v0.94.1 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Apr 10, 2024 License: Apache-2.0 Imports: 18 Imported by: 0




This section is empty.


This section is empty.


func NewLinter added in v0.55.0

func NewLinter(paths []string) (linter.Linter, error)

func PreparePackageQuery

func PreparePackageQuery(ctx context.Context, modules []Module) (rego.PreparedEvalQuery, error)

func ReportPackages

func ReportPackages(ctx context.Context, logger *slog.Logger, sqlDB *sql.DB, platform string, org string, repo string, owner string, level string) (table.Writer, error)


type EvaluationInput added in v0.65.2

type EvaluationInput struct {
	Project    EvaluationInputProject    `json:"project"`
	Dependency EvaluationInputDependency `json:"dependency"`

func PreparePolicyEvaluationInputs added in v0.75.2

func PreparePolicyEvaluationInputs(ctx context.Context, sqlDB *sql.DB) ([]EvaluationInput, error)

func (EvaluationInput) AsAstValue added in v0.75.2

func (i EvaluationInput) AsAstValue() ast.Value

type EvaluationInputDependency added in v0.65.2

type EvaluationInputDependency struct {
	// PackageName contains the name of the package
	PackageName string `json:"package_name"`
	// Version indicates the version of this dependency
	// NOTE this could be a version constraint, such as any of:
	//     <=1.3.4,>=1.3.0
	//     "~> 0.9"
	//     latest
	//     ^2.0.6
	//     =1.0.4
	// As well as a specific value, such as:
	//     1.0.4
	//     10
	//     latest
	// This versioning will be implementation-specific for the `packageManager` in use
	Version string `json:"version"`
	// CurrentVersion defines the current version that this package's `version` resolves to
	// If the `version` is an exact version number, such as `1.0.4`, then `currentVersion` will usually be the same value, `1.0.4`
	// If the `version` is a version constraint, then this column MAY indicate the exact version that was resolved at the time of dependency analysis
	// CurrentVersion may be empty
	CurrentVersion string `json:"current_version"`
	// PackageManager indicates the package manager that the Policy Violation will correspond to
	PackageManager string `json:"package_manager"`
	// packageFilePath defines the path within `repo` that defines the `packageName` as a dependency. For example:
	//     .github/workflows/build.yml
	//     go.mod
	//     build/Dockerfile
	// NOTE that this may be empty (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/396)
	PackageFilePath string `json:"package_file_path"`
	// DepTypes defines the different dependency types that may be in use. This will always be a JSON array, with 0 or more string elements. For example:
	//    []
	//    ["action"]
	//    ["dependencies","lockfile"]
	//    ["dependencies","missing-data"]
	//    ["lockfile","lockfile-yarn-pinning-^21.1.1"]
	//    ["engines"]
	// Based on which datasource(s) (https://dmd.tanna.dev/concepts/datasource/) you are using, this will have different values and meanings
	// NOTE that in the future these there will be a more consistent naming structure for these (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/379)
	DepTypes []string `json:"dep_types"`
	// Licenses contains the SPDX Identifier(s) or SPDX License Expression(s) (https://spdx.dev/learn/handling-license-info/) that declares this package's license
	Licenses []string `json:"licenses"`

	Health *EvaluationInputDependencyHealth `json:"health,omitempty"`

type EvaluationInputDependencyHealth added in v0.76.0

type EvaluationInputDependencyHealth struct {
	SecurityScorecard *EvaluationInputDependencyHealthScorecard         `json:"security_scorecard,omitempty"`
	Ecosystems        *EvaluationInputDependencyHealthEcosystemsPackage `json:"ecosystems,omitempty"`

type EvaluationInputDependencyHealthEcosystemsPackage added in v0.76.0

type EvaluationInputDependencyHealthEcosystemsPackage struct {
	Repo                     *EvaluationInputDependencyHealthEcosystemsRepo `json:"repo,omitempty"`
	LatestReleasePublishedAt *string                                        `json:"latest_release_published_at,omitempty"`
	LastSyncedAt             *string                                        `json:"last_synced_at,omitempty"`
	Status                   *string                                        `json:"status,omitempty"`

type EvaluationInputDependencyHealthEcosystemsRepo added in v0.76.0

type EvaluationInputDependencyHealthEcosystemsRepo struct {
	Archived     *bool   `json:"archived,omitempty"`
	PushedAt     *string `json:"pushed_at,omitempty"`
	UpdatedAt    *string `json:"updated_at,omitempty"`
	LastSyncedAt *string `json:"last_synced_at,omitempty"`

type EvaluationInputDependencyHealthScorecard added in v0.76.0

type EvaluationInputDependencyHealthScorecard struct {
	Score              *float64 `json:"score"`
	CodeReview         *int     `json:"code_review,omitempty"`
	Maintained         *int     `json:"maintained"`
	CiiBestPractices   *int     `json:"cii_best_practices"`
	License            *int     `json:"license"`
	DangerousWorkflow  *int     `json:"dangerous_workflow"`
	Packaging          *int     `json:"packaging"`
	TokenPermissions   *int     `json:"token_permissions"`
	SignedReleases     *int     `json:"signed_releases"`
	BranchProtection   *int     `json:"branch_protection"`
	BinaryArtifacts    *int     `json:"binary_artifacts"`
	Fuzzing            *int     `json:"fuzzing"`
	SecurityPolicy     *int     `json:"security_policy"`
	Sast               *int     `json:"sast"`
	Vulnerabilities    *int     `json:"vulnerabilities"`
	PinnedDependencies *int     `json:"pinned_dependencies"`

type EvaluationInputProject added in v0.65.2

type EvaluationInputProject struct {
	// Platform describes the source hosting platform this dependency's repository is found on, i.e. `github`, `gitlab`, `gitea`, etc
	Platform string `json:"platform"`
	// Organisation describes the organisation this dependency's repository is found on. Can include `/` for nested organisations
	Organisation string `json:"organisation"`
	// Repo is the repo name
	Repo string `json:"repo"`
	// Metadata tracks metadata about the repository, which is sourced from the `repository_metadata` table
	Metadata *EvaluationInputRepositoryMetadata `json:"metadata,omitempty"`

type EvaluationInputRepositoryMetadata added in v0.67.0

type EvaluationInputRepositoryMetadata struct {
	// IsMonorepo indicates whether the repository is treated as a monorepo
	IsMonorepo bool `json:"is_monorepo"`
	// IsFork indicates whether this is a forked repository. This could indicate that this is a temporary repository, a long-standing fork for security + supply-chain hygiene purposes, or some other reason.
	IsFork bool `json:"is_fork"`
	// RepositoryType is a free-form field to create enum-style data, for instance `LIBRARY` or `SERVICE`, or `EXAMPLE_CODE`.
	// This may track with your Developer Portal's own definition of a repository's type.
	RepositoryType string `json:"repository_type"`
	// RepositoryUsage is a free-form field to note additional information around the repository's usage, which is organisation-specific.
	// For instance, this may be enum-style data, a space-separated list of enum-style data, or a long human-readable description.
	RepositoryUsage *string `json:"repository_usage,omitempty"`
	// Visibility indicates the repository's visibility in the source forge
	// NOTE that this may be straightforward if you're using a publicly hosted source forge, but if you're running on an internally run, i.e. VPN'd off source force, this field may have a slightly different interpretation
	Visibility string `json:"visibility"`
	// Description is a textual description of the repo for more context, which can include links out to other systems i.e. a Service Catalog. The contents will be shown verbatim to a user, and will not be interpreted as markup
	Description *string `json:"description,omitempty"`
	// AdditionalMetadata contains additional key-value data that can be used to provide custom organisation-specific configuration, and augment any queries for data with information around this additional metadata.
	// For instance:
	// - `last_commit_date` - the last commit date to the project
	// - `pci_environment` - the PCI environment the application is deployed to
	// - `customer_type` - i.e. whether it's used for government, financial
	//   users, etc
	AdditionalMetadata map[string]string `json:"additional_metadata,omitempty"`

type Level added in v0.60.0

type Level string
const (
	LevelError   Level = "ERROR"
	LevelWarning Level = "WARN"

func (Level) String added in v0.60.0

func (l Level) String() string

type Module

type Module struct {
	Filepath string
	Contents string

type PolicyViolation

type PolicyViolation struct {
	DepTypes []string

	Level        Level
	AdvisoryType advisory.AdvisoryType
	Description  string

func EvaluatePolicies

func EvaluatePolicies(ctx context.Context, query rego.PreparedEvalQuery, inputs []EvaluationInput) ([]PolicyViolation, int, error)

func (PolicyViolation) DepTypesAsString

func (v PolicyViolation) DepTypesAsString() string


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL