CLI Changelog

All changes to the Coana CLI are described on this page. All other Coana changes, to Coana services and applications, are described on the Coana Services page.

13.5.5 (May 10. 2024)

Fix issue in preparation for precomputing reachability results when it can be determined that vulnerabilities are not reachable, just by looking at the dependency code.

13.5.4 (May 10. 2024)

Improved logging for Scala, Kotlin and Java projects.

13.5.3 (May 10. 2024)

Preparation for pipeline blocking. Added the CLI command compare-reports <baseline-report-path> <new-report-path>, which compares the two reports and gives an error if new reachable vulnerabilities were found in new-report relative to baseline-report.

Also added option --changed-files to the run command. When provided, Coana will only run on workspaces/modules that contain changed files.

13.5.2 (May 10. 2024)

The Python version required for Python projects is now also extracted from tool.mypy.python_version in pyproject.toml.

13.5.1 (May 8. 2024)

Improved robustness of handling projects using requirements files for specifying dependencies.

13.5.0 (May 6. 2024)

Added support for Scala projects.

13.4.3 (May 6. 2024)

Adjusted the Python project-finding heuristic for projects including a requirements.txt file. Python projects are now expected to include a pyproject.toml, setup.py or setup.cfg file.

13.4.2 (May 6. 2024)

Fixes and improvements to --exclude-dirs. --exclude-dirs can now also exclude modules/workspaces in projects.

13.4.1 (May 6. 2024)

More performance improvements for preparing dependencies for Python analysis, and soundness improvements to the Python reachability analysis.

13.4.0 (May 2. 2024)

Added support for Python projects using pip-compile, traditional requirements files and/or pyproject.toml/setup.py for dependency management.

13.3.0 (May 2. 2024)

Added option --ecosystems <ecosystems...> for specifying which ecosystems to find projects for. To only run on NPM and MAVEN projects, use --ecosystems NPM MAVEN. By default, Coana selects all ecosystems.

13.2.5 (Apr 29. 2024)

More performance improvements for preparing dependencies for Python analysis, and made the logic for installing dependencies more robust.

13.2.4 (Apr 26. 2024)

Performance improvements for preparing dependencies for Python analysis, and increased the timeout for both the JS and Python reachability analyses.

13.2.3 (Apr 26. 2024)

Compute and store dependency trees with vulnerability reports. This is preliminary work for adding support for SBOM generation and licensing scanning.

13.2.2 (Apr 25. 2024)

Fixes in how we install Python packages and to the Python reachability analysis.

13.2.1 (Apr 24. 2024)

Improves how we install Python packages needed for reachability analysis.

13.2.0 (Apr 23. 2024)

Added support for pnpm version 9.

13.1.1 (Apr 23. 2024)

Fix a bug in finding Python files to analyze, and add more logging for the Python analysis.

13.1.0 (Apr 21. 2024)

Added support for reachability analysis for Python projects (currently only the Poetry package manager is supported).

13.0.0 (Apr 21. 2024)

Breaking changes

Coana now fails if the automatic dependency installation fails for npm ecosystem package managers.

12.6.1 (Apr 19. 2024)

Fix an issue where the commit SHA and branch name weren't included in the reports.

12.6.0 (Apr 17. 2024)

Added support for the Gradle package manager, such that reachability analysis now also works for Gradle projects.

12.5.5 (Apr 15. 2024)

Fix an issue where the Coana offline version would crash in some rare cases.

12.5.4 (Apr 12. 2024)

Better logging when Coana fails to parse reachability analysis results.

12.5.3 (Apr 11. 2024)

Improved logging of what subprojects and workspaces Coana is analyzing.

12.5.2 (Apr 8. 2024)

Fixed an issue where the CLI in rare instances would misbehave or crash for projects that directly depend on the npm package manager as an explicit dependency.

12.5.1 (Apr 8. 2024)

Minor improvements and fixes to reduce the chance of the CLI failing with 5xx errors.

12.5.0 (Apr 5. 2024)

Add support for traditional SCA for the Poetry package manager for Python projects. Currently only projects where Coana supports reachability analysis are included by default. To include Poetry projects in the Coana run, use the new option --include-projects-with-no-reachability-support. The reachability analysis for Python projects is expected to be available in April.

12.4.0 (Apr 5. 2024)

Added CLI command for applying fixes for vulnerabilities with support for npm and pnpm.

12.3.10 (Apr 3. 2024)

Fix an issue where some crash reports from the CLI weren't sent to the Coana team for analysis (extension of the fix from 12.3.6). Coana will now also retry computing vulnerabilities and fixes on 5xx errors.

12.3.9 (Apr 3. 2024)

Improved logging when package installation failures occur.

12.3.8 (Mar 30. 2024)

Improvements to JS/TS reachability analysis for handling vulnerabilities affecting imports or property reads. It also includes some performance improvements to the reachability analysis making it analyze some large applications 30% faster.

12.3.7 (Mar 30. 2024)

Improvements to JS/TS reachability analysis.

12.3.6 (Mar 22. 2024)

Fix an issue where some crash reports from the CLI weren't sent to the Coana team for analysis.

12.3.5 (Mar 22. 2024)

Add new options:

  • --print-analysis-log-file that stores a js-analysis.log file containing log output from the JavaScript/TypeScript reachability analysis.
  • --entry-points <entryPoints...> for defining a list of files that should be considered entry points for the root workspace for the JavaScript/TypeScript reachability analysis. By default, Coana considers all source files as entry points.

12.3.4 (Mar 21. 2024)

Fix an issue where the Java reachability analysis could not find dependencies that used the special version tags RELEASE and LATEST.

12.3.3 (Mar 20. 2024)

Add CLI option for disabling the analysis splitting technique that's used to split the reachability analysis into smaller parts on projects that are too large to analyze in a single run.

12.3.2 (Mar 19. 2024)

Fix an issue where Maven dependencies with packaging pom were added to the class path for the analysis.

12.3.1 (Mar 18. 2024)

Java analysis no longer treats dependencies as application code when dependencies are bundled in the application jar.

12.3.0 (Mar 16. 2024)

General performance and configurability improvements.

Options updates:

  • Add option -c, --concurrency <concurrency> (default: 1, the previous behavior): run <concurrency> reachability runs concurrently.
  • Add option -a, --analysis-timeout <timeoutInSeconds> (default: 60, the previous behavior): sets the timeout for each analysis run to <timeoutInSeconds>.
  • Change default value for --memory-limit <memoryInMB> from 4096 to 8192.

12.2.0 (Mar 14. 2024)

Updates the reachability analysis for JavaScript/TypeScript. Introduces various improvements to Coana's package installation commands that are run as part of the reachability analysis if dependencies are not already installed.

12.1.7 (Mar 13. 2024)

Fix an issue where the CLI would sometimes crash if a JavaScript project had engines restrictions, which the Coana CLI Docker image did not meet. Since Coana doesn't actually run the code, engine restrictions are not relevant to the CLI, so we simply ignore them.

12.1.6 (Mar 11. 2024)

General improvements and fixes to some issues in how we automatically detect Maven project configurations.

12.1.5 (Mar 8. 2024)

Fix an issue where we could not distinguish workspaces with the same workspace path in different subprojects.

12.1.4 (Mar 7. 2024)

Print the CLI version during all runs. The CLI version is useful to have for debugging purposes.

12.1.3 (Mar 6. 2024)

Fix an issue where submitting a report to Coana failed due to a bug in computing the dependency type for projects using package aliasing. This update also fixes an issue where security scanning could fail due to missing information about certain packages in the computed dependency tree.

12.1.2 (Mar 5. 2024)

Fix an issue where the CLI failed to scan npm projects using package aliases. This update also improves handling of internal modules in Maven projects.

12.1.1 (Mar 4. 2024)

Improvement to how Maven projects are handled: we now only build projects/modules if they have not been built already.

12.1.0 (Mar 1. 2024)

Introduces a new and much faster and more scalable reachability analysis for Java. This update also fixes various bugs in Coana's processing of Java projects.

12.0.1 (Feb 29. 2024)

Fix an issue where the CLI threw an error when it couldn't find a dependency file (package.json, pom.xml, etc.) in the root of the project.

12.0.0 (Feb 28. 2024)

This update includes a fairly large, mostly backward-compatible update to the Coana CLI. If your project contains subprojects (see below), you should consider whether they should be excluded using the new --exclude-dirs <folder1> <folder2>.. option.

Support projects that use multiple programming languages and package managers.

For example, Coana can now scan projects that have both a pom.xml and a package.json in the root of the same repository.

Automatically scan subprojects.

The analysis has always supported workspaces. However, the CLI now also supports a concept we call subprojects, where a subproject is a project that's not in the root of the repository. For example, imagine a repository where you have a Maven project in the root, but also a subdirectory that contains a React project with some documentation. The CLI will now automatically scan both the Maven project and the React project in the same run. If you want to exclude a folder from the analysis, you can use the --exclude-dirs <folder1> <folder2>.. option.

Automatically install dependencies prior to running the analysis if needed.

If the CLI detects that the dependencies are not installed, it will now automatically install them before running the analysis. It's still recommended that you manually install dependencies if you use any kind of specialized caching (like the pnpm GitHub action caching feature) or pass any special flags to the package manager.

11.6.11 (Feb 25. 2024)

Fix an issue where the Coana CLI would crash on npm-based projects that use globs to resolve workspace paths.

11.6.10 (Feb 24. 2024)

Include environment variable MAVEN_CLI_OPTS in all mvn commands run by the Coana CLI.

11.6.9 (Feb 22. 2024)

Fix max buffer length exceeded error that could occur on some Maven projects.

11.6.8 (Feb 13. 2024)

Fix an issue where the CLI didn't extract dependency types correctly for peer and optional dependencies in npm.

11.6.7 (Feb 12. 2024)

Collect better error reports if the Coana CLI crashes. This helps the Coana team identify and fix bugs.

11.6.6 (Feb 10. 2024)

Increase default memory limit assigned to the static analyses from 4GB to 8GB.

11.6.5 (Feb 9. 2024)

Improves compatibility with Yarn Berry workspace projects.

11.6.4 (Feb 8. 2024)

Improvements to the static analyses.

11.6.2 (Feb 5. 2024)

Fix an issue where vulnerabilities were not reported correctly for git-based dependencies in pnpm projects.

11.6.1 (Jan 31. 2024)

  • Remove some debug logging enabled by default.
  • Improved the structure of debug logging when using the --debug flag.

11.6.0 (Jan 24. 2024)

Add support for Java (Maven) security scanning.

11.5.5 (Jan 10. 2024)

  • Various minor bug fixes, mostly affecting Yarn classic (< 2.x.y).
  • Record ecosystem. Change required to support non-JS languages.

11.5.1 (Jan 4. 2024)

Fix an issue where the CLI's compute-dependency-type feature would crash in some rare edge cases where the static analysis and the package manager disagree on the dependency structure. Adds support for security scanning of Maven-based Java projects.

11.4.1 (Jan 2. 2024)

  • Fix an issue where the CLI didn't handle pre-release and build identifiers for some pnpm versions.

11.4.0 (Dec 27. 2023)

  • Record the name and version of packages affected by vulnerabilities.
  • Record the dependency type of direct dependencies on chains leading to vulnerabilities.
  • Fix an issue where Coana would crash on npm workspace projects where at least one of the workspaces used a scoped package name, e.g., @scope/pkg.

11.3.3 (Dec 18. 2023)

Better debug logging.

11.3.2 (Nov 29. 2023)

Better debug logging.

11.3.1 (Nov 28. 2023)

Fix a bug where the static analysis did not process some functions correctly.

11.3.0 (Nov 27. 2023)

  • Record dependency type (dev, prod, or dev&prod).
  • Fix an issue where not all vulnerability fixes were enabled by default.
  • Better debugging output.

11.2.0 (Nov 23. 2023)

The Coana report now includes information about dependency upgrades that can fix vulnerabilities.

11.1.1 (Nov 21. 2023)

Ensure Coana doesn't crash when it encounters an unlikely scenario where it cannot extract a file name.

11.1.0 (Nov 20. 2023)

Coana reports now include enough information to allow it to show version numbers in dependency chains.

11.0.0 (Nov 10. 2023)

Breaking changes

Includes a new and much simplified report format.

Other changes

The new format fixes a bug where the vulnChainDetails field was incorrectly shared between the same vulnerability across multiple workspaces.

10.0.1 (Nov 1. 2023)

Fix a bug where the analysis could enter an infinite loop on projects with 0 vulnerabilities.

10.0.0 (Oct 26. 2023)

Upgrade the CLI to use Node version 20, which just entered LTS.

9.1.0 (Oct 26. 2023)

Fix an issue where the offline mode would complain about a missing access paths file when running through Docker.

9.0.0 (Oct 20. 2023)

Breaking changes

This update contains considerable breaking changes to the CLI. A lot of legacy features have been removed, including the ability to generate HTML and markdown reports. It's still possible to generate JSON reports, but now -o . should be used in place of -o json -p .. The JSON report format has also changed to make it compatible with the DTO that's submitted to the dashboard.

Other changes

The CLI now includes an offline mode where it can run the entire Coana vulnerability scan without access to the internet. An offline vulnerability database must be provided using the --offline-database argument.

8.6.0 (Oct 19. 2023)

Updates the underlying static analysis.

8.5.0 (Oct 18. 2023)

Using the --write-report-to-file option in a GitHub action will now upload the dashboard-report.json as an artifact.

8.4.1 (Oct 6. 2023)

Suppress internal errors when the CLI fails to extract git SHAs and branch names.

8.4.0 (Oct 6. 2023)

The CLI now also captures git commit SHAs and branch names.

8.3.0 (Oct 2. 2023)

  • Fix an issue where the CLI execution was not calculated correctly.
  • Coana will now gather more data about the performance of the static analysis. We expect this data will help us better identify bottlenecks and improve the analysis going forward. We want to emphasize that we still don't gather source code or any other sensitive information.

8.2.0 (Sep 24. 2023)

New --write-report-to-file debug option.

8.1.0 (Sep 22. 2023)

Switch to a newer, more efficient security auditor backend.

8.0.0 (Sep 18. 2023)

Breaking changes

Removes a lot of the non-security-related features since these are no longer a priority for us. Since you are unlikely to use any of these features, you probably won't feel the breaking changes. The CLI is now also slightly more performant.

7.2.0 (Sep 15. 2023)

The static analysis engine has been updated.

7.1.0 (Sep 14. 2023)

The static analysis engine has been updated.

7.0.0

The Coana CLI now integrates with the Coana dashboard using the --api-key option.

6.2.2 (Sep 7. 2023)

Fixed an issue where the Coana APIs could not be reached.

6.2.1 (Aug 22. 2023)

Fixed an issue where an error getaddrinfo ENOTFOUND was thrown occasionally. The error is due to a DNS lookup timeout, so we now try to resend the request instead of throwing an error when it occurs.

6.2.0 (Aug 14. 2023)

Add --timeout/-t option for specifying the timeout of API calls to the Coana backend.

6.1.0 (Aug 4. 2023)

Breaking changes

  • --jsonReport has been renamed to --json-report such that the naming better matches the names given to the other report types.
  • --json-report, --markdown-report and --html-report have been deprecated in favor of -o, --output <html,json,md>. For example, replace --json-report with -o json. Use -p, --output-path if you want to write the output to some other folder than the current working directory.

Other changes

  • The backend API has been partially re-implemented. This change should alleviate the problem of long periods of downtime.
  • Various improvements to the precision and speed of the static analysis.
  • Fix an issue where the CLI did not work on Windows due to a bug in the mechanism that initiated the static analysis.

5.0.0 (June 23. 2023)

Breaking changes

This update shouldn't be breaking. Various new fields have been added to the Coana report json object, but it's still backward compatible.

Other changes

Contains a lot of minor bug fixes and improvements. Most notably, the layout of the HTML report has improved considerably.

4.0.0 (Apr 27. 2023)

Breaking changes

The JSON output type of the Coana CLI has changed. This change was made to align the JSON output type of the CLI with the output type used to generate the HTML and markdown reports. The new return type definition is found here. Note that the name has also changed, from CoanaCLIOutput to CoanaReport.

Adapting to the new output type

Assuming you are working in a non-workspace project (only a single package.json): if you were previously reading output.unusedPackages, you have to make the following change:

- output.unusedPackages;
+ output.packageSummaries['.'].unusedPackages;

If you were previously reading output.vulnerablePackages, you have to make the following change:

- output.vulnerablePackages;
+ output.vulnerablePackages['.'].vulnerablePackages.map(pkg => pkg.packageName);

If you were previously reading output.packageDetails, you have to make the following change:

- output.packageDetails[somePkgName];
+ output.packageDetails['.'][somePkgName];

For workspace projects (multiple package.json files), the change is slightly more complicated. Since Coana now groups the output by workspace name, you have to iterate over the workspace names to extract all of the data. For example:

- output.unusedPackages;
+ import { resolve } from 'path';
+ Object.keys(output.unusedPackages).flatMap(workspace => output.unusedPackages[workspace].map(pkg => resolve(workspace, pkg)));
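As an added example (not Coana's own code) of adapting a caller to the 4.0.0 report layout, the adapter below reads the workspace-grouped shape from the migration snippets above and exposes the old flat views again. The sample report is constructed, the field shapes (packageSummaries[ws].unusedPackages, vulnerablePackages[ws].vulnerablePackages[].packageName, packageDetails[ws][pkg]) are assumed from those snippets, and it joins workspace and package name with a plain string join instead of path.resolve so the result stays relative to the repository root.

```javascript
// Added example, not part of the Coana CLI. Adapter functions over the 4.0.0
// CoanaReport shape; field shapes are assumed from the migration notes.

// Constructed sample report in the 4.0.0 layout (not real Coana output):
// every top-level section is keyed by workspace path, '.' being the root workspace.
const sampleReport = {
  packageSummaries: {
    '.': { unusedPackages: ['left-pad'] },
    'packages/package-a': { unusedPackages: ['lodash', 'chalk'] },
  },
  vulnerablePackages: {
    '.': { vulnerablePackages: [{ packageName: 'minimist' }] },
    'packages/package-a': { vulnerablePackages: [] },
  },
  packageDetails: {
    '.': { minimist: { version: '1.2.0' } },
    'packages/package-a': { lodash: { version: '4.17.20' }, chalk: { version: '4.1.2' } },
  },
};

// Workspace-qualified name: the root workspace '.' keeps the bare package name,
// other workspaces get their path prefixed (string join instead of path.resolve,
// so the result does not depend on the current working directory).
function qualify(workspace, packageName) {
  return workspace === '.' ? packageName : `${workspace}/${packageName}`;
}

// Pre-4.0.0 callers read output.unusedPackages as one flat list; this flattens
// the per-workspace summaries back into one list, qualified by workspace.
function listUnusedPackages(report) {
  return Object.entries(report.packageSummaries || {}).flatMap(
    ([workspace, summary]) =>
      (summary.unusedPackages || []).map((pkg) => qualify(workspace, pkg)),
  );
}

// Pre-4.0.0 callers read output.vulnerablePackages as a list of names; the new
// shape holds objects per workspace, so map each entry back to its packageName.
function listVulnerablePackages(report) {
  return Object.entries(report.vulnerablePackages || {}).flatMap(
    ([workspace, entry]) =>
      (entry.vulnerablePackages || []).map((pkg) => qualify(workspace, pkg.packageName)),
  );
}

// packageDetails became a two-layer map (workspace -> package name -> details).
// Returns undefined instead of throwing when either layer is missing.
function getPackageDetails(report, packageName, workspace = '.') {
  const byWorkspace = (report.packageDetails || {})[workspace];
  return byWorkspace ? byWorkspace[packageName] : undefined;
}

// A non-workspace project only has the '.' key, so a caller can keep the
// simple '.'-indexed access from the first three snippets in that case.
function isSingleWorkspace(report) {
  const keys = Object.keys(report.packageSummaries || {});
  return keys.length === 1 && keys[0] === '.';
}

console.log('unused:', listUnusedPackages(sampleReport));
console.log('vulnerable:', listVulnerablePackages(sampleReport));
console.log('lodash details:', getPackageDetails(sampleReport, 'lodash', 'packages/package-a'));
```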

Other changes

  • The Coana CLI now supports config files in YAML format. You can continue to use the old JSON5 format if you prefer.
  • The security auditor algorithm has changed quite dramatically. The CLI tool should run a lot faster as a consequence.

3.1.0 (Apr 23. 2023)

The Coana CLI is now ready to be used with GitHub actions. The GitHub actions are available at https://github.com/coana-tech/coana-action (documentation will follow later).

3.0.0 (Apr 19. 2023)

Breaking changes

The --out <path> or -o <path> option has been replaced with --jsonReport <path>. The <path> passed to --out used to include the file name, e.g., --out ./report.json, but now it should instead point to the folder where a report (coana-report.json) is written. For example --jsonReport . writes coana-report.json to the current directory. This change was made to align the behavior of out/jsonReport with HTML and markdown reports.

Other changes

Use the --silent option to remove all logging and debug output. It also disables the spinner.

2.1.0 (Apr 18. 2023)

Coana can now output an HTML and a markdown report. Pass either the --html-report . or the --markdown-report . option to have Coana generate the report in the CWD.

For example:

docker run -v $PWD:/project coana/coana:latest coana --html-report . /project

2.0.0 (Apr 12. 2023)

Breaking changes

  • See the new support for workspaces above. For non-workspaces projects, no breaking changes should be observed.

  • The vulnerability scanning mechanism has been optimized slightly to perform better with the new workspaces mechanism. Previously, if you had a project ./packages/package-a that depends on the local workspace ./packages/package-b and package-b is affected by a vulnerability, Coana would also report that vulnerability in package-a. However, since package-b is now also analyzed separately from package-a, Coana refrains from also reporting its vulnerabilities together with package-a in version 2.0.0 and above. Notice that this change only affects where vulnerabilities are reported (NOT which vulnerabilities are found).

Other changes

Coana now supports workspaces (mono repositories). If you use workspaces (npm, Yarn and pnpm are all supported), the Coana CLI can now aggregate the data from each workspace in a single run. For example, if you previously had a workspaces project with the following structure:

package.json
packages/package-a/package.json
packages/package-b/package.json

You would have had to do 3 invocations of the CLI to gather data from each workspace:

docker run -v $PWD:/project coana/coana:latest coana ./
docker run -v $PWD:/project coana/coana:latest coana ./packages/package-a
docker run -v $PWD:/project coana/coana:latest coana ./packages/package-b

A single invocation will now gather data for each workspace:

docker run -v $PWD:/project coana/coana:latest coana ./

The output type is different for workspace projects, where packageDetails is now a 2-layer map from workspace path to package name to the details for that package (see the version 2.x.x and 3.x.x types for more details).

1.5.0 (Apr 3. 2023)

Don't show a package as unused if it appears to be used as a plugin in a config file. This feature is a heuristic (not always correct), and can be disabled by setting 'reportUnusedConfigPlugins' to true in coana-config.json.

1.4.0 (Apr 3. 2023)

Support for Yarn classic (Yarn below version 2) projects.

1.3.0 (Apr 1. 2023)

  • Do not report packages as unused if they are peer dependencies of used packages.
  • Use --version to print the version of the Coana CLI.

1.2.1 (Mar 24. 2023)

There is a new minAuditLevel property to be set in coana-config.json. It takes the values 'info', 'low', 'moderate', 'high', 'critical' or 'none' and defaults to 'info'. Packages that are only affected by vulnerabilities below minAuditLevel are not reported in vulnerablePackages.

1.2.0 (Mar 23. 2023)

  • The Docker image now uses Alpine Linux instead of Debian, which has reduced its size from about 1GB to around 250MB (370MB to 60MB in the compressed format).
  • The vulnerability scanner now contains suggested fixes computed by the Coana backend. To actually apply the fixes, you can use the Coana VSCode Extension.
  • The 'check for unused packages' feature now matches bins provided by a package with the scripts in the package.json (before it would only match on package names). This change means that if you depend on TypeScript, and use the TypeScript bin 'tsc' in one of your scripts, then TypeScript will not be flagged as unused.

1.1.1 (Feb 27. 2023)

Don't report a package as unused if:

  • It's a developer dependency
  • It's used in the script section of the package.json
  • It's a @types package