snyk-docker-plugin
Version:
Snyk CLI docker plugin
55 lines (54 loc) • 2.63 kB
TypeScript
import { SymlinkMap } from "../../extractor/types";
import { AnalyzedPackageWithVersion, ImageAnalysis, OSRelease } from "../types";
import { SymlinkGraph } from "./path-canonicalization";
export interface OwnedPackage {
evidencePaths: string[];
apkPackageName: string;
apkPackageVersion: string;
originPackage: string;
name?: string;
version?: string;
}
export interface ApkPackageOwnership {
distroId: string;
ownedPackages: OwnedPackage[];
}
export interface OwnershipCandidate {
evidencePaths: string[];
name?: string;
version?: string;
}
export type MatchKind = "exact" | "directory";
export interface PathOwnerMatch {
owner: AnalyzedPackageWithVersion;
matchKind: MatchKind;
/** Number of matched path segments; a deeper directory match outranks a shallower one. */
prefixLength: number;
}
interface DirectoryTrieNode {
owners: AnalyzedPackageWithVersion[];
children: Map<string, DirectoryTrieNode>;
}
export interface ApkPathIndex {
exactFileOwners: Map<string, AnalyzedPackageWithVersion[]>;
directoryTrie: DirectoryTrieNode;
}
export declare function isChainguardDistro(osRelease?: OSRelease): boolean;
export declare function toSymlinkGraph(symlinks?: SymlinkMap): SymlinkGraph;
export declare function buildApkPathIndex(packages: AnalyzedPackageWithVersion[], symlinkGraph: SymlinkGraph): ApkPathIndex;
export declare function resolveOwnerForEvidencePath(evidencePath: string, index: ApkPathIndex, symlinkGraph: SymlinkGraph): PathOwnerMatch | undefined;
/**
* Resolve APK package ownership for a set of candidates on Wolfi/Chainguard
* images. Each candidate (a single npm package, or a whole Go/Java result) is
* resolved independently: all of its evidence paths must be wholly owned by one
* consistent APK package, or the candidate is omitted (fail closed per
* candidate). Per Chainguard's scanner spec, a dependency with any unowned path
* is not covered by advisory data and must keep its findings — we skip rather
* than guess and risk suppressing real vulnerabilities in user-added software.
* Candidates carrying a coordinate (name@version) are deduplicated, keeping an
* owned occurrence over an unowned one.
* https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/scanning_implementation.md
*/
export declare function resolveApkOwnership(candidates: OwnershipCandidate[], index: ApkPathIndex, symlinkGraph: SymlinkGraph, osRelease: OSRelease): ApkPackageOwnership | undefined;
export declare function getApkPackagesFromResults(results?: ImageAnalysis[]): AnalyzedPackageWithVersion[];
export {};