Overview

Package normalize provides utilities for normalizing package identifiers: purls, version strings and CycloneDX BOM/VEX structures. Part of the package maps binary package names to their source package names for Linux distributions (Debian, Alpine), so that installed components can be matched against security advisories that are published per source package rather than per binary package.

Constants

const (
	// NodeTypeComponent marks an ordinary component node in the dependency tree.
	NodeTypeComponent             nodeType = "component"
	// NodeTypeSbomInformationSource marks a node standing for an SBOM that
	// contributed information to the tree (see GetInformationSourceNodes).
	NodeTypeSbomInformationSource nodeType = "sbom"
	// NodeTypeVexInformationSource marks a node standing for a VEX document
	// that contributed information to the tree.
	NodeTypeVexInformationSource  nodeType = "vex"
	// NodeTypeCSAFInformationSource marks a node standing for a CSAF document
	// that contributed information to the tree (see GetCsafRootPurls).
	NodeTypeCSAFInformationSource nodeType = "csaf"
	// NodeTypeUnknown is the fallback node type — presumably returned by
	// RemoveOriginTypePrefixIfExists when no known prefix is present; confirm.
	NodeTypeUnknown               nodeType = "unknown"
)

Variables

// PURLEcosystems maps an ecosystem name as used by vulnerability databases
// (the keys follow the OSV ecosystem naming) to the corresponding purl type.
// Lookups are case-sensitive: "debian" does not match "Debian". An ecosystem
// without a purl type of its own (OSS-Fuzz) maps to "generic".
var PURLEcosystems = map[string]string{
	// Linux distributions
	"Alpine": "apk",
	"Debian": "deb",
	// language package registries
	"crates.io": "cargo",
	"Go":        "golang",
	"Hackage":   "hackage",
	"Hex":       "hex",
	"Maven":     "maven",
	"npm":       "npm",
	"NuGet":     "nuget",
	"Packagist": "composer",
	"Pub":       "pub",
	"PyPI":      "pypi",
	"RubyGems":  "gem",
	// no dedicated purl type
	"OSS-Fuzz": "generic",
}

PURL conversion utilities. PURLEcosystems maps ecosystem names (as used by vulnerability databases) to purl type strings; the helpers PackageToPurl (ecosystem to purl) and PurlToEcosystem (purl type to ecosystem) translate in the two directions.

// ValidSemverRegex matches a Semantic Versioning 2.0.0 version string (it is
// the pattern published at semver.org). It is anchored at both ends, so the
// whole input must be a version: no leading "v", no epoch such as "2:", no
// surrounding whitespace. Named groups: major, minor, patch, prerelease and
// buildmetadata. Go's regexp engine runs in linear time, so matching untrusted
// input against it cannot be turned into a ReDoS.
var ValidSemverRegex = regexp.MustCompile(`^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

ValidSemverRegex reports whether a string is a valid Semantic Versioning 2.0.0 version. It is anchored at both ends and does not accept a leading "v" or an epoch prefix; run ConvertToSemver first if the input may carry such prefixes.

Functions

func ArtifactPurl

func ArtifactPurl(scanner string, assetName string) string

func BeautifyPURL

func BeautifyPURL(pURL string) (string, error)

BeautifyPURL rewrites a purl into a more readable form for display. Use the result for presentation only; keep the original purl for matching and lookups.

func CheckVersion

func CheckVersion(exactVersion, introduced, fixed *string, lookingForVersion, affectedComponentType string) (bool, error)

func ConvertToSemver

func ConvertToSemver(originalVersion string) (string, error)

ConvertToSemver converts various version formats to semantic versioning format. It handles: epoch prefixes (e.g. "2:1.2.3" -> "1.2.3"); "v" prefixes (e.g. "v1.2.3" -> "1.2.3"); pre-release identifiers introduced by "-" (e.g. "1.2.3-rc1"); build metadata introduced by "+" (e.g. "1.2.3+build1"); tilde pre-release separators "~" (e.g. "1.2.3~rc1" -> "1.2.3-rc1"); and missing version segments (e.g. "1.2" -> "1.2.0"). Note that the conversion is lossy for distribution versions: dropping the epoch discards ordering information (in Debian/RPM terms "2:1.0" sorts after "1:9.9", but the converted "1.0" sorts before "9.9"), and a Debian revision such as "1.2.3-1" becomes a semver pre-release and therefore sorts before "1.2.3", the opposite of Debian ordering. Compare such versions with an ecosystem-aware comparison (see EcosystemSpecificVersion) rather than relying on the converted value.

