whitesource

package
v1.230.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 22, 2022 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source
const DateTimeLayout = "2006-01-02 15:04:05 -0700"

DateTimeLayout is the layout of the time format used by the WhiteSource API.

View Source
const ReportsDirectory = "whitesource"

ReportsDirectory defines the subfolder for the WhiteSource reports which are generated

Variables

This section is empty.

Functions

func CountSecurityVulnerabilities

func CountSecurityVulnerabilities(alerts *[]Alert, cvssSeverityLimit float64) (int, int)

CountSecurityVulnerabilities counts the security vulnerabilities above severityLimit

func CreateCustomVulnerabilityReport

func CreateCustomVulnerabilityReport(productName string, scan *Scan, alerts *[]Alert, cvssSeverityLimit float64) reporting.ScanReport

CreateCustomVulnerabilityReport creates a vulnerability ScanReport to be used for uploading into various sinks

func CreateSarifResultFile

func CreateSarifResultFile(scan *Scan, alerts *[]Alert) *format.SARIF

Creates a SARIF result from the Alerts that were brought up by the scan

func ReportSha

func ReportSha(productName string, scan *Scan) string

ReportSha creates a SHA unique to the WS product and scan to be used as part of the report filename

func WriteCustomVulnerabilityReports

func WriteCustomVulnerabilityReports(productName string, scan *Scan, scanReport reporting.ScanReport, utils piperutils.FileUtils) ([]piperutils.Path, error)

WriteCustomVulnerabilityReports creates an HTML and a JSON format file based on the alerts brought up by the scan

func WriteSarifFile

func WriteSarifFile(sarif *format.SARIF, utils piperutils.FileUtils) ([]piperutils.Path, error)

WriteSarifFile write a JSON sarif format file for upload into e.g. GCP

Types

type Alert

type Alert struct {
	Vulnerability    Vulnerability `json:"vulnerability"`
	Type             string        `json:"type,omitempty"`
	Level            string        `json:"level,omitempty"`
	Library          Library       `json:"library,omitempty"`
	Project          string        `json:"project,omitempty"`
	DirectDependency bool          `json:"directDependency,omitempty"`
	Description      string        `json:"description,omitempty"`
	CreationDate     string        `json:"date,omitempty"`
	ModifiedDate     string        `json:"modifiedDate,omitempty"`
	Status           string        `json:"status,omitempty"`
}

Alert

func (Alert) Title

func (a Alert) Title() string

Title returns the issue title representation of the contents

func (Alert) ToMarkdown

func (a Alert) ToMarkdown() ([]byte, error)

ToMarkdown returns the markdown representation of the contents

func (Alert) ToTxt

func (a Alert) ToTxt() string

ToTxt returns the textual representation of the contents

type Assignment

type Assignment struct {
	UserAssignments  []UserAssignment  `json:"userAssignments,omitempty"`
	GroupAssignments []GroupAssignment `json:"groupAssignments,omitempty"`
}

Assignment describes a list of UserAssignments and GroupAssignments which can be attributed to a WhiteSource Product.

type ConfigOption

type ConfigOption struct {
	Name          string
	Value         interface{}
	OmitIfPresent string
	Force         bool
	Append        bool
}

ConfigOption defines a dedicated WhiteSource config which can be enforced if required

type ConfigOptions

type ConfigOptions []ConfigOption

ConfigOptions contains a list of config options (ConfigOption)

type DownloadedFile

type DownloadedFile struct {
	SourceURL string
	FilePath  string
}

DownloadedFile records what URL has been downloaded to which file.

type File

type File interface {
	io.Writer
	io.StringWriter
	io.Closer
}

File defines the method subset we use from os.File

type Fix

type Fix struct {
	Vulnerability string `json:"vulnerability,omitempty"`
	Type          string `json:"type,omitempty"`
	Origin        string `json:"origin,omitempty"`
	URL           string `json:"url,omitempty"`
	FixResolution string `json:"fixResolution,omitempty"`
	Date          string `json:"date,omitempty"`
	Message       string `json:"message,omitempty"`
	ExtraData     string `json:"extraData,omitempty"`
}

Fix defines a Fix as returned by WhiteSource

type GroupAssignment

type GroupAssignment struct {
	Name string `json:"name,omitempty"`
}

GroupAssignment refers to the name of a particular group in WhiteSource.

type Library

type Library struct {
	Name       string `json:"name,omitempty"`
	Filename   string `json:"filename,omitempty"`
	ArtifactID string `json:"artifactId,omitempty"`
	GroupID    string `json:"groupId,omitempty"`
	Version    string `json:"version,omitempty"`
}

Library

type NpmInstall

type NpmInstall struct {
	CurrentDir  string
	PackageJSON []string
}

NpmInstall records in which directory "npm install" has been invoked and for which package.json files.

type Product

type Product struct {
	Name           string `json:"name"`
	Token          string `json:"token"`
	CreationDate   string `json:"creationDate,omitempty"`
	LastUpdateDate string `json:"lastUpdatedDate,omitempty"`
}

Product defines a WhiteSource product with name and token

type Project

type Project struct {
	ID             int64  `json:"id"`
	Name           string `json:"name"`
	PluginName     string `json:"pluginName"`
	Token          string `json:"token"`
	UploadedBy     string `json:"uploadedBy"`
	CreationDate   string `json:"creationDate,omitempty"`
	LastUpdateDate string `json:"lastUpdatedDate,omitempty"`
}

Project defines a WhiteSource project with name and token

type Reference

type Reference struct {
	URL                 string `json:"url,omitempty"`
	Homepage            string `json:"homepage,omitempty"`
	GenericPackageIndex string `json:"genericPackageIndex,omitempty"`
}

Reference defines a reference for the library affected

type ReportOptions

type ReportOptions struct {
	// ReportDirectory defines the target directory for downloading reports.
	ReportDirectory string
	// VulnerabilityReportFormat defines the requested file format of the vulnerability report (i.e. pdf).
	VulnerabilityReportFormat string
}

ReportOptions defines options for downloading reports after scanning.

type Request

type Request struct {
	RequestType          string      `json:"requestType,omitempty"`
	UserKey              string      `json:"userKey,omitempty"`
	ProductToken         string      `json:"productToken,omitempty"`
	ProductName          string      `json:"productName,omitempty"`
	ProjectToken         string      `json:"projectToken,omitempty"`
	OrgToken             string      `json:"orgToken,omitempty"`
	Format               string      `json:"format,omitempty"`
	AlertType            string      `json:"alertType,omitempty"`
	ProductAdmins        *Assignment `json:"productAdmins,omitempty"`
	ProductMembership    *Assignment `json:"productMembership,omitempty"`
	AlertsEmailReceivers *Assignment `json:"alertsEmailReceivers,omitempty"`
	ProductApprovers     *Assignment `json:"productApprovers,omitempty"`
	ProductIntegrators   *Assignment `json:"productIntegrators,omitempty"`
}

Request defines a request object to be sent to the WhiteSource system

type Scan

type Scan struct {
	// AggregateProjectName stores the name of the WhiteSource project where scans shall be aggregated.
	// It does not include the ProductVersion.
	AggregateProjectName string
	// ProductVersion is the global version that is used across all Projects (modules) during the scan.
	ProductVersion string

	AgentName    string
	AgentVersion string
	// contains filtered or unexported fields
}

Scan stores information about scanned WhiteSource projects (modules).

func (*Scan) AppendScannedProject

func (s *Scan) AppendScannedProject(projectName string) error

AppendScannedProject checks that no Project with the same name is already contained in the list of scanned projects, and appends a new Project with the given name. The global product version is appended to the name.

func (*Scan) AppendScannedProjectVersion

func (s *Scan) AppendScannedProjectVersion(projectName string) error

AppendScannedProjectVersion checks that no Project with the same name is already contained in the list of scanned projects, and appends a new Project with the given name (which is expected to include the product version).

func (*Scan) BlockUntilReportsAreReady

func (s *Scan) BlockUntilReportsAreReady(sys whitesourcePoller) error

BlockUntilReportsAreReady polls the WhiteSource system for all projects known to the Scan and blocks until their LastUpdateDate time stamp is from within the last 20 seconds.

func (*Scan) DownloadReports

func (s *Scan) DownloadReports(options ReportOptions, utils scanUtils, sys whitesource) ([]piperutils.Path, error)

DownloadReports downloads a Project's risk and vulnerability reports

func (*Scan) ExecuteMTAScan

func (s *Scan) ExecuteMTAScan(config *ScanOptions, utils Utils) error

ExecuteMTAScan executes a scan for the Java part with maven, and performs a scan for each NPM module.

func (*Scan) ExecuteMavenScan

func (s *Scan) ExecuteMavenScan(config *ScanOptions, utils Utils) error

ExecuteMavenScan constructs maven parameters from the given configuration, and executes the maven goal "org.whitesource:whitesource-maven-plugin:19.5.1:update".

func (*Scan) ExecuteMavenScanForPomFile

func (s *Scan) ExecuteMavenScanForPomFile(config *ScanOptions, utils Utils, pomPath string) error

ExecuteMavenScanForPomFile constructs maven parameters from the given configuration, and executes the maven goal "org.whitesource:whitesource-maven-plugin:19.5.1:update" for the given pom file.

func (*Scan) ExecuteNpmScan

func (s *Scan) ExecuteNpmScan(config *ScanOptions, utils Utils) error

ExecuteNpmScan iterates over all found npm modules and performs a scan in each one.

func (*Scan) ExecuteUAScan

func (s *Scan) ExecuteUAScan(config *ScanOptions, utils Utils) error

ExecuteUAScan executes a scan with the Whitesource Unified Agent.

func (*Scan) ExecuteUAScanInPath

func (s *Scan) ExecuteUAScanInPath(config *ScanOptions, utils Utils, scanPath string) error

ExecuteUAScanInPath executes a scan with the Whitesource Unified Agent in a dedicated scanPath.

func (*Scan) ExecuteYarnScan

func (s *Scan) ExecuteYarnScan(config *ScanOptions, utils Utils) error

ExecuteYarnScan generates a configuration file whitesource.config.json with appropriate values from config, installs whitesource yarn plugin and executes the scan.

func (*Scan) ProjectByName

func (s *Scan) ProjectByName(projectName string) (Project, bool)

ProjectByName returns a WhiteSource Project previously established via AppendScannedProject().

func (*Scan) ScanTime

func (s *Scan) ScanTime(projectName string) time.Time

ScanTime returns the time at which the respective WhiteSource Project was scanned, or the the zero value of time.Time, if AppendScannedProject() was not called with that name.

func (*Scan) ScannedProjectNames

func (s *Scan) ScannedProjectNames() []string

ScannedProjectNames returns a sorted list of all scanned project names

func (*Scan) ScannedProjects

func (s *Scan) ScannedProjects() []Project

ScannedProjects returns the WhiteSource projects that have been added via AppendScannedProject() as a slice.

func (*Scan) UpdateProjects

func (s *Scan) UpdateProjects(productToken string, sys whitesource) error

UpdateProjects pulls the current backend metadata for all WhiteSource projects in the product with the given productToken, and updates all scanned projects with the obtained information.

type ScanOptions

type ScanOptions struct {
	BuildTool string
	// ScanType defines the type of scan. Can be "maven" or "mta" for scanning with Maven or "npm"/"yarn".
	ScanType       string
	OrgToken       string
	UserToken      string
	ProductName    string
	ProductToken   string
	ProductVersion string
	// ProjectName is an optional name for an "aggregator" project.
	// All scanned maven modules will be reflected in the aggregate project.
	ProjectName string

	BuildDescriptorFile        string
	BuildDescriptorExcludeList []string
	// PomPath is the path to root build descriptor file.
	PomPath string
	// M2Path is the path to the local maven repository.
	M2Path string
	// GlobalSettingsFile is an optional path to a global maven settings file.
	GlobalSettingsFile string
	// ProjectSettingsFile is an optional path to a local maven settings file.
	ProjectSettingsFile string
	// InstallArtifacts installs artifacts from all maven modules to the local repository
	InstallArtifacts bool

	// DefaultNpmRegistry is an optional default registry for NPM.
	DefaultNpmRegistry string

	AgentDownloadURL string
	AgentFileName    string
	ConfigFilePath   string

	JreDownloadURL string

	Includes []string
	Excludes []string

	AgentURL   string
	ServiceURL string

	ScanPath string

	Verbose bool
}

ScanOptions contains parameters needed during the scan.

func (*ScanOptions) RewriteUAConfigurationFile

func (s *ScanOptions) RewriteUAConfigurationFile(utils Utils, projectName string) (string, error)

RewriteUAConfigurationFile updates the user's Unified Agent configuration with configuration which should be enforced or just eases the overall configuration It then returns the path to the file containing the updated configuration

type ScanUtilsMock

type ScanUtilsMock struct {
	*mock.FilesMock
	*mock.ExecMockRunner
	NpmInstalledModules []NpmInstall
	DownloadedFiles     []DownloadedFile
	DownloadError       map[string]error
	RemoveAllDirs       []string
	RemoveAllError      map[string]error
}

ScanUtilsMock is an implementation of the Utils interface that can be used during tests.

func NewScanUtilsMock

func NewScanUtilsMock() *ScanUtilsMock

NewScanUtilsMock returns an initialized ScanUtilsMock instance.

func (*ScanUtilsMock) DownloadFile

func (m *ScanUtilsMock) DownloadFile(url, filename string, _ http.Header, _ []*http.Cookie) error

DownloadFile mimics http.Downloader and records the downloaded file.

func (*ScanUtilsMock) FileOpen

func (m *ScanUtilsMock) FileOpen(name string, flag int, perm os.FileMode) (File, error)

FileOpen mimics os.FileOpen() based on FilesMock OpenFile().

func (*ScanUtilsMock) FindPackageJSONFiles

func (m *ScanUtilsMock) FindPackageJSONFiles(options *ScanOptions) ([]string, error)

FindPackageJSONFiles mimics npm.FindPackageJSONFiles() based on the FilesMock setup.

func (*ScanUtilsMock) InstallAllNPMDependencies

func (m *ScanUtilsMock) InstallAllNPMDependencies(_ *ScanOptions, packageJSONs []string) error

InstallAllNPMDependencies mimics npm.InstallAllNPMDependencies() and records the "npm install".

func (*ScanUtilsMock) RemoveAll

func (m *ScanUtilsMock) RemoveAll(dir string) error

RemoveAll mimics os.RemoveAll().

type System

type System struct {
	// contains filtered or unexported fields
}

System defines a WhiteSource System including respective tokens (e.g. org token, user token)

func NewSystem

func NewSystem(serverURL, orgToken, userToken string, timeout time.Duration) *System

NewSystem constructs a new System instance

func (*System) CreateProduct

func (s *System) CreateProduct(productName string) (string, error)

CreateProduct creates a new WhiteSource product and returns its product token.

func (*System) GetProductByName

func (s *System) GetProductByName(productName string) (Product, error)

GetProductByName retrieves meta information for a specific WhiteSource product

func (*System) GetProductName

func (s *System) GetProductName(productToken string) (string, error)

GetProductName returns the product name for a given product token

func (*System) GetProductsMetaInfo

func (s *System) GetProductsMetaInfo() ([]Product, error)

GetProductsMetaInfo retrieves meta information for all WhiteSource products a user has access to

func (*System) GetProjectAlerts

func (s *System) GetProjectAlerts(projectToken string) ([]Alert, error)

GetProjectAlerts

func (*System) GetProjectAlertsByType

func (s *System) GetProjectAlertsByType(projectToken, alertType string) ([]Alert, error)

GetProjectAlertsByType returns all alerts of a certain type for a given project

func (*System) GetProjectByName

func (s *System) GetProjectByName(productToken, projectName string) (Project, error)

GetProjectByName fetches all projects and returns the one matching the given projectName, or none, if not found

func (*System) GetProjectByToken

func (s *System) GetProjectByToken(projectToken string) (Project, error)

GetProjectByToken returns project meta info given a project token

func (*System) GetProjectLibraryLocations

func (s *System) GetProjectLibraryLocations(projectToken string) ([]Library, error)

GetProjectLibraryLocations

func (*System) GetProjectRiskReport

func (s *System) GetProjectRiskReport(projectToken string) ([]byte, error)

GetProjectRiskReport

func (*System) GetProjectToken

func (s *System) GetProjectToken(productToken, projectName string) (string, error)

GetProjectToken returns the project token for a project with a given name

func (*System) GetProjectTokens

func (s *System) GetProjectTokens(productToken string, projectNames []string) ([]string, error)

GetProjectTokens returns the project tokens matching a given a slice of project names

func (*System) GetProjectVulnerabilityReport

func (s *System) GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)

GetProjectVulnerabilityReport

func (*System) GetProjectsByIDs

func (s *System) GetProjectsByIDs(productToken string, projectIDs []int64) ([]Project, error)

GetProjectsByIDs retrieves all projects for the given productToken and filters them by the given project ids

func (*System) GetProjectsMetaInfo

func (s *System) GetProjectsMetaInfo(productToken string) ([]Project, error)

GetProjectsMetaInfo retrieves the registered projects for a specific WhiteSource product

func (*System) SetProductAssignments

func (s *System) SetProductAssignments(productToken string, membership, admins, alertReceivers *Assignment) error

SetProductAssignments assigns various types of membership to a WhiteSource Product.

type SystemMock

type SystemMock struct {
	ProductName         string
	Products            []Product
	Projects            []Project
	Alerts              []Alert
	AlertType           string
	AlertError          error
	Libraries           []Library
	RiskReport          []byte
	VulnerabilityReport []byte
}

SystemMock stores a number of WhiteSource objects and, based on that, mocks the behavior of System.

func NewSystemMock

func NewSystemMock(lastUpdateDate string) *SystemMock

NewSystemMock returns a pointer to a new instance of SystemMock.

func NewSystemMockWithProjectName

func NewSystemMockWithProjectName(lastUpdateDate, projectName string) *SystemMock

NewSystemMockWithProjectName returns a pointer to a new instance of SystemMock using a project with a defined name.

func (*SystemMock) CreateProduct

func (m *SystemMock) CreateProduct(productName string) (string, error)

CreateProduct appends a new Product to the system mock and returns its token ("mock-product-token-<index>").

func (*SystemMock) GetProductByName

func (m *SystemMock) GetProductByName(productName string) (Product, error)

GetProductByName mimics retrieving a Product by name. It returns an error of no Product is stored in the mock.

func (*SystemMock) GetProjectAlerts

func (m *SystemMock) GetProjectAlerts(projectToken string) ([]Alert, error)

GetProjectAlerts returns the alerts stored in the SystemMock.

func (*SystemMock) GetProjectAlertsByType

func (m *SystemMock) GetProjectAlertsByType(projectToken, alertType string) ([]Alert, error)

GetProjectAlertsByType returns the alerts stored in the SystemMock and records the type.

func (*SystemMock) GetProjectByToken

func (m *SystemMock) GetProjectByToken(projectToken string) (Project, error)

GetProjectByToken checks the Projects stored in the mock and returns the one with the given token or an error.

func (*SystemMock) GetProjectLibraryLocations

func (m *SystemMock) GetProjectLibraryLocations(projectToken string) ([]Library, error)

GetProjectLibraryLocations returns the libraries stored in the SystemMock.

func (*SystemMock) GetProjectRiskReport

func (m *SystemMock) GetProjectRiskReport(projectToken string) ([]byte, error)

GetProjectRiskReport mocks retrieving a risc report.

func (*SystemMock) GetProjectToken

func (m *SystemMock) GetProjectToken(productToken, projectName string) (string, error)

GetProjectToken checks the Projects stored in the mock and returns a valid token, or an empty token and no error.

func (*SystemMock) GetProjectVulnerabilityReport

func (m *SystemMock) GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)

GetProjectVulnerabilityReport mocks retrieving a vulnerability report. Behavior depends on what is stored in the mock.

func (*SystemMock) GetProjectsMetaInfo

func (m *SystemMock) GetProjectsMetaInfo(productToken string) ([]Project, error)

GetProjectsMetaInfo returns the list of Projects stored in the mock or an error if token is unknown.

func (*SystemMock) SetProductAssignments

func (m *SystemMock) SetProductAssignments(productToken string, _, _, _ *Assignment) error

SetProductAssignments checks if the system mock contains a product with the given token and returns an error depending on that, but otherwise does nothing with the provided arguments.

type UserAssignment

type UserAssignment struct {
	Email string `json:"email,omitempty"`
}

UserAssignment holds an email address for a WhiteSource user which can be assigned to a WhiteSource Product in a specific role.

type Utils

type Utils interface {
	maven.Utils

	Chdir(path string) error
	Getwd() (string, error)
	FileRead(path string) ([]byte, error)
	FileWrite(path string, content []byte, perm os.FileMode) error
	FileRemove(path string) error
	FileRename(oldPath, newPath string) error
	GetExitCode() int
	RemoveAll(path string) error
	FileOpen(name string, flag int, perm os.FileMode) (File, error)

	FindPackageJSONFiles(config *ScanOptions) ([]string, error)
	InstallAllNPMDependencies(config *ScanOptions, packageJSONFiles []string) error
}

Utils captures all external functionality that needs to be exchangeable in tests.

type Vulnerability

type Vulnerability struct {
	Name              string      `json:"name,omitempty"`
	Type              string      `json:"type,omitempty"`
	Severity          string      `json:"severity,omitempty"`
	Score             float64     `json:"score,omitempty"`
	CVSS3Severity     string      `json:"cvss3_severity,omitempty"`
	CVSS3Score        float64     `json:"cvss3_score,omitempty"`
	PublishDate       string      `json:"publishDate,omitempty"`
	URL               string      `json:"url,omitempty"`
	Description       string      `json:"description,omitempty"`
	TopFix            Fix         `json:"topFix,omitempty"`
	AllFixes          []Fix       `json:"allFixes,omitempty"`
	FixResolutionText string      `json:"fixResolutionText,omitempty"`
	References        []Reference `json:"references,omitempty"`
}

Vulnerability defines a vulnerability as returned by WhiteSource

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL