@coana-tech/cli 14.12.203 → 14.12.204

package/cli.mjs

@@ -251508,7 +251508,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.203";
+var version3 = "14.12.204";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.203",
+  "version": "14.12.204",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -79680,12 +79680,12 @@ esm_default(axiosClient2, {
     logger.error(`Failed to fetch data after ${retryCount} attempts. Error: ${error.message}`);
   }
 });
-async function getVulnerabilityMetadata(data2, apiKey3, timeout) {
+async function getVulnerabilityMetadata(data2, apiKey4, timeout) {
   try {
-    const url2 = apiKey3.type === "present" ? ApiUrls.post.getVulnerabilityMetadata : ApiUrls.post.getVulnerabilityMetadataPublic;
+    const url2 = apiKey4.type === "present" ? ApiUrls.post.getVulnerabilityMetadata : ApiUrls.post.getVulnerabilityMetadataPublic;
     const headers = {
       "Content-Type": "application/json",
-      ...apiKey3.type === "present" ? { authorization: `api-key ${apiKey3.value}` } : {}
+      ...apiKey4.type === "present" ? { authorization: `api-key ${apiKey4.value}` } : {}
     };
     const response = await axiosClient2.post(url2, { packages: data2.packages }, { headers, timeout: timeout ?? 2e4 });
     return response.data;
@@ -79837,10 +79837,10 @@ var coanaAPIUrls = {
   SUBMIT_REPORT_WARNING: `${coanaAPI}/cli/warn`,
   SUBMIT_REPORT_ERROR: `${coanaAPI}/cli/error`
 };
-async function createCoanaReport(repoUrl, projectName, cliVersion2, commitSha, branchName, cliOptions, apiKey3, cliRunEnv) {
-  if (apiKey3.type === "missing") throw new Error("Don't call createReport with a missing apiKey");
+async function createCoanaReport(repoUrl, projectName, cliVersion2, commitSha, branchName, cliOptions, apiKey4, cliRunEnv) {
+  if (apiKey4.type === "missing") throw new Error("Don't call createReport with a missing apiKey");
   try {
-    return (await sendPostRequest(coanaAPIUrls.CREATE_REPORT, apiKey3.value, { repoUrl, projectName }, {
+    return (await sendPostRequest(coanaAPIUrls.CREATE_REPORT, apiKey4.value, { repoUrl, projectName }, {
       reportType: "v6",
       cliVersion: cliVersion2,
       commitSha,
@@ -79853,26 +79853,26 @@ async function createCoanaReport(repoUrl, projectName, cliVersion2, commitSha, b
     throw new Error("we should never reach this point");
   }
 }
-async function registerSubprojectsCoana(subprojects, reportId, apiKey3) {
-  if (!reportId || apiKey3.type === "missing") return;
+async function registerSubprojectsCoana(subprojects, reportId, apiKey4) {
+  if (!reportId || apiKey4.type === "missing") return;
   try {
     await sendPostRequest(
       `${coanaAPIUrls.REPORT_SUBPROJECTS.replace(":reportId", reportId)}`,
-      apiKey3.value,
+      apiKey4.value,
       {},
       subprojects
     );
   } catch (e) {
-    sendWarningToDashboard("Unable to submit subprojects", { reportId }, subprojects, reportId, apiKey3);
+    sendWarningToDashboard("Unable to submit subprojects", { reportId }, subprojects, reportId, apiKey4);
     logger.warn("Unable to submit subprojects:", e.message);
   }
 }
-async function registerAnalysisMetadataCoana(subprojectPath, workspacePath, ecosystem, analysisMetadata, reportId, apiKey3) {
-  if (!reportId || apiKey3.type === "missing") return;
+async function registerAnalysisMetadataCoana(subprojectPath, workspacePath, ecosystem, analysisMetadata, reportId, apiKey4) {
+  if (!reportId || apiKey4.type === "missing") return;
   try {
     await sendPostRequest(
       coanaAPIUrls.CREATE_ANALYSIS_METADATA.replace(":reportId", reportId),
-      apiKey3.value,
+      apiKey4.value,
       {},
       { subprojectPath, workspacePath, ecosystem, ...analysisMetadata }
     );
@@ -79880,13 +79880,13 @@ async function registerAnalysisMetadataCoana(subprojectPath, workspacePath, ecos
     handleError(e, "Unable to create analysis metadata");
   }
 }
-async function getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, newReportId, apiKey3) {
-  if (!newReportId || apiKey3.type === "missing") return;
+async function getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, newReportId, apiKey4) {
+  if (!newReportId || apiKey4.type === "missing") return;
   try {
     return (await axios_default.get(coanaAPIUrls.GET_LATEST_BUCKETS, {
       headers: {
         "Content-Type": "application/json",
-        apiKey: apiKey3.value
+        apiKey: apiKey4.value
       },
       params: { newReportId, subprojectPath, workspacePath, ecosystem }
     })).data;
@@ -79897,18 +79897,18 @@ async function getBucketsForLastReport(subprojectPath, workspacePath, ecosystem,
       { subprojectPath, workspacePath, newReportId },
       void 0,
       newReportId,
-      apiKey3
+      apiKey4
     );
     logger.warn("Unable to get latest buckets:", e.message);
   }
 }
-async function getPreviousAnalysisResults(subprojectPath, workspacePath, newReportId, apiKey3) {
-  if (!newReportId || apiKey3.type === "missing") return;
+async function getPreviousAnalysisResults(subprojectPath, workspacePath, newReportId, apiKey4) {
+  if (!newReportId || apiKey4.type === "missing") return;
   try {
     return (await axios_default.get(coanaAPIUrls.GET_LATEST_RESULTS, {
       headers: {
         "Content-Type": "application/json",
-        apiKey: apiKey3.value
+        apiKey: apiKey4.value
       },
       params: { newReportId, subprojectPath, workspacePath }
     })).data;
@@ -79918,7 +79918,7 @@ async function getPreviousAnalysisResults(subprojectPath, workspacePath, newRepo
       { subprojectPath, workspacePath, newReportId },
       void 0,
       newReportId,
-      apiKey3
+      apiKey4
     );
     logger.warn(
       "Unable to fetch cached configurations from previous runs - Analysis will continue without cache:",
@@ -79926,12 +79926,12 @@ async function getPreviousAnalysisResults(subprojectPath, workspacePath, newRepo
     );
   }
 }
-async function sendRegressionsToDashboard(regressions, subprojectPath, workspacePath, reportId, apiKey3) {
-  if (!reportId || apiKey3.type === "missing") return;
+async function sendRegressionsToDashboard(regressions, subprojectPath, workspacePath, reportId, apiKey4) {
+  if (!reportId || apiKey4.type === "missing") return;
   try {
     await sendPostRequest(
       coanaAPIUrls.CREATE_REGRESSIONS.replace(":reportId", reportId),
-      apiKey3.value,
+      apiKey4.value,
       { subprojectPath, workspacePath },
       regressions
     );
@@ -79941,7 +79941,7 @@ async function sendRegressionsToDashboard(regressions, subprojectPath, workspace
       { subprojectPath, workspacePath, reportId },
       void 0,
       reportId,
-      apiKey3
+      apiKey4
     );
     logger.warn(
       "Unable to send regressions from experimental runs to Coana - The analysis will continue with non-experimental scans:",
@@ -79949,13 +79949,13 @@ async function sendRegressionsToDashboard(regressions, subprojectPath, workspace
     );
   }
 }
-async function getExperimentName(subprojectPath, workspacePath, ecosystem, reportId, apiKey3) {
-  if (!reportId || apiKey3.type === "missing") return;
+async function getExperimentName(subprojectPath, workspacePath, ecosystem, reportId, apiKey4) {
+  if (!reportId || apiKey4.type === "missing") return;
   try {
     return (await axios_default.get(coanaAPIUrls.GET_EXPERIMENT_NAME, {
       headers: {
         "Content-Type": "application/json",
-        apiKey: apiKey3.value
+        apiKey: apiKey4.value
       },
       params: { subprojectPath, workspacePath, ecosystem, reportId }
     })).data;
@@ -79965,16 +79965,16 @@ async function getExperimentName(subprojectPath, workspacePath, ecosystem, repor
       { subprojectPath, workspacePath, ecosystem, reportId },
       void 0,
       reportId,
-      apiKey3
+      apiKey4
     );
   }
 }
-async function registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId, apiKey3) {
-  if (!reportId || apiKey3.type === "missing") return;
+async function registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId, apiKey4) {
+  if (!reportId || apiKey4.type === "missing") return;
   try {
     await sendPostRequest(
       coanaAPIUrls.REPORT_CLI_PROGRESS.replace(":reportId", reportId),
-      apiKey3.value,
+      apiKey4.value,
       { isStartEvent, time: (/* @__PURE__ */ new Date()).toISOString() },
       cliProgressEvent
     );
@@ -79982,12 +79982,12 @@ async function registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId
     handleError(error, "Error sending CLI progress to dashboard", false);
   }
 }
-async function sendWarningToDashboard(message, data2, additionalData, reportId, apiKey3) {
-  if (!reportId || apiKey3.type === "missing") return;
+async function sendWarningToDashboard(message, data2, additionalData, reportId, apiKey4) {
+  if (!reportId || apiKey4.type === "missing") return;
   try {
     await sendPostRequest(
       coanaAPIUrls.SUBMIT_REPORT_WARNING,
-      apiKey3.value,
+      apiKey4.value,
       { reportId },
       { message, data: data2, additionalData }
     );
@@ -79995,8 +79995,8 @@ async function sendWarningToDashboard(message, data2, additionalData, reportId,
     handleError(error, "Error sending warning to dashboard", false);
   }
 }
-async function sendErrorReportToCoanaDashboard(apiKey3, stackTrace, shouldLogSharing, reportId, repoUrl, projectName, logContent) {
-  if (apiKey3.type === "missing") return;
+async function sendErrorReportToCoanaDashboard(apiKey4, stackTrace, shouldLogSharing, reportId, repoUrl, projectName, logContent) {
+  if (apiKey4.type === "missing") return;
   if (shouldLogSharing) {
     console.log("Sending crash report to Coana");
     console.log("The report will help team Coana debug the crash");
@@ -80007,7 +80007,7 @@ async function sendErrorReportToCoanaDashboard(apiKey3, stackTrace, shouldLogSha
       stackTrace,
       logContent
     };
-    await sendPostRequest(coanaAPIUrls.SUBMIT_REPORT_ERROR, apiKey3.value, { repoUrl, projectName, reportId }, report);
+    await sendPostRequest(coanaAPIUrls.SUBMIT_REPORT_ERROR, apiKey4.value, { repoUrl, projectName, reportId }, report);
     if (shouldLogSharing) {
       console.log("Crash report submitted to dashboard successfully");
     }
@@ -80015,11 +80015,11 @@ async function sendErrorReportToCoanaDashboard(apiKey3, stackTrace, shouldLogSha
     handleError(e, "Error submitting crash report to dashboard", false);
   }
 }
-async function sendPostRequest(url2, apiKey3, params, data2) {
+async function sendPostRequest(url2, apiKey4, params, data2) {
   const axiosConfig = {
     headers: {
       "Content-Type": "application/json",
-      apiKey: apiKey3
+      apiKey: apiKey4
     },
     params
   };
@@ -80543,7 +80543,7 @@ var DashboardAPI = class {
     this.coanaAPI = getCoanaAPI();
     this.socketAPI = getSocketAPI();
   }
-  async createReport(repoUrl, projectName, cliVersion2, commitSha, branchName, cliOptions, apiKey3, cliRunEnv, systemInformation) {
+  async createReport(repoUrl, projectName, cliVersion2, commitSha, branchName, cliOptions, apiKey4, cliRunEnv, systemInformation) {
     if (this.disableAnalyticsSharing) {
       return;
     }
@@ -80557,12 +80557,12 @@ var DashboardAPI = class {
         commitSha,
         branchName,
         cliOptions,
-        apiKey3,
+        apiKey4,
         cliRunEnv
       );
     }
   }
-  async sendErrorReport(apiKey3, stackTrace, shouldLogSharing, errorType, reportId, repoUrl, projectName, logContent) {
+  async sendErrorReport(apiKey4, stackTrace, shouldLogSharing, errorType, reportId, repoUrl, projectName, logContent) {
     if (this.disableAnalyticsSharing) {
       return;
     }
@@ -80576,7 +80576,7 @@ var DashboardAPI = class {
       );
     } else {
       await this.coanaAPI.sendErrorReportToCoanaDashboard(
-        apiKey3,
+        apiKey4,
         stackTrace,
         shouldLogSharing,
         reportId,
@@ -80586,27 +80586,27 @@ var DashboardAPI = class {
       );
     }
   }
-  async registerSubprojects(subprojects, reportId, apiKey3) {
+  async registerSubprojects(subprojects, reportId, apiKey4) {
     if (this.disableAnalyticsSharing) {
       return;
     }
     if (this.socketMode) {
       await this.socketAPI.registerSubprojectsSocket(subprojects, reportId);
     } else {
-      await this.coanaAPI.registerSubprojectsCoana(subprojects, reportId, apiKey3);
+      await this.coanaAPI.registerSubprojectsCoana(subprojects, reportId, apiKey4);
     }
   }
-  async registerCLIProgress(cliProgressEvent, isStartEvent, reportId, apiKey3) {
+  async registerCLIProgress(cliProgressEvent, isStartEvent, reportId, apiKey4) {
     if (this.disableAnalyticsSharing) {
       return;
     }
     if (this.socketMode) {
       await this.socketAPI.registerCLIProgressSocket(isStartEvent, cliProgressEvent, reportId);
     } else {
-      await this.coanaAPI.registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId, apiKey3);
+      await this.coanaAPI.registerCLIProgressCoana(cliProgressEvent, isStartEvent, reportId, apiKey4);
     }
   }
-  async registerAnalysisMetadata(subprojectPath, workspacePath, ecosystem, analysisMetadata, reportId, apiKey3) {
+  async registerAnalysisMetadata(subprojectPath, workspacePath, ecosystem, analysisMetadata, reportId, apiKey4) {
     if (this.disableAnalyticsSharing) {
       return;
     }
@@ -80625,15 +80625,15 @@ var DashboardAPI = class {
         ecosystem,
         analysisMetadata,
         reportId,
-        apiKey3
+        apiKey4
       );
     }
   }
-  async getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey3) {
+  async getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey4) {
     if (this.socketMode) {
       return await this.socketAPI.getLatestBucketsSocket(subprojectPath, workspacePath);
     } else {
-      return await this.coanaAPI.getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey3);
+      return await this.coanaAPI.getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey4);
     }
   }
   async sendLogChunk(reportId, logs) {
@@ -88663,6 +88663,9 @@ var ToolPathResolver = class {
     }[`${platform7}-${arch === "arm" ? "arm64" : arch}`];
     return resolve6(COANA_REPOS_PATH(), "spar", `sparjs-${name2}.gz`);
   }
+  static get sparJSRuntimeDir() {
+    return resolve6(COANA_REPOS_PATH(), "spar/runtime/dist");
+  }
   /**
    * Get the path to the Javap Service JAR file
    */
@@ -114157,7 +114160,7 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
       return extracted;
     })();
   }
-  async runAnalysis(mainProjectRoot, projectRoot, { maxIndirections, includePackages }, reachabilityAnalysisOptions, timeoutInSeconds, vulnerabilities, _experiment, telemetryHandler, analyzerTelemetryHandler) {
+  async runAnalysis(mainProjectRoot, projectRoot, { maxIndirections, includePackages, approx }, reachabilityAnalysisOptions, timeoutInSeconds, vulnerabilities, _experiment, telemetryHandler, analyzerTelemetryHandler) {
     const tmpFolder = await createTmpDirectory("sparjs-analysis");
     try {
       const filesToAnalyze = reachabilityAnalysisOptions.entryPoints ?? [projectRoot];
@@ -114188,6 +114191,8 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
           --diagnostics-json ${diagnosticsFile}
           --max-indirections ${maxIndirections}
           ${!!includePackages && (includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"])}
+          ${/* XXX: Requires Node 22+ */
+      approx && "--approx"}
           --callstacks-json ${callStackFile}
           --unresolved-non-vulnerable
           ${parseShellArgs(process.env.COANA_SPARJS_ADDITIONAL_FLAGS ?? "")}
@@ -114203,7 +114208,12 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
           heartbeat: HEARTBEATS.js,
           telemetryHandler,
           analyzerTelemetryHandler,
-          outputLogFile: logFile
+          outputLogFile: logFile,
+          env: {
+            ...process.env,
+            // Required for approximate interpretation
+            SPAR_RUNTIME_DIR: ToolPathResolver.sparJSRuntimeDir
+          }
         }
       );
       if (reachabilityAnalysisOptions.printLogFile)
@@ -114327,20 +114337,33 @@ function pluralize(count, word) {
 var { partition: partition3, memoize: memoize2 } = import_lodash20.default;
 var SOCKET_MODE2 = process.env.SOCKET_MODE === "true";
 var dashboardAPI2 = new DashboardAPI(SOCKET_MODE2, process.env.DISABLE_ANALYTICS_SHARING === "true");
+var apiKey2 = COANA_API_KEY ? { type: "present", value: COANA_API_KEY } : { type: "missing" };
 var NpmAnalyzer = class {
   state;
   projectDir;
   statsSourceFilesAnalyzed;
   preinstalledDependencies = "NO";
-  engine;
+  _enginePromise;
   constructor(state, projectDir) {
     this.state = state;
     this.projectDir = projectDir;
-    this.engine = state.otherAnalysisOptions.jsAnalysisEngine === "sparjs" ? new SparJSAnalysisEngine() : new JellyJSAnalysisEngine();
+  }
+  get engine() {
+    return this._enginePromise ??= this.resolveEngine();
+  }
+  async resolveEngine() {
+    const engine = this.state.otherAnalysisOptions.jsAnalysisEngine;
+    let useSparJS = engine === "sparjs";
+    if (!engine) {
+      const expName = await getExperimentName(relative10(this.state.rootWorkingDir, this.state.subprojectDir) || ".", this.state.workspacePath, "NPM", COANA_REPORT_ID, apiKey2);
+      useSparJS = expName === "SPARJS_EXPERIMENT";
+    }
+    return new (useSparJS ? SparJSAnalysisEngine : JellyJSAnalysisEngine)();
   }
   async runPhantomDependencyAnalysis() {
     try {
-      return (await this.engine.runPhantomDependencyAnalysis(this.projectDir, this.state.reachabilityAnalysisOptions)).map((r) => r.name);
+      const engine = await this.engine;
+      return (await engine.runPhantomDependencyAnalysis(this.projectDir, this.state.reachabilityAnalysisOptions)).map((r) => r.name);
     } catch (e) {
       logger.debug("Error while running phantom dependency analysis: ", e);
     }
@@ -114356,8 +114379,9 @@ var NpmAnalyzer = class {
       }
       analysisMetadataCollector?.(metadata);
     };
+    const engine = await this.engine;
     try {
-      const vulnerabilityScanner = new JSCodeAwareVulnerabilityScanner(this.engine, this.state.rootWorkingDir, this.projectDir, this.state.reachabilityAnalysisOptions);
+      const vulnerabilityScanner = new JSCodeAwareVulnerabilityScanner(engine, this.state.rootWorkingDir, this.projectDir, this.state.reachabilityAnalysisOptions);
       await vulnerabilityScanner.prepareDependencies(this.state, heuristicsInOrder[0]);
       logger.info(`Running import reachability analysis for ${vulns.length} ${pluralize(vulns.length, "vulnerability")}`);
       let reachable;
@@ -114370,7 +114394,7 @@ var NpmAnalyzer = class {
       try {
         statusUpdater?.("Running import reachability analysis");
         logger.debug("Starting import reachability analysis");
-        reachable = await this.engine.runImportReachabilityAnalysis(this.state.rootWorkingDir, this.projectDir, vulns, this.state.reachabilityAnalysisOptions, createTelemetryHandler(dashboardAPI2, importAnalysisMetadataId), createAnalyzerTelemetryHandler(dashboardAPI2, importAnalysisMetadataId));
+        reachable = await engine.runImportReachabilityAnalysis(this.state.rootWorkingDir, this.projectDir, vulns, this.state.reachabilityAnalysisOptions, createTelemetryHandler(dashboardAPI2, importAnalysisMetadataId), createAnalyzerTelemetryHandler(dashboardAPI2, importAnalysisMetadataId));
         dashboardAPI2.registerDiagnosticsToAnalysisMetadata(importAnalysisMetadataId, {
           analysisDiagnostics: {
             timeout: false,
@@ -114471,7 +114495,7 @@ ${e.stack}` : String(e),
       }
       return res;
     } finally {
-      await this.engine.cleanup();
+      await engine.cleanup();
       if (!nodeModulesAlreadyExisted) {
         if (existsSync14(resolve22(this.state.subprojectDir, "node_modules")))
           await rm8(resolve22(this.state.subprojectDir, "node_modules"), { recursive: true });
@@ -114939,7 +114963,7 @@ var ecosystemAnalyzer = {
   RUST: RustAnalyzer,
   RUBYGEMS: RubyGemsAnalyzer
 };
-var apiKey2 = COANA_API_KEY ? { type: "present", value: COANA_API_KEY } : { type: "missing" };
+var apiKey3 = COANA_API_KEY ? { type: "present", value: COANA_API_KEY } : { type: "missing" };
 var dashboardAPI3 = new DashboardAPI(process.env.SOCKET_MODE === "true", process.env.DISABLE_ANALYTICS_SHARING === "true");
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve24(state.subprojectDir, state.workspacePath);
@@ -114951,7 +114975,7 @@ async function runReachabilityAnalysis(state) {
   const analyzer = new constructor(state, projectDir);
   const [vulnerabilitiesWithPrecomputedResults, vulnerabilitiesWithoutPrecomputedResults] = partition4(state.vulnerabilities, (v) => "results" in v);
   const augmentedVulnerabilities = await runWholeProgramCodeAwareVulnerabilityScanner(analyzer, vulnerabilitiesWithoutPrecomputedResults, async (amd) => {
-    await dashboardAPI3.registerAnalysisMetadata(relative12(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);
+    await dashboardAPI3.registerAnalysisMetadata(relative12(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey3);
   });
   const diagnostics = await analyzer.getWorkspaceDiagnostics();
   return {