@coana-tech/cli 14.9.29 → 14.9.30

package/cli.mjs

@@ -221972,7 +221972,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.9.29";
+var version2 = "14.9.30";
 
 // ../../node_modules/.pnpm/axios@1.9.0/node_modules/axios/lib/helpers/bind.js
 function bind2(fn2, thisArg) {
@@ -225330,7 +225330,7 @@ function getAdvisoryEcosystemFromPurl(purl) {
 function getPurlStrings(dependencyTree) {
   const res = {};
   for (const [depId, node] of Object.entries(dependencyTree.transitiveDependencies)) {
-    const type = getPurlType(dependencyTree.ecosystem);
+    const type = getPurlType(dependencyTree.ecosystem ?? "NPM");
     const { namespace: namespace2, name } = getNamespaceAndName(dependencyTree.ecosystem, node.packageName);
     const version3 = node.version;
     const purl = simplePurl(type, namespace2, name, version3);
@@ -225935,10 +225935,6 @@ var CliCore = class {
     };
   }
   async runOnSubproject(otherModulesCommunicator, subProjAndWsPath, reachabilitySupported) {
-    const { packageManagerName, subprojectPath, workspacePaths } = subProjAndWsPath;
-    this.sendProgress("RUN_ON_SUBPROJECT", true, subprojectPath);
-    const rootWorkingDirectory = this.rootWorkingDirectory;
-    const ecosystem = subProjAndWsPath.ecosystem;
     try {
       let pruneVulnerablePathsToShortestPathsOnly2 = function(ecosystem2, workspaceToAugmentedVulnerabilities2) {
         const vulnerabilityToWorkspaceToCodeAwareScanSuccess = {};
@@ -225987,43 +225983,8 @@ var CliCore = class {
         }
       };
       var pruneVulnerablePathsToShortestPathsOnly = pruneVulnerablePathsToShortestPathsOnly2;
-      this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", true, subprojectPath);
-      const projectInfo = await otherModulesCommunicator.prepareProjectAndGetProjectData(packageManagerName, subprojectPath, workspacePaths, this.options.lightweightReachability, this.options.providerProject ? await this.runOnProvider(this.options.providerProject) : void 0);
-      this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", false, subprojectPath);
-      const workspaceToPlainDependencyTree = Object.fromEntries(workspacePaths.map((workspacePath) => [
-        workspacePath,
-        toPlainDependencyTree(projectInfo[workspacePath].dataForAnalysis.dependencyTree)
-      ]));
-      const dependencyTrees = workspacePaths.map((workspacePath) => ({
-        treeType: "v1",
-        dependencyTree: workspaceToPlainDependencyTree[workspacePath],
-        ecosystem: workspaceToPlainDependencyTree[workspacePath].ecosystem ?? "NPM",
-        workspacePath,
-        subprojectPath: relative10(rootWorkingDirectory, subprojectPath) || "."
-      }));
-      if (this.options.socketMode)
-        this.reportDependencyTrees = dependencyTrees;
-      if (this.shareWithDashboard)
-        sendDependencyTreesToDashboard(dependencyTrees, this.reportId, this.apiKey);
-      const workspaceToVulnerabilities = Object.fromEntries(await asyncMap(workspacePaths, async (workspacePath, idx) => this.spinner.wrap(`Scanning for vulnerabilities: (${subProjAndWsPath.packageManagerName}) (${idx + 1}/${workspacePaths.length}) ${workspacePath}`, async () => {
-        const dependencyTree = projectInfo[workspacePath].dataForAnalysis.dependencyTree;
-        this.sendProgress("SCAN_FOR_VULNERABILITIES", true, subprojectPath, workspacePath);
-        try {
-          return [
-            workspacePath,
-            this.options.socketMode ? await scanForVulnerabilitiesSocketMode(workspaceToPlainDependencyTree[workspacePath]) : (await scanForVulnerabilities(dependencyTree, this.options.offlineDatabase, this.apiKey, Number(this.options.timeout))).vulnerabilities
-          ];
-        } catch (e) {
-          logger.error(`Scanning for vulnerabilities failed for subproject ${subprojectPath} in workspace ${workspacePath}`);
-          throw e;
-        } finally {
-          this.sendProgress("SCAN_FOR_VULNERABILITIES", false, subprojectPath, workspacePath);
-        }
-      })));
-      const workspaceToDependencyTree = Object.fromEntries(workspacePaths.map((workspacePath) => [
-        workspacePath,
-        projectInfo[workspacePath].dataForAnalysis.dependencyTree
-      ]));
+      const { ecosystem, subprojectPath, workspacePaths } = subProjAndWsPath;
+      const { projectInfo, workspaceToVulnerabilities } = await this.getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subProjAndWsPath);
       const workspaceToAugmentedVulnerabilities = Object.fromEntries(await asyncMap(workspacePaths, async (workspacePath) => {
         const dataForAnalysis = projectInfo[workspacePath].dataForAnalysis;
         const vulnerabilities = workspaceToVulnerabilities[workspacePath];
@@ -226041,13 +226002,13 @@ var CliCore = class {
       }
       return workspacePaths.map((workspacePath) => {
         const codeAwareScanResultsForAllPackages = [];
-        codeAwareScanResultsForAllPackages.push(...this.transformToReportVulnerabilities(workspaceToAugmentedVulnerabilities[workspacePath], projectInfo[workspacePath].directDependenciesMap ?? {}, subprojectPath, workspacePath, rootWorkingDirectory));
+        codeAwareScanResultsForAllPackages.push(...this.transformToReportVulnerabilities(workspaceToAugmentedVulnerabilities[workspacePath], projectInfo[workspacePath].directDependenciesMap ?? {}, subprojectPath, workspacePath, this.rootWorkingDirectory));
         return {
-          subprojectPath: relative10(rootWorkingDirectory, subprojectPath) || ".",
+          subprojectPath: relative10(this.rootWorkingDirectory, subprojectPath) || ".",
           workspacePath,
           directDependencies: projectInfo[workspacePath].directDependenciesMap ?? {},
           vulnerabilities: codeAwareScanResultsForAllPackages,
-          dependencyTree: workspaceToDependencyTree[workspacePath]
+          dependencyTree: projectInfo[workspacePath].dataForAnalysis.dependencyTree
         };
       });
     } finally {
@@ -226117,6 +226078,45 @@ var CliCore = class {
       };
     });
   }
+  async getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subProjAndWsPath) {
+    const { packageManagerName, subprojectPath, workspacePaths } = subProjAndWsPath;
+    this.sendProgress("RUN_ON_SUBPROJECT", true, subprojectPath);
+    const rootWorkingDirectory = this.rootWorkingDirectory;
+    this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", true, subprojectPath);
+    const projectInfo = await otherModulesCommunicator.prepareProjectAndGetProjectData(packageManagerName, subprojectPath, workspacePaths, this.options.lightweightReachability, this.options.providerProject ? await this.runOnProvider(this.options.providerProject) : void 0);
+    this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", false, subprojectPath);
+    const workspaceToPlainDependencyTree = Object.fromEntries(workspacePaths.map((workspacePath) => [
+      workspacePath,
+      toPlainDependencyTree(projectInfo[workspacePath].dataForAnalysis.dependencyTree)
+    ]));
+    const dependencyTrees = workspacePaths.map((workspacePath) => ({
+      treeType: "v1",
+      dependencyTree: workspaceToPlainDependencyTree[workspacePath],
+      ecosystem: workspaceToPlainDependencyTree[workspacePath].ecosystem ?? "NPM",
+      workspacePath,
+      subprojectPath: relative10(rootWorkingDirectory, subprojectPath) || "."
+    }));
+    if (this.options.socketMode)
+      this.reportDependencyTrees = dependencyTrees;
+    if (this.shareWithDashboard)
+      sendDependencyTreesToDashboard(dependencyTrees, this.reportId, this.apiKey);
+    const workspaceToVulnerabilities = Object.fromEntries(await asyncMap(workspacePaths, async (workspacePath, idx) => this.spinner.wrap(`Scanning for vulnerabilities: (${subProjAndWsPath.packageManagerName}) (${idx + 1}/${workspacePaths.length}) ${workspacePath}`, async () => {
+      const dependencyTree = projectInfo[workspacePath].dataForAnalysis.dependencyTree;
+      this.sendProgress("SCAN_FOR_VULNERABILITIES", true, subprojectPath, workspacePath);
+      try {
+        return [
+          workspacePath,
+          this.options.socketMode ? await scanForVulnerabilitiesSocketMode(projectInfo[workspacePath].dataForAnalysis.dependencyTree) : (await scanForVulnerabilities(dependencyTree, this.options.offlineDatabase, this.apiKey, Number(this.options.timeout))).vulnerabilities
+        ];
+      } catch (e) {
+        logger.error(`Scanning for vulnerabilities failed for subproject ${subprojectPath} in workspace ${workspacePath}`);
+        throw e;
+      } finally {
+        this.sendProgress("SCAN_FOR_VULNERABILITIES", false, subprojectPath, workspacePath);
+      }
+    })));
+    return { projectInfo, workspaceToVulnerabilities };
+  }
 };
 function getRelativeSubprojectPath(subprojectPath, projectDir) {
   return relative10(projectDir, subprojectPath) || ".";
@@ -226238,6 +226238,140 @@ var signalFixApplied = (_fixId, subprojectPath, workspacePath, vulnerabilityFixe
 ${vulnerabilityFixes.map((fix) => `	${fix.dependencyName} from ${fix.currentVersion} to ${fix.fixedVersion}`).join("\n")}`);
 };
 
+// dist/cli-compute-fixes-and-upgrade-purls.js
+async function computeFixesAndUpgradePurls(path2, options) {
+  const { artifacts, vulnerableArtifactIdsPerVulnerability } = await computeInputForComputingFixes(path2, options);
+  if (vulnerableArtifactIdsPerVulnerability.size === 0) {
+    logger.info("No vulnerabilities to compute fixes for");
+    return;
+  }
+  if (options.applyFixesTo.length === 0) {
+    logger.info("Vulnerabilities found:", Array.from(vulnerableArtifactIdsPerVulnerability.keys()).join(", "));
+    logger.info("Run again with --apply-fixes-to GHSA_IDS to fix those vulnerabilities by computing packages to upgrade and apply them");
+    return;
+  }
+  const vulnerableArtifactIdsForGhsas = options.applyFixesTo.flatMap((ghsa) => [
+    ...vulnerableArtifactIdsPerVulnerability.get(ghsa)?.values() ?? []
+  ]);
+  const computedFix = await useSocketComputeFixEndpoint(artifacts, vulnerableArtifactIdsForGhsas);
+  if (computedFix.type !== "fix_found") {
+    throw new Error(`No fix found for the given vulnerabilities`);
+  }
+  if (options.dryRun) {
+    logger.info("Fixes found:");
+    for (const fix of computedFix.fixes) {
+      logger.info(`  - ${fix.purl} -> ${fix.fixedVersion}`);
+    }
+    logger.info("Run again without --dry-run to apply the fixes");
+    return;
+  }
+  try {
+    await upgradePurl(path2, computedFix.fixes.map((fix) => ({ purl: fix.purl, upgradeVersion: fix.fixedVersion })), {
+      debug: options.debug,
+      silent: options.silent,
+      runWithoutDocker: false,
+      concurrency: "1",
+      globPattern: options.globPattern
+    });
+  } catch (error) {
+    logger.error("Error applying fixes:", error);
+    throw error;
+  }
+}
+async function computeInputForComputingFixes(path2, options) {
+  const otherModulesCommunicator = new OtherModulesCommunicator(path2, options, {
+    type: "missing"
+  });
+  const manager = await ProjectManager.create(path2, otherModulesCommunicator);
+  const { reachabilitySupport, traditionalScaSupport } = manager.getSubprojectsWithWorkspacePaths();
+  const supportedSubprojects = reachabilitySupport.concat(traditionalScaSupport).filter((p3) => getPackageManagerSupport(p3.packageManagerName).supportsApplyingFixes);
+  if (supportedSubprojects.length === 0) {
+    throw new Error(`No supported projects found in ${path2}.`);
+  }
+  const cliCore = new CliCore(path2, { ...defaultCliOptions, socketMode: "true" });
+  const results = await asyncMap(supportedSubprojects, async (subproject) => cliCore.getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subproject));
+  const { artifacts, purlToIndex } = computeSBOMTaskArtifacts(results.flatMap((r2) => Object.values(r2.projectInfo).map((info) => info.dataForAnalysis.dependencyTree)));
+  const vulnerableArtifactIdsPerVulnerability = computeVulnerableArtifactIdsPerVulnerability(results.flatMap((r2) => Object.values(r2.workspaceToVulnerabilities).flat()), purlToIndex);
+  return { artifacts, vulnerableArtifactIdsPerVulnerability };
+}
+function computeVulnerableArtifactIdsPerVulnerability(vulnerabilities, purlToIndex) {
+  const vulnerableArtifactIdsPerVulnerability = /* @__PURE__ */ new Map();
+  for (const vulnerability of vulnerabilities) {
+    if (!vulnerableArtifactIdsPerVulnerability.has(vulnerability.url)) {
+      vulnerableArtifactIdsPerVulnerability.set(vulnerability.url, /* @__PURE__ */ new Set());
+    }
+    if (!vulnerability.purl)
+      throw new Error(`Vulnerability ${vulnerability.url} has no purl`);
+    if (!purlToIndex.has(vulnerability.purl)) {
+      throw new Error(`Vulnerability ${vulnerability.url} has no purl in sbomTaskArtifacts`);
+    }
+    vulnerableArtifactIdsPerVulnerability.get(vulnerability.url).add(purlToIndex.get(vulnerability.purl));
+  }
+  return vulnerableArtifactIdsPerVulnerability;
+}
+function computeSBOMTaskArtifacts(dependencyTrees) {
+  const components = [];
+  const purlToIndex = /* @__PURE__ */ new Map();
+  for (const dependencyTree of dependencyTrees) {
+    const depIdentifierToPurl = Object.fromEntries(Object.entries(dependencyTree.transitiveDependencies).filter(([_depIdentifier, dep]) => dep.purlObj).map(([depIdentifier, dep]) => {
+      const purl = dep.purlObj.purlString;
+      if (purl && !purlToIndex.has(purl)) {
+        purlToIndex.set(purl, components.length);
+        const depTreeNode = dependencyTree.transitiveDependencies[depIdentifier];
+        components[purlToIndex.get(purl)] = {
+          type: depTreeNode.purlObj.type,
+          name: depTreeNode.purlObj.name,
+          version: depTreeNode.purlObj.version,
+          namespace: depTreeNode.purlObj.namespace,
+          adj: []
+        };
+      }
+      return [depIdentifier, purl];
+    }));
+    for (const [depIdentifier, purl] of Object.entries(depIdentifierToPurl)) {
+      const depTreeNode = dependencyTree.transitiveDependencies[depIdentifier];
+      if (!depTreeNode.purlObj) {
+        continue;
+      }
+      const component = components[purlToIndex.get(purl)];
+      depTreeNode.dependencies?.forEach((dep) => {
+        const depPurl = depIdentifierToPurl[dep];
+        const depIndex = purlToIndex.get(depPurl);
+        if (depIndex && !component.adj?.includes(depIndex)) {
+          component.adj.push(depIndex);
+        }
+      });
+    }
+  }
+  return { artifacts: components, purlToIndex };
+}
+async function useSocketComputeFixEndpoint(artifacts, vulnerableArtifactIdsForGhsas) {
+  let socketBaseUrl = process.env.SOCKET_CLI_API_BASE_URL ?? "https://api.socket.dev/v0/";
+  if (!socketBaseUrl.endsWith("/"))
+    socketBaseUrl += "/";
+  try {
+    const url3 = `${socketBaseUrl}fixes/compute-fixes`;
+    const data2 = {
+      artifacts,
+      vulnerableArtifactIndexes: vulnerableArtifactIdsForGhsas
+    };
+    return (await axios_default2.post(url3, data2, {
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        Authorization: `Basic ${btoa(`${process.env.SOCKET_CLI_API_TOKEN}:`)}`
+      }
+    })).data;
+  } catch (error) {
+    logger.error("Request to compute fixes failed:", error);
+    return {
+      type: "error during computation",
+      message: "Error during computation",
+      fixes: []
+    };
+  }
+}
+
 // dist/index.js
 var program2 = new Command();
 var run2 = new Command();
@@ -226264,6 +226398,11 @@ upgradePurls.name("upgrade-purls").argument("<path>", "File system path to the f
   });
   await upgradePurl(path2, upgradeSpecs, options);
 }).configureHelp({ sortOptions: true });
+var computeFixesAndUpgradePurlsCmd = new Command();
+computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", "GHSA IDs to compute fixes for", []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-g, --glob <pattern>", "Glob pattern to filter workspaces by absolute file path").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).version(version2).action(async (path2, options) => {
+  process.env.DOCKER_IMAGE_TAG ??= version2;
+  await computeFixesAndUpgradePurls(path2, options);
+}).configureHelp({ sortOptions: true });
 var compareReportsCommand = new Command();
 compareReportsCommand.name("compare-reports").argument("<baselineReportPath>", "Path to the baseline report").argument("<newReportPath>", "Path to the new report").option("--api-key <key>", "Set the Coana dashboard API key.").option("-d, --debug", "Enable debug logging", false).option("--no-pr-comment", "Disable pull request comments (only relevant when run from a PR)", true).option("--no-block", "Do not fail with a non-zero exit code when new reachable vulnerabilities are detected", true).option("--ignore-undeterminable-reachability", "Ignore vulnerabilities with undeterminable reachability", false).action(async (baselineReportPath, newReportPath, options) => {
   async function readReport(reportPath) {
@@ -226273,8 +226412,29 @@ compareReportsCommand.name("compare-reports").argument("<baselineReportPath>", "
   const newReport = await readReport(newReportPath);
   await compareReports(baselineReport, newReport, options);
 });
-program2.name("coana-cli").addCommand(run2, { isDefault: true }).addCommand(applyFixes).addCommand(upgradePurls, { hidden: true }).addCommand(compareReportsCommand).configureHelp({ sortSubcommands: true }).version(version2);
+program2.name("coana-cli").addCommand(run2, { isDefault: true }).addCommand(applyFixes).addCommand(upgradePurls, { hidden: true }).addCommand(compareReportsCommand).addCommand(computeFixesAndUpgradePurlsCmd, { hidden: true }).configureHelp({ sortSubcommands: true }).version(version2);
 program2.parseAsync();
+var defaultCliOptions = {
+  debug: false,
+  silent: false,
+  printReport: false,
+  memoryLimit: "8192",
+  timeout: "300000",
+  concurrency: "1",
+  writeReportToFile: false,
+  printAnalysisLogFile: false,
+  includeProjectsWithNoReachabilitySupport: false,
+  providerProject: void 0,
+  providerWorkspaces: void 0,
+  disableReportSubmission: false,
+  runWithoutDocker: false,
+  lightweightReachability: false,
+  runEnv: "UNKNOWN",
+  guardrailMode: false
+};
+export {
+  defaultCliOptions
+};
 /*! Bundled license information:
 
 safe-buffer/index.js:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.9.29",
+  "version": "14.9.30",
   "description": "Coana CLI",
   "type": "module",
   "bin": {