Documentation
Overview
Package resolution provides dependency graph resolution and vulnerability findings for guided remediation.
Constants
This section is empty.
Variables
This section is empty.
Functions
func MakeRequirementKey
    func MakeRequirementKey(requirement resolve.RequirementVersion) manifest.RequirementKey
MakeRequirementKey constructs an ecosystem-specific RequirementKey from the given RequirementVersion.
Types
type DependencySubgraph
    type DependencySubgraph struct {
        Dependency resolve.NodeID // The NodeID of the end dependency of this subgraph.
        Nodes      map[resolve.NodeID]GraphNode
    }
DependencySubgraph is a subgraph of dependencies that contains all paths to a specific node.
func ComputeSubgraphs
    func ComputeSubgraphs(g *resolve.Graph, nodes []resolve.NodeID) []*DependencySubgraph
ComputeSubgraphs computes a DependencySubgraph for each specified NodeID. Each computed subgraph contains all nodes and edges that transitively depend on the specified node, plus the node itself.
Modifying any of the returned DependencySubgraphs may cause unexpected behaviour.
func (*DependencySubgraph) ConstrainingSubgraph
    func (ds *DependencySubgraph) ConstrainingSubgraph(ctx context.Context, cl resolve.Client, vuln *osvpb.Vulnerability) *DependencySubgraph
ConstrainingSubgraph tries to construct a subgraph of this subgraph that includes only the edges that contribute to a vulnerability. It identifies the dependencies that constrain the vulnerable package to a vulnerable version. This is used by the 'relax' remediation strategy to identify which direct dependencies need to be updated.
e.g. for a subgraph with:
    A -> C@<2.0
    B -> C@<3.0
    C resolves to C@1.9
If the vuln affecting C is fixed in version 2.0, the constraining subgraph would only contain A, since B would allow versions >=2.0 of C to be selected if not for A.
This is a heuristic approach and may produce false positives (i.e. dependencies that do not actually need relaxing may be flagged). If the constraining subgraph cannot be computed for some reason, the original DependencySubgraph is returned.
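As an added illustration of ComputeSubgraphs and ConstrainingSubgraph together (example code written for this page, not the package's own implementation), the following Go program builds the A/B/C graph from the doc comment above using toy stand-ins for the deps.dev resolve types, computes the subgraph that reaches C with BFS distances, and then applies the constraining heuristic with the fixed version passed directly as a string rather than via an osvpb.Vulnerability and resolve.Client. NodeID, Edge, Graph, versionLess, allows, SampleGraph and the "<X" requirement syntax are assumptions made for this example; the real package's constraint evaluation is ecosystem-specific.

```go
package main

import (
	"fmt"
	"strings"
)

// Toy stand-ins for deps.dev's resolve.Graph/resolve.Edge (assumption: fields trimmed to what is needed).
type NodeID int

type Edge struct {
	From, To    NodeID
	Requirement string // constraint on To, e.g. "<2.0" (constructed syntax)
}
type Graph struct{ Edges []Edge }

// GraphNode and DependencySubgraph mirror the package's own types.
type GraphNode struct {
	Distance int    // shortest distance to the end Dependency node (0 there)
	Parents  []Edge // edges with To == this node
	Children []Edge // edges with From == this node
}

type DependencySubgraph struct {
	Dependency NodeID
	Nodes      map[NodeID]GraphNode
}

// ComputeSubgraph walks parent edges backwards from target breadth-first, so
// the result holds exactly the nodes that transitively depend on target.
func ComputeSubgraph(g *Graph, target NodeID) *DependencySubgraph {
	parents := map[NodeID][]Edge{}
	for _, e := range g.Edges {
		parents[e.To] = append(parents[e.To], e)
	}
	sub := &DependencySubgraph{Dependency: target, Nodes: map[NodeID]GraphNode{target: {}}}
	for queue := []NodeID{target}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		node := sub.Nodes[cur]
		for _, e := range parents[cur] {
			p, seen := sub.Nodes[e.From]
			if !seen { // first discovery in BFS order is the shortest path
				p = GraphNode{Distance: node.Distance + 1}
				queue = append(queue, e.From)
			}
			p.Children = append(p.Children, e)
			sub.Nodes[e.From] = p
			node.Parents = append(node.Parents, e)
		}
		sub.Nodes[cur] = node
	}
	return sub
}

// versionLess reports a < b for "major.minor" versions (assumption; real resolvers use ecosystem-specific semantics).
func versionLess(a, b string) bool {
	var aMaj, aMin, bMaj, bMin int
	fmt.Sscanf(a, "%d.%d", &aMaj, &aMin)
	fmt.Sscanf(b, "%d.%d", &bMaj, &bMin)
	return aMaj < bMaj || (aMaj == bMaj && aMin < bMin)
}

// allows reports whether requirement req admits version v. Only "<X" is
// modelled; "" or any other operator is treated as permissive (assumption).
func allows(req, v string) bool {
	if strings.HasPrefix(req, "<") {
		return versionLess(v, req[1:])
	}
	return true
}

// ConstrainingSubgraph drops every edge into the vulnerable node whose
// requirement would accept fixedVersion, then recomputes the subgraph so only
// dependents that actually pin the vulnerable range remain (the heuristic, reduced to direct requirements).
func ConstrainingSubgraph(g *Graph, sub *DependencySubgraph, fixedVersion string) *DependencySubgraph {
	filtered := &Graph{}
	for _, e := range g.Edges {
		if e.To == sub.Dependency && allows(e.Requirement, fixedVersion) {
			continue // this dependent would accept the fix: not constraining
		}
		filtered.Edges = append(filtered.Edges, e)
	}
	return ComputeSubgraph(filtered, sub.Dependency)
}

// SampleGraph is the constructed graph from the doc comment: 0 is the root,
// 1 is A, 2 is B, 3 is C (resolved to 1.9); A -> C@<2.0 and B -> C@<3.0.
func SampleGraph() *Graph {
	return &Graph{Edges: []Edge{
		{From: 0, To: 1}, {From: 0, To: 2},
		{From: 1, To: 3, Requirement: "<2.0"}, {From: 2, To: 3, Requirement: "<3.0"},
	}}
}

func main() {
	g := SampleGraph()
	fmt.Println("constraining nodes:", len(ConstrainingSubgraph(g, ComputeSubgraph(g, 3), "2.0").Nodes))
}
```

With the fix at 2.0, B's edge is dropped because "<3.0" admits 2.0, so the constraining subgraph is root -> A -> C; raising the fix to 3.0 keeps both A and B, which is the false-positive-prone behaviour the doc comment warns about when a requirement only just excludes the fix. The real method filters on resolved requirement ranges through the resolve.Client rather than on a string prefix.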
func (*DependencySubgraph) IsDevOnly
    func (ds *DependencySubgraph) IsDevOnly(groups map[manifest.RequirementKey][]string) bool
IsDevOnly checks whether this DependencySubgraph contains solely dev (or test) dependencies. If groups is nil, it checks the dep.Type of the direct graph edges for the Dev attribute (used by in-place remediation). Otherwise it uses the groups of the direct dependencies to determine whether a non-dev path exists (used by relax/override).
type GraphNode
    type GraphNode struct {
        Version  resolve.VersionKey
        Distance int            // The shortest distance to the end Dependency Node (which has a Distance of 0)
        Parents  []resolve.Edge // Parent edges i.e. with Edge.To == this ID
        Children []resolve.Edge // Child edges i.e. with Edge.From == this ID
    }
GraphNode is a node in a DependencySubgraph.
type Vulnerability
    type Vulnerability struct {
        OSV     *osvpb.Vulnerability
        DevOnly bool
        // Subgraphs are the collections of nodes and edges that reach the vulnerable node.
        // Subgraphs all contain the root node (NodeID 0) with no incoming edges (Parents),
        // and the vulnerable node (NodeID DependencySubgraph.Dependency) with no outgoing edges (Children).
        Subgraphs []*DependencySubgraph
    }
Vulnerability represents a vulnerability found in a dependency graph.
func FindVulnerabilities
    func FindVulnerabilities(ctx context.Context, en enricher.Enricher, depGroups map[manifest.RequirementKey][]string, graph *resolve.Graph) ([]Vulnerability, error)
FindVulnerabilities scans for vulnerabilities in a resolved graph. One Vulnerability is created per unique ID, which may affect multiple graph nodes.