@coana-tech/cli 15.2.0 → 15.2.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "15.2.0",
+  "version": "15.2.2",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -35347,8 +35347,8 @@ var require_follow_redirects = __commonJS({
       }
       return parsed;
     }
-    function resolveUrl(relative14, base) {
-      return useNativeURL ? new URL3(relative14, base) : parseUrl(url2.resolve(base, relative14));
+    function resolveUrl(relative15, base) {
+      return useNativeURL ? new URL3(relative15, base) : parseUrl(url2.resolve(base, relative15));
     }
     function validateUrl(input) {
       if (/^\[/.test(input.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input.hostname)) {
@@ -79848,7 +79848,7 @@ function deserializeRustDependencyChainNode(s2) {
 
 // dist/main.js
 var import_lodash25 = __toESM(require_lodash(), 1);
-import { relative as relative13, resolve as resolve27 } from "path";
+import { relative as relative14, resolve as resolve27 } from "path";
 
 // ../utils/src/dashboard-api/coana-api.ts
 import { writeFile } from "fs/promises";
@@ -86287,10 +86287,10 @@ var Ignore = class {
   ignored(p) {
     const fullpath = p.fullpath();
     const fullpaths = `${fullpath}/`;
-    const relative14 = p.relative() || ".";
-    const relatives = `${relative14}/`;
+    const relative15 = p.relative() || ".";
+    const relatives = `${relative15}/`;
     for (const m of this.relative) {
-      if (m.match(relative14) || m.match(relatives))
+      if (m.match(relative15) || m.match(relatives))
         return true;
     }
     for (const m of this.absolute) {
@@ -86301,9 +86301,9 @@ var Ignore = class {
   }
   childrenIgnored(p) {
     const fullpath = p.fullpath() + "/";
-    const relative14 = (p.relative() || ".") + "/";
+    const relative15 = (p.relative() || ".") + "/";
     for (const m of this.relativeChildren) {
-      if (m.match(relative14))
+      if (m.match(relative15))
         return true;
     }
     for (const m of this.absoluteChildren) {
@@ -87126,7 +87126,7 @@ glob.glob = glob;
 var import_lodash18 = __toESM(require_lodash(), 1);
 var import_semver4 = __toESM(require_semver2(), 1);
 import assert10 from "assert";
-import { relative as relative9 } from "path";
+import { relative as relative10 } from "path";
 
 // ../utils/src/telemetry/telemetry-options-factory.ts
 function createTelemetryHandler(dashboardAPI4, analysisMetadataId) {
@@ -87300,7 +87300,7 @@ import { resolve as resolve21 } from "path";
 // ../utils/src/pip-utils.ts
 import { existsSync as existsSync3 } from "node:fs";
 import { readFile as readFile5 } from "node:fs/promises";
-import { dirname, resolve as resolve3 } from "node:path";
+import { dirname, resolve as resolve3, relative as relative2 } from "node:path";
 import util4 from "node:util";
 
 // ../utils/src/command-utils.ts
@@ -88475,10 +88475,10 @@ async function downloadFile(fileUrl, outputFile) {
 // ../utils/src/file-tree-utils.ts
 import { closeSync as closeSync2, lstatSync as lstatSync2, openSync as openSync2, readdirSync as readdirSync3, readSync as readSync2 } from "fs";
 import { readdir as readdir3 } from "fs/promises";
-import { basename as basename3, join as join7, relative as relative3, resolve as resolve5 } from "path";
+import { basename as basename3, join as join7, relative as relative4, resolve as resolve5 } from "path";
 
 // ../utils/src/package-utils.ts
-import { parse as parse2, join as join6, resolve as resolve4, normalize as normalize2, dirname as dirname3, basename as basename2, relative as relative2 } from "path";
+import { parse as parse2, join as join6, resolve as resolve4, normalize as normalize2, dirname as dirname3, basename as basename2, relative as relative3 } from "path";
 import { existsSync as existsSync5, readFileSync as readFileSync2, readdirSync as readdirSync2, statSync, writeFileSync } from "fs";
 function getPackageJsonObject(workspaceRoot) {
   const packageJSONContent = getPackageJsonContent(workspaceRoot);
@@ -88510,7 +88510,7 @@ async function findFilesInPythonProjectMatching(projectDir, fileMatcher, maxDept
         if (shouldIgnoreDir(fileOrDirectory.name, projectDir === path10)) continue;
         directoriesToTraverse.push(fileOrDirectory.name);
       } else if (fileOrDirectory.isFile()) {
-        if (fileMatcher(fullPath)) files.push(relative3(projectDir, fullPath));
+        if (fileMatcher(fullPath)) files.push(relative4(projectDir, fullPath));
       }
     }
     if (depthLeft === 0) return;
@@ -88528,7 +88528,7 @@ async function findFilesInPythonProjectMatching(projectDir, fileMatcher, maxDept
 // ../utils/src/tmp-file.ts
 import { rm, mkdtemp, cp as cp2, lstat as lstat2 } from "fs/promises";
 import { tmpdir as tmpdir2 } from "os";
-import { join as join8, relative as relative4, sep as sep2, extname } from "path";
+import { join as join8, relative as relative5, sep as sep2, extname } from "path";
 async function createTmpDirectory(prefix) {
   try {
     const tmpDir = await mkdtemp(join8(tmpdir2(), prefix));
@@ -94158,7 +94158,7 @@ function getClassGraphAnalysisCliPath() {
 // ../utils/src/nuget-project-utils.ts
 var import_parse_xml2 = __toESM(require_dist(), 1);
 import { readFile as readFile6 } from "node:fs/promises";
-import { dirname as dirname9, join as join11, relative as relative5, resolve as resolve8, basename as basename6, extname as extname2 } from "node:path";
+import { dirname as dirname9, join as join11, relative as relative6, resolve as resolve8, basename as basename6, extname as extname2 } from "node:path";
 
 // ../utils/src/xml-utils.ts
 var import_parse_xml = __toESM(require_dist(), 1);
@@ -95845,7 +95845,7 @@ async function loadNuGetProjectOrTarget(rootDir, projectFile, mainProject, visit
       });
       currentProject.sourceFiles.push(...files);
     } catch (err) {
-      logger.debug(`Failed to glob default pattern for ${relative5(rootDir, validatedProjectPath)}: ${err}`);
+      logger.debug(`Failed to glob default pattern for ${relative6(rootDir, validatedProjectPath)}: ${err}`);
     }
   }
   mainProject ??= currentProject;
@@ -96068,11 +96068,11 @@ async function handleCompileItem(project, child) {
       } catch (err) {
         if (evaluatedExclude) {
           logger.debug(
-            `Failed to glob Compile Include ${includePatterns}, Exclude ${excludePatterns} in ${relative5(project.rootDir, project.validatedProjectPath)}: ${err}`
+            `Failed to glob Compile Include ${includePatterns}, Exclude ${excludePatterns} in ${relative6(project.rootDir, project.validatedProjectPath)}: ${err}`
           );
         } else {
           logger.debug(
-            `Failed to glob Compile Include ${includePatterns} in ${relative5(project.rootDir, project.validatedProjectPath)}: ${err}`
+            `Failed to glob Compile Include ${includePatterns} in ${relative6(project.rootDir, project.validatedProjectPath)}: ${err}`
           );
         }
       }
@@ -96092,7 +96092,7 @@ async function handleCompileItem(project, child) {
         project.sourceFiles = project.sourceFiles.filter((f2) => !removeSet.has(f2));
       } catch (err) {
         logger.debug(
-          `Failed to glob Compile Remove pattern ${evaluatedRemove} in ${relative5(project.rootDir, project.validatedProjectPath)}: ${err}`
+          `Failed to glob Compile Remove pattern ${evaluatedRemove} in ${relative6(project.rootDir, project.validatedProjectPath)}: ${err}`
         );
       }
     }
@@ -96102,7 +96102,7 @@ function handlePropertyGroupElement(project, propertyGroup) {
   const condition = createAttributeMap(propertyGroup, project.sourceText).get("Condition");
   if (condition) {
     logger.debug(
-      `Skipping conditional property group ${propertyGroup.name} (${propertyGroup.start}, ${propertyGroup.end}) with condition ${condition.text} in file ${relative5(project.rootDir, project.validatedProjectPath)}`
+      `Skipping conditional property group ${propertyGroup.name} (${propertyGroup.start}, ${propertyGroup.end}) with condition ${condition.text} in file ${relative6(project.rootDir, project.validatedProjectPath)}`
     );
     return;
   }
@@ -96112,7 +96112,7 @@ function handlePropertyGroupElement(project, propertyGroup) {
     const condition2 = createAttributeMap(propertyElement, project.sourceText).get("Condition");
     if (condition2) {
       logger.debug(
-        `Skipping conditional property ${propertyElement.name} (${propertyElement.start}, ${propertyElement.end}) with condition ${condition2.text} in file ${relative5(project.rootDir, project.validatedProjectPath)}`
+        `Skipping conditional property ${propertyElement.name} (${propertyElement.start}, ${propertyElement.end}) with condition ${condition2.text} in file ${relative6(project.rootDir, project.validatedProjectPath)}`
       );
       continue;
     }
@@ -96153,7 +96153,7 @@ function evaluate(expression, project) {
   function evaluateWithContext(value2, depth) {
     if (depth > 50) {
       logger.warn(
-        `Recursion limit hit while evaluating expression ${expression} in project ${relative5(project.rootDir, project.validatedProjectPath)}`
+        `Recursion limit hit while evaluating expression ${expression} in project ${relative6(project.rootDir, project.validatedProjectPath)}`
       );
       isFullyEvaluated = false;
       return value2;
@@ -96164,7 +96164,7 @@ function evaluate(expression, project) {
         return evaluateWithContext(property.text, depth + 1);
       } else {
         logger.debug(
-          `Unknown property ${propertyName} for project ${relative5(project.rootDir, project.validatedProjectPath)}`
+          `Unknown property ${propertyName} for project ${relative6(project.rootDir, project.validatedProjectPath)}`
         );
         isFullyEvaluated = false;
         return "";
@@ -98255,10 +98255,10 @@ function compareDocumentPosition(nodeA, nodeB) {
 function uniqueSort(nodes) {
   nodes = nodes.filter((node, i4, arr) => !arr.includes(node, i4 + 1));
   nodes.sort((a2, b) => {
-    const relative14 = compareDocumentPosition(a2, b);
-    if (relative14 & DocumentPosition.PRECEDING) {
+    const relative15 = compareDocumentPosition(a2, b);
+    if (relative15 & DocumentPosition.PRECEDING) {
       return -1;
-    } else if (relative14 & DocumentPosition.FOLLOWING) {
+    } else if (relative15 & DocumentPosition.FOLLOWING) {
       return 1;
     }
     return 0;
@@ -110559,7 +110559,7 @@ async function convertSocketArtifacts2(rootDir, artifacts, tmpDir) {
       return artifactFile;
     if (mavenInstalled && pomFile) {
       try {
-        const dependencyGetCmd = cmdt`mvn -f=${basename8(resolve10(rootDir, pomFile))} dependency:get -DgroupId=${groupId} -DartifactId=${artifactId} -Dpackaging=${type} -Dclassifier${classifier} -Dversion=${version3} -Dtransitive=false`;
+        const dependencyGetCmd = cmdt`mvn -f=${basename8(resolve10(rootDir, pomFile))} dependency:get -DgroupId=${groupId} -DartifactId=${artifactId} -Dpackaging=${type} -Dclassifier=${classifier} -Dversion=${version3} -Dtransitive=false`;
         await execNeverFail2(dependencyGetCmd, dirname11(resolve10(rootDir, pomFile)));
         const mavenArtifact = getPathToArtifact(mavenLocalRepo, groupId, artifactId, type, classifier, version3);
         if (existsSync9(mavenArtifact))
@@ -111052,11 +111052,11 @@ function computePackagesOnVulnPath(vulnerabilities, { includeLeafPackages = fals
 var import_lodash10 = __toESM(require_lodash(), 1);
 import assert4 from "assert";
 import { readFile as readFile10, realpath as realpath2, rm as rm3, writeFile as writeFile7 } from "fs/promises";
-import { relative as relative7, resolve as resolve14 } from "path";
+import { relative as relative8, resolve as resolve14 } from "path";
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/js-analysis-engine.js
 import { readFile as readFile9, rm as rm2 } from "fs/promises";
-import { relative as relative6, resolve as resolve13 } from "path";
+import { relative as relative7, resolve as resolve13 } from "path";
 var JSAnalysisEngine = class {
   /** Run import graph reachability analysis */
   async runImportReachabilityAnalysis(mainProjectRoot, projectRoot, vulnerabilities, options, telemetryHandler, analyzerTelemetryHandler) {
@@ -111094,7 +111094,7 @@ var JSAnalysisEngine = class {
 };
 function getExcludes(mainProjectRoot, projectRoot, options) {
   if (options.excludeDirs?.length) {
-    const excludeDirsRelativeToProjectRoot = options.excludeDirs.map((d) => relative6(projectRoot, resolve13(mainProjectRoot, d)));
+    const excludeDirsRelativeToProjectRoot = options.excludeDirs.map((d) => relative7(projectRoot, resolve13(mainProjectRoot, d)));
     const excludeDirsRelativeToProjectRootWithWildcards = excludeDirsRelativeToProjectRoot.map((d) => `${d}/**`);
     return ["--exclude-entries", ...excludeDirsRelativeToProjectRoot, ...excludeDirsRelativeToProjectRootWithWildcards];
   }
@@ -111241,7 +111241,7 @@ function relativizeSourceLocations(projectDir, paths) {
     ...paths,
     stacks: paths.stacks.map((stack) => stack.map((s2) => ({
       ...s2,
-      sourceLocation: { ...s2.sourceLocation, filename: relative7(projectDir, s2.sourceLocation.filename) }
+      sourceLocation: { ...s2.sourceLocation, filename: relative8(projectDir, s2.sourceLocation.filename) }
     })))
   };
 }
@@ -111260,7 +111260,7 @@ import zlib2 from "node:zlib";
 import { pipeline as pipeline2 } from "stream/promises";
 import { createReadStream as createReadStream2, createWriteStream as createWriteStream4 } from "node:fs";
 import { readFile as readFile11, realpath as realpath3, rm as rm4, writeFile as writeFile8 } from "node:fs/promises";
-import { dirname as dirname13, join as join14, relative as relative8, resolve as resolve15 } from "node:path";
+import { dirname as dirname13, join as join14, relative as relative9, resolve as resolve15 } from "node:path";
 import assert6 from "assert";
 var import_lodash11 = __toESM(require_lodash(), 1);
 
@@ -111975,7 +111975,7 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
           package: s2.package,
           sourceLocation: {
             ...pick(s2, "start", "end"),
-            filename: relative8(realProjectRoot, s2.file)
+            filename: relative9(realProjectRoot, s2.file)
           },
           confidence: 0
         }))));
@@ -113957,7 +113957,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
   let analysisNumber = 0;
   const newAnalysisRunListener = () => statusUpdater?.(`Static analysis run number ${++analysisNumber} in progress...`);
   const ecosystem = vulnerabilities[0].ecosystem ?? "NPM";
-  const expHeuristicName = process.env.ONLY_APPLICATION_SOURCE_FILES_FOR_KNOWN_LANGUAGES === "true" ? "ONLY_APPLICATION_SOURCE_FILES_FOR_KNOWN_LANGUAGES" : await getExperimentName(relative9(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, ecosystem, COANA_REPORT_ID, apiKey);
+  const expHeuristicName = process.env.ONLY_APPLICATION_SOURCE_FILES_FOR_KNOWN_LANGUAGES === "true" ? "ONLY_APPLICATION_SOURCE_FILES_FOR_KNOWN_LANGUAGES" : await getExperimentName(relative10(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, ecosystem, COANA_REPORT_ID, apiKey);
   let bucketsToAnalyze = state.otherAnalysisOptions.lightweightReachability ? void 0 : await getBucketsBasedOnPreviousResults();
   let useExperimentalHeuristic = Boolean(expHeuristicName && bucketsToAnalyze);
   if (!bucketsToAnalyze)
@@ -113992,7 +113992,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
   }
   async function analyzeWithExperimentalHeuristic(buckets) {
     try {
-      const previousAnalysisResults = await getPreviousAnalysisResults(relative9(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
+      const previousAnalysisResults = await getPreviousAnalysisResults(relative10(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
       if (!expHeuristicName || !previousAnalysisResults)
         return;
       const experimentalRes = await analyzeAndAugmentVulns(buckets, void 0, true, expHeuristicName);
@@ -114041,7 +114041,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
     } catch (e) {
       logger.warn("Error while running experimental heuristic - scan will continue in normal mode.", e);
       sendWarningToDashboard("Error while running experimental heuristic", {
-        subprojectPath: relative9(state.rootWorkingDir, state.subprojectDir) || ".",
+        subprojectPath: relative10(state.rootWorkingDir, state.subprojectDir) || ".",
         workspacePath: state.workspacePath,
         errorMessage: e.message,
         errorStack: e.stack
@@ -114052,7 +114052,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
   async function getBucketsBasedOnPreviousResults() {
     if (state.otherAnalysisOptions.skipCacheUsage || !SOCKET_MODE && (!COANA_REPORT_ID || apiKey.type === "missing"))
       return void 0;
-    const bucketsFromLastAnalysisAndCliVersion = await dashboardAPI.getBucketsForLastReport(relative9(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, vulnerabilities[0].ecosystem ?? "NPM", COANA_REPORT_ID, apiKey);
+    const bucketsFromLastAnalysisAndCliVersion = await dashboardAPI.getBucketsForLastReport(relative10(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, vulnerabilities[0].ecosystem ?? "NPM", COANA_REPORT_ID, apiKey);
     if (!bucketsFromLastAnalysisAndCliVersion)
       return void 0;
     const { cliVersion: cliVersion2, buckets: rawBucketsFromLastAnalysis } = bucketsFromLastAnalysisAndCliVersion;
@@ -114068,7 +114068,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
     const duplicateUrls = findDuplicateVulnsInBuckets(bucketsFromLastAnalysis);
     if (duplicateUrls.length > 0) {
       sendWarningToDashboard(`Assertion error: Detected bucket(s) with non-unique vulnerability URLs. Non-unique URLs: ${duplicateUrls.join(" ")}.`, {
-        subprojectPath: relative9(state.rootWorkingDir, state.subprojectDir) || ".",
+        subprojectPath: relative10(state.rootWorkingDir, state.subprojectDir) || ".",
         workspacePath: state.workspacePath
       }, bucketsFromLastAnalysisAndCliVersion, COANA_REPORT_ID, apiKey);
       return void 0;
@@ -114120,7 +114120,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       const vulnDepIdentifierToVulns = groupBy(bucket.vulnerabilities, getVulnDepIdentifier);
       const vulnDepIdentifiers = Object.keys(vulnDepIdentifierToVulns);
       const ghsaIds = extractGhsaIdsFromVulnUrls(vulnsForBucket.map((v) => v.url));
-      const analysisMetadataId = COANA_REPORT_ID ? await dashboardAPI.createAnalysisMetadata(COANA_REPORT_ID, relative9(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, ecosystem, ghsaIds, bucket.heuristic.name, experiment) : void 0;
+      const analysisMetadataId = COANA_REPORT_ID ? await dashboardAPI.createAnalysisMetadata(COANA_REPORT_ID, relative10(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, ecosystem, ghsaIds, bucket.heuristic.name, experiment) : void 0;
       try {
         newAnalysisRunListener();
         const initialBucketContainingAllVulns = buckets.length === 1 && buckets[0] === bucket;
@@ -114214,7 +114214,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       const oldMd = oldAnalysisMetadata.find((oldMd2) => newMd.vulnUrls.some((vulnUrl) => oldMd2.vulnUrls.includes(vulnUrl)));
       if (!oldMd) {
         await sendWarningToDashboard("Could not find corresponding analysis metadata to compare time regressions with", {
-          subprojectPath: relative9(state.rootWorkingDir, state.subprojectDir) || ".",
+          subprojectPath: relative10(state.rootWorkingDir, state.subprojectDir) || ".",
           workspacePath: state.workspacePath
         }, void 0, COANA_REPORT_ID, apiKey);
         continue;
@@ -114240,7 +114240,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
     }
     if (regressions.length === 0)
       return;
-    await sendRegressionsToDashboard(regressions, relative9(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
+    await sendRegressionsToDashboard(regressions, relative10(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
   }
   async function sendReachabilityRegressionsToDashboard(heuristicName, experimentName, origRes, experimentRes, ignoredVulnerabilities) {
     const regressions = Object.entries(origRes).filter(([vulnUrl]) => !ignoredVulnerabilities.has(vulnUrl)).filter(([vulnUrl, oRes]) => experimentRes[vulnUrl] && oRes.reachability !== experimentRes[vulnUrl].reachability).map(([vulnUrl, originalResult]) => ({
@@ -114252,7 +114252,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
       originalResult,
       experimentResult: experimentRes[vulnUrl]
     }));
-    await sendRegressionsToDashboard(regressions, relative9(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
+    await sendRegressionsToDashboard(regressions, relative10(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, COANA_REPORT_ID, apiKey);
   }
 }
 function getHeuristicFromName(state, heuristicName, ecosystem) {
@@ -114445,7 +114445,7 @@ async function downloadAndExtractComposerPackage(namespace2, name2, version3, ve
 // dist/whole-program-code-aware-vulnerability-scanner/php/spar-php-runner.js
 import { createReadStream as createReadStream4, createWriteStream as createWriteStream6, existsSync as existsSync17 } from "fs";
 import { readFile as readFile15, realpath as realpath4, rm as rm9, writeFile as writeFile12 } from "fs/promises";
-import { join as join20, relative as relative10 } from "path";
+import { join as join20, relative as relative11 } from "path";
 import { pipeline as pipeline4 } from "stream/promises";
 import zlib4 from "zlib";
 async function runSparPhpAnalysis(projectDir, vulns, includePackages, timeoutInSeconds, telemetryHandler, analyzerTelemetryHandler) {
@@ -114547,13 +114547,13 @@ ${stderr}`);
 }
 function normalizeFilename(file, pkg, realProjectRoot, realVendorRoot) {
   if (pkg) {
-    const relToVendor = relative10(realVendorRoot, file);
+    const relToVendor = relative11(realVendorRoot, file);
     const pkgPrefix = `${pkg}/`;
     if (!relToVendor.startsWith("..") && relToVendor.startsWith(pkgPrefix)) {
       return relToVendor.substring(pkgPrefix.length);
     }
   }
-  return relative10(realProjectRoot, file);
+  return relative11(realProjectRoot, file);
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/php/php-code-aware-vulnerability-scanner.js
@@ -114926,7 +114926,7 @@ var import_lodash22 = __toESM(require_lodash(), 1);
 var import_picomatch4 = __toESM(require_picomatch2(), 1);
 import { existsSync as existsSync20 } from "fs";
 import { rm as rm11 } from "fs/promises";
-import { relative as relative11, resolve as resolve25 } from "path";
+import { relative as relative12, resolve as resolve25 } from "path";
 
 // ../web-compat-utils/src/pluralize.ts
 function pluralize(count, word) {
@@ -114990,7 +114990,7 @@ var NpmAnalyzer = class {
       logger.info(`Running import reachability analysis for ${vulns.length} ${pluralize(vulns.length, "vulnerability")}`);
       let reachable;
       const ghsaIds = extractGhsaIdsFromVulnUrls(vulns.map((v) => v.url));
-      const importAnalysisMetadataId = COANA_REPORT_ID ? await dashboardAPI2.createAnalysisMetadata(COANA_REPORT_ID, relative11(this.state.rootWorkingDir, this.state.subprojectDir) || ".", this.state.workspacePath, "NPM", ghsaIds, heuristics.IMPORT_REACHABILITY.name) : void 0;
+      const importAnalysisMetadataId = COANA_REPORT_ID ? await dashboardAPI2.createAnalysisMetadata(COANA_REPORT_ID, relative12(this.state.rootWorkingDir, this.state.subprojectDir) || ".", this.state.workspacePath, "NPM", ghsaIds, heuristics.IMPORT_REACHABILITY.name) : void 0;
       if (COANA_REPORT_ID && !importAnalysisMetadataId) {
         logger.debug("Failed to create analysis metadata for import analysis");
       }
@@ -115210,7 +115210,7 @@ import { resolve as resolve26 } from "path";
 var import_lodash23 = __toESM(require_lodash(), 1);
 import { createWriteStream as createWriteStream7, existsSync as existsSync21 } from "fs";
 import { mkdir as mkdir11, readdir as readdir8, readFile as readFile16, rm as rm12 } from "fs/promises";
-import { join as join22, relative as relative12 } from "path";
+import { join as join22, relative as relative13 } from "path";
 import { pipeline as pipeline5 } from "stream/promises";
 var PRINT_ANALYSIS_COMMAND = false;
 var { uniqBy: uniqBy3, sortedUniq: sortedUniq2 } = import_lodash23.default;
@@ -115303,7 +115303,7 @@ var RubyCodeAwareVulnerabilityScanner = class {
           telemetryHandler
         });
         const result = JSON.parse(await readFile16(vulnsOutputFile, "utf-8"));
-        const relativeLoadPathsToPackageNames = new Map([...loadPathsToPackageNames.entries()].map(([k, v]) => [join22("vendor", relative12(this.vendorDir, k)), v]));
+        const relativeLoadPathsToPackageNames = new Map([...loadPathsToPackageNames.entries()].map(([k, v]) => [join22("vendor", relative13(this.vendorDir, k)), v]));
         const { timedOut, ...diagnostics } = JSON.parse(await readFile16(diagnosticsOutputFile, "utf-8"));
         const reachedPackages = JSON.parse(await readFile16(reachedPackagesOutputFile, "utf-8"));
         logger.debug("Reached packages: %O", reachedPackages);
@@ -115607,7 +115607,7 @@ var dashboardAPI3 = new DashboardAPI(process.env.SOCKET_MODE === "true", process
 async function installDependenciesForAnalysis(state, preinstallDir) {
   const projectDir = resolve27(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
-  logger.info(`Pre-installing dependencies for project at "${relative13(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
+  logger.info(`Pre-installing dependencies for project at "${relative14(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
   const constructor = ecosystemAnalyzer[ecosystem];
   if (!constructor)
     throw Error(`No analyzer associated with ecosystem ${ecosystem}`);
@@ -115618,14 +115618,14 @@ async function installDependenciesForAnalysis(state, preinstallDir) {
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve27(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
-  logger.info(`Preparing to run reachability analysis for project at "${relative13(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
+  logger.info(`Preparing to run reachability analysis for project at "${relative14(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
   const constructor = ecosystemAnalyzer[ecosystem];
   if (!constructor)
     throw Error(`No analyzer associated with ecosystem ${ecosystem}`);
   const analyzer = new constructor(state, projectDir);
   const [vulnerabilitiesWithPrecomputedResults, vulnerabilitiesWithoutPrecomputedResults] = partition4(state.vulnerabilities, (v) => "results" in v);
   const augmentedVulnerabilities = await runWholeProgramCodeAwareVulnerabilityScanner(analyzer, vulnerabilitiesWithoutPrecomputedResults, async (amd) => {
-    await dashboardAPI3.registerAnalysisMetadata(relative13(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);
+    await dashboardAPI3.registerAnalysisMetadata(relative14(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);
   });
   const diagnostics = await analyzer.getWorkspaceDiagnostics();
   return {