npm - @coana-tech/cli - Versions diffs - 14.12.200 → 15.0.1 - Mend

@coana-tech/cli 14.12.200 → 15.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/cli.mjs +342 -58
package/package.json +1 -1
package/reachability-analyzers-cli.mjs +361 -97
package/repos/coana-tech/goana/bin/goana-darwin-amd64.gz +0 -0
package/repos/coana-tech/goana/bin/goana-darwin-arm64.gz +0 -0
package/repos/coana-tech/goana/bin/goana-linux-amd64.gz +0 -0
package/repos/coana-tech/goana/bin/goana-linux-arm64.gz +0 -0
package/repos/coana-tech/javap-service/javap-service.jar +0 -0

package/reachability-analyzers-cli.mjs CHANGED Viewed

@@ -79900,6 +79900,16 @@ var ApiUrls = {
   }
 };
+// ../web-compat-utils/src/analysis-error-keys.ts
+var FAILED_TO_INSTALL_PACKAGE_KEY = "[UNABLE_TO_INSTALL_PACKAGE_ERROR]: ";
+var InstallError = class extends Error {
+  constructor(failedPackages) {
+    super(`Failed to install packages: ${failedPackages.join(", ")}`);
+    this.failedPackages = failedPackages;
+    this.name = "InstallError";
+  }
+};
 // ../web-compat-utils/src/maven-dependency-utils.ts
 function deserializeMavenDependency(s2) {
   const [groupId, artifactId, version3] = s2.split(":");
@@ -88108,9 +88118,6 @@ var PromiseQueue = class {
   }
 };
-// ../web-compat-utils/src/analysis-error-keys.ts
-var FAILED_TO_INSTALL_PACKAGE_KEY = "[UNABLE_TO_INSTALL_PACKAGE_ERROR]: ";
 // ../web-compat-utils/src/ghsa.ts
 function extractGHSAIdFromUrl(url2) {
   const match2 = url2.match(/(GHSA-[a-z0-9-]+)/);
@@ -88151,6 +88158,7 @@ function getVulnReachability(c) {
 // dist/analyzers/pip-analyzer.js
 var import_lodash16 = __toESM(require_lodash(), 1);
 import assert7 from "assert";
+import { existsSync as existsSync15 } from "fs";
 import { resolve as resolve19 } from "path";
 // ../utils/src/pip-utils.ts
@@ -88571,8 +88579,8 @@ function addPathToTrie(root3, vulnPath) {
 // dist/whole-program-code-aware-vulnerability-scanner/python/python-code-aware-vulnerability-scanner.js
 var import_lodash14 = __toESM(require_lodash(), 1);
 import assert6 from "assert";
-import { existsSync as existsSync13 } from "fs";
-import { cp as cp7, readdir as readdir4, readFile as readFile12, rm as rm5 } from "fs/promises";
+import { existsSync as existsSync14 } from "fs";
+import { cp as cp7, readdir as readdir6, readFile as readFile12, rm as rm5 } from "fs/promises";
 var import_semver3 = __toESM(require_semver2(), 1);
 import { basename as basename11, dirname as dirname15, join as join17, resolve as resolve17, sep as sep5 } from "path";
 import util5 from "util";
@@ -94244,7 +94252,7 @@ var CocoaHeuristics = {
 // dist/whole-program-code-aware-vulnerability-scanner/dotnet/dotnet-code-aware-vulnerability-scanner.js
 var import_adm_zip = __toESM(require_adm_zip(), 1);
-import { mkdir as mkdir5, readFile as readFile7, writeFile as writeFile5 } from "fs/promises";
+import { mkdir as mkdir5, readdir as readdir4, readFile as readFile7, writeFile as writeFile5 } from "fs/promises";
 import { randomUUID } from "node:crypto";
 // dist/whole-program-code-aware-vulnerability-scanner/dotnet/constants.js
@@ -95565,7 +95573,7 @@ var prereleaseSpecifierNormalization = {
 };
 var postreleaseSpecifiers = ["post", "rev", "r"];
 var devReleaseSpecifiers = ["dev"];
-var epochRegex = /(\d+):/;
+var epochRegex = /(\d+)!/;
 var releaseSegmentRegex = /(\d+(?:\.\d+)*)/;
 var prereleaseRegex = buildRegexWithSpecifier(prereleaseSpecifiers);
 var postreleaseRegex = buildRegexWithSpecifier(postreleaseSpecifiers);
@@ -96464,7 +96472,13 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const outputFile = resolve9(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.dotnet, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, {
+        timeout: timeoutMs,
+        killSignal: "SIGKILL",
+        heartbeat: HEARTBEATS.dotnet,
+        telemetryHandler,
+        analyzerTelemetryHandler
+      });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile7(outputFile, "utf-8")).result;
@@ -96555,18 +96569,29 @@ async function downloadAndExtractNugetPackage(packageName, version3, tmpDir) {
     const packageUrl = getUrlForPackage(packageName, version3);
     const success = await downloadFile(packageUrl, packageFile);
     if (!success) {
-      logger.warn(`Failed to download nuget package ${packageName}/${version3}`);
-      return void 0;
+      throw new Error(`Failed to download nuget package ${packageName}/${version3}`);
     }
   }
   return extractNugetPackage(packageFile, packageName, version3, tmpDir);
 }
 async function convertDependencyChain(dependencyChain, tmpDir) {
+  const runtimePaths = await getDotnetRuntimeSharedPaths();
+  const runtimeFileIndex = await buildRuntimeFileIndex(runtimePaths);
   const nugetDependencyChain = await asyncMap(dependencyChain, async (dep) => {
-    return {
-      ...dep,
-      bin: dep.version ? await downloadAndExtractNugetPackage(dep.packageName, dep.version, tmpDir) : void 0
-    };
+    const binFiles = [];
+    if (dep.version) {
+      try {
+        const extracted = await downloadAndExtractNugetPackage(dep.packageName, dep.version, tmpDir);
+        if (extracted)
+          binFiles.push(...extracted);
+      } catch (e) {
+        logger.warn(`${e.message}`);
+      }
+      const runtimeFiles = findStdlibRuntimeFiles(dep.packageName, runtimeFileIndex);
+      if (runtimeFiles)
+        binFiles.push(...runtimeFiles);
+    }
+    return { ...dep, bin: binFiles.length > 0 ? binFiles : void 0 };
   }, 4);
   return nugetDependencyChain;
 }
@@ -96592,23 +96617,109 @@ async function findNuGetPackageInLocalRepo(repo, packageName, version3, tmpDir)
   const nupkgFile = allFiles.find((file) => basename7(file).toLowerCase() === targetNupkg);
   return nupkgFile ? extractNugetPackage(nupkgFile, packageName, version3, tmpDir) : void 0;
 }
+async function getDotnetRuntimeSharedPaths() {
+  const result = await execNeverFail2(cmdt`dotnet --list-runtimes`);
+  if (result.error ?? !result.stdout)
+    return [];
+  const paths = [];
+  for (const line of result.stdout.split("\n")) {
+    const match2 = line.trim().match(/^(\S+)\s+(\S+)\s+\[(.+)\]$/);
+    if (match2) {
+      const runtimeDir = resolve9(match2[3], match2[2]);
+      if (existsSync7(runtimeDir)) {
+        paths.push(runtimeDir);
+      }
+    }
+  }
+  return paths;
+}
+async function buildRuntimeFileIndex(runtimePaths) {
+  const index2 = /* @__PURE__ */ new Map();
+  for (const runtimePath of runtimePaths) {
+    try {
+      const entries = await readdir4(runtimePath, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isFile())
+          continue;
+        const name2 = entry.name.toLowerCase();
+        const fullPath = resolve9(runtimePath, entry.name);
+        const existing = index2.get(name2);
+        if (existing) {
+          existing.push(fullPath);
+        } else {
+          index2.set(name2, [fullPath]);
+        }
+      }
