Documentation
Overview
Package scan contains reusable scan utilities shared by CLI commands.
Index
- func BuildAnnotateExport(report *entities.InterimReport, fragment graphfrag.Fragment) graphfrag.GraphFragmentExport
- func BuildGraphFragmentExport(result *engine.DepScanResult) graphfrag.GraphFragmentExport
- func CountFindings(report *entities.InterimReport) int
- func DetectEcosystem(target string) string
- func DetectRootModule(targetDir, ecosystem string) string
- func ExportCallGraph(path, format string, result *engine.DepScanResult) error
- func ExportGraphFragment(path, format string, result *engine.DepScanResult) error
- func MarshalAnnotateExport(payload *graphfrag.GraphFragmentExport) ([]byte, error)
- func ParseDuration(s string) (time.Duration, error)
- func PrintSummary(outputPath string, filesCount, findingsCount int) error
- func ValidateFlags(target string, opts ValidationOptions) ([]string, error)
- func WriteAnnotateExport(path string, payload *graphfrag.GraphFragmentExport) error
- type ValidationOptions
Constants
This section is empty.
Variables
This section is empty.
Functions
func BuildAnnotateExport (added in v0.8.0)
func BuildAnnotateExport(report *entities.InterimReport, fragment graphfrag.Fragment) graphfrag.GraphFragmentExport
BuildAnnotateExport produces a graph-fragment export carrying ONLY scan_metadata + crypto_annotations, mapping each crypto finding in report to its containing function using the imported (cached) structural fragment.
This is the annotate-only path: it runs after a detection-only scan (no callgraph build, the expensive ~95% of a scan) so a rules refresh can re-annotate a component against its already-cached structure.
Invariant: for the SAME source + rules, the crypto_annotations here are byte-identical to what a full `scan --export-graph-fragment` emits. This holds because:
- the detection-derived fields (finding_id, rule_id, expression, file_path, line range, oid, source, metadata, matched_operation) come from the SAME builder the full exporter uses (buildBaseGraphFragmentCryptoAnnotation);
- function_key is recovered from the imported fragment's function line ranges, which were produced by the same scan that the full export read its containing function from;
- crypto_call and the call-resolved Symbol override are carried verbatim from the imported fragment's matching CryptoOperation (joined by finding_id) — the full export already computed those from the live graph, so reusing them avoids both rebuilding the callgraph and any drift.
Functions, internal_edges, and external_calls are intentionally left empty: the structure lives in the imported fragment and is not rebuilt here.
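As an added illustration (not the package's own code) of how function_key is recovered from the imported fragment's function line ranges, using hypothetical simplified stand-ins FragmentFunction and CryptoFinding for the real graphfrag and entities types:

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for an imported fragment's function entry
// (function_key plus inclusive source line range) and a detection-only finding.
type FragmentFunction struct {
	Key, FilePath      string
	StartLine, EndLine int
}
type CryptoFinding struct {
	FindingID, FilePath string
	Line                int
}

// ContainingFunctionKey returns the key of the innermost fragment function whose
// line range contains the finding's line in the same file, or "" if none does.
func ContainingFunctionKey(funcs []FragmentFunction, f CryptoFinding) string {
	key, span := "", -1
	for _, fn := range funcs {
		if fn.FilePath != f.FilePath || f.Line < fn.StartLine || f.Line > fn.EndLine {
			continue
		}
		// Prefer the tightest range so a finding inside a closure maps to the
		// closure rather than to the enclosing function.
		if w := fn.EndLine - fn.StartLine; span < 0 || w < span {
			key, span = fn.Key, w
		}
	}
	return key
}

// RecoverFunctionKeys maps each finding_id to its recovered function_key; the
// finding_id is the join key later used against the fragment's CryptoOperations.
func RecoverFunctionKeys(funcs []FragmentFunction, findings []CryptoFinding) map[string]string {
	out := make(map[string]string, len(findings))
	for _, f := range findings {
		out[f.FindingID] = ContainingFunctionKey(funcs, f)
	}
	return out
}

func main() {
	// Constructed sample: a top-level function containing a closure.
	funcs := []FragmentFunction{
		{Key: "pkg.Encrypt", FilePath: "crypto.go", StartLine: 10, EndLine: 40},
		{Key: "pkg.Encrypt.func1", FilePath: "crypto.go", StartLine: 20, EndLine: 25},
	}
	fmt.Println(RecoverFunctionKeys(funcs, []CryptoFinding{{"f-1", "crypto.go", 22}, {"f-2", "crypto.go", 3}}))
}
```

A finding that lies outside every function range (package-level code) gets an empty key rather than being dropped, so the annotation count still matches the detection report.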
func BuildGraphFragmentExport (added in v0.6.0)
func BuildGraphFragmentExport(result *engine.DepScanResult) graphfrag.GraphFragmentExport
BuildGraphFragmentExport projects a dependency scan result onto the public graph-fragment export schema.
func CountFindings
func CountFindings(report *entities.InterimReport) int
CountFindings counts total cryptographic assets across all findings.
func DetectEcosystem
DetectEcosystem checks the target directory for known manifest files and returns the corresponding ecosystem name ("go", "python", "java", "rust"). It returns an empty string if no ecosystem is detected.
Polyglot resolution: when a pyproject.toml declares a Python package (via [project] / [tool.*] / PEP 517 build backend), it wins over Cargo.toml — this captures Python packages that embed Rust via PyO3, maturin or setuptools-rust (pyca/cryptography, pydantic-core, orjson, polars, ...). Polyglot conflicts outside the Python↔Rust pair are not disambiguated here; they keep the original precedence (Go → Java → Rust → Python fallback).
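The precedence and the Python-over-Rust override described above, as an added example that is not the package's own implementation; the manifest file names (go.mod, pom.xml, build.gradle, Cargo.toml, pyproject.toml, requirements.txt) and the line-based pyproject.toml check are assumptions, and the directory is passed as an fs.FS so it can be exercised in memory:

```go
package main

import (
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Manifest precedence Go → Java → Rust → Python per the docs; file names are assumptions.
var manifestOrder = []struct{ file, eco string }{{"go.mod", "go"}, {"pom.xml", "java"},
	{"build.gradle", "java"}, {"Cargo.toml", "rust"}, {"pyproject.toml", "python"}, {"requirements.txt", "python"}}

// pyprojectDeclaresPackage reports whether pyproject.toml declares a Python package:
// a [project] table, a [tool.*] table, or a PEP 517 build-backend (line heuristic, not a TOML parse).
func pyprojectDeclaresPackage(content string) bool {
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "[project]" || strings.HasPrefix(line, "[tool.") || strings.HasPrefix(line, "build-backend") {
			return true
		}
	}
	return false
}

// DetectEcosystem walks the precedence list; only at the Cargo.toml step can a
// package-declaring pyproject.toml win, so a Go or Java manifest still takes priority.
func DetectEcosystem(dir fs.FS) string {
	exists := func(name string) bool { _, err := fs.Stat(dir, name); return err == nil }
	for _, m := range manifestOrder {
		if !exists(m.file) {
			continue
		}
		if m.file == "Cargo.toml" && exists("pyproject.toml") {
			if b, err := fs.ReadFile(dir, "pyproject.toml"); err == nil && pyprojectDeclaresPackage(string(b)) {
				return "python" // PyO3 / maturin / setuptools-rust layout
			}
		}
		return m.eco
	}
	return "" // no known manifest
}

func main() {
	tree := fstest.MapFS{ // constructed sample: maturin-built Python package embedding Rust
		"Cargo.toml":     {Data: []byte("[package]\nname = \"demo\"\n")},
		"pyproject.toml": {Data: []byte("[build-system]\nbuild-backend = \"maturin\"\n")},
	}
	fmt.Println(DetectEcosystem(tree)) // python
}
```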
func DetectRootModule
DetectRootModule returns a best-effort root module/package name for callgraph export. It is manifest-based when possible and falls back to the target directory name.
func ExportCallGraph
func ExportCallGraph(path, format string, result *engine.DepScanResult) error
ExportCallGraph writes a finding-centric call graph export (schema v4.3).
func ExportGraphFragment (added in v0.6.0)
func ExportGraphFragment(path, format string, result *engine.DepScanResult) error
ExportGraphFragment writes the dependency scan result's call graph as a graph-fragment export in the requested format.
func MarshalAnnotateExport (added in v0.8.0)
func MarshalAnnotateExport(payload *graphfrag.GraphFragmentExport) ([]byte, error)
MarshalAnnotateExport serializes an annotate-only graph-fragment export as indented JSON, matching the formatting of ExportGraphFragment.
func ParseDuration
ParseDuration parses a duration string supporting standard Go formats plus:
- "d" for days (e.g., "30d" = 720 hours)
- "w" for weeks (e.g., "2w" = 336 hours)
Standard formats (ns, us, ms, s, m, h) are parsed by time.ParseDuration.
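A parser with the behaviour described above, as an added example rather than the package's own implementation; it assumes a "d" or "w" suffix applies to a single (possibly fractional) number and rejects values that would overflow time.Duration:

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// ParseDuration accepts the standard Go units (ns, us, ms, s, m, h) through
// time.ParseDuration, plus a trailing "d" (24h) or "w" (168h) on a single number.
func ParseDuration(s string) (time.Duration, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		return 0, errors.New("empty duration")
	}
	var unit time.Duration
	switch s[len(s)-1] {
	case 'd':
		unit = 24 * time.Hour
	case 'w':
		unit = 7 * 24 * time.Hour
	default:
		// Anything else ("30m", "1h30m", "500ms") is standard Go syntax.
		return time.ParseDuration(s)
	}
	// Fractional values such as "1.5d" are allowed; "d" alone or "xd" is rejected.
	n, err := strconv.ParseFloat(s[:len(s)-1], 64)
	if err != nil {
		return 0, fmt.Errorf("invalid duration %q: %w", s, err)
	}
	// Guard against NaN/Inf and int64 overflow before converting.
	if math.IsNaN(n) || math.Abs(n)*float64(unit) > math.MaxInt64 {
		return 0, fmt.Errorf("duration %q out of range", s)
	}
	return time.Duration(n * float64(unit)), nil
}

func main() {
	for _, in := range []string{"30d", "2w", "1.5d", "1h30m", "d"} {
		d, err := ParseDuration(in)
		fmt.Printf("%-6s -> %v %v\n", in, d, err)
	}
}
```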
func PrintSummary
PrintSummary displays the scan summary in a user-friendly format.
func ValidateFlags
func ValidateFlags(target string, opts ValidationOptions) ([]string, error)
ValidateFlags validates scan inputs and returns normalized language hints.
func WriteAnnotateExport (added in v0.8.0)
func WriteAnnotateExport(path string, payload *graphfrag.GraphFragmentExport) error
WriteAnnotateExport writes an annotate-only graph-fragment export to path as indented JSON, matching the formatting of ExportGraphFragment.
Types
type ValidationOptions
type ValidationOptions struct {
	RuleFiles        []string
	RuleDirs         []string
	NoRemoteRules    bool
	Scanner          string
	AllowedScanners  []string
	Interfile        bool
	InterfileScanner string
	Format           string
	SupportedFormats []string
	Languages        []string
	ScanDependencies bool
	ExportCallgraph  string
}
ValidationOptions contains scan flag values required for validation.