Documentation
¶
Index ¶
- Variables
- type Artifact
- type ArtifactInputSpec
- type ArtifactSpec
- type Builder
- type BuilderInputSpec
- type BuilderSpec
- type CVEInputSpec
- type CVESpec
- type CertifyBad
- type CertifyBadInputSpec
- type CertifyBadSpec
- type CertifyGood
- type CertifyGoodInputSpec
- type CertifyGoodSpec
- type CertifyScorecard
- type CertifyScorecardSpec
- type CertifyVEXStatement
- type CertifyVEXStatementSpec
- type CertifyVuln
- type CertifyVulnSpec
- type Cve
- type CveOrGhsa
- type CveOrGhsaInput
- type CveOrGhsaSpec
- type DependencyType
- type Edge
- type GHSAInputSpec
- type GHSASpec
- type Ghsa
- type HasMetadata
- type HasMetadataInputSpec
- type HasMetadataSpec
- type HasSBOMInputSpec
- type HasSBOMSpec
- type HasSLSASpec
- type HasSbom
- type HasSlsa
- type HasSourceAt
- type HasSourceAtInputSpec
- type HasSourceAtSpec
- type HashEqual
- type HashEqualInputSpec
- type HashEqualSpec
- type IsDependency
- type IsDependencyInputSpec
- type IsDependencySpec
- type IsOccurrence
- type IsOccurrenceInputSpec
- type IsOccurrenceSpec
- type IsVulnerability
- type IsVulnerabilityInputSpec
- type IsVulnerabilitySpec
- type MatchFlags
- type NoVuln
- type Node
- type OSVInputSpec
- type OSVSpec
- type Osv
- type Package
- type PackageName
- type PackageNamespace
- type PackageOrArtifact
- type PackageOrArtifactInput
- type PackageOrArtifactInputs
- type PackageOrArtifactSpec
- type PackageOrSource
- type PackageOrSourceInput
- type PackageOrSourceInputs
- type PackageOrSourceSpec
- type PackageQualifier
- type PackageQualifierInputSpec
- type PackageQualifierSpec
- type PackageSourceOrArtifact
- type PackageSourceOrArtifactInput
- type PackageSourceOrArtifactInputs
- type PackageSourceOrArtifactSpec
- type PackageVersion
- type PkgEqual
- type PkgEqualInputSpec
- type PkgEqualSpec
- type PkgInputSpec
- type PkgMatchType
- type PkgNameSpec
- type PkgSpec
- type PointOfContact
- type PointOfContactInputSpec
- type PointOfContactSpec
- type SLSAInputSpec
- type SLSAPredicate
- type SLSAPredicateInputSpec
- type SLSAPredicateSpec
- type Scorecard
- type ScorecardCheck
- type ScorecardCheckInputSpec
- type ScorecardCheckSpec
- type ScorecardInputSpec
- type Slsa
- type Source
- type SourceInputSpec
- type SourceName
- type SourceNamespace
- type SourceSpec
- type VexJustification
- type VexStatementInputSpec
- type VexStatus
- type Vulnerability
- type VulnerabilityInput
- type VulnerabilityMetaData
- type VulnerabilityMetaDataInput
- type VulnerabilitySpec
Constants ¶
This section is empty.
Variables ¶
var AllDependencyType = []DependencyType{ DependencyTypeDirect, DependencyTypeIndirect, DependencyTypeUnknown, }
var AllEdge = []Edge{ EdgeArtifactCertifyBad, EdgeArtifactCertifyGood, EdgeArtifactCertifyVexStatement, EdgeArtifactHashEqual, EdgeArtifactHasSbom, EdgeArtifactHasSlsa, EdgeArtifactIsOccurrence, EdgeArtifactHasMetadata, EdgeArtifactPointOfContact, EdgeBuilderHasSlsa, EdgeCveCertifyVexStatement, EdgeCveCertifyVuln, EdgeCveIsVulnerability, EdgeGhsaCertifyVexStatement, EdgeGhsaCertifyVuln, EdgeGhsaIsVulnerability, EdgeNoVulnCertifyVuln, EdgeOsvCertifyVexStatement, EdgeOsvCertifyVuln, EdgeOsvIsVulnerability, EdgePackageCertifyBad, EdgePackageCertifyGood, EdgePackageCertifyVexStatement, EdgePackageCertifyVuln, EdgePackageHasSbom, EdgePackageHasSourceAt, EdgePackageIsDependency, EdgePackageIsOccurrence, EdgePackagePkgEqual, EdgePackageHasMetadata, EdgePackagePointOfContact, EdgeSourceCertifyBad, EdgeSourceCertifyGood, EdgeSourceCertifyScorecard, EdgeSourceHasSourceAt, EdgeSourceIsOccurrence, EdgeSourceHasMetadata, EdgeSourcePointOfContact, EdgeCertifyBadArtifact, EdgeCertifyBadPackage, EdgeCertifyBadSource, EdgeCertifyGoodArtifact, EdgeCertifyGoodPackage, EdgeCertifyGoodSource, EdgeCertifyScorecardSource, EdgeCertifyVexStatementArtifact, EdgeCertifyVexStatementCve, EdgeCertifyVexStatementGhsa, EdgeCertifyVexStatementOsv, EdgeCertifyVexStatementPackage, EdgeCertifyVulnCve, EdgeCertifyVulnGhsa, EdgeCertifyVulnNoVuln, EdgeCertifyVulnOsv, EdgeCertifyVulnPackage, EdgeHashEqualArtifact, EdgeHasSbomArtifact, EdgeHasSbomPackage, EdgeHasSlsaBuiltBy, EdgeHasSlsaMaterials, EdgeHasSlsaSubject, EdgeHasSourceAtPackage, EdgeHasSourceAtSource, EdgeIsDependencyPackage, EdgeIsOccurrenceArtifact, EdgeIsOccurrencePackage, EdgeIsOccurrenceSource, EdgeIsVulnerabilityCve, EdgeIsVulnerabilityGhsa, EdgeIsVulnerabilityOsv, EdgePkgEqualPackage, EdgeHasMetadataPackage, EdgeHasMetadataArtifact, EdgeHasMetadataSource, EdgePointOfContactPackage, EdgePointOfContactArtifact, EdgePointOfContactSource, }
var AllPkgMatchType = []PkgMatchType{ PkgMatchTypeAllVersions, PkgMatchTypeSpecificVersion, }
var AllVexJustification = []VexJustification{ VexJustificationComponentNotPresent, VexJustificationVulnerableCodeNotPresent, VexJustificationVulnerableCodeNotInExecutePath, VexJustificationVulnerableCodeCannotBeControlledByAdversary, VexJustificationInlineMitigationsAlreadyExist, VexJustificationNotProvided, }
var AllVexStatus = []VexStatus{ VexStatusNotAffected, VexStatusAffected, VexStatusFixed, VexStatusUnderInvestigation, }
Functions ¶
This section is empty.
Types ¶
type Artifact ¶
type Artifact struct {
ID string `json:"id"`
Algorithm string `json:"algorithm"`
Digest string `json:"digest"`
}
Artifact represents an artifact identified by a checksum hash.
The checksum is split into the digest value and the algorithm used to generate it. Both fields are mandatory and canonicalized to be lowercase.
If having a checksum Go object, algorithm can be strings.ToLower(string(checksum.Algorithm)) and digest can be checksum.Value.
func (Artifact) IsPackageOrArtifact ¶
func (Artifact) IsPackageOrArtifact()
func (Artifact) IsPackageSourceOrArtifact ¶
func (Artifact) IsPackageSourceOrArtifact()
type ArtifactInputSpec ¶
ArtifactInputSpec specifies an artifact for mutations.
The checksum fields are canonicalized to be lowercase.
type ArtifactSpec ¶
type ArtifactSpec struct {
ID *string `json:"id,omitempty"`
Algorithm *string `json:"algorithm,omitempty"`
Digest *string `json:"digest,omitempty"`
}
ArtifactSpec allows filtering the list of artifacts to return in a query.
The checksum fields are canonicalized to be lowercase.
type Builder ¶
Builder represents the builder (e.g., FRSCA or GitHub Actions).
Currently builders are identified by the uri field.
type BuilderInputSpec ¶
type BuilderInputSpec struct {
URI string `json:"uri"`
}
BuilderInputSpec specifies a builder for mutations.
type BuilderSpec ¶
BuilderSpec allows filtering the list of builders to return in a query.
type CVEInputSpec ¶
CVEInputSpec specifies a CVE vulnerability for mutations.
type CVESpec ¶
type CVESpec struct {
ID *string `json:"id,omitempty"`
Year *int `json:"year,omitempty"`
CveID *string `json:"cveId,omitempty"`
}
CVESpec allows filtering the list of advisories to return in a query.
type CertifyBad ¶
type CertifyBad struct {
ID string `json:"id"`
Subject PackageSourceOrArtifact `json:"subject"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
CertifyBad is an attestation that a package, source, or artifact is considered bad.
All evidence trees record a justification for the property they represent as well as the document that contains the attestation (origin) and the collector that collected the document (collector).
The certification applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.
func (CertifyBad) IsNode ¶
func (CertifyBad) IsNode()
type CertifyBadInputSpec ¶
type CertifyBadInputSpec struct {
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
CertifyBadInputSpec represents the mutation input to ingest a CertifyBad evidence.
type CertifyBadSpec ¶
type CertifyBadSpec struct {
ID *string `json:"id,omitempty"`
Subject *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
CertifyBadSpec allows filtering the list of CertifyBad evidence to return in a query.
If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.
If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.
type CertifyGood ¶
type CertifyGood struct {
ID string `json:"id"`
Subject PackageSourceOrArtifact `json:"subject"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
CertifyGood is an attestation that a package, source, or artifact is considered good.
All evidence trees record a justification for the property they represent as well as the document that contains the attestation (origin) and the collector that collected the document (collector).
The certification applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.
func (CertifyGood) IsNode ¶
func (CertifyGood) IsNode()
type CertifyGoodInputSpec ¶
type CertifyGoodInputSpec struct {
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
CertifyGoodInputSpec represents the mutation input to ingest a CertifyGood evidence.
type CertifyGoodSpec ¶
type CertifyGoodSpec struct {
ID *string `json:"id,omitempty"`
Subject *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
CertifyBadSpec allows filtering the list of CertifyBad evidence to return in a query.
If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.
If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.
type CertifyScorecard ¶
type CertifyScorecard struct {
ID string `json:"id"`
// The source repository that is being scanned (attestation subject)
Source *Source `json:"source"`
// The Scorecard attached to the repository (attestation object)
Scorecard *Scorecard `json:"scorecard"`
}
CertifyScorecard is an attestation to attach a Scorecard analysis to a particular source repository.
func (CertifyScorecard) IsNode ¶
func (CertifyScorecard) IsNode()
type CertifyScorecardSpec ¶
type CertifyScorecardSpec struct {
ID *string `json:"id,omitempty"`
Source *SourceSpec `json:"source,omitempty"`
TimeScanned *time.Time `json:"timeScanned,omitempty"`
AggregateScore *float64 `json:"aggregateScore,omitempty"`
Checks []*ScorecardCheckSpec `json:"checks,omitempty"`
ScorecardVersion *string `json:"scorecardVersion,omitempty"`
ScorecardCommit *string `json:"scorecardCommit,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
CertifyScorecardSpec allows filtering the list of Scorecards to return.
type CertifyVEXStatement ¶
type CertifyVEXStatement struct {
ID string `json:"id"`
// Subject of attestation
Subject PackageOrArtifact `json:"subject"`
// Attested vulnerability
Vulnerability Vulnerability `json:"vulnerability"`
// Status of the vulnerabilities with respect to the subject
Status VexStatus `json:"status"`
// Justification from VEX statement
VexJustification VexJustification `json:"vexJustification"`
// VEX statement: impact_statement or action_statement depending on status
Statement string `json:"statement"`
// statusNotes may convey information about how status was determined
StatusNotes string `json:"statusNotes"`
// Timestamp (exact time in RFC 3339 format) for the VEX statement
KnownSince time.Time `json:"knownSince"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
CertifyVEXStatement is an attestation to attach VEX statements to a package or artifact to clarify the impact of a specific vulnerability (CVE, GHSA or OSV).
func (CertifyVEXStatement) IsNode ¶
func (CertifyVEXStatement) IsNode()
type CertifyVEXStatementSpec ¶
type CertifyVEXStatementSpec struct {
ID *string `json:"id,omitempty"`
Subject *PackageOrArtifactSpec `json:"subject,omitempty"`
Vulnerability *VulnerabilitySpec `json:"vulnerability,omitempty"`
Status *VexStatus `json:"status,omitempty"`
VexJustification *VexJustification `json:"vexJustification,omitempty"`
Statement *string `json:"statement,omitempty"`
StatusNotes *string `json:"statusNotes,omitempty"`
KnownSince *time.Time `json:"knownSince,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
CertifyVEXStatementSpec allows filtering the list of VEX statements to return in a query.
Only one subject type (package or artifact) and one vulnerability type (CVE, GHSA or OSV) may be specified.
Note that setting noVuln in VulnerabilitySpec is invalid for VEX statements!
type CertifyVuln ¶
type CertifyVuln struct {
ID string `json:"id"`
// The package that is attested
Package *Package `json:"package"`
// The vulnerability object. Can be an OSV, CVE, or GHSA or the special NoVuln node.
Vulnerability Vulnerability `json:"vulnerability"`
// Metadata attached to the certification
Metadata *VulnerabilityMetaData `json:"metadata"`
}
CertifyVuln is an attestation to attach vulnerability information to a package.
This information is obtained via a scanner. If there is no vulnerability detected (no OSV, CVE, or GHSA), we attach the special NoVuln node.
func (CertifyVuln) IsNode ¶
func (CertifyVuln) IsNode()
type CertifyVulnSpec ¶
type CertifyVulnSpec struct {
ID *string `json:"id,omitempty"`
Package *PkgSpec `json:"package,omitempty"`
Vulnerability *VulnerabilitySpec `json:"vulnerability,omitempty"`
TimeScanned *time.Time `json:"timeScanned,omitempty"`
DbURI *string `json:"dbUri,omitempty"`
DbVersion *string `json:"dbVersion,omitempty"`
ScannerURI *string `json:"scannerUri,omitempty"`
ScannerVersion *string `json:"scannerVersion,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
CertifyVulnSpec allows filtering the list of vulnerability certifications to return in a query.
Specifying just the package allows to query for all vulnerabilities associated with the package.
Only one vulnerability type (OSV, CVE, GHSA, or special NoVuln) may be specified.
type Cve ¶
CVE represents a vulnerability in the Common Vulnerabilities and Exposures schema.
The vulnerability identifier contains a year field, so we are extracting that to allow matching for vulnerabilities found in a given year.
The vulnerability identifier field is mandatory and canonicalized to be lowercase.
This node can be referred to by other parts of GUAC.
func (Cve) IsCveOrGhsa ¶
func (Cve) IsCveOrGhsa()
func (Cve) IsVulnerability ¶
func (Cve) IsVulnerability()
type CveOrGhsaInput ¶
type CveOrGhsaInput struct {
Cve *CVEInputSpec `json:"cve,omitempty"`
Ghsa *GHSAInputSpec `json:"ghsa,omitempty"`
}
CveOrGhsaInput allows using CveOrGhsa union as input type for mutations.
Exactly one field must be specified.
type CveOrGhsaSpec ¶
type CveOrGhsaSpec struct {
Cve *CVESpec `json:"cve,omitempty"`
Ghsa *GHSASpec `json:"ghsa,omitempty"`
}
CveOrGhsaSpec allows using CveOrGhsa union as input type for queries.
Exactly one field must be specified.
type DependencyType ¶
type DependencyType string
DependencyType determines the type of the dependency.
const ( // direct dependency DependencyTypeDirect DependencyType = "DIRECT" // indirect dependency DependencyTypeIndirect DependencyType = "INDIRECT" // type not known/not specified DependencyTypeUnknown DependencyType = "UNKNOWN" )
func (DependencyType) IsValid ¶
func (e DependencyType) IsValid() bool
func (DependencyType) MarshalGQL ¶
func (e DependencyType) MarshalGQL(w io.Writer)
func (DependencyType) String ¶
func (e DependencyType) String() string
func (*DependencyType) UnmarshalGQL ¶
func (e *DependencyType) UnmarshalGQL(v interface{}) error
type Edge ¶
type Edge string
Edge allows filtering path/neighbors output to only contain a subset of all possible GUAC links.
Each member of the enum is formed by merging two Node names with _. Each name is converted from CamelCase to CAPITALS_WITH_UNDERSCORES. Only valid edges (pairs from Node to Node) are included.
The only exception to the above rule is for links out of HasSLSA. The names are HAS_SLSA_SUBJECT, HAS_SLSA_BUILT_BY, and HAS_SLSA_MATERIALS. This is because ARTIFACT_HAS_SLSA is only from subject Artifact to HasSLSA.
const ( EdgeArtifactCertifyBad Edge = "ARTIFACT_CERTIFY_BAD" EdgeArtifactCertifyGood Edge = "ARTIFACT_CERTIFY_GOOD" EdgeArtifactCertifyVexStatement Edge = "ARTIFACT_CERTIFY_VEX_STATEMENT" EdgeArtifactHashEqual Edge = "ARTIFACT_HASH_EQUAL" EdgeArtifactHasSbom Edge = "ARTIFACT_HAS_SBOM" EdgeArtifactHasSlsa Edge = "ARTIFACT_HAS_SLSA" EdgeArtifactIsOccurrence Edge = "ARTIFACT_IS_OCCURRENCE" EdgeArtifactHasMetadata Edge = "ARTIFACT_HAS_METADATA" EdgeArtifactPointOfContact Edge = "ARTIFACT_POINT_OF_CONTACT" EdgeBuilderHasSlsa Edge = "BUILDER_HAS_SLSA" EdgeCveCertifyVexStatement Edge = "CVE_CERTIFY_VEX_STATEMENT" EdgeCveCertifyVuln Edge = "CVE_CERTIFY_VULN" EdgeCveIsVulnerability Edge = "CVE_IS_VULNERABILITY" EdgeGhsaCertifyVexStatement Edge = "GHSA_CERTIFY_VEX_STATEMENT" EdgeGhsaCertifyVuln Edge = "GHSA_CERTIFY_VULN" EdgeGhsaIsVulnerability Edge = "GHSA_IS_VULNERABILITY" EdgeNoVulnCertifyVuln Edge = "NO_VULN_CERTIFY_VULN" EdgeOsvCertifyVexStatement Edge = "OSV_CERTIFY_VEX_STATEMENT" EdgeOsvCertifyVuln Edge = "OSV_CERTIFY_VULN" EdgeOsvIsVulnerability Edge = "OSV_IS_VULNERABILITY" EdgePackageCertifyBad Edge = "PACKAGE_CERTIFY_BAD" EdgePackageCertifyGood Edge = "PACKAGE_CERTIFY_GOOD" EdgePackageCertifyVexStatement Edge = "PACKAGE_CERTIFY_VEX_STATEMENT" EdgePackageCertifyVuln Edge = "PACKAGE_CERTIFY_VULN" EdgePackageHasSbom Edge = "PACKAGE_HAS_SBOM" EdgePackageHasSourceAt Edge = "PACKAGE_HAS_SOURCE_AT" EdgePackageIsDependency Edge = "PACKAGE_IS_DEPENDENCY" EdgePackageIsOccurrence Edge = "PACKAGE_IS_OCCURRENCE" EdgePackagePkgEqual Edge = "PACKAGE_PKG_EQUAL" EdgePackageHasMetadata Edge = "PACKAGE_HAS_METADATA" EdgePackagePointOfContact Edge = "PACKAGE_POINT_OF_CONTACT" EdgeSourceCertifyBad Edge = "SOURCE_CERTIFY_BAD" EdgeSourceCertifyGood Edge = "SOURCE_CERTIFY_GOOD" EdgeSourceCertifyScorecard Edge = "SOURCE_CERTIFY_SCORECARD" EdgeSourceHasSourceAt Edge = "SOURCE_HAS_SOURCE_AT" EdgeSourceIsOccurrence Edge = "SOURCE_IS_OCCURRENCE" EdgeSourceHasMetadata Edge = "SOURCE_HAS_METADATA" EdgeSourcePointOfContact Edge = "SOURCE_POINT_OF_CONTACT" EdgeCertifyBadArtifact Edge = "CERTIFY_BAD_ARTIFACT" EdgeCertifyBadPackage Edge = "CERTIFY_BAD_PACKAGE" EdgeCertifyBadSource Edge = "CERTIFY_BAD_SOURCE" EdgeCertifyGoodArtifact Edge = "CERTIFY_GOOD_ARTIFACT" EdgeCertifyGoodPackage Edge = "CERTIFY_GOOD_PACKAGE" EdgeCertifyGoodSource Edge = "CERTIFY_GOOD_SOURCE" EdgeCertifyScorecardSource Edge = "CERTIFY_SCORECARD_SOURCE" EdgeCertifyVexStatementArtifact Edge = "CERTIFY_VEX_STATEMENT_ARTIFACT" EdgeCertifyVexStatementCve Edge = "CERTIFY_VEX_STATEMENT_CVE" EdgeCertifyVexStatementGhsa Edge = "CERTIFY_VEX_STATEMENT_GHSA" EdgeCertifyVexStatementOsv Edge = "CERTIFY_VEX_STATEMENT_OSV" EdgeCertifyVexStatementPackage Edge = "CERTIFY_VEX_STATEMENT_PACKAGE" EdgeCertifyVulnCve Edge = "CERTIFY_VULN_CVE" EdgeCertifyVulnGhsa Edge = "CERTIFY_VULN_GHSA" EdgeCertifyVulnNoVuln Edge = "CERTIFY_VULN_NO_VULN" EdgeCertifyVulnOsv Edge = "CERTIFY_VULN_OSV" EdgeCertifyVulnPackage Edge = "CERTIFY_VULN_PACKAGE" EdgeHashEqualArtifact Edge = "HASH_EQUAL_ARTIFACT" EdgeHasSbomArtifact Edge = "HAS_SBOM_ARTIFACT" EdgeHasSbomPackage Edge = "HAS_SBOM_PACKAGE" EdgeHasSlsaBuiltBy Edge = "HAS_SLSA_BUILT_BY" EdgeHasSlsaMaterials Edge = "HAS_SLSA_MATERIALS" EdgeHasSlsaSubject Edge = "HAS_SLSA_SUBJECT" EdgeHasSourceAtPackage Edge = "HAS_SOURCE_AT_PACKAGE" EdgeHasSourceAtSource Edge = "HAS_SOURCE_AT_SOURCE" EdgeIsDependencyPackage Edge = "IS_DEPENDENCY_PACKAGE" EdgeIsOccurrenceArtifact Edge = "IS_OCCURRENCE_ARTIFACT" EdgeIsOccurrencePackage Edge = "IS_OCCURRENCE_PACKAGE" EdgeIsOccurrenceSource Edge = "IS_OCCURRENCE_SOURCE" EdgeIsVulnerabilityCve Edge = "IS_VULNERABILITY_CVE" EdgeIsVulnerabilityGhsa Edge = "IS_VULNERABILITY_GHSA" EdgeIsVulnerabilityOsv Edge = "IS_VULNERABILITY_OSV" EdgePkgEqualPackage Edge = "PKG_EQUAL_PACKAGE" EdgeHasMetadataPackage Edge = "HAS_METADATA_PACKAGE" EdgeHasMetadataArtifact Edge = "HAS_METADATA_ARTIFACT" EdgeHasMetadataSource Edge = "HAS_METADATA_SOURCE" EdgePointOfContactPackage Edge = "POINT_OF_CONTACT_PACKAGE" EdgePointOfContactArtifact Edge = "POINT_OF_CONTACT_ARTIFACT" EdgePointOfContactSource Edge = "POINT_OF_CONTACT_SOURCE" )
func (Edge) MarshalGQL ¶
func (*Edge) UnmarshalGQL ¶
type GHSAInputSpec ¶
type GHSAInputSpec struct {
GhsaID string `json:"ghsaId"`
}
GHSAInputSpec specifies a GitHub Security Advisory for mutations.
type Ghsa ¶
GHSA represents GitHub security advisories.
The advisory id field is mandatory and canonicalized to be lowercase.
This node can be referred to by other parts of GUAC.
func (Ghsa) IsCveOrGhsa ¶
func (Ghsa) IsCveOrGhsa()
func (Ghsa) IsVulnerability ¶
func (Ghsa) IsVulnerability()
type HasMetadata ¶ added in v0.1.1
type HasMetadata struct {
ID string `json:"id"`
Subject PackageSourceOrArtifact `json:"subject"`
Key string `json:"key"`
Value string `json:"value"`
Timestamp time.Time `json:"timestamp"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
HasMetadata is an attestation that a package, source, or artifact has a certain attested property (key) with value (value). For example, a source may have metadata "SourceRepo2FAEnabled=true".
The intent of this evidence tree predicate is to allow extensibility of metadata expressible within the GUAC ontology. Metadata that is commonly used will then be promoted to a predicate on its own.
Justification indicates how the metadata was determined.
The metadata applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.
func (HasMetadata) IsNode ¶ added in v0.1.1
func (HasMetadata) IsNode()
type HasMetadataInputSpec ¶ added in v0.1.1
type HasMetadataInputSpec struct {
Key string `json:"key"`
Value string `json:"value"`
Timestamp time.Time `json:"timestamp"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
HasMetadataInputSpec represents the mutation input to ingest a CertifyGood evidence.
type HasMetadataSpec ¶ added in v0.1.1
type HasMetadataSpec struct {
ID *string `json:"id,omitempty"`
Subject *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
Since *time.Time `json:"since,omitempty"`
Key *string `json:"key,omitempty"`
Value *string `json:"value,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
HasMetadataSpec allows filtering the list of HasMetadata evidence to return in a query.
If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.
If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.
since specified indicates filtering timestamps after the specified time
type HasSBOMInputSpec ¶
type HasSBOMInputSpec struct {
URI string `json:"uri"`
Algorithm string `json:"algorithm"`
Digest string `json:"digest"`
DownloadLocation string `json:"downloadLocation"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
HasSBOMInputSpec is the same as HasSBOM but for mutation input.
type HasSBOMSpec ¶
type HasSBOMSpec struct {
ID *string `json:"id,omitempty"`
Subject *PackageOrArtifactSpec `json:"subject,omitempty"`
URI *string `json:"uri,omitempty"`
Algorithm *string `json:"algorithm,omitempty"`
Digest *string `json:"digest,omitempty"`
DownloadLocation *string `json:"downloadLocation,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
HasSBOMSpec allows filtering the list of HasSBOM to return.
Only the package or artifact can be added, not both.
type HasSLSASpec ¶
type HasSLSASpec struct {
ID *string `json:"id,omitempty"`
Subject *ArtifactSpec `json:"subject,omitempty"`
BuiltFrom []*ArtifactSpec `json:"builtFrom,omitempty"`
BuiltBy *BuilderSpec `json:"builtBy,omitempty"`
BuildType *string `json:"buildType,omitempty"`
Predicate []*SLSAPredicateSpec `json:"predicate,omitempty"`
SlsaVersion *string `json:"slsaVersion,omitempty"`
StartedOn *time.Time `json:"startedOn,omitempty"`
FinishedOn *time.Time `json:"finishedOn,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
HasSLSASpec allows filtering the list of HasSLSA to return.
type HasSbom ¶
type HasSbom struct {
ID string `json:"id"`
// SBOM subject
Subject PackageOrArtifact `json:"subject"`
// Identifier for the SBOM document
URI string `json:"uri"`
// Algorithm by which SBOMs digest was computed
Algorithm string `json:"algorithm"`
// Digest of SBOM
Digest string `json:"digest"`
// Location from which the SBOM can be downloaded
DownloadLocation string `json:"downloadLocation"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
type HasSlsa ¶
type HasSlsa struct {
ID string `json:"id"`
// The subject of SLSA attestation
Subject *Artifact `json:"subject"`
// The SLSA attestation
Slsa *Slsa `json:"slsa"`
}
HasSLSA records that a subject node has a SLSA attestation.
type HasSourceAt ¶
type HasSourceAt struct {
ID string `json:"id"`
// The subject of the attestation: can be a PackageName or a PackageVersion
Package *Package `json:"package"`
// Source repository from which the package is built
Source *Source `json:"source"`
// Timestamp since this link between package and source was certified
KnownSince time.Time `json:"knownSince"`
// Justification for the attested relationship
Justification string `json:"justification"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
HasSourceAt records that a package's repository is a given source.
func (HasSourceAt) IsNode ¶
func (HasSourceAt) IsNode()
type HasSourceAtInputSpec ¶
type HasSourceAtInputSpec struct {
KnownSince time.Time `json:"knownSince"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
HasSourceAtInputSpec is the same as HasSourceAt but for mutation input.
type HasSourceAtSpec ¶
type HasSourceAtSpec struct {
ID *string `json:"id,omitempty"`
Package *PkgSpec `json:"package,omitempty"`
Source *SourceSpec `json:"source,omitempty"`
KnownSince *time.Time `json:"knownSince,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
HasSourceAtSpec allows filtering the list of HasSourceAt to return.
type HashEqual ¶
type HashEqual struct {
ID string `json:"id"`
// Collection of artifacts that are similar
Artifacts []*Artifact `json:"artifacts"`
// Justification for the claim that the artifacts are similar
Justification string `json:"justification"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
HashEqual is an attestation that a set of artifacts are identical.
type HashEqualInputSpec ¶
type HashEqualInputSpec struct {
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
HashEqualInputSpec represents the input to certify that packages are similar.
type HashEqualSpec ¶
type HashEqualSpec struct {
ID *string `json:"id,omitempty"`
Artifacts []*ArtifactSpec `json:"artifacts,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
HashEqualSpec allows filtering the list of artifact equality statements to return in a query.
Specifying just one artifact allows to query for all similar artifacts (if any exists).
type IsDependency ¶
type IsDependency struct {
ID string `json:"id"`
// Package that has the dependency
Package *Package `json:"package"`
// Package for the dependency; MUST BE PackageName, not PackageVersion
DependentPackage *Package `json:"dependentPackage"`
// Version range for the dependency link
VersionRange string `json:"versionRange"`
// Type of dependency
DependencyType DependencyType `json:"dependencyType"`
// Justification for the attested relationship
Justification string `json:"justification"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
IsDependency is an attestation to record that a package depends on another.
func (IsDependency) IsNode ¶
func (IsDependency) IsNode()
type IsDependencyInputSpec ¶
type IsDependencyInputSpec struct {
VersionRange string `json:"versionRange"`
DependencyType DependencyType `json:"dependencyType"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
IsDependencyInputSpec is the input to record a new dependency.
type IsDependencySpec ¶
type IsDependencySpec struct {
ID *string `json:"id,omitempty"`
Package *PkgSpec `json:"package,omitempty"`
DependentPackage *PkgNameSpec `json:"dependentPackage,omitempty"`
VersionRange *string `json:"versionRange,omitempty"`
DependencyType *DependencyType `json:"dependencyType,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
IsDependencySpec allows filtering the list of dependencies to return.
To obtain the list of dependency packages, caller must fill in the package field.
Dependent packages must be defined at PackageName, not PackageVersion.
type IsOccurrence ¶
type IsOccurrence struct {
ID string `json:"id"`
// Package or source from which the artifact originates
Subject PackageOrSource `json:"subject"`
// The artifact in the relationship
Artifact *Artifact `json:"artifact"`
// Justification for the attested relationship
Justification string `json:"justification"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
IsOccurrence is an attestation to link an artifact to a package or source.
Attestation must occur at the PackageVersion or at the SourceName.
func (IsOccurrence) IsNode ¶
func (IsOccurrence) IsNode()
type IsOccurrenceInputSpec ¶
type IsOccurrenceInputSpec struct {
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
IsOccurrenceInputSpec represents the input to record an artifact's origin.
type IsOccurrenceSpec ¶
type IsOccurrenceSpec struct {
ID *string `json:"id,omitempty"`
Subject *PackageOrSourceSpec `json:"subject,omitempty"`
Artifact *ArtifactSpec `json:"artifact,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
IsOccurrenceSpec allows filtering the list of artifact occurences to return in a query.
type IsVulnerability ¶
type IsVulnerability struct {
ID string `json:"id"`
// The OSV that encapsulates the vulnerability
Osv *Osv `json:"osv"`
// The upstream vulnerability information
Vulnerability CveOrGhsa `json:"vulnerability"`
// Justification for the attested relationship
Justification string `json:"justification"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
IsVulnerability is an attestation to link CVE/GHSA with data in OSV.
func (IsVulnerability) IsNode ¶
func (IsVulnerability) IsNode()
type IsVulnerabilityInputSpec ¶
type IsVulnerabilityInputSpec struct {
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
IsVulnerabilityInputSpec represents the input to link CVE/GHSA with OSV data.
type IsVulnerabilitySpec ¶
type IsVulnerabilitySpec struct {
ID *string `json:"id,omitempty"`
Osv *OSVSpec `json:"osv,omitempty"`
Vulnerability *CveOrGhsaSpec `json:"vulnerability,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
IsVulnerabilitySpec allows filtering the list of vulnerability links to return in a query.
type MatchFlags ¶
type MatchFlags struct {
Pkg PkgMatchType `json:"pkg"`
}
MatchFlags is used to input the PkgMatchType enum.
type NoVuln ¶
type NoVuln struct {
ID string `json:"id"`
}
NoVuln is a special vulnerability node to attest that no vulnerability has been found during a vulnerability scan.
Backends guarantee that this is a singleton node.
func (NoVuln) IsVulnerability ¶
func (NoVuln) IsVulnerability()
type Node ¶
type Node interface {
IsNode()
}
Node is a union type of all the possible nodes.
It encapsulates the software tree nodes along with the evidence nodes. In a path query, all connecting evidence nodes along with their intermediate subject nodes need to be returned in order to create a complete graph.
type OSVInputSpec ¶
type OSVInputSpec struct {
OsvID string `json:"osvId"`
}
OSVInputSpec specifies a OSV vulnerability for mutations.
type Osv ¶
OSV represents an Open Source Vulnerability.
The osvId field is mandatory and canonicalized to be lowercase.
This maps to a vulnerability ID specific to the environment (e.g., GHSA ID or CVE ID).
This node can be referred to by other parts of GUAC.
func (Osv) IsVulnerability ¶
func (Osv) IsVulnerability()
type Package ¶
type Package struct {
ID string `json:"id"`
Type string `json:"type"`
Namespaces []*PackageNamespace `json:"namespaces"`
}
Package represents the root of the package trie/tree.
We map package information to a trie, closely matching the pURL specification (https://github.com/package-url/purl-spec/blob/0dd92f26f8bb11956ffdf5e8acfcee71e8560407/README.rst), but deviating from it where GUAC heuristics allow for better representation of package information. Each path in the trie fully represents a package; we split the trie based on the pURL components.
This node matches a pkg:<type> partial pURL. The type field matches the pURL types but we might also use "guac" for the cases where the pURL representation is not complete or when we have custom rules.
Since this node is at the root of the package trie, it is named Package, not PackageType.
func (Package) IsPackageOrArtifact ¶
func (Package) IsPackageOrArtifact()
func (Package) IsPackageOrSource ¶
func (Package) IsPackageOrSource()
func (Package) IsPackageSourceOrArtifact ¶
func (Package) IsPackageSourceOrArtifact()
type PackageName ¶
type PackageName struct {
ID string `json:"id"`
Name string `json:"name"`
Versions []*PackageVersion `json:"versions"`
}
PackageName is a name for packages.
In the pURL representation, each PackageName matches the pkg:<type>/<namespace>/<name> pURL.
Names are always mandatory.
This is the first node in the trie that can be referred to by other parts of GUAC.
type PackageNamespace ¶
type PackageNamespace struct {
ID string `json:"id"`
Namespace string `json:"namespace"`
Names []*PackageName `json:"names"`
}
PackageNamespace is a namespace for packages.
In the pURL representation, each PackageNamespace matches the pkg:<type>/<namespace>/ partial pURL.
Namespaces are optional and type specific. Because they are optional, we use empty string to denote missing namespaces.
type PackageOrArtifact ¶
type PackageOrArtifact interface {
IsPackageOrArtifact()
}
PackageOrArtifact is a union of Package and Artifact.
type PackageOrArtifactInput ¶
type PackageOrArtifactInput struct {
Package *PkgInputSpec `json:"package,omitempty"`
Artifact *ArtifactInputSpec `json:"artifact,omitempty"`
}
PackageOrArtifactInput allows using PackageOrArtifact union as input type to be used in mutations.
Exactly one of the value must be set to non-nil.
type PackageOrArtifactInputs ¶ added in v0.1.2
type PackageOrArtifactInputs struct {
Packages []*PkgInputSpec `json:"packages,omitempty"`
Artifacts []*ArtifactInputSpec `json:"artifacts,omitempty"`
}
PackageOrArtifactInputs allows using packages and artifacts as input for batch mutations. Exactly one list must be specified.
type PackageOrArtifactSpec ¶
type PackageOrArtifactSpec struct {
Package *PkgSpec `json:"package,omitempty"`
Artifact *ArtifactSpec `json:"artifact,omitempty"`
}
PackageOrArtifactSpec allows using PackageOrArtifact union as input type to be used in read queries.
Exactly one of the value must be set to non-nil.
type PackageOrSource ¶
type PackageOrSource interface {
IsPackageOrSource()
}
PackageOrSource is a union of Package and Source.
type PackageOrSourceInput ¶
type PackageOrSourceInput struct {
Package *PkgInputSpec `json:"package,omitempty"`
Source *SourceInputSpec `json:"source,omitempty"`
}
PackageOrSourceInput allows using PackageOrSource union as input for mutations.
Exactly one field must be specified.
type PackageOrSourceInputs ¶ added in v0.1.1
type PackageOrSourceInputs struct {
Packages []*PkgInputSpec `json:"packages,omitempty"`
Sources []*SourceInputSpec `json:"sources,omitempty"`
}
PackageOrSourceInputs allows using packages and sources as input for batch mutations. Exactly one list must be specified.
type PackageOrSourceSpec ¶
type PackageOrSourceSpec struct {
Package *PkgSpec `json:"package,omitempty"`
Source *SourceSpec `json:"source,omitempty"`
}
PackageOrSourceSpec allows using PackageOrSource union as input for queries.
Exactly one field must be specified.
type PackageQualifier ¶
PackageQualifier is a qualifier for a package, a key-value pair.
In the pURL representation, it is a part of the <qualifiers> part of the pkg:<type>/<namespace>/<name>@<version>?<qualifiers> pURL.
Qualifiers are optional, each Package type defines own rules for handling them, and multiple qualifiers could be attached to the same package.
This node cannot be directly referred by other parts of GUAC.
type PackageQualifierInputSpec ¶
PackageQualifierInputSpec allows specifying package qualifiers in mutations.
type PackageQualifierSpec ¶
PackageQualifierSpec allows filtering package qualifiers in a query.
Keys are mandatory, but values could also be null if we want to match all values for a specific key.
NOTE: Before the schema becomes stable, we might change the nulability requirements of these fields.
type PackageSourceOrArtifact ¶
type PackageSourceOrArtifact interface {
IsPackageSourceOrArtifact()
}
PackageSourceOrArtifact is a union of Package, Source, and Artifact.
type PackageSourceOrArtifactInput ¶
type PackageSourceOrArtifactInput struct {
Package *PkgInputSpec `json:"package,omitempty"`
Source *SourceInputSpec `json:"source,omitempty"`
Artifact *ArtifactInputSpec `json:"artifact,omitempty"`
}
PackageSourceOrArtifactInput allows using PackageSourceOrArtifact union as input type to be used in mutations.
Exactly one of the value must be set to non-nil.
type PackageSourceOrArtifactInputs ¶ added in v0.1.2
type PackageSourceOrArtifactInputs struct {
Packages []*PkgInputSpec `json:"packages,omitempty"`
Sources []*SourceInputSpec `json:"sources,omitempty"`
Artifacts []*ArtifactInputSpec `json:"artifacts,omitempty"`
}
PackageSourceOrArtifactInputs allows using PackageSourceOrArtifact union as input type to be used in bulk mutations.
Exactly one list must be specified.
type PackageSourceOrArtifactSpec ¶
type PackageSourceOrArtifactSpec struct {
Package *PkgSpec `json:"package,omitempty"`
Source *SourceSpec `json:"source,omitempty"`
Artifact *ArtifactSpec `json:"artifact,omitempty"`
}
PackageSourceOrArtifactSpec allows using PackageSourceOrArtifact union as input type to be used in read queries.
Exactly one of the value must be set to non-nil.
type PackageVersion ¶
type PackageVersion struct {
ID string `json:"id"`
Version string `json:"version"`
Qualifiers []*PackageQualifier `json:"qualifiers"`
Subpath string `json:"subpath"`
}
PackageVersion is a package version.
In the pURL representation, each PackageName matches the pkg:<type>/<namespace>/<name>@<version> pURL.
Versions are optional and each Package type defines own rules for handling them. For this level of GUAC, these are just opaque strings.
NOTE: The handling of versions might change before this schema becomes stable.
This node can be referred to by other parts of GUAC.
Subpath and qualifiers are optional. Lack of qualifiers is represented by an empty list and lack of subpath by empty string (to be consistent with optionality of namespace and version). Two nodes that have different qualifiers and/or subpath but the same version mean two different packages in the trie (they are different). Two nodes that have same version but qualifiers of one are a subset of the qualifier of the other also mean two different packages in the trie.
type PkgEqual ¶
type PkgEqual struct {
ID string `json:"id"`
// Collection of packages that are similar
Packages []*Package `json:"packages"`
// Justification for the claim that the packages are similar
Justification string `json:"justification"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
PkgEqual is an attestation that a set of packages are similar.
type PkgEqualInputSpec ¶
type PkgEqualInputSpec struct {
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
PkgEqualInputSpec represents the input to certify that packages are similar.
type PkgEqualSpec ¶
type PkgEqualSpec struct {
ID *string `json:"id,omitempty"`
Packages []*PkgSpec `json:"packages,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
PkgEqualSpec allows filtering the list of package equality statements to return in a query.
Specifying just one package allows to query for all similar packages (if any exists).
type PkgInputSpec ¶
type PkgInputSpec struct {
Type string `json:"type"`
Namespace *string `json:"namespace,omitempty"`
Name string `json:"name"`
Version *string `json:"version,omitempty"`
Qualifiers []*PackageQualifierInputSpec `json:"qualifiers,omitempty"`
Subpath *string `json:"subpath,omitempty"`
}
PkgInputSpec specifies a package for mutations.
This is different than PkgSpec because we want to encode mandatory fields: type and name. All optional fields are given empty default values.
type PkgMatchType ¶
type PkgMatchType string
PkgMatchType is an enum to determine if the attestation should be done at the specific version or package name.
const ( PkgMatchTypeAllVersions PkgMatchType = "ALL_VERSIONS" PkgMatchTypeSpecificVersion PkgMatchType = "SPECIFIC_VERSION" )
func (PkgMatchType) IsValid ¶
func (e PkgMatchType) IsValid() bool
func (PkgMatchType) MarshalGQL ¶
func (e PkgMatchType) MarshalGQL(w io.Writer)
func (PkgMatchType) String ¶
func (e PkgMatchType) String() string
func (*PkgMatchType) UnmarshalGQL ¶
func (e *PkgMatchType) UnmarshalGQL(v interface{}) error
type PkgNameSpec ¶
type PkgNameSpec struct {
ID *string `json:"id,omitempty"`
Type *string `json:"type,omitempty"`
Namespace *string `json:"namespace,omitempty"`
Name *string `json:"name,omitempty"`
}
PkgNameSpec is used to query for dependent packages.
This is different from PkgSpec as the IsDependency attestation should only be allowed to be made to the packageName node and not the packageVersion node. Versions will be handled by the version_range in the IsDependency attestation node.
type PkgSpec ¶
type PkgSpec struct {
ID *string `json:"id,omitempty"`
Type *string `json:"type,omitempty"`
Namespace *string `json:"namespace,omitempty"`
Name *string `json:"name,omitempty"`
Version *string `json:"version,omitempty"`
Qualifiers []*PackageQualifierSpec `json:"qualifiers,omitempty"`
MatchOnlyEmptyQualifiers *bool `json:"matchOnlyEmptyQualifiers,omitempty"`
Subpath *string `json:"subpath,omitempty"`
}
PkgSpec allows filtering the list of sources to return in a query.
Each field matches a qualifier from pURL. Use null to match on all values at that level. For example, to get all packages in GUAC backend, use a PkgSpec where every field is null.
Empty string at a field means matching with the empty string. If passing in qualifiers, all of the values in the list must match. Since we want to return nodes with any number of qualifiers if no qualifiers are passed in the input, we must also return the same set of nodes it the qualifiers list is empty. To match on nodes that don't contain any qualifier, set matchOnlyEmptyQualifiers to true. If this field is true, then the qualifiers argument is ignored.
type PointOfContact ¶ added in v0.1.1
type PointOfContact struct {
ID string `json:"id"`
Subject PackageSourceOrArtifact `json:"subject"`
Email string `json:"email"`
Info string `json:"info"`
Since time.Time `json:"since"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
PointOfContact is an attestation of how to get in touch with the person(s) responsible for a package, source, or artifact.
All evidence trees record a justification for the property they represent as well as the document that contains the attestation (origin) and the collector that collected the document (collector).
The attestation applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.
email is the email address (singular) of the point of contact.
info is additional contact information other than email address. This is free form.
NOTE: the identifiers for point of contact should be part of software trees. This will benefit from identifier look up and traversal as well as organization hierarchy. However, until the use case arises, PointOfContact will be a flat reference to the contact details.
func (PointOfContact) IsNode ¶ added in v0.1.1
func (PointOfContact) IsNode()
type PointOfContactInputSpec ¶ added in v0.1.1
type PointOfContactInputSpec struct {
Email string `json:"email"`
Info string `json:"info"`
Since time.Time `json:"since"`
Justification string `json:"justification"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
PointOfContactInputSpec represents the mutation input to ingest a PointOfContact evidence.
type PointOfContactSpec ¶ added in v0.1.1
type PointOfContactSpec struct {
ID *string `json:"id,omitempty"`
Subject *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
Email *string `json:"email,omitempty"`
Info *string `json:"info,omitempty"`
Since *time.Time `json:"since,omitempty"`
Justification *string `json:"justification,omitempty"`
Origin *string `json:"origin,omitempty"`
Collector *string `json:"collector,omitempty"`
}
PointOfContactSpec allows filtering the list of PointOfContact evidence to return in a query.
If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.
If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.
since filters attestations with a value of since later or equal to the provided filter.
type SLSAInputSpec ¶
type SLSAInputSpec struct {
BuildType string `json:"buildType"`
SlsaPredicate []*SLSAPredicateInputSpec `json:"slsaPredicate"`
SlsaVersion string `json:"slsaVersion"`
StartedOn *time.Time `json:"startedOn,omitempty"`
FinishedOn *time.Time `json:"finishedOn,omitempty"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
SLSAInputSpec is the same as SLSA but for mutation input.
type SLSAPredicate ¶
SLSAPredicate are the values from the SLSA predicate in key-value pair form.
For example, given the following predicate ¶
```
"predicate": {
"buildDefinition": {
"externalParameters": {
"repository": "https://github.com/octocat/hello-world",
...
},
...
},
...
}
```
we have
``` key = "buildDefinition.externalParameters.repository" value = "https://github.com/octocat/hello-world" ```
This node cannot be directly referred by other parts of GUAC.
type SLSAPredicateInputSpec ¶
SLSAPredicateInputSpec allows ingesting SLSAPredicateSpec.
type SLSAPredicateSpec ¶
SLSAPredicateSpec is the same as SLSAPredicate, but usable as query input.
type Scorecard ¶
type Scorecard struct {
// Individual Scorecard check scores (Branch-Protection, Code-Review, ...)
Checks []*ScorecardCheck `json:"checks"`
// Overall Scorecard score for the source
AggregateScore float64 `json:"aggregateScore"`
// Exact timestamp when the source was last scanned (in RFC 3339 format)
TimeScanned time.Time `json:"timeScanned"`
// Version of the Scorecard scanner used to analyze the source
ScorecardVersion string `json:"scorecardVersion"`
// Commit of the Scorecards repository at the time of scanning the source
ScorecardCommit string `json:"scorecardCommit"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
Scorecard contains all of the fields present in a Scorecard attestation.
We also include fields to specify under what conditions the check was performed (time of scan, version of scanners, etc.) as well as how this information got included into GUAC (origin document and the collector for that document).
type ScorecardCheck ¶
ScorecardCheck are the individual checks from scorecard and their values as a key-value pair.
For example: Branch-Protection, Code-Review...etc
Based off scorecard's:
type jsonCheckResultV2 struct {
Details []string `json:"details"`
Score int `json:"score"`
Reason string `json:"reason"`
Name string `json:"name"`
Doc jsonCheckDocumentationV2 `json:"documentation"`
}
This node cannot be directly referred by other parts of GUAC.
type ScorecardCheckInputSpec ¶
ScorecardCheckInputSpec represents the mutation input for a Scorecard check.
type ScorecardCheckSpec ¶
ScorecardCheckSpec is the same as ScorecardCheck, but usable as query input.
type ScorecardInputSpec ¶
type ScorecardInputSpec struct {
Checks []*ScorecardCheckInputSpec `json:"checks"`
AggregateScore float64 `json:"aggregateScore"`
TimeScanned time.Time `json:"timeScanned"`
ScorecardVersion string `json:"scorecardVersion"`
ScorecardCommit string `json:"scorecardCommit"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
ScorecardInputSpec represents the mutation input to ingest a Scorecard.
type Slsa ¶
type Slsa struct {
// Materials of the build resulting in subject
BuiltFrom []*Artifact `json:"builtFrom"`
// Builder performing the build
BuiltBy *Builder `json:"builtBy"`
// Type of the builder
BuildType string `json:"buildType"`
// Individual predicates found in the attestation
SlsaPredicate []*SLSAPredicate `json:"slsaPredicate"`
// Version of the SLSA predicate
SlsaVersion string `json:"slsaVersion"`
// Timestamp (RFC3339Nano format) of build start time
StartedOn *time.Time `json:"startedOn,omitempty"`
// Timestamp (RFC3339Nano format) of build end time
FinishedOn *time.Time `json:"finishedOn,omitempty"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
SLSA contains all of the fields present in a SLSA attestation.
The materials and builders are objects of the HasSLSA predicate, everything else are properties extracted from the attestation.
We also include fields to specify under what conditions the check was performed (time of scan, version of scanners, etc.) as well as how this information got included into GUAC (origin document and the collector for that document).
type Source ¶
type Source struct {
ID string `json:"id"`
Type string `json:"type"`
Namespaces []*SourceNamespace `json:"namespaces"`
}
Source represents the root of the source trie/tree.
We map source information to a trie, as a derivative of the pURL specification: each path in the trie represents a type, namespace, name and an optional qualifier that stands for tag/commit information.
This node represents the type part of the trie path. It is used to represent the version control system that is being used.
Since this node is at the root of the source trie, it is named Source, not SourceType.
func (Source) IsPackageOrSource ¶
func (Source) IsPackageOrSource()
func (Source) IsPackageSourceOrArtifact ¶
func (Source) IsPackageSourceOrArtifact()
type SourceInputSpec ¶
type SourceInputSpec struct {
Type string `json:"type"`
Namespace string `json:"namespace"`
Name string `json:"name"`
Tag *string `json:"tag,omitempty"`
Commit *string `json:"commit,omitempty"`
}
SourceInputSpec specifies a source for mutations.
This is different than SourceSpec because we want to encode that all fields except tag and commit are mandatory fields. All optional fields are given empty default values.
It is an error to set both tag and commit fields to values different than the default.
type SourceName ¶
type SourceName struct {
ID string `json:"id"`
Name string `json:"name"`
Tag *string `json:"tag,omitempty"`
Commit *string `json:"commit,omitempty"`
}
SourceName represents the url of the repository.
The name field is mandatory. The tag and commit fields are optional, but it is an error to specify both.
This is the only source trie node that can be referenced by other parts of GUAC.
type SourceNamespace ¶
type SourceNamespace struct {
ID string `json:"id"`
Namespace string `json:"namespace"`
Names []*SourceName `json:"names"`
}
SourceNamespace is a namespace for sources.
This is the location of the repository (such as github/gitlab/bitbucket).
The namespace field is mandatory.
type SourceSpec ¶
type SourceSpec struct {
ID *string `json:"id,omitempty"`
Type *string `json:"type,omitempty"`
Namespace *string `json:"namespace,omitempty"`
Name *string `json:"name,omitempty"`
Tag *string `json:"tag,omitempty"`
Commit *string `json:"commit,omitempty"`
}
SourceSpec allows filtering the list of sources to return in a query.
Empty string at a field means matching with the empty string. Missing field means retrieving all possible matches.
It is an error to specify both tag and commit fields, except it both are set as empty string (in which case the returned sources are only those for which there is no tag/commit information).
type VexJustification ¶
type VexJustification string
Records the justification included in the VEX statement.
const ( VexJustificationComponentNotPresent VexJustification = "COMPONENT_NOT_PRESENT" VexJustificationVulnerableCodeNotPresent VexJustification = "VULNERABLE_CODE_NOT_PRESENT" VexJustificationVulnerableCodeNotInExecutePath VexJustification = "VULNERABLE_CODE_NOT_IN_EXECUTE_PATH" VexJustificationVulnerableCodeCannotBeControlledByAdversary VexJustification = "VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY" VexJustificationInlineMitigationsAlreadyExist VexJustification = "INLINE_MITIGATIONS_ALREADY_EXIST" VexJustificationNotProvided VexJustification = "NOT_PROVIDED" )
func (VexJustification) IsValid ¶
func (e VexJustification) IsValid() bool
func (VexJustification) MarshalGQL ¶
func (e VexJustification) MarshalGQL(w io.Writer)
func (VexJustification) String ¶
func (e VexJustification) String() string
func (*VexJustification) UnmarshalGQL ¶
func (e *VexJustification) UnmarshalGQL(v interface{}) error
type VexStatementInputSpec ¶
type VexStatementInputSpec struct {
Status VexStatus `json:"status"`
VexJustification VexJustification `json:"vexJustification"`
Statement string `json:"statement"`
StatusNotes string `json:"statusNotes"`
KnownSince time.Time `json:"knownSince"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
VexStatementInputSpec represents the input to ingest VEX statements.
type VexStatus ¶
type VexStatus string
Records the status of a VEX statement subject.
func (VexStatus) MarshalGQL ¶
func (*VexStatus) UnmarshalGQL ¶
type Vulnerability ¶
type Vulnerability interface {
IsVulnerability()
}
Vulnerability is a union of OSV, CVE, GHSA or the NoVuln node.
type VulnerabilityInput ¶
type VulnerabilityInput struct {
Osv *OSVInputSpec `json:"osv,omitempty"`
Cve *CVEInputSpec `json:"cve,omitempty"`
Ghsa *GHSAInputSpec `json:"ghsa,omitempty"`
NoVuln *bool `json:"noVuln,omitempty"`
}
VulnerabilityInput allows using Vulnerability union as input type to be used in mutations.
Either noVuln must be set to true or one of osv, cve, or ghsa must be set to non-nil. If noVuln is set then this is an ingestion of a known lack of vulnerabilities, so the special NoVuln node will be used by the backend. Otherwise, the specific vulnerability type will be linked to this attestation.
type VulnerabilityMetaData ¶
type VulnerabilityMetaData struct {
// Time of scan (in RFC 3339 format)
TimeScanned time.Time `json:"timeScanned"`
// URI of the vulnerability database used by the scanner
DbURI string `json:"dbUri"`
// Version of the vulnerability database used by the scanner
DbVersion string `json:"dbVersion"`
// URI of the scanner
ScannerURI string `json:"scannerUri"`
// Version of the scanner
ScannerVersion string `json:"scannerVersion"`
// Document from which this attestation is generated from
Origin string `json:"origin"`
// GUAC collector for the document
Collector string `json:"collector"`
}
VulnerabilityMetaData is the metadata attached to vulnerability certification.
It contains metadata about the scanner process that created the certification.
type VulnerabilityMetaDataInput ¶
type VulnerabilityMetaDataInput struct {
TimeScanned time.Time `json:"timeScanned"`
DbURI string `json:"dbUri"`
DbVersion string `json:"dbVersion"`
ScannerURI string `json:"scannerUri"`
ScannerVersion string `json:"scannerVersion"`
Origin string `json:"origin"`
Collector string `json:"collector"`
}
VulnerabilityMetaDataInput represents the input for certifying vulnerability scans in mutations.
type VulnerabilitySpec ¶
type VulnerabilitySpec struct {
Osv *OSVSpec `json:"osv,omitempty"`
Cve *CVESpec `json:"cve,omitempty"`
Ghsa *GHSASpec `json:"ghsa,omitempty"`
NoVuln *bool `json:"noVuln,omitempty"`
}
VulnerabilitySpec allows using Vulnerability union as input type to be used in read queries.
Either noVuln must be set or exactly one of osv, cve or ghsa must be set to non-nil. Setting noVuln to true means retrieving only nodes where there is no vulnerability attached. Setting it to false means retrieving only nodes with identified vulnerabilities. Setting one of the other fields means retrieving certifications for the corresponding vulnerability types.
Source Files