audit

package
v0.0.0-...-032f043

This package is not in the latest version of its module.

Published: Mar 24, 2022 License: BSD-3-Clause Imports: 21 Imported by: 0

Documentation

Overview

Package audit finds vulnerabilities affecting Go packages.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Finding

type Finding struct {
	Symbol   string
	Position *token.Position `json:",omitempty"`
	Type     SymbolType
	Trace    []TraceElem
	// contains filtered or unexported fields
}

Finding represents the use of a vulnerable symbol or the import of a vulnerable package. It records the symbol's location and the trace (import chain or call chain) leading up to that use.

func (Finding) String

func (f Finding) String() string

String method for findings.

type ModuleVulnerabilities

type ModuleVulnerabilities []modVulns

func FetchVulnerabilities

func FetchVulnerabilities(client client.Client, modules []*packages.Module) (ModuleVulnerabilities, error)

FetchVulnerabilities fetches vulnerabilities that affect the supplied modules.

func (ModuleVulnerabilities) Filter

func (ModuleVulnerabilities) Num

func (mv ModuleVulnerabilities) Num() int

func (ModuleVulnerabilities) Vulns

func (mv ModuleVulnerabilities) Vulns() []*osv.Entry

Vulns returns vulnerabilities for all modules in `mv`.

func (ModuleVulnerabilities) VulnsForPackage

func (mv ModuleVulnerabilities) VulnsForPackage(importPath string) []*osv.Entry

VulnsForPackage returns the vulnerabilities for the module which is the most specific prefix of importPath, or nil if there is no matching module with vulnerabilities.

func (ModuleVulnerabilities) VulnsForSymbol

func (mv ModuleVulnerabilities) VulnsForSymbol(importPath, symbol string) []*osv.Entry

VulnsForSymbol returns vulnerabilities for `symbol` in `mv.VulnsForPackage(importPath)`.
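To make the "most specific prefix" rule concrete, here is an added Go example (written for this page, not the x/vuln package's own code) that reimplements VulnsForPackage and VulnsForSymbol over constructed data. The `Entry` and `modVulns` shapes, the `example.com/...` module paths and the `TEST-...` IDs are hypothetical, and treating an entry with no listed symbols as affecting the whole module is an assumption of this example, not something the page states. The point it demonstrates is that the prefix match must respect path components: a nested module wins over its parent, and module `example.com/mod` must not match the package `example.com/modx/pkg`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is a constructed stand-in for osv.Entry, keeping only the fields the
// matching logic below needs. It is not the x/vuln type.
type Entry struct {
	ID      string
	Symbols []string // affected symbols; empty is taken here to mean the whole module (assumption)
}

// modVulns pairs a module path with the entries that affect it.
type modVulns struct {
	ModPath string
	Vulns   []*Entry
}

// ModuleVulnerabilities mirrors the shape on this page: a slice of modVulns.
type ModuleVulnerabilities []modVulns

// hasPathPrefix reports whether path equals prefix or starts with prefix
// followed by a "/" separator. A plain strings.HasPrefix would wrongly match
// "example.com/modx/pkg" against module "example.com/mod".
func hasPathPrefix(path, prefix string) bool {
	return path == prefix || strings.HasPrefix(path, prefix+"/")
}

// VulnsForPackage returns the entries of the module whose path is the longest
// path-component prefix of importPath, or nil if no module matches.
func (mv ModuleVulnerabilities) VulnsForPackage(importPath string) []*Entry {
	best := -1
	for i, m := range mv {
		if !hasPathPrefix(importPath, m.ModPath) {
			continue
		}
		if best < 0 || len(m.ModPath) > len(mv[best].ModPath) {
			best = i
		}
	}
	if best < 0 {
		return nil
	}
	return mv[best].Vulns
}

// VulnsForSymbol narrows VulnsForPackage(importPath) to entries that list
// symbol, plus entries that list no symbols at all.
func (mv ModuleVulnerabilities) VulnsForSymbol(importPath, symbol string) []*Entry {
	var out []*Entry
	for _, e := range mv.VulnsForPackage(importPath) {
		if len(e.Symbols) == 0 {
			out = append(out, e)
			continue
		}
		for _, s := range e.Symbols {
			if s == symbol {
				out = append(out, e)
				break
			}
		}
	}
	return out
}

// ids returns the sorted, comma-joined IDs of entries ("" for none).
func ids(es []*Entry) string {
	var out []string
	for _, e := range es {
		out = append(out, e.ID)
	}
	sort.Strings(out)
	return strings.Join(out, ",")
}

// sampleModVulns is constructed data with hypothetical module paths and IDs;
// "example.com/mod/sub" is a nested module inside "example.com/mod".
func sampleModVulns() ModuleVulnerabilities {
	return ModuleVulnerabilities{
		{ModPath: "example.com/mod", Vulns: []*Entry{
			{ID: "TEST-0001", Symbols: []string{"Parse", "Decode"}},
		}},
		{ModPath: "example.com/mod/sub", Vulns: []*Entry{
			{ID: "TEST-0002", Symbols: []string{"Open"}},
			{ID: "TEST-0003"}, // no symbols listed: affects every symbol in the module
		}},
	}
}

func main() {
	mv := sampleModVulns()
	fmt.Println(ids(mv.VulnsForPackage("example.com/mod/sub/pkg")))        // TEST-0002,TEST-0003
	fmt.Println(ids(mv.VulnsForPackage("example.com/mod/other")))          // TEST-0001
	fmt.Println(ids(mv.VulnsForPackage("example.com/modx/pkg")))           // (empty: no false prefix match)
	fmt.Println(ids(mv.VulnsForSymbol("example.com/mod/sub/pkg", "Close"))) // TEST-0003
}
```

The nested-module case matters in practice: a vulnerability filed against the parent module must not be attributed to packages that actually come from a separately versioned nested module, and a naive string prefix check would both over-match sibling modules and mis-attribute nested ones.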

type Results

type Results struct {
	SearchMode SearchType

	// TODO: identify vulnerability with <ID, package, symbol>?
	// Vulnerabilities in dependent modules.
	Vulnerabilities []osv.Entry

	VulnFindings map[string][]Finding // vuln.ID -> findings
}

Results contains the information on findings and identified vulnerabilities by audit search.

func VulnerableImports

func VulnerableImports(pkgs []*ssa.Package, modVulns ModuleVulnerabilities) Results

VulnerableImports returns vulnerability findings for packages imported by `pkgs`, given the `modVulns` vulnerabilities.

Returns all findings reachable from `pkgs` while analyzing each package only once, preferring findings of shorter import traces. For instance, given import chains

A -> B -> V
A -> D -> B -> V
D -> B -> V

where A and D are top level packages and V is a vulnerable package, VulnerableImports can return either

A -> B -> V

or

D -> B -> V

as traces of importing a vulnerable package V.

Findings for each vulnerability are sorted by estimated usefulness to the user.

func VulnerablePackageSymbols

func VulnerablePackageSymbols(packageSymbols map[string][]string, modVulns ModuleVulnerabilities) Results

VulnerablePackageSymbols returns a list of vulnerability findings for per-package symbols in packageSymbols, given the `modVulns` vulnerabilities.

Findings for each vulnerability are sorted by estimated usefulness to the user and do not have an associated trace.

func VulnerableSymbols

func VulnerableSymbols(pkgs []*ssa.Package, modVulns ModuleVulnerabilities) Results

VulnerableSymbols returns vulnerability findings for symbols transitively reachable, through the call graph built with VTA analysis, from the entry points of `pkgs`, given the `modVulns` vulnerabilities.

Returns all findings reachable from `pkgs` while analyzing each function only once, preferring findings with shorter call traces. For instance, given call chains

A() -> B() -> V
A() -> D() -> B() -> V
D() -> B() -> V

where A() and D() are functions in top-level packages and V is a vulnerable symbol, VulnerableSymbols can return either

A() -> B() -> V

or

D() -> B() -> V

as traces of transitively using a vulnerable symbol V.

Findings for each vulnerability are sorted by estimated usefulness to the user.

Panics if packages in pkgs do not belong to the same program.
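Both VulnerableImports and VulnerableSymbols describe the same search: breadth-first from all entry points at once, each node expanded only once, so a vulnerable node reached along several chains yields a single finding with a shortest trace. The following added Go example (written for this page, not the package's code) runs that search over a constructed graph built from the chains listed above. The `Graph` type, the node names and the single-string `TraceElem` are stand-ins; the real package derives its nodes and edges from SSA packages and a VTA call graph rather than from a hand-built map.

```go
package main

import (
	"fmt"
	"strings"
)

// Graph is a constructed stand-in for the import graph (nodes are packages,
// edges are imports) or the call graph (nodes are functions, edges are calls).
// Edges[n] lists the nodes that n imports or calls.
type Graph struct {
	Edges map[string][]string
}

// TraceElem mirrors the shape on this page: one step in a trace.
type TraceElem struct {
	Description string
}

// Finding carries the vulnerable node and the trace that reached it.
type Finding struct {
	Symbol string
	Trace  []TraceElem
}

// String renders the trace as on this page: "A -> B -> V".
func (f Finding) String() string {
	parts := make([]string, len(f.Trace))
	for i, e := range f.Trace {
		parts[i] = e.Description
	}
	return strings.Join(parts, " -> ")
}

// findingsByBFS runs a single breadth-first search seeded with every entry
// point, marking each node visited the first time it is reached. Because the
// search is breadth-first, the recorded parent of each node lies on a shortest
// path from some entry point, and because a node is expanded only once, a
// vulnerable node reachable along several chains yields exactly one finding.
func findingsByBFS(g Graph, entries []string, vulnerable map[string]bool) map[string]Finding {
	parent := make(map[string]string)
	seen := make(map[string]bool)
	var queue []string
	for _, e := range entries {
		if !seen[e] {
			seen[e] = true
			queue = append(queue, e)
		}
	}
	findings := make(map[string]Finding)
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if vulnerable[n] {
			findings[n] = Finding{Symbol: n, Trace: traceTo(n, parent)}
		}
		for _, m := range g.Edges[n] {
			if seen[m] {
				continue
			}
			seen[m] = true
			parent[m] = n
			queue = append(queue, m)
		}
	}
	return findings
}

// traceTo walks parent pointers from n back to the entry point that reached
// it and returns the path in entry-to-n order.
func traceTo(n string, parent map[string]string) []TraceElem {
	var rev []string
	for cur, ok := n, true; ok; cur, ok = parent[cur] {
		rev = append(rev, cur)
	}
	trace := make([]TraceElem, len(rev))
	for i, name := range rev {
		trace[len(rev)-1-i] = TraceElem{Description: name}
	}
	return trace
}

// sampleGraph is constructed from the chains listed on this page:
// A -> B -> V, A -> D -> B -> V, D -> B -> V.
func sampleGraph() Graph {
	return Graph{Edges: map[string][]string{
		"A": {"B", "D"},
		"D": {"B"},
		"B": {"V"},
	}}
}

func main() {
	g := sampleGraph()
	vuln := map[string]bool{"V": true}
	for _, entries := range [][]string{{"A", "D"}, {"D", "A"}} {
		for _, f := range findingsByBFS(g, entries, vuln) {
			fmt.Printf("entries %v: %s (%d steps)\n", entries, f, len(f.Trace))
		}
	}
}
```

With entry points A and D the search reports exactly one trace of three steps for V, and which of `A -> B -> V` or `D -> B -> V` it is depends only on which entry point enqueued B first; the four-step chain `A -> D -> B -> V` is never reported. Keep in mind that a statically built call graph over-approximates what the program can do at run time, so a finding means the vulnerable symbol may be reached from an entry point, not that a given execution reaches it.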

func (Results) String

func (r Results) String() string

String method for results.

type SearchType

type SearchType int

SearchType represents a type of an audit search: call graph, imports, or binary.

const (
	CallGraphSearch SearchType = iota
	ImportsSearch
	BinarySearch
)

Enum values for SearchType.

type SymbolType

type SymbolType int

SymbolType represents the kind of symbol use: a function, a global, or an import statement.

const (
	FunctionType SymbolType = iota
	ImportType
	GlobalType
)

Enum values for SymbolType.

func (SymbolType) MarshalText

func (s SymbolType) MarshalText() ([]byte, error)

MarshalText implements the encoding.TextMarshaler interface.

type TraceElem

type TraceElem struct {
	Description string
	Position    *token.Position `json:",omitempty"`
}

TraceElem represents an entry in the finding trace. Represents a function call or an import statement.

func (TraceElem) String

func (e TraceElem) String() string

String method for trace elements.
