whitesource

package
v1.230.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 22, 2022 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const DateTimeLayout = "2006-01-02 15:04:05 -0700"

DateTimeLayout is the layout of the time format used by the WhiteSource API.

View Source 
const ReportsDirectory = "whitesource"

ReportsDirectory defines the subfolder for the WhiteSource reports which are generated

Variables

This section is empty.

Functions

func CountSecurityVulnerabilities 

func CountSecurityVulnerabilities(alerts *[]Alert, cvssSeverityLimit float64) (int, int)

CountSecurityVulnerabilities counts the security vulnerabilities above severityLimit

func CreateCustomVulnerabilityReport 

func CreateCustomVulnerabilityReport(productName string, scan *Scan, alerts *[]Alert, cvssSeverityLimit float64) reporting.ScanReport

CreateCustomVulnerabilityReport creates a vulnerability ScanReport to be used for uploading into various sinks

func CreateSarifResultFile 

func CreateSarifResultFile(scan *Scan, alerts *[]Alert) *format.SARIF

Creates a SARIF result from the Alerts that were brought up by the scan

func ReportSha 

func ReportSha(productName string, scan *Scan) string

ReportSha creates a SHA unique to the WS product and scan to be used as part of the report filename

func WriteCustomVulnerabilityReports 

func WriteCustomVulnerabilityReports(productName string, scan *Scan, scanReport reporting.ScanReport, utils piperutils.FileUtils) ([]piperutils.Path, error)

WriteCustomVulnerabilityReports creates an HTML and a JSON format file based on the alerts brought up by the scan

func WriteSarifFile 

func WriteSarifFile(sarif *format.SARIF, utils piperutils.FileUtils) ([]piperutils.Path, error)

WriteSarifFile write a JSON sarif format file for upload into e.g. GCP

Types

type Alert 

type Alert struct {
	Vulnerability    Vulnerability `json:"vulnerability"`
	Type             string        `json:"type,omitempty"`
	Level            string        `json:"level,omitempty"`
	Library          Library       `json:"library,omitempty"`
	Project          string        `json:"project,omitempty"`
	DirectDependency bool          `json:"directDependency,omitempty"`
	Description      string        `json:"description,omitempty"`
	CreationDate     string        `json:"date,omitempty"`
	ModifiedDate     string        `json:"modifiedDate,omitempty"`
	Status           string        `json:"status,omitempty"`
}

Alert

func (Alert) Title 

func (a Alert) Title() string

Title returns the issue title representation of the contents

func (Alert) ToMarkdown 

func (a Alert) ToMarkdown() ([]byte, error)

ToMarkdown returns the markdown representation of the contents

func (Alert) ToTxt 

func (a Alert) ToTxt() string

ToTxt returns the textual representation of the contents

type Assignment 

type Assignment struct {
	UserAssignments  []UserAssignment  `json:"userAssignments,omitempty"`
	GroupAssignments []GroupAssignment `json:"groupAssignments,omitempty"`
}

Assignment describes a list of UserAssignments and GroupAssignments which can be attributed to a WhiteSource Product.

type ConfigOption 

type ConfigOption struct {
	Name          string
	Value         interface{}
	OmitIfPresent string
	Force         bool
	Append        bool
}

ConfigOption defines a dedicated WhiteSource config which can be enforced if required

type ConfigOptions 

type ConfigOptions []ConfigOption

ConfigOptions contains a list of config options (ConfigOption)

type DownloadedFile 

type DownloadedFile struct {
	SourceURL string
	FilePath  string
}

DownloadedFile records what URL has been downloaded to which file.

type File 

type File interface {
	io.Writer
	io.StringWriter
	io.Closer
}

File defines the method subset we use from os.File

type Fix 

type Fix struct {
	Vulnerability string `json:"vulnerability,omitempty"`
	Type          string `json:"type,omitempty"`
	Origin        string `json:"origin,omitempty"`
	URL           string `json:"url,omitempty"`
	FixResolution string `json:"fixResolution,omitempty"`
	Date          string `json:"date,omitempty"`
	Message       string `json:"message,omitempty"`
	ExtraData     string `json:"extraData,omitempty"`
}

Fix defines a Fix as returned by WhiteSource

type GroupAssignment 

type GroupAssignment struct {
	Name string `json:"name,omitempty"`
}

GroupAssignment refers to the name of a particular group in WhiteSource.

type Library 

type Library struct {
	Name       string `json:"name,omitempty"`
	Filename   string `json:"filename,omitempty"`
	ArtifactID string `json:"artifactId,omitempty"`
	GroupID    string `json:"groupId,omitempty"`
	Version    string `json:"version,omitempty"`
}

Library

type NpmInstall 

type NpmInstall struct {
	CurrentDir  string
	PackageJSON []string
}

NpmInstall records in which directory "npm install" has been invoked and for which package.json files.

type Product 

type Product struct {
	Name           string `json:"name"`
	Token          string `json:"token"`
	CreationDate   string `json:"creationDate,omitempty"`
	LastUpdateDate string `json:"lastUpdatedDate,omitempty"`
}

Product defines a WhiteSource product with name and token

type Project 

type Project struct {
	ID             int64  `json:"id"`
	Name           string `json:"name"`
	PluginName     string `json:"pluginName"`
	Token          string `json:"token"`
	UploadedBy     string `json:"uploadedBy"`
	CreationDate   string `json:"creationDate,omitempty"`
	LastUpdateDate string `json:"lastUpdatedDate,omitempty"`
}

Project defines a WhiteSource project with name and token

type Reference 

type Reference struct {
	URL                 string `json:"url,omitempty"`
	Homepage            string `json:"homepage,omitempty"`
	GenericPackageIndex string `json:"genericPackageIndex,omitempty"`
}

Reference defines a reference for the library affected

type ReportOptions 

type ReportOptions struct {
	// ReportDirectory defines the target directory for downloading reports.
	ReportDirectory string
	// VulnerabilityReportFormat defines the requested file format of the vulnerability report (i.e. pdf).
	VulnerabilityReportFormat string
}

ReportOptions defines options for downloading reports after scanning.

type Request 

type Request struct {
	RequestType          string      `json:"requestType,omitempty"`
	UserKey              string      `json:"userKey,omitempty"`
	ProductToken         string      `json:"productToken,omitempty"`
	ProductName          string      `json:"productName,omitempty"`
	ProjectToken         string      `json:"projectToken,omitempty"`
	OrgToken             string      `json:"orgToken,omitempty"`
	Format               string      `json:"format,omitempty"`
	AlertType            string      `json:"alertType,omitempty"`
	ProductAdmins        *Assignment `json:"productAdmins,omitempty"`
	ProductMembership    *Assignment `json:"productMembership,omitempty"`
	AlertsEmailReceivers *Assignment `json:"alertsEmailReceivers,omitempty"`
	ProductApprovers     *Assignment `json:"productApprovers,omitempty"`
	ProductIntegrators   *Assignment `json:"productIntegrators,omitempty"`
}

Request defines a request object to be sent to the WhiteSource system

type Scan 

type Scan struct {
	// AggregateProjectName stores the name of the WhiteSource project where scans shall be aggregated.
	// It does not include the ProductVersion.
	AggregateProjectName string
	// ProductVersion is the global version that is used across all Projects (modules) during the scan.
	ProductVersion string

	AgentName    string
	AgentVersion string
	// contains filtered or unexported fields
}

Scan stores information about scanned WhiteSource projects (modules).

func (*Scan) AppendScannedProject 

func (s *Scan) AppendScannedProject(projectName string) error

AppendScannedProject checks that no Project with the same name is already contained in the list of scanned projects, and appends a new Project with the given name. The global product version is appended to the name.

func (*Scan) AppendScannedProjectVersion 

func (s *Scan) AppendScannedProjectVersion(projectName string) error

AppendScannedProjectVersion checks that no Project with the same name is already contained in the list of scanned projects, and appends a new Project with the given name (which is expected to include the product version).

func (*Scan) BlockUntilReportsAreReady 

func (s *Scan) BlockUntilReportsAreReady(sys whitesourcePoller) error

BlockUntilReportsAreReady polls the WhiteSource system for all projects known to the Scan and blocks until their LastUpdateDate time stamp is from within the last 20 seconds.

func (*Scan) DownloadReports 

func (s *Scan) DownloadReports(options ReportOptions, utils scanUtils, sys whitesource) ([]piperutils.Path, error)

DownloadReports downloads a Project's risk and vulnerability reports

func (*Scan) ExecuteMTAScan 

func (s *Scan) ExecuteMTAScan(config *ScanOptions, utils Utils) error

ExecuteMTAScan executes a scan for the Java part with maven, and performs a scan for each NPM module.

func (*Scan) ExecuteMavenScan 

func (s *Scan) ExecuteMavenScan(config *ScanOptions, utils Utils) error

ExecuteMavenScan constructs maven parameters from the given configuration, and executes the maven goal "org.whitesource:whitesource-maven-plugin:19.5.1:update".

func (*Scan) ExecuteMavenScanForPomFile 

func (s *Scan) ExecuteMavenScanForPomFile(config *ScanOptions, utils Utils, pomPath string) error

ExecuteMavenScanForPomFile constructs maven parameters from the given configuration, and executes the maven goal "org.whitesource:whitesource-maven-plugin:19.5.1:update" for the given pom file.

func (*Scan) ExecuteNpmScan 

func (s *Scan) ExecuteNpmScan(config *ScanOptions, utils Utils) error

ExecuteNpmScan iterates over all found npm modules and performs a scan in each one.

func (*Scan) ExecuteUAScan 

func (s *Scan) ExecuteUAScan(config *ScanOptions, utils Utils) error

ExecuteUAScan executes a scan with the Whitesource Unified Agent.

func (*Scan) ExecuteUAScanInPath 

func (s *Scan) ExecuteUAScanInPath(config *ScanOptions, utils Utils, scanPath string) error

ExecuteUAScanInPath executes a scan with the Whitesource Unified Agent in a dedicated scanPath.

func (*Scan) ExecuteYarnScan 

func (s *Scan) ExecuteYarnScan(config *ScanOptions, utils Utils) error

ExecuteYarnScan generates a configuration file whitesource.config.json with appropriate values from config, installs whitesource yarn plugin and executes the scan.

func (*Scan) ProjectByName 

func (s *Scan) ProjectByName(projectName string) (Project, bool)

ProjectByName returns a WhiteSource Project previously established via AppendScannedProject().

func (*Scan) ScanTime 

func (s *Scan) ScanTime(projectName string) time.Time

ScanTime returns the time at which the respective WhiteSource Project was scanned, or the the zero value of time.Time, if AppendScannedProject() was not called with that name.

func (*Scan) ScannedProjectNames 

func (s *Scan) ScannedProjectNames() []string

ScannedProjectNames returns a sorted list of all scanned project names

func (*Scan) ScannedProjects 

func (s *Scan) ScannedProjects() []Project

ScannedProjects returns the WhiteSource projects that have been added via AppendScannedProject() as a slice.

func (*Scan) UpdateProjects 

func (s *Scan) UpdateProjects(productToken string, sys whitesource) error

UpdateProjects pulls the current backend metadata for all WhiteSource projects in the product with the given productToken, and updates all scanned projects with the obtained information.

type ScanOptions 

type ScanOptions struct {
	BuildTool string
	// ScanType defines the type of scan. Can be "maven" or "mta" for scanning with Maven or "npm"/"yarn".
	ScanType       string
	OrgToken       string
	UserToken      string
	ProductName    string
	ProductToken   string
	ProductVersion string
	// ProjectName is an optional name for an "aggregator" project.
	// All scanned maven modules will be reflected in the aggregate project.
	ProjectName string

	BuildDescriptorFile        string
	BuildDescriptorExcludeList []string
	// PomPath is the path to root build descriptor file.
	PomPath string
	// M2Path is the path to the local maven repository.
	M2Path string
	// GlobalSettingsFile is an optional path to a global maven settings file.
	GlobalSettingsFile string
	// ProjectSettingsFile is an optional path to a local maven settings file.
	ProjectSettingsFile string
	// InstallArtifacts installs artifacts from all maven modules to the local repository
	InstallArtifacts bool

	// DefaultNpmRegistry is an optional default registry for NPM.
	DefaultNpmRegistry string

	AgentDownloadURL string
	AgentFileName    string
	ConfigFilePath   string

	JreDownloadURL string

	Includes []string
	Excludes []string

	AgentURL   string
	ServiceURL string

	ScanPath string

	Verbose bool
}

ScanOptions contains parameters needed during the scan.

func (*ScanOptions) RewriteUAConfigurationFile 

func (s *ScanOptions) RewriteUAConfigurationFile(utils Utils, projectName string) (string, error)

RewriteUAConfigurationFile updates the user's Unified Agent configuration with configuration which should be enforced or just eases the overall configuration It then returns the path to the file containing the updated configuration

type ScanUtilsMock 

type ScanUtilsMock struct {
	*mock.FilesMock
	*mock.ExecMockRunner
	NpmInstalledModules []NpmInstall
	DownloadedFiles     []DownloadedFile
	DownloadError       map[string]error
	RemoveAllDirs       []string
	RemoveAllError      map[string]error
}

ScanUtilsMock is an implementation of the Utils interface that can be used during tests.

func NewScanUtilsMock 

func NewScanUtilsMock() *ScanUtilsMock

NewScanUtilsMock returns an initialized ScanUtilsMock instance.

func (*ScanUtilsMock) DownloadFile 

func (m *ScanUtilsMock) DownloadFile(url, filename string, _ http.Header, _ []*http.Cookie) error

DownloadFile mimics http.Downloader and records the downloaded file.

func (*ScanUtilsMock) FileOpen 

func (m *ScanUtilsMock) FileOpen(name string, flag int, perm os.FileMode) (File, error)

FileOpen mimics os.FileOpen() based on FilesMock OpenFile().

func (*ScanUtilsMock) FindPackageJSONFiles 

func (m *ScanUtilsMock) FindPackageJSONFiles(options *ScanOptions) ([]string, error)

FindPackageJSONFiles mimics npm.FindPackageJSONFiles() based on the FilesMock setup.

func (*ScanUtilsMock) InstallAllNPMDependencies 

func (m *ScanUtilsMock) InstallAllNPMDependencies(_ *ScanOptions, packageJSONs []string) error

InstallAllNPMDependencies mimics npm.InstallAllNPMDependencies() and records the "npm install".

func (*ScanUtilsMock) RemoveAll 

func (m *ScanUtilsMock) RemoveAll(dir string) error

RemoveAll mimics os.RemoveAll().

type System 

type System struct {
	// contains filtered or unexported fields
}

System defines a WhiteSource System including respective tokens (e.g. org token, user token)

func NewSystem 

func NewSystem(serverURL, orgToken, userToken string, timeout time.Duration) *System

NewSystem constructs a new System instance

func (*System) CreateProduct 

func (s *System) CreateProduct(productName string) (string, error)

CreateProduct creates a new WhiteSource product and returns its product token.

func (*System) GetProductByName 

func (s *System) GetProductByName(productName string) (Product, error)

GetProductByName retrieves meta information for a specific WhiteSource product

func (*System) GetProductName 

func (s *System) GetProductName(productToken string) (string, error)

GetProductName returns the product name for a given product token

func (*System) GetProductsMetaInfo 

func (s *System) GetProductsMetaInfo() ([]Product, error)

GetProductsMetaInfo retrieves meta information for all WhiteSource products a user has access to

func (*System) GetProjectAlerts 

func (s *System) GetProjectAlerts(projectToken string) ([]Alert, error)

GetProjectAlerts

func (*System) GetProjectAlertsByType 

func (s *System) GetProjectAlertsByType(projectToken, alertType string) ([]Alert, error)

GetProjectAlertsByType returns all alerts of a certain type for a given project

func (*System) GetProjectByName 

func (s *System) GetProjectByName(productToken, projectName string) (Project, error)

GetProjectByName fetches all projects and returns the one matching the given projectName, or none, if not found

func (*System) GetProjectByToken 

func (s *System) GetProjectByToken(projectToken string) (Project, error)

GetProjectByToken returns project meta info given a project token

func (*System) GetProjectLibraryLocations 

func (s *System) GetProjectLibraryLocations(projectToken string) ([]Library, error)

GetProjectLibraryLocations

func (*System) GetProjectRiskReport 

func (s *System) GetProjectRiskReport(projectToken string) ([]byte, error)

GetProjectRiskReport

func (*System) GetProjectToken 

func (s *System) GetProjectToken(productToken, projectName string) (string, error)

GetProjectToken returns the project token for a project with a given name

func (*System) GetProjectTokens 

func (s *System) GetProjectTokens(productToken string, projectNames []string) ([]string, error)

GetProjectTokens returns the project tokens matching a given a slice of project names

func (*System) GetProjectVulnerabilityReport 

func (s *System) GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)

GetProjectVulnerabilityReport

func (*System) GetProjectsByIDs 

func (s *System) GetProjectsByIDs(productToken string, projectIDs []int64) ([]Project, error)

GetProjectsByIDs retrieves all projects for the given productToken and filters them by the given project ids

func (*System) GetProjectsMetaInfo 

func (s *System) GetProjectsMetaInfo(productToken string) ([]Project, error)

GetProjectsMetaInfo retrieves the registered projects for a specific WhiteSource product

func (*System) SetProductAssignments 

func (s *System) SetProductAssignments(productToken string, membership, admins, alertReceivers *Assignment) error

SetProductAssignments assigns various types of membership to a WhiteSource Product.

type SystemMock 

type SystemMock struct {
	ProductName         string
	Products            []Product
	Projects            []Project
	Alerts              []Alert
	AlertType           string
	AlertError          error
	Libraries           []Library
	RiskReport          []byte
	VulnerabilityReport []byte
}

SystemMock stores a number of WhiteSource objects and, based on that, mocks the behavior of System.

func NewSystemMock 

func NewSystemMock(lastUpdateDate string) *SystemMock

NewSystemMock returns a pointer to a new instance of SystemMock.

func NewSystemMockWithProjectName 

func NewSystemMockWithProjectName(lastUpdateDate, projectName string) *SystemMock

NewSystemMockWithProjectName returns a pointer to a new instance of SystemMock using a project with a defined name.

func (*SystemMock) CreateProduct 

func (m *SystemMock) CreateProduct(productName string) (string, error)

CreateProduct appends a new Product to the system mock and returns its token ("mock-product-token-<index>").

func (*SystemMock) GetProductByName 

func (m *SystemMock) GetProductByName(productName string) (Product, error)

GetProductByName mimics retrieving a Product by name. It returns an error of no Product is stored in the mock.

func (*SystemMock) GetProjectAlerts 

func (m *SystemMock) GetProjectAlerts(projectToken string) ([]Alert, error)

GetProjectAlerts returns the alerts stored in the SystemMock.

func (*SystemMock) GetProjectAlertsByType 

func (m *SystemMock) GetProjectAlertsByType(projectToken, alertType string) ([]Alert, error)

GetProjectAlertsByType returns the alerts stored in the SystemMock and records the type.

func (*SystemMock) GetProjectByToken 

func (m *SystemMock) GetProjectByToken(projectToken string) (Project, error)

GetProjectByToken checks the Projects stored in the mock and returns the one with the given token or an error.

func (*SystemMock) GetProjectLibraryLocations 

func (m *SystemMock) GetProjectLibraryLocations(projectToken string) ([]Library, error)

GetProjectLibraryLocations returns the libraries stored in the SystemMock.

func (*SystemMock) GetProjectRiskReport 

func (m *SystemMock) GetProjectRiskReport(projectToken string) ([]byte, error)

GetProjectRiskReport mocks retrieving a risc report.

func (*SystemMock) GetProjectToken 

func (m *SystemMock) GetProjectToken(productToken, projectName string) (string, error)

GetProjectToken checks the Projects stored in the mock and returns a valid token, or an empty token and no error.

func (*SystemMock) GetProjectVulnerabilityReport 

func (m *SystemMock) GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)

GetProjectVulnerabilityReport mocks retrieving a vulnerability report. Behavior depends on what is stored in the mock.

func (*SystemMock) GetProjectsMetaInfo 

func (m *SystemMock) GetProjectsMetaInfo(productToken string) ([]Project, error)

GetProjectsMetaInfo returns the list of Projects stored in the mock or an error if token is unknown.

func (*SystemMock) SetProductAssignments 

func (m *SystemMock) SetProductAssignments(productToken string, _, _, _ *Assignment) error

SetProductAssignments checks if the system mock contains a product with the given token and returns an error depending on that, but otherwise does nothing with the provided arguments.

type UserAssignment 

type UserAssignment struct {
	Email string `json:"email,omitempty"`
}

UserAssignment holds an email address for a WhiteSource user which can be assigned to a WhiteSource Product in a specific role.

type Utils 

type Utils interface {
	maven.Utils

	Chdir(path string) error
	Getwd() (string, error)
	FileRead(path string) ([]byte, error)
	FileWrite(path string, content []byte, perm os.FileMode) error
	FileRemove(path string) error
	FileRename(oldPath, newPath string) error
	GetExitCode() int
	RemoveAll(path string) error
	FileOpen(name string, flag int, perm os.FileMode) (File, error)

	FindPackageJSONFiles(config *ScanOptions) ([]string, error)
	InstallAllNPMDependencies(config *ScanOptions, packageJSONFiles []string) error
}

Utils captures all external functionality that needs to be exchangeable in tests.

type Vulnerability 

type Vulnerability struct {
	Name              string      `json:"name,omitempty"`
	Type              string      `json:"type,omitempty"`
	Severity          string      `json:"severity,omitempty"`
	Score             float64     `json:"score,omitempty"`
	CVSS3Severity     string      `json:"cvss3_severity,omitempty"`
	CVSS3Score        float64     `json:"cvss3_score,omitempty"`
	PublishDate       string      `json:"publishDate,omitempty"`
	URL               string      `json:"url,omitempty"`
	Description       string      `json:"description,omitempty"`
	TopFix            Fix         `json:"topFix,omitempty"`
	AllFixes          []Fix       `json:"allFixes,omitempty"`
	FixResolutionText string      `json:"fixResolutionText,omitempty"`
	References        []Reference `json:"references,omitempty"`
}

Vulnerability defines a vulnerability as returned by WhiteSource

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.