@coana-tech/cli 14.12.127 → 14.12.128

package/cli.mjs

@@ -251101,7 +251101,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.127";
+var version3 = "14.12.128";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.127",
+  "version": "14.12.128",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -80232,7 +80232,7 @@ async function sendRegressionsToDashboard(regressions, subprojectPath, workspace
     );
   } catch (e) {
     sendWarningToDashboard(
-      "Unable to get latest buckets",
+      "Unable to send regressions from experimental runs",
       { subprojectPath, workspacePath, reportId },
       void 0,
       reportId,
@@ -95833,7 +95833,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile4(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL" });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile6(outputFile, "utf-8")).result;
@@ -95872,7 +95872,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile4(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL" });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile6(outputFile, "utf-8")).result;
@@ -109809,7 +109809,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve11(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL" });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile7(outputFile, "utf-8")).result;
@@ -109848,7 +109848,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve11(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL" });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile7(outputFile, "utf-8")).result;
@@ -110479,9 +110479,8 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
       void 0,
       // If experiment is enabled, fail if Jelly exceeds 1.5x the timeout.
       // Otherwise, fail if Jelly exceeds 3x the timeout.
-      // This helps avoid pathological cases where hitting the memory cap makes GC dominate execution,
-      // causing timeout checks to not trigger promptly.
-      { timeout: timeoutInSeconds * 1e3 * (experiment ? 1.5 : 3) }
+      // Use SIGKILL to ensure termination even if the process is unresponsive (e.g., due to GC pressure).
+      { timeout: timeoutInSeconds * 1e3 * (experiment ? 1.5 : 3), killSignal: "SIGKILL" }
     );
     if (reachabilityAnalysisOptions.printLogFile)
       logger.info("JS analysis log file:", await readFile8(logFile, "utf-8"));
@@ -110522,7 +110521,10 @@ async function runJellyPhantomDependencyAnalysis(projectRoot, options) {
     const jellyCmd = cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${options.memoryLimitInMB}
       ${jellyExecutable} --basedir ${projectRoot} --modules-only --ignore-dependencies
         --reachable-json ${reachablePackagesFile} ${projectRoot}`;
-    await runCommandResolveStdOut2(jellyCmd, void 0, { timeout: options.timeoutSeconds.allVulnRuns * 1e3 });
+    await runCommandResolveStdOut2(jellyCmd, void 0, {
+      timeout: options.timeoutSeconds.allVulnRuns * 1e3,
+      killSignal: "SIGKILL"
+    });
     return JSON.parse(await readFile8(reachablePackagesFile, "utf-8")).packages;
   } finally {
     await rm2(tmpFolder, { recursive: true });
@@ -110539,7 +110541,10 @@ async function runJellyImportReachabilityAnalysis(mainProjectRoot, projectRoot,
         ${getExcludes(mainProjectRoot, projectRoot, options)}
         --reachable-json ${reachableModulesFile}
         ${options.entryPoints ?? projectRoot}`;
-    await runCommandResolveStdOut2(jellyCmd, void 0, { timeout: options.timeoutSeconds.allVulnRuns * 1e3 });
+    await runCommandResolveStdOut2(jellyCmd, void 0, {
+      timeout: options.timeoutSeconds.allVulnRuns * 1e3,
+      killSignal: "SIGKILL"
+    });
     return JSON.parse(await readFile8(reachableModulesFile, "utf-8"));
   } finally {
     await rm2(tmpFolder, { recursive: true });
@@ -110798,6 +110803,7 @@ var GoCodeAwareVulnerabilityScanner = class {
           -topk=4 ${heuristic.includeTests && "-tests"}
           ${this.projectDir} ${vulnAccPaths}`, void 0, {
         timeout: timeoutInSeconds * 1e3,
+        killSignal: "SIGKILL",
         env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${memoryLimitInMB}MiB` } : void 0
       });
       if (error) {
@@ -111197,7 +111203,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve16(tmpDir, "output.json");
       await writeFile8(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL" });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile10(outputFile, "utf-8")).result;
@@ -111233,7 +111239,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve16(tmpDir, "output.json");
       await writeFile8(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(effectiveTimeout * 1.5, effectiveTimeout + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL" });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile10(outputFile, "utf-8")).result;
@@ -111760,8 +111766,10 @@ ${vulnAccPaths.join("\n")}`);
           ...process.env,
           PYPY_GC_MAX: `${reachabilityAnalysisOptions.memoryLimitInMB ?? 0}MB`
         },
-        // Forcefully kill the process if the internal timeout mechanism fails
-        timeout: (timeoutInSeconds * 1.5 + 15) * 1e3
+        // Forcefully kill the process if the internal timeout mechanism fails.
+        // Use SIGKILL to ensure termination even if the process is unresponsive.
+        timeout: (timeoutInSeconds * 1.5 + 15) * 1e3,
+        killSignal: "SIGKILL"
       });
       logger.debug("Done running mambalade");
       const errors = stderr.split("\n").filter((line) => line.startsWith("ERROR:") && !/^ERROR: Excluded distribution/.test(line));
@@ -112420,23 +112428,22 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       const experimentalUrlToReachability = transformVulnsToUrlToReachability(experimentalRes.augmentedVulnerabilities);
       const vulnUrlsWithPotentialRegressions = experimentalRes.augmentedVulnerabilities.filter((v) => previousAnalysisResults.reachabilityResults[v.url] && // If the vulnerability is new we do not have a previous reachability result
       getVulnReachability(v.results) !== previousAnalysisResults.reachabilityResults[v.url]).map((v) => v.url);
-      const bucketsToRecompute = experimentalRes.analysisMetadata.filter((am) => am.vulnUrls.some((v) => vulnUrlsWithPotentialRegressions.includes(v)));
-      const bucketsNotToRecompute = experimentalRes.analysisMetadata.filter((am) => !am.vulnUrls.some((v) => vulnUrlsWithPotentialRegressions.includes(v)));
-      bucketsToRecompute.forEach((b) => {
-        analysisMetadataCollector?.(Object.assign({}, b, { finalResult: false }));
-      });
-      bucketsNotToRecompute.forEach((b) => {
+      const [bucketsToRecompute, bucketsNotToRecompute] = import_lodash17.default.partition(experimentalRes.analysisMetadata, (am) => am.vulnUrls.some((v) => vulnUrlsWithPotentialRegressions.includes(v)));
+      for (const b of bucketsToRecompute)
+        analysisMetadataCollector?.({ ...b, finalResult: false });
+      for (const b of bucketsNotToRecompute)
         analysisMetadataCollector?.(b);
-      });
-      sendTimeRegressionsToDashboard(expHeuristicName, previousAnalysisResults.analysisMetadata, bucketsNotToRecompute);
+      await sendTimeRegressionsToDashboard(expHeuristicName, previousAnalysisResults.analysisMetadata, bucketsNotToRecompute);
       let resWithoutExperimentalHeuristic;
       if (bucketsToRecompute.length > 0) {
         resWithoutExperimentalHeuristic = await analyzeAndAugmentVulns(bucketsToRecompute.map((b) => ({
           heuristic: getHeuristicFromName(state, b.heuristicName, ecosystem),
           vulnerabilities: b.vulnUrls.map((vUrl) => vulnerabilities.find((v) => v.url === vUrl))
         })), analysisMetadataCollector, true);
-        sendTimeRegressionsToDashboard(expHeuristicName, resWithoutExperimentalHeuristic.analysisMetadata, bucketsToRecompute);
-        sendReachabilityRegressionsToDashboard(resWithoutExperimentalHeuristic.analysisMetadata[0].heuristicName, expHeuristicName, transformVulnsToUrlToReachability(resWithoutExperimentalHeuristic.augmentedVulnerabilities), experimentalUrlToReachability);
+        await Promise.all([
+          sendTimeRegressionsToDashboard(expHeuristicName, resWithoutExperimentalHeuristic.analysisMetadata, bucketsToRecompute),
+          sendReachabilityRegressionsToDashboard(resWithoutExperimentalHeuristic.analysisMetadata[0].heuristicName, expHeuristicName, transformVulnsToUrlToReachability(resWithoutExperimentalHeuristic.augmentedVulnerabilities), experimentalUrlToReachability)
+        ]);
       }
       const vulnsToGetFromExperimental = bucketsNotToRecompute.flatMap((b) => b.vulnUrls);
       return {
@@ -112610,52 +112617,51 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       return false;
     return oldDiagnostics.timings?.totalTime * 1.3 < newDiagnostics.timings?.totalTime && oldDiagnostics.timings?.totalTime + 5e3 < newDiagnostics.timings?.totalTime;
   }
-  function sendTimeRegressionsToDashboard(experimentName, oldAnalysisMetadata, newAnalysisMetadata) {
+  async function sendTimeRegressionsToDashboard(experimentName, oldAnalysisMetadata, newAnalysisMetadata) {
     const regressions = [];
-    newAnalysisMetadata.forEach((newMd) => {
+    for (const newMd of newAnalysisMetadata) {
       const oldMd = oldAnalysisMetadata.find((oldMd2) => newMd.vulnUrls.some((vulnUrl) => oldMd2.vulnUrls.includes(vulnUrl)));
       if (!oldMd) {
-        sendWarningToDashboard("Could not find corresponding analysis metadata to compare time regressions with", {
+        await sendWarningToDashboard("Could not find corresponding analysis metadata to compare time regressions with", {
           subprojectPath: relative8(state.rootWorkingDir, state.subprojectDir) || ".",
           workspacePath: state.workspacePath
         }, void 0, COANA_REPORT_ID, apiKey);
-        return;
+        continue;
       }
-      if (!hasTimeRegression(oldMd.analysisDiagnostics, newMd.analysisDiagnostics))
-        return;
-      regressions.push({
-        type: "ANALYSIS_TIME",
-        heuristicName: oldMd.heuristicName,
-        experimentName,
-        vulnUrls: oldMd.vulnUrls,
-        analyzerName: codeAwareScanner.name,
-        originalResult: {
-          timedOut: oldMd.analysisDiagnostics.timeout,
-          aborted: oldMd.analysisDiagnostics.aborted,
-          totalTime: oldMd.analysisDiagnostics.timings.totalTime
-        },
-        experimentResult: {
-          timedOut: newMd.analysisDiagnostics.timeout,
-          aborted: newMd.analysisDiagnostics.aborted,
-          totalTime: newMd.analysisDiagnostics.timings.totalTime
-        }
-      });
-    });
+      if (hasTimeRegression(oldMd.analysisDiagnostics, newMd.analysisDiagnostics))
+        regressions.push({
+          type: "ANALYSIS_TIME",
+          heuristicName: oldMd.heuristicName,
+          experimentName,
+          vulnUrls: oldMd.vulnUrls,
+          analyzerName: codeAwareScanner.name,
+          originalResult: {
+            timedOut: oldMd.analysisDiagnostics.timeout,
+            aborted: oldMd.analysisDiagnostics.aborted,
+            totalTime: oldMd.analysisDiagnostics.timings.totalTime
+          },
+          experimentResult: {
+            timedOut: newMd.analysisDiagnostics.timeout,
+            aborted: newMd.analysisDiagnostics.aborted,
+            totalTime: newMd.analysisDiagnostics.timings.totalTime
+          }
+        });
+    }
     if (regressions.length === 0)
       return;
-    sendRegressionsToDashboard(regressions, relative8(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
+    await sendRegressionsToDashboard(regressions, relative8(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
   }
-  function sendReachabilityRegressionsToDashboard(heuristicName, experimentName, origRes, experimentRes) {
-    const regressions = Object.keys(origRes).filter((vulnUrl) => experimentRes[vulnUrl] && origRes[vulnUrl] !== experimentRes[vulnUrl]).map((vulnUrl) => ({
+  async function sendReachabilityRegressionsToDashboard(heuristicName, experimentName, origRes, experimentRes) {
+    const regressions = Object.entries(origRes).filter(([vulnUrl, oRes]) => experimentRes[vulnUrl] && oRes.reachability !== experimentRes[vulnUrl].reachability).map(([vulnUrl, originalResult]) => ({
       type: "REACHABILITY",
       heuristicName,
       experimentName,
       analyzerName: codeAwareScanner.name,
       vulnUrl,
-      originalResult: origRes[vulnUrl],
+      originalResult,
       experimentResult: experimentRes[vulnUrl]
     }));
-    sendRegressionsToDashboard(regressions, relative8(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
+    await sendRegressionsToDashboard(regressions, relative8(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
   }
 }
 function getHeuristicFromName(state, heuristicName, ecosystem) {
@@ -112738,7 +112744,10 @@ function findDuplicateVulnsInBuckets(bucketsFromLastAnalysis) {
   return duplicateUrls;
 }
 function transformVulnsToUrlToReachability(oldHeuristicAugmentedVulnerabilities) {
-  return Object.fromEntries(oldHeuristicAugmentedVulnerabilities.map((v) => [v.url, getVulnReachability(v.results)]));
+  return Object.fromEntries(oldHeuristicAugmentedVulnerabilities.map((v) => [
+    v.url,
+    { reachability: getVulnReachability(v.results), terminatedEarly: v.results.type === "success" && v.results.terminatedEarly }
+  ]));
 }
 
 // dist/analyzers/go-analyzer.js
@@ -116504,7 +116513,10 @@ var RubyCodeAwareVulnerabilityScanner = class {
         logger.info("Ruby analysis command:", cmd.join(" "));
       try {
         this.numberAnalysesRun++;
-        await exec2(cmd, this.projectDir, { timeout: (timeoutInSeconds * 1.5 + 10) * 1e3 });
+        await exec2(cmd, this.projectDir, {
+          timeout: (timeoutInSeconds * 1.5 + 10) * 1e3,
+          killSignal: "SIGKILL"
+        });
         const result = JSON.parse(await readFile12(vulnsOutputFile, "utf-8"));
         const relativeLoadPathsToPackageNames = new Map([...loadPathsToPackageNames.entries()].map(([k, v]) => [join17("vendor", relative9(this.vendorDir, k)), v]));
         const { timedOut, ...diagnostics } = JSON.parse(await readFile12(diagnosticsOutputFile, "utf-8"));