1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
//! Domain types for fleetreach: the stable, I/O-free contract every other crate maps onto.
//!
//! `fleetreach-core` defines the model a fleet scan produces — `FleetReport`,
//! `VulnFinding`, `Occurrence`, `Severity` — and their serde shape. It
//! performs **no I/O** and exposes **no `rustsec` types**, so downstream
//! enrichment (EPSS, reachability, SARIF) lands as additive fields without
//! breaking `schema_version: 1` consumers. `semver` values stay typed and
//! serialize to strings only at the JSON boundary.
//!
//! # Usage
//!
//! ```sh
//! cargo add fleetreach-core
//! ```
//!
//! The per-occurrence verdict — is the *installed* version still vulnerable? — is
//! computed against the advisory's patched range, fail-closed:
//!
//! ```
//! use fleetreach_core::semver::{Version, VersionReq};
//! use fleetreach_core::{DependencyKind, Occurrence, RepoId, Severity};
//!
//! // Severity is ordered worst-last, so `iter().max()` yields the fleet maximum.
//! assert!(Severity::Critical > Severity::High);
//!
//! let occurrence = Occurrence::InRepo {
//! repo: RepoId("app".into()),
//! package: "jiff".into(),
//! installed: Version::new(0, 1, 1),
//! patched: vec![VersionReq::parse(">=0.1.2").unwrap()],
//! dependency_kind: DependencyKind::Transitive,
//! dependency_path: vec![],
//! active: None,
//! source: Default::default(),
//! };
//! assert!(occurrence.is_vulnerable()); // installed is below the patched range
//! ```
//!
//! # Minimum supported Rust version
//!
//! 1.89. An MSRV increase is treated as a minor-version bump.
pub use DepGraph;
pub use ;
pub use ;
pub use ;
pub use ;
pub use Severity;
/// Re-exported so every downstream crate links the *same* `semver`, matching
/// the version `rustsec` pulls in (§12, avoid version skew).
pub use semver;