Documentation
¶
Index ¶
- Variables
- type Affected
- type AnalysisInfo
- type BaseImageDetails
- type Credit
- type CreditType
- type CycloneDXVersion
- type Ecosystem
- type Event
- type ExperimentalAnalysisConfig
- type ExperimentalLicenseConfig
- type GroupInfo
- type ImageMetadata
- type ImageOriginDetails
- type LayerMetadata
- type License
- type Metadata
- type Package
- type PackageInfo
- type PackageSource
- type PackageVulns
- type Range
- type RangeType
- type Reference
- type ReferenceType
- type Severity
- type SeverityType
- type SourceInfo
- type Vulnerabilities
- type Vulnerability
- type VulnerabilityFlattened
- type VulnerabilityResults
Constants ¶
This section is empty.
Variables ¶
var Ecosystems = []Ecosystem{ EcosystemGo, EcosystemNPM, EcosystemOSSFuzz, EcosystemPyPI, EcosystemRubyGems, EcosystemCratesIO, EcosystemPackagist, EcosystemMaven, EcosystemNuGet, EcosystemLinux, EcosystemDebian, EcosystemAlpine, EcosystemHex, EcosystemAndroid, EcosystemGitHubActions, EcosystemPub, EcosystemConanCenter, EcosystemRockyLinux, EcosystemAlmaLinux, EcosystemBitnami, EcosystemPhotonOS, EcosystemCRAN, EcosystemBioconductor, EcosystemSwiftURL, }
Functions ¶
This section is empty.
Types ¶
type Affected ¶
type Affected struct { Package Package `json:"package,omitempty" yaml:"package,omitempty"` Severity []Severity `json:"severity,omitempty" yaml:"severity,omitempty"` Ranges []Range `json:"ranges,omitempty" yaml:"ranges,omitempty"` Versions []string `json:"versions,omitempty" yaml:"versions,omitempty"` DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"` EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty" yaml:"ecosystem_specific,omitempty"` }
Affected describes an affected package version, meaning one instance that contains the vulnerability.
See: https://ossf.github.io/osv-schema/#affected-fields
func (Affected) MarshalJSON ¶
MarshalJSON implements the json.Marshaler interface.
This method ensures Package is only present if it is not equal to the zero value. This is achieved by embedding the Affected struct with a pointer to Package used to populate the "package" key in the JSON object.
type AnalysisInfo ¶
type BaseImageDetails ¶
type Credit ¶
type Credit struct { Name string `json:"name" yaml:"name"` Type CreditType `json:"type,omitempty" yaml:"type,omitempty"` Contact []string `json:"contact,omitempty" yaml:"contact,omitempty"` }
Credit gives credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.
type CreditType ¶
type CreditType string
const ( CreditFinder CreditType = "FINDER" CreditReporter CreditType = "REPORTER" CreditAnalyst CreditType = "ANALYST" CreditCoordinator CreditType = "COORDINATOR" CreditRemediationDeveloper CreditType = "REMEDIATION_DEVELOPER" //nolint:gosec CreditRemediationReviewer CreditType = "REMEDIATION_REVIEWER" //nolint:gosec CreditRemediationVerifier CreditType = "REMEDIATION_VERIFIER" //nolint:gosec CreditTool CreditType = "TOOL" CreditSponsor CreditType = "SPONSOR" CreditOther CreditType = "OTHER" )
type CycloneDXVersion ¶
type CycloneDXVersion int
const ( CycloneDXVersion14 CycloneDXVersion = iota CycloneDXVersion15 )
type Ecosystem ¶
type Ecosystem string
const ( EcosystemGo Ecosystem = "Go" EcosystemNPM Ecosystem = "npm" EcosystemOSSFuzz Ecosystem = "OSS-Fuzz" EcosystemPyPI Ecosystem = "PyPI" EcosystemRubyGems Ecosystem = "RubyGems" EcosystemCratesIO Ecosystem = "crates.io" EcosystemPackagist Ecosystem = "Packagist" EcosystemMaven Ecosystem = "Maven" EcosystemNuGet Ecosystem = "NuGet" EcosystemLinux Ecosystem = "Linux" EcosystemDebian Ecosystem = "Debian" EcosystemAlpine Ecosystem = "Alpine" EcosystemHex Ecosystem = "Hex" EcosystemAndroid Ecosystem = "Android" EcosystemGitHubActions Ecosystem = "GitHub Actions" EcosystemPub Ecosystem = "Pub" EcosystemConanCenter Ecosystem = "ConanCenter" EcosystemRockyLinux Ecosystem = "Rocky Linux" EcosystemAlmaLinux Ecosystem = "AlmaLinux" EcosystemBitnami Ecosystem = "Bitnami" EcosystemPhotonOS Ecosystem = "Photon OS" EcosystemCRAN Ecosystem = "CRAN" EcosystemBioconductor Ecosystem = "Bioconductor" EcosystemSwiftURL Ecosystem = "SwiftURL" )
type Event ¶
type Event struct { Introduced string `json:"introduced,omitempty" yaml:"introduced,omitempty"` Fixed string `json:"fixed,omitempty" yaml:"fixed,omitempty"` LastAffected string `json:"last_affected,omitempty" yaml:"last_affected,omitempty"` Limit string `json:"limit,omitempty" yaml:"limit,omitempty"` }
Event describes a single version that either:
- Introduces a vulnerability: {"introduced": string}
- Fixes a vulnerability: {"fixed": string}
- Describes the last known affected version: {"last_affected": string}
- Sets an upper limit on the range being described: {"limit": string}
Event instances form part of a “timeline” of status changes for the affected package described by the Affected struct.
See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields
type ExperimentalAnalysisConfig ¶
type ExperimentalAnalysisConfig struct {
Licenses ExperimentalLicenseConfig `json:"licenses"`
}
ExperimentalAnalysisConfig is an experimental type intended to contain the types of analysis performed on packages found by the scanner.
type GroupInfo ¶
type GroupInfo struct { // IDs expected to be sorted in alphanumeric order IDs []string `json:"ids"` // Aliases include all aliases and IDs Aliases []string `json:"aliases"` // Map of Vulnerability IDs to AnalysisInfo ExperimentalAnalysis map[string]AnalysisInfo `json:"experimental_analysis,omitempty"` MaxSeverity string `json:"max_severity"` }
func (*GroupInfo) IndexString ¶
func (*GroupInfo) IsCalled ¶
IsCalled returns true if any analysis performed determines that the vulnerability is being called Also returns true if no analysis is performed
func (*GroupInfo) IsGroupUnimportant ¶
type ImageMetadata ¶
type ImageMetadata struct { OS string `json:"os"` LayerMetadata []LayerMetadata `json:"layer_metadata"` BaseImages [][]BaseImageDetails `json:"base_images"` }
type ImageOriginDetails ¶
type ImageOriginDetails struct {
Index int `json:"index"`
}
type LayerMetadata ¶
type Package ¶
type Package struct { Ecosystem Ecosystem `json:"ecosystem" yaml:"ecosystem"` Name string `json:"name" yaml:"name"` Purl string `json:"purl,omitempty" yaml:"purl,omitempty"` }
Package identifies the affected code library or command provided by the package.
See: https://ossf.github.io/osv-schema/#affectedpackage-field
type PackageInfo ¶
type PackageInfo struct { Name string `json:"name"` OSPackageName string `json:"os_package_name,omitempty"` Version string `json:"version"` Ecosystem string `json:"ecosystem"` Commit string `json:"commit,omitempty"` ImageOrigin *ImageOriginDetails `json:"image_origin_details,omitempty"` }
func PURLToPackage ¶
func PURLToPackage(purl string) (PackageInfo, error)
PURLToPackage converts a Package URL string to models.PackageInfo
type PackageSource ¶
type PackageSource struct { Source SourceInfo `json:"source"` // Place Annotations in PackageSource instead of SourceInfo as we need SourceInfo to be mappable ExperimentalAnnotations []extractor.Annotation `json:"experimental_annotations,omitempty"` Packages []PackageVulns `json:"packages"` }
PackageSource represents Vulnerabilities associated with a Source
type PackageVulns ¶
type PackageVulns struct { Package PackageInfo `json:"package"` DepGroups []string `json:"dependency_groups,omitempty"` Vulnerabilities []Vulnerability `json:"vulnerabilities,omitempty"` Groups []GroupInfo `json:"groups,omitempty"` Licenses []License `json:"licenses,omitempty"` LicenseViolations []License `json:"license_violations,omitempty"` }
PackageVulns grouped by package TODO: rename this to be Package as it now includes license information too.
type Range ¶
type Range struct { Type RangeType `json:"type" yaml:"type"` Events []Event `json:"events" yaml:"events"` Repo string `json:"repo,omitempty" yaml:"repo,omitempty"` DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"` }
Range describes the affected range of given version for a specific package.
See: https://ossf.github.io/osv-schema/#affectedranges-field
type Reference ¶
type Reference struct { Type ReferenceType `json:"type" yaml:"type"` URL string `json:"url" yaml:"url"` }
Reference links to additional information, advisories, issue tracker entries, and so on about the vulnerability itself.
type ReferenceType ¶
type ReferenceType string
const ( ReferenceAdvisory ReferenceType = "ADVISORY" ReferenceArticle ReferenceType = "ARTICLE" ReferenceDetection ReferenceType = "DETECTION" ReferenceDiscussion ReferenceType = "DISCUSSION" ReferenceReport ReferenceType = "REPORT" ReferenceFix ReferenceType = "FIX" ReferenceIntroduced ReferenceType = "INTRODUCED" ReferencePackage ReferenceType = "PACKAGE" ReferenceEvidence ReferenceType = "EVIDENCE" ReferenceWeb ReferenceType = "WEB" )
type Severity ¶
type Severity struct { Type SeverityType `json:"type" yaml:"type"` Score string `json:"score" yaml:"score"` }
Severity is used to describe the severity of a vulnerability for an affected package using one or more quantitative scoring methods.
type SeverityType ¶
type SeverityType string
const ( SeverityCVSSV2 SeverityType = "CVSS_V2" SeverityCVSSV3 SeverityType = "CVSS_V3" SeverityCVSSV4 SeverityType = "CVSS_V4" )
type SourceInfo ¶
func (SourceInfo) String ¶
func (s SourceInfo) String() string
type Vulnerabilities ¶
type Vulnerabilities []Vulnerability
func (Vulnerabilities) MarshalJSON ¶
func (vs Vulnerabilities) MarshalJSON() ([]byte, error)
MarshalJSON ensures that if there are no vulnerabilities, an empty array is used as the value instead of "null"
type Vulnerability ¶
type Vulnerability struct { SchemaVersion string `json:"schema_version,omitempty" yaml:"schema_version,omitempty"` ID string `json:"id" yaml:"id"` Modified time.Time `json:"modified" yaml:"modified"` Published time.Time `json:"published,omitempty" yaml:"published,omitempty"` Withdrawn time.Time `json:"withdrawn,omitempty" yaml:"withdrawn,omitempty"` Aliases []string `json:"aliases,omitempty" yaml:"aliases,omitempty"` Related []string `json:"related,omitempty" yaml:"related,omitempty"` Summary string `json:"summary,omitempty" yaml:"summary,omitempty"` Details string `json:"details,omitempty" yaml:"details,omitempty"` Affected []Affected `json:"affected,omitempty" yaml:"affected,omitempty"` Severity []Severity `json:"severity,omitempty" yaml:"severity,omitempty"` References []Reference `json:"references,omitempty" yaml:"references,omitempty"` Credits []Credit `json:"credits,omitempty" yaml:"credits,omitempty"` DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"` }
Vulnerability is the core Open Source Vulnerability (OSV) data type.
The full documentation for the schema is available at https://ossf.github.io/osv-schema.
func (Vulnerability) FixedVersions ¶
func (v Vulnerability) FixedVersions() map[Package][]string
FixedVersions returns a map of fixed versions for each package, or a map of empty slices if no fixed versions are available
func (Vulnerability) MarshalJSON ¶
func (v Vulnerability) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
This method ensures times all times are formatted correctly according to the schema.
func (Vulnerability) MarshalYAML ¶
func (v Vulnerability) MarshalYAML() (interface{}, error)
MarshalYAML implements the yaml.Marshaler interface.
This method ensures times all times are formatted correctly.
type VulnerabilityFlattened ¶
type VulnerabilityFlattened struct { Source SourceInfo Package PackageInfo DepGroups []string Vulnerability Vulnerability GroupInfo GroupInfo Licenses []License LicenseViolations []License }
VulnerabilityFlattened is a flattened version of the VulnerabilityResults TODO: rename this to IssueFlattened or similar in the next major release as it now contains license violations.
type VulnerabilityResults ¶
type VulnerabilityResults struct { Results []PackageSource `json:"results"` ExperimentalAnalysisConfig ExperimentalAnalysisConfig `json:"experimental_config"` ImageMetadata *ImageMetadata `json:"image_metadata,omitempty"` }
VulnerabilityResults is the top-level struct for the results of a scan
func (*VulnerabilityResults) Flatten ¶
func (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened
Flatten the grouped/nested vulnerability results into one flat array.