Index ¶
- Constants
- func GetAPIServersRule() *model.Rule
- func GetAllBuiltInRules() map[string]*model.Rule
- func GetAllOWASPRules() map[string]*model.Rule
- func GetComponentDescriptionsRule() *model.Rule
- func GetContactPropertiesRule() *model.Rule
- func GetDescriptionDuplicationRule() *model.Rule
- func GetDuplicatedEntryInEnumRule() *model.Rule
- func GetGlobalOperationTagsRule() *model.Rule
- func GetInfoContactRule() *model.Rule
- func GetInfoDescriptionRule() *model.Rule
- func GetInfoLicenseRule() *model.Rule
- func GetInfoLicenseUrlRule() *model.Rule
- func GetNoEvalInMarkdownRule() *model.Rule
- func GetNoRefSiblingsRule() *model.Rule
- func GetNoScriptTagsInMarkdownRule() *model.Rule
- func GetNoVerbsInPathRule() *model.Rule
- func GetOAS2APIHostRule() *model.Rule
- func GetOAS2APISchemesRule() *model.Rule
- func GetOAS2DiscriminatorRule() *model.Rule
- func GetOAS2ExamplesRule() *model.Rule
- func GetOAS2FormDataConsumesRule() *model.Rule
- func GetOAS2HostNotExampleRule() *model.Rule
- func GetOAS2HostTrailingSlashRule() *model.Rule
- func GetOAS2ParameterDescriptionRule() *model.Rule
- func GetOAS2PolymorphicAnyOfRule() *model.Rule
- func GetOAS2PolymorphicOneOfRule() *model.Rule
- func GetOAS2SchemaRule() *model.Rule
- func GetOAS2SecurityDefinedRule() *model.Rule
- func GetOAS2UnusedComponentRule() *model.Rule
- func GetOAS3ExamplesRule() *model.Rule
- func GetOAS3HostNotExampleRule() *model.Rule
- func GetOAS3HostTrailingSlashRule() *model.Rule
- func GetOAS3ParameterDescriptionRule() *model.Rule
- func GetOAS3SchemaRule() *model.Rule
- func GetOAS3SecurityDefinedRule() *model.Rule
- func GetOAS3UnusedComponentRule() *model.Rule
- func GetOWASPArrayLimitRule() *model.Rule
- func GetOWASPAuthInsecureSchemesRule() *model.Rule
- func GetOWASPConstrainedAdditionalPropertiesRule() *model.Rule
- func GetOWASPDefineErrorResponses401Rule() *model.Rule
- func GetOWASPDefineErrorResponses429Rule() *model.Rule
- func GetOWASPDefineErrorResponses500Rule() *model.Rule
- func GetOWASPDefineErrorValidationRule() *model.Rule
- func GetOWASPIntegerFormatRule() *model.Rule
- func GetOWASPIntegerLimitLegacyRule() *model.Rule
- func GetOWASPIntegerLimitRule() *model.Rule
- func GetOWASPJWTBestPracticesRule() *model.Rule
- func GetOWASPNoAPIKeysInURLRule() *model.Rule
- func GetOWASPNoAdditionalPropertiesRule() *model.Rule
- func GetOWASPNoCredentialsInURLRule() *model.Rule
- func GetOWASPNoHttpBasicRule() *model.Rule
- func GetOWASPNoNumericIDsRule() *model.Rule
- func GetOWASPProtectionGlobalSafeRule() *model.Rule
- func GetOWASPProtectionGlobalUnsafeRule() *model.Rule
- func GetOWASPProtectionGlobalUnsafeStrictRule() *model.Rule
- func GetOWASPRateLimitRetryAfterRule() *model.Rule
- func GetOWASPRateLimitRule() *model.Rule
- func GetOWASPSecurityHostsHttpsOAS2Rule() *model.Rule
- func GetOWASPSecurityHostsHttpsOAS3Rule() *model.Rule
- func GetOWASPStringLimitRule() *model.Rule
- func GetOWASPStringRestrictedRule() *model.Rule
- func GetOpenApiTagsAlphabeticalRule() *model.Rule
- func GetOpenApiTagsRule() *model.Rule
- func GetOperationDescriptionRule() *model.Rule
- func GetOperationErrorResponseRule() *model.Rule
- func GetOperationIdRule() *model.Rule
- func GetOperationIdUniqueRule() *model.Rule
- func GetOperationIdValidInUrlRule() *model.Rule
- func GetOperationParametersRule() *model.Rule
- func GetOperationSingleTagRule() *model.Rule
- func GetOperationSuccessResponseRule() *model.Rule
- func GetOperationTagsRule() *model.Rule
- func GetPathDeclarationsMustExistRule() *model.Rule
- func GetPathNoTrailingSlashRule() *model.Rule
- func GetPathNotIncludeQueryRule() *model.Rule
- func GetPathParamsRule() *model.Rule
- func GetPathsKebabCaseRule() *model.Rule
- func GetRecommendedOWASPRules() map[string]*model.Rule
- func GetTagDescriptionRequiredRule() *model.Rule
- func GetTypedEnumRule() *model.Rule
- func NoAmbiguousPaths() *model.Rule
- type RuleSet
- type RuleSets
Constants ¶
// Rule category names and the string identifiers of every built-in rule.
// Each identifier is the key a rule is known by when a rule set is built
// from a map (see GetAllBuiltInRules / CreateRuleSetFromRuleMap) and when
// it is switched on or off in a supplied rule set configuration.
const (
	// Rule categories.
	Style = "style"
	Validation = "validation"

	// Path and operation structure rules.
	NoVerbsInPath = "no-http-verbs-in-path"
	PathsKebabCase = "paths-kebab-case"
	NoAmbiguousPathsRule = "no-ambiguous-paths"
	OperationErrorResponse = "operation-4xx-response"
	OperationSuccessResponse = "operation-success-response"
	OperationOperationIdUnique = "operation-operationId-unique"
	OperationOperationId = "operation-operationId"
	OperationParameters = "operation-parameters"
	OperationSingularTag = "operation-singular-tag"
	OperationTagDefined = "operation-tag-defined"
	PathParamsRule = "path-params"

	// Info / metadata and description rules.
	ContactProperties = "contact-properties"
	InfoContact = "info-contact"
	InfoDescription = "info-description"
	InfoLicense = "info-license"
	LicenseUrl = "license-url"
	OpenAPITagsAlphabetical = "openapi-tags-alphabetical"
	OpenAPITags = "openapi-tags"
	OperationTags = "operation-tags"
	OperationDescription = "operation-description"
	ComponentDescription = "component-description"
	OperationOperationIdValidInUrl = "operation-operationId-valid-in-url"
	PathDeclarationsMustExist = "path-declarations-must-exist"
	PathKeysNoTrailingSlash = "path-keys-no-trailing-slash"
	PathNotIncludeQuery = "path-not-include-query"
	TagDescription = "tag-description"
	NoRefSiblings = "no-$ref-siblings"

	// Version-specific (OpenAPI 2 "oas2" / OpenAPI 3 "oas3") rules.
	Oas3UnusedComponent = "oas3-unused-component"
	Oas2UnusedDefinition = "oas2-unused-definition"
	Oas2APIHost = "oas2-api-host"
	Oas2APISchemes = "oas2-api-schemes"
	Oas2Discriminator = "oas2-discriminator"
	Oas2HostNotExample = "oas2-host-not-example"
	// NOTE(review): the ".com" suffix breaks the naming pattern of its oas2
	// sibling; confirm it is intentional before treating it as a stable ID.
	Oas3HostNotExample = "oas3-host-not-example.com"
	Oas2HostTrailingSlash = "oas2-host-trailing-slash"
	Oas3HostTrailingSlash = "oas3-host-trailing-slash"
	Oas2ParameterDescription = "oas2-parameter-description"
	Oas3ParameterDescription = "oas3-parameter-description"
	Oas3OperationSecurityDefined = "oas3-operation-security-defined"
	Oas2OperationSecurityDefined = "oas2-operation-security-defined"
	Oas3ValidSchemaExample = "oas3-valid-schema-example"
	Oas2ValidSchemaExample = "oas2-valid-schema-example"

	// Enum and markdown content rules. The two markdown rules guard against
	// executable content (eval statements, script tags) in descriptions.
	TypedEnum = "typed-enum"
	DuplicatedEntryInEnum = "duplicated-entry-in-enum"
	NoEvalInMarkdown = "no-eval-in-markdown"
	NoScriptTagsInMarkdown = "no-script-tags-in-markdown"
	DescriptionDuplication = "description-duplication"

	// Servers, formData and polymorphism / schema validity rules.
	Oas3APIServers = "oas3-api-servers"
	Oas2OperationFormDataConsumeCheck = "oas2-operation-formData-consume-check"
	Oas2AnyOf = "oas2-anyOf"
	Oas2OneOf = "oas2-oneOf"
	Oas2Schema = "oas2-schema"
	Oas3Schema = "oas3-schema"

	// OWASP API security rules (see GetAllOWASPRules / GetRecommendedOWASPRules).
	OwaspNoNumericIDs = "owasp-no-numeric-ids"
	OwaspNoHttpBasic = "owasp-no-http-basic"
	OwaspNoAPIKeysInURL = "owasp-no-api-keys-in-url"
	OwaspNoCredentialsInURL = "owasp-no-credentials-in-url"
	OwaspAuthInsecureSchemes = "owasp-auth-insecure-schemes"
	OwaspJWTBestPractices = "owasp-jwt-best-practices"
	OwaspProtectionGlobalUnsafe = "owasp-protection-global-unsafe"
	OwaspProtectionGlobalUnsafeStrict = "owasp-protection-global-unsafe-strict"
	OwaspProtectionGlobalSafe = "owasp-protection-global-safe"
	OwaspDefineErrorValidation = "owasp-define-error-validation"
	OwaspDefineErrorResponses401 = "owasp-define-error-responses-401"
	OwaspDefineErrorResponses500 = "owasp-define-error-responses-500"
	OwaspRateLimit = "owasp-rate-limit"
	OwaspRateLimitRetryAfter = "owasp-rate-limit-retry-after"
	OwaspDefineErrorResponses429 = "owasp-define-error-responses-429"
	OwaspArrayLimit = "owasp-array-limit"
	OwaspStringLimit = "owasp-string-limit"
	OwaspStringRestricted = "owasp-string-restricted"
	OwaspIntegerLimit = "owasp-integer-limit"
	OwaspIntegerLimitLegacy = "owasp-integer-limit-legacy"
	OwaspIntegerFormat = "owasp-integer-format"
	OwaspNoAdditionalProperties = "owasp-no-additionalProperties"
	OwaspConstrainedAdditionalProperties = "owasp-constrained-additionalProperties"
	OwaspSecurityHostsHttpsOAS2 = "owasp-security-hosts-https-oas2"
	OwaspSecurityHostsHttpsOAS3 = "owasp-security-hosts-https-oas3"

	// Names of the rule sets a configuration may extend, and the severity
	// presets ("recommended", "all", "off") used in an extends entry.
	SpectralOpenAPI = "spectral:oas"
	SpectralOwasp = "spectral:owasp"
	VacuumOwasp = "vacuum:owasp"
	SpectralRecommended = "recommended"
	SpectralAll = "all"
	SpectralOff = "off"
)
Functions ¶
func GetAPIServersRule ¶
GetAPIServersRule checks to make sure there is a valid 'servers' definition in the document.
func GetAllBuiltInRules ¶ added in v0.1.0
GetAllBuiltInRules returns a map of all the built-in rules available, ready to be used in a RuleSet.
func GetAllOWASPRules ¶ added in v0.2.0
GetAllOWASPRules returns a map of all the OWASP rules available, ready to be used in a RuleSet.
func GetComponentDescriptionsRule ¶
GetComponentDescriptionsRule will check all components for description problems.
func GetContactPropertiesRule ¶
GetContactPropertiesRule will return a rule configured to look at the contact properties of a spec. It uses the built-in 'truthy' function.
func GetDescriptionDuplicationRule ¶
GetDescriptionDuplicationRule will check if any descriptions have been copy/pasted or duplicated. All descriptions should be unique, otherwise what is the point?
func GetDuplicatedEntryInEnumRule ¶
GetDuplicatedEntryInEnumRule will check that enums do not contain duplicated entries.
func GetGlobalOperationTagsRule ¶
GetGlobalOperationTagsRule will check that an operation tag exists in the top-level tags. This rule was dropped from an error to a warning after discussion here:
func GetInfoContactRule ¶
GetInfoContactRule will return a rule that uses the truthy function to check if the info object contains a contact object.
func GetInfoDescriptionRule ¶
GetInfoDescriptionRule will return a rule that uses the truthy function to check if the info object contains a description.
func GetInfoLicenseRule ¶
GetInfoLicenseRule will return a rule that uses the truthy function to check if the info object contains a license
func GetInfoLicenseUrlRule ¶
GetInfoLicenseUrlRule will return a rule that uses the truthy function to check if the info object contains a license with a URL that is set.
func GetNoEvalInMarkdownRule ¶
GetNoEvalInMarkdownRule will return a rule that uses the pattern function to check that no eval statements are used in markdown descriptions.
func GetNoRefSiblingsRule ¶
GetNoRefSiblingsRule will check that there are no sibling nodes next to a $ref (which is technically invalid)
func GetNoScriptTagsInMarkdownRule ¶
GetNoScriptTagsInMarkdownRule will return a rule that uses the pattern function to check that no script tags are used in descriptions or the title.
func GetNoVerbsInPathRule ¶ added in v0.0.13
GetNoVerbsInPathRule will check all paths to make sure no HTTP verbs have been used as a path segment.
func GetOAS2APIHostRule ¶
GetOAS2APIHostRule will check swagger specs for the host property being set.
func GetOAS2APISchemesRule ¶
GetOAS2APISchemesRule uses the schema function to check that a swagger spec has schemes and that it is an array with at least one item.
func GetOAS2DiscriminatorRule ¶
GetOAS2DiscriminatorRule will check swagger schemas to ensure they are using discriminators correctly.
func GetOAS2ExamplesRule ¶
GetOAS2ExamplesRule will check the entire spec for correct example use.
func GetOAS2FormDataConsumesRule ¶
GetOAS2FormDataConsumesRule will check that "application/x-www-form-urlencoded" or "multipart/form-data" is defined in the 'consumes' node for any parameters that use 'in: formData'.
func GetOAS2HostNotExampleRule ¶
GetOAS2HostNotExampleRule checks to make sure that example.com is not being used as a host. TODO: how common is this? should we keep it? change it?
func GetOAS2HostTrailingSlashRule ¶
GetOAS2HostTrailingSlashRule checks to make sure there is no trailing slash on the host
func GetOAS2ParameterDescriptionRule ¶
GetOAS2ParameterDescriptionRule will check specs to make sure parameters have a description.
func GetOAS2PolymorphicAnyOfRule ¶
GetOAS2PolymorphicAnyOfRule will check that 'anyOf' has not been used in a swagger spec (introduced in 3.0)
func GetOAS2PolymorphicOneOfRule ¶
GetOAS2PolymorphicOneOfRule will check that 'oneOf' has not been used in a swagger spec (introduced in 3.0)
func GetOAS2SchemaRule ¶
GetOAS2SchemaRule will check that the schema is valid for swagger docs.
func GetOAS2SecurityDefinedRule ¶
GetOAS2SecurityDefinedRule will check that security definitions exist and validate for OpenAPI 2
func GetOAS2UnusedComponentRule ¶
GetOAS2UnusedComponentRule will check that there aren't any components anywhere that haven't been used.
func GetOAS3ExamplesRule ¶
GetOAS3ExamplesRule will check the entire spec for correct example use.
func GetOAS3HostNotExampleRule ¶
GetOAS3HostNotExampleRule checks to make sure that example.com is not being used as a host. TODO: how common is this? should we keep it? change it?
func GetOAS3HostTrailingSlashRule ¶ added in v0.0.5
GetOAS3HostTrailingSlashRule checks to make sure there is no trailing slash on the host
func GetOAS3ParameterDescriptionRule ¶
GetOAS3ParameterDescriptionRule will check specs to make sure parameters have a description.
func GetOAS3SchemaRule ¶
GetOAS3SchemaRule will check that the schema is valid for openapi 3+ docs.
func GetOAS3SecurityDefinedRule ¶
GetOAS3SecurityDefinedRule will check that security definitions exist and validate for OpenAPI 3
func GetOAS3UnusedComponentRule ¶
GetOAS3UnusedComponentRule will check that there aren't any components anywhere that haven't been used.
func GetOWASPArrayLimitRule ¶ added in v0.2.0
It will return duplicate errors for each branch of any if/else/then logic
func GetOWASPAuthInsecureSchemesRule ¶ added in v0.2.0
func GetOWASPConstrainedAdditionalPropertiesRule ¶ added in v0.2.0
func GetOWASPDefineErrorResponses401Rule ¶ added in v0.2.0
func GetOWASPDefineErrorResponses429Rule ¶ added in v0.2.0
func GetOWASPDefineErrorResponses500Rule ¶ added in v0.2.0
func GetOWASPDefineErrorValidationRule ¶ added in v0.2.0
func GetOWASPIntegerFormatRule ¶ added in v0.2.0
It will return duplicate errors for each branch of any if/else/then logic
func GetOWASPIntegerLimitLegacyRule ¶ added in v0.2.0
It will return duplicate errors for each branch of any if/else/then logic
func GetOWASPIntegerLimitRule ¶ added in v0.2.0
It will return duplicate errors for each branch of any if/else/then logic
func GetOWASPJWTBestPracticesRule ¶ added in v0.2.0
func GetOWASPNoAPIKeysInURLRule ¶ added in v0.2.0
func GetOWASPNoAdditionalPropertiesRule ¶ added in v0.2.0
func GetOWASPNoCredentialsInURLRule ¶ added in v0.2.0
func GetOWASPNoHttpBasicRule ¶ added in v0.2.0
func GetOWASPNoNumericIDsRule ¶ added in v0.2.0
func GetOWASPProtectionGlobalSafeRule ¶ added in v0.2.0
https://github.com/italia/api-oas-checker/blob/master/security/security.yml
func GetOWASPProtectionGlobalUnsafeRule ¶ added in v0.2.0
https://github.com/italia/api-oas-checker/blob/master/security/security.yml
func GetOWASPProtectionGlobalUnsafeStrictRule ¶ added in v0.2.0
https://github.com/italia/api-oas-checker/blob/master/security/security.yml
func GetOWASPRateLimitRetryAfterRule ¶ added in v0.2.0
func GetOWASPRateLimitRule ¶ added in v0.2.0
func GetOWASPSecurityHostsHttpsOAS2Rule ¶ added in v0.2.0
func GetOWASPSecurityHostsHttpsOAS3Rule ¶ added in v0.2.0
func GetOWASPStringLimitRule ¶ added in v0.2.0
It will return duplicate errors for each branch of any if/else/then logic
func GetOWASPStringRestrictedRule ¶ added in v0.2.0
It will return duplicate errors for each branch of any if/else/then logic
func GetOpenApiTagsAlphabeticalRule ¶
GetOpenApiTagsAlphabeticalRule will return a rule that uses the alphabetical function to check if tags are in alphabetical order
func GetOpenApiTagsRule ¶
GetOpenApiTagsRule uses the schema function to check that tags exist and that the value is an array with at least one item.
func GetOperationDescriptionRule ¶
GetOperationDescriptionRule will return a rule that uses the truthy function to check if an operation has not defined a description, or the description does not meet the required length.
func GetOperationErrorResponseRule ¶ added in v0.0.13
GetOperationErrorResponseRule will return the rule for checking for a 4xx response defined in operations.
func GetOperationIdRule ¶
GetOperationIdRule will check to make sure that operationIds exist on all operations
func GetOperationIdUniqueRule ¶
GetOperationIdUniqueRule will check to make sure that operationIds are all unique and non-repeating
func GetOperationIdValidInUrlRule ¶
GetOperationIdValidInUrlRule will check if an operationId will be valid when used in a URL.
func GetOperationParametersRule ¶
GetOperationParametersRule will check that an operation has valid parameters defined
func GetOperationSingleTagRule ¶
GetOperationSingleTagRule will check to see if an operation has more than a single tag
func GetOperationSuccessResponseRule ¶
GetOperationSuccessResponseRule will check that every operation has a success response defined.
func GetOperationTagsRule ¶
GetOperationTagsRule uses the schema function to check that tags exist and that the value is an array with at least one item.
func GetPathDeclarationsMustExistRule ¶
GetPathDeclarationsMustExistRule will check to make sure there are no empty path variables
func GetPathNoTrailingSlashRule ¶
GetPathNoTrailingSlashRule will make sure that paths don't have trailing slashes
func GetPathNotIncludeQueryRule ¶
GetPathNotIncludeQueryRule checks to ensure paths are not including any query parameters.
func GetPathParamsRule ¶
GetPathParamsRule checks if path params are valid and defined.
func GetPathsKebabCaseRule ¶ added in v0.0.13
GetPathsKebabCaseRule will check that each path segment is kebab-case
func GetRecommendedOWASPRules ¶ added in v0.2.0
GetRecommendedOWASPRules returns a map of all the OWASP rules available, ready to be used in a RuleSet.
func GetTagDescriptionRequiredRule ¶
GetTagDescriptionRequiredRule checks to ensure tags defined have been given a description
func GetTypedEnumRule ¶
GetTypedEnumRule checks to ensure enums are of the specified type
func NoAmbiguousPaths ¶ added in v0.0.12
NoAmbiguousPaths will check for paths that are ambiguous with one another
Types ¶
type RuleSet ¶
type RuleSet struct {
	// Description is the human readable description of the rule set.
	Description string `json:"description,omitempty" yaml:"description,omitempty"`
	// DocumentationURI points at documentation for the rule set (serialized as "documentationUrl").
	DocumentationURI string `json:"documentationUrl,omitempty" yaml:"documentationUrl,omitempty"`
	// Formats lists the document formats the rule set applies to.
	Formats []string `json:"formats,omitempty" yaml:"formats,omitempty"`
	// RuleDefinitions is the raw "rules" map as decoded from the JSON/YAML
	// input; each value is untyped because it may be a severity/on-off
	// string or a complete rule object, so consumers must type-check it.
	RuleDefinitions map[string]interface{} `json:"rules" yaml:"rules"` // this can be either a string, or an entire rule (super annoying, stoplight).
	// Rules holds the resolved rules; it is never (de)serialized.
	Rules map[string]*model.Rule `json:"-" yaml:"-"`
	// Extends is untyped for the same reason as RuleDefinitions: it is decoded
	// from the input as either a string or a tuple. GetExtendsValue normalizes it.
	Extends interface{} `json:"extends,omitempty" yaml:"extends,omitempty"` // can be string or tuple (again... why stoplight?)
	// contains filtered or unexported fields
}
RuleSet represents a collection of Rule definitions.
func CreateRuleSetFromData ¶
CreateRuleSetFromData will create a new RuleSet instance from either a JSON or YAML input
func CreateRuleSetFromRuleMap ¶ added in v0.1.0
CreateRuleSetFromRuleMap creates a RuleSet from a map of rules. Built-in rules can be exposed by using the GetAllBuiltInRules() function.
func CreateRuleSetUsingJSON ¶
CreateRuleSetUsingJSON will create a new RuleSet instance from a JSON byte array
func GenerateDefaultOpenAPIRuleSet ¶ added in v0.1.0
func GenerateDefaultOpenAPIRuleSet() *RuleSet
GenerateDefaultOpenAPIRuleSet generates a default ruleset for OpenAPI. All the built-in rules, ready to go.
func (*RuleSet) GetExtendsValue ¶
GetExtendsValue returns an array of maps defining which ruleset this one extends. The value can be a single string or an array of tuples, so this normalizes things into a standard structure.
type RuleSets ¶
type RuleSets interface {
	// GenerateOpenAPIDefaultRuleSet generates a ready to run pointer to a model.RuleSet containing all
	// OpenAPI rules supported by vacuum. Passing all these rules would be considered a very good quality specification.
	// NOTE(review): the return type is *RuleSet from this package, not model.RuleSet as the
	// comment says; confirm which is meant.
	GenerateOpenAPIDefaultRuleSet() *RuleSet
	// GenerateOpenAPIRecommendedRuleSet generates a ready to run pointer to a model.RuleSet that contains only
	// recommended rules (not all rules). Passing all these rules would result in a quality specification
	GenerateOpenAPIRecommendedRuleSet() *RuleSet
	// GenerateRuleSetFromSuppliedRuleSet will generate a ready to run ruleset based on a supplied configuration. This
	// will look for any extensions and apply all rules turned on, turned off and any custom rules.
	// The supplied config is typically decoded from external JSON/YAML (see CreateRuleSetFromData),
	// so its untyped RuleDefinitions and Extends values are validated here rather than trusted as-is.
	GenerateRuleSetFromSuppliedRuleSet(config *RuleSet) *RuleSet
}
RuleSets is used to generate the default RuleSets built into vacuum.
func BuildDefaultRuleSets ¶
func BuildDefaultRuleSets() RuleSets