@coana-tech/cli 14.12.106 → 14.12.108

package/cli.mjs

@@ -250700,10 +250700,11 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.106";
+var version3 = "14.12.108";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
+var bucketedAnalysisTimeoutInSeconds = 60;
 var SEVERITY_ORDER = {
   INFO: 0,
   LOW: 1,
@@ -250737,10 +250738,13 @@ var CliCore = class {
     this.options = options;
     this.analysisMemoryLimitInMb = +this.options.memoryLimit;
     if (this.options.analysisTimeout !== void 0) {
-      this.analysisTimeoutInSeconds = Number(this.options.analysisTimeout);
-      if (isNaN(this.analysisTimeoutInSeconds)) {
+      const parsedTimeout = Number(this.options.analysisTimeout);
+      if (isNaN(parsedTimeout)) {
         throw new Error("Invalid analysis timeout value");
       }
+      this.analysisTimeoutInSeconds = parsedTimeout;
+    } else {
+      this.analysisTimeoutInSeconds = 600;
     }
     this.rootWorkingDirectory = resolve43(rootWorkingDirectory);
     this.spinner = Spinner.instance({
@@ -251354,7 +251358,10 @@ Subproject: ${subproject}`);
       return result;
     this.sendProgress("REACHABILITY_ANALYSIS", true, subprojectPath, workspacePath);
     result.push(...await otherModulesCommunicator.runReachabilityAnalysis(subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, {
-      timeoutInSeconds: this.analysisTimeoutInSeconds,
+      timeoutSeconds: {
+        allVulnRuns: this.analysisTimeoutInSeconds,
+        bucketedRuns: bucketedAnalysisTimeoutInSeconds
+      },
       memoryLimitInMB: this.analysisMemoryLimitInMb,
       printLogFile: this.options.printAnalysisLogFile,
       // entryPoints are only supported for root workspace atm.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.106",
+  "version": "14.12.108",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -95651,17 +95651,15 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
   apps;
   deps;
   depIdToPurl;
-  timeoutInSeconds;
   statusUpdater;
   name = "COCOA";
-  constructor(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater) {
+  constructor(apps, deps, depIdToPurl, statusUpdater) {
     this.apps = apps;
     this.deps = deps;
     this.depIdToPurl = depIdToPurl;
-    this.timeoutInSeconds = timeoutInSeconds;
     this.statusUpdater = statusUpdater;
   }
-  static initFromDependencyTree(dependencyTree, timeoutInSeconds, statusUpdater) {
+  static initFromDependencyTree(dependencyTree, statusUpdater) {
     const apps = {
       "<app>": {
         src: dependencyTree.src,
@@ -95677,9 +95675,9 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
         bin: dep.bin
       };
     }
-    return new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
+    return new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
   }
-  static async initFromSocketArtifacts(subprojectDir, manifestFiles, artifacts, tmpDir, timeoutInSeconds, statusUpdater) {
+  static async initFromSocketArtifacts(subprojectDir, manifestFiles, artifacts, tmpDir, statusUpdater) {
     const projMatcher = (0, import_picomatch.default)("*.*proj", { basename: true });
     const src = await asyncFlatMap(manifestFiles.filter((f2) => projMatcher(f2)), async (projFile) => {
       const project = await loadNuGetProject(subprojectDir, projFile);
@@ -95691,7 +95689,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       }
     };
     const { deps, depIdToPurl } = await convertSocketArtifacts(artifacts, tmpDir);
-    return new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
+    return new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
   }
   static async runOnAlreadyDownloadedPackages([appPath, ...depPaths], vulnerability, options) {
     const apps = {
@@ -95708,8 +95706,8 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
         bin: await isDirectory(depPath) ? await getFiles(depPath) : [depPath]
       };
     }
-    const scanner = new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, options.timeoutInSeconds);
-    const result = await scanner.runAnalysis([vulnerability], CocoaHeuristics.ALL_PACKAGES, false);
+    const scanner = new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl);
+    const result = await scanner.runAnalysis([vulnerability], CocoaHeuristics.ALL_PACKAGES, options.timeoutSeconds.allVulnRuns);
     if (result.type === "error")
       return { error: result.message, terminatedEarly: true };
     return {
@@ -95737,8 +95735,8 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
             bin: dep.bin
           };
         });
-        const scanner = new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
-        const result = await scanner.actuallyRunAnalysis(vulnerability.vulnerabilityAccessPaths);
+        const scanner = new _DotnetCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
+        const result = await scanner.actuallyRunAnalysis(vulnerability.vulnerabilityAccessPaths, timeoutInSeconds);
         if (result.type === "error")
           return { error: result.message, terminatedEarly: false };
         return {
@@ -95750,7 +95748,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       }
     });
   }
-  async runPhantomDependencyAnalysis() {
+  async runPhantomDependencyAnalysis(timeoutInSeconds) {
     return withTmpDirectory("dotnet-direct-dependency-analysis", async (tmpDir) => {
       try {
         await ensureDotnet6OrAbove();
@@ -95760,12 +95758,12 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const options = {
         apps: this.apps,
         deps: this.deps,
-        timeoutInSeconds: this.timeoutInSeconds
+        timeoutInSeconds
       };
       const inputFile = resolve10(tmpDir, "input.json");
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile4(inputFile, JSON.stringify(options));
-      const timeoutMs = this.timeoutInSeconds ? Math.max(this.timeoutInSeconds * 1.5, this.timeoutInSeconds + 30) * 1e3 : 750 * 1e3;
+      const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs });
       if (result.error)
         return void 0;
@@ -95773,7 +95771,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       return packageIds?.map((packageId) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => purl.name ?? "");
     });
   }
-  async runAnalysis(vulnerabilities, heuristic, _analyzesAllVulns, _experiment) {
+  async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, _experiment) {
     try {
       this.statusUpdater?.("Preparing code for analysis...");
       const packagesToAnalyze = heuristic.getPackagesToAnalyze(vulnerabilities);
@@ -95782,12 +95780,12 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
         const purl = this.depIdToPurl.get(packageId);
         return purl?.name && packagesToAnalyzeSet.has(purl.name);
       }));
-      return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), filteredDeps);
+      return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), timeoutInSeconds, filteredDeps);
     } catch (e) {
       return { type: "error", message: e.message };
     }
   }
