@coana-tech/cli 14.12.103 → 14.12.105

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.103",
+  "version": "14.12.105",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -111651,7 +111651,7 @@ async function getCurrentCommitHash(project) {
 }
 function detectedOccurrencesFromAPMatches(matches, pathPrefixToRemove) {
   for (const match2 of Object.values(matches))
-    for (const stack of Array.isArray(match2) ? match2 : match2.stacks)
+    for (const stack of match2.stacks)
       for (const cl of stack) {
         if (cl.package === "<app>")
           cl.package = ROOT_NODE_STR;
@@ -111661,8 +111661,8 @@ function detectedOccurrencesFromAPMatches(matches, pathPrefixToRemove) {
   return ({ vulnerabilityAccessPaths }) => getStacksFromAccPaths(matches, { vulnerabilityAccessPaths });
 }
 function detectedOccurrencesFromAPMatchesRuby(matches, pathPrefixToPackage) {
-  for (const match2 of Object.values(matches))
-    for (const stack of Array.isArray(match2) ? match2 : match2.stacks)
+  for (const stacks of Object.values(matches))
+    for (const stack of stacks)
       for (const cl of stack) {
         if (cl.package === "<app>")
           cl.package = ROOT_NODE_STR;
@@ -111694,9 +111694,11 @@ var { omit, once: once3, pick, sortedUniq, uniqBy } = import_lodash14.default;
 var memlimitWrapper = `import sys, runpy, resource
 if memory_limit := int(sys.argv.pop(1)):
   try:
-    resource.setrlimit(resource.RLIMIT_AS, (memory_limit * 1024 ** 2, -1))
+    resource.setrlimit(resource.RLIMIT_AS, (memory_limit * 1024 ** 2, resource.RLIM_INFINITY))
   except ValueError as e:
-    print("ERROR: Failed to set memory limit", e, file=sys.stderr)
+    # If we're running on PyPy, memory is bounded by PYPY_GC_MAX env var
+    if sys.implementation.name != "pypy":
+      print("ERROR: Failed to set memory limit", e, file=sys.stderr)
 runpy.run_module("mambalade", alter_sys=True)
 `;
 var PythonCodeAwareVulnerabilityScanner = class {
@@ -111739,7 +111741,11 @@ var PythonCodeAwareVulnerabilityScanner = class {
         reachedDependencies: false,
         terminatedEarly: false,
         diagnostics: { timeout: false, aborted: false },
-        computeDetectedOccurrences: () => []
+        computeDetectedOccurrences: import_lodash14.default.constant({
+          analysisLevel: "function-level",
+          affectedPackages: [],
+          stacks: []
+        })
       };
     const packagesToExclude = heuristic.getPackagesToExcludeFromAnalysis?.(vulns);
     const vulnAccPaths = sortedUniq(vulns.flatMap((v) => v.vulnerabilityAccessPaths).sort());
@@ -111769,7 +111775,15 @@ ${vulnAccPaths.join("\n")}`);
       logger.debug(`With args: ${mambaladeArgs.slice(1).join(" ")}`);
     }
     try {
-      const { stderr } = await exec2(mambaladeArgs, this.projectDir, { stdin: memlimitWrapper });
+      const { stderr } = await exec2(mambaladeArgs, this.projectDir, {
+        stdin: memlimitWrapper,
+        env: {
+          ...process.env,
+          PYPY_GC_MAX: `${reachabilityAnalysisOptions.memoryLimitInMB ?? 0}MB`
+        },
+        // Forcefully kill the process if the internal timeout mechanism fails
+        timeout: (timeout * 1.5 + 15) * 1e3
+      });
       logger.debug("Done running mambalade");
       const errors = stderr.split("\n").filter((line) => line.startsWith("ERROR:") && !/^ERROR: Excluded distribution/.test(line));
       if (errors.length > 0)
@@ -112667,7 +112681,7 @@ function augmentVulnsWithDetectedOccurrences(vulns, codeAwareScanner, heuristic,
   const packagesFailedToInstall = codeAwareScanner.getPackagesExcludedUnrelatedToHeuristic();
   for (const v of vulns) {
     const detectedOccurrences = result.computeDetectedOccurrences(v);
-    if (Array.isArray(detectedOccurrences) ? detectedOccurrences.length === 0 : detectedOccurrences.stacks.length === 0) {
+    if (detectedOccurrences.stacks.length === 0) {
       if (SOCKET_MODE && result.terminatedEarly && !result.reachedDependencies && Object.keys(v.vulnChainDetails.transitiveDependencies).length > 1) {
         v.results = {
           type: "analysisError",
@@ -112745,16 +112759,15 @@ var GoAnalyzer = class {
     const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, [GoanaHeuristics.DEFAULT], false, new GoCodeAwareVulnerabilityScanner(this.projectDir, this.state.reachabilityAnalysisOptions), analysisMetadataCollector, statusUpdater) : [];
     if (unreachableVulns.length) {
       const heuristicName = GoanaHeuristics.IMPORT_REACHABILITY.name;
-      const detectedOccurrences = {
-        analysisLevel: "function-level",
-        affectedPackages: [],
-        stacks: []
-      };
       const scanResult = {
         type: "success",
         heuristicName,
         terminatedEarly: false,
-        detectedOccurrences
+        detectedOccurrences: {
+          analysisLevel: "function-level",
+          affectedPackages: [],
+          stacks: []
+        }
       };
       analysisMetadataCollector?.({
         vulnUrls: unreachableVulns.map((v) => v.url),