@coana-tech/cli 14.12.201 → 15.0.1

package/reachability-analyzers-cli.mjs

@@ -79900,6 +79900,16 @@ var ApiUrls = {
   }
 };
 
+// ../web-compat-utils/src/analysis-error-keys.ts
+var FAILED_TO_INSTALL_PACKAGE_KEY = "[UNABLE_TO_INSTALL_PACKAGE_ERROR]: ";
+var InstallError = class extends Error {
+  constructor(failedPackages) {
+    super(`Failed to install packages: ${failedPackages.join(", ")}`);
+    this.failedPackages = failedPackages;
+    this.name = "InstallError";
+  }
+};
+
 // ../web-compat-utils/src/maven-dependency-utils.ts
 function deserializeMavenDependency(s2) {
   const [groupId, artifactId, version3] = s2.split(":");
@@ -88108,9 +88118,6 @@ var PromiseQueue = class {
   }
 };
 
-// ../web-compat-utils/src/analysis-error-keys.ts
-var FAILED_TO_INSTALL_PACKAGE_KEY = "[UNABLE_TO_INSTALL_PACKAGE_ERROR]: ";
-
 // ../web-compat-utils/src/ghsa.ts
 function extractGHSAIdFromUrl(url2) {
   const match2 = url2.match(/(GHSA-[a-z0-9-]+)/);
@@ -88151,6 +88158,7 @@ function getVulnReachability(c) {
 // dist/analyzers/pip-analyzer.js
 var import_lodash16 = __toESM(require_lodash(), 1);
 import assert7 from "assert";
+import { existsSync as existsSync15 } from "fs";
 import { resolve as resolve19 } from "path";
 
 // ../utils/src/pip-utils.ts
@@ -88571,8 +88579,8 @@ function addPathToTrie(root3, vulnPath) {
 // dist/whole-program-code-aware-vulnerability-scanner/python/python-code-aware-vulnerability-scanner.js
 var import_lodash14 = __toESM(require_lodash(), 1);
 import assert6 from "assert";
-import { existsSync as existsSync13 } from "fs";
-import { cp as cp7, readdir as readdir5, readFile as readFile12, rm as rm5 } from "fs/promises";
+import { existsSync as existsSync14 } from "fs";
+import { cp as cp7, readdir as readdir6, readFile as readFile12, rm as rm5 } from "fs/promises";
 var import_semver3 = __toESM(require_semver2(), 1);
 import { basename as basename11, dirname as dirname15, join as join17, resolve as resolve17, sep as sep5 } from "path";
 import util5 from "util";
@@ -95565,7 +95573,7 @@ var prereleaseSpecifierNormalization = {
 };
 var postreleaseSpecifiers = ["post", "rev", "r"];
 var devReleaseSpecifiers = ["dev"];
-var epochRegex = /(\d+):/;
+var epochRegex = /(\d+)!/;
 var releaseSegmentRegex = /(\d+(?:\.\d+)*)/;
 var prereleaseRegex = buildRegexWithSpecifier(prereleaseSpecifiers);
 var postreleaseRegex = buildRegexWithSpecifier(postreleaseSpecifiers);
@@ -110508,7 +110516,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile8(outputFile, "utf-8")).result;
-      return packageIds?.map((packageId) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}}`);
+      return packageIds?.map((packageId) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}`);
     });
   }
   async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, _experiment, telemetryHandler, analyzerTelemetryHandler) {
@@ -110518,7 +110526,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const packagesToAnalyzeSet = new Set(packagesToAnalyze);
       const filteredDeps = !packagesToAnalyze ? this.deps : Object.fromEntries(Object.entries(this.deps).filter(([packageId]) => {
         const purl = this.depIdToPurl.get(packageId);
-        return purl && packagesToAnalyzeSet.has(`${purl.namespace}:${purl.name}}`);
+        return purl && packagesToAnalyzeSet.has(`${purl.namespace}:${purl.name}`);
       }));
       return await this.actuallyRunAnalysis(vulnerabilities.flatMap((v) => v.vulnerabilityAccessPaths), timeoutInSeconds, filteredDeps, telemetryHandler, analyzerTelemetryHandler);
     } catch (e) {
@@ -110591,7 +110599,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
     };
   }
   getPackagesExcludedUnrelatedToHeuristic() {
-    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync9(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}}`);
+    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync9(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)).filter((purl) => purl !== void 0).map((purl) => `${purl.namespace}:${purl.name}`);
   }
 };
 async function convertDependencyChain2(dependencyChain, tmpDir) {
@@ -110660,6 +110668,9 @@ async function convertSocketArtifacts2(rootDir, artifacts, tmpDir) {
         }
       }
     }
+    const artifactFile = getPathToArtifact(tmpDir, groupId, artifactId, type, classifier, version3);
+    if (existsSync9(artifactFile))
+      return artifactFile;
     if (mavenInstalled && pomFile) {
       try {
         const dependencyGetCmd = cmdt`mvn -f=${basename8(resolve10(rootDir, pomFile))} dependency:get -DgroupId=${groupId} -DartifactId=${artifactId} -Dpackaging=${type} -Dclassifier${classifier} -Dversion=${version3} -Dtransitive=false`;
@@ -110670,7 +110681,6 @@ async function convertSocketArtifacts2(rootDir, artifacts, tmpDir) {
       } catch {
       }
     }
-    const artifactFile = getPathToArtifact(tmpDir, groupId, artifactId, type, classifier, version3);
     await mkdir6(dirname11(artifactFile), { recursive: true });
     const success = await resolveMavenArtifactFromStandardRepositories(groupId, artifactId, type, classifier, version3, artifactFile);
     return success ? artifactFile : void 0;
@@ -110722,21 +110732,41 @@ import { tmpdir as tmpdir4 } from "os";
 import { join as join15 } from "path";
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/dependency-preparation.js
-import { existsSync as existsSync10 } from "fs";
+import { existsSync as existsSync11 } from "fs";
 import { resolve as resolve12 } from "path";
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/setup-npm-dependencies-for-analysis.js
 var import_lodash9 = __toESM(require_lodash(), 1);
-import { link, mkdir as mkdir7 } from "fs/promises";
+import { existsSync as existsSync10 } from "fs";
+import { link, mkdir as mkdir7, readdir as readdir5 } from "fs/promises";
 import { availableParallelism } from "os";
 import { dirname as dirname12, join as join14, resolve as resolve11 } from "path";
 var { chunk } = import_lodash9.default;
 var ROOT_PACKAGE_METADATA_NAME = "UNIQUE_ROOT_PACKAGE_METADATA_NAME";
-async function setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, artifactIdToArtifact) {
+async function setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, artifactIdToArtifact, preinstallDir) {
   return await withTmpDirectory("npm-packages", async (tmpDir) => {
     const dirToInstallDependencies = resolve11(subprojectDir, "node_modules", ".jelly");
-    const { installedPackages, failedPackages } = await downloadDependenciesToDir(Object.values(artifactIdToArtifact), tmpDir);
-    const augmentedInstalledPackages = await extractDownloadedDependenciesToDir(dirToInstallDependencies, tmpDir, installedPackages);
+    let installedPackages;
+    let failedPackages;
+    if (preinstallDir && existsSync10(preinstallDir)) {
+      const existingFiles = await readdir5(preinstallDir);
+      installedPackages = [];
+      failedPackages = [];
+      for (const artifact of Object.values(artifactIdToArtifact)) {
+        const tarballName = artifact.name.replace("@", "").replace("/", "-");
+        const expectedFilename = artifact.version ? `${tarballName}-${artifact.version}.tgz` : void 0;
+        const matchingTgz = existingFiles.find((f2) => expectedFilename ? f2 === expectedFilename : f2.endsWith(".tgz") && f2.startsWith(tarballName + "-"));
+        if (matchingTgz) {
+          installedPackages.push({ artifact, tarFileName: resolve11(preinstallDir, matchingTgz) });
+        } else {
+          failedPackages.push(artifact);
+        }
+      }
+      logger.debug(`Reusing ${installedPackages.length} pre-installed tarballs from ${preinstallDir}`);
+    } else {
+      ({ installedPackages, failedPackages } = await downloadDependenciesToDir(Object.values(artifactIdToArtifact), tmpDir));
+    }
+    const augmentedInstalledPackages = await extractDownloadedDependenciesToDir(dirToInstallDependencies, preinstallDir ?? tmpDir, installedPackages);
     const packageMetadatas = convertToPackageMetadatas(workspaceDir, augmentedInstalledPackages, directDependencies, artifactIdToArtifact);
     const packagePlacements = computePackagePlacements(packageMetadatas, resolve11(subprojectDir, "node_modules"));
     await hardlinkPackages(packagePlacements);
@@ -111041,8 +111071,8 @@ function tarjanAndCondensation(packageMetadatas) {
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/dependency-preparation.js
-async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToArtifact, directDependencies, packageNamesToInstall) {
-  if (existsSync10(resolve12(subprojectDir, "node_modules")))
+async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToArtifact, directDependencies, packageNamesToInstall, preinstallDir) {
+  if (existsSync11(resolve12(subprojectDir, "node_modules")))
     return { failedPackages: [], installedPackages: [] };
   const artifactToOriginal = /* @__PURE__ */ new Map();
   const transitiveDependenciesToInstall = Object.fromEntries(Object.entries(artifactIdToArtifact).filter(([_, dep]) => packageNamesToInstall.includes(getPackageName(dep))).map(([depId, dep]) => {
@@ -111050,7 +111080,7 @@ async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToA
     artifactToOriginal.set(artifact, dep);
     return [depId, artifact];
   }));
-  const result = await setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, transitiveDependenciesToInstall);
+  const result = await setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, transitiveDependenciesToInstall, preinstallDir);
   return {
     failedPackages: result.failedPackages.map((artifact) => artifactToOriginal.get(artifact)),
     installedPackages: result.installedPackages.map((artifact) => artifactToOriginal.get(artifact))
@@ -111070,6 +111100,11 @@ function convertToArtifactForInstallation(dep) {
     dependencies: dep.dependencies
   };
 }
+async function validateNpmDependencyDownloads(artifactIdToArtifact, packageNamesToInstall, preinstallDir) {
+  const artifacts = Object.entries(artifactIdToArtifact).filter(([_, dep]) => packageNamesToInstall.includes(getPackageName(dep))).map(([_, dep]) => convertToArtifactForInstallation(dep));
+  const { failedPackages } = await downloadDependenciesToDir(artifacts, preinstallDir);
+  return failedPackages.map((p) => p.name);
+}
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/heuristics.js
 var lazyIndirectionBoundOptions = {
@@ -111333,7 +111368,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       ...new Set(state.vulnerabilities.flatMap((v) => Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).filter((d) => d.vulnerable === true).map((d) => d.packageName)))
     ];
     const packagesToInstall = !includePackages ? state.workspaceData.type === "coana" ? Object.values(state.workspaceData.data.dependencyTree.transitiveDependencies).map((dep) => getPackageName(dep)) : state.workspaceData.data.artifacts.map((dep) => getPackageName(dep)) : [.../* @__PURE__ */ new Set([...includePackages, ...vulnerablePackageNames])];
-    const { failedPackages } = await prepareNpmDependencies(state.rootWorkingDir, this.projectDir, state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(state.workspaceData.data.artifacts.map((d) => [d.id, d])), state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.dependencies ?? [] : state.workspaceData.data.artifacts.filter((a2) => a2.direct).map((a2) => a2.id), packagesToInstall);
+    const { failedPackages } = await prepareNpmDependencies(state.rootWorkingDir, this.projectDir, state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(state.workspaceData.data.artifacts.map((d) => [d.id, d])), state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.dependencies ?? [] : state.workspaceData.data.artifacts.filter((a2) => a2.direct).map((a2) => a2.id), packagesToInstall, state.preinstallDir);
     this.packagesExcludedUnrelatedToHeuristic = failedPackages.map((p) => getPackageName(p));
   }
   async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, experiment, telemetryHandler, analyzerTelemetryHandler) {
@@ -111487,7 +111522,7 @@ function transformSourceLocations(fileMappings, detectedOccurrences) {
 // dist/whole-program-code-aware-vulnerability-scanner/go/go-code-aware-vulnerability-scanner.js
 var import_lodash11 = __toESM(require_lodash(), 1);
 import assert5 from "assert";
-import { existsSync as existsSync11, createReadStream as createReadStream2, createWriteStream as createWriteStream4 } from "fs";
+import { existsSync as existsSync12, createReadStream as createReadStream2, createWriteStream as createWriteStream4 } from "fs";
 import { readFile as readFile10, rm as rm4, cp as cp6 } from "fs/promises";
 import zlib2 from "zlib";
 import { join as join16, resolve as resolve14, sep as sep3 } from "path";
@@ -111526,7 +111561,7 @@ var GoCodeAwareVulnerabilityScanner = class {
   }
   async runAnalysis(vulns, heuristic, timeoutInSeconds, _experiment, telemetryHandler, analyzerTelemetryHandler) {
     logger.info("Started instantiating Go code-aware analysis");
-    if (!existsSync11(join16(this.projectDir, "go.mod")))
+    if (!existsSync12(join16(this.projectDir, "go.mod")))
       throw new Error("go.mod file not found in the project directory");
     const { memoryLimitInMB } = this.options;
     const tmpDir = await createTmpDirectory("goana-output");
@@ -111607,7 +111642,7 @@ ${stderr}`);
     try {
       await cp6(Dir, projectDir, { recursive: true });
       const projGoMod = resolve14(projectDir, "go.mod");
-      if (!existsSync11(projGoMod))
+      if (!existsSync12(projGoMod))
         await cp6(GoMod, projGoMod);
       await exec2(cmdt`chmod --recursive +w ${projectDir}`);
       await runGoModTidy(projectDir);
@@ -111635,7 +111670,7 @@ ${stderr}`);
   }
   static async runOnAlreadyDownloadedPackages(packages, vuln, options) {
     for (const pkg of packages)
-      assert5(existsSync11(join16(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
+      assert5(existsSync12(join16(pkg, "go.mod")), `${pkg} does not contain a go.mod file`);
     const [app, ...dependencies] = packages;
     const projectDir = await createTmpDirectory("go-run-on-already-downloaded-packages-");
     try {
@@ -111666,6 +111701,8 @@ ${stderr}`);
       await rm4(projectDir, { recursive: true, force: true });
     }
   }
+  // Go dependencies are auto-installed during the reachability analysis process
+  // (e.g. by `go build`), so there are no pre-install failures to track here.
   getPackagesExcludedUnrelatedToHeuristic() {
     return [];
   }
@@ -111673,7 +111710,7 @@ ${stderr}`);
 
 // dist/whole-program-code-aware-vulnerability-scanner/rust/rust-code-aware-vulnerability-scanner.js
 var import_lodash12 = __toESM(require_lodash(), 1);
-import { existsSync as existsSync12 } from "node:fs";
+import { existsSync as existsSync13 } from "node:fs";
 import { readFile as readFile11, writeFile as writeFile9 } from "node:fs/promises";
 import { basename as basename10, dirname as dirname14, resolve as resolve15 } from "node:path";
 
@@ -111774,7 +111811,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
     let appCrateName;
     const appSrc = [];
     const dependencies = {};
-    const appCrateInfo = existsSync12(cargoTomlPath) ? await getCrateInfo(cargoTomlPath) : void 0;
+    const appCrateInfo = existsSync13(cargoTomlPath) ? await getCrateInfo(cargoTomlPath) : void 0;
     if (appCrateInfo?.name) {
       appSrc.push(...i([appCrateInfo.lib, ...appCrateInfo.examples ?? [], ...appCrateInfo.tests ?? []]));
       appCrateName = appCrateInfo.name.replaceAll("-", "_");
@@ -111886,7 +111923,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
         const appDependencies = {};
         if (rustDependencyChain[0].src && rustDependencyChain[0].src.length > 0) {
           const appCargoTomlPath = resolve15(rustDependencyChain[0].src[0], "..", "Cargo.toml");
-          if (existsSync12(appCargoTomlPath)) {
+          if (existsSync13(appCargoTomlPath)) {
             const cargoTomlDeps = await extractDependenciesFromCargoToml(appCargoTomlPath);
             for (const [packageName, names] of cargoTomlDeps.entries()) {
               const depId = packageNameToId.get(packageName);
@@ -111913,7 +111950,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
           const dependencies = {};
           if (dep.src && dep.src.length > 0) {
             const depCargoTomlPath = resolve15(dep.src[0], "..", "Cargo.toml");
-            if (existsSync12(depCargoTomlPath)) {
+            if (existsSync13(depCargoTomlPath)) {
               const cargoTomlDeps = await extractDependenciesFromCargoToml(depCargoTomlPath);
               for (const [packageName, names] of cargoTomlDeps.entries()) {
                 const transDepId = packageNameToId.get(packageName);
@@ -112042,7 +112079,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
     };
   }
   getPackagesExcludedUnrelatedToHeuristic() {
-    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync12(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)?.name).filter((name2) => name2 !== void 0).map((name2) => name2);
+    return Object.entries(this.deps).filter(([_, { src, bin }]) => !src?.length && (!bin || bin.some((f2) => !existsSync13(f2)))).map(([packageId]) => this.depIdToPurl.get(packageId)?.name).filter((name2) => name2 !== void 0).map((name2) => name2);
   }
 };
 async function convertDependencyChain3(dependencyChain, tmpDir) {
@@ -112074,7 +112111,7 @@ function getCargoLocalRepositoryPaths() {
     // Cargo git dependencies
     { path: resolve15(cargoHome, "git", "checkouts"), type: "git" }
   ];
-  return repositories.filter((repo) => existsSync12(repo.path));
+  return repositories.filter((repo) => existsSync13(repo.path));
 }
 async function findCargoPackageInLocalRepo(repo, packageName, version3, tmpDir) {
   try {
@@ -112114,10 +112151,10 @@ async function findCargoPackageInLocalRepo(repo, packageName, version3, tmpDir)
 }
 async function extractCargoCrate(crateFilePath, packageName, version3, tmpDir) {
   const packageDir = resolve15(tmpDir, `${packageName}-${version3}`);
-  if (existsSync12(packageDir)) {
+  if (existsSync13(packageDir)) {
     try {
       const cargoTomlPath = resolve15(packageDir, "Cargo.toml");
-      if (existsSync12(cargoTomlPath)) {
+      if (existsSync13(cargoTomlPath)) {
         const depCrateInfo = await getCrateInfo(cargoTomlPath);
         return [depCrateInfo.lib];
       }
@@ -112137,7 +112174,7 @@ async function extractCargoCrate(crateFilePath, packageName, version3, tmpDir) {
 }
 async function downloadAndExtractCargoCrate(packageName, version3, tmpDir) {
   const packageFile = resolve15(tmpDir, `${packageName}-${version3}.crate`);
-  if (!existsSync12(packageFile)) {
+  if (!existsSync13(packageFile)) {
     const packageUrl = getUrlForCrate(packageName, version3);
     const success = await downloadFile(packageUrl, packageFile);
     if (!success) {
@@ -112170,7 +112207,7 @@ async function convertSocketArtifacts3(artifacts, tmpDir, artifactNameToId) {
     const dependencies = {};
     if (src && src.length > 0) {
       const cargoTomlPath = resolve15(dirname14(src[0]), "Cargo.toml");
-      if (existsSync12(cargoTomlPath)) {
+      if (existsSync13(cargoTomlPath)) {
         const cargoTomlDeps = await extractDependenciesFromCargoToml(cargoTomlPath);
         for (const [packageName, names] of cargoTomlDeps.entries()) {
           const depArtifactId = artifactNameToId.get(packageName);
@@ -112443,12 +112480,12 @@ var PythonCodeAwareVulnerabilityScanner = class {
     this.projectDir = projectDir;
     this.vm = new PythonVersionsManager(state.rootWorkingDir);
   }
-  async prepareDependencies(preInstalledDepInfos, vulns, heuristic) {
+  async prepareDependencies(preInstalledDepInfos, vulns, heuristic, preinstallDir) {
     const packagesToExclude = heuristic.getPackagesToExcludeFromAnalysis?.(vulns);
     const packagesToInstall = uniqBy(preInstalledDepInfos.filter((n) => !packagesToExclude?.has(n.packageName)), "packageName");
-    if (!await this.tryUsingPreinstalledVirtualEnv(packagesToInstall)) {
+    if (!await this.tryUsingPreinstalledVirtualEnv(packagesToInstall) && !(preinstallDir && await this.tryUsingVenvFromPreinstallDir(preinstallDir))) {
       logger.info(`Setting up virtual environment`);
-      await this.prepareVirtualEnv(packagesToInstall);
+      await this.prepareVirtualEnv(packagesToInstall, preinstallDir);
       logger.info("Done setting up virtual environment");
     }
   }
@@ -112663,7 +112700,7 @@ ${msg}`;
   // public for testing only
   async tryUsingPreinstalledVirtualEnv(packages) {
     const preinstallVirtualEnvPath = resolve17(this.projectDir, ".venv");
-    if (!existsSync13(preinstallVirtualEnvPath))
+    if (!existsSync14(preinstallVirtualEnvPath))
       return false;
     logger.info(`Checking preinstalled virtual environment at ${preinstallVirtualEnvPath}`);
     try {
@@ -112684,12 +112721,20 @@ ${msg}`;
     await this.updateVirtualEnvInfo(this.projectDir);
     return true;
   }
+  async tryUsingVenvFromPreinstallDir(preinstallDir) {
+    const venvPath = join17(preinstallDir, ".venv");
+    if (!existsSync14(venvPath))
+      return false;
+    logger.info(`Reusing virtual environment from pre-install at ${venvPath}`);
+    await this.updateVirtualEnvInfo(preinstallDir);
+    return true;
+  }
   // public for testing only
-  async prepareVirtualEnv(packages) {
+  async prepareVirtualEnv(packages, preinstallDir) {
     const uvCommand = getUvCommand();
     if (!await hasUv())
       throw new Error("uv (https://docs.astral.sh/uv/) is missing, but is required for Python analysis");
-    const tmpDir = await createTmpDirectory("coana-python-analysis-venv");
+    const tmpDir = preinstallDir ?? await createTmpDirectory("coana-python-analysis-venv");
     const virtualEnvFolder = join17(tmpDir, ".venv");
     const pythonExecutable = await this.vm.getPythonExecutableForWorkspace(this.projectDir, false);
     await exec2(cmdt`${uvCommand} venv --python ${pythonExecutable} .venv`, tmpDir);
@@ -112762,7 +112807,7 @@ ${msg}`;
     await this.updateVirtualEnvInfo(tmpDir, installStats);
   }
   async updateVirtualEnvInfo(virtualEnvFolder, packageInstallationStats) {
-    const entries = await readdir5(join17(virtualEnvFolder, ".venv", "lib"));
+    const entries = await readdir6(join17(virtualEnvFolder, ".venv", "lib"));
     const pydir = entries.find((entry) => entry.startsWith("python"));
     assert6(pydir, `No python* directory found in virtual environment: ${util5.inspect(entries)}`);
     this.virtualEnvInfo = {
@@ -112859,7 +112904,7 @@ async function setupMambalade() {
   logger.debug(`Using Python interpreter: ${python}`);
   await exec2(cmdt`${uvCommand} venv --no-project --no-config --python=${python} .`, venvDir);
   const mambaladeWheelsPath = ToolPathResolver.mambaladeDistPath;
-  const mambaladeWheels = (await readdir5(mambaladeWheelsPath)).filter((f2) => f2.endsWith(".whl")).map((f2) => join17(mambaladeWheelsPath, f2));
+  const mambaladeWheels = (await readdir6(mambaladeWheelsPath)).filter((f2) => f2.endsWith(".whl")).map((f2) => join17(mambaladeWheelsPath, f2));
   if (!mambaladeWheels.length)
     throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
   logger.debug(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
@@ -112995,6 +113040,13 @@ async function processProject(projectDir) {
   }, 4)).flat());
 }
 
+// dist/analyzers/analyzer.js
+function checkForInstallErrors(failedPackages, otherAnalysisOptions) {
+  if (failedPackages.length > 0 && otherAnalysisOptions.haltOnInstallErrors) {
+    throw new InstallError(failedPackages);
+  }
+}
+
 // dist/analyzers/pip-analyzer.js
 var { once: once4 } = import_lodash16.default;
 var PipAnalyzer = class {
@@ -113013,9 +113065,16 @@ var PipAnalyzer = class {
     this.heuristic = MambaladeHeuristics.createOnlyVulnPathPackagesHeuristic(this.preInstalledDepInfos);
   }
   prepareScanner = once4(async () => {
-    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic);
+    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic, this.state.preinstallDir);
     return this.scanner;
   });
+  async installDependencies(preinstallDir) {
+    if (existsSync15(resolve19(this.projectDir, ".venv")))
+      return [];
+    const scanner = new PythonCodeAwareVulnerabilityScanner(this.state, this.projectDir);
+    await scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic, preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     const info = (await this.prepareScanner()).getVirtualEnvInfo();
     assert7(info !== void 0);
@@ -113038,6 +113097,7 @@ var PipAnalyzer = class {
     };
     try {
       const scanner = await this.prepareScanner();
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const venvInfo = scanner.getVirtualEnvInfo();
       this.preinstalledDependencies = venvInfo !== void 0 && !venvInfo.temporary ? "YES" : "NO";
       return await analyzeWithHeuristics(this.state, vulns, [this.heuristic], false, scanner, wrappedCollector, statusUpdater);
@@ -113514,6 +113574,15 @@ var GoAnalyzer = class {
     this.state = state;
     this.projectDir = projectDir;
   }
+  async installDependencies(_preinstallDir) {
+    try {
+      await runCommandResolveStdOut2(cmdt`go build ./...`, this.projectDir);
+      return [];
+    } catch (e) {
+      logger.warn(`go build failed for ${this.projectDir}: ${e instanceof Error ? e.message : String(e)}`);
+      return ["(go build failure)"];
+    }
+  }
   async runPhantomDependencyAnalysis() {
     return void 0;
   }
@@ -113601,9 +113670,16 @@ var MavenAnalyzer = class {
   constructor(state) {
     this.state = state;
   }
+  async createScanner(tmpDir, statusUpdater) {
+    return this.state.workspaceData.type === "coana" ? JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir, statusUpdater) : JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+  }
+  async installDependencies(preinstallDir) {
+    const scanner = await this.createScanner(preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("maven-phantom-dependency-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? await JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir) : await JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir);
+      const scanner = await this.createScanner(tmpDir);
       return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
@@ -113615,11 +113691,17 @@ var MavenAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    return withTmpDirectory("maven-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? await JavaCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, tmpDir, statusUpdater) : await JavaCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+    const preinstallDir = this.state.preinstallDir;
+    const runWithTmpDir = async (tmpDir) => {
+      const scanner = await this.createScanner(tmpDir, statusUpdater);
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const heuristicsInOrder = [AlucardHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, wrappedCollector, statusUpdater);
-    });
+    };
+    if (preinstallDir) {
+      return runWithTmpDir(preinstallDir);
+    }
+    return withTmpDirectory("maven-reachability-analysis", runWithTmpDir);
   }
   async getWorkspaceDiagnostics() {
     let sourceFilesDetected;
@@ -113648,7 +113730,7 @@ var MavenAnalyzer = class {
 // dist/analyzers/npm-analyzer.js
 var import_lodash19 = __toESM(require_lodash(), 1);
 var import_picomatch4 = __toESM(require_picomatch2(), 1);
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync16 } from "fs";
 import { rm as rm6 } from "fs/promises";
 import { relative as relative8, resolve as resolve20 } from "path";
 
@@ -113675,6 +113757,17 @@ var NpmAnalyzer = class {
     this.state = state;
     this.projectDir = projectDir;
   }
+  async installDependencies(preinstallDir) {
+    if (existsSync16(resolve20(this.state.subprojectDir, "node_modules")))
+      return [];
+    const artifactIdToArtifact = this.state.workspaceData.type === "coana" ? this.state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(this.state.workspaceData.data.artifacts.map((d) => [d.id, d]));
+    const vulnPathPackages = computePackagesOnVulnPath(this.state.vulnerabilities);
+    const vulnerablePackageNames = [
+      ...new Set(this.state.vulnerabilities.flatMap((v) => Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).filter((d) => d.vulnerable === true).map((d) => d.packageName)))
+    ];
+    const packagesToInstall = [.../* @__PURE__ */ new Set([...vulnPathPackages, ...vulnerablePackageNames])];
+    return validateNpmDependencyDownloads(artifactIdToArtifact, packagesToInstall, preinstallDir);
+  }
   async runPhantomDependencyAnalysis() {
     try {
       return (await runJellyPhantomDependencyAnalysis(this.projectDir, this.state.reachabilityAnalysisOptions)).map((r) => r.name);
@@ -113684,7 +113777,7 @@ var NpmAnalyzer = class {
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
     const heuristicsInOrder = this.state.otherAnalysisOptions.lightweightReachability ? [heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3] : [heuristics.ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE];
-    const nodeModulesAlreadyExisted = existsSync14(resolve20(this.state.subprojectDir, "node_modules"));
+    const nodeModulesAlreadyExisted = existsSync16(resolve20(this.state.subprojectDir, "node_modules"));
     this.preinstalledDependencies = nodeModulesAlreadyExisted ? "YES" : "NO";
     const wrappedCollector = (metadata) => {
       const jellyDiagnostics = metadata.analysisDiagnostics;
@@ -113696,6 +113789,7 @@ var NpmAnalyzer = class {
     try {
       const vulnerabilityScanner = new JSCodeAwareVulnerabilityScanner(this.state.rootWorkingDir, this.projectDir, this.state.reachabilityAnalysisOptions);
       await vulnerabilityScanner.prepareDependencies(this.state, heuristicsInOrder[0]);
+      checkForInstallErrors(vulnerabilityScanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       logger.info(`Running import reachability analysis for ${vulns.length} ${pluralize(vulns.length, "vulnerability")}`);
       let reachable;
       const ghsaIds = extractGhsaIdsFromVulnUrls(vulns.map((v) => v.url));
@@ -113809,9 +113903,9 @@ ${e.stack}` : String(e),
       return res;
     } finally {
       if (!nodeModulesAlreadyExisted) {
-        if (existsSync14(resolve20(this.state.subprojectDir, "node_modules")))
+        if (existsSync16(resolve20(this.state.subprojectDir, "node_modules")))
           await rm6(resolve20(this.state.subprojectDir, "node_modules"), { recursive: true });
-        if (existsSync14(resolve20(this.projectDir, "node_modules")))
+        if (existsSync16(resolve20(this.projectDir, "node_modules")))
           await rm6(resolve20(this.projectDir, "node_modules"), { recursive: true });
       }
     }
@@ -113852,9 +113946,16 @@ var NugetAnalyzer = class {
   constructor(state) {
     this.state = state;
   }
+  async createScanner(tmpDir, statusUpdater) {
+    return this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+  }
+  async installDependencies(preinstallDir) {
+    const scanner = await this.createScanner(preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("nuget-phantom-dependency-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree) : await DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir);
+      const scanner = await this.createScanner(tmpDir);
       return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
@@ -113866,11 +113967,17 @@ var NugetAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    return withTmpDirectory("nuget-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? DotnetCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : await DotnetCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspaceData.data.manifestFiles, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+    const preinstallDir = this.state.preinstallDir;
+    const runWithTmpDir = async (tmpDir) => {
+      const scanner = await this.createScanner(tmpDir, statusUpdater);
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const heuristicsInOrder = [CocoaHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, wrappedCollector, statusUpdater);
-    });
+    };
+    if (preinstallDir) {
+      return runWithTmpDir(preinstallDir);
+    }
+    return withTmpDirectory("nuget-reachability-analysis", runWithTmpDir);
   }
   async getWorkspaceDiagnostics() {
     let sourceFilesDetected;
@@ -113898,13 +114005,13 @@ var NugetAnalyzer = class {
 
 // dist/analyzers/ruby-analyzer.js
 var import_lodash21 = __toESM(require_lodash(), 1);
-import { existsSync as existsSync16 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 import { resolve as resolve21 } from "path";
 
 // dist/whole-program-code-aware-vulnerability-scanner/ruby/ruby-code-aware-vulnerability-scanner.js
 var import_lodash20 = __toESM(require_lodash(), 1);
-import { createWriteStream as createWriteStream5, existsSync as existsSync15 } from "fs";
-import { mkdir as mkdir9, readdir as readdir6, readFile as readFile13, rm as rm7 } from "fs/promises";
+import { createWriteStream as createWriteStream5, existsSync as existsSync17 } from "fs";
+import { mkdir as mkdir9, readdir as readdir7, readFile as readFile13, rm as rm7 } from "fs/promises";
 import { join as join18, relative as relative9 } from "path";
 import { pipeline as pipeline3 } from "stream/promises";
 var PRINT_ANALYSIS_COMMAND = false;
@@ -113921,12 +114028,12 @@ var RubyCodeAwareVulnerabilityScanner = class {
     this.projectDir = projectDir;
     this.options = options;
   }
-  async prepareDependencies(preInstalledDepInfos, vulns, heuristic) {
-    const vendorDir = join18(this.projectDir, "vendor");
-    if (existsSync15(vendorDir)) {
+  async prepareDependencies(preInstalledDepInfos, vulns, heuristic, preinstallDir) {
+    const vendorDir = preinstallDir ?? join18(this.projectDir, "vendor");
+    if (existsSync17(vendorDir)) {
       logger.info(`Vendor directory already exists at ${vendorDir}, skipping gem installation`);
       this.vendorDir = vendorDir;
-      this.vendorDirWasCreated = false;
+      this.vendorDirWasCreated = !preinstallDir;
       return;
     }
     const packagesToIncludeNames = heuristic.getPackagesToIncludeInAnalysis?.(vulns)?.map((p) => p.packageName);
@@ -113957,7 +114064,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
       if (!this.vendorDir)
         throw new Error("Assertion error: The vendor directory is not correctly initialized");
       const analyzerPath = ToolPathResolver.callgraphReachabilityAnalyzersCliPath;
-      if (!existsSync15(analyzerPath))
+      if (!existsSync17(analyzerPath))
         throw new Error(`callgraph-reachability-analyzers CLI not found at ${analyzerPath}`);
       const vulnAccPaths = sortedUniq2(vulns.flatMap((v) => v.vulnerabilityAccessPaths).sort());
       const vulnsOutputFile = join18(tmpDir, "vulns.json");
@@ -113968,12 +114075,12 @@ var RubyCodeAwareVulnerabilityScanner = class {
       const loadPaths = Array.from(loadPathsToPackageNames.keys());
       if (failedToFindLoadPath.length > 0) {
         this.packagesExcludedUnrelatedToHeuristic.push(...failedToFindLoadPath.map((p) => p.packageName));
-        logger.warn(`Failed to find package installation path for ${failedToFindLoadPath.map((p) => p.packageName).join(", ")}`);
+        logger.debug(`Failed to find package installation path for ${failedToFindLoadPath.map((p) => p.packageName).join(", ")}`);
       }
       if (loadPaths.length === 0) {
         return {
           type: "error",
-          message: "No load paths found for the packages to analyze"
+          message: `${FAILED_TO_INSTALL_PACKAGE_KEY}No load paths found for the packages to analyze`
         };
       }
       const cmd = cmdt`
@@ -114032,7 +114139,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
     return this.packagesExcludedUnrelatedToHeuristic;
   }
   async cleanup() {
-    if (this.vendorDirWasCreated && this.vendorDir && existsSync15(this.vendorDir)) {
+    if (this.vendorDirWasCreated && this.vendorDir && existsSync17(this.vendorDir)) {
       logger.info(`Deleting auto-generated vendor directory at ${this.vendorDir}`);
       await rm7(this.vendorDir, { recursive: true, force: true }).catch(() => {
       });
@@ -114048,7 +114155,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
     if (this.vendorDirWasCreated) {
       for (const pkg of packagesToAnalyze) {
         const libPath = join18(this.vendorDir, `${pkg.packageName}-${pkg.version}`, "lib");
-        if (existsSync15(libPath))
+        if (existsSync17(libPath))
           loadPathsToPackageNames.set(libPath, `${pkg.packageName}@${pkg.version}`);
         else
           failedToFindLoadPath.push(pkg);
@@ -114056,13 +114163,13 @@ var RubyCodeAwareVulnerabilityScanner = class {
       return { loadPathsToPackageNames, failedToFindLoadPath };
     }
     const bundlerGemsDir = join18(this.vendorDir, "bundle", "ruby");
-    if (existsSync15(bundlerGemsDir)) {
-      const rubyVersions = await readdir6(bundlerGemsDir);
+    if (existsSync17(bundlerGemsDir)) {
+      const rubyVersions = await readdir7(bundlerGemsDir);
       for (const rubyVersion of rubyVersions) {
         const gemsDir = join18(bundlerGemsDir, rubyVersion, "gems");
-        if (existsSync15(gemsDir)) {
+        if (existsSync17(gemsDir)) {
           const nameToEntry = /* @__PURE__ */ new Map();
-          for (const entry of await readdir6(gemsDir, { withFileTypes: true }))
+          for (const entry of await readdir7(gemsDir, { withFileTypes: true }))
             if (entry.isDirectory()) {
               const match2 = entry.name.match(/^([\w-_]+)-(\d+\.\d+\.\d+)/);
               if (match2)
@@ -114073,7 +114180,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
             if (!entry)
               continue;
             const libDir = join18(gemsDir, entry, "lib");
-            if (existsSync15(libDir))
+            if (existsSync17(libDir))
               loadPathsToPackageNames.set(libDir, `${pkg.packageName}@${pkg.version}`);
             else
               failedToFindLoadPath.push(pkg);
@@ -114083,7 +114190,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
     } else
       for (const pkg of packagesToAnalyze) {
         const libPath = join18(this.vendorDir, `${pkg.packageName}-${pkg.version}`, "lib");
-        if (existsSync15(libPath))
+        if (existsSync17(libPath))
           loadPathsToPackageNames.set(libPath, `${pkg.packageName}@${pkg.version}`);
         else
           failedToFindLoadPath.push(pkg);
@@ -114093,7 +114200,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
 };
 async function downloadAndExtractGem(gemName, version3, vendorDir) {
   const gemDir = join18(vendorDir, `${gemName}-${version3}`);
-  if (existsSync15(gemDir)) {
+  if (existsSync17(gemDir)) {
     logger.debug(`Gem ${gemName}@${version3} already extracted`);
     return;
   }
@@ -114146,9 +114253,16 @@ var RubyGemsAnalyzer = class {
     this.scanner = new RubyCodeAwareVulnerabilityScanner(state, projectDir);
   }
   prepareScanner = once5(async () => {
-    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), RubyHeuristics.ONLY_VULN_PATH_PACKAGES);
+    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), RubyHeuristics.ONLY_VULN_PATH_PACKAGES, this.state.preinstallDir);
     return this.scanner;
   });
+  async installDependencies(preinstallDir) {
+    if (existsSync18(resolve21(this.projectDir, "vendor")))
+      return [];
+    const scanner = new RubyCodeAwareVulnerabilityScanner(this.state, this.projectDir);
+    await scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), RubyHeuristics.ONLY_VULN_PATH_PACKAGES, preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return void 0;
   }
@@ -114160,9 +114274,11 @@ var RubyGemsAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    this.preinstalledDependencies = existsSync16(resolve21(this.projectDir, "vendor")) ? "YES" : "NO";
+    this.preinstalledDependencies = existsSync18(resolve21(this.projectDir, "vendor")) ? "YES" : "NO";
     try {
-      return await analyzeWithHeuristics(this.state, vulns, [RubyHeuristics.ONLY_VULN_PATH_PACKAGES], false, await this.prepareScanner(), wrappedCollector, statusUpdater);
+      const scanner = await this.prepareScanner();
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
+      return await analyzeWithHeuristics(this.state, vulns, [RubyHeuristics.ONLY_VULN_PATH_PACKAGES], false, scanner, wrappedCollector, statusUpdater);
     } finally {
       await this.scanner.cleanup();
     }
@@ -114220,9 +114336,16 @@ var RustAnalyzer = class {
   constructor(state) {
     this.state = state;
   }
+  async createScanner(tmpDir, statusUpdater) {
+    return this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+  }
+  async installDependencies(preinstallDir) {
+    const scanner = await this.createScanner(preinstallDir);
+    return scanner.getPackagesExcludedUnrelatedToHeuristic();
+  }
   async runPhantomDependencyAnalysis() {
     return withTmpDirectory("cargo-phantom-dependency-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree) : await RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir);
+      const scanner = await this.createScanner(tmpDir);
       return scanner.runPhantomDependencyAnalysis(this.state.reachabilityAnalysisOptions.timeoutSeconds.allVulnRuns);
     });
   }
@@ -114234,11 +114357,17 @@ var RustAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
-    return withTmpDirectory("cargo-reachability-analysis", async (tmpDir) => {
-      const scanner = this.state.workspaceData.type === "coana" ? RustCodeAwareVulnerabilityScanner.initFromDependencyTree(this.state.workspaceData.data.dependencyTree, statusUpdater) : await RustCodeAwareVulnerabilityScanner.initFromSocketArtifacts(this.state.subprojectDir, this.state.workspacePath, this.state.workspaceData.data.artifacts, tmpDir, statusUpdater);
+    const preinstallDir = this.state.preinstallDir;
+    const runWithTmpDir = async (tmpDir) => {
+      const scanner = await this.createScanner(tmpDir, statusUpdater);
+      checkForInstallErrors(scanner.getPackagesExcludedUnrelatedToHeuristic(), this.state.otherAnalysisOptions);
       const heuristicsInOrder = [RusticaHeuristics.ALL_PACKAGES];
       return await analyzeWithHeuristics(this.state, vulns, heuristicsInOrder, false, scanner, wrappedCollector, statusUpdater);
-    });
+    };
+    if (preinstallDir) {
+      return runWithTmpDir(preinstallDir);
+    }
+    return withTmpDirectory("cargo-reachability-analysis", runWithTmpDir);
   }
   async getWorkspaceDiagnostics() {
     let sourceFilesDetected;
@@ -114277,6 +114406,17 @@ var ecosystemAnalyzer = {
 };
 var apiKey2 = COANA_API_KEY ? { type: "present", value: COANA_API_KEY } : { type: "missing" };
 var dashboardAPI3 = new DashboardAPI(process.env.SOCKET_MODE === "true", process.env.DISABLE_ANALYTICS_SHARING === "true");
+async function installDependenciesForAnalysis(state, preinstallDir) {
+  const projectDir = resolve22(state.subprojectDir, state.workspacePath);
+  const ecosystem = state.workspaceData.data.type;
+  logger.info(`Pre-installing dependencies for project at "${relative10(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
+  const constructor = ecosystemAnalyzer[ecosystem];
+  if (!constructor)
+    throw Error(`No analyzer associated with ecosystem ${ecosystem}`);
+  const analyzer = new constructor(state, projectDir);
+  const failedPackages = await analyzer.installDependencies(preinstallDir);
+  return { failedPackages };
+}
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve22(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
@@ -114308,9 +114448,30 @@ async function getReachabilityAnalyzersStateFromInput(rootWorkingDir, subproject
 }
 
 // dist/reachability-analyzers-cli.js
-var runReachabilityAnalysisCmd = new Command().name("runReachabilityAnalysis").argument("<rootWorkingDir>", "Directory where Coana is run").argument("<subprojectDir>", "Project root of directory being analyzed").argument("<workspacePath>", "Path to directory to analyze relative to subprojectDir").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--coana-socket-path <socketPath>", "Coana socket path").option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).requiredOption("-i, --input-file <inputFile>", "Input file for data and vulnerabilities").requiredOption("-o, --output-file <outputFile>", "Output file for the results").configureHelp({ sortSubcommands: true, sortOptions: true }).action(async (rootWorkingDir, subprojectDir, workspacePath, options) => withLoggerAndSpinner("Coana Reachability Analyzers", options, async () => {
+var runReachabilityAnalysisCmd = new Command().name("runReachabilityAnalysis").argument("<rootWorkingDir>", "Directory where Coana is run").argument("<subprojectDir>", "Project root of directory being analyzed").argument("<workspacePath>", "Path to directory to analyze relative to subprojectDir").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--coana-socket-path <socketPath>", "Coana socket path").option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--preinstall-dir <preinstallDir>", "Directory with pre-installed dependencies").requiredOption("-i, --input-file <inputFile>", "Input file for data and vulnerabilities").requiredOption("-o, --output-file <outputFile>", "Output file for the results").configureHelp({ sortSubcommands: true, sortOptions: true }).action(async (rootWorkingDir, subprojectDir, workspacePath, options) => withLoggerAndSpinner("Coana Reachability Analyzers", options, async () => {
+  try {
+    const state = await getReachabilityAnalyzersStateFromInput(rootWorkingDir, subprojectDir, workspacePath, options.inputFile);
+    if (options.preinstallDir) {
+      state.preinstallDir = options.preinstallDir;
+    }
+    const result = await runReachabilityAnalysis(state);
+    if (options.outputFile) {
+      logger.debug("Writing result to file", options.outputFile);
+      await writeFile10(options.outputFile, JSON.stringify({ result }));
+    } else {
+      logger.info("Result:", JSON.stringify(result, null, 2));
+    }
+  } catch (e) {
+    if (e instanceof InstallError && options.outputFile) {
+      await writeFile10(options.outputFile, JSON.stringify({ error: { type: "InstallError", failedPackages: e.failedPackages } }));
+      return;
+    }
+    throw e;
+  }
+}, "reachability-analyzer"));
+var installDependenciesCmd = new Command().name("installDependencies").argument("<rootWorkingDir>", "Directory where Coana is run").argument("<subprojectDir>", "Project root of directory being analyzed").argument("<workspacePath>", "Path to directory to analyze relative to subprojectDir").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--coana-socket-path <socketPath>", "Coana socket path").option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).requiredOption("-i, --input-file <inputFile>", "Input file for data and vulnerabilities").requiredOption("-o, --output-file <outputFile>", "Output file for the results").requiredOption("--preinstall-dir <preinstallDir>", "Directory to install dependencies into").configureHelp({ sortSubcommands: true, sortOptions: true }).action(async (rootWorkingDir, subprojectDir, workspacePath, options) => withLoggerAndSpinner("Coana Reachability Analyzers - Install Dependencies", options, async () => {
   const state = await getReachabilityAnalyzersStateFromInput(rootWorkingDir, subprojectDir, workspacePath, options.inputFile);
-  const result = await runReachabilityAnalysis(state);
+  const result = await installDependenciesForAnalysis(state, options.preinstallDir);
   if (options.outputFile) {
     logger.debug("Writing result to file", options.outputFile);
     await writeFile10(options.outputFile, JSON.stringify({ result }));
@@ -114366,7 +114527,7 @@ var runOnPackageRegistryPackageCmd = new Command().name("runOnPackageRegistryPac
     }
   }, "reachability-analyzer");
 });
-new Command().addCommand(runReachabilityAnalysisCmd, { isDefault: true }).addCommand(runOnDependencyChainCmd).addCommand(runOnPackageRegistryPackageCmd).parseAsync();
+new Command().addCommand(runReachabilityAnalysisCmd, { isDefault: true }).addCommand(installDependenciesCmd).addCommand(runOnDependencyChainCmd).addCommand(runOnPackageRegistryPackageCmd).parseAsync();
 /*! Bundled license information:
 
 safe-buffer/index.js: