engine

package v0.7.0

Warning: This package is not in the latest version of its module.

Published: Jun 2, 2026 License: GPL-2.0, GPL-2.0-only Imports: 34 Imported by: 0

Documentation

Overview

Package engine coordinates the scanning workflow by managing language detection, rule loading, scanner execution, and result processing.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AssignFindingIDs added in v0.4.0

func AssignFindingIDs(report *entities.InterimReport)

AssignFindingIDs ensures every finding asset in the report has a stable short hash suitable for joining the main report to the callgraph export.

func ComputeRulesHash added in v0.4.0

func ComputeRulesHash(rulePaths []string) (string, error)

ComputeRulesHash computes a SHA-256 hash of the sorted rule file contents. The hash is truncated to 16 hex characters. This captures rule content changes so the cache invalidates when rules are edited even if filenames stay the same.
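As an added illustration of the contract described above (this is example code written for this page, not the engine package's own implementation), the following sorts the rule file contents, hashes them with SHA-256 and keeps the first 16 hex characters. Two details are assumptions, because the page does not fix them: the contents (not the paths) are sorted, which makes the hash depend only on what the rules say, so renaming or reordering files does not invalidate the cache while editing any rule does; and each entry is length-prefixed before hashing, because hashing a plain concatenation would let different splits of the same bytes produce the same hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// rulesHashLen is the number of hex characters kept from the SHA-256 digest,
// matching the 16-character truncation described for ComputeRulesHash.
const rulesHashLen = 16

// computeRulesHash reads every rule file, sorts the contents (assumption: the
// real function may sort paths instead) and hashes them with a length prefix
// per entry so the digest is unambiguous over the set of rule texts.
func computeRulesHash(rulePaths []string) (string, error) {
	contents := make([]string, 0, len(rulePaths))
	for _, p := range rulePaths {
		data, err := os.ReadFile(p)
		if err != nil {
			return "", fmt.Errorf("read rule file %q: %w", p, err)
		}
		contents = append(contents, string(data))
	}
	sort.Strings(contents)

	h := sha256.New()
	var lenBuf [8]byte
	for _, c := range contents {
		// Length-prefix each entry: without it {"ab","c"} and {"a","bc"}
		// would hash to the same bytes.
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(c)))
		h.Write(lenBuf[:])
		h.Write([]byte(c))
	}
	return hex.EncodeToString(h.Sum(nil))[:rulesHashLen], nil
}

func main() {
	// Constructed sample rule files in a scratch directory.
	dir, err := os.MkdirTemp("", "rules-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	a := filepath.Join(dir, "aes.yaml")
	b := filepath.Join(dir, "rsa.yaml")
	_ = os.WriteFile(a, []byte("id: aes-ecb\n"), 0o600)
	_ = os.WriteFile(b, []byte("id: rsa-1024\n"), 0o600)
	before, _ := computeRulesHash([]string{a, b})
	// Editing a rule changes the hash even though the filenames are unchanged.
	_ = os.WriteFile(b, []byte("id: rsa-2048\n"), 0o600)
	after, _ := computeRulesHash([]string{b, a})
	fmt.Println(before, after, before == after)
}
```

The check that matters for cache safety is the last one in `main`: the same filenames with different rule text must yield a different key, otherwise stale findings would be served after a rule update.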

func EnsureFindingSources added in v0.4.0

func EnsureFindingSources(report *entities.InterimReport)

EnsureFindingSources normalizes finding source attribution by defaulting any un-attributed finding asset to direct source.

func EnsureSchema added in v0.4.0

func EnsureSchema(ctx context.Context, pool *pgxpool.Pool, table string) error

EnsureSchema creates the findings_cache table on first run and is a no-op when the table already exists. It is safe to call repeatedly and from multiple processes.

Types

type DepScanOptions added in v0.4.0

type DepScanOptions struct {
	// ScanOptions are the base scan options to reuse for each dependency scan.
	ScanOptions ScanOptions
	// Workers is the number of concurrent dependency scans (0 = default to NumCPU/2, capped at 8).
	Workers int
}

DepScanOptions configures the dependency scanning behavior.

type DepScanResult added in v0.4.0

type DepScanResult struct {
	Report       *entities.InterimReport
	CallGraph    *callgraph.CallGraph
	RootModule   string
	Ecosystem    string
	ProjectRoot  string
	Dependencies []dependency.Dependency
}

DepScanResult holds the aggregated result of the dependency scanning pipeline. It surfaces the crypto-scoped call graph so callers can export or inspect it.

type DependencyScanner added in v0.4.0

type DependencyScanner struct {
	// contains filtered or unexported fields
}

DependencyScanner coordinates dependency resolution, scanning, call graph construction, and finding attribution.

func NewDependencyScanner added in v0.4.0

func NewDependencyScanner(
	orchestrator *Orchestrator,
	resolver dependency.Resolver,
	cgBuilder *callgraph.Builder,
	findingsCache FindingsCache,
) *DependencyScanner

NewDependencyScanner creates a new dependency scanner. The optional findingsCache, if non-nil, is used to skip rescanning dependencies whose results are already cached (keyed by module@version + rules hash).

func (*DependencyScanner) ScanWithDependencies added in v0.4.0

func (ds *DependencyScanner) ScanWithDependencies(
	ctx context.Context,
	userReport *entities.InterimReport,
	opts DepScanOptions,
) (*DepScanResult, error)

ScanWithDependencies performs the full dependency scanning pipeline:

  1. Resolve dependencies to source paths
  2. Pre-load and filter rules by ecosystem language
  3. Scan each dependency's source code in parallel
  4. Build a call graph across user code + dependencies with findings
  5. Trace each dependency crypto finding back to user code
  6. Merge attributed findings into the user report

type DiskFindingsCache added in v0.4.0

type DiskFindingsCache struct {
	// contains filtered or unexported fields
}

DiskFindingsCache implements FindingsCache using local JSON files.

func NewDiskFindingsCache added in v0.4.0

func NewDiskFindingsCache() (*DiskFindingsCache, error)

NewDiskFindingsCache creates a new disk-based findings cache under ~/.scanoss/crypto-finder/cache/findings/.

func NewDiskFindingsCacheWithDir added in v0.4.0

func NewDiskFindingsCacheWithDir(dir string) (*DiskFindingsCache, error)

NewDiskFindingsCacheWithDir creates a disk-based findings cache at a custom directory. Useful for testing.

func (*DiskFindingsCache) Get added in v0.4.0

Get retrieves a cached report by key. Corrupted cache files are treated as cache misses and are removed.

func (*DiskFindingsCache) Put added in v0.4.0

Put stores a report in the cache using an atomic write-then-rename flow.

type FindingsCache added in v0.4.0

type FindingsCache interface {
	// Get retrieves cached scan results for the given cache key.
	// Returns the report and true if found, or nil and false if not cached.
	Get(ctx context.Context, key string) (*entities.InterimReport, bool, error)

	// Put stores scan results under the given cache key.
	Put(ctx context.Context, key string, report *entities.InterimReport) error
}

FindingsCache stores and retrieves scan results for dependencies. Implementations can back this with disk, memory, Redis, S3, etc.
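To make the interface concrete, here is an added example (not the engine package's DiskFindingsCache) that implements the same Get/Put shape with the semantics documented for the disk backend: a corrupted entry is treated as a miss and removed, and Put uses a write-then-rename flow so a concurrent reader never sees a half-written file. It also builds the module@version + rules hash key mentioned for NewDependencyScanner. Assumptions are labelled in the code: the report type is a stand-in for `entities.InterimReport`, the `+` separator in the key is invented, and the on-disk file name is the SHA-256 of the key so that module paths containing `/` or `..` cannot escape the cache directory.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// interimReport is a stand-in for entities.InterimReport; the real type's
// fields are not shown on the page, only that it is stored as JSON.
type interimReport struct {
	Findings []string `json:"findings"`
}

// findingsCache mirrors the page's FindingsCache interface with the stand-in type.
type findingsCache interface {
	Get(ctx context.Context, key string) (*interimReport, bool, error)
	Put(ctx context.Context, key string, report *interimReport) error
}

// cacheKey joins module@version with the rules hash so a rule edit produces a
// different key. The "+" separator is an assumption.
func cacheKey(module, version, rulesHash string) string {
	return module + "@" + version + "+" + rulesHash
}

type diskFindingsCache struct{ dir string }

func newDiskFindingsCacheWithDir(dir string) (*diskFindingsCache, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	return &diskFindingsCache{dir: dir}, nil
}

// path derives the file name from a hash of the key, so untrusted key content
// (module paths contain "/", and could contain "..") never becomes a path component.
func (c *diskFindingsCache) path(key string) string {
	sum := sha256.Sum256([]byte(key))
	return filepath.Join(c.dir, hex.EncodeToString(sum[:])+".json")
}

func (c *diskFindingsCache) Get(_ context.Context, key string) (*interimReport, bool, error) {
	p := c.path(key)
	data, err := os.ReadFile(p)
	if errors.Is(err, os.ErrNotExist) {
		return nil, false, nil
	}
	if err != nil {
		return nil, false, err
	}
	var r interimReport
	if err := json.Unmarshal(data, &r); err != nil {
		// Corrupted entry: report a miss and drop the file so the next Put replaces it.
		_ = os.Remove(p)
		return nil, false, nil
	}
	return &r, true, nil
}

func (c *diskFindingsCache) Put(_ context.Context, key string, report *interimReport) error {
	data, err := json.Marshal(report)
	if err != nil {
		return err
	}
	// Write to a temp file in the same directory, then rename over the target.
	// Rename is atomic on POSIX filesystems, so readers see either the old
	// complete entry or the new one, never a partial write.
	tmp, err := os.CreateTemp(c.dir, ".tmp-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	return os.Rename(tmpName, c.path(key))
}

var _ findingsCache = (*diskFindingsCache)(nil)

func main() {
	c, err := newDiskFindingsCacheWithDir(filepath.Join(os.TempDir(), "crypto-finder-demo"))
	if err != nil {
		fmt.Println(err)
		return
	}
	ctx := context.Background()
	key := cacheKey("github.com/example/dep", "v1.2.3", "0123456789abcdef") // constructed values
	_ = c.Put(ctx, key, &interimReport{Findings: []string{"aes-cbc"}})
	r, ok, _ := c.Get(ctx, key)
	fmt.Println(key, ok, r.Findings)
}
```

Deleting a corrupted entry in Get rather than returning an error is what keeps a single bad file from permanently poisoning one dependency's cache slot; the cost is one extra rescan, after which Put overwrites it.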

type Orchestrator

type Orchestrator struct {
	// contains filtered or unexported fields
}

Orchestrator coordinates the entire scanning workflow. It manages language detection, rule loading, scanner execution, and result processing.

func NewOrchestrator

func NewOrchestrator(
	langDetector language.Detector,
	rulesManager *rules.Manager,
	scannerReg *scanner.Registry,
) *Orchestrator

NewOrchestrator creates a new orchestrator with the required dependencies.

func (*Orchestrator) Scan

Scan orchestrates the complete scanning workflow.

Workflow:

  1. Detect languages (or use hint if provided)
  2. Load rules from manager
  3. Get scanner from registry
  4. Initialize scanner
  5. Execute scan with loaded rule paths
  6. Process and enrich results

Returns the final interim report or an error if any step fails.

type PostgresCacheOption added in v0.4.0

type PostgresCacheOption func(*PostgresFindingsCache)

PostgresCacheOption configures a PostgresFindingsCache at construction time.

func WithTableName added in v0.4.0

func WithTableName(name string) PostgresCacheOption

WithTableName overrides the default findings_cache table name. The provided name must match a SQL identifier pattern; invalid names cause the option to be ignored and the cache to fall back to the default table.
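The validation described above matters because a table name cannot be bound as a query parameter; it is interpolated into the `CREATE TABLE` and `INSERT` text, so checking that it is a plain identifier is what stands between a caller-supplied string and SQL injection. The following added example (not the engine package's own WithTableName) shows the functional-option pattern with that check, keeping the default table when the name is rejected. The regular expression (a letter or underscore followed by up to 62 letters, digits or underscores, i.e. an unquoted Postgres identifier) and the column layout in `ensureSchemaSQL` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// defaultTable matches the default table name stated on the page.
const defaultTable = "findings_cache"

// sqlIdentifier accepts an unquoted Postgres identifier: a letter or underscore
// followed by letters, digits or underscores, at most 63 bytes in total.
// Assumption: the real option applies a comparable pattern. Schema-qualified
// names such as "public.cache" are rejected on purpose; quoting would be needed.
var sqlIdentifier = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// postgresFindingsCache is a stand-in holding only the field the option touches.
type postgresFindingsCache struct{ table string }

type postgresCacheOption func(*postgresFindingsCache)

// withTableName validates the name before it can ever reach a SQL string.
// An invalid name is ignored and the cache keeps the default table.
func withTableName(name string) postgresCacheOption {
	return func(c *postgresFindingsCache) {
		if sqlIdentifier.MatchString(name) {
			c.table = name
		}
	}
}

func newPostgresFindingsCache(opts ...postgresCacheOption) *postgresFindingsCache {
	c := &postgresFindingsCache{table: defaultTable}
	for _, o := range opts {
		o(c)
	}
	return c
}

// ensureSchemaSQL shows where the identifier ends up: it is the only value in
// the statement that cannot be a bind parameter. Column layout is illustrative.
func (c *postgresFindingsCache) ensureSchemaSQL() string {
	return fmt.Sprintf(
		"CREATE TABLE IF NOT EXISTS %s (key TEXT PRIMARY KEY, version INT NOT NULL, payload JSONB NOT NULL)",
		c.table,
	)
}

func main() {
	ok := newPostgresFindingsCache(withTableName("tenant_a_findings"))
	bad := newPostgresFindingsCache(withTableName(`cache"; DROP TABLE findings_cache; --`))
	fmt.Println(ok.table, "|", bad.table)
	fmt.Println(ok.ensureSchemaSQL())
}
```

Because the option silently falls back rather than failing, a deployment that passes a rejected name will quietly share the default table; logging the rejection at construction time is a reasonable addition when multiple tenants are expected to use distinct tables.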

type PostgresFindingsCache added in v0.4.0

type PostgresFindingsCache struct {
	// contains filtered or unexported fields
}

PostgresFindingsCache stores InterimReport entries in a Postgres table, providing a multi-process-safe FindingsCache implementation suitable for fleet-wide deployments where multiple workers share a single cache.

func NewPostgresFindingsCache added in v0.4.0

func NewPostgresFindingsCache(pool *pgxpool.Pool, opts ...PostgresCacheOption) *PostgresFindingsCache

NewPostgresFindingsCache returns a cache backed by the provided pool. The pool is borrowed, not owned: callers are responsible for closing it.

func (*PostgresFindingsCache) Get added in v0.4.0

Get retrieves a cached report by key. Returns (nil, false, nil) for unknown keys, version mismatches, or rows whose payload fails to unmarshal — the disk implementation has the same semantics, so callers cannot distinguish the backends.

func (*PostgresFindingsCache) Put added in v0.4.0

Put stores or updates a report by key. Concurrent calls with the same key are safe: the upsert resolves any race to a single row whose contents reflect one of the racing payloads.

type Processor

type Processor struct{}

Processor handles result aggregation and enrichment. For MVP, it performs basic validation and metadata enrichment.

func NewProcessor

func NewProcessor() *Processor

NewProcessor creates a new result processor.

func (*Processor) Process

func (p *Processor) Process(report *entities.InterimReport, _ []string, targetDir string) (*entities.InterimReport, error)

Process enriches and validates the scan results.

Current processing:

  • Validates report structure
  • Ensures all required fields are present

type ScanOptions

type ScanOptions struct {
	// Target is the directory or file to scan
	Target string

	// ScannerName is the name of the scanner to use (e.g., "semgrep")
	ScannerName string

	// LanguageHint allows manual override of language detection (from --languages flag)
	LanguageHint []string

	// ScannerConfig contains scanner-specific configuration
	ScannerConfig scanner.Config

	// RulePaths, when non-nil, bypasses the rules manager and uses these paths directly.
	// This is used by the dependency scanner to pass pre-loaded, language-filtered rules.
	RulePaths []string

	// JavaRuntime controls Java-specific dependency resolution and bytecode type enrichment.
	JavaRuntime javaruntime.Config

	// JavaRuntimeCacheToken partitions dependency scan caches by Java runtime selection.
	JavaRuntimeCacheToken string
}

ScanOptions contains all configuration options for a scan operation.
