Documentation
Index
- Constants
- type AnalyzerDetails
- type CVSSRating
- type Category
- type Commit
- type ConfidenceLevel
- type Dependency
- type DependencyRef
- type DependencyScanningVulnerability
- type Details
- type DetailsCodeFlowNodeField
- type DetailsCodeFlowsField
- type DetailsFileLocationField
- type DetailsTextField
- type DetailsURLField
- type Flag
- type Identifier
- func CVEIdentifier(ID string) Identifier
- func CWEIdentifier(ID int) Identifier
- func ELSAIdentifier(ID string) Identifier
- func GHSAIdentifier(ID string) Identifier
- func H1Identifier(ID string) Identifier
- func OSVDBIdentifier(ID string) Identifier
- func OWASPTop10Identifier(ID string, desc string) Identifier
- func ParseIdentifierID(idStr string) (Identifier, bool)
- func RHSAIdentifier(ID string) Identifier
- func USNIdentifier(ID string) Identifier
- type IdentifierType
- type KubernetesResource
- type Link
- type Location
- type Package
- type Ref
- type Remediation
- type Report
- type Scan
- type ScanTime
- type Scanner
- type ScannerDetails
- type SeverityLevel
- type Status
- type Tracking
- type TrackingItem
- type TrackingSignature
- type Vendor
- type Version
- type Vulnerability
Constants
const (
	// VersionMajor is the major number of the current version
	VersionMajor = 15
	// VersionMinor is the minor number of the current version
	VersionMinor = 1
	// VersionPatch is the patch number of the current version
	VersionPatch = 4
	// VersionPreRelease is the optional suffix for pre-releases
	VersionPreRelease = ""
)
const (
	// FlagTypeFP is used to signal a false positive
	FlagTypeFP = "flagged-as-likely-false-positive"
)
const VulnerabilityDescriptionMaxLengthBytes = 1048576
VulnerabilityDescriptionMaxLengthBytes defines the maximum number of characters a description can have.
const VulnerabilityNameMaxLengthBytes = 255
VulnerabilityNameMaxLengthBytes defines the maximum number of characters a name can have. The value is taken from the v15.x report schema, which is in turn referenced from the Rails app. Sources:
- https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.0.6/src/security-report-format.json#L412
- https://gitlab.com/gitlab-org/gitlab/-/blob/v15.11.4-ee/ee/app/models/ee/vulnerability.rb?ref_type=tags#L78
Variables
This section is empty.
Functions
This section is empty.
Types
type AnalyzerDetails
type AnalyzerDetails = ScannerDetails
AnalyzerDetails contains detailed information about the analyzer
type CVSSRating
CVSSRating contains a CVSS vector and the vendor that assigned the rating.
type Category
type Category string
Category is an identifier of the security scanning tool ("sast", "dependency_scanning", etc.)
const (
	// CategorySast is the identifier for "SAST" vulnerability category
	CategorySast Category = "sast"
	// CategoryDependencyScanning is the identifier for "Dependency Scanning" vulnerability category
	CategoryDependencyScanning Category = "dependency_scanning"
	// CategoryContainerScanning is the identifier for "Container Scanning" vulnerability category
	CategoryContainerScanning Category = "container_scanning"
	// CategorySecretDetection is the identifier for "Secret Detection" vulnerability category
	CategorySecretDetection Category = "secret_detection"
	// CategoryCoverageFuzzing is the identifier for "Coverage Fuzzing" vulnerability category
	CategoryCoverageFuzzing Category = "coverage_fuzzing"
	// CategoryClusterImageScanning is the identifier for "Cluster Image Scanning" vulnerability category
	CategoryClusterImageScanning = "cluster_image_scanning"
)
type Commit
type Commit struct {
	Author  string `json:"author,omitempty"`
	Date    string `json:"date,omitempty"`
	Message string `json:"message,omitempty"`
	Sha     string `json:"sha"`
}
Commit contains information about a commit (author, date, message, sha).
type ConfidenceLevel
type ConfidenceLevel int
ConfidenceLevel is the vulnerability confidence level reported by the scanner.
const (
	// ConfidenceLevelUndefined is a stub confidence value for the case when it was not reported by the scanner.
	ConfidenceLevelUndefined ConfidenceLevel = iota
	// ConfidenceLevelIgnore represents the "ignore" confidence level.
	ConfidenceLevelIgnore
	// ConfidenceLevelUnknown represents the "unknown" confidence level.
	ConfidenceLevelUnknown
	// ConfidenceLevelExperimental represents the "experimental" confidence level.
	ConfidenceLevelExperimental
	// ConfidenceLevelLow represents the "low" confidence level.
	ConfidenceLevelLow
	// ConfidenceLevelMedium represents the "medium" confidence level.
	ConfidenceLevelMedium
	// ConfidenceLevelHigh represents the "high" confidence level.
	ConfidenceLevelHigh
	// ConfidenceLevelConfirmed represents the "critical" or "confirmed" confidence level.
	ConfidenceLevelConfirmed
)
func ParseConfidenceLevel
func ParseConfidenceLevel(s string) ConfidenceLevel
ParseConfidenceLevel parses a ConfidenceLevel value from a string.
func (ConfidenceLevel) MarshalJSON
func (l ConfidenceLevel) MarshalJSON() ([]byte, error)
MarshalJSON converts a ConfidenceLevel value into its JSON representation.
func (ConfidenceLevel) String
func (l ConfidenceLevel) String() string
func (*ConfidenceLevel) UnmarshalJSON
func (l *ConfidenceLevel) UnmarshalJSON(b []byte) error
UnmarshalJSON parses a ConfidenceLevel value from its JSON representation.
type Dependency
type Dependency struct {
	// Direct is true if this is a direct dependency of the scanned project,
	// and not a transient (or transitive) dependency.
	Direct  bool   `json:"direct,omitempty"`
	Package        `json:"package,omitempty"`
	Version string `json:"version,omitempty"`
}
Dependency contains the information about the software dependency (package details, version, etc.).
type DependencyRef
type DependencyRef struct {
IID uint `json:"iid"`
}
DependencyRef is a reference to a dependency.
type DependencyScanningVulnerability
type DependencyScanningVulnerability struct {
	Vulnerability
}
DependencyScanningVulnerability can calculate some vulnerability fields automatically.
func (DependencyScanningVulnerability) ToVulnerability
func (v DependencyScanningVulnerability) ToVulnerability() Vulnerability
ToVulnerability returns a vulnerability where some fields are set automatically:
- CompareKey
- Message, when undefined
type Details
type Details map[string]interface{}
Details contains properties which abide by the details attribute of the Secure Report Schemas: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json
type DetailsCodeFlowNodeField added in v5.2.0
type DetailsCodeFlowNodeField struct {
	NodeType     string                   `json:"node_type"`
	FileLocation DetailsFileLocationField `json:"file_location"`
}
DetailsCodeFlowNodeField stores a node in a code flow, represented by a file location and a node type: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L295
func (DetailsCodeFlowNodeField) MarshalJSON added in v5.2.0
func (d DetailsCodeFlowNodeField) MarshalJSON() ([]byte, error)
MarshalJSON turns a DetailsCodeFlowNodeField into a JSON object.
type DetailsCodeFlowsField added in v5.2.0
type DetailsCodeFlowsField struct {
	Name  string                       `json:"name"`
	Items [][]DetailsCodeFlowNodeField `json:"items"`
}
DetailsCodeFlowsField stores an array of flows, each represented by an ordered array of DetailsCodeFlowNodeField: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L323
func (DetailsCodeFlowsField) MarshalJSON added in v5.2.0
func (d DetailsCodeFlowsField) MarshalJSON() ([]byte, error)
MarshalJSON turns a DetailsCodeFlowsField into a JSON object.
type DetailsFileLocationField added in v5.2.0
type DetailsFileLocationField struct {
	FileName  string `json:"file_name"`
	LineStart int    `json:"line_start"`
	LineEnd   int    `json:"line_end,omitempty"`
}
DetailsFileLocationField stores a file location detail type: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L248
func (DetailsFileLocationField) MarshalJSON added in v5.2.0
func (d DetailsFileLocationField) MarshalJSON() ([]byte, error)
MarshalJSON turns a DetailsFileLocationField into a JSON object.
type DetailsTextField
DetailsTextField stores a raw text detail type: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L125
func (DetailsTextField) MarshalJSON
func (d DetailsTextField) MarshalJSON() ([]byte, error)
MarshalJSON turns a DetailsTextField into a JSON object.
type DetailsURLField
type DetailsURLField struct {
	Name string `json:"name"`
	Text string `json:"text"`
	Href string `json:"href"`
}
DetailsURLField stores a raw URL detail type: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L141
func (DetailsURLField) MarshalJSON
func (d DetailsURLField) MarshalJSON() ([]byte, error)
MarshalJSON turns a DetailsURLField into a JSON object.
type Flag
type Flag struct {
	Type        string `json:"type"`
	Origin      string `json:"origin"`
	Description string `json:"description"`
}
Flag contains information added by post-analyzers.
type Identifier
type Identifier struct {
	Type  IdentifierType `json:"type"`          // Type of the identifier (CVE, CWE, VENDOR_X, etc.)
	Name  string         `json:"name"`          // Name of the identifier for display purpose
	Value string         `json:"value"`         // Value of the identifier for matching purpose
	URL   string         `json:"url,omitempty"` // URL to identifier's documentation
}
Identifier holds reference and matching information about a concrete vulnerability.
func CVEIdentifier
func CVEIdentifier(ID string) Identifier
CVEIdentifier returns a structured Identifier for a given CVE-ID. The given ID must follow the format CVE-YYYY-NNNNN.
func CWEIdentifier
func CWEIdentifier(ID int) Identifier
CWEIdentifier returns a structured Identifier for a given CWE ID. The given ID must follow the format NNN (just the number, no prefix).
func ELSAIdentifier
func ELSAIdentifier(ID string) Identifier
ELSAIdentifier returns a structured Identifier for a given ELSA-ID. The given ID must follow the format ELSA-YYYY-NNNN(-N)?$.
func GHSAIdentifier
func GHSAIdentifier(ID string) Identifier
GHSAIdentifier returns a structured Identifier for a given GHSA-ID. The given ID must follow the format GHSA-xxxx-xxxx-xxxx.
func H1Identifier
func H1Identifier(ID string) Identifier
H1Identifier returns a structured Identifier for a given HackerOne report. The given ID must follow the format HACKERONE-XXXXXX. The HACKERONE prefix is an internal GitLab identifier and is ignored in the value field.
func OSVDBIdentifier
func OSVDBIdentifier(ID string) Identifier
OSVDBIdentifier returns a structured Identifier for a given OSVDB-ID. The given ID must follow the format OSVDB-XXXXXX.
func OWASPTop10Identifier
func OWASPTop10Identifier(ID string, desc string) Identifier
OWASPTop10Identifier returns a structured Identifier for a given OWASP Top 10 category. The given ID must follow the format "NNN" or "NNN:XXXX", where "XXXX" is an optional year designation.
func ParseIdentifierID
func ParseIdentifierID(idStr string) (Identifier, bool)
ParseIdentifierID builds an Identifier of the correct IdentifierType from a human-readable ID slug (e.g., "CWE-1", "RHSA-01").
func RHSAIdentifier
func RHSAIdentifier(ID string) Identifier
RHSAIdentifier returns a structured Identifier for a given RHSA-ID. The given ID must follow the format RHSA-YYYY:NNNN.
func USNIdentifier
func USNIdentifier(ID string) Identifier
USNIdentifier returns a structured Identifier for an Ubuntu Security Notice. The given ID must follow the format USN-XXXXXX.
func (Identifier) Vendor
func (i Identifier) Vendor() string
Vendor returns the canonical name of the vendor that assigned the vulnerability identifier.
type IdentifierType
type IdentifierType string
IdentifierType is the unique ID ("slug") for an identifier "kind" bound to a certain vulnerabilities database (CVE, CWE, etc.)
const (
	// IdentifierTypeCVE is the identifier type for CVE IDs (https://cve.mitre.org/cve/)
	IdentifierTypeCVE IdentifierType = "cve"
	// IdentifierTypeCWE is the identifier type for CWE IDs (https://cwe.mitre.org/data/index.html)
	IdentifierTypeCWE IdentifierType = "cwe"
	// IdentifierTypeOWASPTop10 is the identifier type for OWASP Top10 IDs (https://owasp.org/Top10)
	IdentifierTypeOWASPTop10 IdentifierType = "owasp"
	// IdentifierTypeOSVDB is the identifier type for OSVDB IDs (https://cve.mitre.org/data/refs/refmap/source-OSVDB.html)
	IdentifierTypeOSVDB IdentifierType = "osvdb"
	// IdentifierTypeUSN is the identifier type for Ubuntu Security Notice IDs (https://usn.ubuntu.com/)
	IdentifierTypeUSN IdentifierType = "usn"
	// IdentifierTypeRHSA is the identifier type for RHSA IDs (https://access.redhat.com/errata)
	IdentifierTypeRHSA IdentifierType = "rhsa"
	// IdentifierTypeGHSA is the identifier type for GHSA IDs (https://github.com/advisories)
	IdentifierTypeGHSA IdentifierType = "ghsa"
	// IdentifierTypeELSA is the identifier type for Oracle Linux Security Data IDs (https://linux.oracle.com/security/)
	IdentifierTypeELSA IdentifierType = "elsa"
	// IdentifierTypeH1 is the identifier type for IDs in hackerone reports (https://api.hackerone.com/core-resources/#reports)
	IdentifierTypeH1 IdentifierType = "hackerone"
)
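As an added example (not the report package's own code), the helper below enforces the ID formats that the constructor functions above document, so a report builder can reject malformed slugs before they are embedded in a report. The ValidatedIdentifier type, the ParseValidatedIdentifier name and the regular expressions (exact digit counts, GHSA/USN character classes) are assumptions; unlike ParseIdentifierID, it validates the body of the slug, so a prefix-only slug such as "RHSA-01" is rejected.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identifierRule pairs an IdentifierType slug from the report format with a
// pattern for the ID format documented for that type's constructor.
type identifierRule struct {
	typ     string
	pattern *regexp.Regexp
}

// Patterns follow the documented formats (CVE-YYYY-NNNNN, RHSA-YYYY:NNNN,
// ELSA-YYYY-NNNN(-N)?, GHSA-xxxx-xxxx-xxxx, ...). The digit counts and the
// GHSA/USN character classes are assumptions, not taken from the library.
var identifierRules = map[string]identifierRule{
	"CVE":       {"cve", regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)},
	"CWE":       {"cwe", regexp.MustCompile(`^CWE-\d+$`)},
	"GHSA":      {"ghsa", regexp.MustCompile(`^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$`)},
	"RHSA":      {"rhsa", regexp.MustCompile(`^RHSA-\d{4}:\d{4,}$`)},
	"ELSA":      {"elsa", regexp.MustCompile(`^ELSA-\d{4}-\d{4,}(-\d+)?$`)},
	"USN":       {"usn", regexp.MustCompile(`^USN-\d+(-\d+)?$`)},
	"OSVDB":     {"osvdb", regexp.MustCompile(`^OSVDB-\d+$`)},
	"HACKERONE": {"hackerone", regexp.MustCompile(`^HACKERONE-\d+$`)},
}

// ValidatedIdentifier mirrors the Type, Name and Value fields of the report
// package's Identifier; it is a stand-in for this example, not the library type.
type ValidatedIdentifier struct {
	Type  string
	Name  string
	Value string
}

// ParseValidatedIdentifier builds an identifier from a slug such as
// "CVE-2024-00001". It fails for an unknown prefix and for a body that does
// not match the documented format (so "RHSA-01" is rejected here).
func ParseValidatedIdentifier(slug string) (ValidatedIdentifier, bool) {
	slug = strings.TrimSpace(slug)
	prefix, _, found := strings.Cut(slug, "-")
	if !found {
		return ValidatedIdentifier{}, false
	}
	rule, ok := identifierRules[prefix]
	if !ok || !rule.pattern.MatchString(slug) {
		return ValidatedIdentifier{}, false
	}
	id := ValidatedIdentifier{Type: rule.typ, Name: slug, Value: slug}
	// The HACKERONE prefix is GitLab-internal and is dropped from the value,
	// as the H1Identifier documentation describes.
	if rule.typ == "hackerone" {
		id.Value = strings.TrimPrefix(slug, "HACKERONE-")
	}
	return id, true
}

func main() {
	// Constructed sample slugs; none refers to a real advisory.
	for _, s := range []string{"CVE-2024-00001", "HACKERONE-123456", "RHSA-01", "GHSA-aaaa-bbbb-cccc"} {
		id, ok := ParseValidatedIdentifier(s)
		fmt.Printf("%-22s ok=%-5t type=%-9s value=%s\n", s, ok, id.Type, id.Value)
	}
}
```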
type KubernetesResource
type KubernetesResource struct {
	// Namespace is the Kubernetes namespace the object resides in.
	Namespace string `json:"namespace"`
	// Name is the Kubernetes object's name
	Name string `json:"name"`
	// Kind is the object's Kubernetes kind (e.g. DaemonSet).
	Kind string `json:"kind"`
	// ContainerName is the name of the container which had its image scanned.
	ContainerName string `json:"container_name"`
	// AgentID is the ID of the GitLab Kubernetes agent which
	// was used to perform this scan. It should be present if
	// there is no ClusterID.
	AgentID string `json:"agent_id,omitempty"`
	// ClusterID is the ID of the Kubernetes Cluster when
	// the scan is performed using GitLab Kubernetes Integration.
	// It should be present if there is no AgentID.
	ClusterID string `json:"cluster_id,omitempty"`
}
KubernetesResource contains location information for an object in a Kubernetes cluster. https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/
type Link
type Link struct {
	Name string `json:"name,omitempty"` // Name of the link (optional)
	URL  string `json:"url"`            // URL of the document (mandatory)
}
Link contains the hyperlink to the detailed information about a vulnerability.
type Location
type Location struct {
	File string `json:"file,omitempty"` // File is the path relative to the search path.
	*Commit `json:"commit,omitempty"`   // Commit is the commit in which the vulnerability was detected
	LineStart int `json:"start_line,omitempty"` // LineStart is the first line of the affected code.
	LineEnd   int `json:"end_line,omitempty"`   // LineEnd is the last line of the affected code.
	Class  string `json:"class,omitempty"`
	Method string `json:"method,omitempty"`
	*Dependency `json:"dependency,omitempty"`
	OperatingSystem string `json:"operating_system,omitempty"` // OperatingSystem is the operating system and optionally its version, separated by a colon: linux, debian:10, etc.
	Image string `json:"image,omitempty"` // Image is the name of the Docker image
	CrashAddress      string `json:"crash_address,omitempty"`      // CrashAddress is the memory address where the crash occurred, used for coverage fuzzing
	CrashType         string `json:"crash_type,omitempty"`         // CrashType is the type of the vulnerability/weakness (e.g. Heap-buffer-overflow)
	CrashState        string `json:"crash_state,omitempty"`        // CrashState is the normalized stacktrace
	StacktraceSnippet string `json:"stacktrace_snippet,omitempty"` // StacktraceSnippet is the original stacktrace
	*KubernetesResource `json:"kubernetes_resource,omitempty"`
}
Location represents the location of the vulnerability occurrence, be it a source code line, a dependency package identifier or anything else.
type Package
type Package struct {
Name string `json:"name,omitempty"`
}
Package contains the information about the software dependency package.
type Ref
type Ref struct {
	CompareKey string `json:"cve,omitempty"` // [DEPRECATED] CompareKey of a vulnerability
	ID         string `json:"id"`            // ID of a vulnerability
}
Ref is a reference to a vulnerability occurrence in the context of the remediation.
type Remediation
type Remediation struct {
	Fixes   []Ref  `json:"fixes"`   // Refs to fixed vulnerability occurrences
	Summary string `json:"summary"` // Overview of how the vulnerabilities have been fixed
	Diff    string `json:"diff"`    // Base64 encoded diff, compatible with "git apply"
}
Remediation holds the patch required to fix a set of vulnerability occurrences.
type Report
type Report struct {
	Version         Version         `json:"version"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
	Remediations    []Remediation   `json:"remediations,omitempty"`
	Scan            Scan            `json:"scan"`
	Analyzer        string          `json:"-"`
	Config          ruleset.Config  `json:"-"`
}
Report is the output of an analyzer.
func MergeReports
MergeReports merges the given reports and brings them to the current syntax version. TODO: remove this as part of https://gitlab.com/gitlab-org/gitlab/-/issues/383241
func (*Report) ApplyReportOverrides
ApplyReportOverrides applies customer-supplied rulesets to override vulnerabilities.
func (*Report) ExcludePaths
ExcludePaths excludes paths from vulnerabilities and remediations. It takes a function that returns true when the given path is excluded.
func (*Report) FilterDisabledRules
FilterDisabledRules removes vulnerabilities and identifiers that have been disabled using rulesets.
func (*Report) TruncateTextFields added in v5.1.0
func (r *Report) TruncateTextFields()
TruncateTextFields ensures that the report fields don't exceed the maximum allowed length.
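An added example, not the library's TruncateTextFields: the limits above are named in bytes while their descriptions speak of characters, and cutting a string at an arbitrary byte index can split a multi-byte UTF-8 sequence, leaving a description that is no longer valid UTF-8 when the report is serialised. The helper below truncates to the byte limit on a rune boundary and reports which fields were shortened; TruncateUTF8 and the reduced TextFields struct are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Limits as documented for the report package.
const (
	VulnerabilityNameMaxLengthBytes        = 255
	VulnerabilityDescriptionMaxLengthBytes = 1048576
)

// TextFields is a reduced stand-in for the report package's Vulnerability,
// carrying only the two fields the limits apply to (an assumption for this example).
type TextFields struct {
	Name        string
	Description string
}

// TruncateUTF8 returns s cut to at most maxBytes bytes without splitting a
// multi-byte UTF-8 sequence, so the result is still valid UTF-8.
func TruncateUTF8(s string, maxBytes int) string {
	if maxBytes <= 0 {
		return ""
	}
	if len(s) <= maxBytes {
		return s
	}
	cut := maxBytes
	// Step back over continuation bytes (10xxxxxx) until s[:cut] ends on a rune boundary.
	for cut > 0 && !utf8.RuneStart(s[cut]) {
		cut--
	}
	return s[:cut]
}

// TruncateTextFields applies the name and description limits in place and
// returns the names of the fields that had to be shortened.
func TruncateTextFields(v *TextFields) []string {
	var cut []string
	if len(v.Name) > VulnerabilityNameMaxLengthBytes {
		v.Name = TruncateUTF8(v.Name, VulnerabilityNameMaxLengthBytes)
		cut = append(cut, "name")
	}
	if len(v.Description) > VulnerabilityDescriptionMaxLengthBytes {
		v.Description = TruncateUTF8(v.Description, VulnerabilityDescriptionMaxLengthBytes)
		cut = append(cut, "description")
	}
	return cut
}

func main() {
	// Constructed input: 130 two-byte runes = 260 bytes, just over the 255-byte name limit.
	v := TextFields{Name: strings.Repeat("é", 130), Description: "constructed"}
	cut := TruncateTextFields(&v)
	fmt.Println(cut, len(v.Name), utf8.ValidString(v.Name)) // [name] 254 true
}
```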
type Scan
type Scan struct {
	Analyzer           AnalyzerDetails `json:"analyzer"`                      // Analyzer describes the analyzer tool which wraps the scanner
	Scanner            ScannerDetails  `json:"scanner"`                       // Scanner is an object defining the scanner used to perform the scan
	PrimaryIdentifiers []Identifier    `json:"primary_identifiers,omitempty"` // PrimaryIdentifiers identify all rule identifiers for which the scan was executed.
	Type               Category        `json:"type"`                          // Type of the scan (container_scanning, dependency_scanning, dast, sast)
	StartTime          *ScanTime       `json:"start_time,omitempty"`          // StartTime is the time when the scan started
	EndTime            *ScanTime       `json:"end_time,omitempty"`            // EndTime is the time when the scan ended
	Status             Status          `json:"status,omitempty"`              // Status is the status of the scan, either `success` or `failure`. Hardcoded to `success` for now
}
Scan contains the identifying information about a security scan.
type ScanTime
ScanTime is a custom time type formatted using the timeFormat.
func (*ScanTime) MarshalJSON
MarshalJSON converts the ScanTime value into a JSON string with the defined timeFormat.
func (*ScanTime) UnmarshalJSON
UnmarshalJSON converts the JSON string with the defined timeFormat into a ScanTime value.
type Scanner
type Scanner struct {
	ID   string `json:"id"`   // ID of the scanner as a snake_case string (mandatory)
	Name string `json:"name"` // Name of the scanner, for display purpose (mandatory)
}
Scanner contains the identifying information about a security scanner.
type ScannerDetails
type ScannerDetails struct {
	ID      string `json:"id"`            // Unique id that identifies the scanner
	Name    string `json:"name"`          // A human readable value that identifies the scanner, not required to be unique
	URL     string `json:"url,omitempty"` // A link to more information about the scanner
	Vendor  Vendor `json:"vendor"`        // The vendor/maintainer of the scanner
	Version string `json:"version"`       // The version of the scanner
}
ScannerDetails contains detailed information about the scanner.
func (ScannerDetails) String
func (s ScannerDetails) String() string
type SeverityLevel
type SeverityLevel int
SeverityLevel is the vulnerability severity level reported by the scanner.
const (
	// SeverityLevelUndefined is a stub severity value for the case when it was not reported by the scanner.
	SeverityLevelUndefined SeverityLevel = iota
	// SeverityLevelInfo represents the "info" or "ignore" severity level.
	SeverityLevelInfo
	// SeverityLevelUnknown represents the "experimental" or "unknown" severity level.
	SeverityLevelUnknown
	// SeverityLevelLow represents the "low" severity level.
	SeverityLevelLow
	// SeverityLevelMedium represents the "medium" severity level.
	SeverityLevelMedium
	// SeverityLevelHigh represents the "high" severity level.
	SeverityLevelHigh
	// SeverityLevelCritical represents the "critical" severity level.
	SeverityLevelCritical
)
func ParseSeverityLevel
func ParseSeverityLevel(s string) SeverityLevel
ParseSeverityLevel parses a SeverityLevel value from a string.
func (SeverityLevel) MarshalJSON
func (l SeverityLevel) MarshalJSON() ([]byte, error)
MarshalJSON converts a SeverityLevel value into its JSON representation.
func (SeverityLevel) String
func (l SeverityLevel) String() string
func (*SeverityLevel) UnmarshalJSON
func (l *SeverityLevel) UnmarshalJSON(b []byte) error
UnmarshalJSON parses a SeverityLevel value from its JSON representation.
type Status
type Status string
Status represents the status of a scan, either `success` or `failure`.
type Tracking
type Tracking struct {
	Type  string         `json:"type"`
	Items []TrackingItem `json:"items"`
}
Tracking provides scoping information.
type TrackingItem
type TrackingItem struct {
	File       string              `json:"file,omitempty"`
	LineStart  int                 `json:"line_start,omitempty"`
	LineEnd    int                 `json:"line_end,omitempty"`
	Signatures []TrackingSignature `json:"signatures"`
}
TrackingItem captures the vulnerability item (position).
type TrackingSignature
TrackingSignature contains the details about the fingerprinting algorithm.
type Vendor
type Vendor struct {
	Name string `json:"name"` // The name of the vendor
}
Vendor is the vendor/maintainer of the scanner.
type Version
Version represents the version of the report syntax. It matches a release of the Security Report Schemas, and is used for JSON schema validation. See https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/releases
func CurrentVersion
func CurrentVersion() Version
CurrentVersion returns the current version of the report syntax.
func (Version) MarshalJSON
MarshalJSON encodes a version to JSON.
func (*Version) UnmarshalJSON
UnmarshalJSON decodes a version.
type Vulnerability
type Vulnerability struct {
	// [DEPRECATED] Category describes where this vulnerability belongs (SAST, Dependency Scanning, etc.)
	Category Category `json:"category,omitempty"`
	// Name of the vulnerability; this must not include occurrence-specific information.
	Name string `json:"name,omitempty"`
	// Message is a short text that describes the vulnerability; it may include occurrence-specific information.
	Message string `json:"message,omitempty"`
	// Description is a long text that describes the vulnerability.
	Description string `json:"description,omitempty"`
	// [DEPRECATED] CompareKey is a value used to establish whether two vulnerabilities are the same. https://gitlab.com/gitlab-org/gitlab/-/issues/209850
	CompareKey string `json:"cve,omitempty"`
	// Severity describes how much the vulnerability impacts the software.
	Severity SeverityLevel `json:"severity,omitempty"`
	// [DEPRECATED] Confidence describes how reliable the vulnerability's assessment is.
	Confidence ConfidenceLevel `json:"confidence,omitempty"`
	// Solution explains how to fix the vulnerability.
	Solution string `json:"solution,omitempty"`
	// RawSourceCodeExtract is an extract of the affected source code.
	RawSourceCodeExtract string `json:"raw_source_code_extract,omitempty"`
	// [DEPRECATED] Scanner identifies the analyzer.
	Scanner *Scanner `json:"scanner,omitempty"`
	// Location tells which class and/or method is affected by the vulnerability.
	Location Location `json:"location"`
	// Flags are used for post-analyzer processing.
	Flags []Flag `json:"flags,omitempty"`
	// Identifiers are references that identify a vulnerability on internal or external DBs.
	Identifiers []Identifier `json:"identifiers"`
	// CVSSRatings provide context about the risk, impact and severity of a vulnerability.
	// Different vendors may score the vulnerability differently, so all known vectors are provided for completeness.
	CVSSRatings []CVSSRating `json:"cvss_vectors,omitempty"`
	// Links are external documentation or articles that further describe the vulnerability.
	Links    []Link    `json:"links,omitempty"`
	Tracking *Tracking `json:"tracking,omitempty"`
	Details  *Details  `json:"details,omitempty"`
}
Vulnerability represents a generic vulnerability occurrence reported by the scanner.
func Dedupe
func Dedupe(vulnerabilities ...Vulnerability) []Vulnerability
Dedupe removes duplicates from a given list of vulnerabilities. Duplicates share the same location and at least one identifier. CWE ids are ignored, since these are used to classify the vulnerability rather than identify the occurrence. The first duplicate in the list wins and the others are simply removed.
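The rule described for Dedupe, as an added example rather than the package's own implementation: two occurrences are duplicates when their Location is equal and they share at least one identifier that is not a CWE, and the earlier occurrence wins. The reduced Location, Identifier and Vulnerability types are assumptions for the example (the page's Location has many more fields); identifiers are compared by Type and Value, the field the page says is used for matching, so a differing display Name does not prevent a match.

```go
package main

import "fmt"

// Reduced stand-ins for the report package's types (assumptions for this example).
type Identifier struct {
	Type  string // IdentifierType slug, e.g. "cve" or "cwe"
	Value string // value used for matching; the display Name is irrelevant here
}

type Location struct {
	File      string
	LineStart int
	LineEnd   int
}

type Vulnerability struct {
	Name        string
	Location    Location
	Identifiers []Identifier
}

// matchKeys returns the identifiers used for duplicate matching. CWE ids classify
// the weakness rather than the occurrence, so they are left out.
func matchKeys(v Vulnerability) map[string]bool {
	keys := make(map[string]bool, len(v.Identifiers))
	for _, id := range v.Identifiers {
		if id.Type != "cwe" {
			keys[id.Type+":"+id.Value] = true
		}
	}
	return keys
}

// Dedupe keeps the first occurrence of each duplicate group. Two occurrences are
// duplicates when their Location is equal and they share a non-CWE identifier.
func Dedupe(vulns ...Vulnerability) []Vulnerability {
	byLocation := map[Location][]map[string]bool{} // match keys of kept occurrences, per location
	var result []Vulnerability
	for _, v := range vulns {
		keys := matchKeys(v)
		dup := false
		for _, keptKeys := range byLocation[v.Location] {
			for k := range keys {
				if keptKeys[k] {
					dup = true
				}
			}
		}
		if dup {
			continue
		}
		byLocation[v.Location] = append(byLocation[v.Location], keys)
		result = append(result, v)
	}
	return result
}

func main() {
	// Constructed sample occurrences; the CVE id is a placeholder, not a real advisory.
	loc := Location{File: "app/handler.go", LineStart: 10, LineEnd: 12}
	cve := Identifier{Type: "cve", Value: "CVE-2024-00001"}
	cwe := Identifier{Type: "cwe", Value: "CWE-79"}
	out := Dedupe(
		Vulnerability{Name: "first", Location: loc, Identifiers: []Identifier{cve, cwe}},
		Vulnerability{Name: "same cve, same place", Location: loc, Identifiers: []Identifier{cve}},
		Vulnerability{Name: "only cwe in common", Location: loc, Identifiers: []Identifier{cwe}},
		Vulnerability{Name: "same cve, other file", Location: Location{File: "lib/other.go"}, Identifiers: []Identifier{cve}},
	)
	for _, v := range out {
		fmt.Println(v.Name) // first / only cwe in common / same cve, other file
	}
}
```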
func (Vulnerability) ID
func (i Vulnerability) ID() string
ID returns a hash combining all the fields of the vulnerability. This should be a randomly generated UUID, but currently it needs to be predictable because of limitations in the implementation of the klar and gemnasium analyzers.
func (Vulnerability) MarshalJSON
func (i Vulnerability) MarshalJSON() ([]byte, error)
MarshalJSON adds an id field when encoding the vulnerability.