Merge pull request #432 from michaelkedar:guided-remediation/resolve

PiperOrigin-RevId: 726775722

Author: copybara-github

clients/clienttest/mock_resolution_client.go

@@ -21,7 +21,6 @@ import (
 
 	"deps.dev/util/resolve"
 	"deps.dev/util/resolve/schema"
-	"github.com/google/osv-scalibr/clients/resolution"
 	"gopkg.in/yaml.v3"
 )
 
@@ -31,14 +30,8 @@ type ResolutionUniverse struct {
 	Schema string `yaml:"schema"`
 }
 
-type mockDependencyClient struct {
-	*resolve.LocalClient
-}
-
-func (mdc mockDependencyClient) AddRegistries(_ []resolution.Registry) error { return nil }
-
 // NewMockResolutionClient creates a new mock resolution client from the given universe YAML.
-func NewMockResolutionClient(t *testing.T, universeYAML string) resolution.DependencyClient {
+func NewMockResolutionClient(t *testing.T, universeYAML string) resolve.Client {
 	t.Helper()
 	f, err := os.Open(universeYAML)
 	if err != nil {
@@ -70,5 +63,5 @@ func NewMockResolutionClient(t *testing.T, universeYAML string) resolution.Depen
 		t.Fatalf("failed parsing schema: %v", err)
 	}
 
-	return mockDependencyClient{sch.NewClient()}
+	return sch.NewClient()
 }

clients/resolution/client.go

@@ -19,8 +19,8 @@ import (
 	"deps.dev/util/resolve"
 )
 
-// DependencyClient is the interface of the client required by dependency resolution.
-type DependencyClient interface {
+// ClientWithRegistries is a resolve.Client that allows package registries to be added.
+type ClientWithRegistries interface {
 	resolve.Client
 	// AddRegistries adds the specified registries to fetch data.
 	AddRegistries(registries []Registry) error

clients/resolution/depsdev_client.go

@@ -34,6 +34,3 @@ func NewDepsDevClient(addr string, userAgent string) (*DepsDevClient, error) {
 
 	return &DepsDevClient{APIClient: *resolve.NewAPIClient(c), c: c}, nil
 }
-
-// AddRegistries is a placeholder here for DepsDevClient.
-func (d *DepsDevClient) AddRegistries(_ []Registry) error { return nil }

clients/resolution/override_client.go

@@ -21,20 +21,20 @@ import (
 	"deps.dev/util/resolve"
 )
 
-// OverrideClient wraps a DependencyClient, allowing for custom packages & versions to be added
+// OverrideClient wraps a resolve.Client, allowing for custom packages & versions to be added
 type OverrideClient struct {
-	DependencyClient
+	resolve.Client
 	// Can't quite reuse resolve.LocalClient because it automatically creates dependencies
 	pkgVers map[resolve.PackageKey][]resolve.Version            // versions of a package
 	verDeps map[resolve.VersionKey][]resolve.RequirementVersion // dependencies of a version
 }
 
 // NewOverrideClient makes a new OverrideClient.
-func NewOverrideClient(c DependencyClient) *OverrideClient {
+func NewOverrideClient(c resolve.Client) *OverrideClient {
 	return &OverrideClient{
-		DependencyClient: c,
-		pkgVers:          make(map[resolve.PackageKey][]resolve.Version),
-		verDeps:          make(map[resolve.VersionKey][]resolve.RequirementVersion),
+		Client:  c,
+		pkgVers: make(map[resolve.PackageKey][]resolve.Version),
+		verDeps: make(map[resolve.VersionKey][]resolve.RequirementVersion),
 	}
 }
 
@@ -62,7 +62,7 @@ func (c *OverrideClient) Version(ctx context.Context, vk resolve.VersionKey) (re
 		}
 	}
 
-	return c.DependencyClient.Version(ctx, vk)
+	return c.Client.Version(ctx, vk)
 }
 
 // Versions returns the versions of a package specified by the PackageKey.
@@ -71,7 +71,7 @@ func (c *OverrideClient) Versions(ctx context.Context, pk resolve.PackageKey) ([
 		return vers, nil
 	}
 
-	return c.DependencyClient.Versions(ctx, pk)
+	return c.Client.Versions(ctx, pk)
 }
 
 // Requirements returns the requirement versions of the version specified by the VersionKey.
@@ -80,7 +80,7 @@ func (c *OverrideClient) Requirements(ctx context.Context, vk resolve.VersionKey
 		return deps, nil
 	}
 
-	return c.DependencyClient.Requirements(ctx, vk)
+	return c.Client.Requirements(ctx, vk)
 }
 
 // MatchingVersions returns the versions matching the requirement specified by the VersionKey.
@@ -89,5 +89,5 @@ func (c *OverrideClient) MatchingVersions(ctx context.Context, vk resolve.Versio
 		return resolve.MatchRequirement(vk, vs), nil
 	}
 
-	return c.DependencyClient.MatchingVersions(ctx, vk)
+	return c.Client.MatchingVersions(ctx, vk)
 }

extractor/filesystem/language/java/pomxmlnet/pomxmlnet.go

@@ -38,13 +38,13 @@ import (
 
 // Extractor extracts Maven packages with transitive dependency resolution.
 type Extractor struct {
-	depClient   resolution.DependencyClient
+	depClient   resolve.Client
 	mavenClient *datasource.MavenRegistryAPIClient
 }
 
 // Config is the configuration for the pomxmlnet Extractor.
 type Config struct {
-	resolution.DependencyClient
+	DependencyClient resolve.Client
 	*datasource.MavenRegistryAPIClient
 }
 
@@ -133,8 +133,10 @@ func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) ([]
 		for i, reg := range registries {
 			clientRegs[i] = reg
 		}
-		if err := e.depClient.AddRegistries(clientRegs); err != nil {
-			return nil, err
+		if cl, ok := e.depClient.(resolution.ClientWithRegistries); ok {
+			if err := cl.AddRegistries(clientRegs); err != nil {
+				return nil, err
+			}
 		}
 	}
 

go.mod

@@ -23,6 +23,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/opencontainers/runtime-spec v1.1.0
+	github.com/ossf/osv-schema/bindings/go v0.0.0-20250210065807-ab8a4f6e6389
 	github.com/package-url/packageurl-go v0.1.2
 	github.com/spdx/tools-golang v0.5.3
 	github.com/tidwall/jsonc v0.3.2

go.sum

@@ -157,6 +157,9 @@ github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bl
 github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/ossf/osv-schema v1.6.7/go.mod h1:5JF2BtmJlCOVvx9ojzEXpSvqyJDfHDtRk8E5KIRO6uA=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20250210065807-ab8a4f6e6389 h1:1ITHMJ7xNLEC9Qq9kvXPe8/rf7rrCxV5/fjyhawBbgI=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20250210065807-ab8a4f6e6389/go.mod h1:lILztSxHU7VsdlYqCnwgxSDBhbXMf7iEQWtldJCDXPo=
 github.com/package-url/packageurl-go v0.1.2 h1:0H2DQt6DHd/NeRlVwW4EZ4oEI6Bn40XlNPRqegcxuo4=
 github.com/package-url/packageurl-go v0.1.2/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

internal/guidedremediation/manifest/manifest.go

@@ -0,0 +1,53 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package manifest provides methods for parsing and writing manifest files.
+package manifest
+
+import (
+	"deps.dev/util/resolve"
+	"github.com/google/osv-scalibr/internal/guidedremediation/manifest/maven"
+	"github.com/google/osv-scalibr/internal/guidedremediation/manifest/npm"
+)
+
+// Manifest is the interface for the representation of a manifest file needed for dependency resolution.
+type Manifest interface {
+	FilePath() string                           // Path to the manifest file
+	Root() resolve.Version                      // Version representing this package
+	System() resolve.System                     // The System of this manifest
+	Requirements() []resolve.RequirementVersion // All direct requirements, including dev
+	Groups() map[RequirementKey][]string        // Dependency groups that the imports belong to
+	LocalManifests() []Manifest                 // Manifests of local packages
+	EcosystemSpecific() any                     // Any ecosystem-specific information needed
+
+	Clone() Manifest // Clone the manifest
+}
+
+// RequirementKey is a comparable type that uniquely identifies a package dependency in a manifest.
+// It does not include the version specification.
+type RequirementKey any
+
+// MakeRequirementKey constructs an ecosystem-specific RequirementKey from the given RequirementVersion.
+func MakeRequirementKey(requirement resolve.RequirementVersion) RequirementKey {
+	switch requirement.System {
+	case resolve.NPM:
+		return npm.MakeRequirementKey(requirement)
+	case resolve.Maven:
+		return maven.MakeRequirementKey(requirement)
+	case resolve.UnknownSystem:
+		fallthrough
+	default:
+		return requirement.PackageKey
+	}
+}

internal/guidedremediation/manifest/maven/pomxml.go

@@ -0,0 +1,65 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package maven provides the manifest parsing and writing for the Maven pom.xml format.
+package maven
+
+import (
+	"deps.dev/util/maven"
+	"deps.dev/util/resolve"
+	"deps.dev/util/resolve/dep"
+)
+
+// RequirementKey is a comparable type that uniquely identifies a package dependency in a manifest.
+type RequirementKey struct {
+	resolve.PackageKey
+	ArtifactType string
+	Classifier   string
+}
+
+var _ map[RequirementKey]any
+
+// MakeRequirementKey constructs a maven RequirementKey from the given RequirementVersion.
+func MakeRequirementKey(requirement resolve.RequirementVersion) RequirementKey {
+	// Maven dependencies must have unique groupId:artifactId:type:classifier.
+	artifactType, _ := requirement.Type.GetAttr(dep.MavenArtifactType)
+	classifier, _ := requirement.Type.GetAttr(dep.MavenClassifier)
+
+	return RequirementKey{
+		PackageKey:   requirement.PackageKey,
+		ArtifactType: artifactType,
+		Classifier:   classifier,
+	}
+}
+
+// ManifestSpecific is ecosystem-specific information needed for the pom.xml manifest.
+type ManifestSpecific struct {
+	Parent                 maven.Parent
+	Properties             []PropertyWithOrigin         // Properties from the base project
+	OriginalRequirements   []DependencyWithOrigin       // Dependencies from the base project
+	RequirementsForUpdates []resolve.RequirementVersion // Requirements that we only need for updates
+	Repositories           []maven.Repository
+}
+
+// PropertyWithOrigin is a maven property with the origin where it comes from.
+type PropertyWithOrigin struct {
+	maven.Property
+	Origin string // Origin indicates where the property comes from
+}
+
+// DependencyWithOrigin is a maven dependency with the origin where it comes from.
+type DependencyWithOrigin struct {
+	maven.Dependency
+	Origin string // Origin indicates where the dependency comes from
+}

internal/guidedremediation/manifest/npm/packagejson.go

@@ -0,0 +1,41 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package npm provides the manifest parsing and writing for the npm package.json format.
+package npm
+
+import (
+	"deps.dev/util/resolve"
+	"deps.dev/util/resolve/dep"
+)
+
+// RequirementKey is a comparable type that uniquely identifies a package dependency in a manifest.
+type RequirementKey struct {
+	resolve.PackageKey
+	KnownAs string
+}
+
+var _ map[RequirementKey]any
+
+// MakeRequirementKey constructs an npm RequirementKey from the given RequirementVersion.
+func MakeRequirementKey(requirement resolve.RequirementVersion) RequirementKey {
+	// Npm requirements are the uniquely identified by the key in the dependencies fields (which ends up being the path in node_modules)
+	// Declaring a dependency in multiple places (dependencies, devDependencies, optionalDependencies) only installs it once at one version.
+	// Aliases & non-registry dependencies are keyed on their 'KnownAs' attribute.
+	knownAs, _ := requirement.Type.GetAttr(dep.KnownAs)
+	return RequirementKey{
+		PackageKey: requirement.PackageKey,
+		KnownAs:    knownAs,
+	}
+}

internal/guidedremediation/matcher/matcher.go

@@ -0,0 +1,31 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package matcher provides the interface for the vulnerability matcher used by guided remediation.
+package matcher
+
+import (
+	"context"
+
+	"github.com/google/osv-scalibr/extractor"
+	"github.com/ossf/osv-schema/bindings/go/osvschema"
+)
+
+// TODO(#454): Temporarily internal while migration is in progress.
+// Will need to be moved to publicly accessible location once external interface is created.
+
+// VulnerabilityMatcher interface provides functionality get a list of affecting vulnerabilities for each package in an inventory.
+type VulnerabilityMatcher interface {
+	MatchVulnerabilities(ctx context.Context, invs []*extractor.Inventory) ([][]*osvschema.Vulnerability, error)
+}