Documentation ¶
Overview ¶
Package audit finds vulnerabilities affecting Go packages.
Index ¶
- type Finding
- type ModuleVulnerabilities
- func (mv ModuleVulnerabilities) Filter(os, arch string) ModuleVulnerabilities
- func (mv ModuleVulnerabilities) Num() int
- func (mv ModuleVulnerabilities) Vulns() []*osv.Entry
- func (mv ModuleVulnerabilities) VulnsForPackage(importPath string) []*osv.Entry
- func (mv ModuleVulnerabilities) VulnsForSymbol(importPath, symbol string) []*osv.Entry
- type Results
- type SearchType
- type SymbolType
- type TraceElem
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Finding ¶
type Finding struct {
	Symbol   string
	Position *token.Position `json:",omitempty"`
	Type     SymbolType
	Trace    []TraceElem
	// contains filtered or unexported fields
}
Finding represents a finding for the use of a vulnerable symbol or an imported vulnerable package. It provides the symbol's location and the trace leading up to the symbol use.
type ModuleVulnerabilities ¶
type ModuleVulnerabilities []modVulns
func FetchVulnerabilities ¶
func FetchVulnerabilities(client client.Client, modules []*packages.Module) (ModuleVulnerabilities, error)
FetchVulnerabilities fetches vulnerabilities that affect the supplied modules.
func (ModuleVulnerabilities) Filter ¶
func (mv ModuleVulnerabilities) Filter(os, arch string) ModuleVulnerabilities
func (ModuleVulnerabilities) Num ¶
func (mv ModuleVulnerabilities) Num() int
func (ModuleVulnerabilities) Vulns ¶
func (mv ModuleVulnerabilities) Vulns() []*osv.Entry
Vulns returns vulnerabilities for all modules in `mv`.
func (ModuleVulnerabilities) VulnsForPackage ¶
func (mv ModuleVulnerabilities) VulnsForPackage(importPath string) []*osv.Entry
VulnsForPackage returns the vulnerabilities for the module which is the most specific prefix of importPath, or nil if there is no matching module with vulnerabilities.
func (ModuleVulnerabilities) VulnsForSymbol ¶
func (mv ModuleVulnerabilities) VulnsForSymbol(importPath, symbol string) []*osv.Entry
VulnsForSymbol returns vulnerabilities for `symbol` in `mv.VulnsForPackage(importPath)`.
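The most-specific-prefix rule documented for VulnsForPackage, as an added example that is not the package's own code: the entry and module types below are constructed stand-ins, and comparing prefixes on whole path elements is an assumption of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// entry stands in for *osv.Entry; only the ID is needed here (constructed).
type entry struct{ ID string }

// modVulns pairs a module path with the entries affecting it (stand-in for the unexported modVulns).
type modVulns struct {
	modPath string
	vulns   []*entry
}

type moduleVulnerabilities []modVulns

// vulnsForPackage applies the documented rule: choose the module whose path is the
// most specific (longest) prefix of importPath and return its entries, or nil when no
// module with vulnerabilities matches. Prefixes are compared on whole path elements
// (an assumption of this example), so "example.com/lib/sub" does not claim "example.com/lib/subtle".
func (mv moduleVulnerabilities) vulnsForPackage(importPath string) []*entry {
	var best *modVulns
	for i := range mv {
		m := &mv[i]
		if importPath != m.modPath && !strings.HasPrefix(importPath, m.modPath+"/") {
			continue
		}
		if best == nil || len(m.modPath) > len(best.modPath) {
			best = m
		}
	}
	if best == nil {
		return nil
	}
	return best.vulns
}

func main() {
	mv := moduleVulnerabilities{
		{"example.com/lib", []*entry{{"EXAMPLE-1"}}},
		{"example.com/lib/sub", []*entry{{"EXAMPLE-2"}}},
	}
	fmt.Println(mv.vulnsForPackage("example.com/lib/sub/pkg")[0].ID) // EXAMPLE-2: the more specific module wins
	fmt.Println(mv.vulnsForPackage("example.com/lib/subtle")[0].ID)  // EXAMPLE-1: "sub" is not a path element of "subtle"
	fmt.Println(mv.vulnsForPackage("example.com/other") == nil)      // true: no module with vulnerabilities matches
}
```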
type Results ¶
type Results struct {
	SearchMode SearchType

	// TODO: identify vulnerability with <ID, package, symbol>?
	// Vulnerabilities in dependent modules.
	Vulnerabilities []osv.Entry
	VulnFindings    map[string][]Finding // vuln.ID -> findings
}
Results contains the findings and the vulnerabilities identified by an audit search.
func VulnerableImports ¶
func VulnerableImports(pkgs []*ssa.Package, modVulns ModuleVulnerabilities) Results
VulnerableImports returns vulnerability findings for packages imported by `pkgs`, given the vulnerability and platform info captured in `modVulns`.
Returns all findings reachable from `pkgs` while analyzing each package only once, preferring findings of shorter import traces. For instance, given import chains
A -> B -> V
A -> D -> B -> V
D -> B -> V
where A and D are top level packages and V is a vulnerable package, VulnerableImports can return either
A -> B -> V
or
D -> B -> V
as traces of importing a vulnerable package V.
Findings for each vulnerability are sorted by estimated usefulness to the user.
func VulnerablePackageSymbols ¶
func VulnerablePackageSymbols(packageSymbols map[string][]string, modVulns ModuleVulnerabilities) Results
VulnerablePackageSymbols returns a list of vulnerability findings for per-package symbols in packageSymbols, given the `modVulns` vulnerabilities.
Findings for each vulnerability are sorted by estimated usefulness to the user and do not have an associated trace.
func VulnerableSymbols ¶
func VulnerableSymbols(pkgs []*ssa.Package, modVulns ModuleVulnerabilities) Results
VulnerableSymbols returns vulnerability findings for symbols transitively reachable through the call graph built using VTA analysis from the entry points of `pkgs`, given the `modVulns` vulnerabilities.
Returns all findings reachable from pkgs while analyzing each package only once, preferring findings of shorter import traces. For instance, given call chains
A() -> B() -> V
A() -> D() -> B() -> V
D() -> B() -> V
where A and D are top level packages and V is a vulnerable symbol, VulnerableSymbols can return either
A() -> B() -> V
or
D() -> B() -> V
as traces of transitively using a vulnerable symbol V.
Findings for each vulnerability are sorted by estimated usefulness to the user.
Panics if packages in pkgs do not belong to the same program.
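The shortest-trace behaviour described for both VulnerableImports and VulnerableSymbols, as an added example that is not the package's code: a breadth-first walk over a constructed import graph holding the A/B/D/V chains above, plus an extra vulnerable package W reachable by a long route (A -> B -> V -> W) and a short one (D -> W) to show which trace is reported. The same walk applies to a call graph once the edge relation is caller -> callee.

```go
package main

import "fmt"

// importGraph maps each package to the packages it imports (constructed input).
type importGraph map[string][]string

// importTraces mirrors the documented VulnerableImports walk on a plain import graph:
// breadth-first from the top-level packages, visiting each package once, so the first
// path that reaches a vulnerable package is a shortest one. One trace per vulnerable package.
func importTraces(g importGraph, tops []string, vulnerable map[string]bool) map[string][]string {
	parent := map[string]string{} // package -> importer; "" marks an entry point
	queue := append([]string(nil), tops...)
	for _, t := range tops {
		parent[t] = ""
	}
	traces := map[string][]string{}
	for len(queue) > 0 {
		pkg := queue[0]
		queue = queue[1:]
		if vulnerable[pkg] {
			traces[pkg] = traceTo(pkg, parent)
		}
		for _, dep := range g[pkg] {
			if _, seen := parent[dep]; seen {
				continue // analyzed once: a path no longer than this one already reached it
			}
			parent[dep] = pkg
			queue = append(queue, dep)
		}
	}
	return traces
}

// traceTo rebuilds the import chain from an entry point down to pkg.
func traceTo(pkg string, parent map[string]string) []string {
	var trace []string
	for p := pkg; p != ""; p = parent[p] {
		trace = append([]string{p}, trace...) // prepend while walking importer links
	}
	return trace
}

func main() {
	g := importGraph{"A": {"B", "D"}, "B": {"V"}, "D": {"B", "W"}, "V": {"W"}}
	for pkg, tr := range importTraces(g, []string{"A", "D"}, map[string]bool{"V": true, "W": true}) {
		fmt.Println(pkg, tr) // V [A B V] (D -> B -> V would be equally short), W [D W]
	}
}
```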
type SearchType ¶
type SearchType int
SearchType represents a type of an audit search: call graph, imports, or binary.
const (
	CallGraphSearch SearchType = iota
	ImportsSearch
	BinarySearch
)
Enum values for SearchType.
type SymbolType ¶
type SymbolType int
SymbolType represents a type of a symbol use: function, global, or an import statement.
const (
	FunctionType SymbolType = iota
	ImportType
	GlobalType
)
Enum values for SymbolType.
func (SymbolType) MarshalText ¶
func (s SymbolType) MarshalText() ([]byte, error)
MarshalText implements the encoding.TextMarshaler interface.