cyclonedx

package
v0.39.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 9, 2022 License: Apache-2.0 Imports: 14 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Advisories

type Advisories struct {
	Advisory []string `xml:"v:advisory"`
}

Advisories holds all the links for a vulnerability

type BdComponent added in v0.10.0

type BdComponent struct {
	XMLName xml.Name `xml:"component"`
	Component
}

BdComponent represents the software/package being cataloged.

type BdTool added in v0.10.0

type BdTool struct {
	XMLName xml.Name `xml:"tool"`
	Vendor  string   `xml:"vendor,omitempty"`  // The vendor of the tool used to create the BOM.
	Name    string   `xml:"name,omitempty"`    // The name of the tool used to create the BOM.
	Version string   `xml:"version,omitempty"` // The version of the tool used to create the BOM.

}

BdTool represents the tool that created the BOM report.

type BomDescriptor added in v0.10.0

type BomDescriptor struct {
	XMLName   xml.Name     `xml:"metadata"`
	Timestamp string       `xml:"timestamp,omitempty"` // The date and time (timestamp) when the document was created
	Tools     []BdTool     `xml:"tools>tool"`          // The tool used to create the BOM.
	Component *BdComponent `xml:"component"`           // The Component that the BOM describes.
}

BomDescriptor represents all metadata surrounding the BOM report (such as when the BOM was made, with which tool, and the item being cataloged).

func NewBomDescriptor

func NewBomDescriptor(name, version string, srcMetadata source.Metadata) *BomDescriptor

NewBomDescriptor returns a new BomDescriptor tailored for the current time and "syft" tool details.

type Component

type Component struct {
	XMLName     xml.Name   `xml:"component"`
	Type        string     `xml:"type,attr"`             // Required; Describes if the Component is a library, framework, application, container, operating system, firmware, hardware device, or file
	Supplier    string     `xml:"supplier,omitempty"`    // The organization that supplied the Component. The supplier may often be the manufacture, but may also be a distributor or repackager.
	Author      string     `xml:"author,omitempty"`      // The person(s) or organization(s) that authored the Component
	Publisher   string     `xml:"publisher,omitempty"`   // The person(s) or organization(s) that published the Component
	Group       string     `xml:"group,omitempty"`       // The high-level classification that a project self-describes as. This will often be a shortened, single name of the company or project that produced the Component, or the source package or domain name.
	Name        string     `xml:"name"`                  // Required; The name of the Component as defined by the project
	Version     string     `xml:"version"`               // Required; The version of the Component as defined by the project
	Description string     `xml:"description,omitempty"` // A description of the Component
	Licenses    *[]License `xml:"licenses>License"`      // A node describing zero or more License names, SPDX License IDs or expressions
	PackageURL  string     `xml:"purl,omitempty"`        // Specifies the package-url (PackageURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
	// TODO: source, hashes, copyright, cpe, purl, swid, modified, pedigree, externalReferences
	// TODO: add user-defined parameters for syft-specific values (image layer index, cataloger, location path, etc.)
	Vulnerabilities *[]Vulnerability `xml:"v:vulnerabilities>v:vulnerability,omitempty"`
}

Component represents a single element in the CycloneDX BOM

type Document

type Document struct {
	XMLName       xml.Name       `xml:"bom"`
	XMLNs         string         `xml:"xmlns,attr"`
	XMLNsV        string         `xml:"xmlns:v,attr"`
	Version       int            `xml:"version,attr"`
	SerialNumber  string         `xml:"serialNumber,attr"`
	BomDescriptor *BomDescriptor `xml:"metadata"`
	Components    []Component    `xml:"components>component"`
}

Document represents a CycloneDX Vulnerability Document.

func NewDocument

func NewDocument(packages []pkg.Package, matches match.Matches, srcMetadata *source.Metadata, provider vulnerability.MetadataProvider) (Document, error)

NewDocument returns a CycloneDX Document object populated with the SBOM and vulnerability findings.

type License added in v0.10.0

type License struct {
	XMLName xml.Name `xml:"license"`
	ID      string   `xml:"id,omitempty"`   // A valid SPDX License ID
	Name    string   `xml:"name,omitempty"` // If SPDX does not define the License used, this field may be used to provide the License name
}

License represents a single software License for a Component

type Presenter

type Presenter struct {
	// contains filtered or unexported fields
}

Presenter writes a CycloneDX report from the given Matches and Scope contents

func NewPresenter

func NewPresenter(results match.Matches, packages []pkg.Package, srcMetadata *source.Metadata, metadataProvider vulnerability.MetadataProvider) *Presenter

NewPresenter is a *Presenter constructor

func (*Presenter) Present

func (pres *Presenter) Present(output io.Writer) error

Present creates a CycloneDX-based reporting

type Rating

type Rating struct {
	Score    *Score `xml:"v:score,omitempty"`
	Severity string `xml:"v:severity,omitempty"`
	Method   string `xml:"v:method,omitempty"`
	Vector   string `xml:"v:vector,omitempty"`
}

Rating has information about the intensity of a vulnerability

type Score

type Score struct {
	Base           float64 `xml:"v:base"`
	Impact         float64 `xml:"v:impact"`
	Exploitability float64 `xml:"v:exploitability"`
}

Score provides the different ways to measure how serious a vulnerability is

type Source

type Source struct {
	Name string `xml:"name,attr"`
	URL  string `xml:"v:url"`
}

Source is the origin of the vulnerability, like Github Advisories or NVD, along with a URL constructed with the vulnerability ID

type Vulnerability

type Vulnerability struct {
	Ref     string   `xml:"ref,attr"`
	ID      string   `xml:"v:id"`
	Source  Source   `xml:"v:source"`
	Ratings []Rating `xml:"v:ratings>v:rating"`
	// We do not capture Common Weakness Enumeration
	// Cwes            Cwes             `xml:"v:cwes"`
	Description string `xml:"v:description,omitempty"`
	// We don't have recommendations (e.g. "upgrade")
	// Recommendations *Recommendations `xml:"v:recommendations"`
	Advisories *Advisories `xml:"v:advisories,omitempty"`
}

Vulnerability is the actual description of a vulnerable artifact

func NewVulnerability

func NewVulnerability(m match.Match, p vulnerability.MetadataProvider) (Vulnerability, error)

NewVulnerability creates a Vulnerability document from a match and the metadata provider

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL