Published: Jan 9, 2025 License: Apache-2.0 Imports: 3 Imported by: 208
// SeverityNames lists the upper-case string form of each Severity, in the
// same order as the Severity constants (SeverityUnknown = 0 through
// SeverityCritical = 4), so the index of a name equals its Severity value.
// Presumably this is what Severity.String and NewSeverity consult — confirm
// against their bodies.
var SeverityNames = []string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
// Statuses lists the lower-case string form of every Status, in the same
// order as the Status constants (StatusUnknown = 0 through StatusEndOfLife),
// so the index of an entry equals its Status value.
//
// VEX defines four statuses: not_affected, affected, fixed and
// under_investigation
// (cf. https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf).
// Red Hat additionally uses will_not_fix and fix_deferred
// (cf. https://access.redhat.com/blogs/product-security/posts/2066793).
// "unknown" and "end_of_life" are further values used by this package.
var Statuses = []string{
	"unknown", "not_affected", "affected", "fixed",
	"under_investigation", "will_not_fix", "fix_deferred", "end_of_life",
}

Functions

func CompareSeverityString

func CompareSeverityString(sev1, sev2 string) int

Types

type Advisories

// Advisories saves fixed versions for each arch/vendor ID; this is required,
// e.g., when a CVE has different fixed versions for different arches.
// FixedVersion is the older single-value form; Entries carries one Advisory
// per arch/vendor-ID combination.
type Advisories struct {
	FixedVersion string     `json:",omitempty"` // For backward compatibility
	Entries      []Advisory `json:",omitempty"`
	// Custom is basically for extensibility and is not supposed to be used in OSS.
	// It is untyped, so any reader must type-assert the value it finds here.
	Custom interface{} `json:",omitempty"` // For backward compatibility
}

Advisories saves fixed versions for each arch/vendor ID; this is required, e.g., when a CVE has different fixed versions for different arches.

type Advisory

// Advisory is one vulnerability advisory entry as stored in Trivy DB: the
// vulnerability/vendor IDs it covers, the arches it applies to, its fix
// status and severity, the affected/fixed version information, and the data
// source it was taken from.
type Advisory struct {
	VulnerabilityID string   `json:",omitempty"` // CVE-ID or vendor ID
	VendorIDs       []string `json:",omitempty"` // e.g. RHSA-ID and DSA-ID

	// Arches the advisory applies to. NOTE(review): an empty list presumably
	// means "all arches" — confirm against the consumers.
	Arches []string `json:",omitempty"`

	// It is filled only when FixedVersion is empty since it is obvious the state is "Fixed" when FixedVersion is not empty.
	// e.g. Will not fix and Affected
	//
	// The `json:"-"` tag hides Status from the default encoder; the custom
	// MarshalJSON on *Advisory writes it as an integer (IntStatus) instead to
	// keep the database small, and UnmarshalJSON presumably reverses that.
	Status Status `json:"-"`

	// Trivy DB has "vulnerability" bucket and severities are usually stored in the bucket per a vulnerability ID.
	// In some cases, the advisory may have multiple severities depending on the packages.
	// For example, CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3.
	// e.g. https://security-tracker.debian.org/tracker/CVE-2015-2328
	Severity Severity `json:",omitempty"`

	// Versions for os package
	FixedVersion    string `json:",omitempty"`
	AffectedVersion string `json:",omitempty"` // Only for Arch Linux

	// Version ranges for language-specific packages.
	// Some advisories provide VulnerableVersions only, others provide PatchedVersions and UnaffectedVersions.
	VulnerableVersions []string `json:",omitempty"`
	PatchedVersions    []string `json:",omitempty"`
	UnaffectedVersions []string `json:",omitempty"`

	// DataSource holds where the advisory comes from; nil when not recorded.
	DataSource *DataSource `json:",omitempty"`

	// Custom is basically for extensibility and is not supposed to be used in OSS.
	// It is untyped, so any reader must type-assert the value it finds here.
	Custom interface{} `json:",omitempty"`
}

func (*Advisory) MarshalJSON

func (a *Advisory) MarshalJSON() ([]byte, error)

MarshalJSON customizes how an Advisory is marshaled to JSON. It is used when saving the Advisory to the BoltDB database. To reduce the size of the database, the Status field is converted to an integer before being saved, while the status is normally exported as a string in JSON. This is done by creating an anonymous struct that has all the same fields as Advisory, but with the Status field replaced by an IntStatus field of type int.

func (*Advisory) UnmarshalJSON

func (a *Advisory) UnmarshalJSON(data []byte) error

type AdvisoryDetail

// AdvisoryDetail pairs an advisory item with the platform and package it
// applies to. AdvisoryItem is untyped; NOTE(review): callers must type-assert
// it — confirm which concrete types are stored there.
type AdvisoryDetail struct {
	PlatformName string
	PackageName  string
	AdvisoryItem interface{}
}

type CVSS

// CVSS holds the CVSS v2, v3 and v4.0 vector strings and base scores from a
// single source. Vectors are stored as plain strings and are not validated
// by this type. Because the score fields are `omitempty` float64s, a genuine
// score of 0.0 is omitted from JSON and is indistinguishable from "no score".
type CVSS struct {
	V2Vector  string  `json:"V2Vector,omitempty"`
	V3Vector  string  `json:"V3Vector,omitempty"`
	V40Vector string  `json:"V40Vector,omitempty"`
	V2Score   float64 `json:"V2Score,omitempty"`
	V3Score   float64 `json:"V3Score,omitempty"`
	V40Score  float64 `json:"V40Score,omitempty"`
}

type CVSSVector

// CVSSVector holds CVSS v2 and v3 vector strings only (no scores, no v4.0),
// using lower-case JSON keys, unlike CVSS.
type CVSSVector struct {
	V2 string `json:"v2,omitempty"`
	V3 string `json:"v3,omitempty"`
}

type DataSource

// DataSource identifies where advisory data came from: a SourceID plus a
// human-readable name and URL.
type DataSource struct {
	ID   SourceID `json:",omitempty"`
	Name string   `json:",omitempty"`
	URL  string   `json:",omitempty"`
}

type Ecosystem

// Ecosystem represents a language-specific ecosystem. It is a plain string
// type; the type itself does not constrain its values.
type Ecosystem string

Ecosystem represents a language-specific ecosystem.

type LastUpdated

// LastUpdated records when the data was last updated, as a single time.Time.
type LastUpdated struct {
	Date time.Time
}

type Severity

// Severity is a numeric severity level. Its values line up positionally with
// SeverityNames, so the constants below must stay in the same order as that
// slice. The zero value is SeverityUnknown.
type Severity int
// Severity levels, from unknown (0) to critical (4).
const (
	SeverityUnknown Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

func NewSeverity

func NewSeverity(severity string) (Severity, error)

func (Severity) String

func (s Severity) String() string

type SourceID

// SourceID represents a data source such as NVD. It is used as the key of
// VendorSeverity and VendorCVSS and as DataSource.ID.
type SourceID string

SourceID represents data source such as NVD.

type Status

// Status is the fix status of an Advisory. Its values line up positionally
// with Statuses, so the constants below must stay in the same order as that
// slice. The zero value is StatusUnknown.
type Status int
// Status values. The first five follow VEX (plus unknown); will_not_fix and
// fix_deferred are Red Hat specific.
const (
	StatusUnknown Status = iota
	StatusNotAffected
	StatusAffected
	StatusFixed
	StatusUnderInvestigation
	StatusWillNotFix // Red Hat specific
	StatusFixDeferred // Red Hat specific
	StatusEndOfLife
)

func NewStatus

func NewStatus(status string) Status

func (*Status) Index

func (s *Status) Index() int

func (Status) MarshalJSON

func (s Status) MarshalJSON() ([]byte, error)

func (*Status) String

func (s *Status) String() string

func (*Status) UnmarshalJSON

func (s *Status) UnmarshalJSON(data []byte) error

type VendorCVSS

// VendorCVSS maps each data source to the CVSS vectors and scores that
// source assigned to a vulnerability.
type VendorCVSS map[SourceID]CVSS

type VendorSeverity

// VendorSeverity maps each data source to the Severity that source assigned
// to a vulnerability.
type VendorSeverity map[SourceID]Severity

type Vulnerability

// Vulnerability is the aggregated record of a vulnerability across sources:
// title, description, CWE IDs, references, per-source severities and CVSS
// values, and the NVD publication dates.
type Vulnerability struct {
	Title       string `json:",omitempty"`
	Description string `json:",omitempty"`
	// Severity is a string here (selected from VendorSeverity, depending on a
	// scan target), unlike the typed Severity fields of VulnerabilityDetail.
	Severity         string         `json:",omitempty"` // Selected from VendorSeverity, depending on a scan target
	CweIDs           []string       `json:",omitempty"` // e.g. CWE-78, CWE-89
	VendorSeverity   VendorSeverity `json:",omitempty"`
	CVSS             VendorCVSS     `json:",omitempty"`
	References       []string       `json:",omitempty"`
	PublishedDate    *time.Time     `json:",omitempty"` // Take from NVD
	LastModifiedDate *time.Time     `json:",omitempty"` // Take from NVD

	// Custom is basically for extensibility and is not supposed to be used in OSS.
	// It is untyped, so any reader must type-assert the value it finds here.
	Custom interface{} `json:",omitempty"`
}

type VulnerabilityDetail

// VulnerabilityDetail is the detailed record of a single vulnerability: its
// ID, CVSS v2/v3/v4.0 scores and vectors as flat fields (unlike the CVSS
// struct), a Severity per CVSS version, CWE IDs, references, title and
// description, and the NVD dates. Because the Severity fields are
// `omitempty`, SeverityUnknown (0) is omitted from JSON.
type VulnerabilityDetail struct {
	ID               string     `json:",omitempty"` // e.g. CVE-2019-8331, OSVDB-104365
	CvssScore        float64    `json:",omitempty"`
	CvssVector       string     `json:",omitempty"`
	CvssScoreV3      float64    `json:",omitempty"`
	CvssVectorV3     string     `json:",omitempty"`
	CvssScoreV40     float64    `json:",omitempty"`
	CvssVectorV40    string     `json:",omitempty"`
	Severity         Severity   `json:",omitempty"`
	SeverityV3       Severity   `json:",omitempty"`
	SeverityV40      Severity   `json:",omitempty"`
	CweIDs           []string   `json:",omitempty"` // e.g. CWE-78, CWE-89
	References       []string   `json:",omitempty"`
	Title            string     `json:",omitempty"`
	Description      string     `json:",omitempty"`
	PublishedDate    *time.Time `json:",omitempty"` // Take from NVD
	LastModifiedDate *time.Time `json:",omitempty"` // Take from NVD
}
