diagnostics

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateSampleExclusion

func GenerateSampleExclusion() string

GenerateSampleExclusion generates a sample exclusion YAML file content with descriptions

func GetExtraHeaders added in v0.6.7

func GetExtraHeaders(diags []*SecurityDiagnostic) []string

GetExtraHeaders derives additional header names from the Tags of the supplied diagnostics (one per distinct tag), returned sorted in alphabetical order; they are intended to be passed as the extraHeaders of SecurityDiagnostic.CSVHeaders and CSVValues.

Types

type CharRange

type CharRange struct {
	// StartIndex and EndIndex are offsets into the scanned content.
	// NOTE(review): whether they count bytes or runes, and whether EndIndex is
	// inclusive, is not established here — confirm against the scanner that
	// populates them before using them to slice file contents.
	StartIndex, EndIndex int64
}

CharRange describes the location in the file where a range of "text" is found

func (*CharRange) Contains

func (thisRange *CharRange) Contains(thatRange *CharRange) bool

type Confidence

// Confidence reflects the degree of confidence that we have in an assessment.
// It is an ordered scale: the levels are declared with iota in increasing
// order, so a larger value means more confidence and levels can be compared
// with < and >. Its JSON form is the level name (see MarshalJSON/UnmarshalJSON),
// not the integer.
type Confidence int

Confidence reflects the degree of confidence that we have in an assessment

// The confidence levels, in increasing order. Because they are iota-based,
// inserting a level in the middle renumbers every later one; that only affects
// code that compares or stores the raw integer, since the JSON representation
// is the name.
const (
	// Info is informational confidence in the assessment (the lowest level, value 0).
	Info Confidence = iota
	// Low confidence in the assessment.
	Low
	// Medium confidence in the assessment.
	Medium
	// High confidence in the assessment.
	High
	// Critical confidence in the assessment (the highest level).
	Critical
)

func (Confidence) GoString

func (conf Confidence) GoString() string

GoString returns a Go-syntax representation of the confidence, used by the %#v formatting verb.

func (Confidence) MarshalJSON

func (conf Confidence) MarshalJSON() ([]byte, error)

MarshalJSON encodes the confidence as its JSON string representation (the level name) rather than as an integer.

func (Confidence) String

func (conf Confidence) String() string

func (*Confidence) UnmarshalJSON

func (conf *Confidence) UnmarshalJSON(data []byte) error

UnmarshalJSON parses the JSON string representation of a confidence level back into a Confidence. How an unrecognised level name is handled (error or default) is not stated here; callers decoding untrusted reports should check the returned error.

type DefaultSecurityDiagnosticsProvider

// DefaultSecurityDiagnosticsProvider is the default SecurityDiagnosticsProvider:
// consumers registered with AddConsumers receive every diagnostic passed to
// Broadcast.
// NOTE(review): the exported API says nothing about synchronisation; if
// AddConsumers and Broadcast are called from different goroutines, confirm
// that the implementation guards its consumer list.
type DefaultSecurityDiagnosticsProvider struct {
	// contains filtered or unexported fields
}

DefaultSecurityDiagnosticsProvider is the default implementation of SecurityDiagnosticsProvider: it keeps a list of registered consumers and forwards every broadcast diagnostic to each of them.

func (*DefaultSecurityDiagnosticsProvider) AddConsumers

func (sdp *DefaultSecurityDiagnosticsProvider) AddConsumers(consumers ...SecurityDiagnosticsConsumer)

AddConsumers registers consumers to be notified by this provider whenever a new diagnostic is broadcast.

func (*DefaultSecurityDiagnosticsProvider) Broadcast

func (sdp *DefaultSecurityDiagnosticsProvider) Broadcast(diagnostics *SecurityDiagnostic)

Broadcast sends diagnostics to all registered consumers

type Evidence

type Evidence struct {
	// Description is the human-readable statement of this piece of evidence.
	Description string     `json:"description"`
	// Confidence is how strongly this evidence supports the assessment.
	Confidence  Confidence `json:"confidence"`
}

Evidence is an atomic piece of information that supports a security diagnostic, together with the confidence placed in it.

