Documentation ¶
Index ¶
- Constants
- Variables
- func FileList(dir string, patterns []regexp.Regexp) ([]string, error)
- func FileResolvePath(dir string, file string) string
- func FindVulnerabilityCVSSV3(vuln types.DetectedVulnerability) (string, float64, *metric.Base)
- func RenderCVSSScoreString(cvssScore float64) string
- func SlicesFilter[E any](slice []E, filterFn func(E) bool) []E
- func SlicesFind[E any](slice []E, fn func(E) bool) *E
- func SlicesFlatMap[I any, O any](slice []I, mapFn func(I) []O) []O
- func SlicesMap[I any, O any](slice []I, mapFn func(I) O) []O
- func SlicesUnique[E comparable](slice []E) []E
- func StringAbbreviate(str string, maxLength int) string
- func StringSanitize(s string) string
- func StringSanitizeOneLine(s string) string
- func TrivyDownloadDb(ctx context.Context, dir string) error
- func TrivyImage(ctx context.Context, dir string, image string) (*types.Report, error)
- type AndPolicyMatcher
- type ArtifactNameShortPolicyMatcher
- type CVSSPolicyMatcher
- type CVSSPolicyMatcherCVSS
- type ClassPolicyMatcher
- type Config
- type ConfigGithub
- type ConfigPolicy
- type GithubIssueTask
- type Group
- type IDPolicyMatcher
- type Logger
- type NotPolicyMatcher
- type OrPolicyMatcher
- type PackageNamePolicyMatcher
- type PolicyMatcher
- type ProcessedUnfixedVulnerability
- type Scan
- func (s *Scan) ProcessDashboard(allUnfixedVulnerabilities []ProcessedUnfixedVulnerability) error
- func (s *Scan) ProcessFixedVulnerabilities(artifactNameShort string, unfixedIssueNumbers []int) ([]int, error)
- func (s *Scan) ProcessUnfixedVulnerability(artifactNameShort string, report types.Report, res types.Result, ...) (*ProcessedUnfixedVulnerability, error)
- func (s *Scan) RenderGithubDashboardIssueBody(allUnfixedVulnerabilities []ProcessedUnfixedVulnerability, footer string) string
- func (s *Scan) RenderGithubIssueBody(report types.Report, res types.Result, vuln types.DetectedVulnerability, ...) string
- func (s *Scan) Run() error
- func (s *Scan) ScrapeFile(file string) ([]string, error)
- type StringArray
- type UnfixedVulnerability
Constants ¶
View Source
const TrivyBin = "trivy"
Variables ¶
View Source
var ( AVName = "Attack Vector" AVDescription = "" /* 257-byte string literal not displayed */ AVValueNames = map[metric.AttackVector]string{ metric.AttackVectorNetwork: "Network", metric.AttackVectorAdjacent: "Adjacent Network", metric.AttackVectorLocal: "Local", metric.AttackVectorPhysical: "Physical", } AVValueDescriptions = map[metric.AttackVector]string{ metric.AttackVectorNetwork: "A vulnerability exploitable with Network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).", metric.AttackVectorAdjacent: "A vulnerability exploitable with Adjacent Network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router).", metric.AttackVectorLocal: "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, or may rely on User Interaction to execute a malicious file.", metric.AttackVectorPhysical: "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component, such as attaching an peripheral device to a system.", } )
View Source
var ( ACName = "Attack Complexity" ACDescription = "" /* 323-byte string literal not displayed */ ACValueNames = map[metric.AttackComplexity]string{ metric.AttackComplexityHigh: "High", metric.AttackComplexityLow: "Low", } ACValueDescriptions = map[metric.AttackComplexity]string{ metric.AttackComplexityHigh: "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.", metric.AttackComplexityLow: "A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.", } )
View Source
var ( PRName = "Privileges Required" PRDescription = "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability." PRValueNames = map[metric.PrivilegesRequired]string{ metric.PrivilegesRequiredNone: "None", metric.PrivilegesRequiredLow: "Low", metric.PrivilegesRequiredHigh: "High", } PRValueDescriptions = map[metric.PrivilegesRequired]string{ metric.PrivilegesRequiredNone: "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.", metric.PrivilegesRequiredLow: "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.", metric.PrivilegesRequiredHigh: "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.", } )
View Source
var ( UIName = "User Interaction" UIDescription = "" /* 336-byte string literal not displayed */ UIValueNames = map[metric.UserInteraction]string{ metric.UserInteractionNone: "None", metric.UserInteractionRequired: "Required", } UIValueDescriptions = map[metric.UserInteraction]string{ metric.UserInteractionNone: "The vulnerable system can be exploited without interaction from any user.", metric.UserInteractionRequired: "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited, such as convincing a user to click a link in an email.", } )
View Source
var ( SName = "Scope" SDescription = "" /* 350-byte string literal not displayed */ SValueNames = map[metric.Scope]string{ metric.ScopeUnchanged: "Unchanged", metric.ScopeChanged: "Changed", } SValueDescriptions = map[metric.Scope]string{ metric.ScopeUnchanged: "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.", metric.ScopeChanged: "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.", } )
View Source
var ( CName = "Confidentiality Impact" CDescription = "" /* 327-byte string literal not displayed */ CValueNames = map[metric.ConfidentialityImpact]string{ metric.ConfidentialityImpactNone: "None", metric.ConfidentialityImpactLow: "Low", metric.ConfidentialityImpactHigh: "High", } CValueDescriptions = map[metric.ConfidentialityImpact]string{ metric.ConfidentialityImpactNone: "There is no loss of confidentiality within the impacted component.", metric.ConfidentialityImpactLow: "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.", metric.ConfidentialityImpactHigh: "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.", } )
View Source
var ( IName = "Integrity Impact" IDescription = "" /* 327-byte string literal not displayed */ IValueNames = map[metric.IntegrityImpact]string{ metric.IntegrityImpactNone: "None", metric.IntegrityImpactLow: "Low", metric.IntegrityImpactHigh: "High", } IValueDescriptions = map[metric.IntegrityImpact]string{ metric.IntegrityImpactNone: "There is no loss of confidentiality within the impacted component.", metric.IntegrityImpactLow: "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.", metric.IntegrityImpactHigh: "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.", } )
View Source
var ( AName = "Availability Impact" ADescription = "" /* 642-byte string literal not displayed */ AValueNames = map[metric.AvailabilityImpact]string{ metric.AvailabilityImpactNone: "None", metric.AvailabilityImpactLow: "Low", metric.AvailabilityImpactHigh: "High", } AValueDescriptions = map[metric.AvailabilityImpact]string{ metric.AvailabilityImpactNone: "There is no impact to availability within the impacted component.", metric.AvailabilityImpactLow: "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.", metric.AvailabilityImpactHigh: "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).", } )
Functions ¶
func FileResolvePath ¶
func FindVulnerabilityCVSSV3 ¶
func RenderCVSSScoreString ¶
func SlicesFilter ¶
func SlicesFind ¶
func SlicesFlatMap ¶
func SlicesUnique ¶
func SlicesUnique[E comparable](slice []E) []E
func StringAbbreviate ¶
func StringSanitize ¶
func StringSanitizeOneLine ¶
Types ¶
type AndPolicyMatcher ¶
type AndPolicyMatcher struct {
And []PolicyMatcher `yaml:"and"`
}
func (*AndPolicyMatcher) IsMatch ¶
func (p *AndPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*AndPolicyMatcher) IsNonEmpty ¶
func (p *AndPolicyMatcher) IsNonEmpty() bool
func (*AndPolicyMatcher) String ¶
func (p *AndPolicyMatcher) String() string
func (*AndPolicyMatcher) UnmarshalYAML ¶
func (p *AndPolicyMatcher) UnmarshalYAML(value *yaml.Node) error
type ArtifactNameShortPolicyMatcher ¶
type ArtifactNameShortPolicyMatcher struct {
ArtifactNameShort StringArray `yaml:"artifactNameShort"`
}
func (*ArtifactNameShortPolicyMatcher) IsMatch ¶
func (p *ArtifactNameShortPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*ArtifactNameShortPolicyMatcher) IsNonEmpty ¶
func (p *ArtifactNameShortPolicyMatcher) IsNonEmpty() bool
func (*ArtifactNameShortPolicyMatcher) String ¶
func (p *ArtifactNameShortPolicyMatcher) String() string
type CVSSPolicyMatcher ¶
type CVSSPolicyMatcher struct {
CVSS CVSSPolicyMatcherCVSS `yaml:"cvss"`
}
func (*CVSSPolicyMatcher) IsMatch ¶
func (p *CVSSPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*CVSSPolicyMatcher) IsNonEmpty ¶
func (p *CVSSPolicyMatcher) IsNonEmpty() bool
func (*CVSSPolicyMatcher) String ¶
func (p *CVSSPolicyMatcher) String() string
type CVSSPolicyMatcherCVSS ¶
type CVSSPolicyMatcherCVSS struct { ScoreLowerThan float64 `yaml:"scoreLowerThan"` AV StringArray `yaml:"av"` AC StringArray `yaml:"ac"` PR StringArray `yaml:"pr"` UI StringArray `yaml:"ui"` S StringArray `yaml:"s"` C StringArray `yaml:"c"` I StringArray `yaml:"i"` A StringArray `yaml:"a"` }
type ClassPolicyMatcher ¶
type ClassPolicyMatcher struct {
Class StringArray `yaml:"class"`
}
func (*ClassPolicyMatcher) IsMatch ¶
func (p *ClassPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*ClassPolicyMatcher) IsNonEmpty ¶
func (p *ClassPolicyMatcher) IsNonEmpty() bool
func (*ClassPolicyMatcher) String ¶
func (p *ClassPolicyMatcher) String() string
type Config ¶
type Config struct { Github ConfigGithub Files []regexp.Regexp Mitigations []ConfigPolicy Ignores []ConfigPolicy }
func LoadConfig ¶
func (*Config) UnmarshalYAML ¶
type ConfigGithub ¶
func (*ConfigGithub) UnmarshalYAML ¶
func (c *ConfigGithub) UnmarshalYAML(value *yaml.Node) error
type ConfigPolicy ¶
type ConfigPolicy struct { Comment string `yaml:"comment"` Match PolicyMatcher `yaml:"match"` }
func (*ConfigPolicy) UnmarshalYAML ¶
func (c *ConfigPolicy) UnmarshalYAML(value *yaml.Node) error
type GithubIssueTask ¶
type Group ¶
type Group[K comparable, V any] struct { Key K Values []V }
func SlicesGroupByOrdered ¶
func SlicesGroupByOrdered[K comparable, V any](slice []V, keyFn func(V) K) []Group[K, V]
type IDPolicyMatcher ¶
type IDPolicyMatcher struct {
ID StringArray `yaml:"id"`
}
func (*IDPolicyMatcher) IsMatch ¶
func (p *IDPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*IDPolicyMatcher) IsNonEmpty ¶
func (p *IDPolicyMatcher) IsNonEmpty() bool
func (*IDPolicyMatcher) String ¶
func (p *IDPolicyMatcher) String() string
type NotPolicyMatcher ¶
type NotPolicyMatcher struct {
Not PolicyMatcher `yaml:"not"`
}
func (*NotPolicyMatcher) IsMatch ¶
func (p *NotPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*NotPolicyMatcher) IsNonEmpty ¶
func (p *NotPolicyMatcher) IsNonEmpty() bool
func (*NotPolicyMatcher) String ¶
func (p *NotPolicyMatcher) String() string
func (*NotPolicyMatcher) UnmarshalYAML ¶
func (p *NotPolicyMatcher) UnmarshalYAML(value *yaml.Node) error
type OrPolicyMatcher ¶
type OrPolicyMatcher struct {
Or []PolicyMatcher `yaml:"or"`
}
func (*OrPolicyMatcher) IsMatch ¶
func (p *OrPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*OrPolicyMatcher) IsNonEmpty ¶
func (p *OrPolicyMatcher) IsNonEmpty() bool
func (*OrPolicyMatcher) String ¶
func (p *OrPolicyMatcher) String() string
func (*OrPolicyMatcher) UnmarshalYAML ¶
func (p *OrPolicyMatcher) UnmarshalYAML(value *yaml.Node) error
type PackageNamePolicyMatcher ¶
type PackageNamePolicyMatcher struct {
PackageName StringArray `yaml:"packageName"`
}
func (*PackageNamePolicyMatcher) IsMatch ¶
func (p *PackageNamePolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
func (*PackageNamePolicyMatcher) IsNonEmpty ¶
func (p *PackageNamePolicyMatcher) IsNonEmpty() bool
func (*PackageNamePolicyMatcher) String ¶
func (p *PackageNamePolicyMatcher) String() string
type PolicyMatcher ¶
type PolicyMatcher interface { IsNonEmpty() bool IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool String() string }
func PolicyMatcherUnmarshalYAML ¶
func PolicyMatcherUnmarshalYAML(value *yaml.Node) (PolicyMatcher, error)
type ProcessedUnfixedVulnerability ¶
type ProcessedUnfixedVulnerability struct {
// contains filtered or unexported fields
}
type Scan ¶
type Scan struct {
// contains filtered or unexported fields
}
func (*Scan) ProcessDashboard ¶
func (s *Scan) ProcessDashboard(allUnfixedVulnerabilities []ProcessedUnfixedVulnerability) error
func (*Scan) ProcessFixedVulnerabilities ¶
func (*Scan) ProcessUnfixedVulnerability ¶
func (s *Scan) ProcessUnfixedVulnerability(artifactNameShort string, report types.Report, res types.Result, vuln types.DetectedVulnerability) (*ProcessedUnfixedVulnerability, error)
func (*Scan) RenderGithubDashboardIssueBody ¶
func (s *Scan) RenderGithubDashboardIssueBody(allUnfixedVulnerabilities []ProcessedUnfixedVulnerability, footer string) string
func (*Scan) RenderGithubIssueBody ¶
type StringArray ¶
type StringArray []string
func (*StringArray) UnmarshalYAML ¶
func (sa *StringArray) UnmarshalYAML(value *yaml.Node) error
type UnfixedVulnerability ¶
type UnfixedVulnerability struct {
// contains filtered or unexported fields
}
Click to show internal directories.
Click to hide internal directories.