// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package extractor provides the common interface for standalone and filesystem extractors.
//
// It also defines Package, the inventory record that extractors emit, and the
// accessors that derive a Package URL and an OSV ecosystem from it.
package extractor

import (
	"github.com/google/osv-scalibr/inventory/osvecosystem"
	"github.com/google/osv-scalibr/inventory/vex"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scalibr/purl"
)

// Extractor is the common interface of inventory extraction plugins.
// It adds no methods of its own beyond plugin.Plugin; the filesystem and
// standalone extractor interfaces build on top of it.
type Extractor interface {
	plugin.Plugin
}

// LINT.IfChange
//
// The types between this marker and LINT.ThenChange below are mirrored in
// /binary/proto/scan_result.proto; a field added, removed or renamed here needs
// the matching proto change.

// SourceCodeIdentifier lists additional identifiers for source code software packages (e.g. NPM).
type SourceCodeIdentifier struct {
	// Repo identifies the package's source repository. The exact format (full
	// URL vs. shorthand) is left to the extractor that populates it — confirm per extractor.
	Repo string
	// Commit is the source revision identifier as reported by the extractor;
	// its format (e.g. full vs. abbreviated hash) is extractor-specific.
	Commit string
}

// Package is an instance of a software package or library found by the extractor.
//
// TODO(b/400910349): Currently package is also used to store non-package data
// like open ports. Move these into their own dedicated types.
// TODO(b/400910349): Move from extractor into a separate package such as inventory.
type Package struct {
	// A human-readable name representation of the package. Note that this field
	// should only be used for things like logging as different packages can have
	// multiple different types of names (e.g. .deb packages have a source name
	// and a binary name), in which case we arbitrarily pick one of them to use here.
	// In cases when the exact name type used is important (e.g. when matching
	// against vuln feeds) you should use the specific name field from the Metadata.
	Name string
	// The version of this package.
	Version string
	// Source code level package identifiers. May be nil; check before dereferencing.
	SourceCode *SourceCodeIdentifier
	// Paths or source of files related to the package.
	// NOTE(review): presumably populated from the scanned content itself, so
	// treat these strings as data to report, not as trusted paths to act on — confirm per extractor.
	Locations []string
	// The PURL type of this package, e.g. "pypi". Used for purl generation (see PURL).
	PURLType string
	// The names of the Plugins that found this software instance. Set by the core library.
	Plugins []string
	// Signals to indicate that specific vulnerabilities are not applicable to this package.
	ExploitabilitySignals []*vex.PackageExploitabilitySignal
	// Details about the layer that the package was attributed to. May be nil.
	LayerMetadata *LayerMetadata
	// The additional data found in the package. The concrete type depends on the
	// extractor that produced the package; consult that extractor's metadata type
	// before asserting on it.
	Metadata any
	// License information of this package.
	Licenses []string
	// If true, the package version is deprecated (e.g. yanked, unpublished, deprecated).
	Deprecated bool
}

// PURL returns the Package URL of this package.
// The conversion is delegated to toPURL, a package-level helper defined
// elsewhere in this package.
func (p *Package) PURL() *purl.PackageURL {
	return toPURL(p)
}

// Ecosystem returns the Ecosystem of the package. For software packages this corresponds
// to an OSV ecosystem value, e.g. PyPI.
// Like PURL, this delegates to a package-level helper (toEcosystem) defined
// elsewhere in this package.
func (p *Package) Ecosystem() osvecosystem.Parsed {
	return toEcosystem(p)
}

// LINT.ThenChange(/binary/proto/scan_result.proto)