refactor: imodels PackageInfo refactor to use functions (google#1482)

This PR refactors PackageInfo to be accessed via methods, which will
perform necessary transformations on the underlying inventory as needed.

This also adds the ecosystemmock extractor which allows you set the
return value of the Ecosystem() function.

TODO: Add tests for imodels. I will add tests in a followup PR once we
are confident we are sticking with this approach and it works with the
other refactors.

internal/clients/clientimpl/localmatcher/localmatcher.go

@@ -54,21 +54,21 @@ func (matcher *LocalMatcher) MatchVulnerabilities(ctx context.Context, invs []*e
 		}
 
 		pkg := imodels.FromInventory(inv)
-		if pkg.Ecosystem.IsEmpty() {
-			if pkg.Commit == "" {
+		if pkg.Ecosystem().IsEmpty() {
+			if pkg.Commit() == "" {
 				// This should never happen, as those results will be filtered out before matching
 				return nil, errors.New("ecosystem is empty and there is no commit hash")
 			}
 
 			// Is a commit based query, skip local scanning
 			results = append(results, []*models.Vulnerability{})
 			// TODO (V2 logging):
-			matcher.r.Infof("Skipping commit scanning for: %s\n", pkg.Commit)
+			matcher.r.Infof("Skipping commit scanning for: %s\n", pkg.Commit())
 
 			continue
 		}
 
-		db, err := matcher.loadDBFromCache(ctx, pkg.Ecosystem)
+		db, err := matcher.loadDBFromCache(ctx, pkg.Ecosystem())
 
 		if err != nil {
 			continue

internal/clients/clientimpl/localmatcher/zip.go

@@ -238,12 +238,12 @@ func (db *ZipDB) VulnerabilitiesAffectingPackage(pkg imodels.PackageInfo) []*mod
 
 	// TODO (V2 Models): remove this once PackageDetails has been migrated
 	mappedPackageDetails := lockfile.PackageDetails{
-		Name:      pkg.Name,
-		Version:   pkg.Version,
-		Commit:    pkg.Commit,
-		Ecosystem: lockfile.Ecosystem(pkg.Ecosystem.String()),
-		CompareAs: lockfile.Ecosystem(pkg.Ecosystem.String()),
-		DepGroups: pkg.DepGroups,
+		Name:      pkg.Name(),
+		Version:   pkg.Version(),
+		Commit:    pkg.Commit(),
+		Ecosystem: lockfile.Ecosystem(pkg.Ecosystem().String()),
+		CompareAs: lockfile.Ecosystem(pkg.Ecosystem().String()),
+		DepGroups: pkg.DepGroups(),
 	}
 
 	for _, vulnerability := range db.Vulnerabilities(false) {

internal/clients/clientimpl/osvmatcher/osvmatcher.go

@@ -9,6 +9,7 @@ import (
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/log"
 	"github.com/google/osv-scanner/internal/imodels"
+	"github.com/google/osv-scanner/internal/imodels/ecosystem"
 	"github.com/google/osv-scanner/internal/osvdev"
 	"github.com/google/osv-scanner/internal/semantic"
 	"github.com/google/osv-scanner/pkg/models"
@@ -155,19 +156,19 @@ func queryForBatchWithPaging(ctx context.Context, c *osvdev.OSVClient, queries [
 }
 
 func pkgToQuery(pkg imodels.PackageInfo) *osvdev.Query {
-	if pkg.Name != "" && !pkg.Ecosystem.IsEmpty() && pkg.Version != "" {
+	if pkg.Name() != "" && !pkg.Ecosystem().IsEmpty() && pkg.Version() != "" {
 		return &osvdev.Query{
 			Package: osvdev.Package{
-				Name:      pkg.Name,
-				Ecosystem: pkg.Ecosystem.String(),
+				Name:      pkg.Name(),
+				Ecosystem: pkg.Ecosystem().String(),
 			},
-			Version: pkg.Version,
+			Version: pkg.Version(),
 		}
 	}
 
-	if pkg.Commit != "" {
+	if pkg.Commit() != "" {
 		return &osvdev.Query{
-			Commit: pkg.Commit,
+			Commit: pkg.Commit(),
 		}
 	}
 
@@ -184,16 +185,16 @@ func invsToQueries(invs []*extractor.Inventory) []*osvdev.Query {
 
 	for i, inv := range invs {
 		pkg := imodels.FromInventory(inv)
-		pkg = patchPackageForRequest(pkg)
 		queries[i] = pkgToQuery(pkg)
+		patchQueryForRequest(queries[i])
 	}
 
 	return queries
 }
 
-// patchPackageForRequest modifies packages before they are sent to osv.dev to
+// patchQueryForRequest modifies packages before they are sent to osv.dev to
 // account for edge cases.
-func patchPackageForRequest(pkg imodels.PackageInfo) imodels.PackageInfo {
+func patchQueryForRequest(queryToPatch *osvdev.Query) {
 	// Assume Go stdlib patch version as the latest version
 	//
 	// This is done because go1.20 and earlier do not support patch
@@ -202,17 +203,17 @@ func patchPackageForRequest(pkg imodels.PackageInfo) imodels.PackageInfo {
 	// However, if we assume patch version as .0, this will cause a lot of
 	// false positives. This compromise still allows osv-scanner to pick up
 	// when the user is using a minor version that is out-of-support.
-	if pkg.Name == "stdlib" && pkg.Ecosystem.Ecosystem == osvschema.EcosystemGo {
-		v := semantic.ParseSemverLikeVersion(pkg.Version, 3)
+	//
+	// MustParse works here because this query is converted from a valid ecosystem in the first place
+	if queryToPatch.Package.Name == "stdlib" && ecosystem.MustParse(queryToPatch.Package.Ecosystem).Ecosystem == osvschema.EcosystemGo {
+		v := semantic.ParseSemverLikeVersion(queryToPatch.Version, 3)
 		if len(v.Components) == 2 {
-			pkg.Version = fmt.Sprintf(
+			queryToPatch.Version = fmt.Sprintf(
 				"%d.%d.%d",
 				v.Components.Fetch(0),
 				v.Components.Fetch(1),
 				9999,
 			)
 		}
 	}
-
-	return pkg
 }

internal/config/config.go

@@ -54,19 +54,19 @@ type PackageOverrideEntry struct {
 }
 
 func (e PackageOverrideEntry) matches(pkg imodels.PackageInfo) bool {
-	if e.Name != "" && e.Name != pkg.Name {
+	if e.Name != "" && e.Name != pkg.Name() {
 		return false
 	}
-	if e.Version != "" && e.Version != pkg.Version {
+	if e.Version != "" && e.Version != pkg.Version() {
 		return false
 	}
 	// If there is an ecosystem filter, the filter must not match both the:
 	//  - Full ecosystem + suffix
 	//  - The base ecosystem
-	if e.Ecosystem != "" && (e.Ecosystem != pkg.Ecosystem.String() && e.Ecosystem != string(pkg.Ecosystem.Ecosystem)) {
+	if e.Ecosystem != "" && (e.Ecosystem != pkg.Ecosystem().String() && e.Ecosystem != string(pkg.Ecosystem().Ecosystem)) {
 		return false
 	}
-	if e.Group != "" && !slices.Contains(pkg.DepGroups, e.Group) {
+	if e.Group != "" && !slices.Contains(pkg.DepGroups(), e.Group) {
 		return false
 	}