|
2 | 2 | // Use of this source code is governed by a BSD-style
|
3 | 3 | // license that can be found in the LICENSE file.
|
4 | 4 |
|
| 5 | +// Package client provides an interface for accessing vulnerability |
| 6 | +// databases, via either HTTP or local filesystem access. |
| 7 | +// |
| 8 | +// The expected database layout is the same for both HTTP and local |
| 9 | +// databases. The database index is located at the root of the |
| 10 | +// database, and contains a list of all of the vulnerable packages |
| 11 | +// documented in the databse and the time the most recent vulnerability |
| 12 | +// was added. The index file is called indx.json, and has the |
| 13 | +// following format: |
| 14 | +// |
| 15 | +// map[string]time.Time (osv.DBIndex) |
| 16 | +// |
| 17 | +// Each vulnerable package is represented by an individual JSON file |
| 18 | +// which contains all of the vulnerabilities in that package. The path |
| 19 | +// for each package file is simply the import path of the package, |
| 20 | +// i.e. vulnerabilities in golang.org/x/crypto/ssh are contained in the |
| 21 | +// golang.org/x/crypto/ssh.json file. The per-package JSON files have |
| 22 | +// the following format: |
| 23 | +// |
| 24 | +// []osv.Entry |
| 25 | +// |
| 26 | +// A single client.Client can be used to access multiple vulnerability |
| 27 | +// databases. When looking up vulnerable packages each database is |
| 28 | +// consulted, and results are merged together. |
| 29 | +// |
| 30 | +// TODO: allow filtering private packages, possibly at a database level? |
| 31 | +// (e.g. I may want to use multiple databases, but only lookup a specific |
| 32 | +// package in a subset of them) |
5 | 33 | package client
|
6 | 34 |
|
7 | 35 | import (
|
|
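Review bot: The index file name given on new line 12, "indx.json", looks like a typo for "index.json", and because this package comment is the only description of the database layout, anyone building a compatible database will copy it. Please confirm the name against the constant the code actually uses and correct it here, along with "databse" on new line 11. Two further points the comment should settle. On new lines 18-21 the per-package path is said to be "simply the import path of the package", so say whether the import path is validated or escaped before it is joined to the local database root or the HTTP base URL; as written, a reader cannot tell that a path containing ".." elements is rejected. The "i.e." on new line 20 introduces an example, so "e.g." fits better. On new lines 26-28, "results are merged together" does not say what happens when two databases return an entry with the same ID, or whether a failure in one database fails the whole lookup; one sentence on each would make the multi-database behaviour predictable for callers.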
0 commit comments