models

package v1.8.10
Published: Jan 2, 2025 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation


Constants

const (
	EcosystemMaven             = "Maven"
	EcosystemRubyGems          = "RubyGems"
	EcosystemGo                = "Go"
	EcosystemNpm               = "npm"
	EcosystemPyPI              = "PyPI"
	EcosystemCargo             = "Cargo"
	EcosystemNuGet             = "NuGet"
	EcosystemPackagist         = "Packagist"
	EcosystemHex               = "Hex"
	EcosystemPub               = "Pub"
	EcosystemCyDxSBOM          = "CycloneDxSbom" // These are not real ecosystems. They are containers
	EcosystemSpdxSBOM          = "SpdxSbom"      // These are not real ecosystems. They are containers
	EcosystemGitHubActions     = "GitHubActions"
	EcosystemTerraform         = "Terraform"
	EcosystemTerraformModule   = "TerraformModule"
	EcosystemTerraformProvider = "TerraformProvider"
)
const (
	ManifestSourceLocal         = ManifestSourceType("local")
	ManifestSourcePurl          = ManifestSourceType("purl")
	ManifestSourceGitRepository = ManifestSourceType("git_repository")
)
const (
	ProvenanceTypeSlsa = ProvenanceType("slsa")
)

Variables

This section is empty.

Functions

func GetModelEcosystem added in v1.8.3

func GetModelEcosystem(ecosystem packagev1.Ecosystem) string

GetModelEcosystem maps the control tower spec ecosystem to the model ecosystem string.

func IdGen added in v1.5.3

func IdGen(data string) string

This is probably not the best place for IdGen but keeping it here since this package is the most stable (SDP)

func NewPackageDetail

func NewPackageDetail(ecosystem, name, version string) lockfile.PackageDetails

Types

type DependencyGraph added in v1.5.6

type DependencyGraph[T DependencyGraphNodeType] struct {
	// contains filtered or unexported fields
}

Directed Acyclic Graph (DAG) representation of the package manifest

func NewDependencyGraph added in v1.5.6

func NewDependencyGraph[T DependencyGraphNodeType]() *DependencyGraph[T]

func (*DependencyGraph[T]) AddDependency added in v1.5.6

func (dg *DependencyGraph[T]) AddDependency(from, to T)

AddDependency adds a dependency from one package to another, i.e. an edge from [from] to [to].

func (*DependencyGraph[T]) AddNode added in v1.5.6

func (dg *DependencyGraph[T]) AddNode(node T)

Add a node to the graph

func (*DependencyGraph[T]) AddRootNode added in v1.5.6

func (dg *DependencyGraph[T]) AddRootNode(node T)

Add a root node to the graph

func (*DependencyGraph[T]) Clear added in v1.5.6

func (dg *DependencyGraph[T]) Clear()

Clear clears the dependency graph

func (*DependencyGraph[T]) GetDependencies added in v1.5.6

func (dg *DependencyGraph[T]) GetDependencies(pkg T) []T

GetDependencies returns the list of dependencies for the given package (outgoing edges).

func (*DependencyGraph[T]) GetDependents added in v1.5.6

func (dg *DependencyGraph[T]) GetDependents(pkg T) []T

GetDependents returns the list of dependents for the given package (incoming edges).

func (*DependencyGraph[T]) GetNodes added in v1.5.6

func (dg *DependencyGraph[T]) GetNodes() []*DependencyGraphNode[T]

GetNodes returns the list of nodes in the graph

func (*DependencyGraph[T]) GetPackages added in v1.5.6

func (dg *DependencyGraph[T]) GetPackages() []T

GetPackages returns the list of packages in the graph

func (*DependencyGraph[T]) IsRoot added in v1.5.6

func (dg *DependencyGraph[T]) IsRoot(data T) bool

func (*DependencyGraph[T]) MarshalJSON added in v1.5.6

func (dg *DependencyGraph[T]) MarshalJSON() ([]byte, error)

func (*DependencyGraph[T]) PathToRoot added in v1.5.6

func (dg *DependencyGraph[T]) PathToRoot(pkg T) []T

PathToRoot returns the path from the given package to the root. It uses a simple DFS algorithm to find the path. In future, it is likely that we will use a more efficient algorithm, such as a weighted traversal, which is more relevant here because we want to update the minimum number of root packages.
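As an added example (not vet's own code), a self-contained Go version of the DAG described above: nodes keyed by Id as DependencyGraphNodeType requires, root nodes flagged, and PathToRoot walking incoming edges by depth-first search so that a finding on a transitive package can be traced back to the direct dependency that pulls it in. The type and field names (NodeType, Pkg, Graph) are assumptions, and the visited set is an addition so that malformed, cyclic input terminates.

```go
package main

// NodeType mirrors the page's DependencyGraphNodeType: nodes are keyed by Id.
type NodeType interface{ Id() string }

// Pkg is a constructed sample node; its Id is reproducible across runs.
type Pkg struct{ Name, Version string }
func (p Pkg) Id() string { return p.Name + "@" + p.Version }

// Graph is a stand-in for DependencyGraph[T] (added here, not vet's code).
type Graph[T NodeType] struct {
	nodes   map[string]T
	deps    map[string][]string // outgoing edges: what a package depends on
	parents map[string][]string // incoming edges: who depends on a package
	roots   map[string]bool     // direct dependencies of the manifest
}

func NewGraph[T NodeType]() *Graph[T] {
	return &Graph[T]{map[string]T{}, map[string][]string{}, map[string][]string{}, map[string]bool{}}
}

func (g *Graph[T]) AddNode(n T)     { g.nodes[n.Id()] = n }
func (g *Graph[T]) AddRootNode(n T) { g.AddNode(n); g.roots[n.Id()] = true }

// AddDependency records the edge from -> to and indexes it in both directions.
func (g *Graph[T]) AddDependency(from, to T) {
	g.AddNode(from)
	g.AddNode(to)
	g.deps[from.Id()] = append(g.deps[from.Id()], to.Id())
	g.parents[to.Id()] = append(g.parents[to.Id()], from.Id())
}

// PathToRoot follows incoming edges by DFS until a root is reached and returns
// pkg -> ... -> root (nil if pkg is unknown or unreachable from any root).
func (g *Graph[T]) PathToRoot(pkg T) []T { return g.pathToRoot(pkg.Id(), map[string]bool{}) }
func (g *Graph[T]) pathToRoot(id string, visited map[string]bool) []T {
	if visited[id] {
		return nil // a cycle in malformed input stops here instead of recursing forever
	}
	visited[id] = true
	if g.roots[id] {
		return []T{g.nodes[id]}
	}
	for _, parent := range g.parents[id] {
		if path := g.pathToRoot(parent, visited); path != nil {
			return append([]T{g.nodes[id]}, path...)
		}
	}
	return nil
}
```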

func (*DependencyGraph[T]) Present added in v1.5.6

func (dg *DependencyGraph[T]) Present() bool

Present returns true if the dependency graph is present

func (*DependencyGraph[T]) SetPresent added in v1.5.6

func (dg *DependencyGraph[T]) SetPresent(present bool)

SetPresent sets the present flag for the dependency graph. This is useful when we want to indicate that the graph is present because we are building it as an enhancement over our existing list of packages.

func (*DependencyGraph[T]) UnmarshalJSON added in v1.5.6

func (dg *DependencyGraph[T]) UnmarshalJSON(b []byte) error

type DependencyGraphNode added in v1.5.6

type DependencyGraphNode[T DependencyGraphNodeType] struct {
	Data     T   `json:"data"`
	Children []T `json:"children"`

	// While not relevant for a graph, this is required to identify root packages
	Root bool `json:"root"`
}

DependencyGraphNode represents a node in the dependency graph. It must be serializable to JSON

func (*DependencyGraphNode[T]) SetRoot added in v1.5.6

func (node *DependencyGraphNode[T]) SetRoot(root bool)

type DependencyGraphNodeType added in v1.5.6

type DependencyGraphNodeType interface {
	Id() string
}

We are using generics here to make the graph implementation not too coupled with our model types

type ManifestSourceType added in v1.8.0

type ManifestSourceType string

type Package

type Package struct {
	lockfile.PackageDetails `json:"package_detail"`

	// Insights obtained for this package
	Insights *insightapi.PackageVersionInsight `json:"insights,omitempty"`

	// Insights v2
	InsightsV2 *packagev1.PackageVersionInsight `json:"insights_v2,omitempty"`

	// This package is a transitive dependency of parent package
	Parent *Package `json:"-"`

	// Depth of this package in dependency tree
	Depth int `json:"depth"`

	// Optional provenances for this package
	Provenances []*Provenance `json:"provenances"`

	// Manifest from where this package was found directly or indirectly
	Manifest *PackageManifest `json:"-"`
}

Represents a package such as a version of a library defined as a dependency in Gemfile.lock, pom.xml etc.

func (*Package) DependencyPath added in v1.5.6

func (p *Package) DependencyPath() []*Package

DependencyPath returns the path from a root package to this package

func (*Package) GetControlTowerSpecEcosystem added in v1.8.3

func (p *Package) GetControlTowerSpecEcosystem() packagev1.Ecosystem

func (*Package) GetDependencies added in v1.8.0

func (p *Package) GetDependencies() ([]*Package, error)

func (*Package) GetDependencyGraph added in v1.5.6

func (p *Package) GetDependencyGraph() *DependencyGraph[*Package]

func (*Package) GetName added in v1.3.0

func (p *Package) GetName() string

func (*Package) GetProvenances added in v1.8.10

func (p *Package) GetProvenances() []*Provenance

func (*Package) GetSpecEcosystem added in v1.3.0

func (p *Package) GetSpecEcosystem() modelspec.Ecosystem

FIXME: For SPDX/CycloneDX, package ecosystem may be different from the manifest ecosystem

func (*Package) GetVersion added in v1.3.0

func (p *Package) GetVersion() string

func (*Package) Id

func (p *Package) Id() string

Id returns a unique identifier for this package within a manifest. It is used to identify a package in the dependency graph and should be reproducible across multiple runs.

func (*Package) ShortName

func (p *Package) ShortName() string

type PackageManifest

type PackageManifest struct {
	// The source of the package manifest
	Source PackageManifestSource `json:"source"`

	// Filesystem path of this manifest
	Path string `json:"path"`

	// Ecosystem to interpret this manifest
	Ecosystem string `json:"ecosystem"`

	// List of packages obtained by parsing the manifest
	Packages []*Package `json:"packages"`

	// The package dependency graph representation
	DependencyGraph *DependencyGraph[*Package] `json:"dependency_graph"`
	// contains filtered or unexported fields
}

Represents a package manifest that contains a list of packages. Example: pom.xml, requirements.txt

func NewPackageManifest deprecated added in v1.5.6

func NewPackageManifest(path, ecosystem string) *PackageManifest

Deprecated: Use NewPackageManifest* initializers

func NewPackageManifestFromGitHub added in v1.8.0

func NewPackageManifestFromGitHub(repo, repoRelativePath, realPath, ecosystem string) *PackageManifest

func NewPackageManifestFromLocal added in v1.8.0

func NewPackageManifestFromLocal(path, ecosystem string) *PackageManifest

func NewPackageManifestFromPurl added in v1.8.8

func NewPackageManifestFromPurl(purl, ecosystem string) *PackageManifest

func (*PackageManifest) AddPackage

func (pm *PackageManifest) AddPackage(pkg *Package)

func (*PackageManifest) GetControlTowerSpecEcosystem added in v1.8.0

func (pm *PackageManifest) GetControlTowerSpecEcosystem() packagev1.Ecosystem

func (*PackageManifest) GetDisplayPath added in v1.3.1

func (pm *PackageManifest) GetDisplayPath() string

GetDisplayPath returns the [DisplayPath] if available, or falls back to [Path].

func (*PackageManifest) GetPackages added in v1.5.6

func (pm *PackageManifest) GetPackages() []*Package

GetPackages returns the list of packages in this manifest. It uses the DependencyGraph to get the list of packages if available, else it falls back to the [Packages] field.

func (*PackageManifest) GetPackagesCount added in v1.4.0

func (pm *PackageManifest) GetPackagesCount() int

func (*PackageManifest) GetPath added in v1.3.0

func (pm *PackageManifest) GetPath() string

func (*PackageManifest) GetSource added in v1.8.0

func (pm *PackageManifest) GetSource() PackageManifestSource

func (*PackageManifest) GetSpecEcosystem deprecated added in v1.3.0

func (pm *PackageManifest) GetSpecEcosystem() modelspec.Ecosystem

Deprecated: Move towards GetControlTowerSpecEcosystem

func (*PackageManifest) Id added in v1.3.0

func (pm *PackageManifest) Id() string

func (*PackageManifest) SetDisplayPath added in v1.3.1

func (pm *PackageManifest) SetDisplayPath(path string)

func (*PackageManifest) SetPath added in v1.8.1

func (pm *PackageManifest) SetPath(path string)

func (*PackageManifest) UpdateSourceAsGitRepository added in v1.8.0

func (p *PackageManifest) UpdateSourceAsGitRepository(repo, repoRelativePath string)

Parsers usually create a package manifest from a file; readers have the context to set the source correctly. Example: the GitHub reader.

type PackageManifestSource added in v1.8.0

type PackageManifestSource struct {
	// The source type of this package namespace
	Type ManifestSourceType `json:"type"`

	// The namespace of the package manifest. Examples:
	// - Directory when source is local
	// - GitHub repo URL when source is GitHub
	Namespace string `json:"namespace"`

	// The namespace relative path of the package manifest.
	// This is an actually referenceable identifier to the data
	Path string `json:"path"`

	// Explicit override the display path
	DisplayPath string `json:"display_path"`
}

We now have different sources from which a package manifest can be identified. For example, local and GitHub, and maybe in the future within containers or archives such as JAR files. So we need to store additional internal metadata.

func (PackageManifestSource) GetDisplayPath added in v1.8.0

func (ps PackageManifestSource) GetDisplayPath() string

func (PackageManifestSource) GetNamespace added in v1.8.0

func (ps PackageManifestSource) GetNamespace() string

func (PackageManifestSource) GetPath added in v1.8.0

func (ps PackageManifestSource) GetPath() string

func (PackageManifestSource) GetType added in v1.8.3

type Provenance added in v1.8.10

type Provenance struct {
	Type             ProvenanceType `json:"type"`
	CommitSHA        string         `json:"commit_sha"`
	SourceRepository string         `json:"source_url"`
	Url              string         `json:"url"`
	Verified         bool           `json:"verified"`
}

Represents an abstract provenance of a package, provided by sources such as deps.dev.

type ProvenanceType added in v1.8.10

type ProvenanceType string
