@coana-tech/cli 14.12.112 → 14.12.114

package/cli.mjs

@@ -206052,6 +206052,8 @@ async function fetchManifestFilesFromManifestsTarHash(manifestsTarHash) {
   }
 }
 async function fetchArtifactsFromManifestsTarHash(manifestsTarHash, includePrecomputedReachabilityResults) {
+  logger.info("Fetching artifacts from Socket backend (this may take a while)");
+  logger.debug("manifests tar hash", manifestsTarHash);
   let responseData;
   try {
     const params = new URLSearchParams({
@@ -231911,6 +231913,8 @@ async function copyForNpmAnalysis(srcDir, prefix) {
   try {
     await cp4(srcDir, tmpDir, {
       recursive: true,
+      verbatimSymlinks: true,
+      // Preserve symlinks as symlinks instead of dereferencing them
       filter: async (src) => {
         const relativePath = relative15(srcDir, src);
         if (relativePath === "") return true;
@@ -231919,6 +231923,9 @@ async function copyForNpmAnalysis(srcDir, prefix) {
           return false;
         }
         const stats = await lstat2(src);
+        if (stats.isSymbolicLink()) {
+          return true;
+        }
         if (stats.isDirectory()) {
           return true;
         }
@@ -234402,310 +234409,10 @@ var signalFixApplied = (_fixId, subprojectPath, workspacePath, vulnerabilityFixe
 ${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVersion} to ${fix.fixedVersion}`).join("\n")}`);
 };
 
-// dist/internal/socket-mode-helpers-socket-dependency-trees.js
-import { basename as basename9, dirname as dirname26, join as join27, sep as sep6 } from "path";
-var REQUIREMENTS_FILES_SEARCH_DEPTH2 = 3;
-var venvExcludes = [
-  "venv",
-  ".venv",
-  "env",
-  ".env",
-  "virtualenv",
-  ".virtualenv",
-  "venvs",
-  ".venvs",
-  "envs",
-  ".envs",
-  "__pycache__",
-  ".tox",
-  ".nox",
-  ".pytest_cache",
-  "site-packages",
-  "dist-packages",
-  "conda-meta",
-  "conda-bld",
-  ".mypy_cache",
-  ".ruff_cache",
-  ".hypothesis"
-];
-function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonProjects) {
-  switch (ecosystem) {
-    case "NPM": {
-      const base = basename9(manifestPath);
-      const dir = dirname26(manifestPath);
-      return base === "package.json" ? dir || "." : void 0;
-    }
-    case "MAVEN": {
-      return ".";
-    }
-    case "PIP": {
-      if (venvExcludes.some((exclude) => manifestPath.startsWith(`${exclude}/`) || manifestPath.includes(`/${exclude}/`))) {
-        return void 0;
-      }
-      const base = basename9(manifestPath);
-      const dir = dirname26(manifestPath);
-      const workspaceDir = dir === "" ? "." : dir;
-      if (properPythonProjects.includes(workspaceDir)) {
-        return workspaceDir;
-      }
-      if (base === "poetry.lock" || base === "Pipfile.lock" || base === "uv.lock") {
-        return workspaceDir;
-      }
-      if (base.endsWith(".txt")) {
-        const properProjectDirs = properPythonProjects.filter((properProjectDir) => (properProjectDir === "." || workspaceDir === "." || workspaceDir.startsWith(properProjectDir)) && workspaceDir.replace(properProjectDir, "").split(sep6).length <= REQUIREMENTS_FILES_SEARCH_DEPTH2);
-        const longestProperProjectDir = l(properProjectDirs, [(d4) => d4.length, "desc"]);
-        if (longestProperProjectDir) {
-          return longestProperProjectDir;
-        }
-        return workspaceDir;
-      }
-      logger.warn(`No workspace found for manifest file ${manifestPath}`);
-      return void 0;
-    }
-    case "NUGET": {
-      return ".";
-    }
-    case "RUST": {
-      return dirname26(manifestPath) || ".";
-    }
-    case "GO": {
-      const base = basename9(manifestPath);
-      const dir = dirname26(manifestPath);
-      return base === "go.mod" ? dir || "." : void 0;
-    }
-    case "RUBYGEMS": {
-      return dirname26(manifestPath) || ".";
-    }
-    default: {
-      return ".";
-    }
-  }
-}
-function inferProjectFromManifestPath(ecosystem, manifestPath) {
-  switch (ecosystem) {
-    case "NPM": {
-      const filename = basename9(manifestPath);
-      if (["package-lock.json", "pnpm-lock.yaml", "pnpm-lock.yml", "yarn.lock"].includes(filename)) {
-        return dirname26(manifestPath) || ".";
-      }
-      return void 0;
-    }
-  }
-}
-function getAllToplevelAncestors(artifactMap, artifactId) {
-  const visited = /* @__PURE__ */ new Set();
-  const toplevelAncestors = /* @__PURE__ */ new Set();
-  function findAncestors(currentId) {
-    if (visited.has(currentId)) {
-      return;
-    }
-    visited.add(currentId);
-    const artifact = artifactMap.get(currentId);
-    if (!artifact) {
-      return;
-    }
-    if (artifact.toplevelAncestors && artifact.toplevelAncestors.length > 0) {
-      for (const ancestorId of artifact.toplevelAncestors) {
-        toplevelAncestors.add(ancestorId);
-        findAncestors(ancestorId);
-      }
-    }
-  }
-  findAncestors(artifactId);
-  return Array.from(toplevelAncestors);
-}
-async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash, mode, includePrecomputedReachabilityResults) {
-  logger.info("Fetching artifacts from Socket backend (this may take a while)");
-  logger.debug("manifests tar hash", manifestsTarHash);
-  try {
-    const { artifacts } = await fetchArtifactsFromManifestsTarHash(manifestsTarHash, includePrecomputedReachabilityResults);
-    const properPythonProjects = [];
-    const pipArtifactToRepresentativeManifest = {};
-    for (const artifact of artifacts) {
-      if (artifact.type === "pypi" && artifact.manifestFiles) {
-        pipArtifactToRepresentativeManifest[simplePurl(artifact.type, artifact.namespace ?? "", artifact.name ?? "", artifact.version ?? "")] = artifact;
-      }
-    }
-    const allFiles = await getFilesRelative(rootWorkingDirectory, venvExcludes);
-    for (const file of allFiles) {
-      const base = basename9(file);
-      const workspaceDir = dirname26(file) || ".";
-      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(join27(rootWorkingDirectory, file))) {
-        if (!properPythonProjects.includes(workspaceDir)) {
-          properPythonProjects.push(workspaceDir);
-        }
-      }
-    }
-    const dotnetManifestFiles = await glob([
-      "*.sln",
-      "*.*proj",
-      "*.targets",
-      "*.props",
-      "*.projitems",
-      "*.nuspec",
-      "packages.config",
-      "packages.*.config",
-      "packages.lock.json"
-    ], { cwd: rootWorkingDirectory, nodir: true, ignore: ["**/obj/**", "**/bin/**"], matchBase: true });
-    const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
-    const ecosystemToWorkspaceToAnalysisData = {};
-    const ecosystemWorkspaceVulnIds = /* @__PURE__ */ new Set();
-    const ecosystemToWorkspaceToVulnerabilities = {};
-    const purlsFailedToFindWorkspace = /* @__PURE__ */ new Set();
-    for (const artifact of artifacts) {
-      let processToplevelAncestors2 = function(artifact2) {
-        const allAncestorIds = getAllToplevelAncestors(artifactMap, artifact2.id);
-        allAncestorIds.forEach((ancestorId) => artifactMap.get(ancestorId)?.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file)));
-      };
-      var processToplevelAncestors = processToplevelAncestors2;
-      const ecosystem = getAdvisoryEcosystemFromPurlType(artifact.type);
-      if (!ecosystem)
-        continue;
-      const manifestFiles = [];
-      switch (ecosystem) {
-        case "NUGET": {
-          manifestFiles.push(...dotnetManifestFiles);
-          break;
-        }
-        case "PIP": {
-          const sPurl = simplePurl(artifact.type, artifact.namespace ?? null, artifact.name ?? null, artifact.version ?? null);
-          if (pipArtifactToRepresentativeManifest[sPurl]) {
-            manifestFiles.push(...(pipArtifactToRepresentativeManifest[sPurl].manifestFiles ?? []).map((ref) => ref.file));
-          }
-          processToplevelAncestors2(artifact);
-          break;
-        }
-        default: {
-          artifact.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file));
-          processToplevelAncestors2(artifact);
-          break;
-        }
-      }
-      const workspaceToManifestFiles = {};
-      manifestFiles.forEach((manifestFile) => {
-        const workspace = inferWorkspaceFromManifestPath(ecosystem, manifestFile, properPythonProjects);
-        if (!workspace)
-          return;
-        (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
-      });
-      if (Object.keys(workspaceToManifestFiles).length === 0) {
-        manifestFiles.forEach((manifestFile) => {
-          const workspace = inferProjectFromManifestPath(ecosystem, manifestFile);
-          if (!workspace)
-            return;
-          (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
-        });
-      }
-      if (Object.keys(workspaceToManifestFiles).length === 0 && artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
-        purlsFailedToFindWorkspace.add(simplePurl(artifact.type, artifact.namespace ?? null, artifact.name ?? null, artifact.version ?? null));
-      }
-      for (const [workspace, manifestFiles2] of Object.entries(workspaceToManifestFiles)) {
-        const workspaceData = (ecosystemToWorkspaceToAnalysisData[ecosystem] ??= {})[workspace] ??= {
-          type: "socket",
-          data: {
-            type: ecosystem,
-            manifestFiles: manifestFiles2,
-            artifacts: []
-          }
-        };
-        workspaceData.type;
-        workspaceData.data.artifacts.push(artifact);
-      }
-      if (artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
-        for (const workspace of Object.keys(workspaceToManifestFiles)) {
-          for (const vuln of artifact.vulnerabilities) {
-            const vulnerability = {
-              url: vuln.ghsaId,
-              severity: vuln.severity,
-              purlType: artifact.type,
-              range: vuln.range,
-              name: artifact.name ?? "",
-              dependency: artifact.name ?? "",
-              vulnChainDetails: computeVulnChainDetails(artifacts, artifact.id),
-              vulnerabilityAccessPaths: vuln.reachabilityData?.undeterminableReachability ? vuln.reachabilityData.publicComment ?? "" : vuln.reachabilityData?.pattern ?? null,
-              ecosystem,
-              artifactId: artifact.id,
-              precomputedReachabilityResult: vuln.reachabilityData?.precomputedReachabilityResult ?? null
-            };
-            const vulnId = `${ecosystem}-${workspace}-${artifact.namespace}-${artifact.name}-${artifact.version}-${vulnerability.url}`;
-            if (!ecosystemWorkspaceVulnIds.has(vulnId)) {
-              ecosystemWorkspaceVulnIds.add(vulnId);
-              ((ecosystemToWorkspaceToVulnerabilities[ecosystem] ??= {})[workspace] ??= []).push(vulnerability);
-            }
-          }
-        }
-      }
-    }
-    if (purlsFailedToFindWorkspace.size > 0) {
-      logger.warn(`Failed to find workspace for the following purls with vulnerabilities: ${Array.from(purlsFailedToFindWorkspace).join(", ")}.
-${mode === "reachability" ? "This means that we will not do a full reachability analysis for these vulnerabilities, but fallback to the results from the pre-computed reachability analysis." : ""}`);
-    }
-    return {
-      artifacts,
-      ecosystemToWorkspaceToAnalysisData,
-      ecosystemToWorkspaceToVulnerabilities
-    };
-  } catch (error) {
-    logger.error("Failed to fetch artifacts from Socket backend", error);
-    throw error;
-  }
-}
-function computeVulnChainDetails(artifacts, vulnerableArtifactId) {
-  const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
-  const parentsMap = /* @__PURE__ */ new Map();
-  for (const artifact of artifacts) {
-    if (artifact.dependencies) {
-      for (const depId of artifact.dependencies) {
-        if (!parentsMap.has(depId)) {
-          parentsMap.set(depId, []);
-        }
-        parentsMap.get(depId).push(artifact.id);
-      }
-    }
-  }
-  const res = {
-    packageName: "root",
-    version: "0.0.0",
-    children: [],
-    transitiveDependencies: {}
-  };
-  function addNode(currentId, childId, visited) {
-    if (visited.has(currentId))
-      return;
-    const currentArtifact = artifactMap.get(currentId);
-    if (!currentArtifact)
-      return;
-    const parents4 = parentsMap.get(currentId);
-    const newCurrentNode = {
-      packageName: getNameFromNamespaceAndName(currentArtifact.type, currentArtifact.namespace, currentArtifact.name),
-      version: currentArtifact.version ?? void 0,
-      children: []
-    };
-    res.transitiveDependencies[currentId] = newCurrentNode;
-    if (childId && !newCurrentNode.children.includes(childId)) {
-      newCurrentNode.children.push(childId);
-    }
-    if (currentId === vulnerableArtifactId) {
-      newCurrentNode.vulnerable = true;
-    }
-    if (currentArtifact.direct && !res.children.includes(currentId)) {
-      res.children.push(currentId);
-    }
-    visited.add(currentId);
-    if (parents4) {
-      for (const parentId of parents4) {
-        addNode(parentId, currentId, visited);
-      }
-    }
-  }
-  addNode(vulnerableArtifactId, void 0, /* @__PURE__ */ new Set());
-  return res;
-}
-
 // dist/cli-compute-fixes-and-upgrade-purls.js
 async function computeFixesAndUpgradePurls(path9, options, logFile) {
   const autofixRunId = options.manifestsTarHash && await getSocketAPI().registerAutofixOrUpgradePurlRun(options.manifestsTarHash, options, "autofix");
-  const { artifacts, ghsaToVulnerableArtifactIds, socketFactArtifacts } = await computeInputForComputingFixes(path9, options);
+  const { artifacts, ghsaToVulnerableArtifactIds, socketFactArtifacts } = await computeInputForComputingFixes(options);
   if (Object.keys(ghsaToVulnerableArtifactIds).length === 0) {
     logger.info("Found no vulnerabilities in the project");
     return { type: "no-vulnerabilities-found" };
@@ -234715,7 +234422,21 @@ async function computeFixesAndUpgradePurls(path9, options, logFile) {
     logger.info("Consider running the tool again, requesting a fix for one of the detected vulnerabilities");
     return { type: "no-ghsas-fix-requested", ghsas: Object.keys(ghsaToVulnerableArtifactIds) };
   }
-  const ghsaToVulnerableArtifactIdsToApply = options.applyFixesTo.includes("all") ? ghsaToVulnerableArtifactIds : Object.fromEntries(Object.entries(ghsaToVulnerableArtifactIds).filter(([ghsa]) => options.applyFixesTo.includes(ghsa)));
+  const ghsaToVulnerableArtifactIdsToApplyBeforePurlTypeFilter = options.applyFixesTo.includes("all") ? ghsaToVulnerableArtifactIds : Object.fromEntries(Object.entries(ghsaToVulnerableArtifactIds).filter(([ghsa]) => options.applyFixesTo.includes(ghsa)));
+  const ghsaToVulnerableArtifactIdsToApply = {};
+  for (const [ghsa, artifactIds] of Object.entries(ghsaToVulnerableArtifactIdsToApplyBeforePurlTypeFilter)) {
+    const filteredIds = artifactIds.filter((id) => {
+      const artifact = socketFactArtifacts[id];
+      if (!options.purlTypes || options.purlTypes.includes(artifact.type)) {
+        return true;
+      }
+      logger.warn(`Skipping upgrade for ${purlToString(artifact)} (${ghsa}) - type '${artifact.type}' not in specified types: ${options.purlTypes.join(", ")}`);
+      return false;
+    });
+    if (filteredIds.length > 0) {
+      ghsaToVulnerableArtifactIdsToApply[ghsa] = filteredIds;
+    }
+  }
   if (Object.keys(ghsaToVulnerableArtifactIdsToApply).length === 0) {
     logger.info("There is no overlap between the requested fixes and the detected vulnerabilities");
     logger.info("Consider running the tool again, requesting a fix for one of the detected vulnerabilities");
@@ -234820,10 +234541,10 @@ async function computeFixesAndUpgradePurls(path9, options, logFile) {
     throw error;
   }
 }
-async function computeInputForComputingFixes(path9, options) {
+async function computeInputForComputingFixes(options) {
   if (!options.manifestsTarHash)
     throw new Error("Manifests tar hash is required for computing fixes");
-  const { artifacts } = await fetchArtifactsFromSocket(path9, options.manifestsTarHash, "autofix");
+  const { artifacts } = await fetchArtifactsFromManifestsTarHash(options.manifestsTarHash);
   const ghsaToVulnerableArtifactIds = {};
   for (const [index2, artifact] of artifacts.entries()) {
     if (!artifact.vulnerabilities)
@@ -234866,7 +234587,6 @@ async function computeDirectDependencyUpgrades(artifacts, fixesFound) {
         } else {
           directUpdates[purl] = { transitiveFixes: [indirectFix] };
         }
-        directUpdates[purl] = { transitiveFixes: [indirectFix] };
       }
     }
     packageFixes[ghsa] = {
@@ -235573,7 +235293,7 @@ var DEFAULT_REPORT_FILENAME_BASE = "coana-report";
 // dist/internal/exclude-dirs-from-configuration-files.js
 import { existsSync as existsSync22 } from "fs";
 import { readFile as readFile32 } from "fs/promises";
-import { basename as basename10, resolve as resolve42 } from "path";
+import { basename as basename9, resolve as resolve42 } from "path";
 var import_yaml2 = __toESM(require_dist12(), 1);
 async function inferExcludeDirsFromConfigurationFiles(rootWorkingDir) {
   const socketYmlConfigFile = resolve42(rootWorkingDir, "socket.yml");
@@ -235593,7 +235313,7 @@ async function inferExcludeDirsFromSocketConfig(socketConfigFile) {
       return void 0;
     if (ignorePaths.some((ignorePath) => ignorePath.includes("!")))
       return void 0;
-    logger.info(`Inferring paths to exclude based on Socket config file: ${basename10(socketConfigFile)}`);
+    logger.info(`Inferring paths to exclude based on Socket config file: ${basename9(socketConfigFile)}`);
     return config3.projectIgnorePaths;
   } catch (e) {
     return void 0;
@@ -235701,7 +235421,7 @@ async function scanForVulnerabilitiesSocketMode(dependencyTree) {
           range: vulnerability.range,
           name: dependencyTreeNode.packageName,
           dependency: dependencyTreeNode.packageName,
-          vulnChainDetails: computeVulnChainDetails2(dependencyTree, dependencyIdentifier, parentsMap),
+          vulnChainDetails: computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMap),
           vulnerabilityAccessPaths: vulnerability.reachabilityData?.pattern ?? null,
           ecosystem: dependencyTree.ecosystem
         });
@@ -235713,7 +235433,7 @@ async function scanForVulnerabilitiesSocketMode(dependencyTree) {
   }
   return vulnerabilities;
 }
-function computeVulnChainDetails2(dependencyTree, dependencyIdentifier, parentsMap) {
+function computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMap) {
   const res = {
     packageName: "root",
     version: "0.0.0",
@@ -235750,6 +235470,304 @@ function transformToVulnChainNode(dependencyTree) {
   };
 }
 
+// dist/internal/socket-mode-helpers-socket-dependency-trees.js
+import { basename as basename10, dirname as dirname26, join as join27, sep as sep6 } from "path";
+var REQUIREMENTS_FILES_SEARCH_DEPTH2 = 3;
+var venvExcludes = [
+  "venv",
+  ".venv",
+  "env",
+  ".env",
+  "virtualenv",
+  ".virtualenv",
+  "venvs",
+  ".venvs",
+  "envs",
+  ".envs",
+  "__pycache__",
+  ".tox",
+  ".nox",
+  ".pytest_cache",
+  "site-packages",
+  "dist-packages",
+  "conda-meta",
+  "conda-bld",
+  ".mypy_cache",
+  ".ruff_cache",
+  ".hypothesis"
+];
+function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonProjects) {
+  switch (ecosystem) {
+    case "NPM": {
+      const base = basename10(manifestPath);
+      const dir = dirname26(manifestPath);
+      return base === "package.json" ? dir || "." : void 0;
+    }
+    case "MAVEN": {
+      return ".";
+    }
+    case "PIP": {
+      if (venvExcludes.some((exclude) => manifestPath.startsWith(`${exclude}/`) || manifestPath.includes(`/${exclude}/`))) {
+        return void 0;
+      }
+      const base = basename10(manifestPath);
+      const dir = dirname26(manifestPath);
+      const workspaceDir = dir === "" ? "." : dir;
+      if (properPythonProjects.includes(workspaceDir)) {
+        return workspaceDir;
+      }
+      if (base === "poetry.lock" || base === "Pipfile.lock" || base === "uv.lock") {
+        return workspaceDir;
+      }
+      if (base.endsWith(".txt")) {
+        const properProjectDirs = properPythonProjects.filter((properProjectDir) => (properProjectDir === "." || workspaceDir === "." || workspaceDir.startsWith(properProjectDir)) && workspaceDir.replace(properProjectDir, "").split(sep6).length <= REQUIREMENTS_FILES_SEARCH_DEPTH2);
+        const longestProperProjectDir = l(properProjectDirs, [(d4) => d4.length, "desc"]);
+        if (longestProperProjectDir) {
+          return longestProperProjectDir;
+        }
+        return workspaceDir;
+      }
+      logger.warn(`No workspace found for manifest file ${manifestPath}`);
+      return void 0;
+    }
+    case "NUGET": {
+      return ".";
+    }
+    case "RUST": {
+      return dirname26(manifestPath) || ".";
+    }
+    case "GO": {
+      const base = basename10(manifestPath);
+      const dir = dirname26(manifestPath);
+      return base === "go.mod" ? dir || "." : void 0;
+    }
+    case "RUBYGEMS": {
+      return dirname26(manifestPath) || ".";
+    }
+    default: {
+      return ".";
+    }
+  }
+}
+function inferProjectFromManifestPath(ecosystem, manifestPath) {
+  switch (ecosystem) {
+    case "NPM": {
+      const filename = basename10(manifestPath);
+      if (["package-lock.json", "pnpm-lock.yaml", "pnpm-lock.yml", "yarn.lock"].includes(filename)) {
+        return dirname26(manifestPath) || ".";
+      }
+      return void 0;
+    }
+  }
+}
+function getAllToplevelAncestors(artifactMap, artifactId) {
+  const visited = /* @__PURE__ */ new Set();
+  const toplevelAncestors = /* @__PURE__ */ new Set();
+  function findAncestors(currentId) {
+    if (visited.has(currentId)) {
+      return;
+    }
+    visited.add(currentId);
+    const artifact = artifactMap.get(currentId);
+    if (!artifact) {
+      return;
+    }
+    if (artifact.toplevelAncestors && artifact.toplevelAncestors.length > 0) {
+      for (const ancestorId of artifact.toplevelAncestors) {
+        toplevelAncestors.add(ancestorId);
+        findAncestors(ancestorId);
+      }
+    }
+  }
+  findAncestors(artifactId);
+  return Array.from(toplevelAncestors);
+}
+async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash, mode, includePrecomputedReachabilityResults) {
+  try {
+    const { artifacts } = await fetchArtifactsFromManifestsTarHash(manifestsTarHash, includePrecomputedReachabilityResults);
+    const properPythonProjects = [];
+    const pipArtifactToRepresentativeManifest = {};
+    for (const artifact of artifacts) {
+      if (artifact.type === "pypi" && artifact.manifestFiles) {
+        pipArtifactToRepresentativeManifest[simplePurl(artifact.type, artifact.namespace ?? "", artifact.name ?? "", artifact.version ?? "")] = artifact;
+      }
+    }
+    const allFiles = await getFilesRelative(rootWorkingDirectory, venvExcludes);
+    for (const file of allFiles) {
+      const base = basename10(file);
+      const workspaceDir = dirname26(file) || ".";
+      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(join27(rootWorkingDirectory, file))) {
+        if (!properPythonProjects.includes(workspaceDir)) {
+          properPythonProjects.push(workspaceDir);
+        }
+      }
+    }
+    const dotnetManifestFiles = await glob([
+      "*.sln",
+      "*.*proj",
+      "*.targets",
+      "*.props",
+      "*.projitems",
+      "*.nuspec",
+      "packages.config",
+      "packages.*.config",
+      "packages.lock.json"
+    ], { cwd: rootWorkingDirectory, nodir: true, ignore: ["**/obj/**", "**/bin/**"], matchBase: true });
+    const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
+    const ecosystemToWorkspaceToAnalysisData = {};
+    const ecosystemWorkspaceVulnIds = /* @__PURE__ */ new Set();
+    const ecosystemToWorkspaceToVulnerabilities = {};
+    const purlsFailedToFindWorkspace = /* @__PURE__ */ new Set();
+    for (const artifact of artifacts) {
+      let processToplevelAncestors2 = function(artifact2) {
+        const allAncestorIds = getAllToplevelAncestors(artifactMap, artifact2.id);
+        allAncestorIds.forEach((ancestorId) => artifactMap.get(ancestorId)?.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file)));
+      };
+      var processToplevelAncestors = processToplevelAncestors2;
+      const ecosystem = getAdvisoryEcosystemFromPurlType(artifact.type);
+      if (!ecosystem)
+        continue;
+      const manifestFiles = [];
+      switch (ecosystem) {
+        case "NUGET": {
+          manifestFiles.push(...dotnetManifestFiles);
+          break;
+        }
+        case "PIP": {
+          const sPurl = simplePurl(artifact.type, artifact.namespace ?? null, artifact.name ?? null, artifact.version ?? null);
+          if (pipArtifactToRepresentativeManifest[sPurl]) {
+            manifestFiles.push(...(pipArtifactToRepresentativeManifest[sPurl].manifestFiles ?? []).map((ref) => ref.file));
+          }
+          processToplevelAncestors2(artifact);
+          break;
+        }
+        default: {
+          artifact.manifestFiles?.forEach((ref) => manifestFiles.push(ref.file));
+          processToplevelAncestors2(artifact);
+          break;
+        }
+      }
+      const workspaceToManifestFiles = {};
+      manifestFiles.forEach((manifestFile) => {
+        const workspace = inferWorkspaceFromManifestPath(ecosystem, manifestFile, properPythonProjects);
+        if (!workspace)
+          return;
+        (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
+      });
+      if (Object.keys(workspaceToManifestFiles).length === 0) {
+        manifestFiles.forEach((manifestFile) => {
+          const workspace = inferProjectFromManifestPath(ecosystem, manifestFile);
+          if (!workspace)
+            return;
+          (workspaceToManifestFiles[workspace] ??= []).push(manifestFile);
+        });
+      }
+      if (Object.keys(workspaceToManifestFiles).length === 0 && artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
+        purlsFailedToFindWorkspace.add(simplePurl(artifact.type, artifact.namespace ?? null, artifact.name ?? null, artifact.version ?? null));
+      }
+      for (const [workspace, manifestFiles2] of Object.entries(workspaceToManifestFiles)) {
+        const workspaceData = (ecosystemToWorkspaceToAnalysisData[ecosystem] ??= {})[workspace] ??= {
+          type: "socket",
+          data: {
+            type: ecosystem,
+            manifestFiles: manifestFiles2,
+            artifacts: []
+          }
+        };
+        workspaceData.type;
+        workspaceData.data.artifacts.push(artifact);
+      }
+      if (artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
+        for (const workspace of Object.keys(workspaceToManifestFiles)) {
+          for (const vuln of artifact.vulnerabilities) {
+            const vulnerability = {
+              url: vuln.ghsaId,
+              severity: vuln.severity,
+              purlType: artifact.type,
+              range: vuln.range,
+              name: artifact.name ?? "",
+              dependency: artifact.name ?? "",
+              vulnChainDetails: computeVulnChainDetails2(artifacts, artifact.id),
+              vulnerabilityAccessPaths: vuln.reachabilityData?.undeterminableReachability ? vuln.reachabilityData.publicComment ?? "" : vuln.reachabilityData?.pattern ?? null,
+              ecosystem,
+              artifactId: artifact.id,
+              precomputedReachabilityResult: vuln.reachabilityData?.precomputedReachabilityResult ?? null
+            };
+            const vulnId = `${ecosystem}-${workspace}-${artifact.namespace}-${artifact.name}-${artifact.version}-${vulnerability.url}`;
+            if (!ecosystemWorkspaceVulnIds.has(vulnId)) {
+              ecosystemWorkspaceVulnIds.add(vulnId);
+              ((ecosystemToWorkspaceToVulnerabilities[ecosystem] ??= {})[workspace] ??= []).push(vulnerability);
+            }
+          }
+        }
+      }
+    }
+    if (purlsFailedToFindWorkspace.size > 0) {
+      logger.warn(`Failed to find workspace for the following purls with vulnerabilities: ${Array.from(purlsFailedToFindWorkspace).join(", ")}.
+${mode === "reachability" ? "This means that we will not do a full reachability analysis for these vulnerabilities, but fallback to the results from the pre-computed reachability analysis." : ""}`);
+    }
+    return {
+      artifacts,
+      ecosystemToWorkspaceToAnalysisData,
+      ecosystemToWorkspaceToVulnerabilities
+    };
+  } catch (error) {
+    logger.error("Failed to fetch artifacts from Socket backend", error);
+    throw error;
+  }
+}
+function computeVulnChainDetails2(artifacts, vulnerableArtifactId) {
+  const artifactMap = new Map(artifacts.map((a4) => [a4.id, a4]));
+  const parentsMap = /* @__PURE__ */ new Map();
+  for (const artifact of artifacts) {
+    if (artifact.dependencies) {
+      for (const depId of artifact.dependencies) {
+        if (!parentsMap.has(depId)) {
+          parentsMap.set(depId, []);
+        }
+        parentsMap.get(depId).push(artifact.id);
+      }
+    }
+  }
+  const res = {
+    packageName: "root",
+    version: "0.0.0",
+    children: [],
+    transitiveDependencies: {}
+  };
+  function addNode(currentId, childId, visited) {
+    if (visited.has(currentId))
+      return;
+    const currentArtifact = artifactMap.get(currentId);
+    if (!currentArtifact)
+      return;
+    const parents4 = parentsMap.get(currentId);
+    const newCurrentNode = {
+      packageName: getNameFromNamespaceAndName(currentArtifact.type, currentArtifact.namespace, currentArtifact.name),
+      version: currentArtifact.version ?? void 0,
+      children: []
+    };
+    res.transitiveDependencies[currentId] = newCurrentNode;
+    if (childId && !newCurrentNode.children.includes(childId)) {
+      newCurrentNode.children.push(childId);
+    }
+    if (currentId === vulnerableArtifactId) {
+      newCurrentNode.vulnerable = true;
+    }
+    if (currentArtifact.direct && !res.children.includes(currentId)) {
+      res.children.push(currentId);
+    }
+    visited.add(currentId);
+    if (parents4) {
+      for (const parentId of parents4) {
+        addNode(parentId, currentId, visited);
+      }
+    }
+  }
+  addNode(vulnerableArtifactId, void 0, /* @__PURE__ */ new Set());
+  return res;
+}
+
 // dist/internal/socket-report-coana-dependency-tree.js
 var MAX_STACKS_TO_SEND = 10;
 function toSocketFacts(report, dependencyTrees, subPjToWsPathToDirectDependencies) {
@@ -250816,7 +250834,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.112";
+var version3 = "14.12.114";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -251744,7 +251762,7 @@ applyFixes.name("apply-fixes").argument("<path>", "File system path to the folde
   await applyFix(path9, fixIds, options);
 }).configureHelp({ sortOptions: true });
 var computeFixesAndUpgradePurlsCmd = new Command();
-computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-i, --include <patterns...>", "Glob patterns to include workspaces").option("-e, --exclude <patterns...>", "Glob patterns to exclude workspaces").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').option("--disable-major-updates", "Do not suggest major updates. If only major update are available, the fix will not be applied.", false).option("-o, --output-file <file>", "Writes output to a JSON file").option("--minimum-release-age <minimumReleaseAge>", "Do not allow upgrades to package versions that are newer than minimumReleaseAge. Format is 2m, 5h, 3d or 1w").option("--show-affected-direct-dependencies", "Show the affected direct dependencies for each vulnerability and what upgrades could fix them - does not apply the upgrades.", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version3).action(async (path9, options) => {
+computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-i, --include <patterns...>", "Glob patterns to include workspaces").option("-e, --exclude <patterns...>", "Glob patterns to exclude workspaces").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').option("--disable-major-updates", "Do not suggest major updates. If only major update are available, the fix will not be applied.", false).option("-o, --output-file <file>", "Writes output to a JSON file").option("--minimum-release-age <minimumReleaseAge>", "Do not allow upgrades to package versions that are newer than minimumReleaseAge. Format is 2m, 5h, 3d or 1w").option("--show-affected-direct-dependencies", "Show the affected direct dependencies for each vulnerability and what upgrades could fix them - does not apply the upgrades.", false).option("--purl-types <purlTypes...>", "List of PURL types to filter artifacts by (space-separated). Only vulnerabilities from artifacts matching these types will be included.").addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version3).action(async (path9, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version3;
   if (options.outputFile && !options.outputFile.endsWith(".json")) {
     throw new Error("Output file must have a .json extension");
@@ -251755,6 +251773,7 @@ computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument(
   if (options.rangeStyle && options.rangeStyle !== "pin") {
     throw new Error('Range style must be "pin"');
   }
+  options.purlTypes = options.purlTypes?.map((t4) => t4.toLowerCase());
   const tmpDir = await mkdtemp2(join30(tmpdir3(), "compute-fixes-and-upgrade-purls-"));
   const logFile = join30(tmpDir, "compute-fixes-and-upgrade-purls.log");
   logger.initWinstonLogger(options.debug, logFile);
@@ -251806,11 +251825,13 @@ compareReportsCommand.name("compare-reports").argument("<baselineReportPath>", "
   await compareReports(baselineReport, newReport, options);
 });
 var findVulnerabilities = new Command();
-findVulnerabilities.name("find-vulnerabilities").requiredOption("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket.").action(async (options) => {
+findVulnerabilities.name("find-vulnerabilities").requiredOption("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket.").option("--purl-types <purlTypes...>", "List of PURL types to filter artifacts by (space-separated). Only vulnerabilities from artifacts matching these types will be included.").action(async (options) => {
+  const purlTypes = options.purlTypes?.map((t4) => t4.toLowerCase());
   const { artifacts } = await fetchArtifactsFromManifestsTarHash(options.manifestsTarHash);
-  console.log(JSON.stringify(i(artifacts.flatMap((a4) => a4.vulnerabilities?.map((v) => v.ghsaId) ?? []))));
+  const filteredArtifacts = purlTypes ? artifacts.filter((a4) => purlTypes.includes(a4.type)) : artifacts;
+  console.log(JSON.stringify(i(filteredArtifacts.flatMap((a4) => a4.vulnerabilities?.map((v) => v.ghsaId) ?? []))));
 });
-program2.name("coana-cli").addCommand(run2, { isDefault: true }).addCommand(findVulnerabilities).addCommand(applyFixes).addCommand(compareReportsCommand).addCommand(computeFixesAndUpgradePurlsCmd, { hidden: true }).configureHelp({ sortSubcommands: true }).version(version3);
+program2.name("coana-cli").addCommand(run2, { isDefault: true }).addCommand(findVulnerabilities, { hidden: true }).addCommand(applyFixes).addCommand(compareReportsCommand).addCommand(computeFixesAndUpgradePurlsCmd, { hidden: true }).configureHelp({ sortSubcommands: true }).version(version3);
 program2.parseAsync();
 var defaultCliOptions = {
   debug: false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.112",
+  "version": "14.12.114",
   "description": "Coana CLI",
   "type": "module",
   "bin": {