Documentation ¶
Index ¶
- Constants
- Variables
- func CheckForLocalExtends(extends map[string]string) bool
- func CheckForRemoteExtends(extends map[string]string) bool
- func GetAPIServersRule() *model.Rule
- func GetAllBuiltInRules() map[string]*model.Rule
- func GetAllOWASPRules() map[string]*model.Rule
- func GetComponentDescriptionsRule() *model.Rule
- func GetContactPropertiesRule() *model.Rule
- func GetDescriptionDuplicationRule() *model.Rule
- func GetDuplicatedEntryInEnumRule() *model.Rule
- func GetGlobalOperationTagsRule() *model.Rule
- func GetInfoContactRule() *model.Rule
- func GetInfoDescriptionRule() *model.Rule
- func GetInfoLicenseRule() *model.Rule
- func GetInfoLicenseUrlRule() *model.Rule
- func GetNoEvalInMarkdownRule() *model.Rule
- func GetNoRefSiblingsRule() *model.Rule
- func GetNoScriptTagsInMarkdownRule() *model.Rule
- func GetNoVerbsInPathRule() *model.Rule
- func GetOAS2APIHostRule() *model.Rule
- func GetOAS2APISchemesRule() *model.Rule
- func GetOAS2DiscriminatorRule() *model.Rule
- func GetOAS2FormDataConsumesRule() *model.Rule
- func GetOAS2HostNotExampleRule() *model.Rule
- func GetOAS2HostTrailingSlashRule() *model.Rule
- func GetOAS2ParameterDescriptionRule() *model.Rule
- func GetOAS2PolymorphicAnyOfRule() *model.Rule
- func GetOAS2PolymorphicOneOfRule() *model.Rule
- func GetOAS2SchemaRule() *model.Rule
- func GetOAS2SecurityDefinedRule() *model.Rule
- func GetOAS2UnusedComponentRule() *model.Rule
- func GetOAS3ExamplesExternalCheck() *model.Rule
- func GetOAS3ExamplesMissingRule() *model.Rule
- func GetOAS3ExamplesRule() *model.Rule
- func GetOAS3HostNotExampleRule() *model.Rule
- func GetOAS3HostTrailingSlashRule() *model.Rule
- func GetOAS3ParameterDescriptionRule() *model.Rule
- func GetOAS3SchemaRule() *model.Rule
- func GetOAS3SecurityDefinedRule() *model.Rule
- func GetOAS3UnusedComponentRule() *model.Rule
- func GetOWASPArrayLimitRule() *model.Rule
- func GetOWASPAuthInsecureSchemesRule() *model.Rule
- func GetOWASPConstrainedAdditionalPropertiesRule() *model.Rule
- func GetOWASPDefineErrorResponses401Rule() *model.Rule
- func GetOWASPDefineErrorResponses429Rule() *model.Rule
- func GetOWASPDefineErrorResponses500Rule() *model.Rule
- func GetOWASPDefineErrorValidationRule() *model.Rule
- func GetOWASPIntegerFormatRule() *model.Rule
- func GetOWASPIntegerLimitRule() *model.Rule
- func GetOWASPJWTBestPracticesRule() *model.Rule
- func GetOWASPNoAPIKeysInURLRule() *model.Rule
- func GetOWASPNoAdditionalPropertiesRule() *model.Rule
- func GetOWASPNoCredentialsInURLRule() *model.Rule
- func GetOWASPNoHttpBasicRule() *model.Rule
- func GetOWASPNoNumericIDsRule() *model.Rule
- func GetOWASPProtectionGlobalSafeRule() *model.Rule
- func GetOWASPProtectionGlobalUnsafeRule() *model.Rule
- func GetOWASPProtectionGlobalUnsafeStrictRule() *model.Rule
- func GetOWASPRateLimitRetryAfterRule() *model.Rule
- func GetOWASPRateLimitRule() *model.Rule
- func GetOWASPSecurityHostsHttpsOAS3Rule() *model.Rule
- func GetOWASPStringLimitRule() *model.Rule
- func GetOWASPStringRestrictedRule() *model.Rule
- func GetOpenApiTagsAlphabeticalRule() *model.Rule
- func GetOpenApiTagsRule() *model.Rule
- func GetOperationDescriptionRule() *model.Rule
- func GetOperationErrorResponseRule() *model.Rule
- func GetOperationIdRule() *model.Rule
