Documentation
¶
Overview ¶
Package updater provides language-agnostic vulnerability package updating functionality for multiple languages, together with a Go-specific implementation (GoUpdater).
Architecture Design Principles:

1. Simplified Interface Design: The LanguageUpdater interface is intentionally minimal with only two methods:
- UpdatePackages: Core functionality to update vulnerable packages
- GetLanguageType: Returns the language this updater handles

2. Language-Specific Internal Processing: Each language implementation receives trivy vulnerability data and handles all language-specific logic internally, including:
- Project structure validation (e.g., finding go.mod, requirements.txt)
- Package version normalization (e.g., Go's "v" prefix handling)
- Package manager command execution (e.g., "go get", "pip install")
- Post-update tasks (e.g., "go mod tidy")

3. Trivy Result Integration: The design leverages trivy's standardized JSON output format. All languages use the same trivy vulnerability structure, making the interface consistent and reducing the need for language-specific data transformations at the interface level.

4. Flexibility and Extensibility:
- Easy to add new languages by implementing the simple LanguageUpdater interface
- Language detection is handled separately and can be enhanced independently
- Each language updater can evolve its internal logic without affecting others
- Testing is simplified with mock implementations

5. Separation of Concerns:
- Interface focuses on the core "update packages" responsibility
- Language detection is handled by a separate LanguageDetector interface
- Project validation and package management details are encapsulated within each language implementation
This design provides better maintainability, testability, and extensibility compared to a more complex interface with many methods.
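As an added example that is not the project's own code, the following Go program sketches how this design is meant to be used: a hypothetical coordinator that keeps one updater per language, keyed on GetLanguageType, one registered implementation, and a mock that stands in for a real updater in tests. The type and field names (in particular a Language field used for routing), the result shape and the coordinator's internals are assumptions; the real Updater's fields are unexported and the page does not show how it maps a vulnerability to a language.

```go
package main

import "fmt"

type LanguageType string // assumed stand-in for types.LanguageType

// Vulnerability keeps the trivy fields this example needs; Language is an assumed routing
// field (the real type may derive it from trivy's per-result Type such as "gomod" or "pip").
type Vulnerability struct {
	VulnerabilityID string
	Language        LanguageType
}

// VulnFixResults is an assumed result shape: which findings were fixed and which were not.
type VulnFixResults struct {
	Fixed   []string
	Skipped []string
}

// LanguageUpdater is the two-method interface documented on this page.
type LanguageUpdater interface {
	UpdatePackages(vulnerabilities []Vulnerability) (VulnFixResults, error)
	GetLanguageType() LanguageType
}

// Updater is a hypothetical coordinator holding one updater per language.
type Updater struct {
	updaters map[LanguageType]LanguageUpdater // keyed by GetLanguageType
}

func (u *Updater) RegisterLanguageUpdater(lu LanguageUpdater) {
	if u.updaters == nil {
		u.updaters = map[LanguageType]LanguageUpdater{}
	}
	u.updaters[lu.GetLanguageType()] = lu
}

// UpdatePackages groups findings by language and hands each group to its updater. Findings for
// a language with no registered updater are reported as skipped rather than silently dropped.
func (u *Updater) UpdatePackages(vulns []Vulnerability) (VulnFixResults, error) {
	byLang := map[LanguageType][]Vulnerability{}
	var order []LanguageType // first-seen order keeps results deterministic
	for _, v := range vulns {
		if byLang[v.Language] == nil {
			order = append(order, v.Language)
		}
		byLang[v.Language] = append(byLang[v.Language], v)
	}
	var out VulnFixResults
	for _, l := range order {
		lu, ok := u.updaters[l]
		if !ok {
			for _, v := range byLang[l] {
				out.Skipped = append(out.Skipped, v.VulnerabilityID)
			}
			continue
		}
		res, err := lu.UpdatePackages(byLang[l])
		if err != nil {
			return out, fmt.Errorf("%s updater: %w", l, err)
		}
		out.Fixed = append(out.Fixed, res.Fixed...)
		out.Skipped = append(out.Skipped, res.Skipped...)
	}
	return out, nil
}

// MockUpdater is the test double this design makes cheap: it records what it was given
// and reports every finding as fixed without touching a project on disk.
type MockUpdater struct {
	Lang LanguageType
	Seen []Vulnerability
}

func (m *MockUpdater) GetLanguageType() LanguageType { return m.Lang }

func (m *MockUpdater) UpdatePackages(vs []Vulnerability) (VulnFixResults, error) {
	m.Seen = append(m.Seen, vs...)
	var r VulnFixResults
	for _, v := range vs {
		r.Fixed = append(r.Fixed, v.VulnerabilityID)
	}
	return r, nil
}

// SampleVulns is constructed input: two Go findings and one for a language nobody registered.
func SampleVulns() []Vulnerability {
	return []Vulnerability{{"FINDING-1", "go"}, {"FINDING-2", "javascript"}, {"FINDING-3", "go"}}
}

func main() {
	u := &Updater{}
	u.RegisterLanguageUpdater(&MockUpdater{Lang: "go"})
	res, err := u.UpdatePackages(SampleVulns())
	fmt.Printf("fixed=%v skipped=%v err=%v\n", res.Fixed, res.Skipped, err)
}
```

Because the mock records what it was handed, a test can assert that the coordinator batched both Go findings into a single UpdatePackages call and reported the JavaScript finding as skipped, which is the behaviour a PR reviewer needs to be able to trust before any real package manager is invoked.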
Index ¶
Constants ¶
const CommandOutputHeader = `#!/bin/sh
# This file is automatically generated by dependabot, please do not modify it manually!!!
`
CommandOutputHeader is the header template for generated command output files
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BaseUpdater ¶
type BaseUpdater struct {
// contains filtered or unexported fields
}
BaseUpdater provides common functionality for language-specific updaters
func NewBaseUpdater ¶
func NewBaseUpdater(projectPath string, commandOutputFile string) *BaseUpdater
NewBaseUpdater creates a new base updater with common functionality
func (*BaseUpdater) LogBlankLine ¶
func (b *BaseUpdater) LogBlankLine() error
LogBlankLine adds a blank line to the output file for readability
func (*BaseUpdater) LogComment ¶
func (b *BaseUpdater) LogComment(comment string) error
LogComment logs a comment line to the output file
func (*BaseUpdater) LogFailedCommand ¶
func (b *BaseUpdater) LogFailedCommand(command string, err error) error
LogFailedCommand logs a failed command as a comment with error details
func (*BaseUpdater) LogSuccessfulCommand ¶
func (b *BaseUpdater) LogSuccessfulCommand(command string) error
LogSuccessfulCommand logs the successful command to the configured output file
type GoUpdater ¶
type GoUpdater struct {
*BaseUpdater
// contains filtered or unexported fields
}
GoUpdater handles updating Go packages
func NewGoUpdater ¶
func NewGoUpdater(projectPath string, goConfig *config.GoUpdaterConfig) *GoUpdater
NewGoUpdater creates a new Go language updater
func (*GoUpdater) GetLanguageType ¶
func (g *GoUpdater) GetLanguageType() types.LanguageType
GetLanguageType returns the language type this updater handles
func (*GoUpdater) UpdatePackages ¶
func (g *GoUpdater) UpdatePackages(vulnerabilities []types.Vulnerability) (types.VulnFixResults, error)
UpdatePackages updates vulnerable Go packages to their fixed versions. It supports mono repo scenarios by grouping vulnerabilities by PackageDir, and uses a batch update strategy (one update per module directory covering all affected packages) to avoid version conflicts, especially for golang.org/x/* packages.
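The following Go program is an added example, not GoUpdater's own code, of the batch strategy described here: findings are grouped by PackageDir, the "v" prefix is added to versions that trivy reports bare, the highest fixed version wins when several findings name the same module, and one `go get` per directory followed by `go mod tidy` is printed in the layout of the command output file. It only builds the commands; it does not run them. Because that file is a #!/bin/sh script whose contents originate in scanner output, the example validates every module path, version and directory against a conservative grammar before it can reach the script. The type, the regular expressions and the sample findings are my assumptions, not the project's.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// CommandOutputHeader is the page's constant, repeated so this block runs on its own.
const CommandOutputHeader = "#!/bin/sh\n# This file is automatically generated by dependabot, please do not modify it manually!!!\n"

// Vulnerability is an assumed stand-in for types.Vulnerability using trivy's field names.
type Vulnerability struct {
	VulnerabilityID string
	PkgName         string
	FixedVersion    string
	PackageDir      string // module directory of the finding (mono-repo support)
}

// Conservative grammars (my approximations) for anything that may reach the generated script: Go
// module path characters, semver with an optional pre-release/build suffix, relative dirs without "..".
var (
	modulePathRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._~-]*(/[A-Za-z0-9._~-]+)*$`)
	goVersionRe  = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)
	dirRe        = regexp.MustCompile(`^(\.|[A-Za-z0-9_-][A-Za-z0-9._-]*(/[A-Za-z0-9_-][A-Za-z0-9._-]*)*)$`)
)

// NormalizeGoVersion adds the "v" prefix `go get` expects when trivy reports a bare "0.17.0", then validates.
func NormalizeGoVersion(v string) (string, error) {
	if v = strings.TrimSpace(v); !strings.HasPrefix(v, "v") {
		v = "v" + v
	}
	if !goVersionRe.MatchString(v) {
		return "", fmt.Errorf("invalid Go version %q", v)
	}
	return v, nil
}

// newer reports whether a has a higher major.minor.patch than b (pre-release ordering is deliberately ignored).
func newer(a, b string) bool {
	var pa, pb [3]int
	fmt.Sscanf(strings.TrimPrefix(a, "v"), "%d.%d.%d", &pa[0], &pa[1], &pa[2])
	fmt.Sscanf(strings.TrimPrefix(b, "v"), "%d.%d.%d", &pb[0], &pb[1], &pb[2])
	return pa[0] > pb[0] || pa[0] == pb[0] && (pa[1] > pb[1] || pa[1] == pb[1] && pa[2] > pb[2])
}

// BuildBatchCommands groups findings by PackageDir and emits one `go get` per directory naming every
// module to bump, then `go mod tidy`, so the resolver picks one consistent version set (the golang.org/x/*
// case). Findings that fail validation are returned as skipped and never reach the script.
func BuildBatchCommands(vulns []Vulnerability) (commands, skipped []string) {
	byDir := map[string]map[string]string{} // dir -> module -> fixed version
	var dirs []string                        // first-seen order keeps the script deterministic
	for _, v := range vulns {
		ver, err := NormalizeGoVersion(v.FixedVersion)
		if err != nil || !modulePathRe.MatchString(v.PkgName) || !dirRe.MatchString(v.PackageDir) {
			skipped = append(skipped, v.VulnerabilityID)
			continue
		}
		if byDir[v.PackageDir] == nil {
			byDir[v.PackageDir] = map[string]string{}
			dirs = append(dirs, v.PackageDir)
		}
		if cur, ok := byDir[v.PackageDir][v.PkgName]; !ok || newer(ver, cur) {
			byDir[v.PackageDir][v.PkgName] = ver
		}
	}
	for _, d := range dirs {
		var args []string
		for m, ver := range byDir[d] {
			args = append(args, m+"@"+ver)
		}
		sort.Strings(args)
		commands = append(commands, fmt.Sprintf("(cd %s && go get %s && go mod tidy)", d, strings.Join(args, " ")))
	}
	return commands, skipped
}

// SampleVulns is constructed input shaped like trivy findings for a two-module repo.
func SampleVulns() []Vulnerability {
	return []Vulnerability{
		{"FINDING-1", "golang.org/x/crypto", "0.17.0", "."},
		{"FINDING-2", "golang.org/x/net", "0.23.0", "."},
		{"FINDING-3", "golang.org/x/net", "0.17.0", "."}, // lower fix for the same module: superseded
		{"FINDING-4", "golang.org/x/net", "0.7.0", "services/api"},
		{"FINDING-5", "example.com/mod; echo pwned", "1.0.1", "."}, // not a module path: rejected
		{"FINDING-6", "github.com/example/nofix", "", "."},          // no fixed version: skipped
	}
}

// main lays the script out like the command output file: header, one command per line, skipped findings as comments.
func main() {
	cmds, skipped := BuildBatchCommands(SampleVulns())
	fmt.Print(CommandOutputHeader + strings.Join(cmds, "\n") + "\n")
	for _, id := range skipped {
		fmt.Println("# skipped", id+": no fixed version, or name/version/dir failed validation")
	}
}
```

Running it prints a script with two command lines, one for "." and one for services/api, followed by comments for the two findings that were rejected. The validation step is the part worth keeping in mind when the generated file is later executed: a package name or version that is not a syntactically valid module path or version (including a comma-separated list of fixed versions, should the scanner ever produce one) is reported as skipped instead of being interpolated into a shell command.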
type LanguageUpdater ¶
type LanguageUpdater interface {
// UpdatePackages is the core method that updates vulnerable packages for the specific language
// It receives vulnerabilities from trivy and handles all language-specific logic internally
UpdatePackages(vulnerabilities []types.Vulnerability) (types.VulnFixResults, error)
// GetLanguageType returns the language type this updater handles
GetLanguageType() types.LanguageType
}
LanguageUpdater defines the simplified interface for language-specific package updaters. Each language implementation receives trivy vulnerabilities and handles the update process internally.
type Updater ¶
type Updater struct {
// contains filtered or unexported fields
}
Updater coordinates the updating of vulnerable packages across different languages. It manages language-specific updaters and orchestrates the update process for all detected vulnerabilities.
func New ¶
func New(projectPath string, updaterConfig config.UpdaterConfig) *Updater
New creates a new Updater instance with automatic language detection. projectPath: the path to the project to be updated. updaterConfig: the configuration passed on to the language-specific updaters. Returns a pointer to an Updater instance.
func (*Updater) GetSupportedLanguages ¶
func (u *Updater) GetSupportedLanguages() []types.LanguageType
GetSupportedLanguages returns the list of supported languages as a slice of LanguageType.
func (*Updater) RegisterLanguageUpdater ¶
func (u *Updater) RegisterLanguageUpdater(updater LanguageUpdater)
RegisterLanguageUpdater registers a language-specific updater. updater: the language-specific updater to register.
func (*Updater) UpdatePackages ¶
func (u *Updater) UpdatePackages(vulnerabilities []types.Vulnerability) (types.VulnFixResults, error)
UpdatePackages updates vulnerable packages using the appropriate language-specific updaters. Returns detailed update results for PR creation.