types

package
v0.4.19 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 22, 2023 License: Apache-2.0 Imports: 7 Imported by: 2

Documentation

Index

Constants

View Source
const (
	ClassUnknown     ResultClass = "unknown"
	ClassOSPkg       ResultClass = "os-pkgs"      // For detected packages and vulnerabilities in OS packages
	ClassLangPkg     ResultClass = "lang-pkgs"    // For detected packages and vulnerabilities in language-specific packages
	ClassConfig      ResultClass = "config"       // For detected misconfigurations
	ClassSecret      ResultClass = "secret"       // For detected secrets
	ClassLicense     ResultClass = "license"      // For detected package licenses
	ClassLicenseFile ResultClass = "license-file" // For detected licenses in files
	ClassCustom      ResultClass = "custom"

	ComplianceK8sNsa           = Compliance("k8s-nsa")
	ComplianceK8sCIS           = Compliance("k8s-cis")
	ComplianceK8sPSSBaseline   = Compliance("k8s-pss-baseline")
	ComplianceK8sPSSRestricted = Compliance("k8s-pss-restricted")
	ComplianceAWSCIS12         = Compliance("aws-cis-1.2")
	ComplianceAWSCIS14         = Compliance("aws-cis-1.4")
	ComplianceDockerCIS        = Compliance("docker-cis")

	FormatTable      Format = "table"
	FormatJSON       Format = "json"
	FormatTemplate   Format = "template"
	FormatSarif      Format = "sarif"
	FormatCycloneDX  Format = "cyclonedx"
	FormatSPDX       Format = "spdx"
	FormatSPDXJSON   Format = "spdx-json"
	FormatGitHub     Format = "github"
	FormatCosignVuln Format = "cosign-vuln"
)
View Source
const (
	SBOMSourceOCI   = SBOMSource("oci")
	SBOMSourceRekor = SBOMSource("rekor")
)
View Source
const (
	// VulnTypeUnknown is a vulnerability type of unknown
	VulnTypeUnknown = VulnType("unknown")

	// VulnTypeOS is a vulnerability type of OS packages
	VulnTypeOS = VulnType("os")

	// VulnTypeLibrary is a vulnerability type of programming language dependencies
	VulnTypeLibrary = VulnType("library")

	// UnknownScanner is the scanner of unknown
	UnknownScanner = Scanner("unknown")

	// NoneScanner is the scanner of none
	NoneScanner = Scanner("none")

	// VulnerabilityScanner is the scanner of vulnerabilities
	VulnerabilityScanner = Scanner("vuln")

	// MisconfigScanner is the scanner of misconfigurations
	MisconfigScanner = Scanner("misconfig")

	// SecretScanner is the scanner of secrets
	SecretScanner = Scanner("secret")

	// RBACScanner is the scanner of rbac assessment
	RBACScanner = Scanner("rbac")

	// LicenseScanner is the scanner of licenses
	LicenseScanner = Scanner("license")
)

Variables

View Source
var (
	VulnTypes = []string{
		VulnTypeOS,
		VulnTypeLibrary,
	}

	AllScanners = Scanners{
		VulnerabilityScanner,
		MisconfigScanner,
		RBACScanner,
		SecretScanner,
		LicenseScanner,
		NoneScanner,
	}

	// AllImageConfigScanners has a list of available scanners on container image config.
	// The container image in container registries consists of manifest, config and layers.
	// Tunnel is also able to detect security issues on the image config.
	AllImageConfigScanners = Scanners{
		MisconfigScanner,
		SecretScanner,
		NoneScanner,
	}
)
View Source
var (
	SBOMSources = []string{
		SBOMSourceOCI,
		SBOMSourceRekor,
	}
)

Functions

This section is empty.

Types

type BySeverity

type BySeverity []DetectedVulnerability

BySeverity implements sort.Interface based on the Severity field.

func (BySeverity) Len

func (v BySeverity) Len() int

Len returns the length of DetectedVulnerabilities

func (BySeverity) Less

func (v BySeverity) Less(i, j int) bool

Less compares 2 DetectedVulnerabilities based on package name, severity, vulnerabilityID and package path

func (BySeverity) Swap

func (v BySeverity) Swap(i, j int)

Swap swaps 2 vulnerability

type Compliance

type Compliance = string

type DetectedLicense

type DetectedLicense struct {
	// Severity is the consistent parameter indicating how severe the issue is
	Severity string

	// Category holds the license category such as "forbidden"
	Category types.LicenseCategory

	// PkgName holds a package name of the license.
	// It will be empty if FilePath is filled.
	PkgName string

	// PkgName holds a file path of the license.
	// It will be empty if PkgName is filled.
	FilePath string // for file license

	// Name holds a detected license name
	Name string

	// Confidence is level of the match. The confidence level is between 0.0 and 1.0, with 1.0 indicating an
	// exact match and 0.0 indicating a complete mismatch
	Confidence float64

	// Link is a SPDX link of the license
	Link string
}

type DetectedMisconfiguration

type DetectedMisconfiguration struct {
	Type          string               `json:",omitempty"`
	ID            string               `json:",omitempty"`
	AVDID         string               `json:",omitempty"`
	Title         string               `json:",omitempty"`
	Description   string               `json:",omitempty"`
	Message       string               `json:",omitempty"`
	Namespace     string               `json:",omitempty"`
	Query         string               `json:",omitempty"`
	Resolution    string               `json:",omitempty"`
	Severity      string               `json:",omitempty"`
	PrimaryURL    string               `json:",omitempty"`
	References    []string             `json:",omitempty"`
	Status        MisconfStatus        `json:",omitempty"`
	Layer         ftypes.Layer         `json:",omitempty"`
	CauseMetadata ftypes.CauseMetadata `json:",omitempty"`

	// For debugging
	Traces []string `json:",omitempty"`
}

DetectedMisconfiguration holds detected misconfigurations

func (*DetectedMisconfiguration) GetID

func (mc *DetectedMisconfiguration) GetID() string

GetID retrun misconfig ID

type DetectedVulnerability

type DetectedVulnerability struct {
	VulnerabilityID  string         `json:",omitempty"`
	VendorIDs        []string       `json:",omitempty"`
	PkgID            string         `json:",omitempty"` // It is used to construct dependency graph.
	PkgName          string         `json:",omitempty"`
	PkgPath          string         `json:",omitempty"` // This field is populated in the case of language-specific packages such as egg/wheel and gemspec
	InstalledVersion string         `json:",omitempty"`
	FixedVersion     string         `json:",omitempty"`
	Status           types.Status   `json:",omitempty"`
	Layer            ftypes.Layer   `json:",omitempty"`
	SeveritySource   types.SourceID `json:",omitempty"`
	PrimaryURL       string         `json:",omitempty"`

	// PkgRef is populated only when scanning SBOM and contains the reference ID used in the SBOM.
	// It could be PURL, UUID, etc.
	// e.g.
	//    - pkg:npm/acme/component@1.0.0
	//    - b2a46a4b-8367-4bae-9820-95557cfe03a8
	PkgRef string `json:",omitempty"`

	// DataSource holds where the advisory comes from
	DataSource *types.DataSource `json:",omitempty"`

	// Custom is for extensibility and not supposed to be used in OSS
	Custom interface{} `json:",omitempty"`

	// Embed vulnerability details
	types.Vulnerability
}

DetectedVulnerability holds the information of detected vulnerabilities

func (*DetectedVulnerability) GetID

func (vuln *DetectedVulnerability) GetID() string

GetID retrun Vulnerability ID

type Format

type Format string

type Library

type Library struct {
	Name    string
	Version string
}

Library holds the attribute of a package library

type Metadata

type Metadata struct {
	Size int64      `json:",omitempty"`
	OS   *ftypes.OS `json:",omitempty"`

	// Container image
	ImageID     string        `json:",omitempty"`
	DiffIDs     []string      `json:",omitempty"`
	RepoTags    []string      `json:",omitempty"`
	RepoDigests []string      `json:",omitempty"`
	ImageConfig v1.ConfigFile `json:",omitempty"`
}

Metadata represents a metadata of artifact

type MisconfStatus

type MisconfStatus string

MisconfStatus represents a status of misconfiguration

const (
	// StatusPassed represents successful status
	StatusPassed MisconfStatus = "PASS"

	// StatusFailure represents failure status
	StatusFailure MisconfStatus = "FAIL"

	// StatusException Passed represents the status of exception
	StatusException MisconfStatus = "EXCEPTION"
)

type MisconfSummary

type MisconfSummary struct {
	Successes  int
	Failures   int
	Exceptions int
}

func (MisconfSummary) Empty

func (s MisconfSummary) Empty() bool

type Report

type Report struct {
	SchemaVersion int                 `json:",omitempty"`
	CreatedAt     time.Time           `json:",omitempty"`
	ArtifactName  string              `json:",omitempty"`
	ArtifactType  ftypes.ArtifactType `json:",omitempty"`
	Metadata      Metadata            `json:",omitempty"`
	Results       Results             `json:",omitempty"`

	// SBOM
	CycloneDX *ftypes.CycloneDX `json:"-"` // Just for internal usage, not exported in JSON
}

Report represents a scan result

type Result

type Result struct {
	Target            string                     `json:"Target"`
	Class             ResultClass                `json:"Class,omitempty"`
	Type              ftypes.TargetType          `json:"Type,omitempty"`
	Packages          []ftypes.Package           `json:"Packages,omitempty"`
	Vulnerabilities   []DetectedVulnerability    `json:"Vulnerabilities,omitempty"`
	MisconfSummary    *MisconfSummary            `json:"MisconfSummary,omitempty"`
	Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`
	Secrets           []ftypes.SecretFinding     `json:"Secrets,omitempty"`
	Licenses          []DetectedLicense          `json:"Licenses,omitempty"`
	CustomResources   []ftypes.CustomResource    `json:"CustomResources,omitempty"`
}

Result holds a target and detected vulnerabilities

func (*Result) IsEmpty

func (r *Result) IsEmpty() bool

func (*Result) MarshalJSON

func (r *Result) MarshalJSON() ([]byte, error)

type ResultClass

type ResultClass string

type Results

type Results []Result

Results to hold list of Result

func (Results) Failed

func (results Results) Failed() bool

Failed returns whether the result includes any vulnerabilities, misconfigurations or secrets

type SBOM

type SBOM struct {
	OS           types.OS
	Packages     []types.PackageInfo
	Applications []types.Application

	CycloneDX *types.CycloneDX
	SPDX      *stypes.Document
}

type SBOMSource

type SBOMSource = string

type ScanOptions

type ScanOptions struct {
	VulnType            []string
	Scanners            Scanners
	ImageConfigScanners Scanners // Scanners for container image configuration
	ScanRemovedPackages bool
	ListAllPackages     bool
	LicenseCategories   map[types.LicenseCategory][]string
	FilePatterns        []string
	IncludeDevDeps      bool
}

ScanOptions holds the attributes for scanning vulnerabilities

type ScanTarget

type ScanTarget struct {
	Name              string // container image name, file path, etc
	OS                types.OS
	Repository        *types.Repository
	Packages          types.Packages
	Applications      []types.Application
	Misconfigurations []types.Misconfiguration
	Secrets           []types.Secret
	Licenses          []types.LicenseFile

	// CustomResources hold analysis results from custom analyzers.
	// It is for extensibility and not used in OSS.
	CustomResources []types.CustomResource
}

ScanTarget holds the attributes for scanning.

type Scanner

type Scanner string

Scanner represents the type of security scanning

type Scanners

type Scanners []Scanner

Scanners is a slice of scanners

func (Scanners) AnyEnabled

func (scanners Scanners) AnyEnabled(ss ...Scanner) bool

AnyEnabled returns true if any of the passed scanners is included.

func (Scanners) Enabled

func (scanners Scanners) Enabled(s Scanner) bool

type VulnType

type VulnType = string

VulnType represents vulnerability type

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL