package ecosystem v0.3.0
Published: Mar 3, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package ecosystem provides a pluggable interface for different package ecosystems. Each ecosystem (npm, go, pip, brew, debian, etc.) implements the Plugin interface to provide scanning, vulnerability detection, and remediation capabilities.

Index

Constants

This section is empty.

Variables

var DefaultOSVClient = NewOSVClient()

DefaultOSVClient is a shared OSV client instance.

var DefaultRegistry = NewRegistry()

DefaultRegistry is the global plugin registry.

Functions

func NormalizeEcosystem

func NormalizeEcosystem(eco string) string

NormalizeEcosystem converts ecosystem identifiers to plugin names. Handles case normalization and OSV→plugin name mapping (e.g., "PyPI" → "pip").

func Register

func Register(plugin Plugin) error

Register adds a plugin to the default registry.

Types

type AffectedResult

type AffectedResult struct {
	Status     version.VulnerabilityStatus `json:"status"`
	Message    string                      `json:"message"`
	VulnID     string                      `json:"vuln_id,omitempty"`
	FixVersion string                      `json:"fix_version,omitempty"`
	Severity   string                      `json:"severity,omitempty"`
}

AffectedResult represents the result of checking if a version is affected.

type Finding

type Finding struct {
	Package         Package         `json:"package"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

Finding links a package to its vulnerabilities.

type FixAction

type FixAction struct {
	Type          string `json:"type"`                     // "upgrade", "patch", "remove", "workaround"
	Command       string `json:"command,omitempty"`        // Shell command to execute
	Description   string `json:"description,omitempty"`    // Human-readable explanation
	TargetVersion string `json:"target_version,omitempty"` // Version to upgrade to
	Breaking      bool   `json:"breaking,omitempty"`       // Potentially breaking change?
}

FixAction describes how to remediate a vulnerability.

type OSVClient

type OSVClient struct {
	// contains filtered or unexported fields
}

OSVClient queries the OSV.dev vulnerability database.

func NewOSVClient

func NewOSVClient() *OSVClient

NewOSVClient creates a new OSV API client.

func (*OSVClient) CheckIfAffected

func (c *OSVClient) CheckIfAffected(ctx context.Context, vulnID string, pkg Package) (*AffectedResult, error)

CheckIfAffected checks if a specific package version is affected by a vulnerability.

func (*OSVClient) CheckPackages

func (c *OSVClient) CheckPackages(ctx context.Context, packages []Package) ([]Finding, error)

CheckPackages queries OSV for vulnerabilities affecting the given packages. Large package lists are automatically chunked to avoid API limits.

func (*OSVClient) ResolveCVEID

func (c *OSVClient) ResolveCVEID(ctx context.Context, vulnID string) (string, error)

ResolveCVEID resolves any vulnerability ID (GHSA, PYSEC, etc.) to its CVE alias. Returns the original ID if it's already a CVE or if no CVE alias exists.

type Package

type Package struct {
	Name      string `json:"name"`
	Version   string `json:"version"`
	Ecosystem string `json:"ecosystem"`

	// Optional metadata
	Source   string `json:"source,omitempty"`   // Lock file path, system package db, etc.
	Direct   bool   `json:"direct,omitempty"`   // Direct vs transitive dependency
	Checksum string `json:"checksum,omitempty"` // For integrity verification
}

Package represents a software package in any ecosystem.

type Plugin

type Plugin interface {
	// Info returns metadata about the plugin.
	Info() PluginInfo

	// Detect checks if this plugin can handle the given path.
	// Returns true if lock files, manifests, or other indicators are found.
	Detect(ctx context.Context, path string) bool

	// Scan enumerates packages and checks for vulnerabilities.
	Scan(ctx context.Context, path string) (*ScanResult, error)

	// GetFix returns remediation actions for a specific vulnerability.
	// The package parameter provides context (current version, ecosystem).
	GetFix(ctx context.Context, pkg Package, vuln Vulnerability) (*FixAction, error)
}

Plugin is the interface that all ecosystem plugins must implement.

func Detect

func Detect(ctx context.Context, path string) []Plugin

Detect finds matching plugins from the default registry.

func Get

func Get(name string) (Plugin, bool)

Get returns a plugin from the default registry.

func List

func List() []Plugin

List returns all plugins from the default registry.

type PluginInfo

type PluginInfo struct {
	// Name is the ecosystem identifier (e.g., "npm", "go", "debian").
	Name string

	// DisplayName is human-readable (e.g., "Node.js (npm)").
	DisplayName string

	// Description explains what this plugin handles.
	Description string

	// FilePatterns lists files this plugin looks for (e.g., "package-lock.json").
	FilePatterns []string

	// Priority determines order when multiple plugins match (higher = first).
	Priority int
}

PluginInfo contains metadata about a plugin.

type PluginWithAdvisorySource

type PluginWithAdvisorySource interface {
	Plugin

	// AdvisorySources returns the advisory databases this plugin uses.
	AdvisorySources() []string

	// CheckAdvisory queries a specific advisory database for a package.
	CheckAdvisory(ctx context.Context, source string, pkg Package) ([]Vulnerability, error)
}

PluginWithAdvisorySource is an optional interface for plugins that can query specific advisory databases.

type PluginWithNativeAudit

type PluginWithNativeAudit interface {
	Plugin

	// NativeAudit runs the ecosystem's native audit command.
	// Returns findings directly from the native tool.
	NativeAudit(ctx context.Context, path string) (*ScanResult, error)
}

PluginWithNativeAudit is an optional interface for plugins that have native audit tools (npm audit, cargo audit, etc.).

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry manages ecosystem plugins.

func NewRegistry

func NewRegistry() *Registry

NewRegistry creates a new plugin registry.

func (*Registry) Detect

func (r *Registry) Detect(ctx context.Context, path string) []Plugin

Detect finds all plugins that can handle the given path.

func (*Registry) Get

func (r *Registry) Get(name string) (Plugin, bool)

Get returns a plugin by name.

func (*Registry) List

func (r *Registry) List() []Plugin

List returns all registered plugins, sorted by priority (highest first).

func (*Registry) NativeAuditAll added in v0.3.0

func (r *Registry) NativeAuditAll(ctx context.Context, path string) ([]*ScanResult, error)

NativeAuditAll runs native audit on all matching plugins that support it.

func (*Registry) Register

func (r *Registry) Register(plugin Plugin) error

Register adds a plugin to the registry.

func (*Registry) ScanAll

func (r *Registry) ScanAll(ctx context.Context, path string) ([]*ScanResult, error)

ScanAll scans a path with all matching plugins. Returns an error only if ALL plugins fail. Partial failures are recorded in results.

type ScanResult

type ScanResult struct {
	Ecosystem       string     `json:"ecosystem"`
	PackagesScanned int        `json:"packages_scanned"`
	Findings        []Finding  `json:"findings"`
	Errors          []string   `json:"errors,omitempty"`
	Status          ScanStatus `json:"status"`
}

ScanResult contains packages and their vulnerabilities.

func NativeAuditAll added in v0.3.0

func NativeAuditAll(ctx context.Context, path string) ([]*ScanResult, error)

NativeAuditAll runs native audit with all matching plugins from the default registry.

func ScanAll

func ScanAll(ctx context.Context, path string) ([]*ScanResult, error)

ScanAll scans with all matching plugins from the default registry.

func (*ScanResult) Failed

func (r *ScanResult) Failed() bool

Failed returns true if the scan failed completely.

func (*ScanResult) HasErrors

func (r *ScanResult) HasErrors() bool

HasErrors returns true if the scan encountered any errors.

func (*ScanResult) Success

func (r *ScanResult) Success() bool

Success returns true if the scan completed without critical errors. A scan with findings but no errors is considered successful.

type ScanStatus

type ScanStatus string

ScanStatus indicates the outcome of a scan operation.

const (
	// ScanStatusSuccess indicates the scan completed successfully.
	ScanStatusSuccess ScanStatus = "success"
	// ScanStatusPartial indicates the scan completed but with some errors.
	ScanStatusPartial ScanStatus = "partial"
	// ScanStatusFailed indicates the scan failed completely.
	ScanStatusFailed ScanStatus = "failed"
)

type Vulnerability

type Vulnerability struct {
	ID         string   `json:"id"`                    // CVE-2021-23337, GHSA-xxx, etc.
	Aliases    []string `json:"aliases,omitempty"`     // Alternative IDs
	Severity   string   `json:"severity"`              // CRITICAL, HIGH, MEDIUM, LOW
	CVSSScore  *float64 `json:"cvss_score,omitempty"`  // Numeric score if available
	Summary    string   `json:"summary"`               // Short description
	Details    string   `json:"details,omitempty"`     // Full description
	FixVersion string   `json:"fix_version,omitempty"` // Version that fixes this
	References []string `json:"references,omitempty"`  // URLs for more info
}

Vulnerability represents a security vulnerability affecting a package.

Directories

Path	Synopsis
Package golang provides the Go ecosystem plugin.
Package npm provides the npm/Node.js ecosystem plugin.
Package pip provides the Python/pip ecosystem plugin.
