rulesets

package
Published: Nov 19, 2024 License: MIT Imports: 22 Imported by: 3

Documentation

Index

Constants

// Rule identifiers and ruleset names used by vacuum.
//
// Each string constant is the name a rule is referred to by in a ruleset
// document (presumably the key used in RuleSet.RuleDefinitions — confirm
// against the ruleset loader). The Go identifiers exist so code can refer to
// a rule without repeating the string. The trailing group (SpectralOpenAPI
// through SpectralOff) looks like bundled-ruleset names and on/off switches
// rather than rule identifiers — NOTE(review): verify against GetExtendsValue
// and the ruleset loader before relying on that reading.
const (
	// Rule category names — presumably the two values a rule's category can take; confirm.
	Style                                = "style"
	Validation                           = "validation"
	// Path and operation rules.
	NoVerbsInPath                        = "no-http-verbs-in-path"
	PathsKebabCase                       = "paths-kebab-case"
	NoAmbiguousPathsRule                 = "no-ambiguous-paths"
	OperationErrorResponse               = "operation-4xx-response"
	OperationSuccessResponse             = "operation-success-response"
	OperationOperationIdUnique           = "operation-operationId-unique"
	OperationOperationId                 = "operation-operationId"
	OperationParameters                  = "operation-parameters"
	OperationSingularTag                 = "operation-singular-tag"
	OperationTagDefined                  = "operation-tag-defined"
	PathParamsRule                       = "path-params"
	// Info, contact and license rules.
	ContactProperties                    = "contact-properties"
	InfoContact                          = "info-contact"
	InfoDescription                      = "info-description"
	InfoLicense                          = "info-license"
	InfoLicenseSPDX                      = "info-license-spdx"
	LicenseUrl                           = "license-url"
	// Tag and description rules.
	OpenAPITagsAlphabetical              = "openapi-tags-alphabetical"
	OpenAPITags                          = "openapi-tags"
	OperationTags                        = "operation-tags"
	OperationDescription                 = "operation-description"
	ComponentDescription                 = "component-description"
	OperationOperationIdValidInUrl       = "operation-operationId-valid-in-url"
	PathDeclarationsMustExist            = "path-declarations-must-exist"
	PathKeysNoTrailingSlash              = "path-keys-no-trailing-slash"
	PathNotIncludeQuery                  = "path-not-include-query"
	TagDescription                       = "tag-description"
	// $ref and component usage rules; the Oas2*/Oas3* pairs are the
	// Swagger 2 and OpenAPI 3 variants of the same check.
	NoRefSiblings                        = "no-$ref-siblings"
	Oas3NoRefSiblings                    = "oas3-no-$ref-siblings"
	Oas3UnusedComponent                  = "oas3-unused-component"
	Oas2UnusedDefinition                 = "oas2-unused-definition"
	Oas2APIHost                          = "oas2-api-host"
	Oas2APISchemes                       = "oas2-api-schemes"
	Oas2Discriminator                    = "oas2-discriminator"
	Oas2HostNotExample                   = "oas2-host-not-example"
	Oas3HostNotExample                   = "oas3-host-not-example"
	Oas2HostTrailingSlash                = "oas2-host-trailing-slash"
	// Note the value says "server" while the identifier says "host"; the
	// identifier mirrors the Oas2 name, the value follows OpenAPI 3 wording.
	Oas3HostTrailingSlash                = "oas3-server-trailing-slash"
	Oas2ParameterDescription             = "oas2-parameter-description"
	Oas3ParameterDescription             = "oas3-parameter-description"
	Oas3OperationSecurityDefined         = "oas3-operation-security-defined"
	Oas2OperationSecurityDefined         = "oas2-operation-security-defined"
	Oas3ValidSchemaExample               = "oas3-valid-schema-example"
	Oas3ExampleMissingCheck              = "oas3-missing-example"
	Oas3ExampleExternalCheck             = "oas3-example-external-check"
	TypedEnum                            = "typed-enum"
	DuplicatedEntryInEnum                = "duplicated-entry-in-enum"
	// Markdown content rules (eval statements and script tags in descriptions).
	NoEvalInMarkdown                     = "no-eval-in-markdown"
	NoScriptTagsInMarkdown               = "no-script-tags-in-markdown"
	DescriptionDuplication               = "description-duplication"
	Oas3APIServers                       = "oas3-api-servers"
	Oas2OperationFormDataConsumeCheck    = "oas2-operation-formData-consume-check"
	Oas2AnyOf                            = "oas2-anyOf"
	Oas2OneOf                            = "oas2-oneOf"
	Oas2Schema                           = "oas2-schema"
	Oas3Schema                           = "oas3-schema"
	OasSchemaCheck                       = "oas-schema-check"
	// OWASP API security rules; see GetAllOWASPRules and GetRecommendedOWASPRules.
	OwaspNoNumericIDs                    = "owasp-no-numeric-ids"
	OwaspNoHttpBasic                     = "owasp-no-http-basic"
	OwaspNoAPIKeysInURL                  = "owasp-no-api-keys-in-url"
	OwaspNoCredentialsInURL              = "owasp-no-credentials-in-url"
	OwaspAuthInsecureSchemes             = "owasp-auth-insecure-schemes"
	OwaspJWTBestPractices                = "owasp-jwt-best-practices"
	OwaspProtectionGlobalUnsafe          = "owasp-protection-global-unsafe"
	OwaspProtectionGlobalUnsafeStrict    = "owasp-protection-global-unsafe-strict"
	OwaspProtectionGlobalSafe            = "owasp-protection-global-safe"
	OwaspDefineErrorValidation           = "owasp-define-error-validation"
	OwaspDefineErrorResponses401         = "owasp-define-error-responses-401"
	OwaspDefineErrorResponses500         = "owasp-define-error-responses-500"
	OwaspRateLimit                       = "owasp-rate-limit"
	OwaspRateLimitRetryAfter             = "owasp-rate-limit-retry-after"
	OwaspDefineErrorResponses429         = "owasp-define-error-responses-429"
	OwaspArrayLimit                      = "owasp-array-limit"
	OwaspStringLimit                     = "owasp-string-limit"
	OwaspStringRestricted                = "owasp-string-restricted"
	OwaspIntegerLimit                    = "owasp-integer-limit"
	OwaspIntegerFormat                   = "owasp-integer-format"
	OwaspNoAdditionalProperties          = "owasp-no-additionalProperties"
	OwaspConstrainedAdditionalProperties = "owasp-constrained-additionalProperties"
	OwaspSecurityHostsHttpsOAS3          = "owasp-security-hosts-https-oas3"
	PostResponseSuccess                  = "post-response-success"
	// Bundled ruleset names and switch values (presumably accepted in an
	// "extends" declaration or as a rule's on/off value — confirm).
	SpectralOpenAPI                      = "spectral:oas"
	SpectralOwasp                        = "spectral:owasp"
	VacuumOwasp                          = "vacuum:owasp"
	SpectralRecommended                  = "recommended"
	SpectralAll                          = "all"
	SpectralOff                          = "off"
)

