update

package
Published: May 7, 2026 License: AGPL-3.0 Imports: 23 Imported by: 0


Functions

func BaseRiskScore

func BaseRiskScore(ut UpdateType) int

BaseRiskScore returns a risk score based on semver update type. CE uses this as the final score. Pro can enrich further with CVE data.

func DetectBreakingChanges

func DetectBreakingChanges(body string) bool

DetectBreakingChanges scans release body text for breaking change indicators.

func FactorsToJSON

func FactorsToJSON(factors map[string]RiskFactor) string

FactorsToJSON serializes risk factors to JSON for storage.

func ParseTag

func ParseTag(tag string) (*semver.Version, error)

ParseTag attempts to parse a Docker tag as a semver version. Returns (nil, error) for non-semver tags such as "latest" or "alpine".

func ParseTagOSVariant added in v1.1.0

func ParseTagOSVariant(tag string) (string, bool)

ParseTagOSVariant detects an OS variant from an image tag suffix. Returns the OSV ecosystem identifier and true if a variant was detected.

func SortTags

func SortTags(tags []string) []*semver.Version

SortTags filters non-semver tags and returns sorted semver versions (ascending).

Types

type CVECacheEntry

// CVECacheEntry caches CVE lookup results from OSV.dev.
// Entries are keyed by (Ecosystem, PackageName, PackageVersion); see
// UpdateStore.GetCVECacheEntries and UpdateStore.IsCVECacheFresh.
type CVECacheEntry struct {
	ID             int64       `json:"id"`
	Ecosystem      string      `json:"ecosystem"`
	PackageName    string      `json:"package_name"`
	PackageVersion string      `json:"package_version"`
	CVEID          string      `json:"cve_id"`
	CVSSScore      float64     `json:"cvss_score"`
	CVSSVector     string      `json:"cvss_vector"`
	Severity       CVESeverity `json:"severity"`
	Summary        string      `json:"summary"`
	FixedIn        string      `json:"fixed_in"` // first version containing the fix, as reported upstream
	ReferencesJSON string      `json:"references_json"`
	FetchedAt      time.Time   `json:"fetched_at"`
	ExpiresAt      time.Time   `json:"expires_at"` // NOTE(review): presumably what IsCVECacheFresh compares against — confirm
}

CVECacheEntry caches CVE lookup results from OSV.dev.

type CVEClient

// CVEClient queries OSV.dev for known vulnerabilities.
// Construct it with NewCVEClient; results are cached through the UpdateStore.
type CVEClient struct {
	// contains filtered or unexported fields
}

CVEClient queries OSV.dev for known vulnerabilities.

func NewCVEClient

func NewCVEClient(store UpdateStore, logger *slog.Logger) *CVEClient

NewCVEClient creates a CVE lookup client.

func (*CVEClient) QueryCVEs

func (c *CVEClient) QueryCVEs(ctx context.Context, queries []ImageCVEQuery) (map[string][]*CVECacheEntry, error)

QueryCVEs queries OSV.dev for a batch of images and returns CVEs.

type CVESeverity

// CVESeverity classifies the severity of a CVE. See the CVESeverity* constants.
type CVESeverity string

CVESeverity classifies the severity of a CVE.

// Recognised CVESeverity values, from most to least severe.
const (
	CVESeverityCritical CVESeverity = "critical"
	CVESeverityHigh     CVESeverity = "high"
	CVESeverityMedium   CVESeverity = "medium"
	CVESeverityLow      CVESeverity = "low"
)

type ChangelogResolver

// ChangelogResolver fetches release notes from GitHub.
// The source repository is discovered from OCI image labels (ResolveSourceURL)
// via the RegistryClient passed to NewChangelogResolver.
type ChangelogResolver struct {
	// contains filtered or unexported fields
}

ChangelogResolver fetches release notes from GitHub.

func NewChangelogResolver

func NewChangelogResolver(registry *RegistryClient, logger *slog.Logger) *ChangelogResolver

NewChangelogResolver creates a changelog resolver.

func (*ChangelogResolver) FetchLatestReleases

func (cr *ChangelogResolver) FetchLatestReleases(ctx context.Context, owner, repo string, count int) ([]ReleaseInfo, error)

FetchLatestReleases fetches the latest releases from a GitHub repository.

func (*ChangelogResolver) ResolveChangelog

func (cr *ChangelogResolver) ResolveChangelog(ctx context.Context, imageRef, latestTag string) (changelogURL, summary string, hasBreaking bool, sourceURL string)

ResolveChangelog resolves changelog data for an image update.

func (*ChangelogResolver) ResolveSourceURL

func (cr *ChangelogResolver) ResolveSourceURL(ctx context.Context, imageRef string) (string, error)

ResolveSourceURL extracts the source repository URL from OCI image labels.

type ContainerCVE

// ContainerCVE links a container to an active CVE.
type ContainerCVE struct {
	ID              int64       `json:"id"`
	ContainerID     string      `json:"container_id"`
	CVEID           string      `json:"cve_id"`
	Severity        CVESeverity `json:"severity"`
	CVSSScore       float64     `json:"cvss_score"`
	Summary         string      `json:"summary"`
	FixedIn         string      `json:"fixed_in"`
	FirstDetectedAt time.Time   `json:"first_detected_at"`
	ResolvedAt      *time.Time  `json:"resolved_at,omitempty"` // NOTE(review): presumably nil while active and set by UpdateStore.ResolveContainerCVE — confirm
}

ContainerCVE links a container to an active CVE.

type ContainerInfo

// ContainerInfo holds the minimal container data needed for scanning.
//
// NOTE(review): every field here originates from the container runtime, and
// Service.GenerateUpdateCommand / GenerateFixCommand / GenerateRollbackCommand
// build shell commands from a ContainerInfo. Treat these values as untrusted
// input in those generators (confirm quoting/validation in their implementation).
type ContainerInfo struct {
	ExternalID         string            // runtime container ID; key of the map returned by LabelFetcher.FetchLabels
	Name               string
	Image              string
	Labels             map[string]string // parsed by ParseUpdateLabels; populated live when WithLabelFetcher is set
	OrchestrationGroup string
	OrchestrationUnit  string
	RuntimeType        string
	ControllerKind     string
	ComposeWorkingDir  string
}

ContainerInfo holds the minimal container data needed for scanning.

type ContainerLister

// ContainerLister provides the list of containers to scan.
// ContainerServiceAdapter is the provided implementation.
type ContainerLister interface {
	// ListContainerInfos returns the containers the Service should scan.
	ListContainerInfos(ctx context.Context) ([]ContainerInfo, error)
}

ContainerLister provides the list of containers to scan.

type ContainerServiceAdapter

// ContainerServiceAdapter adapts container.Service to the ContainerLister interface.
// Use NewContainerServiceAdapter to build one; WithLabelFetcher optionally
// attaches a runtime LabelFetcher.
type ContainerServiceAdapter struct {
	// contains filtered or unexported fields
}

ContainerServiceAdapter adapts container.Service to the ContainerLister interface.

func NewContainerServiceAdapter

func NewContainerServiceAdapter(svc *container.Service) *ContainerServiceAdapter

NewContainerServiceAdapter creates a new adapter.

func (*ContainerServiceAdapter) GetContainerInfo added in v1.1.0

func (a *ContainerServiceAdapter) GetContainerInfo(ctx context.Context, externalID string) (ContainerInfo, error)

GetContainerInfo returns container metadata for a single container by external ID.

func (*ContainerServiceAdapter) ListContainerInfos

func (a *ContainerServiceAdapter) ListContainerInfos(ctx context.Context) ([]ContainerInfo, error)

ListContainerInfos returns container info for all running containers.

func (*ContainerServiceAdapter) WithLabelFetcher added in v1.2.0

WithLabelFetcher attaches a runtime label fetcher to the adapter. When set, ContainerInfo.Labels is populated with live runtime labels at scan time.

type Deps added in v1.1.0

// Deps holds all dependencies for the update Service, passed to NewService.
// The optional fields may also be set later via SetEnricher, SetEventCallback
// and SetAlertChannel.
type Deps struct {
	Store         UpdateStore        // required
	Scanner       *Scanner           // required
	Containers    ContainerLister    // required
	Logger        *slog.Logger       // required
	Enricher      Enricher           // optional — defaults to no-op
	EventCallback EventCallback      // optional — nil-safe
	AlertChan     chan<- interface{} // optional — nil-safe
}

Deps holds all dependencies for the update Service.

type DigestBaseline added in v1.1.2

// DigestBaseline stores the last-known remote digest for a non-semver tag.
// Used to detect when a channel tag (e.g. "lts", "alpine") has been republished.
type DigestBaseline struct {
	ContainerID  string    `json:"container_id"`
	Image        string    `json:"image"`
	Tag          string    `json:"tag"`
	RemoteDigest string    `json:"remote_digest"`
	CheckedAt    time.Time `json:"checked_at"`
}

DigestBaseline stores the last-known remote digest for a non-semver tag. Used to detect when a channel tag (e.g. "lts", "alpine") has been republished.

type DigestReport

// DigestReport is a structured summary of all updates for digest generation.
type DigestReport struct {
	Critical    []ImageUpdate `json:"critical"`
	Recommended []ImageUpdate `json:"recommended"`
	Available   []ImageUpdate `json:"available"`
	UpToDate    int           `json:"up_to_date"`
	Untracked   int           `json:"untracked"`
	TotalCVEs   int           `json:"total_cves"`
}

DigestReport is a structured summary of all updates for digest generation.

type EcosystemResolver added in v1.1.0

// EcosystemResolver resolves container images to CVE ecosystems using a
// fallback chain: cache → static → local OCI labels → remote registry labels
// → tag heuristics → image name fallback.
type EcosystemResolver struct {
	// contains filtered or unexported fields
}

EcosystemResolver resolves container images to CVE ecosystems using a fallback chain: cache → static → local OCI labels → remote registry labels → tag heuristics → image name fallback.

func NewEcosystemResolver added in v1.1.0

func NewEcosystemResolver(registry *RegistryClient, logger *slog.Logger) *EcosystemResolver

NewEcosystemResolver creates an ecosystem resolver.

func (*EcosystemResolver) Resolve added in v1.1.0

func (r *EcosystemResolver) Resolve(ctx context.Context, image, tag, digest string, localLabels map[string]string) *EcosystemResult

Resolve determines the CVE ecosystem for a container image using a fallback chain. Returns nil if no ecosystem can be determined.

type EcosystemResult added in v1.1.0

// EcosystemResult holds the resolved CVE ecosystem for a container image.
type EcosystemResult struct {
	PackageName     string `json:"package_name"`
	Ecosystem       string `json:"ecosystem"`
	DetectionMethod string `json:"detection_method"` // which step of the EcosystemResolver fallback chain produced the result
}

EcosystemResult holds the resolved CVE ecosystem for a container image.

type Enricher added in v1.1.0

// Enricher enriches raw scan results with additional data.
// CE: no-op (returns nil). Pro: runs an enrichment pipeline (CVE, changelog, risk).
type Enricher interface {
	// Enrich mutates results in place with enrichment data.
	Enrich(ctx context.Context, results []UpdateResult) error
}

Enricher enriches raw scan results with additional data. CE: no-op (returns nil). Pro: runs an enrichment pipeline (CVE, changelog, risk).

type EventCallback

// EventCallback is the function signature for SSE event broadcasting.
type EventCallback func(eventType string, data interface{})

EventCallback is the function signature for SSE event broadcasting.

type ExclusionType

// ExclusionType represents the type of exclusion pattern (see UpdateExclusion).
type ExclusionType string

ExclusionType represents the type of exclusion pattern.

// ExclusionType values: an exclusion pattern applies to image names or to tags.
const (
	ExclusionTypeImage ExclusionType = "image"
	ExclusionTypeTag   ExclusionType = "tag"
)

type ImageCVEQuery

// ImageCVEQuery holds parameters for querying CVEs for an image.
type ImageCVEQuery struct {
	ContainerID string
	PackageName string
	Ecosystem   string
	Version     string
}

ImageCVEQuery holds parameters for querying CVEs for an image.

type ImageUpdate

// ImageUpdate stores a detected update per container image.
type ImageUpdate struct {
	ID                 int64      `json:"id"`
	ScanID             int64      `json:"scan_id"`
	ContainerID        string     `json:"container_id"`
	ContainerName      string     `json:"container_name"`
	Image              string     `json:"image"`
	CurrentTag         string     `json:"current_tag"`
	CurrentDigest      string     `json:"current_digest"`
	Registry           string     `json:"registry"`
	LatestTag          string     `json:"latest_tag,omitempty"`
	LatestDigest       string     `json:"latest_digest,omitempty"`
	UpdateType         UpdateType `json:"update_type,omitempty"`
	PublishedAt        *time.Time `json:"published_at,omitempty"`
	ChangelogURL       string     `json:"changelog_url,omitempty"`
	ChangelogSummary   string     `json:"changelog_summary,omitempty"`
	HasBreakingChanges bool       `json:"has_breaking_changes"`
	RiskScore          int        `json:"risk_score"`
	PreviousDigest     string     `json:"previous_digest,omitempty"`
	SourceURL          string     `json:"source_url,omitempty"`
	Status             Status     `json:"status"`
	DetectedAt         time.Time  `json:"detected_at"`
}

ImageUpdate stores a detected update per container image.

type LabelFetcher added in v1.2.0

// LabelFetcher retrieves raw container labels from the runtime.
// Implemented by docker.Runtime via a thin adapter.
type LabelFetcher interface {
	// FetchLabels returns a map of externalID -> labels. Returns nil (not an
	// error) when the runtime doesn't support label fetching (e.g. Kubernetes).
	FetchLabels(ctx context.Context) (map[string]map[string]string, error)
}

LabelFetcher retrieves raw container labels from the runtime. Returns a map of externalID -> labels. Implemented by docker.Runtime via a thin adapter. Returns nil (not an error) when the runtime doesn't support label fetching (e.g. Kubernetes).

type ListCVEsOpts

// ListCVEsOpts contains filter parameters for listing CVEs.
type ListCVEsOpts struct {
	Severity    string
	ContainerID string
}

ListCVEsOpts contains filter parameters for listing CVEs.

type ListImageUpdatesOpts

// ListImageUpdatesOpts contains filter parameters for listing image updates.
type ListImageUpdatesOpts struct {
	Status     string
	UpdateType string
	MinRisk    int
}

ListImageUpdatesOpts contains filter parameters for listing image updates.

type ProEnricher

// ProEnricher enriches scan results with CVE data, changelog info, and risk scores.
// It implements Enricher; build it with NewProEnricher.
type ProEnricher struct {
	// contains filtered or unexported fields
}

ProEnricher enriches scan results with CVE data, changelog info, and risk scores.

func NewProEnricher

func NewProEnricher(store UpdateStore, cve *CVEClient, changelog *ChangelogResolver, risk *RiskEngine, ecosystem *EcosystemResolver, logger *slog.Logger) *ProEnricher

NewProEnricher creates the full enrichment pipeline.

func (*ProEnricher) Enrich

func (e *ProEnricher) Enrich(ctx context.Context, results []UpdateResult) error

Enrich runs CVE lookup, changelog resolution, and risk scoring for each update result.

type RegistryClient

// RegistryClient wraps go-containerregistry for read-only registry operations.
type RegistryClient struct{}

RegistryClient wraps go-containerregistry for read-only registry operations.

func NewRegistryClient

func NewRegistryClient() *RegistryClient

NewRegistryClient creates a new registry client.

func (*RegistryClient) GetConfigLabels

func (rc *RegistryClient) GetConfigLabels(ctx context.Context, imageRef string) (map[string]string, error)

GetConfigLabels returns the OCI/Docker config labels for the given image reference.

func (*RegistryClient) GetDigest

func (rc *RegistryClient) GetDigest(ctx context.Context, imageRef string) (string, error)

GetDigest returns the platform-specific digest for the given image reference. For multi-arch manifests, it resolves the platform matching the host OS/arch.

func (*RegistryClient) GetManifest

func (rc *RegistryClient) GetManifest(ctx context.Context, imageRef string) (*remote.Descriptor, error)

GetManifest returns the raw manifest descriptor for the given image reference.

func (*RegistryClient) ListTags

func (rc *RegistryClient) ListTags(ctx context.Context, imageRef string) ([]string, error)

ListTags returns all tags for the given image reference.

type ReleaseInfo

// ReleaseInfo holds information about a GitHub release.
type ReleaseInfo struct {
	TagName            string    `json:"tag_name"`
	Name               string    `json:"name"`
	Body               string    `json:"body"` // release notes text; scanned by DetectBreakingChanges
	PublishedAt        time.Time `json:"published_at"`
	HTMLURL            string    `json:"html_url"`
	HasBreakingChanges bool      `json:"has_breaking_changes"`
}

ReleaseInfo holds information about a GitHub release.

type RiskContext

// RiskContext provides monitoring context for risk calculation
// (input to RiskEngine.CalculateScore).
type RiskContext struct {
	HasEndpointCheck bool
	RestartCount     int
	DependentCount   int
	Criticality      string // from maintenant.severity label
}

RiskContext provides monitoring context for risk calculation.

type RiskEngine

// RiskEngine computes contextual risk scores for containers with updates.
type RiskEngine struct{}

RiskEngine computes contextual risk scores for containers with updates.

func NewRiskEngine

func NewRiskEngine() *RiskEngine

NewRiskEngine creates a risk score engine.

func (*RiskEngine) CalculateScore

func (re *RiskEngine) CalculateScore(u *ImageUpdate, cves []*ContainerCVE, rctx RiskContext) RiskScore

CalculateScore computes a risk score (0-100) from update data and monitoring context.

type RiskFactor

// RiskFactor represents one factor contributing to the risk score.
type RiskFactor struct {
	Label string `json:"label"`
	Score int    `json:"score"`
}

RiskFactor represents one factor contributing to the risk score.

type RiskLevel

// RiskLevel classifies the risk level based on score; see RiskLevelFromScore.
type RiskLevel string

RiskLevel classifies the risk level based on score.

// RiskLevel values, from highest to lowest risk.
const (
	RiskLevelCritical RiskLevel = "critical"
	RiskLevelHigh     RiskLevel = "high"
	RiskLevelModerate RiskLevel = "moderate"
	RiskLevelLow      RiskLevel = "low"
)

func RiskLevelFromScore

func RiskLevelFromScore(score int) RiskLevel

RiskLevelFromScore converts a numeric score to a risk level.

type RiskScore

// RiskScore is the computed risk assessment for a container.
type RiskScore struct {
	ContainerID string                `json:"container_id"`
	Score       int                   `json:"score"` // 0-100, per RiskEngine.CalculateScore
	Level       RiskLevel             `json:"level"`
	Factors     map[string]RiskFactor `json:"factors"` // serialized for storage by FactorsToJSON
}

RiskScore is the computed risk assessment for a container.

type RiskScoreRecord

// RiskScoreRecord stores historical risk scores for trend tracking.
type RiskScoreRecord struct {
	ID          int64     `json:"id"`
	ContainerID string    `json:"container_id"`
	Score       int       `json:"score"`
	FactorsJSON string    `json:"factors_json"` // output of FactorsToJSON
	RecordedAt  time.Time `json:"recorded_at"`
}

RiskScoreRecord stores historical risk scores for trend tracking.

type ScanError

// ScanError represents an error scanning a specific container.
type ScanError struct {
	ContainerID   string
	ContainerName string
	Image         string
	Error         error
}

ScanError represents an error scanning a specific container.

type ScanRecord

// ScanRecord stores the result of each periodic scan cycle.
type ScanRecord struct {
	ID                int64      `json:"id"`
	StartedAt         time.Time  `json:"started_at"`
	CompletedAt       *time.Time `json:"completed_at,omitempty"`
	ContainersScanned int        `json:"containers_scanned"`
	UpdatesFound      int        `json:"updates_found"`
	Errors            int        `json:"errors"`
	Status            ScanStatus `json:"status"`
}

ScanRecord stores the result of each periodic scan cycle.

type ScanStatus

// ScanStatus represents the lifecycle status of a scan cycle.
type ScanStatus string

ScanStatus represents the lifecycle status of a scan cycle.

// ScanStatus values.
const (
	ScanStatusRunning   ScanStatus = "running"
	ScanStatusCompleted ScanStatus = "completed"
	ScanStatusFailed    ScanStatus = "failed"
)

type Scanner

// Scanner is the registry scanner that checks containers for available
// updates (see Scan). Build it with NewScanner.
type Scanner struct {
	// contains filtered or unexported fields
}

func NewScanner

func NewScanner(registry *RegistryClient, store UpdateStore, logger *slog.Logger) *Scanner

NewScanner creates a new registry scanner.

func (*Scanner) Scan

func (sc *Scanner) Scan(ctx context.Context, containers []ContainerInfo) ([]UpdateResult, []ScanError)

Scan checks all provided containers for available updates.

type Service

// Service orchestrates update detection and notification.
// Build it with NewService and run the periodic loop with Start.
type Service struct {
	// contains filtered or unexported fields
}

Service orchestrates update detection and notification.

func NewService

func NewService(d Deps) *Service

NewService creates the update intelligence service.

func (*Service) GenerateFixCommand added in v1.1.0

func (s *Service) GenerateFixCommand(c ContainerInfo, currentTag, fixedInVersion string) string

GenerateFixCommand produces a shell command to update a container to a specific CVE fix version. Returns an empty string if fixedInVersion is not valid semver or is <= currentTag (this prevents downgrades).

func (*Service) GenerateRollbackCommand added in v1.1.0

func (s *Service) GenerateRollbackCommand(c ContainerInfo, previousDigest string) string

GenerateRollbackCommand produces a shell command to revert a container to its previous image digest.

func (*Service) GenerateUpdateCommand

func (s *Service) GenerateUpdateCommand(c ContainerInfo, latestTag string) string

GenerateUpdateCommand produces a shell command to update a container.

func (*Service) GetImageUpdateByContainer

func (s *Service) GetImageUpdateByContainer(ctx context.Context, containerID string) (*ImageUpdate, error)

GetImageUpdateByContainer returns the latest update for a container.

func (*Service) GetLastScanTime

func (s *Service) GetLastScanTime() time.Time

GetLastScanTime returns when the last scan completed.

func (*Service) GetLatestScanRecord

func (s *Service) GetLatestScanRecord(ctx context.Context) (*ScanRecord, error)

GetLatestScanRecord returns the most recent scan record.

func (*Service) GetNextScanTime

func (s *Service) GetNextScanTime() time.Time

GetNextScanTime returns when the next scan is scheduled.

func (*Service) GetScanRecord

func (s *Service) GetScanRecord(ctx context.Context, id int64) (*ScanRecord, error)

GetScanRecord returns a scan record by ID.

func (*Service) GetUpdateSummary

func (s *Service) GetUpdateSummary(ctx context.Context) (*UpdateSummary, error)

GetUpdateSummary returns the aggregated update counts.

func (*Service) IsFixedByUpdate added in v1.1.0

func (s *Service) IsFixedByUpdate(latestTag, fixedInVersion string) bool

IsFixedByUpdate returns true when the latest available tag already covers the CVE fix version.

func (*Service) IsScanning

func (s *Service) IsScanning() bool

IsScanning returns whether a scan is currently in progress.

func (*Service) ListImageUpdates

func (s *Service) ListImageUpdates(ctx context.Context, opts ListImageUpdatesOpts) ([]*ImageUpdate, error)

ListImageUpdates returns filtered updates.

func (*Service) SetAlertChannel

func (s *Service) SetAlertChannel(ch chan<- interface{})

SetAlertChannel sets the alert engine's event channel for critical notifications.

func (*Service) SetEnricher

func (s *Service) SetEnricher(e Enricher)

SetEnricher sets the update enricher (no-op in CE, CVE/changelog/risk in Pro).

func (*Service) SetEventCallback

func (s *Service) SetEventCallback(fn EventCallback)

SetEventCallback sets the SSE broadcasting callback.

func (*Service) Start

func (s *Service) Start(ctx context.Context)

Start begins the periodic scan loop. Blocks until ctx is canceled.

func (*Service) TriggerScan

func (s *Service) TriggerScan(_ context.Context) (int64, error)

TriggerScan starts an immediate scan. Returns the scan ID. The scan runs with the application-scoped context (not the HTTP request context), so it survives after the triggering request completes.

type Status

// Status represents the lifecycle status of a detected update.
type Status string

Status represents the lifecycle status of a detected update.

// Status values.
const (
	StatusAvailable Status = "available"
	StatusPinned    Status = "pinned"
)

type TagFilter added in v1.2.0

// TagFilter filters registry tag lists based on include/exclude regex patterns
// and the automatic variant suffix (e.g. "-alpine").
//
// Priority rules:
//
//  1. If include is set, only matching tags are kept (variant filter is skipped).
//  2. If include is nil and variant is non-empty, the automatic variant filter applies.
//  3. If exclude is set, matching tags are removed from the remaining set.
//  4. Exclude always wins — applied last.
type TagFilter struct {
	// contains filtered or unexported fields
}

TagFilter filters registry tag lists based on include/exclude regex patterns and the automatic variant suffix (e.g. "-alpine").

Priority rules:

  1. If include is set, only matching tags are kept (variant filter is skipped).
  2. If include is nil and variant is non-empty, the automatic variant filter applies.
  3. If exclude is set, matching tags are removed from the remaining set.
  4. Exclude always wins — applied last.

func NewTagFilter added in v1.2.0

func NewTagFilter(include, exclude *regexp.Regexp, variant string) *TagFilter

NewTagFilter creates a TagFilter from optional include/exclude patterns and a variant suffix. Pass nil for include or exclude to disable those filters. Pass an empty string for variant to disable the automatic variant filter.

func (*TagFilter) Filter added in v1.2.0

func (f *TagFilter) Filter(tags []string) []string

Filter returns the subset of tags that pass the configured filters.

When include is set:

  • keeps only tags matching the include regex
  • the automatic variant filter is NOT applied (include takes full control)

When include is nil:

  • applies the automatic variant filter if variant is non-empty
  • all tags pass when variant is empty

After include/variant, exclude removes any remaining matching tags.

type UpdateConfig

// UpdateConfig holds parsed maintenant.update.* label values
// (see ParseUpdateLabels).
type UpdateConfig struct {
	Enabled     bool
	Track       string // "major", "minor", "patch", "digest"
	Pin         string // pinned tag
	IgnoreMajor bool
	Registry    string // override registry
	AlertOn     string // "all", "critical", "none"
	DigestOnly  bool
	TagInclude  *regexp.Regexp // compiled tag-include regex, nil if absent/invalid
	TagExclude  *regexp.Regexp // compiled tag-exclude regex, nil if absent/invalid
}

UpdateConfig holds parsed maintenant.update.* label values.

func ParseUpdateLabels

func ParseUpdateLabels(labels map[string]string, logger *slog.Logger) UpdateConfig

ParseUpdateLabels extracts update configuration from Docker container labels.

type UpdateExclusion

// UpdateExclusion is a global exclusion rule for images or tags.
type UpdateExclusion struct {
	ID          int64         `json:"id"`
	Pattern     string        `json:"pattern"`
	PatternType ExclusionType `json:"pattern_type"`
	CreatedAt   time.Time     `json:"created_at"`
}

UpdateExclusion is a global exclusion rule for images or tags.

type UpdateResult

// UpdateResult is the output of scanning a single container.
//
// NOTE(review): ChangelogURL, ChangelogSummary and SourceURL are filled in by
// ChangelogResolver from registry labels and GitHub release data; treat them as
// untrusted when rendering or linking — confirm sanitization at the consumer.
type UpdateResult struct {
	ContainerID        string
	ContainerName      string
	Image              string
	CurrentTag         string
	CurrentDigest      string
	Registry           string
	LatestTag          string
	LatestDigest       string
	UpdateType         UpdateType
	HasUpdate          bool
	ChangelogURL       string
	ChangelogSummary   string
	HasBreakingChanges bool
	SourceURL          string
	PreviousDigest     string
}

UpdateResult is the output of scanning a single container.

type UpdateStore

// UpdateStore defines the persistence interface for update intelligence data.
type UpdateStore interface {
	// Scan records
	InsertScanRecord(ctx context.Context, r *ScanRecord) (int64, error)
	UpdateScanRecord(ctx context.Context, r *ScanRecord) error
	GetScanRecord(ctx context.Context, id int64) (*ScanRecord, error)
	GetLatestScanRecord(ctx context.Context) (*ScanRecord, error)

	// Image updates
	InsertImageUpdate(ctx context.Context, u *ImageUpdate) (int64, error)
	UpdateImageUpdate(ctx context.Context, u *ImageUpdate) error
	GetImageUpdate(ctx context.Context, id int64) (*ImageUpdate, error)
	GetImageUpdateByContainer(ctx context.Context, containerID string) (*ImageUpdate, error)
	ListImageUpdates(ctx context.Context, opts ListImageUpdatesOpts) ([]*ImageUpdate, error)
	GetUpdateSummary(ctx context.Context) (*UpdateSummary, error)
	DeleteImageUpdatesByContainer(ctx context.Context, containerID string) error
	DeleteStaleImageUpdates(ctx context.Context, scanID int64, scannedContainerNames []string) (int64, error)
	ListStaleImageUpdates(ctx context.Context, scanID int64, scannedContainerNames []string) ([]string, error)

	// Version pins
	InsertVersionPin(ctx context.Context, p *VersionPin) (int64, error)
	GetVersionPin(ctx context.Context, containerID string) (*VersionPin, error)
	DeleteVersionPin(ctx context.Context, containerID string) error

	// Update exclusions
	InsertExclusion(ctx context.Context, e *UpdateExclusion) (int64, error)
	ListExclusions(ctx context.Context) ([]*UpdateExclusion, error)
	DeleteExclusion(ctx context.Context, id int64) error

	// CVE cache (keyed by ecosystem, packageName, packageVersion)
	InsertCVECacheEntry(ctx context.Context, e *CVECacheEntry) (int64, error)
	GetCVECacheEntries(ctx context.Context, ecosystem, packageName, packageVersion string) ([]*CVECacheEntry, error)
	IsCVECacheFresh(ctx context.Context, ecosystem, packageName, packageVersion string) (bool, error)

	// Container CVEs
	UpsertContainerCVE(ctx context.Context, c *ContainerCVE) error
	ListContainerCVEs(ctx context.Context, containerID string) ([]*ContainerCVE, error)
	ListAllActiveCVEs(ctx context.Context, opts ListCVEsOpts) ([]*ContainerCVE, error)
	ResolveContainerCVE(ctx context.Context, containerID, cveID string) error
	DeleteContainerCVEs(ctx context.Context, containerID string) error
	GetCVESummaryCounts(ctx context.Context) (map[string]int, error)

	// Digest baselines (non-semver tags)
	UpsertDigestBaseline(ctx context.Context, b *DigestBaseline) error
	GetDigestBaseline(ctx context.Context, containerID string) (*DigestBaseline, error)

	// Risk score history
	InsertRiskScoreRecord(ctx context.Context, r *RiskScoreRecord) (int64, error)
	ListRiskScoreHistory(ctx context.Context, containerID string, from, to time.Time) ([]*RiskScoreRecord, error)

	// Retention cleanup: removes data older than olderThan and reports the row count
	CleanupExpired(ctx context.Context, olderThan time.Time) (int64, error)
}

UpdateStore defines the persistence interface for update intelligence data.

type UpdateSummary

// UpdateSummary holds aggregated update counts (see Service.GetUpdateSummary).
type UpdateSummary struct {
	Critical    int `json:"critical"`
	Recommended int `json:"recommended"`
	Available   int `json:"available"`
	UpToDate    int `json:"up_to_date"`
	Untracked   int `json:"untracked"`
	Pinned      int `json:"pinned"`
}

UpdateSummary holds aggregated update counts.

type UpdateType

// UpdateType classifies the type of version update; see ClassifyUpdate and
// FindBestUpdate.
type UpdateType string

UpdateType classifies the type of version update.

// UpdateType values. UpdateTypeDigestOnly is used for non-semver tags whose
// remote digest changed (see FindBestUpdate).
const (
	UpdateTypeMajor      UpdateType = "major"
	UpdateTypeMinor      UpdateType = "minor"
	UpdateTypePatch      UpdateType = "patch"
	UpdateTypeDigestOnly UpdateType = "digest_only"
	UpdateTypeUnknown    UpdateType = "unknown"
)

func ClassifyUpdate

func ClassifyUpdate(current, latest *semver.Version) UpdateType

ClassifyUpdate determines the type of version bump between two versions.

func FindBestUpdate

func FindBestUpdate(currentTag string, allTags []string) (bestTag string, updateType UpdateType)

FindBestUpdate finds the best available update for the given current tag among all tags. For semver tags: finds the highest version with the same variant suffix (e.g. -alpine). For non-semver tags: returns the latest tag if digests differ (digest_only mode).

type VersionPin

// VersionPin tracks a pinned (intentionally frozen) image.
type VersionPin struct {
	ID           int64     `json:"id"`
	ContainerID  string    `json:"container_id"`
	Image        string    `json:"image"`
	PinnedTag    string    `json:"pinned_tag"`
	PinnedDigest string    `json:"pinned_digest"`
	Reason       string    `json:"reason,omitempty"`
	PinnedAt     time.Time `json:"pinned_at"`
}

VersionPin tracks a pinned (intentionally frozen) image.
