@coana-tech/cli 14.12.2 → 14.12.5

package/cli.mjs

@@ -6151,7 +6151,7 @@ var require_safe_stable_stringify = __commonJS({
               return circularValue;
             }
             let res = "";
-            let join27 = ",";
+            let join28 = ",";
             const originalIndentation = indentation;
             if (Array.isArray(value)) {
               if (value.length === 0) {
@@ -6165,7 +6165,7 @@ var require_safe_stable_stringify = __commonJS({
                 indentation += spacer;
                 res += `
 ${indentation}`;
-                join27 = `,
+                join28 = `,
 ${indentation}`;
               }
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -6173,13 +6173,13 @@ ${indentation}`;
               for (; i6 < maximumValuesToStringify - 1; i6++) {
                 const tmp2 = stringifyFnReplacer(String(i6), value, stack2, replacer, spacer, indentation);
                 res += tmp2 !== void 0 ? tmp2 : "null";
-                res += join27;
+                res += join28;
               }
               const tmp = stringifyFnReplacer(String(i6), value, stack2, replacer, spacer, indentation);
               res += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res += `${join27}"... ${getItemCount(removedKeys)} not stringified"`;
+                res += `${join28}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               if (spacer !== "") {
                 res += `
@@ -6200,7 +6200,7 @@ ${originalIndentation}`;
             let separator = "";
             if (spacer !== "") {
               indentation += spacer;
-              join27 = `,
+              join28 = `,
 ${indentation}`;
               whitespace2 = " ";
             }
@@ -6214,13 +6214,13 @@ ${indentation}`;
               const tmp = stringifyFnReplacer(key2, value, stack2, replacer, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}:${whitespace2}${tmp}`;
-                separator = join27;
+                separator = join28;
               }
             }
             if (keyLength > maximumBreadth) {
               const removedKeys = keyLength - maximumBreadth;
               res += `${separator}"...":${whitespace2}"${getItemCount(removedKeys)} not stringified"`;
-              separator = join27;
+              separator = join28;
             }
             if (spacer !== "" && separator.length > 1) {
               res = `
@@ -6261,7 +6261,7 @@ ${originalIndentation}`;
             }
             const originalIndentation = indentation;
             let res = "";
-            let join27 = ",";
+            let join28 = ",";
             if (Array.isArray(value)) {
               if (value.length === 0) {
                 return "[]";
@@ -6274,7 +6274,7 @@ ${originalIndentation}`;
                 indentation += spacer;
                 res += `
 ${indentation}`;
-                join27 = `,
+                join28 = `,
 ${indentation}`;
               }
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -6282,13 +6282,13 @@ ${indentation}`;
               for (; i6 < maximumValuesToStringify - 1; i6++) {
                 const tmp2 = stringifyArrayReplacer(String(i6), value[i6], stack2, replacer, spacer, indentation);
                 res += tmp2 !== void 0 ? tmp2 : "null";
-                res += join27;
+                res += join28;
               }
               const tmp = stringifyArrayReplacer(String(i6), value[i6], stack2, replacer, spacer, indentation);
               res += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res += `${join27}"... ${getItemCount(removedKeys)} not stringified"`;
+                res += `${join28}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               if (spacer !== "") {
                 res += `
@@ -6301,7 +6301,7 @@ ${originalIndentation}`;
             let whitespace2 = "";
             if (spacer !== "") {
               indentation += spacer;
-              join27 = `,
+              join28 = `,
 ${indentation}`;
               whitespace2 = " ";
             }
@@ -6310,7 +6310,7 @@ ${indentation}`;
               const tmp = stringifyArrayReplacer(key2, value[key2], stack2, replacer, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}:${whitespace2}${tmp}`;
-                separator = join27;
+                separator = join28;
               }
             }
             if (spacer !== "" && separator.length > 1) {
@@ -6368,20 +6368,20 @@ ${originalIndentation}`;
               indentation += spacer;
               let res2 = `
 ${indentation}`;
-              const join28 = `,
+              const join29 = `,
 ${indentation}`;
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
               let i6 = 0;
               for (; i6 < maximumValuesToStringify - 1; i6++) {
                 const tmp2 = stringifyIndent(String(i6), value[i6], stack2, spacer, indentation);
                 res2 += tmp2 !== void 0 ? tmp2 : "null";
-                res2 += join28;
+                res2 += join29;
               }
               const tmp = stringifyIndent(String(i6), value[i6], stack2, spacer, indentation);
               res2 += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res2 += `${join28}"... ${getItemCount(removedKeys)} not stringified"`;
+                res2 += `${join29}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               res2 += `
 ${originalIndentation}`;
@@ -6397,16 +6397,16 @@ ${originalIndentation}`;
               return '"[Object]"';
             }
             indentation += spacer;
-            const join27 = `,
+            const join28 = `,
 ${indentation}`;
             let res = "";
             let separator = "";
             let maximumPropertiesToStringify = Math.min(keyLength, maximumBreadth);
             if (isTypedArrayWithEntries(value)) {
-              res += stringifyTypedArray(value, join27, maximumBreadth);
+              res += stringifyTypedArray(value, join28, maximumBreadth);
               keys = keys.slice(value.length);
               maximumPropertiesToStringify -= value.length;
-              separator = join27;
+              separator = join28;
             }
             if (deterministic) {
               keys = insertSort(keys);
@@ -6417,13 +6417,13 @@ ${indentation}`;
               const tmp = stringifyIndent(key2, value[key2], stack2, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}: ${tmp}`;
-                separator = join27;
+                separator = join28;
               }
             }
             if (keyLength > maximumBreadth) {
               const removedKeys = keyLength - maximumBreadth;
               res += `${separator}"...": "${getItemCount(removedKeys)} not stringified"`;
-              separator = join27;
+              separator = join28;
             }
             if (separator !== "") {
               res = `
@@ -7990,7 +7990,7 @@ var require_buffer_list = __commonJS({
         }
       }, {
         key: "join",
-        value: function join27(s4) {
+        value: function join28(s4) {
           if (this.length === 0) return "";
           var p3 = this.head;
           var ret = "" + p3.data;
@@ -19073,7 +19073,7 @@ var require_lodash = __commonJS({
           }
           return mapped.length && mapped[0] === arrays[0] ? baseIntersection(mapped, undefined2, comparator) : [];
         });
-        function join27(array, separator) {
+        function join28(array, separator) {
           return array == null ? "" : nativeJoin.call(array, separator);
         }
         function last2(array) {
@@ -20992,7 +20992,7 @@ var require_lodash = __commonJS({
         lodash16.isUndefined = isUndefined2;
         lodash16.isWeakMap = isWeakMap;
         lodash16.isWeakSet = isWeakSet;
-        lodash16.join = join27;
+        lodash16.join = join28;
         lodash16.kebabCase = kebabCase;
         lodash16.last = last2;
         lodash16.lastIndexOf = lastIndexOf;
@@ -29988,7 +29988,7 @@ var require_builder = __commonJS({
       }
     };
     exports2.SeqBuilder = SeqBuilder;
-    function join27(first2, second, ...others) {
+    function join28(first2, second, ...others) {
       const seq = new SeqBuilder(first2, second);
       if (!others.length) {
         return seq;
@@ -29997,7 +29997,7 @@ var require_builder = __commonJS({
         return res.join(query);
       }, seq);
     }
-    exports2.join = join27;
+    exports2.join = join28;
     var SymBuilder = class extends AbstractBuilder {
       constructor(opts) {
         super();
@@ -190952,25 +190952,25 @@ var Spinner = class _Spinner {
 };
 
 // ../utils/src/command-utils.ts
-async function execAndLogOnFailure(cmd, dir, options) {
+async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
-  if (result.error) logCommandOutput(result, cmd, dir);
+  if (result.error) logCommandOutput(result, cmd, dir, logLevel);
   return !result.error;
 }
 async function execPipeAndLogOnFailure(cmd, dir, options) {
   return execAndLogOnFailure(cmd, dir, { ...options, pipe: true });
 }
-function logCommandOutput(cmdResult, cmd, dir) {
+function logCommandOutput(cmdResult, cmd, dir, logLevel = "info") {
   const { error, stdout, stderr } = cmdResult;
-  logger.info(error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
-  logger.info(`Directory: ${dir}`);
+  logger[logLevel](error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
+  logger[logLevel](`Directory: ${dir}`);
   if (error) {
     const em = error.message;
-    logger.info(`Error: ${em?.endsWith?.(`
+    logger[logLevel](`Error: ${em?.endsWith?.(`
 ${stderr}`) ? em.slice(0, -stderr.length - 1) : em}`);
   }
-  logger.info(`stdout: ${stdout}`);
-  logger.info(`stderr: ${stderr}`);
+  logger[logLevel](`stdout: ${stdout}`);
+  logger[logLevel](`stderr: ${stderr}`);
 }
 async function execNeverFail(cmd, dir, options) {
   return new Promise((resolve24) => {
@@ -197761,6 +197761,14 @@ function parseSocketResponse(responseData) {
     throw new Error(`Unexpected response type from Socket API: ${typeof responseData}`);
   }
 }
+function parseComputeArtifactsResponse(responseData) {
+  const response = parseSocketResponse(responseData);
+  return {
+    artifacts: response.filter((r2) => r2.type === "artifact").map((r2) => r2.value),
+    metadata: response.filter((r2) => r2.type === "metadata").flatMap((r2) => r2.value)
+    // There should always only be one metadata object
+  };
+}
 async function createSocketTier1Scan(cliOptions, coanaCliVersion) {
   try {
     const url2 = getSocketApiUrl("tier1-reachability-scan");
@@ -197948,7 +197956,7 @@ async function fetchArtifactsFromManifestsTarHash(manifestsTarHash) {
   try {
     const url2 = getSocketApiUrl(`orgs/${process.env.SOCKET_ORG_SLUG}/compute-artifacts?tarHash=${manifestsTarHash}`);
     const responseData = (await axios2.post(url2, {}, { headers: getAuthHeaders() })).data;
-    return parseSocketResponse(responseData);
+    return parseComputeArtifactsResponse(responseData);
   } catch (e) {
     if (e instanceof AxiosError2) {
       prettyPrintAxiosError(e);
@@ -197975,12 +197983,7 @@ async function computeSocketFactArtifacts(rootDir, relativeManifestFilePaths) {
     if (!uploadData.tarHash) {
       throw new Error("No tarHash received from upload-manifest-files response");
     }
-    const computeUrl = getSocketApiUrl(
-      `orgs/${process.env.SOCKET_ORG_SLUG}/compute-artifacts?tarHash=${uploadData.tarHash}`
-    );
-    const computeResponse = await axios2.post(computeUrl, {}, { headers: getAuthHeaders() });
-    const responseData = computeResponse.data;
-    return parseSocketResponse(responseData);
+    return (await fetchArtifactsFromManifestsTarHash(uploadData.tarHash)).artifacts;
   } catch (error) {
     logger.warn("Failed to compute socket fact artifacts", error);
     return void 0;
@@ -205296,23 +205299,23 @@ var Spinner2 = class _Spinner {
 };
 
 // ../utils/dist/command-utils.js
-async function execAndLogOnFailure2(cmd, dir, options) {
+async function execAndLogOnFailure2(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail2(cmd, dir, options);
   if (result.error)
-    logCommandOutput2(result, cmd, dir);
+    logCommandOutput2(result, cmd, dir, logLevel);
   return !result.error;
 }
-function logCommandOutput2(cmdResult, cmd, dir) {
+function logCommandOutput2(cmdResult, cmd, dir, logLevel = "info") {
   const { error, stdout, stderr } = cmdResult;
-  logger.info(error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
-  logger.info(`Directory: ${dir}`);
+  logger[logLevel](error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
+  logger[logLevel](`Directory: ${dir}`);
   if (error) {
     const em = error.message;
-    logger.info(`Error: ${em?.endsWith?.(`
+    logger[logLevel](`Error: ${em?.endsWith?.(`
 ${stderr}`) ? em.slice(0, -stderr.length - 1) : em}`);
   }
-  logger.info(`stdout: ${stdout}`);
-  logger.info(`stderr: ${stderr}`);
+  logger[logLevel](`stdout: ${stdout}`);
+  logger[logLevel](`stderr: ${stderr}`);
 }
 async function execNeverFail2(cmd, dir, options) {
   return new Promise((resolve24) => {
@@ -206483,18 +206486,19 @@ import { access as access2, cp, readdir as readdir3, stat as stat2 } from "fs/pr
 import { basename as basename4, join as join11, relative as relative6, resolve as resolve13 } from "path";
 var { uniq } = import_lodash5.default;
 var { isMatch } = import_micromatch.default;
-function findParent(dir, predicate, wholePath) {
-  let curr = dir;
-  let last2 = dir;
+function* parents(dir) {
+  let [curr, last2] = [dir, dir];
   do {
-    const name = wholePath ? curr : basename4(curr);
-    if (predicate(name))
-      return curr;
-    last2 = curr;
-    curr = resolve13(curr, "..");
+    yield curr;
+    [last2, curr] = [curr, resolve13(curr, "..")];
   } while (curr !== last2);
   return void 0;
 }
+function findParent(dir, predicate, wholePath) {
+  for (const parent2 of parents(dir))
+    if (predicate(wholePath ? parent2 : basename4(parent2)))
+      return parent2;
+}
 
 // ../utils/dist/constants.js
 var { once: once2 } = import_lodash6.default;
@@ -207378,17 +207382,18 @@ import { access as access3, cp as cp2, readdir as readdir4, stat as stat3 } from
 import { basename as basename5, join as join16, relative as relative7, resolve as resolve15 } from "path";
 var { uniq: uniq2 } = import_lodash8.default;
 var { isMatch: isMatch2 } = import_micromatch2.default;
-function findParent2(dir, predicate, wholePath) {
-  let curr = dir;
-  let last2 = dir;
+function* parents2(dir) {
+  let [curr, last2] = [dir, dir];
   do {
-    const name = wholePath ? curr : basename5(curr);
-    if (predicate(name)) return curr;
-    last2 = curr;
-    curr = resolve15(curr, "..");
+    yield curr;
+    [last2, curr] = [curr, resolve15(curr, "..")];
   } while (curr !== last2);
   return void 0;
 }
+function findParent2(dir, predicate, wholePath) {
+  for (const parent2 of parents2(dir))
+    if (predicate(wholePath ? parent2 : basename5(parent2))) return parent2;
+}
 async function getFilesRelative(dir, excludeDirs) {
   async function helper(subDir, arrayOfFiles) {
     for (const item of await readdir4(join16(dir, subDir), { withFileTypes: true })) {
@@ -209354,6 +209359,7 @@ import { join as join20, resolve as resolve18 } from "path";
 import util3 from "util";
 var { once: once7 } = import_lodash13.default;
 var systemPython = once7(() => execFileSync2("which", ["python"], { encoding: "utf8" }).trim());
+var hasPyenv = once7(async () => !(await execNeverFail("which pyenv")).error);
 
 // ../utils/src/pip-utils.ts
 async function isSetupPySetuptools(file) {
@@ -209805,7 +209811,7 @@ var kleur_default = $;
 // dist/cli-core.js
 var import_lodash15 = __toESM(require_lodash(), 1);
 import os from "os";
-import { join as join24, relative as relative11, resolve as resolve23 } from "path";
+import { join as join25, relative as relative11, resolve as resolve23 } from "path";
 
 // ../utils/src/dashboard-api/shared-api.ts
 var DashboardAPI = class {
@@ -210102,8 +210108,8 @@ function getVulnerabilityDependencyType(vulnChainDetails, directDependencies, af
         finalDepType = depType;
       }
     }
-    const parents2 = vcd.parentsMap.get(devIdentifier);
-    for (const p3 of parents2 ?? []) {
+    const parents4 = vcd.parentsMap.get(devIdentifier);
+    for (const p3 of parents4 ?? []) {
       if (p3 === ROOT_NODE_STR) continue;
       const parentNode = vcd.transitiveDependencies[p3];
       if (afd && !afd.has(parentNode)) continue;
@@ -210225,17 +210231,17 @@ function computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMa
   function addNode(currentIdentifier, childIdentifier, visited) {
     if (visited.has(currentIdentifier))
       return;
-    const parents2 = parentsMap.get(currentIdentifier);
+    const parents4 = parentsMap.get(currentIdentifier);
     const newCurrentNode = transformToVulnChainNode(dependencyTree.transitiveDependencies[currentIdentifier]);
     res.transitiveDependencies[currentIdentifier] = newCurrentNode;
     if (childIdentifier && !newCurrentNode.children.includes(childIdentifier))
       newCurrentNode.children.push(childIdentifier);
     if (!childIdentifier)
       newCurrentNode.vulnerable = true;
-    if (!parents2)
+    if (!parents4)
       return res;
     visited.add(currentIdentifier);
-    for (const parent2 of parents2) {
+    for (const parent2 of parents4) {
       if (parent2 === ROOT_IDENTIFIER)
         res.children.push(currentIdentifier);
       else
@@ -210253,9 +210259,9 @@ function transformToVulnChainNode(dependencyTree) {
 }
 
 // dist/internal/socket-mode-helpers-socket-dependency-trees.js
-var import_picomatch2 = __toESM(require_picomatch2(), 1);
-import { basename as basename7, dirname as dirname8, sep as sep5 } from "path";
 var import_packageurl_js = __toESM(require_packageurl_js(), 1);
+var import_picomatch2 = __toESM(require_picomatch2(), 1);
+import { basename as basename7, dirname as dirname8, join as join23, sep as sep5 } from "path";
 var REQUIREMENTS_FILES_SEARCH_DEPTH2 = 3;
 function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonProjects) {
   switch (ecosystem) {
@@ -210339,7 +210345,7 @@ function getAllToplevelAncestors(artifactMap, artifactId) {
 async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash) {
   logger.info("Fetching artifacts from Socket backend using manifests tar hash", manifestsTarHash);
   try {
-    const artifacts = await fetchArtifactsFromManifestsTarHash(manifestsTarHash);
+    const { artifacts } = await fetchArtifactsFromManifestsTarHash(manifestsTarHash);
     const properPythonProjects = [];
     const venvExcludes = [
       "venv",
@@ -210368,7 +210374,7 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash)
     for (const file of allFiles) {
       const base = basename7(file);
       const workspaceDir = dirname8(file) || ".";
-      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(file)) {
+      if (base === "pyproject.toml" || base === "setup.py" && await isSetupPySetuptools(join23(rootWorkingDirectory, file))) {
         if (!properPythonProjects.includes(workspaceDir)) {
           properPythonProjects.push(workspaceDir);
         }
@@ -210442,7 +210448,7 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash)
               name: artifact.name ?? "",
               dependency: artifact.name ?? "",
               vulnChainDetails: computeVulnChainDetails2(artifacts, artifact.id),
-              vulnerabilityAccessPaths: vuln.reachabilityData?.pattern ?? null,
+              vulnerabilityAccessPaths: vuln.reachabilityData?.undeterminableReachability ? vuln.reachabilityData.publicComment ?? "" : vuln.reachabilityData?.pattern ?? null,
               ecosystem,
               artifactId: artifact.id
             };
@@ -210493,7 +210499,7 @@ function computeVulnChainDetails2(artifacts, vulnerableArtifactId) {
     const currentArtifact = artifactMap.get(currentId);
     if (!currentArtifact)
       return;
-    const parents2 = parentsMap.get(currentId);
+    const parents4 = parentsMap.get(currentId);
     const newCurrentNode = {
       packageName: getNameFromNamespaceAndName(currentArtifact.type, currentArtifact.namespace, currentArtifact.name),
       version: currentArtifact.version ?? void 0,
@@ -210512,8 +210518,8 @@ function computeVulnChainDetails2(artifacts, vulnerableArtifactId) {
       }
     }
     visited.add(currentId);
-    if (parents2) {
-      for (const parentId of parents2) {
+    if (parents4) {
+      for (const parentId of parents4) {
         addNode(parentId, currentId, visited);
       }
     }
@@ -213022,7 +213028,7 @@ __export(traversing_exports, {
   nextUntil: () => nextUntil,
   not: () => not,
   parent: () => parent,
-  parents: () => parents,
+  parents: () => parents3,
   parentsUntil: () => parentsUntil,
   prev: () => prev,
   prevAll: () => prevAll,
@@ -214284,7 +214290,7 @@ function _removeDuplicates(elems) {
   return Array.from(new Set(elems));
 }
 var parent = _singleMatcher(({ parent: parent2 }) => parent2 && !isDocument(parent2) ? parent2 : null, _removeDuplicates);
-var parents = _matcher((elem) => {
+var parents3 = _matcher((elem) => {
   const matched = [];
   while (elem.parent && !isDocument(elem.parent)) {
     matched.push(elem.parent);
@@ -224212,7 +224218,7 @@ var { root: root2 } = static_exports;
 // ../utils/src/maven-utils.ts
 var import_lodash14 = __toESM(require_lodash(), 1);
 import { existsSync as existsSync20, readdirSync as readdirSync4, statSync as statSync4 } from "fs";
-import { join as join23 } from "path";
+import { join as join24 } from "path";
 var { memoize: memoize3 } = import_lodash14.default;
 var memoizedParseShellArgs = memoize3(parseShellArgs);
 var MAVEN_PUBLIC_REPOSITORIES = [
@@ -225028,10 +225034,10 @@ var FixesTask = class {
           return;
         }
       }
-      const parents2 = this.getParents(pId, vulnChainDetails);
+      const parents4 = this.getParents(pId, vulnChainDetails);
       let allowedVersionsForCId = potentialVersionsForFix[cId] ? [...potentialVersionsForFix[cId]] : await this.getSafeVersionsOfPackage(vulnChainDetails.transitiveDependencies[cId].packageName);
-      if (parents2.length !== 0) {
-        for (const parent2 of parents2) {
+      if (parents4.length !== 0) {
+        for (const parent2 of parents4) {
           await computeFix(parent2, pId, [key, ...visited]);
           if (res[pId])
             allowedVersionsForCId = await this.filterVersionsAllowedByParent(pId, res[pId], cId, allowedVersionsForCId);
@@ -225060,11 +225066,11 @@ var FixesTask = class {
     const deps = vulnChainDetails.transitiveDependencies;
     const vulnerablePackageIdentifiers = Object.entries(deps ?? []).filter(([_identifier, node]) => node.vulnerable).map(([identifier, _node]) => identifier);
     for (const pId of vulnerablePackageIdentifiers) {
-      const parents2 = this.getParents(pId, vulnChainDetails);
-      if (parents2.length === 0) {
+      const parents4 = this.getParents(pId, vulnChainDetails);
+      if (parents4.length === 0) {
         pickVersionWrapper(pId, [...potentialVersionsForFix[pId]]);
       } else {
-        for (const parent2 of parents2) {
+        for (const parent2 of parents4) {
           await computeFix(parent2, pId, []);
         }
       }
@@ -225125,9 +225131,9 @@ var FixesTask = class {
           safeVersionsForC
         );
         const vs = await filterVersions(pId, versionsOfPAllowingSomeSafeVersions);
-        const parents2 = this.getParents(pId, vuln.vulnChainDetails);
-        if (parents2.length !== 0) {
-          for (const parent2 of parents2) {
+        const parents4 = this.getParents(pId, vuln.vulnChainDetails);
+        if (parents4.length !== 0) {
+          for (const parent2 of parents4) {
             await computePotentialVersionsForFixWithCache(parent2, pId, vs);
           }
         } else {
@@ -225139,17 +225145,17 @@ var FixesTask = class {
     const deps = vuln.vulnChainDetails?.transitiveDependencies;
     const vulnerablePackageIdentifiers = Object.entries(deps ?? []).filter(([_identifier, node]) => node.vulnerable).map(([identifier, _node]) => identifier);
     for (const pId of vulnerablePackageIdentifiers) {
-      const parents2 = this.getParents(pId, vuln.vulnChainDetails);
+      const parents4 = this.getParents(pId, vuln.vulnChainDetails);
       const safeVersionsForVulnerablePackage = await safeVersions(pId);
       const { upgrades, downgrades } = this.groupVersionsInUpgradesAndDowngrades(
         assertDefined(this.packageStructure.transitiveDependencies[pId].version),
         safeVersionsForVulnerablePackage
       );
-      if (parents2.length === 0) {
+      if (parents4.length === 0) {
         if (upgrades.length > 0) res[pId] = upgrades;
         else if (downgrades.length > 0) res[pId] = downgrades;
       } else {
-        for (const parent2 of parents2) {
+        for (const parent2 of parents4) {
           const resClone = { ...res };
           const alreadyComputedCacheClone = new Map(alreadyComputedCache);
           try {
@@ -225583,7 +225589,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.12.2";
+var version2 = "14.12.5";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -225685,7 +225691,7 @@ var CliCore = class {
     }
   }
   async main() {
-    this.coanaLogPath = join24(await createTmpDirectory("coana-cli-"), "coana-log.txt");
+    this.coanaLogPath = join25(await createTmpDirectory("coana-cli-"), "coana-log.txt");
     logger.initWinstonLogger(this.options.debug, this.coanaLogPath);
     logger.silent = this.options.silent;
     try {
@@ -226266,7 +226272,7 @@ async function getGitDataToMetadataIfAvailable(rootWorkingDirectory) {
 }
 
 // dist/cli-upgrade-purl.js
-import { join as join25, relative as relative12 } from "node:path";
+import { join as join26, relative as relative12 } from "node:path";
 var import_packageurl_js2 = __toESM(require_packageurl_js(), 1);
 var ECOSYSTEMS_WITH_SOCKET_UPGRADES = ["NPM", "MAVEN"];
 async function upgradePurl(path2, upgrades, options, logFile, cliFixRunId) {
@@ -226347,7 +226353,7 @@ ${upgrades.map((upgrade) => `	${upgrade.purl} -> ${upgrade.upgradeVersion}`).joi
     const subprojectPromiseQueue = new PromiseQueue(Number(options.concurrency));
     supportedSubprojects.forEach((subproject) => {
       subprojectPromiseQueue.enqueueTask(async () => {
-        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => minimatch(join25(subproject.subprojectPath, wsPath), options.globPattern ?? "**"));
+        const workspacePathsMatchingGlob = subproject.workspacePaths.filter((wsPath) => minimatch(join26(subproject.subprojectPath, wsPath), options.globPattern ?? "**"));
         if (workspacePathsMatchingGlob.length === 0)
           return;
         logger.info(`Found workspaces for subproject ${subproject.subprojectPath}${options.globPattern ? `matching glob ${options.globPattern}` : ""}:
@@ -226376,7 +226382,7 @@ ${workspacePathsMatchingGlob.map((wsPath) => `	${wsPath}`).join("\n")}`);
           });
           if (vulnerabilityFixes.length === 0)
             return;
-          logger.info(`Found ${vulnerabilityFixes.length} ${vulnerabilityFixes.length === 1 ? "dependency" : "dependencies"} matching upgrade specs for ${join25(subproject.subprojectPath, wsPath)}`);
+          logger.info(`Found ${vulnerabilityFixes.length} ${vulnerabilityFixes.length === 1 ? "dependency" : "dependencies"} matching upgrade specs for ${join26(subproject.subprojectPath, wsPath)}`);
           workspaceToFixes[wsPath] = [
             {
               fixId: "dummy",
@@ -226397,7 +226403,7 @@ ${workspacePathsMatchingGlob.map((wsPath) => `	${wsPath}`).join("\n")}`);
   }
 }
 var signalFixApplied = (_fixId, subprojectPath, workspacePath, vulnerabilityFixes) => {
-  logger.info(`Successfully upgraded purls for: ${join25(subprojectPath, workspacePath)}`);
+  logger.info(`Successfully upgraded purls for: ${join26(subprojectPath, workspacePath)}`);
   logger.info(`Upgraded: 
 ${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVersion} to ${fix.fixedVersion}`).join("\n")}`);
 };
@@ -226554,7 +226560,7 @@ function computeSBOMTaskArtifacts(dependencyTrees) {
 }
 
 // dist/index.js
-import { join as join26 } from "path";
+import { join as join27 } from "path";
 var program2 = new Command();
 var run2 = new Command();
 run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
@@ -226572,7 +226578,7 @@ var upgradePurls = new Command();
 upgradePurls.name("upgrade-purls").argument("<path>", "File system path to the folder containing the project").argument("<specs...>", "Package upgrade specifications in the format 'purl -> newVersion' (e.g., 'pkg:maven/io.micrometer/micrometer-core@1.10.9 -> 1.15.0')").option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--socket-mode", "Use Socket for computing dependency trees").default(process.env.SOCKET_MODE === "true").hideHelp()).version(version2).action(async (path2, specs2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   await withTmpDirectory("upgrade-purls", async (tmpDir) => {
-    const logFile = join26(tmpDir, "upgrade-purls.log");
+    const logFile = join27(tmpDir, "upgrade-purls.log");
     logger.initWinstonLogger(options.debug, logFile);
     const upgradeSpecs = specs2.map((spec) => {
       const [purl, upgradeVersion] = spec.split("->").map((s4) => s4.trim());
@@ -226590,7 +226596,7 @@ var computeFixesAndUpgradePurlsCmd = new Command();
 computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).action(async (path2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   await withTmpDirectory("compute-fixes-and-upgrade-purls", async (tmpDir) => {
-    const logFile = join26(tmpDir, "compute-fixes-and-upgrade-purls.log");
+    const logFile = join27(tmpDir, "compute-fixes-and-upgrade-purls.log");
     logger.initWinstonLogger(options.debug, logFile);
     await computeFixesAndUpgradePurls(path2, options, logFile);
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.2",
+  "version": "14.12.5",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -73587,22 +73587,22 @@ import { join as join3 } from "path";
 // ../utils/src/command-utils.ts
 import assert from "assert";
 import { execFile } from "child_process";
-async function execAndLogOnFailure(cmd, dir, options) {
+async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
-  if (result.error) logCommandOutput(result, cmd, dir);
+  if (result.error) logCommandOutput(result, cmd, dir, logLevel);
   return !result.error;
 }
-function logCommandOutput(cmdResult, cmd, dir) {
+function logCommandOutput(cmdResult, cmd, dir, logLevel = "info") {
   const { error, stdout, stderr } = cmdResult;
-  logger.info(error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
-  logger.info(`Directory: ${dir}`);
+  logger[logLevel](error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
+  logger[logLevel](`Directory: ${dir}`);
   if (error) {
     const em = error.message;
-    logger.info(`Error: ${em?.endsWith?.(`
+    logger[logLevel](`Error: ${em?.endsWith?.(`
 ${stderr}`) ? em.slice(0, -stderr.length - 1) : em}`);
   }
-  logger.info(`stdout: ${stdout}`);
-  logger.info(`stderr: ${stderr}`);
+  logger[logLevel](`stdout: ${stdout}`);
+  logger[logLevel](`stderr: ${stderr}`);
 }
 async function execNeverFail(cmd, dir, options) {
   return new Promise((resolve16) => {
@@ -73747,17 +73747,18 @@ function excludeFiles(excludedDirsRoot, filesRoot, files, excludeDirs) {
     )
   ).map((f2) => relative(filesRoot, f2));
 }
-function findParent(dir, predicate, wholePath) {
-  let curr = dir;
-  let last2 = dir;
+function* parents(dir) {
+  let [curr, last2] = [dir, dir];
   do {
-    const name2 = wholePath ? curr : basename(curr);
-    if (predicate(name2)) return curr;
-    last2 = curr;
-    curr = resolve(curr, "..");
+    yield curr;
+    [last2, curr] = [curr, resolve(curr, "..")];
   } while (curr !== last2);
   return void 0;
 }
+function findParent(dir, predicate, wholePath) {
+  for (const parent2 of parents(dir))
+    if (predicate(wholePath ? parent2 : basename(parent2))) return parent2;
+}
 async function getFiles(dir, excludeDirs) {
   async function helper(currDir, arrayOfFiles) {
     for (const item of await readdir(currDir, { withFileTypes: true })) {
@@ -74201,6 +74202,7 @@ import { join as join4, resolve as resolve2 } from "path";
 import util3 from "util";
 var { once } = import_lodash4.default;
 var systemPython = once(() => execFileSync("which", ["python"], { encoding: "utf8" }).trim());
+var hasPyenv = once(async () => !(await execNeverFail("which pyenv")).error);
 async function getPythonVersion(executable) {
   return runCommandResolveStdOut([executable, "-SIc", `import sys; print(*sys.version_info[:3], sep='.')`]);
 }
@@ -74231,11 +74233,9 @@ var PythonVersionsManager = class _PythonVersionsManager {
   // Extracts the python version specifier from the workspace and returns it as an array of semver parts.
   async getPythonSpecifier(workspacePath, checkPyProject = true) {
     const absPath = resolve2(this.projectDir, workspacePath);
-    const pyenvOrigin = await runCommandResolveStdOut("pyenv version-origin", absPath);
-    const pyenvRoot = process.env.PYENV_ROOT ?? await runCommandResolveStdOut("pyenv root");
-    if (pyenvOrigin !== join4(pyenvRoot, "version"))
+    for (const parent2 of parents(absPath))
       try {
-        return [(await readFile3(pyenvOrigin, "utf-8")).split("\n")[0].trim()];
+        return [(await readFile3(join4(parent2, ".python-version"), "utf-8")).split("\n")[0].trim()];
       } catch (e) {
         if (e.code !== "ENOENT") logger.warn("Failed to read python version file with error", e);
       }
@@ -74283,7 +74283,12 @@ var PythonVersionsManager = class _PythonVersionsManager {
     if (semVerSpec) {
       const systemVer = await getPythonVersion(systemPython());
       if (versionMatchesSemverParts(systemVer, semVerSpec)) return systemPython();
-    }
+      if (!await hasPyenv())
+        throw Error(
+          `System Python (${systemVer}) does not satisfy the specifier '${semVerSpec.join(", ")}'. A matching interpreter can automatically be installed if 'pyenv' is available.`
+        );
+    } else if (!await hasPyenv() || _PythonVersionsManager.getGlobalPythonVersion() === "system")
+      return systemPython();
     return resolve2(await _PythonVersionsManager.getPythonPrefixMatchingSpecifier(semVerSpec), "bin", "python");
   }
   // Throws an error if the python version is not installed.
@@ -77166,7 +77171,7 @@ __export(traversing_exports, {
   nextUntil: () => nextUntil,
   not: () => not,
   parent: () => parent,
-  parents: () => parents,
+  parents: () => parents2,
   parentsUntil: () => parentsUntil,
   prev: () => prev,
   prevAll: () => prevAll,
@@ -78428,7 +78433,7 @@ function _removeDuplicates(elems) {
   return Array.from(new Set(elems));
 }
 var parent = _singleMatcher(({ parent: parent2 }) => parent2 && !isDocument(parent2) ? parent2 : null, _removeDuplicates);
-var parents = _matcher((elem) => {
+var parents2 = _matcher((elem) => {
   const matched = [];
   while (elem.parent && !isDocument(elem.parent)) {
     matched.push(elem.parent);
@@ -96448,9 +96453,9 @@ var PythonCodeAwareVulnerabilityScanner = class {
     const packagesToExclude = heuristic.getPackagesToExcludeFromAnalysis?.(vulns);
     const packagesToInstall = uniqBy(preInstalledDepInfos.filter((n) => !packagesToExclude?.has(n.packageName)), "packageName");
     if (!await this.tryUsingPreinstalledVirtualEnv(packagesToInstall)) {
-      logger.info("Setting up virtual environment");
+      logger.info(`Setting up virtual environment`);
       await this.prepareVirtualEnv(packagesToInstall);
-      logger.debug("Done setting up virtual environment");
+      logger.info("Done setting up virtual environment");
     }
   }
   async runAnalysis(vulns, heuristic, analyzesAllVulns) {
@@ -96512,7 +96517,7 @@ runpy.run_module("mambalade", alter_sys=True)
       "--",
       ...filesToAnalyze
     ];
-    logger.info(`Running mambalade on ${filesToAnalyze.length} files for vulnerabilities:
+    logger.debug(`Running mambalade on ${filesToAnalyze.length} files for vulnerabilities:
 ${vulnAccPaths.join("\n")}`);
     logger.debug(`Running python executable: ${pythonExecutable}`);
     logger.debug(`With args: ${mambaladeArgs.slice(1).join(" ")}`);
@@ -96521,7 +96526,7 @@ ${vulnAccPaths.join("\n")}`);
       logger.debug("Done running mambalade");
       const errors = stderr.split("\n").filter((line) => line.startsWith("ERROR:") && !/^ERROR: Excluded distribution/.test(line));
       if (errors.length > 0)
-        logger.info(`Error messages from mambalade:
+        logger.debug(`Error messages from mambalade:
 ${errors.join("\n")}`);
       const result = JSON.parse(await readFile10(vulnsOutputFile, "utf-8"));
       logger.debug("Analysis result:", JSON.stringify(result, null, 2));
@@ -96546,8 +96551,8 @@ ${errors.join("\n")}`);
         packageInstallationStats: this.virtualEnvInfo.packageInstallationStats
         // Including stats in all analysis diagnostics since we might discard the first one that actually installs it due to analysis timeout.
       };
-      logger.info("Analysis diagnostics:");
-      logger.info(JSON.stringify(omit(diagnostics, this.numberAnalysesRun === 0 ? [] : ["packageInstallationStats"]), null, 2));
+      logger.debug("Analysis diagnostics:");
+      logger.debug(JSON.stringify(omit(diagnostics, this.numberAnalysesRun === 0 ? [] : ["packageInstallationStats"]), null, 2));
       return {
         type: "success",
         diagnostics,
@@ -96592,21 +96597,25 @@ ${msg}`;
         rootWorkingDir: projectTmpDir,
         reachabilityAnalysisOptions: options
       }, projectTmpDir);
-      await scanner.prepareVirtualEnv([]);
-      const sitePackagesDir = scanner.virtualEnvInfo.virtualEnvPathToSitePackages;
-      for (const dep of dependencies) {
-        const dependencyDir = join20(sitePackagesDir, basename9(dep));
-        logger.info(`Copying ${dep} to ${dependencyDir}`);
-        await cp5(dep, dependencyDir, { recursive: true });
-        fileMappings.set(dependencyDir, dep);
-      }
-      const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, false);
-      if (result.type === "error")
-        return { error: result.message, terminatedEarly: true };
-      return {
-        detectedOccurrences: transformSourceLocations2(app, fileMappings, result.computeDetectedOccurrences({ ...vuln, url: "" })),
-        terminatedEarly: result.terminatedEarly
-      };
+      try {
+        await scanner.prepareVirtualEnv([]);
+        const sitePackagesDir = scanner.virtualEnvInfo.virtualEnvPathToSitePackages;
+        for (const dep of dependencies) {
+          const dependencyDir = join20(sitePackagesDir, basename9(dep));
+          logger.info(`Copying ${dep} to ${dependencyDir}`);
+          await cp5(dep, dependencyDir, { recursive: true });
+          fileMappings.set(dependencyDir, dep);
+        }
+        const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, false);
+        if (result.type === "error")
+          return { error: result.message, terminatedEarly: true };
+        return {
+          detectedOccurrences: transformSourceLocations2(app, fileMappings, result.computeDetectedOccurrences({ ...vuln, url: "" })),
+          terminatedEarly: result.terminatedEarly
+        };
+      } finally {
+        await scanner.cleanup();
+      }
     });
   }
   static async runOnDependencyChain(chain, vuln, options) {
@@ -96628,7 +96637,7 @@ ${msg}`;
             const candidate = findBestWheel(packageName, version3, meta);
             if (candidate) {
               const filename = candidate.url.split("/").at(-1);
-              if (await downloadFile(candidate.url, join20(tmpDir, filename)) && await execAndLogOnFailure(["unzip", filename], tmpDir))
+              if (await downloadFile(candidate.url, join20(tmpDir, filename)) && await execAndLogOnFailure(["unzip", filename], tmpDir, void 0, "debug"))
                 return;
             }
             await exec(cmdt`uv pip install --python-platform ${uvPythonPlatform} --target ${tmpDir} --no-deps ${packageName}==${version3}`);
@@ -96677,6 +96686,8 @@ ${msg}`;
   }
   // public for testing only
   async prepareVirtualEnv(packages) {
+    if (!await hasUv())
+      throw new Error("uv (https://docs.astral.sh/uv/) is missing, but is required for Python analysis");
     const tmpDir = await createTmpDirectory("coana-python-analysis-venv");
     const virtualEnvFolder = join20(tmpDir, ".venv");
     const pythonExecutable = await this.vm.getPythonExecutableForWorkspace(this.projectDir, false);
@@ -96709,12 +96720,12 @@ ${msg}`;
           return true;
         const filename = candidate.url.split("/").at(-1);
         if (await downloadFile(candidate.url, join20(tmpDir, filename)) && await execAndLogOnFailure(cmdt`${uvTool(pythonExecutable)} --from installer==0.7.0 python -m installer
-                --no-compile-bytecode --prefix .venv ${filename}`, tmpDir)) {
+                --no-compile-bytecode --prefix .venv ${filename}`, tmpDir, void 0, "debug")) {
           installStats.installedUsingSpecializedInstallCommand.push(packageName);
           return false;
         }
       } catch (e) {
-        logger.info(`Failed to construct specialized install command for ${packageName}==${version3}`, e);
+        logger.debug(`Failed to construct specialized install command for ${packageName}==${version3}`, e);
       }
       return true;
     }, 4);
@@ -96723,13 +96734,7 @@ ${msg}`;
       const installPipDeps = once3(async () => exec([...uvInstallBase, "pip", "wheel"]));
       for (const { packageName, version: version3, requirement } of failingPackages) {
         const requirementToInstall = requirement ?? `${packageName}==${version3}`;
-        let success = await execAndLogOnFailure([
-          ...uvInstallBase,
-          "--no-deps",
-          "--no-binary",
-          packageName,
-          requirementToInstall
-        ]);
+        let success = await execAndLogOnFailure([...uvInstallBase, "--no-deps", "--no-binary", packageName, requirementToInstall], void 0, void 0, "debug");
         if (!success) {
           await installPipDeps();
           success = await execAndLogOnFailure(
@@ -96738,7 +96743,9 @@ ${msg}`;
             cmdt`.venv/bin/python -m pip
               --no-input --require-virtualenv --disable-pip-version-check --no-cache-dir --isolated install
               --no-deps --ignore-requires-python --no-compile --no-binary ${packageName} ${requirementToInstall}`,
-            tmpDir
+            tmpDir,
+            void 0,
+            "debug"
           );
         }
         (success ? installStats.installedWithoutOnlyBinary : installStats.failedToInstall).push(packageName);
@@ -96829,7 +96836,7 @@ async function getPythonInterpreter() {
 }
 async function setupMambalade() {
   const venvDir = await createTmpDirectory("mambalade-venv");
-  logger.info("Creating Mambalade virtual environment");
+  logger.debug("Creating Mambalade virtual environment");
   const pythonInterpreter = await getPythonInterpreter();
   await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
   const mambaladeWheelsPath = join20(COANA_REPOS_PATH(), "mambalade", "dist");
@@ -96837,11 +96844,12 @@ async function setupMambalade() {
   const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join20(mambaladeWheelsPath, f2));
   if (!mambaladeWheels.length)
     throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
-  logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
+  logger.debug(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
   await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
-  logger.info("Mambalade virtual environment setup complete");
+  logger.debug("Mambalade virtual environment setup complete");
   return venvDir;
 }
+var hasUv = once3(async () => !(await execNeverFail("which uv")).error);
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/phantom-deps.js
 var { uniq: uniq8 } = import_lodash15.default;
@@ -96937,8 +96945,7 @@ var PipAnalyzer = class {
     this.heuristic = MambaladeHeuristics.createOnlyVulnPathPackagesHeuristic(this.preInstalledDepInfos);
   }
   prepareScanner = once4(async () => {
-    const { vulnerabilities } = this.state;
-    await this.scanner.prepareDependencies(this.preInstalledDepInfos, vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic);
+    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic);
     return this.scanner;
   });
   async runPhantomDependencyAnalysis() {
@@ -96970,14 +96977,13 @@ function getPreInstalledDepInfos(workspaceData) {
     }));
   } else {
     workspaceData.type;
-    const artifactsWithVersion = workspaceData.data.artifacts.filter((a2) => {
+    return workspaceData.data.artifacts.filter((a2) => {
       if (!a2.version) {
         logger.warn(`Artifact ${a2.name} has no version information`);
         return false;
       }
       return true;
-    });
-    return artifactsWithVersion.map((a2) => ({ packageName: a2.name, version: a2.version }));
+    }).map(({ name: name2, version: version3 }) => ({ packageName: name2, version: version3 }));
   }
 }
 
@@ -97168,6 +97174,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
           const enqueueWithoutSplitting = !allowSplitInBuckets && initialBucketContainingAllVulns && !state.reachabilityAnalysisOptions.timeoutInSeconds;
           await sendErrorAnalysisMetadata(result.message, !allowSplitInBuckets && isLastHeuristic(bucket.heuristic.name) && !enqueueWithoutSplitting, !allowSplitInBuckets);
           if (enqueueWithoutSplitting) {
+            logger.info("Analysis failed, retrying different configuration.");
             enqueueBucket(vulnDepIdentifiers);
             return;
           }
@@ -97177,6 +97184,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
           }
         }
         if (allowSplitInBuckets) {
+          logger.info("Analysis failed, rerunning analysis multiple times with fewer vulnerabilities per run.");
           const middle = Math.floor(vulnDepIdentifiers.length / 2);
           enqueueBucket(vulnDepIdentifiers.slice(0, middle));
           enqueueBucket(vulnDepIdentifiers.slice(middle));
@@ -97279,9 +97287,6 @@ function getHeuristicFromName(state, heuristicName, ecosystem) {
   if (ecosystem === "NPM") {
     return heuristics[heuristicName];
   } else if (ecosystem === "PIP") {
-    if (state.workspaceData.type !== "coana") {
-      throw new Error("MambaladeHeuristics only supports Coana data for analysis");
-    }
     if (heuristicName in MambaladeHeuristics)
       return MambaladeHeuristics[heuristicName];
     else if (heuristicName === "ONLY_VULN_PATH_PACKAGES") {
@@ -97517,16 +97522,16 @@ function canDismissVulnerability(phantomDependencies, vulnChainDetails) {
   const recHelper = (nodeIdentifier, depth) => {
     if (depth === 0)
       return void 0;
-    const parents2 = parentsMap.get(nodeIdentifier).filter((parent2) => parent2 !== ROOT_NODE_STR);
+    const parents3 = parentsMap.get(nodeIdentifier).filter((parent2) => parent2 !== ROOT_NODE_STR);
     const thisReachabilityPrecomp = nodeIdentifier === vulnNodeIdentifier ? "Reachable" : vulnChainDetails.transitiveDependencies[nodeIdentifier].reachabilityPrecomp;
     if (!thisReachabilityPrecomp)
       return void 0;
     const thisMayReachVulnerableNode = ["Reachable", "Unknown"].includes(thisReachabilityPrecomp);
-    if (parents2.length === 0 && thisMayReachVulnerableNode) {
+    if (parents3.length === 0 && thisMayReachVulnerableNode) {
       canDismiss = false;
     }
-    if (parents2) {
-      const parentsReachabilityPrecomp = parents2.map((p) => recHelper(p, depth - 1));
+    if (parents3) {
+      const parentsReachabilityPrecomp = parents3.map((p) => recHelper(p, depth - 1));
       if (parentsReachabilityPrecomp.some((reachabilityPrecomp) => !reachabilityPrecomp) && thisMayReachVulnerableNode) {
         canDismiss = false;
       }
@@ -97555,6 +97560,7 @@ var dashboardAPI2 = new DashboardAPI(process.env.SOCKET_MODE === "true", process
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve15(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
+  logger.info(`Preparing for running reachability analysis for project at "${relative6(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
   const constructor = ecosystemAnalyzer[ecosystem];
   if (!constructor)
     throw Error(`No analyzer associated with ecosystem ${ecosystem}`);