@coana-tech/cli 14.12.71 → 14.12.73

package/cli.mjs

@@ -205801,9 +205801,13 @@ async function fetchManifestFilesFromManifestsTarHash(manifestsTarHash) {
     throw new Error("we should never reach this point");
   }
 }
-async function fetchArtifactsFromManifestsTarHash(manifestsTarHash) {
+async function fetchArtifactsFromManifestsTarHash(manifestsTarHash, includePrecomputedReachabilityResults) {
   try {
-    const url2 = getSocketApiUrl(`orgs/${process.env.SOCKET_ORG_SLUG}/compute-artifacts?tarHash=${manifestsTarHash}`);
+    const params = new URLSearchParams({
+      tarHash: manifestsTarHash,
+      includePrecomputedReachabilityResults: String(includePrecomputedReachabilityResults ?? false)
+    });
+    const url2 = getSocketApiUrl(`orgs/${process.env.SOCKET_ORG_SLUG}/compute-artifacts?${params.toString()}`);
     const responseData = (await axios2.post(url2, {}, { headers: getAuthHeaders() })).data;
     return parseComputeArtifactsResponse(responseData);
   } catch (e) {
@@ -228738,6 +228742,9 @@ function vulnerabilitiesDiff(oldVulnerabilities, newVulnerabilities, dismissedVu
 // ../web-compat-utils/src/vulnerability-reachability.ts
 function getVulnReachability(c3) {
   if (c3.type === "noAnalysisCheck") return "REACHABLE";
+  if (c3.type === "precomputed") {
+    return c3.results.type === "unreachable" ? "UNREACHABLE" : "UNKNOWN";
+  }
   if (c3.type !== "success") {
     return "UNKNOWN";
   }
@@ -229736,6 +229743,29 @@ ${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVers
 // dist/internal/socket-mode-helpers-socket-dependency-trees.js
 import { basename as basename7, dirname as dirname21, join as join24, sep as sep5 } from "path";
 var REQUIREMENTS_FILES_SEARCH_DEPTH2 = 3;
+var venvExcludes = [
+  "venv",
+  ".venv",
+  "env",
+  ".env",
+  "virtualenv",
+  ".virtualenv",
+  "venvs",
+  ".venvs",
+  "envs",
+  ".envs",
+  "__pycache__",
+  ".tox",
+  ".nox",
+  ".pytest_cache",
+  "site-packages",
+  "dist-packages",
+  "conda-meta",
+  "conda-bld",
+  ".mypy_cache",
+  ".ruff_cache",
+  ".hypothesis"
+];
 function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonProjects) {
   switch (ecosystem) {
     case "NPM": {
@@ -229747,6 +229777,9 @@ function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonPro
       return ".";
     }
     case "PIP": {
+      if (venvExcludes.some((exclude) => manifestPath.startsWith(`${exclude}/`) || manifestPath.includes(`/${exclude}/`))) {
+        return void 0;
+      }
       const base = basename7(manifestPath);
       const dir = dirname21(manifestPath);
       const workspaceDir = dir === "" ? "." : dir;
@@ -229819,11 +229852,11 @@ function getAllToplevelAncestors(artifactMap, artifactId) {
   findAncestors(artifactId);
   return Array.from(toplevelAncestors);
 }
-async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash, mode) {
+async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash, mode, includePrecomputedReachabilityResults) {
   logger.info("Fetching artifacts from Socket backend (this may take a while)");
   logger.debug("manifests tar hash", manifestsTarHash);
   try {
-    const { artifacts } = await fetchArtifactsFromManifestsTarHash(manifestsTarHash);
+    const { artifacts } = await fetchArtifactsFromManifestsTarHash(manifestsTarHash, includePrecomputedReachabilityResults);
     const properPythonProjects = [];
     const pipArtifactToRepresentativeManifest = {};
     for (const artifact of artifacts) {
@@ -229831,29 +229864,6 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash,
         pipArtifactToRepresentativeManifest[simplePurl(artifact.type, artifact.namespace ?? "", artifact.name ?? "", artifact.version ?? "")] = artifact;
       }
     }
-    const venvExcludes = [
-      "venv",
-      ".venv",
-      "env",
-      ".env",
-      "virtualenv",
-      ".virtualenv",
-      "venvs",
-      ".venvs",
-      "envs",
-      ".envs",
-      "__pycache__",
-      ".tox",
-      ".nox",
-      ".pytest_cache",
-      "site-packages",
-      "dist-packages",
-      "conda-meta",
-      "conda-bld",
-      ".mypy_cache",
-      ".ruff_cache",
-      ".hypothesis"
-    ];
     const allFiles = await getFilesRelative(rootWorkingDirectory, venvExcludes);
     for (const file of allFiles) {
       const base = basename7(file);
@@ -229896,7 +229906,7 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash,
           break;
         }
         case "PIP": {
-          const sPurl = simplePurl(artifact.type, artifact.namespace ?? "", artifact.name ?? "", artifact.version ?? "");
+          const sPurl = simplePurl(artifact.type, artifact.namespace ?? null, artifact.name ?? null, artifact.version ?? null);
           if (pipArtifactToRepresentativeManifest[sPurl]) {
             manifestFiles.push(...(pipArtifactToRepresentativeManifest[sPurl].manifestFiles ?? []).map((ref) => ref.file));
           }
@@ -229925,7 +229935,7 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash,
         });
       }
       if (Object.keys(workspaceToManifestFiles).length === 0 && artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
-        purlsFailedToFindWorkspace.add(purlToString(artifact));
+        purlsFailedToFindWorkspace.add(simplePurl(artifact.type, artifact.namespace ?? null, artifact.name ?? null, artifact.version ?? null));
       }
       for (const [workspace, manifestFiles2] of Object.entries(workspaceToManifestFiles)) {
         const workspaceData = (ecosystemToWorkspaceToAnalysisData[ecosystem] ??= {})[workspace] ??= {
@@ -229952,7 +229962,8 @@ async function fetchArtifactsFromSocket(rootWorkingDirectory, manifestsTarHash,
               vulnChainDetails: computeVulnChainDetails(artifacts, artifact.id),
               vulnerabilityAccessPaths: vuln.reachabilityData?.undeterminableReachability ? vuln.reachabilityData.publicComment ?? "" : vuln.reachabilityData?.pattern ?? null,
               ecosystem,
-              artifactId: artifact.id
+              artifactId: artifact.id,
+              precomputedReachabilityResult: vuln.reachabilityData?.precomputedReachabilityResult ?? null
             };
             const vulnId = `${ecosystem}-${workspace}-${artifact.namespace}-${artifact.name}-${artifact.version}-${vulnerability.url}`;
             if (!ecosystemWorkspaceVulnIds.has(vulnId)) {
@@ -230455,6 +230466,16 @@ function isShortestPath(root3, vulnPath) {
 // ../web-compat-utils/src/analysis-error-keys.ts
 var CLI_ANALYSIS_ERROR_MESSAGE = "Sharing log due to analysis error";
 
+// ../web-compat-utils/src/pluralize.ts
+function pluralize(count, word) {
+  if (word === "vulnerability") {
+    return count === 1 ? "vulnerability" : "vulnerabilities";
+  } else {
+    word;
+    throw new Error(`Invalid word: ${word}`);
+  }
+}
+
 // ../web-compat-utils/src/package-utils.ts
 function extractNameAndVersion(packageNameAtVersion) {
   const atNpmIdx = packageNameAtVersion.indexOf("@npm:");
@@ -230872,11 +230893,15 @@ function toSocketFacts(report, dependencyTrees, subPjToWsPathToDirectDependencie
       };
       component.reachability.push(reachabilityForGHSA);
     }
-    reachabilityForGHSA.reachability.push({
-      ...toSocketReachabilitySchema(vulnerability),
-      workspacePath: vulnerability.workspacePath,
-      subprojectPath: vulnerability.subprojectPath
-    });
+    if (vulnerability.codeAwareScanResult.type === "precomputed") {
+      reachabilityForGHSA.reachability.push(vulnerability.codeAwareScanResult);
+    } else {
+      reachabilityForGHSA.reachability.push({
+        ...toSocketReachabilitySchema(vulnerability),
+        workspacePath: vulnerability.workspacePath,
+        subprojectPath: vulnerability.subprojectPath
+      });