Returns an error if the numeric part of the version (after epoch and "v" stripping, before any "-", "+" or "~" suffix) contains characters other than digits and ".", or if the version has more than three numeric segments (e.g. "1.2.3.4").

func DeepSort

func DeepSort(el any) any

DeepSort recursively sorts every map and slice inside el. It is REALLY expensive, so use it sparingly. Slices are treated as sets: their elements are ordered by their canonical JSON representation, so the original element order is not preserved.

func FixFixedVersion

func FixFixedVersion(purl string, fixedVersion *string) *string

func GetComponentID

func GetComponentID(component cdx.Component) string

func MapCDXToEventType

func MapCDXToEventType(a *cdx.VulnerabilityAnalysis) string

func MapCDXToVulnStatus

func MapCDXToVulnStatus(a *cdx.VulnerabilityAnalysis) string

MapCDXToVulnStatus maps a CycloneDX vulnerability analysis (its state and response) to the internal status strings consumed by CreateVulnEventAndApply.

func PackageToPurl

func PackageToPurl(ecosystem, packageName string) string

func PurlToEcosystem

func PurlToEcosystem(purlType string) string

func Purlify

func Purlify(artifactName string, assetVersionName string) string

func QualifiersMapToString

func QualifiersMapToString(qualifiers map[string]string) string

func RemoveOriginTypePrefixIfExists

func RemoveOriginTypePrefixIfExists(origin string) (nodeType, string)

func SemverCompare

func SemverCompare(v1, v2 string) int

func SemverSort

func SemverSort(versions []string)

func SortStringsSlice

func SortStringsSlice(slice []string) []string

func StructuralCompareCdxBoms

func StructuralCompareCdxBoms(a, b *cdx.BOM) error

func ToPurlWithoutVersion

func ToPurlWithoutVersion(purl packageurl.PackageURL) string

Types

type CdxBom

// CdxBom is the package's in-memory representation of a CycloneDX BOM,
// organised as a tree of cdxBomNode values (see AddChild and friends).
// Construct it with FromCdxBom, FromComponents, FromVulnerabilities or
// MergeCdxBoms; EjectSBOM and EjectVex render it back into a cdx.BOM.
type CdxBom struct {
	// contains filtered or unexported fields
}

func FromCdxBom

func FromCdxBom(bom *cdx.BOM, artifactName, ref string, informationSource string) *CdxBom

func FromComponents

func FromComponents(assetSlug, artifactName, assetVersionName, assetVersionSlug, projectSlug, orgSlug, frontendURL string, components []CdxComponent, licenseOverwrites map[string]string) *CdxBom

func FromVulnerabilities

func FromVulnerabilities(assetSlug, artifactName, assetVersionName, assetVersionSlug, projectSlug, orgSlug, frontendURL string, vulns []cdx.Vulnerability) *CdxBom

func MergeCdxBoms

func MergeCdxBoms(metadata *cdx.Metadata, boms ...*CdxBom) *CdxBom

func (*CdxBom) AddChild

func (bom *CdxBom) AddChild(parent *TreeNode[cdxBomNode], child *TreeNode[cdxBomNode])

func (*CdxBom) AddDirectChildWhichInheritsChildren

func (bom *CdxBom) AddDirectChildWhichInheritsChildren(parent cdxBomNode, child cdxBomNode)

func (*CdxBom) AddSourceChildrenToTarget

func (bom *CdxBom) AddSourceChildrenToTarget(source *TreeNode[cdxBomNode], target *TreeNode[cdxBomNode])

func (*CdxBom) CalculateDepth

func (bom *CdxBom) CalculateDepth() map[string]int

func (*CdxBom) CountParentTypes

func (bom *CdxBom) CountParentTypes() map[string]map[nodeType]int

func (*CdxBom) EjectMinimalDependencyTree

func (bom *CdxBom) EjectMinimalDependencyTree() *minimalTreeNode

func (*CdxBom) EjectSBOM

func (bom *CdxBom) EjectSBOM(assetID *uuid.UUID) *cdx.BOM

func (*CdxBom) EjectVex

func (bom *CdxBom) EjectVex(assetID *uuid.UUID) *cdx.BOM

func (*CdxBom) GetAllParentNodes

func (bom *CdxBom) GetAllParentNodes(nodeID string) []string

func (*CdxBom) GetComponents

func (bom *CdxBom) GetComponents() *[]cdx.Component

func (*CdxBom) GetComponentsIncludingFakeNodes

func (bom *CdxBom) GetComponentsIncludingFakeNodes() *[]cdx.Component

func (*CdxBom) GetCsafRootPurls

func (bom *CdxBom) GetCsafRootPurls() []string

GetCsafRootPurls returns the direct children of the CSAF information-source nodes. CSAF advisories do not scope transitive dependencies, so these purls are the roots from which CVEs found via CSAF may be redistributed to the subtree reachable from them.

func (*CdxBom) GetDependencies

func (bom *CdxBom) GetDependencies() *[]cdx.Dependency

func (*CdxBom) GetDependenciesIncludingFakeNodes

func (bom *CdxBom) GetDependenciesIncludingFakeNodes() *[]cdx.Dependency

func (*CdxBom) GetDependenciesOfComponent

func (bom *CdxBom) GetDependenciesOfComponent(componentRef string) *cdx.Dependency

func (*CdxBom) GetDirectDependencies

func (bom *CdxBom) GetDirectDependencies() *[]cdx.Dependency

func (*CdxBom) GetInformationSourceNodes

func (bom *CdxBom) GetInformationSourceNodes() []*TreeNode[cdxBomNode]

func (*CdxBom) GetInformationSources

func (bom *CdxBom) GetInformationSources() []string

func (*CdxBom) GetMetadata

func (bom *CdxBom) GetMetadata() *cdx.Metadata

func (*CdxBom) GetTransitiveDependencies

func (bom *CdxBom) GetTransitiveDependencies() *[]cdx.Dependency

func (*CdxBom) GetVulnerabilities

func (bom *CdxBom) GetVulnerabilities() *[]cdx.Vulnerability

func (*CdxBom) InformationFromVexOrMultipleSBOMs

func (bom *CdxBom) InformationFromVexOrMultipleSBOMs() []string

func (*CdxBom) ReplaceOrAddInformationSourceNode

func (bom *CdxBom) ReplaceOrAddInformationSourceNode(subTree *TreeNode[cdxBomNode])

func (*CdxBom) ReplaceRoot

func (bom *CdxBom) ReplaceRoot(newRoot cdxBomNode)

type CdxComponent

// CdxComponent is the minimal view of a scanned component that FromComponents
// needs in order to build a CdxBom.
type CdxComponent interface {
	// GetPurl returns the package URL identifying this component.
	GetPurl() string
	// GetDependentPurl returns the purl of the component that depends on this
	// one, or nil — presumably nil means a direct dependency of the root;
	// confirm against callers.
	GetDependentPurl() *string
	// ToCdxComponent converts the component into its CycloneDX form.
	// componentLicenseOverwrites presumably maps a purl to a license string
	// that replaces the detected one — confirm against implementations.
	ToCdxComponent(componentLicenseOverwrites map[string]string) cdx.Component
}

type Node

// Node is the constraint for elements stored in a Tree: anything that can
// report a stable string identifier.
type Node interface {
	// GetID returns the element's identifier — presumably the value used as
	// the TreeNode ID and as the key of the dependency map passed to
	// BuildDependencyTree; confirm.
	GetID() string
}

type PurlMatchContext

// PurlMatchContext holds the parsed purl information used to match a
// component against advisory data; it is produced by ParsePurlForMatching.
type PurlMatchContext struct {
	// SearchPurl is the purl used for the lookup — presumably without its
	// version (compare ToPurlWithoutVersion); confirm.
	SearchPurl                  string
	// NormalizedVersion is the version string rewritten for comparison —
	// presumably via ConvertToSemver when that succeeds; confirm.
	NormalizedVersion           string
	// HowToInterpretVersionString says how NormalizedVersion is to be compared
	// (exact, semver range, empty, or ecosystem specific).
	HowToInterpretVersionString VersionInterpretationType
	// Qualifiers are the purl qualifiers (such as a distro qualifier) carried
	// along so a match can be narrowed further.
	Qualifiers                  packageurl.Qualifiers
	// Namespace is the purl namespace (for example the Maven group, the npm
	// scope, or the distribution for deb/apk purls).
	Namespace                   string
}

PurlMatchContext holds the parsed purl information used for matching a component against the vulnerability database; it is produced by ParsePurlForMatching.

func ParsePurlForMatching

func ParsePurlForMatching(purl packageurl.PackageURL) *PurlMatchContext

ParsePurlForMatching parses a purl, including its version component, into a PurlMatchContext suitable for database matching.

type Tree

// Tree is a dependency tree of Elements, each addressed by the string ID it
// reports through Node.GetID. Build one with BuildDependencyTree.
type Tree[Element Node] struct {
	// Root is the entry point of the tree; it is serialised under the JSON
	// key "root".
	Root *TreeNode[Element] `json:"root"`
	// contains filtered or unexported fields
}

func BuildDependencyTree

func BuildDependencyTree[Element Node](root Element, elements []Element, depMap map[string][]string) Tree[Element]

func (*Tree[Element]) AddChild

func (tree *Tree[Element]) AddChild(parent *TreeNode[Element], child *TreeNode[Element])

func (*Tree[Element]) AddDirectChildWhichInheritsChildren

func (tree *Tree[Element]) AddDirectChildWhichInheritsChildren(parent Element, child Element)

func (*Tree[Element]) AddSourceChildrenToTarget

func (tree *Tree[Element]) AddSourceChildrenToTarget(source *TreeNode[Element], target *TreeNode[Element])

func (*Tree[Data]) Reachable

func (tree *Tree[Data]) Reachable(id string) bool

func (*Tree[Data]) RenderToMermaid

func (tree *Tree[Data]) RenderToMermaid() string

func (*Tree[Element]) ReplaceNode

func (tree *Tree[Element]) ReplaceNode(old *TreeNode[Element], new *TreeNode[Element])

func (*Tree[Element]) ReplaceRoot

func (tree *Tree[Element]) ReplaceRoot(node Element)

func (*Tree[Element]) ReplaceSubtree

func (tree *Tree[Element]) ReplaceSubtree(other *TreeNode[Element])

func (*Tree[Element]) Visitable

func (tree *Tree[Element]) Visitable() ([]string, []string)

type TreeNode

// TreeNode is one node of a Tree: an identifier plus its child nodes.
type TreeNode[Element Node] struct {
	// ID identifies the node. NOTE: it is serialised under the JSON key
	// "name", not "id" — presumably to suit a front-end tree renderer.
	// Changing the tag is a wire-format change for anything consuming the
	// JSON form.
	ID       string               `json:"name"`
	// Children are the nodes directly below this one.
	Children []*TreeNode[Element] `json:"children"`
	// contains filtered or unexported fields
}

type VersionInterpretationType

// VersionInterpretationType tells a matcher how a component's version string
// is to be compared against an advisory's affected versions.
type VersionInterpretationType string

const (
	// ExactVersionString: the version must match an advisory version exactly.
	ExactVersionString       VersionInterpretationType = "exact"
	// SemanticVersionString: the version is in semver form and can be
	// range-compared against introduced/fixed bounds (see CheckVersion).
	SemanticVersionString    VersionInterpretationType = "semver_range"
	// EmptyVersion: no version is available, so version-based matching is
	// not possible — presumably callers then match on the package alone or
	// skip; confirm. Treat results for such components as lower confidence.
	EmptyVersion             VersionInterpretationType = "empty_version"
	// EcosystemSpecificVersion: the version follows an ecosystem's own scheme
	// (e.g. Debian epochs and revisions) and needs an ecosystem-aware
	// comparison instead of semver.
	EcosystemSpecificVersion VersionInterpretationType = "ecosystem_specific"
)
