cves

package
v0.0.0-...-9d48acd Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 28, 2025 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	CVE5TimeFormat = "2006-01-02T15:04:05"
)
View Source 
const NVDISO8601Time = "2006-01-02T15:04:05.999"

Vexingly, the timestamps used are not RFC 3339, but part of the (much) broader ISO 8601.

Variables

View Source 
var (
	InvalidRepos = []string{
		"https://github.com/ComparedArray/printix-CVE-2022-25089",
		"https://github.com/CVEProject/cvelist",
		"https://github.com/github/cvelist",
		"https://github.com/github/securitylab",
		"https://github.com/gitlabhq/gitlabhq",
		"https://github.com/n0Sleeper/bosscmsVuln",
		"https://github.com/rapid7/metasploit-framework",
		"https://github.com/starnightcyber/miscellaneous",
		"https://gitlab.com/gitlab-org/gitlab-ce",
		"https://gitlab.com/gitlab-org/gitlab-ee",
		"https://gitlab.com/gitlab-org/gitlab-foss",
		"https://gitlab.com/gitlab-org/omnibus-gitlab",
	}
	InvalidRepoRegex = `(?i)/(?:(?:CVEs?)|(?:CVE-\d{4}-\d{4,})(?:/?.*)?|bug_report(?:/.*)?|GitHubAssessments/.*)`
)

Functions

func AffectedCommitCompare 

func AffectedCommitCompare(i, j AffectedCommit) int

Helper function for sorting AffectedCommit for stability. Sorts by Repo, then Fixed, then LastAffected, then Introduced.

func CPEs 

func CPEs(cve CVE) []string

func Commit 

func Commit(u string) (string, error)

Returns the commit ID from supported links.

func EnglishDescription 

func EnglishDescription(cve CVE) string

func NormalizeVersion 

func NormalizeVersion(version string) (normalizedVersion string, e error)

Normalize version strings found in CVE CPE Match data or Git tags. Use the same logic and behaviour as normalize_tag() osv/bug.py for consistency.

func ParseCVE5Timestamp 

func ParseCVE5Timestamp(timestamp string) (time.Time, error)

func RemoveQuoting 

func RemoveQuoting(s string) (result string)

There are some weird and wonderful rules about quoting with strings in CPEs See 5.3.2 of NISTIR 7695 for more details https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf

func Repo 

func Repo(u string) (string, error)

Returns the base repository URL for supported repository hosts. 

func ValidateAndCanonicalizeLink(link string) (canonicalLink string, err error)

Detect linkrot and handle link decay in HTTP(S) links via HEAD request with exponential backoff.

Types

type AffectedCommit 

type AffectedCommit struct {
	Repo         string `json:"repo,omitempty" yaml:"repo,omitempty"`
	Introduced   string `json:"introduced,omitempty" yaml:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty" yaml:"fixed,omitempty"`
	Limit        string `json:"limit,omitempty" yaml:"limit,omitempty"`
	LastAffected string `json:"last_affected,omitempty" yaml:"last_affected,omitempty"`
}

func (*AffectedCommit) InvalidRange 

func (ac *AffectedCommit) InvalidRange() bool

Check if the commit range actually spans any commits. A range that starts and ends with the same commit is not considered a valid range.

func (*AffectedCommit) SetFixed 

func (ac *AffectedCommit) SetFixed(commit string)

func (*AffectedCommit) SetIntroduced 

func (ac *AffectedCommit) SetIntroduced(commit string)

func (*AffectedCommit) SetLastAffected 

func (ac *AffectedCommit) SetLastAffected(commit string)

func (*AffectedCommit) SetLimit 

func (ac *AffectedCommit) SetLimit(commit string)

func (*AffectedCommit) SetRepo 

func (ac *AffectedCommit) SetRepo(repo string)

type AffectedVersion 

type AffectedVersion struct {
	Introduced   string `json:"introduced,omitempty" yaml:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty" yaml:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty" yaml:"last_affected,omitempty"`
}

type CPE 

type CPE struct {
	CPEVersion string
	Part       string
	Vendor     string
	Product    string
	Version    string
	Update     string
	Edition    string
	Language   string
	SWEdition  string
	TargetSW   string
	TargetHW   string
	Other      string
}

func ParseCPE 

func ParseCPE(formattedString string) (*CPE, error)

Parse a well-formed CPE string into a struct.

type CPEMatch 

type CPEMatch struct {
	// Criteria corresponds to the JSON schema field "criteria".
	Criteria string `json:"criteria" yaml:"criteria" mapstructure:"criteria"`

	// MatchCriteriaId corresponds to the JSON schema field "matchCriteriaId".
	MatchCriteriaId string `json:"matchCriteriaId" yaml:"matchCriteriaId" mapstructure:"matchCriteriaId"`

	// VersionEndExcluding corresponds to the JSON schema field "versionEndExcluding".
	VersionEndExcluding *string `json:"versionEndExcluding,omitempty" yaml:"versionEndExcluding,omitempty" mapstructure:"versionEndExcluding,omitempty"`

	// VersionEndIncluding corresponds to the JSON schema field "versionEndIncluding".
	VersionEndIncluding *string `json:"versionEndIncluding,omitempty" yaml:"versionEndIncluding,omitempty" mapstructure:"versionEndIncluding,omitempty"`

	// VersionStartExcluding corresponds to the JSON schema field
	// "versionStartExcluding".
	VersionStartExcluding *string `json:"versionStartExcluding,omitempty" yaml:"versionStartExcluding,omitempty" mapstructure:"versionStartExcluding,omitempty"`

	// VersionStartIncluding corresponds to the JSON schema field
	// "versionStartIncluding".
	VersionStartIncluding *string `json:"versionStartIncluding,omitempty" yaml:"versionStartIncluding,omitempty" mapstructure:"versionStartIncluding,omitempty"`

	// Vulnerable corresponds to the JSON schema field "vulnerable".
	Vulnerable bool `json:"vulnerable" yaml:"vulnerable" mapstructure:"vulnerable"`
}

CPE match string or range

func (*CPEMatch) UnmarshalJSON 

func (j *CPEMatch) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler.

type CVE 

type CVE struct {
	// CISAActionDue corresponds to the JSON schema field "cisaActionDue".
	CISAActionDue *types.SerializableDate `json:"cisaActionDue,omitempty" yaml:"cisaActionDue,omitempty" mapstructure:"cisaActionDue,omitempty"`

	// CISAExploitAdd corresponds to the JSON schema field "cisaExploitAdd".
	CISAExploitAdd *types.SerializableDate `json:"cisaExploitAdd,omitempty" yaml:"cisaExploitAdd,omitempty" mapstructure:"cisaExploitAdd,omitempty"`

	// CISARequiredAction corresponds to the JSON schema field "cisaRequiredAction".
	CISARequiredAction *string `json:"cisaRequiredAction,omitempty" yaml:"cisaRequiredAction,omitempty" mapstructure:"cisaRequiredAction,omitempty"`

	// CISAVulnerabilityName corresponds to the JSON schema field
	// "cisaVulnerabilityName".
	CISAVulnerabilityName *string `json:"cisaVulnerabilityName,omitempty" yaml:"cisaVulnerabilityName,omitempty" mapstructure:"cisaVulnerabilityName,omitempty"`

	// Configurations corresponds to the JSON schema field "configurations".
	Configurations []Config `json:"configurations,omitempty" yaml:"configurations,omitempty" mapstructure:"configurations,omitempty"`

	// Descriptions corresponds to the JSON schema field "descriptions".
	Descriptions []LangString `json:"descriptions" yaml:"descriptions" mapstructure:"descriptions"`

	// EvaluatorComment corresponds to the JSON schema field "evaluatorComment".
	EvaluatorComment *string `json:"evaluatorComment,omitempty" yaml:"evaluatorComment,omitempty" mapstructure:"evaluatorComment,omitempty"`

	// EvaluatorImpact corresponds to the JSON schema field "evaluatorImpact".
	EvaluatorImpact *string `json:"evaluatorImpact,omitempty" yaml:"evaluatorImpact,omitempty" mapstructure:"evaluatorImpact,omitempty"`

	// EvaluatorSolution corresponds to the JSON schema field "evaluatorSolution".
	EvaluatorSolution *string `json:"evaluatorSolution,omitempty" yaml:"evaluatorSolution,omitempty" mapstructure:"evaluatorSolution,omitempty"`

	// ID corresponds to the JSON schema field "id".
	ID CVEID `json:"id" yaml:"id" mapstructure:"id"`

	// LastModified corresponds to the JSON schema field "lastModified".
	LastModified NVDTime `json:"lastModified" yaml:"lastModified" mapstructure:"lastModified"`

	// Metric scores for a vulnerability as found on NVD.
	Metrics *CVEItemMetrics `json:"metrics,omitempty" yaml:"metrics,omitempty" mapstructure:"metrics,omitempty"`

	// Published corresponds to the JSON schema field "published".
	Published NVDTime `json:"published" yaml:"published" mapstructure:"published"`

	// References corresponds to the JSON schema field "references".
	References []Reference `json:"references" yaml:"references" mapstructure:"references"`

	// SourceIdentifier corresponds to the JSON schema field "sourceIdentifier".
	SourceIdentifier *string `json:"sourceIdentifier,omitempty" yaml:"sourceIdentifier,omitempty" mapstructure:"sourceIdentifier,omitempty"`

	// VendorComments corresponds to the JSON schema field "vendorComments".
	VendorComments []VendorComment `json:"vendorComments,omitempty" yaml:"vendorComments,omitempty" mapstructure:"vendorComments,omitempty"`

	// VulnStatus corresponds to the JSON schema field "vulnStatus".
	VulnStatus *string `json:"vulnStatus,omitempty" yaml:"vulnStatus,omitempty" mapstructure:"vulnStatus,omitempty"`

	// Weaknesses corresponds to the JSON schema field "weaknesses".
	Weaknesses []Weakness `json:"weaknesses,omitempty" yaml:"weaknesses,omitempty" mapstructure:"weaknesses,omitempty"`
}

func (*CVE) UnmarshalJSON 

func (j *CVE) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler.

type CVE5 

type CVE5 struct {
	DataType    string `json:"dataType"`
	DataVersion string `json:"dataVersion"`
	Metadata    struct {
		State             string `json:"state"`
		ID                string `json:"cveId"`
		AssignerOrgId     string `json:"assignerOrgId"`
		AssignerShortName string `json:"assignerShortName"`
		DateUpdated       string `json:"dateUpdated"`
		DateReserved      string `json:"dateReserved"`
		DatePublished     string `json:"datePublished"`
	}
	Containers struct {
		CNA struct {
			ProviderMetadata struct {
				OrgID       string `json:"orgId"`
				ShortName   string `json:"shortName"`
				DateUpdated string `json:"dateUpdated"`
			}
			Descriptions []struct {
				Lang  string `json:"lang"`
				Value string `json:"value"`
			}
			Tags     []string `json:"tags"`
			Affected []struct {
				Vendor   string `json:"vendor"`
				Product  string `json:"product"`
				Versions []struct {
					Version string `json:"version"`
					Status  string `json:"status"`
				}
			}
			References []struct {
				URL string `json:"url"`
			}
			ProblemTypes []struct {
				Descriptions []struct {
					Type        string `json:"type"`
					Lang        string `json:"lang"`
					Description string `json:"description"`
				}
			}
		}
	}
}

type CVEAPIJSON20Schema 

type CVEAPIJSON20Schema struct {
	// Format corresponds to the JSON schema field "format".
	Format string `json:"format" yaml:"format" mapstructure:"format"`

	// ResultsPerPage corresponds to the JSON schema field "resultsPerPage".
	ResultsPerPage int `json:"resultsPerPage" yaml:"resultsPerPage" mapstructure:"resultsPerPage"`

	// StartIndex corresponds to the JSON schema field "startIndex".
	StartIndex int `json:"startIndex" yaml:"startIndex" mapstructure:"startIndex"`

	// Timestamp corresponds to the JSON schema field "timestamp".
	Timestamp NVDTime `json:"timestamp" yaml:"timestamp" mapstructure:"timestamp"`

	// TotalResults corresponds to the JSON schema field "totalResults".
	TotalResults int `json:"totalResults" yaml:"totalResults" mapstructure:"totalResults"`

	// Version corresponds to the JSON schema field "version".
	Version string `json:"version" yaml:"version" mapstructure:"version"`

	// NVD feed array of CVE
	Vulnerabilities []Vulnerability `json:"vulnerabilities" yaml:"vulnerabilities" mapstructure:"vulnerabilities"`
}

func (*CVEAPIJSON20Schema) ToJSON 

func (n *CVEAPIJSON20Schema) ToJSON(w io.Writer) error

func (*CVEAPIJSON20Schema) UnmarshalJSON 

func (j *CVEAPIJSON20Schema) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler.

