Enum Occurrence 

pub enum Occurrence {
    InRepo {
        repo: RepoId,
        package: String,
        installed: Version,
        patched: Vec<VersionReq>,
        dependency_kind: DependencyKind,
        dependency_path: Vec<String>,
        active: Option<bool>,
        source: DepSource,
    },
    Toolchain {
        channel: String,
        installed: Option<Version>,
        patched: Vec<VersionReq>,
    },
}

A single location/version where an advisory applies.

The advisory groups occurrences, but the verdict is per-occurrence: the same crate at different versions across repos may differ (one patched, one not). A toolchain advisory (rustsec::Collection::Rust) has no repo to pin, so it is a distinct variant rather than a sentinel repo.

Serializes as an internally tagged enum: the kind field is "in_repo" or "toolchain", and the variant’s fields are inlined alongside it.

Variants

InRepo

Fields

repo: RepoId

Stable id from fleet.toml.

package: String
installed: Version
patched: Vec<VersionReq>

Versions that fix the advisory; empty means “no fix available”.

dependency_kind: DependencyKind
dependency_path: Vec<String>

A shortest chain of package names from a root crate down to this package (["my-app", "jiff", "defmt", …]) — the answer to “who pulls this in”. There may be other paths; this is one representative. Empty when the dependency graph could not be computed. Additive field — omitted from JSON when empty, so schema_version: 1 is unaffected.

active: Option<bool>

Whether this package is actually compiled in the host’s default build (feature-resolved). None unless --resolve-features ran; Some(false) flags a Cargo.lock-only optional dep that is never built. Additive — omitted from JSON when None.

source: DepSource

Where this package resolves from (registry / git / path), for the VEX subcomponent PURL (§4.1). Additive — omitted from JSON for the common crates.io case, so schema_version: 1 output is unaffected.

Toolchain

Fields

channel: String

e.g. "stable 1.xx" — there is no repo to pin a toolchain advisory to.

installed: Option<Version>
patched: Vec<VersionReq>

Implementations

impl Occurrence

pub fn is_vulnerable(&self) -> bool

The per-occurrence verdict: is the installed version actually vulnerable? An occurrence is vulnerable when its installed version is covered by none of the advisory’s patched requirements. This is computed per occurrence precisely because the same advisory can apply to different versions across the fleet — one already patched, one not.

Fail-closed: an empty patched set (no fix published) or an unknown installed version counts as vulnerable.

use fleetreach_core::{DependencyKind, Occurrence, RepoId};
use fleetreach_core::semver::{Version, VersionReq};

let at = |major, minor, patch| Occurrence::InRepo {
    repo: RepoId("app".into()),
    package: "foo".into(),
    installed: Version::new(major, minor, patch),
    patched: vec![VersionReq::parse(">=1.2.0").unwrap()],
    dependency_kind: DependencyKind::Transitive,
    dependency_path: vec![],
    active: None,
    source: Default::default(),
};
assert!(at(1, 1, 9).is_vulnerable());  // below the fix
assert!(!at(1, 2, 0).is_vulnerable()); // at the fix
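
The fail-closed cases that the doctest above does not exercise, as an added std-only sketch rather than fleetreach_core code: Ver, Req and Occ are hypothetical stand-ins for Version, VersionReq and Occurrence, Req models only a lower bound with an optional upper bound, and the fleet is constructed sample data.

```rust
// Added illustration, not fleetreach_core code: Ver, Req and Occ are hypothetical
// stand-ins for Version, VersionReq and Occurrence; the fleet is constructed data.
type Ver = (u64, u64, u64); // (major, minor, patch); tuples compare field by field

/// Simplified patched requirement: `>= min` and, optionally, `< below`.
struct Req { min: Ver, below: Option<Ver> }

impl Req {
    fn matches(&self, v: Ver) -> bool {
        v >= self.min && self.below.map_or(true, |b| v < b)
    }
}

/// Only the fields the verdict reads.
struct Occ { label: &'static str, installed: Option<Ver>, patched: Vec<Req> }

impl Occ {
    /// Vulnerable unless a known installed version matches some patched requirement.
    fn is_vulnerable(&self) -> bool {
        match self.installed {
            None => true, // unknown installed version: fail closed
            // `any` over an empty patched set is false, so "no fix" is vulnerable too
            Some(v) => !self.patched.iter().any(|r| r.matches(v)),
        }
    }
}

/// One advisory fixed on two release lines: `>=1.2.5, <1.3.0` and `>=1.3.1`.
fn fixes() -> Vec<Req> {
    vec![Req { min: (1, 2, 5), below: Some((1, 3, 0)) }, Req { min: (1, 3, 1), below: None }]
}

fn sample_fleet() -> Vec<Occ> {
    vec![
        Occ { label: "repo-a foo 1.2.7", installed: Some((1, 2, 7)), patched: fixes() },
        Occ { label: "repo-b foo 1.3.0", installed: Some((1, 3, 0)), patched: fixes() },
        Occ { label: "repo-c bar 0.4.1 (no fix)", installed: Some((0, 4, 1)), patched: vec![] },
        Occ { label: "toolchain (version unknown)", installed: None, patched: fixes() },
    ]
}

/// The same advisory yields a different verdict for each occurrence.
fn vulnerable_labels(fleet: &[Occ]) -> Vec<&'static str> {
    fleet.iter().filter(|o| o.is_vulnerable()).map(|o| o.label).collect()
}

fn main() {
    for label in vulnerable_labels(&sample_fleet()) { println!("vulnerable: {label}"); }
}
```

repo-b sits between the two patched ranges, so it is reported even though its version is higher than repo-a's, which is patched.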

Trait Implementations

impl Clone for Occurrence

fn clone(&self) -> Occurrence

Returns a duplicate of the value.

1.0.0 (const: unstable)
fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Occurrence

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Occurrence

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for Occurrence

fn eq(&self, other: &Occurrence) -> bool

Tests for self and other values to be equal, and is used by ==.

1.0.0 (const: unstable)
fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Occurrence

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for Occurrence

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<T> Pointable for T

const ALIGN: usize

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.