+    }
   }
   return {
     components
@@ -230955,11 +230980,15 @@ function toSocketFactsSocketDependencyTree(artifacts, vulnerabilities, tier1Reac
       };
       component.reachability.push(reachabilityForGHSA);
     }
-    reachabilityForGHSA.reachability.push({
-      ...toSocketReachabilitySchema(vulnerability),
-      workspacePath: vulnerability.workspacePath,
-      subprojectPath: vulnerability.subprojectPath
-    });
+    if (vulnerability.codeAwareScanResult.type === "precomputed") {
+      reachabilityForGHSA.reachability.push(vulnerability.codeAwareScanResult);
+    } else {
+      reachabilityForGHSA.reachability.push({
+        ...toSocketReachabilitySchema(vulnerability),
+        workspacePath: vulnerability.workspacePath,
+        subprojectPath: vulnerability.subprojectPath
+      });
+    }
   }
   return {
     components: artifacts,
@@ -245855,7 +245884,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.12.71";
+var version2 = "14.12.73";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -246017,7 +246046,7 @@ var CliCore = class {
   async computeAndOutputReportSocketMode(otherModulesCommunicator) {
     logger.info("Fetching artifacts from Socket backend");
     this.sendProgress("SCAN_FOR_VULNERABILITIES", true, ".", ".");
-    const { artifacts, ecosystemToWorkspaceToAnalysisData, ecosystemToWorkspaceToVulnerabilities } = await fetchArtifactsFromSocket(this.rootWorkingDirectory, this.options.manifestsTarHash, "reachability");
+    const { artifacts, ecosystemToWorkspaceToAnalysisData, ecosystemToWorkspaceToVulnerabilities } = await fetchArtifactsFromSocket(this.rootWorkingDirectory, this.options.manifestsTarHash, "reachability", this.options.useUnreachableFromPrecomputation);
     this.sendProgress("SCAN_FOR_VULNERABILITIES", false, ".", ".");
     const subProjects = Object.entries(ecosystemToWorkspaceToAnalysisData).flatMap(([ecosystem, workspaceToAnalysisData]) => {
       return Object.entries(workspaceToAnalysisData).map(([workspace, analysisData]) => {
@@ -246242,7 +246271,9 @@ Subproject: ${subproject}`);
       "timeout",
       "analysisTimeout",
       "concurrency",
-      "excludeDirs"
+      "excludeDirs",
+      "useUnreachableFromPrecomputation",
+      "minSeverity"
     ]), null, 2));
     logger.info("available memory: %i MiB", os.freemem() / (1024 * 1024));
     try {
@@ -246320,9 +246351,11 @@ Subproject: ${subproject}`);
     const workspaceToAugmentedVulnerabilities = Object.fromEntries(await asyncMap(workspaces, async (workspacePath, index2) => {
       analysisStarting?.(workspacePath, index2 + 1, totalWorkspaces);
       const vulnerabilities = workspaceToVulnerabilities[workspacePath] ?? [];
+      logger.info(`Process workspace ${workspacePath} with ${vulnerabilities.length} ${pluralize(vulnerabilities.length, "vulnerability")}`);
       try {
         const dataForAnalysis = workspacePathToDataForAnalysis[workspacePath];
-        const [vulnerabilitiesToAnalyze, vulnerabilitiesBelowThreshold] = this.options.minSeverity ? partition(vulnerabilities, (v) => !v.severity || shouldAnalyzeBasedOnSeverity(v.severity, this.options.minSeverity)) : [vulnerabilities, []];
+        const [vulnsSatisfyingThreshold, vulnerabilitiesBelowThreshold] = this.options.minSeverity ? partition(vulnerabilities, (v) => !v.severity || shouldAnalyzeBasedOnSeverity(v.severity, this.options.minSeverity)) : [vulnerabilities, []];
+        const [vulnsUnreachableFromPrecomputation, vulnerabilitiesToAnalyze] = this.options.useUnreachableFromPrecomputation ? partition(vulnsSatisfyingThreshold, (v) => "precomputedReachabilityResult" in v && v.precomputedReachabilityResult?.type === "unreachable") : [[], vulnsSatisfyingThreshold];
         const vulnerabilitiesBelowThresholdWithResults = vulnerabilitiesBelowThreshold.map((v) => ({
           ...v,
           results: {
@@ -246330,10 +246363,23 @@ Subproject: ${subproject}`);
             message: `Reachability analysis not run since the severity of the vulnerability (${v.severity}) is lower than the min severity threshold: ${this.options.minSeverity}`
           }
         }));
+        const vulnerabilitiesDeterminedUnreachableFromPrecomputation = vulnsUnreachableFromPrecomputation.map((v) => ({
+          ...v,
+          results: {
+            type: "precomputed",
+            results: v.precomputedReachabilityResult
+          }
+        }));
         if (vulnerabilitiesBelowThreshold.length > 0) {
-          logger.info(`Reachability analysis not run for ${vulnerabilitiesBelowThreshold.length} vulnerabilities with severity level ${this.options.minSeverity} in workspace ${workspacePath}`);
+          logger.info(`Reachability analysis skipped for ${vulnerabilitiesBelowThreshold.length} ${pluralize(vulnerabilities.length, "vulnerability")} with severity below the min severity threshold: ${this.options.minSeverity}`);
+        }
+        if (vulnsUnreachableFromPrecomputation.length > 0) {
+          logger.info(`Reachability analysis skipped for ${vulnsUnreachableFromPrecomputation.length} ${pluralize(vulnerabilities.length, "vulnerability")} that ${vulnerabilities.length !== 1 ? "are" : "is"} already known to be unreachable from precomputed (Tier 2) reachability analysis`);
+        }
+        if (vulnerabilitiesToAnalyze.length > 0) {
+          logger.info(`Running reachability analysis for ${vulnerabilitiesToAnalyze.length} ${pluralize(vulnerabilities.length, "vulnerability")}`);
         }
-        const augmentedVulnerabilitiesToAnalyze = reachabilitySupported && !this.shouldExcludeAnalyzingWorkspace(subprojectPath, workspacePath) ? await this.runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, dataForAnalysis, ecosystem, vulnerabilitiesToAnalyze) : vulnerabilitiesToAnalyze.map((v) => ({
+        const augmentedVulnerabilitiesToAnalyze = vulnerabilitiesToAnalyze.length === 0 ? [] : reachabilitySupported && !this.shouldExcludeAnalyzingWorkspace(subprojectPath, workspacePath) ? await this.runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, dataForAnalysis, ecosystem, vulnerabilitiesToAnalyze) : vulnerabilitiesToAnalyze.map((v) => ({
           ...v,
           results: {
             type: "otherError",
@@ -246341,6 +246387,7 @@ Subproject: ${subproject}`);
           }
         }));
         const augmentedVulnerabilities = [
+          ...vulnerabilitiesDeterminedUnreachableFromPrecomputation,
           ...augmentedVulnerabilitiesToAnalyze,
           ...vulnerabilitiesBelowThresholdWithResults
         ];
@@ -246427,6 +246474,7 @@ Subproject: ${subproject}`);
     const [vulnsWithActualAPIPatterns, result] = partition(vulnerabilities, (v) => Array.isArray(v.vulnerabilityAccessPaths));
     for (const v of result)
       v.results = typeof v.vulnerabilityAccessPaths === "string" ? { type: "noAnalysisCheck", message: v.vulnerabilityAccessPaths } : { type: "missingVulnerabilityPattern" };
+    logger.info(`Reachability analysis not possible for ${result.length} of the ${pluralize(vulnerabilities.length, "vulnerability")}`);
     if (!vulnsWithActualAPIPatterns.length)
       return result;
     this.sendProgress("REACHABILITY_ANALYSIS", true, subprojectPath, workspacePath);
@@ -246469,7 +246517,7 @@ Subproject: ${subproject}`);
       }
       return {
         vulnerabilityUrl: v.url,
-        vulnerabilityUnreachableByPrecomputation: v.unreachableByPrecomputation ? v.unreachableByPrecomputation : "NOT_COMPUTED",
+        vulnerabilityUnreachableByPrecomputation: "NOT_COMPUTED",
         // vulnChainDetails is always present
         // we only keep it as optional (potentially undefined) to
         // handle requests to the backend from old version of the CLI.
@@ -246594,7 +246642,7 @@ async function getGitDataToMetadataIfAvailable(rootWorkingDirectory) {
 // dist/index.js
 var program2 = new Command();
 var run2 = new Command();
-run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
+run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   options.ecosystems = options.ecosystems?.map((e) => e.toUpperCase());
   options.minSeverity = options.minSeverity?.toUpperCase();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.71",
+  "version": "14.12.73",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -80792,6 +80792,9 @@ function hasReachableMatches(detectedOccurrences) {
 // ../web-compat-utils/src/vulnerability-reachability.ts
 function getVulnReachability(c) {
   if (c.type === "noAnalysisCheck") return "REACHABLE";
+  if (c.type === "precomputed") {
+    return c.results.type === "unreachable" ? "UNREACHABLE" : "UNKNOWN";
+  }
   if (c.type !== "success") {
     return "UNKNOWN";
   }
@@ -109133,7 +109136,7 @@ async function setupDependenciesForAnalysis(subprojectDir, workspaceDir, directD
   });
 }
 function convertToPackageMetadatas(workspaceDir, dependenciesToInstall, directDependencies, artifactIdToArtifact) {
-  const artifactIdToDepedenciesToInstallIdx = Object.fromEntries(dependenciesToInstall.map((dep, idx) => [
+  const artifactIdToDependenciesToInstallIdx = Object.fromEntries(dependenciesToInstall.map((dep, idx) => [
     Object.entries(artifactIdToArtifact).find(([_, artifact]) => artifact === dep.artifact)[0],
     idx + 1
   ]));
@@ -109146,16 +109149,16 @@ function convertToPackageMetadatas(workspaceDir, dependenciesToInstall, directDe
     installedPath: workspaceDir
   });
   for (const [parentId, parent2] of Object.entries(artifactIdToArtifact)) {
-    if (!(parentId in artifactIdToDepedenciesToInstallIdx))
+    if (!(parentId in artifactIdToDependenciesToInstallIdx))
       continue;
     for (const child of parent2.dependencies ?? []) {
       const childArtifact = artifactIdToArtifact[child];
-      if (!artifactIdToDepedenciesToInstallIdx[child])
+      if (!artifactIdToDependenciesToInstallIdx[child])
         continue;
       if (!artifactToParents.has(childArtifact)) {
         artifactToParents.set(childArtifact, []);
       }
-      artifactToParents.get(childArtifact).push(artifactIdToDepedenciesToInstallIdx[parentId]);
+      artifactToParents.get(childArtifact).push(artifactIdToDependenciesToInstallIdx[parentId]);
     }
   }
   for (const directDependency of directDependencies) {
@@ -109262,9 +109265,9 @@ function computePackagePlacements(packageMetadatas, nodeModulesDir) {
         addPlacementToRelativeInstallDirsForSCC(sccToPlace, /* @__PURE__ */ new Set([nodeModulesDir]), installNames);
         return;
       }
-      const parentMetadatas = Array.from(curParents).map((parentIndex) => packageMetadataDag.sccs[parentIndex].packages).flat();
+      const parentMetadatas = Array.from(curParents, (parentIndex) => packageMetadataDag.sccs[parentIndex].packages).flat();
       if (curSCC !== sccToPlace) {
-        const anyParentDependsOnDifferentPackageToPlace = parentMetadatas.some((parentPackage) => sccToPlace.packages.some((packageToPlace) => parentPackage.dependencies[packageToPlace.name] && // If the package to place has the parentPackage as a parent, then the version it depends on is actually the one to place, and therefore it should not have a different installation
+        const anyParentDependsOnDifferentPackageToPlace = parentMetadatas.some((parentPackage) => sccToPlace.packages.some((packageToPlace) => Object.hasOwn(parentPackage.dependencies, packageToPlace.name) && // If the package to place has the parentPackage as a parent, then the version it depends on is actually the one to place, and therefore it should not have a different installation
         !packageToPlace.parents.some((p2p) => packageMetadatas[p2p] === parentPackage)));
         if (anyParentDependsOnDifferentPackageToPlace) {
           addPlacementToRelativeToPackages(sccToPlace, curSCC.packages, installNames);
@@ -109272,16 +109275,16 @@ function computePackagePlacements(packageMetadatas, nodeModulesDir) {
         }
       }
       const installNamesClone = new Map([...installNames.entries()].map(([packageName, installNames2]) => [packageName, new Set(installNames2)]));
-      const newInstallNames = parentMetadatas.flatMap((parentPackage) => sccToPlace.packages.flatMap((packageToPlace) => Object.entries(parentPackage.dependencies).filter(([name2, version3]) => name2 === packageToPlace.name || version3.startsWith("npm:") && version3.includes(`${packageToPlace.name}@`)).map(([name2, _version]) => [packageToPlace.name, name2])));
-      for (const [packageName, installName] of newInstallNames) {
-        if (!installNamesClone.has(packageName)) {
-          installNamesClone.set(packageName, /* @__PURE__ */ new Set());
-        }
-        installNamesClone.get(packageName).add(installName);
+      const newInstallNames = parentMetadatas.flatMap((parentPackage) => sccToPlace.packages.flatMap((packageToPlace) => Object.entries(parentPackage.dependencies).filter(([name2, version3]) => name2 === packageToPlace.name || version3.startsWith("npm:") && version3.includes(`${packageToPlace.name}@`)).map(([name2]) => [packageToPlace, name2])));
+      for (const [packageMetadata, installName] of newInstallNames) {
+        const installNamesSet = installNamesClone.get(packageMetadata);
+        if (!installNamesSet)
+          installNamesClone.set(packageMetadata, /* @__PURE__ */ new Set([installName]));
+        else
+          installNamesSet.add(installName);
       }
-      for (const parent2 of curParents) {
+      for (const parent2 of curParents)
         recHelper2(parent2, installNamesClone);
-      }
     };
     var recHelper = recHelper2;
     addPlacementsDirectIfMultipleVersions(sccToPlace);
@@ -109304,8 +109307,8 @@ function computePackagePlacements(packageMetadatas, nodeModulesDir) {
         const parentMetadata = packageMetadatas[parent2];
         const parentInstallDirs = computedPlacements.get(parentMetadata);
         if (parentInstallDirs) {
-          const dependencyInstallName = metadataToPlace.name in parentMetadata.dependencies ? metadataToPlace.name : Object.entries(parentMetadata.dependencies).find(([_name, version3]) => version3.startsWith("npm:") && version3.includes(`${metadataToPlace.name}@`))?.[0];
-          addPlacementToRelativeInstallDirs(metadataToPlace, parentInstallDirs, /* @__PURE__ */ new Map([[metadataToPlace.name, /* @__PURE__ */ new Set([dependencyInstallName ?? metadataToPlace.name])]]));
+          const dependencyInstallName = Object.hasOwn(parentMetadata.dependencies, metadataToPlace.name) ? metadataToPlace.name : Object.entries(parentMetadata.dependencies).find(([, version3]) => version3.startsWith("npm:") && version3.includes(`${metadataToPlace.name}@`))?.[0];
+          addPlacementToRelativeInstallDirs(metadataToPlace, parentInstallDirs, /* @__PURE__ */ new Map([[metadataToPlace, /* @__PURE__ */ new Set([dependencyInstallName ?? metadataToPlace.name])]]));
         }
       }
     }
@@ -109317,24 +109320,23 @@ function computePackagePlacements(packageMetadatas, nodeModulesDir) {
     }
   }
   function addPlacementToRelativeInstallDirsForSCC(sccToPlace, installDirs, installNames) {
-    for (const metadataToPlace of sccToPlace.packages) {
+    for (const metadataToPlace of sccToPlace.packages)
       addPlacementToRelativeInstallDirs(metadataToPlace, installDirs, installNames);
-    }
   }
   function addPlacementToRelativeInstallDirs(metadataToPlace, installDirs, installNames) {
     if (metadataToPlace.name === ROOT_PACKAGE_METADATA_NAME) {
       return;
     }
-    if (!computedPlacements.has(metadataToPlace)) {
-      computedPlacements.set(metadataToPlace, /* @__PURE__ */ new Set());
-    }
+    let computedPlacementsForMetadata = computedPlacements.get(metadataToPlace);
+    if (!computedPlacementsForMetadata)
+      computedPlacements.set(metadataToPlace, computedPlacementsForMetadata = /* @__PURE__ */ new Set());
     for (const installDir of [...installDirs]) {
-      for (const installName of installNames.get(metadataToPlace.name) ?? /* @__PURE__ */ new Set([metadataToPlace.name])) {
+      for (const installName of installNames.get(metadataToPlace) ?? /* @__PURE__ */ new Set([metadataToPlace.name])) {
         if (installDir.endsWith(`/node_modules/${installName}`))
           continue;
         const computedInstallDir = installDir.endsWith(nodeModulesDir) ? resolve11(installDir, installName) : resolve11(installDir, "node_modules", installName);
         if (!allInstallDirs.has(computedInstallDir)) {
-          computedPlacements.get(metadataToPlace).add(computedInstallDir);
+          computedPlacementsForMetadata.add(computedInstallDir);
           allInstallDirs.add(computedInstallDir);
         }
       }
@@ -112172,7 +112174,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       try {
         newAnalysisRunListener();
         const initialBucketContainingAllVulns = buckets.length === 1 && buckets[0] === bucket;
-        logger.info(`Running analysis for ${vulnsForBucket.length}/${vulnerabilities.length} vulnerabilities.`);
+        logger.info(`Running full reachability analysis for ${vulnsForBucket.length}/${vulnerabilities.length} vulnerabilities.`);
         const result = await codeAwareScanner.runAnalysis(vulnsForBucket, bucket.heuristic, initialBucketContainingAllVulns, experiment);
         const allowSplitInBuckets = !disableBucketing && bucket.heuristic.splitAnalysisInBuckets && !state.otherAnalysisOptions.disableBucketing && vulnDepIdentifiers.length > 1 && (result.type === "error" || result.reachedDependencies);
         if (result.type === "success") {
@@ -112462,6 +112464,18 @@ var import_picomatch4 = __toESM(require_picomatch4(), 1);
 import { existsSync as existsSync13 } from "fs";
 import { rm as rm6 } from "fs/promises";
 import { resolve as resolve20 } from "path";
+
+// ../web-compat-utils/src/pluralize.ts
+function pluralize(count, word) {
+  if (word === "vulnerability") {
+    return count === 1 ? "vulnerability" : "vulnerabilities";
+  } else {
+    word;
+    throw new Error(`Invalid word: ${word}`);
+  }
+}
+
+// dist/analyzers/npm-analyzer.js
 var { partition: partition3, memoize: memoize2 } = import_lodash19.default;
 var NpmAnalyzer = class {
   state;
@@ -112487,6 +112501,7 @@ var NpmAnalyzer = class {
     try {
       const vulnerabilityScanner = new JSCodeAwareVulnerabilityScanner(this.state.rootWorkingDir, this.projectDir, this.state.reachabilityAnalysisOptions);
       await vulnerabilityScanner.prepareDependencies(this.state, heuristicsInOrder[0]);
+      logger.info(`Running import reachability analysis for ${vulns.length} ${pluralize(vulns.length, "vulnerability")}`);
       let reachable;
       try {
         statusUpdater?.("Running import reachability analysis");
@@ -112520,6 +112535,7 @@ var NpmAnalyzer = class {
             return /[*?{}]/.test(modGlob) ? checkGlob(modGlob) : !reachableModuleNames.has(modGlob);
           });
         }));
+        logger.info(`Found ${unreachableVulns.length} ${pluralize(unreachableVulns.length, "vulnerability")} that ${unreachableVulns.length !== 1 ? "are" : "is"} unreachable from the import graph`);
       }
       const res = otherVulns.length ? await analyzeWithHeuristics(this.state, otherVulns, heuristicsInOrder, true, vulnerabilityScanner, analysisMetadataCollector, statusUpdater) : [];
       if (unreachableVulns.length) {