type CVEID 

type CVEID string

type CVEItemMetrics 

type CVEItemMetrics struct {
	// CVSS V2.0 score.
	CVSSMetricV2 []CVSSV2 `json:"cvssMetricV2,omitempty" yaml:"cvssMetricV2,omitempty" mapstructure:"cvssMetricV2,omitempty"`

	// CVSS V3.0 score.
	CVSSMetricV30 []CVSSV30 `json:"cvssMetricV30,omitempty" yaml:"cvssMetricV30,omitempty" mapstructure:"cvssMetricV30,omitempty"`

	// CVSS V3.1 score.
	CVSSMetricV31 []CVSSV31 `json:"cvssMetricV31,omitempty" yaml:"cvssMetricV31,omitempty" mapstructure:"cvssMetricV31,omitempty"`
}

Metric scores for a vulnerability as found on NVD.

type CVSS 

type CVSS struct {
	// VectorString corresponds to the JSON schema field "vectorString".
	VectorString string `json:"vectorString" yaml:"vectorString" mapstructure:"vectorString"`
}

type CVSSV2 

type CVSSV2 struct {
	Source                  string       `json:"source" yaml:"source" mapstructure:"source"`
	Type                    string       `json:"type" yaml:"type" mapstructure:"type"`
	BaseSeverity            string       `json:"baseSeverity,omitempty" yaml:"baseSeverity,omitempty" mapstructure:"baseSeverity,omitempty"`
	CVSSData                CVSS         `json:"cvssData" yaml:"cvssData" mapstructure:"cvssData"`
	ExploitabilityScore     *DefSubscore `json:"exploitabilityScore,omitempty" yaml:"exploitabilityScore,omitempty" mapstructure:"exploitabilityScore,omitempty"`
	ImpactScore             *DefSubscore `json:"impactScore,omitempty" yaml:"impactScore,omitempty" mapstructure:"impactScore,omitempty"`
	AcInsufInfo             bool         `json:"acInsufInfo,omitempty" yaml:"acInsufInfo,omitempty" mapstructure:"acInsufInfo,omitempty"`
	ObtainAllPrivilege      bool         `json:"obtainAllPrivilege,omitempty" yaml:"obtainAllPrivilege,omitempty" mapstructure:"obtainAllPrivilege,omitempty"`
	ObtainUserPrivilege     bool         `json:"obtainUserPrivilege,omitempty" yaml:"obtainUserPrivilege,omitempty" mapstructure:"obtainUserPrivilege,omitempty"`
	ObtainOtherPrivilege    bool         `json:"obtainOtherPrivilege,omitempty" yaml:"obtainOtherPrivilege,omitempty" mapstructure:"obtainOtherPrivilege,omitempty"`
	UserInteractionRequired bool         `` /* 130-byte string literal not displayed */
}

CVSS V2.0 score. (hand-generated)

type CVSSV30 

type CVSSV30 struct {
	Source              string       `json:"source" yaml:"source" mapstructure:"source"`
	Type                string       `json:"type" yaml:"type" mapstructure:"type"`
	CVSSData            CVSS         `json:"cvssData" yaml:"cvssData" mapstructure:"cvssData"`
	ExploitabilityScore *DefSubscore `json:"exploitabilityScore,omitempty" yaml:"exploitabilityScore,omitempty" mapstructure:"exploitabilityScore,omitempty"`
	ImpactScore         *DefSubscore `json:"impactScore,omitempty" yaml:"impactScore,omitempty" mapstructure:"impactScore,omitempty"`
}

CVSS V3.0 score. (hand-generated)

type CVSSV31 

type CVSSV31 struct {
	Source              string `json:"source" yaml:"source" mapstructure:"source"`
	Type                string `json:"type" yaml:"type" mapstructure:"type"`
	CVSSData            CVSS
	ExploitabilityScore *DefSubscore `json:"exploitabilityScore,omitempty" yaml:"exploitabilityScore,omitempty" mapstructure:"exploitabilityScore,omitempty"`
	ImpactScore         *DefSubscore `json:"impactScore,omitempty" yaml:"impactScore,omitempty" mapstructure:"impactScore,omitempty"`
}

CVSS V3.1 score. (hand-generated)

type CommitType 

type CommitType int

Synthetic enum of supported commit types. 

const (
	Introduced CommitType = iota
	Fixed
	Limit
	LastAffected
)

type Config 

type Config struct {
	Operator string `json:"operator,omitempty" yaml:"operator,omitempty" mapstructure:"operator,omitempty"`
	Negate   bool   `json:"negate,omitempty" yaml:"negate,omitempty" mapstructure:"negate,omitempty"`
	Nodes    []Node `json:"nodes" yaml:"nodes" mapstructure:"nodes"`
}

type DefSubscore 

type DefSubscore float64

CVSS subscore.

type LangString 

type LangString struct {
	// Lang corresponds to the JSON schema field "lang".
	Lang string `json:"lang" yaml:"lang" mapstructure:"lang"`

	// Value corresponds to the JSON schema field "value".
	Value string `json:"value" yaml:"value" mapstructure:"value"`
}

func (*LangString) UnmarshalJSON 

func (j *LangString) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler.

type NVDTime 

type NVDTime struct {
	time.Time
}

func (*NVDTime) UnmarshalJSON 

func (t *NVDTime) UnmarshalJSON(b []byte) (err error)

type Node 

type Node struct {
	Operator string     `json:"operator" yaml:"operator" mapstructure:"operator"`
	Negate   bool       `json:"negate,omitempty" yaml:"negate,omitempty" mapstructure:"negate,omitempty"`
	CPEMatch []CPEMatch `json:"cpeMatch" yaml:"cpeMatch" mapstructure:"cpeMatch"`
}

Defines a configuration node in an NVD applicability statement.

type Reference 

type Reference struct {
	// Source corresponds to the JSON schema field "source".
	Source string `json:"source,omitempty" yaml:"source,omitempty" mapstructure:"source,omitempty"`

	// Tags corresponds to the JSON schema field "tags".
	Tags []string `json:"tags,omitempty" yaml:"tags,omitempty" mapstructure:"tags,omitempty"`

	// Url corresponds to the JSON schema field "url".
	Url string `json:"url" yaml:"url" mapstructure:"url"`
}

func (*Reference) UnmarshalJSON 

func (j *Reference) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler.

type VendorComment 

type VendorComment struct {
	// Comment corresponds to the JSON schema field "comment".
	Comment string `json:"comment" yaml:"comment" mapstructure:"comment"`

	// LastModified corresponds to the JSON schema field "lastModified".
	LastModified NVDTime `json:"lastModified" yaml:"lastModified" mapstructure:"lastModified"`

	// Organization corresponds to the JSON schema field "organization".
	Organization string `json:"organization" yaml:"organization" mapstructure:"organization"`
}

func (*VendorComment) UnmarshalJSON 

func (j *VendorComment) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler.

type VersionInfo 

type VersionInfo struct {
	AffectedCommits  []AffectedCommit  `json:"affect_commits,omitempty" yaml:"affected_commits,omitempty"`
	AffectedVersions []AffectedVersion `json:"affected_versions,omitempty" yaml:"affected_versions,omitempty"`
}

func ExtractVersionInfo 

func ExtractVersionInfo(cve CVE, validVersions []string) (v VersionInfo, notes []string)

func (*VersionInfo) Duplicated 

func (vi *VersionInfo) Duplicated(candidate AffectedCommit) bool

Check if the same commit appears in multiple fields of the AffectedCommits array. See https://github.com/google/osv.dev/issues/1984 for more context.

func (*VersionInfo) FixedCommits 

func (vi *VersionInfo) FixedCommits(repo string) (FixedCommits []string)

func (*VersionInfo) HasFixedCommits 

func (vi *VersionInfo) HasFixedCommits(repo string) bool

func (*VersionInfo) HasFixedVersions 

func (vi *VersionInfo) HasFixedVersions() bool

func (*VersionInfo) HasIntroducedCommits 

func (vi *VersionInfo) HasIntroducedCommits(repo string) bool

func (*VersionInfo) HasLastAffectedCommits 

func (vi *VersionInfo) HasLastAffectedCommits(repo string) bool

func (*VersionInfo) HasLastAffectedVersions 

func (vi *VersionInfo) HasLastAffectedVersions() bool

func (*VersionInfo) HasLimitCommits 

func (vi *VersionInfo) HasLimitCommits(repo string) bool

func (*VersionInfo) LastAffectedCommits 

func (vi *VersionInfo) LastAffectedCommits(repo string) (LastAffectedCommits []string)

type Vulnerability 

type Vulnerability struct {
	CVE CVE `json:"cve" yaml:"cve" mapstructure:"cve"`
}

(hand generated), see https://github.com/omissis/go-jsonschema/issues/171

type Weakness 

type Weakness interface{}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.