osv

package
v0.0.0-...-09793e5
Published: Jan 10, 2025 License: BSD-3-Clause Imports: 6 Imported by: 0

Documentation

Overview

Package osv implements the Go OSV vulnerability format (https://go.dev/security/vuln/database#schema), which is a subset of the OSV shared vulnerability format (https://ossf.github.io/osv-schema), with database and ecosystem-specific meanings and fields.

As this package is intended for use with the Go vulnerability database, only the subset of features which are used by that database are implemented (for instance, only the SEMVER affected range type is implemented).

Index

Constants

const (
	// GoStdModulePath is the pseudo-module path string used
	// to describe vulnerabilities in the Go standard library.
	GoStdModulePath = "stdlib"
	// GoCmdModulePath is the pseudo-module path string used
	// to describe vulnerabilities in the go command.
	GoCmdModulePath = "toolchain"
)

Pseudo-module paths used to describe vulnerabilities in the Go standard library and toolchain.

const (
	// ReferenceTypeAdvisory is a published security advisory for
	// the vulnerability.
	ReferenceTypeAdvisory = ReferenceType("ADVISORY")
	// ReferenceTypeArticle is an article or blog post describing the vulnerability.
	ReferenceTypeArticle = ReferenceType("ARTICLE")
	// ReferenceTypeReport is a report, typically on a bug or issue tracker, of
	// the vulnerability.
	ReferenceTypeReport = ReferenceType("REPORT")
	// ReferenceTypeFix is a source code browser link to the fix (e.g., a GitHub commit).
	ReferenceTypeFix = ReferenceType("FIX")
	// ReferenceTypePackage is a home web page for the package.
	ReferenceTypePackage = ReferenceType("PACKAGE")
	// ReferenceTypeEvidence is a demonstration of the validity of a vulnerability claim.
	ReferenceTypeEvidence = ReferenceType("EVIDENCE")
	// ReferenceTypeWeb is a web page of some unspecified kind.
	ReferenceTypeWeb = ReferenceType("WEB")
)

Variables

This section is empty.

Functions

func AffectsSemver

func AffectsSemver(ranges []Range, v string) bool

func CanonicalizeSemver

func CanonicalizeSemver(s string) string

CanonicalizeSemver turns a SEMVER string into the canonical representation using the 'v' prefix, as used by the OSV format. Input may be a bare SEMVER ("1.2.3"), Go prefixed SEMVER ("go1.2.3"), or already canonical SEMVER ("v1.2.3").

func LatestFixedVersion

func LatestFixedVersion(ranges []Range) string

func LessSemver

func LessSemver(v1, v2 string) bool

LessSemver returns whether v1 < v2, where v1 and v2 are semver versions with either a "v", "go" or no prefix.

func ReviewStatusValues

func ReviewStatusValues() []string

Types

type Affected

type Affected struct {
	// The affected Go module. Required.
	// Note that this field is called "package" in the OSV specification.
	Module Module `json:"package"`
	// The module version ranges affected by the vulnerability.
	Ranges []Range `json:"ranges,omitempty"`
	// Details on the affected packages and symbols within the module.
	EcosystemSpecific EcosystemSpecific `json:"ecosystem_specific"`
}

Affected gives details about a module affected by the vulnerability.

See https://ossf.github.io/osv-schema/#affected-fields.

type Credit

type Credit struct {
	// Name is the name, label, or other identifier of the individual or
	// entity being credited. Required.
	Name string `json:"name"`
}

Credit represents a credit for the discovery, confirmation, patch, or other event in the life cycle of a vulnerability.

See https://ossf.github.io/osv-schema/#credits-fields.

type DatabaseSpecific

type DatabaseSpecific struct {
	// The URL of the Go advisory for this vulnerability, of the form
	// "https://pkg.go.dev/GO-YYYY-XXXX".
	URL string `json:"url,omitempty"`
	// The review status of this report (UNREVIEWED or REVIEWED).
	ReviewStatus ReviewStatus `json:"review_status,omitempty"`
}

DatabaseSpecific contains additional information about the vulnerability, specific to the Go vulnerability database.

See https://go.dev/security/vuln/database#schema.

type Ecosystem

type Ecosystem string

Ecosystem identifies the overall library ecosystem. In this implementation, only the "Go" ecosystem is supported.

const GoEcosystem Ecosystem = "Go"

GoEcosystem indicates the Go ecosystem.

type EcosystemSpecific

type EcosystemSpecific struct {
	// Packages is the list of affected packages within the module.
	Packages []Package `json:"imports,omitempty"`
	// CustomRanges are the version ranges affected by the vulnerability
	// which are not compatible with Go module version numbering
	// (https://go.dev/doc/modules/version-numbers).
	// These ranges may be displayed but are generally not consumable
	// by tools like govulncheck which expect standard Go module versions.
	CustomRanges []Range `json:"custom_ranges,omitempty"`
}

EcosystemSpecific contains additional information about the vulnerable module for the Go ecosystem.

See https://go.dev/security/vuln/database#schema.

type Entry

type Entry struct {
	// SchemaVersion is the OSV schema version used to encode this
	// vulnerability.
	SchemaVersion string `json:"schema_version,omitempty"`
	// ID is a unique identifier for the vulnerability. Required.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the entry was last modified. Required.
	Modified time.Time `json:"modified,omitempty"`
	// Published is the time the entry should be considered to have
	// been published.
	Published time.Time `json:"published,omitempty"`
	// Withdrawn is the time the entry should be considered to have
	// been withdrawn. If the field is missing, then the entry has
	// not been withdrawn.
	Withdrawn *time.Time `json:"withdrawn,omitempty"`
	// Aliases is a list of IDs for the same vulnerability in other
	// databases.
	Aliases []string `json:"aliases,omitempty"`
	// Summary contains a short English textual summary of the vulnerability.
	Summary string `json:"summary,omitempty"`
	// Details contains English textual details about the vulnerability.
	Details string `json:"details,omitempty"`
	// Affected contains information on the modules and versions
	// affected by the vulnerability.
	Affected []Affected `json:"affected"`
	// References contains links to more information about the
	// vulnerability.
	References []Reference `json:"references,omitempty"`
	// Credits contains credits to entities that helped find or fix the
	// vulnerability.
	Credits []Credit `json:"credits,omitempty"`
	// DatabaseSpecific contains additional information about the
	// vulnerability, specific to the Go vulnerability database.
	DatabaseSpecific *DatabaseSpecific `json:"database_specific,omitempty"`
}

Entry represents a vulnerability in the Go OSV format, documented in https://go.dev/security/vuln/database#schema. It is a subset of the OSV schema (https://ossf.github.io/osv-schema). Only fields that are published in the Go Vulnerability Database are supported.

func (Entry) AffectedModulesAndPackages

func (e Entry) AffectedModulesAndPackages() []string

AffectedModulesAndPackages returns a list of module paths affected by a vuln. If the vuln is in the standard library or toolchain, it lists package names instead of modules.

func (*Entry) AffectsStandardLibrary

func (e *Entry) AffectsStandardLibrary() bool

func (*Entry) HasCustomVersions

func (e *Entry) HasCustomVersions() bool

func (*Entry) IsUnreviewed

func (e *Entry) IsUnreviewed() bool

type Module

type Module struct {
	// The Go module path. Required.
	// For the Go standard library, this is "stdlib".
	// For the Go toolchain, this is "toolchain".
	Path string `json:"name"`
	// The ecosystem containing the module. Required.
	// This should always be "Go".
	Ecosystem Ecosystem `json:"ecosystem"`
}

Module identifies the Go module containing the vulnerability. Note that this field is called "package" in the OSV specification.

See https://ossf.github.io/osv-schema/#affectedpackage-field.

type Package

type Package struct {
	// Path is the package import path. Required.
	Path string `json:"path,omitempty"`
	// GOOS is the execution operating system where the symbols appear, if
	// known.
	GOOS []string `json:"goos,omitempty"`
	// GOARCH specifies the execution architecture where the symbols appear, if
	// known.
	GOARCH []string `json:"goarch,omitempty"`
	// Symbols is a list of function and method names affected by
	// this vulnerability. Methods are listed as <recv>.<method>.
	//
	// If included, only programs which use these symbols will be marked as
	// vulnerable by `govulncheck`. If omitted, any program which imports this
	// package will be marked vulnerable.
	Symbols []string `json:"symbols,omitempty"`
}

Package contains additional information about an affected package. This is an ecosystem-specific field for the Go ecosystem.

type Range

type Range struct {
	// Type is the version type that should be used to interpret the
	// versions in Events. Required.
	// In this implementation, only the "SEMVER" type is supported.
	Type RangeType `json:"type"`
	// Events is a list of versions representing the ranges in which
	// the module is vulnerable. Required.
	// The events should be sorted, and MUST represent non-overlapping
	// ranges.
	// There must be at least one RangeEvent containing a value for
	// Introduced.
	// See https://ossf.github.io/osv-schema/#examples for examples.
	Events []RangeEvent `json:"events"`
}

Range describes the affected versions of the vulnerable module.

See https://ossf.github.io/osv-schema/#affectedranges-field.

type RangeEvent

type RangeEvent struct {
	// Introduced is a version that introduces the vulnerability.
	// A special value, "0", represents a version that sorts before
	// any other version, and should be used to indicate that the
	// vulnerability exists from the "beginning of time".
	Introduced string `json:"introduced,omitempty"`
	// Fixed is a version that fixes the vulnerability.
	Fixed string `json:"fixed,omitempty"`
}

RangeEvent describes a single module version that either introduces or fixes a vulnerability.

Exactly one of Introduced and Fixed must be present. Other range event types (e.g., "last_affected" and "limit") are not supported in this implementation.

See https://ossf.github.io/osv-schema/#affectedrangesevents-fields.
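The version-range rules above (sorted events that each carry exactly one of Introduced or Fixed, the special "0" introduced value, and the "v"/"go" prefixes that LessSemver and CanonicalizeSemver accept), worked through in Go. This is an added example, not the package's own code: Range and RangeEvent are re-declared locally with only the fields needed because the real package is internal, and semverKey/affectsSemver are assumed reimplementations of the documented behaviour, not the package's AffectsSemver.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Stand-ins for the page's Range and RangeEvent (re-declared here because the real package is internal).
type RangeEvent struct{ Introduced, Fixed string }
type Range struct {
	Type   string
	Events []RangeEvent
}

// semverKey maps "1.2.3", "v1.2.3" or "go1.2.3" to a string whose byte order is version order. Build
// metadata after '+' is dropped; the special introduced value "0" gets a key that sorts before everything.
func semverKey(s string) string {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	s, _, _ = strings.Cut(s, "+")
	num, pre, isPre := strings.Cut(s, "-") // prerelease tag, including Go pseudo-version suffixes
	if !isPre && s != "0" {
		pre = "~" // '~' sorts after any tag byte, so a release follows its own prereleases
	}
	var n [3]int
	for i, p := range strings.SplitN(num, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%010d.%010d.%010d-%s", n[0], n[1], n[2], pre) // tags compare as plain strings
}
func lessSemver(v1, v2 string) bool { return semverKey(v1) < semverKey(v2) }

// affectsSemver applies the event semantics documented above: a SEMVER range's events are sorted and each
// carries exactly one of Introduced/Fixed, so the last event at or below v decides. Other types are skipped.
func affectsSemver(ranges []Range, v string) bool {
	for _, r := range ranges {
		if r.Type != "SEMVER" {
			continue
		}
		vuln := false
		for _, e := range r.Events {
			if !lessSemver(v, e.Introduced+e.Fixed) { // one of the two is always empty
				vuln = e.Introduced != ""
			}
		}
		if vuln {
			return true
		}
	}
	return false
}
```

Prerelease tags are compared as plain strings, which is a simplification of full SemVer 2.0.0 ordering but enough for Go pseudo-version suffixes.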

type RangeType

type RangeType string

RangeType specifies the type of version range being recorded and defines the interpretation of the RangeEvent object's Introduced and Fixed fields.

In this implementation, only the "SEMVER" type is supported.

See https://ossf.github.io/osv-schema/#affectedrangestype-field.

const RangeTypeSemver RangeType = "SEMVER"

RangeTypeSemver indicates a semantic version as defined by SemVer 2.0.0, with no leading "v" prefix.

type Reference

type Reference struct {
	// The type of reference. Required.
	Type ReferenceType `json:"type"`
	// The fully-qualified URL of the reference. Required.
	URL string `json:"url"`
}

Reference is a reference URL containing additional information, advisories, issue tracker entries, etc., about the vulnerability.

See https://ossf.github.io/osv-schema/#references-field.

type ReferenceType

type ReferenceType string

ReferenceType is a reference (link) type.

type ReviewStatus

type ReviewStatus int

const (
	ReviewStatusUnknown ReviewStatus = iota
	ReviewStatusUnreviewed
	ReviewStatusReviewed
)

func ToReviewStatus

func ToReviewStatus(s string) (ReviewStatus, bool)

func (ReviewStatus) IsValid

func (r ReviewStatus) IsValid() bool

func (ReviewStatus) MarshalJSON

func (r ReviewStatus) MarshalJSON() ([]byte, error)

func (ReviewStatus) String

func (r ReviewStatus) String() string

func (*ReviewStatus) UnmarshalJSON

func (r *ReviewStatus) UnmarshalJSON(b []byte) error
