UNPKG

snyk-docker-plugin

Version:
55 lines (54 loc) 2.63 kB
import { SymlinkMap } from "../../extractor/types"; import { AnalyzedPackageWithVersion, ImageAnalysis, OSRelease } from "../types"; import { SymlinkGraph } from "./path-canonicalization"; export interface OwnedPackage { evidencePaths: string[]; apkPackageName: string; apkPackageVersion: string; originPackage: string; name?: string; version?: string; } export interface ApkPackageOwnership { distroId: string; ownedPackages: OwnedPackage[]; } export interface OwnershipCandidate { evidencePaths: string[]; name?: string; version?: string; } export type MatchKind = "exact" | "directory"; export interface PathOwnerMatch { owner: AnalyzedPackageWithVersion; matchKind: MatchKind; /** Number of matched path segments; a deeper directory match outranks a shallower one. */ prefixLength: number; } interface DirectoryTrieNode { owners: AnalyzedPackageWithVersion[]; children: Map<string, DirectoryTrieNode>; } export interface ApkPathIndex { exactFileOwners: Map<string, AnalyzedPackageWithVersion[]>; directoryTrie: DirectoryTrieNode; } export declare function isChainguardDistro(osRelease?: OSRelease): boolean; export declare function toSymlinkGraph(symlinks?: SymlinkMap): SymlinkGraph; export declare function buildApkPathIndex(packages: AnalyzedPackageWithVersion[], symlinkGraph: SymlinkGraph): ApkPathIndex; export declare function resolveOwnerForEvidencePath(evidencePath: string, index: ApkPathIndex, symlinkGraph: SymlinkGraph): PathOwnerMatch | undefined; /** * Resolve APK package ownership for a set of candidates on Wolfi/Chainguard * images. Each candidate (a single npm package, or a whole Go/Java result) is * resolved independently: all of its evidence paths must be wholly owned by one * consistent APK package, or the candidate is omitted (fail closed per * candidate). Per Chainguard's scanner spec, a dependency with any unowned path * is not covered by advisory data and must keep its findings — we skip rather * than guess and risk suppressing real vulnerabilities in user-added software. * Candidates carrying a coordinate (name@version) are deduplicated, keeping an * owned occurrence over an unowned one. * https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/scanning_implementation.md */ export declare function resolveApkOwnership(candidates: OwnershipCandidate[], index: ApkPathIndex, symlinkGraph: SymlinkGraph, osRelease: OSRelease): ApkPackageOwnership | undefined; export declare function getApkPackagesFromResults(results?: ImageAnalysis[]): AnalyzedPackageWithVersion[]; export {};