snyk-docker-plugin
Version:
Snyk CLI docker plugin
24 lines (23 loc) • 1.39 kB
TypeScript
import { AnalyzedPackageWithVersion, OSRelease } from "../analyzer/types";
import { DepTree } from "../types";
/** @deprecated Should implement a new function to build a dependency graph instead. */
export declare function buildTree(targetImage: string, packageFormat: string, depInfosList: AnalyzedPackageWithVersion[], targetOS: OSRelease): DepTree;
/**
* Canonical "full name" for a package as it appears in the dep graph and
* therefore in any vulnerability `from[]` / `packageName` field a downstream
* consumer (e.g. backend, UI) sees.
*
* For OS packages with a distinct source/origin (Debian `Source:`, Alpine
* `o:`, RPM source RPM) the name is `<source>/<binary>` - e.g. the libc
* vuln pinned against Debian's `glibc` source surfaces on the binary
* `libc-bin` as `glibc/libc-bin`. For packages without a `Source` (and for
* non-OS ecosystems) it's just `<name>`.
*
* Exported so the layer-attribution producer can mint keys with the same
* shape — see `lib/analyzer/layer-attribution.ts`. Keep this as the single
* source of truth for that string format; if it drifts, the response
* builder's per-package `dockerLayerDiffId` annotation join (which keys
* by `${depFullName}@${version}`) will silently miss for any package
* with a non-trivial `Source` (i.e. most OS vulns).
*/
export declare function depFullName(depInfo: AnalyzedPackageWithVersion): string;