSync19(socketYmlConfigFile))
     return inferExcludeDirsFromSocketConfig(socketYmlConfigFile);
   const socketYamlConfigFile = resolve24(rootWorkingDir, "socket.yaml");
-  if (existsSync18(socketYamlConfigFile))
+  if (existsSync19(socketYamlConfigFile))
     return inferExcludeDirsFromSocketConfig(socketYamlConfigFile);
   return void 0;
 }
@@ -224025,7 +224121,7 @@ var { root: root2 } = static_exports;
 
 // ../utils/src/maven-utils.ts
 var import_lodash14 = __toESM(require_lodash(), 1);
-import { existsSync as existsSync19, readdirSync as readdirSync4, statSync as statSync4 } from "fs";
+import { existsSync as existsSync20, readdirSync as readdirSync4, statSync as statSync4 } from "fs";
 import { join as join21 } from "path";
 var { memoize: memoize3 } = import_lodash14.default;
 var memoizedParseShellArgs = memoize3(parseShellArgs);
@@ -225397,7 +225493,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.11.14";
+var version2 = "14.11.16";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -226200,43 +226296,44 @@ ${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVers
 
 // dist/cli-compute-fixes-and-upgrade-purls.js
 async function computeFixesAndUpgradePurls(path2, options) {
-  const { artifacts, vulnerableArtifactIdsPerVulnerability } = await computeInputForComputingFixes(path2, options);
-  if (vulnerableArtifactIdsPerVulnerability.size === 0) {
+  const { artifacts, ghsaToVulnerableArtifactIds } = await computeInputForComputingFixes(path2, options);
+  if (Object.keys(ghsaToVulnerableArtifactIds).length === 0) {
     logger.info("No vulnerabilities to compute fixes for");
     return;
   }
   if (options.applyFixesTo.length === 0) {
-    logger.info("Vulnerabilities found:", Array.from(vulnerableArtifactIdsPerVulnerability.keys()).join(", "));
+    logger.info("Vulnerabilities found:", Object.keys(ghsaToVulnerableArtifactIds).join(", "));
     logger.info("Run again with --apply-fixes-to GHSA_IDS to fix those vulnerabilities by computing packages to upgrade and apply them");
     return;
   }
-  const vulnerableArtifactIdsForGhsas = options.applyFixesTo.includes("all") ? Array.from(vulnerableArtifactIdsPerVulnerability.values()).flatMap((ids) => Array.from(ids)) : options.applyFixesTo.flatMap((ghsa) => [...vulnerableArtifactIdsPerVulnerability.get(ghsa)?.values() ?? []]);
-  const computedFix = await useSocketComputeFixEndpoint(artifacts, vulnerableArtifactIdsForGhsas);
+  const ghsaToVulnerableArtifactIdsToApply = options.applyFixesTo.includes("all") ? ghsaToVulnerableArtifactIds : Object.fromEntries(Object.entries(ghsaToVulnerableArtifactIds).filter(([ghsa]) => options.applyFixesTo.includes(ghsa)));
+  const computedFix = await useSocketComputeFixEndpoint(artifacts, ghsaToVulnerableArtifactIdsToApply);
   if (computedFix.type !== "success") {
     throw new Error(`No fix found for the given vulnerabilities`);
   }
-  if (computedFix.failedArtifacts) {
-    const ghsasFailedToFix = options.applyFixesTo.filter((ghsa) => {
-      const artifactIds = vulnerableArtifactIdsPerVulnerability.get(ghsa);
-      if (!artifactIds)
-        return false;
-      return Array.from(artifactIds).some((vuln) => computedFix.failedArtifacts?.includes(vuln));
-    });
+  const ghsasFailedToFix = options.applyFixesTo.filter((ghsa) => {
+    const artifactIds = ghsaToVulnerableArtifactIdsToApply[ghsa];
+    if (!artifactIds)
+      return false;
+    return artifactIds.some((artifactId) => computedFix.ghsaToResult[ghsa].failedArtifacts?.includes(artifactId));
+  });
+  if (ghsasFailedToFix.length > 0) {
     logger.info("Failed to compute fixes for the following vulnerabilities:");
-    for (const ghsa of ghsasFailedToFix) {
-      logger.info(`  - ${ghsa} (${Array.from(vulnerableArtifactIdsPerVulnerability.get(ghsa)).map((id) => simplePurl(artifacts[id].type, artifacts[id].namespace ?? null, artifacts[id].name ?? "", artifacts[id].version ?? null)).join(", ")})`);
-    }
   }
+  for (const ghsa of ghsasFailedToFix) {
+    logger.info(`  - ${ghsa} (${ghsaToVulnerableArtifactIdsToApply[ghsa].map((id) => simplePurl(artifacts[id].type, artifacts[id].namespace ?? null, artifacts[id].name ?? "", artifacts[id].version ?? null)).join(", ")})`);
+  }
+  const combinedFixes = Object.values(computedFix.ghsaToResult).filter((result) => result.failedArtifacts === void 0 || result.failedArtifacts.length === 0).flatMap((result) => result.fixes);
   if (options.dryRun) {
     logger.info("Fixes found:");
-    for (const fix of computedFix.fixes) {
+    for (const fix of combinedFixes) {
       logger.info(`  - ${fix.purl} -> ${fix.fixedVersion}`);
     }
     logger.info("Run again without --dry-run to apply the fixes");
     return;
   }
   try {
-    await upgradePurl(path2, computedFix.fixes.map((fix) => ({ purl: fix.purl, upgradeVersion: fix.fixedVersion })), {
+    await upgradePurl(path2, combinedFixes.map((fix) => ({ purl: fix.purl, upgradeVersion: fix.fixedVersion })), {
       debug: options.debug,
       silent: options.silent,
       runWithoutDocker: options.runWithoutDocker,
@@ -226252,13 +226349,13 @@ async function computeFixesAndUpgradePurls(path2, options) {
 async function computeInputForComputingFixes(path2, options) {
   if (options.manifestsTarHash) {
     const { artifacts: artifacts2 } = await fetchArtifactsFromSocket(path2, options.manifestsTarHash);
-    const vulnerableArtifactIdsPerVulnerability2 = /* @__PURE__ */ new Map();
+    const ghsaToVulnerableArtifactIds2 = {};
     for (const [index2, artifact] of artifacts2.entries()) {
-      if (artifact.vulnerabilities) {
-        for (const vulnerability of artifact.vulnerabilities) {
-          if (!vulnerableArtifactIdsPerVulnerability2.has(vulnerability.ghsaId))
-            vulnerableArtifactIdsPerVulnerability2.set(vulnerability.ghsaId, /* @__PURE__ */ new Set());
-          vulnerableArtifactIdsPerVulnerability2.get(vulnerability.ghsaId).add(index2);
+      if (!artifact.vulnerabilities)
+        continue;
+      for (const vulnerability of artifact.vulnerabilities) {
+        if (!(ghsaToVulnerableArtifactIds2[vulnerability.ghsaId] ??= []).includes(index2)) {
+          ghsaToVulnerableArtifactIds2[vulnerability.ghsaId].push(index2);
         }
       }
     }
@@ -226269,7 +226366,7 @@ async function computeInputForComputingFixes(path2, options) {
       namespace: artifact.namespace ?? void 0,
       adj: artifact.dependencies?.map((dep) => artifacts2.findIndex((a4) => a4.id === dep)) ?? []
     }));
-    return { artifacts: sbomTaskArtifacts, vulnerableArtifactIdsPerVulnerability: vulnerableArtifactIdsPerVulnerability2 };
+    return { artifacts: sbomTaskArtifacts, ghsaToVulnerableArtifactIds: ghsaToVulnerableArtifactIds2 };
   }
   const otherModulesCommunicator = new OtherModulesCommunicator(path2, options, {
     type: "missing"
@@ -226283,21 +226380,24 @@ async function computeInputForComputingFixes(path2, options) {
   const cliCore = new CliCore(path2, { ...defaultCliOptions, socketMode: "true" });
   const results = await asyncMap(supportedSubprojects, async (subproject) => cliCore.getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subproject));
   const { artifacts, purlToIndex } = computeSBOMTaskArtifacts(results.flatMap((r2) => Object.values(r2.projectInfo).map((info) => info.dataForAnalysis.data.dependencyTree)));
-  const vulnerableArtifactIdsPerVulnerability = computeVulnerableArtifactIdsPerVulnerability(results.flatMap((r2) => Object.values(r2.workspaceToVulnerabilities).flat()), purlToIndex);
-  return { artifacts, vulnerableArtifactIdsPerVulnerability };
+  const ghsaToVulnerableArtifactIds = computeVulnerableArtifactIdsPerVulnerability(results.flatMap((r2) => Object.values(r2.workspaceToVulnerabilities).flat()), purlToIndex);
+  return { artifacts, ghsaToVulnerableArtifactIds };
 }
 function computeVulnerableArtifactIdsPerVulnerability(vulnerabilities, purlToIndex) {
-  const vulnerableArtifactIdsPerVulnerability = /* @__PURE__ */ new Map();
+  const vulnerableArtifactIdsPerVulnerability = {};
   for (const vulnerability of vulnerabilities) {
-    if (!vulnerableArtifactIdsPerVulnerability.has(vulnerability.url)) {
-      vulnerableArtifactIdsPerVulnerability.set(vulnerability.url, /* @__PURE__ */ new Set());
+    if (!vulnerableArtifactIdsPerVulnerability[vulnerability.url]) {
+      vulnerableArtifactIdsPerVulnerability[vulnerability.url] = [];
     }
     if (!vulnerability.purl)
       throw new Error(`Vulnerability ${vulnerability.url} has no purl`);
     if (!purlToIndex.has(vulnerability.purl)) {
       throw new Error(`Vulnerability ${vulnerability.url} has no purl in sbomTaskArtifacts`);
     }
-    vulnerableArtifactIdsPerVulnerability.get(vulnerability.url).add(purlToIndex.get(vulnerability.purl));
+    const index2 = purlToIndex.get(vulnerability.purl);
+    if (!vulnerableArtifactIdsPerVulnerability[vulnerability.url].includes(index2)) {
+      vulnerableArtifactIdsPerVulnerability[vulnerability.url].push(index2);
+    }
   }
   return vulnerableArtifactIdsPerVulnerability;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.11.14",
+  "version": "14.11.16",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -73178,7 +73178,8 @@ function getCoanaAPI() {
     registerSubprojectsCoana,
     registerAnalysisMetadataCoana,
     registerCLIProgressCoana,
-    sendErrorReportToCoanaDashboard
+    sendErrorReportToCoanaDashboard,
+    getBucketsForLastReport
   };
 }
 
@@ -73352,13 +73353,49 @@ async function registerAnalysisMetadataSocket(subprojectPath, workspacePath, eco
     handleError(error, "Error registering analysis metadata", false);
   }
 }
+async function getLatestBucketsSocket(subprojectPath, workspacePath) {
+  try {
+    const url2 = getSocketApiUrl("tier1-reachability-scan/latest-buckets");
+    const params = {
+      workspacePath,
+      subprojectPath,
+      repoName: process.env.SOCKET_REPO_NAME,
+      branchName: process.env.SOCKET_BRANCH_NAME
+    };
+    const response = await axios2.get(url2, {
+      headers: getAuthHeaders(),
+      params
+    });
+    const responseData = response.data;
+    if (responseData.type !== "success") {
+      throw new Error(response.data.reason);
+    }
+    return {
+      cliVersion: responseData.value.coana_cli_version,
+      buckets: responseData.value.buckets.map((b) => ({
+        vulnUrls: b.ghsas,
+        heuristicName: b.heuristicName
+      }))
+    };
+  } catch (error) {
+    if (error?.response?.data?.message === "No successful report found") {
+      return void 0;
+    }
+    logger.warn(
+      "Unable to retrieve cached analysis configuration. Will continue with default configuration.",
+      error?.message
