Documentation

Index
- Constants
- Variables
- func CalculateArchiveDigest(dbFilePath string) (string, error)
- func CalculateDBDigest(dbFilePath string) (string, error)
- func Hydrater() func(string) error
- func InitialData() []any
- func Models() []any
- func NewLowLevelDB(dbFilePath string, empty, writable bool) (*gorm.DB, error)
- func NormalizeReferenceTags(tags []string) []string
- func ReadDBChecksum(dir string) (string, error)
- func WriteChecksums(writer io.Writer, value string) error
- type AffectedCPEHandle
- type AffectedCPEStoreReader
- type AffectedCPEStoreWriter
- type AffectedPackageBlob
- type AffectedPackageHandle
- type AffectedPackageQualifiers
- type AffectedPackageStoreReader
- type AffectedPackageStoreWriter
- type AffectedRange
- type AffectedVersion
- type Blob
- type BlobDigest
- type CVSSSeverity
- type Config
- type Cpe
- type Curator
- type DBMetadata
- type DBMetadataStoreReader
- type DBMetadataStoreWriter
- type Description
- type Fix
- type FixDetail
- type FixStatus
- type GetAffectedCPEOptions
- type GetAffectedPackageOptions
- type GetVulnerabilityOptions
- type ID
- type OSSpecifier
- type OSSpecifiers
- type OperatingSystem
- type OperatingSystemSpecifierOverride
- type Package
- type PackageSpecifier
- type PackageSpecifierOverride
- type PackageSpecifiers
- type Provider
- type ProviderStoreReader
- type ReadWriter
- type Reader
- type Reference
- type Severity
- type SeverityScheme
- type Status
- type Time
- type VulnerabilityAlias
- type VulnerabilityBlob
- type VulnerabilityHandle
- type VulnerabilitySpecifier
- type VulnerabilitySpecifiers
- type VulnerabilityStatus
- type VulnerabilityStoreReader
- type VulnerabilityStoreWriter
- type Writer
Constants
const (
	VulnerabilityDBFileName = "vulnerability.db"

	// ModelVersion indicates how many breaking schema changes there have been (which will prevent interaction with any historical data)
	// note: this must ALWAYS be "6" in the context of this package.
	ModelVersion = 6

	// Revision indicates how many changes have been introduced which **may** prevent interaction with some historical data
	Revision = 0

	// Addition indicates how many changes have been introduced that are compatible with all historical data
	Addition = 0
)
const ChecksumFileName = VulnerabilityDBFileName + ".checksum"
Variables
var ErrDBDoesNotExist = errors.New("database does not exist")
var ErrDistroNotPresent = errors.New("distro not present")
var ErrLimitReached = errors.New("query limit reached")
var ErrMissingDistroIdentification = errors.New("missing os name or codename")
var ErrMultipleOSMatches = errors.New("multiple OS matches found but not allowed")
var NoOSSpecified = &OSSpecifier{}
Functions
func CalculateArchiveDigest added in v0.86.0
func CalculateArchiveDigest(dbFilePath string) (string, error)
func CalculateDBDigest added in v0.86.0
func CalculateDBDigest(dbFilePath string) (string, error)
func InitialData added in v0.87.0
func InitialData() []any
func NewLowLevelDB added in v0.87.0
func NewLowLevelDB(dbFilePath string, empty, writable bool) (*gorm.DB, error)
NewLowLevelDB creates a new empty DB for writing or opens an existing one for reading from the given path. This is not recommended for typical interactions with the vulnerability DB; use NewReader and NewWriter instead.
func NormalizeReferenceTags added in v0.86.0
func NormalizeReferenceTags(tags []string) []string
func ReadDBChecksum added in v0.85.0
func ReadDBChecksum(dir string) (string, error)
Types
type AffectedCPEHandle added in v0.85.0
type AffectedCPEHandle struct {
	ID ID `gorm:"column:id;primaryKey"`
	VulnerabilityID ID `gorm:"column:vulnerability_id;not null"`
	Vulnerability *VulnerabilityHandle `gorm:"foreignKey:VulnerabilityID"`
	CpeID ID `gorm:"column:cpe_id"`
	CPE *Cpe `gorm:"foreignKey:CpeID"`
	BlobID ID `gorm:"column:blob_id"`
	BlobValue *AffectedPackageBlob `gorm:"-"`
}
AffectedCPEHandle represents a single CPE affected by the specified vulnerability. Note the CPEs in this table must NOT be resolvable to Packages (use AffectedPackageHandle for that). This table is used when the CPE is known, but we do not have a clear understanding of the package ecosystem or authoritative name, so we can still find vulnerabilities by these identifiers but not assert they are related to an entry in the Packages table.
type AffectedCPEStoreReader added in v0.85.0
type AffectedCPEStoreReader interface {
GetAffectedCPEs(cpe *cpe.Attributes, config *GetAffectedCPEOptions) ([]AffectedCPEHandle, error)
}
type AffectedCPEStoreWriter added in v0.85.0
type AffectedCPEStoreWriter interface {
AddAffectedCPEs(packages ...*AffectedCPEHandle) error
}
type AffectedPackageBlob added in v0.85.0
type AffectedPackageBlob struct {
	// CVEs is a list of Common Vulnerabilities and Exposures (CVE) identifiers related to this vulnerability.
	CVEs []string `json:"cves,omitempty"`

	// Qualifiers are package attributes that confirm the package is affected by the vulnerability.
	Qualifiers *AffectedPackageQualifiers `json:"qualifiers,omitempty"`

	// Ranges specifies the affected version ranges and fixes if available.
	Ranges []AffectedRange `json:"ranges,omitempty"`
}
AffectedPackageBlob represents a package affected by a vulnerability.
type AffectedPackageHandle added in v0.85.0
type AffectedPackageHandle struct {
	ID ID `gorm:"column:id;primaryKey"`
	VulnerabilityID ID `gorm:"column:vulnerability_id;index;not null"`
	Vulnerability *VulnerabilityHandle `gorm:"foreignKey:VulnerabilityID"`
	OperatingSystemID *ID `gorm:"column:operating_system_id;index"`
	OperatingSystem *OperatingSystem `gorm:"foreignKey:OperatingSystemID"`
	PackageID ID `gorm:"column:package_id;index"`
	Package *Package `gorm:"foreignKey:PackageID"`
	BlobID ID `gorm:"column:blob_id"`
	BlobValue *AffectedPackageBlob `gorm:"-"`
}
AffectedPackageHandle represents a single package affected by the specified vulnerability. A package here is a name within a known ecosystem, such as "python" or "golang". It is important to note that this table relates vulnerabilities to resolved packages. There are cases when we have package identifiers that are not resolved to packages; for example, when we have a CPE but not a clear understanding of the package ecosystem and authoritative name (which might or might not be the product name in the CPE). In that case AffectedCPEHandle should be used.
type AffectedPackageQualifiers added in v0.85.0
type AffectedPackageQualifiers struct {
	// RpmModularity indicates if the package follows RPM modularity for versioning.
	RpmModularity string `json:"rpm_modularity,omitempty"`

	// PlatformCPEs lists Common Platform Enumeration (CPE) identifiers for affected platforms.
	PlatformCPEs []string `json:"platform_cpes,omitempty"`
}
AffectedPackageQualifiers contains package attributes that confirm the package is affected by the vulnerability.
type AffectedPackageStoreReader added in v0.85.0
type AffectedPackageStoreReader interface {
GetAffectedPackages(pkg *PackageSpecifier, config *GetAffectedPackageOptions) ([]AffectedPackageHandle, error)
}
type AffectedPackageStoreWriter added in v0.85.0
type AffectedPackageStoreWriter interface {
AddAffectedPackages(packages ...*AffectedPackageHandle) error
}
type AffectedRange added in v0.85.0
type AffectedRange struct {
	// Version defines the version constraints for affected software.
	Version AffectedVersion `json:"version"`

	// Fix provides details on the fix version and its state if available.
	Fix *Fix `json:"fix,omitempty"`
}
AffectedRange defines a specific range of versions affected by a vulnerability.
type AffectedVersion added in v0.85.0
type AffectedVersion struct {
	// Type specifies the versioning system used (e.g., "semver", "rpm").
	Type string `json:"type,omitempty"`

	// Constraint defines the version range constraint for affected versions.
	Constraint string `json:"constraint"`
}
AffectedVersion defines the versioning format and constraints.
type BlobDigest added in v0.85.0
type CVSSSeverity added in v0.85.0
type CVSSSeverity struct {
	// Vector is the CVSS assessment as a parameterized string
	Vector string `json:"vector"`

	// Version is the CVSS version (e.g. "3.0")
	Version string `json:"version,omitempty"`

	// Score is the evaluated CVSS vector as a scalar between 0 and 10
	Score float64 `json:"score"`
}
CVSSSeverity represents a single Common Vulnerability Scoring System entry
func (CVSSSeverity) String added in v0.87.0
func (c CVSSSeverity) String() string
type Cpe added in v0.85.0
type Cpe struct {
	// TODO: what about different CPE versions?
	ID ID `gorm:"primaryKey"`
	PackageID *ID `gorm:"column:package_id;index"`
	Part string `gorm:"column:part;not null;index:idx_cpe,unique,collate:NOCASE"`
	Vendor string `gorm:"column:vendor;index:idx_cpe,unique,collate:NOCASE;index:idx_cpe_vendor,collate:NOCASE"`
	Product string `gorm:"column:product;not null;index:idx_cpe,unique,collate:NOCASE;index:idx_cpe_product,collate:NOCASE"`
	Edition string `gorm:"column:edition;index:idx_cpe,unique,collate:NOCASE"`
	Language string `gorm:"column:language;index:idx_cpe,unique,collate:NOCASE"`
	SoftwareEdition string `gorm:"column:software_edition;index:idx_cpe,unique,collate:NOCASE"`
	TargetHardware string `gorm:"column:target_hardware;index:idx_cpe,unique,collate:NOCASE"`
	TargetSoftware string `gorm:"column:target_software;index:idx_cpe,unique,collate:NOCASE"`
	Other string `gorm:"column:other;index:idx_cpe,unique,collate:NOCASE"`
}
type DBMetadata
type DBMetadataStoreReader
type DBMetadataStoreReader interface {
GetDBMetadata() (*DBMetadata, error)
}
type DBMetadataStoreWriter
type DBMetadataStoreWriter interface {
SetDBMetadata() error
}
type Description added in v0.85.0
type Description struct {
	// SchemaVersion is the version of the DB schema
	SchemaVersion schemaver.SchemaVer `json:"schemaVersion,omitempty"`

	// Built is the timestamp the database was built
	Built Time `json:"built"`
}
func DescriptionFromMetadata added in v0.86.0
func DescriptionFromMetadata(m *DBMetadata) *Description
func ReadDescription added in v0.85.0
func ReadDescription(dbFilePath string) (*Description, error)
func (Description) String added in v0.85.0
func (m Description) String() string
type Fix added in v0.85.0
type Fix struct {
	// Version is the version number of the fix.
	Version string `json:"version,omitempty"`

	// State represents the status of the fix (e.g., "fixed", "unaffected").
	State FixStatus `json:"state"`

	// Detail provides additional fix information, such as commit details.
	Detail *FixDetail `json:"detail,omitempty"`
}
Fix conveys availability of a fix for a vulnerability.
type FixDetail added in v0.85.0
type FixDetail struct {
	// GitCommit is the identifier for the Git commit associated with the fix.
	GitCommit string `json:"git_commit,omitempty"`

	// Timestamp is the date and time when the fix was committed.
	Timestamp *time.Time `json:"timestamp,omitempty"`

	// References contains URLs or identifiers for additional resources on the fix.
	References []Reference `json:"references,omitempty"`
}
FixDetail is additional information about a fix, such as commit details and patch URLs.
type FixStatus added in v0.85.0
type FixStatus string
FixStatus conveys if the package is affected (or not) and the current availability (or not) of a fix
const (
	UnknownFixStatus FixStatus = ""

	// FixedStatus affirms the package is affected and a fix is available
	FixedStatus FixStatus = "fixed"

	// NotFixedStatus affirms the package is affected and a fix is not available
	NotFixedStatus FixStatus = "not-fixed"

	// WontFixStatus affirms the package is affected and a fix will not be provided
	WontFixStatus FixStatus = "wont-fix"

	// NotAffectedFixStatus affirms the package is not affected by the vulnerability
	NotAffectedFixStatus FixStatus = "not-affected"
)
func ParseFixStatus added in v0.85.0
type GetAffectedCPEOptions added in v0.85.0
type GetAffectedCPEOptions struct {
	PreloadCPE bool
	PreloadVulnerability bool
	PreloadBlob bool
	Vulnerabilities []VulnerabilitySpecifier
	Limit int
}
type GetAffectedPackageOptions added in v0.85.0
type GetAffectedPackageOptions struct {
	PreloadOS bool
	PreloadPackage bool
	PreloadPackageCPEs bool
	PreloadVulnerability bool
	PreloadBlob bool
	OSs OSSpecifiers
	Vulnerabilities VulnerabilitySpecifiers
	Limit int
}
type GetVulnerabilityOptions added in v0.85.0
func DefaultGetVulnerabilityOptions added in v0.85.0
func DefaultGetVulnerabilityOptions() *GetVulnerabilityOptions
type OSSpecifier added in v0.87.0
type OSSpecifier struct {
	// Name of the distro as identified by the ID field in /etc/os-release (or similar normalized name, e.g. "oracle" instead of "ol")
	Name string

	// MajorVersion is the first field in the VERSION_ID field in /etc/os-release (e.g. 7 in "7.0.1406")
	MajorVersion string

	// MinorVersion is the second field in the VERSION_ID field in /etc/os-release (e.g. 0 in "7.0.1406")
	MinorVersion string

	// LabelVersion is a string that represents a floating version (e.g. "edge" or "unstable") or is the CODENAME field in /etc/os-release (e.g. "wheezy" for debian 7)
	LabelVersion string

	// AllowMultiple specifies whether we intend to allow for multiple distro identities to be matched.
	AllowMultiple bool
}
OSSpecifier is a struct that represents a distro in a way that can be used to query the affected package store.
var AnyOSSpecified *OSSpecifier
func (*OSSpecifier) String added in v0.87.0
func (d *OSSpecifier) String() string
type OSSpecifiers added in v0.87.0
type OSSpecifiers []*OSSpecifier
func (OSSpecifiers) IsAny added in v0.87.0
func (d OSSpecifiers) IsAny() bool
func (OSSpecifiers) String added in v0.87.0
func (d OSSpecifiers) String() string
type OperatingSystem added in v0.85.0
type OperatingSystem struct {
	ID ID `gorm:"column:id;primaryKey"`

	// Name is the operating system family name (e.g. "debian")
	Name string `gorm:"column:name;index:os_idx,unique;index,collate:NOCASE"`

	ReleaseID string `gorm:"column:release_id;index:os_idx,unique;index,collate:NOCASE"`

	// MajorVersion is the major version of a specific release (e.g. "10" for debian 10)
	MajorVersion string `gorm:"column:major_version;index:os_idx,unique;index"`

	// MinorVersion is the minor version of a specific release (e.g. "1" for debian 10.1)
	MinorVersion string `gorm:"column:minor_version;index:os_idx,unique;index"`

	// LabelVersion is an optional non-codename string representation of the version (e.g. "unstable" or for debian:sid)
	LabelVersion string `gorm:"column:label_version;index:os_idx,unique;index,collate:NOCASE"`

	// Codename is the codename of a specific release (e.g. "buster" for debian 10)
	Codename string `gorm:"column:codename;index,collate:NOCASE"`
}
OperatingSystem represents a specific release of an operating system. The resolution of the version is relative to the data available from the vulnerability data provider, so although there may be major.minor.patch OS releases, there may only be data available at the major.minor level.
func (*OperatingSystem) BeforeCreate added in v0.85.0
func (os *OperatingSystem) BeforeCreate(tx *gorm.DB) (err error)
func (*OperatingSystem) Version added in v0.87.0
func (os *OperatingSystem) Version() string
func (*OperatingSystem) VersionNumber added in v0.87.0
func (os *OperatingSystem) VersionNumber() string
type OperatingSystemSpecifierOverride added in v0.87.0
type OperatingSystemSpecifierOverride struct {
	// Alias is an alternative name/ID for the operating system.
	Alias string `gorm:"column:alias;primaryKey;index:os_alias_idx,collate:NOCASE"`

	// Version is the matching version as found in the VERSION_ID field in the /etc/os-release file
	Version string `gorm:"column:version;primaryKey"`

	// VersionPattern is a regex pattern to match against the VERSION_ID field in the /etc/os-release file
	VersionPattern string `gorm:"column:version_pattern;primaryKey"`

	// Codename is the matching codename as found in the VERSION_CODENAME field in the /etc/os-release file
	Codename string `gorm:"column:codename"`

	ReplacementName *string `gorm:"column:replacement;primaryKey"`
	ReplacementMajorVersion *string `gorm:"column:replacement_major_version;primaryKey"`
	ReplacementMinorVersion *string `gorm:"column:replacement_minor_version;primaryKey"`
	ReplacementLabelVersion *string `gorm:"column:replacement_label_version;primaryKey"`
	Rolling bool `gorm:"column:rolling;primaryKey"`
}
OperatingSystemSpecifierOverride is a table that allows for overriding fields on v6.OSSpecifier instances when searching for specific OperatingSystems.
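As an added illustration (not code from the project this page documents), the following maps an /etc/os-release document onto the OSSpecifier fields described above and then applies override rows shaped like OperatingSystemSpecifierOverride. The OSSpecifier and Override types are local simplified mirrors, the sample os-release text and override rows are constructed, and the matching rule in applyOverrides is an assumption made for the example.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// Local mirrors of the documented OSSpecifier and OperatingSystemSpecifierOverride
// fields used here; they are not the package's own types.
type OSSpecifier struct{ Name, MajorVersion, MinorVersion, LabelVersion string }
type Override struct {
	Alias, VersionPattern, Codename          string
	ReplacementName, ReplacementMajorVersion *string
}

func ptr(s string) *string { return &s }

// parseOSRelease maps the ID, VERSION_ID and VERSION_CODENAME keys of an
// /etc/os-release document onto an OSSpecifier, as the field comments describe.
func parseOSRelease(content string) OSSpecifier {
	var spec OSSpecifier
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		key, value, ok := strings.Cut(strings.TrimSpace(sc.Text()), "=")
		if !ok || strings.HasPrefix(key, "#") {
			continue
		}
		value = strings.Trim(value, `"'`)
		switch key {
		case "ID":
			spec.Name = strings.ToLower(value)
		case "VERSION_ID": // first dotted field is the major version, second the minor
			parts := strings.SplitN(value, ".", 3)
			spec.MajorVersion = parts[0]
			if len(parts) > 1 {
				spec.MinorVersion = parts[1]
			}
		case "VERSION_CODENAME":
			spec.LabelVersion = strings.ToLower(value)
		}
	}
	return spec
}

// applyOverrides rewrites spec with the first override whose Alias equals spec.Name and whose
// VersionPattern (a regex over major.minor) or Codename matches; one that sets neither matches
// every version of that alias. This rule is an assumption made for the example, not a
// description of how the package consults its override table.
func applyOverrides(spec OSSpecifier, overrides []Override) (OSSpecifier, error) {
	version := strings.TrimSuffix(spec.MajorVersion+"."+spec.MinorVersion, ".")
	for _, o := range overrides {
		if !strings.EqualFold(o.Alias, spec.Name) {
			continue
		}
		matched := (o.VersionPattern == "" && o.Codename == "") ||
			(o.Codename != "" && strings.EqualFold(o.Codename, spec.LabelVersion))
		if o.VersionPattern != "" {
			re, err := regexp.Compile(o.VersionPattern)
			if err != nil {
				return spec, err
			}
			matched = matched || re.MatchString(version)
		}
		if matched {
			if o.ReplacementName != nil {
				spec.Name = *o.ReplacementName
			}
			if o.ReplacementMajorVersion != nil {
				spec.MajorVersion = *o.ReplacementMajorVersion
			}
			return spec, nil
		}
	}
	return spec, nil
}

// Constructed override rows: "ol" is reported as "oracle" (the normalization the OSSpecifier.Name
// comment mentions) and a codename-only Debian row supplies the major version when VERSION_ID is
// absent, as it is on Debian testing images. Constructed /etc/os-release samples follow.
var exampleOverrides = []Override{
	{Alias: "ol", ReplacementName: ptr("oracle")},
	{Alias: "debian", Codename: "wheezy", ReplacementMajorVersion: ptr("7")},
}
const oracleRelease, debianRelease = "ID=\"ol\"\nVERSION_ID=\"7.9\"\n", "ID=debian\nVERSION_CODENAME=wheezy\n"
```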
func KnownOperatingSystemSpecifierOverrides added in v0.87.0
func KnownOperatingSystemSpecifierOverrides() []OperatingSystemSpecifierOverride
TODO: in a future iteration these should be raised up more explicitly by the vunnel providers
func (*OperatingSystemSpecifierOverride) BeforeCreate added in v0.87.0
func (os *OperatingSystemSpecifierOverride) BeforeCreate(_ *gorm.DB) (err error)
type Package added in v0.85.0
type Package struct {
	ID ID `gorm:"column:id;primaryKey"`

	// Ecosystem is the tooling and language ecosystem that the package is released within
	Ecosystem string `gorm:"column:ecosystem;index:idx_package,unique,collate:NOCASE"`

	// Name is the name of the package within the ecosystem
	Name string `gorm:"column:name;index:idx_package,unique;index:idx_package_name,collate:NOCASE"`

	// CPEs is the list of Common Platform Enumeration (CPE) identifiers that represent this package
	CPEs []Cpe `gorm:"foreignKey:PackageID;constraint:OnDelete:CASCADE;"`
}
Package represents a package name within a known ecosystem, such as "python" or "golang".
type PackageSpecifier added in v0.86.0
type PackageSpecifier struct {
	Name string
	Ecosystem string
	CPE *cpe.Attributes
}
var AnyPackageSpecified *PackageSpecifier
func (*PackageSpecifier) String added in v0.86.0
func (p *PackageSpecifier) String() string
type PackageSpecifierOverride added in v0.87.0
type PackageSpecifierOverride struct {
	Ecosystem string `gorm:"column:ecosystem;primaryKey;index:pkg_ecosystem_idx,collate:NOCASE"`
	ReplacementEcosystem *string `gorm:"column:replacement_ecosystem;primaryKey"`
}
PackageSpecifierOverride is a table that allows for overriding fields on v6.PackageSpecifier instances when searching for specific Packages.
func KnownPackageSpecifierOverrides added in v0.87.0
func KnownPackageSpecifierOverrides() []PackageSpecifierOverride
type PackageSpecifiers added in v0.87.0
type PackageSpecifiers []*PackageSpecifier
func (PackageSpecifiers) String added in v0.87.0
func (p PackageSpecifiers) String() string
type Provider added in v0.85.0
type Provider struct {
	// Name of the Vunnel provider (or sub processor responsible for data records from a single specific source, e.g. "ubuntu")
	ID string `gorm:"column:id;primaryKey"`

	// Version of the Vunnel provider (or sub processor equivalent)
	Version string `gorm:"column:version"`

	// Processor is the name of the application that processed the data (e.g. "vunnel")
	Processor string `gorm:"column:processor"`

	// DateCaptured is the timestamp which the upstream data was pulled and processed
	DateCaptured *time.Time `gorm:"column:date_captured"`

	// InputDigest is a self describing hash (e.g. sha256:123... not 123...) of all data used by the provider to generate the vulnerability records
	InputDigest string `gorm:"column:input_digest"`
}
Provider is the upstream data processor (usually Vunnel) that is responsible for vulnerability records. Each provider should be scoped to a specific vulnerability dataset, for instance, the "ubuntu" provider for all records from Canonical's Ubuntu Security Notices (for all Ubuntu distro versions).
type ProviderStoreReader added in v0.85.0
type ReadWriter
func NewWriter
func NewWriter(cfg Config) (ReadWriter, error)
type Reader
type Reader interface {
	DBMetadataStoreReader
	ProviderStoreReader
	VulnerabilityStoreReader
	AffectedPackageStoreReader
	AffectedCPEStoreReader
}
type Reference added in v0.85.0
type Reference struct {
	// URL is the external resource
	URL string `json:"url"`

	// Tags is a free-form organizational field to convey additional information about the reference
	Tags []string `json:"tags,omitempty"`
}
Reference represents a single external URL and string tags to use for organizational purposes
type Severity added in v0.85.0
type Severity struct {
	// Scheme describes the quantitative method used to determine the Score, such as "CVSS_V3". Alternatively this makes
	// claim that Value is qualitative, for example "HML" (High, Medium, Low), CHMLN (critical-high-medium-low-negligible)
	Scheme SeverityScheme `json:"scheme"`

	// Value is the severity score (e.g. "7.5", "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", or "high" )
	Value any `json:"value"` // one of CVSSSeverity, HMLSeverity, CHMLNSeverity

	// Source is the name of the source of the severity score (e.g. "nvd@nist.gov" or "security-advisories@github.com")
	Source string `json:"source,omitempty"`

	// Rank is a free-form organizational field to convey priority over other severities
	Rank int `json:"rank"`
}
Severity represents a single string severity record for a vulnerability record
func (*Severity) UnmarshalJSON added in v0.85.0
UnmarshalJSON is a custom unmarshaller for the Severity struct.
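Added example, not the package's own implementation: a Severity unmarshaller that dispatches on Scheme so that Value becomes a CVSSSeverity for the CVSS scheme and a plain string for the qualitative schemes (the page's HMLSeverity and CHMLNSeverity are simplified to strings here), rejecting unknown schemes and CVSS scores outside the documented 0..10 range. The types, parseSeverityScheme and decodeSeverities are local mirrors and helpers assumed for the example, and sampleBlob is constructed with a placeholder id.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Local mirrors of the documented SeverityScheme, CVSSSeverity and Severity types;
// they are not the package's own code.
type SeverityScheme string
const (
	UnknownSeverityScheme SeverityScheme = ""
	SeveritySchemeCVSS    SeverityScheme = "CVSS"
	SeveritySchemeHML     SeverityScheme = "HML"
	SeveritySchemeCHML    SeverityScheme = "CHML"
	SeveritySchemeCHMLN   SeverityScheme = "CHMLN"
)

var knownSchemes = map[string]SeverityScheme{"CVSS": SeveritySchemeCVSS, "HML": SeveritySchemeHML,
	"CHML": SeveritySchemeCHML, "CHMLN": SeveritySchemeCHMLN}
// parseSeverityScheme is assumed here to match scheme names case-insensitively, yielding
// UnknownSeverityScheme ("") for anything else.
func parseSeverityScheme(s string) SeverityScheme { return knownSchemes[strings.ToUpper(strings.TrimSpace(s))] }

type CVSSSeverity struct {
	Vector  string  `json:"vector"`
	Version string  `json:"version,omitempty"`
	Score   float64 `json:"score"`
}

type Severity struct {
	Scheme SeverityScheme `json:"scheme"`
	Value  any            `json:"value"` // CVSSSeverity for CVSS, string for the qualitative schemes
	Source string         `json:"source,omitempty"`
	Rank   int            `json:"rank"`
}

// UnmarshalJSON decodes Value according to Scheme: a CVSS record becomes a CVSSSeverity (vector
// required, score checked against the documented 0..10 range), a qualitative scheme becomes a
// lower-cased string, and an unknown scheme is rejected rather than guessed at.
func (s *Severity) UnmarshalJSON(data []byte) error {
	var aux struct {
		Scheme string          `json:"scheme"`
		Value  json.RawMessage `json:"value"`
		Source string          `json:"source"`
		Rank   int             `json:"rank"`
	}
	if err := json.Unmarshal(data, &aux); err != nil {
		return err
	}
	s.Scheme, s.Source, s.Rank = parseSeverityScheme(aux.Scheme), aux.Source, aux.Rank
	switch s.Scheme {
	case SeveritySchemeCVSS:
		var c CVSSSeverity
		if err := json.Unmarshal(aux.Value, &c); err != nil {
			return fmt.Errorf("cvss value: %w", err)
		}
		if c.Vector == "" || c.Score < 0 || c.Score > 10 {
			return fmt.Errorf("cvss value: missing vector or score %v out of range", c.Score)
		}
		s.Value = c
	case SeveritySchemeHML, SeveritySchemeCHML, SeveritySchemeCHMLN:
		var v string
		if err := json.Unmarshal(aux.Value, &v); err != nil {
			return fmt.Errorf("%s value must be a string: %w", s.Scheme, err)
		}
		s.Value = strings.ToLower(v)
	default:
		return fmt.Errorf("unknown severity scheme %q", aux.Scheme)
	}
	return nil
}

// decodeSeverities parses the "severities" list of a VulnerabilityBlob-shaped document.
func decodeSeverities(doc []byte) ([]Severity, error) {
	var blob struct{ Severities []Severity `json:"severities"` }
	err := json.Unmarshal(doc, &blob)
	return blob.Severities, err
}

// Constructed sample in the VulnerabilityBlob JSON shape documented on this page (placeholder id).
const sampleBlob = `{"id":"example-0001","severities":[
 {"scheme":"CVSS","value":{"vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1","score":9.8},"source":"nvd@nist.gov","rank":1},
 {"scheme":"HML","value":"High","source":"security-advisories@github.com","rank":2}]}`
```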
type SeverityScheme added in v0.85.0
type SeverityScheme string
SeverityScheme represents how to interpret the string value for a vulnerability severity
const (
	UnknownSeverityScheme SeverityScheme = ""

	// SeveritySchemeCVSS is the Common Vulnerability Scoring System severity scheme
	SeveritySchemeCVSS SeverityScheme = "CVSS"

	// SeveritySchemeHML is a string severity scheme (High, Medium, Low)
	SeveritySchemeHML SeverityScheme = "HML"

	// SeveritySchemeCHML is a string severity scheme (Critical, High, Medium, Low)
	SeveritySchemeCHML SeverityScheme = "CHML"

	// SeveritySchemeCHMLN is a string severity scheme (Critical, High, Medium, Low, Negligible)
	SeveritySchemeCHMLN SeverityScheme = "CHMLN"
)
func ParseSeverityScheme added in v0.85.0
func ParseSeverityScheme(s string) SeverityScheme
type Status added in v0.85.0
type Status struct {
	SchemaVersion string `json:"schemaVersion"`
	Built Time `json:"built"`
	Path string `json:"path"`
	Checksum string `json:"checksum"`
	Err error `json:"error"`
}
func (Status) MarshalJSON added in v0.86.0
type Time added in v0.85.0
func (Time) MarshalJSON added in v0.85.0
func (*Time) UnmarshalJSON added in v0.85.0
type VulnerabilityAlias added in v0.86.0
type VulnerabilityAlias struct {
	// Name is the unique name for the vulnerability
	Name string `gorm:"column:name;primaryKey;index,collate:NOCASE"`

	// Alias is an alternative name for the vulnerability that must be upstream from the Name (e.g if name is "RHSA-1234" then the upstream could be "CVE-1234-5678", but not the other way around)
	Alias string `gorm:"column:alias;primaryKey;index,collate:NOCASE;not null"`
}
type VulnerabilityBlob added in v0.85.0
type VulnerabilityBlob struct {
	// ID is the lowercase unique string identifier for the vulnerability relative to the provider
	ID string `json:"id"`

	// Assigners is a list of names, email, or organizations who submitted the vulnerability
	Assigners []string `json:"assigner,omitempty"`

	// Description of the vulnerability as provided by the source
	Description string `json:"description,omitempty"`

	// References are URLs to external resources that provide more information about the vulnerability
	References []Reference `json:"refs,omitempty"`

	// Aliases is a list of IDs of the same vulnerability in other databases, in the form of the ID field. This allows one database to claim that its own entry describes the same vulnerability as one or more entries in other databases.
	Aliases []string `json:"aliases,omitempty"`

	// Severities is a list of severity indications (quantitative or qualitative) for the vulnerability
	Severities []Severity `json:"severities,omitempty"`
}
VulnerabilityBlob represents the core advisory record for a single known vulnerability from a specific provider.
type VulnerabilityHandle added in v0.85.0
type VulnerabilityHandle struct {
	ID ID `gorm:"column:id;primaryKey"`

	// Name is the unique name for the vulnerability (same as the decoded VulnerabilityBlob.ID)
	Name string `gorm:"column:name;not null;index,collate:NOCASE"`

	// Status conveys the actionability of the current record (one of "active", "analyzing", "rejected", "disputed")
	Status VulnerabilityStatus `gorm:"column:status;not null;index,collate:NOCASE"`

	// PublishedDate is the date the vulnerability record was first published
	PublishedDate *time.Time `gorm:"column:published_date;index"`

	// ModifiedDate is the date the vulnerability record was last modified
	ModifiedDate *time.Time `gorm:"column:modified_date;index"`

	// WithdrawnDate is the date the vulnerability record was withdrawn
	WithdrawnDate *time.Time `gorm:"column:withdrawn_date;index"`

	ProviderID string `gorm:"column:provider_id;not null;index"`
	Provider *Provider `gorm:"foreignKey:ProviderID"`
	BlobID ID `gorm:"column:blob_id;index,unique"`
	BlobValue *VulnerabilityBlob `gorm:"-"`
}
VulnerabilityHandle represents the pointer to the core advisory record for a single known vulnerability from a specific provider.
type VulnerabilitySpecifier added in v0.86.0
type VulnerabilitySpecifier struct {
	// Name of the vulnerability (e.g. CVE-2020-1234)
	Name string

	// ID is the DB ID of the vulnerability
	ID ID

	// Status is the status of the vulnerability (e.g. "active", "rejected", etc.)
	Status VulnerabilityStatus

	// PublishedAfter is a filter to only return vulnerabilities published after the given time
	PublishedAfter *time.Time

	// ModifiedAfter is a filter to only return vulnerabilities modified after the given time
	ModifiedAfter *time.Time

	// IncludeAliases for the given name or ID in results
	IncludeAliases bool

	// Providers
	Providers []string
}
func (*VulnerabilitySpecifier) String added in v0.86.0
func (v *VulnerabilitySpecifier) String() string
type VulnerabilitySpecifiers added in v0.87.0
type VulnerabilitySpecifiers []VulnerabilitySpecifier
func (VulnerabilitySpecifiers) String added in v0.87.0
func (s VulnerabilitySpecifiers) String() string
type VulnerabilityStatus added in v0.85.0
type VulnerabilityStatus string
VulnerabilityStatus is meant to convey the current point in the lifecycle for a vulnerability record. This is roughly based on CVE status, NVD status, and vendor-specific status values (see https://nvd.nist.gov/vuln/vulnerability-status)
const (
	UnknownVulnerabilityStatus VulnerabilityStatus = ""

	// VulnerabilityActive means that the information from the vulnerability record is actionable
	VulnerabilityActive VulnerabilityStatus = "active" // empty also means active

	// VulnerabilityAnalyzing means that the vulnerability record is being reviewed, it may or may not be actionable
	VulnerabilityAnalyzing VulnerabilityStatus = "analyzing"

	// VulnerabilityRejected means that data from the vulnerability record should not be acted upon
	VulnerabilityRejected VulnerabilityStatus = "rejected"

	// VulnerabilityDisputed means that the vulnerability record is in contention, it may or may not be actionable
	VulnerabilityDisputed VulnerabilityStatus = "disputed"
)
func ParseVulnerabilityStatus added in v0.85.0
func ParseVulnerabilityStatus(s string) VulnerabilityStatus
type VulnerabilityStoreReader added in v0.85.0
type VulnerabilityStoreReader interface {
GetVulnerabilities(vuln *VulnerabilitySpecifier, config *GetVulnerabilityOptions) ([]VulnerabilityHandle, error)
}
type VulnerabilityStoreWriter added in v0.85.0
type VulnerabilityStoreWriter interface {
AddVulnerabilities(vulns ...*VulnerabilityHandle) error
}
type Writer
type Writer interface {
	DBMetadataStoreWriter
	VulnerabilityStoreWriter
	AffectedPackageStoreWriter
	AffectedCPEStoreWriter
	io.Closer
}