@coana-tech/cli 15.1.1 → 15.2.0

package/cli.mjs

@@ -212004,6 +212004,111 @@ function handleNexeBinaryMode() {
   }
 }
 
+// ../web-compat-utils/src/package-manager-utils.ts
+var ALL_PACKAGE_MANAGERS = [
+  "NPM",
+  "PNPM",
+  "YARN",
+  "RUSH",
+  "MAVEN",
+  "GRADLE",
+  "SBT",
+  "POETRY",
+  "PIP_REQUIREMENTS",
+  "PIPENV",
+  "GO",
+  "CARGO",
+  "NUGET",
+  "RUBYGEMS",
+  "COMPOSER"
+];
+var FILTERABLE_PACKAGE_MANAGER_SET = new Set(ALL_PACKAGE_MANAGERS);
+function getFilterablePackageManagers() {
+  return ALL_PACKAGE_MANAGERS;
+}
+function isFilterablePackageManager(value2) {
+  return FILTERABLE_PACKAGE_MANAGER_SET.has(value2);
+}
+var PURL_TYPE_TO_SOLE_PACKAGE_MANAGER = {
+  ["golang" /* GOLANG */]: "GO",
+  ["cargo" /* CARGO */]: "CARGO",
+  ["nuget" /* NUGET */]: "NUGET",
+  ["gem" /* GEM */]: "RUBYGEMS",
+  ["composer" /* COMPOSER */]: "COMPOSER"
+};
+function basenameOf(file) {
+  const lastSlash = Math.max(file.lastIndexOf("/"), file.lastIndexOf("\\"));
+  return lastSlash === -1 ? file : file.slice(lastSlash + 1);
+}
+function getPackageManagersForManifestFile(file) {
+  const base = basenameOf(file);
+  switch (base) {
+    case "package-lock.json":
+    case "npm-shrinkwrap.json":
+      return ["NPM"];
+    case "pnpm-lock.yaml":
+    case "pnpm-lock.yml":
+      return ["PNPM"];
+    case "yarn.lock":
+      return ["YARN"];
+    case "pom.xml":
+      return ["MAVEN"];
+    case "gradle.lockfile":
+    case "build.gradle":
+    case "build.gradle.kts":
+    case "settings.gradle":
+    case "settings.gradle.kts":
+      return ["GRADLE"];
+    case "build.sbt":
+      return ["SBT"];
+    case "poetry.lock":
+      return ["POETRY"];
+    case "Pipfile":
+    case "Pipfile.lock":
+      return ["PIPENV"];
+    case "go.mod":
+    case "go.sum":
+      return ["GO"];
+    case "Cargo.toml":
+    case "Cargo.lock":
+      return ["CARGO"];
+    case "packages.config":
+      return ["NUGET"];
+    case "Gemfile":
+    case "Gemfile.lock":
+      return ["RUBYGEMS"];
+    case "composer.json":
+    case "composer.lock":
+      return ["COMPOSER"];
+  }
+  if (base.endsWith(".sbt")) return ["SBT"];
+  if (base.endsWith(".csproj") || base.endsWith(".fsproj") || base.endsWith(".vbproj")) return ["NUGET"];
+  if (base.endsWith(".gemspec")) return ["RUBYGEMS"];
+  if (/^requirements[\w.-]*\.txt$/.test(base)) return ["PIP_REQUIREMENTS"];
+  const normalized = file.replace(/\\/g, "/");
+  if (/(^|\/)requirements\/[^/]+\.txt$/.test(normalized)) return ["PIP_REQUIREMENTS"];
+  return [];
+}
+function getPackageManagersFromManifestFiles(manifestFiles, purlType) {
+  const result = /* @__PURE__ */ new Set();
+  for (const file of manifestFiles ?? []) {
+    for (const pm of getPackageManagersForManifestFile(file)) {
+      result.add(pm);
+    }
+  }
+  if (result.size === 0 && purlType != null) {
+    const fallback = PURL_TYPE_TO_SOLE_PACKAGE_MANAGER[purlType];
+    if (fallback) result.add(fallback);
+  }
+  return result;
+}
+function getPackageManagersForArtifact(artifact) {
+  return getPackageManagersFromManifestFiles(
+    (artifact.manifestFiles ?? []).map((ref) => ref.file),
+    artifact.type
+  );
+}
+
 // ../../node_modules/.pnpm/kleur@4.1.5/node_modules/kleur/index.mjs
 var FORCE_COLOR;
 var NODE_DISABLE_COLORS;
@@ -234940,10 +235045,11 @@ async function computeFixesAndUpgradePurls(path9, options, logFile) {
     }
     return { type: "selected-vulnerabilities-do-not-affect-the-current-project" };
   }
-  const filteredFixDetails = filterFixDetailsByPurlTypes(apiResponse.fixDetails, options.purlTypes);
+  const filteredFixDetails = filterFixDetails(apiResponse.fixDetails, options.purlTypes, options.packageManagers);
   const hadFixesBeforeFilter = Object.values(apiResponse.fixDetails).some(hasFixData);
   const hasFixesAfterFilter = Object.values(filteredFixDetails).some(hasFixData);
-  if (options.purlTypes && hadFixesBeforeFilter && !hasFixesAfterFilter) {
+  const hasAnyFilter = options.purlTypes != null || options.packageManagers != null;
+  if (hasAnyFilter && hadFixesBeforeFilter && !hasFixesAfterFilter) {
     logger.info("There is no overlap between the requested fixes and the detected vulnerabilities");
     logger.info("Consider running the tool again, requesting a fix for one of the detected vulnerabilities");
     const detectedList = apiResponse.allDetectedGhsas ?? Object.keys(apiResponse.fixDetails);
@@ -235024,26 +235130,47 @@ async function computeFixesAndUpgradePurls(path9, options, logFile) {
 function hasFixData(detail) {
   return (detail.type === "fixFound" || detail.type === "partialFixFound") && (detail.value.fixDetails?.fixes.length ?? 0) > 0;
 }
-function filterFixDetailsByPurlTypes(fixDetails, purlTypes) {
-  if (!purlTypes)
+function filterFixDetails(fixDetails, purlTypes, packageManagers) {
+  if (!purlTypes && !packageManagers)
     return fixDetails;
-  const allowed = new Set(purlTypes);
-  const matchesType = (fixPurl) => {
-    const parsed = import_packageurl_js.PackageURL.fromString(fixPurl);
-    const purlType = toPurlType(parsed.type);
-    return purlType !== void 0 && allowed.has(purlType);
+  const allowedTypes = purlTypes ? new Set(purlTypes) : void 0;
+  const tryParse = (purl) => {
+    try {
+      return import_packageurl_js.PackageURL.fromString(purl);
+    } catch (err) {
+      logger.warn(`Skipping purl that failed to parse: ${purl} (${err?.message ?? "unknown error"})`);
+      return void 0;
+    }
+  };
+  const matches = (purl, manifestFiles, ghsa) => {
+    const parsed = tryParse(purl);
+    if (parsed === void 0)
+      return true;
+    if (allowedTypes) {
+      const purlType = toPurlType(parsed.type);
+      if (purlType === void 0 || !allowedTypes.has(purlType)) {
+        logger.warn(`Skipping upgrade for ${purl} (${ghsa}) - type '${parsed.type}' not in specified types: ${purlTypes.join(", ")}`);
+        return false;
+      }
+    }
+    if (packageManagers) {
+      const pms = getPackageManagersFromManifestFiles(manifestFiles, parsed.type);
+      if (pms.size === 0) {
+        logger.warn(`Could not determine package manager for ${purl} (${ghsa}) from manifest files [${manifestFiles.join(", ") || "none"}] \u2014 including in --package-managers results`);
+        return true;
+      }
+      if (!packageManagers.some((pm) => pms.has(pm))) {
+        logger.warn(`Skipping upgrade for ${purl} (${ghsa}) - package manager(s) [${[...pms].join(", ")}] not in specified package managers: ${packageManagers.join(", ")}`);
+        return false;
+      }
+    }
+    return true;
   };
   const filtered = {};
   for (const [ghsa, detail] of Object.entries(fixDetails)) {
     if (detail.type === "fixFound" || detail.type === "partialFixFound") {
-      const filteredFixes = (detail.value.fixDetails?.fixes ?? []).filter((fix) => {
-        if (matchesType(fix.purl))
-          return true;
-        const parsed = import_packageurl_js.PackageURL.fromString(fix.purl);
-        logger.warn(`Skipping upgrade for ${fix.purl} (${ghsa}) - type '${parsed.type}' not in specified types: ${purlTypes.join(", ")}`);
-        return false;
-      });
-      const filteredUnfixable = detail.type === "partialFixFound" ? (detail.value.fixDetails?.unfixablePurls ?? []).filter((u8) => matchesType(u8.purl)) : void 0;
+      const filteredFixes = (detail.value.fixDetails?.fixes ?? []).filter((fix) => matches(fix.purl, fix.manifestFiles, ghsa));
+      const filteredUnfixable = detail.type === "partialFixFound" ? (detail.value.fixDetails?.unfixablePurls ?? []).filter((u8) => matches(u8.purl, u8.manifestFiles, ghsa)) : void 0;
       filtered[ghsa] = {
         ...detail,
         value: {
@@ -235056,7 +235183,7 @@ function filterFixDetailsByPurlTypes(fixDetails, purlTypes) {
         }
       };
     } else if (detail.type === "fixNotApplicable" || detail.type === "noFixAvailable") {
-      const filteredVuln = (detail.value.vulnerableArtifacts ?? []).filter((v) => matchesType(v.purl));
+      const filteredVuln = (detail.value.vulnerableArtifacts ?? []).filter((v) => matches(v.purl, v.manifestFiles, ghsa));
       filtered[ghsa] = {
         ...detail,
         value: { ...detail.value, vulnerableArtifacts: filteredVuln }
@@ -252288,7 +252415,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "15.1.1";
+var version3 = "15.2.0";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;
@@ -253671,6 +253798,16 @@ async function writeAnalysisDebugInfo(outputFilePath, ecosystemToWorkspaceToVuln
 
 // dist/index.js
 handleNexeBinaryMode();
+function normalizeAndValidatePackageManagers(values) {
+  if (!values)
+    return void 0;
+  const normalized = values.map((v) => v.toUpperCase());
+  const invalid = normalized.filter((v) => !isFilterablePackageManager(v));
+  if (invalid.length > 0) {
+    throw new Error(`Invalid package manager(s): ${invalid.join(", ")}. Supported values are: ${getFilterablePackageManagers().join(", ")}`);
+  }
+  return normalized;
+}
 var program2 = new Command();
 var run2 = new Command();
 run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).option("--reach-continue-on-install-errors", "Continue analysis when package installation fails, falling back to precomputed (Tier 2) reachability results. By default, the CLI halts on installation errors in socket mode.", process.env.COANA_REACH_CONTINUE_ON_INSTALL_ERRORS === "true" || process.env.COANA_CONTINUE_ON_INSTALL_ERRORS === "true" || void 0).option("--reach-continue-on-analysis-errors", "Continue analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) reachability results. By default, the CLI halts on analysis errors in socket mode.", process.env.COANA_REACH_CONTINUE_ON_ANALYSIS_ERRORS === "true" || void 0).option("--reach-continue-on-no-source-files", "Continue analysis when a workspace contains no source files for its ecosystem. By default, the CLI halts in socket mode.", process.env.COANA_REACH_CONTINUE_ON_NO_SOURCE_FILES === "true" || void 0).option("--reach-continue-on-missing-lock-files", "Continue analysis when a Gradle or SBT project is missing its lock file (or Gradle version catalog / pre-generated SBOM). By default, the CLI halts in socket mode.", process.env.COANA_REACH_CONTINUE_ON_MISSING_LOCK_FILES === "true" || void 0).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).addOption(new Option("--lazy-mode", "Enable lazy analysis mode for JavaScript/TypeScript. This can significantly speed up analysis by only analyzing code that is actually relevant for the vulnerabilities being analyzed.").default(false).implies({ legacyJsAnalysisEngine: true }).hideHelp()).addOption(new Option("--legacy-js-analysis-engine", "Use the legacy Jelly engine for JavaScript/TypeScript reachability analysis instead of SPAR-JS.").default(false).hideHelp()).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).addOption(new Option("--use-only-pregenerated-sboms", "Only include artifacts that have CDX or SPDX files in their manifest files.").default(false).hideHelp()).option("--disable-external-tool-checks", "Disable validation of external tools (npm, python, go, etc.) before running analysis.", false).version(version3).configureHelp({ sortOptions: true }).action(async (path9, options) => {
@@ -253690,7 +253827,7 @@ applyFixes.name("apply-fixes").argument("<path>", "File system path to the folde
   await applyFix(path9, fixIds, options);
 }).configureHelp({ sortOptions: true });
 var computeFixesAndUpgradePurlsCmd = new Command();
-computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-i, --include <patterns...>", "Glob patterns to include workspaces").option("-e, --exclude <patterns...>", "Glob patterns to exclude workspaces").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').option("--disable-major-updates", "Do not suggest major updates. If only major update are available, the fix will not be applied.", false).option("-o, --output-file <file>", "Writes output to a JSON file").option("--minimum-release-age <minimumReleaseAge>", "Do not allow upgrades to package versions that are newer than minimumReleaseAge. Format is 2m, 5h, 3d or 1w").option("--show-affected-direct-dependencies", "Show the affected direct dependencies for each vulnerability and what upgrades could fix them - does not apply the upgrades.", false).option("--purl-types <purlTypes...>", "List of PURL types to filter artifacts by (space-separated). Only vulnerabilities from artifacts matching these types will be included.").addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--disable-external-tool-checks", "Disable validation of external tools (npm, python, go, etc.) before running analysis.", false).version(version3).action(async (path9, options) => {
+computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument("<path>", "File system path to the folder containing the project").option("-a, --apply-fixes-to <ghsas...>", 'GHSA IDs to compute fixes for. Use "all" to compute fixes for all vulnerabilities.', []).option("--dry-run", "Show what changes would be made without actually making them", false).option("-i, --include <patterns...>", "Glob patterns to include workspaces").option("-e, --exclude <patterns...>", "Glob patterns to exclude workspaces").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("--range-style <style>", 'Range style to use for the output. Currently only "pin" is supported and it only works for npm.').option("--disable-major-updates", "Do not suggest major updates. If only major update are available, the fix will not be applied.", false).option("-o, --output-file <file>", "Writes output to a JSON file").option("--minimum-release-age <minimumReleaseAge>", "Do not allow upgrades to package versions that are newer than minimumReleaseAge. Format is 2m, 5h, 3d or 1w").option("--show-affected-direct-dependencies", "Show the affected direct dependencies for each vulnerability and what upgrades could fix them - does not apply the upgrades.", false).option("--purl-types <purlTypes...>", "List of PURL types to filter artifacts by (space-separated). Only vulnerabilities from artifacts matching these types will be included.").option("--package-managers <packageManagers...>", `List of package managers to filter artifacts by (space-separated, e.g. NPM PNPM YARN POETRY GRADLE). Valid values: ${getFilterablePackageManagers().join(", ")}. When combined with --purl-types, both filters must match.`).addOption(new Option("--run-without-docker", "Run package managers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--disable-external-tool-checks", "Disable validation of external tools (npm, python, go, etc.) before running analysis.", false).version(version3).action(async (path9, options) => {
   checkNotWindows();
   process.env.DOCKER_IMAGE_TAG ??= version3;
   if (options.outputFile && !options.outputFile.endsWith(".json")) {
@@ -253703,6 +253840,7 @@ computeFixesAndUpgradePurlsCmd.name("compute-fixes-and-upgrade-purls").argument(
     throw new Error('Range style must be "pin"');
   }
   options.purlTypes = options.purlTypes?.map((t4) => t4.toLowerCase());
+  options.packageManagers = normalizeAndValidatePackageManagers(options.packageManagers);
   const tmpDir = await mkdtemp2(join35(tmpdir5(), "compute-fixes-and-upgrade-purls-"));
   const logFile = join35(tmpDir, "compute-fixes-and-upgrade-purls.log");
   logger.initWinstonLogger(options.debug, logFile);
@@ -253762,10 +253900,20 @@ compareReportsCommand.name("compare-reports").argument("<baselineReportPath>", "
   await compareReports(baselineReport, newReport, options);
 });
 var findVulnerabilities = new Command();
-findVulnerabilities.name("find-vulnerabilities").requiredOption("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket.").option("--purl-types <purlTypes...>", "List of PURL types to filter artifacts by (space-separated). Only vulnerabilities from artifacts matching these types will be included.").action(async (options) => {
+findVulnerabilities.name("find-vulnerabilities").requiredOption("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket.").option("--purl-types <purlTypes...>", "List of PURL types to filter artifacts by (space-separated). Only vulnerabilities from artifacts matching these types will be included.").option("--package-managers <packageManagers...>", `List of package managers to filter artifacts by (space-separated, e.g. NPM PNPM YARN POETRY GRADLE). Valid values: ${getFilterablePackageManagers().join(", ")}. When combined with --purl-types, both filters must match.`).action(async (options) => {
   const purlTypes = options.purlTypes?.map((t4) => t4.toLowerCase());
+  const packageManagers = normalizeAndValidatePackageManagers(options.packageManagers);
   const { artifacts } = await fetchArtifactsFromManifestsTarHash(options.manifestsTarHash);
-  const filteredArtifacts = purlTypes ? artifacts.filter((a4) => purlTypes.includes(a4.type)) : artifacts;
+  const filteredArtifacts = artifacts.filter((a4) => {
+    if (purlTypes && !purlTypes.includes(a4.type))
+      return false;
+    if (packageManagers) {
+      const artifactPMs = getPackageManagersForArtifact(a4);
+      if (artifactPMs.size > 0 && !packageManagers.some((pm) => artifactPMs.has(pm)))
+        return false;
+    }
+    return true;
+  });
   console.log(JSON.stringify(i(filteredArtifacts.flatMap((a4) => a4.vulnerabilities?.map((v) => v.ghsaId) ?? []))));
 });
 var generateAnalysisDebugInfo = new Command();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "15.1.1",
+  "version": "15.2.0",
   "description": "Coana CLI",
   "type": "module",
   "bin": {