npm - @coana-tech/cli - Versions diffs - 14.12.214 → 14.12.216 - Mend

@coana-tech/cli 14.12.214 → 14.12.216

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/cli.mjs CHANGED Viewed

@@ -205353,6 +205353,7 @@ var AnalyzerTelemetryServer = class {
 // ../utils/src/command-utils.ts
 var DEFAULT_TIMEOUT_MS = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS = 60 * 1e3;
 async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
   if (result.error) logCommandOutput(result, cmd, dir, logLevel);
@@ -205425,7 +205426,7 @@ function wrapWithMemoryLimit(cmd, options) {
                   2
                 )} MiB). Terminating process.`
               );
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -205461,15 +205462,38 @@ async function execNeverFail(cmd, dir, options) {
       let args2;
       if (typeof cmd !== "string") [cmd, ...args2] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
+      let sigtermTimer;
+      let sigkillTimer;
       const childProcess = execFile2(
         cmd,
         args2,
-        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout },
+        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout: 0 },
         (error, stdout, stderr) => {
+          if (sigtermTimer) clearTimeout(sigtermTimer);
+          if (sigkillTimer) clearTimeout(sigkillTimer);
           resolve45({ error, stdout, stderr });
         }
       );
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null) return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(
+                  `Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`
+                );
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -224779,6 +224803,7 @@ var AnalyzerTelemetryServer2 = class {
 // ../utils/dist/command-utils.js
 var DEFAULT_TIMEOUT_MS2 = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS2 = 60 * 1e3;
 async function execAndLogOnFailure3(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail3(cmd, dir, options);
   if (result.error)
@@ -224847,7 +224872,7 @@ function wrapWithMemoryLimit2(cmd, options) {
           onTelemetry(metrics) {
             if (subprocess?.exitCode === null && metrics.rss >= memoryLimitKiB * 1024) {
               logger.debug(`Memory limit of ${options.memoryLimitInMB} MiB exceeded (RSS: ${(metrics.rss / 1024 / 1024).toFixed(2)} MiB). Terminating process.`);
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -224882,10 +224907,34 @@ async function execNeverFail3(cmd, dir, options) {
       if (typeof cmd !== "string")
         [cmd, ...args2] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS2;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS2;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
-      const childProcess = execFile4(cmd, args2, { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout }, (error, stdout, stderr) => {
+      let sigtermTimer;
+      let sigkillTimer;
+      const childProcess = execFile4(cmd, args2, { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout: 0 }, (error, stdout, stderr) => {
+        if (sigtermTimer)
+          clearTimeout(sigtermTimer);
+        if (sigkillTimer)
+          clearTimeout(sigkillTimer);
         resolve45({ error, stdout, stderr });
       });
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null)
+            return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(`Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`);
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry2(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -251742,7 +251791,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 // dist/version.js
-var version3 = "14.12.214";
+var version3 = "14.12.216";
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.214",
+  "version": "14.12.216",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs CHANGED Viewed

@@ -81033,6 +81033,7 @@ var AnalyzerTelemetryServer = class {
 // ../utils/src/command-utils.ts
 var DEFAULT_TIMEOUT_MS = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS = 60 * 1e3;
 async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
   if (result.error) logCommandOutput(result, cmd, dir, logLevel);
@@ -81102,7 +81103,7 @@ function wrapWithMemoryLimit(cmd, options) {
                   2
                 )} MiB). Terminating process.`
               );
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -81138,15 +81139,38 @@ async function execNeverFail(cmd, dir, options) {
       let args;
       if (typeof cmd !== "string") [cmd, ...args] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
+      let sigtermTimer;
+      let sigkillTimer;
       const childProcess = execFile2(
         cmd,
         args,
-        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args === void 0, timeout },
+        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args === void 0, timeout: 0 },
         (error, stdout, stderr) => {
+          if (sigtermTimer) clearTimeout(sigtermTimer);
+          if (sigkillTimer) clearTimeout(sigkillTimer);
           resolve25({ error, stdout, stderr });
         }
       );
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null) return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(
+                  `Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`
+                );
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -96281,7 +96305,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const outputFile = resolve9(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.dotnet });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.dotnet });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile7(outputFile, "utf-8")).result;
@@ -96322,7 +96346,6 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, {
         timeout: timeoutMs,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.dotnet,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -110360,7 +110383,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile6(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.java });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.java });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile8(outputFile, "utf-8")).result;
@@ -110399,7 +110422,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile6(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.java, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.java, telemetryHandler, analyzerTelemetryHandler });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile8(outputFile, "utf-8")).result;
@@ -111007,7 +111030,6 @@ var JSAnalysisEngine = class {
         ${options.entryPoints ?? projectRoot}`;
       await runCommandResolveStdOut2(cmd, void 0, {
         timeout: options.timeoutSeconds.allVulnRuns * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.js,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -111102,10 +111124,11 @@ var JellyJSAnalysisEngine = class extends JSAnalysisEngine {
       await runCommandResolveStdOut2(
         cmdToRun,
         void 0,
-        // Use SIGKILL to ensure termination even if the process is unresponsive 50% above the timeout (e.g., due to GC pressure).
+        // Terminate if the process exceeds 1.5x the timeout (e.g., due to GC pressure making
+        // Jelly's internal timeout checks unreliable). execNeverFail sends SIGTERM first and
+        // escalates to SIGKILL after a grace period if the process remains alive.
         {
           timeout: timeoutInSeconds * 1e3 * 1.5,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.js,
           telemetryHandler,
           analyzerTelemetryHandler,
@@ -111156,7 +111179,6 @@ var JellyJSAnalysisEngine = class extends JSAnalysisEngine {
           --reachable-json ${reachablePackagesFile} ${projectRoot}`;
       await runCommandResolveStdOut2(jellyCmd, void 0, {
         timeout: options.timeoutSeconds.allVulnRuns * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.js,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -111881,10 +111903,10 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
       await runCommandResolveStdOut2(
         cmd,
         void 0,
-        // Use SIGKILL to ensure termination even if the process is unresponsive 50% above the timeout
+        // Terminate if the process exceeds 1.5x the timeout. execNeverFail sends SIGTERM
+        // first and escalates to SIGKILL after a grace period if the process remains alive.
         {
           timeout: timeoutInSeconds * 1e3 * 1.5,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.js,
           telemetryHandler,
           analyzerTelemetryHandler,
@@ -111919,12 +111941,14 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
       for (const match2 of Object.values(matches))
         match2.affectedPackages = uniq5(match2.stacks.flatMap((stack) => map3(stack, "package")));
       const affectedPackages = JSON.parse(await readFile11(affectedPackagesFile, "utf-8")).packages;
+      const aborted = analysisDiagnostics.solver.aborted;
       return {
         matches,
         analysisDiagnostics: {
           ...analysisDiagnostics,
-          aborted: analysisDiagnostics.solver.aborted,
-          timeout: analysisDiagnostics.totalTime / 1e6 >= timeoutInSeconds,
+          aborted: !!aborted,
+          timeout: aborted === "timeout",
+          lowmemory: aborted === "out_of_memory",
           timings: {
             analysisTime: (analysisDiagnostics.totalTime - analysisDiagnostics.patternMatchingTime) / 1e3,
             patternMatchingTime: analysisDiagnostics.patternMatchingTime / 1e3,
@@ -112049,7 +112073,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       analysisOptionsFromHeuristic.approx = process.env.JELLY_APPROX === "true" || experiment === "JELLY_APPROX";
       const analysisRes = await this.resolveEngine(experiment).runAnalysis(this.mainProjectDir, this.projectDir, analysisOptionsFromHeuristic, this.options, timeoutInSeconds, vulnerabilities, experiment, telemetryHandler, analyzerTelemetryHandler);
       const { analysisDiagnostics: diagnostics, matches } = analysisRes;
-      const terminatedEarly = diagnostics.lowmemory ?? diagnostics.rangeError ?? (diagnostics.aborted || diagnostics.timeout);
+      const terminatedEarly = diagnostics.rangeError ?? (diagnostics.aborted || diagnostics.timeout || diagnostics.lowmemory);
       return {
         type: "success",
         diagnostics,
@@ -112253,7 +112277,6 @@ var GoCodeAwareVulnerabilityScanner = class {
           -topk=4 ${heuristic.includeTests && "-tests"}
           ${this.projectDir} ${vulnAccPaths}`, void 0, {
         timeout: timeoutInSeconds * 1e3,
-        killSignal: "SIGKILL",
         memoryLimitInMB,
         env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${Math.max(Math.ceil(memoryLimitInMB - 256), 0)}MiB` } : void 0,
         heartbeat: HEARTBEATS.go,
@@ -112662,7 +112685,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve17(tmpDir, "output.json");
       await writeFile10(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.rust });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.rust });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile13(outputFile, "utf-8")).result;
@@ -112698,7 +112721,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve17(tmpDir, "output.json");
       await writeFile10(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(effectiveTimeout * 1.5, effectiveTimeout + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.rust, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.rust, telemetryHandler, analyzerTelemetryHandler });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile13(outputFile, "utf-8")).result;
@@ -113212,9 +113235,8 @@ var PythonCodeAwareVulnerabilityScanner = class {
           PYPY_GC_MAX: `${memoryLimitInMB ? Math.max(Math.ceil(memoryLimitInMB - 256), 1) : 0}MB`
         },
         // Forcefully kill the process if the internal timeout mechanism fails.
-        // Use SIGKILL to ensure termination even if the process is unresponsive.
+        // execNeverFail sends SIGTERM first and escalates to SIGKILL after a grace period.
         timeout: (timeoutInSeconds * 1.5 + 15) * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.python,
         telemetryHandler,
         analyzerTelemetryHandler,
@@ -114706,7 +114728,6 @@ var RubyCodeAwareVulnerabilityScanner = class {
         this.numberAnalysesRun++;
         await exec2(cmd, this.projectDir, {
           timeout: (timeoutInSeconds * 1.5 + 10) * 1e3,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.ruby,
           telemetryHandler
         });