import { AnalyzedPackageWithVersion, OSRelease } from "../analyzer/types"; import { DepTree } from "../types"; /** @deprecated Should implement a new function to build a dependency graph instead. */ export declare function buildTree(targetImage: string, packageFormat: string, depInfosList: AnalyzedPackageWithVersion[], targetOS: OSRelease): DepTree; /** * Canonical "full name" for a package as it appears in the dep graph and * therefore in any vulnerability `from[]` / `packageName` field a downstream * consumer (e.g. backend, UI) sees. * * For OS packages with a distinct source/origin (Debian `Source:`, Alpine * `o:`, RPM source RPM) the name is `/` - e.g. the libc * vuln pinned against Debian's `glibc` source surfaces on the binary * `libc-bin` as `glibc/libc-bin`. For packages without a `Source` (and for * non-OS ecosystems) it's just ``. * * Exported so the layer-attribution producer can mint keys with the same * shape — see `lib/analyzer/layer-attribution.ts`. Keep this as the single * source of truth for that string format; if it drifts, the response * builder's per-package `dockerLayerDiffId` annotation join (which keys * by `${depFullName}@${version}`) will silently miss for any package * with a non-trivial `Source` (i.e. most OS vulns). */ export declare function depFullName(depInfo: AnalyzedPackageWithVersion): string;