+    } catch (e) {
+      logger.debug(`Failed to read runtime path ${runtimePath}: ${e.message}`);
+    }
+  }
+  return index2;
+}
+function findStdlibRuntimeFiles(packageName, runtimeFileIndex) {
+  if (runtimeFileIndex.size === 0)
+    return void 0;
+  const possibleFileNames = /* @__PURE__ */ new Set();
+  if (packageName.toLowerCase() === "netstandard.library") {
+    possibleFileNames.add("netstandard.dll");
+  } else {
+    const lowerName = packageName.toLowerCase();
+    const componentName = lowerName.startsWith("runtime.native.") ? lowerName.slice("runtime.native.".length) : lowerName;
+    const nameVariants = [componentName, `${componentName}.Native`];
+    const lastDotIndex = componentName.lastIndexOf(".");
+    if (lastDotIndex !== -1) {
+      nameVariants.push(componentName.slice(0, lastDotIndex) + ".Native" + componentName.slice(lastDotIndex));
+    }
+    for (const name2 of nameVariants) {
+      possibleFileNames.add(`${name2}.dll`.toLowerCase());
+      possibleFileNames.add(`lib${name2}.dylib`.toLowerCase());
+      possibleFileNames.add(`lib${name2}.so`.toLowerCase());
+    }
+  }
+  const matchedFiles = [];
+  for (const fileName2 of possibleFileNames) {
+    const files = runtimeFileIndex.get(fileName2);
+    if (files)
+      matchedFiles.push(...files);
+  }
+  return matchedFiles.length > 0 ? matchedFiles : void 0;
+}
 async function convertSocketArtifacts(artifacts, tmpDir) {
   const localRepositories = getNuGetLocalRepositoryPaths();
+  const runtimePaths = await getDotnetRuntimeSharedPaths();
+  const runtimeFileIndex = await buildRuntimeFileIndex(runtimePaths);
   async function resolveNuGetPackage(packageName, version3) {
+    const binFiles = [];
     for (const repo of localRepositories) {
       const localPackage = await findNuGetPackageInLocalRepo(repo, packageName, version3, tmpDir);
-      if (localPackage)
-        return localPackage;
+      if (localPackage) {
+        binFiles.push(...localPackage);
+        break;
+      }
+    }
+    if (binFiles.length === 0) {
+      const downloaded = await downloadAndExtractNugetPackage(packageName, version3, tmpDir);
+      if (downloaded)
+        binFiles.push(...downloaded);
     }
-    return await downloadAndExtractNugetPackage(packageName, version3, tmpDir);
+    const runtimeFiles = findStdlibRuntimeFiles(packageName, runtimeFileIndex);
+    if (runtimeFiles)
+      binFiles.push(...runtimeFiles);
+    return binFiles.length > 0 ? binFiles : void 0;
   }
   const deps = {};
   const depIdToPurl = /* @__PURE__ */ new Map();
   await asyncForEach(artifacts, async (artifact) => {
     depIdToPurl.set(artifact.id, getPurlFromSocketFactArtifact(artifact));
-    deps[artifact.id] = {
-      bin: artifact.name && artifact.version ? await resolveNuGetPackage(artifact.name, artifact.version) : void 0
-    };
+    let bin;
+    if (artifact.name && artifact.version) {
+      try {
+        bin = await resolveNuGetPackage(artifact.name, artifact.version);
+      } catch (e) {
+        logger.warn(`${e.message}`);
+      }
+    }
+    deps[artifact.id] = { bin };
   }, 4);
   return { deps, depIdToPurl };
 }
@@ -110405,7 +110516,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile8(outputFile, "utf-8")).result;
-      return packageIds?.map((packageId) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}}`);
+      return packageIds?.map((packageId) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}`);
     });
   }
   async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, _experiment, telemetryHandler, analyzerTelemetryHandler) {
@@ -110415,7 +110526,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const packagesToAnalyzeSet = new Set(packagesToAnalyze);
       const filteredDeps = !packagesToAnalyze ? this.deps : Object.fromEntries(Object.entries(this.deps).filter(([packageId]) => {
         const purl = this.depIdToPurl.get(packageId);
-        return purl && packagesToAnalyzeSet.has(`${purl.namespace}:${purl.name}}`);
+        return purl && packagesToAnalyzeSet.has(`${purl.namespace}:${purl.name}`);
       }));
       return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), timeoutInSeconds, filteredDeps, telemetryHandler, analyzerTelemetryHandler);
     } catch (e) {
@@ -110488,7 +110599,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
     };
   }
   getPackagesExcludedUnrelatedToHeuristic() {
-    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync9(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}}`);
+    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync9(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}`);
   }
 };
 async function convertDependencyChain2(dependencyChain, tmpDir) {
@@ -110557,6 +110668,9 @@ async function convertSocketArtifacts2(rootDir, artifacts, tmpDir) {
         }
       }
     }
+    const artifactFile = getPathToArtifact(tmpDir, groupId, artifactId, type, classifier, version3);
+    if (existsSync9(artifactFile))
+      return artifactFile;
     if (mavenInstalled && pomFile) {
       try {
         const dependencyGetCmd = cmdt`mvn -f=${basename8(resolve10(rootDir, pomFile))} dependency:get -DgroupId=${groupId} -DartifactId=${artifactId} -Dpackaging=${type} -Dclassifier${classifier} -Dversion=${version3} -Dtransitive=false`;
@@ -110567,7 +110681,6 @@ async function convertSocketArtifacts2(rootDir, artifacts, tmpDir) {
       } catch {
       }
     }
-    const artifactFile = getPathToArtifact(tmpDir, groupId, artifactId, type, classifier, version3);
     await mkdir6(dirname11(artifactFile), { recursive: true });
     const success = await resolveMavenArtifactFromStandardRepositories(groupId, artifactId, type, classifier, version3, artifactFile);
     return success ? artifactFile : void 0;
@@ -110619,21 +110732,41 @@ import { tmpdir as tmpdir4 } from "os";
 import { join as join15 } from "path";
 // dist/whole-program-code-aware-vulnerability-scanner/js/dependency-preparation.js
-import { existsSync as existsSync10 } from "fs";
+import { existsSync as existsSync11 } from "fs";
 import { resolve as resolve12 } from "path";
 // dist/whole-program-code-aware-vulnerability-scanner/js/setup-npm-dependencies-for-analysis.js
 var import_lodash9 = __toESM(require_lodash(), 1);
-import { link, mkdir as mkdir7 } from "fs/promises";
+import { existsSync as existsSync10 } from "fs";
+import { link, mkdir as mkdir7, readdir as readdir5 } from "fs/promises";
 import { availableParallelism } from "os";
 import { dirname as dirname12, join as join14, resolve as resolve11 } from "path";
 var { chunk } = import_lodash9.default;
 var ROOT_PACKAGE_METADATA_NAME = "UNIQUE_ROOT_PACKAGE_METADATA_NAME";
-async function setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, artifactIdToArtifact) {
+async function setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, artifactIdToArtifact, preinstallDir) {
