@coana-tech/cli 14.12.215 → 14.12.216

package/cli.mjs

@@ -205353,6 +205353,7 @@ var AnalyzerTelemetryServer = class {
 
 // ../utils/src/command-utils.ts
 var DEFAULT_TIMEOUT_MS = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS = 60 * 1e3;
 async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
   if (result.error) logCommandOutput(result, cmd, dir, logLevel);
@@ -205425,7 +205426,7 @@ function wrapWithMemoryLimit(cmd, options) {
                   2
                 )} MiB). Terminating process.`
               );
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -205461,15 +205462,38 @@ async function execNeverFail(cmd, dir, options) {
       let args2;
       if (typeof cmd !== "string") [cmd, ...args2] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
+      let sigtermTimer;
+      let sigkillTimer;
       const childProcess = execFile2(
         cmd,
         args2,
-        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout },
+        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout: 0 },
         (error, stdout, stderr) => {
+          if (sigtermTimer) clearTimeout(sigtermTimer);
+          if (sigkillTimer) clearTimeout(sigkillTimer);
           resolve45({ error, stdout, stderr });
         }
       );
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null) return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(
+                  `Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`
+                );
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -224779,6 +224803,7 @@ var AnalyzerTelemetryServer2 = class {
 
 // ../utils/dist/command-utils.js
 var DEFAULT_TIMEOUT_MS2 = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS2 = 60 * 1e3;
 async function execAndLogOnFailure3(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail3(cmd, dir, options);
   if (result.error)
@@ -224847,7 +224872,7 @@ function wrapWithMemoryLimit2(cmd, options) {
           onTelemetry(metrics) {
             if (subprocess?.exitCode === null && metrics.rss >= memoryLimitKiB * 1024) {
               logger.debug(`Memory limit of ${options.memoryLimitInMB} MiB exceeded (RSS: ${(metrics.rss / 1024 / 1024).toFixed(2)} MiB). Terminating process.`);
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -224882,10 +224907,34 @@ async function execNeverFail3(cmd, dir, options) {
       if (typeof cmd !== "string")
         [cmd, ...args2] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS2;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS2;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
-      const childProcess = execFile4(cmd, args2, { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout }, (error, stdout, stderr) => {
+      let sigtermTimer;
+      let sigkillTimer;
+      const childProcess = execFile4(cmd, args2, { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout: 0 }, (error, stdout, stderr) => {
+        if (sigtermTimer)
+          clearTimeout(sigtermTimer);
+        if (sigkillTimer)
+          clearTimeout(sigkillTimer);
         resolve45({ error, stdout, stderr });
       });
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null)
+            return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(`Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`);
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry2(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -251742,7 +251791,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.215";
+var version3 = "14.12.216";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.215",
+  "version": "14.12.216",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -81033,6 +81033,7 @@ var AnalyzerTelemetryServer = class {
 
 // ../utils/src/command-utils.ts
 var DEFAULT_TIMEOUT_MS = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS = 60 * 1e3;
 async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
   if (result.error) logCommandOutput(result, cmd, dir, logLevel);
@@ -81102,7 +81103,7 @@ function wrapWithMemoryLimit(cmd, options) {
                   2
                 )} MiB). Terminating process.`
               );
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -81138,15 +81139,38 @@ async function execNeverFail(cmd, dir, options) {
       let args;
       if (typeof cmd !== "string") [cmd, ...args] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
+      let sigtermTimer;
+      let sigkillTimer;
       const childProcess = execFile2(
         cmd,
         args,
-        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args === void 0, timeout },
+        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args === void 0, timeout: 0 },
         (error, stdout, stderr) => {
+          if (sigtermTimer) clearTimeout(sigtermTimer);
+          if (sigkillTimer) clearTimeout(sigkillTimer);
           resolve25({ error, stdout, stderr });
         }
       );
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null) return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(
+                  `Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`
+                );
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -96281,7 +96305,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const outputFile = resolve9(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.dotnet });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.dotnet });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile7(outputFile, "utf-8")).result;
@@ -96322,7 +96346,6 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, {
         timeout: timeoutMs,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.dotnet,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -110360,7 +110383,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile6(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.java });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.java });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile8(outputFile, "utf-8")).result;
@@ -110399,7 +110422,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile6(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.java, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.java, telemetryHandler, analyzerTelemetryHandler });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile8(outputFile, "utf-8")).result;
@@ -111007,7 +111030,6 @@ var JSAnalysisEngine = class {
         ${options.entryPoints ?? projectRoot}`;
       await runCommandResolveStdOut2(cmd, void 0, {
         timeout: options.timeoutSeconds.allVulnRuns * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.js,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -111102,10 +111124,11 @@ var JellyJSAnalysisEngine = class extends JSAnalysisEngine {
       await runCommandResolveStdOut2(
         cmdToRun,
         void 0,
-        // Use SIGKILL to ensure termination even if the process is unresponsive 50% above the timeout (e.g., due to GC pressure).
+        // Terminate if the process exceeds 1.5x the timeout (e.g., due to GC pressure making
+        // Jelly's internal timeout checks unreliable). execNeverFail sends SIGTERM first and
+        // escalates to SIGKILL after a grace period if the process remains alive.
         {
           timeout: timeoutInSeconds * 1e3 * 1.5,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.js,
           telemetryHandler,
           analyzerTelemetryHandler,
@@ -111156,7 +111179,6 @@ var JellyJSAnalysisEngine = class extends JSAnalysisEngine {
           --reachable-json ${reachablePackagesFile} ${projectRoot}`;
       await runCommandResolveStdOut2(jellyCmd, void 0, {
         timeout: options.timeoutSeconds.allVulnRuns * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.js,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -111881,10 +111903,10 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
       await runCommandResolveStdOut2(
         cmd,
         void 0,
-        // Use SIGKILL to ensure termination even if the process is unresponsive 50% above the timeout
+        // Terminate if the process exceeds 1.5x the timeout. execNeverFail sends SIGTERM
+        // first and escalates to SIGKILL after a grace period if the process remains alive.
         {
           timeout: timeoutInSeconds * 1e3 * 1.5,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.js,
           telemetryHandler,
           analyzerTelemetryHandler,
@@ -112255,7 +112277,6 @@ var GoCodeAwareVulnerabilityScanner = class {
           -topk=4 ${heuristic.includeTests && "-tests"}
           ${this.projectDir} ${vulnAccPaths}`, void 0, {
         timeout: timeoutInSeconds * 1e3,
-        killSignal: "SIGKILL",
         memoryLimitInMB,
         env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${Math.max(Math.ceil(memoryLimitInMB - 256), 0)}MiB` } : void 0,
         heartbeat: HEARTBEATS.go,
@@ -112664,7 +112685,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve17(tmpDir, "output.json");
       await writeFile10(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.rust });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.rust });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile13(outputFile, "utf-8")).result;
@@ -112700,7 +112721,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve17(tmpDir, "output.json");
       await writeFile10(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(effectiveTimeout * 1.5, effectiveTimeout + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.rust, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.rust, telemetryHandler, analyzerTelemetryHandler });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile13(outputFile, "utf-8")).result;
@@ -113214,9 +113235,8 @@ var PythonCodeAwareVulnerabilityScanner = class {
           PYPY_GC_MAX: `${memoryLimitInMB ? Math.max(Math.ceil(memoryLimitInMB - 256), 1) : 0}MB`
         },
         // Forcefully kill the process if the internal timeout mechanism fails.
-        // Use SIGKILL to ensure termination even if the process is unresponsive.
+        // execNeverFail sends SIGTERM first and escalates to SIGKILL after a grace period.
         timeout: (timeoutInSeconds * 1.5 + 15) * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.python,
         telemetryHandler,
         analyzerTelemetryHandler,
@@ -114708,7 +114728,6 @@ var RubyCodeAwareVulnerabilityScanner = class {
         this.numberAnalysesRun++;
         await exec2(cmd, this.projectDir, {
           timeout: (timeoutInSeconds * 1.5 + 10) * 1e3,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.ruby,
           telemetryHandler
         });