CLI Changelog

All changes to the Coana CLI are described on this page. All other changes to Coana services and applications are described on the Coana Services page.

13.18.1 (Nov 20. 2024)

Fixed a bug in the Python reachability analysis that disabled modeling of @dataclass initializers.

13.18.0 (Nov 19. 2024)

Added option --lightweight-reachability for running Coana in a faster mode. The option is currently only supported by the JavaScript/TypeScript reachability analysis. Note that some vulnerabilities only reachable through complex dataflow or in indirect dependencies may not be caught when this option is enabled.

13.17.20 (Nov 18. 2024)

Various soundness & precision improvements to the Python reachability analysis. The analysis can now analyze initializers for old-style @attr.s-decorated classes (used in many core libraries, such as aiohttp) through AST-based transformations into native dataclasses.

13.17.19 (Nov 13. 2024)

Add support for multiple .sln files in the same directory for .NET projects. Note, multiple .csproj files in the same directory are not supported.

13.17.18 (Nov 11. 2024)

Do not look for projects in .teamcity folders.

13.17.17 (Nov 11. 2024)

The Python reachability analysis now models the initializer of @dataclass-annotated classes. Data-flow for the sorted built-in, dict.fromkeys and list.{sort,insert} is also modeled.

13.17.16 (Nov 11. 2024)

Fix an issue where timeout metadata was attempted to be read on an undefined object when JVM and .NET analysis fails.

13.17.15 (Nov 7. 2024)

Made dependency resolution lenient when building dependency trees for SBT projects.

13.17.14 (Nov 7. 2024)

Fix an edge-case soundness issue for JVM and .NET projects. The issue could occur when one workspace accesses vulnerable APIs via another workspace and the workspaces disagree on the version of the vulnerable package.

13.17.13 (Nov 7. 2024)

Fix an issue where the plugin used for computing dependency trees for Maven projects was not properly installed when specifying a custom local repository.

13.17.12 (Nov 6. 2024)

Fix an issue where the wrong file path was used when creating stub projects for .NET projects using packages.config.

13.17.11 (Nov 5. 2024)

Fix issue where not all necessary python dependencies were installed when reusing analysis configuration from a previous run.

13.17.10 (Nov 4. 2024)

Do not send analysis metadata and warnings to Coana when using the option --disable-report-submission.

13.17.9 (Nov 1. 2024)

The Python reachability analysis now models data-flow for attribute accesses on namedtuple instances when the field names of the namedtuple type can be determined statically. Some small performance improvements are also included.

13.17.8 (Nov 1. 2024)

Mark project dependencies as local-workspace when computing dependency trees for .NET and JVM projects.

13.17.7 (Nov 1. 2024)

Improved detection of workspaces for .NET projects.

13.17.6 (Oct 31. 2024)

Support for building dependency trees for legacy .NET framework projects using packages.config.

13.17.5 (Oct 30. 2024)

Add support for applying fixes for .NET projects. Fixes are applied using packages.lock.json lock files, and project files are updated to allow for fixed versions if necessary.

13.17.4 (Oct 30. 2024)

Make our dependency trees more robust in cases where an actual package version cannot be found.

13.17.3 (Oct 29. 2024)

Soundness improvements to the reachability analysis for Python. Data-flow for async generators, async for loops (and comprehensions) and the contextlib.contextmanager decorator is now modeled.

13.17.2 (Oct 24. 2024)

Log output of running dotnet restore for .NET projects.

13.17.1 (Oct 23. 2024)

Change jvm package managers to only use JAVA_HOME fallback mechanism after first error. Clean up logs for maven and gradle package managers by changing to run in batch mode.

13.17.0 (Oct 22. 2024)

Added reachability analysis support for .NET projects.

13.16.28 (Oct 19. 2024)

Fix issue where requiring multiple versions of the same python package in different requirements files crashed the CLI. Now we can compute dependency trees with multiple versions for each python package. The reachability analysis just picks one of the versions to analyze.

13.16.27 (Oct 18. 2024)

Fix issue with pipenv package manager where it crashed if multiple versions for the same package were included in the lock file.

13.16.26 (Oct 17. 2024)

Do not crash CLI when we fail to find the package name of a Python project

13.16.25 (Oct 16. 2024)

Minor fixes/improvements to 13.16.24.

13.16.24 (Oct 15. 2024)

Added extra attempt to retry reachability analysis in different configuration if reachability analysis fails for a project with one vulnerability.

13.16.23 (Oct 15. 2024)

Share what CLI options are used when running Coana and information about the project structure to aid debugging.

13.16.22 (Oct 14. 2024)

Add support for running experimental modes of our analyzers to help evaluate new configurations without introducing regressions.

13.16.21 (Oct 14. 2024)

For yarn projects we now ignore the packageManager field in package.json if it specifies a different version of yarn than what is used to create the lock file.

13.16.20 (Oct 14. 2024)

Better error logging when requests to the Coana backend fail.

13.16.19 (Oct 14. 2024)

Make detected vulnerability occurrences unique when analyzing Java, Kotlin, and Scala projects.

13.16.18 (Oct 10. 2024)

Leverage previous analysis runs in some cases even though new vulnerabilities are found.

13.16.17 (Oct 9. 2024)

Soundness improvements to the reachability analysis for Python. Data-flow for sets, dict.update, the dict(...) constructor and the builtin map function is now modeled. Reads and writes with constant string keys to the globals() dictionary are now modeled (some libraries, such as gevent, contain such writes to work around cython limitations).

13.16.16 (Oct 9. 2024)

Fix issue where Coana did not use fallback configuration when an analysis run failed due to out-of-memory. Also some minor fixes to the content of some warnings.

13.16.15 (Oct 8. 2024)

Fix an issue where Coana could produce analysis errors without trying to fix them with a fallback configuration.

13.16.14 (Oct 8. 2024)

Add support for specifying a provider project when analyzing projects with provided dependencies. The system path to a provider project can be set using option --provider-project and paths to specific workspaces can be set using option --provider-workspaces. Provider projects are supported when analyzing Maven, Gradle, and SBT projects.

13.16.13 (Oct 7. 2024)

Send warnings to the Coana team when Coana fails to leverage analysis results from prior runs.

13.16.12 (Oct 7. 2024)

Send message to the Coana team in case of some unexpected behaviors when running Coana.

13.16.11 (Oct 7. 2024)

Move source set filtering to execution phase in gradle script.

13.16.10 (Oct 4. 2024)

Fix a bug that could lead to the same analysis run being performed multiple times.

13.16.9 (Oct 3. 2024)

Internal restructure of applying fixes, improving performance and preparing for major release.

13.16.8 (Oct 3. 2024)

Fix an issue where logging to console from a child process would conflict with the spinner in the main process.

13.16.7 (Oct 3. 2024)

Add openssh-client to docker images. SSH hosts and credentials should be set up prior to running Coana and can be mounted into the docker using -v ~/.ssh:/root/.ssh assuming that the .ssh folder is located under ~.

13.16.6 (Oct 2. 2024)

Fix issues related to leveraging analysis results from previous runs (13.16.0). The first Coana run after this update will not leverage the previous results but subsequent runs will.

13.16.5 (Oct 1. 2024)

When Coana's reachability analysis encounters a Python project with an existing virtual environment, it now checks whether the expected dependencies are already installed. If not, the dependencies will be installed in a new environment before running the analysis. Previously the virtual environment was used as-is, which could lead to incorrect analysis results.

13.16.4 (Oct 1. 2024)

Add support for the pipenv Python package manager.

13.16.3 (Oct 1. 2024)

Fix a regression in 13.16.0 where the timeout for some analysis runs changed.

13.16.2 (Oct 1. 2024)

Fix an issue with logger and spinner when running multiple package managers or reachability analyzers in parallel.

13.16.1 (Oct 1. 2024)

Change default docker image PWD from /coana to /please-point-coana-to-the-forwardslash-project-path. This ensures users see a more helpful error message if they forget to point Coana to the /project directory inside the docker container.

13.16.0 (Sep 30. 2024)

Generally improve performance of reachability analyzers by leveraging analysis results from last successful run to tune the analysis configuration.

13.15.12 (Sep 28. 2024)

Share statistics on how Coana spends time during execution to aid improving overall performance.

13.15.11 (Sep 27. 2024)

Performance improvement for computing dependency trees for JavaScript/TypeScript projects.

13.15.10 (Sep 26. 2024)

Fix issue where Go analysis failed for projects using the vips package.

13.15.9 (Sep 26. 2024)

The heuristic for assigning module names to Python source files for the reachability analysis has been updated. Previously we would assign a module name based on the relative path of the file from its deepest ancestor directory not containing an __init__.py file. This gave incorrect results for files in implicit namespace packages (PEP 420), i.e. directories not containing an __init__.py file, which are easy to accidentally introduce. The new heuristic looks for the shallowest ancestor directory containing an __init__.py file and assigns a name relative to that directory's parent.

This should fix issues with failed relative imports in implicit namespace packages, module name clashes, and other import-related issues between application modules.
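The two module-naming heuristics from 13.15.9, side by side, as an added Python sketch (not Coana's own code). The sample tree, the function names, the project-root bound on the ancestor search and the fallback for files with no package ancestor are assumptions made for the illustration.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample layout (not from the changelog). "plugins" and "vendor"
# contain no __init__.py, so they are implicit namespace packages (PEP 420).
SAMPLE_FILES = [
    "src/app/__init__.py",
    "src/app/core.py",
    "src/app/plugins/loader.py",
    "src/app/plugins/auth/__init__.py",
    "src/app/plugins/auth/tokens.py",
    "src/app/vendor/auth/__init__.py",
    "src/app/vendor/auth/tokens.py",
]


def build_tree(root: Path) -> None:
    """Create the constructed sample layout under root."""
    for rel in SAMPLE_FILES:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


def _ancestors(file: Path, root: Path) -> list:
    """Ancestor directories of file, deepest first, up to and including root."""
    file.relative_to(root)  # raises ValueError if file is outside root
    dirs, current = [], file.parent
    while True:
        dirs.append(current)
        if current == root:
            return dirs
        current = current.parent


def _dotted(file: Path, base: Path) -> str:
    """Dotted module name of file relative to base ('pkg/__init__.py' -> 'pkg')."""
    parts = list(file.relative_to(base).with_suffix("").parts)
    if parts[-1] == "__init__":
        parts.pop()
    return ".".join(parts)


def old_module_name(file: Path, root: Path) -> str:
    """Old heuristic: name relative to the deepest ancestor without __init__.py."""
    for directory in _ancestors(file, root):
        if not (directory / "__init__.py").is_file():
            return _dotted(file, directory)
    return _dotted(file, root)  # assumption: every ancestor is a package


def new_module_name(file: Path, root: Path) -> str:
    """New heuristic: name relative to the parent of the shallowest ancestor
    that contains __init__.py."""
    for directory in reversed(_ancestors(file, root)):  # shallowest first
        if (directory / "__init__.py").is_file():
            return _dotted(file, directory.parent)
    return file.stem  # assumption: no package ancestor, treat as top-level module


def name_all(root: Path) -> dict:
    """Map each sample file to its (old, new) module name."""
    return {
        rel: (old_module_name(root / rel, root), new_module_name(root / rel, root))
        for rel in SAMPLE_FILES
    }


def clashes(names) -> set:
    """Module names that were assigned to more than one file."""
    return {name for name, count in Counter(names).items() if count > 1}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_tree(root)
        result = name_all(root)
        for rel, (old, new) in result.items():
            print(f"{rel:36} old={old:12} new={new}")
        print("old clashes:", sorted(clashes(o for o, _ in result.values())))
        print("new clashes:", sorted(clashes(n for _, n in result.values())))
```

Under the old heuristic the two `auth` packages collapse onto the same names because the namespace directory cuts the path short; the new heuristic keeps the full `app.`-prefixed path.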

13.15.8 (Sep 26. 2024)

Fix issue where Coana crashed when using option --print-analysis-log-file.

13.15.7 (Sep 26. 2024)

Fix an issue where analysis statistics were not properly sent to Coana.

13.15.6 (Sep 25. 2024)

Add logging for spawned commands that fail before logging is initialized.

13.15.5 (Sep 25. 2024)

Fix issue where computing dependency trees failed for rush projects that use pnpm and have the pnpm-config option useWorkspaces set to false. Finding workspaces for rush projects is now more robust, and we also log more information in case of errors.

13.15.4 (Sep 24. 2024)

Fix an issue when attempting to write undefined package specifier to file.

13.15.3 (Sep 24. 2024)

Clean up log files produced when running in non-debug mode by using a new custom level file. Fix a potential issue where logs were not properly flushed before spawning child processes.

13.15.2 (Sep 24. 2024)

Fix to getting workspaces for rush projects.

13.15.1 (Sep 23. 2024)

Fix an issue wherein the log file was not properly updated if exceptions were thrown. Change log file logging level to debug. Flag --debug now only controls whether debug messages are printed to console. Fix an issue related to the spinner stopping too quickly. Add spinner information to debug logger.

13.15.0 (Sep 23. 2024)

Added support for rush projects that use pnpm.

13.14.11 (Sep 21. 2024)

Do not crash CLI when finding project specifier fails.

13.14.10 (Sep 20. 2024)

Include more statistics about time spent by the Python reachability analyzer.

13.14.9 (Sep 20. 2024)

Send analysis statistics in more cases where errors can occur.

13.14.8 (Sep 20. 2024)

Include more statistics about time spent by the Go reachability analyzer.

13.14.7 (Sep 19. 2024)

Include more statistics about time spent by the JVM reachability analyzer. Improved memory handling during computation of workspaces for gradle projects.

13.14.6 (Sep 19. 2024)

Performance improvement for JavaScript/TypeScript reachability analysis: Disable leveraging typescript for marking vulnerabilities as unreachable based on argument types to vulnerable APIs. It rarely provides more precision but is expensive to do.

13.14.5 (Sep 19. 2024)

Generate unique temporary files while running package manager commands.

13.14.4 (Sep 19. 2024)

Include more statistics about time spent by the JavaScript/TypeScript reachability analyzer and share them while running Coana instead of including it in the report that is sent when Coana finishes.

13.14.3 (Sep 18. 2024)

Fix bug in computing dependency tree for NPM that could result in packages missing in the dependency tree.

13.14.2 (Sep 18. 2024)

Fix an issue introduced in 13.14.0 related to the JAVA_HOME fallback mechanism wherein the fallback would be triggered for each new package manager command. Improve reporting of errors thrown while executing package manager commands. Fix a potential issue related to gradle caches not being properly handled while computing workspaces for gradle projects.

13.14.1 (Sep 18. 2024)

Minor improvements to the reachability analysis for JavaScript/TypeScript.

13.14.0 (Sep 17. 2024)

Internal restructure of Coana to prepare for major release.

13.13.18 (Sep 16. 2024)

Send message to Coana when a run starts to better monitor runs that fail.

13.13.17 (Sep 13. 2024)

When reachability analyses encounter an error, for instance an out-of-memory error, Coana will apply the same analysis splitting technique that's used for analyses that time out.

13.13.16 (Sep 12. 2024)

Add support for applying fixes to catalog versions in pnpm.

13.13.15 (Sep 11. 2024)

Improvements to the reachability analysis for Python. Data-flow for dictionary comprehensions, copies and async with statements is now modeled. The update also improves precision for functions decorated by user-defined decorators - previously the analysis mixed together all functions decorated by the same decorator.

13.13.14 (Sep 11. 2024)

Added support for applying security fixes in maven, gradle, and sbt projects.

13.13.13 (Sep 9. 2024)

Fix issue for reachability analysis of JavaScript and TypeScript projects where the analysis failed to resolve some modules.

13.13.12 (Sep 7. 2024)

Add CLI option --include-dirs for selecting specific directories that Coana should scan for vulnerabilities.

13.13.11 (Sep 4. 2024)

Fix issue related to computing dependency trees for npm projects using aliases.

13.13.10 (Sep 4. 2024)

Various improvements to the reachability analysis for JavaScript/TypeScript.

13.13.9 (Sep 4. 2024)

For Python projects, previously all requirements.txt files in subfolders of a directory with a setup.py or pyproject.toml were considered part of the same project. We now consider them separate projects if they have a nesting level deeper than two. I.e., relative to the setup.py or pyproject.toml, a requirements.txt file in a/b would be considered part of the same project, while requirements.txt files in a/b/c would be considered separate projects.

13.13.8 (Sep 4. 2024)

Fix issue where Coana sometimes printed sending crash report to Coana without Coana actually crashing.

13.13.7 (Sep 3. 2024)

Add support for go modules prior to 'Go Modules' management system (v1.11)

13.13.6 (Sep 3. 2024)

Fix issue where package managers were throwing an error for already applied fixes

13.13.5 (Sep 3. 2024)

Fix a bug in the new aliased packages support

13.13.4 (Sep 2. 2024)

Gracefully handle out-of-memory errors in the Python reachability analysis.

13.13.3 (Sep 2. 2024)

Include information about subproject and workspace in log if Coana fails to find vulnerabilities for a project

13.13.2 (Sep 1. 2024)

Include more information in log if Coana fails to find vulnerabilities for a project

13.13.1 (Aug 31. 2024)

Fix issue (introduced in 13.13.0) where Coana assumed the presence of package-lock.json file for NPM projects without any lock file.

13.13.0 (Aug 30. 2024)

Fixed issue where NPM package managers did not handle aliased packages correctly.

13.12.5 (Aug 30. 2024)

Fix regression in 13.12.2 that caused dependency resolution to fail for some projects that depend on libraries with Python version upper bounds.

13.12.4 (Aug 30. 2024)

Option --print-analysis-log-file now stores the analysis log file in the root of each workspace

13.12.3 (Aug 30. 2024)

Soundness improvements to the Python reachability analysis. The analysis now models data flow from iterating over dictionaries. Models were also added for the weakref standard library module. The update also contains minor performance improvements.

13.12.2 (Aug 29. 2024)

Improved speed of dependency installation for Python projects.

13.12.1 (Aug 29. 2024)

Do not find subprojects in .next and venv folders. Also do not consider directories with a package-lock.json, pnpm-lock.yaml or yarn.lock as npm projects if the directory does not also contain a package.json file.

13.12.0 (Aug 23. 2024)

Added reachability analysis support for Go projects.

13.11.9 (Aug 12. 2024)

Fix issue in JS reachability analysis that could lead to false negatives.

13.11.8 (Aug 12. 2024)

Fix bug introduced in 13.11.7 where excluding files from analysis was broken.

13.11.7 (Aug 10. 2024)

Internal restructuring for simplifying how we run the JavaScript/TypeScript analysis.

13.11.6 (Aug 7. 2024)

Internal restructuring for making it easier to support new ecosystems.

13.11.5 (Aug 6. 2024)

Fix for Flow type annotations in JavaScript analysis

13.11.4 (Aug 2. 2024)

Fixed dependency version resolution for Go projects. Previously Coana could report vulnerabilities for versions of Go dependencies that were older than the actual version used in the project. Coana can now also filter Go dependencies that are never used in the scanned project, for example, transitive dependencies' test dependencies.

13.11.3 (Aug 2. 2024)

Fixed issue where Coana could treat analysis results as successful even though the analysis failed.

13.11.2 (Aug 1. 2024)

Add support for yarn projects without the packageManager field set in package.json

13.11.1 (Jul 29. 2024)

Fixed an issue with the JAVA_HOME fallback mechanism for sbt projects.

13.11.0 (Jul 26. 2024)

Various improvements to the JS static analysis.

13.10.9 (Jul 26. 2024)

Default to same Yarn version as prior to 13.10.8.

13.10.8 (Jul 25. 2024)

Improve error messages when scanning unsupported projects/ecosystems.

13.10.7 (Jul 23. 2024)

Fix an issue where git commit SHAs and branch names were not included in scans using GitHub workflows.

13.10.6 (Jul 23. 2024)

Refactored Python version handling to be more robust.

13.10.5 (Jul 16. 2024)

Fixed an issue where dependency trees weren't computed correctly for some Go projects.

13.10.4 (Jul 15. 2024)

Disable traditional SCA scanning for Go by default (can still be enabled with --include-projects-with-no-reachability-support).

13.10.3 (Jul 15. 2024)

Fix issue where Coana could crash when using the --concurrency option with values greater than 1.

13.10.2 (Jul 13. 2024)

Fix issue when using a .python-version file for specifying required python version.

13.10.1 (Jul 13. 2024)

Fixed issue where Coana was not notified about failing Coana runs.

13.10.0 (Jul 12. 2024)

Significantly improved the robustness and speed of dependency resolution for requirements-based Python projects.

13.9.1 (Jul 11. 2024)

Improved robustness of dependency resolution for requirements-based Python projects.

13.9.0 (Jul 10. 2024)

Added support for SCA without reachability for Go.

13.8.3 (Jul 10. 2024)

If a Python pyproject.toml/setuptools project has a subdirectory with requirements files, the subdirectory is no longer considered a Python project (unless it also contains a pyproject.toml or a setup.py file).

13.8.2 (Jul 9. 2024)

Minor improvements to the precision, soundness and performance of the Python reachability analysis.

13.8.1 (Jul 9. 2024)

Fix issue where we failed to find some python projects due to requirements files being named differently than requirements.txt. We now consider files with names matching the regex requirements.*.txt as python requirements files.

13.8.0 (Jul 3. 2024)

Switch to a new security auditor backend for greater stability and speed.

13.7.28 (Jul 1. 2024)

Fixed some issues for applying fixes for yarn, npm and pnpm.

13.7.27 (Jun 28. 2024)

Fixed bug where Coana did not autoinstall the version of Python specified through a .python-version file.

13.7.26 (Jun 28. 2024)

Improve performance of Python reachability analysis by up to 50%.

13.7.25 (Jun 27. 2024)

Fix crash during Python AST parsing. This bug affected (in particular) projects that depend on Apache Airflow.

13.7.24 (Jun 27. 2024)

Increased the timeout for the first Python reachability analysis to 10 minutes.

13.7.23 (Jun 27. 2024)

Add support for specifying python version through a .python-version file.

13.7.22 (Jun 26. 2024)

Also treat directories with only a requirements.txt (i.e., no pyproject.toml or setup.py) file as python projects.

13.7.21 (Jun 25. 2024)

Fix issue where Python project finding failed for projects that included both a pyproject.toml and a setup.py file.

13.7.20 (Jun 21. 2024)

Reimplement maven version comparison logic. New version comparison is based on the java source code for maven artifact version comparison.

13.7.19 (Jun 20. 2024)

Fix issue in the Python reachability analysis where analysis of dependencies could terminate prematurely. Also added test for whether a setup.py file actually is a python project setup file.

13.7.18 (Jun 20. 2024)

Fix bug in yarn berry package manager, where we did not previously find dependencies for packages that have been patched using yarn patches.

13.7.17 (Jun 20. 2024)

Fix issue in Gradle dependency trees where some dependencies potentially could be missing.

13.7.16 (Jun 20. 2024)

Improved robustness of dependency installation for Python projects.

13.7.15 (Jun 19. 2024)

Add more logging to when report is not shared with dashboard.

13.7.14 (Jun 15. 2024)

Fix issue where some files in an excluded directory could still be analyzed by the JavaScript analysis.

13.7.13 (Jun 14. 2024)

Fix potential StackOverflow when printing maven and gradle dependency trees.

13.7.12 (Jun 11. 2024)

Fix issue where we did not detect whether a yarn project was using yarn berry or yarn classic correctly.

13.7.11 (Jun 11. 2024)

Improved robustness for sbt projects. All jvm projects now share JAVA_HOME fallback mechanism supporting Java LTS releases.

13.7.10 (Jun 11. 2024)

Added support for applying security fixes in yarn projects

13.7.9 (Jun 11. 2024)

Improved representation of dependency tree nodes for gradle and sbt projects. Made dependency tree representation consistent for jvm projects.

13.7.8 (Jun 11. 2024)

Fix issue related to test artifacts in jvm package managers.

13.7.7 (Jun 10. 2024)

--exclude-dirs now also supports excluding files from the JavaScript analysis.

13.7.6 (Jun 9. 2024)

Package manager operations performed on each workspace are now computed sequentially.

13.7.5 (Jun 8. 2024)

Fix issue where --exclude-dirs did not exclude files in subfolders of an excluded folder when using glob patterns for the directory to exclude.

13.7.4 (Jun 7. 2024)

Fix issue where report name always was "No root project found" (bug introduced in 13.7.0).

13.7.3 (Jun 5. 2024)

Improved robustness for maven projects. Maven projects now have a JAVA_HOME fallback mechanism supporting Java LTS releases, similar to gradle projects.

13.7.2 (Jun 5. 2024)

Skip building JVM projects if all compile artifacts already exist.

13.7.1 (Jun 5. 2024)

Fixes a bug in the computation of subproject paths introduced in 13.7.0.

13.7.0 (Jun 4. 2024)

Major restructure of CLI for preparing improved support for projects requiring specific versions of package managers or languages.

13.6.14 (Jun 4. 2024)

Improved robustness for gradle projects. Gradle projects now have a JAVA_HOME fallback mechanism supporting Java LTS releases.

13.6.13 (Jun 3. 2024)

Fix issue related to the handling of scopes in dependency trees generated for sbt projects.

13.6.12 (Jun 3. 2024)

Performance improvements to the reachability analysis for JavaScript/TypeScript.

13.6.11 (Jun 3. 2024)

Improved performance and robustness of preparing dependencies for python reachability analysis

13.6.10 (May 31. 2024)

Fix to algorithm for computing dependency trees for python projects

13.6.9 (May 30. 2024)

Fix issue with computing relative workspace paths in JVM package managers when analyzing projects in symlink directories.

13.6.8 (May 30. 2024)

CLI spinner can now list the tasks currently being worked on. Updated JVM package managers to use the new spinner features.

13.6.7 (May 30. 2024)

Various minor bug fixes for Yarn applications.

13.6.6 (May 28. 2024)

Improved flexibility of workflow for JVM package managers.

13.6.5 (May 29. 2024)

Fix issue when applying a security fix using the pnpm package manager

13.6.4 (May 27. 2024)

Improved robustness of building dependency trees for Gradle projects with unresolved dependencies. Unresolved dependencies are omitted from the analysis.

13.6.3 (May 27. 2024)

The --exclude-dirs option now also excludes directories for finding files to analyze inside a project as opposed to only working for excluding what projects to analyze.

13.6.2 (May 27. 2024)

Yet further improvements to gradle script compatibility.

13.6.1 (May 24. 2024)

Further improvements to gradle script compatibility.

13.6.0 (May 24. 2024)

Fixes are now computed after submitting reports to the Coana backend. This reduces network traffic and speeds up the CLI runs.

13.5.15 (May 23. 2024)

Fix issues related to running coana on projects using older versions of gradle and with platform dependent dependencies.

13.5.14 (May 23. 2024)

The python analysis now uses preinstalled versions of dependencies if they are located in the .venv folder of the project being analyzed.

13.5.13 (May 22. 2024)

Improved robustness of building dependency trees for the Python package manager Poetry.

13.5.12 (May 22. 2024)

Gradle projects with gradle wrapper version below 7.0 now use Java 11.

13.5.11 (May 21. 2024)

Improved gradle script compatibility with older versions of gradle.

13.5.10 (May 16. 2024)

Consistency of JVM package manager dependency trees. Changed dockerfile to use fixed versions of maven and gradle and to set JAVA_HOME.

13.5.9 (May 14. 2024)

Improved robustness of java analysis by reporting non-existing and unsupported input files instead of throwing exception.

13.5.8 (May 14. 2024)

Soundness and performance improvements for the Python reachability analysis.

13.5.7 (May 10. 2024)

Increase default timeout for requests for computing vulnerabilities and fixes.

13.5.6 (May 10. 2024)

Fix bug in gradle package manager that could result in some dependencies missing in the computed dependency tree.

13.5.5 (May 10. 2024)

Fix issue in preparation for precomputing reachability results when it can be determined that vulnerabilities are not reachable, just by looking at the dependency code.

13.5.4 (May 10. 2024)

Improved logging for Scala, Kotlin and Java projects.

13.5.3 (May 10. 2024)

Preparation for pipeline blocking. Added CLI command compare-reports <baseline-report-path> <new-report-path>, which compares the two reports and gives an error if new reachable vulnerabilities were found in new-report relative to baseline-report.

Also added option --changed-files to the run command. When provided, Coana will only run on workspaces/modules that contain changed files.

13.5.2 (May 10. 2024)

The Python version required for Python projects is now also extracted from tool.mypy.python_version in pyproject.toml.

13.5.1 (May 8. 2024)

Improved robustness of handling projects using requirements files for specifying dependencies.

13.5.0 (May 6. 2024)

Added support for Scala projects

13.4.3 (May 6. 2024)

Adjusted python project finding heuristic for projects including a requirements.txt file. Python projects are now expected to include a pyproject.toml, setup.py or setup.cfg file.

13.4.2 (May 6. 2024)

Fixes and improvements to --exclude-dirs. --exclude-dirs can now also exclude modules/workspaces in projects.

13.4.1 (May 6. 2024)

More performance improvements for preparing dependencies for python analysis, and soundness improvements to the Python reachability analysis.

13.4.0 (May 2. 2024)

Added support for Python projects using pip-compile, traditional requirement files and/or pyproject.toml/setup.py for dependency management.

13.3.0 (May 2. 2024)

Added option --ecosystems <ecosystems...> for specifying what ecosystems to find projects for. To only run on NPM and MAVEN projects, use --ecosystems NPM MAVEN. By default, Coana selects all ecosystems.

13.2.5 (Apr 29. 2024)

More performance improvements for preparing dependencies for python analysis, and made logic for installing dependencies more robust.

13.2.4 (Apr 26. 2024)

Performance improvements for preparing dependencies for python analysis, and increased timeout for both the JS and python reachability analyses.

13.2.3 (Apr 26. 2024)

Compute and store dependency trees with vulnerability reports. This is preliminary work for adding support for SBOM generation and licensing scanning.

13.2.2 (Apr 25. 2024)

Fixes in how we install Python packages and to the Python reachability analysis

13.2.1 (Apr 24. 2024)

Improves how we install Python packages needed for reachability analysis.

13.2.0 (Apr 23. 2024)

Added support for pnpm version 9.

13.1.1 (Apr 23. 2024)

Fix bug in finding python files to analyze, and add more logging for python analysis.

13.1.0 (Apr 21. 2024)

Added support for reachability analysis for Python projects (currently only the Poetry package manager is supported).

13.0.0 (Apr 21. 2024)

Breaking changes

Coana now fails if the automatic dependency installation fails for npm ecosystem package managers.

12.6.1 (Apr 19. 2024)

Fix an issue where commit SHA and branch name weren't included in the reports.

12.6.0 (Apr 17. 2024)

Added support for the Gradle package manager, such that reachability analysis now also works for gradle projects.

12.5.5 (Apr 15. 2024)

Fix an issue where Coana offline version would crash in some rare cases.

12.5.4 (Apr 12. 2024)

Better logging when Coana fails to parse reachability analysis results.

12.5.3 (Apr 11. 2024)

Improved logging of what subprojects and workspaces Coana is analyzing.

12.5.2 (Apr 8. 2024)

Fixed an issue where the CLI in rare instances would misbehave or crash for projects that directly depend on the npm package manager as an explicit dependency.

12.5.1 (Apr 8. 2024)

Minor improvements and fixes to reduce the chance of the CLI failing with 5xx errors.

12.5.0 (Apr 5. 2024)

Add support for traditional SCA for the Poetry package manager for Python projects. Currently only projects where Coana supports reachability analysis are included by default. To include Poetry projects in the Coana run, use the new option --include-projects-with-no-reachability-support. The reachability analysis for Python projects is expected to be available in April.

12.4.0 (Apr 5. 2024)

Added CLI command for applying fixes for vulnerabilities with support for npm and pnpm.

12.3.10 (Apr 3. 2024)

Fix an issue where some crash reports from the CLI weren't sent to the Coana team for analysis (extension of fix from Mar 12.3.6). Coana will now also retry computing vulnerabilities and fixes on 5xx errors.

12.3.9 (Apr 3. 2024)

Improved logging when package installation failures occur.

12.3.8 (Mar 30. 2024)

Improvements to JS/TS reachability analysis for handling vulnerabilities affecting imports or property reads. It also includes some performance improvements to the reachability analysis making it analyze some large applications 30% faster.

12.3.7 (Mar 30. 2024)

Improvements to JS/TS reachability analysis.

12.3.6 (Mar 22. 2024)

Fix an issue where some crash reports from the CLI weren't sent to the Coana team for analysis.

12.3.5 (Mar 22. 2024)

Add new options:

  • --print-analysis-log-file that stores a js-analysis.log file containing log output from the JavaScript/TypeScript reachability analysis.
  • --entry-points <entryPoints...> for defining a list of files that should be considered entry points for the root workspace for the JavaScript/TypeScript reachability analysis. By default, Coana considers all source files as entry points.

12.3.4 (Mar 21. 2024)

Fix an issue where the Java reachability analysis could not find dependencies that used the special version tags RELEASE and LATEST.

12.3.3 (Mar 20. 2024)

Add CLI option for disabling the analysis splitting technique that's used to split the reachability analysis into smaller parts on projects that are too large to analyze in a single run.

12.3.2 (Mar 19. 2024)

Fix an issue where Maven dependencies with packaging pom were added to the class path for the analysis.

12.3.1 (Mar 18. 2024)

Java analysis no longer treats dependencies as application code when dependencies are bundled in the application jar.

12.3.0 (Mar 16. 2024)

General performance and configurability improvements.

Options updates:

  • Add option -c, --concurrency <concurrency> (default: 1 - previous behavior): Run <concurrency> number of reachability runs concurrently.
  • Add option -a, --analysis-timeout <timeoutInSeconds> (default is 60 - the previous behavior): Sets the timeout for each analysis run to <timeoutInSeconds>.
  • Change default value for --memory-limit <memoryInMB> from 4096 to 8192.

12.2.0 (Mar 14. 2024)

Updates the reachability analysis for JavaScript/TypeScript. Introduces various improvements to Coana's package installation commands that are run as part of the reachability analysis if dependencies are not already installed.

12.1.7 (Mar 13. 2024)

Fix an issue where the CLI would sometimes crash if a JavaScript project had engines restrictions, which the Coana CLI Docker image did not meet. Since Coana doesn't actually run the code, engine restrictions are not relevant to the CLI, so we simply ignore them.

12.1.6 (Mar 11. 2024)

General improvements and fixed some issues related to how we automatically detect Maven project configurations.

12.1.5 (Mar 8. 2024)

Fix an issue where we could not distinguish workspaces with the same workspace path in different subprojects.

12.1.4 (Mar 7. 2024)

Print the CLI version during all runs. The CLI version is useful to have for debugging purposes.

12.1.3 (Mar 6. 2024)

Fix an issue where submitting the report to Coana failed due to a bug in computing the dependency type for projects using package aliasing. This update also fixes an issue where security scanning could fail due to missing information about certain packages in the computed dependency tree.

12.1.2 (Mar 5. 2024)

Fix an issue where the CLI failed to scan npm projects using package aliases. This update also improves handling of internal modules in Maven projects.

12.1.1 (Mar 4. 2024)

Improvement to how Maven projects are handled: we now only build projects/modules if they have not been built already.

12.1.0 (Mar 1. 2024)

Introduces a new and much faster and more scalable reachability analysis for Java. This update also fixes various bugs in Coana's processing of Java projects.

12.0.1 (Feb 29. 2024)

Fix an issue where the CLI threw an error when it couldn't find a dependency file (package.json, pom.xml etc) in the root of the project.

12.0.0 (Feb 28. 2024)

This update includes a pretty large, mostly backward-compatible update to the Coana CLI. If your project contains subprojects (see below), you should consider whether they should be excluded using the new --exclude-dirs <folder1> <folder2>.. option.

Support projects that use multiple programming languages and package managers.

For example, Coana can now scan projects that have both a pom.xml and a package.json in the root of the same repository.

Automatically scan subprojects.

The analysis has always supported workspaces. However, now the CLI also supports a concept we call subprojects, where a subproject is a project that's not in the root of the repository. For example, imagine a repository where you have a Maven project in the root, but then also a subdirectory that contains a React project with some documentation. The CLI will now automatically scan both the Maven project and the React project in the same run. If you want to exclude a folder from the analysis, you can use the --exclude-dirs <folder1> <folder2>.. option.

Automatically install dependencies prior to running the analysis if needed.

If the CLI detects that the dependencies are not installed, it will now automatically install them before running the analysis. It's still recommended that you manually install dependencies in case you use any kind of specialized caching (like the pnpm GitHub action caching feature) or pass any special flags to the package manager.

11.6.11 (Feb 25. 2024)

Fix an issue where the Coana CLI would crash on npm-based projects that use globs to resolve workspace paths.

11.6.10 (Feb 24. 2024)

Include environment variable MAVEN_CLI_OPTS in all mvn commands run by the Coana CLI.

11.6.9 (Feb 22. 2024)

Fix max buffer length exceeded error that could occur on some Maven projects.

11.6.8 (Feb 13. 2024)

Fix an issue where the CLI didn't extract dependency types correctly for peer and optional dependencies in npm.

11.6.7 (Feb 12. 2024)

Collect better error reports if the Coana CLI crashes. This helps the Coana team identify and fix bugs.

11.6.6 (Feb 10. 2024)

Increase default memory limit assigned to the static analyses from 4GB to 8GB.

11.6.5 (Feb 9. 2024)

Improves compatibility with yarn berry workspace projects.

11.6.4 (Feb 8. 2024)

Improvements to the static analyses.

11.6.2 (Feb 5. 2024)

Fix an issue where vulnerabilities were not reported correctly for git-based dependencies in pnpm projects.

11.6.1 (Jan 31. 2024)

  • Remove some debug logging enabled by default.
  • Improved the structure of debug logging when using the --debug flag.

11.6.0 (Jan 24. 2024)

Add support for Java (Maven) security scanning.

11.5.5 (Jan 10. 2024)

  • Various minor bug fixes mostly affecting yarn classic (< 2.x.y)
  • Record ecosystem. Change required to support non-JS languages.

11.5.1 (Jan 4. 2024)

Fix an issue where the CLI's compute dependency type feature would crash in some rare edge cases where the static analysis and the package manager disagree on the dependency structure. Adds support for security scanning of Maven-based Java projects.

11.4.1 (Jan 2. 2024)

  • Fix an issue where the CLI didn't handle pre-release and build identifiers for some pnpm versions.

11.4.0 (Dec 27. 2023)

  • Record the name and version of packages affected by vulnerabilities.
  • Record the dependency type of direct dependencies on chains leading to vulnerabilities.
  • Fix an issue where Coana would crash on npm workspace projects where at least one of the workspaces used a scoped package name, e.g., @scope/pkg.

11.3.3 (Dec 18. 2023)

Better debug logging.

11.3.2 (Nov 29. 2023)

Better debug logging.

11.3.1 (Nov 28. 2023)

Fix a bug where the static analysis did not process some functions correctly.

11.3.0 (Nov 27. 2023)

  • Record dependency type (dev, prod, or dev&prod).
  • Fix an issue where not all vulnerability fixes were enabled by default.
  • Better debugging output.

11.2.0 (Nov 23. 2023)

The Coana report now includes information about dependency upgrades that can fix vulnerabilities.

11.1.1 (Nov 21. 2023)

Ensure Coana doesn't crash when it encounters an unlikely scenario where it cannot extract a file name.

11.1.0 (Nov 20. 2023)

Coana reports now include enough information to allow it to show version numbers in dependency chains.

11.0.0 (Nov 10. 2023)

Breaking changes

Includes a new and much simplified report format.

Other changes

The new format fixes a bug where the vulnChainDetails field was incorrectly shared between the same vulnerability across multiple workspaces.

10.0.1 (Nov 1. 2023)

Fix a bug where the analysis could enter an infinite loop on projects with 0 vulnerabilities.

10.0.0 (Oct 26. 2023)

Upgrade the CLI to use Node version 20, which just entered LTS.

9.1.0 (Oct 26. 2023)

Fix an issue where the offline mode would complain about a missing access paths file when running through Docker.

9.0.0 (Oct 20. 2023)

Breaking changes

This update contains considerable breaking changes to the CLI. A lot of legacy features have been removed, including the ability to generate HTML and markdown reports. It's still possible to generate JSON reports, but now -o . should be used in place of -o json -p . (note the trailing dot in both). The JSON report format has also changed to make it compatible with the DTO that's submitted to the dashboard.

Other changes

The CLI now includes an offline mode where it can run the entire Coana vulnerability scanning without access to the internet. An offline vulnerability database must be provided using the --offline-database argument.

8.6.0 (Oct 19. 2023)

Updates the underlying static analysis.

8.5.0 (Oct 18. 2023)

Using the --write-report-to-file in a GitHub action will now upload the dashboard-report.json as an artifact.

8.4.1 (Oct 6. 2023)

Suppress internal errors when the CLI fails to extract git SHAs and branch names.

8.4.0 (Oct 6. 2023)

The CLI now also captures git commit SHAs and branch names.

8.3.0 (Oct 2. 2023)

  • Fix an issue where the CLI execution was not calculated correctly.
  • Coana will now gather more data about the performance of the static analysis. We expect this data will help us better identify bottlenecks and improve the analysis going forward. We want to emphasize that we still don't gather source code or any other sensitive information.

8.2.0 (Sep 24. 2023)

New --write-report-to-file debug option.

8.1.0 (Sep 22. 2023)

Switch to newer more efficient security auditor backend.

8.0.0 (Sep 18. 2023)

Breaking changes

Removes a lot of the non-security-related features since these are no longer a priority for us. Since you are unlikely to use any of these features, you probably won't feel the breaking changes. The CLI is now also slightly more performant.

7.2.0 (Sep 15. 2023)

The static analysis engine has been updated.

7.1.0 (Sep 14. 2023)

The static analysis engine has been updated.

7.0.0

The Coana CLI now integrates with the Coana dashboard using the --api-key option.

6.2.2 (Sep 7. 2023)

Fixed an issue where the Coana APIs could not be reached.

6.2.1 (Aug 22. 2023)

Fixed an issue where an error getaddrinfo ENOTFOUND was thrown occasionally. The error is due to a DNS lookup timeout, so we now try to resend the request instead of throwing an error when it occurs.

6.2.0 (Aug 14. 2023)

Add --timeout/-t option for specifying the timeout of API calls to the Coana backend.

6.1.0 (Aug 4. 2023)

Breaking changes

  • --jsonReport has been renamed to --json-report such that the naming better matches the name given to the other report types.
  • --json-report, --markdown-report and --json-report have been deprecated in favor of -o, --output <html,json,md>. For example, replace --json-report with -o json. Use -p, --output-path if you want to write the output to some other folder than the current working directory.

Other changes

  • The backend API has been partially re-implemented. This change should alleviate the problem of long periods of downtime.
  • Various improvements to the precision and speed of the static analysis.
  • Fix an issue where the CLI did not work on Windows due to a bug in the mechanism that initiated the static analysis.

5.0.0 (June 23. 2023)

Breaking changes

This update shouldn't be breaking. Various new fields have been added to the Coana report JSON object, but it's still backward compatible.

Other changes

Contains a lot of minor bug fixes and improvements. Most notably, the layout of the HTML report has improved considerably.

4.0.0 (Apr 27. 2023)

Breaking changes

The JSON output type of the Coana CLI has changed. This change was made to align the JSON output type of the CLI with the output type used to generate the HTML and markdown reports. The new return type definition is found here. Notice that the name has also changed from CoanaCLIOutput to CoanaReport.

Adapting to the new output type

Assume you are working in a non-workspace project (only a single package.json). If you were previously reading output.unusedPackages, you have to make the following change:

- output.unusedPackages;
+ output.packageSummaries['.'].unusedPackages;

If you were previously reading output.vulnerablePackages, you have to make the following change:

- output.vulnerablePackages;
+ output.vulnerablePackages['.'].vulnerablePackages.map(pkg => pkg.packageName);

If you were previously reading output.packageDetails, you have to make the following change:

- output.packageDetails[somePkgName];
+ output.packageDetails['.'][somePkgName];

For workspace projects (multiple package.json), the change is slightly more complicated. Since Coana now groups the output by workspace name, you have to iterate over the workspace names to extract all of the data. For example:

- output.unusedPackages;
+ import { resolve } from 'path';
+ Object.keys(output.unusedPackages).flatMap(workspace => output.unusedPackages[workspace].map(pkg => resolve(workspace, pkg)));
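
Review bot: the replacement line reads output.unusedPackages[workspace], but the non-workspace example earlier in this section reads the same data from output.packageSummaries['.'].unusedPackages, so the two access paths do not agree; check both against the CoanaReport type definition and make them consistent. The import line also sits inside the replacement, whereas in real code it belongs at the top of the module.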

Other changes

  • The Coana CLI now supports config files in YAML format. You can continue to use the old JSON5 format if you prefer.
  • The security auditor algorithm has changed quite dramatically. The CLI tool should run a lot faster as a consequence.

3.1.0 (Apr 23. 2023)

The Coana CLI is now ready to be used with GitHub actions. The GitHub actions are available here https://github.com/coana-tech/coana-action (documentation will follow later).

3.0.0 (Apr 19. 2023)

Breaking changes

The --out <path> or -o <path> option has been replaced with --jsonReport <path>. The <path> passed to --out used to include the file name, e.g., --out ./report.json, but now it should instead point to the folder where a report (coana-report.json) is written. For example --jsonReport . writes coana-report.json to the current directory. This change was made to align the behavior of out/jsonReport with HTML and markdown reports.

Other changes

Use the --silent option to remove all logging and debug output. It also disables the spinner.

2.1.0 (Apr 18. 2023)

Coana can now output an HTML and markdown report. Pass either the --html-report . or --markdown-report . option to Coana to generate the report in the CWD.

For example:

docker run -v $PWD:/project coana/coana:latest coana --html-report . /project

2.0.0 (Apr 12. 2023)

Breaking changes

  • See the new support for workspaces above. For non-workspaces projects, no breaking changes should be observed.

  • The vulnerability scanning mechanism has been optimized slightly to perform better with the new workspaces mechanism. Previously, if you had a project ./packages/package-a that depends on the local workspace ./packages/package-b and package-b is affected by a vulnerability, Coana would also report that vulnerability in package-a. However, since package-b is now also analyzed separately from package-a, Coana refrains from also reporting its vulnerabilities together with package-a in version 2.0.0 and above. Notice that this change only affects where vulnerabilities are reported (NOT which vulnerabilities are found).

Other changes

Coana now supports workspaces (mono repositories). If you use workspaces (npm, Yarn, and pnpm are all supported), the Coana CLI can now aggregate the data from each workspace in a single run. For example, if you previously had a workspaces project with the following structure:

package.json
packages/package-a/package.json
packages/package-b/package.json

You would have had to do 3 invocations of the CLI to gather data from each workspace:

docker run -v $PWD:/project coana/coana:latest coana ./
docker run -v $PWD:/project coana/coana:latest coana ./packages/package-a
docker run -v $PWD:/project coana/coana:latest coana ./packages/package-b

A single invocation will now gather data for each workspace:

docker run -v $PWD:/project coana/coana:latest coana ./

The output type is different for workspace projects, where the packageDetails is now a 2-layer map from workspace path to package name to details for that package (see the version 2.x.x and 3.x.x types for more details).

1.5.0 (Apr 3. 2023)

Don't show a package as unused if it appears to be used as a plugin in a config file. This feature is a heuristic (not always correct), and can be disabled by setting 'reportUnusedConfigPlugins' to true in coana-config.json.

1.4.0 (Apr 3. 2023)

Support for Yarn classic (Yarn below version 2) projects.

1.3.0 (Apr 1. 2023)

  • Do not report packages as unused if they are peer dependencies of used packages.
  • Use --version to print the version of the Coana CLI.

1.2.1 (Mar 24. 2023)

There is a new minAuditLevel property to be set in coana-config.json. It takes the values 'info', 'low', 'moderate', 'high', 'critical' or 'none' and defaults to 'info'. Packages that are only affected by vulnerabilities below minAuditLevel are not reported in vulnerablePackages.

1.2.0 (Mar 23. 2023)

  • The Docker image now uses alpine Linux instead of Debian (it has reduced its size from about 1GB to around 250MB (370MB to 60MB in the compressed format)).
  • The vulnerability scanner now contains suggested fixes computed by the Coana backend. To actually apply the fixes, you can use the Coana VSCode Extension.
  • The 'check for unused packages' feature now matches bins provided by a package with the scripts in the package.json (before it would only match on package names). This change means that if you depend on TypeScript, and use the TypeScript bin 'tsc' in one of your scripts, then TypeScript will not be flagged as unused.

1.1.1 (Feb 27. 2023)

Don't report a package as unused if:

  • It's a developer dependency
  • It's used in the script section of the package.json
  • It's a @types package