+    );
+    return void 0;
+  }
+}
 function getSocketAPI() {
   return {
     createSocketTier1Scan,
     sendErrorReportToSocketDashboard,
     registerSubprojectsSocket,
     registerCLIProgressSocket,
-    registerAnalysisMetadataSocket
+    registerAnalysisMetadataSocket,
+    getLatestBucketsSocket
   };
 }
 
@@ -73454,6 +73491,19 @@ var DashboardAPI = class {
       );
     }
   }
+  async getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey3) {
+    if (this.socketMode) {
+      return await this.socketAPI.getLatestBucketsSocket(subprojectPath, workspacePath);
+    } else {
+      return await this.coanaAPI.getBucketsForLastReport(
+        subprojectPath,
+        workspacePath,
+        ecosystem,
+        reportId,
+        apiKey3
+      );
+    }
+  }
 };
 
 // dist/analyzers/go-analyzer.js
@@ -96850,6 +96900,7 @@ function assertVulnChainDetails(vs) {
   assert8(vs.every((v) => v.vulnChainDetails));
 }
 var apiKey = COANA_API_KEY ? { type: "present", value: COANA_API_KEY } : { type: "missing" };
+var dashboardAPI = new DashboardAPI(process.env.SOCKET_MODE === "true", process.env.DISABLE_ANALYTICS_SHARING === "true");
 async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecomputeForTimeoutsAndAborts, codeAwareScanner, analysisMetadataCollector, statusUpdater) {
   logger.debug("Starting analyzeWithHeuristics");
   assertVulnChainDetails(vulns);
@@ -96937,9 +96988,9 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
     }
   }
   async function getBucketsBasedOnPreviousResults() {
-    if (!COANA_REPORT_ID || apiKey.type === "missing")
+    if (process.env.SOCKET_MODE !== "true" && (!COANA_REPORT_ID || apiKey.type === "missing"))
       return void 0;
-    const bucketsFromLastAnalysisAndCliVersion = await getBucketsForLastReport(relative5(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, vulnerabilities[0].ecosystem ?? "NPM", COANA_REPORT_ID, apiKey);
+    const bucketsFromLastAnalysisAndCliVersion = await dashboardAPI.getBucketsForLastReport(relative5(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, vulnerabilities[0].ecosystem ?? "NPM", COANA_REPORT_ID, apiKey);
     if (!bucketsFromLastAnalysisAndCliVersion)
       return void 0;
     const { cliVersion, buckets: bucketsFromLastAnalysis } = bucketsFromLastAnalysisAndCliVersion;
@@ -97411,7 +97462,7 @@ var ecosystemAnalyzer = {
   RUST: RustAnalyzer
 };
 var apiKey2 = COANA_API_KEY ? { type: "present", value: COANA_API_KEY } : { type: "missing" };
-var dashboardAPI = new DashboardAPI(process.env.SOCKET_MODE === "true", process.env.DISABLE_ANALYTICS_SHARING === "true");
+var dashboardAPI2 = new DashboardAPI(process.env.SOCKET_MODE === "true", process.env.DISABLE_ANALYTICS_SHARING === "true");
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve16(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
@@ -97425,7 +97476,7 @@ async function runReachabilityAnalysis(state) {
   }
   const [vulnerabilitiesWithPrecomputedResults, vulnerabilitiesWithoutPrecomputedResults] = partition3(state.vulnerabilities, (v) => "results" in v);
   const augmentedVulnerabilities = await runWholeProgramCodeAwareVulnerabilityScanner(analyzer, vulnerabilitiesWithoutPrecomputedResults, async (amd) => {
-    await dashboardAPI.registerAnalysisMetadata(relative6(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);
+    await dashboardAPI2.registerAnalysisMetadata(relative6(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);
   });
   return [...vulnerabilitiesWithPrecomputedResults, ...augmentedVulnerabilities];
 }