library

package
v0.72.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 30, 2026 License: Apache-2.0 Imports: 19 Imported by: 5

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DeregisterVendor added in v0.71.0

func DeregisterVendor(name string)

DeregisterVendor removes a registered vendor by name. Use it to opt out of a vendor that was registered via pkg/detector/library/all (e.g., DeregisterVendor("seal")).

func Detect added in v0.17.0

func Detect(ctx context.Context, libType ftypes.LangType, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error)

Detect scans language-specific packages and returns vulnerabilities.

func RegisterVendor added in v0.71.0

func RegisterVendor(v Vendor)

RegisterVendor registers a new vendor for library vulnerability detection. It should be called from an init() function in the vendor's package.

Types

type Driver

type Driver struct {
	// contains filtered or unexported fields
}

Driver represents security advisories for each programming language

func NewDriver added in v0.9.0

func NewDriver(libType ftypes.LangType) (Driver, bool)

NewDriver returns a driver according to the library type

func (*Driver) DetectVulnerabilities added in v0.23.0

func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.DetectedVulnerability, error)

DetectVulnerabilities scans buckets with the prefix according to the ecosystem. If "ecosystem" is pip, it looks for buckets with "pip::" and gets security advisories from those buckets. It allows us to add a new data source with the ecosystem prefix (e.g. pip::new-data-source) and detect vulnerabilities without specifying a specific bucket name.

func (*Driver) Type

func (d *Driver) Type() string

Type returns the driver ecosystem

type Vendor added in v0.71.0

type Vendor interface {
	// Name returns the vendor identifier used in the advisory bucket prefix.
	// For example, "seal" results in advisory queries to "seal pip::", "seal npm::", etc.
	Name() string

	// Match determines whether a package is provided by this vendor.
	// It receives the ecosystem type, a normalized package name
	// (see vulnerability.NormalizePkgName), and version to make the determination.
	Match(eco ecosystem.Type, pkgName, pkgVer string) bool

	// BucketPrefix returns the advisory bucket prefix for the given ecosystem.
	// For example, "seal pip::" for Seal Security pip packages.
	BucketPrefix(eco ecosystem.Type) string

	// Comparer returns a version comparer for the given ecosystem.
	// The defaultComparer is provided so the vendor can return it unchanged
	// when no custom comparison logic is needed.
	Comparer(eco ecosystem.Type, defaultComparer compare.Comparer) compare.Comparer
}

Vendor represents a third-party security vendor that provides patched packages with their own vulnerability advisories. These vendors (e.g., Seal Security) offer patched versions of open source packages and maintain separate advisory databases that should be used instead of the standard ecosystem advisories.

When a package is identified as coming from a vendor, Trivy queries the vendor-specific advisory bucket (e.g., "seal pip::") rather than the standard ecosystem bucket (e.g., "pip::").

Directories

Path Synopsis
Package all registers all built-in library vulnerability vendors.
Package all registers all built-in library vulnerability vendors.
npm

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL