@coana-tech/cli 14.12.156 → 14.12.158

package/cli.mjs

@@ -234633,6 +234633,7 @@ function isShortestPath(root3, vulnPath) {
 }
 
 // ../web-compat-utils/src/analysis-error-keys.ts
+var FAILED_TO_INSTALL_PACKAGE_KEY = "[UNABLE_TO_INSTALL_PACKAGE_ERROR]: ";
 var CLI_ANALYSIS_ERROR_MESSAGE = "Sharing log due to analysis error";
 var ANALYSIS_LOW_CONFIDENCE_MESSAGE = "Analysis had low confidence in result";
 
@@ -235788,7 +235789,7 @@ function displayWorkspaceDiagnosticsSummaryInternal(diagnosticsEntries, vulns) {
       let category = "general";
       if (errorMessageLower.includes(ANALYSIS_LOW_CONFIDENCE_MESSAGE.toLowerCase())) {
         category = "lowConfidence";
-      } else if (errorMessageLower.includes("install") || errorMessageLower.includes("npm") || errorMessageLower.includes("pip") || errorMessageLower.includes("dependency")) {
+      } else if (errorMessage.startsWith(FAILED_TO_INSTALL_PACKAGE_KEY)) {
         category = "install";
       } else if (errorMessageLower.includes("timeout") || errorMessageLower.includes("timed out")) {
         category = "timeout";
@@ -250902,7 +250903,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.156";
+var version3 = "14.12.158";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.156",
+  "version": "14.12.158",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -110803,7 +110803,7 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
         --reachable-json ${affectedPackagesFile}
         ${getExcludes(mainProjectRoot, projectRoot, reachabilityAnalysisOptions)}
         --diagnostics-json ${diagnosticsFile}
-        --max-indirections=${jellyOptions.maxIndirections}
+        --max-indirections=${useLazy ? 2 : jellyOptions.maxIndirections}
         ${!!includePackages && (includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"])}
         ${jellyOptions.approx && "--approx"}
         ${logFile ? ["--logfile", logFile] : []}
@@ -110952,14 +110952,16 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       analysisOptionsFromHeuristic.approx = process.env.JELLY_APPROX === "true" || experiment === "JELLY_APPROX";
       const analysisRes = await runJellyAnalysis(this.mainProjectDir, this.projectDir, analysisOptionsFromHeuristic, this.options, timeoutInSeconds, vulnerabilities, experiment, telemetryHandler, analyzerTelemetryHandler);
       const { analysisDiagnostics: diagnostics, matches } = analysisRes;
-      const lowConfidence = diagnostics.round < 2 && (diagnostics.timeout || diagnostics.aborted);
+      const terminatedEarly = diagnostics.aborted || diagnostics.timeout || diagnostics.lowmemory;
       return {
         type: "success",
         diagnostics,
-        terminatedEarly: diagnostics.aborted || diagnostics.timeout || diagnostics.lowmemory,
+        terminatedEarly,
         reachedDependencies: diagnostics.packages > 0,
         affectedPurls: analysisRes.affectedPurls,
-        lowConfidence,
+        // A round of 0 or 1 indicates that at most 1 level of indirections in the calls was resolved,
+        // which is too few for us to confidently trust the results.
+        lowConfidence: diagnostics.round < 2 && terminatedEarly,
         computeDetectedOccurrences: ({ url: url2 }) => this.transformSourceLocations(matches[url2] ?? { analysisLevel: "function-level", affectedPackages: [], stacks: [] })
       };
     } catch (e) {