Documentation
¶
Index ¶
- Constants
- func ClassifyManifest(subprojectRel, manifestPath string) (subprojectDir, moduleDir string)
- func FailingFindingCount(findings []sdk.Finding) int
- func ManifestRootName(manifest ScanManifest) string
- func Write(w io.Writer, format Format, payload any, renderers Renderers) error
- func WriteSARIF(w io.Writer, findings []sdk.Finding, registry *sdk.PackageRegistry, ...) error
- type AuditFinding
- type AuditSummary
- type DependencyPath
- type DiffAudit
- type DiffChangedPackage
- type DiffComparison
- type DiffDependencyResults
- type DiffLicenseChange
- type DiffLicenseDelta
- type DiffLicenseResults
- type DiffManifestResult
- type DiffPackageChange
- type DiffResponse
- type DiffResults
- type DiffSummary
- type DiffVulnerabilityChange
- type DiffVulnerabilityResults
- type ExplainQuery
- type ExplainResponse
- type ExplainTargetResponse
- type FindingPackageRef
- type Format
- type HierarchyNode
- type LicenseRef
- type LocationRef
- type ManifestNodeKind
- type Metadata
- type PackageRef
- type PositionRef
- type ProjectDescriptor
- type Renderers
- type ReportOptions
- type SARIFLineRange
- type SARIFOptions
- type ScanDependency
- type ScanManifest
- type ScanPackageEntry
- type ScanResponse
- type ScanTargetResponse
- type VulnerabilityRef
Constants ¶
const SchemaVersion = "1.0"
SchemaVersion is the current CLI output schema version.
Variables ¶
This section is empty.
Functions ¶
func ClassifyManifest ¶ added in v0.18.0
ClassifyManifest resolves where a manifest belongs in the hierarchy from its subproject relative path ("", "." = scan root) and its repo-relative manifest path. It returns the normalized subproject directory ("." for root) and the module directory: "" when the manifest sits directly in its subproject directory, otherwise the repo-relative directory of the module that owns the manifest. A manifest whose directory is not beneath its subproject directory attaches directly to the subproject (defensive).
func FailingFindingCount ¶
FailingFindingCount reports how many findings should fail policy evaluation.
func ManifestRootName ¶ added in v0.18.0
func ManifestRootName(manifest ScanManifest) string
ManifestRootName returns the package name of a manifest's root dependency — the project/module's own name (web, core-lib) — or "" when the manifest has no single unambiguous root. The root is the one dependency no other dependency in the manifest depends on.
func WriteSARIF ¶
func WriteSARIF(w io.Writer, findings []sdk.Finding, registry *sdk.PackageRegistry, toolName, toolVersion string, options ...SARIFOptions) error
WriteSARIF writes findings as a SARIF 2.1.0 document to w. toolName and toolVersion are used to populate the driver section. registry, when non-nil, is used to resolve f.PackageRef → *sdk.Package and f.VulnerabilityID → *sdk.Vulnerability so each result carries the rich properties (CVSS / EPSS / KEV / CWE / fix state / reachability call paths) as SARIF `properties` / `codeFlows`.
Types ¶
type AuditFinding ¶
type AuditFinding struct {
ID string `json:"id"`
Kind sdk.FindingKind `json:"kind"`
Severity sdk.SeverityLevel `json:"severity"`
Package FindingPackageRef `json:"package"`
Title string `json:"title"`
Reasons []string `json:"reasons,omitempty"`
Source string `json:"source"`
Auditor string `json:"auditor,omitempty"`
Disposition sdk.FindingDisposition `json:"disposition,omitempty"`
VulnerabilityID string `json:"vulnerability_id,omitempty"`
DependencyRefs []string `json:"dependency_refs,omitempty"`
}
AuditFinding is the serialized form of one normalized scan finding. It mirrors sdk.Finding's three-collection shape: the package is referenced by identity (join to packages[] via purl), the advisory by vulnerability_id (join to packages[].vulnerabilities), and the introducing graph nodes by dependency_refs (join to manifests[].dependencies ids).
func FindingsFromScan ¶
func FindingsFromScan(findings []sdk.Finding, registry *sdk.PackageRegistry) []AuditFinding
FindingsFromScan converts normalized findings into JSON-friendly DTOs. When registry is non-nil the finding's package reference is resolved against it for display identity (name/org/version/ecosystem), and a missing finding severity is backfilled from the referenced advisory.
func (AuditFinding) ResolvedVulnerabilityID ¶ added in v0.17.0
func (f AuditFinding) ResolvedVulnerabilityID() string
ResolvedVulnerabilityID returns the advisory id a finding references, falling back to the finding id when VulnerabilityID is unset. All joins against packages[].vulnerabilities use this precedence rule.
type AuditSummary ¶
type AuditSummary struct {
Critical int `json:"critical"`
High int `json:"high"`
Medium int `json:"medium"`
Low int `json:"low"`
Unknown int `json:"unknown"`
Total int `json:"total"`
}
AuditSummary aggregates finding counts by severity.
func SummaryFromFindings ¶
func SummaryFromFindings(findings []sdk.Finding) *AuditSummary
SummaryFromFindings aggregates finding counts by severity band.
type DependencyPath ¶
type DependencyPath struct {
Relationship string `json:"relationship,omitempty"`
Packages []PackageRef `json:"packages"`
IntroducedVia string `json:"introduced_via,omitempty"`
Cyclic bool `json:"cyclic,omitempty"`
CycleTo string `json:"cycle_to,omitempty"`
}
DependencyPath describes one resolved dependency path returned by the explain command.
type DiffAudit ¶
type DiffAudit struct {
Introduced []AuditFinding `json:"introduced,omitempty"`
Resolved []AuditFinding `json:"resolved,omitempty"`
Persisted []AuditFinding `json:"persisted,omitempty"`
AuditSummary *AuditSummary `json:"audit_summary,omitempty"`
}
DiffAudit groups audit deltas for diff output.
type DiffChangedPackage ¶
type DiffChangedPackage struct {
After PackageRef `json:"after"`
Before PackageRef `json:"before"`
}
DiffChangedPackage is one version-changed package.
type DiffComparison ¶
DiffComparison identifies the compared dependency states.
type DiffDependencyResults ¶
type DiffDependencyResults struct {
Added []DiffPackageChange `json:"added,omitempty"`
Removed []DiffPackageChange `json:"removed,omitempty"`
Changed []DiffChangedPackage `json:"changed,omitempty"`
}
DiffDependencyResults aggregates package changes across all manifests.
type DiffLicenseChange ¶
type DiffLicenseChange struct {
Package PackageRef `json:"package"`
Licenses []LicenseRef `json:"licenses"`
}
DiffLicenseChange is a package whose license set was introduced or removed.
type DiffLicenseDelta ¶
type DiffLicenseDelta struct {
Package PackageRef `json:"package"`
Before []LicenseRef `json:"before"`
After []LicenseRef `json:"after"`
}
DiffLicenseDelta is a package whose license set changed.
type DiffLicenseResults ¶
type DiffLicenseResults struct {
Added []DiffLicenseChange `json:"added,omitempty"`
Removed []DiffLicenseChange `json:"removed,omitempty"`
Changed []DiffLicenseDelta `json:"changed,omitempty"`
}
DiffLicenseResults aggregates license changes across all manifests.
type DiffManifestResult ¶
type DiffManifestResult struct {
Status string `json:"status"`
Path string `json:"path,omitempty"`
Kind sdk.ManifestKind `json:"kind,omitempty"`
Subproject string `json:"subproject,omitempty"`
Ecosystem sdk.Ecosystem `json:"ecosystem,omitempty"`
PackageManager sdk.PackageManager `json:"package_manager,omitempty"`
Added []DiffPackageChange `json:"added,omitempty"`
Removed []DiffPackageChange `json:"removed,omitempty"`
Changed []DiffChangedPackage `json:"changed,omitempty"`
}
DiffManifestResult describes changes for one manifest.
type DiffPackageChange ¶
type DiffPackageChange struct {
Package PackageRef `json:"package"`
}
DiffPackageChange is one added or removed package.
type DiffResponse ¶
type DiffResponse struct {
SchemaVersion string `json:"schema_version"`
Command string `json:"command"`
Project ProjectDescriptor `json:"project"`
Comparison DiffComparison `json:"comparison"`
Results DiffResults `json:"results"`
Summary DiffSummary `json:"summary"`
Packages []ScanPackageEntry `json:"packages"`
Audit *DiffAudit `json:"audit,omitempty"`
Metadata Metadata `json:"metadata"`
}
DiffResponse is the structured payload for the diff command. Packages is the PURL-deduplicated union of the base and head registries (head wins on conflict) so audit findings can be joined against advisory data the same way scan findings join against ScanResponse.Packages.
func BuildDiffResponse ¶
func BuildDiffResponse(projectPath, baseRef, headRef string, baseConsolidated, headConsolidated sdk.ConsolidatedGraph, audit *DiffAudit, started time.Time, options ...ReportOptions) DiffResponse
BuildDiffResponse constructs the structured diff payload from consolidated manifest selections.
func (DiffResponse) WithReportOptions ¶
func (r DiffResponse) WithReportOptions(options ReportOptions) DiffResponse
WithReportOptions annotates a DiffResponse with optional report data and strips experimental reachability annotations when the flag is disabled.
type DiffResults ¶
type DiffResults struct {
Dependencies DiffDependencyResults `json:"dependencies"`
Licenses DiffLicenseResults `json:"licenses"`
Vulnerabilities DiffVulnerabilityResults `json:"vulnerabilities"`
Manifests []DiffManifestResult `json:"manifests"`
}
DiffResults groups per-manifest diff results.
type DiffSummary ¶
type DiffSummary struct {
AddedManifestCount int `json:"added_manifest_count"`
ChangedManifestCount int `json:"changed_manifest_count"`
RemovedManifestCount int `json:"removed_manifest_count"`
UnchangedManifestCount int `json:"unchanged_manifest_count"`
AddedPackageCount int `json:"added_package_count"`
ChangedPackageCount int `json:"changed_package_count"`
RemovedPackageCount int `json:"removed_package_count"`
ExactMatchCount int `json:"exact_match_count"`
FuzzyMatchCount int `json:"fuzzy_match_count"`
UnmatchedPackageCount int `json:"unmatched_package_count"`
}
DiffSummary aggregates manifest and package counts for a diff.
type DiffVulnerabilityChange ¶
type DiffVulnerabilityChange struct {
Package PackageRef `json:"package"`
Vulnerability VulnerabilityRef `json:"vulnerability"`
}
DiffVulnerabilityChange is one vulnerability introduced or removed for a package.
type DiffVulnerabilityResults ¶
type DiffVulnerabilityResults struct {
Added []DiffVulnerabilityChange `json:"added,omitempty"`
Removed []DiffVulnerabilityChange `json:"removed,omitempty"`
Persisted []DiffVulnerabilityChange `json:"persisted,omitempty"`
}
DiffVulnerabilityResults aggregates vulnerability changes across all manifests. Persisted holds vulnerabilities that affect a version-changed package on both sides of the diff — i.e. carried-over findings the upgrade did not remediate.
type ExplainQuery ¶
type ExplainQuery struct {
Name string `json:"name"`
}
ExplainQuery records the user query issued to the explain command.
type ExplainResponse ¶
type ExplainResponse struct {
SchemaVersion string `json:"schema_version"`
Command string `json:"command"`
Project ProjectDescriptor `json:"project"`
Query ExplainQuery `json:"query"`
Dependency PackageRef `json:"dependency,omitempty"`
Paths []DependencyPath `json:"paths,omitempty"`
Findings []AuditFinding `json:"findings,omitempty"`
AuditSummary *AuditSummary `json:"audit_summary,omitempty"`
Targets []ExplainTargetResponse `json:"targets,omitempty"`
Metadata Metadata `json:"metadata"`
}
ExplainResponse is the structured payload for the explain command.
func BuildExplainResponse ¶
func BuildExplainResponse(project ProjectDescriptor, query string, targets []ExplainTargetResponse, started time.Time, options ...ReportOptions) ExplainResponse
BuildExplainResponse constructs the structured explain payload from resolved targets.
func (ExplainResponse) WithReportOptions ¶
func (r ExplainResponse) WithReportOptions(options ReportOptions) ExplainResponse
WithReportOptions annotates an ExplainResponse with optional report data and strips experimental reachability annotations when the flag is disabled.
type ExplainTargetResponse ¶
type ExplainTargetResponse struct {
Project ProjectDescriptor `json:"project"`
Detector string `json:"detector,omitempty"`
PackageManager sdk.PackageManager `json:"package_manager,omitempty"`
Dependency PackageRef `json:"dependency"`
Paths []DependencyPath `json:"paths"`
Findings []AuditFinding `json:"findings,omitempty"`
AuditSummary *AuditSummary `json:"audit_summary,omitempty"`
}
ExplainTargetResponse represents explain output for one resolved target.
type FindingPackageRef ¶ added in v0.17.0
type FindingPackageRef struct {
Name string `json:"name"`
Org string `json:"org,omitempty"`
Version string `json:"version,omitempty"`
Purl string `json:"purl,omitempty"`
Ecosystem string `json:"ecosystem,omitempty"`
}
FindingPackageRef is an identity-only reference from a finding into the top-level packages collection (join key: purl). Advisory enrichment lives once, on the referenced ScanPackageEntry — findings never re-embed it.
func (FindingPackageRef) DisplayLabel ¶ added in v0.17.0
func (p FindingPackageRef) DisplayLabel() string
DisplayLabel returns a human-readable name@version label for the package.
type Format ¶
type Format string
Format identifies a supported output format.
const ( // FormatJSON renders structured JSON output. FormatJSON Format = "json" // FormatMarkdown renders a Markdown report. FormatMarkdown Format = "markdown" // FormatText renders a human-readable text format. FormatText Format = "text" // FormatSARIF renders SARIF 2.1.0 output for vulnerability findings. FormatSARIF Format = "sarif" // FormatSPDX renders an SPDX 2.3 JSON SBOM. FormatSPDX Format = "spdx" // FormatCycloneDX renders a CycloneDX 1.6 JSON SBOM. FormatCycloneDX Format = "cyclonedx" )
func ParseFormat ¶
ParseFormat validates a format value.
type HierarchyNode ¶ added in v0.18.0
type HierarchyNode struct {
Kind ManifestNodeKind
// Dir is the repo-relative directory of the node; "." for the project root.
Dir string
// Label is the display name: subproject labels are their repo-relative
// directory, module labels are relative to their parent node's directory.
Label string
// ManifestIndexes point into the manifests slice passed to BuildHierarchy
// for manifests attached directly to this node, preserving input order.
ManifestIndexes []int
// Children holds module nodes (under project or subproject nodes) and
// subproject nodes (under the project node only), modules first, each
// group sorted by Dir.
Children []HierarchyNode
// AttachedManifest is set on module nodes only: the index (into the
// manifests slice passed to BuildHierarchy) of the parent node's manifest
// that natively resolves this module — the workspace lockfile or reactor
// pom. -1 when no unambiguous parent manifest exists. Views nest modules
// under that manifest's node.
AttachedManifest int
}
HierarchyNode is one node of the derived project → subproject → module grouping of scan manifests. The hierarchy is a pure presentation view: it is derived from each manifest's Subproject and Path fields, never stored, so every consumer (TUI, text, markdown, MCP) shows the same structure without schema changes.
func BuildHierarchy ¶ added in v0.18.0
func BuildHierarchy(manifests []ScanManifest) HierarchyNode
BuildHierarchy groups scan manifests into the derived project hierarchy: root-level manifests attach directly to the project node; module nodes and subproject nodes are its children (modules first, then subprojects, each sorted by directory); a subproject's own manifests attach to its node with its modules as children.
func (HierarchyNode) CountKind ¶ added in v0.18.0
func (n HierarchyNode) CountKind(kind ManifestNodeKind) int
CountKind returns the number of descendant nodes of the given kind.
func (HierarchyNode) HasGroups ¶ added in v0.18.0
func (n HierarchyNode) HasGroups() bool
HasGroups reports whether the hierarchy contains any subproject or module nodes. Consumers keep today's flat presentation when it does not.
type LicenseRef ¶
type LicenseRef struct {
Value string `json:"value,omitempty"`
SPDXExpression string `json:"spdxExpression,omitempty"`
Type sdk.LicenseType `json:"type,omitempty"`
}
LicenseRef identifies one package license in command outputs.
func LicenseRefsFromGraphLicenses ¶
func LicenseRefsFromGraphLicenses(licenses []sdk.PackageLicense) []LicenseRef
LicenseRefsFromGraphLicenses converts graph licenses into output-friendly values.
func (LicenseRef) Identifier ¶
func (l LicenseRef) Identifier() string
Identifier returns the most useful license identifier for display.
type LocationRef ¶
type LocationRef struct {
RealPath string `json:"real_path,omitempty"`
AccessPath string `json:"access_path,omitempty"`
Position *PositionRef `json:"position,omitempty"`
}
LocationRef points at where a package was declared in a lockfile or manifest. Detectors populate this when their input format makes position cheaply recoverable; consumers (SARIF / explain output / IDE plugins) use it to deep-link into the source.
func LocationRefsFromGraphLocations ¶
func LocationRefsFromGraphLocations(locations []sdk.PackageLocation) []LocationRef
LocationRefsFromGraphLocations converts SDK locations into output-friendly values, dropping entries with no useful content.
type ManifestNodeKind ¶ added in v0.18.0
type ManifestNodeKind string
ManifestNodeKind labels one level of the derived project hierarchy.
const ( // ManifestNodeProject is the scan root. ManifestNodeProject ManifestNodeKind = "project" // ManifestNodeSubproject is an independently discovered nested directory // (a subproject planned by discovery with a non-root relative path). ManifestNodeSubproject ManifestNodeKind = "subproject" // ManifestNodeModule is a member the package manager natively resolves // under one root manifest (a Maven reactor module, an npm/pnpm/cargo // workspace member): its manifest path sits beneath the subproject // directory that produced it. ManifestNodeModule ManifestNodeKind = "module" )
type Metadata ¶
type Metadata struct {
DurationMS int64 `json:"duration_ms"`
ReachabilityEnabled bool `json:"reachability_enabled,omitempty"`
ScorecardEnabled bool `json:"scorecard_enabled,omitempty"`
AnalyzerRuns []string `json:"analyzer_runs,omitempty"`
AnalyzerStats map[string]sdk.ReachabilityStats `json:"analyzer_stats,omitempty"`
}
Metadata captures execution metadata shared by all command outputs.
type PackageRef ¶
type PackageRef struct {
Name string `json:"name"`
Version string `json:"version,omitempty"`
Scope string `json:"scope,omitempty"`
Purl string `json:"purl,omitempty"`
ID string `json:"id,omitempty"`
Metadata map[string]any `json:"metadata,omitempty"`
Locations []LocationRef `json:"locations,omitempty"`
Licenses []LicenseRef `json:"licenses"`
Vulnerabilities []VulnerabilityRef `json:"vulnerabilities"`
Scorecard *sdk.PackageScorecard `json:"scorecard,omitempty"`
// Direct reports whether the package is a direct dependency of a project
// root. nil means directness could not be determined (e.g. a flat SBOM with
// no dependency edges); it is only populated where a graph is in scope.
Direct *bool `json:"direct,omitempty"`
}
PackageRef identifies a package in command outputs.
func PackageFromDependencyAndRegistry ¶
func PackageFromDependencyAndRegistry(dep *sdk.Dependency, registry *sdk.PackageRegistry) PackageRef
PackageFromDependencyAndRegistry builds a PackageRef from a graph Dependency node and layers in matching-stage enrichment (vulnerabilities, scorecard, licenses learned during matching) by resolving dep.PURL against the registry. registry may be nil — callers without a registry get the detection-only projection.
func PackageFromGraphPackage ¶
func PackageFromGraphPackage(dep *sdk.Dependency) PackageRef
PackageFromGraphPackage builds a PackageRef from a graph Dependency node. Detection-time license facts (carried in the dependency's metadata under MetadataKeyDetectionLicenses) are surfaced directly from the dependency; matching-stage enrichment (Vulnerabilities, Scorecard, EOL, licenses learned during matching) must come from the registry — use PackageFromDependencyAndRegistry when a registry is in scope.
type PositionRef ¶
type PositionRef struct {
File string `json:"file,omitempty"`
Line int `json:"line,omitempty"`
Column int `json:"column,omitempty"`
EndLine int `json:"end_line,omitempty"`
}
PositionRef is the JSON shape of sdk.SourcePosition.
type ProjectDescriptor ¶
type ProjectDescriptor struct {
Name string `json:"name,omitempty"`
Path string `json:"path"`
TargetType string `json:"target_type,omitempty"`
TargetRef string `json:"target_ref,omitempty"`
Ecosystem sdk.Ecosystem `json:"ecosystem"`
PackageManager sdk.PackageManager `json:"package_manager,omitempty"`
}
ProjectDescriptor describes the project being analyzed.
type ReportOptions ¶
type ReportOptions struct {
ReachabilityEnabled bool
ScorecardEnabled bool
AnalyzerRuns []string
AnalyzerStats map[string]sdk.ReachabilityStats
BaseRegistry *sdk.PackageRegistry
HeadRegistry *sdk.PackageRegistry
}
ReportOptions controls optional experimental data in structured command outputs.
type SARIFLineRange ¶ added in v0.14.17
SARIFLineRange is an inclusive 1-based line range used to prefer dependency locations that intersect a source diff.
type SARIFOptions ¶
type SARIFOptions struct {
IncludeReachability bool
LocationGraphs []*sdk.Graph
BaselineState string
ChangedLines map[string][]SARIFLineRange
}
SARIFOptions controls optional experimental data in SARIF output.
type ScanDependency ¶
type ScanDependency struct {
ID string `json:"id"`
Name string `json:"name"`
Version string `json:"version,omitempty"`
Purl string `json:"purl,omitempty"`
Scopes []string `json:"scopes,omitempty"`
DependsOn []string `json:"depends_on"`
Matched bool `json:"matched,omitempty"`
PackageRef string `json:"package_ref,omitempty"`
Locations []LocationRef `json:"locations,omitempty"`
Licenses []LicenseRef `json:"licenses"`
}
ScanDependency is one detection-stage dependency node in a manifest. It is a lean projection of sdk.Dependency: identity, scopes, edges, detection-time licenses, and a package_ref (PURL) link into the top-level packages collection. Matching-stage enrichment (vulnerabilities, scorecard, EOL, licenses learned during matching) is NOT carried here — it lives on the resolved ScanPackageEntry referenced by PackageRef.
func DependenciesFromGraph ¶
func DependenciesFromGraph(g *sdk.Graph, registry *sdk.PackageRegistry) []ScanDependency
DependenciesFromGraph converts a graph into stable, lean scan dependency payloads. registry, when non-nil, supplies the Matched flag via PURL lookup; all richer enrichment is surfaced through PackagesFromRegistry instead.
func (ScanDependency) PrimaryScope ¶
func (d ScanDependency) PrimaryScope() string
PrimaryScope returns the merged precedence scope across the dependency's recorded scopes, mirroring sdk.Dependency.PrimaryScope so text/markdown renderers reproduce the same scope label as before the model split.
type ScanManifest ¶
type ScanManifest struct {
Path string `json:"path,omitempty"`
Kind sdk.ManifestKind `json:"kind,omitempty"`
Subproject string `json:"subproject,omitempty"`
Ecosystem sdk.Ecosystem `json:"ecosystem,omitempty"`
PackageManager sdk.PackageManager `json:"package_manager,omitempty"`
Detector string `json:"detector,omitempty"`
Resolution *sdk.ResolutionMetadata `json:"resolution,omitempty"`
Dependencies []ScanDependency `json:"dependencies"`
}
ScanManifest is one manifest-scoped dependency inventory in the scan payload.
func ScanManifestsFromConsolidated ¶
func ScanManifestsFromConsolidated(consolidated sdk.ConsolidatedGraph, registry *sdk.PackageRegistry) []ScanManifest
ScanManifestsFromConsolidated converts consolidated manifest selections into stable scan payloads. registry, when non-nil, enriches each manifest's packages with matching-stage data (vulnerabilities / scorecard / etc.) resolved by PURL.
type ScanPackageEntry ¶
type ScanPackageEntry struct {
Purl string `json:"purl"`
Name string `json:"name,omitempty"`
Org string `json:"org,omitempty"`
Version string `json:"version,omitempty"`
Ecosystem string `json:"ecosystem,omitempty"`
Matched bool `json:"matched,omitempty"`
Licenses []LicenseRef `json:"licenses"`
Vulnerabilities []VulnerabilityRef `json:"vulnerabilities"`
Scorecard *sdk.PackageScorecard `json:"scorecard,omitempty"`
EOL *sdk.PackageEOL `json:"eol,omitempty"`
CPEs []string `json:"cpes,omitempty"`
Digests []sdk.Digest `json:"digests,omitempty"`
Metadata map[string]any `json:"metadata,omitempty"`
}
ScanPackageEntry is one matching-stage artifact in the top-level packages collection: a PURL-keyed, deduplicated projection of sdk.Package carrying the enrichment (licenses, vulnerabilities, scorecard, EOL, CPEs, digests) that manifest dependencies reference by package_ref.
func PackagesFromRegistries ¶ added in v0.17.0
func PackagesFromRegistries(base, head *sdk.PackageRegistry) []ScanPackageEntry
PackagesFromRegistries projects the union of the base and head registries into one PURL-deduplicated packages collection. Head entries win on conflict, so findings computed against the head state resolve to head advisory data while base-only (resolved-finding) packages stay joinable.
func PackagesFromRegistry ¶
func PackagesFromRegistry(registry *sdk.PackageRegistry) []ScanPackageEntry
PackagesFromRegistry projects the matching-stage registry into the top-level packages collection, deduplicated by PURL. registry.All() is already PURL-sorted. Returns a non-nil (possibly empty) slice so JSON consumers always see a "packages" array.
type ScanResponse ¶
type ScanResponse struct {
SchemaVersion string `json:"schema_version"`
Command string `json:"command"`
Project ProjectDescriptor `json:"project"`
Manifests []ScanManifest `json:"manifests"`
Packages []ScanPackageEntry `json:"packages"`
Findings []AuditFinding `json:"findings,omitempty"`
AuditSummary *AuditSummary `json:"audit_summary,omitempty"`
Metadata Metadata `json:"metadata"`
}
ScanResponse is the structured payload for the scan command. It surfaces the three-collection model: manifests carry lean detection-stage dependencies, packages is the deduplicated matching-stage registry projection, and findings is the reference-style audit output.
