
1//! Domain types for fleetreach: the stable, I/O-free contract every other crate maps onto.
2//!
3//! `fleetreach-core` defines the model a fleet scan produces — `FleetReport`,
4//! `VulnFinding`, `Occurrence`, `Severity` — and their serde shape. It
//! performs **no I/O** and exposes **no `rustsec` types**, so downstream
//! enrichment (EPSS, reachability, SARIF) lands as additive fields without
//! breaking `schema_version: 1` consumers — provided those consumers tolerate
//! unknown fields (serde's default; `deny_unknown_fields` would reject them).
//! `semver` values stay typed and serialize to strings only at the JSON boundary.
9//!
10//! # Usage
11//!
12//! ```sh
13//! cargo add fleetreach-core
14//! ```
15//!
//! The per-occurrence verdict — is the *installed* version still vulnerable? — is
//! computed against the advisory's patched range and is fail-closed: the absence
//! of a satisfied patched requirement means *vulnerable*, never *fixed*:
18//!
19//! ```
20//! use fleetreach_core::semver::{Version, VersionReq};
21//! use fleetreach_core::{DependencyKind, Occurrence, RepoId, Severity};
22//!
//! // `Severity` orders ascending with the worst variant last, so `iter().max()`
//! // yields the fleet maximum.
24//! assert!(Severity::Critical > Severity::High);
25//!
26//! let occurrence = Occurrence::InRepo {
27//!     repo: RepoId("app".into()),
28//!     package: "jiff".into(),
29//!     installed: Version::new(0, 1, 1),
30//!     patched: vec![VersionReq::parse(">=0.1.2").unwrap()],
31//!     dependency_kind: DependencyKind::Transitive,
32//!     dependency_path: vec![],
33//!     active: None,
34//!     source: Default::default(),
35//! };
36//! assert!(occurrence.is_vulnerable()); // installed is below the patched range
37//! ```
38//!
39//! # Minimum supported Rust version
40//!
41//! 1.89. An MSRV increase is treated as a minor-version bump.
42
// `depgraph` and `osv` are public modules; the remaining modules are private
// and expose their types only through the `pub use` re-exports below.
pub mod depgraph;
mod finding;
pub mod osv;
mod outcome;
mod remediation;
mod report;
mod severity;

// Flat re-exports: the names downstream crates import. The private module
// layout can change without touching these paths.
pub use depgraph::DepGraph;
pub use finding::{
    DepSource, DependencyKind, Ecosystem, Exploitability, Occurrence, ReachVerdict, Reachability,
    RepoId, VulnFinding, WarnFinding, WarnKind,
};
pub use outcome::{RepoOutcome, ScanStatus};
pub use remediation::{remediations, Action, ReachTier, RemediationItem};
pub use report::{max_severity_of, FleetReport, Provenance, Summary, SCHEMA_VERSION};
pub use severity::Severity;
60
/// Re-exported so every downstream crate links the *same* `semver` crate version
/// that `rustsec` pulls in (design note §12: avoid version skew). Two `semver`
/// versions would make `Version`/`VersionReq` distinct types, so advisory ranges
/// and installed versions could not be compared directly — depend on this path
/// rather than adding a separate `semver` dependency.
63pub use semver;