   return await withTmpDirectory("npm-packages", async (tmpDir) => {
     const dirToInstallDependencies = resolve11(subprojectDir, "node_modules", ".jelly");
-    const { installedPackages, failedPackages } = await downloadDependenciesToDir(Object.values(artifactIdToArtifact), tmpDir);
-    const augmentedInstalledPackages = await extractDownloadedDependenciesToDir(dirToInstallDependencies, tmpDir, installedPackages);
+    let installedPackages;
+    let failedPackages;
+    if (preinstallDir && existsSync10(preinstallDir)) {
+      const existingFiles = await readdir5(preinstallDir);
+      installedPackages = [];
+      failedPackages = [];
+      for (const artifact of Object.values(artifactIdToArtifact)) {
+        const tarballName = artifact.name.replace("@", "").replace("/", "-");
+        const expectedFilename = artifact.version ? `${tarballName}-${artifact.version}.tgz` : void 0;
+        const matchingTgz = existingFiles.find((f2) => expectedFilename ? f2 === expectedFilename : f2.endsWith(".tgz") && f2.startsWith(tarballName + "-"));
+        if (matchingTgz) {
+          installedPackages.push({ artifact, tarFileName: resolve11(preinstallDir, matchingTgz) });
+        } else {
+          failedPackages.push(artifact);
+        }
+      }
+      logger.debug(`Reusing ${installedPackages.length} pre-installed tarballs from ${preinstallDir}`);
+    } else {
+      ({ installedPackages, failedPackages } = await downloadDependenciesToDir(Object.values(artifactIdToArtifact), tmpDir));
+    }
+    const augmentedInstalledPackages = await extractDownloadedDependenciesToDir(dirToInstallDependencies, preinstallDir ?? tmpDir, installedPackages);
     const packageMetadatas = convertToPackageMetadatas(workspaceDir, augmentedInstalledPackages, directDependencies, artifactIdToArtifact);
     const packagePlacements = computePackagePlacements(packageMetadatas, resolve11(subprojectDir, "node_modules"));
     await hardlinkPackages(packagePlacements);
@@ -110938,8 +111071,8 @@ function tarjanAndCondensation(packageMetadatas) {
 }
 // dist/whole-program-code-aware-vulnerability-scanner/js/dependency-preparation.js
-async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToArtifact, directDependencies, packageNamesToInstall) {
-  if (existsSync10(resolve12(subprojectDir, "node_modules")))
+async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToArtifact, directDependencies, packageNamesToInstall, preinstallDir) {
+  if (existsSync11(resolve12(subprojectDir, "node_modules")))
     return { failedPackages: [], installedPackages: [] };
   const artifactToOriginal = /* @__PURE__ */ new Map();
   const transitiveDependenciesToInstall = Object.fromEntries(Object.entries(artifactIdToArtifact).filter(([_, dep]) => packageNamesToInstall.includes(getPackageName(dep))).map(([depId, dep]) => {
@@ -110947,7 +111080,7 @@ async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToA
     artifactToOriginal.set(artifact, dep);
     return [depId, artifact];
   }));
-  const result = await setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, transitiveDependenciesToInstall);
+  const result = await setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, transitiveDependenciesToInstall, preinstallDir);
   return {
     failedPackages: result.failedPackages.map((artifact) => artifactToOriginal.get(artifact)),
     installedPackages: result.installedPackages.map((artifact) => artifactToOriginal.get(artifact))
@@ -110967,6 +111100,11 @@ function convertToArtifactForInstallation(dep) {
     dependencies: dep.dependencies
   };
 }
+async function validateNpmDependencyDownloads(artifactIdToArtifact, packageNamesToInstall, preinstallDir) {
+  const artifacts = Object.entries(artifactIdToArtifact).filter(([_, dep]) => packageNamesToInstall.includes(getPackageName(dep))).map(([_, dep]) => convertToArtifactForInstallation(dep));
+  const { failedPackages } = await downloadDependenciesToDir(artifacts, preinstallDir);
+  return failedPackages.map((p) => p.name);
+}
 // dist/whole-program-code-aware-vulnerability-scanner/js/heuristics.js
 var lazyIndirectionBoundOptions = {
@@ -111230,7 +111368,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       ...new Set(state.vulnerabilities.flatMap((v) => Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).filter((d) => d.vulnerable === true).map((d) => d.packageName)))
     ];
     const packagesToInstall = !includePackages ? state.workspaceData.type === "coana" ? Object.values(state.workspaceData.data.dependencyTree.transitiveDependencies).map((dep) => getPackageName(dep)) : state.workspaceData.data.artifacts.map((dep) => getPackageName(dep)) : [.../* @__PURE__ */ new Set([...includePackages, ...vulnerablePackageNames])];
-    const { failedPackages } = await prepareNpmDependencies(state.rootWorkingDir, this.projectDir, state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(state.workspaceData.data.artifacts.map((d) => [d.id, d])), state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.dependencies ?? [] : state.workspaceData.data.artifacts.filter((a2) => a2.direct).map((a2) => a2.id), packagesToInstall);
+    const { failedPackages } = await prepareNpmDependencies(state.rootWorkingDir, this.projectDir, state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(state.workspaceData.data.artifacts.map((d) => [d.id, d])), state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.dependencies ?? [] : state.workspaceData.data.artifacts.filter((a2) => a2.direct).map((a2) => a2.id), packagesToInstall, state.preinstallDir);
     this.packagesExcludedUnrelatedToHeuristic = failedPackages.map((p) => getPackageName(p));
   }
   async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, experiment, telemetryHandler, analyzerTelemetryHandler) {
@@ -111384,7 +111522,7 @@ function transformSourceLocations(fileMappings, detectedOccurrences) {
 // dist/whole-program-code-aware-vulnerability-scanner/go/go-code-aware-vulnerability-scanner.js
 var import_lodash11 = __toESM(require_lodash(), 1);
 import assert5 from "assert";
-import { existsSync as existsSync11, createReadStream as createReadStream2, createWriteStream as createWriteStream4 } from "fs";
+import { existsSync as existsSync12, createReadStream as createReadStream2, createWriteStream as createWriteStream4 } from "fs";
 import { readFile as readFile10, rm as rm4, cp as cp6 } from "fs/promises";
 import zlib2 from "zlib";
 import { join as join16, resolve as resolve14, sep as sep3 } from "path";
@@ -111423,7 +111561,7 @@ var GoCodeAwareVulnerabilityScanner = class {
   }
   async runAnalysis(vulns, heuristic, timeoutInSeconds, _experiment, telemetryHandler, analyzerTelemetryHandler) {
     logger.info("Started instantiating Go code-aware analysis");
-    if (!existsSync11(join16(this.projectDir, "go.mod")))
+    if (!existsSync12(join16(this.projectDir, "go.mod")))
       throw new Error("go.mod file not found in the project directory");
     const { memoryLimitInMB } = this.options;
     const tmpDir = await createTmpDirectory("goana-output");
@@ -111504,7 +111642,7 @@ ${stderr}`);
     try {
       await cp6(Dir, projectDir, { recursive: true });
       const projGoMod = resolve14(projectDir, "go.mod");
-      if (!existsSync11(projGoMod))
+      if (!existsSync12(projGoMod))
         await cp6(GoMod, projGoMod);
       await exec2(cmdt`chmod --recursive +w ${projectDir}`);
       await runGoModTidy(projectDir);
@@ -111532,7 +111670,7 @@ ${stderr}`);
   }
   static async runOnAlreadyDownloadedPackages(packages, vuln, options) {
     for (const pkg of packages)
-      assert5(existsSync11(join16(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
+      assert5(existsSync12(join16(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
     const [app, ...dependencies] = packages;
     const projectDir = await createTmpDirectory("go-run-on-already-downloaded-packages-");
     try {
@@ -111563,6 +111701,8 @@ ${stderr}`);
       await rm4(projectDir, { recursive: true, force: true });
     }
   }
+  // Go dependencies are auto-installed during the reachability analysis process
+  // (e.g. by `go build`), so there are no pre-install failures to track here.
   getPackagesExcludedUnrelatedToHeuristic() {
     return [];
   }
@@ -111570,7 +111710,7 @@ ${stderr}`);
 // dist/whole-program-code-aware-vulnerability-scanner/rust/rust-code-aware-vulnerability-scanner.js
 var import_lodash12 = __toESM(require_lodash(), 1);
-import { existsSync as existsSync12 } from "node:fs";
+import { existsSync as existsSync13 } from "node:fs";
 import { readFile as readFile11, writeFile as writeFile9 } from "node:fs/promises";
 import { basename as basename10, dirname as dirname14, resolve as resolve15 } from "node:path";
@@ -111671,7 +111811,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
     let appCrateName;
     const appSrc = [];
     const dependencies = {};
-    const appCrateInfo = existsSync12(cargoTomlPath) ? await getCrateInfo(cargoTomlPath) : void 0;
+    const appCrateInfo = existsSync13(cargoTomlPath) ? await getCrateInfo(cargoTomlPath) : void 0;
     if (appCrateInfo?.name) {
       appSrc.push(...i([appCrateInfo.lib, ...appCrateInfo.examples ?? [], ...appCrateInfo.tests ?? []]));
       appCrateName = appCrateInfo.name.replaceAll("-", "_");
@@ -111783,7 +111923,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
         const appDependencies = {};
         if (rustDependencyChain[0].src && rustDependencyChain[0].src.length > 0) {
           const appCargoTomlPath = resolve15(rustDependencyChain[0].src[0], "..", "Cargo.toml");
-          if (existsSync12(appCargoTomlPath)) {
+          if (existsSync13(appCargoTomlPath)) {
             const cargoTomlDeps = await extractDependenciesFromCargoToml(appCargoTomlPath);
             for (const [packageName, names] of cargoTomlDeps.entries()) {
               const depId = packageNameToId.get(packageName);
@@ -111810,7 +111950,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
           const dependencies = {};
           if (dep.src && dep.src.length > 0) {
             const depCargoTomlPath = resolve15(dep.src[0], "..", "Cargo.toml");
-            if (existsSync12(depCargoTomlPath)) {
+            if (existsSync13(depCargoTomlPath)) {
               const cargoTomlDeps = await extractDependenciesFromCargoToml(depCargoTomlPath);
               for (const [packageName, names] of cargoTomlDeps.entries()) {
                 const transDepId = packageNameToId.get(packageName);
@@ -111939,7 +112079,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
     };
   }
   getPackagesExcludedUnrelatedToHeuristic() {
-    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync12(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)?.name).filter((name2) => name2 !== void 0).map((name2) => name2);
+    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync13(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)?.name).filter((name2) => name2 !== void 0).map((name2) => name2);
   }
 };
 async function convertDependencyChain3(dependencyChain, tmpDir) {
@@ -111971,7 +112111,7 @@ function getCargoLocalRepositoryPaths() {
     // Cargo git dependencies
     { path: resolve15(cargoHome, "git", "checkouts"), type: "git" }
   ];
-  return repositories.filter((repo) => existsSync12(repo.path));
+  return repositories.filter((repo) => existsSync13(repo.path));
 }
 async function findCargoPackageInLocalRepo(repo, packageName, version3, tmpDir) {
   try {
@@ -112011,10 +112151,10 @@ async function findCargoPackageInLocalRepo(repo, packageName, version3, tmpDir)
 }
 async function extractCargoCrate(crateFilePath, packageName, version3, tmpDir) {
   const packageDir = resolve15(tmpDir, `${packageName}-${version3}`);
-  if (existsSync12(packageDir)) {
+  if (existsSync13(packageDir)) {
     try {
       const cargoTomlPath = resolve15(packageDir, "Cargo.toml");
-      if (existsSync12(cargoTomlPath)) {
+      if (existsSync13(cargoTomlPath)) {
         const depCrateInfo = await getCrateInfo(cargoTomlPath);
         return [depCrateInfo.lib];
       }
@@ -112034,7 +112174,7 @@ async function extractCargoCrate(crateFilePath, packageName, version3, tmpDir) {
 }
 async function downloadAndExtractCargoCrate(packageName, version3, tmpDir) {
   const packageFile = resolve15(tmpDir, `${packageName}-${version3}.crate`);
-  if (!existsSync12(packageFile)) {
+  if (!existsSync13(packageFile)) {
     const packageUrl = getUrlForCrate(packageName, version3);
     const success = await downloadFile(packageUrl, packageFile);
     if (!success) {
@@ -112067,7 +112207,7 @@ async function convertSocketArtifacts3(artifacts, tmpDir, artifactNameToId) {
     const dependencies = {};
     if (src && src.length > 0) {
       const cargoTomlPath = resolve15(dirname14(src[0]), "Cargo.toml");
-      if (existsSync12(cargoTomlPath)) {
+      if (existsSync13(cargoTomlPath)) {
         const cargoTomlDeps = await extractDependenciesFromCargoToml(cargoTomlPath);
         for (const [packageName, names] of cargoTomlDeps.entries()) {
           const depArtifactId = artifactNameToId.get(packageName);
@@ -112340,12 +112480,12 @@ var PythonCodeAwareVulnerabilityScanner = class {
     this.projectDir = projectDir;
     this.vm = new PythonVersionsManager(state.rootWorkingDir);
   }
-  async prepareDependencies(preInstalledDepInfos, vulns, heuristic) {
+  async prepareDependencies(preInstalledDepInfos, vulns, heuristic, preinstallDir) {
     const packagesToExclude = heuristic.getPackagesToExcludeFromAnalysis?.(vulns);
     const packagesToInstall = uniqBy(preInstalledDepInfos.filter((n) => !packagesToExclude?.has(n.packageName)), "packageName");
-    if (!await this.tryUsingPreinstalledVirtualEnv(packagesToInstall)) {
+    if (!await this.tryUsingPreinstalledVirtualEnv(packagesToInstall) && !(preinstallDir && await this.tryUsingVenvFromPreinstallDir(preinstallDir))) {
       logger.info(`Setting up virtual environment`);
-      await this.prepareVirtualEnv(packagesToInstall);
+      await this.prepareVirtualEnv(packagesToInstall, preinstallDir);
       logger.info("Done setting up virtual environment");
     }
   }
@@ -112560,7 +112700,7 @@ ${msg}`;
   // public for testing only
   async tryUsingPreinstalledVirtualEnv(packages) {
     const preinstallVirtualEnvPath = resolve17(this.projectDir, ".venv");
-    if (!existsSync13(preinstallVirtualEnvPath))
+    if (!existsSync14(preinstallVirtualEnvPath))
       return false;
     logger.info(`Checking preinstalled virtual environment at ${preinstallVirtualEnvPath}`);
     try {
@@ -112581,12 +112721,20 @@ ${msg}`;
     await this.updateVirtualEnvInfo(this.projectDir);
     return true;
   }
+  async tryUsingVenvFromPreinstallDir(preinstallDir) {
+    const venvPath = join17(preinstallDir, ".venv");
+    if (!existsSync14(venvPath))
+      return false;
+    logger.info(`Reusing virtual environment from pre-install at ${venvPath}`);
+    await this.updateVirtualEnvInfo(preinstallDir);
+    return true;
+  }
   // public for testing only
-  async prepareVirtualEnv(packages) {
+  async prepareVirtualEnv(packages, preinstallDir) {
     const uvCommand = getUvCommand();
     if (!await hasUv())
       throw new Error("uv (https://docs.astral.sh/uv/) is missing, but is required for Python analysis");
-    const tmpDir = await createTmpDirectory("coana-python-analysis-venv");
+    const tmpDir = preinstallDir ?? await createTmpDirectory("coana-python-analysis-venv");
     const virtualEnvFolder = join17(tmpDir, ".venv");
     const pythonExecutable = await this.vm.getPythonExecutableForWorkspace(this.projectDir, false);
     await exec2(cmdt`${uvCommand} venv --python ${pythonExecutable} .venv`, tmpDir);
@@ -112659,7 +112807,7 @@ ${msg}`;
     await this.updateVirtualEnvInfo(tmpDir, installStats);
   }
   async updateVirtualEnvInfo(virtualEnvFolder, packageInstallationStats) {
-    const entries = await readdir4(join17(virtualEnvFolder, ".venv", "lib"));
+    const entries = await readdir6(join17(virtualEnvFolder, ".venv", "lib"));
     const pydir = entries.find((entry) => entry.startsWith("python"));
     assert6(pydir, `No python* directory found in virtual environment: ${util5.inspect(entries)}`);
     this.virtualEnvInfo = {
@@ -112756,7 +112904,7 @@ async function setupMambalade() {
   logger.debug(`Using Python interpreter: ${python}`);
   await exec2(cmdt`${uvCommand} venv --no-project --no-config --python=${python} .`, venvDir);
   const mambaladeWheelsPath = ToolPathResolver.mambaladeDistPath;
-  const mambaladeWheels = (await readdir4(mambaladeWheelsPath)).filter((f2) => f2.endsWith(".whl")).map((f2) => join17(mambaladeWheelsPath, f2));
+  const mambaladeWheels = (await readdir6(mambaladeWheelsPath)).filter((f2) => f2.endsWith(".whl")).map((f2) => join17(mambaladeWheelsPath, f2));
   if (!mambaladeWheels.length)
     throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
   logger.debug(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
@@ -112892,6 +113040,13 @@ async function processProject(projectDir) {
   }, 4)).flat());
 }
+// dist/analyzers/analyzer.js
+function checkForInstallErrors(failedPackages, otherAnalysisOptions) {
+  if (failedPackages.length > 0 && otherAnalysisOptions.haltOnInstallErrors) {
+    throw new InstallError(failedPackages);
+  }
+}
 // dist/analyzers/pip-analyzer.js
 var { once: once4 } = import_lodash16.default;
 var PipAnalyzer = class {
@@ -112910,9 +113065,16 @@ var PipAnalyzer = class {
     this.heuristic = MambaladeHeuristics.createOnlyVulnPathPackagesHeuristic(this.preInstalledDepInfos);
   }
   prepareScanner = once4(async () => {
-    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic);
+    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic, this.state.preinstallDir);
     return this.scanner;
   });
+  async installDependencies(preinstallDir) {
+    if (existsSync15(resolve19(this.projectDir, ".venv")))
+      return [];
+    const scanner = new PythonCodeAwareVulnerabilityScanner(this.state, this.projectDir);
+    await scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic, preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     const info = (await this.prepareScanner()).getVirtualEnvInfo();
     assert7(info !== void 0);
@@ -112935,6 +113097,7 @@ var PipAnalyzer = class {
     };
     try {
       const scanner = await this.prepareScanner();
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const venvInfo = scanner.getVirtualEnvInfo();
       this.preinstalledDependencies = venvInfo !== void 0 && !venvInfo.temporary ? "YES" : "NO";
       return await analyzeWithHeuristics(this.state, vulns, [this.heuristic], false, scanner, wrappedCollector, statusUpdater);
@@ -113411,6 +113574,15 @@ var GoAnalyzer = class {
     this.state = state;
     this.projectDir = projectDir;
   }
+  async installDependencies(_preinstallDir) {
+    try {
+      await runCommandResolveStdOut2(cmdt`go build ./...`, this.projectDir);
+      return [];
+    } catch (e) {
+      logger.warn(`go build failed for ${this.projectDir}: ${e instanceof Error ? e.message : String(e)}`);
+      return ["(go build failure)"];
+    }
+  }
   async runPhantomDependencyAnalysis() {
     return void 0;
   }
@@ -113498,9 +113670,16 @@ var MavenAnalyzer = class {
   constructor(state) {
     this.state = state;
   }
+  async createScanner(tmpDir, statusUpdater) {
+    return this.state.workspaceData.type === "coana" ? JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir, statusUpdater) : JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+  }
+  async installDependencies(preinstallDir) {
+    const scanner = await this.createScanner(preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("maven-phantom-dependency-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? await JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir) : await JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir);
+      const scanner = await this.createScanner(tmpDir);
       return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
@@ -113512,11 +113691,17 @@ var MavenAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    return withTmpDirectory("maven-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? await JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir, statusUpdater) : await JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+    const preinstallDir = this.state.preinstallDir;
+    const runWithTmpDir = async (tmpDir) => {
+      const scanner = await this.createScanner(tmpDir, statusUpdater);
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const heuristicsInOrder = [AlucardHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, wrappedCollector, statusUpdater);
-    });
+    };
+    if (preinstallDir) {
+      return runWithTmpDir(preinstallDir);
+    }
+    return withTmpDirectory("maven-reachability-analysis", runWithTmpDir);
   }
   async getWorkspaceDiagnostics() {
     let sourceFilesDetected;
@@ -113545,7 +113730,7 @@ var MavenAnalyzer = class {
 // dist/analyzers/npm-analyzer.js
 var import_lodash19 = __toESM(require_lodash(), 1);
 var import_picomatch4 = __toESM(require_picomatch2(), 1);
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync16 } from "fs";
 import { rm as rm6 } from "fs/promises";
 import { relative as relative8, resolve as resolve20 } from "path";
@@ -113572,6 +113757,17 @@ var NpmAnalyzer = class {
     this.state = state;
     this.projectDir = projectDir;
   }
+  async installDependencies(preinstallDir) {
+    if (existsSync16(resolve20(this.state.subprojectDir, "node_modules")))
+      return [];
+    const artifactIdToArtifact = this.state.workspaceData.type === "coana" ? this.state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(this.state.workspaceData.data.artifacts.map((d) => [d.id, d]));
+    const vulnPathPackages = computePackagesOnVulnPath(this.state.vulnerabilities);
+    const vulnerablePackageNames = [
+      ...new Set(this.state.vulnerabilities.flatMap((v) => Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).filter((d) => d.vulnerable === true).map((d) => d.packageName)))
+    ];
+    const packagesToInstall = [.../* @__PURE__ */ new Set([...vulnPathPackages, ...vulnerablePackageNames])];
+    return validateNpmDependencyDownloads(artifactIdToArtifact, packagesToInstall, preinstallDir);
+  }
   async runPhantomDependencyAnalysis() {
     try {
       return (await runJellyPhantomDependencyAnalysis(this.projectDir, this.state.reachabilityAnalysisOptions)).map((r) => r.name);
@@ -113581,7 +113777,7 @@ var NpmAnalyzer = class {
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
     const heuristicsInOrder = this.state.otherAnalysisOptions.lightweightReachability ? [heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3] : [heuristics.ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE];
-    const nodeModulesAlreadyExisted = existsSync14(resolve20(this.state.subprojectDir, "node_modules"));
+    const nodeModulesAlreadyExisted = existsSync16(resolve20(this.state.subprojectDir, "node_modules"));
     this.preinstalledDependencies = nodeModulesAlreadyExisted ? "YES" : "NO";
     const wrappedCollector = (metadata) => {
       const jellyDiagnostics = metadata.analysisDiagnostics;
@@ -113593,6 +113789,7 @@ var NpmAnalyzer = class {
     try {
       const vulnerabilityScanner = new JSCodeAwareVulnerabilityScanner(this.state.rootWorkingDir, this.projectDir, this.state.reachabilityAnalysisOptions);
       await vulnerabilityScanner.prepareDependencies(this.state, heuristicsInOrder[0]);
+      checkForInstallErrors(vulnerabilityScanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       logger.info(`Running import reachability analysis for ${vulns.length} ${pluralize(vulns.length, "vulnerability")}`);
       let reachable;
       const ghsaIds = extractGhsaIdsFromVulnUrls(vulns.map((v) => v.url));
@@ -113706,9 +113903,9 @@ ${e.stack}` : String(e),
       return res;
     } finally {
       if (!nodeModulesAlreadyExisted) {
-        if (existsSync14(resolve20(this.state.subprojectDir, "node_modules")))
+        if (existsSync16(resolve20(this.state.subprojectDir, "node_modules")))
           await rm6(resolve20(this.state.subprojectDir, "node_modules"), { recursive: true });
-        if (existsSync14(resolve20(this.projectDir, "node_modules")))
+        if (existsSync16(resolve20(this.projectDir, "node_modules")))
           await rm6(resolve20(this.projectDir, "node_modules"), { recursive: true });
       }
     }
@@ -113749,9 +113946,16 @@ var NugetAnalyzer = class {
   constructor(state) {
     this.state = state;
   }
+  async createScanner(tmpDir, statusUpdater) {
+    return this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+  }
+  async installDependencies(preinstallDir) {
+    const scanner = await this.createScanner(preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("nuget-phantom-dependency-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree) : await DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir);
+      const scanner = await this.createScanner(tmpDir);
       return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
@@ -113763,11 +113967,17 @@ var NugetAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    return withTmpDirectory("nuget-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : await DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+    const preinstallDir = this.state.preinstallDir;
+    const runWithTmpDir = async (tmpDir) => {
+      const scanner = await this.createScanner(tmpDir, statusUpdater);
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const heuristicsInOrder = [CocoaHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, wrappedCollector, statusUpdater);
-    });
+    };
+    if (preinstallDir) {
+      return runWithTmpDir(preinstallDir);
+    }
+    return withTmpDirectory("nuget-reachability-analysis", runWithTmpDir);
   }
   async getWorkspaceDiagnostics() {
     let sourceFilesDetected;
@@ -113795,13 +114005,13 @@ var NugetAnalyzer = class {
 // dist/analyzers/ruby-analyzer.js
 var import_lodash21 = __toESM(require_lodash(), 1);
-import { existsSync as existsSync16 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 import { resolve as resolve21 } from "path";
 // dist/whole-program-code-aware-vulnerability-scanner/ruby/ruby-code-aware-vulnerability-scanner.js
 var import_lodash20 = __toESM(require_lodash(), 1);
-import { createWriteStream as createWriteStream5, existsSync as existsSync15 } from "fs";
-import { mkdir as mkdir9, readdir as readdir5, readFile as readFile13, rm as rm7 } from "fs/promises";
+import { createWriteStream as createWriteStream5, existsSync as existsSync17 } from "fs";
+import { mkdir as mkdir9, readdir as readdir7, readFile as readFile13, rm as rm7 } from "fs/promises";
 import { join as join18, relative as relative9 } from "path";
 import { pipeline as pipeline3 } from "stream/promises";
 var PRINT_ANALYSIS_COMMAND = false;
@@ -113818,12 +114028,12 @@ var RubyCodeAwareVulnerabilityScanner = class {
     this.projectDir = projectDir;
     this.options = options;
   }
-  async prepareDependencies(preInstalledDepInfos, vulns, heuristic) {
-    const vendorDir = join18(this.projectDir, "vendor");
-    if (existsSync15(vendorDir)) {
+  async prepareDependencies(preInstalledDepInfos, vulns, heuristic, preinstallDir) {
+    const vendorDir = preinstallDir ?? join18(this.projectDir, "vendor");
+    if (existsSync17(vendorDir)) {
       logger.info(`Vendor directory already exists at ${vendorDir}, skipping gem installation`);
       this.vendorDir = vendorDir;
-      this.vendorDirWasCreated = false;
+      this.vendorDirWasCreated = !preinstallDir;
       return;
     }
     const packagesToIncludeNames = heuristic.getPackagesToIncludeInAnalysis?.(vulns)?.map((p) => p.packageName);
@@ -113854,7 +114064,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
       if (!this.vendorDir)
         throw new Error("Assertion error: The vendor directory is not correctly initialized");
       const analyzerPath = ToolPathResolver.callgraphReachabilityAnalyzersCliPath;
-      if (!existsSync15(analyzerPath))
+      if (!existsSync17(analyzerPath))
         throw new Error(`callgraph-reachability-analyzers CLI not found at ${analyzerPath}`);
       const vulnAccPaths = sortedUniq2(vulns.flatMap((v) => v.vulnerabilityAccessPaths).sort());
       const vulnsOutputFile = join18(tmpDir, "vulns.json");
@@ -113865,12 +114075,12 @@ var RubyCodeAwareVulnerabilityScanner = class {
       const loadPaths = Array.from(loadPathsToPackageNames.keys());
       if (failedToFindLoadPath.length > 0) {
         this.packagesExcludedUnrelatedToHeuristic.push(...failedToFindLoadPath.map((p) => p.packageName));
-        logger.warn(`Failed to find package installation path for ${failedToFindLoadPath.map((p) => p.packageName).join(", ")}`);
+        logger.debug(`Failed to find package installation path for ${failedToFindLoadPath.map((p) => p.packageName).join(", ")}`);
       }
       if (loadPaths.length === 0) {
         return {
           type: "error",
-          message: "No load paths found for the packages to analyze"
+          message: `${FAILED_TO_INSTALL_PACKAGE_KEY}No load paths found for the packages to analyze`
         };
       }
       const cmd = cmdt`
@@ -113929,7 +114139,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
     return this.packagesExcludedUnrelatedToHeuristic;
   }
   async cleanup() {
-    if (this.vendorDirWasCreated && this.vendorDir && existsSync15(this.vendorDir)) {
+    if (this.vendorDirWasCreated && this.vendorDir && existsSync17(this.vendorDir)) {
       logger.info(`Deleting auto-generated vendor directory at ${this.vendorDir}`);
       await rm7(this.vendorDir, { recursive: true, force: true }).catch(() => {
       });
@@ -113945,7 +114155,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
     if (this.vendorDirWasCreated) {
       for (const pkg of packagesToAnalyze) {
         const libPath = join18(this.vendorDir, `${pkg.packageName}-${pkg.version}`, "lib");
-        if (existsSync15(libPath))
+        if (existsSync17(libPath))
           loadPathsToPackageNames.set(libPath, `${pkg.packageName}@${pkg.version}`);
         else
           failedToFindLoadPath.push(pkg);
@@ -113953,13 +114163,13 @@ var RubyCodeAwareVulnerabilityScanner = class {
       return { loadPathsToPackageNames, failedToFindLoadPath };
     }
     const bundlerGemsDir = join18(this.vendorDir, "bundle", "ruby");
-    if (existsSync15(bundlerGemsDir)) {
-      const rubyVersions = await readdir5(bundlerGemsDir);
+    if (existsSync17(bundlerGemsDir)) {
+      const rubyVersions = await readdir7(bundlerGemsDir);
       for (const rubyVersion of rubyVersions) {
         const gemsDir = join18(bundlerGemsDir, rubyVersion, "gems");
-        if (existsSync15(gemsDir)) {
+        if (existsSync17(gemsDir)) {
           const nameToEntry = /* @__PURE__ */ new Map();
-          for (const entry of await readdir5(gemsDir, { withFileTypes: true }))
+          for (const entry of await readdir7(gemsDir, { withFileTypes: true }))
             if (entry.isDirectory()) {
               const match2 = entry.name.match(/^([\w-_]+)-(\d+\.\d+\.\d+)/);
               if (match2)
@@ -113970,7 +114180,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
             if (!entry)
               continue;
             const libDir = join18(gemsDir, entry, "lib");
-            if (existsSync15(libDir))
+            if (existsSync17(libDir))
               loadPathsToPackageNames.set(libDir, `${pkg.packageName}@${pkg.version}`);
             else
               failedToFindLoadPath.push(pkg);
@@ -113980,7 +114190,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
     } else
       for (const pkg of packagesToAnalyze) {
         const libPath = join18(this.vendorDir, `${pkg.packageName}-${pkg.version}`, "lib");
-        if (existsSync15(libPath))
+        if (existsSync17(libPath))
           loadPathsToPackageNames.set(libPath, `${pkg.packageName}@${pkg.version}`);
         else
           failedToFindLoadPath.push(pkg);
@@ -113990,7 +114200,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
 };
 async function downloadAndExtractGem(gemName, version3, vendorDir) {
   const gemDir = join18(vendorDir, `${gemName}-${version3}`);
-  if (existsSync15(gemDir)) {
+  if (existsSync17(gemDir)) {
     logger.debug(`Gem ${gemName}@${version3} already extracted`);
     return;
   }
@@ -114043,9 +114253,16 @@ var RubyGemsAnalyzer = class {
     this.scanner = new RubyCodeAwareVulnerabilityScanner(state, projectDir);
   }
   prepareScanner = once5(async () => {
-    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), RubyHeuristics.ONLY_VULN_PATH_PACKAGES);
+    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), RubyHeuristics.ONLY_VULN_PATH_PACKAGES, this.state.preinstallDir);
     return this.scanner;
   });
+  async installDependencies(preinstallDir) {
+    if (existsSync18(resolve21(this.projectDir, "vendor")))
+      return [];
+    const scanner = new RubyCodeAwareVulnerabilityScanner(this.state, this.projectDir);
+    await scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), RubyHeuristics.ONLY_VULN_PATH_PACKAGES, preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return void 0;
   }
@@ -114057,9 +114274,11 @@ var RubyGemsAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    this.preinstalledDependencies = existsSync16(resolve21(this.projectDir, "vendor")) ? "YES" : "NO";
+    this.preinstalledDependencies = existsSync18(resolve21(this.projectDir, "vendor")) ? "YES" : "NO";
     try {
-      return await analyzeWithHeuristics(this.state, vulns, [RubyHeuristics.ONLY_VULN_PATH_PACKAGES], false, await this.prepareScanner(), wrappedCollector, statusUpdater);
+      const scanner = await this.prepareScanner();
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
+      return await analyzeWithHeuristics(this.state, vulns, [RubyHeuristics.ONLY_VULN_PATH_PACKAGES], false, scanner, wrappedCollector, statusUpdater);
     } finally {
       await this.scanner.cleanup();
     }
@@ -114117,9 +114336,16 @@ var RustAnalyzer = class {
   constructor(state) {
     this.state = state;
   }
+  async createScanner(tmpDir, statusUpdater) {
+    return this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+  }
+  async installDependencies(preinstallDir) {
+    const scanner = await this.createScanner(preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("cargo-phantom-dependency-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree) : await RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir);
+      const scanner = await this.createScanner(tmpDir);
       return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
@@ -114131,11 +114357,17 @@ var RustAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    return withTmpDirectory("cargo-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : await RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+    const preinstallDir = this.state.preinstallDir;
+    const runWithTmpDir = async (tmpDir) => {
+      const scanner = await this.createScanner(tmpDir, statusUpdater);
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const heuristicsInOrder = [RusticaHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, wrappedCollector, statusUpdater);
-    });
+    };
+    if (preinstallDir) {
+      return runWithTmpDir(preinstallDir);
+    }
+    return withTmpDirectory("cargo-reachability-analysis", runWithTmpDir);
   }
   async getWorkspaceDiagnostics() {
     let sourceFilesDetected;
@@ -114174,6 +114406,17 @@ var ecosystemAnalyzer = {
 };
 var apiKey2 = COANA_API_KEY ? { type: "present", value: COANA_API_KEY } : { type: "missing" };
 var dashboardAPI3 = new DashboardAPI(process.env.SOCKET_MODE === "true", process.env.DISABLE_ANALYTICS_SHARING === "true");
+async function installDependenciesForAnalysis(state, preinstallDir) {
+  const projectDir = resolve22(state.subprojectDir, state.workspacePath);
+  const ecosystem = state.workspaceData.data.type;
+  logger.info(`Pre-installing dependencies for project at "${relative10(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
+  const constructor = ecosystemAnalyzer[ecosystem];
+  if (!constructor)
+    throw Error(`No analyzer associated with ecosystem ${ecosystem}`);
+  const analyzer = new constructor(state, projectDir);
+  const failedPackages = await analyzer.installDependencies(preinstallDir);
+  return { failedPackages };
+}
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve22(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
@@ -114205,9 +114448,30 @@ async function getReachabilityAnalyzersStateFromInput(rootWorkingDir, subproject
 }
 // dist/reachability-analyzers-cli.js
-var runReachabilityAnalysisCmd = new Command().name("runReachabilityAnalysis").argument("<rootWorkingDir>", "Directory where Coana is run").argument("<subprojectDir>", "Project root of directory being analyzed").argument("<workspacePath>", "Path to directory to analyze relative to subprojectDir").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--coana-socket-path <socketPath>", "Coana socket path").option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).requiredOption("-i, --input-file <inputFile>", "Input file for data and vulnerabilities").requiredOption("-o, --output-file <outputFile>", "Output file for the results").configureHelp({ sortSubcommands: true, sortOptions: true }).action(async (rootWorkingDir, subprojectDir, workspacePath, options) => withLoggerAndSpinner("Coana Reachability Analyzers", options, async () => {
+var runReachabilityAnalysisCmd = new Command().name("runReachabilityAnalysis").argument("<rootWorkingDir>", "Directory where Coana is run").argument("<subprojectDir>", "Project root of directory being analyzed").argument("<workspacePath>", "Path to directory to analyze relative to subprojectDir").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--coana-socket-path <socketPath>", "Coana socket path").option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--preinstall-dir <preinstallDir>", "Directory with pre-installed dependencies").requiredOption("-i, --input-file <inputFile>", "Input file for data and vulnerabilities").requiredOption("-o, --output-file <outputFile>", "Output file for the results").configureHelp({ sortSubcommands: true, sortOptions: true }).action(async (rootWorkingDir, subprojectDir, workspacePath, options) => withLoggerAndSpinner("Coana Reachability Analyzers", options, async () => {
+  try {
+    const state = await getReachabilityAnalyzersStateFromInput(rootWorkingDir, subprojectDir, workspacePath, options.inputFile);
+    if (options.preinstallDir) {
+      state.preinstallDir = options.preinstallDir;
+    }
+    const result = await runReachabilityAnalysis(state);
+    if (options.outputFile) {
+      logger.debug("Writing result to file", options.outputFile);
+      await writeFile10(options.outputFile, JSON.stringify({ result }));
+    } else {
+      logger.info("Result:", JSON.stringify(result, null, 2));
+    }
+  } catch (e) {
+    if (e instanceof InstallError && options.outputFile) {
+      await writeFile10(options.outputFile, JSON.stringify({ error: { type: "InstallError", failedPackages: e.failedPackages } }));
+      return;
+    }
+    throw e;
+  }
+}, "reachability-analyzer"));
+var installDependenciesCmd = new Command().name("installDependencies").argument("<rootWorkingDir>", "Directory where Coana is run").argument("<subprojectDir>", "Project root of directory being analyzed").argument("<workspacePath>", "Path to directory to analyze relative to subprojectDir").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--coana-socket-path <socketPath>", "Coana socket path").option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).requiredOption("-i, --input-file <inputFile>", "Input file for data and vulnerabilities").requiredOption("-o, --output-file <outputFile>", "Output file for the results").requiredOption("--preinstall-dir <preinstallDir>", "Directory to install dependencies into").configureHelp({ sortSubcommands: true, sortOptions: true }).action(async (rootWorkingDir, subprojectDir, workspacePath, options) => withLoggerAndSpinner("Coana Reachability Analyzers - Install Dependencies", options, async () => {
   const state = await getReachabilityAnalyzersStateFromInput(rootWorkingDir, subprojectDir, workspacePath, options.inputFile);
-  const result = await runReachabilityAnalysis(state);
+  const result = await installDependenciesForAnalysis(state, options.preinstallDir);
   if (options.outputFile) {
     logger.debug("Writing result to file", options.outputFile);
     await writeFile10(options.outputFile, JSON.stringify({ result }));
@@ -114263,7 +114527,7 @@ var runOnPackageRegistryPackageCmd = new Command().name("runOnPackageRegistryPac
     }
   }, "reachability-analyzer");
 });
-new Command().addCommand(runReachabilityAnalysisCmd, { isDefault: true }).addCommand(runOnDependencyChainCmd).addCommand(runOnPackageRegistryPackageCmd).parseAsync();
+new Command().addCommand(runReachabilityAnalysisCmd, { isDefault: true }).addCommand(installDependenciesCmd).addCommand(runOnDependencyChainCmd).addCommand(runOnPackageRegistryPackageCmd).parseAsync();
 /*! Bundled license information:
 safe-buffer/index.js: