models

package
v2.0.0-beta2

Warning: this package is not in the latest version of its module.
Published: Feb 12, 2025 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Types

type Affected

type Affected struct {
	Package           Package                `json:"package,omitempty"            yaml:"package,omitempty"`
	Severity          []Severity             `json:"severity,omitempty"           yaml:"severity,omitempty"`
	Ranges            []Range                `json:"ranges,omitempty"             yaml:"ranges,omitempty"`
	Versions          []string               `json:"versions,omitempty"           yaml:"versions,omitempty"`
	DatabaseSpecific  map[string]interface{} `json:"database_specific,omitempty"  yaml:"database_specific,omitempty"`
	EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty" yaml:"ecosystem_specific,omitempty"`
}

Affected describes an affected package version, meaning one instance that contains the vulnerability.

See: https://ossf.github.io/osv-schema/#affected-fields

func (Affected) MarshalJSON

func (a Affected) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

This method ensures that Package is emitted only when it is not equal to its zero value. It does so by marshalling a shadow of the Affected struct in which the "package" key is populated from a pointer to Package, so a zero-valued Package is omitted from the JSON object instead of being serialised as an empty object.

type AnalysisInfo

type AnalysisInfo struct {
	Called      bool `json:"called"`
	Unimportant bool `json:"unimportant"`
}

type BaseImageDetails

type BaseImageDetails struct {
	Name string `json:"name"`
	// TODO: Not yet filled in
	Tags []string `json:"tags"`
}

type Credit

type Credit struct {
	Name    string     `json:"name"              yaml:"name"`
	Type    CreditType `json:"type,omitempty"    yaml:"type,omitempty"`
	Contact []string   `json:"contact,omitempty" yaml:"contact,omitempty"`
}

Credit gives credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.

See: https://ossf.github.io/osv-schema/#credits-fields

type CreditType

type CreditType string
const (
	CreditFinder               CreditType = "FINDER"
	CreditReporter             CreditType = "REPORTER"
	CreditAnalyst              CreditType = "ANALYST"
	CreditCoordinator          CreditType = "COORDINATOR"
	CreditRemediationDeveloper CreditType = "REMEDIATION_DEVELOPER" //nolint:gosec
	CreditRemediationReviewer  CreditType = "REMEDIATION_REVIEWER"  //nolint:gosec
	CreditRemediationVerifier  CreditType = "REMEDIATION_VERIFIER"  //nolint:gosec
	CreditTool                 CreditType = "TOOL"
	CreditSponsor              CreditType = "SPONSOR"
	CreditOther                CreditType = "OTHER"
)

type CycloneDXVersion

type CycloneDXVersion int
const (
	CycloneDXVersion14 CycloneDXVersion = iota
	CycloneDXVersion15
)

type Ecosystem

type Ecosystem string
const (
	EcosystemGo            Ecosystem = "Go"
	EcosystemNPM           Ecosystem = "npm"
	EcosystemOSSFuzz       Ecosystem = "OSS-Fuzz"
	EcosystemPyPI          Ecosystem = "PyPI"
	EcosystemRubyGems      Ecosystem = "RubyGems"
	EcosystemCratesIO      Ecosystem = "crates.io"
	EcosystemPackagist     Ecosystem = "Packagist"
	EcosystemMaven         Ecosystem = "Maven"
	EcosystemNuGet         Ecosystem = "NuGet"
	EcosystemLinux         Ecosystem = "Linux"
	EcosystemDebian        Ecosystem = "Debian"
	EcosystemAlpine        Ecosystem = "Alpine"
	EcosystemHex           Ecosystem = "Hex"
	EcosystemAndroid       Ecosystem = "Android"
	EcosystemGitHubActions Ecosystem = "GitHub Actions"
	EcosystemPub           Ecosystem = "Pub"
	EcosystemConanCenter   Ecosystem = "ConanCenter"
	EcosystemRockyLinux    Ecosystem = "Rocky Linux"
	EcosystemAlmaLinux     Ecosystem = "AlmaLinux"
	EcosystemBitnami       Ecosystem = "Bitnami"
	EcosystemPhotonOS      Ecosystem = "Photon OS"
	EcosystemCRAN          Ecosystem = "CRAN"
	EcosystemBioconductor  Ecosystem = "Bioconductor"
	EcosystemSwiftURL      Ecosystem = "SwiftURL"
)

type Event

type Event struct {
	Introduced   string `json:"introduced,omitempty"    yaml:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"         yaml:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty" yaml:"last_affected,omitempty"`
	Limit        string `json:"limit,omitempty"         yaml:"limit,omitempty"`
}

Event describes a single version that either:

  • Introduces a vulnerability: {"introduced": string}
  • Fixes a vulnerability: {"fixed": string}
  • Describes the last known affected version: {"last_affected": string}
  • Sets an upper limit on the range being described: {"limit": string}

Event instances form part of a “timeline” of status changes for the affected package described by the Affected struct.

See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields
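A worked example of the timeline evaluation described above, added here and not part of the package: it re-declares trimmed local copies of Event, Range and Affected with the same JSON tags as the page so that it runs without importing the module, decodes a constructed "affected" entry, and decides whether a candidate version falls inside a SEMVER or ECOSYSTEM range by letting the highest-versioned event that does not exceed the candidate decide the state. The comparator is a deliberate simplification, and the enumerated "versions" list, "limit" and GIT ranges are left out.

```go
package main

import (
	"encoding/json"
	"strconv"
	"strings"
)

// Local copies of the models types used here (same JSON tags as the page).
type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}

type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}

type Affected struct {
	Ranges []Range `json:"ranges,omitempty"`
}

// sampleAffected is constructed, not a real advisory: every release before
// 1.2.3 is vulnerable; the bug returned in 2.0.0, 2.1.0 is the last known bad release.
const sampleAffected = `{
  "ranges": [
    {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]},
    {"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"last_affected": "2.1.0"}]}
  ]
}`

// compareVersions is deliberately simple: numeric dotted parts, optional
// leading "v", missing parts count as 0, non-numeric parts (pre-release
// tags, epochs) are ignored. Real scanners need the ecosystem's own rules.
func compareVersions(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y := 0, 0
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// affectedByRange walks the event timeline: the event with the highest
// version not exceeding v decides the state, so event order in the JSON is
// irrelevant. "introduced": "0" means "since the first release". GIT ranges never match here.
func affectedByRange(r Range, v string) bool {
	if r.Type != "SEMVER" && r.Type != "ECOSYSTEM" {
		return false
	}
	affected, decidedAt := false, ""
	apply := func(at string, state bool) {
		if decidedAt == "" || compareVersions(at, decidedAt) >= 0 {
			affected, decidedAt = state, at
		}
	}
	for _, e := range r.Events {
		switch {
		case e.Introduced != "" && compareVersions(e.Introduced, v) <= 0:
			apply(e.Introduced, true) // v is at or past the introducing version
		case e.Fixed != "" && compareVersions(e.Fixed, v) <= 0:
			apply(e.Fixed, false) // v is at or past the fix
		case e.LastAffected != "" && compareVersions(e.LastAffected, v) < 0:
			apply(e.LastAffected, false) // v is strictly past the last bad version
		}
	}
	return affected
}

// IsAffected reports whether version v falls in any range of a.
func IsAffected(a Affected, v string) bool {
	for _, r := range a.Ranges {
		if affectedByRange(r, v) {
			return true
		}
	}
	return false
}

// ParseAffected decodes one "affected" entry from its OSV JSON form.
func ParseAffected(data string) (Affected, error) {
	var a Affected
	err := json.Unmarshal([]byte(data), &a)
	return a, err
}
```

The comparator is where a real scanner spends its effort: SemVer pre-release ordering, Debian epochs and NuGet normalisation all differ, and a wrong comparator silently turns "fixed" into "affected" or the reverse, so it belongs with the ecosystem rather than in generic code like this.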

type ExperimentalAnalysisConfig

type ExperimentalAnalysisConfig struct {
	Licenses ExperimentalLicenseConfig `json:"licenses"`
}

ExperimentalAnalysisConfig is an experimental type intended to contain the types of analysis performed on packages found by the scanner.

type ExperimentalLicenseConfig

type ExperimentalLicenseConfig struct {
	Summary   bool      `json:"summary"`
	Allowlist []License `json:"allowlist"`
}

type GroupInfo

type GroupInfo struct {
	// IDs expected to be sorted in alphanumeric order
	IDs []string `json:"ids"`
	// Aliases include all aliases and IDs
	Aliases []string `json:"aliases"`
	// Map of Vulnerability IDs to AnalysisInfo
	ExperimentalAnalysis map[string]AnalysisInfo `json:"experimental_analysis,omitempty"`
	MaxSeverity          string                  `json:"max_severity"`
}

func (*GroupInfo) IndexString

func (groupInfo *GroupInfo) IndexString() string

func (*GroupInfo) IsCalled

func (groupInfo *GroupInfo) IsCalled() bool

IsCalled returns true if any analysis performed determines that the vulnerable code is called. It also returns true if no analysis was performed, so the absence of call analysis never hides a finding.

func (*GroupInfo) IsGroupUnimportant

func (groupInfo *GroupInfo) IsGroupUnimportant() bool

type ImageMetadata

type ImageMetadata struct {
	OS            string               `json:"os"`
	LayerMetadata []LayerMetadata      `json:"layer_metadata"`
	BaseImages    [][]BaseImageDetails `json:"base_images"`
}

type ImageOriginDetails

type ImageOriginDetails struct {
	Index int `json:"index"`
}

type LayerMetadata

type LayerMetadata struct {
	DiffID         digest.Digest `json:"diff_id"`
	Command        string        `json:"command"`
	IsEmpty        bool          `json:"is_empty"`
	BaseImageIndex int           `json:"base_image_index"`
}

type License

type License string

License is an SPDX license.

type Metadata

type Metadata struct {
	RepoURL   string   `json:"repo_url"`
	DepGroups []string `json:"-"`
}

type Package

type Package struct {
	Ecosystem Ecosystem `json:"ecosystem"      yaml:"ecosystem"`
	Name      string    `json:"name"           yaml:"name"`
	Purl      string    `json:"purl,omitempty" yaml:"purl,omitempty"`
}

Package identifies the affected code library or command provided by the package.

See: https://ossf.github.io/osv-schema/#affectedpackage-field

type PackageInfo

type PackageInfo struct {
	Name          string              `json:"name"`
	OSPackageName string              `json:"os_package_name,omitempty"`
	Version       string              `json:"version"`
	Ecosystem     string              `json:"ecosystem"`
	Commit        string              `json:"commit,omitempty"`
	ImageOrigin   *ImageOriginDetails `json:"image_origin_details,omitempty"`
}

func PURLToPackage

func PURLToPackage(purl string) (PackageInfo, error)

PURLToPackage converts a Package URL (purl) string to a models.PackageInfo.
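An illustrative purl parser, added here and not the project's own PURLToPackage, written against the purl grammar pkg:type/namespace/name@version?qualifiers#subpath. The purl type names are the spec's; the type-to-ecosystem table, the Maven groupId:artifactId spelling and the dropping of the distro namespace for Debian and Alpine are this example's assumptions. Percent-decoding of segments and version is where real inputs bite: scoped npm names arrive as "%40scope" and Debian versions carry "%2B" for "+".

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

type Ecosystem string

// A subset of the page's Ecosystem constants, enough for the mapping below.
const (
	EcosystemGo       Ecosystem = "Go"
	EcosystemNPM      Ecosystem = "npm"
	EcosystemPyPI     Ecosystem = "PyPI"
	EcosystemRubyGems Ecosystem = "RubyGems"
	EcosystemCratesIO Ecosystem = "crates.io"
	EcosystemMaven    Ecosystem = "Maven"
	EcosystemDebian   Ecosystem = "Debian"
	EcosystemAlpine   Ecosystem = "Alpine"
)

// PackageInfo is a trimmed local copy of the models type.
type PackageInfo struct {
	Name      string
	Version   string
	Ecosystem string
}

// purlTypeToEcosystem maps purl "type" values to OSV ecosystem names. The
// purl types are the spec's; the table itself is this example's assumption,
// not the project's (which may be longer).
var purlTypeToEcosystem = map[string]Ecosystem{
	"golang": EcosystemGo, "npm": EcosystemNPM, "pypi": EcosystemPyPI,
	"gem": EcosystemRubyGems, "cargo": EcosystemCratesIO, "maven": EcosystemMaven,
	"deb": EcosystemDebian, "apk": EcosystemAlpine,
}

// PURLToPackage parses pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>.
// Qualifiers and subpath are dropped; path segments and the version are
// percent-decoded, so "%40angular" becomes "@angular" and "%2B" becomes "+".
func PURLToPackage(purl string) (PackageInfo, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return PackageInfo{}, errors.New("purl must start with \"pkg:\"")
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	rest, _, _ = strings.Cut(rest, "#") // subpath
	rest, _, _ = strings.Cut(rest, "?") // qualifiers
	typ, rest, ok := strings.Cut(strings.Trim(rest, "/"), "/")
	if !ok || rest == "" {
		return PackageInfo{}, fmt.Errorf("purl %q has no package name", purl)
	}
	eco, known := purlTypeToEcosystem[strings.ToLower(typ)]
	if !known {
		return PackageInfo{}, fmt.Errorf("unsupported purl type %q", typ)
	}
	// The version separator is the last "@". An "@" at index 0 is an
	// unencoded npm scope ("pkg:npm/@scope/name"), not a version.
	version := ""
	if i := strings.LastIndex(rest, "@"); i > 0 {
		rest, version = rest[:i], rest[i+1:]
	}
	version, err := url.PathUnescape(version)
	if err != nil {
		return PackageInfo{}, err
	}
	segs := strings.Split(rest, "/")
	for i := range segs {
		if segs[i], err = url.PathUnescape(segs[i]); err != nil {
			return PackageInfo{}, err
		}
	}
	var name string
	switch eco {
	case EcosystemMaven: // OSV spells Maven names as groupId:artifactId
		name = strings.Join(segs, ":")
	case EcosystemDebian, EcosystemAlpine: // namespace is the distro, not the name
		name = segs[len(segs)-1]
	default:
		name = strings.Join(segs, "/")
	}
	if name == "" {
		return PackageInfo{}, fmt.Errorf("purl %q has no package name", purl)
	}
	return PackageInfo{Name: name, Version: version, Ecosystem: string(eco)}, nil
}
```

Rejecting unknown types instead of passing them through matters in a scanner: a purl that silently maps to an empty ecosystem would be matched against nothing and reported as clean.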

type PackageSource

type PackageSource struct {
	Source SourceInfo `json:"source"`
	// Place Annotations in PackageSource instead of SourceInfo as we need SourceInfo to be mappable
	ExperimentalAnnotations []extractor.Annotation `json:"experimental_annotations,omitempty"`
	Packages                []PackageVulns         `json:"packages"`
}

PackageSource represents the vulnerabilities associated with a source.

type PackageVulns

type PackageVulns struct {
	Package           PackageInfo     `json:"package"`
	DepGroups         []string        `json:"dependency_groups,omitempty"`
	Vulnerabilities   []Vulnerability `json:"vulnerabilities,omitempty"`
	Groups            []GroupInfo     `json:"groups,omitempty"`
	Licenses          []License       `json:"licenses,omitempty"`
	LicenseViolations []License       `json:"license_violations,omitempty"`
}

PackageVulns holds the findings for one package, grouped by package. TODO: rename this to Package, as it now includes license information too.

type Range

type Range struct {
	Type             RangeType              `json:"type"                        yaml:"type"`
	Events           []Event                `json:"events"                      yaml:"events"`
	Repo             string                 `json:"repo,omitempty"              yaml:"repo,omitempty"`
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}

Range describes the affected range of given version for a specific package.

See: https://ossf.github.io/osv-schema/#affectedranges-field

type RangeType

type RangeType string
const (
	RangeSemVer    RangeType = "SEMVER"
	RangeEcosystem RangeType = "ECOSYSTEM"
	RangeGit       RangeType = "GIT"
)

type Reference

type Reference struct {
	Type ReferenceType `json:"type" yaml:"type"`
	URL  string        `json:"url"  yaml:"url"`
}

Reference links to additional information, advisories, issue tracker entries, and so on about the vulnerability itself.

See: https://ossf.github.io/osv-schema/#references-field

type ReferenceType

type ReferenceType string
const (
	ReferenceAdvisory   ReferenceType = "ADVISORY"
	ReferenceArticle    ReferenceType = "ARTICLE"
	ReferenceDetection  ReferenceType = "DETECTION"
	ReferenceDiscussion ReferenceType = "DISCUSSION"
	ReferenceReport     ReferenceType = "REPORT"
	ReferenceFix        ReferenceType = "FIX"
	ReferenceIntroduced ReferenceType = "INTRODUCED"
	ReferencePackage    ReferenceType = "PACKAGE"
	ReferenceEvidence   ReferenceType = "EVIDENCE"
	ReferenceWeb        ReferenceType = "WEB"
)

type Severity

type Severity struct {
	Type  SeverityType `json:"type"  yaml:"type"`
	Score string       `json:"score" yaml:"score"`
}

Severity is used to describe the severity of a vulnerability for an affected package using one or more quantitative scoring methods.

See: https://ossf.github.io/osv-schema/#severity-field

type SeverityType

type SeverityType string
const (
	SeverityCVSSV2 SeverityType = "CVSS_V2"
	SeverityCVSSV3 SeverityType = "CVSS_V3"
	SeverityCVSSV4 SeverityType = "CVSS_V4"
)

type SourceInfo

type SourceInfo struct {
	Path string `json:"path"`
	Type string `json:"type"`
}

func (SourceInfo) String

func (s SourceInfo) String() string

type Vulnerabilities

type Vulnerabilities []Vulnerability

func (Vulnerabilities) MarshalJSON

func (vs Vulnerabilities) MarshalJSON() ([]byte, error)

MarshalJSON ensures that if there are no vulnerabilities, an empty array is used as the value instead of "null".

type Vulnerability

type Vulnerability struct {
	SchemaVersion    string                 `json:"schema_version,omitempty"    yaml:"schema_version,omitempty"`
	ID               string                 `json:"id"                          yaml:"id"`
	Modified         time.Time              `json:"modified"                    yaml:"modified"`
	Published        time.Time              `json:"published,omitempty"         yaml:"published,omitempty"`
	Withdrawn        time.Time              `json:"withdrawn,omitempty"         yaml:"withdrawn,omitempty"`
	Aliases          []string               `json:"aliases,omitempty"           yaml:"aliases,omitempty"`
	Related          []string               `json:"related,omitempty"           yaml:"related,omitempty"`
	Summary          string                 `json:"summary,omitempty"           yaml:"summary,omitempty"`
	Details          string                 `json:"details,omitempty"           yaml:"details,omitempty"`
	Affected         []Affected             `json:"affected,omitempty"          yaml:"affected,omitempty"`
	Severity         []Severity             `json:"severity,omitempty"          yaml:"severity,omitempty"`
	References       []Reference            `json:"references,omitempty"        yaml:"references,omitempty"`
	Credits          []Credit               `json:"credits,omitempty"           yaml:"credits,omitempty"`
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}

Vulnerability is the core Open Source Vulnerability (OSV) data type.

The full documentation for the schema is available at https://ossf.github.io/osv-schema.

func (Vulnerability) FixedVersions

func (v Vulnerability) FixedVersions() map[Package][]string

FixedVersions returns a map of fixed versions for each package, or a map of empty slices if no fixed versions are available.

func (Vulnerability) MarshalJSON

func (v Vulnerability) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

This method ensures that all times are formatted according to the schema.
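Why Vulnerabilities.MarshalJSON and Vulnerability.MarshalJSON exist at all is easy to see in a few lines. The following is an added example, not the package's code: it uses a trimmed local copy of Vulnerability (only the ID and time fields), shows that "omitempty" does nothing for a zero time.Time, and shows that a nil slice encodes as JSON null unless a named slice type takes over. The embedded-shadow technique and the RFC 3339 UTC formatting are this example's choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Vulnerability is a trimmed local copy of the models type: only the fields
// needed to show the two marshalling problems are kept.
type Vulnerability struct {
	ID        string    `json:"id"`
	Modified  time.Time `json:"modified"`
	Published time.Time `json:"published,omitempty"`
	Withdrawn time.Time `json:"withdrawn,omitempty"`
}

// naiveVulnerability has the same fields and tags but no custom marshaller.
type naiveVulnerability Vulnerability

// fmtTime renders a timestamp the way the OSV schema expects (RFC 3339, UTC)
// and returns "" for the zero time so that omitempty can drop it.
func fmtTime(t time.Time) string {
	if t.IsZero() {
		return ""
	}
	return t.UTC().Format(time.RFC3339)
}

// MarshalJSON swaps the time.Time fields for strings. "omitempty" never omits
// a struct value, so without this a zero Withdrawn would be emitted as
// "0001-01-01T00:00:00Z" and read downstream as a real withdrawal date.
// The outer string fields shadow the embedded time.Time fields of the same
// JSON name because encoding/json prefers the shallower field.
func (v Vulnerability) MarshalJSON() ([]byte, error) {
	type plain Vulnerability // same fields, no methods, so no recursion
	return json.Marshal(struct {
		plain
		Modified  string `json:"modified"`
		Published string `json:"published,omitempty"`
		Withdrawn string `json:"withdrawn,omitempty"`
	}{plain(v), fmtTime(v.Modified), fmtTime(v.Published), fmtTime(v.Withdrawn)})
}

// Vulnerabilities marshals a nil or empty slice as [] rather than null, so a
// consumer that expects an array never has to special-case JSON null.
type Vulnerabilities []Vulnerability

func (vs Vulnerabilities) MarshalJSON() ([]byte, error) {
	if len(vs) == 0 {
		return []byte("[]"), nil
	}
	return json.Marshal([]Vulnerability(vs))
}

// sample is constructed input with an invented ID, not a real advisory.
var sample = Vulnerability{
	ID:       "OSV-EXAMPLE-1",
	Modified: time.Date(2025, 2, 12, 9, 30, 0, 0, time.UTC),
}

// NaiveJSON shows the default encoding: zero times leak into the output.
func NaiveJSON() string {
	b, _ := json.Marshal(naiveVulnerability(sample))
	return string(b)
}

// SchemaJSON shows the custom encoding: zero times are dropped.
func SchemaJSON() string {
	b, _ := json.Marshal(sample)
	return string(b)
}

// EmptyListJSON contrasts a nil []Vulnerability with a nil Vulnerabilities.
func EmptyListJSON() (plain, wrapped string) {
	p, _ := json.Marshal([]Vulnerability(nil))
	w, _ := json.Marshal(Vulnerabilities(nil))
	return string(p), string(w)
}

func main() {
	fmt.Println(NaiveJSON())
	fmt.Println(SchemaJSON())
	fmt.Println(EmptyListJSON())
}
```

A downstream tool that treats any present "withdrawn" as "this advisory no longer applies" would drop every finding encoded the naive way, which is why the zero-time case deserves a test of its own.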

func (Vulnerability) MarshalYAML

func (v Vulnerability) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface.

This method ensures that all times are formatted correctly.

type VulnerabilityFlattened

type VulnerabilityFlattened struct {
	Source            SourceInfo
	Package           PackageInfo
	DepGroups         []string
	Vulnerability     Vulnerability
	GroupInfo         GroupInfo
	Licenses          []License
	LicenseViolations []License
}

VulnerabilityFlattened is a flattened version of VulnerabilityResults. TODO: rename this to IssueFlattened or similar in the next major release, as it now contains license violations too.

type VulnerabilityResults

type VulnerabilityResults struct {
	Results                    []PackageSource            `json:"results"`
	ExperimentalAnalysisConfig ExperimentalAnalysisConfig `json:"experimental_config"`
	ImageMetadata              *ImageMetadata             `json:"image_metadata,omitempty"`
}

VulnerabilityResults is the top-level struct for the results of a scan.

func (*VulnerabilityResults) Flatten

func (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened

Flatten flattens the grouped/nested vulnerability results into one flat slice.
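An added example, not the package's own Flatten, that serves both this method and GroupInfo.IsCalled above: it walks a constructed VulnerabilityResults (trimmed local copies of the result types, JSON tags dropped, invented OSV-EXAMPLE-* IDs) down to one row per vulnerability group plus one row per package with license violations, then filters the rows by the documented IsCalled contract. The choice to emit one row per group rather than per vulnerability ID, and to let license rows through unfiltered, is this example's.

```go
package main

// Trimmed local copies of the result types on the page (JSON tags dropped).
type AnalysisInfo struct{ Called, Unimportant bool }
type GroupInfo struct {
	IDs                  []string
	ExperimentalAnalysis map[string]AnalysisInfo
}

// IsCalled follows the documented contract: true if any analysis says the
// vulnerable code is called, and also true when no analysis ran at all.
func (g *GroupInfo) IsCalled() bool {
	if len(g.ExperimentalAnalysis) == 0 {
		return true
	}
	for _, a := range g.ExperimentalAnalysis {
		if a.Called {
			return true
		}
	}
	return false
}

type Vulnerability struct{ ID string }
type PackageInfo struct{ Name, Version, Ecosystem string }
type SourceInfo struct{ Path, Type string }
type License string
type PackageVulns struct {
	Package           PackageInfo
	Vulnerabilities   []Vulnerability
	Groups            []GroupInfo
	LicenseViolations []License
}
type PackageSource struct{ Source SourceInfo; Packages []PackageVulns }
type VulnerabilityResults struct{ Results []PackageSource }
type VulnerabilityFlattened struct {
	Source            SourceInfo
	Package           PackageInfo
	Vulnerability     Vulnerability
	GroupInfo         GroupInfo
	LicenseViolations []License
}

// Flatten emits one row per group (aliases of one issue collapse onto the first
// listed ID with a Vulnerability record) and one row per package with license violations.
func Flatten(r VulnerabilityResults) []VulnerabilityFlattened {
	var rows []VulnerabilityFlattened
	for _, src := range r.Results {
		for _, pkg := range src.Packages {
			byID := map[string]Vulnerability{}
			for _, v := range pkg.Vulnerabilities {
				byID[v.ID] = v
			}
			for _, g := range pkg.Groups {
				for _, id := range g.IDs {
					if v, ok := byID[id]; ok {
						rows = append(rows, VulnerabilityFlattened{Source: src.Source, Package: pkg.Package, Vulnerability: v, GroupInfo: g})
						break
					}
				}
			}
			if len(pkg.LicenseViolations) > 0 {
				rows = append(rows, VulnerabilityFlattened{Source: src.Source, Package: pkg.Package, LicenseViolations: pkg.LicenseViolations})
			}
		}
	}
	return rows
}

// Actionable drops vulnerability rows that call analysis showed to be
// unreachable; rows without a vulnerability (license violations) pass through.
func Actionable(rows []VulnerabilityFlattened) []VulnerabilityFlattened {
	var out []VulnerabilityFlattened
	for _, row := range rows {
		if row.Vulnerability.ID == "" || row.GroupInfo.IsCalled() {
			out = append(out, row)
		}
	}
	return out
}

// SampleResults is constructed scanner output with invented IDs.
func SampleResults() VulnerabilityResults {
	pkg := func(name string, vulns []string, groups []GroupInfo, lic []License) PackageVulns {
		p := PackageVulns{Package: PackageInfo{Name: name, Version: "1.0.0", Ecosystem: "Go"}, Groups: groups, LicenseViolations: lic}
		for _, id := range vulns {
			p.Vulnerabilities = append(p.Vulnerabilities, Vulnerability{ID: id})
		}
		return p
	}
	return VulnerabilityResults{Results: []PackageSource{{Source: SourceInfo{Path: "go.mod", Type: "lockfile"}, Packages: []PackageVulns{
		pkg("example.com/a", []string{"OSV-EXAMPLE-1", "OSV-EXAMPLE-2"}, []GroupInfo{{IDs: []string{"OSV-EXAMPLE-1", "OSV-EXAMPLE-2"}, ExperimentalAnalysis: map[string]AnalysisInfo{"OSV-EXAMPLE-1": {Called: true}}}}, nil),
		pkg("example.com/b", []string{"OSV-EXAMPLE-3"}, []GroupInfo{{IDs: []string{"OSV-EXAMPLE-3"}, ExperimentalAnalysis: map[string]AnalysisInfo{"OSV-EXAMPLE-3": {Called: false}}}}, nil),
		pkg("example.com/c", nil, nil, []License{"AGPL-3.0"}),
		pkg("example.com/d", []string{"OSV-EXAMPLE-4"}, []GroupInfo{{IDs: []string{"OSV-EXAMPLE-4"}}}, nil),
	}}}}
}
```

Package d is the case to watch: it has a finding but no analysis entry, and IsCalled keeps it, so a call-graph that fails to build for one module degrades to "report everything" rather than to "report nothing".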
