analyzer

package
v0.1.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 6, 2026 License: MIT Imports: 7 Imported by: 0

Documentation

Overview

Package analyzer orchestrates concurrent package analysis: a bounded worker pool fans out over the dependency list, each worker fetches the artifact from its registry and runs every heuristic, and results stream back over a channel as they complete.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Analyzer

type Analyzer struct {
	// contains filtered or unexported fields
}

Analyzer holds the registry clients and rule set for a run.

func New

func New(rules []Rule, opts Options) *Analyzer

New builds an Analyzer with the given rules and default registry clients.

func (*Analyzer) Run

func (an *Analyzer) Run(ctx context.Context, pkgs []Package) <-chan Result

Run analyzes all packages concurrently. Results are delivered on the returned channel in completion order and the channel is closed when every worker finishes. Cancel the context to abort early.

type Ecosystem

type Ecosystem string

Ecosystem identifies the package registry a dependency belongs to.

const (
	NPM  Ecosystem = "npm"
	PyPI Ecosystem = "pypi"
)

type Finding

type Finding struct {
	RuleID   string   `json:"rule_id"`
	Severity Severity `json:"severity"`
	Title    string   `json:"title"`
	// Detail explains why this matters, referencing real attack patterns.
	Detail string `json:"detail"`
	// File is the path inside the package archive where the signal was found
	// (empty for metadata findings).
	File string `json:"file,omitempty"`
	// Evidence is a short redacted excerpt of the matching content.
	Evidence string `json:"evidence,omitempty"`
}

Finding is a single suspicious signal detected in a package.

type Options

type Options struct {
	Workers        int           // 0 = auto (2×CPU, capped at 16)
	PackageTimeout time.Duration // per-package budget, 0 = 90s
	// Suppress filters findings accepted in a baseline file. Suppressed
	// findings are dropped from the verdict but counted in Result.Suppressed.
	Suppress func(Package, Finding) bool
}

Options tunes a scan run.

type Package

type Package struct {
	Ecosystem Ecosystem `json:"ecosystem"`
	Name      string    `json:"name"`
	Version   string    `json:"version"`
	// Source is where the dependency was discovered (lockfile path or "cli").
	Source string `json:"source,omitempty"`
}

Package is a single dependency to analyze.

func (Package) String

func (p Package) String() string

type Result

type Result struct {
	Package    Package       `json:"package"`
	Risk       RiskLevel     `json:"risk"`
	Score      int           `json:"score"`
	Findings   []Finding     `json:"findings,omitempty"`
	Err        string        `json:"error,omitempty"`
	Elapsed    time.Duration `json:"-"`
	DurationMS int64         `json:"duration_ms"`
	// FilesScanned is how many files inside the archive were inspected.
	FilesScanned int `json:"files_scanned"`
	// Suppressed counts findings accepted by the baseline file.
	Suppressed int `json:"suppressed,omitempty"`
}

Result is the full analysis outcome for one package.

type RiskLevel

type RiskLevel int

RiskLevel is the aggregated verdict for a package.

const (
	RiskClean RiskLevel = iota
	RiskLow
	RiskMedium
	RiskHigh
	RiskCritical
)

func (RiskLevel) MarshalJSON

func (r RiskLevel) MarshalJSON() ([]byte, error)

MarshalJSON renders risk levels as their human-readable names.

func (RiskLevel) String

func (r RiskLevel) String() string

type Rule

type Rule interface {
	ID() string
	Check(a *registry.Artifact) []Finding
}

Rule is re-declared here (structurally identical to heuristics.Rule) so the analyzer does not import the heuristics package — keeping the dependency arrow pointing in one direction: cli → analyzer ← heuristics.

type Severity

type Severity int

Severity ranks how dangerous a finding is.

const (
	SevInfo Severity = iota
	SevLow
	SevMedium
	SevHigh
	SevCritical
)

func (Severity) MarshalJSON

func (s Severity) MarshalJSON() ([]byte, error)

MarshalJSON renders severities as their human-readable names — JSON consumers should never need to know internal ordinal values.

func (Severity) Score

func (s Severity) Score() int

Score converts a severity into the weight used for the package risk score.

func (Severity) String

func (s Severity) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL