Constants ¶
const (
	// FindingTypeVulnerability marks a finding that is a vulnerability.
	FindingTypeVulnerability FindingType = "vulnerability"
	// FindingTypeMisconfiguration marks a finding that is a misconfiguration.
	FindingTypeMisconfiguration FindingType = "misconfiguration"
	// FindingTypeSecret marks a finding that is a secret.
	FindingTypeSecret FindingType = "secret"
	// FindingTypeLicense marks a finding that is a license.
	FindingTypeLicense FindingType = "license"

	// Statuses assigned by Tunnel itself (e.g. a finding suppressed by an ignore file; see ModifiedFinding).
	FindingStatusIgnored FindingStatus = "ignored" // Tunnel
	FindingStatusUnknown FindingStatus = "unknown" // Tunnel
	// Statuses taken from a VEX statement; their string values are stored as-is.
	FindingStatusNotAffected        FindingStatus = "not_affected"        // VEX
	FindingStatusAffected           FindingStatus = "affected"            // VEX
	FindingStatusFixed              FindingStatus = "fixed"               // VEX
	FindingStatusUnderInvestigation FindingStatus = "under_investigation" // VEX
)
const (
	ClassUnknown     ResultClass = "unknown"
	ClassOSPkg       ResultClass = "os-pkgs"      // For detected packages and vulnerabilities in OS packages
	ClassLangPkg     ResultClass = "lang-pkgs"    // For detected packages and vulnerabilities in language-specific packages
	ClassConfig      ResultClass = "config"       // For detected misconfigurations
	ClassSecret      ResultClass = "secret"       // For detected secrets
	ClassLicense     ResultClass = "license"      // For detected package licenses
	ClassLicenseFile ResultClass = "license-file" // For detected licenses in files
	ClassCustom      ResultClass = "custom"       // presumably for results of custom analyzers (cf. ScanTarget.CustomResources) — verify against callers

	// Compliance specification identifiers. Compliance is a string alias, so these
	// constants give no type safety: user-supplied values must be validated against
	// SupportedCompliances rather than relying on the type.
	ComplianceK8sNsa10           = Compliance("k8s-nsa-1.0")
	ComplianceK8sCIS123          = Compliance("k8s-cis-1.23")
	ComplianceK8sPSSBaseline01   = Compliance("k8s-pss-baseline-0.1")
	ComplianceK8sPSSRestricted01 = Compliance("k8s-pss-restricted-0.1")
	ComplianceAWSCIS12           = Compliance("aws-cis-1.2")
	ComplianceAWSCIS14           = Compliance("aws-cis-1.4")
	ComplianceDockerCIS160       = Compliance("docker-cis-1.6.0")
	ComplianceEksCIS14           = Compliance("eks-cis-1.4")
	ComplianceRke2CIS124         = Compliance("rke2-cis-1.24")

	// Report output formats. SupportedFormats lists all of them; SupportedSBOMFormats
	// lists the subset that are SBOM formats.
	FormatTable      Format = "table"
	FormatJSON       Format = "json"
	FormatTemplate   Format = "template"
	FormatSarif      Format = "sarif"
	FormatCycloneDX  Format = "cyclonedx"
	FormatSPDX       Format = "spdx"
	FormatSPDXJSON   Format = "spdx-json"
	FormatGitHub     Format = "github"
	FormatCosignVuln Format = "cosign-vuln"
)
const (
	// Identifiers of the places an SBOM can be retrieved from; SBOMSources lists them.
	// SBOMSource is a string alias, so any string is accepted at the type level and
	// user input must be checked against SBOMSources.
	SBOMSourceOCI   = SBOMSource("oci")
	SBOMSourceRekor = SBOMSource("rekor")
)
const (
	// PkgTypeUnknown is the package type used when the type is unknown
	PkgTypeUnknown PkgType = "unknown"
	// PkgTypeOS is the package type of OS packages
	PkgTypeOS PkgType = "os"
	// PkgTypeLibrary is the package type of programming language dependencies
	PkgTypeLibrary PkgType = "library"

	// UnknownScanner represents an unknown scanner
	UnknownScanner Scanner = "unknown"
	// NoneScanner represents no scanner
	NoneScanner Scanner = "none"
	// SBOMScanner is the virtual scanner of SBOM, which cannot be enabled by the user
	// (it is absent from AllScanners)
	SBOMScanner Scanner = "sbom"
	// VulnerabilityScanner is the scanner of vulnerabilities
	VulnerabilityScanner Scanner = "vuln"
	// MisconfigScanner is the scanner of misconfigurations
	MisconfigScanner Scanner = "misconfig"
	// SecretScanner is the scanner of secrets
	SecretScanner Scanner = "secret"
	// RBACScanner is the scanner for RBAC assessment
	RBACScanner Scanner = "rbac"
	// LicenseScanner is the scanner of licenses
	LicenseScanner Scanner = "license"
)
Variables ¶
var (
	// SupportedFormats lists every report output Format.
	SupportedFormats = []Format{
		FormatTable,
		FormatJSON,
		FormatTemplate,
		FormatSarif,
		FormatCycloneDX,
		FormatSPDX,
		FormatSPDXJSON,
		FormatGitHub,
		FormatCosignVuln,
	}
	// SupportedSBOMFormats is the subset of SupportedFormats that are SBOM formats.
	SupportedSBOMFormats = []Format{
		FormatCycloneDX,
		FormatSPDX,
		FormatSPDXJSON,
		FormatGitHub,
	}
	// SupportedCompliances lists the accepted compliance specification IDs.
	// It is a []string because Compliance is an alias for string; use it to
	// validate user-supplied compliance names, since the type itself cannot.
	SupportedCompliances = []string{
		ComplianceK8sNsa10,
		ComplianceK8sCIS123,
		ComplianceK8sPSSBaseline01,
		ComplianceK8sPSSRestricted01,
		ComplianceAWSCIS12,
		ComplianceAWSCIS14,
		ComplianceDockerCIS160,
		ComplianceEksCIS14,
		ComplianceRke2CIS124,
	}
)
var (
	// PkgTypes lists the selectable package types; PkgTypeUnknown is not included.
	PkgTypes = []string{
		PkgTypeOS,
		PkgTypeLibrary,
	}
	// AllScanners lists the scanners that can be selected for a scan target.
	// SBOMScanner is not included (it is a virtual scanner, see its declaration),
	// while NoneScanner is.
	AllScanners = Scanners{
		VulnerabilityScanner,
		MisconfigScanner,
		RBACScanner,
		SecretScanner,
		LicenseScanner,
		NoneScanner,
	}
	// AllImageConfigScanners has a list of available scanners on container image config.
	// The container image in container registries consists of manifest, config and layers.
	// Tunnel is also able to detect security issues on the image config.
	// Only misconfiguration and secret scanning apply to the config; vulnerability,
	// RBAC and license scanners are not in this list.
	AllImageConfigScanners = Scanners{
		MisconfigScanner,
		SecretScanner,
		NoneScanner,
	}
)
var (
	// SBOMSources lists the accepted SBOMSource values. Since SBOMSource is a string
	// alias, this slice is the only place a user-supplied source can be validated.
	SBOMSources = []string{
		SBOMSourceOCI,
		SBOMSourceRekor,
	}
)
Functions ¶
This section is empty.
Types ¶
type BySeverity ¶
// BySeverity implements sort.Interface for a slice of DetectedVulnerability.
// Despite the name, Less orders by package name, severity, vulnerability ID and
// package path (see Less), which makes the order deterministic for equal severities.
type BySeverity []DetectedVulnerability
BySeverity implements sort.Interface based on the Severity field.
func (BySeverity) Len ¶
func (v BySeverity) Len() int
Len returns the length of DetectedVulnerabilities
func (BySeverity) Less ¶
func (v BySeverity) Less(i, j int) bool
Less compares 2 DetectedVulnerabilities based on package name, severity, vulnerabilityID and package path
type Compliance ¶
// Compliance names a compliance specification, e.g. ComplianceK8sNsa10.
// It is a type alias, not a defined type, so any string converts to it implicitly
// and the compiler provides no checking; validate values against SupportedCompliances.
type Compliance = string
type DetectedLicense ¶
// DetectedLicense holds a license detected either on a package or in a file;
// exactly one of PkgName and FilePath is expected to be set.
type DetectedLicense struct {
	// Severity is the consistent parameter indicating how severe the issue is
	Severity string

	// Category holds the license category such as "forbidden"
	Category types.LicenseCategory

	// PkgName holds a package name of the license.
	// It will be empty if FilePath is filled.
	PkgName string

	// FilePath holds a file path of the license.
	// It will be empty if PkgName is filled.
	FilePath string // for file license

	// Name holds a detected license name
	Name string

	// Text holds a long license text if Tunnel detects a license name as a license text
	Text string

	// Confidence is the level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an
	// exact match and 0.0 indicating a complete mismatch
	Confidence float64

	// Link is a SPDX link of the license
	Link string
}
type DetectedMisconfiguration ¶
// DetectedMisconfiguration holds a detected misconfiguration (one checked rule and its outcome).
//
// NOTE(review): `omitempty` has no effect on struct-typed fields such as Layer and
// CauseMetadata; encoding/json only omits false, 0, nil pointers/interfaces and
// empty arrays, slices, maps and strings, so those two are always encoded.
type DetectedMisconfiguration struct {
	Type        string   `json:",omitempty"`
	ID          string   `json:",omitempty"`
	AVDID       string   `json:",omitempty"`
	Title       string   `json:",omitempty"`
	Description string   `json:",omitempty"`
	Message     string   `json:",omitempty"`
	Namespace   string   `json:",omitempty"`
	Query       string   `json:",omitempty"`
	Resolution  string   `json:",omitempty"`
	Severity    string   `json:",omitempty"`
	PrimaryURL  string   `json:",omitempty"`
	References  []string `json:",omitempty"`
	// Status is one of the MisconfStatus constants (PASS, FAIL, EXCEPTION).
	Status        MisconfStatus        `json:",omitempty"`
	Layer         ftypes.Layer         `json:",omitempty"`
	CauseMetadata ftypes.CauseMetadata `json:",omitempty"`

	// For debugging
	Traces []string `json:",omitempty"`
}
DetectedMisconfiguration holds detected misconfigurations
type DetectedSecret ¶
// DetectedSecret is a secret finding reported by the secret scanner. It is a defined
// type over ftypes.SecretFinding (not an alias), so conversions between the two must
// be explicit.
type DetectedSecret ftypes.SecretFinding
type DetectedVulnerability ¶
// DetectedVulnerability holds the information of a detected vulnerability: which package
// is affected, the advisory details (embedded types.Vulnerability) and where they came from.
//
// NOTE(review): `omitempty` does not apply to struct-typed fields (PkgIdentifier, Layer);
// they are always encoded.
type DetectedVulnerability struct {
	VulnerabilityID string   `json:",omitempty"`
	VendorIDs       []string `json:",omitempty"`
	PkgID           string   `json:",omitempty"` // It is used to construct dependency graph.
	PkgName         string   `json:",omitempty"`
	PkgPath         string   `json:",omitempty"` // This field is populated in the case of language-specific packages such as egg/wheel and gemspec
	PkgIdentifier   ftypes.PkgIdentifier `json:",omitempty"`
	InstalledVersion string         `json:",omitempty"`
	FixedVersion     string         `json:",omitempty"`
	Status           types.Status   `json:",omitempty"`
	Layer            ftypes.Layer   `json:",omitempty"`
	SeveritySource   types.SourceID `json:",omitempty"`
	PrimaryURL       string         `json:",omitempty"`

	// DataSource holds where the advisory comes from
	DataSource *types.DataSource `json:",omitempty"`

	// Custom is for extensibility and not supposed to be used in OSS.
	// Being `any`, it carries an arbitrary value; when decoded from JSON it will hold
	// generic map/slice/float64 data, so consumers should not assume a shape.
	Custom any `json:",omitempty"`

	// Embed vulnerability details
	types.Vulnerability
}
DetectedVulnerability holds the information of detected vulnerabilities
type FindingStatus ¶
// FindingStatus records how a finding has been modified; see the FindingStatus*
// constants (some set by Tunnel, some taken from VEX) and ModifiedFinding.
type FindingStatus string
type FindingType ¶
// FindingType identifies the kind of a finding; see the FindingType* constants.
// ModifiedFinding.UnmarshalJSON uses it to pick the concrete finding type.
type FindingType string
type Metadata ¶
// Metadata represents metadata of the scanned artifact; the container-image fields
// are only meaningful when the artifact is an image.
//
// NOTE(review): ImageConfig is a struct, so `omitempty` never omits it; it is encoded
// even when zero (Go 1.24's `omitzero` tag option would omit the zero value).
type Metadata struct {
	Size int64      `json:",omitempty"`
	OS   *ftypes.OS `json:",omitempty"`

	// Container image
	ImageID     string        `json:",omitempty"`
	DiffIDs     []string      `json:",omitempty"`
	RepoTags    []string      `json:",omitempty"`
	RepoDigests []string      `json:",omitempty"`
	ImageConfig v1.ConfigFile `json:",omitempty"`
}
Metadata represents a metadata of artifact
type MisconfStatus ¶
// MisconfStatus represents the status of a misconfiguration check; see the
// MisconfStatus* constants.
type MisconfStatus string
MisconfStatus represents a status of misconfiguration
const (
	// MisconfStatusPassed represents a successful status
	MisconfStatusPassed MisconfStatus = "PASS"

	// MisconfStatusFailure represents a failure status
	MisconfStatusFailure MisconfStatus = "FAIL"

	// MisconfStatusException represents the status of an exception
	MisconfStatusException MisconfStatus = "EXCEPTION"
)
type MisconfSummary ¶
func (MisconfSummary) Empty ¶
func (s MisconfSummary) Empty() bool
type ModifiedFinding ¶
// ModifiedFinding represents a security finding that has been modified by an external
// source, such as .tunnelignore and VEX. Currently, it is primarily used to account for
// vulnerabilities that are ignored via .tunnelignore or identified as not impactful
// through VEX. However, it is planned to also store vulnerabilities whose severity has
// been adjusted by VEX, or that have been detected through Wasm modules in the future.
type ModifiedFinding struct {
	// Type selects the concrete type held in Finding; UnmarshalJSON decodes Finding
	// based on it.
	Type FindingType
	// Status is the modified status (e.g. ignored, not_affected).
	Status FindingStatus
	// Statement is the justification text from the modifying source.
	Statement string
	// Source names what modified the finding (e.g. an ignore file or a VEX document).
	Source string
	// Finding is one of the detected finding types.
	// NOTE(review): when the JSON comes from outside, Type is attacker-controlled
	// input to the decoder; confirm UnmarshalJSON rejects unknown Type values.
	Finding finding // one of findings
}
ModifiedFinding represents a security finding that has been modified by an external source, such as .tunnelignore and VEX. Currently, it is primarily used to account for vulnerabilities that are ignored via .tunnelignore or identified as not impactful through VEX. However, it is planned to also store vulnerabilities whose severity has been adjusted by VEX, or that have been detected through Wasm modules in the future.
func NewModifiedFinding ¶
func NewModifiedFinding(f finding, status FindingStatus, statement, source string) ModifiedFinding
func (*ModifiedFinding) UnmarshalJSON ¶
func (m *ModifiedFinding) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals ModifiedFinding given the type and `UnmarshalJSON` functions of struct fields
type Report ¶
// Report represents a scan result: the artifact that was scanned, its metadata and the
// per-target results.
//
// NOTE(review): CreatedAt is a time.Time struct, so `omitempty` never omits it; a zero
// value is serialized as "0001-01-01T00:00:00Z" (Go 1.24's `omitzero` would omit it).
// Metadata is likewise always encoded.
type Report struct {
	SchemaVersion int           `json:",omitempty"`
	CreatedAt     time.Time     `json:",omitempty"`
	ArtifactName  string        `json:",omitempty"`
	ArtifactType  artifact.Type `json:",omitempty"`
	Metadata      Metadata      `json:",omitempty"`
	Results       Results       `json:",omitempty"`

	// parsed SBOM
	BOM *core.BOM `json:"-"` // Just for internal usage, not exported in JSON
}
Report represents a scan result
type Result ¶
// Result holds a target and everything detected on it: packages, vulnerabilities,
// misconfigurations, secrets, licenses and custom resources.
// Target is the only field without `omitempty`, so it is always present in JSON.
type Result struct {
	Target            string                     `json:"Target"`
	Class             ResultClass                `json:"Class,omitempty"`
	Type              ftypes.TargetType          `json:"Type,omitempty"`
	Packages          []ftypes.Package           `json:"Packages,omitempty"`
	Vulnerabilities   []DetectedVulnerability    `json:"Vulnerabilities,omitempty"`
	MisconfSummary    *MisconfSummary            `json:"MisconfSummary,omitempty"`
	Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`
	Secrets           []DetectedSecret           `json:"Secrets,omitempty"`
	Licenses          []DetectedLicense          `json:"Licenses,omitempty"`
	CustomResources   []ftypes.CustomResource    `json:"CustomResources,omitempty"`

	// ModifiedFindings holds a list of findings that have been modified from their original state.
	// This can include vulnerabilities that have been marked as ignored, not affected, or have had
	// their severity adjusted. It's still in an experimental stage and may change in the future.
	// Note the JSON key deliberately differs from the field name ("ExperimentalModifiedFindings").
	ModifiedFindings []ModifiedFinding `json:"ExperimentalModifiedFindings,omitempty"`
}
Result holds a target and detected vulnerabilities
type ResultClass ¶
// ResultClass classifies what a Result contains; see the Class* constants.
type ResultClass string
type SBOM ¶
// SBOM is the decoded content of a software bill of materials: artifact metadata,
// the package and application inventories, and the parsed core.BOM.
type SBOM struct {
	Metadata     Metadata
	Packages     []ftypes.PackageInfo
	Applications []ftypes.Application
	BOM          *core.BOM
}
type SBOMSource ¶
// SBOMSource names where an SBOM is retrieved from; see SBOMSourceOCI, SBOMSourceRekor
// and SBOMSources. It is a type alias for string, so the compiler does not restrict
// values; validate user input against SBOMSources.
type SBOMSource = string
type ScanOptions ¶
// ScanOptions holds the attributes for scanning vulnerabilities.
type ScanOptions struct {
	// PkgTypes selects package types to scan; values are expected to come from
	// the PkgTypes variable (PkgTypeOS, PkgTypeLibrary).
	PkgTypes         []string
	PkgRelationships []types.Relationship
	// Scanners selects which scanners run on the target (see AllScanners).
	Scanners            Scanners
	ImageConfigScanners Scanners // Scanners for container image configuration (see AllImageConfigScanners)
	ScanRemovedPackages bool
	// LicenseCategories maps a license category to the license names it covers.
	LicenseCategories map[types.LicenseCategory][]string
	FilePatterns      []string
	IncludeDevDeps    bool
}
ScanOptions holds the attributes for scanning vulnerabilities
type ScanTarget ¶
// ScanTarget holds the attributes for scanning: the analyzed artifact's inventory
// (OS, packages, applications) and the raw findings to be post-processed.
type ScanTarget struct {
	Name              string // container image name, file path, etc
	OS                types.OS
	Repository        *types.Repository
	Packages          types.Packages
	Applications      []types.Application
	Misconfigurations []types.Misconfiguration
	Secrets           []types.Secret
	Licenses          []types.LicenseFile

	// CustomResources hold analysis results from custom analyzers.
	// It is for extensibility and not used in OSS.
	CustomResources []types.CustomResource
}
ScanTarget holds the attributes for scanning.
type Scanners ¶
// Scanners is a slice of scanners; see AllScanners and AllImageConfigScanners for
// the predefined sets and AnyEnabled for membership checks.
type Scanners []Scanner
Scanners is a slice of scanners
func (*Scanners) AnyEnabled ¶
AnyEnabled returns true if any of the passed scanners is included.