Documentation ¶
Index ¶
- Constants
- func OfflineImport(ctx context.Context, pool *pgxpool.Pool, in io.Reader) error
- type Libvuln
- func (l *Libvuln) Close(ctx context.Context) error
- func (l *Libvuln) DeleteUpdateOperations(ctx context.Context, ref ...uuid.UUID) (int64, error)
- func (l *Libvuln) FetchUpdates(ctx context.Context) error
- func (l *Libvuln) GC(ctx context.Context) (int64, error)
- func (l *Libvuln) GCFull(ctx context.Context) (int64, error)
- func (l *Libvuln) Initialized(ctx context.Context) (bool, error)
- func (l *Libvuln) LatestUpdateOperation(ctx context.Context, kind driver.UpdateKind) (uuid.UUID, error)
- func (l *Libvuln) LatestUpdateOperations(ctx context.Context, kind driver.UpdateKind) (map[string][]driver.UpdateOperation, error)
- func (l *Libvuln) Scan(ctx context.Context, ir *claircore.IndexReport) (*claircore.VulnerabilityReport, error)
- func (l *Libvuln) UpdateDiff(ctx context.Context, prev, cur uuid.UUID) (*driver.UpdateDiff, error)
- func (l *Libvuln) UpdateOperations(ctx context.Context, kind driver.UpdateKind, updaters ...string) (map[string][]driver.UpdateOperation, error)
- type LockSource
- type Options
- Bugs
Examples ¶
Constants ¶
const ( DefaultUpdateWorkers = 10 DefaultMaxConnPool = 50 DefaultUpdateRetention = 2 )
Variables ¶
This section is empty.
Functions ¶
func OfflineImport ¶
OfflineImport takes the format written into the io.Writer provided to NewOfflineUpdater and imports the contents into the provided pgxpool.Pool.
The format provided on "in" should be the same output from jsonblob.Store, with any compression undone.
Types ¶
type Libvuln ¶
type Libvuln struct {
// contains filtered or unexported fields
}
Libvuln exports methods for scanning an IndexReport and created a VulnerabilityReport.
Libvuln also runs background updaters which keep the vulnerability database consistent.
Example ¶
package main import ( "context" "time" "github.com/vishnuchalla/claircore" "github.com/vishnuchalla/claircore/libvuln" ) func main() { ctx := context.TODO() opts := &libvuln.Options{ // see definition for configuration option } lib, err := libvuln.New(ctx, opts) if err != nil { panic(err) } for range time.Tick(5 * time.Second) { ok, err := lib.Initialized(ctx) if err != nil { panic(err) } if ok { break } } ir := &claircore.IndexReport{} vr, err := lib.Scan(ctx, ir) if err != nil { panic(err) } _ = vr }
Output:
func (*Libvuln) DeleteUpdateOperations ¶
DeleteUpdateOperations removes UpdateOperations. A call to GC or GCFull must be run after this to garbage collect vulnerabilities associated with the UpdateOperation.
The number of UpdateOperations deleted is returned.
func (*Libvuln) FetchUpdates ¶
FetchUpdates runs configured updaters.
func (*Libvuln) GC ¶
GC will cleanup any update operations older then the configured UpdatesRetention value. GC is throttled and ensure its a good citizen to the database.
The returned int is the number of outstanding UpdateOperations not deleted due to throttling. To run GC to completion use the GCFull method.
func (*Libvuln) GCFull ¶
GCFull will run garbage collection until all expired update operations and stale vulnerabilites are removed in accordance with the UpdateRetention value.
GCFull may return an error accompanied by its other return value, the number of oustanding update operations not deleted.
func (*Libvuln) Initialized ¶
Initialized reports whether the backing vulnerability store is initialized.
func (*Libvuln) LatestUpdateOperation ¶
func (l *Libvuln) LatestUpdateOperation(ctx context.Context, kind driver.UpdateKind) (uuid.UUID, error)
LatestUpdateOperation returns a reference to the latest known update.
This can be used by clients to determine if a call to Scan is likely to return new results.
func (*Libvuln) LatestUpdateOperations ¶
func (l *Libvuln) LatestUpdateOperations(ctx context.Context, kind driver.UpdateKind) (map[string][]driver.UpdateOperation, error)
LatestUpdateOperations returns references for the latest update for every known updater.
These references are okay to expose externally.
func (*Libvuln) Scan ¶
func (l *Libvuln) Scan(ctx context.Context, ir *claircore.IndexReport) (*claircore.VulnerabilityReport, error)
Scan creates a VulnerabilityReport given a manifest's IndexReport.
func (*Libvuln) UpdateDiff ¶
UpdateDiff returns an UpdateDiff describing the changes between prev and cur.
func (*Libvuln) UpdateOperations ¶
func (l *Libvuln) UpdateOperations(ctx context.Context, kind driver.UpdateKind, updaters ...string) (map[string][]driver.UpdateOperation, error)
UpdateOperations returns UpdateOperations in date descending order keyed by the Updater name
type LockSource ¶
type LockSource interface { TryLock(context.Context, string) (context.Context, context.CancelFunc) Lock(context.Context, string) (context.Context, context.CancelFunc) Close(context.Context) error }
TODO (crozzy): Find a home for this and stop redefining it. LockSource abstracts over how locks are implemented.
An online system needs distributed locks, offline use cases can use process-local locks.
type Options ¶
type Options struct { // Store is the interface used to persist and retrieve vulnerabilites // for of matching. Store datastore.MatcherStore // Locker provides system-wide locks for the updater subsystem. If the // matching work is distributed the lock should be backed by a distributed // store. Locker LockSource // An interval on which Libvuln will check for new security database // updates. // // This duration will have jitter added to it, to help with smearing load on // installations. UpdateInterval time.Duration // A slice of strings representing which updaters libvuln will create. // // If nil all default UpdaterSets will be used. // // The following sets are supported: // "alpine" // "aws" // "debian" // "oracle" // "photon" // "pyupio" // "rhel" // "suse" // "ubuntu" UpdaterSets []string // A list of out-of-tree updaters to run. // // This list will be merged with any defined UpdaterSets. // // If you desire no updaters to run do not add an updater // into this slice. Updaters []driver.Updater // A slice of strings representing which // matchers will be used. // // If nil all default Matchers will be used // // The following names are supported by default: // "alpine" // "aws" // "debian" // "oracle" // "photon" // "python" // "rhel" // "suse" // "ubuntu" // "crda" - remotematcher calls hosted api via RPC. MatcherNames []string // Config holds configuration blocks for MatcherFactories and Matchers, // keyed by name. MatcherConfigs map[string]driver.MatcherConfigUnmarshaler // A list of out-of-tree matchers you'd like libvuln to // use. // // This list will me merged with the default matchers. Matchers []driver.Matcher // Enrichers is a slice of enrichers to use with all VulnerabilityReport // requests. Enrichers []driver.Enricher // UpdateWorkers controls the number of update workers running concurrently. // If less than or equal to zero, a sensible default will be used. UpdateWorkers int // UpdateRetention controls the number of updates to retain between // garbage collection periods. // // The lowest possible value is 2 in order to compare updates for notification // purposes. UpdateRetention int // If set to true, there will not be a goroutine launched to periodically // run updaters. DisableBackgroundUpdates bool // UpdaterConfigs is a map of functions for configuration of Updaters. UpdaterConfigs map[string]driver.ConfigUnmarshaler // Client is an http.Client for use by all updaters. If unset, // http.DefaultClient will be used. Client *http.Client }
Notes ¶
Bugs ¶
The OfflineImport function is a wart, needed to work around some package namespacing issues. It should get refactored if claircore gets merged into clair.