Documentation
¶
Index ¶
- Constants
- Variables
- func ComputeFixtureContentHash(fixtureDir string) (string, error)
- func DefaultVulnerabilities() []vulnerability.Vulnerability
- func DiscoverFixtures(searchRoots ...string) ([]string, error)
- type Builder
- type CPEDetailAssertion
- type DB
- func (db *DB) Close() error
- func (db *DB) FindVulnerabilities(criteria ...vulnerability.Criteria) ([]vulnerability.Vulnerability, error)
- func (db *DB) GetOperatingSystemEOL(d *distro.Distro) (eolDate, eoasDate *time.Time, err error)
- func (db *DB) Match(t *testing.T, matcher Matcher, p grypePkg.Package) *FindingsAssertion
- func (db *DB) PackageSearchNames(p grypePkg.Package) []string
- func (db *DB) String() string
- func (db *DB) VulnerabilityMetadata(ref vulnerability.Reference) (*vulnerability.Metadata, error)
- type DistroDetailAssertion
- type EcosystemDetailAssertion
- type ExtractionBuilder
- type FindingsAssertion
- func (f *FindingsAssertion) ContainsVulnerabilities(vulnIDs ...string) *FindingsAssertion
- func (f *FindingsAssertion) DoesNotHaveAnyVulnerabilities(vulnIDs ...string) *FindingsAssertion
- func (f *FindingsAssertion) Ignores() *IgnoreFiltersAssertion
- func (f *FindingsAssertion) IsEmpty() *FindingsAssertion
- func (f *FindingsAssertion) Matches() []match.Match
- func (f *FindingsAssertion) OnlyHasVulnerabilities(vulnIDs ...string) *FindingsAssertion
- func (f *FindingsAssertion) SelectMatch(vulnIDs ...string) *SingleFindingAssertion
- func (f *FindingsAssertion) SelectMatches(vulnID string) *MultipleFindingAssertion
- func (f *FindingsAssertion) SkipCompleteness() *FindingsAssertion
- type FixtureConfig
- type FixtureExtractor
- type FixtureLock
- type FixtureStatus
- type FixtureStatusDetail
- type IgnoreFiltersAssertion
- func (i *IgnoreFiltersAssertion) IsEmpty() *IgnoreFiltersAssertion
- func (i *IgnoreFiltersAssertion) SelectIgnoreRule(reason, vulnID string) *IgnoreRuleAssertion
- func (i *IgnoreFiltersAssertion) SelectRelatedPackageIgnore(reason, vulnID string) *IgnoreRelatedPackageAssertion
- func (i *IgnoreFiltersAssertion) SelectRelatedPackageIgnores(reason string, vulnIDs ...string) *IgnoreRelatedPackagesAssertion
- func (i *IgnoreFiltersAssertion) SkipCompleteness() *IgnoreFiltersAssertion
- type IgnoreRelatedPackageAssertion
- type IgnoreRelatedPackagesAssertion
- type IgnoreRuleAssertion
- type Matcher
- type MultiProviderExtractor
- type MultipleFindingAssertion
- type PackageBuilder
- func (b *PackageBuilder) Build() pkg.Package
- func (b *PackageBuilder) WithCPE(cpeStr string) *PackageBuilder
- func (b *PackageBuilder) WithCPEs(cpeStrs ...string) *PackageBuilder
- func (b *PackageBuilder) WithDistro(d *distro.Distro) *PackageBuilder
- func (b *PackageBuilder) WithID(id pkg.ID) *PackageBuilder
- func (b *PackageBuilder) WithLanguage(lang syftPkg.Language) *PackageBuilder
- func (b *PackageBuilder) WithLicenses(licenses ...string) *PackageBuilder
- func (b *PackageBuilder) WithLocation(path string) *PackageBuilder
- func (b *PackageBuilder) WithMetadata(metadata interface{}) *PackageBuilder
- func (b *PackageBuilder) WithPURL(purl string) *PackageBuilder
- func (b *PackageBuilder) WithRelatedPackage(relationshipType artifact.RelationshipType, related *pkg.Package) *PackageBuilder
- func (b *PackageBuilder) WithType(t syftPkg.Type) *PackageBuilder
- func (b *PackageBuilder) WithUpstream(name, version string) *PackageBuilder
- type ProviderState
- type RegenerateOptions
- type RegenerateResult
- type ServerBuilder
- type SingleDetailAssertion
- type SingleFindingAssertion
- func (s *SingleFindingAssertion) HasAdvisories(ids ...string) *SingleFindingAssertion
- func (s *SingleFindingAssertion) HasDetailCount(count int) *SingleFindingAssertion
- func (s *SingleFindingAssertion) HasFix(state vulnerability.FixState, versions ...string) *SingleFindingAssertion
- func (s *SingleFindingAssertion) HasMatchType(matchType match.Type) *SingleFindingAssertion
- func (s *SingleFindingAssertion) HasOnlyMatchTypes(matchTypes ...match.Type) *SingleFindingAssertion
- func (s *SingleFindingAssertion) InNamespace(namespace string) *SingleFindingAssertion
- func (s *SingleFindingAssertion) SelectDetailByCPE(cpe string, constraint ...string) *CPEDetailAssertion
- func (s *SingleFindingAssertion) SelectDetailByDistro(distroType, distroVersion string, constraint ...string) *DistroDetailAssertion
- func (s *SingleFindingAssertion) SelectDetailByEcosystem(language string, constraint ...string) *EcosystemDetailAssertion
- func (s *SingleFindingAssertion) SelectDetailByType(matchType ...match.Type) *SingleDetailAssertion
- type TestingT
Constants ¶
const ( // ConfigFilename is the name of the fixture config file (intent) ConfigFilename = "db.yaml" // LockFilename is the name of the fixture lock file (state) LockFilename = "db-lock.json" )
Variables ¶
var ( Debian8 = distro.New(distro.Debian, "8", "") Debian9 = distro.New(distro.Debian, "9", "") Debian10 = distro.New(distro.Debian, "10", "") Debian11 = distro.New(distro.Debian, "11", "") Debian12 = distro.New(distro.Debian, "12", "") Ubuntu1804 = distro.New(distro.Ubuntu, "18.04", "") Ubuntu2004 = distro.New(distro.Ubuntu, "20.04", "") Ubuntu2204 = distro.New(distro.Ubuntu, "22.04", "") Ubuntu2404 = distro.New(distro.Ubuntu, "24.04", "") Alpine316 = distro.New(distro.Alpine, "3.16", "") Alpine317 = distro.New(distro.Alpine, "3.17", "") Alpine318 = distro.New(distro.Alpine, "3.18", "") Alpine319 = distro.New(distro.Alpine, "3.19", "") // Wolfi is rolling; version is unused for matching but preserved here for // readability at call sites. WolfiRolling = distro.New(distro.Wolfi, "", "") RHEL7 = distro.New(distro.RedHat, "7", "") RHEL8 = distro.New(distro.RedHat, "8", "") RHEL9 = distro.New(distro.RedHat, "9", "") RHEL10 = distro.New(distro.RedHat, "10", "") AlmaLinux8 = distro.New(distro.AlmaLinux, "8", "") AlmaLinux9 = distro.New(distro.AlmaLinux, "9", "") SLES156 = distro.New(distro.SLES, "15.6", "") SLES157 = distro.New(distro.SLES, "15.7", "") Hummingbird1 = distro.New(distro.Hummingbird, "1", "") )
common distro constants for tests
var DefaultSchemaVersions = []int{v6.ModelVersion}
DefaultSchemaVersions controls which schema versions Build() generates by default. Currently only v6; v7 can be added here when ready.
Functions ¶
func ComputeFixtureContentHash ¶ added in v0.112.0
ComputeFixtureContentHash computes an xxh64 hash of all fixture content, excluding db.yaml and db.lock files. The hash is deterministic based on file paths and contents, sorted alphabetically.
func DefaultVulnerabilities ¶
func DefaultVulnerabilities() []vulnerability.Vulnerability
func DiscoverFixtures ¶ added in v0.112.0
DiscoverFixtures finds all fixture directories containing a db.yaml file under the given search roots.
Types ¶
type Builder ¶ added in v0.112.0
type Builder struct {
// contains filtered or unexported fields
}
Builder provides a fluent API for building test databases from fixture directories.
func DBs ¶ added in v0.112.0
DBs creates a new Builder for the named fixture. The fixture is expected to be in a "testdata" directory relative to the calling test file.
Example:
for _, db := range dbtest.DBs(t, "my-fixture").Build() {
t.Run(db.Name, func(t *testing.T) {
// use db as vulnerability.Provider
})
}
func SharedDBs ¶ added in v0.112.0
SharedDBs creates a Builder for a fixture in the shared fixture directory. Shared fixtures live in internal/dbtest/testdata/shared/{fixtureName} and can be used by tests in any package, enabling cross-package fixture sharing.
Example:
// from any test file in any package:
dbtest.SharedDBs(t, "common-debian").Run(func(t *testing.T, db *dbtest.DB) {
// use the shared fixture
})
func (*Builder) Build ¶ added in v0.112.0
Build builds databases for the specified schema versions (or DefaultSchemaVersions if none specified). Returns a slice of DB pointers that implement vulnerability.Provider.
func (*Builder) Run ¶ added in v0.112.0
Run executes a test function for each database built from the fixture. This is a convenience method that wraps Build() with the common for-loop and t.Run pattern.
func (*Builder) SelectOnly ¶ added in v0.112.0
SelectOnly specifies patterns to filter which vulnerability records are included in the built database. This enables creating focused test databases from larger fixtures.
Pattern types:
- CVE ID only: "CVE-2024-1234" (matches any namespace containing this CVE)
- Namespace only: "debian:10" (matches all CVEs in that namespace)
- Full identifier: "debian:10/CVE-2024-1234" (exact match)
Multiple patterns are combined with OR logic (union). If no selections are specified, all records are included.
Example:
// select specific CVEs across all namespaces
dbtest.SharedDBs(t, "large-fixture").SelectOnly("CVE-2024-1234", "CVE-2024-5678").Build()
// select all CVEs in a namespace
dbtest.DBs(t, "fixture").SelectOnly("debian:10").Build()
// combine namespace and CVE selections
dbtest.SharedDBs(t, "fixture").SelectOnly("debian:10", "CVE-2024-9999").Build()
type CPEDetailAssertion ¶ added in v0.112.0
type CPEDetailAssertion struct {
// contains filtered or unexported fields
}
CPEDetailAssertion provides assertions for CPE-based matches. SearchedBy is CPEParameters, Found is CPEResult.
func (*CPEDetailAssertion) FoundCPEs ¶ added in v0.112.0
func (c *CPEDetailAssertion) FoundCPEs(cpes ...string) *CPEDetailAssertion
FoundCPEs asserts that the found CPEs contain all the given CPEs.
func (*CPEDetailAssertion) HasMatchType ¶ added in v0.112.0
func (c *CPEDetailAssertion) HasMatchType(matchType match.Type) *CPEDetailAssertion
HasMatchType asserts that the detail has the expected match type.
type DB ¶ added in v0.112.0
type DB struct {
// Name is a human-readable name for this database (e.g., "v6")
Name string
// SchemaVersion is the database schema version
SchemaVersion int
// Path is the path to the database directory
Path string
// contains filtered or unexported fields
}
DB wraps a vulnerability.Provider with metadata about the database. It implements the vulnerability.Provider interface by delegating to the internal provider.
func (*DB) FindVulnerabilities ¶ added in v0.112.0
func (db *DB) FindVulnerabilities(criteria ...vulnerability.Criteria) ([]vulnerability.Vulnerability, error)
FindVulnerabilities returns vulnerabilities matching all the provided criteria.
func (*DB) GetOperatingSystemEOL ¶ added in v0.112.0
GetOperatingSystemEOL returns the EOL and EOAS dates for the given distro. Implements vulnerability.EOLChecker by delegating to the underlying provider if it supports the interface.
func (*DB) Match ¶ added in v0.112.0
Match calls matcher.Match using this DB as the provider and returns a FindingsAssertion for fluent assertions. Fails the test on error. The returned assertion captures both the matches and the ignore filters; use FindingsAssertion.Ignores() to assert on the latter. Ignore-filter completeness is only enforced once Ignores() is called.
func (*DB) PackageSearchNames ¶ added in v0.112.0
PackageSearchNames returns the package names to search for in the database.
func (*DB) VulnerabilityMetadata ¶ added in v0.112.0
func (db *DB) VulnerabilityMetadata(ref vulnerability.Reference) (*vulnerability.Metadata, error)
VulnerabilityMetadata returns the metadata associated with a vulnerability.
type DistroDetailAssertion ¶ added in v0.112.0
type DistroDetailAssertion struct {
// contains filtered or unexported fields
}
DistroDetailAssertion provides assertions for distro/OS package matches. SearchedBy is DistroParameters, Found is DistroResult.
func (*DistroDetailAssertion) HasMatchType ¶ added in v0.112.0
func (d *DistroDetailAssertion) HasMatchType(matchType match.Type) *DistroDetailAssertion
HasMatchType asserts that the detail has the expected match type.
type EcosystemDetailAssertion ¶ added in v0.112.0
type EcosystemDetailAssertion struct {
// contains filtered or unexported fields
}
EcosystemDetailAssertion provides assertions for language/ecosystem package matches. SearchedBy is EcosystemParameters, Found is EcosystemResult.
func (*EcosystemDetailAssertion) HasMatchType ¶ added in v0.112.0
func (e *EcosystemDetailAssertion) HasMatchType(matchType match.Type) *EcosystemDetailAssertion
HasMatchType asserts that the detail has the expected match type.
type ExtractionBuilder ¶ added in v0.112.0
type ExtractionBuilder struct {
// contains filtered or unexported fields
}
ExtractionBuilder provides a fluent API for extraction operations.
func (*ExtractionBuilder) AppendTo ¶ added in v0.112.0
func (b *ExtractionBuilder) AppendTo(fixtureDir string) error
AppendTo extracts matching records and appends them to an existing fixture. Existing records with the same ID are overwritten. This also updates the db.yaml and db.lock files to track the additional extraction.
func (*ExtractionBuilder) Select ¶ added in v0.112.0
func (b *ExtractionBuilder) Select(patterns ...string) *ExtractionBuilder
Select adds patterns for record selection (LIKE matching). Patterns are wrapped with % for partial matching:
- "CVE-2024-1234" matches any record containing this CVE ID
- "debian:10" matches records in the debian:10 namespace
- "RHSA-2024:%" matches all 2024 RHSAs
func (*ExtractionBuilder) WriteTo ¶ added in v0.112.0
func (b *ExtractionBuilder) WriteTo(fixtureDir string) error
WriteTo extracts matching records and writes them to a new fixture directory. The fixtureDir should be the path to the fixture root directory (provider subdirectory will be created inside). This also creates db.yaml and db.lock files to track the fixture's provenance.
type FindingsAssertion ¶ added in v0.112.0
type FindingsAssertion struct {
// contains filtered or unexported fields
}
FindingsAssertion provides a string-based, API-agnostic fluent assertion chain for match results. This approach abstracts away internal struct shapes so that tests don't need to change when the high-level API is refactored (e.g., in grype v1).
Example:
dbtest.AssertFindings(t, matches, p).
HasCount(2).
OnlyHasVulnerabilities("CVE-2024-1234", "CVE-2024-5678").
DoesNotHaveAnyVulnerabilities("CVE-2024-9999")
func AssertFindings ¶ added in v0.112.0
AssertFindings creates a new FindingsAssertion for API-agnostic assertions. The package parameter is the package that was matched against. If the package is zero-value (empty name), asserts that there are no matches. Otherwise, asserts that all matches are for the given package.
Use complete() to enable completeness checking, which verifies that all matches and details were asserted.
func AssertFindingsAndIgnores ¶ added in v0.113.0
func AssertFindingsAndIgnores(t TestingT, matches []match.Match, ignores []match.IgnoreFilter, p pkg.Package) *FindingsAssertion
AssertFindingsAndIgnores is the same as AssertFindings but also captures the ignore filters returned by the matcher so they can be asserted on via FindingsAssertion.Ignores().
func (*FindingsAssertion) ContainsVulnerabilities ¶ added in v0.112.0
func (f *FindingsAssertion) ContainsVulnerabilities(vulnIDs ...string) *FindingsAssertion
ContainsVulnerabilities asserts that findings with all the given vulnerability IDs exist. Other vulnerabilities may also be present.
func (*FindingsAssertion) DoesNotHaveAnyVulnerabilities ¶ added in v0.112.0
func (f *FindingsAssertion) DoesNotHaveAnyVulnerabilities(vulnIDs ...string) *FindingsAssertion
DoesNotHaveAnyVulnerabilities asserts that no finding with the given vulnerability ID exists.
func (*FindingsAssertion) Ignores ¶ added in v0.113.0
func (f *FindingsAssertion) Ignores() *IgnoreFiltersAssertion
Ignores returns an IgnoreFiltersAssertion for asserting on the ignore filters returned alongside the matches. Ignore-side completeness is always on (set up at construction time), so a test that produces zero ignores does not need to call this at all - completeness fails the test if any unasserted ignore is emitted by the matcher. Tests that expect ≥1 ignore must use this to assert on each one. Use SkipCompleteness on the returned assertion to scope to a subset.
func (*FindingsAssertion) IsEmpty ¶ added in v0.112.0
func (f *FindingsAssertion) IsEmpty() *FindingsAssertion
IsEmpty asserts that the matcher returned nothing - no matches AND no ignores. Use this when the matcher is expected to be a complete no-op for the input. For "no matches but some ignores expected", just skip IsEmpty and assert on the ignores via Ignores(); the matches-side completeness check will enforce that no matches were produced.
func (*FindingsAssertion) Matches ¶ added in v0.112.0
func (f *FindingsAssertion) Matches() []match.Match
Matches returns the underlying []match.Match. It is an intentional escape hatch and should be avoided.
The point of this assertion API is to be a façade over match.Match and vulnerability.Vulnerability so that the internal struct layout can be refactored (e.g., the v1 API rewrite) without touching tests. Every caller of Matches() is one more test that locks itself to today's struct shape.
If you find yourself wanting raw matches, the right move is almost always to add a focused helper instead - HasFix, HasAdvisories, InNamespace, SelectMatches+WithDetailType, SelectDetailBy* and friends were all added this way. There is intentionally no equivalent on SingleFindingAssertion.
Bypasses completeness checking, which is the other reason it makes tests fragile.
func (*FindingsAssertion) OnlyHasVulnerabilities ¶ added in v0.112.0
func (f *FindingsAssertion) OnlyHasVulnerabilities(vulnIDs ...string) *FindingsAssertion
OnlyHasVulnerabilities asserts that findings contain exactly the given vulnerability IDs and no others. Order does not matter.
func (*FindingsAssertion) SelectMatch ¶ added in v0.112.0
func (f *FindingsAssertion) SelectMatch(vulnIDs ...string) *SingleFindingAssertion
SelectMatch returns a SingleFindingAssertion for detailed assertions on a specific finding. With no arguments, selects the single match (fails if not exactly one). With one argument, selects the match with the given vulnerability ID.
func (*FindingsAssertion) SelectMatches ¶ added in v0.113.0
func (f *FindingsAssertion) SelectMatches(vulnID string) *MultipleFindingAssertion
SelectMatches returns the subset of matches with the given vulnerability ID. Unlike SelectMatch, which fatals when multiple matches share an ID, SelectMatches accepts any non-zero count and lets callers narrow further via WithDetailType. The returned MultipleFindingAssertion participates in completeness tracking; selecting a sub-match here is what marks the underlying match as asserted.
func (*FindingsAssertion) SkipCompleteness ¶ added in v0.112.0
func (f *FindingsAssertion) SkipCompleteness() *FindingsAssertion
SkipCompleteness asserts that this chain is intentionally checking only a subset of matches/details. The default mode requires every match and detail to be asserted; calling SkipCompleteness inverts that contract: the chain fails if everything happened to be asserted anyway. The inversion exists so that SkipCompleteness calls don't rot in tests that have grown into being exhaustive - if the chain is fully asserting, drop the SkipCompleteness call.
type FixtureConfig ¶ added in v0.112.0
type FixtureConfig struct {
AutoGenerate bool `yaml:"auto-generate"`
Extractions map[string][]string `yaml:"extractions"` // provider name -> patterns
}
FixtureConfig represents the intent of what a fixture should contain (db.yaml). This file is human-edited and defines how the fixture was created.
func ReadConfig ¶ added in v0.112.0
func ReadConfig(fixtureDir string) (*FixtureConfig, error)
ReadConfig reads a FixtureConfig from the given fixture directory.
func (*FixtureConfig) Write ¶ added in v0.112.0
func (c *FixtureConfig) Write(fixtureDir string) error
Write writes the FixtureConfig to the given fixture directory.
type FixtureExtractor ¶ added in v0.112.0
type FixtureExtractor struct {
// contains filtered or unexported fields
}
FixtureExtractor extracts records from vunnel SQLite caches and writes them as fixtures.
func NewFixtureExtractor ¶ added in v0.112.0
func NewFixtureExtractor(vunnelRoot string) *FixtureExtractor
NewFixtureExtractor creates an extractor for the given vunnel cache root. The vunnelRoot should be the path to the vunnel data directory containing provider subdirectories (e.g., "debian", "rhel", "nvd").
func (*FixtureExtractor) From ¶ added in v0.112.0
func (e *FixtureExtractor) From(providerName string) *ExtractionBuilder
From specifies which provider's results.db to read from. The provider name should match a subdirectory in the vunnel data directory.
func (*FixtureExtractor) FromMultiple ¶ added in v0.112.0
func (e *FixtureExtractor) FromMultiple() *MultiProviderExtractor
FromMultiple starts a multi-provider extraction, returning a builder that allows adding multiple provider extractions.
type FixtureLock ¶ added in v0.112.0
type FixtureLock struct {
ContentHash string `json:"content_hash"`
CreatedAt time.Time `json:"created_at"`
RegeneratedAt *time.Time `json:"regenerated_at,omitempty"`
Providers map[string]ProviderState `json:"providers"`
}
FixtureLock represents the state of a fixture (db.lock). This file is machine-generated and should never be manually edited.
func ReadLock ¶ added in v0.112.0
func ReadLock(fixtureDir string) (*FixtureLock, error)
ReadLock reads a FixtureLock from the given fixture directory.
func (*FixtureLock) Write ¶ added in v0.112.0
func (l *FixtureLock) Write(fixtureDir string) error
Write writes the FixtureLock to the given fixture directory.
type FixtureStatus ¶ added in v0.112.0
type FixtureStatus string
FixtureStatus represents the high-level state of a fixture.
const ( StatusOK FixtureStatus = "ok" // auto-generate=true, config/lock in sync, hash matches StatusContentDrift FixtureStatus = "content_drift" // auto-generate=true, files on disk don't match lock hash StatusConfigAhead FixtureStatus = "config_ahead" // auto-generate=true, config has extractions not in lock StatusManual FixtureStatus = "manual" // auto-generate=false StatusNoConfig FixtureStatus = "no_config" // no db.yaml StatusNoLock FixtureStatus = "no_lock" // db.yaml exists but no db.lock )
func GetFixtureStatus ¶ added in v0.112.0
func GetFixtureStatus(fixtureDir string) (FixtureStatus, error)
GetFixtureStatus determines the current status of a fixture.
type FixtureStatusDetail ¶ added in v0.112.0
type FixtureStatusDetail struct {
Status FixtureStatus
ConfigExists bool
LockExists bool
AutoGenerate bool
ContentHash string // current hash of files on disk
LockHash string // hash recorded in db.lock
HashMatches bool // ContentHash == LockHash
ConfigInSync bool // all config extractions have corresponding lock entries
MissingInLock []string // providers in config but not in lock
}
FixtureStatusDetail provides detailed information about a fixture's state.
func GetFixtureStatusDetail ¶ added in v0.112.0
func GetFixtureStatusDetail(fixtureDir string) (*FixtureStatusDetail, error)
GetFixtureStatusDetail determines the detailed status of a fixture, including information about config/lock synchronization and content hashes.
type IgnoreFiltersAssertion ¶ added in v0.113.0
type IgnoreFiltersAssertion struct {
// contains filtered or unexported fields
}
IgnoreFiltersAssertion provides assertions on the ignore filters returned by a matcher. Like FindingsAssertion, it tracks which ignores were asserted and fails the test if any were missed (unless SkipCompleteness is called).
func (*IgnoreFiltersAssertion) IsEmpty ¶ added in v0.113.0
func (i *IgnoreFiltersAssertion) IsEmpty() *IgnoreFiltersAssertion
IsEmpty asserts there are no ignore filters.
func (*IgnoreFiltersAssertion) SelectIgnoreRule ¶ added in v0.113.0
func (i *IgnoreFiltersAssertion) SelectIgnoreRule(reason, vulnID string) *IgnoreRuleAssertion
SelectIgnoreRule finds an IgnoreRule with the given reason and vulnerability ID. Fails if not exactly one matches. The returned assertion can be further qualified with ForPackage. Use this for matchers that emit match.IgnoreRule (e.g., the language ecosystem path's UnaffectedPackageEntry rules); use SelectRelatedPackageIgnore for matchers that emit match.IgnoreRelatedPackage.
func (*IgnoreFiltersAssertion) SelectRelatedPackageIgnore ¶ added in v0.113.0
func (i *IgnoreFiltersAssertion) SelectRelatedPackageIgnore(reason, vulnID string) *IgnoreRelatedPackageAssertion
SelectRelatedPackageIgnore finds an IgnoreRelatedPackage with the given reason and vulnerability ID. Fails if not exactly one matches. The returned assertion can be further qualified with ForPackage and WithRelationshipType.
func (*IgnoreFiltersAssertion) SelectRelatedPackageIgnores ¶ added in v0.113.0
func (i *IgnoreFiltersAssertion) SelectRelatedPackageIgnores(reason string, vulnIDs ...string) *IgnoreRelatedPackagesAssertion
SelectRelatedPackageIgnores selects a batch of IgnoreRelatedPackage filters that share a reason and lets the caller assert on the whole batch with one chain. This is the right shape for cases like AlmaLinux alias unwinding, where one ALSA emits an ignore for the ALSA itself plus one per aliased CVE - all with the same reason, same package, and the same relationship type. Fails fatally if any of the requested vulnerability IDs is missing or duplicated under that reason. Each selected ignore is registered for completeness tracking. Pass at least one vulnerability ID; for a single ID, the singular SelectRelatedPackageIgnore reads cleaner.
func (*IgnoreFiltersAssertion) SkipCompleteness ¶ added in v0.113.0
func (i *IgnoreFiltersAssertion) SkipCompleteness() *IgnoreFiltersAssertion
SkipCompleteness asserts that this ignore-filter chain is intentionally partial. Mirrors the inverted semantics of FindingsAssertion.SkipCompleteness: the default requires every ignore filter to be asserted, and calling this flips the contract so the chain fails if everything happened to be asserted anyway. Drop the call once you are exhaustively asserting on ignores.
type IgnoreRelatedPackageAssertion ¶ added in v0.113.0
type IgnoreRelatedPackageAssertion struct {
// contains filtered or unexported fields
}
IgnoreRelatedPackageAssertion provides assertions on a single match.IgnoreRelatedPackage that has already been selected by reason+vuln.
func (*IgnoreRelatedPackageAssertion) ForPackage ¶ added in v0.113.0
func (a *IgnoreRelatedPackageAssertion) ForPackage(pkgID pkg.ID) *IgnoreRelatedPackageAssertion
ForPackage asserts the related package ID matches the given pkg.ID. This is the most common follow-up assertion: tests typically capture the package ID when constructing the test package and then assert that the ignore points back at it.
func (*IgnoreRelatedPackageAssertion) WithRelationshipType ¶ added in v0.113.0
func (a *IgnoreRelatedPackageAssertion) WithRelationshipType(rt artifact.RelationshipType) *IgnoreRelatedPackageAssertion
WithRelationshipType asserts the ignore filter's relationship type. The vast majority of cases use OwnershipByFileOverlapRelationship so this is only needed for the rare cases that use a different relationship.
type IgnoreRelatedPackagesAssertion ¶ added in v0.113.0
type IgnoreRelatedPackagesAssertion struct {
// contains filtered or unexported fields
}
IgnoreRelatedPackagesAssertion fans assertions out over a batch of IgnoreRelatedPackage filters that were selected together via SelectRelatedPackageIgnores. Each method applies to every filter in the batch.
func (*IgnoreRelatedPackagesAssertion) ForPackage ¶ added in v0.113.0
func (a *IgnoreRelatedPackagesAssertion) ForPackage(pkgID pkg.ID) *IgnoreRelatedPackagesAssertion
ForPackage asserts that every filter in the batch has the given related package ID.
func (*IgnoreRelatedPackagesAssertion) WithRelationshipType ¶ added in v0.113.0
func (a *IgnoreRelatedPackagesAssertion) WithRelationshipType(rt artifact.RelationshipType) *IgnoreRelatedPackagesAssertion
WithRelationshipType asserts that every filter in the batch has the given relationship type.
type IgnoreRuleAssertion ¶ added in v0.113.0
type IgnoreRuleAssertion struct {
// contains filtered or unexported fields
}
IgnoreRuleAssertion provides assertions on a single match.IgnoreRule that has already been selected by reason+vulnerability.
func (*IgnoreRuleAssertion) ForPackage ¶ added in v0.113.0
func (a *IgnoreRuleAssertion) ForPackage(name, version string) *IgnoreRuleAssertion
ForPackage asserts the rule's package identification matches the given name and version. This is the most common follow-up assertion for VEX/unaffected ignore rules, where the package coordinates pin the rule to the specific scanned artifact.
func (*IgnoreRuleAssertion) IncludesAliases ¶ added in v0.113.0
func (a *IgnoreRuleAssertion) IncludesAliases() *IgnoreRuleAssertion
IncludesAliases asserts the rule will fan out to aliased vulnerability IDs (the common case for VEX/unaffected entries that suppress a primary advisory along with all its aliases).
type Matcher ¶ added in v0.112.0
type Matcher interface {
Match(vulnerability.Provider, grypePkg.Package) ([]match.Match, []match.IgnoreFilter, error)
}
Matcher is the interface for vulnerability matchers.
type MultiProviderExtractor ¶ added in v0.112.0
type MultiProviderExtractor struct {
// contains filtered or unexported fields
}
MultiProviderExtractor extends FixtureExtractor to support extracting from multiple providers.
func (*MultiProviderExtractor) AppendTo ¶ added in v0.112.0
func (m *MultiProviderExtractor) AppendTo(fixtureDir string) error
AppendTo extracts matching records from all providers and appends them to an existing fixture.
func (*MultiProviderExtractor) Provider ¶ added in v0.112.0
func (m *MultiProviderExtractor) Provider(providerName string, patterns ...string) *MultiProviderExtractor
Provider adds a provider extraction to the multi-provider builder.
func (*MultiProviderExtractor) WriteTo ¶ added in v0.112.0
func (m *MultiProviderExtractor) WriteTo(fixtureDir string) error
WriteTo extracts matching records from all providers and writes them to a new fixture directory.
type MultipleFindingAssertion ¶ added in v0.113.0
type MultipleFindingAssertion struct {
// contains filtered or unexported fields
}
MultipleFindingAssertion is a subset of a FindingsAssertion's matches that share a vulnerability ID. Used to disambiguate the otherwise-ambiguous case where one matcher emits multiple findings for the same CVE (e.g., a distro disclosure plus a CPE-fallback NVD finding for an EOL distro).
func (*MultipleFindingAssertion) WithDetailType ¶ added in v0.113.0
func (m *MultipleFindingAssertion) WithDetailType(detailType match.Type) *SingleFindingAssertion
WithDetailType narrows the subset to the single match that has at least one detail of the given type. Fatals if zero or more than one match in the subset has a detail of that type. The selected match (and the detail used to pick it) become tracked for completeness purposes.
type PackageBuilder ¶ added in v0.112.0
type PackageBuilder struct {
// contains filtered or unexported fields
}
PackageBuilder provides a fluent API for building test packages.
func NewPackage ¶ added in v0.112.0
func NewPackage(name, version string, t syftPkg.Type) *PackageBuilder
NewPackage creates a new PackageBuilder with the given name, version, and type. An ID is auto-generated.
func (*PackageBuilder) Build ¶ added in v0.112.0
func (b *PackageBuilder) Build() pkg.Package
Build returns the constructed package.
func (*PackageBuilder) WithCPE ¶ added in v0.112.0
func (b *PackageBuilder) WithCPE(cpeStr string) *PackageBuilder
WithCPE adds a CPE to the package. The cpeStr should be in CPE 2.3 format (e.g., "cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*").
func (*PackageBuilder) WithCPEs ¶ added in v0.112.0
func (b *PackageBuilder) WithCPEs(cpeStrs ...string) *PackageBuilder
WithCPEs adds multiple CPEs to the package.
func (*PackageBuilder) WithDistro ¶ added in v0.112.0
func (b *PackageBuilder) WithDistro(d *distro.Distro) *PackageBuilder
WithDistro sets the package's distro.
func (*PackageBuilder) WithID ¶ added in v0.113.0
func (b *PackageBuilder) WithID(id pkg.ID) *PackageBuilder
WithID overrides the auto-generated package ID. Use this when a test needs a stable, comparable ID (e.g., to assert against an IgnoreFilter that references the package by ID).
func (*PackageBuilder) WithLanguage ¶ added in v0.112.0
func (b *PackageBuilder) WithLanguage(lang syftPkg.Language) *PackageBuilder
WithLanguage sets the package's language ecosystem.
func (*PackageBuilder) WithLicenses ¶ added in v0.112.0
func (b *PackageBuilder) WithLicenses(licenses ...string) *PackageBuilder
WithLicenses sets the package licenses.
func (*PackageBuilder) WithLocation ¶ added in v0.112.0
func (b *PackageBuilder) WithLocation(path string) *PackageBuilder
WithLocation adds a file location to the package.
func (*PackageBuilder) WithMetadata ¶ added in v0.112.0
func (b *PackageBuilder) WithMetadata(metadata interface{}) *PackageBuilder
WithMetadata sets package-specific metadata.
func (*PackageBuilder) WithPURL ¶ added in v0.112.0
func (b *PackageBuilder) WithPURL(purl string) *PackageBuilder
WithPURL sets the Package URL.
func (*PackageBuilder) WithRelatedPackage ¶ added in v0.112.0
func (b *PackageBuilder) WithRelatedPackage(relationshipType artifact.RelationshipType, related *pkg.Package) *PackageBuilder
WithRelatedPackage adds a related package via the given relationship type.
func (*PackageBuilder) WithType ¶ added in v0.112.0
func (b *PackageBuilder) WithType(t syftPkg.Type) *PackageBuilder
WithType sets the package type (e.g., syftPkg.ApkPkg, syftPkg.RpmPkg).
func (*PackageBuilder) WithUpstream ¶ added in v0.112.0
func (b *PackageBuilder) WithUpstream(name, version string) *PackageBuilder
WithUpstream adds an upstream package.
type ProviderState ¶ added in v0.112.0
type ProviderState struct {
VunnelVersion string `json:"vunnel_version"` // from metadata.json processor field
Timestamp time.Time `json:"timestamp"` // from metadata.json timestamp field
}
ProviderState captures metadata from a vunnel provider at extraction time.
type RegenerateOptions ¶ added in v0.112.0
type RegenerateOptions struct {
VunnelRoot string // path to vunnel data directory
Force bool // regenerate even if modified
DryRun bool // only report what would be done
}
RegenerateOptions configures the regeneration behavior.
type RegenerateResult ¶ added in v0.112.0
type RegenerateResult struct {
FixtureDir string
Status FixtureStatus
Skipped bool
SkipReason string
Error error
}
RegenerateResult describes the outcome of a regeneration attempt.
func RegenerateAll ¶ added in v0.112.0
func RegenerateAll(searchRoots []string, opts RegenerateOptions) ([]RegenerateResult, error)
RegenerateAll regenerates all fixtures found under the given search roots.
func RegenerateFixture ¶ added in v0.112.0
func RegenerateFixture(fixtureDir string, opts RegenerateOptions) (*RegenerateResult, error)
RegenerateFixture regenerates a single fixture from its config. The process is: check status -> delete fixture content -> replay extractions -> update lock.
type ServerBuilder ¶
type ServerBuilder struct {
DBFormat string
DBBuildTime time.Time
DBVersion schemaver.SchemaVer
Vulnerabilities []vulnerability.Vulnerability
LatestDoc *distribution.LatestDocument
ServerSubdir string
LatestDocFile string
RequestHandler http.HandlerFunc
// contains filtered or unexported fields
}
func NewServer ¶
func NewServer(t *testing.T) *ServerBuilder
NewServer creates a new test db server building a single database from the provided vulnerabilities, along with a latest.json pointing to it, optionally with any properties specified in the provided latest parameter
func (*ServerBuilder) SetDBBuilt ¶
func (s *ServerBuilder) SetDBBuilt(t time.Time) *ServerBuilder
func (*ServerBuilder) SetDBVersion ¶
func (s *ServerBuilder) SetDBVersion(major, minor, patch int) *ServerBuilder
func (*ServerBuilder) Start ¶
func (s *ServerBuilder) Start() (url string)
Start starts builds a database and starts a server with the current settings if you need to rebuild a DB or modify the behavior, you can either set a custom RequestHandler func or modify the settings and call Start() again. Returns a URL to the latest.json file, e.g. http://127.0.0.1:5678/v6/latest.json
func (*ServerBuilder) WithHandler ¶
func (s *ServerBuilder) WithHandler(handler http.HandlerFunc) *ServerBuilder
type SingleDetailAssertion ¶ added in v0.112.0
type SingleDetailAssertion struct {
// contains filtered or unexported fields
}
SingleDetailAssertion provides assertions on a single match detail. Use AsDistroSearch(), AsCPESearch(), or AsEcosystemSearch() for type-specific assertions.
func (*SingleDetailAssertion) AsCPESearch ¶ added in v0.112.0
func (d *SingleDetailAssertion) AsCPESearch(constraint ...string) *CPEDetailAssertion
AsCPESearch validates that SearchedBy is CPEParameters and Found is CPEResult, and validates the found vulnerability. Takes an optional version constraint to validate (0 = no assertion, 1 = assert, 2+ = error).
func (*SingleDetailAssertion) AsDistroSearch ¶ added in v0.112.0
func (d *SingleDetailAssertion) AsDistroSearch(constraint ...string) *DistroDetailAssertion
AsDistroSearch validates that SearchedBy is DistroParameters and Found is DistroResult, asserts the searched distro matches the package's distro, and validates the found vulnerability. Takes an optional version constraint to validate (0 = no assertion, 1 = assert, 2+ = error).
func (*SingleDetailAssertion) AsEcosystemSearch ¶ added in v0.112.0
func (d *SingleDetailAssertion) AsEcosystemSearch(constraint ...string) *EcosystemDetailAssertion
AsEcosystemSearch validates that SearchedBy is EcosystemParameters and Found is EcosystemResult, asserts the searched language matches the package's language, and validates the found vulnerability. Takes an optional version constraint to validate (0 = no assertion, 1 = assert, 2+ = error).
type SingleFindingAssertion ¶ added in v0.112.0
type SingleFindingAssertion struct {
// contains filtered or unexported fields
}
SingleFindingAssertion provides detailed string-based assertions on a single finding. There is intentionally no Match() accessor returning the underlying match.Match: the assertion API is a façade so that the internal struct layout can be refactored without touching tests. When a new assertion is needed (e.g., severity, CVSS, alias IDs), the right move is to add a focused method here rather than reach into the struct.
func (*SingleFindingAssertion) HasAdvisories ¶ added in v0.113.0
func (s *SingleFindingAssertion) HasAdvisories(ids ...string) *SingleFindingAssertion
HasAdvisories asserts the match's vulnerability has exactly the given advisory IDs (order doesn't matter, but the count must match).
func (*SingleFindingAssertion) HasDetailCount ¶ added in v0.112.0
func (s *SingleFindingAssertion) HasDetailCount(count int) *SingleFindingAssertion
HasDetailCount asserts the match has the expected number of details.
func (*SingleFindingAssertion) HasFix ¶ added in v0.113.0
func (s *SingleFindingAssertion) HasFix(state vulnerability.FixState, versions ...string) *SingleFindingAssertion
HasFix asserts the match's vulnerability has the expected fix state and (if any are passed) the exact set of fix versions in order.
func (*SingleFindingAssertion) HasMatchType ¶ added in v0.112.0
func (s *SingleFindingAssertion) HasMatchType(matchType match.Type) *SingleFindingAssertion
HasMatchType asserts that at least one match detail has the expected match type.
func (*SingleFindingAssertion) HasOnlyMatchTypes ¶ added in v0.112.0
func (s *SingleFindingAssertion) HasOnlyMatchTypes(matchTypes ...match.Type) *SingleFindingAssertion
HasOnlyMatchTypes asserts that all match details have one of the expected types.
func (*SingleFindingAssertion) InNamespace ¶ added in v0.113.0
func (s *SingleFindingAssertion) InNamespace(namespace string) *SingleFindingAssertion
InNamespace asserts the match's vulnerability lives in the expected namespace - useful when one matcher's results are scoped to a different namespace than the package's distro (e.g., AlmaLinux disclosures live in the rhel namespace).
func (*SingleFindingAssertion) SelectDetailByCPE ¶ added in v0.112.0
func (s *SingleFindingAssertion) SelectDetailByCPE(cpe string, constraint ...string) *CPEDetailAssertion
SelectDetailByCPE finds a detail where SearchedBy is CPEParameters containing the given CPE, and validates the found vulnerability. Fails if not exactly one detail matches. Takes an optional version constraint to validate (0 = no assertion, 1 = assert, 2+ = error).
func (*SingleFindingAssertion) SelectDetailByDistro ¶ added in v0.112.0
func (s *SingleFindingAssertion) SelectDetailByDistro(distroType, distroVersion string, constraint ...string) *DistroDetailAssertion
SelectDetailByDistro finds a detail where SearchedBy is DistroParameters matching the given distro type and version, and validates the found vulnerability. Fails if not exactly one detail matches.
Takes an optional version constraint. When provided, the constraint serves as BOTH a selection filter (the matched detail must have this exact Found.VersionConstraint) AND a validation - so callers can disambiguate findings that produce multiple details with the same (distro, version) but different version constraints, like RHEL EUS findings whose details cover the EUS-overlay fix and the mainline fix paths in the same match.
At most one constraint may be passed.
func (*SingleFindingAssertion) SelectDetailByEcosystem ¶ added in v0.112.0
func (s *SingleFindingAssertion) SelectDetailByEcosystem(language string, constraint ...string) *EcosystemDetailAssertion
SelectDetailByEcosystem finds a detail where SearchedBy is EcosystemParameters matching the given language, and validates the found vulnerability. Fails if not exactly one detail matches. Takes an optional version constraint to validate (0 = no assertion, 1 = assert, 2+ = error).
func (*SingleFindingAssertion) SelectDetailByType ¶ added in v0.112.0
func (s *SingleFindingAssertion) SelectDetailByType(matchType ...match.Type) *SingleDetailAssertion
SelectDetailByType returns a SingleDetailAssertion for assertions on a specific detail. With no arguments, requires exactly one detail (fails if not exactly one). With one argument, selects the detail matching the given type (fails if not exactly one match). More than one argument is an error.