- func GetOperationIdUniqueRule() *model.Rule
- func GetOperationIdValidInUrlRule() *model.Rule
- func GetOperationParametersRule() *model.Rule
- func GetOperationSingleTagRule() *model.Rule
- func GetOperationSuccessResponseRule() *model.Rule
- func GetOperationTagsRule() *model.Rule
- func GetPathDeclarationsMustExistRule() *model.Rule
- func GetPathNoTrailingSlashRule() *model.Rule
- func GetPathNotIncludeQueryRule() *model.Rule
- func GetPathParamsRule() *model.Rule
- func GetPathsKebabCaseRule() *model.Rule
- func GetPostSuccessResponseRule() *model.Rule
- func GetRecommendedOWASPRules() map[string]*model.Rule
- func GetSchemaTypeCheckRule() *model.Rule
- func GetTagDescriptionRequiredRule() *model.Rule
- func GetTypedEnumRule() *model.Rule
- func NoAmbiguousPaths() *model.Rule
- func SniffOutAllExternalRules(ctx context.Context, rsm *ruleSetsModel, location string, visited []string, ...)
- type RuleSet
- func CreateRuleSetFromData(data []byte) (*RuleSet, error)
- func CreateRuleSetFromRuleMap(rules map[string]*model.Rule) *RuleSet
- func CreateRuleSetUsingJSON(jsonData []byte) (*RuleSet, error)
- func DownloadRemoteRuleSet(_ context.Context, location string) (*RuleSet, error)
- func GenerateDefaultOpenAPIRuleSet() *RuleSet
- func GenerateOWASPOpenAPIRuleSet() *RuleSet
- func LoadLocalRuleSet(_ context.Context, location string) (*RuleSet, error)
- type RuleSets
Constants ¶
const (
	// Style and Validation appear to be rule categories; presumably used when
	// classifying rules — confirm against the rule constructors.
	Style      = "style"
	Validation = "validation"

	// Rule identifiers. Each string is the name a rule is registered under;
	// the constant names line up with the Get*Rule constructors in this package.
	NoVerbsInPath                  = "no-http-verbs-in-path"
	PathsKebabCase                 = "paths-kebab-case"
	NoAmbiguousPathsRule           = "no-ambiguous-paths"
	OperationErrorResponse         = "operation-4xx-response"
	OperationSuccessResponse       = "operation-success-response"
	OperationOperationIdUnique     = "operation-operationId-unique"
	OperationOperationId           = "operation-operationId"
	OperationParameters            = "operation-parameters"
	OperationSingularTag           = "operation-singular-tag"
	OperationTagDefined            = "operation-tag-defined"
	PathParamsRule                 = "path-params"
	ContactProperties              = "contact-properties"
	InfoContact                    = "info-contact"
	InfoDescription                = "info-description"
	InfoLicense                    = "info-license"
	LicenseUrl                     = "license-url"
	OpenAPITagsAlphabetical        = "openapi-tags-alphabetical"
	OpenAPITags                    = "openapi-tags"
	OperationTags                  = "operation-tags"
	OperationDescription           = "operation-description"
	ComponentDescription           = "component-description"
	OperationOperationIdValidInUrl = "operation-operationId-valid-in-url"
	PathDeclarationsMustExist      = "path-declarations-must-exist"
	PathKeysNoTrailingSlash        = "path-keys-no-trailing-slash"
	PathNotIncludeQuery            = "path-not-include-query"
	TagDescription                 = "tag-description"
	NoRefSiblings                  = "no-$ref-siblings"

	// OpenAPI 2 (swagger) and OpenAPI 3 specific rules.
	Oas3UnusedComponent          = "oas3-unused-component"
	Oas2UnusedDefinition         = "oas2-unused-definition"
	Oas2APIHost                  = "oas2-api-host"
	Oas2APISchemes               = "oas2-api-schemes"
	Oas2Discriminator            = "oas2-discriminator"
	Oas2HostNotExample           = "oas2-host-not-example"
	Oas3HostNotExample           = "oas3-host-not-example"
	Oas2HostTrailingSlash        = "oas2-host-trailing-slash"
	Oas3HostTrailingSlash        = "oas3-server-trailing-slash"
	Oas2ParameterDescription     = "oas2-parameter-description"
	Oas3ParameterDescription     = "oas3-parameter-description"
	Oas3OperationSecurityDefined = "oas3-operation-security-defined"
	Oas2OperationSecurityDefined = "oas2-operation-security-defined"
	Oas3ValidSchemaExample       = "oas3-valid-schema-example"
	Oas3ExampleMissingCheck      = "oas3-missing-example"
	Oas3ExampleExternalCheck     = "oas3-example-external-check"
	TypedEnum                    = "typed-enum"
	DuplicatedEntryInEnum        = "duplicated-entry-in-enum"

	// Markdown content checks (descriptions/titles).
	NoEvalInMarkdown       = "no-eval-in-markdown"
	NoScriptTagsInMarkdown = "no-script-tags-in-markdown"
	DescriptionDuplication = "description-duplication"

	Oas3APIServers                    = "oas3-api-servers"
	Oas2OperationFormDataConsumeCheck = "oas2-operation-formData-consume-check"
	Oas2AnyOf                         = "oas2-anyOf"
	Oas2OneOf                         = "oas2-oneOf"
	Oas2Schema                        = "oas2-schema"
	Oas3Schema                        = "oas3-schema"
	OasSchemaCheck                    = "oas-schema-check"

	// OWASP API security rules (see GetAllOWASPRules / GetRecommendedOWASPRules).
	OwaspNoNumericIDs                    = "owasp-no-numeric-ids"
	OwaspNoHttpBasic                     = "owasp-no-http-basic"
	OwaspNoAPIKeysInURL                  = "owasp-no-api-keys-in-url"
	OwaspNoCredentialsInURL              = "owasp-no-credentials-in-url"
	OwaspAuthInsecureSchemes             = "owasp-auth-insecure-schemes"
	OwaspJWTBestPractices                = "owasp-jwt-best-practices"
	OwaspProtectionGlobalUnsafe          = "owasp-protection-global-unsafe"
	OwaspProtectionGlobalUnsafeStrict    = "owasp-protection-global-unsafe-strict"
	OwaspProtectionGlobalSafe            = "owasp-protection-global-safe"
	OwaspDefineErrorValidation           = "owasp-define-error-validation"
	OwaspDefineErrorResponses401         = "owasp-define-error-responses-401"
	OwaspDefineErrorResponses500         = "owasp-define-error-responses-500"
	OwaspRateLimit                       = "owasp-rate-limit"
	OwaspRateLimitRetryAfter             = "owasp-rate-limit-retry-after"
	OwaspDefineErrorResponses429         = "owasp-define-error-responses-429"
	OwaspArrayLimit                      = "owasp-array-limit"
	OwaspStringLimit                     = "owasp-string-limit"
	OwaspStringRestricted                = "owasp-string-restricted"
	OwaspIntegerLimit                    = "owasp-integer-limit"
	OwaspIntegerFormat                   = "owasp-integer-format"
	OwaspNoAdditionalProperties          = "owasp-no-additionalProperties"
	OwaspConstrainedAdditionalProperties = "owasp-constrained-additionalProperties"
	OwaspSecurityHostsHttpsOAS3          = "owasp-security-hosts-https-oas3"

	PostResponseSuccess = "post-response-success"

	// Named rulesets and selectors; presumably the values accepted in a
	// ruleset's 'extends' (see RuleSet.Extends) — confirm against the loader.
	SpectralOpenAPI     = "spectral:oas"
	SpectralOwasp       = "spectral:owasp"
	VacuumOwasp         = "vacuum:owasp"
	SpectralRecommended = "recommended"
	SpectralAll         = "all"
	SpectralOff         = "off"
)
Variables ¶
var RuleSchema string
var RulesetSchema string
Functions ¶
func CheckForLocalExtends ¶ added in v0.6.0
CheckForLocalExtends checks if the extends map contains a local link. It returns true if it does, false if it does not.
func CheckForRemoteExtends ¶ added in v0.6.0
CheckForRemoteExtends checks if the extends map contains a remote link. It returns true if it does, false if it does not.
func GetAPIServersRule ¶
GetAPIServersRule checks to make sure there is a valid 'servers' definition in the document.
func GetAllBuiltInRules ¶ added in v0.1.0
GetAllBuiltInRules returns a map of all the built-in rules available, ready to be used in a RuleSet.
func GetAllOWASPRules ¶ added in v0.2.0
GetAllOWASPRules returns a map of all the OWASP rules available, ready to be used in a RuleSet.
func GetComponentDescriptionsRule ¶
GetComponentDescriptionsRule will check all components for description problems.
func GetContactPropertiesRule ¶
GetContactPropertiesRule will return a rule configured to look at the contact properties of a spec. It uses the in-built 'truthy' function.
func GetDescriptionDuplicationRule ¶
GetDescriptionDuplicationRule will check if any descriptions have been copy/pasted or duplicated. all descriptions should be unique, otherwise what is the point?
func GetDuplicatedEntryInEnumRule ¶
GetDuplicatedEntryInEnumRule will check that enums used are not duplicates
func GetGlobalOperationTagsRule ¶
GetGlobalOperationTagsRule will check that an operation tag exists in top level tags This rule was dropped to a warning from an error after discussion here:
func GetInfoContactRule ¶
GetInfoContactRule will return a rule that uses the truthy function to check if the info object contains a contact object.
func GetInfoDescriptionRule ¶
GetInfoDescriptionRule will return a rule that uses the truthy function to check if the info object contains a description.
func GetInfoLicenseRule ¶
GetInfoLicenseRule will return a rule that uses the truthy function to check if the info object contains a license
func GetInfoLicenseUrlRule ¶
GetInfoLicenseUrlRule will return a rule that uses the truthy function to check if the info object contains a license with a URL that is set.
func GetNoEvalInMarkdownRule ¶
GetNoEvalInMarkdownRule will return a rule that uses the pattern function to check that no eval statements are used in markdown descriptions.
func GetNoRefSiblingsRule ¶
GetNoRefSiblingsRule will check that there are no sibling nodes next to a $ref (which is technically invalid)
func GetNoScriptTagsInMarkdownRule ¶
GetNoScriptTagsInMarkdownRule will return a rule that uses the pattern function to check that no script tags are used in descriptions or the title.
func GetNoVerbsInPathRule ¶ added in v0.0.13
GetNoVerbsInPathRule will check all paths to make sure no HTTP verbs have been used as a segment.
func GetOAS2APIHostRule ¶
GetOAS2APIHostRule will check swagger specs for the host property being set.
func GetOAS2APISchemesRule ¶
GetOAS2APISchemesRule uses the schema function to check if swagger has schemes and that it's an array with at least one item.
func GetOAS2DiscriminatorRule ¶
GetOAS2DiscriminatorRule will check swagger schemas to ensure they are using discriminations correctly.
func GetOAS2FormDataConsumesRule ¶
GetOAS2FormDataConsumesRule will check that "application/x-www-form-urlencoded" or "multipart/form-data" is defined in the 'consumes' node for any parameters that use 'in: formData'.
func GetOAS2HostNotExampleRule ¶
GetOAS2HostNotExampleRule checks to make sure that example.com is not being used as a host. TODO: how common is this? should we keep it? change it?
func GetOAS2HostTrailingSlashRule ¶
GetOAS2HostTrailingSlashRule checks to make sure there is no trailing slash on the host
func GetOAS2ParameterDescriptionRule ¶
GetOAS2ParameterDescriptionRule will check specs to make sure parameters have a description.
func GetOAS2PolymorphicAnyOfRule ¶
GetOAS2PolymorphicAnyOfRule will check that 'anyOf' has not been used in a swagger spec (introduced in 3.0)
func GetOAS2PolymorphicOneOfRule ¶
GetOAS2PolymorphicOneOfRule will check that 'oneOf' has not been used in a swagger spec (introduced in 3.0)
func GetOAS2SchemaRule ¶
GetOAS2SchemaRule will check that the schema is valid for swagger docs.
func GetOAS2SecurityDefinedRule ¶
GetOAS2SecurityDefinedRule will check that security definitions exist and validate for OpenAPI 2
func GetOAS2UnusedComponentRule ¶
GetOAS2UnusedComponentRule will check that there aren't any components anywhere that haven't been used.
func GetOAS3ExamplesExternalCheck ¶ added in v0.7.0
func GetOAS3ExamplesMissingRule ¶ added in v0.7.0
func GetOAS3ExamplesRule ¶
GetOAS3ExamplesRule will check the entire spec for correct example use.
func GetOAS3HostNotExampleRule ¶
GetOAS3HostNotExampleRule checks to make sure that example.com is not being used as a host. TODO: how common is this? should we keep it? change it?
func GetOAS3HostTrailingSlashRule ¶ added in v0.0.5
GetOAS3HostTrailingSlashRule checks to make sure there is no trailing slash on the host
func GetOAS3ParameterDescriptionRule ¶
GetOAS3ParameterDescriptionRule will check specs to make sure parameters have a description.
func GetOAS3SchemaRule ¶
GetOAS3SchemaRule will check that the schema is valid for openapi 3+ docs.
func GetOAS3SecurityDefinedRule ¶
GetOAS3SecurityDefinedRule will check that security definitions exist and validate for OpenAPI 3
func GetOAS3UnusedComponentRule ¶
GetOAS3UnusedComponentRule will check that there aren't any components anywhere that haven't been used.
func GetOWASPArrayLimitRule ¶ added in v0.2.0
func GetOWASPAuthInsecureSchemesRule ¶ added in v0.2.0
func GetOWASPConstrainedAdditionalPropertiesRule ¶ added in v0.2.0
func GetOWASPDefineErrorResponses401Rule ¶ added in v0.2.0
func GetOWASPDefineErrorResponses429Rule ¶ added in v0.2.0
func GetOWASPDefineErrorResponses500Rule ¶ added in v0.2.0
func GetOWASPDefineErrorValidationRule ¶ added in v0.2.0
func GetOWASPIntegerFormatRule ¶ added in v0.2.0
func GetOWASPIntegerLimitRule ¶ added in v0.2.0
func GetOWASPJWTBestPracticesRule ¶ added in v0.2.0
func GetOWASPNoAPIKeysInURLRule ¶ added in v0.2.0
func GetOWASPNoAdditionalPropertiesRule ¶ added in v0.2.0
func GetOWASPNoCredentialsInURLRule ¶ added in v0.2.0
func GetOWASPNoHttpBasicRule ¶ added in v0.2.0
func GetOWASPNoNumericIDsRule ¶ added in v0.2.0
func GetOWASPProtectionGlobalSafeRule ¶ added in v0.2.0
https://github.com/italia/api-oas-checker/blob/master/security/security.yml
func GetOWASPProtectionGlobalUnsafeRule ¶ added in v0.2.0
https://github.com/italia/api-oas-checker/blob/master/security/security.yml
func GetOWASPProtectionGlobalUnsafeStrictRule ¶ added in v0.2.0
https://github.com/italia/api-oas-checker/blob/master/security/security.yml
func GetOWASPRateLimitRetryAfterRule ¶ added in v0.2.0
func GetOWASPRateLimitRule ¶ added in v0.2.0
func GetOWASPSecurityHostsHttpsOAS3Rule ¶ added in v0.2.0
func GetOWASPStringLimitRule ¶ added in v0.2.0
func GetOWASPStringRestrictedRule ¶ added in v0.2.0
func GetOpenApiTagsAlphabeticalRule ¶
GetOpenApiTagsAlphabeticalRule will return a rule that uses the alphabetical function to check if tags are in alphabetical order
func GetOpenApiTagsRule ¶
GetOpenApiTagsRule uses the schema function to check that tags exist and that it's an array with at least one item.
func GetOperationDescriptionRule ¶
GetOperationDescriptionRule will return a rule that uses the truthy function to check whether an operation has defined a description, and whether that description meets the required length.
func GetOperationErrorResponseRule ¶ added in v0.0.13
GetOperationErrorResponseRule will return the rule for checking for a 4xx response defined in operations.
func GetOperationIdRule ¶
GetOperationIdRule will check to make sure that operationIds exist on all operations
func GetOperationIdUniqueRule ¶
GetOperationIdUniqueRule will check to make sure that operationIds are all unique and non-repeating
func GetOperationIdValidInUrlRule ¶
GetOperationIdValidInUrlRule will check if an operationId will be valid when used in a URL.
func GetOperationParametersRule ¶
GetOperationParametersRule will check that an operation has valid parameters defined
func GetOperationSingleTagRule ¶
GetOperationSingleTagRule will check to see if an operation has more than a single tag
func GetOperationSuccessResponseRule ¶
GetOperationSuccessResponseRule will check that every operation has a success response defined.
func GetOperationTagsRule ¶
GetOperationTagsRule uses the schema function to check that tags exist and that it's an array with at least one item.
func GetPathDeclarationsMustExistRule ¶
GetPathDeclarationsMustExistRule will check to make sure there are no empty path variables
func GetPathNoTrailingSlashRule ¶
GetPathNoTrailingSlashRule will make sure that paths don't have trailing slashes
func GetPathNotIncludeQueryRule ¶
GetPathNotIncludeQueryRule checks to ensure paths are not including any query parameters.
func GetPathParamsRule ¶
GetPathParamsRule checks if path params are valid and defined.
func GetPathsKebabCaseRule ¶ added in v0.0.13
GetPathsKebabCaseRule will check that each path segment is kebab-case
func GetPostSuccessResponseRule ¶ added in v0.10.0
GetPostSuccessResponseRule will check that all POST operations have a success response defined.
func GetRecommendedOWASPRules ¶ added in v0.2.0
GetRecommendedOWASPRules returns a map of all the OWASP rules available, ready to be used in a RuleSet.
func GetSchemaTypeCheckRule ¶ added in v0.8.0
GetSchemaTypeCheckRule will check that all schemas have a valid type defined
func GetTagDescriptionRequiredRule ¶
GetTagDescriptionRequiredRule checks to ensure tags defined have been given a description
func GetTypedEnumRule ¶
GetTypedEnumRule checks to ensure enums are of the specified type
func NoAmbiguousPaths ¶ added in v0.0.12
NoAmbiguousPaths will check for paths that are ambiguous with one another
func SniffOutAllExternalRules ¶ added in v0.6.0
func SniffOutAllExternalRules( ctx context.Context, rsm *ruleSetsModel, location string, visited []string, rs *RuleSet, remote bool)
SniffOutAllExternalRules takes a ruleset and sniffs out all external rules. It will recursively sniff out all external rulesets and add them to the ruleset. It will return an error if it cannot sniff out the ruleset.
Types ¶
type RuleSet ¶
// RuleSet represents a collection of Rule definitions.
//
// A RuleSet is populated either from built-in rules (CreateRuleSetFromRuleMap)
// or decoded from JSON/YAML (CreateRuleSetFromData, CreateRuleSetUsingJSON,
// LoadLocalRuleSet, DownloadRemoteRuleSet).
type RuleSet struct {
	Description      string   `json:"description,omitempty" yaml:"description,omitempty"`
	DocumentationURI string   `json:"documentationUrl,omitempty" yaml:"documentationUrl,omitempty"`
	Formats          []string `json:"formats,omitempty" yaml:"formats,omitempty"`
	// RuleDefinitions holds the raw decoded rules; each value can be either a
	// string, or an entire rule (super annoying, stoplight).
	// NOTE(review): when the ruleset was fetched via DownloadRemoteRuleSet these
	// values come from a remote source; presumably they are validated against
	// RulesetSchema before use — confirm in the loader.
	RuleDefinitions map[string]interface{} `json:"rules" yaml:"rules"`
	// Rules is the resolved rule map; excluded from JSON/YAML (de)serialization.
	Rules map[string]*model.Rule `json:"-" yaml:"-"`
	// Extends can be a string or a tuple (again... why stoplight?);
	// GetExtendsValue normalizes it.
	Extends interface{} `json:"extends,omitempty" yaml:"extends,omitempty"`
	// contains filtered or unexported fields
}
RuleSet represents a collection of Rule definitions.
func CreateRuleSetFromData ¶
CreateRuleSetFromData will create a new RuleSet instance from either a JSON or YAML input
func CreateRuleSetFromRuleMap ¶ added in v0.1.0
CreateRuleSetFromRuleMap creates a RuleSet from a map of rules. Built-in rules can be exposed by using the GetAllBuiltInRules() function.
func CreateRuleSetUsingJSON ¶
CreateRuleSetUsingJSON will create a new RuleSet instance from a JSON byte array
func DownloadRemoteRuleSet ¶ added in v0.6.0
DownloadRemoteRuleSet downloads a remote ruleset and returns a *RuleSet. It returns an error if it cannot download the ruleset.
func GenerateDefaultOpenAPIRuleSet ¶ added in v0.1.0
func GenerateDefaultOpenAPIRuleSet() *RuleSet
GenerateDefaultOpenAPIRuleSet generates a default ruleset for OpenAPI. All the built-in rules, ready to go.
func GenerateOWASPOpenAPIRuleSet ¶ added in v0.7.0
func GenerateOWASPOpenAPIRuleSet() *RuleSet
GenerateOWASPOpenAPIRuleSet generates our OWASP ruleset for OpenAPI. Hard mode engage!
func LoadLocalRuleSet ¶ added in v0.6.0
LoadLocalRuleSet loads a local ruleset and returns a *RuleSet. It returns an error if it cannot load the ruleset.
func (*RuleSet) GetExtendsValue ¶
GetExtendsValue returns an array of maps defining which ruleset this one extends. The value can be a single string or an array of tuples, so this normalizes things into a standard structure.
type RuleSets ¶
// RuleSets is used to generate default RuleSets built into vacuum.
type RuleSets interface {
	// GenerateOpenAPIDefaultRuleSet generates a ready to run pointer to a model.RuleSet containing all
	// OpenAPI rules supported by vacuum. Passing all these rules would be considered a very good quality specification.
	GenerateOpenAPIDefaultRuleSet() *RuleSet

	// GenerateOpenAPIRecommendedRuleSet generates a ready to run pointer to a model.RuleSet that contains only
	// recommended rules (not all rules). Passing all these rules would result in a quality specification.
	GenerateOpenAPIRecommendedRuleSet() *RuleSet

	// GenerateRuleSetFromSuppliedRuleSet will generate a ready to run ruleset based on a supplied configuration. This
	// will look for any extensions and apply all rules turned on, turned off and any custom rules.
	GenerateRuleSetFromSuppliedRuleSet(config *RuleSet) *RuleSet
}
RuleSets is used to generate default RuleSets built into vacuum
func BuildDefaultRuleSets ¶
func BuildDefaultRuleSets() RuleSets