@coana-tech/cli 14.12.201 → 15.0.1

package/cli.mjs

@@ -199895,7 +199895,7 @@ var {
 } = import_index.default;
 
 // dist/index.js
-import { mkdir as mkdir7, mkdtemp as mkdtemp2, readFile as readFile38, rm as rm3, writeFile as writeFile17 } from "fs/promises";
+import { mkdir as mkdir7, mkdtemp as mkdtemp2, readFile as readFile38, rm as rm4, writeFile as writeFile17 } from "fs/promises";
 import { tmpdir as tmpdir5 } from "os";
 import { dirname as dirname26, join as join35, resolve as resolve44 } from "path";
 
@@ -214060,7 +214060,7 @@ var prereleaseSpecifierNormalization = {
 };
 var postreleaseSpecifiers = ["post", "rev", "r"];
 var devReleaseSpecifiers = ["dev"];
-var epochRegex = /(\d+):/;
+var epochRegex = /(\d+)!/;
 var releaseSegmentRegex = /(\d+(?:\.\d+)*)/;
 var prereleaseRegex = buildRegexWithSpecifier(prereleaseSpecifiers);
 var postreleaseRegex = buildRegexWithSpecifier(postreleaseSpecifiers);
@@ -227584,7 +227584,7 @@ var prereleaseSpecifierNormalization2 = {
 };
 var postreleaseSpecifiers2 = ["post", "rev", "r"];
 var devReleaseSpecifiers2 = ["dev"];
-var epochRegex2 = /(\d+):/;
+var epochRegex2 = /(\d+)!/;
 var releaseSegmentRegex2 = /(\d+(?:\.\d+)*)/;
 var prereleaseRegex2 = buildRegexWithSpecifier2(prereleaseSpecifiers2);
 var postreleaseRegex2 = buildRegexWithSpecifier2(postreleaseSpecifiers2);
@@ -231909,6 +231909,16 @@ import assert15 from "node:assert";
 import { platform as platform8 } from "os";
 import { join as join27, posix as posix2, relative as relative18, sep as sep3 } from "path";
 
+// ../web-compat-utils/dist/analysis-error-keys.js
+var InstallError = class extends Error {
+  failedPackages;
+  constructor(failedPackages) {
+    super(`Failed to install packages: ${failedPackages.join(", ")}`);
+    this.failedPackages = failedPackages;
+    this.name = "InstallError";
+  }
+};
+
 // ../utils/src/tmp-file.ts
 import { rm, mkdtemp, cp as cp4, lstat as lstat2 } from "fs/promises";
 import { tmpdir as tmpdir4 } from "os";
@@ -232301,6 +232311,7 @@ var pullDockerImage = memoize(async (image) => {
 var ONE_DAY_IN_MS = 24 * 60 * 60 * 1e3;
 var TMP_DIR_IN_DOCKER = "/coana-tmp";
 var SOCKET_PATH_IN_DOCKER = "/coana.sock";
+var PREINSTALL_DIR_IN_DOCKER = "/coana-preinstall";
 var OtherModulesCommunicator = class {
   constructor(rootWorkingDir, options, apiKey) {
     this.rootWorkingDir = rootWorkingDir;
@@ -232337,6 +232348,8 @@ var OtherModulesCommunicator = class {
       switch (cmd) {
         case "runReachabilityAnalysis":
           return "Running reachability analysis";
+        case "installDependencies":
+          return "Pre-installing dependencies";
         case "runOnDependencyChain":
           return "Running reachability analysis on dependency chain";
         case "runOnPackageRegistryPackage":
@@ -232408,7 +232421,7 @@ var OtherModulesCommunicator = class {
     );
     return JSON.parse(await readFile32(outputFilePathThisProcess, "utf-8")).result;
   }
-  async runReachabilityAnalyzerCommand(commandName, ecosystem, subprojectPath, workspacePath, args2, env, rootWorkingDirOverride, displaySubprojectPath) {
+  async runReachabilityAnalyzerCommand(commandName, ecosystem, subprojectPath, workspacePath, args2, env, rootWorkingDirOverride, displaySubprojectPath, extraDockerArgs) {
     const tmpDir = await this.getTmpDirForSubproject(displaySubprojectPath ?? subprojectPath);
     const effectiveRootWorkingDir = rootWorkingDirOverride ?? this.rootWorkingDir;
     const effectiveSubprojectPath = rootWorkingDirOverride ?? subprojectPath;
@@ -232455,7 +232468,8 @@ var OtherModulesCommunicator = class {
             finalArgs,
             subprojectPath,
             tmpDir,
-            env
+            env,
+            extraDockerArgs
           );
         }
         if (!succeeded)
@@ -232465,7 +232479,7 @@ var OtherModulesCommunicator = class {
       }
     );
   }
-  async runReachabilityAnalyzerCommandWithOutput(commandName, ecosystem, subprojectPath, workspacePath, args2, env, rootWorkingDirOverride, displaySubprojectPath) {
+  async runReachabilityAnalyzerCommandWithOutput(commandName, ecosystem, subprojectPath, workspacePath, args2, env, rootWorkingDirOverride, displaySubprojectPath, extraDockerArgs) {
     const tmpDir = await this.getTmpDirForSubproject(displaySubprojectPath ?? subprojectPath);
     const outputFileName = `${v4_default()}-${commandName}-output.json`;
     const outputFilePathThisProcess = join27(tmpDir, outputFileName);
@@ -232478,16 +232492,22 @@ var OtherModulesCommunicator = class {
       [...args2, "-o", outputFilePathOtherProcess],
       env,
       rootWorkingDirOverride,
-      displaySubprojectPath
+      displaySubprojectPath,
+      extraDockerArgs
     );
-    return JSON.parse(await readFile32(outputFilePathThisProcess, "utf-8")).result;
+    const output = JSON.parse(await readFile32(outputFilePathThisProcess, "utf-8"));
+    if (output.error?.type === "InstallError") {
+      throw new InstallError(output.error.failedPackages);
+    }
+    return output.result;
   }
-  async runInDocker(ecosystem, image, entryPoint, commandName, args2, subprojectPath, tmpDir, env = process.env) {
+  async runInDocker(ecosystem, image, entryPoint, commandName, args2, subprojectPath, tmpDir, env = process.env, extraDockerArgs) {
     if (!await pullDockerImage(image)) return false;
     const envArgs = Object.keys(env).filter((key) => DOCKER_ENV_WHITE_LIST.some((whiteListedKey) => key.includes(whiteListedKey))).flatMap((key) => ["-e", key]);
     const cmd = cmdt`docker run --pull=never --rm -v ${this.rootWorkingDir}:/project -v ${tmpDir}:${TMP_DIR_IN_DOCKER}
       -v=${this.options.coanaSocketPath}:${SOCKET_PATH_IN_DOCKER}
       ${await getEcosystemSpecificDockerArgs(ecosystem)}
+      ${extraDockerArgs ?? []}
       ${envArgs} ${image} ${entryPoint} ${commandName} ${args2}`;
     return execPipeAndLogOnFailure2(cmd, subprojectPath, { env, timeout: ONE_DAY_IN_MS });
   }
@@ -232548,7 +232568,42 @@ var OtherModulesCommunicator = class {
       workspacePaths
     );
   }
-  async runReachabilityAnalysis(subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, reachabilityAnalysisOptions, otherAnalysisOptions, rootWorkingDirOverride, displaySubprojectPath) {
+  async installDependencies(subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, reachabilityAnalysisOptions, otherAnalysisOptions, preinstallDir) {
+    const tmpDir = await this.getTmpDirForSubproject(subprojectPath);
+    if (isNexeMode()) {
+      await extractAllToolsForNexeMode();
+    }
+    const inputFileName = `${v4_default()}-installDependencies-input.json`;
+    const inputFileThisProcess = join27(tmpDir, inputFileName);
+    const inputFileOtherProcess = this.options.runWithoutDocker ? inputFileThisProcess : posix2.join(TMP_DIR_IN_DOCKER, inputFileName);
+    const preinstallDirOtherProcess = this.options.runWithoutDocker ? preinstallDir : PREINSTALL_DIR_IN_DOCKER;
+    const extraDockerArgs = this.options.runWithoutDocker ? void 0 : ["-v", `${preinstallDir}:${PREINSTALL_DIR_IN_DOCKER}`];
+    await writeFile12(
+      inputFileThisProcess,
+      JSON.stringify({
+        workspaceData,
+        vulnerabilities,
+        reachabilityAnalysisOptions,
+        otherAnalysisOptions
+      })
+    );
+    return this.runReachabilityAnalyzerCommandWithOutput(
+      "installDependencies",
+      ecosystem,
+      subprojectPath,
+      workspacePath,
+      argt`-i ${inputFileOtherProcess} --preinstall-dir ${preinstallDirOtherProcess}`,
+      {
+        ...process.env,
+        COANA_REPORT_ID: this.options.reportId,
+        COANA_API_KEY: this.apiKey.type === "present" ? this.apiKey.value : ""
+      },
+      void 0,
+      void 0,
+      extraDockerArgs
+    );
+  }
+  async runReachabilityAnalysis(subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, reachabilityAnalysisOptions, otherAnalysisOptions, rootWorkingDirOverride, displaySubprojectPath, preinstallDir) {
     const tmpDir = await this.getTmpDirForSubproject(displaySubprojectPath ?? subprojectPath);
     if (isNexeMode()) {
       await extractAllToolsForNexeMode();
@@ -232556,6 +232611,8 @@ var OtherModulesCommunicator = class {
     const inputFileName = `${v4_default()}-runReachabilityAnalysis-input.json`;
     const inputFileThisProcess = join27(tmpDir, inputFileName);
     const inputFileOtherProcess = this.options.runWithoutDocker ? inputFileThisProcess : posix2.join(TMP_DIR_IN_DOCKER, inputFileName);
+    const preinstallDirOtherProcess = preinstallDir ? this.options.runWithoutDocker ? preinstallDir : PREINSTALL_DIR_IN_DOCKER : void 0;
+    const extraDockerArgs = preinstallDir && !this.options.runWithoutDocker ? ["-v", `${preinstallDir}:${PREINSTALL_DIR_IN_DOCKER}`] : void 0;
     await writeFile12(
       inputFileThisProcess,
       JSON.stringify({
@@ -232565,19 +232622,21 @@ var OtherModulesCommunicator = class {
         otherAnalysisOptions
       })
     );
+    const preinstallArgs = preinstallDirOtherProcess ? argt`--preinstall-dir ${preinstallDirOtherProcess}` : [];
     return this.runReachabilityAnalyzerCommandWithOutput(
       "runReachabilityAnalysis",
       ecosystem,
       subprojectPath,
       workspacePath,
-      argt`-i ${inputFileOtherProcess}`,
+      [...argt`-i ${inputFileOtherProcess}`, ...preinstallArgs],
       {
         ...process.env,
         COANA_REPORT_ID: this.options.reportId,
         COANA_API_KEY: this.apiKey.type === "present" ? this.apiKey.value : ""
       },
       rootWorkingDirOverride,
-      displaySubprojectPath
+      displaySubprojectPath,
+      extraDockerArgs
     );
   }
 };
@@ -234834,7 +234893,7 @@ function prettyApplyFixesTo(applyFixesToOption) {
 // dist/cli-core.js
 import assert16 from "node:assert";
 import { existsSync as existsSync28, writeFileSync as writeFileSync3 } from "fs";
-import { mkdir as mkdir6, writeFile as writeFile15 } from "fs/promises";
+import { mkdir as mkdir6, rm as rm3, writeFile as writeFile15 } from "fs/promises";
 var import_lodash15 = __toESM(require_lodash(), 1);
 import os2 from "os";
 import { join as join34, relative as relative22, resolve as resolve42 } from "path";
@@ -235300,6 +235359,20 @@ function isShortestPath(root3, vulnPath) {
 var FAILED_TO_INSTALL_PACKAGE_KEY = "[UNABLE_TO_INSTALL_PACKAGE_ERROR]: ";
 var CLI_ANALYSIS_ERROR_MESSAGE = "Sharing log due to analysis error";
 var ANALYSIS_LOW_CONFIDENCE_MESSAGE = "Analysis had low confidence in result";
+var InstallError2 = class extends Error {
+  constructor(failedPackages) {
+    super(`Failed to install packages: ${failedPackages.join(", ")}`);
+    this.failedPackages = failedPackages;
+    this.name = "InstallError";
+  }
+};
+var AnalysisHaltError = class extends Error {
+  constructor(errorMessages) {
+    super(`Analysis failed with errors: ${errorMessages.join("; ")}`);
+    this.errorMessages = errorMessages;
+    this.name = "AnalysisHaltError";
+  }
+};
 
 // ../web-compat-utils/src/pluralize.ts
 function pluralize(count, word) {
@@ -236215,9 +236288,10 @@ function toSocketReachabilitySchema(vulnerability) {
   if (codeAwareScanResult.type === "analysisError") {
     return { type: "error", error: codeAwareScanResult.message };
   }
+  if (codeAwareScanResult.type === "skippedUnsupportedEcosystem") {
+    return { type: "unknown", reason: codeAwareScanResult.message };
+  }
   if (codeAwareScanResult.type === "otherError") {
-    if (codeAwareScanResult.message.includes("Reachability analysis for languages using"))
-      return { type: "unknown", reason: codeAwareScanResult.message };
     return { type: "error", error: codeAwareScanResult.message };
   }
   if (codeAwareScanResult.type === "success") {
@@ -251677,7 +251751,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.201";
+var version3 = "15.0.1";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;
@@ -251864,8 +251938,11 @@ var CliCore = class {
       await this.cleanupLogging();
     } catch (e) {
       await this.spinner.fail();
-      logger.error("CLI failed with error:", e);
-      await this.shareErrorLogWithBackend(e, true, "cli-error");
+      const isExpectedHalt = e instanceof InstallError2 || e instanceof AnalysisHaltError;
+      if (!isExpectedHalt) {
+        logger.error("CLI failed with error:", e);
+      }
+      await this.shareErrorLogWithBackend(e, !isExpectedHalt, "cli-error");
       await this.cleanupLogging();
       process.exit(1);
     }
@@ -251913,46 +251990,70 @@ var CliCore = class {
       logger.info(bold(`  ${ecosystem} (${workspaces.length}):`));
       workspaces.forEach((workspace) => logger.info(bold(`    ${workspace}`)));
     });
+    let preinstallDir;
+    try {
+      logger.info(bold("Pre-installing dependencies for all projects..."));
+      preinstallDir = await createTmpDirectory("coana-preinstall");
+      await this.preInstallAllDependencies(preinstallDir, ecosystemToWorkspaceToAnalysisData, ecosystemToWorkspaceToVulnerabilities, otherModulesCommunicator);
+      logger.info(bold("All dependencies pre-installed successfully"));
+    } catch (e) {
+      if (this.options.reachContinueOnInstallErrors) {
+        logger.info("Continuing with pre-installed dependencies despite errors");
+      } else {
+        if (preinstallDir) {
+          await rm3(preinstallDir, { recursive: true, force: true }).catch((err) => logger.debug(`Failed to cleanup preinstall dir: ${err instanceof Error ? err.message : String(err)}`));
+        }
+        throw e;
+      }
+    }
     const vulnsWithResults = [];
     const allWorkspaceDiagnostics = [];
     const allWorkspaceTimings = /* @__PURE__ */ new Map();
     const allEcosystems = Object.entries(ecosystemToWorkspaceToAnalysisData);
     const totalEcosystems = allEcosystems.length;
     let currentOverallWorkspace = 0;
-    for (const [ecosystemIndex, [ecosystem, workspaceToAnalysisData]] of allEcosystems.entries()) {
-      this.sendProgress("RUN_ON_SUBPROJECT", true, this.rootWorkingDirectory);
-      const isEcosystemToAnalyze = !this.options.purlTypes || this.options.purlTypes.some((purlType) => getAdvisoryEcosystemFromPurlType(purlType) === ecosystem);
-      if (!isEcosystemToAnalyze) {
-        logger.info(`Skipping reachability analysis for ecosystem ${getPurlType(ecosystem)} since it is not included in the list of ecosystems to analyze.`);
-      }
-      const { vulnerabilities, diagnostics, timings } = await this.runReachabilityAnalysisForWorkspaces(
-        workspaceToAnalysisData,
-        ecosystemToWorkspaceToVulnerabilities[ecosystem] ?? {},
-        {},
-        // We do not need the direct dependencies for socket mode
-        otherModulesCommunicator,
-        this.rootWorkingDirectory,
-        ecosystem,
-        ["NPM", "PIP", "GO", "MAVEN", "NUGET", "RUST", "RUBYGEMS"].includes(ecosystem) && isEcosystemToAnalyze,
-        (workspaceName, workspaceNumber, totalWorkspacesForCurrentEcosystem) => {
-          currentOverallWorkspace++;
-          logger.info(bold(`Analyzing ecosystem ${ecosystem} for project ${workspaceName} (${workspaceNumber}/${totalWorkspacesForCurrentEcosystem}) - Overall progress: Project ${currentOverallWorkspace}/${totalWorkspaces}, ecosystem ${ecosystemIndex + 1}/${totalEcosystems}`));
-        }
-      );
-      vulnsWithResults.push(...Object.values(vulnerabilities).flat());
-      for (const [workspacePath, workspaceDiagnostics] of Object.entries(diagnostics)) {
-        allWorkspaceDiagnostics.push({
-          // the workspace path is the subproject path in socket mode
-          subprojectPath: workspacePath ?? ".",
-          workspacePath: ".",
-          purl_type: getPurlType(ecosystem),
-          diagnostics: workspaceDiagnostics
-        });
-        if (timings[workspacePath] !== void 0) {
-          allWorkspaceTimings.set(`${ecosystem}:${workspacePath}`, timings[workspacePath]);
+    try {
+      for (const [ecosystemIndex, [ecosystem, workspaceToAnalysisData]] of allEcosystems.entries()) {
+        this.sendProgress("RUN_ON_SUBPROJECT", true, this.rootWorkingDirectory);
+        const isEcosystemToAnalyze = !this.options.purlTypes || this.options.purlTypes.some((purlType) => getAdvisoryEcosystemFromPurlType(purlType) === ecosystem);
+        if (!isEcosystemToAnalyze) {
+          logger.info(`Skipping reachability analysis for ecosystem ${getPurlType(ecosystem)} since it is not included in the list of ecosystems to analyze.`);
+        }
+        const ecosystemPreinstallDir = preinstallDir ? join34(preinstallDir, ecosystem) : void 0;
+        const { vulnerabilities, diagnostics, timings } = await this.runReachabilityAnalysisForWorkspaces(
+          workspaceToAnalysisData,
+          ecosystemToWorkspaceToVulnerabilities[ecosystem] ?? {},
+          {},
+          // We do not need the direct dependencies for socket mode
+          otherModulesCommunicator,
+          this.rootWorkingDirectory,
+          ecosystem,
+          ["NPM", "PIP", "GO", "MAVEN", "NUGET", "RUST", "RUBYGEMS"].includes(ecosystem) && isEcosystemToAnalyze,
+          (workspaceName, workspaceNumber, totalWorkspacesForCurrentEcosystem) => {
+            currentOverallWorkspace++;
+            logger.info(bold(`Analyzing ecosystem ${ecosystem} for project ${workspaceName} (${workspaceNumber}/${totalWorkspacesForCurrentEcosystem}) - Overall progress: Project ${currentOverallWorkspace}/${totalWorkspaces}, ecosystem ${ecosystemIndex + 1}/${totalEcosystems}`));
+          },
+          ecosystemPreinstallDir
+        );
+        vulnsWithResults.push(...Object.values(vulnerabilities).flat());
+        for (const [workspacePath, workspaceDiagnostics] of Object.entries(diagnostics)) {
+          allWorkspaceDiagnostics.push({
+            // the workspace path is the subproject path in socket mode
+            subprojectPath: workspacePath ?? ".",
+            workspacePath: ".",
+            purl_type: getPurlType(ecosystem),
+            diagnostics: workspaceDiagnostics
+          });
+          if (timings[workspacePath] !== void 0) {
+            allWorkspaceTimings.set(`${ecosystem}:${workspacePath}`, timings[workspacePath]);
+          }
         }
+        this.sendProgress("RUN_ON_SUBPROJECT", false, this.rootWorkingDirectory);
+      }
+    } finally {
+      if (preinstallDir) {
+        await rm3(preinstallDir, { recursive: true, force: true }).catch((err) => logger.debug(`Failed to cleanup preinstall dir: ${err instanceof Error ? err.message : String(err)}`));
       }
-      this.sendProgress("RUN_ON_SUBPROJECT", false, this.rootWorkingDirectory);
     }
     for (const vuln of vulnsWithResults) {
       if (vuln.codeAwareScanResult.type === "success" && vuln.codeAwareScanResult.lowConfidence === true && vuln.codeAwareScanResult.detectedOccurrences?.stacks?.length === 0) {
@@ -251963,6 +252064,15 @@ var CliCore = class {
         vuln.reachability = "UNKNOWN";
       }
     }
+    if (!this.options.reachContinueOnAnalysisErrors) {
+      const isInstallError = (msg) => msg.startsWith(FAILED_TO_INSTALL_PACKAGE_KEY);
+      const errorMessages = vulnsWithResults.filter((v) => v.codeAwareScanResult.type === "analysisError" || v.codeAwareScanResult.type === "otherError").map((v) => v.codeAwareScanResult.message).filter((msg) => !this.options.reachContinueOnInstallErrors || !isInstallError(msg));
+      if (errorMessages.length > 0) {
+        const uniqueErrors = [...new Set(errorMessages)];
+        this.logAnalysisErrors(errorMessages.length, uniqueErrors);
+        throw new AnalysisHaltError(uniqueErrors);
+      }
+    }
     displayResultsSummary(vulnsWithResults, allWorkspaceTimings);
     displayWorkspaceDiagnosticsSummary(allWorkspaceDiagnostics, vulnsWithResults);
     await this.shareLogIfAnalysisError(vulnsWithResults);
@@ -252216,7 +252326,7 @@ Subproject: ${subproject}`);
       this.sendProgress("RUN_ON_SUBPROJECT", false, subProjAndWsPath.subprojectPath);
     }
   }
-  async runReachabilityAnalysisForWorkspaces(workspacePathToDataForAnalysis, workspaceToVulnerabilities, workspaceToDirectDependencies, otherModulesCommunicator, subprojectPath, ecosystem, reachabilitySupported, analysisStarting) {
+  async runReachabilityAnalysisForWorkspaces(workspacePathToDataForAnalysis, workspaceToVulnerabilities, workspaceToDirectDependencies, otherModulesCommunicator, subprojectPath, ecosystem, reachabilitySupported, analysisStarting, preinstallDir) {
     const workspaces = Object.keys(workspacePathToDataForAnalysis);
     const totalWorkspaces = workspaces.length;
     const concurrency = Number(this.options.concurrency);
@@ -252281,6 +252391,8 @@ Subproject: ${subproject}`);
               [effectiveSubprojectPath, releaseDir] = await npmProjectDirPool.acquire();
             }
             try {
+              const perProjectEcosystems = ["PIP", "RUBYGEMS"];
+              const effectivePreinstallDir = preinstallDir && perProjectEcosystems.includes(ecosystem) ? join34(preinstallDir, workspacePath.replace(/\//g, "_")) : preinstallDir;
               const resAndDiagnostics = await this.runReachabilityAnalysis(
                 otherModulesCommunicator,
                 effectiveSubprojectPath,
@@ -252292,7 +252404,8 @@ Subproject: ${subproject}`);
                 // When using temp copy for concurrent analysis, override rootWorkingDir
                 npmProjectDirPool ? effectiveSubprojectPath : void 0,
                 // Pass original subprojectPath for display when using temp copy
-                npmProjectDirPool ? subprojectPath : void 0
+                npmProjectDirPool ? subprojectPath : void 0,
+                effectivePreinstallDir
               );
               augmentedVulnerabilitiesToAnalyze = resAndDiagnostics.vulnerabilities;
               workspaceDiagnostics = resAndDiagnostics.diagnostics;
@@ -252303,7 +252416,7 @@ Subproject: ${subproject}`);
             augmentedVulnerabilitiesToAnalyze = vulnerabilitiesToAnalyze.map((v) => ({
               ...v,
               results: {
-                type: "otherError",
+                type: "skippedUnsupportedEcosystem",
                 message: `Reachability analysis for languages using ${ecosystem} not supported yet`
               }
             }));
@@ -252315,6 +252428,10 @@ Subproject: ${subproject}`);
           ];
           return [workspacePath, { vulnerabilities: augmentedVulnerabilities, diagnostics: workspaceDiagnostics }];
         } catch (e) {
+          if (e instanceof InstallError2) {
+            this.logInstallError(e.failedPackages, ecosystem);
+            throw e;
+          }
           logger.error(`${workspacePrefix}Reachability analysis failed for workspace ${workspacePath} in subproject ${subprojectPath}: ${e.message}`);
           return [
             workspacePath,
@@ -252391,6 +252508,141 @@ Subproject: ${subproject}`);
       }
     }
   }
+  /**
+   * Pre-installs all dependencies across all ecosystems and workspaces to the given dir.
+   * If any installations fail, reports all failures and throws an InstallError.
+   */
+  async preInstallAllDependencies(preinstallDir, ecosystemToWorkspaceToAnalysisData, ecosystemToWorkspaceToVulnerabilities, otherModulesCommunicator) {
+    const installTasks = [];
+    for (const [ecosystem, workspaceToAnalysisData] of Object.entries(ecosystemToWorkspaceToAnalysisData)) {
+      if (ecosystem === "GO" && this.options.reachContinueOnInstallErrors)
+        continue;
+      const ecosystemDir = join34(preinstallDir, ecosystem);
+      await mkdir6(ecosystemDir, { recursive: true });
+      for (const [workspace, analysisData] of Object.entries(workspaceToAnalysisData)) {
+        const perProjectEcosystems = ["PIP", "RUBYGEMS"];
+        const installDir = perProjectEcosystems.includes(ecosystem) ? join34(ecosystemDir, workspace.replace(/\//g, "_")) : ecosystemDir;
+        if (installDir !== ecosystemDir) {
+          await mkdir6(installDir, { recursive: true });
+        }
+        installTasks.push({
+          ecosystem,
+          workspace,
+          analysisData,
+          vulnerabilities: ecosystemToWorkspaceToVulnerabilities[ecosystem]?.[workspace] ?? [],
+          installDir
+        });
+      }
+    }
+    const allFailures = [];
+    await asyncMap(installTasks, async ({ ecosystem, workspace, analysisData, vulnerabilities, installDir }) => {
+      try {
+        const result = await otherModulesCommunicator.installDependencies(workspace, ".", analysisData, ecosystem, vulnerabilities, {
+          timeoutSeconds: {
+            allVulnRuns: this.analysisTimeoutInSeconds,
+            bucketedRuns: bucketedAnalysisTimeoutInSeconds
+          },
+          memoryLimitInMB: this.analysisMemoryLimitInMb
+        }, {
+          haltOnInstallErrors: false
+        }, installDir);
+        if (result.failedPackages.length > 0) {
+          logger.info(`  ${ecosystem}/${workspace}: failed to install ${result.failedPackages.join(", ")}`);
+          allFailures.push({ ecosystem, workspace, failedPackages: result.failedPackages });
+        } else {
+          logger.info(`  ${ecosystem}/${workspace}: all packages installed successfully`);
+        }
+      } catch (e) {
+        const message2 = e instanceof Error ? e.message : String(e);
+        logger.info(`  ${ecosystem}/${workspace}: pre-install failed (${message2})`);
+        allFailures.push({ ecosystem, workspace, failedPackages: [`(pre-install error: ${message2})`] });
+      }
+    }, Number(this.options.concurrency));
+    if (allFailures.length > 0) {
+      this.logAggregatedInstallErrors(allFailures);
+      const allFailed = allFailures.flatMap((f6) => f6.failedPackages);
+      throw new InstallError2(allFailed);
+    }
+  }
+  logAggregatedInstallErrors(failures) {
+    const displayLines = [""];
+    const goFailures = failures.filter((f6) => f6.ecosystem === "GO");
+    const installFailures = failures.filter((f6) => f6.ecosystem !== "GO");
+    if (installFailures.length > 0) {
+      displayLines.push(kleur_default.red().bold("Installation Errors"));
+      displayLines.push("The following packages failed to install during dependency pre-installation:");
+      displayLines.push("");
+      const byEcosystem = /* @__PURE__ */ new Map();
+      for (const f6 of installFailures) {
+        if (!byEcosystem.has(f6.ecosystem))
+          byEcosystem.set(f6.ecosystem, []);
+        byEcosystem.get(f6.ecosystem).push(f6);
+      }
+      for (const [ecosystem, ecosystemFailures] of byEcosystem) {
+        displayLines.push(kleur_default.bold(`  ${ecosystem}:`));
+        for (const f6 of ecosystemFailures) {
+          const pkgList = f6.failedPackages.sort();
+          const pkgLines = pkgList.slice(0, 10).map((pkg) => `      - ${pkg}`);
+          if (pkgList.length > 10) {
+            pkgLines.push(`      ... and ${pkgList.length - 10} more`);
+          }
+          displayLines.push(`    ${f6.workspace}:`);
+          displayLines.push(...pkgLines);
+        }
+        displayLines.push("");
+      }
+      displayLines.push("Pre-installing dependencies before running the analysis might fix this problem.", "");
+    }
+    if (goFailures.length > 0) {
+      displayLines.push(kleur_default.red().bold("Build Errors"));
+      displayLines.push("The following Go projects failed to build:");
+      displayLines.push("");
+      for (const f6 of goFailures) {
+        displayLines.push(`    ${f6.workspace}`);
+      }
+      displayLines.push("");
+    }
+    displayLines.push("Use --reach-continue-on-install-errors to proceed with precomputed (Tier 2) reachability results for affected vulnerabilities.", "");
+    logger.error(displayLines.join("\n"));
+  }
+  logInstallError(failedPackages, ecosystem) {
+    const pkgList = failedPackages.sort();
+    const pkgLines = pkgList.slice(0, 20).map((pkg) => `  - ${pkg}`);
+    if (pkgList.length > 20) {
+      pkgLines.push(`  ... and ${pkgList.length - 20} more`);
+    }
+    const installCmd = getInstallCommandForEcosystem(ecosystem);
+    const displayLines = [
+      "",
+      kleur_default.red().bold("Installation Error"),
+      "The following packages failed to install during reachability analysis:",
+      ...pkgLines,
+      "",
+      "To fix this, pre-install dependencies before running the analysis:",
+      "",
+      `  ${installCmd}`,
+      "",
+      "Alternatively, use --reach-continue-on-install-errors to proceed with precomputed (Tier 2) reachability results for affected vulnerabilities.",
+      ""
+    ];
+    logger.error(displayLines.join("\n"));
+  }
+  logAnalysisErrors(totalErrorCount, uniqueErrors) {
+    const errorLines = uniqueErrors.slice(0, 20).map((msg) => `  - ${msg}`);
+    if (uniqueErrors.length > 20) {
+      errorLines.push(`  ... and ${uniqueErrors.length - 20} more`);
+    }
+    const displayLines = [
+      "",
+      kleur_default.red().bold("Analysis Error"),
+      `Reachability analysis failed for ${totalErrorCount} ${totalErrorCount === 1 ? "vulnerability" : "vulnerabilities"}:`,
+      ...errorLines,
+      "",
+      "Use --reach-continue-on-analysis-errors to continue when encountering analysis errors and fallback to precomputed (Tier 2) reachability results for affected vulnerabilities.",
+      ""
+    ];
+    logger.error(displayLines.join("\n"));
+  }
   shouldExcludeAnalyzingWorkspace(subprojectPath, workspacePath, workspacePrefix = "") {
     const shouldExcludeWorkspaceForAnalysis = shouldIgnoreDueToExcludeDirsOrChangedFiles({
       mainProjectDir: this.rootWorkingDirectory,
@@ -252403,7 +252655,7 @@ Subproject: ${subproject}`);
     }
     return shouldExcludeWorkspaceForAnalysis;
   }
-  async runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, workspacePrefix = "", rootWorkingDirOverride, displaySubprojectPath) {
+  async runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, workspacePrefix = "", rootWorkingDirOverride, displaySubprojectPath, preinstallDir) {
     const [vulnsWithActualAPIPatterns, result] = partition(vulnerabilities, (v) => Array.isArray(v.vulnerabilityAccessPaths));
     for (const v of result)
       v.results = typeof v.vulnerabilityAccessPaths === "string" ? { type: "noAnalysisCheck", message: v.vulnerabilityAccessPaths } : { type: "missingVulnerabilityPattern" };
@@ -252429,8 +252681,9 @@ Subproject: ${subproject}`);
     }, {
       disableBucketing: !!this.options.disableAnalysisSplitting,
       lightweightReachability: this.options.lightweightReachability,
-      skipCacheUsage: this.options.skipCacheUsage
-    }, rootWorkingDirOverride, displaySubprojectPath);
+      skipCacheUsage: this.options.skipCacheUsage,
+      haltOnInstallErrors: !!this.options.socketMode && !this.options.reachContinueOnInstallErrors
+    }, rootWorkingDirOverride, displaySubprojectPath, preinstallDir);
     result.push(...analysisResult.vulnerabilities);
     this.sendProgress("REACHABILITY_ANALYSIS", false, subprojectPath, workspacePath);
     return { vulnerabilities: result, diagnostics: analysisResult.diagnostics };
@@ -252569,6 +252822,37 @@ async function getGitDataToMetadataIfAvailable(rootWorkingDirectory) {
     logger.debug("Unable to get git data. Is the folder even in a git repository?", e);
   }
 }
+function getInstallCommandForEcosystem(ecosystem) {
+  switch (ecosystem) {
+    case "NPM":
+      return "npm install";
+    case "PIP":
+      return "uv sync  (or your project-specific install command)";
+    case "GO":
+      return "go mod download";
+    case "MAVEN":
+      return "mvn dependency:resolve";
+    case "NUGET":
+      return "dotnet restore";
+    case "RUST":
+      return "cargo fetch";
+    case "RUBYGEMS":
+      return "bundle config set --local deployment true; bundle install";
+    case "COMPOSER":
+      return "composer install";
+    case "ERLANG":
+      return "rebar3 get-deps";
+    case "PUB":
+      return "dart pub get";
+    case "SWIFT":
+      return "swift package resolve";
+    case "ACTIONS":
+      return "Install project dependencies using your package manager";
+    default:
+      ecosystem;
+      return "Install project dependencies using your package manager";
+  }
+}
 
 // dist/internal/analysis-debug-info-transformer.js
 import { writeFile as writeFile16 } from "fs/promises";
@@ -252691,7 +252975,7 @@ async function writeAnalysisDebugInfo(outputFilePath, ecosystemToWorkspaceToVuln
 handleNexeBinaryMode();
 var program2 = new Command();
 var run2 = new Command();
-run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).addOption(new Option("--lazy-mode", "Enable lazy analysis mode for JavaScript/TypeScript. This can significantly speed up analysis by only analyzing code that is actually relevant for the vulnerabilities being analyzed.").default(false).hideHelp()).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).addOption(new Option("--use-only-pregenerated-sboms", "Only include artifacts that have CDX or SPDX files in their manifest files.").default(false).hideHelp()).option("--disable-external-tool-checks", "Disable validation of external tools (npm, python, go, etc.) before running analysis.", false).version(version3).configureHelp({ sortOptions: true }).action(async (path9, options) => {
+run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).option("--reach-continue-on-install-errors", "Continue analysis when package installation fails, falling back to precomputed (Tier 2) reachability results. By default, the CLI halts on installation errors in socket mode.", process.env.COANA_CONTINUE_ON_INSTALL_ERRORS === "true").option("--reach-continue-on-analysis-errors", "Continue analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) reachability results. By default, the CLI halts on analysis errors in socket mode.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).addOption(new Option("--lazy-mode", "Enable lazy analysis mode for JavaScript/TypeScript. This can significantly speed up analysis by only analyzing code that is actually relevant for the vulnerabilities being analyzed.").default(false).hideHelp()).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).addOption(new Option("--use-only-pregenerated-sboms", "Only include artifacts that have CDX or SPDX files in their manifest files.").default(false).hideHelp()).option("--disable-external-tool-checks", "Disable validation of external tools (npm, python, go, etc.) before running analysis.", false).version(version3).configureHelp({ sortOptions: true }).action(async (path9, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version3;
   options.ecosystems = options.ecosystems?.map((e) => e.toUpperCase());
   options.minSeverity = options.minSeverity?.toUpperCase();
@@ -252734,7 +253018,7 @@ computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument(
       await writeFile17(outputFile, JSON.stringify(output, null, 2));
       logger.info(`Result written to: ${outputFile}`);
     }
-    await rm3(tmpDir, { recursive: true, force: true });
+    await rm4(tmpDir, { recursive: true, force: true });
   } catch (error) {
     handleUpgradeError(error, logFile);
   }