@coana-tech/cli 14.12.58 → 14.12.61

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.58",
+  "version": "14.12.61",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -18277,7 +18277,7 @@ var require_lodash = __commonJS({
         var mergeWith = createAssigner(function(object, source, srcIndex, customizer) {
           baseMerge(object, source, srcIndex, customizer);
         });
-        var omit3 = flatRest(function(object, paths) {
+        var omit2 = flatRest(function(object, paths) {
           var result2 = {};
           if (object == null) {
             return result2;
@@ -18968,7 +18968,7 @@ var require_lodash = __commonJS({
         lodash22.mixin = mixin;
         lodash22.negate = negate;
         lodash22.nthArg = nthArg;
-        lodash22.omit = omit3;
+        lodash22.omit = omit2;
         lodash22.omitBy = omitBy;
         lodash22.once = once6;
         lodash22.orderBy = orderBy;
@@ -62479,7 +62479,7 @@ var require_micromatch = __commonJS({
     var micromatch2 = (list2, patterns, options) => {
       patterns = [].concat(patterns);
       list2 = [].concat(list2);
-      let omit3 = /* @__PURE__ */ new Set();
+      let omit2 = /* @__PURE__ */ new Set();
       let keep = /* @__PURE__ */ new Set();
       let items = /* @__PURE__ */ new Set();
       let negatives = 0;
@@ -62498,15 +62498,15 @@ var require_micromatch = __commonJS({
           let match2 = negated ? !matched.isMatch : matched.isMatch;
           if (!match2) continue;
           if (negated) {
-            omit3.add(matched.output);
+            omit2.add(matched.output);
           } else {
-            omit3.delete(matched.output);
+            omit2.delete(matched.output);
             keep.add(matched.output);
           }
         }
       }
       let result = negatives === patterns.length ? [...items] : [...keep];
-      let matches = result.filter((item) => !omit3.has(item));
+      let matches = result.filter((item) => !omit2.has(item));
       if (options && matches.length === 0) {
         if (options.failglob === true) {
           throw new Error(`No matches found for "${patterns.join(", ")}"`);
@@ -76824,14 +76824,14 @@ async function createSocketTier1Scan(cliOptions, coanaCliVersion) {
     throw new Error("we should never reach this point");
   }
 }
-async function sendErrorReportToSocketDashboard(stackTrace, shouldLogSharing, reportId, logContent) {
+async function sendErrorReportToSocketDashboard(stackTrace, shouldLogSharing, errorType, reportId, logContent) {
   if (shouldLogSharing) {
-    console.log("Sending crash report to Socket");
-    console.log("The report will help team Socket debug the crash");
-    console.log("No source code is included in the crash report");
+    console.log(`Sending ${errorType} report to Socket`);
+    console.log("The report will help team Socket debug the problem");
+    console.log("No source code is included in the report");
   }
   try {
-    const url2 = getSocketApiUrl("tier1-reachability-scan/failure");
+    const url2 = errorType === "analysis-error" ? getSocketApiUrl("tier1-reachability-scan/analysis-error") : getSocketApiUrl("tier1-reachability-scan/failure");
     const data2 = {
       stack_trace: stackTrace,
       log_content: logContent,
@@ -77070,12 +77070,18 @@ var DashboardAPI = class {
       );
     }
   }
-  async sendErrorReport(apiKey3, stackTrace, shouldLogSharing, reportId, repoUrl, projectName, logContent) {
+  async sendErrorReport(apiKey3, stackTrace, shouldLogSharing, errorType, reportId, repoUrl, projectName, logContent) {
     if (this.disableAnalyticsSharing) {
       return;
     }
     if (this.socketMode) {
-      await this.socketAPI.sendErrorReportToSocketDashboard(stackTrace, shouldLogSharing, reportId, logContent);
+      await this.socketAPI.sendErrorReportToSocketDashboard(
+        stackTrace,
+        shouldLogSharing,
+        errorType,
+        reportId,
+        logContent
+      );
     } else {
       await this.coanaAPI.sendErrorReportToCoanaDashboard(
         apiKey3,
@@ -77135,13 +77141,7 @@ var DashboardAPI = class {
     if (this.socketMode) {
       return await this.socketAPI.getLatestBucketsSocket(subprojectPath, workspacePath);
     } else {
-      return await this.coanaAPI.getBucketsForLastReport(
-        subprojectPath,
-        workspacePath,
-        ecosystem,
-        reportId,
-        apiKey3
-      );
+      return await this.coanaAPI.getBucketsForLastReport(subprojectPath, workspacePath, ecosystem, reportId, apiKey3);
     }
   }
 };
@@ -98730,8 +98730,10 @@ import { existsSync as existsSync8 } from "fs";
 import { resolve as resolve11 } from "path";
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/setup-npm-dependencies-for-analysis.js
-import { resolve as resolve10, dirname as dirname10, join as join14 } from "path";
-import { mkdir as mkdir6, link } from "fs/promises";
+var import_lodash9 = __toESM(require_lodash(), 1);
+import { link, mkdir as mkdir6 } from "fs/promises";
+import { availableParallelism } from "os";
+import { dirname as dirname10, join as join14, resolve as resolve10 } from "path";
 
 // ../../node_modules/.pnpm/@isaacs+fs-minipass@4.0.1/node_modules/@isaacs/fs-minipass/dist/esm/index.js
 import EE from "events";
@@ -103843,8 +103845,6 @@ var mtimeFilter = (opt) => {
 };
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/setup-npm-dependencies-for-analysis.js
-var import_lodash9 = __toESM(require_lodash(), 1);
-import { availableParallelism } from "os";
 var { chunk } = import_lodash9.default;
 var ROOT_PACKAGE_METADATA_NAME = "UNIQUE_ROOT_PACKAGE_METADATA_NAME";
 async function setupDependenciesForAnalysis(subprojectDir, workspaceDir, directDependencies, artifactIdToArtifact) {
@@ -103947,6 +103947,8 @@ async function downloadDependenciesToDir(dependenciesToInstall, tmpDir) {
             tarFileName: resolve10(tmpDir, npmPackRes[idx].filename)
           })));
         } catch (e) {
+          logger.debug("Error downloading dependencies:", e.message);
+          logger.debug("Chunks in error:", chunk2.map((p) => `${p.name}@${p.version ?? "null"}_${p.resolutionString ?? "null"}${p.dependencies?.map((d) => `_${d}`).join("")}`).join(", "));
           const messageWithoutCommand = e.message.split("\n").slice(1).join("\n");
           const newFailedPackages = chunk2.filter((p) => messageWithoutCommand.includes(`/${p.name} `) || messageWithoutCommand.includes(`${p.name}@${p.version}`));
           if (newFailedPackages.length === 0) {
@@ -106057,8 +106059,9 @@ function detectedOccurrencesFromAPMatchesRuby(matches, pathPrefixToPackage) {
         if (cl.package === "<app>")
           cl.package = ROOT_NODE_STR;
         const prefixPath2 = `${cl.sourceLocation.filename.split("/lib/")[0]}/lib`;
-        if (pathPrefixToPackage.has(prefixPath2)) {
-          cl.package = pathPrefixToPackage.get(prefixPath2);
+        const pkg = pathPrefixToPackage.get(prefixPath2);
+        if (pkg) {
+          cl.package = pkg;
           cl.sourceLocation.filename = cl.sourceLocation.filename.slice(prefixPath2.length + 1);
         }
       }
@@ -107237,7 +107240,7 @@ import { mkdir as mkdir8, rm as rm7, readFile as readFile11, readdir as readdir5
 import { join as join19, relative as relative7 } from "path";
 import { pipeline as pipeline2 } from "stream/promises";
 var PRINT_ANALYSIS_COMMAND = false;
-var { uniqBy: uniqBy2, sortedUniq: sortedUniq2, omit: omit2 } = import_lodash19.default;
+var { uniqBy: uniqBy2, sortedUniq: sortedUniq2 } = import_lodash19.default;
 var RubyCodeAwareVulnerabilityScanner = class {
   projectDir;
   options;
@@ -107262,65 +107265,25 @@ var RubyCodeAwareVulnerabilityScanner = class {
     const packagesToInstall = uniqBy2(packagesToIncludeNames ? preInstalledDepInfos.filter((n) => packagesToIncludeNames.includes(n.packageName)) : preInstalledDepInfos, "packageName");
     logger.info(`Installing ${packagesToInstall.length} gems into the vendor directory`);
     await mkdir8(vendorDir, { recursive: true });
-    const failedGems = [];
-    await asyncFilter(packagesToInstall, async ({ packageName, version: version3 }) => {
+    const failedGems = await asyncFilter(packagesToInstall, async ({ packageName, version: version3 }) => {
       if (!version3) {
         logger.warn(`Skipping gem ${packageName} - no version information`);
-        failedGems.push(packageName);
-        return false;
+        return true;
       }
       try {
-        await this.downloadAndExtractGem(packageName, version3, vendorDir);
-        return true;
+        await downloadAndExtractGem(packageName, version3, vendorDir);
+        return false;
       } catch (e) {
         logger.warn(`Failed to install gem ${packageName}@${version3}: ${e.message}`);
-        failedGems.push(packageName);
-        return false;
+        return true;
       }
     }, 4);
-    if (failedGems.length > 0) {
+    if (failedGems.length > 0)
       logger.info(`Failed to install ${failedGems.length} gems: ${failedGems.join(", ")}`);
-    }
     this.vendorDir = vendorDir;
     this.vendorDirWasCreated = true;
     logger.info("Done setting up vendor directory");
   }
-  async downloadAndExtractGem(gemName, version3, vendorDir) {
-    const gemDir = join19(vendorDir, `${gemName}-${version3}`);
-    if (existsSync13(gemDir)) {
-      logger.debug(`Gem ${gemName}@${version3} already extracted`);
-      return;
-    }
-    const tempGemFile = join19(vendorDir, `${gemName}-${version3}.gem`);
-    try {
-      logger.debug(`Downloading gem ${gemName}@${version3}`);
-      const response = await fetch(`https://rubygems.org/gems/${gemName}-${version3}.gem`);
-      if (!response.ok) {
-        throw new Error(`Failed to download gem: ${response.statusText}`);
-      }
-      if (!response.body) {
-        throw new Error("Response body is null");
-      }
-      await pipeline2(response.body, createWriteStream3(tempGemFile));
-      await mkdir8(gemDir, { recursive: true });
-      logger.debug(`Extracting gem ${gemName}@${version3}`);
-      await exec(["tar", "-xf", tempGemFile, "data.tar.gz"], gemDir);
-      await exec(["tar", "-xzf", "data.tar.gz"], gemDir);
-      await rm7(join19(gemDir, "data.tar.gz"));
-      const hasValidStructure = [`${gemName}.gemspec`, "Rakefile"].some((f2) => existsSync13(join19(gemDir, f2)));
-      if (!hasValidStructure) {
-        throw new Error(`Invalid gem structure: Could not find ${gemName}.gemspec or Rakefile`);
-      }
-      await rm7(tempGemFile, { force: true });
-    } catch (e) {
-      await rm7(gemDir, { recursive: true, force: true });
-      await rm7(tempGemFile, { force: true });
-      throw e;
-    }
-  }
-  getVendorDir() {
-    return this.vendorDir;
-  }
   async runAnalysis(vulns, heuristic, analyzesAllVulns, _experiment) {
     return await withTmpDirectory("ruby-analyzer-output", async (tmpDir) => {
       if (!this.vendorDir)
@@ -107328,53 +107291,47 @@ var RubyCodeAwareVulnerabilityScanner = class {
       const analyzerPath = join19(COANA_REPOS_PATH(), "callgraph-reachability-analyzers", "packages", "cli", "dist", "index.js");
       if (!existsSync13(analyzerPath))
         throw new Error(`callgraph-reachability-analyzers is not cloned`);
-      const packagesToAnalyze = heuristic.getPackagesToIncludeInAnalysis?.(vulns);
       const vulnAccPaths = sortedUniq2(vulns.flatMap((v) => v.vulnerabilityAccessPaths).sort());
       const vulnsOutputFile = join19(tmpDir, "vulns.json");
+      const reachedPackagesOutputFile = join19(tmpDir, "reached-packages.json");
       const diagnosticsOutputFile = join19(tmpDir, "diagnostics.json");
+      const packagesToAnalyze = heuristic.getPackagesToIncludeInAnalysis?.(vulns);
       const { loadPathsToPackageNames, failedToFindLoadPath } = await this.computeLoadPath(packagesToAnalyze ?? []);
       const loadPaths = Array.from(loadPathsToPackageNames.keys());
       if (failedToFindLoadPath.length > 0) {
         this.packagesExcludedUnrelatedToHeuristic.push(...failedToFindLoadPath.map((p) => p.packageName));
         logger.warn(`Failed to find package installation path for ${failedToFindLoadPath.map((p) => p.packageName).join(", ")}`);
       }
-      const timeoutInSeconds = analyzesAllVulns ? this.options.timeoutInSeconds ?? 600 : 60;
-      const cmd = [
-        "node",
-        `--max-old-space-size=${this.options.memoryLimitInMB}`,
-        analyzerPath,
-        "--timeout",
-        `${timeoutInSeconds}`,
-        "--output-diagnostics",
-        diagnosticsOutputFile,
-        "--load-path",
-        ...loadPaths,
-        "--vulnerabilities",
-        ...vulnAccPaths,
-        "--output-vulnerabilities",
-        vulnsOutputFile,
-        "--",
-        "."
-      ];
+      const cmd = cmdt`
+        node --max-old-space-size=${this.options.memoryLimitInMB}
+        ${analyzerPath}
+        --timeout ${analyzesAllVulns ? this.options.timeoutInSeconds ?? 600 : 60}
+        --load-path ${loadPaths}
+        --vulnerabilities ${vulnAccPaths}
+        --output-diagnostics ${diagnosticsOutputFile}
+        --output-reached-packages ${reachedPackagesOutputFile}
+        --output-vulnerabilities ${vulnsOutputFile}
+        .`;
       if (PRINT_ANALYSIS_COMMAND)
         logger.info("Ruby analysis command:", cmd.join(" "));
       try {
         this.numberAnalysesRun++;
-        await exec(cmd);
+        await exec(cmd, this.projectDir);
         const result = JSON.parse(await readFile11(vulnsOutputFile, "utf-8"));
         const relativeLoadPathsToPackageNames = new Map([...loadPathsToPackageNames.entries()].map(([k, v]) => [join19("vendor", relative7(this.vendorDir, k)), v]));
-        const diagnostics = JSON.parse(await readFile11(diagnosticsOutputFile, "utf-8"));
+        const { timedOut, ...diagnostics } = JSON.parse(await readFile11(diagnosticsOutputFile, "utf-8"));
+        const reachedPackages = JSON.parse(await readFile11(reachedPackagesOutputFile, "utf-8"));
+        logger.debug("Reached packages: %O", reachedPackages);
         return {
           type: "success",
-          diagnostics: omit2({
+          diagnostics: {
             ...diagnostics,
-            timeout: diagnostics.timedOut,
+            timeout: timedOut,
             aborted: false
-          }, "timedOut"),
+          },
           reachedDependencies: true,
-          terminatedEarly: diagnostics.timedOut,
-          affectedPurls: [],
-          // TODO: add affected purls
+          terminatedEarly: timedOut,
+          affectedPurls: reachedPackages.map(({ name: name2, version: version3 }) => ({ type: "gem" /* GEM */, name: name2, version: version3 ?? void 0 })),
           computeDetectedOccurrences: detectedOccurrencesFromAPMatchesRuby(result, relativeLoadPathsToPackageNames)
         };
       } catch (e) {
@@ -107406,11 +107363,10 @@ var RubyCodeAwareVulnerabilityScanner = class {
     if (this.vendorDirWasCreated) {
       for (const pkg of packagesToAnalyze) {
         const libPath = join19(this.vendorDir, `${pkg.packageName}-${pkg.version}`, "lib");
-        if (existsSync13(libPath)) {
+        if (existsSync13(libPath))
           loadPathsToPackageNames.set(libPath, `${pkg.packageName}@${pkg.version}`);
-        } else {
+        else
           failedToFindLoadPath.push(pkg);
-        }
       }
       return { loadPathsToPackageNames, failedToFindLoadPath };
     }
@@ -107420,30 +107376,66 @@ var RubyCodeAwareVulnerabilityScanner = class {
       for (const rubyVersion of rubyVersions) {
         const gemsDir = join19(bundlerGemsDir, rubyVersion, "gems");
         if (existsSync13(gemsDir)) {
+          const nameToEntry = /* @__PURE__ */ new Map();
+          for (const entry of await readdir5(gemsDir, { withFileTypes: true }))
+            if (entry.isDirectory()) {
+              const match2 = entry.name.match(/^([\w-_]+)-(\d+\.\d+\.\d+)/);
+              if (match2)
+                nameToEntry.set(`${match2[1]}-${match2[2]}`, entry.name);
+            }
           for (const pkg of packagesToAnalyze) {
-            const gemDir = join19(gemsDir, `${pkg.packageName}-${pkg.version}`);
-            const libDir = join19(gemDir, "lib");
-            if (existsSync13(libDir)) {
+            const entry = nameToEntry.get(`${pkg.packageName}-${pkg.version}`);
+            if (!entry)
+              continue;
+            const libDir = join19(gemsDir, entry, "lib");
+            if (existsSync13(libDir))
               loadPathsToPackageNames.set(libDir, `${pkg.packageName}@${pkg.version}`);
-            } else {
+            else
               failedToFindLoadPath.push(pkg);
-            }
           }
         }
       }
-    } else {
+    } else
       for (const pkg of packagesToAnalyze) {
         const libPath = join19(this.vendorDir, `${pkg.packageName}-${pkg.version}`, "lib");
-        if (existsSync13(libPath)) {
+        if (existsSync13(libPath))
           loadPathsToPackageNames.set(libPath, `${pkg.packageName}@${pkg.version}`);
-        } else {
+        else
           failedToFindLoadPath.push(pkg);
-        }
       }
-    }
     return { loadPathsToPackageNames, failedToFindLoadPath };
   }
 };
+async function downloadAndExtractGem(gemName, version3, vendorDir) {
+  const gemDir = join19(vendorDir, `${gemName}-${version3}`);
+  if (existsSync13(gemDir)) {
+    logger.debug(`Gem ${gemName}@${version3} already extracted`);
+    return;
+  }
+  const tempGemFile = join19(vendorDir, `${gemName}-${version3}.gem`);
+  try {
+    logger.debug(`Downloading gem ${gemName}@${version3}`);
+    const response = await fetch(`https://rubygems.org/gems/${gemName}-${version3}.gem`);
+    if (!response.ok)
+      throw new Error(`Failed to download gem: ${response.statusText}`);
+    if (!response.body)
+      throw new Error("Response body is null");
+    await pipeline2(response.body, createWriteStream3(tempGemFile));
+    await mkdir8(gemDir, { recursive: true });
+    logger.debug(`Extracting gem ${gemName}@${version3}`);
+    await exec(["tar", "-xf", tempGemFile, "data.tar.gz"], gemDir);
+    await exec(["tar", "-xzf", "data.tar.gz"], gemDir);
+    await rm7(join19(gemDir, "data.tar.gz"));
+    const hasValidStructure = [`${gemName}.gemspec`, "Rakefile"].some((f2) => existsSync13(join19(gemDir, f2)));
+    if (!hasValidStructure)
+      throw new Error(`Invalid gem structure: Could not find ${gemName}.gemspec or Rakefile`);
+    await rm7(tempGemFile, { force: true });
+  } catch (e) {
+    await rm7(gemDir, { recursive: true, force: true });
+    await rm7(tempGemFile, { force: true });
+    throw e;
+  }
+}
 
 // dist/analyzers/ruby-analyzer.js
 var { once: once5 } = import_lodash20.default;