Documentation ¶
Index ¶
- Variables
- func CompareSeverityString(sev1, sev2 string) int
- type Advisories
- type Advisory
- type AdvisoryDetail
- type CVSS
- type CVSSVector
- type DataSource
- type Ecosystem
- type LastUpdated
- type Severity
- type SourceID
- type Status
- type VendorCVSS
- type VendorSeverity
- type Vulnerability
- type VulnerabilityDetail
Constants ¶
This section is empty.
Variables ¶
View Source
var (
SeverityNames = []string{
"UNKNOWN",
"LOW",
"MEDIUM",
"HIGH",
"CRITICAL",
}
)
View Source
var ( // Statuses is a list of statuses. // VEX has 4 statuses: not-affected, affected, fixed, and under_investigation. // cf. https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf // // In addition to them, Red Hat has "will_not_fix" and "fix_deferred". // cf. https://access.redhat.com/blogs/product-security/posts/2066793 Statuses = []string{ "unknown", "not_affected", "affected", "fixed", "under_investigation", "will_not_fix", "fix_deferred", "end_of_life", } )
Functions ¶
func CompareSeverityString ¶
Types ¶
type Advisories ¶
type Advisories struct { FixedVersion string `json:",omitempty"` // For backward compatibility Entries []Advisory `json:",omitempty"` // Custom is basically for extensibility and is not supposed to be used in OSS Custom interface{} `json:",omitempty"` // For backward compatibility }
Advisories saves fixed versions for each arches/vendorIDs e.g. this is required when CVE has different fixed versions for different arches
type Advisory ¶
type Advisory struct { VulnerabilityID string `json:",omitempty"` // CVE-ID or vendor ID VendorIDs []string `json:",omitempty"` // e.g. RHSA-ID and DSA-ID Arches []string `json:",omitempty"` // It is filled only when FixedVersion is empty since it is obvious the state is "Fixed" when FixedVersion is not empty. // e.g. Will not fix and Affected Status Status `json:"-"` // Trivy DB has "vulnerability" bucket and severities are usually stored in the bucket per a vulnerability ID. // In some cases, the advisory may have multiple severities depending on the packages. // For example, CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3. // e.g. https://security-tracker.debian.org/tracker/CVE-2015-2328 Severity Severity `json:",omitempty"` // Versions for os package FixedVersion string `json:",omitempty"` AffectedVersion string `json:",omitempty"` // Only for Arch Linux // MajorVersion ranges for language-specific package // Some advisories provide VulnerableVersions only, others provide PatchedVersions and UnaffectedVersions VulnerableVersions []string `json:",omitempty"` PatchedVersions []string `json:",omitempty"` UnaffectedVersions []string `json:",omitempty"` // DataSource holds where the advisory comes from DataSource *DataSource `json:",omitempty"` // Custom is basically for extensibility and is not supposed to be used in OSS Custom interface{} `json:",omitempty"` }
func (*Advisory) MarshalJSON ¶
MarshalJSON customizes how an Advisory is marshaled to JSON. It is used when saving the Advisory to the BoltDB database. To reduce the size of the database, the Status field is converted to an integer before being saved, while the status is normally exported as a string in JSON. This is done by creating an anonymous struct that has all the same fields as Advisory, but with the Status field replaced by an IntStatus field of type int.
func (*Advisory) UnmarshalJSON ¶
type AdvisoryDetail ¶
type CVSSVector ¶
type DataSource ¶
type LastUpdated ¶
type VendorCVSS ¶
type VendorSeverity ¶
type Vulnerability ¶
type Vulnerability struct { Title string `json:",omitempty"` Description string `json:",omitempty"` Severity string `json:",omitempty"` // Selected from VendorSeverity, depending on a scan target CweIDs []string `json:",omitempty"` // e.g. CWE-78, CWE-89 VendorSeverity VendorSeverity `json:",omitempty"` CVSS VendorCVSS `json:",omitempty"` References []string `json:",omitempty"` PublishedDate *time.Time `json:",omitempty"` // Take from NVD LastModifiedDate *time.Time `json:",omitempty"` // Take from NVD // Custom is basically for extensibility and is not supposed to be used in OSS Custom interface{} `json:",omitempty"` }
type VulnerabilityDetail ¶
type VulnerabilityDetail struct { ID string `json:",omitempty"` // e.g. CVE-2019-8331, OSVDB-104365 CvssScore float64 `json:",omitempty"` CvssVector string `json:",omitempty"` CvssScoreV3 float64 `json:",omitempty"` CvssVectorV3 string `json:",omitempty"` Severity Severity `json:",omitempty"` SeverityV3 Severity `json:",omitempty"` CweIDs []string `json:",omitempty"` // e.g. CWE-78, CWE-89 References []string `json:",omitempty"` Title string `json:",omitempty"` Description string `json:",omitempty"` PublishedDate *time.Time `json:",omitempty"` // Take from NVD LastModifiedDate *time.Time `json:",omitempty"` // Take from NVD }
Click to show internal directories.
Click to hide internal directories.