@coana-tech/cli 14.9.31 → 14.9.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli.mjs +344 -102
- package/package.json +1 -1
package/cli.mjs
CHANGED
|
@@ -20127,7 +20127,7 @@ var require_lodash = __commonJS({
|
|
|
20127
20127
|
});
|
|
20128
20128
|
return result2;
|
|
20129
20129
|
}
|
|
20130
|
-
function
|
|
20130
|
+
function mapValues2(object, iteratee2) {
|
|
20131
20131
|
var result2 = {};
|
|
20132
20132
|
iteratee2 = getIteratee(iteratee2, 3);
|
|
20133
20133
|
baseForOwn(object, function(value, key, object2) {
|
|
@@ -20821,7 +20821,7 @@ var require_lodash = __commonJS({
|
|
|
20821
20821
|
lodash16.keysIn = keysIn;
|
|
20822
20822
|
lodash16.map = map2;
|
|
20823
20823
|
lodash16.mapKeys = mapKeys;
|
|
20824
|
-
lodash16.mapValues =
|
|
20824
|
+
lodash16.mapValues = mapValues2;
|
|
20825
20825
|
lodash16.matches = matches;
|
|
20826
20826
|
lodash16.matchesProperty = matchesProperty;
|
|
20827
20827
|
lodash16.memoize = memoize4;
|
|
@@ -70978,7 +70978,7 @@ var require_lockfileFormatConverters = __commonJS({
|
|
|
70978
70978
|
snapshots,
|
|
70979
70979
|
packages,
|
|
70980
70980
|
lockfileVersion: constants_1.LOCKFILE_VERSION,
|
|
70981
|
-
importers:
|
|
70981
|
+
importers: mapValues2(lockfile.importers, convertProjectSnapshotToInlineSpecifiersFormat)
|
|
70982
70982
|
};
|
|
70983
70983
|
if (newLockfile.settings?.peersSuffixMaxLength === 1e3) {
|
|
70984
70984
|
newLockfile.settings = (0, omit_1.default)(["peersSuffixMaxLength"], newLockfile.settings);
|
|
@@ -71107,7 +71107,7 @@ var require_lockfileFormatConverters = __commonJS({
|
|
|
71107
71107
|
const { importers, ...rest } = convertFromLockfileFileMutable(lockfile);
|
|
71108
71108
|
const newLockfile = {
|
|
71109
71109
|
...rest,
|
|
71110
|
-
importers:
|
|
71110
|
+
importers: mapValues2(importers ?? {}, revertProjectSnapshot)
|
|
71111
71111
|
};
|
|
71112
71112
|
return newLockfile;
|
|
71113
71113
|
}
|
|
@@ -71210,7 +71210,7 @@ var require_lockfileFormatConverters = __commonJS({
|
|
|
71210
71210
|
return {
|
|
71211
71211
|
...(0, omit_1.default)(["snapshots"], rest),
|
|
71212
71212
|
packages,
|
|
71213
|
-
importers:
|
|
71213
|
+
importers: mapValues2(importers ?? {}, revertProjectSnapshot)
|
|
71214
71214
|
};
|
|
71215
71215
|
}
|
|
71216
71216
|
exports2.convertLockfileV9ToLockfileObject = convertLockfileV9ToLockfileObject;
|
|
@@ -71227,7 +71227,7 @@ var require_lockfileFormatConverters = __commonJS({
|
|
|
71227
71227
|
};
|
|
71228
71228
|
}
|
|
71229
71229
|
function convertResolvedDependenciesToInlineSpecifiersFormat(resolvedDependencies, { specifiers }) {
|
|
71230
|
-
return
|
|
71230
|
+
return mapValues2(resolvedDependencies, (version3, depName) => ({
|
|
71231
71231
|
specifier: specifiers[depName],
|
|
71232
71232
|
version: version3
|
|
71233
71233
|
}));
|
|
@@ -71257,7 +71257,7 @@ var require_lockfileFormatConverters = __commonJS({
|
|
|
71257
71257
|
optionalDependencies
|
|
71258
71258
|
};
|
|
71259
71259
|
}
|
|
71260
|
-
function
|
|
71260
|
+
function mapValues2(obj, mapper) {
|
|
71261
71261
|
const result = {};
|
|
71262
71262
|
for (const [key, value] of Object.entries(obj)) {
|
|
71263
71263
|
result[key] = mapper(value, key);
|
|
@@ -204801,7 +204801,7 @@ var OtherModulesCommunicator = class {
|
|
|
204801
204801
|
workspacePaths
|
|
204802
204802
|
);
|
|
204803
204803
|
}
|
|
204804
|
-
async runReachabilityAnalysis(subprojectPath, workspacePath, workspaceData, vulnerabilities, reachabilityAnalysisOptions, otherAnalysisOptions) {
|
|
204804
|
+
async runReachabilityAnalysis(subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, reachabilityAnalysisOptions, otherAnalysisOptions) {
|
|
204805
204805
|
const tmpDir = await this.getTmpDirForSubproject(subprojectPath);
|
|
204806
204806
|
const inputFileName = `${v4_default()}-runReachabilityAnalysis-input.json`;
|
|
204807
204807
|
const inputFileThisProcess = join15(tmpDir, inputFileName);
|
|
@@ -204817,7 +204817,7 @@ var OtherModulesCommunicator = class {
|
|
|
204817
204817
|
);
|
|
204818
204818
|
return this.runReachabilityAnalyzerCommandWithOutput(
|
|
204819
204819
|
"runReachabilityAnalysis",
|
|
204820
|
-
|
|
204820
|
+
ecosystem,
|
|
204821
204821
|
subprojectPath,
|
|
204822
204822
|
workspacePath,
|
|
204823
204823
|
argt`-i ${inputFileOtherProcess}`,
|
|
@@ -221973,7 +221973,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
|
|
|
221973
221973
|
}
|
|
221974
221974
|
|
|
221975
221975
|
// dist/version.js
|
|
221976
|
-
var version2 = "14.9.
|
|
221976
|
+
var version2 = "14.9.32";
|
|
221977
221977
|
|
|
221978
221978
|
// ../../node_modules/.pnpm/axios@1.9.0/node_modules/axios/lib/helpers/bind.js
|
|
221979
221979
|
function bind2(fn2, thisArg) {
|
|
@@ -225309,6 +225309,9 @@ function getAdvisoryEcosystemFromPurl(purl) {
|
|
|
225309
225309
|
const [purlSceme, rest] = purl.split(":");
|
|
225310
225310
|
if (purlSceme !== "pkg") throw Error(`Upsupported purl scheme: ${purlSceme}`);
|
|
225311
225311
|
const [purlType] = rest.split("/");
|
|
225312
|
+
return getAdvisoryEcosystemFromPurlType(purlType);
|
|
225313
|
+
}
|
|
225314
|
+
function getAdvisoryEcosystemFromPurlType(purlType) {
|
|
225312
225315
|
switch (purlType) {
|
|
225313
225316
|
case "npm" /* NPM */:
|
|
225314
225317
|
return "NPM";
|
|
@@ -225363,8 +225366,21 @@ function getNamespaceAndName(ecosystem, packageName) {
|
|
|
225363
225366
|
}
|
|
225364
225367
|
return { namespace: namespace2, name };
|
|
225365
225368
|
}
|
|
225369
|
+
function getNameFromNamespaceAndName(purlType, namespace2, name) {
|
|
225370
|
+
if (!name) return "";
|
|
225371
|
+
switch (purlType) {
|
|
225372
|
+
case "npm" /* NPM */:
|
|
225373
|
+
return namespace2 ? `${namespace2}/${name}` : name;
|
|
225374
|
+
case "maven" /* MAVEN */:
|
|
225375
|
+
return namespace2 ? `${namespace2}:${name}` : name;
|
|
225376
|
+
case "pypi" /* PYPI */:
|
|
225377
|
+
return name;
|
|
225378
|
+
default:
|
|
225379
|
+
return name;
|
|
225380
|
+
}
|
|
225381
|
+
}
|
|
225366
225382
|
|
|
225367
|
-
// dist/internal/socket-mode-helpers.js
|
|
225383
|
+
// dist/internal/socket-mode-helpers-coana-dependency-trees.js
|
|
225368
225384
|
var ROOT_IDENTIFIER = "ROOT";
|
|
225369
225385
|
async function scanForVulnerabilitiesSocketMode(dependencyTree) {
|
|
225370
225386
|
if (!dependencyTree.ecosystem)
|
|
@@ -225442,7 +225458,7 @@ async function scanForVulnerabilitiesSocketMode(dependencyTree) {
|
|
|
225442
225458
|
name: dependencyTreeNode.packageName,
|
|
225443
225459
|
dependency: dependencyTreeNode.packageName,
|
|
225444
225460
|
vulnChainDetails: computeVulnChainDetails(dependencyTree, dependencyIdentifier, parentsMap),
|
|
225445
|
-
vulnerabilityAccessPaths: vulnerability.reachabilityData?.pattern,
|
|
225461
|
+
vulnerabilityAccessPaths: vulnerability.reachabilityData?.pattern ?? null,
|
|
225446
225462
|
ecosystem: dependencyTree.ecosystem
|
|
225447
225463
|
});
|
|
225448
225464
|
}
|
|
@@ -225490,7 +225506,7 @@ function transformToVulnChainNode(dependencyTree) {
|
|
|
225490
225506
|
};
|
|
225491
225507
|
}
|
|
225492
225508
|
|
|
225493
|
-
// dist/internal/socket-report.js
|
|
225509
|
+
// dist/internal/socket-report-coana-dependency-tree.js
|
|
225494
225510
|
var MAX_STACKS_TO_SEND = 10;
|
|
225495
225511
|
function toSocketFacts(report, dependencyTrees, subPjToWsPathToDirectDependencies) {
|
|
225496
225512
|
const components = [];
|
|
@@ -225630,8 +225646,195 @@ function toSocketReachabilitySchema(vulnerability) {
|
|
|
225630
225646
|
throw new Error("Unknown codeAwareScanResult type");
|
|
225631
225647
|
}
|
|
225632
225648
|
|
|
225649
|
+
// dist/internal/socket-mode-helpers-socket-dependency-trees.js
|
|
225650
|
+
import { dirname as dirname7 } from "path";
|
|
225651
|
+
var filesToDefineWorkspace = ["package.json"];
|
|
225652
|
+
function inferWorkspaceFromManifestPath(manifestPath) {
|
|
225653
|
+
const dir = dirname7(manifestPath);
|
|
225654
|
+
return dir === "" ? "." : dir;
|
|
225655
|
+
}
|
|
225656
|
+
async function fetchArtifactsFromSocket(manifestsTarHash) {
|
|
225657
|
+
console.log("Fetching artifacts from Socket backend using manifests tar hash", manifestsTarHash);
|
|
225658
|
+
let socketBaseUrl = process.env.SOCKET_CLI_API_BASE_URL ?? "https://api.socket.dev/v0/";
|
|
225659
|
+
if (!socketBaseUrl.endsWith("/"))
|
|
225660
|
+
socketBaseUrl += "/";
|
|
225661
|
+
try {
|
|
225662
|
+
const url3 = `${socketBaseUrl}orgs/${process.env.SOCKET_ORG_SLUG}/compute-artifacts?tarHash=${manifestsTarHash}`;
|
|
225663
|
+
const responseData = (await axios_default2.post(url3, {}, {
|
|
225664
|
+
headers: {
|
|
225665
|
+
"Content-Type": "application/json",
|
|
225666
|
+
Accept: "application/json",
|
|
225667
|
+
Authorization: `Basic ${btoa(`${process.env.SOCKET_CLI_API_TOKEN}:`)}`
|
|
225668
|
+
}
|
|
225669
|
+
})).data;
|
|
225670
|
+
let artifacts;
|
|
225671
|
+
if (typeof responseData === "object") {
|
|
225672
|
+
artifacts = [responseData];
|
|
225673
|
+
} else if (typeof responseData === "string") {
|
|
225674
|
+
artifacts = JSON.parse(`[${responseData.trim().replace(/\n/g, ",")}]`);
|
|
225675
|
+
} else {
|
|
225676
|
+
throw new Error(`Unexpected response type from Socket API: ${typeof responseData}`);
|
|
225677
|
+
}
|
|
225678
|
+
const ecosystemToWorkspaceToAnalysisData = {};
|
|
225679
|
+
const ecosystemToWorkspaceToVulnerabilities = {};
|
|
225680
|
+
for (const artifact of artifacts) {
|
|
225681
|
+
const ecosystem = getAdvisoryEcosystemFromPurlType(artifact.type);
|
|
225682
|
+
if (!ecosystem)
|
|
225683
|
+
continue;
|
|
225684
|
+
const workspaces = /* @__PURE__ */ new Set();
|
|
225685
|
+
if (artifact.manifestFiles) {
|
|
225686
|
+
for (const manifestRef of artifact.manifestFiles) {
|
|
225687
|
+
if (manifestRef.file.endsWith("package.json")) {
|
|
225688
|
+
workspaces.add(inferWorkspaceFromManifestPath(manifestRef.file));
|
|
225689
|
+
}
|
|
225690
|
+
}
|
|
225691
|
+
}
|
|
225692
|
+
if (!artifact.direct && artifact.toplevelAncestors) {
|
|
225693
|
+
for (const ancestorId of artifact.toplevelAncestors) {
|
|
225694
|
+
const ancestor = artifacts.find((a4) => a4.id === ancestorId);
|
|
225695
|
+
if (ancestor && ancestor.manifestFiles) {
|
|
225696
|
+
for (const manifestRef of ancestor.manifestFiles) {
|
|
225697
|
+
if (filesToDefineWorkspace.some((file) => manifestRef.file.endsWith(file))) {
|
|
225698
|
+
workspaces.add(inferWorkspaceFromManifestPath(manifestRef.file));
|
|
225699
|
+
}
|
|
225700
|
+
}
|
|
225701
|
+
}
|
|
225702
|
+
}
|
|
225703
|
+
}
|
|
225704
|
+
if (workspaces.size === 0) {
|
|
225705
|
+
workspaces.add(".");
|
|
225706
|
+
}
|
|
225707
|
+
for (const workspace of workspaces) {
|
|
225708
|
+
if (!ecosystemToWorkspaceToAnalysisData[ecosystem]) {
|
|
225709
|
+
ecosystemToWorkspaceToAnalysisData[ecosystem] = {};
|
|
225710
|
+
}
|
|
225711
|
+
if (!ecosystemToWorkspaceToAnalysisData[ecosystem][workspace]) {
|
|
225712
|
+
ecosystemToWorkspaceToAnalysisData[ecosystem][workspace] = {
|
|
225713
|
+
type: "socket",
|
|
225714
|
+
data: []
|
|
225715
|
+
};
|
|
225716
|
+
}
|
|
225717
|
+
const workspaceData = ecosystemToWorkspaceToAnalysisData[ecosystem][workspace];
|
|
225718
|
+
if (workspaceData.type === "socket") {
|
|
225719
|
+
workspaceData.data.push(artifact);
|
|
225720
|
+
}
|
|
225721
|
+
if (artifact.vulnerabilities && artifact.vulnerabilities.length > 0) {
|
|
225722
|
+
for (const vuln of artifact.vulnerabilities) {
|
|
225723
|
+
const vulnerability = {
|
|
225724
|
+
url: vuln.ghsaId,
|
|
225725
|
+
purlType: artifact.type,
|
|
225726
|
+
range: vuln.range,
|
|
225727
|
+
name: artifact.name ?? "",
|
|
225728
|
+
dependency: artifact.name ?? "",
|
|
225729
|
+
vulnChainDetails: computeVulnChainDetails2(artifacts, artifact.id),
|
|
225730
|
+
vulnerabilityAccessPaths: vuln.reachabilityData?.pattern ?? null,
|
|
225731
|
+
ecosystem,
|
|
225732
|
+
artifactId: artifact.id
|
|
225733
|
+
};
|
|
225734
|
+
((ecosystemToWorkspaceToVulnerabilities[ecosystem] ??= {})[workspace] ??= []).push(vulnerability);
|
|
225735
|
+
}
|
|
225736
|
+
}
|
|
225737
|
+
}
|
|
225738
|
+
}
|
|
225739
|
+
return {
|
|
225740
|
+
artifacts,
|
|
225741
|
+
ecosystemToWorkspaceToAnalysisData,
|
|
225742
|
+
ecosystemToWorkspaceToVulnerabilities
|
|
225743
|
+
};
|
|
225744
|
+
} catch (error) {
|
|
225745
|
+
logger.error("Failed to fetch artifacts from Socket backend", error);
|
|
225746
|
+
throw error;
|
|
225747
|
+
}
|
|
225748
|
+
}
|
|
225749
|
+
function computeVulnChainDetails2(artifacts, vulnerableArtifactId) {
|
|
225750
|
+
const artifactMap = /* @__PURE__ */ new Map();
|
|
225751
|
+
for (const artifact of artifacts) {
|
|
225752
|
+
artifactMap.set(artifact.id, artifact);
|
|
225753
|
+
}
|
|
225754
|
+
const parentsMap = /* @__PURE__ */ new Map();
|
|
225755
|
+
for (const artifact of artifacts) {
|
|
225756
|
+
if (artifact.dependencies) {
|
|
225757
|
+
for (const depId of artifact.dependencies) {
|
|
225758
|
+
if (!parentsMap.has(depId)) {
|
|
225759
|
+
parentsMap.set(depId, []);
|
|
225760
|
+
}
|
|
225761
|
+
parentsMap.get(depId).push(artifact.id);
|
|
225762
|
+
}
|
|
225763
|
+
}
|
|
225764
|
+
}
|
|
225765
|
+
const res = {
|
|
225766
|
+
packageName: "root",
|
|
225767
|
+
version: "0.0.0",
|
|
225768
|
+
children: [],
|
|
225769
|
+
transitiveDependencies: {}
|
|
225770
|
+
};
|
|
225771
|
+
function addNode(currentId, childId, visited) {
|
|
225772
|
+
if (visited.has(currentId))
|
|
225773
|
+
return;
|
|
225774
|
+
const currentArtifact = artifactMap.get(currentId);
|
|
225775
|
+
if (!currentArtifact)
|
|
225776
|
+
return;
|
|
225777
|
+
const parents2 = parentsMap.get(currentId);
|
|
225778
|
+
const newCurrentNode = {
|
|
225779
|
+
packageName: getNameFromNamespaceAndName(currentArtifact.type, currentArtifact.namespace, currentArtifact.name),
|
|
225780
|
+
version: currentArtifact.version ?? void 0,
|
|
225781
|
+
children: []
|
|
225782
|
+
};
|
|
225783
|
+
res.transitiveDependencies[currentId] = newCurrentNode;
|
|
225784
|
+
if (childId && !newCurrentNode.children.includes(childId)) {
|
|
225785
|
+
newCurrentNode.children.push(childId);
|
|
225786
|
+
}
|
|
225787
|
+
if (currentId === vulnerableArtifactId) {
|
|
225788
|
+
newCurrentNode.vulnerable = true;
|
|
225789
|
+
}
|
|
225790
|
+
if (currentArtifact.direct) {
|
|
225791
|
+
if (!res.children.includes(currentId)) {
|
|
225792
|
+
res.children.push(currentId);
|
|
225793
|
+
}
|
|
225794
|
+
}
|
|
225795
|
+
visited.add(currentId);
|
|
225796
|
+
if (parents2) {
|
|
225797
|
+
for (const parentId of parents2) {
|
|
225798
|
+
addNode(parentId, currentId, visited);
|
|
225799
|
+
}
|
|
225800
|
+
}
|
|
225801
|
+
}
|
|
225802
|
+
addNode(vulnerableArtifactId, void 0, /* @__PURE__ */ new Set());
|
|
225803
|
+
return res;
|
|
225804
|
+
}
|
|
225805
|
+
|
|
225806
|
+
// dist/internal/socket-report-socket-dependency-tree.js
|
|
225807
|
+
function toSocketFactsSocketDependencyTree(artifacts, vulnerabilities) {
|
|
225808
|
+
const artifactIdToArtifact = Object.fromEntries(artifacts.map((artifact) => [artifact.id, artifact]));
|
|
225809
|
+
for (const vulnerability of vulnerabilities) {
|
|
225810
|
+
const component = artifactIdToArtifact[vulnerability.artifactId];
|
|
225811
|
+
if (!component) {
|
|
225812
|
+
throw new Error(`Component not found for vulnerability ${vulnerability.purl}`);
|
|
225813
|
+
}
|
|
225814
|
+
if (!component.reachability) {
|
|
225815
|
+
component.reachability = [];
|
|
225816
|
+
}
|
|
225817
|
+
let reachabilityForGHSA = component.reachability?.find((r2) => r2.ghsa_id === vulnerability.vulnerabilityUrl.replace("https://github.com/advisories/", ""));
|
|
225818
|
+
if (!reachabilityForGHSA) {
|
|
225819
|
+
reachabilityForGHSA = {
|
|
225820
|
+
ghsa_id: vulnerability.vulnerabilityUrl.replace("https://github.com/advisories/", ""),
|
|
225821
|
+
reachability: []
|
|
225822
|
+
};
|
|
225823
|
+
component.reachability.push(reachabilityForGHSA);
|
|
225824
|
+
}
|
|
225825
|
+
reachabilityForGHSA.reachability.push({
|
|
225826
|
+
...toSocketReachabilitySchema(vulnerability),
|
|
225827
|
+
workspacePath: vulnerability.workspacePath,
|
|
225828
|
+
subprojectPath: vulnerability.subprojectPath
|
|
225829
|
+
});
|
|
225830
|
+
}
|
|
225831
|
+
return {
|
|
225832
|
+
components: artifacts
|
|
225833
|
+
};
|
|
225834
|
+
}
|
|
225835
|
+
|
|
225633
225836
|
// dist/cli-core.js
|
|
225634
|
-
var { omit, partition, pick } = import_lodash15.default;
|
|
225837
|
+
var { mapValues, omit, partition, pick } = import_lodash15.default;
|
|
225635
225838
|
var CliCore = class {
|
|
225636
225839
|
options;
|
|
225637
225840
|
spinner;
|
|
@@ -225711,6 +225914,9 @@ var CliCore = class {
|
|
|
225711
225914
|
throw new Error(`Invalid ecosystem: ${ecosystem}.`);
|
|
225712
225915
|
}
|
|
225713
225916
|
});
|
|
225917
|
+
if (this.options.manifestsTarHash && !this.options.socketMode) {
|
|
225918
|
+
throw new Error("The --manifests-tar-hash option is only supported when using --socket-mode");
|
|
225919
|
+
}
|
|
225714
225920
|
}
|
|
225715
225921
|
async main() {
|
|
225716
225922
|
this.coanaLogPath = join20(await createTmpDirectory("coana-cli-"), "coana-log.txt");
|
|
@@ -225722,24 +225928,58 @@ var CliCore = class {
|
|
|
225722
225928
|
logger.error(e.message);
|
|
225723
225929
|
process.exit(1);
|
|
225724
225930
|
}
|
|
225931
|
+
const otherModulesCommunicator = new OtherModulesCommunicator(this.rootWorkingDirectory, {
|
|
225932
|
+
runWithoutDocker: this.options.runWithoutDocker,
|
|
225933
|
+
debug: this.options.debug,
|
|
225934
|
+
silent: this.options.silent,
|
|
225935
|
+
coanaLogPath: this.coanaLogPath,
|
|
225936
|
+
reportId: this.reportId,
|
|
225937
|
+
socketMode: !!this.options.socketMode
|
|
225938
|
+
}, this.apiKey);
|
|
225725
225939
|
this.spinner.start();
|
|
225726
225940
|
try {
|
|
225941
|
+
if (this.options.manifestsTarHash) {
|
|
225942
|
+
await this.computeAndOutputReportSocketMode(otherModulesCommunicator);
|
|
225943
|
+
this.spinner.stop();
|
|
225944
|
+
return;
|
|
225945
|
+
}
|
|
225727
225946
|
if (this.shareWithDashboard && this.apiKey.type === "present") {
|
|
225728
225947
|
const gitData = await getGitDataToMetadataIfAvailable(this.rootWorkingDirectory);
|
|
225729
225948
|
this.reportId = await createReport(this.options.repoUrl, this.options.projectName, version2, gitData?.sha, gitData?.branchName, omit(this.options, "apiKey", "print-report", "repoUrl", "projectName", "writeReportToFile"), this.apiKey, this.options.runEnv);
|
|
225730
225949
|
}
|
|
225731
|
-
const { report, subPjToWsPathToDirectDependencies } = await this.computeReport();
|
|
225950
|
+
const { report, subPjToWsPathToDirectDependencies } = await this.computeReport(otherModulesCommunicator);
|
|
225732
225951
|
logger.info("Report computed successfully");
|
|
225733
225952
|
await this.outputAndShareReport(report, subPjToWsPathToDirectDependencies);
|
|
225734
225953
|
this.spinner.stop();
|
|
225735
225954
|
return report;
|
|
225736
225955
|
} catch (e) {
|
|
225737
225956
|
await this.spinner.fail();
|
|
225738
|
-
logger.error("CLI failed with error:", e
|
|
225957
|
+
logger.error("CLI failed with error:", e);
|
|
225739
225958
|
await this.shareErrorLogWithDashboard(e, true);
|
|
225740
225959
|
process.exit(1);
|
|
225741
225960
|
}
|
|
225742
225961
|
}
|
|
225962
|
+
async computeAndOutputReportSocketMode(otherModulesCommunicator) {
|
|
225963
|
+
logger.info("Fetching artifacts from Socket backend");
|
|
225964
|
+
const { artifacts, ecosystemToWorkspaceToAnalysisData, ecosystemToWorkspaceToVulnerabilities } = await fetchArtifactsFromSocket(this.options.manifestsTarHash);
|
|
225965
|
+
const vulnsWithResults = [];
|
|
225966
|
+
for (const [ecosystem, workspaceToAnalysisData] of Object.entries(ecosystemToWorkspaceToAnalysisData)) {
|
|
225967
|
+
vulnsWithResults.push(...Object.values(await this.runReachabilityAnalysisForWorkspaces(
|
|
225968
|
+
workspaceToAnalysisData,
|
|
225969
|
+
ecosystemToWorkspaceToVulnerabilities[ecosystem] ?? {},
|
|
225970
|
+
{},
|
|
225971
|
+
// We do not need the direct dependencies for socket mode
|
|
225972
|
+
otherModulesCommunicator,
|
|
225973
|
+
".",
|
|
225974
|
+
ecosystem,
|
|
225975
|
+
true
|
|
225976
|
+
)).flat());
|
|
225977
|
+
}
|
|
225978
|
+
const socketReport = toSocketFactsSocketDependencyTree(artifacts, vulnsWithResults);
|
|
225979
|
+
const outputFile = resolve24(this.options.socketMode);
|
|
225980
|
+
await writeFile8(outputFile, JSON.stringify(socketReport, null, 2));
|
|
225981
|
+
logger.info(kleur_default.green(`Socket report written to: ${outputFile}`));
|
|
225982
|
+
}
|
|
225743
225983
|
async getLogContent() {
|
|
225744
225984
|
await logger.finish();
|
|
225745
225985
|
let logContent;
|
|
@@ -225801,15 +226041,7 @@ var CliCore = class {
|
|
|
225801
226041
|
logger.info(JSON.stringify(omit(report, "dependencyTrees"), null, 2));
|
|
225802
226042
|
}
|
|
225803
226043
|
}
|
|
225804
|
-
async computeReport() {
|
|
225805
|
-
const otherModulesCommunicator = new OtherModulesCommunicator(this.rootWorkingDirectory, {
|
|
225806
|
-
runWithoutDocker: this.options.runWithoutDocker,
|
|
225807
|
-
debug: this.options.debug,
|
|
225808
|
-
silent: this.options.silent,
|
|
225809
|
-
coanaLogPath: this.coanaLogPath,
|
|
225810
|
-
reportId: this.reportId,
|
|
225811
|
-
socketMode: !!this.options.socketMode
|
|
225812
|
-
}, this.apiKey);
|
|
226044
|
+
async computeReport(otherModulesCommunicator) {
|
|
225813
226045
|
const startTime = (/* @__PURE__ */ new Date()).toISOString();
|
|
225814
226046
|
this.sendProgress("CREATE_PROJECT_MANAGER", true);
|
|
225815
226047
|
const manager = await ProjectManager.create(this.rootWorkingDirectory, otherModulesCommunicator, this.options.ecosystems, this.options.includeDirs, this.options.excludeDirs, this.options.changedFiles);
|
|
@@ -225937,93 +226169,95 @@ var CliCore = class {
|
|
|
225937
226169
|
}
|
|
225938
226170
|
async runOnSubproject(otherModulesCommunicator, subProjAndWsPath, reachabilitySupported) {
|
|
225939
226171
|
try {
|
|
225940
|
-
let pruneVulnerablePathsToShortestPathsOnly2 = function(ecosystem2, workspaceToAugmentedVulnerabilities2) {
|
|
225941
|
-
const vulnerabilityToWorkspaceToCodeAwareScanSuccess = {};
|
|
225942
|
-
for (const [workspacePath, augmentedVulnerabilities] of Object.entries(workspaceToAugmentedVulnerabilities2)) {
|
|
225943
|
-
augmentedVulnerabilities.forEach((augmentedVulnerability) => {
|
|
225944
|
-
const url3 = augmentedVulnerability.url;
|
|
225945
|
-
const results = augmentedVulnerability.results;
|
|
225946
|
-
if (results.type === "success") {
|
|
225947
|
-
(vulnerabilityToWorkspaceToCodeAwareScanSuccess[url3] ??= {})[workspacePath] = results;
|
|
225948
|
-
}
|
|
225949
|
-
});
|
|
225950
|
-
}
|
|
225951
|
-
const serialize3 = (t4) => `${t4.package}#${t4.class}`.toLowerCase();
|
|
225952
|
-
for (const workspaceToCodeAwareScanSuccess of Object.values(vulnerabilityToWorkspaceToCodeAwareScanSuccess)) {
|
|
225953
|
-
const trie = mkTrie();
|
|
225954
|
-
for (const codeAwareScanSuccess of Object.values(workspaceToCodeAwareScanSuccess)) {
|
|
225955
|
-
const stacks = Array.isArray(codeAwareScanSuccess.detectedOccurrences) ? codeAwareScanSuccess.detectedOccurrences.flatMap((occ) => occ.affectedAppCodePoints) : codeAwareScanSuccess.detectedOccurrences.stacks;
|
|
225956
|
-
stacks.forEach((stack2) => {
|
|
225957
|
-
addPathToTrie(trie, stack2.map(serialize3));
|
|
225958
|
-
});
|
|
225959
|
-
}
|
|
225960
|
-
for (const codeAwareScanSuccess of Object.values(workspaceToCodeAwareScanSuccess)) {
|
|
225961
|
-
const detectedOccurrences = codeAwareScanSuccess.detectedOccurrences;
|
|
225962
|
-
detectedOccurrences.stacks = detectedOccurrences.stacks.filter((stack2) => isShortestPath(trie, stack2.map(serialize3)));
|
|
225963
|
-
if (detectedOccurrences.stacks.length === 0)
|
|
225964
|
-
detectedOccurrences.affectedPackages = [];
|
|
225965
|
-
detectedOccurrences.affectedPackages = detectedOccurrences.affectedPackages.filter((affectedPackage) => {
|
|
225966
|
-
if (affectedPackage === ROOT_NODE_STR || affectedPackage === "UNKNOWN")
|
|
225967
|
-
return true;
|
|
225968
|
-
const [packageName, version3] = affectedPackage.split("@");
|
|
225969
|
-
return detectedOccurrences.stacks.some((stack2) => stack2.some((stackElm) => {
|
|
225970
|
-
if (ecosystem2 === "MAVEN") {
|
|
225971
|
-
const [groupId, artifactId, ...rest] = stackElm.package.split(":");
|
|
225972
|
-
const expectedPackageName = `${groupId}:${artifactId}`;
|
|
225973
|
-
const expectedVersion = rest[rest.length - 1];
|
|
225974
|
-
return expectedPackageName === packageName && expectedVersion === version3;
|
|
225975
|
-
}
|
|
225976
|
-
if (ecosystem2 === "NUGET") {
|
|
225977
|
-
const [expectedPackageName, expectedVersion] = stackElm.package.split("/");
|
|
225978
|
-
return expectedPackageName === packageName && expectedVersion === version3;
|
|
225979
|
-
}
|
|
225980
|
-
return true;
|
|
225981
|
-
}));
|
|
225982
|
-
});
|
|
225983
|
-
}
|
|
225984
|
-
}
|
|
225985
|
-
};
|
|
225986
|
-
var pruneVulnerablePathsToShortestPathsOnly = pruneVulnerablePathsToShortestPathsOnly2;
|
|
225987
226172
|
const { ecosystem, subprojectPath, workspacePaths } = subProjAndWsPath;
|
|
225988
226173
|
const { projectInfo, workspaceToVulnerabilities } = await this.getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subProjAndWsPath);
|
|
225989
|
-
const
|
|
225990
|
-
|
|
225991
|
-
const vulnerabilities = workspaceToVulnerabilities[workspacePath];
|
|
225992
|
-
const augmentedVulnerabilities = reachabilitySupported ? await this.runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, dataForAnalysis, vulnerabilities) : vulnerabilities.map((v) => ({
|
|
225993
|
-
...v,
|
|
225994
|
-
results: {
|
|
225995
|
-
type: "otherError",
|
|
225996
|
-
message: `Reachability analysis for languages using ${ecosystem} not supported yet`
|
|
225997
|
-
}
|
|
225998
|
-
}));
|
|
225999
|
-
return [workspacePath, augmentedVulnerabilities];
|
|
226000
|
-
}));
|
|
226001
|
-
if (ecosystem === "MAVEN" || ecosystem === "NUGET" || ecosystem === "RUST") {
|
|
226002
|
-
pruneVulnerablePathsToShortestPathsOnly2(ecosystem, workspaceToAugmentedVulnerabilities);
|
|
226003
|
-
}
|
|
226174
|
+
const workspacePathToDataForAnalysis = Object.fromEntries(Object.entries(projectInfo).map(([workspacePath, projectInfo2]) => [workspacePath, projectInfo2.dataForAnalysis]));
|
|
226175
|
+
const workspaceToAugmentedVulnerabilities = await this.runReachabilityAnalysisForWorkspaces(workspacePathToDataForAnalysis, workspaceToVulnerabilities, Object.fromEntries(workspacePaths.map((wsPath) => [wsPath, projectInfo[wsPath].dataForAnalysis.directDependenciesMap ?? {}])), otherModulesCommunicator, subprojectPath, ecosystem, reachabilitySupported);
|
|
226004
226176
|
return workspacePaths.map((workspacePath) => {
|
|
226005
|
-
const codeAwareScanResultsForAllPackages = [];
|
|
226006
|
-
codeAwareScanResultsForAllPackages.push(...this.transformToReportVulnerabilities(workspaceToAugmentedVulnerabilities[workspacePath], projectInfo[workspacePath].directDependenciesMap ?? {}, subprojectPath, workspacePath, this.rootWorkingDirectory));
|
|
226007
226177
|
return {
|
|
226008
226178
|
subprojectPath: relative10(this.rootWorkingDirectory, subprojectPath) || ".",
|
|
226009
226179
|
workspacePath,
|
|
226010
|
-
directDependencies: projectInfo[workspacePath].directDependenciesMap ?? {},
|
|
226011
|
-
vulnerabilities:
|
|
226012
|
-
dependencyTree: projectInfo[workspacePath].dataForAnalysis.dependencyTree
|
|
226180
|
+
directDependencies: projectInfo[workspacePath].dataForAnalysis.directDependenciesMap ?? {},
|
|
226181
|
+
vulnerabilities: workspaceToAugmentedVulnerabilities[workspacePath],
|
|
226182
|
+
dependencyTree: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree
|
|
226013
226183
|
};
|
|
226014
226184
|
});
|
|
226015
226185
|
} finally {
|
|
226016
226186
|
this.sendProgress("RUN_ON_SUBPROJECT", false, subProjAndWsPath.subprojectPath);
|
|
226017
226187
|
}
|
|
226018
226188
|
}
|
|
226019
|
-
async
|
|
226189
|
+
async runReachabilityAnalysisForWorkspaces(workspacePathToDataForAnalysis, workspaceToVulnerabilities, workspaceToDirectDependencies, otherModulesCommunicator, subprojectPath, ecosystem, reachabilitySupported) {
|
|
226190
|
+
const workspaceToAugmentedVulnerabilities = Object.fromEntries(await asyncMap(Object.keys(workspacePathToDataForAnalysis), async (workspacePath) => {
|
|
226191
|
+
const dataForAnalysis = workspacePathToDataForAnalysis[workspacePath];
|
|
226192
|
+
const vulnerabilities = workspaceToVulnerabilities[workspacePath];
|
|
226193
|
+
const augmentedVulnerabilities = reachabilitySupported ? await this.runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, dataForAnalysis, ecosystem, vulnerabilities) : vulnerabilities.map((v) => ({
|
|
226194
|
+
...v,
|
|
226195
|
+
results: {
|
|
226196
|
+
type: "otherError",
|
|
226197
|
+
message: `Reachability analysis for languages using ${ecosystem} not supported yet`
|
|
226198
|
+
}
|
|
226199
|
+
}));
|
|
226200
|
+
return [workspacePath, augmentedVulnerabilities];
|
|
226201
|
+
}));
|
|
226202
|
+
if (ecosystem === "MAVEN" || ecosystem === "NUGET" || ecosystem === "RUST") {
|
|
226203
|
+
pruneVulnerablePathsToShortestPathsOnly(ecosystem, workspaceToAugmentedVulnerabilities);
|
|
226204
|
+
}
|
|
226205
|
+
return mapValues(workspaceToAugmentedVulnerabilities, (augmentedVulnerabilities, workspacePath) => this.transformToReportVulnerabilities(augmentedVulnerabilities, workspaceToDirectDependencies[workspacePath] ?? {}, subprojectPath, workspacePath, this.rootWorkingDirectory));
|
|
226206
|
+
function pruneVulnerablePathsToShortestPathsOnly(ecosystem2, workspaceToAugmentedVulnerabilities2) {
|
|
226207
|
+
const vulnerabilityToWorkspaceToCodeAwareScanSuccess = {};
|
|
226208
|
+
for (const [workspacePath, augmentedVulnerabilities] of Object.entries(workspaceToAugmentedVulnerabilities2)) {
|
|
226209
|
+
augmentedVulnerabilities.forEach((augmentedVulnerability) => {
|
|
226210
|
+
const url3 = augmentedVulnerability.url;
|
|
226211
|
+
const results = augmentedVulnerability.results;
|
|
226212
|
+
if (results.type === "success") {
|
|
226213
|
+
(vulnerabilityToWorkspaceToCodeAwareScanSuccess[url3] ??= {})[workspacePath] = results;
|
|
226214
|
+
}
|
|
226215
|
+
});
|
|
226216
|
+
}
|
|
226217
|
+
const serialize3 = (t4) => `${t4.package}#${t4.class}`.toLowerCase();
|
|
226218
|
+
for (const workspaceToCodeAwareScanSuccess of Object.values(vulnerabilityToWorkspaceToCodeAwareScanSuccess)) {
|
|
226219
|
+
const trie = mkTrie();
|
|
226220
|
+
for (const codeAwareScanSuccess of Object.values(workspaceToCodeAwareScanSuccess)) {
|
|
226221
|
+
const stacks = Array.isArray(codeAwareScanSuccess.detectedOccurrences) ? codeAwareScanSuccess.detectedOccurrences.flatMap((occ) => occ.affectedAppCodePoints) : codeAwareScanSuccess.detectedOccurrences.stacks;
|
|
226222
|
+
stacks.forEach((stack2) => {
|
|
226223
|
+
addPathToTrie(trie, stack2.map(serialize3));
|
|
226224
|
+
});
|
|
226225
|
+
}
|
|
226226
|
+
for (const codeAwareScanSuccess of Object.values(workspaceToCodeAwareScanSuccess)) {
|
|
226227
|
+
const detectedOccurrences = codeAwareScanSuccess.detectedOccurrences;
|
|
226228
|
+
detectedOccurrences.stacks = detectedOccurrences.stacks.filter((stack2) => isShortestPath(trie, stack2.map(serialize3)));
|
|
226229
|
+
if (detectedOccurrences.stacks.length === 0)
|
|
226230
|
+
detectedOccurrences.affectedPackages = [];
|
|
226231
|
+
detectedOccurrences.affectedPackages = detectedOccurrences.affectedPackages.filter((affectedPackage) => {
|
|
226232
|
+
if (affectedPackage === ROOT_NODE_STR || affectedPackage === "UNKNOWN")
|
|
226233
|
+
return true;
|
|
226234
|
+
const [packageName, version3] = affectedPackage.split("@");
|
|
226235
|
+
return detectedOccurrences.stacks.some((stack2) => stack2.some((stackElm) => {
|
|
226236
|
+
if (ecosystem2 === "MAVEN") {
|
|
226237
|
+
const [groupId, artifactId, ...rest] = stackElm.package.split(":");
|
|
226238
|
+
const expectedPackageName = `${groupId}:${artifactId}`;
|
|
226239
|
+
const expectedVersion = rest[rest.length - 1];
|
|
226240
|
+
return expectedPackageName === packageName && expectedVersion === version3;
|
|
226241
|
+
}
|
|
226242
|
+
if (ecosystem2 === "NUGET") {
|
|
226243
|
+
const [expectedPackageName, expectedVersion] = stackElm.package.split("/");
|
|
226244
|
+
return expectedPackageName === packageName && expectedVersion === version3;
|
|
226245
|
+
}
|
|
226246
|
+
return true;
|
|
226247
|
+
}));
|
|
226248
|
+
});
|
|
226249
|
+
}
|
|
226250
|
+
}
|
|
226251
|
+
}
|
|
226252
|
+
}
|
|
226253
|
+
async runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities) {
|
|
226020
226254
|
const [vulnsWithActualAPIPatterns, result] = partition(vulnerabilities, (v) => Array.isArray(v.vulnerabilityAccessPaths));
|
|
226021
226255
|
for (const v of result)
|
|
226022
226256
|
v.results = typeof v.vulnerabilityAccessPaths === "string" ? { type: "noAnalysisCheck", message: v.vulnerabilityAccessPaths } : { type: "missingVulnerabilityPattern" };
|
|
226023
226257
|
if (!vulnsWithActualAPIPatterns.length)
|
|
226024
226258
|
return result;
|
|
226025
226259
|
this.sendProgress("REACHABILITY_ANALYSIS", true, subprojectPath, workspacePath);
|
|
226026
|
-
result.push(...await otherModulesCommunicator.runReachabilityAnalysis(subprojectPath, workspacePath, workspaceData, vulnerabilities, {
|
|
226260
|
+
result.push(...await otherModulesCommunicator.runReachabilityAnalysis(subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities, {
|
|
226027
226261
|
timeoutInSeconds: this.analysisTimeoutInSeconds,
|
|
226028
226262
|
memoryLimitInMB: this.analysisMemoryLimitInMb,
|
|
226029
226263
|
printLogFile: this.options.printAnalysisLogFile,
|
|
@@ -226075,7 +226309,8 @@ var CliCore = class {
|
|
|
226075
226309
|
dependencyType,
|
|
226076
226310
|
reachability,
|
|
226077
226311
|
purl: v.purl,
|
|
226078
|
-
purlType: v.purlType
|
|
226312
|
+
purlType: v.purlType,
|
|
226313
|
+
artifactId: v.artifactId
|
|
226079
226314
|
};
|
|
226080
226315
|
});
|
|
226081
226316
|
}
|
|
@@ -226088,7 +226323,7 @@ var CliCore = class {
|
|
|
226088
226323
|
this.sendProgress("PREPARE_PROJECT_AND_GET_PROJECT_DATA", false, subprojectPath);
|
|
226089
226324
|
const workspaceToPlainDependencyTree = Object.fromEntries(workspacePaths.map((workspacePath) => [
|
|
226090
226325
|
workspacePath,
|
|
226091
|
-
toPlainDependencyTree(projectInfo[workspacePath].dataForAnalysis.dependencyTree)
|
|
226326
|
+
toPlainDependencyTree(projectInfo[workspacePath].dataForAnalysis.data.dependencyTree)
|
|
226092
226327
|
]));
|
|
226093
226328
|
const dependencyTrees = workspacePaths.map((workspacePath) => ({
|
|
226094
226329
|
treeType: "v1",
|
|
@@ -226097,17 +226332,24 @@ var CliCore = class {
|
|
|
226097
226332
|
workspacePath,
|
|
226098
226333
|
subprojectPath: relative10(rootWorkingDirectory, subprojectPath) || "."
|
|
226099
226334
|
}));
|
|
226100
|
-
if (this.options.socketMode)
|
|
226101
|
-
this.reportDependencyTrees =
|
|
226335
|
+
if (this.options.socketMode) {
|
|
226336
|
+
this.reportDependencyTrees = workspacePaths.map((workspacePath) => ({
|
|
226337
|
+
treeType: "v1",
|
|
226338
|
+
dependencyTree: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree,
|
|
226339
|
+
ecosystem: projectInfo[workspacePath].dataForAnalysis.data.dependencyTree.ecosystem ?? "NPM",
|
|
226340
|
+
workspacePath,
|
|
226341
|
+
subprojectPath: relative10(rootWorkingDirectory, subprojectPath) || "."
|
|
226342
|
+
}));
|
|
226343
|
+
}
|
|
226102
226344
|
if (this.shareWithDashboard)
|
|
226103
226345
|
sendDependencyTreesToDashboard(dependencyTrees, this.reportId, this.apiKey);
|
|
226104
226346
|
const workspaceToVulnerabilities = Object.fromEntries(await asyncMap(workspacePaths, async (workspacePath, idx) => this.spinner.wrap(`Scanning for vulnerabilities: (${subProjAndWsPath.packageManagerName}) (${idx + 1}/${workspacePaths.length}) ${workspacePath}`, async () => {
|
|
226105
|
-
const dependencyTree = projectInfo[workspacePath].dataForAnalysis.dependencyTree;
|
|
226347
|
+
const dependencyTree = projectInfo[workspacePath].dataForAnalysis.data.dependencyTree;
|
|
226106
226348
|
this.sendProgress("SCAN_FOR_VULNERABILITIES", true, subprojectPath, workspacePath);
|
|
226107
226349
|
try {
|
|
226108
226350
|
return [
|
|
226109
226351
|
workspacePath,
|
|
226110
|
-
this.options.socketMode ? await scanForVulnerabilitiesSocketMode(projectInfo[workspacePath].dataForAnalysis.dependencyTree) : (await scanForVulnerabilities(dependencyTree, this.options.offlineDatabase, this.apiKey, Number(this.options.timeout))).vulnerabilities
|
|
226352
|
+
this.options.socketMode ? await scanForVulnerabilitiesSocketMode(projectInfo[workspacePath].dataForAnalysis.data.dependencyTree) : (await scanForVulnerabilities(dependencyTree, this.options.offlineDatabase, this.apiKey, Number(this.options.timeout))).vulnerabilities
|
|
226111
226353
|
];
|
|
226112
226354
|
} catch (e) {
|
|
226113
226355
|
logger.error(`Scanning for vulnerabilities failed for subproject ${subprojectPath} in workspace ${workspacePath}`);
|
|
@@ -226291,7 +226533,7 @@ async function computeInputForComputingFixes(path2, options) {
|
|
|
226291
226533
|
}
|
|
226292
226534
|
const cliCore = new CliCore(path2, { ...defaultCliOptions, socketMode: "true" });
|
|
226293
226535
|
const results = await asyncMap(supportedSubprojects, async (subproject) => cliCore.getDependencyTreeAndVulnerabilities(otherModulesCommunicator, subproject));
|
|
226294
|
-
const { artifacts, purlToIndex } = computeSBOMTaskArtifacts(results.flatMap((r2) => Object.values(r2.projectInfo).map((info) => info.dataForAnalysis.dependencyTree)));
|
|
226536
|
+
const { artifacts, purlToIndex } = computeSBOMTaskArtifacts(results.flatMap((r2) => Object.values(r2.projectInfo).map((info) => info.dataForAnalysis.data.dependencyTree)));
|
|
226295
226537
|
const vulnerableArtifactIdsPerVulnerability = computeVulnerableArtifactIdsPerVulnerability(results.flatMap((r2) => Object.values(r2.workspaceToVulnerabilities).flat()), purlToIndex);
|
|
226296
226538
|
return { artifacts, vulnerableArtifactIdsPerVulnerability };
|
|
226297
226539
|
}
|
|
@@ -226376,7 +226618,7 @@ async function useSocketComputeFixEndpoint(artifacts, vulnerableArtifactIdsForGh
|
|
|
226376
226618
|
// dist/index.js
|
|
226377
226619
|
var program2 = new Command();
|
|
226378
226620
|
var run2 = new Command();
|
|
226379
|
-
run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <dirs...>", "globs for directories to include from the detection of subprojects (space-separated). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <dirs...>", "globs for directories to exclude from the detection of subprojects (space-separated). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze. Currently NPM, PIP, MAVEN and GO are supported. Default is all supported ecosystems.", (ecosystems) => ecosystems.split(" ").map((e) => e.toUpperCase())).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
|
|
226621
|
+
run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <dirs...>", "globs for directories to include from the detection of subprojects (space-separated). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <dirs...>", "globs for directories to exclude from the detection of subprojects (space-separated). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze. Currently NPM, PIP, MAVEN and GO are supported. Default is all supported ecosystems.", (ecosystems) => ecosystems.split(" ").map((e) => e.toUpperCase())).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
|
|
226380
226622
|
process.env.DOCKER_IMAGE_TAG ??= version2;
|
|
226381
226623
|
await new CliCore(path2, options).main();
|
|
226382
226624
|
});
|