Documentation ¶
Constants ¶
// ResultClass values: what kind of finding a Result carries.
const (
	// ClassUnknown is the placeholder when the class could not be determined.
	ClassUnknown ResultClass = "unknown"
	// ClassOSPkg covers packages and vulnerabilities found in OS packages.
	ClassOSPkg ResultClass = "os-pkgs"
	// ClassLangPkg covers packages and vulnerabilities found in language-specific packages.
	ClassLangPkg ResultClass = "lang-pkgs"
	// ClassConfig covers detected misconfigurations.
	ClassConfig ResultClass = "config"
	// ClassSecret covers detected secrets.
	ClassSecret ResultClass = "secret"
	// ClassLicense covers licenses detected on packages.
	ClassLicense ResultClass = "license"
	// ClassLicenseFile covers licenses detected in loose files.
	ClassLicenseFile ResultClass = "license-file"
	// ClassCustom is for results that fit none of the classes above.
	ClassCustom ResultClass = "custom"
)

// Compliance specifications that can be requested by name.
// Compliance is an alias of string, so these are plain string constants.
const (
	ComplianceK8sNsa           Compliance = "k8s-nsa"
	ComplianceK8sCIS           Compliance = "k8s-cis"
	ComplianceK8sPSSBaseline   Compliance = "k8s-pss-baseline"
	ComplianceK8sPSSRestricted Compliance = "k8s-pss-restricted"
	ComplianceAWSCIS12         Compliance = "aws-cis-1.2"
	ComplianceAWSCIS14         Compliance = "aws-cis-1.4"
	ComplianceDockerCIS        Compliance = "docker-cis"
)

// Output formats the package recognises (see SupportedFormats).
const (
	FormatTable      Format = "table"
	FormatJSON       Format = "json"
	FormatTemplate   Format = "template"
	FormatSarif      Format = "sarif"
	FormatCycloneDX  Format = "cyclonedx"
	FormatSPDX       Format = "spdx"
	FormatSPDXJSON   Format = "spdx-json"
	FormatGitHub     Format = "github"
	FormatCosignVuln Format = "cosign-vuln"
)
// Sources an SBOM can be retrieved from (see SBOMSources).
// SBOMSource is an alias of string, so these are plain string constants.
const (
	// SBOMSourceOCI selects an OCI registry as the SBOM source.
	SBOMSourceOCI SBOMSource = "oci"
	// SBOMSourceRekor selects a Rekor transparency log as the SBOM source.
	SBOMSourceRekor SBOMSource = "rekor"
)
// Vulnerability classes a scan can report (see VulnTypes).
const (
	// VulnTypeUnknown is used when the vulnerability class cannot be determined.
	VulnTypeUnknown VulnType = "unknown"
	// VulnTypeOS marks vulnerabilities in OS packages.
	VulnTypeOS VulnType = "os"
	// VulnTypeLibrary marks vulnerabilities in programming-language dependencies.
	VulnTypeLibrary VulnType = "library"
)

// Scanner identifiers (see AllScanners and AllImageConfigScanners).
const (
	// UnknownScanner is the placeholder for a scanner that was not recognised.
	UnknownScanner Scanner = "unknown"
	// NoneScanner explicitly selects no scanner.
	NoneScanner Scanner = "none"
	// VulnerabilityScanner detects vulnerabilities.
	VulnerabilityScanner Scanner = "vuln"
	// MisconfigScanner detects misconfigurations.
	MisconfigScanner Scanner = "misconfig"
	// SecretScanner detects secrets.
	SecretScanner Scanner = "secret"
	// RBACScanner performs RBAC assessment.
	RBACScanner Scanner = "rbac"
	// LicenseScanner detects licenses.
	LicenseScanner Scanner = "license"
)
Variables ¶
// SupportedFormats lists every output Format the package recognises, in the
// order they are advertised.
var SupportedFormats = []Format{
	FormatTable,
	FormatJSON,
	FormatTemplate,
	FormatSarif,
	FormatCycloneDX,
	FormatSPDX,
	FormatSPDXJSON,
	FormatGitHub,
	FormatCosignVuln,
}

// SupportedSBOMFormats is the subset of SupportedFormats treated as SBOM outputs.
var SupportedSBOMFormats = []Format{
	FormatCycloneDX,
	FormatSPDX,
	FormatSPDXJSON,
	FormatGitHub,
}

// SupportedCompliances lists the compliance specifications that can be
// requested by name. Validate user-supplied names against this list, since
// the Compliance alias itself accepts any string.
var SupportedCompliances = []string{
	ComplianceK8sNsa,
	ComplianceK8sCIS,
	ComplianceK8sPSSBaseline,
	ComplianceK8sPSSRestricted,
	ComplianceAWSCIS12,
	ComplianceAWSCIS14,
	ComplianceDockerCIS,
}
// VulnTypes lists the vulnerability classes a caller may select in
// ScanOptions.VulnType. VulnTypeUnknown is deliberately absent.
var VulnTypes = []string{
	VulnTypeOS,
	VulnTypeLibrary,
}

// AllScanners lists every scanner a caller may enable on an artifact,
// including NoneScanner for "nothing".
var AllScanners = Scanners{
	VulnerabilityScanner,
	MisconfigScanner,
	RBACScanner,
	SecretScanner,
	LicenseScanner,
	NoneScanner,
}

// AllImageConfigScanners has a list of available scanners on container image config.
// The container image in container registries consists of manifest, config and layers.
// Tunnel is also able to detect security issues on the image config.
// Only misconfiguration and secret scanning apply to the config document.
var AllImageConfigScanners = Scanners{
	MisconfigScanner,
	SecretScanner,
	NoneScanner,
}
// SBOMSources lists the locations an SBOM may be fetched from; validate
// user-supplied source names against it, since SBOMSource is a bare string.
var SBOMSources = []string{
	SBOMSourceOCI,
	SBOMSourceRekor,
}
Functions ¶
This section is empty.
Types ¶
type BySeverity ¶
// BySeverity adapts a slice of DetectedVulnerability to sort.Interface so it
// can be passed to sort.Sort. Despite the name, Less orders on package name,
// severity, vulnerability ID and package path (see its doc), so the result is
// a deterministic ordering rather than a pure severity ranking.
type BySeverity []DetectedVulnerability
BySeverity implements sort.Interface based on the Severity field.
func (BySeverity) Len ¶
func (v BySeverity) Len() int
Len returns the number of DetectedVulnerability entries in the slice.
func (BySeverity) Less ¶
func (v BySeverity) Less(i, j int) bool
Less reports whether the DetectedVulnerability at index i sorts before the one at index j, comparing package name, severity, vulnerability ID and package path.
type Compliance ¶
// Compliance names a compliance specification (see the Compliance* constants
// and SupportedCompliances). It is an alias of string, not a distinct type,
// so the compiler accepts any string where a Compliance is expected; code that
// takes the name from flags or config must validate it against
// SupportedCompliances rather than rely on the type.
type Compliance = string
type DetectedLicense ¶
// DetectedLicense is one license finding. Exactly one of PkgName (license
// attached to a package) or FilePath (license found in a file) is expected
// to be set. The struct carries no json tags, so every field is serialized
// under its Go name and none is ever omitted.
type DetectedLicense struct {
	// Severity is the consistent parameter indicating how severe the issue is
	Severity string

	// Category holds the license category such as "forbidden"
	Category types.LicenseCategory

	// PkgName holds a package name of the license.
	// It will be empty if FilePath is filled.
	PkgName string

	// FilePath holds a file path of the license.
	// It will be empty if PkgName is filled.
	FilePath string // for file license

	// Name holds a detected license name
	Name string

	// Confidence is level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an
	// exact match and 0.0 indicating a complete mismatch.
	// NOTE(review): nothing here enforces the range; treat values outside [0, 1] as a producer bug.
	Confidence float64

	// Link is a SPDX link of the license
	Link string
}
type DetectedMisconfiguration ¶
// DetectedMisconfiguration holds detected misconfigurations.
//
// One record per evaluated check; Status distinguishes passes, failures and
// exceptions. Fields are serialized under their Go names (the tags only add
// omitempty).
type DetectedMisconfiguration struct {
	Type        string `json:",omitempty"` // NOTE(review): presumably the config/IaC type of the target — confirm
	ID          string `json:",omitempty"` // check identifier; presumably what GetID returns
	AVDID       string `json:",omitempty"` // presumably the AVD (Aqua Vulnerability Database) identifier of the check
	Title       string `json:",omitempty"`
	Description string `json:",omitempty"`
	Message     string `json:",omitempty"` // human-readable finding text
	Namespace   string `json:",omitempty"` // policy namespace the check belongs to — TODO confirm
	Query       string `json:",omitempty"`
	Resolution  string `json:",omitempty"` // remediation guidance
	Severity    string `json:",omitempty"`
	PrimaryURL  string `json:",omitempty"`
	References  []string `json:",omitempty"`
	// Status is one of StatusPassed, StatusFailure or StatusException.
	Status MisconfStatus `json:",omitempty"`
	// Layer and CauseMetadata are struct values. encoding/json's omitempty
	// never omits a struct (only false, 0, nil and empty collections), so
	// both are always present in the JSON output.
	Layer         ftypes.Layer         `json:",omitempty"`
	CauseMetadata ftypes.CauseMetadata `json:",omitempty"`

	// For debugging. Traces are still serialized whenever non-empty, so
	// anything placed here reaches every report consumer; keep it free of
	// internal detail that should not leave the scanner.
	Traces []string `json:",omitempty"`
}
DetectedMisconfiguration holds detected misconfigurations
func (*DetectedMisconfiguration) GetID ¶
func (mc *DetectedMisconfiguration) GetID() string
GetID returns the misconfiguration ID.
type DetectedVulnerability ¶
// DetectedVulnerability holds the information of detected vulnerabilities:
// one advisory matched against one installed package.
//
// Because types.Vulnerability is embedded without a tag, its exported fields
// are promoted and appear at the top level of the JSON object alongside the
// fields declared here.
type DetectedVulnerability struct {
	VulnerabilityID  string         `json:",omitempty"` // advisory identifier (CVE, GHSA, ...); what GetID returns
	VendorIDs        []string       `json:",omitempty"` // vendor-specific identifiers for the same advisory
	PkgID            string         `json:",omitempty"` // It is used to construct dependency graph.
	PkgName          string         `json:",omitempty"`
	PkgPath          string         `json:",omitempty"` // This field is populated in the case of language-specific packages such as egg/wheel and gemspec
	InstalledVersion string         `json:",omitempty"`
	FixedVersion     string         `json:",omitempty"` // NOTE(review): empty could mean "no fix" or "unknown"; check Status before concluding — confirm
	Status           types.Status   `json:",omitempty"`
	Layer            ftypes.Layer   `json:",omitempty"` // struct value: omitempty does not apply, always serialized
	SeveritySource   types.SourceID `json:",omitempty"` // which data source the reported severity was taken from
	PrimaryURL       string         `json:",omitempty"`

	// PkgRef is populated only when scanning SBOM and contains the reference ID used in the SBOM.
	// It could be PURL, UUID, etc.
	// e.g.
	//   - pkg:npm/acme/component@1.0.0
	//   - b2a46a4b-8367-4bae-9820-95557cfe03a8
	PkgRef string `json:",omitempty"`

	// DataSource holds where the advisory comes from
	DataSource *types.DataSource `json:",omitempty"`

	// Custom is for extensibility and not supposed to be used in OSS.
	// NOTE(review): if a report is ever unmarshalled back, this lands as
	// map[string]interface{} / []interface{}; never type-assert it without
	// the ok form.
	Custom interface{} `json:",omitempty"`

	// Embed vulnerability details
	types.Vulnerability
}
DetectedVulnerability holds the information of detected vulnerabilities
func (*DetectedVulnerability) GetID ¶
func (vuln *DetectedVulnerability) GetID() string
GetID returns the vulnerability ID.
type Metadata ¶
// Metadata represents a metadata of artifact.
//
// The fields below the "Container image" marker are only meaningful when the
// scanned artifact is an image.
type Metadata struct {
	Size int64      `json:",omitempty"`
	OS   *ftypes.OS `json:",omitempty"` // pointer, so a nil OS is omitted from JSON

	// Container image
	ImageID     string   `json:",omitempty"`
	DiffIDs     []string `json:",omitempty"` // layer diff IDs (OCI term)
	RepoTags    []string `json:",omitempty"`
	RepoDigests []string `json:",omitempty"`
	// ImageConfig is a struct value, so omitempty does not apply: an (empty)
	// ImageConfig object is always written, image or not.
	// NOTE(review): presumably go-containerregistry's v1.ConfigFile, which
	// carries the image's Env and History verbatim — both commonly contain
	// build-time secrets — and it is copied into the report unredacted.
	// Confirm that is intended wherever reports are shared or stored.
	ImageConfig v1.ConfigFile `json:",omitempty"`
}
Metadata represents metadata about the scanned artifact.
type MisconfStatus ¶
// MisconfStatus is the outcome of a single misconfiguration check. It is a
// distinct string type; the values in use are the Status* constants.
type MisconfStatus string
MisconfStatus represents the status of a misconfiguration check.
// Outcomes a misconfiguration check can have.
const (
	// StatusPassed marks a check that succeeded.
	StatusPassed = MisconfStatus("PASS")
	// StatusFailure marks a check that failed.
	StatusFailure = MisconfStatus("FAIL")
	// StatusException marks a check whose result is an exception rather
	// than a plain pass or fail.
	StatusException = MisconfStatus("EXCEPTION")
)
type MisconfSummary ¶
func (MisconfSummary) Empty ¶
func (s MisconfSummary) Empty() bool
type Report ¶
// Report represents a scan result: the top-level object for a whole scan,
// holding artifact Metadata plus one Result per scanned target.
type Report struct {
	// SchemaVersion identifies the report layout. Because of omitempty a
	// version of 0 is dropped from the JSON, so readers must treat a missing
	// SchemaVersion as 0, not as "current".
	SchemaVersion int `json:",omitempty"`
	// CreatedAt and Metadata are struct values; omitempty never omits a
	// struct, so both are always serialized (a zero CreatedAt appears as
	// "0001-01-01T00:00:00Z").
	CreatedAt    time.Time           `json:",omitempty"`
	ArtifactName string              `json:",omitempty"`
	ArtifactType ftypes.ArtifactType `json:",omitempty"`
	Metadata     Metadata            `json:",omitempty"`
	Results      Results             `json:",omitempty"`

	// SBOM
	CycloneDX *ftypes.CycloneDX `json:"-"` // Just for internal usage, not exported in JSON
}
Report represents a scan result
type Result ¶
// Result holds one scan target together with the packages and findings
// (vulnerabilities, misconfigurations, secrets, licenses, custom resources)
// detected in it. Target is the only field without omitempty and is always
// serialized.
//
// NOTE(review): Result has a custom MarshalJSON (declared below), so the tags
// here describe the field-level encoding only — check that method for any
// additional shaping of the output.
type Result struct {
	Target            string                     `json:"Target"`
	Class             ResultClass                `json:"Class,omitempty"` // one of the Class* constants
	Type              ftypes.TargetType          `json:"Type,omitempty"`
	Packages          []ftypes.Package           `json:"Packages,omitempty"`
	Vulnerabilities   []DetectedVulnerability    `json:"Vulnerabilities,omitempty"`
	MisconfSummary    *MisconfSummary            `json:"MisconfSummary,omitempty"`
	Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`
	// NOTE(review): if SecretFinding carries the matched value, the report
	// itself contains secret material and must be handled accordingly — confirm.
	Secrets         []ftypes.SecretFinding  `json:"Secrets,omitempty"`
	Licenses        []DetectedLicense       `json:"Licenses,omitempty"`
	CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"`
}
Result holds a single scan target together with the packages and findings (vulnerabilities, misconfigurations, secrets, licenses and custom resources) detected in it.
func (*Result) MarshalJSON ¶
type ResultClass ¶
// ResultClass categorises a Result by what it reports (OS packages, language
// packages, config, secrets, licenses, ...). It is a distinct string type;
// the values in use are the Class* constants.
type ResultClass string
type SBOM ¶
// SBOM is the decoded form of an SBOM document: the OS and package inventory
// it describes, plus the parsed source document. It carries no json tags.
//
// NOTE(review): when the SBOM is fetched rather than supplied locally (see
// SBOMSource), its contents are untrusted input — package names, versions and
// references should not be assumed well-formed.
type SBOM struct {
	OS           types.OS
	Packages     []types.PackageInfo
	Applications []types.Application

	// Presumably at most one of these is set, depending on the input
	// format — TODO confirm against the decoders.
	CycloneDX *types.CycloneDX
	SPDX      *stypes.Document
}
type SBOMSource ¶
// SBOMSource identifies where an SBOM is fetched from (see the SBOMSource*
// constants and SBOMSources). As an alias of string it gives no type safety;
// values that originate from flags or config must be validated against
// SBOMSources before use.
type SBOMSource = string
type ScanOptions ¶
// ScanOptions holds the attributes for scanning vulnerabilities.
//
// Despite the name it configures every scanner, not only the vulnerability one.
type ScanOptions struct {
	// VulnType selects the vulnerability classes to report; presumably the
	// accepted values are those in VulnTypes.
	VulnType []string
	// Scanners lists the scanners enabled for the artifact; see AllScanners.
	Scanners            Scanners
	ImageConfigScanners Scanners // Scanners for container image configuration; see AllImageConfigScanners
	ScanRemovedPackages bool
	ListAllPackages     bool // NOTE(review): presumably emits Result.Packages even without findings — confirm
	// LicenseCategories maps a category to the license names it contains;
	// presumably the policy behind DetectedLicense.Category — confirm.
	LicenseCategories map[types.LicenseCategory][]string
	FilePatterns      []string
	IncludeDevDeps    bool // NOTE(review): presumably includes development-only dependencies in language-package results — confirm
}
ScanOptions holds the attributes that control a scan: which scanners and vulnerability types run, license categorisation, file patterns, and package-listing behaviour.
type ScanTarget ¶
// ScanTarget holds the attributes for scanning.
//
// It is the scanner's input — the analyzers' raw output for one artifact
// (note the plain types.* element types here versus the Detected* types that
// end up in Result).
type ScanTarget struct {
	Name              string // container image name, file path, etc
	OS                types.OS
	Repository        *types.Repository
	Packages          types.Packages
	Applications      []types.Application
	Misconfigurations []types.Misconfiguration
	Secrets           []types.Secret
	Licenses          []types.LicenseFile

	// CustomResources hold analysis results from custom analyzers.
	// It is for extensibility and not used in OSS.
	CustomResources []types.CustomResource
}
ScanTarget holds the attributes for scanning.
type Scanners ¶
// Scanners is a set of enabled Scanner values. AllScanners and
// AllImageConfigScanners enumerate the known members; AnyEnabled tests
// membership.
type Scanners []Scanner
Scanners is a slice of scanners
func (Scanners) AnyEnabled ¶
AnyEnabled reports whether at least one of the given scanners is present in the receiver.