Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type DependencySubgraph
type DependencySubgraph struct {
	Dependency resolve.NodeID // The NodeID of the end dependency of this subgraph.
	Nodes      map[resolve.NodeID]GraphNode
}
func ComputeSubgraphs
func ComputeSubgraphs(g *resolve.Graph, nodes []resolve.NodeID) []*DependencySubgraph
ComputeSubgraphs computes the DependencySubgraph for each specified NodeID. Each computed subgraph contains all nodes and edges that transitively depend on the specified node, plus the node itself.
Modifying any of the returned DependencySubgraphs may cause unexpected behaviour.
func (*DependencySubgraph) ConstrainingSubgraph
func (ds *DependencySubgraph) ConstrainingSubgraph(ctx context.Context, cl resolve.Client, vuln *models.Vulnerability) *DependencySubgraph
ConstrainingSubgraph tries to construct a subgraph of this DependencySubgraph that includes only the edges that contribute to a vulnerability. It identifies the dependencies which constrain the vulnerable package to a vulnerable version. This is used by the 'relax' remediation strategy to identify which direct dependencies need to be updated.
e.g. for a subgraph with:
A -> C@<2.0
B -> C@<3.0
C resolves to C@1.9
If the vuln affecting C is fixed in version 2.0, the constraining subgraph would only contain A, since B would allow versions >=2.0 of C to be selected if not for A.
This is a heuristic approach and may produce false positives (that is, dependencies may be flagged to be relaxed unnecessarily). If the constraining subgraph cannot be computed for some reason, the original DependencySubgraph is returned.
func (*DependencySubgraph) IsDevOnly
func (ds *DependencySubgraph) IsDevOnly(groups map[manifest.RequirementKey][]string) bool
IsDevOnly checks whether this DependencySubgraph solely contains dev (or test) dependencies. If groups is nil, it checks the dep.Type of the direct graph edges for the Dev Attr (used by the in-place strategy). Otherwise, it uses the groups of the direct dependencies to determine whether a non-dev path exists (used by the relax/override strategies).
type Difference
type Difference struct {
	Original     *Result
	New          *Result
	RemovedVulns []Vulnerability
	AddedVulns   []Vulnerability
	manifest.Patch
}
func (Difference) Compare
func (a Difference) Compare(b Difference) int
Compare compares two Difference values (resolution diffs) based on 'effectiveness' (best first):
Sort order:
- (number of fixed vulns - number of introduced vulns) / (number of changed direct dependencies) [descending] (i.e. more efficient first)
- number of fixed vulns [descending]
- number of changed direct dependencies [ascending]
- changed direct dependency package names [ascending]
- size of changed direct dependency bump [ascending]
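The sort order above, as an added Go example that is not part of this package: a simplified Candidate type stands in for Difference (with an assumed integer BumpSize for the size of the version bump), Compare applies the five keys in the documented order, and Rank sorts a set of candidate patches best first.

```go
package main

import "cmp"
import "slices"

// Candidate is a simplified stand-in for the package's Difference type, constructed
// for this example: one proposed patch and what it fixes, introduces and changes.
type Candidate struct {
	Name        string
	Fixed       int      // vulnerabilities removed by the patch
	Introduced  int      // vulnerabilities the patch newly introduces
	ChangedDeps []string // package names of bumped direct deps, sorted
	BumpSize    int      // assumed: summed magnitude of the version bumps
}

// efficiency is (fixed - introduced) / changed direct deps; 0 if nothing changed.
func (c Candidate) efficiency() float64 {
	if len(c.ChangedDeps) == 0 {
		return 0
	}
	return float64(c.Fixed-c.Introduced) / float64(len(c.ChangedDeps))
}

// Compare returns -1 when a ranks before b (a is the more effective patch), 1 when
// after and 0 when tied, applying the documented keys in order (swapped for descending).
func Compare(a, b Candidate) int {
	if c := cmp.Compare(b.efficiency(), a.efficiency()); c != 0 {
		return c // higher efficiency first
	}
	if c := cmp.Compare(b.Fixed, a.Fixed); c != 0 {
		return c // more vulnerabilities fixed first
	}
	if c := cmp.Compare(len(a.ChangedDeps), len(b.ChangedDeps)); c != 0 {
		return c // fewer direct dependencies changed first
	}
	if c := slices.Compare(a.ChangedDeps, b.ChangedDeps); c != 0 {
		return c // same count: lexicographic on package names
	}
	return cmp.Compare(a.BumpSize, b.BumpSize) // smallest version bump first
}

// Rank sorts candidates in place, best first, and returns their names in that order.
func Rank(cs []Candidate) []string {
	slices.SortStableFunc(cs, Compare)
	names := make([]string, len(cs))
	for i, c := range cs {
		names[i] = c.Name
	}
	return names
}
```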
type ResolveOpts
type ResolveOpts struct {
	MavenManagement bool // whether to include unresolved dependencyManagement dependencies in resolved graph.
}
type Result
type Result struct {
	Manifest        manifest.Manifest
	Graph           *resolve.Graph
	Vulns           []Vulnerability
	UnfilteredVulns []Vulnerability
}
func Resolve
func Resolve(ctx context.Context, cl client.ResolutionClient, m manifest.Manifest, opts ResolveOpts) (*Result, error)
func (*Result) CalculateDiff
func (res *Result) CalculateDiff(other *Result) Difference
func (*Result) FilterVulns
func (res *Result) FilterVulns(matchFn func(Vulnerability) bool)
FilterVulns populates Vulns with the UnfilteredVulns that satisfy matchFn.
type Vulnerability
type Vulnerability struct {
	OSV     models.Vulnerability
	DevOnly bool
	// Subgraphs are the collections of nodes and edges that reach the vulnerable node.
	// Subgraphs all contain the root node (NodeID 0) with no incoming edges (Parents),
	// and the vulnerable node (NodeID DependencySubgraph.Dependency) with no outgoing edges (Children).
	Subgraphs []*DependencySubgraph
}
func (Vulnerability) IsDirect
func (rv Vulnerability) IsDirect() bool