types

package
v0.39.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 9, 2023 License: Apache-2.0 Imports: 8 Imported by: 138

Documentation

Index

Constants

View Source
const (
	ArtifactJSONSchemaVersion = 1
	BlobJSONSchemaVersion     = 2
)
View Source
const (
	// Programming language dependencies
	Bundler    = "bundler"
	GemSpec    = "gemspec"
	Cargo      = "cargo"
	Composer   = "composer"
	Npm        = "npm"
	NuGet      = "nuget"
	DotNetCore = "dotnet-core"
	Pip        = "pip"
	Pipenv     = "pipenv"
	Poetry     = "poetry"
	CondaPkg   = "conda-pkg"
	PythonPkg  = "python-pkg"
	NodePkg    = "node-pkg"
	Yarn       = "yarn"
	Pnpm       = "pnpm"
	Jar        = "jar"
	Pom        = "pom"
	Gradle     = "gradle"
	GoBinary   = "gobinary"
	GoModule   = "gomod"
	JavaScript = "javascript"
	RustBinary = "rustbinary"
	Conan      = "conan"
	Cocoapods  = "cocoapods"
	Pub        = "pub"
	Hex        = "hex"

	// Config files
	YAML           = "yaml"
	JSON           = "json"
	Dockerfile     = "dockerfile"
	Terraform      = "terraform"
	CloudFormation = "cloudformation"
	Kubernetes     = "kubernetes"
	Ansible        = "ansible"
	Helm           = "helm"
	Cloud          = "cloud"
	AzureARM       = "azure-arm"

	// Licensing
	License = "license"

	// Language-specific file names
	NuGetPkgsLock   = "packages.lock.json"
	NuGetPkgsConfig = "packages.config"

	GoMod = "go.mod"
	GoSum = "go.sum"

	MavenPom = "pom.xml"

	NpmPkg     = "package.json"
	NpmPkgLock = "package-lock.json"
	YarnLock   = "yarn.lock"
	PnpmLock   = "pnpm-lock.yaml"

	ComposerLock = "composer.lock"
	ComposerJson = "composer.json"

	PyProject       = "pyproject.toml"
	PipRequirements = "requirements.txt"
	PipfileLock     = "Pipfile.lock"
	PoetryLock      = "poetry.lock"

	GemfileLock = "Gemfile.lock"

	CargoLock = "Cargo.lock"
	CargoToml = "Cargo.toml"

	ConanLock = "conan.lock"

	CocoaPodsLock = "Podfile.lock"

	PubSpecLock = "pubspec.lock"

	MixLock = "mix.lock"
)
View Source
const (
	SystemFileFilteringPostHandler HandlerType = "system-file-filter"
	MisconfPostHandler             HandlerType = "misconf"
	UnpackagedPostHandler          HandlerType = "unpackaged"

	// SystemFileFilteringPostHandlerPriority should be higher than other handlers.
	// Otherwise, other handlers need to process unnecessary files.
	SystemFileFilteringPostHandlerPriority = 100

	MisconfPostHandlerPriority    = 50
	UnpackagedPostHandlerPriority = 50
)

Variables

View Source
var (
	InvalidURLPattern = xerrors.New("invalid url pattern")
	ErrNoRpmCmd       = xerrors.New("no rpm command")
)

Functions

This section is empty.

Types

type Application

type Application struct {
	// e.g. bundler and pipenv
	Type string

	// Lock files have the file path here, while each package metadata do not have
	FilePath string `json:",omitempty"`

	// Libraries is a list of lang-specific packages
	Libraries []Package
}

type ArtifactDetail

type ArtifactDetail struct {
	OS                OS                 `json:",omitempty"`
	Repository        *Repository        `json:",omitempty"`
	Packages          Packages           `json:",omitempty"`
	Applications      []Application      `json:",omitempty"`
	Misconfigurations []Misconfiguration `json:",omitempty"`
	Secrets           []Secret           `json:",omitempty"`
	Licenses          []LicenseFile      `json:",omitempty"`

	// ImageConfig has information from container image config
	ImageConfig ImageConfigDetail

	// CustomResources hold analysis results from custom analyzers.
	// It is for extensibility and not used in OSS.
	CustomResources []CustomResource `json:",omitempty"`
}

ArtifactDetail is generated by applying blobs

func (*ArtifactDetail) ToBlobInfo added in v0.32.0

func (a *ArtifactDetail) ToBlobInfo() BlobInfo

ToBlobInfo is used to store a merged layer in cache.

type ArtifactInfo

type ArtifactInfo struct {
	SchemaVersion int
	Architecture  string
	Created       time.Time
	DockerVersion string
	OS            string

	// Misconfiguration holds misconfiguration in container image config
	Misconfiguration *Misconfiguration `json:",omitempty"`

	// Secret holds secrets in container image config such as environment variables
	Secret *Secret `json:",omitempty"`

	// HistoryPackages are packages extracted from RUN instructions
	HistoryPackages Packages `json:",omitempty"`
}

ArtifactInfo is stored in cache

type ArtifactReference

type ArtifactReference struct {
	Name          string // image name, tar file name, directory or repository name
	Type          ArtifactType
	ID            string
	BlobIDs       []string
	ImageMetadata ImageMetadata

	// SBOM
	CycloneDX *CycloneDX
}

ArtifactReference represents a reference of container image, local filesystem and repository

type ArtifactType

type ArtifactType string

ArtifactType represents a type of artifact

const (
	ArtifactContainerImage   ArtifactType = "container_image"
	ArtifactFilesystem       ArtifactType = "filesystem"
	ArtifactRemoteRepository ArtifactType = "repository"
	ArtifactCycloneDX        ArtifactType = "cyclonedx"
	ArtifactSPDX             ArtifactType = "spdx"
	ArtifactAWSAccount       ArtifactType = "aws_account"
	ArtifactVM               ArtifactType = "vm"
)

type BlobInfo

type BlobInfo struct {
	SchemaVersion int

	// Layer information
	Digest        string   `json:",omitempty"`
	DiffID        string   `json:",omitempty"`
	CreatedBy     string   `json:",omitempty"`
	OpaqueDirs    []string `json:",omitempty"`
	WhiteoutFiles []string `json:",omitempty"`

	// Analysis result
	OS                OS                 `json:",omitempty"`
	Repository        *Repository        `json:",omitempty"`
	PackageInfos      []PackageInfo      `json:",omitempty"`
	Applications      []Application      `json:",omitempty"`
	Misconfigurations []Misconfiguration `json:",omitempty"`
	Secrets           []Secret           `json:",omitempty"`
	Licenses          []LicenseFile      `json:",omitempty"`

	// Red Hat distributions have build info per layer.
	// This information will be embedded into packages when applying layers.
	// ref. https://redhat-connect.gitbook.io/partner-guide-for-adopting-red-hat-oval-v2/determining-common-platform-enumeration-cpe
	BuildInfo *BuildInfo `json:",omitempty"`

	// CustomResources hold analysis results from custom analyzers.
	// It is for extensibility and not used in OSS.
	CustomResources []CustomResource `json:",omitempty"`
}

BlobInfo is stored in cache

type BuildInfo

type BuildInfo struct {
	ContentSets []string `json:",omitempty"`
	Nvr         string   `json:",omitempty"`
	Arch        string   `json:",omitempty"`
}

BuildInfo represents information under /root/buildinfo in RHEL

type CauseMetadata

type CauseMetadata struct {
	Resource  string `json:",omitempty"`
	Provider  string `json:",omitempty"`
	Service   string `json:",omitempty"`
	StartLine int    `json:",omitempty"`
	EndLine   int    `json:",omitempty"`
	Code      Code   `json:",omitempty"`
}

type Code

type Code struct {
	Lines []Line
}

type Component added in v0.30.0

type Component struct {
	BOMRef     string        `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
	MIMEType   string        `json:"mime-type,omitempty" xml:"mime-type,attr,omitempty"`
	Type       ComponentType `json:"type" xml:"type,attr"`
	Name       string        `json:"name" xml:"name"`
	Version    string        `json:"version,omitempty" xml:"version,omitempty"`
	PackageURL string        `json:"purl,omitempty" xml:"purl,omitempty"`
}

type ComponentType added in v0.30.0

type ComponentType string

type Credential added in v0.38.0

type Credential struct {
	Username string
	Password string
}

type CustomResource

type CustomResource struct {
	Type     string
	FilePath string
	Layer    Layer
	Data     interface{}
}

CustomResource holds the analysis result from a custom analyzer. It is for extensibility and not used in OSS.

type CycloneDX added in v0.30.0

type CycloneDX struct {
	// JSON specific fields
	BOMFormat   string      `json:"bomFormat" xml:"-"`
	SpecVersion SpecVersion `json:"specVersion" xml:"-"`

	SerialNumber string      `json:"serialNumber,omitempty" xml:"serialNumber,attr,omitempty"`
	Version      int         `json:"version" xml:"version,attr"`
	Metadata     Metadata    `json:"metadata,omitempty" xml:"metadata,omitempty"`
	Components   []Component `json:"components,omitempty" xml:"components>component,omitempty"`
}

CycloneDX re-defines only necessary fields from cyclondx/cyclonedx-go cf. https://github.com/CycloneDX/cyclonedx-go/blob/de6bc07025d148badc8f6699ccb556744a5f4070/cyclonedx.go#L58-L77

The encoding/xml package that cyclondx-go depends on cannot be imported due to some limitations in TinyGo. cf. https://tinygo.org/docs/reference/lang-support/stdlib/

type File

type File struct {
	Type    string
	Path    string
	Content []byte
}

type HandlerType

type HandlerType string

type Image

type Image interface {
	v1.Image
	ImageExtension
}

type ImageConfigDetail added in v0.37.0

type ImageConfigDetail struct {
	// Packages are packages extracted from RUN instructions in history
	Packages []Package `json:",omitempty"`

	// Misconfiguration holds misconfigurations in container image config
	Misconfiguration *Misconfiguration `json:",omitempty"`

	// Secret holds secrets in container image config
	Secret *Secret `json:",omitempty"`
}

ImageConfigDetail has information from container image config

type ImageExtension

type ImageExtension interface {
	Name() string
	ID() (string, error)
	RepoTags() []string
	RepoDigests() []string
}

type ImageMetadata

type ImageMetadata struct {
	ID          string   // image ID
	DiffIDs     []string // uncompressed layer IDs
	RepoTags    []string
	RepoDigests []string
	ConfigFile  v1.ConfigFile
}

type Layer

type Layer struct {
	Digest    string `json:",omitempty"`
	DiffID    string `json:",omitempty"`
	CreatedBy string `json:",omitempty"`
}

type LicenseCategory added in v0.30.0

type LicenseCategory string
const (
	CategoryForbidden    LicenseCategory = "forbidden"
	CategoryRestricted   LicenseCategory = "restricted"
	CategoryReciprocal   LicenseCategory = "reciprocal"
	CategoryNotice       LicenseCategory = "notice"
	CategoryPermissive   LicenseCategory = "permissive"
	CategoryUnencumbered LicenseCategory = "unencumbered"
	CategoryUnknown      LicenseCategory = "unknown"
)

type LicenseFile added in v0.30.0

type LicenseFile struct {
	Type     LicenseType
	FilePath string
	PkgName  string
	Findings LicenseFindings
	Layer    Layer `json:",omitempty"`
}

type LicenseFinding added in v0.30.0

type LicenseFinding struct {
	Category   LicenseCategory // such as "forbidden"
	Name       string
	Confidence float64
	Link       string
}

type LicenseFindings added in v0.36.0

type LicenseFindings []LicenseFinding

func (LicenseFindings) Len added in v0.36.0

func (findings LicenseFindings) Len() int

func (LicenseFindings) Less added in v0.36.0

func (findings LicenseFindings) Less(i, j int) bool

func (LicenseFindings) Swap added in v0.36.0

func (findings LicenseFindings) Swap(i, j int)

type LicenseType added in v0.30.0

type LicenseType string
const (
	LicenseTypeDpkg   LicenseType = "dpkg"         // From /usr/share/doc/*/copyright
	LicenseTypeHeader LicenseType = "header"       // From file headers
	LicenseTypeFile   LicenseType = "license-file" // From LICENSE, COPYRIGHT, etc.
)

type Line

type Line struct {
	Number      int    `json:"Number"`
	Content     string `json:"Content"`
	IsCause     bool   `json:"IsCause"`
	Annotation  string `json:"Annotation"`
	Truncated   bool   `json:"Truncated"`
	Highlighted string `json:"Highlighted,omitempty"`
	FirstCause  bool   `json:"FirstCause"`
	LastCause   bool   `json:"LastCause"`
}

type Location added in v0.33.0

type Location struct {
	StartLine int `json:",omitempty"`
	EndLine   int `json:",omitempty"`
}

type Metadata added in v0.30.0

type Metadata struct {
	Timestamp string    `json:"timestamp,omitempty" xml:"timestamp,omitempty"`
	Component Component `json:"component,omitempty" xml:"component,omitempty"`
}

type MisconfResult

type MisconfResult struct {
	Namespace      string `json:",omitempty"`
	Query          string `json:",omitempty"`
	Message        string `json:",omitempty"`
	PolicyMetadata `json:",omitempty"`
	CauseMetadata  `json:",omitempty"`

	// For debugging
	Traces []string `json:",omitempty"`
}

type MisconfResults

type MisconfResults []MisconfResult

func (MisconfResults) Len

func (r MisconfResults) Len() int

func (MisconfResults) Less

func (r MisconfResults) Less(i, j int) bool

func (MisconfResults) Swap

func (r MisconfResults) Swap(i, j int)

type Misconfiguration

type Misconfiguration struct {
	FileType   string         `json:",omitempty"`
	FilePath   string         `json:",omitempty"`
	Successes  MisconfResults `json:",omitempty"`
	Warnings   MisconfResults `json:",omitempty"`
	Failures   MisconfResults `json:",omitempty"`
	Exceptions MisconfResults `json:",omitempty"`
	Layer      Layer          `json:",omitempty"`
}

func ToMisconfigurations

func ToMisconfigurations(misconfs map[string]Misconfiguration) []Misconfiguration

type OS

type OS struct {
	Family string
	Name   string
	Eosl   bool `json:"EOSL,omitempty"`

	// This field is used for enhanced security maintenance programs such as Ubuntu ESM, Debian Extended LTS.
	Extended bool `json:"extended,omitempty"`
}

func (*OS) Detected added in v0.36.0

func (o *OS) Detected() bool

func (*OS) Merge added in v0.36.0

func (o *OS) Merge(new OS)

Merge merges OS version and enhanced security maintenance programs

type Package

type Package struct {
	ID         string   `json:",omitempty"`
	Name       string   `json:",omitempty"`
	Version    string   `json:",omitempty"`
	Release    string   `json:",omitempty"`
	Epoch      int      `json:",omitempty"`
	Arch       string   `json:",omitempty"`
	SrcName    string   `json:",omitempty"`
	SrcVersion string   `json:",omitempty"`
	SrcRelease string   `json:",omitempty"`
	SrcEpoch   int      `json:",omitempty"`
	Licenses   []string `json:",omitempty"`
	Maintainer string   `json:",omitempty"`

	Modularitylabel string     `json:",omitempty"` // only for Red Hat based distributions
	BuildInfo       *BuildInfo `json:",omitempty"` // only for Red Hat

	Ref      string `json:",omitempty"` // identifier which can be used to reference the component elsewhere
	Indirect bool   `json:",omitempty"` // this package is direct dependency of the project or not

	// Dependencies of this package
	// Note: it may have interdependencies, which may lead to infinite loops.
	DependsOn []string `json:",omitempty"`

	Layer Layer `json:",omitempty"`

	// Each package metadata have the file path, while the package from lock files does not have.
	FilePath string `json:",omitempty"`

	// This is required when using SPDX formats. Otherwise, it will be empty.
	Digest digest.Digest `json:",omitempty"`

	// lines from the lock file where the dependency is written
	Locations []Location `json:",omitempty"`
}

func (*Package) Empty

func (pkg *Package) Empty() bool

type PackageInfo

type PackageInfo struct {
	FilePath string
	Packages Packages
}

type Packages added in v0.36.0

type Packages []Package

func (Packages) Len added in v0.36.0

func (pkgs Packages) Len() int

func (Packages) Less added in v0.36.0

func (pkgs Packages) Less(i, j int) bool

func (Packages) ParentDeps added in v0.39.0

func (pkgs Packages) ParentDeps() map[string]Packages

ParentDeps returns a map where the keys are package IDs and the values are the packages that depend on the respective package ID (parent dependencies).

func (Packages) Swap added in v0.36.0

func (pkgs Packages) Swap(i, j int)

type PolicyInputOption

type PolicyInputOption struct {
	Combine   bool                  `mapstructure:"combine"`
	Selectors []PolicyInputSelector `mapstructure:"selector"`
}

type PolicyInputSelector

type PolicyInputSelector struct {
	Type string `mapstructure:"type"`
}

type PolicyMetadata

type PolicyMetadata struct {
	ID                 string   `json:",omitempty"`
	AVDID              string   `json:",omitempty"`
	Type               string   `json:",omitempty"`
	Title              string   `json:",omitempty"`
	Description        string   `json:",omitempty"`
	Severity           string   `json:",omitempty"`
	RecommendedActions string   `json:",omitempty" mapstructure:"recommended_actions"`
	References         []string `json:",omitempty"`
}

type RemoteOptions added in v0.39.0

type RemoteOptions struct {
	// Auth for registries
	Credentials []Credential

	// RegistryToken is a bearer token to be sent to a registry
	RegistryToken string

	// SSL/TLS
	Insecure bool

	// Architecture
	Platform string

	// ECR
	AWSAccessKey    string
	AWSSecretKey    string
	AWSSessionToken string
	AWSRegion       string

	// GCP
	GCPCredPath string
}

type Repository

type Repository struct {
	Family  string `json:",omitempty"`
	Release string `json:",omitempty"`
}

type Secret

type Secret struct {
	FilePath string
	Findings []SecretFinding
}

type SecretFinding

type SecretFinding struct {
	RuleID    string
	Category  SecretRuleCategory
	Severity  string
	Title     string
	StartLine int
	EndLine   int
	Code      Code
	Match     string
	Layer     Layer `json:",omitempty"`
}

type SecretRuleCategory

type SecretRuleCategory string

type SpecVersion added in v0.36.1

type SpecVersion int

type SrcPackage

type SrcPackage struct {
	Name        string   `json:"name"`
	Version     string   `json:"version"`
	BinaryNames []string `json:"binaryNames"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL