- func NewLinter(paths []string) (linter.Linter, error)
- func PreparePackageQuery(ctx context.Context, modules []Module) (rego.PreparedEvalQuery, error)
- func ReportPackages(ctx context.Context, logger *slog.Logger, sqlDB *sql.DB, platform string, ...) (table.Writer, error)
- type EvaluationInput
- type EvaluationInputDependency
- type EvaluationInputDependencyHealth
- type EvaluationInputDependencyHealthEcosystemsPackage
- type EvaluationInputDependencyHealthEcosystemsRepo
- type EvaluationInputDependencyHealthScorecard
- type EvaluationInputProject
- type EvaluationInputRepositoryMetadata
- type Level
- type Module
- type Policies
- type PolicyViolation
Functions ¶
func PreparePackageQuery ¶
Types ¶
type EvaluationInput ¶ added in v0.65.2
// EvaluationInput is the document handed to a policy evaluation (see
// EvaluatePolicies): the project a dependency was found in, plus the
// dependency itself. The `json` tags are the key names a policy sees, so
// `project` and `dependency` are the top-level keys of the input document;
// AsAstValue presumably converts this value into the policy engine's form.
type EvaluationInput struct {
	// Project identifies the repository the dependency belongs to.
	Project EvaluationInputProject `json:"project"`
	// Dependency describes the package being evaluated.
	Dependency EvaluationInputDependency `json:"dependency"`
}
func PreparePolicyEvaluationInputs ¶ added in v0.75.2
func (EvaluationInput) AsAstValue ¶ added in v0.75.2
func (i EvaluationInput) AsAstValue() ast.Value
type EvaluationInputDependency ¶ added in v0.65.2
// EvaluationInputDependency describes a single package dependency as it is
// presented to policy evaluation. The `json` tags name the keys a policy
// sees (for example `package_name`); the Go field names are not visible there.
type EvaluationInputDependency struct {
	// PackageName contains the name of the package
	PackageName string `json:"package_name"`
	// Version indicates the version of this dependency
	//
	// NOTE this could be a version constraint, such as any of:
	//
	//	<=1.3.4,>=1.3.0
	//	"~> 0.9"
	//	latest
	//	^2.0.6
	//	=1.0.4
	//
	// As well as a specific value, such as:
	//
	//	1.0.4
	//	10
	//	latest
	//
	// This versioning will be implementation-specific for the `packageManager`
	// in use. Because the value may be a constraint rather than a concrete
	// release, a policy should not treat it as directly comparable to a
	// version number; CurrentVersion holds the resolved value where known.
	Version string `json:"version"`
	// CurrentVersion defines the current version that this package's `version`
	// resolves to
	//
	// If the `version` is an exact version number, such as `1.0.4`, then
	// `currentVersion` will usually be the same value, `1.0.4`
	//
	// If the `version` is a version constraint, then this column MAY indicate
	// the exact version that was resolved at the time of dependency analysis
	//
	// CurrentVersion may be empty
	CurrentVersion string `json:"current_version"`
	// PackageManager indicates the package manager that the Policy Violation
	// will correspond to
	PackageManager string `json:"package_manager"`
	// PackageFilePath defines the path within `repo` that defines the
	// `packageName` as a dependency. For example:
	//
	//	.github/workflows/build.yml
	//	go.mod
	//	build/Dockerfile
	//
	// NOTE that this may be empty
	// (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/396)
	PackageFilePath string `json:"package_file_path"`
	// DepTypes defines the different dependency types that may be in use.
	// This will always be a JSON array, with 0 or more string elements.
	// For example:
	//
	//	[]
	//	["action"]
	//	["dependencies","lockfile"]
	//	["dependencies","missing-data"]
	//	["lockfile","lockfile-yarn-pinning-^21.1.1"]
	//	["engines"]
	//
	// Based on which datasource(s) (https://dmd.tanna.dev/concepts/datasource/)
	// you are using, this will have different values and meanings
	//
	// NOTE that in the future there will be a more consistent naming structure
	// for these
	// (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/379)
	//
	// NOTE(review): a nil []string marshals as JSON null, not []. The
	// "always a JSON array" guarantee therefore depends on the populating
	// code initialising the slice (or on AsAstValue not going through
	// encoding/json) — confirm before a policy relies on it.
	DepTypes []string `json:"dep_types"`
	// Licenses contains the SPDX Identifier(s) or SPDX License Expression(s)
	// (https://spdx.dev/learn/handling-license-info/) that declares this
	// package's license. The same nil-versus-empty caveat as DepTypes applies.
	Licenses []string `json:"licenses"`
	// Health carries optional health signals for the package. It is nil when
	// none were collected, in which case the `health` key is omitted from the
	// document rather than present as null.
	Health *EvaluationInputDependencyHealth `json:"health,omitempty"`
}
type EvaluationInputDependencyHealth ¶ added in v0.76.0
// EvaluationInputDependencyHealth groups the optional health signals known
// for a dependency. Each source is a pointer with `omitempty`, so an absent
// source is missing from the document rather than null; a policy should
// guard for the key being absent before reading fields beneath it.
type EvaluationInputDependencyHealth struct {
	// SecurityScorecard holds per-check security scorecard results, when
	// available.
	SecurityScorecard *EvaluationInputDependencyHealthScorecard `json:"security_scorecard,omitempty"`
	// Ecosystems holds package-level health data from the ecosystems source,
	// when available.
	Ecosystems *EvaluationInputDependencyHealthEcosystemsPackage `json:"ecosystems,omitempty"`
}
type EvaluationInputDependencyHealthEcosystemsPackage ¶ added in v0.76.0
// EvaluationInputDependencyHealthEcosystemsPackage holds package-level health
// data exposed under the `ecosystems` key of EvaluationInputDependencyHealth.
// Every field is a pointer with `omitempty`, so a nil field is absent from
// the document rather than present as null.
type EvaluationInputDependencyHealthEcosystemsPackage struct {
	// Repo links to repository-level health data for the package, when known.
	Repo *EvaluationInputDependencyHealthEcosystemsRepo `json:"repo,omitempty"`
	// LatestReleasePublishedAt is the publication time of the most recent
	// release. Timestamps are carried as strings — NOTE(review): the exact
	// format (e.g. RFC 3339) is not fixed by this type; confirm against the
	// populating code before parsing it in a policy.
	LatestReleasePublishedAt *string `json:"latest_release_published_at,omitempty"`
	// LastSyncedAt records when the upstream source last refreshed its view
	// of this package; an old value means the other fields may be stale.
	LastSyncedAt *string `json:"last_synced_at,omitempty"`
	// Status is the upstream source's status string for the package.
	// NOTE(review): the set of values is not defined here — verify against
	// the data source before matching on it.
	Status *string `json:"status,omitempty"`
}
type EvaluationInputDependencyHealthEcosystemsRepo ¶ added in v0.76.0
type EvaluationInputDependencyHealthScorecard ¶ added in v0.76.0
// EvaluationInputDependencyHealthScorecard carries per-check results for a
// dependency's security scorecard, exposed under `security_scorecard`. The
// check names mirror OpenSSF Scorecard checks (Dangerous-Workflow,
// Token-Permissions, Pinned-Dependencies, ...) — presumably that is the data
// source; confirm against the populating code. Every check is a pointer so
// that "not assessed" (nil) can be told apart from a result of 0.
//
// NOTE(review): only CodeReview carries `omitempty`; every other nil field
// is emitted as JSON null rather than omitted. A policy that tests for key
// presence will therefore see `code_review` behave differently from the
// other checks — confirm whether that asymmetry is intended.
type EvaluationInputDependencyHealthScorecard struct {
	// Score is the aggregate score. NOTE(review): its range is not enforced
	// by this type; confirm the scale before thresholding on it.
	Score *float64 `json:"score"`
	// CodeReview is the code-review check result (omitted when nil).
	CodeReview *int `json:"code_review,omitempty"`
	// Maintained is the maintained check result.
	Maintained *int `json:"maintained"`
	// CiiBestPractices is the CII best-practices badge check result.
	CiiBestPractices *int `json:"cii_best_practices"`
	// License is the license check result.
	License *int `json:"license"`
	// DangerousWorkflow is the dangerous-workflow check result.
	DangerousWorkflow *int `json:"dangerous_workflow"`
	// Packaging is the packaging check result.
	Packaging *int `json:"packaging"`
	// TokenPermissions is the token-permissions check result.
	TokenPermissions *int `json:"token_permissions"`
	// SignedReleases is the signed-releases check result.
	SignedReleases *int `json:"signed_releases"`
	// BranchProtection is the branch-protection check result.
	BranchProtection *int `json:"branch_protection"`
	// BinaryArtifacts is the binary-artifacts check result.
	BinaryArtifacts *int `json:"binary_artifacts"`
	// Fuzzing is the fuzzing check result.
	Fuzzing *int `json:"fuzzing"`
	// SecurityPolicy is the security-policy check result.
	SecurityPolicy *int `json:"security_policy"`
	// Sast is the SAST check result.
	Sast *int `json:"sast"`
	// Vulnerabilities is the vulnerabilities check result.
	Vulnerabilities *int `json:"vulnerabilities"`
	// PinnedDependencies is the pinned-dependencies check result.
	PinnedDependencies *int `json:"pinned_dependencies"`
}
type EvaluationInputProject ¶ added in v0.65.2
// EvaluationInputProject identifies the repository a dependency was found
// in, exposed under the `project` key of EvaluationInput. Platform,
// Organisation and Repo together locate the repository; Metadata adds
// organisation-supplied context about it when present.
type EvaluationInputProject struct {
	// Platform describes the source hosting platform this dependency's
	// repository is found on, i.e. `github`, `gitlab`, `gitea`, etc
	Platform string `json:"platform"`
	// Organisation describes the organisation this dependency's repository is
	// found on. Can include `/` for nested organisations
	Organisation string `json:"organisation"`
	// Repo is the repo name
	Repo string `json:"repo"`
	// Metadata tracks metadata about the repository, which is sourced from the
	// `repository_metadata` table. It is nil (and the `metadata` key absent)
	// when no row exists for the repository.
	Metadata *EvaluationInputRepositoryMetadata `json:"metadata,omitempty"`
}
type EvaluationInputRepositoryMetadata ¶ added in v0.67.0
// EvaluationInputRepositoryMetadata is organisation-supplied context about a
// repository, exposed under `project.metadata`. Several fields are free-form
// and their meaning is defined by the organisation populating them, so a
// policy should only match on values the organisation has agreed on.
type EvaluationInputRepositoryMetadata struct {
	// IsMonorepo indicates whether the repository is treated as a monorepo
	IsMonorepo bool `json:"is_monorepo"`
	// IsFork indicates whether this is a forked repository. This could
	// indicate that this is a temporary repository, a long-standing fork for
	// security + supply-chain hygiene purposes, or some other reason.
	IsFork bool `json:"is_fork"`
	// RepositoryType is a free-form field to create enum-style data, for
	// instance `LIBRARY` or `SERVICE`, or `EXAMPLE_CODE`.
	//
	// This may track with your Developer Portal's own definition of a
	// repository's type.
	RepositoryType string `json:"repository_type"`
	// RepositoryUsage is a free-form field to note additional information
	// around the repository's usage, which is organisation-specific.
	//
	// For instance, this may be enum-style data, a space-separated list of
	// enum-style data, or a long human-readable description.
	RepositoryUsage *string `json:"repository_usage,omitempty"`
	// Visibility indicates the repository's visibility in the source forge
	//
	// NOTE that this may be straightforward if you're using a publicly hosted
	// source forge, but if you're running on an internally run, i.e. VPN'd off
	// source forge, this field may have a slightly different interpretation
	Visibility string `json:"visibility"`
	// Description is a textual description of the repo for more context, which
	// can include links out to other systems i.e. a Service Catalog. The
	// contents will be shown verbatim to a user, and will not be interpreted
	// as markup — any renderer must therefore escape it rather than treat it
	// as HTML or Markdown.
	Description *string `json:"description,omitempty"`
	// AdditionalMetadata contains additional key-value data that can be used
	// to provide custom organisation-specific configuration, and augment any
	// queries for data with information around this additional metadata.
	//
	// For instance:
	//
	//   - `last_commit_date` - the last commit date to the project
	//   - `pci_environment` - the PCI environment the application is deployed to
	//   - `customer_type` - i.e. whether it's used for government, financial
	//     users, etc
	//
	// A nil map is omitted from the document rather than emitted as null.
	AdditionalMetadata map[string]string `json:"additional_metadata,omitempty"`
}
type Policies ¶
// Policies is a zero-size receiver type: the value holds no state, and its
// behaviour lives entirely in its methods (AnonymiseData and CreateTables).
type Policies struct{}
func (*Policies) AnonymiseData ¶
func (*Policies) CreateTables ¶
type PolicyViolation ¶
// PolicyViolation is one finding produced by EvaluatePolicies. It embeds the
// dependency the policy matched, so domain.Dependency's fields are promoted
// onto the violation, and adds the level, advisory classification and
// description the policy attached to it.
type PolicyViolation struct {
	domain.Dependency
	// DepTypes lists the dependency types the matched dependency was recorded
	// with; DepTypesAsString renders them as a single string.
	DepTypes []string
	// Level is the level the policy assigned to this violation — presumably
	// a severity; see the Level type.
	Level Level
	// AdvisoryType classifies the violation using the shared advisory
	// taxonomy, so policy findings sit alongside other advisory kinds.
	AdvisoryType advisory.AdvisoryType
	// Description is the policy-supplied explanation of the violation.
	Description string
}
func EvaluatePolicies ¶
func EvaluatePolicies(ctx context.Context, query rego.PreparedEvalQuery, inputs []EvaluationInput) ([]PolicyViolation, int, error)
func (PolicyViolation) DepTypesAsString ¶
func (v PolicyViolation) DepTypesAsString() string