models

type Affected

// Affected describes one affected package version: a single instance that
// contains the vulnerability (an OSV "affected" entry).
//
// See: https://ossf.github.io/osv-schema/#affected-fields
type Affected struct {
	// Package identifies the affected library or command.
	Package           Package                `json:"package"`
	// Severity is the per-package severity. Note that encoding/json's
	// omitempty does not omit struct values, so this field is always emitted.
	Severity          Severity               `json:"severity,omitempty"`
	// Ranges lists the affected version ranges. It has no omitempty, so a nil
	// slice marshals as null rather than being dropped.
	Ranges            []Range                `json:"ranges"`
	// Versions is an explicit list of affected version strings, when the
	// source provides one.
	Versions          []string               `json:"versions,omitempty"`
	// DatabaseSpecific carries free-form JSON from the vulnerability database.
	// Nothing in this type validates its contents; consumers should treat it
	// as opaque, source-controlled data rather than as trusted structured fields.
	DatabaseSpecific  map[string]interface{} `json:"database_specific,omitempty"`
	// EcosystemSpecific carries free-form JSON specific to the ecosystem; the
	// same caveat as DatabaseSpecific applies.
	EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty"`
}

Affected describes an affected package version, meaning one instance that contains the vulnerability.

See: https://ossf.github.io/osv-schema/#affected-fields

type AnalysisInfo

// AnalysisInfo records the outcome of an (experimental) call analysis for a
// single vulnerability; see GroupInfo.ExperimentalAnalysis.
type AnalysisInfo struct {
	// Called reports whether the analysis determined that the vulnerable
	// code is reached. No omitempty: false is emitted explicitly.
	Called bool `json:"called"`
}

type Credit

// Credit gives credit for the discovery, confirmation, patch, or other
// events in the life cycle of a vulnerability.
//
// See: https://ossf.github.io/osv-schema/#credits-fields
type Credit struct {
	// Name is the credited party's name as given by the advisory source.
	Name    string     `json:"name"`
	// Contact holds contact strings for the party, as given by the source.
	Contact []string   `json:"contact,omitempty"`
	// Type classifies the party's role; see CreditType for the known values.
	Type    CreditType `json:"type"`
}

Credit gives credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.

See: https://ossf.github.io/osv-schema/#credits-fields

type CreditType

// CreditType classifies the role a credited party played (see Credit.Type).
// The string values are the exact enum names used in the OSV JSON.
type CreditType string

// Known CreditType values. The nolint:gosec directives suppress a lint
// finding on the REMEDIATION_* literals; they are schema enum values, not
// credentials.
const (
	CreditFinder               CreditType = "FINDER"
	CreditReporter             CreditType = "REPORTER"
	CreditAnalyst              CreditType = "ANALYST"
	CreditCoordinator          CreditType = "COORDINATOR"
	CreditRemediationDeveloper CreditType = "REMEDIATION_DEVELOPER" //nolint:gosec
	CreditRemediationReviewer  CreditType = "REMEDIATION_REVIEWER"  //nolint:gosec
	CreditRemediationVerifier  CreditType = "REMEDIATION_VERIFIER"  //nolint:gosec
	CreditTool                 CreditType = "TOOL"
	CreditSponsor              CreditType = "SPONSOR"
	CreditOther                CreditType = "OTHER"
)

type Ecosystem

// Ecosystem names a package ecosystem. The string values are the exact
// ecosystem names carried in the OSV JSON (see Package.Ecosystem); they are
// case- and punctuation-sensitive, so compare against these constants rather
// than against ad-hoc literals.
type Ecosystem string

// Known Ecosystem values. A value not in this list is still a valid
// Ecosystem string; nothing here rejects unknown names.
const (
	EcosystemGo            Ecosystem = "Go"
	EcosystemNPM           Ecosystem = "npm"
	EcosystemOSSFuzz       Ecosystem = "OSS-Fuzz"
	EcosystemPyPI          Ecosystem = "PyPI"
	EcosystemRubyGems      Ecosystem = "RubyGems"
	EcosystemCratesIO      Ecosystem = "crates.io"
	EcosystemPackagist     Ecosystem = "Packagist"
	EcosystemMaven         Ecosystem = "Maven"
	EcosystemNuGet         Ecosystem = "NuGet"
	EcosystemLinux         Ecosystem = "Linux"
	EcosystemDebian        Ecosystem = "Debian"
	EcosystemAlpine        Ecosystem = "Alpine"
	EcosystemHex           Ecosystem = "Hex"
	EcosystemAndroid       Ecosystem = "Android"
	EcosystemGitHubActions Ecosystem = "GitHub Actions"
	EcosystemPub           Ecosystem = "Pub"
	EcosystemConanCenter   Ecosystem = "ConanCenter"
)

type Event

// Event describes a single version in the "timeline" of an affected package
// (see Range.Events). Per the schema an event carries one of the fields
// below; the type itself does not enforce that only one is set.
//
// See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields
type Event struct {
	// Introduced is the version that introduces the vulnerability.
	Introduced   string `json:"introduced,omitempty"`
	// Fixed is the version that fixes the vulnerability.
	Fixed        string `json:"fixed,omitempty"`
	// LastAffected is the last known affected version.
	LastAffected string `json:"last_affected,omitempty"`
	// Limit sets an upper bound on the range being described.
	Limit        string `json:"limit,omitempty"`
}

Event describes a single version that either:

  • Introduces a vulnerability: {"introduced": string}
  • Fixes a vulnerability: {"fixed": string}
  • Describes the last known affected version: {"last_affected": string}
  • Sets an upper limit on the range being described: {"limit": string}

Event instances form part of a “timeline” of status changes for the affected package described by the Affected struct.

See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields

type GroupInfo

// GroupInfo groups related vulnerability IDs together with any experimental
// call-analysis results for them.
type GroupInfo struct {
	// IDs are the vulnerability IDs in this group (presumably matching
	// Vulnerability.ID values; confirm against the producer).
	IDs []string `json:"ids"`
	// ExperimentalAnalysis maps vulnerability IDs to AnalysisInfo.
	// NOTE: this tag is camelCase while the rest of the package uses
	// snake_case; keep it as-is for output compatibility.
	ExperimentalAnalysis map[string]AnalysisInfo `json:"experimentalAnalysis,omitempty"`
}

func (*GroupInfo) IsCalled

func (groupInfo *GroupInfo) IsCalled() bool

IsCalled returns true if any analysis performed determines that the vulnerability is being called. It also returns true if no analysis is performed.

type Package

// Package identifies the affected code library or command provided by the
// package (the OSV "affected.package" field).
//
// See: https://ossf.github.io/osv-schema/#affectedpackage-field
type Package struct {
	// Ecosystem names the package ecosystem; see the Ecosystem constants.
	Ecosystem Ecosystem `json:"ecosystem,omitempty"`
	// Name is the package name within that ecosystem.
	Name      string    `json:"name,omitempty"`
	// Purl is the package-url (purl) string for the package, when available.
	Purl      string    `json:"purl,omitempty"`
}

Package identifies the affected code library or command provided by the package.

See: https://ossf.github.io/osv-schema/#affectedpackage-field

type PackageInfo

// PackageInfo identifies a specific scanned package (name, version and
// ecosystem) in the results output.
type PackageInfo struct {
	// Name is the package name.
	Name      string `json:"name"`
	// Version is the scanned package version.
	Version   string `json:"version"`
	// Ecosystem is a plain string here, unlike Package.Ecosystem which uses
	// the Ecosystem type; convert explicitly when comparing the two.
	Ecosystem string `json:"ecosystem"`
}

PackageInfo describes a specific scanned package.

type PackageSource

// PackageSource holds the vulnerable packages found for one scanned source.
type PackageSource struct {
	// Source identifies where the packages were read from.
	Source   SourceInfo     `json:"source"`
	// Packages lists each package from this source with its vulnerabilities.
	Packages []PackageVulns `json:"packages"`
}

PackageSource holds vulnerabilities grouped by source.

type PackageVulns

// PackageVulns holds the vulnerabilities found for one package, together with
// the groups those vulnerabilities fall into.
type PackageVulns struct {
	// Package identifies the scanned package.
	Package         PackageInfo     `json:"package"`
	// Vulnerabilities are the OSV records matched against this package.
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
	// Groups clusters the vulnerability IDs above (see GroupInfo).
	Groups          []GroupInfo     `json:"groups"`
}

PackageVulns holds vulnerabilities grouped by package.

type Range

// Range describes the affected version range of a specific package.
//
// See: https://ossf.github.io/osv-schema/#affectedranges-field
type Range struct {
	// Type says how the versions in Events are compared; see RangeType.
	Type             RangeType              `json:"type"`
	// Events is the timeline of introduced/fixed/last_affected/limit events.
	Events           []Event                `json:"events"`
	// DatabaseSpecific carries free-form JSON from the vulnerability
	// database; it is not validated by this type and should be treated as
	// opaque data from the source.
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty"`
}

Range describes the affected range of given version for a specific package.

See: https://ossf.github.io/osv-schema/#affectedranges-field

type RangeType

// RangeType names the versioning scheme used to interpret Range.Events.
// The string values are the exact enum names used in the OSV JSON.
type RangeType string

// Known RangeType values.
const (
	RangeSemVer    RangeType = "SEMVER"
	RangeEcosystem RangeType = "ECOSYSTEM"
	RangeGit       RangeType = "GIT"
)

type Reference

// Reference links to additional information (advisories, issue tracker
// entries, and so on) about the vulnerability itself.
//
// See: https://ossf.github.io/osv-schema/#references-field
type Reference struct {
	// Type classifies the reference; see ReferenceType.
	Type ReferenceType `json:"type"`
	// URL is the reference location as supplied by the advisory source. It is
	// stored as a plain string and is not parsed or validated by this type.
	URL  string        `json:"url"`
}

Reference links to additional information, advisories, issue tracker entries, and so on about the vulnerability itself.

See: https://ossf.github.io/osv-schema/#references-field

type ReferenceType

// ReferenceType classifies a Reference. The string values are the exact enum
// names used in the OSV JSON.
type ReferenceType string

// Known ReferenceType values.
const (
	ReferenceAdvisory ReferenceType = "ADVISORY"
	ReferenceArticle  ReferenceType = "ARTICLE"
	ReferenceReport   ReferenceType = "REPORT"
	ReferenceFix      ReferenceType = "FIX"
	ReferencePackage  ReferenceType = "PACKAGE"
	ReferenceEvidence ReferenceType = "EVIDENCE"
	ReferenceWeb      ReferenceType = "WEB"
)

type Severity

// Severity describes the severity of a vulnerability for an affected package
// using a quantitative scoring method.
//
// See: https://ossf.github.io/osv-schema/#severity-field
type Severity struct {
	// Type names the scoring method; see SeverityType.
	Type  SeverityType `json:"type"`
	// Score is the score value as provided by the source, kept as an opaque
	// string. Its format depends on Type and is not validated by this type.
	Score string       `json:"score"`
}

Severity is used to describe the severity of a vulnerability for an affected package using one or more quantitative scoring methods.

See: https://ossf.github.io/osv-schema/#severity-field

type SeverityType

// SeverityType names the scoring method behind a Severity. The string values
// are the exact enum names used in the OSV JSON.
type SeverityType string

// Known SeverityType values.
const (
	SeverityCVSSV2 SeverityType = "CVSS_V2"
	SeverityCVSSV3 SeverityType = "CVSS_V3"
)

type SourceInfo

// SourceInfo identifies the source a set of packages was read from.
type SourceInfo struct {
	// Path locates the source (presumably a file path on the scanned
	// system; confirm against the producer).
	Path string `json:"path"`
	// Type names the kind of source; the set of values is not defined here.
	Type string `json:"type"`
}

func (SourceInfo) String

func (s SourceInfo) String() string

type Vulnerability

// Vulnerability is the core Open Source Vulnerability (OSV) data type.
//
// Most list fields below have no omitempty, so a nil slice marshals as null
// rather than []; producers that need [] must allocate an empty slice.
//
// The full documentation for the schema is available at
// https://ossf.github.io/osv-schema.
type Vulnerability struct {
	// SchemaVersion is the OSV schema version the record follows.
	SchemaVersion    string                 `json:"schema_version"`
	// ID is the record's unique identifier.
	ID               string                 `json:"id"`
	// Modified and Published are decoded by time.Time's JSON unmarshaller,
	// which requires RFC 3339 timestamps.
	Modified         time.Time              `json:"modified"`
	Published        time.Time              `json:"published"`
	// Aliases lists other identifiers for the same vulnerability.
	Aliases          []string               `json:"aliases"`
	// Summary and Details are free text from the advisory source; they are
	// not sanitised here, so escape them before rendering into HTML or similar.
	Summary          string                 `json:"summary"`
	Details          string                 `json:"details"`
	// Affected lists the affected package versions.
	Affected         []Affected             `json:"affected"`
	// References links to further information about the vulnerability.
	References       []Reference            `json:"references"`
	// Credits names the parties involved in the vulnerability's life cycle.
	Credits          []Credit               `json:"credits"`
	// DatabaseSpecific carries free-form JSON from the vulnerability
	// database; treat it as opaque, unvalidated data.
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty"`
}

Vulnerability is the core Open Source Vulnerability (OSV) data type.

The full documentation for the schema is available at https://ossf.github.io/osv-schema.

type VulnerabilityFlattened

// VulnerabilityFlattened is one row of the flattened results: a single
// vulnerability together with the source, package and group it came from.
// It has no json tags, so if it is marshalled the Go field names are used.
type VulnerabilityFlattened struct {
	Source        SourceInfo
	Package       PackageInfo
	Vulnerability Vulnerability
	GroupInfo     GroupInfo
}

Flattened Vulnerability Information.

type VulnerabilityResults

// VulnerabilityResults is the top-level container for everything found for
// the scanned packages, grouped by source.
type VulnerabilityResults struct {
	// Results holds one entry per scanned source.
	Results []PackageSource `json:"results"`
}

Combined vulnerabilities found for the scanned packages

func (*VulnerabilityResults) Flatten

func (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened

Flatten the grouped/nested vulnerability results into one flat array.
