@coana-tech/cli 14.12.200 → 14.12.201

package/cli.mjs

@@ -251677,7 +251677,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.200";
+var version3 = "14.12.201";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.200",
+  "version": "14.12.201",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -88572,7 +88572,7 @@ function addPathToTrie(root3, vulnPath) {
 var import_lodash14 = __toESM(require_lodash(), 1);
 import assert6 from "assert";
 import { existsSync as existsSync13 } from "fs";
-import { cp as cp7, readdir as readdir4, readFile as readFile12, rm as rm5 } from "fs/promises";
+import { cp as cp7, readdir as readdir5, readFile as readFile12, rm as rm5 } from "fs/promises";
 var import_semver3 = __toESM(require_semver2(), 1);
 import { basename as basename11, dirname as dirname15, join as join17, resolve as resolve17, sep as sep5 } from "path";
 import util5 from "util";
@@ -94244,7 +94244,7 @@ var CocoaHeuristics = {
 
 // dist/whole-program-code-aware-vulnerability-scanner/dotnet/dotnet-code-aware-vulnerability-scanner.js
 var import_adm_zip = __toESM(require_adm_zip(), 1);
-import { mkdir as mkdir5, readFile as readFile7, writeFile as writeFile5 } from "fs/promises";
+import { mkdir as mkdir5, readdir as readdir4, readFile as readFile7, writeFile as writeFile5 } from "fs/promises";
 import { randomUUID } from "node:crypto";
 
 // dist/whole-program-code-aware-vulnerability-scanner/dotnet/constants.js
@@ -96464,7 +96464,13 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const outputFile = resolve9(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.dotnet, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, {
+        timeout: timeoutMs,
+        killSignal: "SIGKILL",
+        heartbeat: HEARTBEATS.dotnet,
+        telemetryHandler,
+        analyzerTelemetryHandler
+      });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile7(outputFile, "utf-8")).result;
@@ -96555,18 +96561,29 @@ async function downloadAndExtractNugetPackage(packageName, version3, tmpDir) {
     const packageUrl = getUrlForPackage(packageName, version3);
     const success = await downloadFile(packageUrl, packageFile);
     if (!success) {
-      logger.warn(`Failed to download nuget package ${packageName}/${version3}`);
-      return void 0;
+      throw new Error(`Failed to download nuget package ${packageName}/${version3}`);
     }
   }
   return extractNugetPackage(packageFile, packageName, version3, tmpDir);
 }
 async function convertDependencyChain(dependencyChain, tmpDir) {
+  const runtimePaths = await getDotnetRuntimeSharedPaths();
+  const runtimeFileIndex = await buildRuntimeFileIndex(runtimePaths);
   const nugetDependencyChain = await asyncMap(dependencyChain, async (dep) => {
-    return {
-      ...dep,
-      bin: dep.version ? await downloadAndExtractNugetPackage(dep.packageName, dep.version, tmpDir) : void 0
-    };
+    const binFiles = [];
+    if (dep.version) {
+      try {
+        const extracted = await downloadAndExtractNugetPackage(dep.packageName, dep.version, tmpDir);
+        if (extracted)
+          binFiles.push(...extracted);
+      } catch (e) {
+        logger.warn(`${e.message}`);
+      }
+      const runtimeFiles = findStdlibRuntimeFiles(dep.packageName, runtimeFileIndex);
+      if (runtimeFiles)
+        binFiles.push(...runtimeFiles);
+    }
+    return { ...dep, bin: binFiles.length > 0 ? binFiles : void 0 };
   }, 4);
   return nugetDependencyChain;
 }
@@ -96592,23 +96609,109 @@ async function findNuGetPackageInLocalRepo(repo, packageName, version3, tmpDir)
   const nupkgFile = allFiles.find((file) => basename7(file).toLowerCase() === targetNupkg);
   return nupkgFile ? extractNugetPackage(nupkgFile, packageName, version3, tmpDir) : void 0;
 }
+async function getDotnetRuntimeSharedPaths() {
+  const result = await execNeverFail2(cmdt`dotnet --list-runtimes`);
+  if (result.error ?? !result.stdout)
+    return [];
+  const paths = [];
+  for (const line of result.stdout.split("\n")) {
+    const match2 = line.trim().match(/^(\S+)\s+(\S+)\s+\[(.+)\]$/);
+    if (match2) {
+      const runtimeDir = resolve9(match2[3], match2[2]);
+      if (existsSync7(runtimeDir)) {
+        paths.push(runtimeDir);
+      }
+    }
+  }
+  return paths;
+}
+async function buildRuntimeFileIndex(runtimePaths) {
+  const index2 = /* @__PURE__ */ new Map();
+  for (const runtimePath of runtimePaths) {
+    try {
+      const entries = await readdir4(runtimePath, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isFile())
+          continue;
+        const name2 = entry.name.toLowerCase();
+        const fullPath = resolve9(runtimePath, entry.name);
+        const existing = index2.get(name2);
+        if (existing) {
+          existing.push(fullPath);
+        } else {
+          index2.set(name2, [fullPath]);
+        }
+      }
+    } catch (e) {
+      logger.debug(`Failed to read runtime path ${runtimePath}: ${e.message}`);
+    }
+  }
+  return index2;
+}
+function findStdlibRuntimeFiles(packageName, runtimeFileIndex) {
+  if (runtimeFileIndex.size === 0)
+    return void 0;
+  const possibleFileNames = /* @__PURE__ */ new Set();
+  if (packageName.toLowerCase() === "netstandard.library") {
+    possibleFileNames.add("netstandard.dll");
+  } else {
+    const lowerName = packageName.toLowerCase();
+    const componentName = lowerName.startsWith("runtime.native.") ? lowerName.slice("runtime.native.".length) : lowerName;
+    const nameVariants = [componentName, `${componentName}.Native`];
+    const lastDotIndex = componentName.lastIndexOf(".");
+    if (lastDotIndex !== -1) {
+      nameVariants.push(componentName.slice(0, lastDotIndex) + ".Native" + componentName.slice(lastDotIndex));
+    }
+    for (const name2 of nameVariants) {
+      possibleFileNames.add(`${name2}.dll`.toLowerCase());
+      possibleFileNames.add(`lib${name2}.dylib`.toLowerCase());
+      possibleFileNames.add(`lib${name2}.so`.toLowerCase());
+    }
+  }
+  const matchedFiles = [];
+  for (const fileName2 of possibleFileNames) {
+    const files = runtimeFileIndex.get(fileName2);
+    if (files)
+      matchedFiles.push(...files);
+  }
+  return matchedFiles.length > 0 ? matchedFiles : void 0;
+}
 async function convertSocketArtifacts(artifacts, tmpDir) {
   const localRepositories = getNuGetLocalRepositoryPaths();
+  const runtimePaths = await getDotnetRuntimeSharedPaths();
+  const runtimeFileIndex = await buildRuntimeFileIndex(runtimePaths);
   async function resolveNuGetPackage(packageName, version3) {
+    const binFiles = [];
     for (const repo of localRepositories) {
       const localPackage = await findNuGetPackageInLocalRepo(repo, packageName, version3, tmpDir);
-      if (localPackage)
-        return localPackage;
+      if (localPackage) {
+        binFiles.push(...localPackage);
+        break;
+      }
+    }
+    if (binFiles.length === 0) {
+      const downloaded = await downloadAndExtractNugetPackage(packageName, version3, tmpDir);
+      if (downloaded)
+        binFiles.push(...downloaded);
     }
-    return await downloadAndExtractNugetPackage(packageName, version3, tmpDir);
+    const runtimeFiles = findStdlibRuntimeFiles(packageName, runtimeFileIndex);
+    if (runtimeFiles)
+      binFiles.push(...runtimeFiles);
+    return binFiles.length > 0 ? binFiles : void 0;
   }
   const deps = {};
   const depIdToPurl = /* @__PURE__ */ new Map();
   await asyncForEach(artifacts, async (artifact) => {
     depIdToPurl.set(artifact.id, getPurlFromSocketFactArtifact(artifact));
-    deps[artifact.id] = {
-      bin: artifact.name && artifact.version ? await resolveNuGetPackage(artifact.name, artifact.version) : void 0
-    };
+    let bin;
+    if (artifact.name && artifact.version) {
+      try {
+        bin = await resolveNuGetPackage(artifact.name, artifact.version);
+      } catch (e) {
+        logger.warn(`${e.message}`);
+      }
+    }
+    deps[artifact.id] = { bin };
   }, 4);
   return { deps, depIdToPurl };
 }
@@ -112659,7 +112762,7 @@ ${msg}`;
     await this.updateVirtualEnvInfo(tmpDir, installStats);
   }
   async updateVirtualEnvInfo(virtualEnvFolder, packageInstallationStats) {
-    const entries = await readdir4(join17(virtualEnvFolder, ".venv", "lib"));
+    const entries = await readdir5(join17(virtualEnvFolder, ".venv", "lib"));
     const pydir = entries.find((entry) => entry.startsWith("python"));
     assert6(pydir, `No python* directory found in virtual environment: ${util5.inspect(entries)}`);
     this.virtualEnvInfo = {
@@ -112756,7 +112859,7 @@ async function setupMambalade() {
   logger.debug(`Using Python interpreter: ${python}`);
   await exec2(cmdt`${uvCommand} venv --no-project --no-config --python=${python} .`, venvDir);
   const mambaladeWheelsPath = ToolPathResolver.mambaladeDistPath;
-  const mambaladeWheels = (await readdir4(mambaladeWheelsPath)).filter((f2) => f2.endsWith(".whl")).map((f2) => join17(mambaladeWheelsPath, f2));
+  const mambaladeWheels = (await readdir5(mambaladeWheelsPath)).filter((f2) => f2.endsWith(".whl")).map((f2) => join17(mambaladeWheelsPath, f2));
   if (!mambaladeWheels.length)
     throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
   logger.debug(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
@@ -113801,7 +113904,7 @@ import { resolve as resolve21 } from "path";
 // dist/whole-program-code-aware-vulnerability-scanner/ruby/ruby-code-aware-vulnerability-scanner.js
 var import_lodash20 = __toESM(require_lodash(), 1);
 import { createWriteStream as createWriteStream5, existsSync as existsSync15 } from "fs";
-import { mkdir as mkdir9, readdir as readdir5, readFile as readFile13, rm as rm7 } from "fs/promises";
+import { mkdir as mkdir9, readdir as readdir6, readFile as readFile13, rm as rm7 } from "fs/promises";
 import { join as join18, relative as relative9 } from "path";
 import { pipeline as pipeline3 } from "stream/promises";
 var PRINT_ANALYSIS_COMMAND = false;
@@ -113954,12 +114057,12 @@ var RubyCodeAwareVulnerabilityScanner = class {
     }
     const bundlerGemsDir = join18(this.vendorDir, "bundle", "ruby");
     if (existsSync15(bundlerGemsDir)) {
-      const rubyVersions = await readdir5(bundlerGemsDir);
+      const rubyVersions = await readdir6(bundlerGemsDir);
       for (const rubyVersion of rubyVersions) {
         const gemsDir = join18(bundlerGemsDir, rubyVersion, "gems");
         if (existsSync15(gemsDir)) {
           const nameToEntry = /* @__PURE__ */ new Map();
-          for (const entry of await readdir5(gemsDir, { withFileTypes: true }))
+          for (const entry of await readdir6(gemsDir, { withFileTypes: true }))
             if (entry.isDirectory()) {
               const match2 = entry.name.match(/^([\w-_]+)-(\d+\.\d+\.\d+)/);
               if (match2)