Documentation
Overview
Package vulns provides utilities to interact with vuln APIs.
Index
- func CanonicalAlias(id string) (_ string, ok bool)
- func CanonicalGoID(id string) (_ string, ok bool)
- func NewSource(src string) (source, error)
- func URLToFilePath(u *url.URL) (string, error)
- type AffectedComponent
- type Client
- func (c *Client) ByAlias(ctx context.Context, alias string) (_ string, err error)
- func (c *Client) ByID(ctx context.Context, id string) (_ *osv.Entry, err error)
- func (c *Client) ByPackage(ctx context.Context, req *PackageRequest) (_ []*osv.Entry, err error)
- func (c *Client) ByPackagePrefix(ctx context.Context, prefix string) (_ []*osv.Entry, err error)
- func (c *Client) Entries(ctx context.Context, n int) (_ []*osv.Entry, err error)
- func (c *Client) IDs(ctx context.Context) (_ []string, err error)
- type DBMeta
- type ModuleMeta
- type ModuleVuln
- type PackageRequest
- type Vuln
- type VulnMeta
Constants
This section is empty.
Variables
This section is empty.
Functions
func CanonicalAlias
func CanonicalAlias(id string) (_ string, ok bool)
CanonicalAlias returns the canonical form of the given alias ID string (a CVE or GHSA id) by correcting the case.
If no canonical form can be found, returns false.
func CanonicalGoID
func CanonicalGoID(id string) (_ string, ok bool)
CanonicalGoID returns the canonical form of the given Go ID string by correcting the case.
If no canonical form can be found, returns false.
Types
type AffectedComponent
type AffectedComponent struct {
	Path     string
	Versions string

	// Lists of affected symbols (for packages).
	// If both of these lists are empty, all symbols in the package are affected.
	ExportedSymbols   []string
	UnexportedSymbols []string
}
AffectedComponent holds information about a module/package affected by a certain vulnerability.
func AffectedComponents
func AffectedComponents(e *osv.Entry) (pkgs, modsNoPkgs []*AffectedComponent)
AffectedComponents extracts information about affected packages (and modules, if there are any with no package information) from the given osv.Entry.
type Client
type Client struct {
// contains filtered or unexported fields
}
Client reads Go vulnerability databases.
func NewClient
NewClient returns a client that can read from the vulnerability database in src (a URL representing either an http or a file source).
func NewInMemoryClient
NewInMemoryClient creates an in-memory vulnerability client for use in tests.
func (*Client) ByAlias
func (c *Client) ByAlias(ctx context.Context, alias string) (_ string, err error)
ByAlias returns the Go ID of the OSV entry that has the given alias, or a NotFound error if there isn't one.
func (*Client) ByID
func (c *Client) ByID(ctx context.Context, id string) (_ *osv.Entry, err error)
ByID returns the OSV entry with the given ID or (nil, nil) if there isn't one.
func (*Client) ByPackagePrefix
func (c *Client) ByPackagePrefix(ctx context.Context, prefix string) (_ []*osv.Entry, err error)
ByPackagePrefix returns all the OSV entries that match the given package prefix, in descending order by ID, or (nil, nil) if there are none.
An entry matches a prefix if:
- Any affected module or package equals the given prefix, OR
- Any affected module or package's path begins with the given prefix interpreted as a full path. (E.g. "example.com/module/package" matches the prefix "example.com/module" but not "example.com/mod")
type DBMeta
type DBMeta struct {
	// Modified is the time the database was last modified, calculated
	// as the most recent time any single OSV entry was modified.
	Modified time.Time `json:"modified"`
}
DBMeta contains metadata about the database itself.
type ModuleMeta
type ModuleMeta struct {
	// Path is the module path.
	Path string `json:"path"`
	// Vulns is a list of vulnerabilities that affect this module.
	Vulns []ModuleVuln `json:"vulns"`
}
ModuleMeta contains metadata about a Go module that has one or more vulnerabilities in the database.
Found in the "index/modules" endpoint of the vulnerability database.
type ModuleVuln
type ModuleVuln struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vuln was last modified.
	Modified time.Time `json:"modified"`
	// Fixed is the latest version that introduces a fix for the
	// vulnerability, in SemVer 2.0.0 format, with no leading "v" prefix.
	Fixed string `json:"fixed,omitempty"`
}
ModuleVuln contains metadata about a vulnerability that affects a certain module.
type PackageRequest
type PackageRequest struct {
	// Module is the module path to filter on.
	// ByPackage will only return entries that affect this module.
	// This must be set (if empty, ByPackage will always return nil).
	Module string
	// The package path to filter on.
	// ByPackage will only return entries that affect this package.
	// If empty, ByPackage will not filter based on the package.
	Package string
	// The version to filter on.
	// ByPackage will only return entries affected at this module
	// version.
	// If empty, ByPackage will not filter based on version.
	Version string
}
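As an added example (not code from the vulns package or its osv dependency), the two lookup rules documented above, the ByPackagePrefix prefix match and the ByPackage filter driven by PackageRequest, implemented over a constructed stand-in for an entry's affected list. The affected type and the matchesPrefix, byPrefix and byPackage functions are assumed names, and version filtering is left out because the stand-in carries no version ranges.

```go
package main

import "strings"

// Constructed stand-in for one osv.Entry "affected" item (not the real osv
// type): the module path plus the package paths the entry lists under it.
type affected struct{ Module string; Packages []string }

// matchesPrefix is the ByPackagePrefix rule: path equals prefix or extends it
// by whole path elements ("a.com/module/p" matches "a.com/module", not "a.com/mod").
func matchesPrefix(path, prefix string) bool {
	return path == prefix || strings.HasPrefix(path, prefix+"/")
}

// byPrefix reports whether any affected module or package matches prefix.
func byPrefix(affs []affected, prefix string) bool {
	for _, a := range affs {
		if matchesPrefix(a.Module, prefix) {
			return true
		}
		for _, p := range a.Packages {
			if matchesPrefix(p, prefix) {
				return true
			}
		}
	}
	return false
}

// byPackage applies the PackageRequest rules: Module must be set (empty never
// matches); an empty Package disables the package filter. Version filtering
// is omitted because these stand-in entries carry no version ranges.
func byPackage(affs []affected, module, pkg string) bool {
	if module == "" {
		return false
	}
	for _, a := range affs {
		if a.Module != module {
			continue
		}
		if pkg == "" {
			return true
		}
		for _, p := range a.Packages {
			if p == pkg {
				return true
			}
		}
	}
	return false
}
```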
type Vuln
type Vuln struct {
	// The vulndb ID.
	ID string
	// A description of the vulnerability, or the problem in obtaining it.
	Details string
}
A Vuln contains information to display about a vulnerability.
func VulnsForPackage
func VulnsForPackage(ctx context.Context, modulePath, version, packagePath string, vc *Client) []Vuln
VulnsForPackage obtains vulnerability information for the given package. If packagePath is empty, it returns all entries for the module at version. If there is an error, VulnsForPackage returns a single Vuln that describes the error.
type VulnMeta
type VulnMeta struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vulnerability was last modified.
	Modified time.Time `json:"modified"`
	// Aliases is a list of IDs for the same vulnerability in other
	// databases.
	Aliases []string `json:"aliases,omitempty"`
}
VulnMeta contains metadata about a vulnerability in the database.
Found in the "index/vulns" endpoint of the vulnerability database.