internal

package
v0.1.0-rc.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 26, 2022 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source 
const TrivyBin = "trivy"

Variables

View Source 
var (
	AVName        = "Attack Vector"
	AVDescription = "" /* 257-byte string literal not displayed */
	AVValueNames  = map[metric.AttackVector]string{
		metric.AttackVectorNetwork:  "Network",
		metric.AttackVectorAdjacent: "Adjacent Network",
		metric.AttackVectorLocal:    "Local",
		metric.AttackVectorPhysical: "Physical",
	}
	AVValueDescriptions = map[metric.AttackVector]string{
		metric.AttackVectorNetwork:  "A vulnerability exploitable with Network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).",
		metric.AttackVectorAdjacent: "A vulnerability exploitable with Adjacent Network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router).",
		metric.AttackVectorLocal:    "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, or may rely on User Interaction to execute a malicious file.",
		metric.AttackVectorPhysical: "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component, such as attaching an peripheral device to a system.",
	}
)
View Source 
var (
	ACName        = "Attack Complexity"
	ACDescription = "" /* 323-byte string literal not displayed */
	ACValueNames  = map[metric.AttackComplexity]string{
		metric.AttackComplexityHigh: "High",
		metric.AttackComplexityLow:  "Low",
	}
	ACValueDescriptions = map[metric.AttackComplexity]string{
		metric.AttackComplexityHigh: "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.",
		metric.AttackComplexityLow:  "A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.",
	}
)
View Source 
var (
	PRName        = "Privileges Required"
	PRDescription = "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability."
	PRValueNames  = map[metric.PrivilegesRequired]string{
		metric.PrivilegesRequiredNone: "None",
		metric.PrivilegesRequiredLow:  "Low",
		metric.PrivilegesRequiredHigh: "High",
	}
	PRValueDescriptions = map[metric.PrivilegesRequired]string{
		metric.PrivilegesRequiredNone: "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.",
		metric.PrivilegesRequiredLow:  "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.",
		metric.PrivilegesRequiredHigh: "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.",
	}
)
View Source 
var (
	UIName        = "User Interaction"
	UIDescription = "" /* 336-byte string literal not displayed */
	UIValueNames  = map[metric.UserInteraction]string{
		metric.UserInteractionNone:     "None",
		metric.UserInteractionRequired: "Required",
	}
	UIValueDescriptions = map[metric.UserInteraction]string{
		metric.UserInteractionNone:     "The vulnerable system can be exploited without interaction from any user.",
		metric.UserInteractionRequired: "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited, such as convincing a user to click a link in an email.",
	}
)
View Source 
var (
	SName        = "Scope"
	SDescription = "" /* 350-byte string literal not displayed */
	SValueNames  = map[metric.Scope]string{
		metric.ScopeUnchanged: "Unchanged",
		metric.ScopeChanged:   "Changed",
	}
	SValueDescriptions = map[metric.Scope]string{
		metric.ScopeUnchanged: "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.",
		metric.ScopeChanged:   "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.",
	}
)
View Source 
var (
	CName        = "Confidentiality Impact"
	CDescription = "" /* 327-byte string literal not displayed */
	CValueNames  = map[metric.ConfidentialityImpact]string{
		metric.ConfidentialityImpactNone: "None",
		metric.ConfidentialityImpactLow:  "Low",
		metric.ConfidentialityImpactHigh: "High",
	}
	CValueDescriptions = map[metric.ConfidentialityImpact]string{
		metric.ConfidentialityImpactNone: "There is no loss of confidentiality within the impacted component.",
		metric.ConfidentialityImpactLow:  "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.",
		metric.ConfidentialityImpactHigh: "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.",
	}
)
View Source 
var (
	IName        = "Integrity Impact"
	IDescription = "" /* 327-byte string literal not displayed */
	IValueNames  = map[metric.IntegrityImpact]string{
		metric.IntegrityImpactNone: "None",
		metric.IntegrityImpactLow:  "Low",
		metric.IntegrityImpactHigh: "High",
	}
	IValueDescriptions = map[metric.IntegrityImpact]string{
		metric.IntegrityImpactNone: "There is no loss of confidentiality within the impacted component.",
		metric.IntegrityImpactLow:  "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.",
		metric.IntegrityImpactHigh: "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.",
	}
)
View Source 
var (
	AName        = "Availability Impact"
	ADescription = "" /* 642-byte string literal not displayed */
	AValueNames  = map[metric.AvailabilityImpact]string{
		metric.AvailabilityImpactNone: "None",
		metric.AvailabilityImpactLow:  "Low",
		metric.AvailabilityImpactHigh: "High",
	}
	AValueDescriptions = map[metric.AvailabilityImpact]string{
		metric.AvailabilityImpactNone: "There is no impact to availability within the impacted component.",
		metric.AvailabilityImpactLow:  "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.",
		metric.AvailabilityImpactHigh: "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).",
	}
)

Functions

func FileList 

func FileList(dir string, patterns []regexp.Regexp) ([]string, error)

func FileResolvePath 

func FileResolvePath(dir string, file string) string

func FindVulnerabilityCVSSV3 

func FindVulnerabilityCVSSV3(vuln types.DetectedVulnerability) (string, float64, *metric.Base)

func RenderCVSSScoreString 

func RenderCVSSScoreString(cvssScore float64) string

func SlicesFilter 

func SlicesFilter[E any](slice []E, filterFn func(E) bool) []E

func SlicesFind 

func SlicesFind[E any](slice []E, fn func(E) bool) *E

func SlicesFlatMap 

func SlicesFlatMap[I any, O any](slice []I, mapFn func(I) []O) []O

func SlicesMap 

func SlicesMap[I any, O any](slice []I, mapFn func(I) O) []O

func SlicesUnique 

func SlicesUnique[E comparable](slice []E) []E

func StringAbbreviate 

func StringAbbreviate(str string, maxLength int) string

func StringSanitize 

func StringSanitize(s string) string

func StringSanitizeOneLine 

func StringSanitizeOneLine(s string) string

func TrivyDownloadDb 

func TrivyDownloadDb(ctx context.Context, dir string) error

func TrivyImage 

func TrivyImage(ctx context.Context, dir string, image string) (*types.Report, error)

Types

type AndPolicyMatcher 

type AndPolicyMatcher struct {
	And []PolicyMatcher `yaml:"and"`
}

func (*AndPolicyMatcher) IsMatch 

func (p *AndPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*AndPolicyMatcher) IsNonEmpty 

func (p *AndPolicyMatcher) IsNonEmpty() bool

func (*AndPolicyMatcher) String 

func (p *AndPolicyMatcher) String() string

func (*AndPolicyMatcher) UnmarshalYAML 

func (p *AndPolicyMatcher) UnmarshalYAML(value *yaml.Node) error

type ArtifactNameShortPolicyMatcher 

type ArtifactNameShortPolicyMatcher struct {
	ArtifactNameShort StringArray `yaml:"artifactNameShort"`
}

func (*ArtifactNameShortPolicyMatcher) IsMatch 

func (p *ArtifactNameShortPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*ArtifactNameShortPolicyMatcher) IsNonEmpty 

func (p *ArtifactNameShortPolicyMatcher) IsNonEmpty() bool

func (*ArtifactNameShortPolicyMatcher) String 

func (p *ArtifactNameShortPolicyMatcher) String() string

type CVSSPolicyMatcher 

type CVSSPolicyMatcher struct {
	CVSS CVSSPolicyMatcherCVSS `yaml:"cvss"`
}

func (*CVSSPolicyMatcher) IsMatch 

func (p *CVSSPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*CVSSPolicyMatcher) IsNonEmpty 

func (p *CVSSPolicyMatcher) IsNonEmpty() bool

func (*CVSSPolicyMatcher) String 

func (p *CVSSPolicyMatcher) String() string

type CVSSPolicyMatcherCVSS 

type CVSSPolicyMatcherCVSS struct {
	ScoreLowerThan float64     `yaml:"scoreLowerThan"`
	AV             StringArray `yaml:"av"`
	AC             StringArray `yaml:"ac"`
	PR             StringArray `yaml:"pr"`
	UI             StringArray `yaml:"ui"`
	S              StringArray `yaml:"s"`
	C              StringArray `yaml:"c"`
	I              StringArray `yaml:"i"`
	A              StringArray `yaml:"a"`
}

type ClassPolicyMatcher 

type ClassPolicyMatcher struct {
	Class StringArray `yaml:"class"`
}

func (*ClassPolicyMatcher) IsMatch 

func (p *ClassPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*ClassPolicyMatcher) IsNonEmpty 

func (p *ClassPolicyMatcher) IsNonEmpty() bool

func (*ClassPolicyMatcher) String 

func (p *ClassPolicyMatcher) String() string

type Config 

type Config struct {
	Github      ConfigGithub
	Files       []regexp.Regexp
	Mitigations []ConfigPolicy
	Ignores     []ConfigPolicy
}

func LoadConfig 

func LoadConfig(bytesRaw []byte) (*Config, error)

func (*Config) UnmarshalYAML 

func (c *Config) UnmarshalYAML(value *yaml.Node) error

type ConfigGithub 

type ConfigGithub struct {
	Token          string
	IssueRepoOwner string
	IssueRepoName  string
}

func (*ConfigGithub) UnmarshalYAML 

func (c *ConfigGithub) UnmarshalYAML(value *yaml.Node) error

type ConfigPolicy 

type ConfigPolicy struct {
	Comment string        `yaml:"comment"`
	Match   PolicyMatcher `yaml:"match"`
}

func (*ConfigPolicy) UnmarshalYAML 

func (c *ConfigPolicy) UnmarshalYAML(value *yaml.Node) error

type GithubIssueTask 

type GithubIssueTask struct {
	Done   bool
	Label  string
	Params map[string]string
}

type Group 

type Group[K comparable, V any] struct {
	Key    K
	Values []V
}

func SlicesGroupByOrdered 

func SlicesGroupByOrdered[K comparable, V any](slice []V, keyFn func(V) K) []Group[K, V]

type IDPolicyMatcher 

type IDPolicyMatcher struct {
	ID StringArray `yaml:"id"`
}

func (*IDPolicyMatcher) IsMatch 

func (p *IDPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*IDPolicyMatcher) IsNonEmpty 

func (p *IDPolicyMatcher) IsNonEmpty() bool

func (*IDPolicyMatcher) String 

func (p *IDPolicyMatcher) String() string

type Logger 

type Logger struct {
	Debug *log.Logger
	Info  *log.Logger
	// contains filtered or unexported fields
}

func NewLogger 

func NewLogger(withDebug bool) Logger

func NewNullLogger 

func NewNullLogger() Logger

func (*Logger) CloneNested 

func (l *Logger) CloneNested() *Logger

func (*Logger) Nest 

func (l *Logger) Nest() func()

type NotPolicyMatcher 

type NotPolicyMatcher struct {
	Not PolicyMatcher `yaml:"not"`
}

func (*NotPolicyMatcher) IsMatch 

func (p *NotPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*NotPolicyMatcher) IsNonEmpty 

func (p *NotPolicyMatcher) IsNonEmpty() bool

func (*NotPolicyMatcher) String 

func (p *NotPolicyMatcher) String() string

func (*NotPolicyMatcher) UnmarshalYAML 

func (p *NotPolicyMatcher) UnmarshalYAML(value *yaml.Node) error

type OrPolicyMatcher 

type OrPolicyMatcher struct {
	Or []PolicyMatcher `yaml:"or"`
}

func (*OrPolicyMatcher) IsMatch 

func (p *OrPolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*OrPolicyMatcher) IsNonEmpty 

func (p *OrPolicyMatcher) IsNonEmpty() bool

func (*OrPolicyMatcher) String 

func (p *OrPolicyMatcher) String() string

func (*OrPolicyMatcher) UnmarshalYAML 

func (p *OrPolicyMatcher) UnmarshalYAML(value *yaml.Node) error

type PackageNamePolicyMatcher 

type PackageNamePolicyMatcher struct {
	PackageName StringArray `yaml:"packageName"`
}

func (*PackageNamePolicyMatcher) IsMatch 

func (p *PackageNamePolicyMatcher) IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool

func (*PackageNamePolicyMatcher) IsNonEmpty 

func (p *PackageNamePolicyMatcher) IsNonEmpty() bool

func (*PackageNamePolicyMatcher) String 

func (p *PackageNamePolicyMatcher) String() string

type PolicyMatcher 

type PolicyMatcher interface {
	IsNonEmpty() bool
	IsMatch(report types.Report, res types.Result, vuln types.DetectedVulnerability) bool
	String() string
}

func PolicyMatcherUnmarshalYAML 

func PolicyMatcherUnmarshalYAML(value *yaml.Node) (PolicyMatcher, error)

type ProcessedUnfixedVulnerability 

type ProcessedUnfixedVulnerability struct {
	// contains filtered or unexported fields
}

type Scan 

type Scan struct {
	// contains filtered or unexported fields
}

func NewScan 

func NewScan(logger Logger, config Config, dir string, dryRun bool, issueCreateLimit int) Scan

func (*Scan) ProcessDashboard 

func (s *Scan) ProcessDashboard(allUnfixedVulnerabilities []ProcessedUnfixedVulnerability) error

func (*Scan) ProcessFixedVulnerabilities 

func (s *Scan) ProcessFixedVulnerabilities(artifactNameShort string, unfixedIssueNumbers []int) ([]int, error)

func (*Scan) ProcessUnfixedVulnerability 

func (s *Scan) ProcessUnfixedVulnerability(artifactNameShort string, report types.Report, res types.Result, vuln types.DetectedVulnerability) (*ProcessedUnfixedVulnerability, error)

func (*Scan) RenderGithubDashboardIssueBody 

func (s *Scan) RenderGithubDashboardIssueBody(allUnfixedVulnerabilities []ProcessedUnfixedVulnerability, footer string) string

func (*Scan) RenderGithubIssueBody 

func (s *Scan) RenderGithubIssueBody(report types.Report, res types.Result, vuln types.DetectedVulnerability, footer string) string

func (*Scan) Run 

func (s *Scan) Run() error

func (*Scan) ScrapeFile 

func (s *Scan) ScrapeFile(file string) ([]string, error)

type StringArray 

type StringArray []string

func (*StringArray) UnmarshalYAML 

func (sa *StringArray) UnmarshalYAML(value *yaml.Node) error

type UnfixedVulnerability 

type UnfixedVulnerability struct {
	// contains filtered or unexported fields
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.