vuln

package
v0.0.0-...-9e89dfb
Warning

This package is not in the latest version of its module.

Published: Jun 24, 2024 License: BSD-3-Clause Imports: 24 Imported by: 0

Documentation

Overview

Package vuln provides utilities to interact with vuln APIs.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CanonicalAlias

func CanonicalAlias(id string) (_ string, ok bool)

CanonicalAlias returns the canonical form of the given alias ID string (a CVE or GHSA ID) by correcting its case.

If no canonical form can be found, ok is false.

func CanonicalGoID

func CanonicalGoID(id string) (_ string, ok bool)

CanonicalGoID returns the canonical form of the given Go ID string by correcting its case.

If no canonical form can be found, ok is false.

func NewSource

func NewSource(src string) (source, error)

NewSource returns a source interface for the URL src, which must carry an http:// or file:// prefix. It returns an error if the given URL is invalid or does not exist.

func URLToFilePath

func URLToFilePath(u *url.URL) (string, error)

URLToFilePath converts a file-scheme url to a file path.

Types

type AffectedComponent

type AffectedComponent struct {
	Path     string
	Versions string
	// Lists of affected symbols (for packages).
	// If both of these lists are empty, all symbols in the package are affected.
	ExportedSymbols   []string
	UnexportedSymbols []string
}

AffectedComponent holds information about a module/package affected by a certain vulnerability.

func AffectedComponents

func AffectedComponents(e *osv.Entry) (pkgs, modsNoPkgs []*AffectedComponent)

AffectedComponents extracts information about affected packages (and about affected modules, if any carry no package information) from the given osv.Entry.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client reads Go vulnerability databases.

func NewClient

func NewClient(src string) (*Client, error)

NewClient returns a client that can read from the vulnerability database in src (a URL representing either an HTTP or a file source).

func NewInMemoryClient

func NewInMemoryClient(entries []*osv.Entry) (*Client, error)

NewInMemoryClient creates an in-memory vulnerability client for use in tests.

func (*Client) ByAlias

func (c *Client) ByAlias(ctx context.Context, alias string) (_ string, err error)

ByAlias returns the Go ID of the OSV entry that has the given alias, or a NotFound error if there isn't one.

func (*Client) ByID

func (c *Client) ByID(ctx context.Context, id string) (_ *osv.Entry, err error)

ByID returns the OSV entry with the given ID or (nil, nil) if there isn't one.

func (*Client) ByPackage

func (c *Client) ByPackage(ctx context.Context, req *PackageRequest) (_ []*osv.Entry, err error)

ByPackage returns the OSV entries matching the package request.

func (*Client) ByPackagePrefix

func (c *Client) ByPackagePrefix(ctx context.Context, prefix string) (_ []*osv.Entry, err error)

ByPackagePrefix returns all the OSV entries that match the given package prefix, in descending order by ID, or (nil, nil) if there are none.

An entry matches a prefix if:

  • Any affected module or package equals the given prefix, OR
  • Any affected module or package's path begins with the given prefix interpreted as a full path. (E.g. "example.com/module/package" matches the prefix "example.com/module" but not "example.com/mod")

func (*Client) Entries

func (c *Client) Entries(ctx context.Context, n int) (_ []*osv.Entry, err error)

Entries returns all entries in the database, sorted in descending order by Go ID (most recent to least recent). If n >= 0, only the n most recent entries are returned.

func (*Client) IDs

func (c *Client) IDs(ctx context.Context) (_ []string, err error)

IDs returns a list of the IDs of all the entries in the database.

type DBMeta

type DBMeta struct {
	// Modified is the time the database was last modified, calculated
	// as the most recent time any single OSV entry was modified.
	Modified time.Time `json:"modified"`
}

DBMeta contains metadata about the database itself.

type ModuleMeta

type ModuleMeta struct {
	// Path is the module path.
	Path string `json:"path"`
	// Vulns is a list of vulnerabilities that affect this module.
	Vulns []ModuleVuln `json:"vulns"`
}

ModuleMeta contains metadata about a Go module that has one or more vulnerabilities in the database.

Found in the "index/modules" endpoint of the vulnerability database.

type ModuleVuln

type ModuleVuln struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vuln was last modified.
	Modified time.Time `json:"modified"`
	// Fixed is the latest version that introduces a fix for the
	// vulnerability, in SemVer 2.0.0 format, with no leading "v" prefix.
	Fixed string `json:"fixed,omitempty"`
}

ModuleVuln contains metadata about a vulnerability that affects a certain module.
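As an added example covering both ModuleMeta and ModuleVuln (not the package's own code, which fetches the endpoint through a Client), the block below decodes a constructed "index/modules" document into the struct shapes documented above and lists the vulnerabilities still open at a given module version. The SemVer comparison is a deliberate simplification written for this example (numeric core, a prerelease ordered below its release, build metadata ignored); the sample JSON and IDs are constructed, not real records.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ModuleMeta and ModuleVuln mirror the documented shapes of the
// "index/modules" endpoint records.
type ModuleMeta struct {
	Path  string       `json:"path"`
	Vulns []ModuleVuln `json:"vulns"`
}

type ModuleVuln struct {
	ID       string    `json:"id"`
	Modified time.Time `json:"modified"`
	Fixed    string    `json:"fixed,omitempty"` // SemVer, no leading "v"
}

// sampleIndex is a constructed stand-in for an index/modules response.
var sampleIndex = []byte(`[
  {"path": "example.com/module", "vulns": [
    {"id": "GO-2024-0001", "modified": "2024-06-01T00:00:00Z", "fixed": "1.4.2"},
    {"id": "GO-2023-0002", "modified": "2023-03-10T00:00:00Z"},
    {"id": "GO-2022-0003", "modified": "2022-05-05T00:00:00Z", "fixed": "1.2.0"}
  ]},
  {"path": "example.com/other", "vulns": [
    {"id": "GO-2024-0004", "modified": "2024-01-02T00:00:00Z", "fixed": "0.9.1"}
  ]}
]`)

// loadIndex decodes an index/modules document into ModuleMeta records.
func loadIndex(data []byte) ([]ModuleMeta, error) {
	var mods []ModuleMeta
	if err := json.Unmarshal(data, &mods); err != nil {
		return nil, err
	}
	return mods, nil
}

// findModule returns the record for the given module path, if present.
func findModule(mods []ModuleMeta, path string) (ModuleMeta, bool) {
	for _, m := range mods {
		if m.Path == path {
			return m, true
		}
	}
	return ModuleMeta{}, false
}

// splitVersion parses "MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]" (a leading
// "v", as found in go.mod, is tolerated) into its numeric core and prerelease.
func splitVersion(v string) (core [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+") // build metadata never affects precedence
	v, pre, _ = strings.Cut(v, "-")
	for i, part := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(part) // missing or malformed parts read as 0
	}
	return core, pre
}

// lessThan reports whether version a has lower precedence than b.
// Assumption for this example: two prereleases of the same core compare
// equal instead of identifier by identifier as full SemVer requires.
func lessThan(a, b string) bool {
	ac, apre := splitVersion(a)
	bc, bpre := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ac[i] != bc[i] {
			return ac[i] < bc[i]
		}
	}
	return apre != "" && bpre == "" // 1.4.2-rc1 < 1.4.2
}

// unfixedVulns returns the IDs of the vulnerabilities in m that are still
// open at version: those with no Fixed version, and those whose fix landed
// in a later version than the one in use.
func unfixedVulns(m ModuleMeta, version string) []string {
	var ids []string
	for _, v := range m.Vulns {
		if v.Fixed == "" || lessThan(version, v.Fixed) {
			ids = append(ids, v.ID)
		}
	}
	return ids
}

func main() {
	mods, err := loadIndex(sampleIndex)
	if err != nil {
		panic(err)
	}
	m, ok := findModule(mods, "example.com/module")
	if !ok {
		panic("module not in index")
	}
	for _, v := range []string{"1.3.0", "1.4.2-rc1", "1.4.2"} {
		fmt.Printf("%-10s open: %v\n", v, unfixedVulns(m, v))
	}
}
```

At version 1.3.0 two entries remain open (GO-2024-0001, fixed only in 1.4.2, and GO-2023-0002, which has no fix); at 1.4.2-rc1 the same two remain, since a prerelease precedes its release; at 1.4.2 only the entry without a Fixed version is reported. An empty Fixed field is treated as "still affected", which is the conservative reading a scanner should take.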

type PackageRequest

type PackageRequest struct {
	// Module is the module path to filter on.
	// ByPackage will only return entries that affect this module.
	// This must be set (if empty, ByPackage will always return nil).
	Module string
	// The package path to filter on.
	// ByPackage will only return entries that affect this package.
	// If empty, ByPackage will not filter based on the package.
	Package string
	// The version to filter on.
	// ByPackage will only return entries affected at this module
	// version.
	// If empty, ByPackage will not filter based on version.
	Version string
}

type Vuln

type Vuln struct {
	// The vulndb ID.
	ID string
	// A description of the vulnerability, or the problem in obtaining it.
	Details string
}

A Vuln contains information to display about a vulnerability.

func VulnsForPackage

func VulnsForPackage(ctx context.Context, modulePath, version, packagePath string, vc *Client) []Vuln

VulnsForPackage obtains vulnerability information for the given package. If packagePath is empty, it returns all entries for the module at version. If there is an error, VulnsForPackage returns a single Vuln that describes the error.

type VulnMeta

type VulnMeta struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vulnerability was last modified.
	Modified time.Time `json:"modified"`
	// Aliases is a list of IDs for the same vulnerability in other
	// databases.
	Aliases []string `json:"aliases,omitempty"`
}

VulnMeta contains metadata about a vulnerability in the database.

Found in the "index/vulns" endpoint of the vulnerability database.
