@coana-tech/cli 14.12.131 → 14.12.133
- package/cli.mjs +741 -605
- package/package.json +1 -1
- package/reachability-analyzers-cli.mjs +5 -4
- package/repos/coana-tech/goana/bin/goana-darwin-amd64.gz +0 -0
- package/repos/coana-tech/goana/bin/goana-darwin-arm64.gz +0 -0
- package/repos/coana-tech/goana/bin/goana-linux-amd64.gz +0 -0
- package/repos/coana-tech/goana/bin/goana-linux-arm64.gz +0 -0
- package/repos/coana-tech/javap-service/javap-service.jar +0 -0
- package/repos/coana-tech/jelly-private/dist/bundle/approx.js +3 -3
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-NNOCQRBG.js → chunk-K5LIJ7OH.js} +8 -6
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-XK6IPQRH.js → chunk-MZDUAIIH.js} +2 -2
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-L7Z5ACXW.js → chunk-PYSMGG45.js} +2 -2
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-D4F3MOY5.js → chunk-QPIPGSUC.js} +2 -2
- package/repos/coana-tech/jelly-private/dist/bundle/hooks.js +3 -3
- package/repos/coana-tech/jelly-private/dist/bundle/jelly.js +64 -19
package/package.json
|
@@ -110513,18 +110513,19 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
|
|
|
110513
110513
|
const logFile = reachabilityAnalysisOptions.analysisLogFile ?? (reachabilityAnalysisOptions.printLogFile && resolve14(projectRoot, "js-analysis.log"));
|
|
110514
110514
|
await writeFile6(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
|
|
110515
110515
|
const useLazy = experiment === "LAZY_EXPERIMENT" || reachabilityAnalysisOptions.lazy;
|
|
110516
|
+
const { includePackages } = jellyOptions;
|
|
110516
110517
|
const jellyCmd = cmdt`
|
|
110517
110518
|
${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}
|
|
110518
110519
|
${jellyExecutable}
|
|
110519
110520
|
--basedir ${mainProjectRoot}
|
|
110520
110521
|
--timeout ${timeoutInSeconds}
|
|
110521
110522
|
--vulnerabilities ${vulnerabilitiesFile}
|
|
110522
|
-
${useLazy && ["--lazy", "--lazy-cleanup"]}
|
|
110523
|
+
${useLazy && ["--lazy", "--lazy-cleanup", "--reparse", "--memory", "0.85"]}
|
|
110523
110524
|
--reachable-json ${affectedPackagesFile}
|
|
110524
110525
|
${getExcludes(mainProjectRoot, projectRoot, reachabilityAnalysisOptions)}
|
|
110525
110526
|
--diagnostics-json ${diagnosticsFile}
|
|
110526
110527
|
--max-indirections=${jellyOptions.maxIndirections}
|
|
110527
|
-
${!!
|
|
110528
|
+
${!!includePackages && (includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"])}
|
|
110528
110529
|
${jellyOptions.approx && "--approx"}
|
|
110529
110530
|
${logFile ? ["--logfile", logFile] : []}
|
|
110530
110531
|
--callstacks-json ${callStackFile}
|
|
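Review bot: The low-memory threshold `"0.85"` is a bare literal inside the flag list on the new line at 110523, right next to a memory limit that is configurable (`memoryLimitInMB ?? 8192`), and it is only emitted when `useLazy` holds, so non-lazy runs get no low-memory termination at all (presumably intended, but not stated anywhere). Hoisting it beside `useLazy`, e.g. `const lowMemoryFraction = "0.85"; // ask jelly to abort when used heap exceeds this fraction of --max-old-space-size`, keeps the memory policy readable in one place and makes the lazy-only scope visible. runJellyAnalysis starts before the hunk and its body continues after it.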
@@ -110592,7 +110593,7 @@ async function runJellyImportReachabilityAnalysis(mainProjectRoot, projectRoot,
|
|
|
110592
110593
|
const includePackages = computePackagesOnVulnPath(vulnerabilities, { includeLeafPackages: true });
|
|
110593
110594
|
const reachableModulesFile = resolve14(tmpFolder, "reachable-modules.json");
|
|
110594
110595
|
const jellyCmd = cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${options.memoryLimitInMB}
|
|
110595
|
-
${ToolPathResolver.jellyPath} --basedir ${mainProjectRoot} --modules-only
|
|
110596
|
+
${ToolPathResolver.jellyPath} --basedir ${mainProjectRoot} --modules-only --reparse
|
|
110596
110597
|
${includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"]}
|
|
110597
110598
|
${getExcludes(mainProjectRoot, projectRoot, options)}
|
|
110598
110599
|
--reachable-json ${reachableModulesFile}
|
|
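Review bot: `--max-old-space-size=${options.memoryLimitInMB}` at 110595 has no fallback, unlike the `?? 8192` used in runJellyAnalysis in the hunk above; if memoryLimitInMB is unset the rendered flag presumably becomes `--max-old-space-size=undefined` (how cmdt renders an undefined interpolation is not visible here). `--max-old-space-size=${options.memoryLimitInMB ?? 8192}` would make the two invocations consistent. The function starts before the hunk and continues after it.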
@@ -110663,7 +110664,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
|
|
|
110663
110664
|
return {
|
|
110664
110665
|
type: "success",
|
|
110665
110666
|
diagnostics,
|
|
110666
|
-
terminatedEarly: diagnostics.aborted || diagnostics.timeout,
|
|
110667
|
+
terminatedEarly: diagnostics.aborted || diagnostics.timeout || diagnostics.lowmemory,
|
|
110667
110668
|
reachedDependencies: diagnostics.packages > 0,
|
|
110668
110669
|
affectedPurls: analysisRes.affectedPurls,
|
|
110669
110670
|
computeDetectedOccurrences: ({ url: url3 }) => this.transformSourceLocations(matches[url3] ?? { analysisLevel: "function-level", affectedPackages: [], stacks: [] })
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -7,11 +7,11 @@ import "./iterator-helpers-polyfill.js";
|
|
|
7
7
|
import {
|
|
8
8
|
require_hints,
|
|
9
9
|
require_parser
|
|
10
|
-
} from "./chunk-
|
|
10
|
+
} from "./chunk-QPIPGSUC.js";
|
|
11
11
|
import {
|
|
12
12
|
require_proxy,
|
|
13
13
|
require_sandbox
|
|
14
|
-
} from "./chunk-
|
|
14
|
+
} from "./chunk-MZDUAIIH.js";
|
|
15
15
|
import {
|
|
16
16
|
__commonJS,
|
|
17
17
|
__name,
|
|
@@ -21,7 +21,7 @@ import {
|
|
|
21
21
|
require_options,
|
|
22
22
|
require_transform,
|
|
23
23
|
require_util
|
|
24
|
-
} from "./chunk-
|
|
24
|
+
} from "./chunk-K5LIJ7OH.js";
|
|
25
25
|
|
|
26
26
|
// lib/approx/approx.js
|
|
27
27
|
var require_approx = __commonJS({
|
|
@@ -10873,7 +10873,9 @@ var require_options = __commonJS({
|
|
|
10873
10873
|
vulnerabilitiesFull: false,
|
|
10874
10874
|
modulesJson: void 0,
|
|
10875
10875
|
lazy: false,
|
|
10876
|
-
lazyCleanup: false
|
|
10876
|
+
lazyCleanup: false,
|
|
10877
|
+
reparse: false,
|
|
10878
|
+
memory: void 0
|
|
10877
10879
|
};
|
|
10878
10880
|
function setOptions(opts) {
|
|
10879
10881
|
for (const opt of Object.getOwnPropertyNames(exports.options)) {
|
|
@@ -14661,6 +14663,7 @@ var require_nativehelpers = __commonJS({
|
|
|
14661
14663
|
var assert_1 = __importDefault(__require("assert"));
|
|
14662
14664
|
var constraintvars_1 = require_constraintvars();
|
|
14663
14665
|
var accesspaths_1 = require_accesspaths();
|
|
14666
|
+
var infos_1 = require_infos();
|
|
14664
14667
|
function assignParameterToThisProperty(param, prop, p) {
|
|
14665
14668
|
if (p.path.node.arguments.length > param && p.base) {
|
|
14666
14669
|
const arg = p.path.node.arguments[param];
|
|
@@ -14889,7 +14892,7 @@ var require_nativehelpers = __commonJS({
|
|
|
14889
14892
|
__name(invokeCallback, "invokeCallback");
|
|
14890
14893
|
function generatorCall(p) {
|
|
14891
14894
|
if (p.base instanceof tokens_1.AllocationSiteToken && p.base.kind === "Generator") {
|
|
14892
|
-
(0, assert_1.default)((0, types_1.isFunction)(p.base.allocSite));
|
|
14895
|
+
(0, assert_1.default)(!(p.base.allocSite instanceof infos_1.ModuleInfo) && (0, types_1.isFunction)(p.base.allocSite));
|
|
14893
14896
|
const solver = p.solver;
|
|
14894
14897
|
const f = solver.fragmentState;
|
|
14895
14898
|
const a = solver.globalState;
|
|
@@ -15432,9 +15435,8 @@ var require_nodejs = __commonJS({
|
|
|
15432
15435
|
const mod = p.moduleSpecialNatives["module"];
|
|
15433
15436
|
p.solver.addTokenConstraint(exp, vp.objPropVar(mod, "exports"));
|
|
15434
15437
|
p.solver.addTokenConstraint(exp, vp.objPropVar(exp, "default"));
|
|
15435
|
-
const
|
|
15436
|
-
|
|
15437
|
-
p.solver.addTokenConstraint(args, vp.argumentsVar(prog));
|
|
15438
|
+
const args = a.canonicalizeToken(new tokens_1.ArrayToken(p.moduleInfo));
|
|
15439
|
+
p.solver.addTokenConstraint(args, vp.argumentsVar(p.moduleInfo));
|
|
15438
15440
|
p.solver.addTokenConstraint(exp, vp.objPropVar(args, "0"));
|
|
15439
15441
|
p.solver.addTokenConstraint(req, vp.objPropVar(args, "1"));
|
|
15440
15442
|
p.solver.addTokenConstraint(mod, vp.objPropVar(args, "2"));
|
|
@@ -19869,4 +19871,4 @@ fill-range/index.js:
|
|
|
19869
19871
|
* Licensed under the MIT License.
|
|
19870
19872
|
*)
|
|
19871
19873
|
*/
|
|
19872
|
-
//# sourceMappingURL=chunk-
|
|
19874
|
+
//# sourceMappingURL=chunk-K5LIJ7OH.js.map
|
|
@@ -9,7 +9,7 @@ import {
|
|
|
9
9
|
__name,
|
|
10
10
|
__require,
|
|
11
11
|
require_transform
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-K5LIJ7OH.js";
|
|
13
13
|
|
|
14
14
|
// lib/approx/proxy.js
|
|
15
15
|
var require_proxy = __commonJS({
|
|
@@ -268,4 +268,4 @@ export {
|
|
|
268
268
|
require_proxy,
|
|
269
269
|
require_sandbox
|
|
270
270
|
};
|
|
271
|
-
//# sourceMappingURL=chunk-
|
|
271
|
+
//# sourceMappingURL=chunk-MZDUAIIH.js.map
|
|
@@ -8,7 +8,7 @@ import {
|
|
|
8
8
|
__commonJS,
|
|
9
9
|
__name,
|
|
10
10
|
__require
|
|
11
|
-
} from "./chunk-
|
|
11
|
+
} from "./chunk-K5LIJ7OH.js";
|
|
12
12
|
|
|
13
13
|
// node_modules/source-map/lib/base64.js
|
|
14
14
|
var require_base64 = __commonJS({
|
|
@@ -224380,4 +224380,4 @@ typescript/lib/typescript.js:
|
|
|
224380
224380
|
and limitations under the License.
|
|
224381
224381
|
***************************************************************************** *)
|
|
224382
224382
|
*/
|
|
224383
|
-
//# sourceMappingURL=chunk-
|
|
224383
|
+
//# sourceMappingURL=chunk-PYSMGG45.js.map
|
|
@@ -14,7 +14,7 @@ import {
|
|
|
14
14
|
require_options,
|
|
15
15
|
require_tokens,
|
|
16
16
|
require_util
|
|
17
|
-
} from "./chunk-
|
|
17
|
+
} from "./chunk-K5LIJ7OH.js";
|
|
18
18
|
|
|
19
19
|
// lib/parsing/parser.js
|
|
20
20
|
var require_parser = __commonJS({
|
|
@@ -516,4 +516,4 @@ export {
|
|
|
516
516
|
require_patching,
|
|
517
517
|
require_hints
|
|
518
518
|
};
|
|
519
|
-
//# sourceMappingURL=chunk-
|
|
519
|
+
//# sourceMappingURL=chunk-QPIPGSUC.js.map
|
|
@@ -6,10 +6,10 @@ import "./iterator-helpers-polyfill.js";
|
|
|
6
6
|
|
|
7
7
|
import {
|
|
8
8
|
require_moduleresolver
|
|
9
|
-
} from "./chunk-
|
|
9
|
+
} from "./chunk-PYSMGG45.js";
|
|
10
10
|
import {
|
|
11
11
|
require_sandbox
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-MZDUAIIH.js";
|
|
13
13
|
import {
|
|
14
14
|
__commonJS,
|
|
15
15
|
__name,
|
|
@@ -17,7 +17,7 @@ import {
|
|
|
17
17
|
require_files,
|
|
18
18
|
require_options,
|
|
19
19
|
require_transform
|
|
20
|
-
} from "./chunk-
|
|
20
|
+
} from "./chunk-K5LIJ7OH.js";
|
|
21
21
|
|
|
22
22
|
// lib/approx/hooks.js
|
|
23
23
|
var require_hooks = __commonJS({
|
|
@@ -9,11 +9,11 @@ import {
|
|
|
9
9
|
require_hints,
|
|
10
10
|
require_parser,
|
|
11
11
|
require_patching
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-QPIPGSUC.js";
|
|
13
13
|
import {
|
|
14
14
|
require_moduleresolver,
|
|
15
15
|
require_typescript
|
|
16
|
-
} from "./chunk-
|
|
16
|
+
} from "./chunk-PYSMGG45.js";
|
|
17
17
|
import {
|
|
18
18
|
__commonJS,
|
|
19
19
|
__name,
|
|
@@ -37,7 +37,7 @@ import {
|
|
|
37
37
|
require_tokens,
|
|
38
38
|
require_transform,
|
|
39
39
|
require_util
|
|
40
|
-
} from "./chunk-
|
|
40
|
+
} from "./chunk-K5LIJ7OH.js";
|
|
41
41
|
|
|
42
42
|
// lib/misc/timer.js
|
|
43
43
|
var require_timer = __commonJS({
|
|
@@ -172,7 +172,6 @@ var require_globalstate = __commonJS({
|
|
|
172
172
|
moduleInfosByPath = /* @__PURE__ */ new Map();
|
|
173
173
|
moduleInfos = /* @__PURE__ */ new Map();
|
|
174
174
|
dummyModuleInfos = /* @__PURE__ */ new Map();
|
|
175
|
-
modules = /* @__PURE__ */ new Map();
|
|
176
175
|
functionInfos = /* @__PURE__ */ new Map();
|
|
177
176
|
entryFiles = /* @__PURE__ */ new Set();
|
|
178
177
|
reachedFiles = /* @__PURE__ */ new Set();
|
|
@@ -404,7 +403,7 @@ var require_constraintvarproducer = __commonJS({
|
|
|
404
403
|
if (binding)
|
|
405
404
|
return { v: this.nodeVar(binding.identifier) };
|
|
406
405
|
else if (id.name === "arguments")
|
|
407
|
-
return { v: this.argumentsVar((0, asthelpers_1.getEnclosingNonArrowFunction)(path) ??
|
|
406
|
+
return { v: this.argumentsVar((0, asthelpers_1.getEnclosingNonArrowFunction)(path) ?? id.loc.module) };
|
|
408
407
|
else
|
|
409
408
|
return { v: this.objPropVar(this.a.globalSpecialNatives["globalThis"], id.name), unbound: true };
|
|
410
409
|
}
|
|
@@ -970,8 +969,10 @@ var require_memory = __commonJS({
|
|
|
970
969
|
return mod && mod.__esModule ? mod : { "default": mod };
|
|
971
970
|
};
|
|
972
971
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
972
|
+
exports.MemoryLowException = void 0;
|
|
973
973
|
exports.getMemoryUsage = getMemoryUsage;
|
|
974
974
|
exports.getMemoryLimit = getMemoryLimit;
|
|
975
|
+
exports.checkMemoryLow = checkMemoryLow;
|
|
975
976
|
var options_1 = require_options();
|
|
976
977
|
var assert_1 = __importDefault(__require("assert"));
|
|
977
978
|
var v8 = __importStar(__require("v8"));
|
|
@@ -993,6 +994,23 @@ var require_memory = __commonJS({
|
|
|
993
994
|
return Math.ceil(v8.getHeapStatistics().heap_size_limit / 1048576);
|
|
994
995
|
}
|
|
995
996
|
__name(getMemoryLimit, "getMemoryLimit");
|
|
997
|
+
function checkMemoryLow() {
|
|
998
|
+
if (options_1.options.memory !== void 0) {
|
|
999
|
+
const s = v8.getHeapStatistics();
|
|
1000
|
+
if (s.used_heap_size / s.heap_size_limit > Number(options_1.options.memory))
|
|
1001
|
+
throw new MemoryLowException();
|
|
1002
|
+
}
|
|
1003
|
+
}
|
|
1004
|
+
__name(checkMemoryLow, "checkMemoryLow");
|
|
1005
|
+
var MemoryLowException = class extends Error {
|
|
1006
|
+
static {
|
|
1007
|
+
__name(this, "MemoryLowException");
|
|
1008
|
+
}
|
|
1009
|
+
constructor() {
|
|
1010
|
+
super("Memory low");
|
|
1011
|
+
}
|
|
1012
|
+
};
|
|
1013
|
+
exports.MemoryLowException = MemoryLowException;
|
|
996
1014
|
}
|
|
997
1015
|
});
|
|
998
1016
|
|
|
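Review bot: checkMemoryLow at 997–1003 coerces `options.memory` with `Number(...)` on every call and never validates it; for a non-numeric value the comparison against NaN is always false, so the guard silently never fires, and a value above 1 can never trigger either. Parse and check it once, e.g. `const threshold = Number(options_1.options.memory);` / `(0, assert_1.default)(threshold > 0 && threshold <= 1, "memory option must be a fraction in (0, 1]");` / `if (s.used_heap_size / s.heap_size_limit > threshold)`. The ratio also only counts the V8 heap, not external memory held by buffers or strings outside it, which may be intended but deserves a one-line comment on the function. The enclosing module wrapper continues outside the hunk.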
@@ -1019,6 +1037,7 @@ var require_diagnostics = __commonJS({
|
|
|
1019
1037
|
uniqueTokens = 0;
|
|
1020
1038
|
aborted = false;
|
|
1021
1039
|
timeout = false;
|
|
1040
|
+
lowmemory = false;
|
|
1022
1041
|
analysisTime = 0n;
|
|
1023
1042
|
codeSize = 0;
|
|
1024
1043
|
codeSizeMain = 0;
|
|
@@ -1196,7 +1215,7 @@ var require_escaping = __commonJS({
|
|
|
1196
1215
|
}
|
|
1197
1216
|
__name(addToWorklist, "addToWorklist");
|
|
1198
1217
|
for (const m of Array.isArray(ms) ? ms : [ms])
|
|
1199
|
-
if (
|
|
1218
|
+
if (m.packageInfo.isEntry && (m.getPath().includes("node_modules") || options_1.options.library)) {
|
|
1200
1219
|
const pi = a.packageJsonInfos.get(m.packageInfo.dir);
|
|
1201
1220
|
if (!pi?.exports || (0, packagejson_1.isInExports)(`./${m.relativePath}`, pi.exports))
|
|
1202
1221
|
addToWorklist(f.varProducer.objPropVar(a.canonicalizeToken(new tokens_1.NativeObjectToken("module", m)), "exports"));
|
|
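Review bot: The new condition at 1218 uses `m.getPath().includes("node_modules")`, a substring test that matches any path component containing those characters rather than only a `node_modules` directory segment; the removed condition is cut off in this view, so whether that was already the behaviour cannot be seen. Testing for a path segment (splitting on the platform separator and checking for an exact `node_modules` element) would be more precise. The enclosing function starts outside the hunk.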
@@ -1581,6 +1600,7 @@ var require_solver = __commonJS({
|
|
|
1581
1600
|
const f = this.fragmentState;
|
|
1582
1601
|
(0, logger_1.writeStdOut)(`${this.phase}... (total time: ${d}ms, call edges: ${f.numberOfCallToFunctionEdges}` + (options_1.options.diagnostics ? `, vars: ${f.getNumberOfVarsWithTokens()}, tokens: ${f.numberOfTokens}, subsets: ${f.numberOfSubsetEdges}, ` + (options_1.options.maxIndirections !== void 0 ? `round: ${this.diagnostics.round}, ` : "") + `wave: ${this.diagnostics.wave}, propagations: ${this.diagnostics.propagations}, worklist: ${this.diagnostics.unprocessedTokensSize + f.postponedListenerCalls.length + f.postponedListenerCalls2.length - this.postponedListenersProcessed}` : "") + ")");
|
|
1583
1602
|
f.a.timeoutTimer.checkTimeout();
|
|
1603
|
+
(0, memory_1.checkMemoryLow)();
|
|
1584
1604
|
}
|
|
1585
1605
|
}
|
|
1586
1606
|
}
|
|
@@ -1981,6 +2001,7 @@ var require_solver = __commonJS({
|
|
|
1981
2001
|
this.diagnostics.propagations++;
|
|
1982
2002
|
if (this.diagnostics.propagations % 100 === 0) {
|
|
1983
2003
|
this.globalState.timeoutTimer.checkTimeout();
|
|
2004
|
+
(0, memory_1.checkMemoryLow)();
|
|
1984
2005
|
this.printDiagnostics();
|
|
1985
2006
|
}
|
|
1986
2007
|
}
|
|
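Review bot: The new `(0, memory_1.checkMemoryLow)()` at 2004 runs immediately before `this.printDiagnostics()` on 2005, and the diagnostics-printing method shown in the hunk at 1600–1606 also calls `checkTimeout()` followed by `checkMemoryLow()`; if that is the method invoked here, both checks run twice every 100 propagations, and the same pairing appears at 2091–2092 and 2116–2117. Since each check calls `v8.getHeapStatistics()`, dropping either the explicit calls before printDiagnostics or the ones inside it removes the duplicate work. The enclosing method starts and ends outside the hunk.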
@@ -1993,6 +2014,7 @@ var require_solver = __commonJS({
|
|
|
1993
2014
|
logger_1.default.debug("Processing constraints until fixpoint...");
|
|
1994
2015
|
const f = this.fragmentState;
|
|
1995
2016
|
f.a.timeoutTimer.checkTimeout();
|
|
2017
|
+
(0, memory_1.checkMemoryLow)();
|
|
1996
2018
|
await this.checkAbort();
|
|
1997
2019
|
if (logger_1.default.isVerboseEnabled())
|
|
1998
2020
|
logger_1.default.verbose(`Propagating (tokens: ${this.unprocessedTokens.size}, non-bounded: ${f.postponedListenerCalls.length}, bounded: ${f.postponedListenerCalls2.length})`);
|
|
@@ -2066,6 +2088,7 @@ var require_solver = __commonJS({
|
|
|
2066
2088
|
fun(arg);
|
|
2067
2089
|
if (++this.postponedListenersProcessed % 100 === 0) {
|
|
2068
2090
|
f.a.timeoutTimer.checkTimeout();
|
|
2091
|
+
(0, memory_1.checkMemoryLow)();
|
|
2069
2092
|
this.printDiagnostics();
|
|
2070
2093
|
}
|
|
2071
2094
|
}
|
|
@@ -2090,6 +2113,7 @@ var require_solver = __commonJS({
|
|
|
2090
2113
|
fun.apply(void 0, Array.isArray(args) ? args : [args]);
|
|
2091
2114
|
if (++this.postponedListenersProcessed % 100 === 0) {
|
|
2092
2115
|
f.a.timeoutTimer.checkTimeout();
|
|
2116
|
+
(0, memory_1.checkMemoryLow)();
|
|
2093
2117
|
this.printDiagnostics();
|
|
2094
2118
|
}
|
|
2095
2119
|
}
|
|
@@ -3783,7 +3807,7 @@ var require_finalization = __commonJS({
|
|
|
3783
3807
|
const f = solver.fragmentState;
|
|
3784
3808
|
const a = solver.globalState;
|
|
3785
3809
|
const d = solver.diagnostics;
|
|
3786
|
-
if (d.aborted || d.timeout || d.waveLimitReached > 0 || d.indirectionsLimitReached > 0) {
|
|
3810
|
+
if (d.aborted || d.timeout || d.lowmemory || d.waveLimitReached > 0 || d.indirectionsLimitReached > 0) {
|
|
3787
3811
|
for (const n of f.callLocations) {
|
|
3788
3812
|
const caller = f.callToContainingFunction.get(n);
|
|
3789
3813
|
(0, assert_1.default)(caller);
|
|
@@ -4182,9 +4206,6 @@ var require_analyzer = __commonJS({
|
|
|
4182
4206
|
return result;
|
|
4183
4207
|
};
|
|
4184
4208
|
})();
|
|
4185
|
-
var __importDefault = exports && exports.__importDefault || function(mod) {
|
|
4186
|
-
return mod && mod.__esModule ? mod : { "default": mod };
|
|
4187
|
-
};
|
|
4188
4209
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
4189
4210
|
exports.analyzeFiles = analyzeFiles;
|
|
4190
4211
|
var fs_1 = __importStar(__require("fs"));
|
|
@@ -4211,10 +4232,10 @@ var require_analyzer = __commonJS({
|
|
|
4211
4232
|
var patching_1 = require_patching();
|
|
4212
4233
|
var diagnostics_1 = require_diagnostics2();
|
|
4213
4234
|
var patchthis_1 = require_patchthis();
|
|
4214
|
-
var assert_1 = __importDefault(__require("assert"));
|
|
4215
4235
|
var accesspaths_1 = require_accesspaths();
|
|
4216
4236
|
var tokens_1 = require_tokens();
|
|
4217
4237
|
var types_1 = __require("@babel/types");
|
|
4238
|
+
var memory_1 = require_memory();
|
|
4218
4239
|
async function analyzeFiles(files, solver) {
|
|
4219
4240
|
const a = solver.globalState;
|
|
4220
4241
|
const d = solver.diagnostics;
|
|
@@ -4257,8 +4278,6 @@ var require_analyzer = __commonJS({
|
|
|
4257
4278
|
continue;
|
|
4258
4279
|
}
|
|
4259
4280
|
moduleInfo.loc = ast.program.loc;
|
|
4260
|
-
moduleInfo.ast = ast;
|
|
4261
|
-
a.modules.set(moduleInfo, ast.program);
|
|
4262
4281
|
a.filesAnalyzed.push(file);
|
|
4263
4282
|
const fileSize = (0, fs_1.statSync)(file).size;
|
|
4264
4283
|
d.modules++;
|
|
@@ -4281,12 +4300,24 @@ var require_analyzer = __commonJS({
|
|
|
4281
4300
|
} else {
|
|
4282
4301
|
a.reachedModuleFull(moduleInfo);
|
|
4283
4302
|
}
|
|
4284
|
-
if (
|
|
4303
|
+
if (!options_1.options.reparse || a.reachedModulesFull.has(moduleInfo))
|
|
4304
|
+
moduleInfo.ast = ast;
|
|
4305
|
+
if (d.modules % 16 === 0) {
|
|
4285
4306
|
a.timeoutTimer.checkTimeout();
|
|
4307
|
+
(0, memory_1.checkMemoryLow)();
|
|
4308
|
+
}
|
|
4286
4309
|
}
|
|
4287
4310
|
for (const moduleInfo of a.pendingModulesFull) {
|
|
4288
|
-
|
|
4289
|
-
|
|
4311
|
+
let ast = moduleInfo.ast;
|
|
4312
|
+
if (!ast) {
|
|
4313
|
+
if (!moduleInfo.loc)
|
|
4314
|
+
continue;
|
|
4315
|
+
if (!options_1.options.printProgress)
|
|
4316
|
+
logger_1.default.info(`Reloading ${moduleInfo} (${d.modules})`);
|
|
4317
|
+
const file = moduleInfo.getPath();
|
|
4318
|
+
const str = fs_1.default.readFileSync(file, "utf8");
|
|
4319
|
+
ast = (0, parser_1.parseAndDesugar)(str, file, solver.fragmentState);
|
|
4320
|
+
}
|
|
4290
4321
|
d.modulesFull++;
|
|
4291
4322
|
if (!options_1.options.modulesOnly && options_1.options.printProgress)
|
|
4292
4323
|
logger_1.default.info(`Analyzing ${moduleInfo}`);
|
|
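Review bot: The reparse path added at 4311–4320 reads and parses the file a second time with no error handling, whereas the initial parse appears to skip modules that fail (the `continue` at 4278); a file deleted or rewritten between the two passes would throw from `readFileSync`/`parseAndDesugar`, and unless the catch later in analyzeFiles handles it, that aborts the whole analysis instead of skipping one module. Giving the reload the same skip-on-failure treatment as the first pass keeps the passes consistent; if parseAndDesugar signals failure by returning undefined rather than throwing, an `if (!ast) continue;` after the call is needed as well. The reloaded AST is deliberately not stored back on moduleInfo, which is presumably the point of --reparse and deserves a one-line comment. analyzeFiles starts before the hunk and continues after it.
```javascript
for (const moduleInfo of a.pendingModulesFull) {
  let ast = moduleInfo.ast;
  if (!ast) {
    if (!moduleInfo.loc)
      continue;
    if (!options_1.options.printProgress)
      logger_1.default.info(`Reloading ${moduleInfo} (${d.modules})`);
    const file = moduleInfo.getPath();
    try {
      const str = fs_1.default.readFileSync(file, "utf8");
      ast = (0, parser_1.parseAndDesugar)(str, file, solver.fragmentState);
    } catch (ex) {
      // the module parsed once already; failing now means the file changed or vanished between passes
      logger_1.default.warn(`Unable to reload ${moduleInfo}: ${ex}`);
      continue;
    }
  }
  // … unchanged: d.modulesFull++ and the per-module analysis …
```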
@@ -4435,6 +4466,8 @@ var require_analyzer = __commonJS({
|
|
|
4435
4466
|
} catch (ex) {
|
|
4436
4467
|
if (ex instanceof timer_1.TimeoutException)
|
|
4437
4468
|
d.timeout = true;
|
|
4469
|
+
else if (ex instanceof memory_1.MemoryLowException)
|
|
4470
|
+
d.lowmemory = true;
|
|
4438
4471
|
else if (ex instanceof solver_1.AbortedException)
|
|
4439
4472
|
d.aborted = true;
|
|
4440
4473
|
else
|
|
@@ -4450,6 +4483,8 @@ var require_analyzer = __commonJS({
|
|
|
4450
4483
|
logger_1.default.warn("Received abort signal, analysis aborted");
|
|
4451
4484
|
else if (d.timeout)
|
|
4452
4485
|
logger_1.default.warn("Time limit reached, analysis aborted");
|
|
4486
|
+
else if (d.lowmemory)
|
|
4487
|
+
logger_1.default.warn("Memory low, analysis aborted");
|
|
4453
4488
|
else if (d.waveLimitReached > 0)
|
|
4454
4489
|
logger_1.default.warn("Warning: Wave limit reached, analysis terminated early");
|
|
4455
4490
|
else if (d.indirectionsLimitReached > 0)
|
|
@@ -8885,6 +8920,7 @@ var require_tapirpatterns = __commonJS({
|
|
|
8885
8920
|
var util_1 = require_util();
|
|
8886
8921
|
var timer_1 = require_timer();
|
|
8887
8922
|
var patternmatcher_1 = require_patternmatcher();
|
|
8923
|
+
var memory_1 = require_memory();
|
|
8888
8924
|
function tapirLoadPatterns(patternFiles) {
|
|
8889
8925
|
const tapirPatterns = (0, patternloader_1.removeObsoletePatterns)((0, patternloader_1.loadTapirDetectionPatternFiles)(patternFiles));
|
|
8890
8926
|
const patterns = (0, patternloader_1.convertTapirPatterns)(tapirPatterns);
|
|
@@ -8915,6 +8951,7 @@ var require_tapirpatterns = __commonJS({
|
|
|
8915
8951
|
const p = patterns[i];
|
|
8916
8952
|
if (p) {
|
|
8917
8953
|
solver.globalState.timeoutTimer.checkTimeout();
|
|
8954
|
+
(0, memory_1.checkMemoryLow)();
|
|
8918
8955
|
const ms = matcher.findDetectionPatternMatches(p, solver.diagnostics);
|
|
8919
8956
|
for (const m of ms) {
|
|
8920
8957
|
logger_1.default.info(`Pattern #${tpId}: ${tpPattern}${tpVersion} matches ${(0, util_1.locationToStringWithFileAndEnd)(m.exp.loc)} (confidence: ${isHigh(m) ? "high" : "low"})`);
|
|
@@ -8971,6 +9008,10 @@ var require_tapirpatterns = __commonJS({
|
|
|
8971
9008
|
logger_1.default.error("Time limit reached, pattern matching aborted");
|
|
8972
9009
|
if (solver.diagnostics)
|
|
8973
9010
|
solver.diagnostics.timeout = true;
|
|
9011
|
+
} else if (ex instanceof memory_1.MemoryLowException) {
|
|
9012
|
+
logger_1.default.error("Memory low, pattern matching aborted");
|
|
9013
|
+
if (solver.diagnostics)
|
|
9014
|
+
solver.diagnostics.lowmemory = true;
|
|
8974
9015
|
} else
|
|
8975
9016
|
throw ex;
|
|
8976
9017
|
}
|
|
@@ -12424,7 +12465,7 @@ var require_paths = __commonJS({
|
|
|
12424
12465
|
}
|
|
12425
12466
|
__name(isPathExistInArray, "isPathExistInArray");
|
|
12426
12467
|
function removeBestCandidate(candidates) {
|
|
12427
|
-
return candidates.sort((a, b) =>
|
|
12468
|
+
return candidates.sort((a, b) => b.totalCost - a.totalCost).pop();
|
|
12428
12469
|
}
|
|
12429
12470
|
__name(removeBestCandidate, "removeBestCandidate");
|
|
12430
12471
|
function dijkstra(g, source, removed) {
|
|
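Review bot: removeBestCandidate at 12468 sorts the whole array in place and pops the last element to extract the lowest-cost candidate; if, as its name and the dijkstra function that follows suggest, it is called once per extracted node, that is O(n log n) per extraction (and reorders the remaining candidates) where a single scan is O(n). The removed line is cut off in this view, so the behavioural change itself is not visible. A scan that keeps the last minimum preserves the current tie-breaking (stable descending sort, then pop returns the last of the equal-cost elements).
```javascript
function removeBestCandidate(candidates) {
  let best = 0;
  for (let i = 1; i < candidates.length; i++)
    if (candidates[i].totalCost <= candidates[best].totalCost)
      best = i;
  return candidates.splice(best, 1)[0];
}
```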
@@ -12595,6 +12636,7 @@ var require_vulnerabilitydetector = __commonJS({
|
|
|
12595
12636
|
var assert_1 = __importDefault(__require("assert"));
|
|
12596
12637
|
var paths_1 = require_paths();
|
|
12597
12638
|
var options_1 = require_options();
|
|
12639
|
+
var memory_1 = require_memory();
|
|
12598
12640
|
var MAX_PATHS_PER_SOURCE = 5;
|
|
12599
12641
|
var MAX_SOURCES = 5;
|
|
12600
12642
|
var VulnerabilityDetector = class {
|
|
@@ -12787,7 +12829,7 @@ ${p} (${(0, vulnerabilities_1.getVulnerabilityId)(v)})`);
|
|
|
12787
12829
|
}
|
|
12788
12830
|
logger_1.default.info(`Vulnerability summary:
|
|
12789
12831
|
Entry packages that depend on package with vulnerability: ${cp}
|
|
12790
|
-
Entry package that depend on module with vulnerability: ${cm}
|
|
12832
|
+
Entry package modules that depend on module with vulnerability: ${cm}
|
|
12791
12833
|
Entry package functions that may reach function with vulnerability: ${cf}
|
|
12792
12834
|
Entry package function call site that may reach function vulnerability: ${cc}`);
|
|
12793
12835
|
if (logger_1.default.isDebugEnabled()) {
|
|
@@ -12893,6 +12935,9 @@ ${p} (${(0, vulnerabilities_1.getVulnerabilityId)(v)})`);
|
|
|
12893
12935
|
if (ex instanceof timer_1.TimeoutException) {
|
|
12894
12936
|
logger_1.default.error("Time limit reached, pattern matching aborted");
|
|
12895
12937
|
diagnostics.timeout = true;
|
|
12938
|
+
} else if (ex instanceof memory_1.MemoryLowException) {
|
|
12939
|
+
logger_1.default.error("Memory low, pattern matching aborted");
|
|
12940
|
+
diagnostics.lowmemory = true;
|
|
12896
12941
|
} else
|
|
12897
12942
|
throw ex;
|
|
12898
12943
|
}
|
|
@@ -13416,7 +13461,7 @@ var require_main = __commonJS({
|
|
|
13416
13461
|
var assert_1 = __importDefault(__require("assert"));
|
|
13417
13462
|
var semver_1 = __importDefault(require_semver2());
|
|
13418
13463
|
var ENGINES_NODE = require_package()?.engines?.node;
|
|
13419
|
-
commander_1.program.name("jelly").version(options_1.VERSION).addHelpText("before", options_1.COPYRIGHT).option("-b, --basedir <directory>", "base directory for files to analyze (default: auto-detect)").option("-f, --logfile <file>", "log to file (default: log to stdout)").option("-l, --loglevel <level>", "log level (debug/verbose/info/warn/error)", "info").option("-i, --timeout <seconds>", "limit analysis time").option("-a, --dataflow-html <file>", "save data-flow graph as HTML file").option("-m, --callgraph-html <file>", "save call graph as HTML file").option("-j, --callgraph-json <file>", "save call graph as JSON file").option("-s, --soundness <file>", "compare with dynamic call graph").option("-n, --graal-home <directory>", "home of graal-nodejs (default: $GRAAL_HOME)").option("-d, --dynamic <file>", "generate call graph dynamically, no static analysis").option("--approx", "enable approximate interpretation").option("--approx-only <file>", "perform approximate interpretation, no static analysis").option("--approx-load <file>", "use pre-computed approximate interpretation results").option("-p, --patterns <file...>", "files containing API usage patterns to detect").option("-v, --vulnerabilities <file>", "report vulnerability matches").option("--vulnerabilities-json <json>", "report vulnerability matches (patterns given as JSON string)").option("--include-packages <package...>", "include only dependencies in this list").option("--exclude-packages <package...>", "exclude dependencies in this list").option("--ignore-dependencies", "don't include dependencies in analysis").option("--ignore-unresolved", "don't report errors about unresolved modules").option("--npm-test <dir>", "run 'npm test' instead of 'node' (use with -d)").option("--callgraph", "report call graph").option("--tokens-json <file>", "save tokens for constraint variables as JSON file").option("--tokens", "report tokens for constraint variables").option("--largest", "report largest token sets and subset 
relations").option("--no-cycle-elimination", "disable cycle elimination").option("--no-natives", "disable nonessential models of native libraries").option("--test-graal", "test graal-nodejs (use with -d)").option("--no-print-progress", "don't print analysis progress information").option("--no-tty", "don't print solver progress for TTY").option("--warnings-unsupported", "print warnings about unsupported features").option("--gc", "enable garbage collection for more accurate memory usage reporting").option("--typescript", "enable TypeScript type inference (use with -p)").option("--api-usage", "report API usage of external packages (implies --ignore-dependencies)").option("--api-exported", "report API of modules").option("--find-access-paths <location>", "find access paths for source location (file:line)").option("--higher-order-functions", "report higher-order functions").option("--zeros", "report calls with zero callees and functions with zero callers").option("--exclude-entries <glob...>", "files to exclude when specifying entry directories").option("--tracked-modules <glob...>", "modules to track usage of (default: auto-detect)").option("--external-matches", "enable pattern matches from external code").option("--no-callgraph-implicit", "omit implicit calls in call graph").option("--no-callgraph-native", "omit native calls in call graph").option("--no-callgraph-require", "omit module loading in call graph").option("--no-callgraph-external", "omit heuristic external callbacks in call graph").option("--diagnostics", "report internal analysis diagnostics").option("--diagnostics-json <file>", "save analysis diagnostics in JSON file").option("--variable-kinds", "report constraint variable kinds").option("--max-waves <number>", "limit number of fixpoint waves").option("--max-indirections <number>", "limit number of function call and property write indirections").option("--full-indirection-bounding", "enable indirection bounding for method calls and property reads (use 
with --max-indirections)").option("--typescript-library-usage <file>", "save TypeScript library usage in JSON file, no analysis").option("--modules-only", "report reachable packages and modules only, no analysis").option("--compare-callgraphs", "compare two call graphs given as JSON files, no analysis").option("--reachability", "compare call graph reachability (use with -s or --compare-callgraphs)").option("--library", "assume program is a library (default: true if in node_modules)").option("--skip-tests", "skip files that look like tests").option("--no-patch-escaping", "disable patching using escape analysis").option("--patch-dynamics", "enable dynamic property access patching heuristic").option("--patch-method-calls", "enable method call patching heuristic").option("--no-patch-this", "disable 'this' patching heuristic").option("--proto", "enable model of assignments to the __proto__ property").option("--obj-spread", "enable model of spread syntax for object literals ({...obj})").option("--native-overwrites", "allow overwriting of native object properties").option("--ignore-imprecise-native-calls", "ignore imprecise native calls").option("--matches-json <file>", "save vulnerability pattern matches in JSON file").option("--reachable-json <file>", "save reachable packages and modules in JSON file").option("--callstacks-json <file>", "save vulnerability call stacks in JSON file").option("--vulnerabilities-full", "full report of vulnerabilities").option("--modules-json <file>", "save modules dependencies in JSON file").option("--lazy", "lazy analysis of modules").option("--lazy-cleanup", "lazily clean up redundant tokens for lazy module analysis").usage("[options] [files]").addHelpText("after", `
|
|
13464
|
+
commander_1.program.name("jelly").version(options_1.VERSION).addHelpText("before", options_1.COPYRIGHT).option("-b, --basedir <directory>", "base directory for files to analyze (default: auto-detect)").option("-f, --logfile <file>", "log to file (default: log to stdout)").option("-l, --loglevel <level>", "log level (debug/verbose/info/warn/error)", "info").option("-i, --timeout <seconds>", "limit analysis time").option("-a, --dataflow-html <file>", "save data-flow graph as HTML file").option("-m, --callgraph-html <file>", "save call graph as HTML file").option("-j, --callgraph-json <file>", "save call graph as JSON file").option("-s, --soundness <file>", "compare with dynamic call graph").option("-n, --graal-home <directory>", "home of graal-nodejs (default: $GRAAL_HOME)").option("-d, --dynamic <file>", "generate call graph dynamically, no static analysis").option("--approx", "enable approximate interpretation").option("--approx-only <file>", "perform approximate interpretation, no static analysis").option("--approx-load <file>", "use pre-computed approximate interpretation results").option("-p, --patterns <file...>", "files containing API usage patterns to detect").option("-v, --vulnerabilities <file>", "report vulnerability matches").option("--vulnerabilities-json <json>", "report vulnerability matches (patterns given as JSON string)").option("--include-packages <package...>", "include only dependencies in this list").option("--exclude-packages <package...>", "exclude dependencies in this list").option("--ignore-dependencies", "don't include dependencies in analysis").option("--ignore-unresolved", "don't report errors about unresolved modules").option("--npm-test <dir>", "run 'npm test' instead of 'node' (use with -d)").option("--callgraph", "report call graph").option("--tokens-json <file>", "save tokens for constraint variables as JSON file").option("--tokens", "report tokens for constraint variables").option("--largest", "report largest token sets and subset 
relations").option("--no-cycle-elimination", "disable cycle elimination").option("--no-natives", "disable nonessential models of native libraries").option("--test-graal", "test graal-nodejs (use with -d)").option("--no-print-progress", "don't print analysis progress information").option("--no-tty", "don't print solver progress for TTY").option("--warnings-unsupported", "print warnings about unsupported features").option("--gc", "enable garbage collection for more accurate memory usage reporting").option("--typescript", "enable TypeScript type inference (use with -p)").option("--api-usage", "report API usage of external packages (implies --ignore-dependencies)").option("--api-exported", "report API of modules").option("--find-access-paths <location>", "find access paths for source location (file:line)").option("--higher-order-functions", "report higher-order functions").option("--zeros", "report calls with zero callees and functions with zero callers").option("--exclude-entries <glob...>", "files to exclude when specifying entry directories").option("--tracked-modules <glob...>", "modules to track usage of (default: auto-detect)").option("--external-matches", "enable pattern matches from external code").option("--no-callgraph-implicit", "omit implicit calls in call graph").option("--no-callgraph-native", "omit native calls in call graph").option("--no-callgraph-require", "omit module loading in call graph").option("--no-callgraph-external", "omit heuristic external callbacks in call graph").option("--diagnostics", "report internal analysis diagnostics").option("--diagnostics-json <file>", "save analysis diagnostics in JSON file").option("--variable-kinds", "report constraint variable kinds").option("--max-waves <number>", "limit number of fixpoint waves").option("--max-indirections <number>", "limit number of function call and property write indirections").option("--full-indirection-bounding", "enable indirection bounding for method calls and property reads (use 
with --max-indirections)").option("--typescript-library-usage <file>", "save TypeScript library usage in JSON file, no analysis").option("--modules-only", "report reachable packages and modules only, no analysis").option("--compare-callgraphs", "compare two call graphs given as JSON files, no analysis").option("--reachability", "compare call graph reachability (use with -s or --compare-callgraphs)").option("--library", "assume program is a library (default: true if in node_modules)").option("--skip-tests", "skip files that look like tests").option("--no-patch-escaping", "disable patching using escape analysis").option("--patch-dynamics", "enable dynamic property access patching heuristic").option("--patch-method-calls", "enable method call patching heuristic").option("--no-patch-this", "disable 'this' patching heuristic").option("--proto", "enable model of assignments to the __proto__ property").option("--obj-spread", "enable model of spread syntax for object literals ({...obj})").option("--native-overwrites", "allow overwriting of native object properties").option("--ignore-imprecise-native-calls", "ignore imprecise native calls").option("--matches-json <file>", "save vulnerability pattern matches in JSON file").option("--reachable-json <file>", "save reachable packages and modules in JSON file").option("--callstacks-json <file>", "save vulnerability call stacks in JSON file").option("--vulnerabilities-full", "full report of vulnerabilities").option("--modules-json <file>", "save modules dependencies in JSON file").option("--lazy", "lazy analysis of modules").option("--lazy-cleanup", "lazily clean up redundant tokens for lazy module analysis").option("--reparse", "reparse by need (use with --lazy)").option("--memory <limit>", "abort if reaching selected fraction of memory limit").usage("[options] [files]").addHelpText("after", `
|
|
13420
13465
|
All modules reachable by require/import from the given files are included in the analysis
|
|
13421
13466
|
(except when using --ignore-dependencies, --include-packages or --exclude-packages).
|
|
13422
13467
|
If specifying directories instead of files, the files in the directories and their
|
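Review bot: The new `--memory <limit>` option is declared without a value parser, so commander passes the raw command-line string through; since the help text describes it as a fraction of the memory limit, the value should be converted and range-checked either here or where it is read, e.g. `.option("--memory <limit>", "abort if reaching selected fraction of memory limit", (v) => Number(v))` followed by a rejection of values that are not finite or lie outside (0, 1], so that a typo cannot disable the abort guard that the `MemoryLowException` handling in the earlier hunk relies on. The new `--reparse` flag is documented as "use with --lazy", but nothing in this hunk enforces that dependency; if the option post-processing does not already reject `--reparse` without `--lazy`, a short comment or check there would avoid a silently ignored flag. Only the option declarations are in this hunk; the code that reads these values lies outside it, so the parsing point cannot be confirmed from here.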