model

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 4, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var AllComparator = []Comparator{
	ComparatorGreater,
	ComparatorEqual,
	ComparatorLess,
	ComparatorGreaterEqual,
	ComparatorLessEqual,
}
View Source 
var AllDependencyType = []DependencyType{
	DependencyTypeDirect,
	DependencyTypeIndirect,
	DependencyTypeUnknown,
}
View Source 
var AllEdge = []Edge{
	EdgeArtifactCertifyBad,
	EdgeArtifactCertifyGood,
	EdgeArtifactCertifyVexStatement,
	EdgeArtifactHashEqual,
	EdgeArtifactHasMetadata,
	EdgeArtifactHasSbom,
	EdgeArtifactHasSlsa,
	EdgeArtifactIsOccurrence,
	EdgeArtifactPointOfContact,
	EdgeBuilderHasSlsa,
	EdgeLicenseCertifyLegal,
	EdgePackageCertifyBad,
	EdgePackageCertifyGood,
	EdgePackageCertifyLegal,
	EdgePackageCertifyVexStatement,
	EdgePackageCertifyVuln,
	EdgePackageHasMetadata,
	EdgePackageHasSbom,
	EdgePackageHasSourceAt,
	EdgePackageIsDependency,
	EdgePackageIsOccurrence,
	EdgePackageNamePackageNamespace,
	EdgePackageNamePackageVersion,
	EdgePackageNamespacePackageName,
	EdgePackageNamespacePackageType,
	EdgePackagePkgEqual,
	EdgePackagePointOfContact,
	EdgePackageTypePackageNamespace,
	EdgePackageVersionPackageName,
	EdgeSourceCertifyBad,
	EdgeSourceCertifyGood,
	EdgeSourceCertifyLegal,
	EdgeSourceCertifyScorecard,
	EdgeSourceHasMetadata,
	EdgeSourceHasSourceAt,
	EdgeSourceIsOccurrence,
	EdgeSourceNameSourceNamespace,
	EdgeSourceNamespaceSourceName,
	EdgeSourceNamespaceSourceType,
	EdgeSourcePointOfContact,
	EdgeSourceTypeSourceNamespace,
	EdgeVulnerabilityCertifyVexStatement,
	EdgeVulnerabilityCertifyVuln,
	EdgeVulnerabilityIDVulnerabilityType,
	EdgeVulnerabilityTypeVulnerabilityID,
	EdgeVulnerabilityVulnEqual,
	EdgeVulnerabilityVulnMetadata,
	EdgeCertifyBadArtifact,
	EdgeCertifyBadPackage,
	EdgeCertifyBadSource,
	EdgeCertifyGoodArtifact,
	EdgeCertifyGoodPackage,
	EdgeCertifyGoodSource,
	EdgeCertifyLegalLicense,
	EdgeCertifyLegalPackage,
	EdgeCertifyLegalSource,
	EdgeCertifyScorecardSource,
	EdgeCertifyVexStatementArtifact,
	EdgeCertifyVexStatementPackage,
	EdgeCertifyVexStatementVulnerability,
	EdgeCertifyVulnPackage,
	EdgeCertifyVulnVulnerability,
	EdgeHashEqualArtifact,
	EdgeHasMetadataArtifact,
	EdgeHasMetadataPackage,
	EdgeHasMetadataSource,
	EdgeHasSbomArtifact,
	EdgeHasSbomPackage,
	EdgeHasSbomIncludedSoftware,
	EdgeHasSbomIncludedDependencies,
	EdgeHasSbomIncludedOccurrences,
	EdgeHasSlsaBuiltBy,
	EdgeHasSlsaMaterials,
	EdgeHasSlsaSubject,
	EdgeHasSourceAtPackage,
	EdgeHasSourceAtSource,
	EdgeIsDependencyPackage,
	EdgeIsOccurrenceArtifact,
	EdgeIsOccurrencePackage,
	EdgeIsOccurrenceSource,
	EdgePkgEqualPackage,
	EdgePointOfContactArtifact,
	EdgePointOfContactPackage,
	EdgePointOfContactSource,
	EdgeVulnEqualVulnerability,
	EdgeVulnMetadataVulnerability,
}
View Source 
var AllFilterOperation = []FilterOperation{
	FilterOperationContains,
	FilterOperationStartswith,
}
View Source 
var AllPkgMatchType = []PkgMatchType{
	PkgMatchTypeAllVersions,
	PkgMatchTypeSpecificVersion,
}
View Source 
var AllVexJustification = []VexJustification{
	VexJustificationComponentNotPresent,
	VexJustificationVulnerableCodeNotPresent,
	VexJustificationVulnerableCodeNotInExecutePath,
	VexJustificationVulnerableCodeCannotBeControlledByAdversary,
	VexJustificationInlineMitigationsAlreadyExist,
	VexJustificationNotProvided,
}
View Source 
var AllVexStatus = []VexStatus{
	VexStatusNotAffected,
	VexStatusAffected,
	VexStatusFixed,
	VexStatusUnderInvestigation,
}
View Source 
var AllVulnerabilityScoreType = []VulnerabilityScoreType{
	VulnerabilityScoreTypeCVSSv2,
	VulnerabilityScoreTypeCVSSv3,
	VulnerabilityScoreTypeEPSSv1,
	VulnerabilityScoreTypeEPSSv2,
	VulnerabilityScoreTypeCVSSv31,
	VulnerabilityScoreTypeCVSSv4,
	VulnerabilityScoreTypeOwasp,
	VulnerabilityScoreTypeSsvc,
}

Functions

This section is empty.

Types

type Artifact 

type Artifact struct {
	ID        string `json:"id"`
	Algorithm string `json:"algorithm"`
	Digest    string `json:"digest"`
}

Artifact represents an artifact identified by a checksum hash.

The checksum is split into the digest value and the algorithm used to generate it. Both fields are mandatory and canonicalized to be lowercase.

If having a checksum Go object, algorithm can be strings.ToLower(string(checksum.Algorithm)) and digest can be checksum.Value.

func (Artifact) IsNode 

func (Artifact) IsNode()

func (Artifact) IsPackageOrArtifact 

func (Artifact) IsPackageOrArtifact()

func (Artifact) IsPackageSourceOrArtifact 

func (Artifact) IsPackageSourceOrArtifact()

type ArtifactInputSpec 

type ArtifactInputSpec struct {
	Algorithm string `json:"algorithm"`
	Digest    string `json:"digest"`
}

ArtifactInputSpec specifies an artifact for mutations.

The checksum fields are canonicalized to be lowercase.

type ArtifactSpec 

type ArtifactSpec struct {
	ID        *string `json:"id,omitempty"`
	Algorithm *string `json:"algorithm,omitempty"`
	Digest    *string `json:"digest,omitempty"`
}

ArtifactSpec allows filtering the list of artifacts to return in a query.

The checksum fields are canonicalized to be lowercase.

type Builder 

type Builder struct {
	ID  string `json:"id"`
	URI string `json:"uri"`
}

Builder represents the builder (e.g., FRSCA or GitHub Actions).

Currently builders are identified by the uri field.

func (Builder) IsNode 

func (Builder) IsNode()

type BuilderInputSpec 

type BuilderInputSpec struct {
	URI string `json:"uri"`
}

BuilderInputSpec specifies a builder for mutations.

type BuilderSpec 

type BuilderSpec struct {
	ID  *string `json:"id,omitempty"`
	URI *string `json:"uri,omitempty"`
}

BuilderSpec allows filtering the list of builders to return in a query.

type CertifyBad 

type CertifyBad struct {
	ID            string                  `json:"id"`
	Subject       PackageSourceOrArtifact `json:"subject"`
	Justification string                  `json:"justification"`
	Origin        string                  `json:"origin"`
	Collector     string                  `json:"collector"`
	KnownSince    time.Time               `json:"knownSince"`
}

CertifyBad is an attestation that a package, source, or artifact is considered bad.

All evidence trees record a justification for the property they represent as well as the document that contains the attestation (origin) and the collector that collected the document (collector).

The certification applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.

func (CertifyBad) IsNode 

func (CertifyBad) IsNode()

type CertifyBadInputSpec 

type CertifyBadInputSpec struct {
	Justification string    `json:"justification"`
	Origin        string    `json:"origin"`
	Collector     string    `json:"collector"`
	KnownSince    time.Time `json:"knownSince"`
}

CertifyBadInputSpec represents the mutation input to ingest a CertifyBad evidence.

type CertifyBadSpec 

type CertifyBadSpec struct {
	ID            *string                      `json:"id,omitempty"`
	Subject       *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
	Justification *string                      `json:"justification,omitempty"`
	Origin        *string                      `json:"origin,omitempty"`
	Collector     *string                      `json:"collector,omitempty"`
	KnownSince    *time.Time                   `json:"knownSince,omitempty"`
}

CertifyBadSpec allows filtering the list of CertifyBad evidence to return in a query.

If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.

If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.

If KnownSince is specified, the returned value will be after or equal to the specified time. Any nodes time that is before KnownSince is excluded.

type CertifyGood 

type CertifyGood struct {
	ID            string                  `json:"id"`
	Subject       PackageSourceOrArtifact `json:"subject"`
	Justification string                  `json:"justification"`
	Origin        string                  `json:"origin"`
	Collector     string                  `json:"collector"`
	KnownSince    time.Time               `json:"knownSince"`
}

CertifyGood is an attestation that a package, source, or artifact is considered good.

All evidence trees record a justification for the property they represent as well as the document that contains the attestation (origin) and the collector that collected the document (collector).

The certification applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.

func (CertifyGood) IsNode 

func (CertifyGood) IsNode()

type CertifyGoodInputSpec 

type CertifyGoodInputSpec struct {
	Justification string    `json:"justification"`
	Origin        string    `json:"origin"`
	Collector     string    `json:"collector"`
	KnownSince    time.Time `json:"knownSince"`
}

CertifyGoodInputSpec represents the mutation input to ingest a CertifyGood evidence.

type CertifyGoodSpec 

type CertifyGoodSpec struct {
	ID            *string                      `json:"id,omitempty"`
	Subject       *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
	Justification *string                      `json:"justification,omitempty"`
	Origin        *string                      `json:"origin,omitempty"`
	Collector     *string                      `json:"collector,omitempty"`
	KnownSince    *time.Time                   `json:"knownSince,omitempty"`
}

CertifyBadSpec allows filtering the list of CertifyBad evidence to return in a query.

If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.

If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.

If KnownSince is specified, the returned value will be after or equal to the specified time. Any nodes time that is before KnownSince is excluded.

type CertifyLegal added in v0.2.0 

type CertifyLegal struct {
	ID string `json:"id"`
	// The package version or source that is attested
	Subject PackageOrSource `json:"subject"`
	// The license expression as delcared
	DeclaredLicense string `json:"declaredLicense"`
	// A list of license objects found in the declared license expression
	DeclaredLicenses []*License `json:"declaredLicenses"`
	// The license expression as discovered by scan
	DiscoveredLicense string `json:"discoveredLicense"`
	// A list of license objects found in the discovered license expression
	DiscoveredLicenses []*License `json:"discoveredLicenses"`
	// Attribution text of the subject
	Attribution string `json:"attribution"`
	// Extra justification for the certification
	Justification string `json:"justification"`
	// Time of scan (in RFC 3339 format)
	TimeScanned time.Time `json:"timeScanned"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

CertifyLegal is an attestation to attach legal information to a package or source.

The certification information is either copied from an attestation found in an SBOM or created by a collector/scanner.

Discovered license is also known as Concluded. More information: https://docs.clearlydefined.io/curation-guidelines#the-difference-between-declared-and-discovered-licenses

Attribution is also known as Copyright Text. It is what could be displayed to comply with notice requirements. https://www.nexb.com/oss-attribution-best-practices/

License expressions follow this format: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/

func (CertifyLegal) IsNode added in v0.2.0 

func (CertifyLegal) IsNode()

type CertifyLegalInputSpec added in v0.2.0 

type CertifyLegalInputSpec struct {
	DeclaredLicense   string    `json:"declaredLicense"`
	DiscoveredLicense string    `json:"discoveredLicense"`
	Attribution       string    `json:"attribution"`
	Justification     string    `json:"justification"`
	TimeScanned       time.Time `json:"timeScanned"`
	Origin            string    `json:"origin"`
	Collector         string    `json:"collector"`
}

CertifyLegalInputSpec represents the input for certifying legal information in mutations.

type CertifyLegalSpec added in v0.2.0 

type CertifyLegalSpec struct {
	ID                 *string              `json:"id,omitempty"`
	Subject            *PackageOrSourceSpec `json:"subject,omitempty"`
	DeclaredLicense    *string              `json:"declaredLicense,omitempty"`
	DeclaredLicenses   []*LicenseSpec       `json:"declaredLicenses,omitempty"`
	DiscoveredLicense  *string              `json:"discoveredLicense,omitempty"`
	DiscoveredLicenses []*LicenseSpec       `json:"discoveredLicenses,omitempty"`
	Attribution        *string              `json:"attribution,omitempty"`
	Justification      *string              `json:"justification,omitempty"`
	TimeScanned        *time.Time           `json:"timeScanned,omitempty"`
	Origin             *string              `json:"origin,omitempty"`
	Collector          *string              `json:"collector,omitempty"`
}

CertifyLegalSpec allows filtering the list of legal certifications to return in a query.

Specifying just the package allows to query for all certifications associated with the package.

type CertifyScorecard 

type CertifyScorecard struct {
	ID string `json:"id"`
	// The source repository that is being scanned (attestation subject)
	Source *Source `json:"source"`
	// The Scorecard attached to the repository (attestation object)
	Scorecard *Scorecard `json:"scorecard"`
}

CertifyScorecard is an attestation to attach a Scorecard analysis to a particular source repository.

func (CertifyScorecard) IsNode 

func (CertifyScorecard) IsNode()

type CertifyScorecardSpec 

type CertifyScorecardSpec struct {
	ID               *string               `json:"id,omitempty"`
	Source           *SourceSpec           `json:"source,omitempty"`
	TimeScanned      *time.Time            `json:"timeScanned,omitempty"`
	AggregateScore   *float64              `json:"aggregateScore,omitempty"`
	Checks           []*ScorecardCheckSpec `json:"checks,omitempty"`
	ScorecardVersion *string               `json:"scorecardVersion,omitempty"`
	ScorecardCommit  *string               `json:"scorecardCommit,omitempty"`
	Origin           *string               `json:"origin,omitempty"`
	Collector        *string               `json:"collector,omitempty"`
}

CertifyScorecardSpec allows filtering the list of Scorecards to return.

type CertifyVEXStatement 

type CertifyVEXStatement struct {
	ID string `json:"id"`
	// Subject of attestation
	Subject PackageOrArtifact `json:"subject"`
	// Attested vulnerability
	Vulnerability *Vulnerability `json:"vulnerability"`
	// Status of the vulnerabilities with respect to the subject
	Status VexStatus `json:"status"`
	// Justification from VEX statement
	VexJustification VexJustification `json:"vexJustification"`
	// VEX statement: impact_statement or action_statement depending on status
	Statement string `json:"statement"`
	// statusNotes may convey information about how status was determined
	StatusNotes string `json:"statusNotes"`
	// Timestamp (exact time in RFC 3339 format) for the VEX statement
	KnownSince time.Time `json:"knownSince"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

CertifyVEXStatement is an attestation to attach VEX statements to a package or artifact to clarify the impact of a specific vulnerability.

func (CertifyVEXStatement) IsNode 

func (CertifyVEXStatement) IsNode()

type CertifyVEXStatementSpec 

type CertifyVEXStatementSpec struct {
	ID               *string                `json:"id,omitempty"`
	Subject          *PackageOrArtifactSpec `json:"subject,omitempty"`
	Vulnerability    *VulnerabilitySpec     `json:"vulnerability,omitempty"`
	Status           *VexStatus             `json:"status,omitempty"`
	VexJustification *VexJustification      `json:"vexJustification,omitempty"`
	Statement        *string                `json:"statement,omitempty"`
	StatusNotes      *string                `json:"statusNotes,omitempty"`
	KnownSince       *time.Time             `json:"knownSince,omitempty"`
	Origin           *string                `json:"origin,omitempty"`
	Collector        *string                `json:"collector,omitempty"`
}

CertifyVEXStatementSpec allows filtering the list of VEX statements to return in a query.

Only one subject type (package or artifact) and one vulnerability may be specified.

Note that setting noVuln vulnerability type is invalid for VEX statements!

type CertifyVuln 

type CertifyVuln struct {
	ID string `json:"id"`
	// The package that is attested
	Package *Package `json:"package"`
	// The vulnerability can be an be a specific vulnerability or NoVuln type.
	Vulnerability *Vulnerability `json:"vulnerability"`
	// Metadata attached to the certification
	Metadata *ScanMetadata `json:"metadata"`
}

CertifyVuln is an attestation to attach vulnerability information to a package.

This information is obtained via a scanner. If there is no vulnerability detected, we attach the a vulnerability with "NoVuln" type and an empty string for the vulnerability ID.

func (CertifyVuln) IsNode 

func (CertifyVuln) IsNode()

type CertifyVulnSpec 

type CertifyVulnSpec struct {
	ID             *string            `json:"id,omitempty"`
	Package        *PkgSpec           `json:"package,omitempty"`
	Vulnerability  *VulnerabilitySpec `json:"vulnerability,omitempty"`
	TimeScanned    *time.Time         `json:"timeScanned,omitempty"`
	DbURI          *string            `json:"dbUri,omitempty"`
	DbVersion      *string            `json:"dbVersion,omitempty"`
	ScannerURI     *string            `json:"scannerUri,omitempty"`
	ScannerVersion *string            `json:"scannerVersion,omitempty"`
	Origin         *string            `json:"origin,omitempty"`
	Collector      *string            `json:"collector,omitempty"`
}

CertifyVulnSpec allows filtering the list of vulnerability certifications to return in a query.

Specifying just the package allows to query for all vulnerabilities associated with the package.

Only one vulnerability (or NoVuln vulnerability type) may be specified.

type Comparator added in v0.2.0 

type Comparator string

The Comparator is used by the vulnerability score filter on ranges 

const (
	ComparatorGreater      Comparator = "GREATER"
	ComparatorEqual        Comparator = "EQUAL"
	ComparatorLess         Comparator = "LESS"
	ComparatorGreaterEqual Comparator = "GREATER_EQUAL"
	ComparatorLessEqual    Comparator = "LESS_EQUAL"
)

func (Comparator) IsValid added in v0.2.0 

func (e Comparator) IsValid() bool

func (Comparator) MarshalGQL added in v0.2.0 

func (e Comparator) MarshalGQL(w io.Writer)

func (Comparator) String added in v0.2.0 

func (e Comparator) String() string

func (*Comparator) UnmarshalGQL added in v0.2.0 

func (e *Comparator) UnmarshalGQL(v interface{}) error

type DependencyType 

type DependencyType string

DependencyType determines the type of the dependency. 

const (
	// direct dependency
	DependencyTypeDirect DependencyType = "DIRECT"
	// indirect dependency
	DependencyTypeIndirect DependencyType = "INDIRECT"
	// type not known/not specified
	DependencyTypeUnknown DependencyType = "UNKNOWN"
)

func (DependencyType) IsValid 

func (e DependencyType) IsValid() bool

func (DependencyType) MarshalGQL 

func (e DependencyType) MarshalGQL(w io.Writer)

func (DependencyType) String 

func (e DependencyType) String() string

func (*DependencyType) UnmarshalGQL 

func (e *DependencyType) UnmarshalGQL(v interface{}) error

type Edge 

type Edge string

Edge allows filtering path/neighbors output to only contain a subset of all possible GUAC links.

Each member of the enum is formed by merging two Node names with _. Each name is converted from CamelCase to CAPITALS_WITH_UNDERSCORES. Only valid edges (pairs from Node to Node) are included. Edges are defined in both directions, which means nodes can be traversed from either direction.

The only exception to the above rule is for links out of HasSLSA. The names are HAS_SLSA_SUBJECT, HAS_SLSA_BUILT_BY, and HAS_SLSA_MATERIALS. This is because ARTIFACT_HAS_SLSA is only from subject Artifact to HasSLSA. 

const (
	EdgeArtifactCertifyBad               Edge = "ARTIFACT_CERTIFY_BAD"
	EdgeArtifactCertifyGood              Edge = "ARTIFACT_CERTIFY_GOOD"
	EdgeArtifactCertifyVexStatement      Edge = "ARTIFACT_CERTIFY_VEX_STATEMENT"
	EdgeArtifactHashEqual                Edge = "ARTIFACT_HASH_EQUAL"
	EdgeArtifactHasMetadata              Edge = "ARTIFACT_HAS_METADATA"
	EdgeArtifactHasSbom                  Edge = "ARTIFACT_HAS_SBOM"
	EdgeArtifactHasSlsa                  Edge = "ARTIFACT_HAS_SLSA"
	EdgeArtifactIsOccurrence             Edge = "ARTIFACT_IS_OCCURRENCE"
	EdgeArtifactPointOfContact           Edge = "ARTIFACT_POINT_OF_CONTACT"
	EdgeBuilderHasSlsa                   Edge = "BUILDER_HAS_SLSA"
	EdgeLicenseCertifyLegal              Edge = "LICENSE_CERTIFY_LEGAL"
	EdgePackageCertifyBad                Edge = "PACKAGE_CERTIFY_BAD"
	EdgePackageCertifyGood               Edge = "PACKAGE_CERTIFY_GOOD"
	EdgePackageCertifyLegal              Edge = "PACKAGE_CERTIFY_LEGAL"
	EdgePackageCertifyVexStatement       Edge = "PACKAGE_CERTIFY_VEX_STATEMENT"
	EdgePackageCertifyVuln               Edge = "PACKAGE_CERTIFY_VULN"
	EdgePackageHasMetadata               Edge = "PACKAGE_HAS_METADATA"
	EdgePackageHasSbom                   Edge = "PACKAGE_HAS_SBOM"
	EdgePackageHasSourceAt               Edge = "PACKAGE_HAS_SOURCE_AT"
	EdgePackageIsDependency              Edge = "PACKAGE_IS_DEPENDENCY"
	EdgePackageIsOccurrence              Edge = "PACKAGE_IS_OCCURRENCE"
	EdgePackageNamePackageNamespace      Edge = "PACKAGE_NAME_PACKAGE_NAMESPACE"
	EdgePackageNamePackageVersion        Edge = "PACKAGE_NAME_PACKAGE_VERSION"
	EdgePackageNamespacePackageName      Edge = "PACKAGE_NAMESPACE_PACKAGE_NAME"
	EdgePackageNamespacePackageType      Edge = "PACKAGE_NAMESPACE_PACKAGE_TYPE"
	EdgePackagePkgEqual                  Edge = "PACKAGE_PKG_EQUAL"
	EdgePackagePointOfContact            Edge = "PACKAGE_POINT_OF_CONTACT"
	EdgePackageTypePackageNamespace      Edge = "PACKAGE_TYPE_PACKAGE_NAMESPACE"
	EdgePackageVersionPackageName        Edge = "PACKAGE_VERSION_PACKAGE_NAME"
	EdgeSourceCertifyBad                 Edge = "SOURCE_CERTIFY_BAD"
	EdgeSourceCertifyGood                Edge = "SOURCE_CERTIFY_GOOD"
	EdgeSourceCertifyLegal               Edge = "SOURCE_CERTIFY_LEGAL"
	EdgeSourceCertifyScorecard           Edge = "SOURCE_CERTIFY_SCORECARD"
	EdgeSourceHasMetadata                Edge = "SOURCE_HAS_METADATA"
	EdgeSourceHasSourceAt                Edge = "SOURCE_HAS_SOURCE_AT"
	EdgeSourceIsOccurrence               Edge = "SOURCE_IS_OCCURRENCE"
	EdgeSourceNameSourceNamespace        Edge = "SOURCE_NAME_SOURCE_NAMESPACE"
	EdgeSourceNamespaceSourceName        Edge = "SOURCE_NAMESPACE_SOURCE_NAME"
	EdgeSourceNamespaceSourceType        Edge = "SOURCE_NAMESPACE_SOURCE_TYPE"
	EdgeSourcePointOfContact             Edge = "SOURCE_POINT_OF_CONTACT"
	EdgeSourceTypeSourceNamespace        Edge = "SOURCE_TYPE_SOURCE_NAMESPACE"
	EdgeVulnerabilityCertifyVexStatement Edge = "VULNERABILITY_CERTIFY_VEX_STATEMENT"
	EdgeVulnerabilityCertifyVuln         Edge = "VULNERABILITY_CERTIFY_VULN"
	EdgeVulnerabilityIDVulnerabilityType Edge = "VULNERABILITY_ID_VULNERABILITY_TYPE"
	EdgeVulnerabilityTypeVulnerabilityID Edge = "VULNERABILITY_TYPE_VULNERABILITY_ID"
	EdgeVulnerabilityVulnEqual           Edge = "VULNERABILITY_VULN_EQUAL"
	EdgeVulnerabilityVulnMetadata        Edge = "VULNERABILITY_VULN_METADATA"
	EdgeCertifyBadArtifact               Edge = "CERTIFY_BAD_ARTIFACT"
	EdgeCertifyBadPackage                Edge = "CERTIFY_BAD_PACKAGE"
	EdgeCertifyBadSource                 Edge = "CERTIFY_BAD_SOURCE"
	EdgeCertifyGoodArtifact              Edge = "CERTIFY_GOOD_ARTIFACT"
	EdgeCertifyGoodPackage               Edge = "CERTIFY_GOOD_PACKAGE"
	EdgeCertifyGoodSource                Edge = "CERTIFY_GOOD_SOURCE"
	EdgeCertifyLegalLicense              Edge = "CERTIFY_LEGAL_LICENSE"
	EdgeCertifyLegalPackage              Edge = "CERTIFY_LEGAL_PACKAGE"
	EdgeCertifyLegalSource               Edge = "CERTIFY_LEGAL_SOURCE"
	EdgeCertifyScorecardSource           Edge = "CERTIFY_SCORECARD_SOURCE"
	EdgeCertifyVexStatementArtifact      Edge = "CERTIFY_VEX_STATEMENT_ARTIFACT"
	EdgeCertifyVexStatementPackage       Edge = "CERTIFY_VEX_STATEMENT_PACKAGE"
	EdgeCertifyVexStatementVulnerability Edge = "CERTIFY_VEX_STATEMENT_VULNERABILITY"
	EdgeCertifyVulnPackage               Edge = "CERTIFY_VULN_PACKAGE"
	EdgeCertifyVulnVulnerability         Edge = "CERTIFY_VULN_VULNERABILITY"
	EdgeHashEqualArtifact                Edge = "HASH_EQUAL_ARTIFACT"
	EdgeHasMetadataArtifact              Edge = "HAS_METADATA_ARTIFACT"
	EdgeHasMetadataPackage               Edge = "HAS_METADATA_PACKAGE"
	EdgeHasMetadataSource                Edge = "HAS_METADATA_SOURCE"
	EdgeHasSbomArtifact                  Edge = "HAS_SBOM_ARTIFACT"
	EdgeHasSbomPackage                   Edge = "HAS_SBOM_PACKAGE"
	EdgeHasSbomIncludedSoftware          Edge = "HAS_SBOM_INCLUDED_SOFTWARE"
	EdgeHasSbomIncludedDependencies      Edge = "HAS_SBOM_INCLUDED_DEPENDENCIES"
	EdgeHasSbomIncludedOccurrences       Edge = "HAS_SBOM_INCLUDED_OCCURRENCES"
	EdgeHasSlsaBuiltBy                   Edge = "HAS_SLSA_BUILT_BY"
	EdgeHasSlsaMaterials                 Edge = "HAS_SLSA_MATERIALS"
	EdgeHasSlsaSubject                   Edge = "HAS_SLSA_SUBJECT"
	EdgeHasSourceAtPackage               Edge = "HAS_SOURCE_AT_PACKAGE"
	EdgeHasSourceAtSource                Edge = "HAS_SOURCE_AT_SOURCE"
	EdgeIsDependencyPackage              Edge = "IS_DEPENDENCY_PACKAGE"
	EdgeIsOccurrenceArtifact             Edge = "IS_OCCURRENCE_ARTIFACT"
	EdgeIsOccurrencePackage              Edge = "IS_OCCURRENCE_PACKAGE"
	EdgeIsOccurrenceSource               Edge = "IS_OCCURRENCE_SOURCE"
	EdgePkgEqualPackage                  Edge = "PKG_EQUAL_PACKAGE"
	EdgePointOfContactArtifact           Edge = "POINT_OF_CONTACT_ARTIFACT"
	EdgePointOfContactPackage            Edge = "POINT_OF_CONTACT_PACKAGE"
	EdgePointOfContactSource             Edge = "POINT_OF_CONTACT_SOURCE"
	EdgeVulnEqualVulnerability           Edge = "VULN_EQUAL_VULNERABILITY"
	EdgeVulnMetadataVulnerability        Edge = "VULN_METADATA_VULNERABILITY"
)

func (Edge) IsValid 

func (e Edge) IsValid() bool

func (Edge) MarshalGQL 

func (e Edge) MarshalGQL(w io.Writer)

func (Edge) String 

func (e Edge) String() string

func (*Edge) UnmarshalGQL 

func (e *Edge) UnmarshalGQL(v interface{}) error

type FilterOperation added in v0.4.0 

type FilterOperation string
const (
	FilterOperationContains   FilterOperation = "CONTAINS"
	FilterOperationStartswith FilterOperation = "STARTSWITH"
)

func (FilterOperation) IsValid added in v0.4.0 

func (e FilterOperation) IsValid() bool

func (FilterOperation) MarshalGQL added in v0.4.0 

func (e FilterOperation) MarshalGQL(w io.Writer)

func (FilterOperation) String added in v0.4.0 

func (e FilterOperation) String() string

func (*FilterOperation) UnmarshalGQL added in v0.4.0 

func (e *FilterOperation) UnmarshalGQL(v interface{}) error

type HasMetadata added in v0.1.1 

type HasMetadata struct {
	ID            string                  `json:"id"`
	Subject       PackageSourceOrArtifact `json:"subject"`
	Key           string                  `json:"key"`
	Value         string                  `json:"value"`
	Timestamp     time.Time               `json:"timestamp"`
	Justification string                  `json:"justification"`
	Origin        string                  `json:"origin"`
	Collector     string                  `json:"collector"`
}

HasMetadata is an attestation that a package, source, or artifact has a certain attested property (key) with value (value). For example, a source may have metadata "SourceRepo2FAEnabled=true".

The intent of this evidence tree predicate is to allow extensibility of metadata expressible within the GUAC ontology. Metadata that is commonly used will then be promoted to a predicate on its own.

Justification indicates how the metadata was determined.

The metadata applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.

func (HasMetadata) IsNode added in v0.1.1 

func (HasMetadata) IsNode()

type HasMetadataInputSpec added in v0.1.1 

type HasMetadataInputSpec struct {
	Key           string    `json:"key"`
	Value         string    `json:"value"`
	Timestamp     time.Time `json:"timestamp"`
	Justification string    `json:"justification"`
	Origin        string    `json:"origin"`
	Collector     string    `json:"collector"`
}

HasMetadataInputSpec represents the mutation input to ingest a CertifyGood evidence.

type HasMetadataSpec added in v0.1.1 

type HasMetadataSpec struct {
	ID            *string                      `json:"id,omitempty"`
	Subject       *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
	Since         *time.Time                   `json:"since,omitempty"`
	Key           *string                      `json:"key,omitempty"`
	Value         *string                      `json:"value,omitempty"`
	Justification *string                      `json:"justification,omitempty"`
	Origin        *string                      `json:"origin,omitempty"`
	Collector     *string                      `json:"collector,omitempty"`
}

HasMetadataSpec allows filtering the list of HasMetadata evidence to return in a query.

If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.

If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.

since specified indicates filtering timestamps after the specified time

type HasSBOMIncludesInputSpec added in v0.4.0 

type HasSBOMIncludesInputSpec struct {
	Packages     []string `json:"packages"`
	Artifacts    []string `json:"artifacts"`
	Dependencies []string `json:"dependencies"`
	Occurrences  []string `json:"occurrences"`
}

type HasSBOMInputSpec 

type HasSBOMInputSpec struct {
	URI              string    `json:"uri"`
	Algorithm        string    `json:"algorithm"`
	Digest           string    `json:"digest"`
	DownloadLocation string    `json:"downloadLocation"`
	Origin           string    `json:"origin"`
	Collector        string    `json:"collector"`
	KnownSince       time.Time `json:"knownSince"`
}

HasSBOMInputSpec is similar to HasSBOM but for mutation input.

type HasSBOMSpec 

type HasSBOMSpec struct {
	ID                   *string                  `json:"id,omitempty"`
	Subject              *PackageOrArtifactSpec   `json:"subject,omitempty"`
	URI                  *string                  `json:"uri,omitempty"`
	Algorithm            *string                  `json:"algorithm,omitempty"`
	Digest               *string                  `json:"digest,omitempty"`
	DownloadLocation     *string                  `json:"downloadLocation,omitempty"`
	Origin               *string                  `json:"origin,omitempty"`
	Collector            *string                  `json:"collector,omitempty"`
	KnownSince           *time.Time               `json:"knownSince,omitempty"`
	IncludedSoftware     []*PackageOrArtifactSpec `json:"includedSoftware,omitempty"`
	IncludedDependencies []*IsDependencySpec      `json:"includedDependencies,omitempty"`
	IncludedOccurrences  []*IsOccurrenceSpec      `json:"includedOccurrences,omitempty"`
}

HasSBOMSpec allows filtering the list of HasSBOM to return.

Only the package or artifact can be added, not both.

If KnownSince is specified, the returned value will be after or equal to the specified time. Any nodes time that is before KnownSince is excluded.

type HasSLSASpec 

type HasSLSASpec struct {
	ID          *string              `json:"id,omitempty"`
	Subject     *ArtifactSpec        `json:"subject,omitempty"`
	BuiltFrom   []*ArtifactSpec      `json:"builtFrom,omitempty"`
	BuiltBy     *BuilderSpec         `json:"builtBy,omitempty"`
	BuildType   *string              `json:"buildType,omitempty"`
	Predicate   []*SLSAPredicateSpec `json:"predicate,omitempty"`
	SlsaVersion *string              `json:"slsaVersion,omitempty"`
	StartedOn   *time.Time           `json:"startedOn,omitempty"`
	FinishedOn  *time.Time           `json:"finishedOn,omitempty"`
	Origin      *string              `json:"origin,omitempty"`
	Collector   *string              `json:"collector,omitempty"`
}

HasSLSASpec allows filtering the list of HasSLSA to return.

type HasSbom 

type HasSbom struct {
	ID string `json:"id"`
	// SBOM subject
	Subject PackageOrArtifact `json:"subject"`
	// Identifier for the SBOM document
	URI string `json:"uri"`
	// Algorithm by which SBOMs digest was computed
	Algorithm string `json:"algorithm"`
	// Digest of SBOM
	Digest string `json:"digest"`
	// Location from which the SBOM can be downloaded
	DownloadLocation string `json:"downloadLocation"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
	// Timestamp for SBOM creation
	KnownSince time.Time `json:"knownSince"`
	// Included packages and artifacts
	IncludedSoftware []PackageOrArtifact `json:"includedSoftware"`
	// Included dependencies
	IncludedDependencies []*IsDependency `json:"includedDependencies"`
	// Included occurrences
	IncludedOccurrences []*IsOccurrence `json:"includedOccurrences"`
}

func (HasSbom) IsNode 

func (HasSbom) IsNode()

type HasSlsa 

type HasSlsa struct {
	ID string `json:"id"`
	// The subject of SLSA attestation
	Subject *Artifact `json:"subject"`
	// The SLSA attestation
	Slsa *Slsa `json:"slsa"`
}

HasSLSA records that a subject node has a SLSA attestation.

func (HasSlsa) IsNode 

func (HasSlsa) IsNode()

type HasSourceAt 

type HasSourceAt struct {
	ID string `json:"id"`
	// The subject of the attestation: can be a PackageName or a PackageVersion
	Package *Package `json:"package"`
	// Source repository from which the package is built
	Source *Source `json:"source"`
	// Timestamp since this link between package and source was certified
	KnownSince time.Time `json:"knownSince"`
	// Justification for the attested relationship
	Justification string `json:"justification"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

HasSourceAt records that a package's repository is a given source.

func (HasSourceAt) IsNode 

func (HasSourceAt) IsNode()

type HasSourceAtInputSpec 

type HasSourceAtInputSpec struct {
	KnownSince    time.Time `json:"knownSince"`
	Justification string    `json:"justification"`
	Origin        string    `json:"origin"`
	Collector     string    `json:"collector"`
}

HasSourceAtInputSpec is the same as HasSourceAt but for mutation input.

type HasSourceAtSpec 

type HasSourceAtSpec struct {
	ID            *string     `json:"id,omitempty"`
	Package       *PkgSpec    `json:"package,omitempty"`
	Source        *SourceSpec `json:"source,omitempty"`
	KnownSince    *time.Time  `json:"knownSince,omitempty"`
	Justification *string     `json:"justification,omitempty"`
	Origin        *string     `json:"origin,omitempty"`
	Collector     *string     `json:"collector,omitempty"`
}

HasSourceAtSpec allows filtering the list of HasSourceAt to return.

type HashEqual 

type HashEqual struct {
	ID string `json:"id"`
	// Collection of artifacts that are similar
	Artifacts []*Artifact `json:"artifacts"`
	// Justification for the claim that the artifacts are similar
	Justification string `json:"justification"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

HashEqual is an attestation that a set of artifacts are identical.

func (HashEqual) IsNode 

func (HashEqual) IsNode()

type HashEqualInputSpec 

type HashEqualInputSpec struct {
	Justification string `json:"justification"`
	Origin        string `json:"origin"`
	Collector     string `json:"collector"`
}

HashEqualInputSpec represents the input to certify that packages are similar.

type HashEqualSpec 

type HashEqualSpec struct {
	ID            *string         `json:"id,omitempty"`
	Artifacts     []*ArtifactSpec `json:"artifacts,omitempty"`
	Justification *string         `json:"justification,omitempty"`
	Origin        *string         `json:"origin,omitempty"`
	Collector     *string         `json:"collector,omitempty"`
}

HashEqualSpec allows filtering the list of artifact equality statements to return in a query.

Specifying just one artifact allows to query for all similar artifacts (if any exists).

type IDorArtifactInput added in v0.5.0 

type IDorArtifactInput struct {
	ArtifactID    *string            `json:"artifactID,omitempty"`
	ArtifactInput *ArtifactInputSpec `json:"artifactInput,omitempty"`
}

IDorArtifactInput allows for specifying either the artifact ID or the ArtifactInputSpec.

Either the ID or the ArtifactInputSpec must be specified. Both cannot be nil.

If the ID is specified, the ArtifactInputSpec is not used.

type IDorBuilderInput added in v0.5.0 

type IDorBuilderInput struct {
	BuilderID    *string           `json:"builderID,omitempty"`
	BuilderInput *BuilderInputSpec `json:"builderInput,omitempty"`
}

IDorBuilderInput allows for specifying either the builder ID or the BuilderInputSpec.

Either the ID or the BuilderInputSpec must be specified. Both cannot be nil.

If the ID is specified, the BuilderInputSpec is not used.

type IDorLicenseInput added in v0.5.0 

type IDorLicenseInput struct {
	LicenseID    *string           `json:"licenseID,omitempty"`
	LicenseInput *LicenseInputSpec `json:"licenseInput,omitempty"`
}

IDorLicenseInput allows for specifying either the license ID or the LicenseInputSpec.

Either the ID or the LicenseInputSpec must be specified. Both cannot be nil.

If the ID is specified, the LicenseInputSpec is not used.

type IDorPkgInput added in v0.5.0 

type IDorPkgInput struct {
	PackageTypeID      *string       `json:"packageTypeID,omitempty"`
	PackageNamespaceID *string       `json:"packageNamespaceID,omitempty"`
	PackageNameID      *string       `json:"packageNameID,omitempty"`
	PackageVersionID   *string       `json:"packageVersionID,omitempty"`
	PackageInput       *PkgInputSpec `json:"packageInput,omitempty"`
}

IDorPkgInput allows for specifying either the package IDs or the PkgInputSpec.

Either the IDs or the PkgInputSpec must be specified. Both cannot be nil.

If the IDs are specified, the PkgInputSpec is not used.

type IDorSourceInput added in v0.5.0 

type IDorSourceInput struct {
	SourceTypeID      *string          `json:"sourceTypeID,omitempty"`
	SourceNamespaceID *string          `json:"sourceNamespaceID,omitempty"`
	SourceNameID      *string          `json:"sourceNameID,omitempty"`
	SourceInput       *SourceInputSpec `json:"sourceInput,omitempty"`
}

IDorSourceInput allows for specifying either the source IDs or the SourceInputSpec.

Either the IDs or the SourceInputSpec must be specified. Both cannot be nil.

If the IDs are specified, the SourceInputSpec is not used.

type IDorVulnerabilityInput added in v0.5.0 

type IDorVulnerabilityInput struct {
	VulnerabilityTypeID *string                 `json:"vulnerabilityTypeID,omitempty"`
	VulnerabilityNodeID *string                 `json:"vulnerabilityNodeID,omitempty"`
	VulnerabilityInput  *VulnerabilityInputSpec `json:"vulnerabilityInput,omitempty"`
}

IDorVulnerabilityInput allows for specifying either the vulnerability IDs or the VulnerabilityInputSpec.

Either the IDs or the VulnerabilityInputSpec must be specified. Both cannot be nil.

If the IDs are specified, the VulnerabilityInputSpec is not used.

type IsDependency 

type IsDependency struct {
	ID string `json:"id"`
	// Package that has the dependency
	Package *Package `json:"package"`
	// Package for the dependency; MUST be PackageName or PackageVersion
	DependencyPackage *Package `json:"dependencyPackage"`
	// Version range for the dependency link, required if depedentPackage points to PackageName
	VersionRange string `json:"versionRange"`
	// Type of dependency
	DependencyType DependencyType `json:"dependencyType"`
	// Justification for the attested relationship
	Justification string `json:"justification"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

IsDependency is an attestation to record that a package depends on another.

func (IsDependency) IsNode 

func (IsDependency) IsNode()

type IsDependencyInputSpec 

type IsDependencyInputSpec struct {
	// versionRange should be specified for depedentPackages that point to PackageName
	VersionRange   string         `json:"versionRange"`
	DependencyType DependencyType `json:"dependencyType"`
	Justification  string         `json:"justification"`
	Origin         string         `json:"origin"`
	Collector      string         `json:"collector"`
}

IsDependencyInputSpec is the input to record a new dependency.

type IsDependencySpec 

type IsDependencySpec struct {
	ID                *string         `json:"id,omitempty"`
	Package           *PkgSpec        `json:"package,omitempty"`
	DependencyPackage *PkgSpec        `json:"dependencyPackage,omitempty"`
	VersionRange      *string         `json:"versionRange,omitempty"`
	DependencyType    *DependencyType `json:"dependencyType,omitempty"`
	Justification     *string         `json:"justification,omitempty"`
	Origin            *string         `json:"origin,omitempty"`
	Collector         *string         `json:"collector,omitempty"`
}

IsDependencySpec allows filtering the list of dependencies to return.

To obtain the list of dependency packages, caller must fill in the package field.

Dependency packages must be defined at PackageName, not PackageVersion.

type IsOccurrence 

type IsOccurrence struct {
	ID string `json:"id"`
	// Package or source from which the artifact originates
	Subject PackageOrSource `json:"subject"`
	// The artifact in the relationship
	Artifact *Artifact `json:"artifact"`
	// Justification for the attested relationship
	Justification string `json:"justification"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

IsOccurrence is an attestation to link an artifact to a package or source.

Attestation must occur at the PackageVersion or at the SourceName.

func (IsOccurrence) IsNode 

func (IsOccurrence) IsNode()

type IsOccurrenceInputSpec 

type IsOccurrenceInputSpec struct {
	Justification string `json:"justification"`
	Origin        string `json:"origin"`
	Collector     string `json:"collector"`
}

IsOccurrenceInputSpec represents the input to record an artifact's origin.

type IsOccurrenceSpec 

type IsOccurrenceSpec struct {
	ID            *string              `json:"id,omitempty"`
	Subject       *PackageOrSourceSpec `json:"subject,omitempty"`
	Artifact      *ArtifactSpec        `json:"artifact,omitempty"`
	Justification *string              `json:"justification,omitempty"`
	Origin        *string              `json:"origin,omitempty"`
	Collector     *string              `json:"collector,omitempty"`
}

IsOccurrenceSpec allows filtering the list of artifact occurences to return in a query.

type License added in v0.2.0 

type License struct {
	ID          string  `json:"id"`
	Name        string  `json:"name"`
	Inline      *string `json:"inline,omitempty"`
	ListVersion *string `json:"listVersion,omitempty"`
}

License represents a particular license. If the license is found on the SPDX license list (https://spdx.org/licenses/) then the fields should be:

Name: SPDX license identifier Inline: empty ListVersion: SPDX license list version

example:

Name: AGPL-3.0-or-later Inline: "" ListVersion: 3.21 2023-06-18

If the license is not on the SPDX license list, then a new guid should be created and the license text placed inline:

Name: LicenseRef-<guid> Inline: Full license text ListVersion: empty

example:

Name: LicenseRef-1a2b3c Inline: Permission to use, copy, modify, and/or distribute ... ListVersion: ""

func (License) IsNode added in v0.2.0 

func (License) IsNode()

type LicenseInputSpec added in v0.2.0 

type LicenseInputSpec struct {
	Name        string  `json:"name"`
	Inline      *string `json:"inline,omitempty"`
	ListVersion *string `json:"listVersion,omitempty"`
}

LicenseInputSpec specifies an license for mutations. One of inline or listVersion should be empty or missing.

type LicenseSpec added in v0.2.0 

type LicenseSpec struct {
	ID          *string `json:"id,omitempty"`
	Name        *string `json:"name,omitempty"`
	Inline      *string `json:"inline,omitempty"`
	ListVersion *string `json:"listVersion,omitempty"`
}

LicenseSpec allows filtering the list of licenses to return in a query.

type MatchFlags 

type MatchFlags struct {
	Pkg PkgMatchType `json:"pkg"`
}

MatchFlags is used to input the PkgMatchType enum.

type Mutation added in v0.5.0 

type Mutation struct {
}

type Node 

type Node interface {
	IsNode()
}

Node is a union type of all the possible nodes.

It encapsulates the software tree nodes along with the evidence nodes. In a path query, all connecting evidence nodes along with their intermediate subject nodes need to be returned in order to create a complete graph.

type Package 

type Package struct {
	ID         string              `json:"id"`
	Type       string              `json:"type"`
	Namespaces []*PackageNamespace `json:"namespaces"`
}

Package represents the root of the package trie/tree.

We map package information to a trie, closely matching the pURL specification (https://github.com/package-url/purl-spec/blob/0dd92f26f8bb11956ffdf5e8acfcee71e8560407/README.rst), but deviating from it where GUAC heuristics allow for better representation of package information. Each path in the trie fully represents a package; we split the trie based on the pURL components.

This node matches a pkg:<type> partial pURL. The type field matches the pURL types but we might also use "guac" for the cases where the pURL representation is not complete or when we have custom rules.

Since this node is at the root of the package trie, it is named Package, not PackageType.

func (Package) IsNode 

func (Package) IsNode()

func (Package) IsPackageOrArtifact 

func (Package) IsPackageOrArtifact()

func (Package) IsPackageOrSource 

func (Package) IsPackageOrSource()

func (Package) IsPackageSourceOrArtifact 

func (Package) IsPackageSourceOrArtifact()

type PackageIDs added in v0.4.0 

type PackageIDs struct {
	PackageTypeID      string `json:"packageTypeID"`
	PackageNamespaceID string `json:"packageNamespaceID"`
	PackageNameID      string `json:"packageNameID"`
	PackageVersionID   string `json:"packageVersionID"`
}

The IDs of the ingested package

type PackageName 

type PackageName struct {
	ID       string            `json:"id"`
	Name     string            `json:"name"`
	Versions []*PackageVersion `json:"versions"`
}

PackageName is a name for packages.

In the pURL representation, each PackageName matches the pkg:<type>/<namespace>/<name> pURL.

Names are always mandatory.

This is the first node in the trie that can be referred to by other parts of GUAC.

type PackageNamespace 

type PackageNamespace struct {
	ID        string         `json:"id"`
	Namespace string         `json:"namespace"`
	Names     []*PackageName `json:"names"`
}

PackageNamespace is a namespace for packages.

In the pURL representation, each PackageNamespace matches the pkg:<type>/<namespace>/ partial pURL.

Namespaces are optional and type specific. Because they are optional, we use empty string to denote missing namespaces.

type PackageOrArtifact 

type PackageOrArtifact interface {
	IsPackageOrArtifact()
}

PackageOrArtifact is a union of Package and Artifact.

type PackageOrArtifactInput 

type PackageOrArtifactInput struct {
	Package  *IDorPkgInput      `json:"package,omitempty"`
	Artifact *IDorArtifactInput `json:"artifact,omitempty"`
}

PackageOrArtifactInput allows using PackageOrArtifact union as input type to be used in mutations.

Exactly one of the value must be set to non-nil.

type PackageOrArtifactInputs added in v0.1.2 

type PackageOrArtifactInputs struct {
	Packages  []*IDorPkgInput      `json:"packages,omitempty"`
	Artifacts []*IDorArtifactInput `json:"artifacts,omitempty"`
}

PackageOrArtifactInputs allows using packages and artifacts as input for batch mutations. Exactly one list must be specified.

type PackageOrArtifactSpec 

type PackageOrArtifactSpec struct {
	Package  *PkgSpec      `json:"package,omitempty"`
	Artifact *ArtifactSpec `json:"artifact,omitempty"`
}

PackageOrArtifactSpec allows using PackageOrArtifact union as input type to be used in read queries.

Exactly one of the value must be set to non-nil.

type PackageOrSource 

type PackageOrSource interface {
	IsPackageOrSource()
}

PackageOrSource is a union of Package and Source.

type PackageOrSourceInput 

type PackageOrSourceInput struct {
	Package *IDorPkgInput    `json:"package,omitempty"`
	Source  *IDorSourceInput `json:"source,omitempty"`
}

PackageOrSourceInput allows using PackageOrSource union as input for mutations.

Exactly one field must be specified.

type PackageOrSourceInputs added in v0.1.1 

type PackageOrSourceInputs struct {
	Packages []*IDorPkgInput    `json:"packages,omitempty"`
	Sources  []*IDorSourceInput `json:"sources,omitempty"`
}

PackageOrSourceInputs allows using packages and sources as input for batch mutations. Exactly one list must be specified.

type PackageOrSourceSpec 

type PackageOrSourceSpec struct {
	Package *PkgSpec    `json:"package,omitempty"`
	Source  *SourceSpec `json:"source,omitempty"`
}

PackageOrSourceSpec allows using PackageOrSource union as input for queries.

Exactly one field must be specified.

type PackageQualifier 

type PackageQualifier struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

PackageQualifier is a qualifier for a package, a key-value pair.

In the pURL representation, it is a part of the <qualifiers> part of the pkg:<type>/<namespace>/<name>@<version>?<qualifiers> pURL.

Qualifiers are optional, each Package type defines own rules for handling them, and multiple qualifiers could be attached to the same package.

This node cannot be directly referred by other parts of GUAC.

type PackageQualifierInputSpec 

type PackageQualifierInputSpec struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

PackageQualifierInputSpec allows specifying package qualifiers in mutations.

type PackageQualifierSpec 

type PackageQualifierSpec struct {
	Key   string  `json:"key"`
	Value *string `json:"value,omitempty"`
}

PackageQualifierSpec allows filtering package qualifiers in a query.

Keys are mandatory, but values could also be null if we want to match all values for a specific key.

NOTE: Before the schema becomes stable, we might change the nulability requirements of these fields.

type PackageSourceOrArtifact 

type PackageSourceOrArtifact interface {
	IsPackageSourceOrArtifact()
}

PackageSourceOrArtifact is a union of Package, Source, and Artifact.

type PackageSourceOrArtifactInput 

type PackageSourceOrArtifactInput struct {
	Package  *IDorPkgInput      `json:"package,omitempty"`
	Source   *IDorSourceInput   `json:"source,omitempty"`
	Artifact *IDorArtifactInput `json:"artifact,omitempty"`
}

PackageSourceOrArtifactInput allows using PackageSourceOrArtifact union as input type to be used in mutations.

Exactly one of the value must be set to non-nil.

type PackageSourceOrArtifactInputs added in v0.1.2 

type PackageSourceOrArtifactInputs struct {
	Packages  []*IDorPkgInput      `json:"packages,omitempty"`
	Sources   []*IDorSourceInput   `json:"sources,omitempty"`
	Artifacts []*IDorArtifactInput `json:"artifacts,omitempty"`
}

PackageSourceOrArtifactInputs allows using PackageSourceOrArtifact union as input type to be used in bulk mutations.

Exactly one list must be specified.

type PackageSourceOrArtifactSpec 

type PackageSourceOrArtifactSpec struct {
	Package  *PkgSpec      `json:"package,omitempty"`
	Source   *SourceSpec   `json:"source,omitempty"`
	Artifact *ArtifactSpec `json:"artifact,omitempty"`
}

PackageSourceOrArtifactSpec allows using PackageSourceOrArtifact union as input type to be used in read queries.

Exactly one of the value must be set to non-nil.

type PackageVersion 

type PackageVersion struct {
	ID         string              `json:"id"`
	Purl       string              `json:"purl"`
	Version    string              `json:"version"`
	Qualifiers []*PackageQualifier `json:"qualifiers"`
	Subpath    string              `json:"subpath"`
}

PackageVersion is a package version.

In the pURL representation, each PackageName matches the pkg:<type>/<namespace>/<name>@<version> pURL.

Versions are optional and each Package type defines own rules for handling them. For this level of GUAC, these are just opaque strings.

NOTE: The handling of versions might change before this schema becomes stable.

This node can be referred to by other parts of GUAC.

Subpath and qualifiers are optional. Lack of qualifiers is represented by an empty list and lack of subpath by empty string (to be consistent with optionality of namespace and version). Two nodes that have different qualifiers and/or subpath but the same version mean two different packages in the trie (they are different). Two nodes that have same version but qualifiers of one are a subset of the qualifier of the other also mean two different packages in the trie.

type PkgEqual 

type PkgEqual struct {
	ID string `json:"id"`
	// Collection of packages that are similar
	Packages []*Package `json:"packages"`
	// Justification for the claim that the packages are similar
	Justification string `json:"justification"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

PkgEqual is an attestation that a set of packages are similar.

func (PkgEqual) IsNode 

func (PkgEqual) IsNode()

type PkgEqualInputSpec 

type PkgEqualInputSpec struct {
	Justification string `json:"justification"`
	Origin        string `json:"origin"`
	Collector     string `json:"collector"`
}

PkgEqualInputSpec represents the input to certify that packages are similar.

type PkgEqualSpec 

type PkgEqualSpec struct {
	ID            *string    `json:"id,omitempty"`
	Packages      []*PkgSpec `json:"packages,omitempty"`
	Justification *string    `json:"justification,omitempty"`
	Origin        *string    `json:"origin,omitempty"`
	Collector     *string    `json:"collector,omitempty"`
}

PkgEqualSpec allows filtering the list of package equality statements to return in a query.

Specifying just one package allows to query for all similar packages (if any exists).

type PkgInputSpec 

type PkgInputSpec struct {
	Type       string                       `json:"type"`
	Namespace  *string                      `json:"namespace,omitempty"`
	Name       string                       `json:"name"`
	Version    *string                      `json:"version,omitempty"`
	Qualifiers []*PackageQualifierInputSpec `json:"qualifiers,omitempty"`
	Subpath    *string                      `json:"subpath,omitempty"`
}

PkgInputSpec specifies a package for mutations.

This is different than PkgSpec because we want to encode mandatory fields: type and name. All optional fields are given empty default values.

type PkgMatchType 

type PkgMatchType string

PkgMatchType is an enum to determine if the attestation should be done at the specific version or package name. 

const (
	PkgMatchTypeAllVersions     PkgMatchType = "ALL_VERSIONS"
	PkgMatchTypeSpecificVersion PkgMatchType = "SPECIFIC_VERSION"
)

func (PkgMatchType) IsValid 

func (e PkgMatchType) IsValid() bool

func (PkgMatchType) MarshalGQL 

func (e PkgMatchType) MarshalGQL(w io.Writer)

func (PkgMatchType) String 

func (e PkgMatchType) String() string

func (*PkgMatchType) UnmarshalGQL 

func (e *PkgMatchType) UnmarshalGQL(v interface{}) error

type PkgSpec 

type PkgSpec struct {
	ID                       *string                 `json:"id,omitempty"`
	Type                     *string                 `json:"type,omitempty"`
	Namespace                *string                 `json:"namespace,omitempty"`
	Name                     *string                 `json:"name,omitempty"`
	Version                  *string                 `json:"version,omitempty"`
	Qualifiers               []*PackageQualifierSpec `json:"qualifiers,omitempty"`
	MatchOnlyEmptyQualifiers *bool                   `json:"matchOnlyEmptyQualifiers,omitempty"`
	Subpath                  *string                 `json:"subpath,omitempty"`
}

PkgSpec allows filtering the list of sources to return in a query.

Each field matches a qualifier from pURL. Use null to match on all values at that level. For example, to get all packages in GUAC backend, use a PkgSpec where every field is null.

The id field can be used to match on a specific node in the trie to match packageTypeID, packageNamespaceID, packageNameID, or packageVersionID.

Empty string at a field means matching with the empty string. If passing in qualifiers, all of the values in the list must match. Since we want to return nodes with any number of qualifiers if no qualifiers are passed in the input, we must also return the same set of nodes it the qualifiers list is empty. To match on nodes that don't contain any qualifier, set matchOnlyEmptyQualifiers to true. If this field is true, then the qualifiers argument is ignored.

type PointOfContact added in v0.1.1 

type PointOfContact struct {
	ID            string                  `json:"id"`
	Subject       PackageSourceOrArtifact `json:"subject"`
	Email         string                  `json:"email"`
	Info          string                  `json:"info"`
	Since         time.Time               `json:"since"`
	Justification string                  `json:"justification"`
	Origin        string                  `json:"origin"`
	Collector     string                  `json:"collector"`
}

PointOfContact is an attestation of how to get in touch with the person(s) responsible for a package, source, or artifact.

All evidence trees record a justification for the property they represent as well as the document that contains the attestation (origin) and the collector that collected the document (collector).

The attestation applies to a subject which is a package, source, or artifact. If the attestation targets a package, it must target a PackageName or a PackageVersion. If the attestation targets a source, it must target a SourceName.

email is the email address (singular) of the point of contact.

info is additional contact information other than email address. This is free form.

NOTE: the identifiers for point of contact should be part of software trees. This will benefit from identifier look up and traversal as well as organization hierarchy. However, until the use case arises, PointOfContact will be a flat reference to the contact details.

func (PointOfContact) IsNode added in v0.1.1 

func (PointOfContact) IsNode()

type PointOfContactInputSpec added in v0.1.1 

type PointOfContactInputSpec struct {
	Email         string    `json:"email"`
	Info          string    `json:"info"`
	Since         time.Time `json:"since"`
	Justification string    `json:"justification"`
	Origin        string    `json:"origin"`
	Collector     string    `json:"collector"`
}

PointOfContactInputSpec represents the mutation input to ingest a PointOfContact evidence.

type PointOfContactSpec added in v0.1.1 

type PointOfContactSpec struct {
	ID            *string                      `json:"id,omitempty"`
	Subject       *PackageSourceOrArtifactSpec `json:"subject,omitempty"`
	Email         *string                      `json:"email,omitempty"`
	Info          *string                      `json:"info,omitempty"`
	Since         *time.Time                   `json:"since,omitempty"`
	Justification *string                      `json:"justification,omitempty"`
	Origin        *string                      `json:"origin,omitempty"`
	Collector     *string                      `json:"collector,omitempty"`
}

PointOfContactSpec allows filtering the list of PointOfContact evidence to return in a query.

If a package is specified in the subject filter, then it must be specified up to PackageName or PackageVersion. That is, user must specify package name, or name and one of version, qualifiers, or subpath.

If a source is specified in the subject filter, then it must specify a name, and optionally a tag and a commit.

since filters attestations with a value of since later or equal to the provided filter.

type Query added in v0.5.0 

type Query struct {
}

type SLSAInputSpec 

type SLSAInputSpec struct {
	BuildType     string                    `json:"buildType"`
	SlsaPredicate []*SLSAPredicateInputSpec `json:"slsaPredicate"`
	SlsaVersion   string                    `json:"slsaVersion"`
	StartedOn     *time.Time                `json:"startedOn,omitempty"`
	FinishedOn    *time.Time                `json:"finishedOn,omitempty"`
	Origin        string                    `json:"origin"`
	Collector     string                    `json:"collector"`
}

SLSAInputSpec is the same as SLSA but for mutation input.

type SLSAPredicate 

type SLSAPredicate struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

SLSAPredicate are the values from the SLSA predicate in key-value pair form.

For example, given the following predicate

``` 

"predicate": {
  "buildDefinition": {
    "externalParameters": {
      "repository": "https://github.com/octocat/hello-world",
      ...
    },
    ...
  },
  ...
}

```

we have

``` key = "buildDefinition.externalParameters.repository" value = "https://github.com/octocat/hello-world" ```

This node cannot be directly referred by other parts of GUAC.

type SLSAPredicateInputSpec 

type SLSAPredicateInputSpec struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

SLSAPredicateInputSpec allows ingesting SLSAPredicateSpec.

type SLSAPredicateSpec 

type SLSAPredicateSpec struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

SLSAPredicateSpec is the same as SLSAPredicate, but usable as query input.

type ScanMetadata added in v0.2.0 

type ScanMetadata struct {
	// Time of scan (in RFC 3339 format)
	TimeScanned time.Time `json:"timeScanned"`
	// URI of the vulnerability database used by the scanner
	DbURI string `json:"dbUri"`
	// Version of the vulnerability database used by the scanner
	DbVersion string `json:"dbVersion"`
	// URI of the scanner
	ScannerURI string `json:"scannerUri"`
	// Version of the scanner
	ScannerVersion string `json:"scannerVersion"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

ScanMetadata is the metadata attached to vulnerability certification.

It contains metadata about the scanner process that created the certification.

type ScanMetadataInput added in v0.2.0 

type ScanMetadataInput struct {
	TimeScanned    time.Time `json:"timeScanned"`
	DbURI          string    `json:"dbUri"`
	DbVersion      string    `json:"dbVersion"`
	ScannerURI     string    `json:"scannerUri"`
	ScannerVersion string    `json:"scannerVersion"`
	Origin         string    `json:"origin"`
	Collector      string    `json:"collector"`
}

ScanMetadataInput represents the input for certifying vulnerability scans in mutations.

type Scorecard 

type Scorecard struct {
	// Individual Scorecard check scores (Branch-Protection, Code-Review, ...)
	Checks []*ScorecardCheck `json:"checks"`
	// Overall Scorecard score for the source
	AggregateScore float64 `json:"aggregateScore"`
	// Exact timestamp when the source was last scanned (in RFC 3339 format)
	TimeScanned time.Time `json:"timeScanned"`
	// Version of the Scorecard scanner used to analyze the source
	ScorecardVersion string `json:"scorecardVersion"`
	// Commit of the Scorecards repository at the time of scanning the source
	ScorecardCommit string `json:"scorecardCommit"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

Scorecard contains all of the fields present in a Scorecard attestation.

We also include fields to specify under what conditions the check was performed (time of scan, version of scanners, etc.) as well as how this information got included into GUAC (origin document and the collector for that document).

type ScorecardCheck 

type ScorecardCheck struct {
	Check string `json:"check"`
	Score int    `json:"score"`
}

ScorecardCheck are the individual checks from scorecard and their values as a key-value pair.

For example: Branch-Protection, Code-Review...etc

Based off scorecard's: 

type jsonCheckResultV2 struct {
  Details []string                 `json:"details"`
  Score   int                      `json:"score"`
  Reason  string                   `json:"reason"`
  Name    string                   `json:"name"`
  Doc     jsonCheckDocumentationV2 `json:"documentation"`
}

This node cannot be directly referred by other parts of GUAC.

type ScorecardCheckInputSpec 

type ScorecardCheckInputSpec struct {
	Check string `json:"check"`
	Score int    `json:"score"`
}

ScorecardCheckInputSpec represents the mutation input for a Scorecard check.

type ScorecardCheckSpec 

type ScorecardCheckSpec struct {
	Check string `json:"check"`
	Score int    `json:"score"`
}

ScorecardCheckSpec is the same as ScorecardCheck, but usable as query input.

type ScorecardInputSpec 

type ScorecardInputSpec struct {
	Checks           []*ScorecardCheckInputSpec `json:"checks"`
	AggregateScore   float64                    `json:"aggregateScore"`
	TimeScanned      time.Time                  `json:"timeScanned"`
	ScorecardVersion string                     `json:"scorecardVersion"`
	ScorecardCommit  string                     `json:"scorecardCommit"`
	Origin           string                     `json:"origin"`
	Collector        string                     `json:"collector"`
}

ScorecardInputSpec represents the mutation input to ingest a Scorecard.

type Slsa 

type Slsa struct {
	// Materials of the build resulting in subject
	BuiltFrom []*Artifact `json:"builtFrom"`
	// Builder performing the build
	BuiltBy *Builder `json:"builtBy"`
	// Type of the builder
	BuildType string `json:"buildType"`
	// Individual predicates found in the attestation
	SlsaPredicate []*SLSAPredicate `json:"slsaPredicate"`
	// Version of the SLSA predicate
	SlsaVersion string `json:"slsaVersion"`
	// Timestamp (RFC3339Nano format) of build start time
	StartedOn *time.Time `json:"startedOn,omitempty"`
	// Timestamp (RFC3339Nano format) of build end time
	FinishedOn *time.Time `json:"finishedOn,omitempty"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

SLSA contains all of the fields present in a SLSA attestation.

The materials and builders are objects of the HasSLSA predicate, everything else are properties extracted from the attestation.

We also include fields to specify under what conditions the check was performed (time of scan, version of scanners, etc.) as well as how this information got included into GUAC (origin document and the collector for that document).

type Source 

type Source struct {
	ID         string             `json:"id"`
	Type       string             `json:"type"`
	Namespaces []*SourceNamespace `json:"namespaces"`
}

Source represents the root of the source trie/tree.

We map source information to a trie, as a derivative of the pURL specification: each path in the trie represents a type, namespace, name and an optional qualifier that stands for tag/commit information.

This node represents the type part of the trie path. It is used to represent the version control system that is being used.

Since this node is at the root of the source trie, it is named Source, not SourceType.

func (Source) IsNode 

func (Source) IsNode()

func (Source) IsPackageOrSource 

func (Source) IsPackageOrSource()

func (Source) IsPackageSourceOrArtifact 

func (Source) IsPackageSourceOrArtifact()

type SourceIDs added in v0.4.0 

type SourceIDs struct {
	SourceTypeID      string `json:"sourceTypeID"`
	SourceNamespaceID string `json:"sourceNamespaceID"`
	SourceNameID      string `json:"sourceNameID"`
}

The IDs of the ingested source

type SourceInputSpec 

type SourceInputSpec struct {
	Type      string  `json:"type"`
	Namespace string  `json:"namespace"`
	Name      string  `json:"name"`
	Tag       *string `json:"tag,omitempty"`
	Commit    *string `json:"commit,omitempty"`
}

SourceInputSpec specifies a source for mutations.

This is different than SourceSpec because we want to encode that all fields except tag and commit are mandatory fields. All optional fields are given empty default values.

It is an error to set both tag and commit fields to values different than the default.

type SourceName 

type SourceName struct {
	ID     string  `json:"id"`
	Name   string  `json:"name"`
	Tag    *string `json:"tag,omitempty"`
	Commit *string `json:"commit,omitempty"`
}

SourceName represents the url of the repository.

The name field is mandatory. The tag and commit fields are optional, but it is an error to specify both.

This is the only source trie node that can be referenced by other parts of GUAC.

type SourceNamespace 

type SourceNamespace struct {
	ID        string        `json:"id"`
	Namespace string        `json:"namespace"`
	Names     []*SourceName `json:"names"`
}

SourceNamespace is a namespace for sources.

This is the location of the repository (such as github/gitlab/bitbucket).

The namespace field is mandatory.

type SourceSpec 

type SourceSpec struct {
	ID        *string `json:"id,omitempty"`
	Type      *string `json:"type,omitempty"`
	Namespace *string `json:"namespace,omitempty"`
	Name      *string `json:"name,omitempty"`
	Tag       *string `json:"tag,omitempty"`
	Commit    *string `json:"commit,omitempty"`
}

SourceSpec allows filtering the list of sources to return in a query.

Empty string at a field means matching with the empty string. Missing field means retrieving all possible matches.

It is an error to specify both tag and commit fields, except it both are set as empty string (in which case the returned sources are only those for which there is no tag/commit information).

type VexJustification 

type VexJustification string

Records the justification included in the VEX statement. 

const (
	VexJustificationComponentNotPresent                         VexJustification = "COMPONENT_NOT_PRESENT"
	VexJustificationVulnerableCodeNotPresent                    VexJustification = "VULNERABLE_CODE_NOT_PRESENT"
	VexJustificationVulnerableCodeNotInExecutePath              VexJustification = "VULNERABLE_CODE_NOT_IN_EXECUTE_PATH"
	VexJustificationVulnerableCodeCannotBeControlledByAdversary VexJustification = "VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY"
	VexJustificationInlineMitigationsAlreadyExist               VexJustification = "INLINE_MITIGATIONS_ALREADY_EXIST"
	VexJustificationNotProvided                                 VexJustification = "NOT_PROVIDED"
)

func (VexJustification) IsValid 

func (e VexJustification) IsValid() bool

func (VexJustification) MarshalGQL 

func (e VexJustification) MarshalGQL(w io.Writer)

func (VexJustification) String 

func (e VexJustification) String() string

func (*VexJustification) UnmarshalGQL 

func (e *VexJustification) UnmarshalGQL(v interface{}) error

type VexStatementInputSpec 

type VexStatementInputSpec struct {
	Status           VexStatus        `json:"status"`
	VexJustification VexJustification `json:"vexJustification"`
	Statement        string           `json:"statement"`
	StatusNotes      string           `json:"statusNotes"`
	KnownSince       time.Time        `json:"knownSince"`
	Origin           string           `json:"origin"`
	Collector        string           `json:"collector"`
}

VexStatementInputSpec represents the input to ingest VEX statements.

type VexStatus 

type VexStatus string

Records the status of a VEX statement subject. 

const (
	VexStatusNotAffected        VexStatus = "NOT_AFFECTED"
	VexStatusAffected           VexStatus = "AFFECTED"
	VexStatusFixed              VexStatus = "FIXED"
	VexStatusUnderInvestigation VexStatus = "UNDER_INVESTIGATION"
)

func (VexStatus) IsValid 

func (e VexStatus) IsValid() bool

func (VexStatus) MarshalGQL 

func (e VexStatus) MarshalGQL(w io.Writer)

func (VexStatus) String 

func (e VexStatus) String() string

func (*VexStatus) UnmarshalGQL 

func (e *VexStatus) UnmarshalGQL(v interface{}) error

type VulnEqual added in v0.2.0 

type VulnEqual struct {
	ID string `json:"id"`
	// Collection of vulnerabilities that are similar
	Vulnerabilities []*Vulnerability `json:"vulnerabilities"`
	// Justification for the attested relationship
	Justification string `json:"justification"`
	// Document from which this attestation is generated from
	Origin string `json:"origin"`
	// GUAC collector for the document
	Collector string `json:"collector"`
}

VulnEqual is an attestation to link two vulnerabilities together as being equal"

Note that setting noVuln vulnerability type is invalid for VulnEqual!

func (VulnEqual) IsNode added in v0.2.0 

func (VulnEqual) IsNode()

type VulnEqualInputSpec added in v0.2.0 

type VulnEqualInputSpec struct {
	Justification string `json:"justification"`
	Origin        string `json:"origin"`
	Collector     string `json:"collector"`
}

VulnEqualInputSpec represents the input to link vulnerabilities to each other.

type VulnEqualSpec added in v0.2.0 

type VulnEqualSpec struct {
	ID              *string              `json:"id,omitempty"`
	Vulnerabilities []*VulnerabilitySpec `json:"vulnerabilities,omitempty"`
	Justification   *string              `json:"justification,omitempty"`
	Origin          *string              `json:"origin,omitempty"`
	Collector       *string              `json:"collector,omitempty"`
}

VulnEqualSpec allows filtering the list of vulnerability links to return in a query.

type Vulnerability 

type Vulnerability struct {
	ID               string             `json:"id"`
	Type             string             `json:"type"`
	VulnerabilityIDs []*VulnerabilityID `json:"vulnerabilityIDs"`
}

Vulnerability represents the root of the vulnerability trie/tree.

We map vulnerability information to a trie, as a derivative of the pURL specification: each path in the trie represents a type and a vulnerability ID. This allows for generic representation of the various vulnerabilities and does not limit to just cve, ghsa or osv. This would be in the general format: vuln://<general-type>/<vuln-id>

Examples:

CVE, using path separator: vuln://cve/cve-2023-20753 OSV, representing its knowledge of a GHSA: vuln://osv/ghsa-205hk Random vendor: vuln://snyk/sn-whatever NoVuln: vuln://novuln/

This node represents the type part of the trie path. It is used to represent the specific type of the vulnerability: cve, ghsa, osv or some other vendor specific

Since this node is at the root of the vulnerability trie, it is named Vulnerability, not VulnerabilityType.

NoVuln is a special vulnerability node to attest that no vulnerability has been found during a vulnerability scan. It will have the type "novuln" and contain an empty string for vulnerabilityID

The resolvers will enforce that both the type and vulnerability IDs are lower case.

func (Vulnerability) IsNode added in v0.2.0 

func (Vulnerability) IsNode()

type VulnerabilityID added in v0.2.0 

type VulnerabilityID struct {
	ID              string `json:"id"`
	VulnerabilityID string `json:"vulnerabilityID"`
}

VulnerabilityID is a specific vulnerability ID associated with the type of the vulnerability.

This will be enforced to be all lowercase.

The namespace field is mandatory.

type VulnerabilityIDs added in v0.4.0 

type VulnerabilityIDs struct {
	VulnerabilityTypeID string `json:"vulnerabilityTypeID"`
	VulnerabilityNodeID string `json:"vulnerabilityNodeID"`
}

The IDs of the ingested vulnerability

type VulnerabilityInputSpec added in v0.2.0 

type VulnerabilityInputSpec struct {
	Type            string `json:"type"`
	VulnerabilityID string `json:"vulnerabilityID"`
}

VulnInputSpec specifies a vulnerability for mutations.

This is different than VulnSpec because we want to encode mandatory fields: type and vulnerabilityID.

type VulnerabilityMetadata added in v0.2.0 

type VulnerabilityMetadata struct {
	ID            string                 `json:"id"`
	Vulnerability *Vulnerability         `json:"vulnerability"`
	ScoreType     VulnerabilityScoreType `json:"scoreType"`
	ScoreValue    float64                `json:"scoreValue"`
	Timestamp     time.Time              `json:"timestamp"`
	Origin        string                 `json:"origin"`
	Collector     string                 `json:"collector"`
}

VulnerabilityMetadata is an attestation that a vulnerability has a related score associated with it.

The intent of this evidence tree predicate is to allow extensibility of vulnerability score (one-to-one mapping) with a specific vulnerability ID.

A vulnerability ID can have a one-to-many relationship with the VulnerabilityMetadata node as a vulnerability ID can have multiple scores (in various frameworks).

Examples:

scoreType: EPSSv1 scoreValue: 0.960760000

scoreType: CVSSv2 scoreValue: 5.0

scoreType: CVSSv3 scoreValue: 7.5

The timestamp is used to determine when the score was evaluated for the specific vulnerability.

func (VulnerabilityMetadata) IsNode added in v0.2.0 

func (VulnerabilityMetadata) IsNode()

type VulnerabilityMetadataInputSpec added in v0.2.0 

type VulnerabilityMetadataInputSpec struct {
	ScoreType  VulnerabilityScoreType `json:"scoreType"`
	ScoreValue float64                `json:"scoreValue"`
	Timestamp  time.Time              `json:"timestamp"`
	Origin     string                 `json:"origin"`
	Collector  string                 `json:"collector"`
}

VulnerabilityMetadataInputSpec represents the mutation input to ingest a vulnerability metadata.

type VulnerabilityMetadataSpec added in v0.2.0 

type VulnerabilityMetadataSpec struct {
	ID            *string                 `json:"id,omitempty"`
	Vulnerability *VulnerabilitySpec      `json:"vulnerability,omitempty"`
	ScoreType     *VulnerabilityScoreType `json:"scoreType,omitempty"`
	ScoreValue    *float64                `json:"scoreValue,omitempty"`
	Comparator    *Comparator             `json:"comparator,omitempty"`
	Timestamp     *time.Time              `json:"timestamp,omitempty"`
	Origin        *string                 `json:"origin,omitempty"`
	Collector     *string                 `json:"collector,omitempty"`
}

VulnerabilityMetadataSpec allows filtering the list of VulnerabilityMetadata evidence to return in a query.

Comparator field is an enum that be set to filter the score and return a range that matches. If the comparator is not specified, it will default to equal operation.

Timestamp specified indicates filtering timestamps after the specified time

type VulnerabilityScoreType added in v0.2.0 

type VulnerabilityScoreType string

Records the type of the score being captured by the score node 

const (
	VulnerabilityScoreTypeCVSSv2  VulnerabilityScoreType = "CVSSv2"
	VulnerabilityScoreTypeCVSSv3  VulnerabilityScoreType = "CVSSv3"
	VulnerabilityScoreTypeEPSSv1  VulnerabilityScoreType = "EPSSv1"
	VulnerabilityScoreTypeEPSSv2  VulnerabilityScoreType = "EPSSv2"
	VulnerabilityScoreTypeCVSSv31 VulnerabilityScoreType = "CVSSv31"
	VulnerabilityScoreTypeCVSSv4  VulnerabilityScoreType = "CVSSv4"
	VulnerabilityScoreTypeOwasp   VulnerabilityScoreType = "OWASP"
	VulnerabilityScoreTypeSsvc    VulnerabilityScoreType = "SSVC"
)

func (VulnerabilityScoreType) IsValid added in v0.2.0 

func (e VulnerabilityScoreType) IsValid() bool

func (VulnerabilityScoreType) MarshalGQL added in v0.2.0 

func (e VulnerabilityScoreType) MarshalGQL(w io.Writer)

func (VulnerabilityScoreType) String added in v0.2.0 

func (e VulnerabilityScoreType) String() string

func (*VulnerabilityScoreType) UnmarshalGQL added in v0.2.0 

func (e *VulnerabilityScoreType) UnmarshalGQL(v interface{}) error

type VulnerabilitySpec 

type VulnerabilitySpec struct {
	ID              *string `json:"id,omitempty"`
	Type            *string `json:"type,omitempty"`
	VulnerabilityID *string `json:"vulnerabilityID,omitempty"`
	NoVuln          *bool   `json:"noVuln,omitempty"`
}

VulnerabilitySpec allows filtering the list of vulnerabilities to return in a query.

Use null to match on all values at that level. For example, to get all vulnerabilities in GUAC backend, use a VulnSpec where every field is null.

Setting the noVuln boolean true will ignore the other inputs for type and vulnerabilityID. Setting noVuln to true means retrieving only nodes where the type of the vulnerability is "novuln" and the it has an empty string for vulnerabilityID. Setting it to false filters out all results that are "novuln". Setting one of the other fields and omitting the noVuln means retrieving vulnerabilities for the corresponding type and vulnerabilityID. Omission of noVuln field will return all vulnerabilities and novuln.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.