How it works

The Coana core technology builds on state-of-the-art static analysis technology in the form of the open source Jelly program analysis.

A static analysis is a program capable of scanning and understanding code without running it. Typical examples of tools that use static analysis include compilers and type checkers, for example, tsc for TypeScript , but some analyses can also scan for more complex program properties.

The Jelly analysis is designed specifically to solve problems in industrial-scale JavaScript and TypeScript applications with deep dependency chains. Historically, a static analysis would have struggled to produce meaningful results for such programs due to their immense complexity. However, based on recent results from academia, Jelly is far better suited to handle such applications than any other similar analysis.

Jelly creates a model of the input program known as a call graph. The call graph contains information about where functions are called. Let's consider a small example.

This is some text inside of a div block.

Take a moment to try and understand the program. Can you see which function is called on line 2? The correct answer is the function h defined on line 9. It's exactly questions like this the Jelly program can answer, with unprecedented accuracy and scalability, also when the flow of functions spans many modules in large, real-world applications.

The Jelly program analysis constitutes the core of the tools we develop at Coana. By building on top of Jelly, our tools are designed with a degree of code awareness that has not been present in dependency management historically. This code awareness means that Coana provides more precise and actionable information than competitors. For example, consider classic security auditing tools, like npm audit. It is a well-known fact that these tools tend to be very coarse-grained, often leading to numerous false positives (does npm audit also report tens or hundreds of vulnerabilities in your project?). A code-aware security auditor can provide much more accurate information. Instead of You may be affected by ... since you depend on package Foo, Coana will say You may be affected by ... in package Foo since you call the function f on line 232 in backend-logic.ts.

Get early access