npm - @coana-tech/cli - Versions diffs - 14.9.20 → 14.9.21 - Mend

@coana-tech/cli 14.9.20 → 14.9.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/cli.mjs +122 -7
package/package.json +1 -1

package/cli.mjs CHANGED Viewed

@@ -212320,7 +212320,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 // dist/version.js
-var version2 = "14.9.20";
+var version2 = "14.9.21";
 // ../../node_modules/.pnpm/axios@1.9.0/node_modules/axios/lib/helpers/bind.js
 function bind2(fn2, thisArg) {
@@ -215683,7 +215683,17 @@ async function scanForVulnerabilitiesSocketMode(dependencyTree) {
       const dependencyTreeNode = dependencyTree.transitiveDependencies[dependencyIdentifier];
       if (!dependencyTreeNode)
         throw new Error(`Dependency tree does not contain dependency ${simplePurlForComponent}`);
-      dependencyTreeNode.purl = c3.purl;
+      dependencyTreeNode.purlObj = {
+        type: c3.purl_type,
+        namespace: c3.namespace ?? void 0,
+        name: c3.name,
+        version: c3.version ?? void 0,
+        subpath: c3.subpath ?? void 0,
+        artifactId: c3.artifactId ?? void 0,
+        artifact_id: c3.artifact_id ?? void 0,
+        qualifiers: c3.qualifiers ?? void 0,
+        purlString: c3.purl
+      };
       for (const vulnerability of c3.vulnerabilities) {
         vulnerabilities.push({
           url: vulnerability.ghsaId,
@@ -215801,6 +215811,112 @@ function getNamespaceAndName(ecosystem, packageName) {
   return { namespace: namespace2, name };
 }
+// dist/internal/socket-report.js
+function toSocketFacts(report, dependencyTrees) {
+  const components = [];
+  const purlToIndex = /* @__PURE__ */ new Map();
+  for (const dependencyTree of dependencyTrees) {
+    const depIdentifierToPurl = Object.fromEntries(Object.entries(dependencyTree.dependencyTree.transitiveDependencies).map(([depIdentifier, dep]) => {
+      const purl = dep.purlObj.purlString;
+      if (purl && !purlToIndex.has(purl)) {
+        purlToIndex.set(purl, components.length);
+        const depTreeNode = dependencyTree.dependencyTree.transitiveDependencies[depIdentifier];
+        components[purlToIndex.get(purl)] = {
+          id: purlToIndex.get(purl).toString(),
+          type: depTreeNode.purlObj.type,
+          name: depTreeNode.purlObj.name,
+          version: depTreeNode.purlObj.version,
+          namespace: depTreeNode.purlObj.namespace,
+          subpath: depTreeNode.purlObj.subpath,
+          artifact_id: depTreeNode.purlObj.artifact_id,
+          artifactId: depTreeNode.purlObj.artifactId,
+          qualifiers: depTreeNode.purlObj.qualifiers,
+          // direct: false, // TODO: add direct flag
+          // dev: false, // TODO: add dev flag
+          dependencies: []
+        };
+      }
+      return [depIdentifier, purl];
+    }));
+    for (const [depIdentifier, purl] of Object.entries(depIdentifierToPurl)) {
+      const depTreeNode = dependencyTree.dependencyTree.transitiveDependencies[depIdentifier];
+      const component = components[purlToIndex.get(purl)];
+      depTreeNode.dependencies?.forEach((dep) => {
+        const depPurl = depIdentifierToPurl[dep];
+        const depIndex = purlToIndex.get(depPurl);
+        if (!component.dependencies?.includes(depIndex.toString())) {
+          component.dependencies.push(depIndex.toString());
+        }
+      });
+    }
+  }
+  for (const vulnerability of report.vulnerabilities) {
+    const component = components[purlToIndex.get(vulnerability.purl)];
+    if (!component) {
+      throw new Error(`Component not found for vulnerability ${vulnerability.purl}`);
+    }
+    if (!component.reachability) {
+      component.reachability = [];
+    }
+    let reachabilityForGHSA = component.reachability?.find((r2) => r2.ghsa_id === vulnerability.vulnerabilityUrl.replace("https://github.com/advisories/", ""));
+    if (!reachabilityForGHSA) {
+      reachabilityForGHSA = {
+        ghsa_id: vulnerability.vulnerabilityUrl.replace("https://github.com/advisories/", ""),
+        reachability: []
+      };
+      component.reachability.push(reachabilityForGHSA);
+    }
+    reachabilityForGHSA.reachability.push({
+      ...toSocketReachabilitySchema(vulnerability),
+      workspacePath: vulnerability.workspacePath,
+      subprojectPath: vulnerability.subprojectPath
+    });
+  }
+  return {
+    components
+  };
+}
+function toSocketReachabilitySchema(vulnerability) {
+  if (vulnerability.codeAwareScanResult.type === "missingVulnerabilityPattern") {
+    return { type: "missing_support" };
+  }
+  if (vulnerability.codeAwareScanResult.type === "noAnalysisCheck") {
+    return { type: "undeterminable_reachability" };
+  }
+  if (vulnerability.codeAwareScanResult.type === "analysisError") {
+    return { type: "error", error: vulnerability.codeAwareScanResult.message };
+  }
+  if (vulnerability.codeAwareScanResult.type === "otherError") {
+    return { type: "error", error: vulnerability.codeAwareScanResult.message };
+  }
+  if (vulnerability.codeAwareScanResult.type === "success") {
+    if (Array.isArray(vulnerability.codeAwareScanResult.detectedOccurrences)) {
+      if (vulnerability.codeAwareScanResult.detectedOccurrences.length === 0) {
+        return { type: "unreachable" };
+      }
+      throw new Error("Detected occurrences is an array with elements. This is a bug.");
+    }
+    const detOccWithStacks = vulnerability.codeAwareScanResult.detectedOccurrences;
+    if (detOccWithStacks.stacks.length === 0) {
+      return { type: "unreachable" };
+    }
+    if (detOccWithStacks.analysisLevel === "function-level") {
+      return {
+        type: "reachable",
+        analysisLevel: detOccWithStacks.analysisLevel,
+        matches: detOccWithStacks.stacks
+      };
+    } else if (detOccWithStacks.analysisLevel === "class-level") {
+      return {
+        type: "reachable",
+        analysisLevel: detOccWithStacks.analysisLevel,
+        matches: detOccWithStacks.stacks
+      };
+    }
+  }
+  throw new Error("Unknown codeAwareScanResult type");
+}
 // dist/cli-core.js
 var { omit, partition, pick } = import_lodash15.default;
 var CliCore = class {
@@ -215936,10 +216052,7 @@ var CliCore = class {
       if (!this.reportDependencyTrees) {
         throw new Error("Dependency trees should be available when using --socket-mode");
       }
-      const socketReport = {
-        ...report,
-        dependencyTrees: this.reportDependencyTrees
-      };
+      const socketReport = toSocketFacts(report, this.reportDependencyTrees);
       const outputFile = resolve24(this.options.socketMode);
       await writeFile10(outputFile, JSON.stringify(socketReport, null, 2));
       logger.info(kleur_default.green(`Socket report written to: ${outputFile}`));
@@ -216278,7 +216391,9 @@ var CliCore = class {
         packageVersion: vulnerableNode.version ?? "",
         ecosystem: v.ecosystem ?? "NPM",
         dependencyType,
-        reachability
+        reachability,
+        purl: v.purl,
+        purlType: v.purlType
       };
     });
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.9.20",
+  "version": "14.9.21",
   "description": "Coana CLI",
   "type": "module",
   "bin": {