Documentation ¶
Overview ¶
Package sarif defines Static Analysis Results Interchange Format (SARIF) types supported by govulncheck.
The implementation covers the subset of the specification available at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
If govulncheck is used in source mode, the locations will include a physical location implemented as a path relative to either the source module (%SRCROOT%), Go root (%GOROOT%), or Go module cache (%GOMODCACHE%) URI base id.
Index ¶
Constants ¶
const ( SrcRootID = "%SRCROOT%" GoRootID = "%GOROOT%" GoModCacheID = "%GOMODCACHE%" )
Variables ¶
This section is empty.
Functions ¶
func NewHandler ¶ added in v1.1.0
Types ¶
type ArtifactLocation ¶
type ArtifactLocation struct { // URI is a path to the artifact. If URIBaseID is empty, then // URI is absolute and it needs to start with, say, "file://." URI string `json:"uri,omitempty"` // URIBaseID is offset for URI. An example is %SRCROOT%, used by // Github Code Scanning to point to the root of the target repo. // Its value must be defined in URIBaseIDs of a Run. URIBaseID string `json:"uriBaseId,omitempty"` }
ArtifactLocation is a path to an offending file.
type CodeFlow ¶
type CodeFlow struct { // ThreadFlows is effectively a set of related information flows. ThreadFlows []ThreadFlow `json:"threadFlows,omitempty"` Message Description `json:"message,omitempty"` }
CodeFlow describes a detected offending flow of information in terms of code locations. More precisely, it can contain several related information flows, keeping them together. In govulncheck, those can be all call stacks for, say, a particular symbol or package.
type Description ¶
type Description struct { Text string `json:"text,omitempty"` Markdown string `json:"markdown,omitempty"` }
Description is a text in its raw or markdown form.
type Driver ¶
type Driver struct { // Name should be "govulncheck" Name string `json:"name,omitempty"` // Version should be the govulncheck version Version string `json:"semanticVersion,omitempty"` // InformationURI should point to the description of govulncheck tool InformationURI string `json:"informationUri,omitempty"` // Properties are govulncheck run metadata, such as vuln db, Go version, etc. Properties govulncheck.Config `json:"properties,omitempty"` Rules []Rule `json:"rules,omitempty"` }
Driver provides details about the govulncheck binary being executed.
type Frame ¶
type Frame struct { Module string `json:"module,omitempty"` Location Location `json:"location,omitempty"` }
Frame is effectively a module location. It can also contain thread and parameter info, but those are not needed for govulncheck.
type Location ¶
type Location struct { PhysicalLocation PhysicalLocation `json:"physicalLocation,omitempty"` Message Description `json:"message,omitempty"` }
Location is currently a physical location annotated with a message.
type Log ¶
type Log struct { // Version should always be "2.1.0" Version string `json:"version,omitempty"` // Schema should always be "https://json.schemastore.org/sarif-2.1.0.json" Schema string `json:"$schema,omitempty"` // Runs describes executions of static analysis tools. For govulncheck, // there will be only one run object. Runs []Run `json:"runs,omitempty"` }
Log is the top-level SARIF object encoded in UTF-8.
type PhysicalLocation ¶
type PhysicalLocation struct { ArtifactLocation ArtifactLocation `json:"artifactLocation,omitempty"` Region Region `json:"region,omitempty"` }
type Region ¶
type Region struct { StartLine int `json:"startLine,omitempty"` StartColumn int `json:"startColumn,omitempty"` EndLine int `json:"endLine,omitempty"` EndColumn int `json:"endColumn,omitempty"` }
Region is a target region within a file.
type Result ¶
type Result struct { // RuleID is the Rule.ID/OSV producing the finding. RuleID string `json:"ruleId,omitempty"` // Level is one of "error", "warning", "note", and "none". Level string `json:"level,omitempty"` // Message explains the overall findings. Message Description `json:"message,omitempty"` // Locations to which the findings are associated. Locations []Location `json:"locations,omitempty"` // CodeFlows can encode call stacks produced by govulncheck. CodeFlows []CodeFlow `json:"codeFlows,omitempty"` // Stacks can encode call stacks produced by govulncheck. Stacks []Stack `json:"stacks,omitempty"` }
Result is a set of govulncheck findings for an OSV. For call stack mode, it will contain call stacks for the OSV. There is exactly one Result per detected OSV. Only findings at the lowest possible level appear in the Result. For instance, if there are findings with call stacks for an OSV, those findings will be in the Result, but not the “imports” and “requires” findings for the same OSV.
type Rule ¶
type Rule struct { // ID is OSV.ID ID string `json:"id,omitempty"` ShortDescription Description `json:"shortDescription,omitempty"` FullDescription Description `json:"fullDescription,omitempty"` Help Description `json:"help,omitempty"` HelpURI string `json:"helpUri,omitempty"` // Properties should contain OSV.Aliases (CVEs and GHSAs) as tags. // Consumers of govulncheck SARIF can use these tags to filter // results based on, say, CVEs. Properties RuleTags `json:"properties,omitempty"` }
Rule corresponds to the static analysis rule/analyzer that produces findings. For govulncheck, rules are OSVs.
type RuleTags ¶
type RuleTags struct {
Tags []string `json:"tags,omitempty"`
}
RuleTags defines properties.tags.
type Run ¶
type Run struct { Tool Tool `json:"tool,omitempty"` // Results contain govulncheck findings. There should be exactly one // Result per a detected OSV. Results []Result `json:"results,omitempty"` // URIBaseIDs encodes the SARIF originalUriBaseIds property URIBaseIDs map[string]ArtifactLocation `json:"originalUriBaseIds,omitempty"` }
Run summarizes results of a single invocation of a static analysis tool, in this case govulncheck.
type Stack ¶
type Stack struct { Message Description `json:"message,omitempty"` Frames []Frame `json:"frames,omitempty"` }
Stack is a sequence of frames and can encode a govulncheck call stack.
type ThreadFlow ¶
type ThreadFlow struct {
Locations []ThreadFlowLocation `json:"locations,omitempty"`
}
ThreadFlow encodes an information flow as a sequence of locations. For govulncheck, it can encode a call stack.