import { SymlinkMap } from "../../extractor/types";
import { AnalyzedPackageWithVersion, ImageAnalysis, OSRelease } from "../types";
import { SymlinkGraph } from "./path-canonicalization";
export interface OwnedPackage {
    evidencePaths: string[];
    apkPackageName: string;
    apkPackageVersion: string;
    originPackage: string;
    name?: string;
    version?: string;
}
export interface ApkPackageOwnership {
    distroId: string;
    ownedPackages: OwnedPackage[];
}
export interface OwnershipCandidate {
    evidencePaths: string[];
    name?: string;
    version?: string;
}
export type MatchKind = "exact" | "directory";
export interface PathOwnerMatch {
    owner: AnalyzedPackageWithVersion;
    matchKind: MatchKind;
    /** Number of matched path segments; a deeper directory match outranks a shallower one. */
    prefixLength: number;
}
interface DirectoryTrieNode {
    owners: AnalyzedPackageWithVersion[];
    children: Map<string, DirectoryTrieNode>;
}
export interface ApkPathIndex {
    exactFileOwners: Map<string, AnalyzedPackageWithVersion[]>;
    directoryTrie: DirectoryTrieNode;
}
export declare function isChainguardDistro(osRelease?: OSRelease): boolean;
export declare function toSymlinkGraph(symlinks?: SymlinkMap): SymlinkGraph;
export declare function buildApkPathIndex(packages: AnalyzedPackageWithVersion[], symlinkGraph: SymlinkGraph): ApkPathIndex;
export declare function resolveOwnerForEvidencePath(evidencePath: string, index: ApkPathIndex, symlinkGraph: SymlinkGraph): PathOwnerMatch | undefined;
/**
 * Resolve APK package ownership for a set of candidates on Wolfi/Chainguard
 * images. Each candidate (a single npm package, or a whole Go/Java result) is
 * resolved independently: all of its evidence paths must be wholly owned by one
 * consistent APK package, or the candidate is omitted (fail closed per
 * candidate). Per Chainguard's scanner spec, a dependency with any unowned path
 * is not covered by advisory data and must keep its findings — we skip rather
 * than guess and risk suppressing real vulnerabilities in user-added software.
 * Candidates carrying a coordinate (name@version) are deduplicated, keeping an
 * owned occurrence over an unowned one.
 * https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/scanning_implementation.md
 */
export declare function resolveApkOwnership(candidates: OwnershipCandidate[], index: ApkPathIndex, symlinkGraph: SymlinkGraph, osRelease: OSRelease): ApkPackageOwnership | undefined;
export declare function getApkPackagesFromResults(results?: ImageAnalysis[]): AnalyzedPackageWithVersion[];
export {};
