@coana-tech/cli 14.12.2 → 14.12.3

package/cli.mjs

@@ -6151,7 +6151,7 @@ var require_safe_stable_stringify = __commonJS({
               return circularValue;
             }
             let res = "";
-            let join27 = ",";
+            let join28 = ",";
             const originalIndentation = indentation;
             if (Array.isArray(value)) {
               if (value.length === 0) {
@@ -6165,7 +6165,7 @@ var require_safe_stable_stringify = __commonJS({
                 indentation += spacer;
                 res += `
 ${indentation}`;
-                join27 = `,
+                join28 = `,
 ${indentation}`;
               }
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -6173,13 +6173,13 @@ ${indentation}`;
               for (; i6 < maximumValuesToStringify - 1; i6++) {
                 const tmp2 = stringifyFnReplacer(String(i6), value, stack2, replacer, spacer, indentation);
                 res += tmp2 !== void 0 ? tmp2 : "null";
-                res += join27;
+                res += join28;
               }
               const tmp = stringifyFnReplacer(String(i6), value, stack2, replacer, spacer, indentation);
               res += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res += `${join27}"... ${getItemCount(removedKeys)} not stringified"`;
+                res += `${join28}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               if (spacer !== "") {
                 res += `
@@ -6200,7 +6200,7 @@ ${originalIndentation}`;
             let separator = "";
             if (spacer !== "") {
               indentation += spacer;
-              join27 = `,
+              join28 = `,
 ${indentation}`;
               whitespace2 = " ";
             }
@@ -6214,13 +6214,13 @@ ${indentation}`;
               const tmp = stringifyFnReplacer(key2, value, stack2, replacer, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}:${whitespace2}${tmp}`;
-                separator = join27;
+                separator = join28;
               }
             }
             if (keyLength > maximumBreadth) {
               const removedKeys = keyLength - maximumBreadth;
               res += `${separator}"...":${whitespace2}"${getItemCount(removedKeys)} not stringified"`;
-              separator = join27;
+              separator = join28;
             }
             if (spacer !== "" && separator.length > 1) {
               res = `
@@ -6261,7 +6261,7 @@ ${originalIndentation}`;
             }
             const originalIndentation = indentation;
             let res = "";
-            let join27 = ",";
+            let join28 = ",";
             if (Array.isArray(value)) {
               if (value.length === 0) {
                 return "[]";
@@ -6274,7 +6274,7 @@ ${originalIndentation}`;
                 indentation += spacer;
                 res += `
 ${indentation}`;
-                join27 = `,
+                join28 = `,
 ${indentation}`;
               }
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -6282,13 +6282,13 @@ ${indentation}`;
               for (; i6 < maximumValuesToStringify - 1; i6++) {
                 const tmp2 = stringifyArrayReplacer(String(i6), value[i6], stack2, replacer, spacer, indentation);
                 res += tmp2 !== void 0 ? tmp2 : "null";
-                res += join27;
+                res += join28;
               }
               const tmp = stringifyArrayReplacer(String(i6), value[i6], stack2, replacer, spacer, indentation);
               res += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res += `${join27}"... ${getItemCount(removedKeys)} not stringified"`;
+                res += `${join28}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               if (spacer !== "") {
                 res += `
@@ -6301,7 +6301,7 @@ ${originalIndentation}`;
             let whitespace2 = "";
             if (spacer !== "") {
               indentation += spacer;
-              join27 = `,
+              join28 = `,
 ${indentation}`;
               whitespace2 = " ";
             }
@@ -6310,7 +6310,7 @@ ${indentation}`;
               const tmp = stringifyArrayReplacer(key2, value[key2], stack2, replacer, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}:${whitespace2}${tmp}`;
-                separator = join27;
+                separator = join28;
               }
             }
             if (spacer !== "" && separator.length > 1) {
@@ -6368,20 +6368,20 @@ ${originalIndentation}`;
               indentation += spacer;
               let res2 = `
 ${indentation}`;
-              const join28 = `,
+              const join29 = `,
 ${indentation}`;
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
               let i6 = 0;
               for (; i6 < maximumValuesToStringify - 1; i6++) {
                 const tmp2 = stringifyIndent(String(i6), value[i6], stack2, spacer, indentation);
                 res2 += tmp2 !== void 0 ? tmp2 : "null";
-                res2 += join28;
+                res2 += join29;
               }
               const tmp = stringifyIndent(String(i6), value[i6], stack2, spacer, indentation);
               res2 += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res2 += `${join28}"... ${getItemCount(removedKeys)} not stringified"`;
+                res2 += `${join29}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               res2 += `
 ${originalIndentation}`;
@@ -6397,16 +6397,16 @@ ${originalIndentation}`;
               return '"[Object]"';
             }
             indentation += spacer;
-            const join27 = `,
+            const join28 = `,
 ${indentation}`;
             let res = "";
             let separator = "";
             let maximumPropertiesToStringify = Math.min(keyLength, maximumBreadth);
             if (isTypedArrayWithEntries(value)) {
-              res += stringifyTypedArray(value, join27, maximumBreadth);
+              res += stringifyTypedArray(value, join28, maximumBreadth);
               keys = keys.slice(value.length);
               maximumPropertiesToStringify -= value.length;
-              separator = join27;
+              separator = join28;
             }
             if (deterministic) {
               keys = insertSort(keys);
@@ -6417,13 +6417,13 @@ ${indentation}`;
               const tmp = stringifyIndent(key2, value[key2], stack2, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}: ${tmp}`;
-                separator = join27;
+                separator = join28;
               }
             }
             if (keyLength > maximumBreadth) {
               const removedKeys = keyLength - maximumBreadth;
               res += `${separator}"...": "${getItemCount(removedKeys)} not stringified"`;
-              separator = join27;
+              separator = join28;
             }
             if (separator !== "") {
               res = `
@@ -7990,7 +7990,7 @@ var require_buffer_list = __commonJS({
         }
       }, {
         key: "join",
-        value: function join27(s4) {
+        value: function join28(s4) {
           if (this.length === 0) return "";
           var p3 = this.head;
           var ret = "" + p3.data;
@@ -19073,7 +19073,7 @@ var require_lodash = __commonJS({
           }
           return mapped.length && mapped[0] === arrays[0] ? baseIntersection(mapped, undefined2, comparator) : [];
         });
-        function join27(array, separator) {
+        function join28(array, separator) {
           return array == null ? "" : nativeJoin.call(array, separator);
         }
         function last2(array) {
@@ -20992,7 +20992,7 @@ var require_lodash = __commonJS({
         lodash16.isUndefined = isUndefined2;
         lodash16.isWeakMap = isWeakMap;
         lodash16.isWeakSet = isWeakSet;
-        lodash16.join = join27;
+        lodash16.join = join28;
         lodash16.kebabCase = kebabCase;
         lodash16.last = last2;
         lodash16.lastIndexOf = lastIndexOf;
@@ -29988,7 +29988,7 @@ var require_builder = __commonJS({
       }
     };
     exports2.SeqBuilder = SeqBuilder;
-    function join27(first2, second, ...others) {
+    function join28(first2, second, ...others) {
       const seq = new SeqBuilder(first2, second);
       if (!others.length) {
         return seq;
@@ -29997,7 +29997,7 @@ var require_builder = __commonJS({
         return res.join(query);
       }, seq);
     }
-    exports2.join = join27;
+    exports2.join = join28;
     var SymBuilder = class extends AbstractBuilder {
       constructor(opts) {
         super();
@@ -209805,7 +209805,7 @@ var kleur_default = $;
 // dist/cli-core.js
 var import_lodash15 = __toESM(require_lodash(), 1);
 import os from "os";
-import { join as join24, relative as relative11, resolve as resolve23 } from "path";
+import { join as join25, relative as relative11, resolve as resolve23 } from "path";
 
 // ../utils/src/dashboard-api/shared-api.ts
 var DashboardAPI = class {
@@ -210253,9 +210253,9 @@ function transformToVulnChainNode(dependencyTree) {
 }
 
 // dist/internal/socket-mode-helpers-socket-dependency-trees.js
-var import_picomatch2 = __toESM(require_picomatch2(), 1);
-import { basename as basename7, dirname as dirname8, sep as sep5 } from "path";
 var import_packageurl_js = __toESM(require_packageurl_js(), 1);
+var import_picomatch2 = __toESM(require_picomatch2(), 1);
+import { basename as basename7, dirname as dirname8, join as join23, sep as sep5 } from "path";
 var REQUIREMENTS_FILES_SEARCH_DEPTH2 = 3;
 function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonProjects) {
   switch (ecosystem) {
@@ -210368,7 +210368,7 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash)
     for (const file of allFiles) {
       const base = basename7(file);
       const workspaceDir = dirname8(file) || ".";
-      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(file)) {
+      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(join23(rootWorkingDirectory, file))) {
         if (!properPythonProjects.includes(workspaceDir)) {
           properPythonProjects.push(workspaceDir);
         }
@@ -210442,7 +210442,7 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash)
               name: artifact.name ?? "",
               dependency: artifact.name ?? "",
               vulnChainDetails: computeVulnChainDetails2(artifacts, artifact.id),
-              vulnerabilityAccessPaths: vuln.reachabilityData?.pattern ?? null,
+              vulnerabilityAccessPaths: vuln.reachabilityData?.undeterminableReachability ? vuln.reachabilityData.publicComment ?? "" : vuln.reachabilityData?.pattern ?? null,
               ecosystem,
               artifactId: artifact.id
             };
@@ -224212,7 +224212,7 @@ var { root: root2 } = static_exports;
 // ../utils/src/maven-utils.ts
 var import_lodash14 = __toESM(require_lodash(), 1);
 import { existsSync as existsSync20, readdirSync as readdirSync4, statSync as statSync4 } from "fs";
-import { join as join23 } from "path";
+import { join as join24 } from "path";
 var { memoize: memoize3 } = import_lodash14.default;
 var memoizedParseShellArgs = memoize3(parseShellArgs);
 var MAVEN_PUBLIC_REPOSITORIES = [
@@ -225583,7 +225583,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.12.2";
+var version2 = "14.12.3";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -225685,7 +225685,7 @@ var CliCore = class {
     }
   }
   async main() {
-    this.coanaLogPath = join24(await createTmpDirectory("coana-cli-"), "coana-log.txt");
+    this.coanaLogPath = join25(await createTmpDirectory("coana-cli-"), "coana-log.txt");
     logger.initWinstonLogger(this.options.debug, this.coanaLogPath);
     logger.silent = this.options.silent;
     try {
@@ -226266,7 +226266,7 @@ async function getGitDataToMetadataIfAvailable(rootWorkingDirectory) {
 }
 
 // dist/cli-upgrade-purl.js
-import { join as join25, relative as relative12 } from "node:path";
+import { join as join26, relative as relative12 } from "node:path";
 var import_packageurl_js2 = __toESM(require_packageurl_js(), 1);
 var ECOSYSTEMS_WITH_SOCKET_UPGRADES = ["NPM", "MAVEN"];
 async function upgradePurl(path2, upgrades, options, logFile, cliFixRunId) {
@@ -226347,7 +226347,7 @@ ${upgrades.map((upgrade) => `	${upgrade.purl} -> ${upgrade.upgradeVersion}`).joi
     const subprojectPromiseQueue = new PromiseQueue(Number(options.concurrency));
     supportedSubprojects.forEach((subproject) => {
       subprojectPromiseQueue.enqueueTask(async () => {
-        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => minimatch(join25(subproject.subprojectPath, wsPath), options.globPattern ?? "**"));
+        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => minimatch(join26(subproject.subprojectPath, wsPath), options.globPattern ?? "**"));
         if (workspacePathsMatchingGlob.length === 0)
           return;
         logger.info(`Found workspaces for subproject ${subproject.subprojectPath}${options.globPattern ? `matching glob ${options.globPattern}` : ""}:
@@ -226376,7 +226376,7 @@ ${workspacePathsMatchingGlob.map((wsPath) => `	${wsPath}`).join("\n")}`);
           });
           if (vulnerabilityFixes.length === 0)
             return;
-          logger.info(`Found ${vulnerabilityFixes.length} ${vulnerabilityFixes.length === 1 ? "dependency" : "dependencies"} matching upgrade specs for ${join25(subproject.subprojectPath, wsPath)}`);
+          logger.info(`Found ${vulnerabilityFixes.length} ${vulnerabilityFixes.length === 1 ? "dependency" : "dependencies"} matching upgrade specs for ${join26(subproject.subprojectPath, wsPath)}`);
           workspaceToFixes[wsPath] = [
             {
               fixId: "dummy",
@@ -226397,7 +226397,7 @@ ${workspacePathsMatchingGlob.map((wsPath) => `	${wsPath}`).join("\n")}`);
   }
 }
 var signalFixApplied = (_fixId, subprojectPath, workspacePath, vulnerabilityFixes) => {
-  logger.info(`Successfully upgraded purls for: ${join25(subprojectPath, workspacePath)}`);
+  logger.info(`Successfully upgraded purls for: ${join26(subprojectPath, workspacePath)}`);
   logger.info(`Upgraded: 
 ${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVersion} to ${fix.fixedVersion}`).join("\n")}`);
 };
@@ -226554,7 +226554,7 @@ function computeSBOMTaskArtifacts(dependencyTrees) {
 }
 
 // dist/index.js
-import { join as join26 } from "path";
+import { join as join27 } from "path";
 var program2 = new Command();
 var run2 = new Command();
 run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
@@ -226572,7 +226572,7 @@ var upgradePurls = new Command();
 upgradePurls.name("upgrade-purls").argument("<path>", "File system path to the folder containing the project").argument("<specs...>", "Package upgrade specifications in the format 'purl -> newVersion' (e.g., 'pkg:maven/io.micrometer/micrometer-core@1.10.9 -> 1.15.0')").option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--socket-mode", "Use Socket for computing dependency trees").default(process.env.SOCKET_MODE === "true").hideHelp()).version(version2).action(async (path2, specs2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   await withTmpDirectory("upgrade-purls", async (tmpDir) => {
-    const logFile = join26(tmpDir, "upgrade-purls.log");
+    const logFile = join27(tmpDir, "upgrade-purls.log");
     logger.initWinstonLogger(options.debug, logFile);
     const upgradeSpecs = specs2.map((spec) => {
       const [purl, upgradeVersion] = spec.split("->").map((s4) => s4.trim());
@@ -226590,7 +226590,7 @@ var computeFixesAndUpgradePurlsCmd = new Command();
 computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).action(async (path2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   await withTmpDirectory("compute-fixes-and-upgrade-purls", async (tmpDir) => {
-    const logFile = join26(tmpDir, "compute-fixes-and-upgrade-purls.log");
+    const logFile = join27(tmpDir, "compute-fixes-and-upgrade-purls.log");
     logger.initWinstonLogger(options.debug, logFile);
     await computeFixesAndUpgradePurls(path2, options, logFile);
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.2",
+  "version": "14.12.3",
   "description": "Coana CLI",
   "type": "module",
   "bin": {