Constants ¶
// Lockfile and package-database paths that the scanner looks for, keyed by
// package manager. The absolute entries (apk, dpkg) are OS package databases;
// the rest are relative names looked up in the scanned tree. Note that
// MavenFilePath is a manifest (pom.xml), not a lockfile, so resolved versions
// for Maven are not pinned by this file alone.
const (
	// OS package databases (absolute paths inside an image or root filesystem).
	ApkFilePath  string = "/lib/apk/db/installed"
	DpkgFilePath string = "/var/lib/dpkg/status"

	// Language package-manager lockfiles and manifests (relative names).
	BundlerFilePath           string = "Gemfile.lock"
	ComposerFilePath          string = "composer.lock"
	ConanFilePath             string = "conan.lock"
	CratesFilePath            string = "Cargo.lock"
	GolangFilePath            string = "go.mod"
	GradleBuildScriptFilePath string = "buildscript-gradle.lockfile"
	GradleFilePath            string = "gradle.lockfile"
	HexFilePath               string = "mix.lock"
	MavenFilePath             string = "pom.xml" // manifest, not a lockfile
	NpmFilePath               string = "package-lock.json"
	NuGetFilePath             string = "packages.lock.json"
	PdmFilePath               string = "pdm.lock"
	PipfileFilePath           string = "Pipfile.lock"
	PnpmFilePath              string = "pnpm-lock.yaml"
	PoetryFilePath            string = "poetry.lock"
	PubFilePath               string = "pubspec.lock"
	RenvFilePath              string = "renv.lock"
	RequirementsFilePath      string = "requirements.txt" // manifest; versions may be unpinned
	UvFilePath                string = "uv.lock"
	YarnFilePath              string = "yarn.lock"
)
const (
	// ReachableSymbolLocationMetadata is the metadata key under which the
	// serialized ReachableSymbolLocations (see MarshalToJSONString) are
	// presumably stored — confirm against the writer.
	// NOTE(review): its type is the unexported packageMetadataTypeMulti, not
	// PackageMetadataType, so it is not a valid key for a PackageMetadata map.
	ReachableSymbolLocationMetadata packageMetadataTypeMulti = "reachable-symbol-location"
)
Variables ¶
// PackageManagerToLanguage maps each supported PackageManager to the Language
// used for display. Unknown has no entry, so looking it up yields the zero
// Language (""); callers should use the two-value form if they need to tell
// "unmapped" from a real language.
//
// NOTE(review): Crates (Cargo.lock) and Conan are both mapped to Cpp; there is
// no Rust Language constant in this package, so confirm the Crates mapping is
// intentional rather than a placeholder.
var PackageManagerToLanguage = map[PackageManager]Language{
	// JVM
	Maven:  Java,
	Gradle: Java,
	// JavaScript
	NPM:  Javascript,
	Yarn: Javascript,
	Pnpm: Javascript,
	// Python
	Requirements: Python,
	Pipfile:      Python,
	Pdm:          Python,
	Poetry:       Python,
	Uv:           Python,
	// Others
	NuGet:    Dotnet,
	Bundler:  Ruby,
	Golang:   Go,
	Composer: PHP,
	Crates:   Cpp, // see NOTE above
	Conan:    Cpp,
	Hex:      Elixir,
	Pub:      Dart,
	Renv:     R,
}
Functions ¶
This section is empty.
Types ¶
type AdvisoriesToCheckPerLanguage ¶
// AdvisoriesToCheckPerLanguage groups the advisories selected for reachability
// analysis by language. The key is presumably a Language string value — confirm
// against the producer; AdvisoryToCheck is declared elsewhere in the package.
type AdvisoriesToCheckPerLanguage map[string][]AdvisoryToCheck
type AdvisoryToCheck ¶
type Affected ¶
// Affected describes one affected package version: a single instance that
// contains the vulnerability. Field semantics follow the OSV schema
// (https://ossf.github.io/osv-schema/#affected-fields).
type Affected struct {
	// Package identifies the affected library or command. `omitempty` has no
	// effect on a struct value in encoding/json; it is the custom MarshalJSON
	// on this type that drops a zero-value Package.
	Package Package `json:"package,omitempty" yaml:"package,omitempty"`
	// Severity holds package-level severity entries; per the OSV schema they
	// apply to this package in preference to the vulnerability-level ones.
	Severity []Severity `json:"severity,omitempty" yaml:"severity,omitempty"`
	// Ranges lists the affected version ranges, each as a timeline of Events.
	Ranges []Range `json:"ranges,omitempty" yaml:"ranges,omitempty"`
	// Versions enumerates affected versions explicitly.
	Versions []string `json:"versions,omitempty" yaml:"versions,omitempty"`
	// DatabaseSpecific is free-form data from the source database. Its shape
	// is not validated here; treat it as untrusted when rendering or indexing.
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
	// EcosystemSpecific is free-form ecosystem-defined data (same caveat).
	EcosystemSpecific map[string]interface{} `json:"ecosystem_specific,omitempty" yaml:"ecosystem_specific,omitempty"`
}
Affected describes an affected package version, meaning one instance that contains the vulnerability.
See: https://ossf.github.io/osv-schema/#affected-fields
func (Affected) MarshalJSON ¶
MarshalJSON implements the json.Marshaler interface.
This method ensures Package is only present if it is not equal to the zero value. This is achieved by embedding the Affected struct with a pointer to Package used to populate the "package" key in the JSON object.
type AnalysisInfo ¶
// AnalysisInfo carries the outcome of a call-graph style analysis.
type AnalysisInfo struct {
	// Called reports whether the analyzed code is reached; presumably whether
	// the vulnerable symbol is called by the scanned project — confirm against
	// the producer.
	Called bool `json:"called"`
}
type ArtifactDetail ¶
type Credit ¶
// Credit gives credit for the discovery, confirmation, patch, or other events
// in the life cycle of a vulnerability (OSV "credits" entry).
type Credit struct {
	// Name of the person or organization being credited (required).
	Name string `json:"name" yaml:"name"`
	// Type is one of the CreditType constants; empty when unspecified.
	Type CreditType `json:"type,omitempty" yaml:"type,omitempty"`
	// Contact lists contact points (per the OSV schema, typically URLs).
	// They are not validated here.
	Contact []string `json:"contact,omitempty" yaml:"contact,omitempty"`
}
Credit gives credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.
type CreditType ¶
// CreditType is the role a Credit entry played, using the OSV schema values.
type CreditType string

// Allowed CreditType values. The nolint directives suppress a gosec false
// positive on the "REMEDIATION_*" strings (they are not credentials).
const (
	CreditFinder               CreditType = "FINDER"
	CreditReporter             CreditType = "REPORTER"
	CreditAnalyst              CreditType = "ANALYST"
	CreditCoordinator          CreditType = "COORDINATOR"
	CreditRemediationDeveloper CreditType = "REMEDIATION_DEVELOPER" //nolint:gosec
	CreditRemediationReviewer  CreditType = "REMEDIATION_REVIEWER"  //nolint:gosec
	CreditRemediationVerifier  CreditType = "REMEDIATION_VERIFIER"  //nolint:gosec
	CreditTool                 CreditType = "TOOL"
	CreditSponsor              CreditType = "SPONSOR"
	CreditOther                CreditType = "OTHER"
)
type DetectionResults ¶
// DetectionResults is a map of purl -> advisory ID -> reachable symbol
// locations. A purl with no entry was not analyzed; an advisory with an empty
// list was analyzed and found unreachable — confirm the latter with the producer.
type DetectionResults map[string]map[string]ReachableSymbolLocations
DetectionResults is a map of purl -> advisoryId -> []reachableSymbols
type Ecosystem ¶
// Ecosystem is an OSV ecosystem name as it appears in the advisory's
// affected[].package.ecosystem field.
type Ecosystem string

// Known OSV ecosystem names. Values are case-sensitive and must match the
// advisory source exactly.
const (
	EcosystemGo            Ecosystem = "Go"
	EcosystemNPM           Ecosystem = "npm"
	EcosystemOSSFuzz       Ecosystem = "OSS-Fuzz"
	EcosystemPyPI          Ecosystem = "PyPI"
	EcosystemRubyGems      Ecosystem = "RubyGems"
	EcosystemCratesIO      Ecosystem = "crates.io"
	EcosystemPackagist     Ecosystem = "Packagist"
	EcosystemMaven         Ecosystem = "Maven"
	EcosystemNuGet         Ecosystem = "NuGet"
	EcosystemLinux         Ecosystem = "Linux"
	EcosystemDebian        Ecosystem = "Debian"
	EcosystemAlpine        Ecosystem = "Alpine"
	EcosystemHex           Ecosystem = "Hex"
	EcosystemAndroid       Ecosystem = "Android"
	EcosystemGitHubActions Ecosystem = "GitHub Actions"
	EcosystemPub           Ecosystem = "Pub"
	EcosystemConanCenter   Ecosystem = "ConanCenter"
	EcosystemRockyLinux    Ecosystem = "Rocky Linux"
	EcosystemAlmaLinux     Ecosystem = "AlmaLinux"
	EcosystemBitnami       Ecosystem = "Bitnami"
	EcosystemPhotonOS      Ecosystem = "Photon OS"
	EcosystemCRAN          Ecosystem = "CRAN"
	EcosystemBioconductor  Ecosystem = "Bioconductor"
	EcosystemSwiftURL      Ecosystem = "SwiftURL"
)
func (Ecosystem) IsDevGroup ¶
IsDevGroup returns if any string in groups indicates the development dependency group for the specified ecosystem.
type Event ¶
// Event is one point on an affected-range timeline. Exactly one field is
// expected to be set per event (per the OSV schema); this type does not
// enforce that, so consumers should validate before acting on it.
type Event struct {
	// Introduced is the version that introduces the vulnerability
	// ("0" meaning all prior versions, per the schema).
	Introduced string `json:"introduced,omitempty" yaml:"introduced,omitempty"`
	// Fixed is the version that fixes the vulnerability.
	Fixed string `json:"fixed,omitempty" yaml:"fixed,omitempty"`
	// LastAffected is the last known affected version.
	LastAffected string `json:"last_affected,omitempty" yaml:"last_affected,omitempty"`
	// Limit is an upper bound on the range being described.
	Limit string `json:"limit,omitempty" yaml:"limit,omitempty"`
}
Event describes a single version that either:
- Introduces a vulnerability: {"introduced": string}
- Fixes a vulnerability: {"fixed": string}
- Describes the last known affected version: {"last_affected": string}
- Sets an upper limit on the range being described: {"limit": string}
Event instances form part of a “timeline” of status changes for the affected package described by the Affected struct.
See: https://ossf.github.io/osv-schema/#affectedrangesevents-fields
type FilePosition ¶
// FilePosition locates a span of text in a file. The setters below mutate
// Line and Column in place, so callers must hold a pointer.
type FilePosition struct {
	// Line is the start/end line span (Position is declared elsewhere in the
	// package; its fields are not shown here).
	Line Position `json:"line"`
	// Column is the start/end column span.
	Column Position `json:"column"`
	// Filename is the file the span belongs to.
	Filename string `json:"file_name"`
}
func (*FilePosition) GetNestedDependencies ¶
func (p *FilePosition) GetNestedDependencies() map[string]*FilePosition
func (*FilePosition) IsStartSet ¶
func (p *FilePosition) IsStartSet() bool
func (*FilePosition) SetColumnEnd ¶
func (p *FilePosition) SetColumnEnd(position int)
func (*FilePosition) SetColumnStart ¶
func (p *FilePosition) SetColumnStart(position int)
func (*FilePosition) SetLineEnd ¶
func (p *FilePosition) SetLineEnd(position int)
func (*FilePosition) SetLineStart ¶
func (p *FilePosition) SetLineStart(position int)
type IFilePosition ¶
type Language ¶ added in v0.0.5
// Language is a human-readable language name used only for display.
type Language string

// Display-only language names. Do not use these as backend identifiers; the
// backend uses its own constants.
const (
	Java       Language = "Java"
	Python     Language = "Python"
	Dotnet     Language = ".NET"
	Javascript Language = "Javascript"
	Ruby       Language = "Ruby"
	Go         Language = "Go"
	PHP        Language = "PHP"
	Cpp        Language = "C++"
	Elixir     Language = "Elixir"
	Dart       Language = "Dart"
	R          Language = "R"
)
These constants are only used for display purposes. For language constants used by our backend, follow this pattern: https://github.com/DataDog/datadog-ci/blob/master/src/commands/sbom/types.ts#L1-L10
type Package ¶
// Package identifies the affected code library or command provided by the
// package (https://ossf.github.io/osv-schema/#affectedpackage-field).
type Package struct {
	// Ecosystem is the OSV ecosystem the package belongs to.
	Ecosystem Ecosystem `json:"ecosystem" yaml:"ecosystem"`
	// Name is the package name as known in that ecosystem.
	Name string `json:"name" yaml:"name"`
	// Purl is the package URL, when the advisory provides one.
	Purl string `json:"purl,omitempty" yaml:"purl,omitempty"`
}
Package identifies the affected code library or command provided by the package.
See: https://ossf.github.io/osv-schema/#affectedpackage-field
type PackageInfo ¶
// PackageInfo is the scanner's description of one scanned package. Unlike
// Package, its Ecosystem is a plain string and it carries the scanned
// Version (or Commit).
type PackageInfo struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	// Ecosystem is the ecosystem name; presumably one of the Ecosystem
	// constants' values — confirm with the producer.
	Ecosystem string `json:"ecosystem"`
	// Commit identifies the package by VCS commit when no version applies.
	Commit string `json:"commit,omitempty"`
	Purl   string `json:"purl,omitempty"`
}
PackageInfo holds the specific package information.
type PackageLocation ¶
// PackageLocation is a span in a manifest or lockfile. IsValid reports whether
// the span is usable and Hash derives a stable key from it (both declared
// below); the numbering base (0 or 1) is not fixed by this type.
type PackageLocation struct {
	Filename    string `json:"file_name"`
	LineStart   int    `json:"line_start"`
	LineEnd     int    `json:"line_end"`
	ColumnStart int    `json:"column_start"`
	ColumnEnd   int    `json:"column_end"`
}
func (PackageLocation) Hash ¶
func (location PackageLocation) Hash() string
func (PackageLocation) IsValid ¶
func (location PackageLocation) IsValid() bool
type PackageLocations ¶
// PackageLocations groups the spans describing one dependency declaration.
// Block is always present; the finer-grained spans are optional and nil when
// the parser could not locate them. Clean returns a normalized copy.
type PackageLocations struct {
	// Block is the whole declaration.
	Block PackageLocation `json:"block"`
	// Namespace, Name and Version are the spans of those parts, if found.
	Namespace *PackageLocation `json:"namespace,omitempty"`
	Name      *PackageLocation `json:"name,omitempty"`
	Version   *PackageLocation `json:"version,omitempty"`
}
func (PackageLocations) Clean ¶
func (location PackageLocations) Clean() *PackageLocations
func (PackageLocations) MarshalToJSONString ¶
func (location PackageLocations) MarshalToJSONString() (string, error)
type PackageManager ¶
// PackageManager names the tool whose manifest or lockfile a package came
// from. The string values are emitted in results (see PackageManagerMetadata).
type PackageManager string

// Supported package managers. Unknown is the fallback and has no
// PackageManagerToLanguage entry.
// NOTE(review): Uv's value is lowercase "uv" while every other value is
// capitalized; it is a serialized value, so changing it would alter output.
const (
	Bundler      PackageManager = "Bundler"
	Composer     PackageManager = "Composer"
	Conan        PackageManager = "Conan"
	Crates       PackageManager = "Crates"
	Golang       PackageManager = "Golang"
	Gradle       PackageManager = "Gradle"
	Hex          PackageManager = "Hex"
	Maven        PackageManager = "Maven"
	NPM          PackageManager = "NPM"
	NuGet        PackageManager = "NuGet"
	Pdm          PackageManager = "Pdm"
	Pipfile      PackageManager = "Pipfile"
	Pnpm         PackageManager = "Pnpm"
	Poetry       PackageManager = "Poetry"
	Pub          PackageManager = "Pub"
	Renv         PackageManager = "Renv"
	Requirements PackageManager = "Requirements"
	Unknown      PackageManager = "Unknown"
	Uv           PackageManager = "uv"
	Yarn         PackageManager = "Yarn"
)
type PackageMetadata ¶
// PackageMetadata is a string-valued bag of per-package facts keyed by
// PackageMetadataType. A nil map is safe to read but writing to it panics;
// use Merge (declared below) to combine two sets.
type PackageMetadata map[PackageMetadataType]string
func (PackageMetadata) Merge ¶
func (metadata PackageMetadata) Merge(other PackageMetadata) PackageMetadata
type PackageMetadataType ¶
// PackageMetadataType is a key in a PackageMetadata map.
type PackageMetadataType string

// Known PackageMetadata keys. Values are strings even for boolean facts
// (is-direct, is-dev); the encoding used is not fixed by this package.
const (
	PackageManagerMetadata     PackageMetadataType = "package-manager"
	IsDirectDependencyMetadata PackageMetadataType = "is-direct"
	IsDevDependencyMetadata    PackageMetadataType = "is-dev"
	ExclusionMetadata          PackageMetadataType = "exclusion"
)
type PackageSource ¶
// PackageSource groups scanned packages (and their vulnerabilities) by the
// source file they were read from.
type PackageSource struct {
	// Source identifies the manifest or lockfile.
	Source SourceInfo `json:"source"`
	// Packages are the packages found in that source.
	Packages []PackageVulns `json:"packages"`
}
PackageSource groups vulnerabilities by source.
type PackageVulns ¶
// PackageVulns is one scanned package together with everything found about
// it: dependency groups, source locations, vulnerabilities and metadata.
type PackageVulns struct {
	Package PackageInfo `json:"package"`
	// DepGroups are the dependency groups the package belongs to (see
	// Ecosystem.IsDevGroup for how dev groups are recognized).
	DepGroups []string `json:"dependency_groups,omitempty"`
	// Locations are the places the package is declared.
	Locations []PackageLocations `json:"locations,omitempty"`
	// Vulnerabilities matched to this package version.
	Vulnerabilities []Vulnerability `json:"vulnerabilities,omitempty"`
	Metadata        PackageMetadata `json:"metadata,omitempty"`
	// AdvisoriesForReachability lists advisory IDs selected for reachability
	// analysis on this package.
	AdvisoriesForReachability []string `json:"reachability_advisories,omitempty"`
}
PackageVulns groups vulnerabilities by package. TODO: rename this to Package, as it now includes license information too.
type PurlToReachabilityAnalysisResults ¶
// PurlToReachabilityAnalysisResults maps purl -> results. Values are pointers,
// so a present key may still hold nil; check before dereferencing.
type PurlToReachabilityAnalysisResults map[string]*ReachabilityAnalysisResults
PurlToReachabilityAnalysisResults is a map of purl -> ReachabilityAnalysisResults
type Range ¶
// Range describes the affected version range of a package as a timeline of
// Events (https://ossf.github.io/osv-schema/#affectedranges-field).
type Range struct {
	// Type is the versioning scheme the events use (see RangeType).
	Type RangeType `json:"type" yaml:"type"`
	// Events are the introduced/fixed/last_affected/limit points.
	Events []Event `json:"events" yaml:"events"`
	// Repo is the repository URL for GIT ranges.
	Repo string `json:"repo,omitempty" yaml:"repo,omitempty"`
	// DatabaseSpecific is unvalidated free-form data from the source database.
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}
Range describes the affected range of given version for a specific package.
See: https://ossf.github.io/osv-schema/#affectedranges-field
type ReachabilityAnalysis ¶
// ReachabilityAnalysis is the top-level result of a reachability run. It has
// no JSON tags, so if it is serialized the Go field name is used.
type ReachabilityAnalysis struct {
	PurlToReachabilityAnalysisResults PurlToReachabilityAnalysisResults
}
type ReachabilityAnalysisResults ¶
// ReachabilityAnalysisResults holds the reachability outcome for one purl.
// An advisory that appears in AdvisoryIdsChecked but not in
// ReachableVulnerabilities was analyzed and not found reachable; one absent
// from both was not analyzed at all. No JSON tags are declared.
type ReachabilityAnalysisResults struct {
	ReachableVulnerabilities []ReachableVulnerability
	AdvisoryIdsChecked       []string
}
ReachabilityAnalysisResults contains the results of a reachability analysis for one PURL.
type ReachableSymbolLocation ¶
// ReachableSymbolLocation records where a vulnerable symbol is reached.
// PackageLocation is embedded, so its tagged fields (file_name, line_start,
// ...) are flattened into the same JSON object as "symbol".
type ReachableSymbolLocation struct {
	PackageLocation
	// Symbol is the reached symbol's name.
	Symbol string `json:"symbol"`
}
ReachableSymbolLocation details where a vulnerability was deemed reachable.
type ReachableSymbolLocations ¶
// ReachableSymbolLocations is the list of places a vulnerability was found
// reachable. MarshalToJSONString (below) renders it as a string for CycloneDX.
type ReachableSymbolLocations []ReachableSymbolLocation
ReachableSymbolLocations contains all locations (and their associated symbols) where the vulnerability was determined to be reachable.
func (ReachableSymbolLocations) MarshalToJSONString ¶
func (reachableSymbolLocations ReachableSymbolLocations) MarshalToJSONString() (string, error)
MarshalToJSONString marshals the ReachableSymbolLocations list into a JSON string. This is needed to pass this information into a CycloneDX field that requires a string.
type ReachableVulnerability ¶
// ReachableVulnerability is one advisory that was analyzed for reachability,
// with the locations at which it was found reachable.
type ReachableVulnerability struct {
	// AdvisoryID is the vulnerability identifier that was analyzed.
	AdvisoryID string `json:"advisory_id"`
	// ReachableSymbolLocations are the locations where the vulnerability was
	// deemed reachable, if any; empty means none were found.
	ReachableSymbolLocations ReachableSymbolLocations `json:"reachable_symbol_locations,omitempty"`
}
ReachableVulnerability contains info for a vulnerability that was deemed reachable.
type Reference ¶
// Reference links to additional information about the vulnerability
// (advisories, issue-tracker entries, articles, ...).
type Reference struct {
	// Type classifies the link (see ReferenceType).
	Type ReferenceType `json:"type" yaml:"type"`
	// URL is taken verbatim from the advisory and is not validated here;
	// treat it as untrusted before rendering it as a link or fetching it.
	URL string `json:"url" yaml:"url"`
}
Reference links to additional information, advisories, issue tracker entries, and so on about the vulnerability itself.
type ReferenceType ¶
// ReferenceType classifies a Reference, using the OSV schema values.
type ReferenceType string

// Allowed ReferenceType values.
const (
	ReferenceAdvisory   ReferenceType = "ADVISORY"
	ReferenceArticle    ReferenceType = "ARTICLE"
	ReferenceDetection  ReferenceType = "DETECTION"
	ReferenceDiscussion ReferenceType = "DISCUSSION"
	ReferenceReport     ReferenceType = "REPORT"
	ReferenceFix        ReferenceType = "FIX"
	ReferenceIntroduced ReferenceType = "INTRODUCED"
	ReferencePackage    ReferenceType = "PACKAGE"
	ReferenceEvidence   ReferenceType = "EVIDENCE"
	ReferenceWeb        ReferenceType = "WEB"
)
type ScannedArtifact ¶
// ScannedArtifact is an artifact (e.g. an image or file) that was scanned,
// with an optional single parent it depends on. ArtifactDetail is declared
// elsewhere in the package and is embedded here, so its fields are promoted.
type ScannedArtifact struct {
	ArtifactDetail
	// DependsOn is the parent artifact, or nil when there is none.
	DependsOn *ArtifactDetail
}
type Severity ¶
// Severity is one quantitative severity entry for a vulnerability.
type Severity struct {
	// Type is the scoring method (see SeverityType).
	Type SeverityType `json:"type" yaml:"type"`
	// Score is the score for that method; per the OSV schema this is the
	// CVSS vector string, not a numeric value, so parse before comparing.
	Score string `json:"score" yaml:"score"`
}
Severity is used to describe the severity of a vulnerability for an affected package using one or more quantitative scoring methods.
type SeverityType ¶
// SeverityType names the scoring method used by a Severity entry.
type SeverityType string

// Supported severity scoring methods (CVSS versions 2, 3 and 4).
const (
	SeverityCVSSV2 SeverityType = "CVSS_V2"
	SeverityCVSSV3 SeverityType = "CVSS_V3"
	SeverityCVSSV4 SeverityType = "CVSS_V4"
)
type SourceInfo ¶
// SourceInfo identifies the manifest or lockfile a set of packages came from.
// String (below) renders it for display.
type SourceInfo struct {
	// Path of the source file; whether it is absolute or relative to the
	// scan root is decided by the producer.
	Path string `json:"path"`
}
func (SourceInfo) String ¶
func (s SourceInfo) String() string
type StringWithPosition ¶
// StringWithPosition is a string value paired with where it was read in the
// file. FilePosition is embedded, so its fields and setters are promoted.
// Decoding from XML goes through the custom UnmarshalXML method.
type StringWithPosition struct {
	// Value is the decoded text with surrounding whitespace/comments removed.
	Value string
	FilePosition
}
StringWithPosition is a structure meant to deserialize string data along with the position of that data in the file, when the data can be mixed with other content such as:
- spaces, tabs and newline for formatting
- comments (for example with XML based files)
It supports XML-based files through the UnmarshalXML method.
func (*StringWithPosition) UnmarshalXML ¶
func (stringHolder *StringWithPosition) UnmarshalXML(decoder *xml.Decoder, start xml.StartElement) error
type Vulnerabilities ¶
// Vulnerabilities is a list of Vulnerability whose MarshalJSON (below) emits
// an empty array instead of null when the list is nil or empty.
type Vulnerabilities []Vulnerability
func (Vulnerabilities) MarshalJSON ¶
func (vs Vulnerabilities) MarshalJSON() ([]byte, error)
MarshalJSON ensures that if there are no vulnerabilities, an empty array is used as the value instead of "null"
type Vulnerability ¶
// Vulnerability is the core Open Source Vulnerability (OSV) record
// (https://ossf.github.io/osv-schema). Time fields are written by the custom
// MarshalJSON/MarshalYAML methods in the schema's timestamp format.
type Vulnerability struct {
	SchemaVersion string `json:"schema_version,omitempty" yaml:"schema_version,omitempty"`
	// ID is the OSV identifier and is always emitted.
	ID       string    `json:"id" yaml:"id"`
	Modified time.Time `json:"modified" yaml:"modified"`
	// NOTE(review): `omitempty` has no effect on a non-pointer time.Time in
	// encoding/json, so a zero Published/Withdrawn is only omitted if the
	// custom MarshalJSON handles it — confirm.
	Published time.Time `json:"published,omitempty" yaml:"published,omitempty"`
	Withdrawn time.Time `json:"withdrawn,omitempty" yaml:"withdrawn,omitempty"`
	// Aliases are other IDs for the same vulnerability; Related are distinct
	// but related ones.
	Aliases []string `json:"aliases,omitempty" yaml:"aliases,omitempty"`
	Related []string `json:"related,omitempty" yaml:"related,omitempty"`
	// Summary and Details are free text from the advisory; escape before
	// rendering as HTML.
	Summary string `json:"summary,omitempty" yaml:"summary,omitempty"`
	Details string `json:"details,omitempty" yaml:"details,omitempty"`
	// Affected lists the affected packages and ranges.
	Affected []Affected `json:"affected,omitempty" yaml:"affected,omitempty"`
	// Severity is the vulnerability-level severity; Affected entries may
	// carry their own.
	Severity   []Severity  `json:"severity,omitempty" yaml:"severity,omitempty"`
	References []Reference `json:"references,omitempty" yaml:"references,omitempty"`
	Credits    []Credit    `json:"credits,omitempty" yaml:"credits,omitempty"`
	// DatabaseSpecific is unvalidated free-form data from the source database.
	DatabaseSpecific map[string]interface{} `json:"database_specific,omitempty" yaml:"database_specific,omitempty"`
}
Vulnerability is the core Open Source Vulnerability (OSV) data type.
The full documentation for the schema is available at https://ossf.github.io/osv-schema.
func (Vulnerability) MarshalJSON ¶
func (v Vulnerability) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
This method ensures all times are formatted correctly according to the schema.
func (Vulnerability) MarshalYAML ¶
func (v Vulnerability) MarshalYAML() (interface{}, error)
MarshalYAML implements the yaml.Marshaler interface.
This method ensures all times are formatted correctly.
type VulnerabilityResults ¶
// VulnerabilityResults is the top-level scan output: vulnerabilities grouped
// by source, plus the artifacts that were scanned.
type VulnerabilityResults struct {
	Results []PackageSource `json:"results"`
	// Artifacts are the scanned artifacts; omitted when there are none.
	Artifacts []ScannedArtifact `json:"artifacts,omitempty"`
}
VulnerabilityResults is the combined set of vulnerabilities found for the scanned packages.