github.com/google/osv-scalibr@v0.4.1/guidedremediation/internal/strategy/relax/relaxer/relaxer.go

github.com/google/osv-scalibr@v0.4.1/guidedremediation/internal/strategy/relax/relaxer/relaxer.go (about)

     1  // Copyright 2025 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package relaxer implements requirement specification relaxation for ecosystems.
    16  package relaxer
    17  
    18  import (
    19  	"context"
    20  	"errors"
    21  
    22  	"deps.dev/util/resolve"
    23  	"github.com/google/osv-scalibr/guidedremediation/upgrade"
    24  )
    25  
    26  // A RequirementRelaxer provides an ecosystem-specific method for 'relaxing' the
    27  // specified versions of dependencies for vulnerability remediation.
    28  // Relaxing involves incrementally widening and bumping the version specifiers
    29  // of the requirement to allow more recent versions to be selected during
    30  // dependency resolution.
    31  // It has access to the available versions of a package via a resolve client.
    32  //
    33  // e.g. in a semver-like ecosystem, relaxation could follow the sequence:
    34  // 1.2.3 -> 1.2.* -> 1.*.* -> 2.*.* -> 3.*.* -> ...
    35  type RequirementRelaxer interface {
    36  	// Relax attempts to relax import requirement.
    37  	// Returns the newly relaxed import and true it was successful.
    38  	// If unsuccessful, it returns the original import and false.
    39  	Relax(ctx context.Context, cl resolve.Client, req resolve.RequirementVersion, config upgrade.Config) (resolve.RequirementVersion, bool)
    40  }
    41  
    42  // ForEcosystem returns the RequirementRelaxer for the specified ecosystem.
    43  func ForEcosystem(ecosystem resolve.System) (RequirementRelaxer, error) {
    44  	switch ecosystem {
    45  	case resolve.NPM:
    46  		return NpmRelaxer{}, nil
    47  	case resolve.PyPI:
    48  		return PythonRelaxer{}, nil
    49  	case resolve.Maven, resolve.UnknownSystem:
    50  		fallthrough
    51  	default:
    52  		return nil, errors.New("unsupported ecosystem")
    53  	}
    54  }