// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package options has the configuration options for guided remediation.
package options

import (
	"context"

	"deps.dev/util/resolve"
	"github.com/google/osv-scalibr/clients/datasource"
	"github.com/google/osv-scalibr/enricher"
	"github.com/google/osv-scalibr/guidedremediation/strategy"
	"github.com/google/osv-scalibr/guidedremediation/upgrade"
)

// DependencyCachePopulator pre-warms the cache of a resolve.Client.
//
// PopulateCache is invoked before the initial resolution of a manifest, with
// that manifest's requirements and its on-disk path. How the cache is filled
// is entirely up to the implementation. The method returns nothing, so any
// failure while populating cannot be reported to the caller; implementations
// must cope with it internally (e.g. by leaving the cache cold).
type DependencyCachePopulator interface {
	PopulateCache(ctx context.Context, c resolve.Client, requirements []resolve.RequirementVersion, manifestPath string)
}

// FixVulnsOptions configures guidedremediation.FixVulns().
//
// The embedded RemediationOptions select which vulnerabilities are in scope
// and which upgrades are permitted; the remaining fields name the files to
// patch and the clients used to look up dependency and vulnerability data.
type FixVulnsOptions struct {
	RemediationOptions

	// Manifest is the path to the manifest file on disk.
	Manifest string
	// Lockfile is the path to the lockfile on disk.
	Lockfile string
	// Strategy is the remediation strategy to use.
	Strategy strategy.Strategy
	// MaxUpgrades caps the number of patches applied.
	// A value <= 0 applies as many as possible.
	MaxUpgrades int
	// NoIntroduce, when true, rejects patches that introduce new vulnerabilities.
	// NOTE(review): the zero value is false, so a bare struct literal permits
	// patches that trade one vulnerability for another; set this explicitly
	// when that is not acceptable.
	NoIntroduce bool
	// NoMavenNewDepMgmt, when true, rejects patches that introduce new
	// dependency management entries.
	NoMavenNewDepMgmt bool
	// VulnEnricher is the enricher used to obtain vulnerability information.
	VulnEnricher enricher.Enricher
	// ResolveClient is the client used to obtain dependency information.
	ResolveClient resolve.Client
	// MavenClient fetches Maven dependency information. May be nil.
	MavenClient *datasource.MavenRegistryAPIClient
	// DepCachePopulator populates the cache of ResolveClient. May be nil.
	DepCachePopulator DependencyCachePopulator
}

// RemediationOptions configures vulnerability remediation: which
// vulnerabilities are considered and which upgrades may be made to fix them.
//
// DefaultRemediationOptions() returns the intended baseline; the plain zero
// value differs from it (DevDeps false, MaxDepth 0, and a zero-valued
// UpgradeConfig rather than upgrade.NewConfig()).
type RemediationOptions struct {
	ResolutionOptions

	// IgnoreVulns lists vulnerability IDs to ignore.
	IgnoreVulns []string
	// ExplicitVulns, if set, restricts remediation to these vulnerability IDs
	// and ignores all others.
	// NOTE(review): precedence for an ID present in both IgnoreVulns and
	// ExplicitVulns is not defined here — confirm against the consumer.
	ExplicitVulns []string

	// DevDeps controls whether vulnerabilities in dev dependencies are considered.
	DevDeps bool
	// MinSeverity is the minimum CVSS score a vulnerability must have to be
	// considered. A score of 0 effectively disables the filter; how unscored
	// vulnerabilities are treated is not defined here.
	MinSeverity float64
	// MaxDepth is the maximum dependency depth at which vulnerabilities are
	// considered (e.g. 1 for direct dependencies only).
	// DefaultRemediationOptions sets this to -1; presumably a negative value
	// means no depth limit — confirm against the consumer.
	MaxDepth int

	// UpgradeConfig holds the allowed upgrade levels per package.
	UpgradeConfig upgrade.Config
}

// DefaultRemediationOptions returns a remediation configuration with the
// default settings: dev dependencies are included (DevDeps true), MaxDepth is
// -1 and UpgradeConfig starts from upgrade.NewConfig(). Every other field
// (IgnoreVulns, ExplicitVulns, MinSeverity, MavenManagement) is left at its
// zero value.
func DefaultRemediationOptions() RemediationOptions {
	var opts RemediationOptions
	opts.DevDeps = true
	opts.MaxDepth = -1
	opts.UpgradeConfig = upgrade.NewConfig()
	return opts
}

// ResolutionOptions configures dependency resolution.
type ResolutionOptions struct {
	// MavenManagement controls whether unresolved dependencyManagement
	// dependencies are included in the resolved graph.
	MavenManagement bool
}

// UpdateOptions configures guidedremediation.Update().
//
// Unlike FixVulnsOptions it carries no vulnerability filters: only the
// manifest to update, the clients used for dependency lookups and the
// upgrade policy.
type UpdateOptions struct {
	// Manifest is the path to the manifest file on disk.
	Manifest string
	// ResolveClient is the client used to obtain dependency information.
	ResolveClient resolve.Client
	// MavenClient fetches Maven dependency information. May be nil.
	MavenClient *datasource.MavenRegistryAPIClient

	// IgnoreDev controls whether updates on dev dependencies are ignored.
	IgnoreDev bool
	// UpgradeConfig holds the allowed upgrade levels per package.
	UpgradeConfig upgrade.Config
}