type ExcludeContainer

// ExcludeContainer pairs a set of exclusion rules with the repositories they
// apply to; it is the input of CompileExcludes.
type ExcludeContainer struct {
	// ExcludeDef holds the (not yet compiled) exclusion rules.
	ExcludeDef   *ExcludeDefinition
	// Repositories lists the repositories the rules are scoped to.
	// NOTE(review): the form of each entry (URL, local path, name) is not
	// established here — confirm against the code that builds the container.
	Repositories []string
}

type ExcludeDefinition

// ExcludeDefinition describes exclude rules, typically loaded from a YAML file
// (GenerateSampleExclusion produces an annotated example).
//
// Notes for whoever maintains an exclusion file:
//   - Every rule here suppresses findings. An over-broad regular expression in
//     GloballyExcludedRegExs or PathRegexExcludedRegExs silently hides real
//     secrets, so changes to the file deserve the same review as code.
//   - The hash rules carry an unsalted SHA256 of the excluded value. For a
//     low-entropy secret that hash can be brute-forced offline, so the file
//     should be treated as sensitive rather than published freely.
type ExcludeDefinition struct {
	// These specify regular expressions of matching strings that should be ignored as secrets anywhere they are found
	GloballyExcludedRegExs []string `yaml:"GloballyExcludedRegExs"`
	// These specify strings that should be ignored as secrets anywhere they are found
	GloballyExcludedStrings []string `yaml:"GloballyExcludedStrings"`
	// These specify SHA256 hashes that should be ignored as secrets anywhere they are found
	GloballyExcludedHashes []string `yaml:"GloballyExcludedHashes"`
	// These specify regular expressions that ignore files whose paths match
	PathExclusionRegExs []string `yaml:"PathExclusionRegExs"`
	// These specify sets of strings that should be excluded in a given file. That is filepath -> Set(strings)
	PerFileExcludedStrings map[string][]string `yaml:"PerFileExcludedStrings"`
	// These specify sets of SHA256 hashes that should be excluded in a given file. That is filepath -> Set(hashes)
	PerFileExcludedHashes map[string][]string `yaml:"PerFileExcludedHashes"`
	// These specify sets of regular expressions that if matched on a path matched by the filepath key should be ignored. That is filepath_regex -> Set(regex)
	// This is a quite versatile construct and can model the four above
	// NOTE(review): the YAML key is "PathRegexExcludedRegex" (no trailing "s"),
	// unlike the Go field name. Depending on the decoder's strictness, a file
	// that spells the key "PathRegexExcludedRegExs" may be silently ignored.
	PathRegexExcludedRegExs map[string][]string `yaml:"PathRegexExcludedRegex"`
}

ExcludeDefinition describes exclude rules

type ExcludeRequirement

// ExcludeRequirement is a request to exclude a finding from future results.
type ExcludeRequirement struct {
	// What identifies the thing to exclude.
	// NOTE(review): whether this is the raw value, its hash or a path is not
	// established here — confirm against the code that consumes it.
	What      string
	// Issue is the diagnostic the exclusion request refers to.
	Issue     SecurityDiagnostic
	// ProjectID scopes the request to a project.
	ProjectID string
}

type ExclusionProvider

type ExclusionProvider interface {
	// ShouldExclude determines whether the supplied value should be excluded based on its value and the
	// path (if any) of the source file providing additional context
	ShouldExclude(pathContext, value string) bool
	// ShouldExcludeHashOnPath reports whether a value whose SHA256 hash is hash
	// should be excluded when found in the file at pathContext.
	// NOTE(review): the encoding of hash (hex is the usual choice) is not
	// established here.
	ShouldExcludeHashOnPath(pathContext, hash string) bool
	// ShouldExcludePath reports whether the whole file at path should be skipped.
	ShouldExcludePath(path string) bool
	// ShouldExcludeValue reports whether value should be ignored wherever it is found.
	ShouldExcludeValue(value string) bool
	// ShouldExcludeHash reports whether a value with SHA256 hash hash should be
	// ignored wherever it is found.
	ShouldExcludeHash(hash string) bool
}

ExclusionProvider describes an exclusion strategy: an implementation decides which paths, values and value hashes a scanner should ignore.

func CompileExcludes

func CompileExcludes(container ExcludeContainer) (ExclusionProvider, error)

CompileExcludes returns an ExclusionProvider with the regular expressions in the container already compiled. The error is non-nil when the provider cannot be built — presumably when one of the regular expressions fails to compile — and callers must not fall back to scanning without exclusions silently in that case without meaning to.

func MakeEmptyExcludes

func MakeEmptyExcludes() ExclusionProvider

MakeEmptyExcludes creates an empty default exclusion list

type Justification

type Justification struct {
	// Headline is the main piece of evidence. Note that omitempty has no
	// effect on a struct-typed field, so headline is always emitted.
	Headline Evidence   `json:"headline,omitempty"` //Headline evidence
	// Reasons are sub-reasons that justify why this is an issue; omitted from
	// JSON when empty.
	Reasons  []Evidence `json:"reasons,omitempty"`  //sub-reasons that justify why this is an issue
}

Justification describes why a security diagnostic was generated: a headline piece of evidence plus any supporting reasons.

type PolicyUpdateResult

// PolicyUpdateResult reports the outcome of a policy update.
// NOTE(review): the set of Status values and the format of NewPolicy (YAML
// exclusion text is a plausible guess) are not established here.
type PolicyUpdateResult struct {
	// Status describes the outcome of the update.
	Status    string
	// NewPolicy carries the policy text after the update.
	NewPolicy string
}

type Progress

// Progress is a snapshot of how far a scan has got, identified by project and scan.
type Progress struct {
	// ProjectID identifies the project being scanned.
	ProjectID   string
	// ScanID identifies this scan run.
	ScanID      string
	Position    int64 //how many files processed so far
	Total       int64 //total number of files
	// CurrentFile is the file being processed when the snapshot was taken.
	CurrentFile string
}

type SecurityDiagnostic

// SecurityDiagnostic describes a security issue found by a provider.
//
// Handling note: when Source is set it carries the matched text itself, which
// for a secret detector is the secret. Any report, log or message that
// serialises this struct is therefore as sensitive as the scanned content;
// the SHA256 comment below describes the usual mitigation.
type SecurityDiagnostic struct {
	// Justification says why this is considered an issue. omitempty has no
	// effect on struct-typed fields, so justification, range, rawRange and
	// highlightRange are always emitted.
	Justification  Justification `json:"justification,omitempty"`
	// Range is the location of the finding in the source, as a code.Range.
	Range          code.Range    `json:"range,omitempty"`
	// RawRange is the same location as raw character offsets.
	RawRange       CharRange     `json:"rawRange,omitempty"`
	// HighlightRange is the sub-range to highlight when presenting the finding.
	HighlightRange code.Range    `json:"highlightRange,omitempty"`
	// Source code evidence optionally provided. For a secret finding this is
	// the secret text — see the handling note on the type.
	Source *string `json:"source,omitempty"`
	// SHA256 checksum is an optional SHA256 hash of the secret. High-security environments
	// may want to consider using an HMAC or similar and omitting source from the reports,
	// since an unsalted hash of a low-entropy secret can be brute-forced offline.
	SHA256 *string `json:"sha256,omitempty"`
	// Location is an optional value that could contain filepath or URI of resource that this diagnostic applies to
	Location *string `json:"location,omitempty"`
	// used for identifying the source of the diagnostics
	ProviderID *string   `json:"providerID,omitempty"`
	// Excluded indicates whether or not this diagnostic has been excluded.
	// NOTE(review): unlike the other fields it has no json tag, so it is
	// serialised under the key "Excluded" and is never omitted.
	Excluded   bool      //indicates whether or not this diagnostics has been excluded
	Tags       *[]string `json:"tags,omitempty"` //optionally annotate diagnostic with tags, e.g. "test"
}

SecurityDiagnostic describes a security issue

func (*SecurityDiagnostic) AddTag

func (sd *SecurityDiagnostic) AddTag(tag string)

AddTag adds a tag to the diagnostic

func (*SecurityDiagnostic) CSVHeaders

func (sd *SecurityDiagnostic) CSVHeaders(extraHeaders ...string) []string

func (*SecurityDiagnostic) CSVValues

func (sd *SecurityDiagnostic) CSVValues(extraHeaders ...string) []string

func (*SecurityDiagnostic) GetValue

func (sd *SecurityDiagnostic) GetValue() string

func (SecurityDiagnostic) GoString

func (sd SecurityDiagnostic) GoString() string

GoString returns a Go-syntax representation of the diagnostic, used by the %#v formatting verb.

func (*SecurityDiagnostic) HasTag

func (sd *SecurityDiagnostic) HasTag(tag string) bool

HasTag checks whether the diagnostic has the specified tag.

type SecurityDiagnosticsConsumer

type SecurityDiagnosticsConsumer interface {
	// ReceiveDiagnostic is invoked by a provider for each diagnostic it
	// broadcasts. The pointer is shared with the provider and any other
	// consumers, so implementations should treat it as read-only.
	ReceiveDiagnostic(diagnostic *SecurityDiagnostic)
}

SecurityDiagnosticsConsumer is an interface with a callback to receive security diagnostics

type SecurityDiagnosticsProvider

type SecurityDiagnosticsProvider interface {
	// AddConsumers adds consumers to be notified by this provider when there is a new diagnostic
	AddConsumers(consumers ...SecurityDiagnosticsConsumer)
	// Broadcast delivers diagnostic to every registered consumer.
	Broadcast(diagnostic *SecurityDiagnostic)
}

SecurityDiagnosticsProvider interface for security diagnostics providers
