Documentation
Index
- Variables
- type Affected
- type AnalysisInfo
- type Credit
- type CreditType
- type Ecosystem
- type Event
- type ExperimentalAnalysisConfig
- type ExperimentalLicenseConfig
- type GroupInfo
- type License
- type Metadata
- type Package
- type PackageInfo
- type PackageSource
- type PackageVulns
- type Range
- type RangeType
- type Reference
- type ReferenceType
- type Severity
- type SeverityType
- type SourceInfo
- type Vulnerabilities
- type Vulnerability
- type VulnerabilityFlattened
- type VulnerabilityResults
Constants
This section is empty.
Variables
var Ecosystems = []Ecosystem{
	EcosystemGo,
	EcosystemNPM,
	EcosystemOSSFuzz,
	EcosystemPyPI,
	EcosystemRubyGems,
	EcosystemCratesIO,
	EcosystemPackagist,
	EcosystemMaven,
	EcosystemNuGet,
	EcosystemLinux,
	EcosystemDebian,
	EcosystemAlpine,
	EcosystemHex,
	EcosystemAndroid,
	EcosystemGitHubActions,
	EcosystemPub,
	EcosystemConanCenter,
	EcosystemRockyLinux,
	EcosystemAlmaLinux,
	EcosystemBitnami,
	EcosystemPhotonOS,
	EcosystemCRAN,
	EcosystemBioconductor,
	EcosystemSwiftURL,
}
Functions
This section is empty.
Types
type Affected (added in v1.3.0)
type Affected struct {
	Package           Package                `json:"package,omitempty" yaml:"package,omitempty"`
	Severity          []Severity             `json:"severity,omitempty" yaml:"severity,omitempty"`
	Ranges            []Range                `json:"ranges,omitempty" yaml:"ranges,omitempty"`
	Versions          []string               `json:"versions,omitempty" yaml:"versions,omitempty"`
	DatabaseSpecific  map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
	EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty" yaml:"ecosystem_specific,omitempty"`
}
Affected describes an affected package version, meaning one instance that contains the vulnerability.
See: https://ossf.github.io/osv-schema/#affected-fields
func (Affected) MarshalJSON (added in v1.3.5)
MarshalJSON implements the json.Marshaler interface.
This method ensures Package is only present if it is not equal to the zero value. This is achieved by embedding the Affected struct with a pointer to Package used to populate the "package" key in the JSON object.
type AnalysisInfo (added in v1.3.0)
type AnalysisInfo struct {
	Called bool `json:"called"`
}
type Credit (added in v1.3.0)
type Credit struct {
	Name    string     `json:"name" yaml:"name"`
	Type    CreditType `json:"type,omitempty" yaml:"type,omitempty"`
	Contact []string   `json:"contact,omitempty" yaml:"contact,omitempty"`
}
Credit gives credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.
type CreditType (added in v1.3.0)
type CreditType string
const (
	CreditFinder               CreditType = "FINDER"
	CreditReporter             CreditType = "REPORTER"
	CreditAnalyst              CreditType = "ANALYST"
	CreditCoordinator          CreditType = "COORDINATOR"
	CreditRemediationDeveloper CreditType = "REMEDIATION_DEVELOPER" //nolint:gosec
	CreditRemediationReviewer  CreditType = "REMEDIATION_REVIEWER"  //nolint:gosec
	CreditRemediationVerifier  CreditType = "REMEDIATION_VERIFIER"  //nolint:gosec
	CreditTool                 CreditType = "TOOL"
	CreditSponsor              CreditType = "SPONSOR"
	CreditOther                CreditType = "OTHER"
)
type Ecosystem (added in v1.3.0)
type Ecosystem string
const (
	EcosystemGo            Ecosystem = "Go"
	EcosystemNPM           Ecosystem = "npm"
	EcosystemOSSFuzz       Ecosystem = "OSS-Fuzz"
	EcosystemPyPI          Ecosystem = "PyPI"
	EcosystemRubyGems      Ecosystem = "RubyGems"
	EcosystemCratesIO      Ecosystem = "crates.io"
	EcosystemPackagist     Ecosystem = "Packagist"
	EcosystemMaven         Ecosystem = "Maven"
	EcosystemNuGet         Ecosystem = "NuGet"
	EcosystemLinux         Ecosystem = "Linux"
	EcosystemDebian        Ecosystem = "Debian"
	EcosystemAlpine        Ecosystem = "Alpine"
	EcosystemHex           Ecosystem = "Hex"
	EcosystemAndroid       Ecosystem = "Android"
	EcosystemGitHubActions Ecosystem = "GitHub Actions"
	EcosystemPub           Ecosystem = "Pub"
	EcosystemConanCenter   Ecosystem = "ConanCenter"
	EcosystemRockyLinux    Ecosystem = "Rocky Linux"
	EcosystemAlmaLinux     Ecosystem = "AlmaLinux"
	EcosystemBitnami       Ecosystem = "Bitnami"
	EcosystemPhotonOS      Ecosystem = "Photon OS"
	EcosystemCRAN          Ecosystem = "CRAN"
	EcosystemBioconductor  Ecosystem = "Bioconductor"
	EcosystemSwiftURL      Ecosystem = "SwiftURL"
)
type Event (added in v1.3.0)
type Event struct {
	Introduced   string `json:"introduced,omitempty" yaml:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty" yaml:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty" yaml:"last_affected,omitempty"`
	Limit        string `json:"limit,omitempty" yaml:"limit,omitempty"`
}
Event describes a single version that either:
- Introduces a vulnerability: {"introduced": string}
- Fixes a vulnerability: {"fixed": string}
- Describes the last known affected version: {"last_affected": string}
- Sets an upper limit on the range being described: {"limit": string}
Event instances form part of a “timeline” of status changes for the affected package described by the Affected struct.
See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields
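The timeline semantics above are what a scanner evaluates when it decides whether an installed version is affected. The following is an added example, not osv-scanner's own matching code: it declares local copies of Event and Range (assumed to mirror the field names and JSON tags shown here, with Repo and DatabaseSpecific left out), decodes a constructed "ranges" array, and walks the events in order. Two simplifications are labelled in the comments: versions are compared as dotted integers rather than with a real SemVer or ecosystem comparator, and "limit" is treated as an exclusive upper cap.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Local copies of the page's Event and Range types (assumption: same field
// names and JSON tags as the models package), so the example runs without
// importing osv-scanner. Repo and DatabaseSpecific are left out for brevity.
type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
	Limit        string `json:"limit,omitempty"`
}

type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}

// compareVersions orders dotted numeric versions ("1.2.10" sorts after
// "1.2.9"). Deliberate simplification: SemVer pre-release tags and
// ecosystem-specific schemes (Debian epochs, PEP 440) need a real comparator.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// IsAffected walks the events as the timeline the schema describes, assuming
// they are already in version order: "introduced" opens an affected window
// ("0" meaning every version since the first), "fixed" closes it exclusively,
// "last_affected" closes it inclusively, and "limit" (assumption) is treated
// as an exclusive cap on how far the range reaches.
func IsAffected(r Range, version string) bool {
	affected := false
	for _, ev := range r.Events {
		switch {
		case ev.Introduced != "":
			if ev.Introduced == "0" || compareVersions(version, ev.Introduced) >= 0 {
				affected = true
			}
		case ev.Fixed != "":
			if compareVersions(version, ev.Fixed) >= 0 {
				affected = false
			}
		case ev.LastAffected != "":
			if compareVersions(version, ev.LastAffected) > 0 {
				affected = false
			}
		case ev.Limit != "":
			if compareVersions(version, ev.Limit) >= 0 {
				affected = false
			}
		}
	}
	return affected
}

// VersionAffected decodes the "ranges" array of an OSV affected entry and
// reports whether version falls inside any of its ranges.
func VersionAffected(rangesJSON, version string) (bool, error) {
	var ranges []Range
	if err := json.Unmarshal([]byte(rangesJSON), &ranges); err != nil {
		return false, fmt.Errorf("decoding ranges: %w", err)
	}
	for _, r := range ranges {
		if IsAffected(r, version) {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample: two affected windows, [0, 1.0.2) and [2.0.0, 2.3.1),
// plus a second range closed inclusively with last_affected.
const sampleRanges = `[
  {"type": "SEMVER", "events": [
    {"introduced": "0"}, {"fixed": "1.0.2"},
    {"introduced": "2.0.0"}, {"fixed": "2.3.1"}
  ]},
  {"type": "ECOSYSTEM", "events": [
    {"introduced": "3.0.0"}, {"last_affected": "3.1.0"}
  ]}
]`

func main() {
	for _, v := range []string{"0.9.0", "1.0.2", "1.5.0", "2.3.0", "2.3.1", "3.1.0", "3.1.1"} {
		ok, err := VersionAffected(sampleRanges, v)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%-6s affected=%v\n", v, ok)
	}
}
```

The walk only sets the affected flag on "introduced" and only clears it on a closing event, so a version sitting in an earlier window is not knocked out by a later, higher "introduced" event; this depends on the events being in version order, which a consumer must ensure before matching.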
type ExperimentalAnalysisConfig (added in v1.5.0)
type ExperimentalAnalysisConfig struct {
	Licenses ExperimentalLicenseConfig `json:"licenses"`
}
ExperimentalAnalysisConfig is an experimental type intended to contain the types of analysis performed on packages found by the scanner.
type ExperimentalLicenseConfig (added in v1.5.0)
type GroupInfo
type GroupInfo struct {
	// IDs expected to be sorted in alphanumeric order
	IDs []string `json:"ids"`
	// Aliases include all aliases and IDs
	Aliases []string `json:"aliases"`
	// Map of Vulnerability IDs to AnalysisInfo
	ExperimentalAnalysis map[string]AnalysisInfo `json:"experimentalAnalysis,omitempty"`
	MaxSeverity          string                  `json:"max_severity"`
}
func (*GroupInfo) IndexString (added in v1.4.0)
type Package (added in v1.3.0)
type Package struct {
	Ecosystem Ecosystem `json:"ecosystem" yaml:"ecosystem"`
	Name      string    `json:"name" yaml:"name"`
	Purl      string    `json:"purl,omitempty" yaml:"purl,omitempty"`
}
Package identifies the affected code library or command provided by the package.
See: https://ossf.github.io/osv-schema/#affectedpackage-field
type PackageInfo
type PackageInfo struct {
	Name      string `json:"name"`
	Version   string `json:"version"`
	Ecosystem string `json:"ecosystem"`
	Commit    string `json:"commit,omitempty"`
}
Specific package information
func PURLToPackage (added in v1.3.6)
func PURLToPackage(purl string) (PackageInfo, error)
PURLToPackage converts a Package URL string to models.PackageInfo.
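As an added illustration of what a Package URL to PackageInfo conversion has to handle, the parser below is example code, not osv-scanner's PURLToPackage. It declares a local copy of PackageInfo (assumed to match the fields shown above), checks the "pkg:" scheme, discards qualifiers and subpath, splits the version off after the last path segment, and percent-decodes each segment so an npm scope written as %40 comes back as "@". The table mapping purl types to OSV ecosystem names is the author's own assumption and covers only a few types; anything unrecognised is rejected rather than guessed, since a wrong ecosystem means matching against the wrong advisories.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Local copy of the page's PackageInfo (assumption: same fields and tags).
type PackageInfo struct {
	Name      string `json:"name"`
	Version   string `json:"version"`
	Ecosystem string `json:"ecosystem"`
	Commit    string `json:"commit,omitempty"`
}

// purlTypeToEcosystem maps purl "type" segments to the OSV ecosystem names
// used by the Ecosystem constants on this page. Assumption: only these types
// are covered; unknown types are rejected rather than guessed.
var purlTypeToEcosystem = map[string]string{
	"npm":      "npm",
	"golang":   "Go",
	"pypi":     "PyPI",
	"cargo":    "crates.io",
	"maven":    "Maven",
	"gem":      "RubyGems",
	"nuget":    "NuGet",
	"composer": "Packagist",
}

// ParsePURL is an illustrative stand-in for PURLToPackage. It accepts the
// purl shape pkg:type/namespace/name@version?qualifiers#subpath. Maven
// coordinates join namespace and name with ":", every other ecosystem here
// joins them with "/" (assumption matching how OSV names those packages).
func ParsePURL(purl string) (PackageInfo, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return PackageInfo{}, fmt.Errorf("purl %q does not start with pkg:", purl)
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	// Qualifiers (?...) and subpath (#...) are not part of the package identity.
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i]
	}
	rest = strings.TrimLeft(rest, "/") // "pkg://type/..." is tolerated by the spec
	slash := strings.Index(rest, "/")
	if slash < 0 || slash == len(rest)-1 {
		return PackageInfo{}, fmt.Errorf("purl %q has no name", purl)
	}
	typ, path := rest[:slash], rest[slash+1:]
	eco, known := purlTypeToEcosystem[strings.ToLower(typ)]
	if !known {
		return PackageInfo{}, fmt.Errorf("unsupported purl type %q", typ)
	}
	// The version separator is an "@" after the last "/", so an unencoded
	// npm scope ("@scope/name") is not mistaken for a version.
	version := ""
	if at := strings.LastIndex(path, "@"); at > strings.LastIndex(path, "/") {
		version, path = path[at+1:], path[:at]
	}
	segs := strings.Split(path, "/")
	for i, s := range segs {
		dec, err := url.PathUnescape(s)
		if err != nil {
			return PackageInfo{}, fmt.Errorf("bad escape in %q: %w", s, err)
		}
		segs[i] = dec
	}
	sep := "/"
	if eco == "Maven" {
		sep = ":"
	}
	name := strings.Join(segs, sep)
	if name == "" {
		return PackageInfo{}, fmt.Errorf("purl %q has an empty name", purl)
	}
	ver, err := url.PathUnescape(version)
	if err != nil {
		return PackageInfo{}, fmt.Errorf("bad escape in version %q: %w", version, err)
	}
	return PackageInfo{Name: name, Version: ver, Ecosystem: eco}, nil
}

func main() {
	// Constructed sample purls; the names are placeholders, not real packages.
	for _, p := range []string{
		"pkg:npm/%40example/pkg@0.1.0?arch=x64#sub/dir",
		"pkg:maven/org.example/lib@1.9",
		"pkg:golang/github.com/example/mod@v1.2.3",
		"pkg:pypi/example-lib",
		"pkg:unknowntype/foo@1.0",
	} {
		info, err := ParsePURL(p)
		fmt.Printf("%-48s -> %+v err=%v\n", p, info, err)
	}
}
```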
type PackageSource
type PackageSource struct {
	Source   SourceInfo     `json:"source"`
	Packages []PackageVulns `json:"packages"`
}
Vulnerabilities grouped by source.
type PackageVulns
type PackageVulns struct {
	Package           PackageInfo     `json:"package"`
	DepGroups         []string        `json:"dependency_groups,omitempty"`
	Vulnerabilities   []Vulnerability `json:"vulnerabilities,omitempty"`
	Groups            []GroupInfo     `json:"groups,omitempty"`
	Licenses          []License       `json:"licenses,omitempty"`
	LicenseViolations []License       `json:"license_violations,omitempty"`
}
Vulnerabilities grouped by package. TODO: rename this to Package, as it now includes license information too.
type Range (added in v1.3.0)
type Range struct {
	Type             RangeType              `json:"type" yaml:"type"`
	Events           []Event                `json:"events" yaml:"events"`
	Repo             string                 `json:"repo,omitempty" yaml:"repo,omitempty"`
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}
Range describes the affected version range for a specific package.
See: https://ossf.github.io/osv-schema/#affectedranges-field
type Reference (added in v1.3.0)
type Reference struct {
	Type ReferenceType `json:"type" yaml:"type"`
	URL  string        `json:"url" yaml:"url"`
}
Reference links to additional information, advisories, issue tracker entries, and so on about the vulnerability itself.
type ReferenceType (added in v1.3.0)
type ReferenceType string
const (
	ReferenceAdvisory   ReferenceType = "ADVISORY"
	ReferenceArticle    ReferenceType = "ARTICLE"
	ReferenceDetection  ReferenceType = "DETECTION"
	ReferenceDiscussion ReferenceType = "DISCUSSION"
	ReferenceReport     ReferenceType = "REPORT"
	ReferenceFix        ReferenceType = "FIX"
	ReferenceIntroduced ReferenceType = "INTRODUCED"
	ReferencePackage    ReferenceType = "PACKAGE"
	ReferenceEvidence   ReferenceType = "EVIDENCE"
	ReferenceWeb        ReferenceType = "WEB"
)
type Severity (added in v1.3.0)
type Severity struct {
	Type  SeverityType `json:"type" yaml:"type"`
	Score string       `json:"score" yaml:"score"`
}
Severity is used to describe the severity of a vulnerability for an affected package using one or more quantitative scoring methods.
type SeverityType (added in v1.3.0)
type SeverityType string
const (
	SeverityCVSSV2 SeverityType = "CVSS_V2"
	SeverityCVSSV3 SeverityType = "CVSS_V3"
	SeverityCVSSV4 SeverityType = "CVSS_V4"
)
type SourceInfo
func (SourceInfo) String
func (s SourceInfo) String() string
type Vulnerabilities (added in v1.4.0)
type Vulnerabilities []Vulnerability
func (Vulnerabilities) MarshalJSON (added in v1.4.0)
func (vs Vulnerabilities) MarshalJSON() ([]byte, error)
MarshalJSON ensures that if there are no vulnerabilities, an empty array is used as the value instead of "null".
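Both custom marshalers on this page exist because encoding/json's defaults produce output that downstream consumers of a scan report handle badly: a nil slice encodes as null rather than [], and omitempty never drops a zero-valued struct such as an empty Package. The following is an added example, not osv-scanner's code; it declares reduced local copies of Package, Affected, Vulnerability and Vulnerabilities (assumed to mirror the field names and JSON tags shown on this page, with most fields left out) and implements the two techniques described: the embedded-struct-with-pointer trick for Affected.MarshalJSON, and the nil-to-[] rule for Vulnerabilities.MarshalJSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Reduced local copies of the page's types (assumption: same field names and
// JSON tags, fewer fields) so the example runs without importing osv-scanner.
type Package struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
	Purl      string `json:"purl,omitempty"`
}

type Affected struct {
	Package  Package  `json:"package,omitempty"`
	Versions []string `json:"versions,omitempty"`
}

type Vulnerability struct {
	ID       string     `json:"id"`
	Affected []Affected `json:"affected,omitempty"`
}

type Vulnerabilities []Vulnerability

// MarshalJSON omits "package" when Package is the zero value. omitempty never
// drops a struct, so Affected is embedded under a method-less alias type and
// its Package field is shadowed by a pointer at a shallower depth, which
// encoding/json lets win and which omitempty does drop when nil. The alias
// has no MarshalJSON method, so json.Marshal does not recurse back here.
func (a Affected) MarshalJSON() ([]byte, error) {
	type rawAffected Affected
	out := struct {
		rawAffected
		Package *Package `json:"package,omitempty"`
	}{rawAffected: rawAffected(a)}
	if a.Package != (Package{}) {
		out.Package = &a.Package
	}
	return json.Marshal(out)
}

// MarshalJSON emits [] for a nil slice instead of the default null, so a
// report with no findings still carries a well-formed, iterable array.
func (vs Vulnerabilities) MarshalJSON() ([]byte, error) {
	if vs == nil {
		return []byte("[]"), nil
	}
	// Converting to the plain slice type sheds the method set, avoiding recursion.
	return json.Marshal([]Vulnerability(vs))
}

// EncodePlain shows the default encoding of an ordinary slice (nil -> null).
func EncodePlain(vs []Vulnerability) string {
	b, _ := json.Marshal(vs)
	return string(b)
}

// EncodeVulns encodes through the custom marshaler (nil -> []).
func EncodeVulns(vs Vulnerabilities) string {
	b, _ := json.Marshal(vs)
	return string(b)
}

// TopLevelKeys marshals an Affected and returns the object keys that
// survived, sorted, which makes the omitted "package" visible.
func TopLevelKeys(a Affected) ([]string, error) {
	b, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(b, &m); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

func main() {
	fmt.Println("plain nil slice:   ", EncodePlain(nil))
	fmt.Println("Vulnerabilities nil:", EncodeVulns(nil))
	// Constructed sample: one affected entry with a package, one without.
	withPkg := Affected{Package: Package{Ecosystem: "npm", Name: "example-pkg"}, Versions: []string{"1.0.0"}}
	noPkg := Affected{Versions: []string{"1.0.0"}}
	for _, a := range []Affected{withPkg, noPkg} {
		b, _ := json.Marshal(a)
		fmt.Println(string(b))
	}
}
```

The nil check in Vulnerabilities.MarshalJSON is reached because encoding/json short-circuits to null only for nil pointers, not for nil slices that implement json.Marshaler; an empty non-nil slice already encodes as [] on its own.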
type Vulnerability
type Vulnerability struct {
	SchemaVersion    string                 `json:"schema_version,omitempty" yaml:"schema_version,omitempty"`
	ID               string                 `json:"id" yaml:"id"`
	Modified         time.Time              `json:"modified" yaml:"modified"`
	Published        time.Time              `json:"published,omitempty" yaml:"published,omitempty"`
	Withdrawn        time.Time              `json:"withdrawn,omitempty" yaml:"withdrawn,omitempty"`
	Aliases          []string               `json:"aliases,omitempty" yaml:"aliases,omitempty"`
	Related          []string               `json:"related,omitempty" yaml:"related,omitempty"`
	Summary          string                 `json:"summary,omitempty" yaml:"summary,omitempty"`
	Details          string                 `json:"details,omitempty" yaml:"details,omitempty"`
	Affected         []Affected             `json:"affected,omitempty" yaml:"affected,omitempty"`
	Severity         []Severity             `json:"severity,omitempty" yaml:"severity,omitempty"`
	References       []Reference            `json:"references,omitempty" yaml:"references,omitempty"`
	Credits          []Credit               `json:"credits,omitempty" yaml:"credits,omitempty"`
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}
Vulnerability is the core Open Source Vulnerability (OSV) data type.
The full documentation for the schema is available at https://ossf.github.io/osv-schema.
func (*Vulnerability) FixedVersions (added in v1.4.0)
func (v *Vulnerability) FixedVersions() map[Package][]string
FixedVersions returns a map of fixed versions for each package, or a map of empty slices if no fixed versions are available.
func (Vulnerability) MarshalJSON (added in v1.3.5)
func (v Vulnerability) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
This method ensures all times are formatted correctly according to the schema.
func (Vulnerability) MarshalYAML (added in v1.3.5)
func (v Vulnerability) MarshalYAML() (interface{}, error)
MarshalYAML implements the yaml.Marshaler interface.
This method ensures all times are formatted correctly.
type VulnerabilityFlattened
type VulnerabilityFlattened struct {
	Source            SourceInfo
	Package           PackageInfo
	DepGroups         []string
	Vulnerability     Vulnerability
	GroupInfo         GroupInfo
	Licenses          []License
	LicenseViolations []License
}
Flattened Vulnerability Information. TODO: rename this to IssueFlattened or similar in the next major release as it now contains license violations.
type VulnerabilityResults
type VulnerabilityResults struct {
	Results                    []PackageSource            `json:"results"`
	ExperimentalAnalysisConfig ExperimentalAnalysisConfig `json:"experimental_config"`
}
Combined vulnerabilities found for the scanned packages
func (*VulnerabilityResults) Flatten
func (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened
Flatten the grouped/nested vulnerability results into one flat array.