func BuildScanResponse ¶
func BuildScanResponse(project ProjectDescriptor, consolidated sdk.ConsolidatedGraph, registry *sdk.PackageRegistry, findings []sdk.Finding, started time.Time, options ...ReportOptions) ScanResponse
BuildScanResponse constructs the structured scan payload from consolidated manifest selections and findings. Reachability metadata (analyzer runs and per-analyzer stats) is attached afterwards via ScanResponse.WithAnalyzerRuns.
func (ScanResponse) WithAnalyzerRuns ¶
func (r ScanResponse) WithAnalyzerRuns(runs []string, stats map[string]sdk.ReachabilityStats) ScanResponse
WithAnalyzerRuns annotates a ScanResponse with analyzer run names and per-analyzer reachability stats. Returns the response by value so it can be chained from BuildScanResponse callers without intermediate state.
func (ScanResponse) WithReportOptions ¶
func (r ScanResponse) WithReportOptions(options ReportOptions) ScanResponse
WithReportOptions annotates a ScanResponse with optional report data and strips experimental reachability annotations when the flag is disabled.
type ScanTargetResponse ¶
type ScanTargetResponse struct {
Project ProjectDescriptor `json:"project"`
Detector string `json:"detector,omitempty"`
Dependencies []ScanDependency `json:"dependencies"`
}
ScanTargetResponse represents one target-specific scan payload.
type VulnerabilityRef ¶
type VulnerabilityRef struct {
ID string `json:"id"`
Source string `json:"source"`
Title string `json:"title,omitempty"`
Severity sdk.SeverityLevel `json:"severity,omitempty"`
SeveritySource string `json:"severity_source,omitempty"`
Aliases []string `json:"aliases,omitempty"`
Description string `json:"description,omitempty"`
Reasons []string `json:"reasons,omitempty"`
CVSS []sdk.CVSSScore `json:"cvss,omitempty"`
FixedIn string `json:"fixed_in,omitempty"`
FixedVersions []string `json:"fixed_versions,omitempty"`
FixState sdk.FixState `json:"fix_state,omitempty"`
FixAvailable []sdk.FixAvailable `json:"fix_available,omitempty"`
AffectedVersionRange string `json:"affected_version_range,omitempty"`
References []sdk.Reference `json:"references,omitempty"`
KEVExploited bool `json:"kev_exploited,omitempty"`
KnownExploited []sdk.KnownExploited `json:"known_exploited,omitempty"`
EPSS []sdk.EPSSScore `json:"epss,omitempty"`
CWEs []sdk.CWE `json:"cwes,omitempty"`
RiskScore float64 `json:"risk_score,omitempty"`
DataSource string `json:"data_source,omitempty"`
Namespace string `json:"namespace,omitempty"`
CPEs []string `json:"cpes,omitempty"`
AffectedSymbols []sdk.AffectedSymbol `json:"affected_symbols,omitempty"`
Reachability *sdk.Reachability `json:"reachability,omitempty"`
}
VulnerabilityRef identifies one package vulnerability in command outputs.
func FindingVulnerabilityInPackages ¶ added in v0.17.0
func FindingVulnerabilityInPackages(f AuditFinding, packages []ScanPackageEntry) *VulnerabilityRef
FindingVulnerabilityInPackages resolves the advisory a finding references (finding.package.purl + finding.vulnerability_id) against the top-level packages collection. Returns nil when the package or advisory is absent — e.g. non-vulnerability findings or unenriched scans.
func MatchVulnerabilityRef ¶ added in v0.17.0
func MatchVulnerabilityRef(refs []VulnerabilityRef, id string) *VulnerabilityRef
MatchVulnerabilityRef finds the vulnerability ref matching id (or one of its aliases) in refs. Returns nil when id is empty or no ref matches.
func VulnerabilityRefsFromPackageVulnerabilities ¶
func VulnerabilityRefsFromPackageVulnerabilities(vulnerabilities []sdk.Vulnerability) []VulnerabilityRef
VulnerabilityRefsFromPackageVulnerabilities converts package vulnerability enrichment into output-friendly values.