@coana-tech/cli 14.9.19 → 14.9.21

package/cli.mjs

@@ -212320,7 +212320,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.9.19";
+var version2 = "14.9.21";
 
 // ../../node_modules/.pnpm/axios@1.9.0/node_modules/axios/lib/helpers/bind.js
 function bind2(fn2, thisArg) {
@@ -215677,22 +215677,36 @@ async function scanForVulnerabilitiesSocketMode(dependencyTree) {
     let simplePurlForComponent = simplePurl(c3.purl_type, c3.namespace, c3.name, c3.version);
     if (!(simplePurlForComponent in purlStringsToIdentifier))
       simplePurlForComponent = simplePurl(c3.purl_type, c3.namespace, c3.name, null);
-    const dependencyIdentifier = purlStringsToIdentifier[simplePurlForComponent];
-    dependencyIdentifiersNotFound.delete(dependencyIdentifier);
-    const dependencyTreeNode = dependencyTree.transitiveDependencies[dependencyIdentifier];
-    if (!dependencyTreeNode)
-      throw new Error(`Dependency tree does not contain dependency ${simplePurlForComponent}`);
-    dependencyTreeNode.purl = c3.purl;
-    for (const vulnerability of c3.vulnerabilities) {
-      vulnerabilities.push({
-        url: vulnerability.ghsaId,
-        range: vulnerability.range,
-        name: dependencyTreeNode.packageName,
-        dependency: dependencyTreeNode.packageName,
-        vulnChainDetails: computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMap),
-        vulnerabilityAccessPaths: vulnerability.reachabilityData?.pattern,
-        ecosystem: dependencyTree.ecosystem
-      });
+    const dependencyIdentifiers = purlStringsToIdentifier[simplePurlForComponent];
+    for (const dependencyIdentifier of dependencyIdentifiers) {
+      dependencyIdentifiersNotFound.delete(dependencyIdentifier);
+      const dependencyTreeNode = dependencyTree.transitiveDependencies[dependencyIdentifier];
+      if (!dependencyTreeNode)
+        throw new Error(`Dependency tree does not contain dependency ${simplePurlForComponent}`);
+      dependencyTreeNode.purlObj = {
+        type: c3.purl_type,
+        namespace: c3.namespace ?? void 0,
+        name: c3.name,
+        version: c3.version ?? void 0,
+        subpath: c3.subpath ?? void 0,
+        artifactId: c3.artifactId ?? void 0,
+        artifact_id: c3.artifact_id ?? void 0,
+        qualifiers: c3.qualifiers ?? void 0,
+        purlString: c3.purl
+      };
+      for (const vulnerability of c3.vulnerabilities) {
+        vulnerabilities.push({
+          url: vulnerability.ghsaId,
+          purl: c3.purl,
+          purlType: c3.purl_type,
+          range: vulnerability.range,
+          name: dependencyTreeNode.packageName,
+          dependency: dependencyTreeNode.packageName,
+          vulnChainDetails: computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMap),
+          vulnerabilityAccessPaths: vulnerability.reachabilityData?.pattern,
+          ecosystem: dependencyTree.ecosystem
+        });
+      }
     }
   }
   for (const dependencyIdentifier of dependencyIdentifiersNotFound) {
@@ -215707,7 +215721,9 @@ function getPurlStrings(dependencyTree) {
     const { namespace: namespace2, name } = getNamespaceAndName(dependencyTree.ecosystem, node.packageName);
     const version3 = node.version;
     const purl = simplePurl(type, namespace2, name, version3);
-    res[purl] = depId;
+    if (!res[purl])
+      res[purl] = /* @__PURE__ */ new Set();
+    res[purl].add(depId);
   }
   return res;
 }
@@ -215753,19 +215769,19 @@ function transformToVulnChainNode(dependencyTree) {
 function getPurlType(ecosystem) {
   switch (ecosystem) {
     case "NPM":
-      return PURL_Type.NPM;
+      return "npm" /* NPM */;
     case "MAVEN":
-      return PURL_Type.MAVEN;
+      return "maven" /* MAVEN */;
     case "PIP":
-      return PURL_Type.PYPI;
+      return "pypi" /* PYPI */;
     case "NUGET":
-      return PURL_Type.NUGET;
+      return "nuget" /* NUGET */;
     case "GO":
-      return PURL_Type.GOLANG;
+      return "golang" /* GOLANG */;
     case "RUST":
-      return PURL_Type.CARGO;
+      return "cargo" /* CARGO */;
     case "RUBYGEMS":
-      return PURL_Type.GEM;
+      return "gem" /* GEM */;
     default:
       throw new Error(`Unsupported ecosystem: ${ecosystem}`);
   }
@@ -215794,39 +215810,112 @@ function getNamespaceAndName(ecosystem, packageName) {
   }
   return { namespace: namespace2, name };
 }
-var PURL_Type;
-(function(PURL_Type2) {
-  PURL_Type2["ALPM"] = "alpm";
-  PURL_Type2["APK"] = "apk";
-  PURL_Type2["BITBUCKET"] = "bitbucket";
-  PURL_Type2["COCOAPODS"] = "cocoapods";
-  PURL_Type2["CARGO"] = "cargo";
-  PURL_Type2["COMPOSER"] = "composer";
-  PURL_Type2["CONAN"] = "conan";
-  PURL_Type2["CONDA"] = "conda";
-  PURL_Type2["CRAN"] = "cran";
-  PURL_Type2["DEB"] = "deb";
-  PURL_Type2["DOCKER"] = "docker";
-  PURL_Type2["GEM"] = "gem";
-  PURL_Type2["GENERIC"] = "generic";
-  PURL_Type2["GITHUB"] = "github";
-  PURL_Type2["GOLANG"] = "golang";
-  PURL_Type2["HACKAGE"] = "hackage";
-  PURL_Type2["HEX"] = "hex";
-  PURL_Type2["HUGGINGFACE"] = "huggingface";
-  PURL_Type2["MAVEN"] = "maven";
-  PURL_Type2["MLFLOW"] = "mlflow";
-  PURL_Type2["NPM"] = "npm";
-  PURL_Type2["NUGET"] = "nuget";
-  PURL_Type2["QPKG"] = "qpkg";
-  PURL_Type2["OCI"] = "oci";
-  PURL_Type2["PUB"] = "pub";
-  PURL_Type2["PYPI"] = "pypi";
-  PURL_Type2["RPM"] = "rpm";
-  PURL_Type2["SWID"] = "swid";
-  PURL_Type2["SWIFT"] = "swift";
-  PURL_Type2["UNKNOWN"] = "unknown";
-})(PURL_Type || (PURL_Type = {}));
+
+// dist/internal/socket-report.js
+function toSocketFacts(report, dependencyTrees) {
+  const components = [];
+  const purlToIndex = /* @__PURE__ */ new Map();
+  for (const dependencyTree of dependencyTrees) {
+    const depIdentifierToPurl = Object.fromEntries(Object.entries(dependencyTree.dependencyTree.transitiveDependencies).map(([depIdentifier, dep]) => {
+      const purl = dep.purlObj.purlString;
+      if (purl && !purlToIndex.has(purl)) {
+        purlToIndex.set(purl, components.length);
+        const depTreeNode = dependencyTree.dependencyTree.transitiveDependencies[depIdentifier];
+        components[purlToIndex.get(purl)] = {
+          id: purlToIndex.get(purl).toString(),
+          type: depTreeNode.purlObj.type,
+          name: depTreeNode.purlObj.name,
+          version: depTreeNode.purlObj.version,
+          namespace: depTreeNode.purlObj.namespace,
+          subpath: depTreeNode.purlObj.subpath,
+          artifact_id: depTreeNode.purlObj.artifact_id,
+          artifactId: depTreeNode.purlObj.artifactId,
+          qualifiers: depTreeNode.purlObj.qualifiers,
+          // direct: false, // TODO: add direct flag
+          // dev: false, // TODO: add dev flag
+          dependencies: []
+        };
+      }
+      return [depIdentifier, purl];
+    }));
+    for (const [depIdentifier, purl] of Object.entries(depIdentifierToPurl)) {
+      const depTreeNode = dependencyTree.dependencyTree.transitiveDependencies[depIdentifier];
+      const component = components[purlToIndex.get(purl)];
+      depTreeNode.dependencies?.forEach((dep) => {
+        const depPurl = depIdentifierToPurl[dep];
+        const depIndex = purlToIndex.get(depPurl);
+        if (!component.dependencies?.includes(depIndex.toString())) {
+          component.dependencies.push(depIndex.toString());
+        }
+      });
+    }
+  }
+  for (const vulnerability of report.vulnerabilities) {
+    const component = components[purlToIndex.get(vulnerability.purl)];
+    if (!component) {
+      throw new Error(`Component not found for vulnerability ${vulnerability.purl}`);
+    }
+    if (!component.reachability) {
+      component.reachability = [];
+    }
+    let reachabilityForGHSA = component.reachability?.find((r2) => r2.ghsa_id === vulnerability.vulnerabilityUrl.replace("https://github.com/advisories/", ""));
+    if (!reachabilityForGHSA) {
+      reachabilityForGHSA = {
+        ghsa_id: vulnerability.vulnerabilityUrl.replace("https://github.com/advisories/", ""),
+        reachability: []
+      };
+      component.reachability.push(reachabilityForGHSA);
+    }
+    reachabilityForGHSA.reachability.push({
+      ...toSocketReachabilitySchema(vulnerability),
+      workspacePath: vulnerability.workspacePath,
+      subprojectPath: vulnerability.subprojectPath
+    });
+  }
+  return {
+    components
+  };
+}
+function toSocketReachabilitySchema(vulnerability) {
+  if (vulnerability.codeAwareScanResult.type === "missingVulnerabilityPattern") {
+    return { type: "missing_support" };
+  }
+  if (vulnerability.codeAwareScanResult.type === "noAnalysisCheck") {
+    return { type: "undeterminable_reachability" };
+  }
+  if (vulnerability.codeAwareScanResult.type === "analysisError") {
+    return { type: "error", error: vulnerability.codeAwareScanResult.message };
+  }
+  if (vulnerability.codeAwareScanResult.type === "otherError") {
+    return { type: "error", error: vulnerability.codeAwareScanResult.message };
+  }
+  if (vulnerability.codeAwareScanResult.type === "success") {
+    if (Array.isArray(vulnerability.codeAwareScanResult.detectedOccurrences)) {
+      if (vulnerability.codeAwareScanResult.detectedOccurrences.length === 0) {
+        return { type: "unreachable" };
+      }
+      throw new Error("Detected occurrences is an array with elements. This is a bug.");
+    }
+    const detOccWithStacks = vulnerability.codeAwareScanResult.detectedOccurrences;
+    if (detOccWithStacks.stacks.length === 0) {
+      return { type: "unreachable" };
+    }
+    if (detOccWithStacks.analysisLevel === "function-level") {
+      return {
+        type: "reachable",
+        analysisLevel: detOccWithStacks.analysisLevel,
+        matches: detOccWithStacks.stacks
+      };
+    } else if (detOccWithStacks.analysisLevel === "class-level") {
+      return {
+        type: "reachable",
+        analysisLevel: detOccWithStacks.analysisLevel,
+        matches: detOccWithStacks.stacks
+      };
+    }
+  }
+  throw new Error("Unknown codeAwareScanResult type");
+}
 
 // dist/cli-core.js
 var { omit, partition, pick } = import_lodash15.default;
@@ -215963,10 +216052,7 @@ var CliCore = class {
       if (!this.reportDependencyTrees) {
         throw new Error("Dependency trees should be available when using --socket-mode");
       }
-      const socketReport = {
-        ...report,
-        dependencyTrees: this.reportDependencyTrees
-      };
+      const socketReport = toSocketFacts(report, this.reportDependencyTrees);
       const outputFile = resolve24(this.options.socketMode);
       await writeFile10(outputFile, JSON.stringify(socketReport, null, 2));
       logger.info(kleur_default.green(`Socket report written to: ${outputFile}`));
@@ -216305,7 +216391,9 @@ var CliCore = class {
         packageVersion: vulnerableNode.version ?? "",
         ecosystem: v.ecosystem ?? "NPM",
         dependencyType,
-        reachability
+        reachability,
+        purl: v.purl,
+        purlType: v.purlType
       };
     });
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.9.19",
+  "version": "14.9.21",
   "description": "Coana CLI",
   "type": "module",
   "bin": {