-  async actuallyRunAnalysis(vulnerabilityAccessPaths, filteredDeps) {
+  async actuallyRunAnalysis(vulnerabilityAccessPaths, timeoutInSeconds, filteredDeps) {
     this.statusUpdater?.("Running analysis...");
     return withTmpDirectory("dotnet-run-analysis", async (tmpDir) => {
       try {
@@ -95799,12 +95797,12 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
         apps: this.apps,
         deps: filteredDeps ?? this.deps,
         vulnerableClasses: uniq2(vulnerabilityAccessPaths?.map((vulnFunction) => vulnFunction.slice(1).split(":")[0])),
-        timeoutInSeconds: this.timeoutInSeconds
+        timeoutInSeconds
       };
       const inputFile = resolve10(tmpDir, "input.json");
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile4(inputFile, JSON.stringify(options));
-      const timeoutMs = this.timeoutInSeconds ? Math.max(this.timeoutInSeconds * 1.5, this.timeoutInSeconds + 30) * 1e3 : 750 * 1e3;
+      const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
@@ -109628,17 +109626,15 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
   apps;
   deps;
   depIdToPurl;
-  timeoutInSeconds;
   statusUpdater;
   name = "ALUCARD";
-  constructor(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater) {
+  constructor(apps, deps, depIdToPurl, statusUpdater) {
     this.apps = apps;
     this.deps = deps;
     this.depIdToPurl = depIdToPurl;
-    this.timeoutInSeconds = timeoutInSeconds;
     this.statusUpdater = statusUpdater;
   }
-  static async initFromDependencyTree(dependencyTree, tmpDir, timeoutInSeconds, statusUpdater) {
+  static async initFromDependencyTree(dependencyTree, tmpDir, statusUpdater) {
     const apps = {
       "<app>": {
         src: dependencyTree.src
@@ -109655,9 +109651,9 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       };
     }
     await extractArchivesIfNeeded(tmpDir, apps, deps);
-    return new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
+    return new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
   }
-  static async initFromSocketArtifacts(subprojectDir, artifacts, tmpDir, timeoutInSeconds, statusUpdater) {
+  static async initFromSocketArtifacts(subprojectDir, artifacts, tmpDir, statusUpdater) {
     const apps = {
       "<app>": {
         src: [subprojectDir]
@@ -109665,7 +109661,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
     };
     const { deps, depIdToPurl } = await convertSocketArtifacts2(subprojectDir, artifacts, tmpDir);
     await extractArchivesIfNeeded(tmpDir, apps, deps);
-    return new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
+    return new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
   }
   static async runOnAlreadyDownloadedPackages([appPath, ...depPaths], vulnerability, options) {
     return withTmpDirectory("java-run-on-dependency-chain", async (tmpDir) => {
@@ -109683,8 +109679,8 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
         };
       }
       await extractArchivesIfNeeded(tmpDir, apps, deps);
-      const scanner = new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, options.timeoutInSeconds);
-      const result = await scanner.runAnalysis([vulnerability], AlucardHeuristics.ALL_PACKAGES, false);
+      const scanner = new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl);
+      const result = await scanner.runAnalysis([vulnerability], AlucardHeuristics.ALL_PACKAGES, options.timeoutSeconds.allVulnRuns);
       if (result.type === "error")
         return { error: result.message, terminatedEarly: true };
       return {
@@ -109715,8 +109711,8 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
           };
         });
         await extractArchivesIfNeeded(tmpDir, apps, deps);
-        const scanner = new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
-        const result = await scanner.actuallyRunAnalysis(vulnerability.vulnerabilityAccessPaths);
+        const scanner = new _JavaCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
+        const result = await scanner.actuallyRunAnalysis(vulnerability.vulnerabilityAccessPaths, timeoutInSeconds);
         if (result.type === "error")
           return { error: result.message, terminatedEarly: false };
         return {
@@ -109728,7 +109724,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       }
     });
   }
-  async runPhantomDependencyAnalysis() {
+  async runPhantomDependencyAnalysis(timeoutInSeconds) {
     return withTmpDirectory("java-direct-dependency-analysis", async (tmpDir) => {
       try {
         await ensureJdk8OrAbove();
@@ -109738,12 +109734,12 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const options = {
         apps: this.apps,
         deps: this.deps,
-        timeoutInSeconds: this.timeoutInSeconds
+        timeoutInSeconds
       };
       const inputFile = resolve11(tmpDir, "input.json");
       const outputFile = resolve11(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
-      const timeoutMs = this.timeoutInSeconds ? Math.max(this.timeoutInSeconds * 1.5, this.timeoutInSeconds + 30) * 1e3 : 750 * 1e3;
+      const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs });
       if (result.error)
         return void 0;
@@ -109751,7 +109747,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       return packageIds?.map((packageId) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}}`);
     });
   }
-  async runAnalysis(vulnerabilities, heuristic, _analyzesAllVulns, _experiment) {
+  async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, _experiment) {
     try {
       this.statusUpdater?.("Preparing code for analysis...");
       const packagesToAnalyze = heuristic.getPackagesToAnalyze(vulnerabilities);
@@ -109760,12 +109756,12 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
         const purl = this.depIdToPurl.get(packageId);
         return purl && packagesToAnalyzeSet.has(`${purl.namespace}:${purl.name}}`);
       }));
-      return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), filteredDeps);
+      return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), timeoutInSeconds, filteredDeps);
     } catch (e) {
       return { type: "error", message: e.message };
     }
   }
-  async actuallyRunAnalysis(vulnerabilityAccessPaths, filteredDeps) {
+  async actuallyRunAnalysis(vulnerabilityAccessPaths, timeoutInSeconds, filteredDeps) {
     this.statusUpdater?.("Running analysis...");
     return withTmpDirectory("java-run-analysis", async (tmpDir) => {
       try {
@@ -109777,12 +109773,12 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
         apps: this.apps,
         deps: filteredDeps ?? this.deps,
         vulnerableClasses: uniq3(vulnerabilityAccessPaths?.map((vulnFunction) => vulnFunction.slice(1).split(":")[0])),
-        timeoutInSeconds: this.timeoutInSeconds
+        timeoutInSeconds
       };
       const inputFile = resolve11(tmpDir, "input.json");
       const outputFile = resolve11(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
-      const timeoutMs = this.timeoutInSeconds ? Math.max(this.timeoutInSeconds * 1.5, this.timeoutInSeconds + 30) * 1e3 : 750 * 1e3;
+      const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
@@ -110416,24 +110412,11 @@ function getMaxRoundsHeuristicOptions(maxRounds) {
 }
 function getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions(vulnerabilities) {
   return {
-    includePackages: computePackagesOnVulnPathExcludingVulnerablePackage(vulnerabilities)
+    includePackages: computePackagesOnVulnPath(vulnerabilities)
   };
 }
-function computePackagesOnVulnPathExcludingVulnerablePackage(vulnerabilities) {
-  const packagesToAnalyze = /* @__PURE__ */ new Set();
-  vulnerabilities.filter((v) => !v.vulnerabilityAccessPaths || typeof v.vulnerabilityAccessPaths !== "string").forEach((v) => {
-    const visitedIdentifiers = [];
-    const helper = (node) => {
-      if (node.children && node.children.length > 0)
-        packagesToAnalyze.add(node.packageName);
-      node.children?.filter((c) => !visitedIdentifiers.includes(c)).forEach((c) => {
-        visitedIdentifiers.push(c);
-        helper(v.vulnChainDetails.transitiveDependencies[c]);
-      });
-    };
-    helper(v.vulnChainDetails);
-  });
-  return [...packagesToAnalyze];
+function computePackagesOnVulnPath(vulnerabilities, { includeLeafPackages = false } = {}) {
+  return [...new Set(vulnerabilities.filter((v) => !v.vulnerabilityAccessPaths || typeof v.vulnerabilityAccessPaths !== "string").flatMap((v) => Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).filter((d) => includeLeafPackages || d.children?.length).map((d) => d.packageName)))];
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/jelly-runner.js
@@ -110442,10 +110425,10 @@ import { readFile as readFile8, rm as rm2, writeFile as writeFile6 } from "fs/pr
 import { relative as relative6, resolve as resolve14 } from "path";
 var { map: map2, uniq: uniq4 } = import_lodash10.default;
 var PRINT_JELLY_COMMAND = false;
-async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reachabilityAnalysisOptions, vulnerabilities, experiment) {
+async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reachabilityAnalysisOptions, timeoutInSeconds, vulnerabilities, experiment) {
   const tmpFolder = await createTmpDirectory("jelly-analysis");
   try {
-    const filesToAnalyze = reachabilityAnalysisOptions.entryPoints ? reachabilityAnalysisOptions.entryPoints : [projectRoot];
+    const filesToAnalyze = reachabilityAnalysisOptions.entryPoints ?? [projectRoot];
     const jellyExecutable = ToolPathResolver.jellyPath;
     const vulnerabilitiesInJellyFormat = vulnerabilities.map((v) => ({
       osv: v,
@@ -110458,23 +110441,17 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     const affectedPackagesFile = resolve14(tmpFolder, "affected-packages.json");
     const logFile = reachabilityAnalysisOptions.analysisLogFile ?? (reachabilityAnalysisOptions.printLogFile && resolve14(projectRoot, "js-analysis.log"));
     await writeFile6(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
-    let excludeEntries;
-    if (reachabilityAnalysisOptions.excludeDirs?.length) {
-      const excludeDirsRelativeToProjectRoot = reachabilityAnalysisOptions.excludeDirs.map((d) => relative6(projectRoot, resolve14(mainProjectRoot, d)));
-      const excludeDirsRelativeToProjectRootWithWildcards = excludeDirsRelativeToProjectRoot.map((d) => `${d}/**`);
-      excludeEntries = [...excludeDirsRelativeToProjectRoot, ...excludeDirsRelativeToProjectRootWithWildcards];
-    }
     const jellyCmd = cmdt`
       ${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}
         ${jellyExecutable}
         --basedir ${mainProjectRoot}
-        --timeout ${reachabilityAnalysisOptions.timeoutInSeconds ?? 60}
+        --timeout ${timeoutInSeconds}
         --vulnerabilities ${vulnerabilitiesFile}
         --reachable-json ${affectedPackagesFile}
-        ${excludeEntries && ["--exclude-entries", ...excludeEntries]}
+        ${getExcludes(mainProjectRoot, projectRoot, reachabilityAnalysisOptions)}
         --diagnostics-json ${diagnosticsFile}
         --max-indirections=${jellyOptions.maxIndirections}
-        ${jellyOptions.includePackages && ["--include-packages", ...jellyOptions.includePackages]}
+        ${!!jellyOptions.includePackages?.length && ["--include-packages", ...jellyOptions.includePackages]}
         ${jellyOptions.approx && "--approx"}
         ${logFile ? ["--logfile", logFile] : []}
         --callstacks-json ${callStackFile}
@@ -110487,7 +110464,7 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
       void 0,
       // If it is an experimental run, make sure to crash the process if Jelly takes more than 50% longer than the timeout.
       // This is done to mitigate the scenario where the Jelly process gets close to the memory limit and thus ends up spending most of its time on garbage collection, which can increase the time between timeout checks dramatically.
-      experiment && reachabilityAnalysisOptions.timeoutInSeconds ? { timeout: reachabilityAnalysisOptions.timeoutInSeconds * 1e3 * 1.5 } : void 0
+      experiment ? { timeout: timeoutInSeconds * 1e3 * 1.5 } : void 0
     );
     if (reachabilityAnalysisOptions.printLogFile)
       logger.info("JS analysis log file:", await readFile8(logFile, "utf-8"));
@@ -110526,26 +110503,36 @@ async function runJellyPhantomDependencyAnalysis(projectRoot, options) {
     const jellyCmd = cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${options.memoryLimitInMB}
       ${jellyExecutable} --basedir ${projectRoot} --modules-only --ignore-dependencies
         --reachable-json ${reachablePackagesFile} ${projectRoot}`;
-    await runCommandResolveStdOut2(jellyCmd);
+    await runCommandResolveStdOut2(jellyCmd, void 0, { timeout: options.timeoutSeconds.allVulnRuns * 1e3 });
     return JSON.parse(await readFile8(reachablePackagesFile, "utf-8")).packages;
   } finally {
     await rm2(tmpFolder, { recursive: true });
   }
 }
-async function runJellyImportReachabilityAnalysis(baseDir, projectDir, options) {
+async function runJellyImportReachabilityAnalysis(mainProjectRoot, projectRoot, vulnerabilities, options) {
   const tmpFolder = await createTmpDirectory("jelly-analysis");
   try {
-    const jellyExecutable = ToolPathResolver.jellyPath;
+    const includePackages = computePackagesOnVulnPath(vulnerabilities, { includeLeafPackages: true });
     const reachableModulesFile = resolve14(tmpFolder, "reachable-modules.json");
     const jellyCmd = cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${options.memoryLimitInMB}
-      ${jellyExecutable} --basedir ${baseDir} --modules-only
-        --reachable-json ${reachableModulesFile} ${projectDir}`;
-    await runCommandResolveStdOut2(jellyCmd);
+      ${ToolPathResolver.jellyPath} --basedir ${mainProjectRoot} --modules-only
+        ${!!includePackages.length && ["--include-packages", ...includePackages]}
+        ${getExcludes(mainProjectRoot, projectRoot, options)}
+        --reachable-json ${reachableModulesFile}
+        ${options.entryPoints ?? projectRoot}`;
+    await runCommandResolveStdOut2(jellyCmd, void 0, { timeout: options.timeoutSeconds.allVulnRuns * 1e3 });
     return JSON.parse(await readFile8(reachableModulesFile, "utf-8"));
   } finally {
     await rm2(tmpFolder, { recursive: true });
   }
 }
+function getExcludes(mainProjectRoot, projectRoot, options) {
+  if (options.excludeDirs?.length) {
+    const excludeDirsRelativeToProjectRoot = options.excludeDirs.map((d) => relative6(projectRoot, resolve14(mainProjectRoot, d)));
+    const excludeDirsRelativeToProjectRootWithWildcards = excludeDirsRelativeToProjectRoot.map((d) => `${d}/**`);
+    return [...excludeDirsRelativeToProjectRoot, ...excludeDirsRelativeToProjectRootWithWildcards];
+  }
+}
 function relativizeSourceLocations(projectDir, paths) {
   return {
     ...paths,
@@ -110571,7 +110558,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
   numberAnalysesRun = 0;
   packagesExcludedUnrelatedToHeuristic = [];
   socketMode = false;
-  constructor(mainProjectDir, projectDir, options = {}) {
+  constructor(mainProjectDir, projectDir, options) {
     this.mainProjectDir = mainProjectDir;
     this.projectDir = projectDir;
     this.options = options;
@@ -110587,15 +110574,11 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
     const { failedPackages } = await prepareNpmDependencies(state.rootWorkingDir, this.projectDir, state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(state.workspaceData.data.artifacts.map((d) => [d.id, d])), state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.dependencies ?? [] : state.workspaceData.data.artifacts.filter((a2) => a2.direct).map((a2) => a2.id), packagesToInstall);
     this.packagesExcludedUnrelatedToHeuristic = failedPackages.map((p) => getPackageName(p));
   }
-  async runAnalysis(vulnerabilities, heuristic, analyzesAllVulns, experiment) {
+  async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, experiment) {
     const analysisOptionsFromHeuristic = heuristic.getOptions(vulnerabilities);
-    const timeoutInSeconds = analyzesAllVulns ? this.options.timeoutInSeconds ?? 600 : 60;
     try {
       analysisOptionsFromHeuristic.approx = process.env.JELLY_APPROX === "true" || experiment === "JELLY_APPROX";
-      const analysisRes = await runJellyAnalysis(this.mainProjectDir, this.projectDir, analysisOptionsFromHeuristic, {
-        ...this.options,
-        timeoutInSeconds
-      }, vulnerabilities, experiment);
+      const analysisRes = await runJellyAnalysis(this.mainProjectDir, this.projectDir, analysisOptionsFromHeuristic, this.options, timeoutInSeconds, vulnerabilities, experiment);
       const { analysisDiagnostics: diagnostics, matches } = analysisRes;
       return {
         type: "success",
@@ -110659,7 +110642,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       const projectDir = join14(tmpDir, "node_modules", firstPackageName);
       const scanner = new _JSCodeAwareVulnerabilityScanner(projectDir, projectDir, reachabilityAnalysisOptions);
       logger.info(`Started analysis of ${projectDir}`);
-      const result = await scanner.runAnalysis([vulnerability], heuristics.createIncludePackagesHeuristic(otherPackageNames, baseHeuristic.getOptions([vulnerability])), true);
+      const result = await scanner.runAnalysis([vulnerability], heuristics.createIncludePackagesHeuristic(otherPackageNames, baseHeuristic.getOptions([vulnerability])), reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
       if (result.type === "error") {
         return {
           error: result.message,
@@ -110683,7 +110666,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
     const restWithoutLast = rest.slice(0, -1);
     const projectDir = join14(tmpDir, "node_modules", first2.packageName);
     const scanner = new _JSCodeAwareVulnerabilityScanner(tmpDir, projectDir, reachabilityAnalysisOptions);
-    const result = await scanner.runAnalysis([vulnerability], heuristics.createIncludePackagesHeuristic(restWithoutLast.map((p) => p.packageName), baseHeuristic.getOptions([vulnerability])), true);
+    const result = await scanner.runAnalysis([vulnerability], heuristics.createIncludePackagesHeuristic(restWithoutLast.map((p) => p.packageName), baseHeuristic.getOptions([vulnerability])), reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     await rm3(tmpDir, { recursive: true, force: true });
     if (result.type === "error") {
       return {
@@ -110774,11 +110757,11 @@ var GoCodeAwareVulnerabilityScanner = class {
     this.projectDir = projectDir;
     this.options = options;
   }
-  async runAnalysis(vulns, heuristic, analyzesAllVulns) {
+  async runAnalysis(vulns, heuristic, timeoutInSeconds) {
     logger.info("Started instantiating Go code-aware analysis");
     if (!existsSync10(join15(this.projectDir, "go.mod")))
       throw new Error("go.mod file not found in the project directory");
-    const { timeoutInSeconds, memoryLimitInMB } = this.options;
+    const { memoryLimitInMB } = this.options;
     const tmpDir = await createTmpDirectory("goana-output");
     const vulnsOutputFile = join15(tmpDir, "vulns.json");
     const diagnosticsOutputFile = join15(tmpDir, "diagnostics.json");
@@ -110795,7 +110778,7 @@ var GoCodeAwareVulnerabilityScanner = class {
           -output-reached-modules ${reachedModulesOutputFile}
           -topk=4 ${heuristic.includeTests && "-tests"}
           ${this.projectDir} ${vulnAccPaths}`, void 0, {
-        timeout: timeoutInSeconds ? timeoutInSeconds * 1e3 : analyzesAllVulns ? 600 * 1e3 : 60 * 1e3,
+        timeout: timeoutInSeconds * 1e3,
         env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${memoryLimitInMB}MiB` } : void 0
       });
       if (error) {
@@ -110840,7 +110823,7 @@ ${stderr}`);
       await rm4(tmpDir, { recursive: true, force: true });
     }
   }
-  static async runOnDependencyChain([first2, ...rest], vuln, options = {}) {
+  static async runOnDependencyChain([first2, ...rest], vuln, options) {
     assert4(first2.version);
     const { Dir, GoMod } = JSON.parse(await runCommandResolveStdOut2(cmdt`go mod download -json ${first2.packageName}@v${first2.version}`));
     const projectDir = await createTmpDirectory("go-run-on-dependency-chain-");
@@ -110857,7 +110840,7 @@ ${stderr}`);
         await runGoModTidy(projectDir);
       }
       const heuristic = GoanaHeuristics.NO_TESTS;
-      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
+      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, options.timeoutSeconds.allVulnRuns);
       if (result.type === "error")
         return {
           error: result.message,
@@ -110873,7 +110856,7 @@ ${stderr}`);
       await rm4(projectDir, { recursive: true, force: true });
     }
   }
-  static async runOnAlreadyDownloadedPackages(packages, vuln, options = {}) {
+  static async runOnAlreadyDownloadedPackages(packages, vuln, options) {
     for (const pkg of packages)
       assert4(existsSync10(join15(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
     const [app, ...dependencies] = packages;
@@ -110890,7 +110873,7 @@ ${stderr}`);
         await runGoModTidy(projectDir);
       }
       const heuristic = GoanaHeuristics.NO_TESTS;
-      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, true);
+      const result = await new this(projectDir, options).runAnalysis([vuln], heuristic, options.timeoutSeconds.allVulnRuns);
       if (result.type === "error")
         return {
           error: result.message,
@@ -110948,17 +110931,15 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
   apps;
   deps;
   depIdToPurl;
-  timeoutInSeconds;
   statusUpdater;
   name = "RUSTICA";
-  constructor(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater) {
+  constructor(apps, deps, depIdToPurl, statusUpdater) {
     this.apps = apps;
     this.deps = deps;
     this.depIdToPurl = depIdToPurl;
-    this.timeoutInSeconds = timeoutInSeconds;
     this.statusUpdater = statusUpdater;
   }
-  static initFromDependencyTree(dependencyTree, timeoutInSeconds, statusUpdater) {
+  static initFromDependencyTree(dependencyTree, statusUpdater) {
     const appDependencies = {};
     if (dependencyTree.dependenciesWithAliases) {
       for (const [depId, names] of Object.entries(dependencyTree.dependenciesWithAliases)) {
@@ -110992,9 +110973,9 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
         }
       };
     }
-    return new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
+    return new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
   }
-  static async initFromSocketArtifacts(subprojectDir, workspacePath, artifacts, tmpDir, timeoutInSeconds, statusUpdater) {
+  static async initFromSocketArtifacts(subprojectDir, workspacePath, artifacts, tmpDir, statusUpdater) {
     const cargoTomlToArtifacts = /* @__PURE__ */ new Map();
     for (const artifact of artifacts) {
       for (const mf of artifact.manifestFiles ?? []) {
@@ -111048,7 +111029,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       }
     };
     const { deps, depIdToPurl } = await convertSocketArtifacts3(artifacts, tmpDir, artifactNameToId);
-    return new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
+    return new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
   }
   /** @deprecated */
   static async runOnAlreadyDownloadedPackages([appPath, ...depPaths], vulnerability, options) {
@@ -111106,8 +111087,8 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
         deps[packageId] = packageInfo;
       }
     }
-    const scanner = new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, options.timeoutInSeconds);
-    const result = await scanner.runAnalysis([vulnerability], RusticaHeuristics.ALL_PACKAGES, false);
+    const scanner = new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl);
+    const result = await scanner.runAnalysis([vulnerability], RusticaHeuristics.ALL_PACKAGES, options.timeoutSeconds.allVulnRuns);
     if (result.type === "error")
       return { error: result.message, terminatedEarly: true };
     return {
@@ -111173,8 +111154,8 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
             }
           };
         }
-        const scanner = new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, timeoutInSeconds, statusUpdater);
-        const result = await scanner.actuallyRunAnalysis(vulnerability.vulnerabilityAccessPaths);
+        const scanner = new _RustCodeAwareVulnerabilityScanner(apps, deps, depIdToPurl, statusUpdater);
+        const result = await scanner.actuallyRunAnalysis(vulnerability.vulnerabilityAccessPaths, timeoutInSeconds);
         if (result.type === "error")
           return { error: result.message, terminatedEarly: false };
         return {
@@ -111186,17 +111167,17 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       }
     });
   }
-  async runPhantomDependencyAnalysis() {
+  async runPhantomDependencyAnalysis(timeoutInSeconds) {
     return withTmpDirectory("rust-direct-dependency-analysis", async (tmpDir) => {
       const options = {
         apps: this.apps,
         deps: this.deps,
-        timeoutInSeconds: this.timeoutInSeconds
+        timeoutInSeconds
       };
       const inputFile = resolve16(tmpDir, "input.json");
       const outputFile = resolve16(tmpDir, "output.json");
       await writeFile8(inputFile, JSON.stringify(options));
-      const timeoutMs = this.timeoutInSeconds ? Math.max(this.timeoutInSeconds * 1.5, this.timeoutInSeconds + 30) * 1e3 : 750 * 1e3;
+      const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs });
       if (result.error)
         return void 0;
@@ -111204,7 +111185,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       return packageIds?.map((packageId) => this.depIdToPurl.get(packageId)?.name).filter((name2) => name2 !== void 0).map((name2) => name2);
     });
   }
-  async runAnalysis(vulnerabilities, heuristic, _analyzesAllVulns) {
+  async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds) {
     try {
       this.statusUpdater?.("Preparing code for analysis...");
       const packagesToAnalyze = heuristic.getPackagesToAnalyze(vulnerabilities);
@@ -111213,25 +111194,26 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
         const purl = this.depIdToPurl.get(packageId);
         return purl?.name && packagesToAnalyzeSet.has(purl.name);
       }));
-      return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), filteredDeps);
+      return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), timeoutInSeconds, filteredDeps);
     } catch (e) {
       return { type: "error", message: e.message };
     }
   }
-  async actuallyRunAnalysis(vulnerabilityAccessPaths, filteredDeps) {
+  async actuallyRunAnalysis(vulnerabilityAccessPaths, timeoutInSeconds, filteredDeps) {
     this.statusUpdater?.("Running analysis...");
     return withTmpDirectory("rust-run-analysis", async (tmpDir) => {
+      const effectiveTimeout = timeoutInSeconds;
       const options = {
         apps: this.apps,
         deps: filteredDeps ?? this.deps,
         // Note, rust uses '::' as path separator, so we need to split on ': ' and not only ':'
         vulnerableClasses: uniq6(vulnerabilityAccessPaths?.map((vulnFunction) => vulnFunction.slice(1).split(": ")[0])),
-        timeoutInSeconds: this.timeoutInSeconds
+        timeoutInSeconds: effectiveTimeout
       };
       const inputFile = resolve16(tmpDir, "input.json");
       const outputFile = resolve16(tmpDir, "output.json");
       await writeFile8(inputFile, JSON.stringify(options));
-      const timeoutMs = this.timeoutInSeconds ? Math.max(this.timeoutInSeconds * 1.5, this.timeoutInSeconds + 30) * 1e3 : 750 * 1e3;
+      const timeoutMs = Math.max(effectiveTimeout * 1.5, effectiveTimeout + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
@@ -111549,36 +111531,27 @@ async function analyzePackages(ecosystem, packages, vulnerability, options) {
   switch (ecosystem) {
     case "NPM":
       analysisName = "Jelly";
-      result = await runWithJSHeuristics(async (h) => await JSCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      }, h));
+      result = await runWithJSHeuristics(async (h) => await JSCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options, h));
       break;
     case "MAVEN":
       analysisName = "Alucard";
-      result = await JavaCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options?.timeoutInSeconds ?? 60);
+      result = await JavaCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options.timeoutSeconds.allVulnRuns);
       break;
     case "NUGET":
       analysisName = "Cocoa";
-      result = await DotnetCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options?.timeoutInSeconds ?? 60);
+      result = await DotnetCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options.timeoutSeconds.allVulnRuns);
       break;
     case "PIP":
       analysisName = "Mambalade";
-      result = await PythonCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      });
+      result = await PythonCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options);
       break;
     case "GO":
       analysisName = "Goana";
-      result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      });
+      result = await GoCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options);
       break;
     case "RUST":
       analysisName = "Rustica";
-      result = await RustCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options?.timeoutInSeconds ?? 60);
+      result = await RustCodeAwareVulnerabilityScanner.runOnDependencyChain(packages, vulnerability, options.timeoutSeconds.allVulnRuns);
       break;
     default:
       throw new Error(`Analyze dependency chain not implemented for ${ecosystem}.`);
@@ -111591,45 +111564,27 @@ async function analyzeAlreadyInstalledPackages(ecosystem, packages, vulnerabilit
   switch (ecosystem) {
     case "NPM":
       analysisName = "Jelly";
-      result = await runWithJSHeuristics(async (h) => await JSCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      }, h));
+      result = await runWithJSHeuristics(async (h) => await JSCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options, h));
       break;
     case "MAVEN":
       analysisName = "Alucard";
-      result = await JavaCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      });
+      result = await JavaCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options);
       break;
     case "NUGET":
       analysisName = "Cocoa";
-      result = await DotnetCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      });
+      result = await DotnetCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options);
       break;
     case "PIP":
       analysisName = "Mambalade";
-      result = await PythonCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      });
+      result = await PythonCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options);
       break;
     case "GO":
       analysisName = "Goana";
-      result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      });
+      result = await GoCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options);
       break;
     case "RUST":
       analysisName = "Rustica";
-      result = await RustCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, {
-        timeoutInSeconds: options?.timeoutInSeconds ?? 60,
-        memoryLimitInMB: options?.memoryLimitInMB ?? 16384
-      });
+      result = await RustCodeAwareVulnerabilityScanner.runOnAlreadyDownloadedPackages(packages, vulnerability, options);
       break;
     default:
       throw new Error(`analyzePackageRegistryPackage is not implemented for ${ecosystem}.`);
@@ -111723,7 +111678,7 @@ var PythonCodeAwareVulnerabilityScanner = class {
       logger.info("Done setting up virtual environment");
     }
   }
-  async runAnalysis(vulns, heuristic, analyzesAllVulns) {
+  async runAnalysis(vulns, heuristic, timeoutInSeconds) {
     if (!this.virtualEnvInfo)
       throw new Error("Virtual environment not set up");
     this.mambaladeVenvPath ??= await setupMambalade();
@@ -111753,8 +111708,6 @@ var PythonCodeAwareVulnerabilityScanner = class {
     const vulnsOutputFile = join16(tmpDir, "vulns.json");
     const diagnosticsOutputFile = join16(tmpDir, "diagnostics.json");
     const reachedPackagesOutputFile = join16(tmpDir, "reached-packages.json");
-    const timeout = reachabilityAnalysisOptions.timeoutInSeconds ?? // 10 minutes for the first analysis, 1 minute for subsequent analyses
-    (analyzesAllVulns ? 60 * 10 : 60);
     const pythonExecutable = join16(this.mambaladeVenvPath, "bin", "python");
     const mambaladeArgs = cmdt`\
       ${pythonExecutable} - ${reachabilityAnalysisOptions.memoryLimitInMB ?? 0}
@@ -111764,7 +111717,7 @@ var PythonCodeAwareVulnerabilityScanner = class {
       --output-vulnerabilities ${vulnsOutputFile}
       --output-diagnostics ${diagnosticsOutputFile}
       --output-reached-distributions ${reachedPackagesOutputFile}
-      --timeout=${timeout}
+      --timeout=${timeoutInSeconds}
       ${packagesToExclude?.size ? ["--exclude-distributions", ...packagesToExclude] : []}
       --
       ${filesToAnalyze}`;
@@ -111782,7 +111735,7 @@ ${vulnAccPaths.join("\n")}`);
           PYPY_GC_MAX: `${reachabilityAnalysisOptions.memoryLimitInMB ?? 0}MB`
         },
         // Forcefully kill the process if the internal timeout mechanism fails
-        timeout: (timeout * 1.5 + 15) * 1e3
+        timeout: (timeoutInSeconds * 1.5 + 15) * 1e3
       });
       logger.debug("Done running mambalade");
       const errors = stderr.split("\n").filter((line) => line.startsWith("ERROR:") && !/^ERROR: Excluded distribution/.test(line));
@@ -111876,7 +111829,7 @@ ${msg}`;
           await cp6(dep, dependencyDir, { recursive: true });
           fileMappings.set(dependencyDir, dep);
         }
-        const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, false);
+        const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, options.timeoutSeconds.allVulnRuns);
         if (result.type === "error")
           return { error: result.message, terminatedEarly: true };
         return {
@@ -111916,7 +111869,7 @@ ${msg}`;
         ]);
         if (scanner.virtualEnvInfo.packageInstallationStats.failedToInstall.length)
           throw new Error("Failed to install some packages");
-        const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, false);
+        const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, options.timeoutSeconds.allVulnRuns);
         if (result.type === "error")
           return { error: result.message, terminatedEarly: true };
         return {
@@ -112510,8 +112463,9 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       try {
         newAnalysisRunListener();
         const initialBucketContainingAllVulns = buckets.length === 1 && buckets[0] === bucket;
+        const timeoutInSeconds = initialBucketContainingAllVulns ? state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns : state.reachabilityAnalysisOptions.timeoutSeconds.bucketedRuns;
         logger.info(`Running full reachability analysis for ${vulnsForBucket.length}/${vulnerabilities.length} vulnerabilities.`);
-        const result = await codeAwareScanner.runAnalysis(vulnsForBucket, bucket.heuristic, initialBucketContainingAllVulns, experiment);
+        const result = await codeAwareScanner.runAnalysis(vulnsForBucket, bucket.heuristic, timeoutInSeconds, experiment);
         const allowSplitInBuckets = !disableBucketing && bucket.heuristic.splitAnalysisInBuckets && !state.otherAnalysisOptions.disableBucketing && vulnDepIdentifiers.length > 1 && (result.type === "error" || result.reachedDependencies);
         if (result.type === "success") {
           result.diagnostics.timings ??= {};
@@ -112532,13 +112486,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
           await analysisMetadataCollector2?.(finalAnalysisMetadata);
         } else {
           result.type;
-          const enqueueWithoutSplitting = !allowSplitInBuckets && initialBucketContainingAllVulns && !state.reachabilityAnalysisOptions.timeoutInSeconds;
-          await sendErrorAnalysisMetadata(result.message, !allowSplitInBuckets && isLastHeuristic(bucket.heuristic.name) && !enqueueWithoutSplitting, !allowSplitInBuckets);
-          if (enqueueWithoutSplitting) {
-            logger.info("Analysis failed, retrying different configuration.");
-            enqueueBucket(vulnDepIdentifiers);
-            return;
-          }
+          await sendErrorAnalysisMetadata(result.message, !allowSplitInBuckets && isLastHeuristic(bucket.heuristic.name), !allowSplitInBuckets);
           if (!allowSplitInBuckets) {
             augmentVulnsWithErrorMessage(vulnsForBucket, result.message);
             return;
@@ -112794,12 +112742,12 @@ var MavenAnalyzer = class {
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("maven-phantom-dependency-analysis", async (tmpDir) => {
       const scanner = this.state.workspaceData.type === "coana" ? await JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir) : await JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir);
-      return scanner.runPhantomDependencyAnalysis();
+      return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
     return withTmpDirectory("maven-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? await JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir, this.state.reachabilityAnalysisOptions.timeoutInSeconds, statusUpdater) : await JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir, this.state.reachabilityAnalysisOptions.timeoutInSeconds, statusUpdater);
+      const scanner = this.state.workspaceData.type === "coana" ? await JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir, statusUpdater) : await JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
       const heuristicsInOrder = [AlucardHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, analysisMetadataCollector, statusUpdater);
     });
@@ -112854,7 +112802,7 @@ var NpmAnalyzer = class {
       try {
         statusUpdater?.("Running import reachability analysis");
         logger.debug("Starting jelly import reachability analysis");
-        reachable = await runJellyImportReachabilityAnalysis(this.state.rootWorkingDir, this.projectDir, this.state.reachabilityAnalysisOptions);
+        reachable = await runJellyImportReachabilityAnalysis(this.state.rootWorkingDir, this.projectDir, vulns, this.state.reachabilityAnalysisOptions);
       } catch (e) {
         logger.debug("Error while running jelly import reachability analysis:", e);
       }
@@ -112932,12 +112880,12 @@ var NugetAnalyzer = class {
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("nuget-phantom-dependency-analysis", async (tmpDir) => {
       const scanner = this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree) : await DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir);
-      return scanner.runPhantomDependencyAnalysis();
+      return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
     return withTmpDirectory("nuget-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, this.state.reachabilityAnalysisOptions.timeoutInSeconds, statusUpdater) : await DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir, this.state.reachabilityAnalysisOptions.timeoutInSeconds, statusUpdater);
+      const scanner = this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : await DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
       const heuristicsInOrder = [CocoaHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, analysisMetadataCollector, statusUpdater);
     });
@@ -116307,7 +116255,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
     this.vendorDirWasCreated = true;
     logger.info("Done setting up vendor directory");
   }
-  async runAnalysis(vulns, heuristic, analyzesAllVulns, _experiment) {
+  async runAnalysis(vulns, heuristic, timeoutInSeconds, _experiment) {
     return await withTmpDirectory("ruby-analyzer-output", async (tmpDir) => {
       if (!this.vendorDir)
         throw new Error("Assertion error: The vendor directory is not correctly initialized");
@@ -116334,7 +116282,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
       const cmd = cmdt`
         ${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${this.options.memoryLimitInMB}
         ${analyzerPath}
-        --timeout ${analyzesAllVulns ? this.options.timeoutInSeconds ?? 600 : 60}
+        --timeout ${timeoutInSeconds}
         --load-path ${loadPaths}
         --vulnerabilities ${vulnAccPaths}
         --output-diagnostics ${diagnosticsOutputFile}
@@ -116533,12 +116481,12 @@ var RustAnalyzer = class {
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("cargo-phantom-dependency-analysis", async (tmpDir) => {
       const scanner = this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree) : await RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir);
-      return scanner.runPhantomDependencyAnalysis();
+      return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
     return withTmpDirectory("cargo-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, this.state.reachabilityAnalysisOptions.timeoutInSeconds, statusUpdater) : await RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir, this.state.reachabilityAnalysisOptions.timeoutInSeconds, statusUpdater);
+      const scanner = this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : await RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
       const heuristicsInOrder = [RusticaHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, analysisMetadataCollector, statusUpdater);
     });
@@ -116597,7 +116545,11 @@ var runReachabilityAnalysisCmd = new Command().name("runReachabilityAnalysis").a
 }, "reachability-analyzer"));
 var runOnDependencyChainCmd = new Command().name("runOnDependencyChain").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--coana-socket-path <socketPath>", "Coana socket path").option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).requiredOption("-i, --input-file <inputFile>", "Input file for data and vulnerabilities").requiredOption("-o, --output-file <outputFile>", "Output file for the results").configureHelp({ sortSubcommands: true, sortOptions: true }).action(async (options) => withLoggerAndSpinner("Coana Reachability Analyzers", options, async () => {
   const { ecosystem, dependencyChain, vulnerability } = JSON.parse(await readFile14(options.inputFile, "utf-8"));
-  const result = await analyzePackages(ecosystem, deserializeDependencyChain(ecosystem, dependencyChain), vulnerability);
+  const defaultOptions2 = {
+    timeoutSeconds: { allVulnRuns: 60, bucketedRuns: 60 },
+    memoryLimitInMB: 16384
+  };
+  const result = await analyzePackages(ecosystem, deserializeDependencyChain(ecosystem, dependencyChain), vulnerability, defaultOptions2);
   if (options.outputFile) {
     logger.debug("Writing result to file", options.outputFile);
     await writeFile9(options.outputFile, JSON.stringify({ result }));
@@ -116625,7 +116577,12 @@ var runOnPackageRegistryPackageCmd = new Command().name("runOnPackageRegistryPac
     else if (typeof vulnerability.vulnerabilityAccessPaths === "string")
       throw new Error(`Vulnerability ${options.vulnerability} has undeterminable reachability, so running the reachability analysis is not possible.`);
     const isFile4 = mainPackage.startsWith("file://");
-    const result = isFile4 ? await analyzeAlreadyInstalledPackages(options.ecosystem, [mainPackage, ...options.dependencies].map((p) => p.replace("file://", "")), vulnerability, { timeoutInSeconds: +options.analysisTimeout, memoryLimitInMB: +options.memoryLimit }) : await analyzePackages(options.ecosystem, deserializeDependencyChain(options.ecosystem, `${mainPackage}${options.dependencies.length > 0 ? ` > ${options.dependencies.join(" > ")}` : ""}`), vulnerability, { timeoutInSeconds: +options.analysisTimeout, memoryLimitInMB: +options.memoryLimit });
+    const analysisTimeout = +options.analysisTimeout;
+    const reachabilityOptions = {
+      timeoutSeconds: { allVulnRuns: analysisTimeout, bucketedRuns: analysisTimeout },
+      memoryLimitInMB: +options.memoryLimit
+    };
+    const result = isFile4 ? await analyzeAlreadyInstalledPackages(options.ecosystem, [mainPackage, ...options.dependencies].map((p) => p.replace("file://", "")), vulnerability, reachabilityOptions) : await analyzePackages(options.ecosystem, deserializeDependencyChain(options.ecosystem, `${mainPackage}${options.dependencies.length > 0 ? ` > ${options.dependencies.join(" > ")}` : ""}`), vulnerability, reachabilityOptions);
     if (options.outputFile) {
       logger.info("Writing result to file", options.outputFile);
       await writeFile9(options.outputFile, JSON.stringify(result, null, 2));

package/repos/coana-tech/jelly-private/dist/bundle/approx.js

@@ -7,11 +7,11 @@ import "./iterator-helpers-polyfill.js";
 import {
   require_hints,
   require_parser
-} from "./chunk-VD62II65.js";
+} from "./chunk-PAV2YSLW.js";
 import {
   require_proxy,
   require_sandbox
-} from "./chunk-GSPO4CLX.js";
+} from "./chunk-XJM6ACML.js";
 import {
   __commonJS,
   __name,
@@ -21,7 +21,7 @@ import {
   require_options,
   require_transform,
   require_util
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/approx/approx.js
 var require_approx = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-QVZRZ7F3.js → chunk-AO2BBATE.js}

@@ -10,7 +10,7 @@ import {
   __require,
   require_logger,
   require_options
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // node_modules/source-map/lib/base64.js
 var require_base64 = __commonJS({
@@ -224314,4 +224314,4 @@ typescript/lib/typescript.js:
   and limitations under the License.
   ***************************************************************************** *)
 */
-//# sourceMappingURL=chunk-QVZRZ7F3.js.map
+//# sourceMappingURL=chunk-AO2BBATE.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-VD62II65.js → chunk-PAV2YSLW.js}

@@ -14,7 +14,7 @@ import {
   require_options,
   require_tokens,
   require_util
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/parsing/parser.js
 var require_parser = __commonJS({
@@ -516,4 +516,4 @@ export {
   require_patching,
   require_hints
 };
-//# sourceMappingURL=chunk-VD62II65.js.map
+//# sourceMappingURL=chunk-PAV2YSLW.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-LY4UAG7A.js → chunk-VDHMBLB5.js}

@@ -10924,6 +10924,16 @@ var require_logger2 = __commonJS({
     exports.default = logger;
     function setLogLevel(level) {
       logger.level = options_1.options.loglevel = level;
+      for (const lvl of Object.keys(colors)) {
+        const fnName = `is${lvl.charAt(0).toUpperCase() + lvl.slice(1)}Enabled`;
+        delete logger[fnName];
+        Object.defineProperty(logger, fnName, {
+          value: logger.isLevelEnabled(lvl) ? () => true : () => false,
+          writable: false,
+          configurable: true,
+          enumerable: false
+        });
+      }
     }
     __name(setLogLevel, "setLogLevel");
     function logToFile(file) {
@@ -19701,4 +19711,4 @@ fill-range/index.js:
    * Licensed under the MIT License.
    *)
 */
-//# sourceMappingURL=chunk-LY4UAG7A.js.map
+//# sourceMappingURL=chunk-VDHMBLB5.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-GSPO4CLX.js → chunk-XJM6ACML.js}

@@ -9,7 +9,7 @@ import {
   __name,
   __require,
   require_transform
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/approx/proxy.js
 var require_proxy = __commonJS({
@@ -268,4 +268,4 @@ export {
   require_proxy,
   require_sandbox
 };
-//# sourceMappingURL=chunk-GSPO4CLX.js.map
+//# sourceMappingURL=chunk-XJM6ACML.js.map

package/repos/coana-tech/jelly-private/dist/bundle/hooks.js

@@ -6,10 +6,10 @@ import "./iterator-helpers-polyfill.js";
 
 import {
   require_moduleresolver
-} from "./chunk-QVZRZ7F3.js";
+} from "./chunk-AO2BBATE.js";
 import {
   require_sandbox
-} from "./chunk-GSPO4CLX.js";
+} from "./chunk-XJM6ACML.js";
 import {
   __commonJS,
   __name,
@@ -17,7 +17,7 @@ import {
   require_files,
   require_options,
   require_transform
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/approx/hooks.js
 var require_hooks = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/jelly.js

@@ -9,11 +9,11 @@ import {
   require_hints,
   require_parser,
   require_patching
-} from "./chunk-VD62II65.js";
+} from "./chunk-PAV2YSLW.js";
 import {
   require_moduleresolver,
   require_typescript
-} from "./chunk-QVZRZ7F3.js";
+} from "./chunk-AO2BBATE.js";
 import {
   __commonJS,
   __name,
@@ -37,7 +37,7 @@ import {
   require_tokens,
   require_transform,
   require_util
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/misc/timer.js
 var require_timer = __commonJS({
@@ -4367,6 +4367,8 @@ var require_analyzer = __commonJS({
             }
             if (options_1.options.modulesOnly) {
               (0, modulefinder_1.findModules)(ast, solver.fragmentState, moduleInfo);
+              if (d.modules % 16 === 0)
+                a.timeoutTimer.checkTimeout();
             } else {
               const moduleParams = (0, extras_1.preprocessAst)(ast, moduleInfo);
               (0, logger_1.writeStdOutIfActive)("Initializing...");