@socketsecurity/cli-with-sentry 1.0.101 → 1.0.102

package/external/@coana-tech/cli/reachability-analyzers-cli.mjs

@@ -73587,22 +73587,22 @@ import { join as join3 } from "path";
 // ../utils/src/command-utils.ts
 import assert from "assert";
 import { execFile } from "child_process";
-async function execAndLogOnFailure(cmd, dir, options) {
+async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
-  if (result.error) logCommandOutput(result, cmd, dir);
+  if (result.error) logCommandOutput(result, cmd, dir, logLevel);
   return !result.error;
 }
-function logCommandOutput(cmdResult, cmd, dir) {
+function logCommandOutput(cmdResult, cmd, dir, logLevel = "info") {
   const { error, stdout, stderr } = cmdResult;
-  logger.info(error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
-  logger.info(`Directory: ${dir}`);
+  logger[logLevel](error ? `Error running command: ${cmd}` : `Result of running command: ${cmd}`);
+  logger[logLevel](`Directory: ${dir}`);
   if (error) {
     const em = error.message;
-    logger.info(`Error: ${em?.endsWith?.(`
+    logger[logLevel](`Error: ${em?.endsWith?.(`
 ${stderr}`) ? em.slice(0, -stderr.length - 1) : em}`);
   }
-  logger.info(`stdout: ${stdout}`);
-  logger.info(`stderr: ${stderr}`);
+  logger[logLevel](`stdout: ${stdout}`);
+  logger[logLevel](`stderr: ${stderr}`);
 }
 async function execNeverFail(cmd, dir, options) {
   return new Promise((resolve16) => {
@@ -73747,17 +73747,18 @@ function excludeFiles(excludedDirsRoot, filesRoot, files, excludeDirs) {
     )
   ).map((f2) => relative(filesRoot, f2));
 }
-function findParent(dir, predicate, wholePath) {
-  let curr = dir;
-  let last2 = dir;
+function* parents(dir) {
+  let [curr, last2] = [dir, dir];
   do {
-    const name2 = wholePath ? curr : basename(curr);
-    if (predicate(name2)) return curr;
-    last2 = curr;
-    curr = resolve(curr, "..");
+    yield curr;
+    [last2, curr] = [curr, resolve(curr, "..")];
   } while (curr !== last2);
   return void 0;
 }
+function findParent(dir, predicate, wholePath) {
+  for (const parent2 of parents(dir))
+    if (predicate(wholePath ? parent2 : basename(parent2))) return parent2;
+}
 async function getFiles(dir, excludeDirs) {
   async function helper(currDir, arrayOfFiles) {
     for (const item of await readdir(currDir, { withFileTypes: true })) {
@@ -74201,6 +74202,7 @@ import { join as join4, resolve as resolve2 } from "path";
 import util3 from "util";
 var { once } = import_lodash4.default;
 var systemPython = once(() => execFileSync("which", ["python"], { encoding: "utf8" }).trim());
+var hasPyenv = once(async () => !(await execNeverFail("which pyenv")).error);
 async function getPythonVersion(executable) {
   return runCommandResolveStdOut([executable, "-SIc", `import sys; print(*sys.version_info[:3], sep='.')`]);
 }
@@ -74231,11 +74233,9 @@ var PythonVersionsManager = class _PythonVersionsManager {
   // Extracts the python version specifier from the workspace and returns it as an array of semver parts.
   async getPythonSpecifier(workspacePath, checkPyProject = true) {
     const absPath = resolve2(this.projectDir, workspacePath);
-    const pyenvOrigin = await runCommandResolveStdOut("pyenv version-origin", absPath);
-    const pyenvRoot = process.env.PYENV_ROOT ?? await runCommandResolveStdOut("pyenv root");
-    if (pyenvOrigin !== join4(pyenvRoot, "version"))
+    for (const parent2 of parents(absPath))
       try {
-        return [(await readFile3(pyenvOrigin, "utf-8")).split("\n")[0].trim()];
+        return [(await readFile3(join4(parent2, ".python-version"), "utf-8")).split("\n")[0].trim()];
       } catch (e) {
         if (e.code !== "ENOENT") logger.warn("Failed to read python version file with error", e);
       }
@@ -74283,7 +74283,12 @@ var PythonVersionsManager = class _PythonVersionsManager {
     if (semVerSpec) {
       const systemVer = await getPythonVersion(systemPython());
       if (versionMatchesSemverParts(systemVer, semVerSpec)) return systemPython();
-    }
+      if (!await hasPyenv())
+        throw Error(
+          `System Python (${systemVer}) does not satisfy the specifier '${semVerSpec.join(", ")}'. A matching interpreter can automatically be installed if 'pyenv' is available.`
+        );
+    } else if (!await hasPyenv() || _PythonVersionsManager.getGlobalPythonVersion() === "system")
+      return systemPython();
     return resolve2(await _PythonVersionsManager.getPythonPrefixMatchingSpecifier(semVerSpec), "bin", "python");
   }
   // Throws an error if the python version is not installed.
@@ -77166,7 +77171,7 @@ __export(traversing_exports, {
   nextUntil: () => nextUntil,
   not: () => not,
   parent: () => parent,
-  parents: () => parents,
+  parents: () => parents2,
   parentsUntil: () => parentsUntil,
   prev: () => prev,
   prevAll: () => prevAll,
@@ -78428,7 +78433,7 @@ function _removeDuplicates(elems) {
   return Array.from(new Set(elems));
 }
 var parent = _singleMatcher(({ parent: parent2 }) => parent2 && !isDocument(parent2) ? parent2 : null, _removeDuplicates);
-var parents = _matcher((elem) => {
+var parents2 = _matcher((elem) => {
   const matched = [];
   while (elem.parent && !isDocument(elem.parent)) {
     matched.push(elem.parent);
@@ -96448,9 +96453,9 @@ var PythonCodeAwareVulnerabilityScanner = class {
     const packagesToExclude = heuristic.getPackagesToExcludeFromAnalysis?.(vulns);
     const packagesToInstall = uniqBy(preInstalledDepInfos.filter((n) => !packagesToExclude?.has(n.packageName)), "packageName");
     if (!await this.tryUsingPreinstalledVirtualEnv(packagesToInstall)) {
-      logger.info("Setting up virtual environment");
+      logger.info(`Setting up virtual environment`);
       await this.prepareVirtualEnv(packagesToInstall);
-      logger.debug("Done setting up virtual environment");
+      logger.info("Done setting up virtual environment");
     }
   }
   async runAnalysis(vulns, heuristic, analyzesAllVulns) {
@@ -96512,7 +96517,7 @@ runpy.run_module("mambalade", alter_sys=True)
       "--",
       ...filesToAnalyze
     ];
-    logger.info(`Running mambalade on ${filesToAnalyze.length} files for vulnerabilities:
+    logger.debug(`Running mambalade on ${filesToAnalyze.length} files for vulnerabilities:
 ${vulnAccPaths.join("\n")}`);
     logger.debug(`Running python executable: ${pythonExecutable}`);
     logger.debug(`With args: ${mambaladeArgs.slice(1).join(" ")}`);
@@ -96521,7 +96526,7 @@ ${vulnAccPaths.join("\n")}`);
       logger.debug("Done running mambalade");
       const errors = stderr.split("\n").filter((line) => line.startsWith("ERROR:") && !/^ERROR: Excluded distribution/.test(line));
       if (errors.length > 0)
-        logger.info(`Error messages from mambalade:
+        logger.debug(`Error messages from mambalade:
 ${errors.join("\n")}`);
       const result = JSON.parse(await readFile10(vulnsOutputFile, "utf-8"));
       logger.debug("Analysis result:", JSON.stringify(result, null, 2));
@@ -96546,8 +96551,8 @@ ${errors.join("\n")}`);
         packageInstallationStats: this.virtualEnvInfo.packageInstallationStats
         // Including stats in all analysis diagnostics since we might discard the first one that actually installs it due to analysis timeout.
       };
-      logger.info("Analysis diagnostics:");
-      logger.info(JSON.stringify(omit(diagnostics, this.numberAnalysesRun === 0 ? [] : ["packageInstallationStats"]), null, 2));
+      logger.debug("Analysis diagnostics:");
+      logger.debug(JSON.stringify(omit(diagnostics, this.numberAnalysesRun === 0 ? [] : ["packageInstallationStats"]), null, 2));
       return {
         type: "success",
         diagnostics,
@@ -96592,21 +96597,25 @@ ${msg}`;
         rootWorkingDir: projectTmpDir,
         reachabilityAnalysisOptions: options
       }, projectTmpDir);
-      await scanner.prepareVirtualEnv([]);
-      const sitePackagesDir = scanner.virtualEnvInfo.virtualEnvPathToSitePackages;
-      for (const dep of dependencies) {
-        const dependencyDir = join20(sitePackagesDir, basename9(dep));
-        logger.info(`Copying ${dep} to ${dependencyDir}`);
-        await cp5(dep, dependencyDir, { recursive: true });
-        fileMappings.set(dependencyDir, dep);
-      }
-      const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, false);
-      if (result.type === "error")
-        return { error: result.message, terminatedEarly: true };
-      return {
-        detectedOccurrences: transformSourceLocations2(app, fileMappings, result.computeDetectedOccurrences({ ...vuln, url: "" })),
-        terminatedEarly: result.terminatedEarly
-      };
+      try {
+        await scanner.prepareVirtualEnv([]);
+        const sitePackagesDir = scanner.virtualEnvInfo.virtualEnvPathToSitePackages;
+        for (const dep of dependencies) {
+          const dependencyDir = join20(sitePackagesDir, basename9(dep));
+          logger.info(`Copying ${dep} to ${dependencyDir}`);
+          await cp5(dep, dependencyDir, { recursive: true });
+          fileMappings.set(dependencyDir, dep);
+        }
+        const result = await scanner.runAnalysis([vuln], MambaladeHeuristics.ALL_PACKAGES, false);
+        if (result.type === "error")
+          return { error: result.message, terminatedEarly: true };
+        return {
+          detectedOccurrences: transformSourceLocations2(app, fileMappings, result.computeDetectedOccurrences({ ...vuln, url: "" })),
+          terminatedEarly: result.terminatedEarly
+        };
+      } finally {
+        await scanner.cleanup();
+      }
     });
   }
   static async runOnDependencyChain(chain, vuln, options) {
@@ -96628,7 +96637,7 @@ ${msg}`;
             const candidate = findBestWheel(packageName, version3, meta);
             if (candidate) {
               const filename = candidate.url.split("/").at(-1);
-              if (await downloadFile(candidate.url, join20(tmpDir, filename)) && await execAndLogOnFailure(["unzip", filename], tmpDir))
+              if (await downloadFile(candidate.url, join20(tmpDir, filename)) && await execAndLogOnFailure(["unzip", filename], tmpDir, void 0, "debug"))
                 return;
             }
             await exec(cmdt`uv pip install --python-platform ${uvPythonPlatform} --target ${tmpDir} --no-deps ${packageName}==${version3}`);
@@ -96677,6 +96686,8 @@ ${msg}`;
   }
   // public for testing only
   async prepareVirtualEnv(packages) {
+    if (!await hasUv())
+      throw new Error("uv (https://docs.astral.sh/uv/) is missing, but is required for Python analysis");
     const tmpDir = await createTmpDirectory("coana-python-analysis-venv");
     const virtualEnvFolder = join20(tmpDir, ".venv");
     const pythonExecutable = await this.vm.getPythonExecutableForWorkspace(this.projectDir, false);
@@ -96709,12 +96720,12 @@ ${msg}`;
           return true;
         const filename = candidate.url.split("/").at(-1);
         if (await downloadFile(candidate.url, join20(tmpDir, filename)) && await execAndLogOnFailure(cmdt`${uvTool(pythonExecutable)} --from installer==0.7.0 python -m installer
-                --no-compile-bytecode --prefix .venv ${filename}`, tmpDir)) {
+                --no-compile-bytecode --prefix .venv ${filename}`, tmpDir, void 0, "debug")) {
           installStats.installedUsingSpecializedInstallCommand.push(packageName);
           return false;
         }
       } catch (e) {
-        logger.info(`Failed to construct specialized install command for ${packageName}==${version3}`, e);
+        logger.debug(`Failed to construct specialized install command for ${packageName}==${version3}`, e);
       }
       return true;
     }, 4);
@@ -96723,13 +96734,7 @@ ${msg}`;
       const installPipDeps = once3(async () => exec([...uvInstallBase, "pip", "wheel"]));
       for (const { packageName, version: version3, requirement } of failingPackages) {
         const requirementToInstall = requirement ?? `${packageName}==${version3}`;
-        let success = await execAndLogOnFailure([
-          ...uvInstallBase,
-          "--no-deps",
-          "--no-binary",
-          packageName,
-          requirementToInstall
-        ]);
+        let success = await execAndLogOnFailure([...uvInstallBase, "--no-deps", "--no-binary", packageName, requirementToInstall], void 0, void 0, "debug");
         if (!success) {
           await installPipDeps();
           success = await execAndLogOnFailure(
@@ -96738,7 +96743,9 @@ ${msg}`;
             cmdt`.venv/bin/python -m pip
               --no-input --require-virtualenv --disable-pip-version-check --no-cache-dir --isolated install
               --no-deps --ignore-requires-python --no-compile --no-binary ${packageName} ${requirementToInstall}`,
-            tmpDir
+            tmpDir,
+            void 0,
+            "debug"
           );
         }
         (success ? installStats.installedWithoutOnlyBinary : installStats.failedToInstall).push(packageName);
@@ -96829,7 +96836,7 @@ async function getPythonInterpreter() {
 }
 async function setupMambalade() {
   const venvDir = await createTmpDirectory("mambalade-venv");
-  logger.info("Creating Mambalade virtual environment");
+  logger.debug("Creating Mambalade virtual environment");
   const pythonInterpreter = await getPythonInterpreter();
   await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
   const mambaladeWheelsPath = join20(COANA_REPOS_PATH(), "mambalade", "dist");
@@ -96837,11 +96844,12 @@ async function setupMambalade() {
   const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join20(mambaladeWheelsPath, f2));
   if (!mambaladeWheels.length)
     throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
-  logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
+  logger.debug(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
   await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
-  logger.info("Mambalade virtual environment setup complete");
+  logger.debug("Mambalade virtual environment setup complete");
   return venvDir;
 }
+var hasUv = once3(async () => !(await execNeverFail("which uv")).error);
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/phantom-deps.js
 var { uniq: uniq8 } = import_lodash15.default;
@@ -96937,8 +96945,7 @@ var PipAnalyzer = class {
     this.heuristic = MambaladeHeuristics.createOnlyVulnPathPackagesHeuristic(this.preInstalledDepInfos);
   }
   prepareScanner = once4(async () => {
-    const { vulnerabilities } = this.state;
-    await this.scanner.prepareDependencies(this.preInstalledDepInfos, vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic);
+    await this.scanner.prepareDependencies(this.preInstalledDepInfos, this.state.vulnerabilities.filter((v) => Array.isArray(v.vulnerabilityAccessPaths)), this.heuristic);
     return this.scanner;
   });
   async runPhantomDependencyAnalysis() {
@@ -96970,14 +96977,13 @@ function getPreInstalledDepInfos(workspaceData) {
     }));
   } else {
     workspaceData.type;
-    const artifactsWithVersion = workspaceData.data.artifacts.filter((a2) => {
+    return workspaceData.data.artifacts.filter((a2) => {
       if (!a2.version) {
         logger.warn(`Artifact ${a2.name} has no version information`);
         return false;
       }
       return true;
-    });
-    return artifactsWithVersion.map((a2) => ({ packageName: a2.name, version: a2.version }));
+    }).map(({ name: name2, version: version3 }) => ({ packageName: name2, version: version3 }));
   }
 }
 
@@ -97168,6 +97174,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
           const enqueueWithoutSplitting = !allowSplitInBuckets && initialBucketContainingAllVulns && !state.reachabilityAnalysisOptions.timeoutInSeconds;
           await sendErrorAnalysisMetadata(result.message, !allowSplitInBuckets && isLastHeuristic(bucket.heuristic.name) && !enqueueWithoutSplitting, !allowSplitInBuckets);
           if (enqueueWithoutSplitting) {
+            logger.info("Analysis failed, retrying different configuration.");
             enqueueBucket(vulnDepIdentifiers);
             return;
           }
@@ -97177,6 +97184,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
           }
         }
         if (allowSplitInBuckets) {
+          logger.info("Analysis failed, rerunning analysis multiple times with fewer vulnerabilities per run.");
           const middle = Math.floor(vulnDepIdentifiers.length / 2);
           enqueueBucket(vulnDepIdentifiers.slice(0, middle));
           enqueueBucket(vulnDepIdentifiers.slice(middle));
@@ -97279,9 +97287,6 @@ function getHeuristicFromName(state, heuristicName, ecosystem) {
   if (ecosystem === "NPM") {
     return heuristics[heuristicName];
   } else if (ecosystem === "PIP") {
-    if (state.workspaceData.type !== "coana") {
-      throw new Error("MambaladeHeuristics only supports Coana data for analysis");
-    }
     if (heuristicName in MambaladeHeuristics)
       return MambaladeHeuristics[heuristicName];
     else if (heuristicName === "ONLY_VULN_PATH_PACKAGES") {
@@ -97517,16 +97522,16 @@ function canDismissVulnerability(phantomDependencies, vulnChainDetails) {
   const recHelper = (nodeIdentifier, depth) => {
     if (depth === 0)
       return void 0;
-    const parents2 = parentsMap.get(nodeIdentifier).filter((parent2) => parent2 !== ROOT_NODE_STR);
+    const parents3 = parentsMap.get(nodeIdentifier).filter((parent2) => parent2 !== ROOT_NODE_STR);
     const thisReachabilityPrecomp = nodeIdentifier === vulnNodeIdentifier ? "Reachable" : vulnChainDetails.transitiveDependencies[nodeIdentifier].reachabilityPrecomp;
     if (!thisReachabilityPrecomp)
       return void 0;
     const thisMayReachVulnerableNode = ["Reachable", "Unknown"].includes(thisReachabilityPrecomp);
-    if (parents2.length === 0 && thisMayReachVulnerableNode) {
+    if (parents3.length === 0 && thisMayReachVulnerableNode) {
       canDismiss = false;
     }
-    if (parents2) {
-      const parentsReachabilityPrecomp = parents2.map((p) => recHelper(p, depth - 1));
+    if (parents3) {
+      const parentsReachabilityPrecomp = parents3.map((p) => recHelper(p, depth - 1));
       if (parentsReachabilityPrecomp.some((reachabilityPrecomp) => !reachabilityPrecomp) && thisMayReachVulnerableNode) {
         canDismiss = false;
       }
@@ -97555,6 +97560,7 @@ var dashboardAPI2 = new DashboardAPI(process.env.SOCKET_MODE === "true", process
 async function runReachabilityAnalysis(state) {
   const projectDir = resolve15(state.subprojectDir, state.workspacePath);
   const ecosystem = state.workspaceData.data.type;
+  logger.info(`Preparing for running reachability analysis for project at "${relative6(state.rootWorkingDir, projectDir) || "."}" (${ecosystem})`);
   const constructor = ecosystemAnalyzer[ecosystem];
   if (!constructor)
     throw Error(`No analyzer associated with ecosystem ${ecosystem}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli-with-sentry",
-  "version": "1.0.101",
+  "version": "1.0.102",
   "description": "CLI for Socket.dev, includes Sentry error handling, otherwise identical to the regular `socket` package",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT",
@@ -86,7 +86,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.3",
     "@biomejs/biome": "2.2.2",
-    "@coana-tech/cli": "14.12.3",
+    "@coana-tech/cli": "14.12.5",
     "@cyclonedx/cdxgen": "11.6.0",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",