@coana-tech/cli 14.12.118 → 14.12.119

package/cli.mjs

@@ -250959,7 +250959,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.118";
+var version3 = "14.12.119";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.118",
+  "version": "14.12.119",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -110326,34 +110326,13 @@ function convertToArtifactForInstallation(dep) {
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/heuristics.js
+var largeIndirectionBoundOptions = {
+  maxIndirections: 1024
+};
 var AllPackagesHeuristic = {
   // Analyzing all packages disregarding what vulnerabilities affect the project being analyzed
   name: "ALL_PACKAGES",
-  getOptions: getAllPackagesHeuristicOptions,
-  splitAnalysisInBuckets: false
-};
-var DefaultOptionsHeuristic = {
-  // Analyzing all packages disregarding what vulnerabilities affect the project being analyzed
-  name: "DEFAULT_OPTIONS",
-  getOptions: () => ({}),
-  splitAnalysisInBuckets: false
-};
-var MaxRounds2Heuristic = {
-  // Analyzing all packages disregarding what vulnerabilities affect the project being analyzed and limiting the number of rounds to 3
-  name: "MAX_ROUNDS_2",
-  getOptions: () => getMaxRoundsHeuristicOptions(2),
-  splitAnalysisInBuckets: false
-};
-var MaxRounds3Heuristic = {
-  // Analyzing all packages disregarding what vulnerabilities affect the project being analyzed and limiting the number of rounds to 3
-  name: "MAX_ROUNDS_3",
-  getOptions: () => getMaxRoundsHeuristicOptions(3),
-  splitAnalysisInBuckets: false
-};
-var MaxRounds5Heuristic = {
-  // Analyzing all packages disregarding what vulnerabilities affect the project being analyzed and limiting the number of rounds to 5
-  name: "MAX_ROUNDS_5",
-  getOptions: () => getMaxRoundsHeuristicOptions(5),
+  getOptions: () => largeIndirectionBoundOptions,
   splitAnalysisInBuckets: false
 };
 var OnlyVulnPathPackagesExceptVulnerablePackageHeuristic = {
@@ -110362,37 +110341,10 @@ var OnlyVulnPathPackagesExceptVulnerablePackageHeuristic = {
   getOptions: getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions,
   splitAnalysisInBuckets: true
 };
-var OnlyVulnPathPackagesExceptVulnerablePackageAndMaxRounds2Heuristic = {
-  // Analyzing only packages that are in the path of the vulnerabilities being analyzed and limiting the number of rounds to 2
-  name: "ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_2",
-  getOptions: (vulnerabilities) => ({
-    ...getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions(vulnerabilities),
-    ...getMaxRoundsHeuristicOptions(2)
-  }),
-  splitAnalysisInBuckets: true
-};
-var OnlyVulnPathPackagesExceptVulnerablePackageAndMaxRounds3Heuristic = {
-  // Analyzing only packages that are in the path of the vulnerabilities being analyzed and limiting the number of rounds to 3
-  name: "ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_3",
-  getOptions: (vulnerabilities) => ({
-    ...getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions(vulnerabilities),
-    ...getMaxRoundsHeuristicOptions(3)
-  }),
-  splitAnalysisInBuckets: true
-};
-var OnlyVulnPathPackagesExceptVulnerablePackageAndMaxRounds8Heuristic = {
-  // Analyzing only packages that are in the path of the vulnerabilities being analyzed and limiting the number of rounds to 8
-  name: "ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_8",
-  getOptions: (vulnerabilities) => ({
-    ...getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions(vulnerabilities),
-    ...getMaxRoundsHeuristicOptions(8)
-  }),
-  splitAnalysisInBuckets: true
-};
-var IgnoreDependenciesAndMaxRounds3Heuristic = {
+var IgnoreDependenciesAndMaxIndirections3Heuristic = {
   name: "IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3",
-  getOptions: () => ({ includePackages: ["some_non_existing_package"], ...getMaxRoundsHeuristicOptions(3) }),
   // This heuristic will ignore all dependencies, but we need to provide a package name to have a value for the --include-packages option
+  getOptions: () => ({ includePackages: ["some_non_existing_package"], ...getMaxIndirectionsHeuristicOptions(3) }),
   splitAnalysisInBuckets: false
 };
 var ImportReachabilityHeuristic = {
@@ -110403,33 +110355,22 @@ var ImportReachabilityHeuristic = {
 };
 var heuristics = {
   ALL_PACKAGES: AllPackagesHeuristic,
-  DEFAULT_OPTIONS: DefaultOptionsHeuristic,
-  MAX_ROUNDS_2: MaxRounds2Heuristic,
-  MAX_ROUNDS_3: MaxRounds3Heuristic,
-  MAX_ROUNDS_5: MaxRounds5Heuristic,
   ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE: OnlyVulnPathPackagesExceptVulnerablePackageHeuristic,
-  ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_2: OnlyVulnPathPackagesExceptVulnerablePackageAndMaxRounds2Heuristic,
-  ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_3: OnlyVulnPathPackagesExceptVulnerablePackageAndMaxRounds3Heuristic,
-  ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_8: OnlyVulnPathPackagesExceptVulnerablePackageAndMaxRounds8Heuristic,
   createIncludePackagesHeuristic: (packageNames, options) => ({
     // Create a heuristic for only analyzing the packages in the packageNames array
     name: `INCLUDE_PACKAGES_${packageNames.join("_")}`,
     getOptions: () => ({ ...options, includePackages: packageNames }),
     splitAnalysisInBuckets: true
   }),
-  IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3: IgnoreDependenciesAndMaxRounds3Heuristic,
+  IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3: IgnoreDependenciesAndMaxIndirections3Heuristic,
   IMPORT_REACHABILITY: ImportReachabilityHeuristic
 };
-function getAllPackagesHeuristicOptions() {
-  return {};
-}
-function getMaxRoundsHeuristicOptions(maxRounds) {
-  return {
-    maxIndirections: maxRounds
-  };
+function getMaxIndirectionsHeuristicOptions(maxIndirections) {
+  return { maxIndirections };
 }
 function getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions(vulnerabilities) {
   return {
+    ...largeIndirectionBoundOptions,
     includePackages: computePackagesOnVulnPath(vulnerabilities)
   };
 }
@@ -110640,7 +110581,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       }) ?? []
     };
   }
-  static async runOnAlreadyDownloadedPackages(packages, vulnerability, reachabilityAnalysisOptions, baseHeuristic = heuristics.DEFAULT_OPTIONS) {
+  static async runOnAlreadyDownloadedPackages(packages, vulnerability, reachabilityAnalysisOptions, baseHeuristic = heuristics.ALL_PACKAGES) {
     return await withTmpDirectory("runOnAlreadyDownloadedPackagesNpm", async (tmpDir) => {
       const nodeModulesDir = join14(tmpDir, "node_modules");
       await mkdir8(nodeModulesDir);
@@ -110682,7 +110623,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       };
     });
   }
-  static async runOnDependencyChain(dependencyChain, vulnerability, reachabilityAnalysisOptions, baseHeuristic = heuristics.DEFAULT_OPTIONS) {
+  static async runOnDependencyChain(dependencyChain, vulnerability, reachabilityAnalysisOptions, baseHeuristic = heuristics.ALL_PACKAGES) {
     const [first2, ...rest] = dependencyChain;
     const packageJSONContent = buildPackageJSONForDependencyChain(first2, rest);
     const tmpDir = mkdtempSync(join14(tmpdir3(), "run-on-dependency-chain"));
@@ -111618,7 +111559,7 @@ async function analyzeAlreadyInstalledPackages(ecosystem, packages, vulnerabilit
   return { analysis: { name: analysisName, version: await getCurrentCommitHash(analysisName.toLowerCase()) }, result };
 }
 async function runWithJSHeuristics(cb) {
-  const orderedHeuristics = [heuristics.DEFAULT_OPTIONS, heuristics.MAX_ROUNDS_3, heuristics.MAX_ROUNDS_2];
+  const orderedHeuristics = [heuristics.ALL_PACKAGES];
   let result;
   for (const heuristic of orderedHeuristics) {
     result = await cb(heuristic);
@@ -112485,6 +112426,11 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       heuristicName: bucket.heuristicName,
       vulnUrls: bucket.vulnUrls.filter((vulnUrl) => vulnUrls.includes(vulnUrl))
     })).filter((bucket) => bucket.vulnUrls.length > 0);
+    for (const { heuristicName } of newBuckets)
+      if (!getHeuristicFromName(state, heuristicName, ecosystem)) {
+        logger.warn(`Could not find heuristic with name ${heuristicName} - ignoring cached buckets.`);
+        return void 0;
+      }
     const vulnUrlToPackageName = Object.fromEntries(vulnerabilities.map((v) => [v.url, v.dependency]));
     const vulnsNotInBucket = vulnerabilities.filter((v) => !newBuckets.some((b) => b.vulnUrls.includes(v.url)));
     for (const newVuln of vulnsNotInBucket) {
@@ -112915,11 +112861,7 @@ var NpmAnalyzer = class {
     }
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
-    const heuristicsInOrder = this.state.otherAnalysisOptions.lightweightReachability ? [heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3] : [
-      heuristics.ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE,
-      heuristics.ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_3,
-      heuristics.ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE_AND_MAX_ROUNDS_2
-    ];
+    const heuristicsInOrder = this.state.otherAnalysisOptions.lightweightReachability ? [heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3] : [heuristics.ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE];
     const nodeModulesAlreadyExisted = existsSync13(resolve21(this.state.subprojectDir, "node_modules"));
     this.preinstalledDependencies = nodeModulesAlreadyExisted ? "YES" : "NO";
     const wrappedCollector = (metadata) => {