models

package
v1.7.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 8, 2024 License: Apache-2.0 Imports: 6 Imported by: 15

Documentation

Index

Constants

This section is empty.

Variables

Functions

This section is empty.

Types

type Affected added in v1.3.0

type Affected struct {
	Package           Package                `json:"package,omitempty"            yaml:"package,omitempty"`
	Severity          []Severity             `json:"severity,omitempty"           yaml:"severity,omitempty"`
	Ranges            []Range                `json:"ranges,omitempty"             yaml:"ranges,omitempty"`
	Versions          []string               `json:"versions,omitempty"           yaml:"versions,omitempty"`
	DatabaseSpecific  map[string]interface{} `json:"database_specific,omitempty"  yaml:"database_specific,omitempty"`
	EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty" yaml:"ecosystem_specific,omitempty"`
}

Affected describes an affected package version, meaning one instance that contains the vulnerability.

See: https://ossf.github.io/osv-schema/#affected-fields

func (Affected) MarshalJSON added in v1.3.5

func (a Affected) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

This method ensures Package is only present if it is not equal to the zero value. This is achieved by embedding the Affected struct with a pointer to Package used to populate the "package" key in the JSON object.

type AnalysisInfo added in v1.3.0

type AnalysisInfo struct {
	Called bool `json:"called"`
}

type Credit added in v1.3.0

type Credit struct {
	Name    string     `json:"name"              yaml:"name"`
	Type    CreditType `json:"type,omitempty"    yaml:"type,omitempty"`
	Contact []string   `json:"contact,omitempty" yaml:"contact,omitempty"`
}

Credit gives credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.

See: https://ossf.github.io/osv-schema/#credits-fields

type CreditType added in v1.3.0

type CreditType string
const (
	CreditFinder               CreditType = "FINDER"
	CreditReporter             CreditType = "REPORTER"
	CreditAnalyst              CreditType = "ANALYST"
	CreditCoordinator          CreditType = "COORDINATOR"
	CreditRemediationDeveloper CreditType = "REMEDIATION_DEVELOPER" //nolint:gosec
	CreditRemediationReviewer  CreditType = "REMEDIATION_REVIEWER"  //nolint:gosec
	CreditRemediationVerifier  CreditType = "REMEDIATION_VERIFIER"  //nolint:gosec
	CreditTool                 CreditType = "TOOL"
	CreditSponsor              CreditType = "SPONSOR"
	CreditOther                CreditType = "OTHER"
)

type Ecosystem added in v1.3.0

type Ecosystem string
const (
	EcosystemGo            Ecosystem = "Go"
	EcosystemNPM           Ecosystem = "npm"
	EcosystemOSSFuzz       Ecosystem = "OSS-Fuzz"
	EcosystemPyPI          Ecosystem = "PyPI"
	EcosystemRubyGems      Ecosystem = "RubyGems"
	EcosystemCratesIO      Ecosystem = "crates.io"
	EcosystemPackagist     Ecosystem = "Packagist"
	EcosystemMaven         Ecosystem = "Maven"
	EcosystemNuGet         Ecosystem = "NuGet"
	EcosystemLinux         Ecosystem = "Linux"
	EcosystemDebian        Ecosystem = "Debian"
	EcosystemAlpine        Ecosystem = "Alpine"
	EcosystemHex           Ecosystem = "Hex"
	EcosystemAndroid       Ecosystem = "Android"
	EcosystemGitHubActions Ecosystem = "GitHub Actions"
	EcosystemPub           Ecosystem = "Pub"
	EcosystemConanCenter   Ecosystem = "ConanCenter"
	EcosystemRockyLinux    Ecosystem = "Rocky Linux"
	EcosystemAlmaLinux     Ecosystem = "AlmaLinux"
	EcosystemBitnami       Ecosystem = "Bitnami"
	EcosystemPhotonOS      Ecosystem = "Photon OS"
	EcosystemCRAN          Ecosystem = "CRAN"
	EcosystemBioconductor  Ecosystem = "Bioconductor"
	EcosystemSwiftURL      Ecosystem = "SwiftURL"
)

type Event added in v1.3.0

type Event struct {
	Introduced   string `json:"introduced,omitempty"    yaml:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"         yaml:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty" yaml:"last_affected,omitempty"`
	Limit        string `json:"limit,omitempty"         yaml:"limit,omitempty"`
}

Event describes a single version that either:

  • Introduces a vulnerability: {"introduced": string}
  • Fixes a vulnerability: {"fixed": string}
  • Describes the last known affected version: {"last_affected": string}
  • Sets an upper limit on the range being described: {"limit": string}

Event instances form part of a “timeline” of status changes for the affected package described by the Affected struct.

See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields

type ExperimentalAnalysisConfig added in v1.5.0

type ExperimentalAnalysisConfig struct {
	Licenses ExperimentalLicenseConfig `json:"licenses"`
}

ExperimentalAnalysisConfig is an experimental type intended to contain the types of analysis performed on packages found by the scanner.

type ExperimentalLicenseConfig added in v1.5.0

type ExperimentalLicenseConfig struct {
	Summary   bool      `json:"summary"`
	Allowlist []License `json:"allowlist"`
}

type GroupInfo

type GroupInfo struct {
	// IDs expected to be sorted in alphanumeric order
	IDs []string `json:"ids"`
	// Aliases include all aliases and IDs
	Aliases []string `json:"aliases"`
	// Map of Vulnerability IDs to AnalysisInfo
	ExperimentalAnalysis map[string]AnalysisInfo `json:"experimentalAnalysis,omitempty"`
	MaxSeverity          string                  `json:"max_severity"`
}

func (*GroupInfo) IndexString added in v1.4.0

func (groupInfo *GroupInfo) IndexString() string

func (*GroupInfo) IsCalled added in v1.3.0

func (groupInfo *GroupInfo) IsCalled() bool

IsCalled returns true if any analysis performed determines that the vulnerability is being called Also returns true if no analysis is performed

type License added in v1.5.0

type License string

License is an SPDX license.

type Metadata added in v1.4.2

type Metadata struct {
	RepoURL   string   `json:"repo_url"`
	DepGroups []string `json:"-"`
}

type Package added in v1.3.0

type Package struct {
	Ecosystem Ecosystem `json:"ecosystem"      yaml:"ecosystem"`
	Name      string    `json:"name"           yaml:"name"`
	Purl      string    `json:"purl,omitempty" yaml:"purl,omitempty"`
}

Package identifies the affected code library or command provided by the package.

See: https://ossf.github.io/osv-schema/#affectedpackage-field

type PackageInfo

type PackageInfo struct {
	Name      string `json:"name"`
	Version   string `json:"version"`
	Ecosystem string `json:"ecosystem"`
	Commit    string `json:"commit,omitempty"`
}

Specific package information

func PURLToPackage added in v1.3.6

func PURLToPackage(purl string) (PackageInfo, error)

PURLToPackage converts a Package URL string to models.PackageInfo

type PackageSource

type PackageSource struct {
	Source   SourceInfo     `json:"source"`
	Packages []PackageVulns `json:"packages"`
}

Vulnerabilities grouped by sources

type PackageVulns

type PackageVulns struct {
	Package           PackageInfo     `json:"package"`
	DepGroups         []string        `json:"dependency_groups,omitempty"`
	Vulnerabilities   []Vulnerability `json:"vulnerabilities,omitempty"`
	Groups            []GroupInfo     `json:"groups,omitempty"`
	Licenses          []License       `json:"licenses,omitempty"`
	LicenseViolations []License       `json:"license_violations,omitempty"`
}

Vulnerabilities grouped by package TODO: rename this to be Package as it now includes license information too.

type Range added in v1.3.0

type Range struct {
	Type             RangeType              `json:"type"                        yaml:"type"`
	Events           []Event                `json:"events"                      yaml:"events"`
	Repo             string                 `json:"repo,omitempty"              yaml:"repo,omitempty"`
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}

Range describes the affected range of given version for a specific package.

See: https://ossf.github.io/osv-schema/#affectedranges-field

type RangeType added in v1.3.0

type RangeType string
const (
	RangeSemVer    RangeType = "SEMVER"
	RangeEcosystem RangeType = "ECOSYSTEM"
	RangeGit       RangeType = "GIT"
)

type Reference added in v1.3.0

type Reference struct {
	Type ReferenceType `json:"type" yaml:"type"`
	URL  string        `json:"url"  yaml:"url"`
}

Reference links to additional information, advisories, issue tracker entries, and so on about the vulnerability itself.

See: https://ossf.github.io/osv-schema/#references-field

type ReferenceType added in v1.3.0

type ReferenceType string
const (
	ReferenceAdvisory   ReferenceType = "ADVISORY"
	ReferenceArticle    ReferenceType = "ARTICLE"
	ReferenceDetection  ReferenceType = "DETECTION"
	ReferenceDiscussion ReferenceType = "DISCUSSION"
	ReferenceReport     ReferenceType = "REPORT"
	ReferenceFix        ReferenceType = "FIX"
	ReferenceIntroduced ReferenceType = "INTRODUCED"
	ReferencePackage    ReferenceType = "PACKAGE"
	ReferenceEvidence   ReferenceType = "EVIDENCE"
	ReferenceWeb        ReferenceType = "WEB"
)

type Severity added in v1.3.0

type Severity struct {
	Type  SeverityType `json:"type"  yaml:"type"`
	Score string       `json:"score" yaml:"score"`
}

Severity is used to describe the severity of a vulnerability for an affected package using one or more quantitative scoring methods.

See: https://ossf.github.io/osv-schema/#severity-field

type SeverityType added in v1.3.0

type SeverityType string
const (
	SeverityCVSSV2 SeverityType = "CVSS_V2"
	SeverityCVSSV3 SeverityType = "CVSS_V3"
	SeverityCVSSV4 SeverityType = "CVSS_V4"
)

type SourceInfo

type SourceInfo struct {
	Path string `json:"path"`
	Type string `json:"type"`
}

func (SourceInfo) String

func (s SourceInfo) String() string

type Vulnerabilities added in v1.4.0

type Vulnerabilities []Vulnerability

func (Vulnerabilities) MarshalJSON added in v1.4.0

func (vs Vulnerabilities) MarshalJSON() ([]byte, error)

MarshalJSON ensures that if there are no vulnerabilities, an empty array is used as the value instead of "null"

type Vulnerability

type Vulnerability struct {
	SchemaVersion    string                 `json:"schema_version,omitempty"    yaml:"schema_version,omitempty"`
	ID               string                 `json:"id"                          yaml:"id"`
	Modified         time.Time              `json:"modified"                    yaml:"modified"`
	Published        time.Time              `json:"published,omitempty"         yaml:"published,omitempty"`
	Withdrawn        time.Time              `json:"withdrawn,omitempty"         yaml:"withdrawn,omitempty"`
	Aliases          []string               `json:"aliases,omitempty"           yaml:"aliases,omitempty"`
	Related          []string               `json:"related,omitempty"           yaml:"related,omitempty"`
	Summary          string                 `json:"summary,omitempty"           yaml:"summary,omitempty"`
	Details          string                 `json:"details,omitempty"           yaml:"details,omitempty"`
	Affected         []Affected             `json:"affected,omitempty"          yaml:"affected,omitempty"`
	Severity         []Severity             `json:"severity,omitempty"          yaml:"severity,omitempty"`
	References       []Reference            `json:"references,omitempty"        yaml:"references,omitempty"`
	Credits          []Credit               `json:"credits,omitempty"           yaml:"credits,omitempty"`
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}

Vulnerability is the core Open Source Vulnerability (OSV) data type.

The full documentation for the schema is available at https://ossf.github.io/osv-schema.

func (*Vulnerability) FixedVersions added in v1.4.0

func (v *Vulnerability) FixedVersions() map[Package][]string

FixedVersions returns a map of fixed versions for each package, or a map of empty slices if no fixed versions are available

func (Vulnerability) MarshalJSON added in v1.3.5

func (v Vulnerability) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface.

This method ensures times all times are formatted correctly according to the schema.

func (Vulnerability) MarshalYAML added in v1.3.5

func (v Vulnerability) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface.

This method ensures times all times are formatted correctly.

type VulnerabilityFlattened

type VulnerabilityFlattened struct {
	Source            SourceInfo
	Package           PackageInfo
	DepGroups         []string
	Vulnerability     Vulnerability
	GroupInfo         GroupInfo
	Licenses          []License
	LicenseViolations []License
}

Flattened Vulnerability Information. TODO: rename this to IssueFlattened or similar in the next major release as it now contains license violations.

type VulnerabilityResults

type VulnerabilityResults struct {
	Results                    []PackageSource            `json:"results"`
	ExperimentalAnalysisConfig ExperimentalAnalysisConfig `json:"experimental_config"`
}

Combined vulnerabilities found for the scanned packages

func (*VulnerabilityResults) Flatten

func (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened

Flatten the grouped/nested vulnerability results into one flat array.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL