@coana-tech/cli 15.0.9 → 15.0.11

package/cli.mjs

@@ -252023,7 +252023,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "15.0.9";
+var version3 = "15.0.11";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "15.0.9",
+  "version": "15.0.11",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -35347,8 +35347,8 @@ var require_follow_redirects = __commonJS({
       }
       return parsed;
     }
-    function resolveUrl(relative13, base) {
-      return useNativeURL ? new URL3(relative13, base) : parseUrl(url2.resolve(base, relative13));
+    function resolveUrl(relative14, base) {
+      return useNativeURL ? new URL3(relative14, base) : parseUrl(url2.resolve(base, relative14));
     }
     function validateUrl(input) {
       if (/^\[/.test(input.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input.hostname)) {
@@ -54787,7 +54787,7 @@ var require_old = __commonJS({
       if (cache) cache[original] = p;
       return p;
     };
-    exports.realpath = function realpath4(p, cache, cb) {
+    exports.realpath = function realpath5(p, cache, cb) {
       if (typeof cb !== "function") {
         cb = maybeCallback(cache);
         cache = null;
@@ -54875,12 +54875,12 @@ var require_old = __commonJS({
 // ../../node_modules/.pnpm/fs.realpath@1.0.0/node_modules/fs.realpath/index.js
 var require_fs = __commonJS({
   "../../node_modules/.pnpm/fs.realpath@1.0.0/node_modules/fs.realpath/index.js"(exports, module) {
-    module.exports = realpath4;
-    realpath4.realpath = realpath4;
-    realpath4.sync = realpathSync2;
-    realpath4.realpathSync = realpathSync2;
-    realpath4.monkeypatch = monkeypatch;
-    realpath4.unmonkeypatch = unmonkeypatch;
+    module.exports = realpath5;
+    realpath5.realpath = realpath5;
+    realpath5.sync = realpathSync2;
+    realpath5.realpathSync = realpathSync2;
+    realpath5.monkeypatch = monkeypatch;
+    realpath5.unmonkeypatch = unmonkeypatch;
     var fs12 = __require("fs");
     var origRealpath = fs12.realpath;
     var origRealpathSync = fs12.realpathSync;
@@ -54890,7 +54890,7 @@ var require_fs = __commonJS({
     function newError(er) {
       return er && er.syscall === "realpath" && (er.code === "ELOOP" || er.code === "ENOMEM" || er.code === "ENAMETOOLONG");
     }
-    function realpath4(p, cache, cb) {
+    function realpath5(p, cache, cb) {
       if (ok) {
         return origRealpath(p, cache, cb);
       }
@@ -54921,7 +54921,7 @@ var require_fs = __commonJS({
       }
     }
     function monkeypatch() {
-      fs12.realpath = realpath4;
+      fs12.realpath = realpath5;
       fs12.realpathSync = realpathSync2;
     }
     function unmonkeypatch() {
@@ -79848,7 +79848,7 @@ function deserializeRustDependencyChainNode(s2) {
 
 // dist/main.js
 var import_lodash25 = __toESM(require_lodash(), 1);
-import { relative as relative12, resolve as resolve27 } from "path";
+import { relative as relative13, resolve as resolve27 } from "path";
 
 // ../utils/src/dashboard-api/coana-api.ts
 import { writeFile } from "fs/promises";
@@ -86282,10 +86282,10 @@ var Ignore = class {
   ignored(p) {
     const fullpath = p.fullpath();
     const fullpaths = `${fullpath}/`;
-    const relative13 = p.relative() || ".";
-    const relatives = `${relative13}/`;
+    const relative14 = p.relative() || ".";
+    const relatives = `${relative14}/`;
     for (const m of this.relative) {
-      if (m.match(relative13) || m.match(relatives))
+      if (m.match(relative14) || m.match(relatives))
         return true;
     }
     for (const m of this.absolute) {
@@ -86296,9 +86296,9 @@ var Ignore = class {
   }
   childrenIgnored(p) {
     const fullpath = p.fullpath() + "/";
-    const relative13 = (p.relative() || ".") + "/";
+    const relative14 = (p.relative() || ".") + "/";
     for (const m of this.relativeChildren) {
-      if (m.match(relative13))
+      if (m.match(relative14))
         return true;
     }
     for (const m of this.absoluteChildren) {
@@ -98250,10 +98250,10 @@ function compareDocumentPosition(nodeA, nodeB) {
 function uniqueSort(nodes) {
   nodes = nodes.filter((node, i4, arr) => !arr.includes(node, i4 + 1));
   nodes.sort((a2, b) => {
-    const relative13 = compareDocumentPosition(a2, b);
-    if (relative13 & DocumentPosition.PRECEDING) {
+    const relative14 = compareDocumentPosition(a2, b);
+    if (relative14 & DocumentPosition.PRECEDING) {
       return -1;
-    } else if (relative13 & DocumentPosition.FOLLOWING) {
+    } else if (relative14 & DocumentPosition.FOLLOWING) {
       return 1;
     }
     return 0;
@@ -114423,8 +114423,8 @@ async function downloadAndExtractComposerPackage(namespace2, name2, version3, ve
 
 // dist/whole-program-code-aware-vulnerability-scanner/php/spar-php-runner.js
 import { createReadStream as createReadStream4, createWriteStream as createWriteStream6, existsSync as existsSync17 } from "fs";
-import { readFile as readFile15, rm as rm9, writeFile as writeFile12 } from "fs/promises";
-import { join as join20 } from "path";
+import { readFile as readFile15, realpath as realpath4, rm as rm9, writeFile as writeFile12 } from "fs/promises";
+import { join as join20, relative as relative10 } from "path";
 import { pipeline as pipeline4 } from "stream/promises";
 import zlib4 from "zlib";
 async function runSparPhpAnalysis(projectDir, vulns, includePackages, timeoutInSeconds, telemetryHandler, analyzerTelemetryHandler) {
@@ -114474,13 +114474,16 @@ async function runSparPhpAnalysis(projectDir, vulns, includePackages, timeoutInS
       logger.debug(`PHP code-aware analysis stderr
 ${stderr}`);
     const callstacksRaw = existsSync17(callstacksOutputFile) ? JSON.parse(await readFile15(callstacksOutputFile, "utf8")) : [];
+    const realProjectRoot = await realpath4(projectDir);
+    const vendorDir = join20(projectDir, "vendor");
+    const realVendorRoot = existsSync17(vendorDir) ? await realpath4(vendorDir) : vendorDir;
     const matchesByUrl = {};
     for (const entry of callstacksRaw) {
       const url2 = entry.vulnerability;
       const stacks = entry.paths.map((path10) => path10.map((frame) => ({
         package: frame.package === "" ? ROOT_NODE_STR : frame.package,
         sourceLocation: {
-          filename: frame.file,
+          filename: normalizeFilename(frame.file, frame.package, realProjectRoot, realVendorRoot),
           start: frame.start,
           end: frame.end
         },
@@ -114521,6 +114524,16 @@ ${stderr}`);
     await rm9(tmpDir, { recursive: true, force: true });
   }
 }
+function normalizeFilename(file, pkg, realProjectRoot, realVendorRoot) {
+  if (pkg) {
+    const relToVendor = relative10(realVendorRoot, file);
+    const pkgPrefix = `${pkg}/`;
+    if (!relToVendor.startsWith("..") && relToVendor.startsWith(pkgPrefix)) {
+      return relToVendor.substring(pkgPrefix.length);
+    }
+  }
+  return relative10(realProjectRoot, file);
+}
 
 // dist/whole-program-code-aware-vulnerability-scanner/php/php-code-aware-vulnerability-scanner.js
 var { uniqBy: uniqBy2 } = import_lodash19.default;
@@ -114892,7 +114905,7 @@ var import_lodash22 = __toESM(require_lodash(), 1);
 var import_picomatch4 = __toESM(require_picomatch2(), 1);
 import { existsSync as existsSync20 } from "fs";
 import { rm as rm11 } from "fs/promises";
-import { relative as relative10, resolve as resolve25 } from "path";
+import { relative as relative11, resolve as resolve25 } from "path";
 
 // ../web-compat-utils/src/pluralize.ts
 function pluralize(count, word) {
@@ -114956,7 +114969,7 @@ var NpmAnalyzer = class {
       logger.info(`Running import reachability analysis for ${vulns.length} ${pluralize(vulns.length, "vulnerability")}`);
       let reachable;
       const ghsaIds = extractGhsaIdsFromVulnUrls(vulns.map((v) => v.url));
-      const importAnalysisMetadataId = COANA_REPORT_ID ? await dashboardAPI2.createAnalysisMetadata(COANA_REPORT_ID, relative10(this.state.rootWorkingDir, this.state.subprojectDir) || ".", this.state.workspacePath, "NPM", ghsaIds, heuristics.IMPORT_REACHABILITY.name) : void 0;
+      const importAnalysisMetadataId = COANA_REPORT_ID ? await dashboardAPI2.createAnalysisMetadata(COANA_REPORT_ID, relative11(this.state.rootWorkingDir, this.state.subprojectDir) || ".", this.state.workspacePath, "NPM", ghsaIds, heuristics.IMPORT_REACHABILITY.name) : void 0;
       if (COANA_REPORT_ID && !importAnalysisMetadataId) {
         logger.debug("Failed to create analysis metadata for import analysis");
       }
@@ -115176,7 +115189,7 @@ import { resolve as resolve26 } from "path";
 var import_lodash23 = __toESM(require_lodash(), 1);
 import { createWriteStream as createWriteStream7, existsSync as existsSync21 } from "fs";
 import { mkdir as mkdir11, readdir as readdir8, readFile as readFile16, rm as rm12 } from "fs/promises";
-import { join as join22, relative as relative11 } from "path";
+import { join as join22, relative as relative12 } from "path";
 import { pipeline as pipeline5 } from "stream/promises";
 var PRINT_ANALYSIS_COMMAND = false;
 var { uniqBy: uniqBy3, sortedUniq: sortedUniq2 } = import_lodash23.default;
@@ -115269,7 +115282,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
           telemetryHandler
         });
         const result = JSON.parse(await readFile16(vulnsOutputFile, "utf-8"));
-        const relativeLoadPathsToPackageNames = new Map([...loadPathsToPackageNames.entries()].map(([k, v]) => [join22("vendor", relative11(this.vendorDir, k)), v]));
+        const relativeLoadPathsToPackageNames = new Map([...loadPathsToPackageNames.entries()].map(([k, v]) => [join22("vendor", relative12(this.vendorDir, k)), v]));
         const { timedOut, ...diagnostics } = JSON.parse(await readFile16(diagnosticsOutputFile, "utf-8"));
         const reachedPackages = JSON.parse(await readFile16(reachedPackagesOutputFile, "utf-8"));
         logger.debug("Reached packages: %O", reachedPackages);
@@ -115573,7 +115586,7 @@ var dashboardAPI3 = new DashboardAPI(process.env.SOCKET_MODE === "true", process
 async function installDependenciesForAnalysis(state, preinstallDir) {
   const projectDir = resolve27(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
-  logger.info(`Pre-installing dependencies for project at "${relative12(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
+  logger.info(`Pre-installing dependencies for project at "${relative13(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
   const constructor = ecosystemAnalyzer[ecosystem];
   if (!constructor)
     throw Error(`No analyzer associated with ecosystem ${ecosystem}`);
@@ -115584,14 +115597,14 @@ async function installDependenciesForAnalysis(state, preinstallDir) {
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve27(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
-  logger.info(`Preparing to run reachability analysis for project at "${relative12(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
+  logger.info(`Preparing to run reachability analysis for project at "${relative13(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
   const constructor = ecosystemAnalyzer[ecosystem];
   if (!constructor)
     throw Error(`No analyzer associated with ecosystem ${ecosystem}`);
   const analyzer = new constructor(state, projectDir);
   const [vulnerabilitiesWithPrecomputedResults, vulnerabilitiesWithoutPrecomputedResults] = partition4(state.vulnerabilities, (v) => "results" in v);
   const augmentedVulnerabilities = await runWholeProgramCodeAwareVulnerabilityScanner(analyzer, vulnerabilitiesWithoutPrecomputedResults, async (amd) => {
-    await dashboardAPI3.registerAnalysisMetadata(relative12(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);
+    await dashboardAPI3.registerAnalysisMetadata(relative13(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);
   });
   const diagnostics = await analyzer.getWorkspaceDiagnostics();
   return {