Variables

// RuleSchema is a package-level string whose contents are not shown on this
// page; from the name it presumably holds the schema used to validate a single
// rule definition — confirm against the source before relying on it.
var RuleSchema string
// RulesetSchema is a package-level string whose contents are not shown on this
// page; from the name it presumably holds the schema used to validate a whole
// ruleset document — confirm against the source before relying on it.
var RulesetSchema string

Functions

func CheckForLocalExtends added in v0.6.0

func CheckForLocalExtends(extends map[string]string) bool

CheckForLocalExtends checks whether the extends map contains a local link. It returns true if it does and false if it does not.

func CheckForRemoteExtends added in v0.6.0

func CheckForRemoteExtends(extends map[string]string) bool

CheckForRemoteExtends checks whether the extends map contains a remote link. It returns true if it does and false if it does not.

func GetAPIServersRule

func GetAPIServersRule() *model.Rule

GetAPIServersRule checks to make sure there is a valid 'servers' definition in the document.

func GetAllBuiltInRules added in v0.1.0

func GetAllBuiltInRules() map[string]*model.Rule

GetAllBuiltInRules returns a map of all the built-in rules available, ready to be used in a RuleSet.

func GetAllOWASPRules added in v0.2.0

func GetAllOWASPRules() map[string]*model.Rule

GetAllOWASPRules returns a map of all the OWASP rules available, ready to be used in a RuleSet.

func GetComponentDescriptionsRule

func GetComponentDescriptionsRule() *model.Rule

GetComponentDescriptionsRule will check all components for description problems.

func GetContactPropertiesRule

func GetContactPropertiesRule() *model.Rule

GetContactPropertiesRule will return a rule configured to look at the contact properties of a spec. It uses the built-in 'truthy' function.

func GetDescriptionDuplicationRule

func GetDescriptionDuplicationRule() *model.Rule

GetDescriptionDuplicationRule will check if any descriptions have been copy/pasted or duplicated. All descriptions should be unique; otherwise, what is the point?

func GetDuplicatedEntryInEnumRule

func GetDuplicatedEntryInEnumRule() *model.Rule

GetDuplicatedEntryInEnumRule will check that enums used are not duplicates

func GetGlobalOperationTagsRule

func GetGlobalOperationTagsRule() *model.Rule

GetGlobalOperationTagsRule will check that an operation tag exists in the top-level tags. This rule was dropped from an error to a warning after a discussion.

func GetInfoContactRule

func GetInfoContactRule() *model.Rule

GetInfoContactRule will return a rule that uses the truthy function to check if the info object contains a contact object.

func GetInfoDescriptionRule

func GetInfoDescriptionRule() *model.Rule

GetInfoDescriptionRule will return a rule that uses the truthy function to check if the info object contains a description.

func GetInfoLicenseRule

func GetInfoLicenseRule() *model.Rule

GetInfoLicenseRule will return a rule that uses the truthy function to check if the info object contains a license

func GetInfoLicenseSPDXRule added in v0.13.0

func GetInfoLicenseSPDXRule() *model.Rule

GetInfoLicenseSPDXRule will check that a license either has a URL OR an identifier, not both.

func GetInfoLicenseUrlRule

func GetInfoLicenseUrlRule() *model.Rule

GetInfoLicenseUrlRule will return a rule that uses the truthy function to check if the info object contains a license with a URL that is set.

func GetNoEvalInMarkdownRule

func GetNoEvalInMarkdownRule() *model.Rule

GetNoEvalInMarkdownRule will return a rule that uses the pattern function to check that no eval statements are used in markdown descriptions.

func GetNoRefSiblingsRule

func GetNoRefSiblingsRule() *model.Rule

GetNoRefSiblingsRule will check that there are no sibling nodes next to a $ref (which is technically invalid)

func GetNoScriptTagsInMarkdownRule

func GetNoScriptTagsInMarkdownRule() *model.Rule

GetNoScriptTagsInMarkdownRule will return a rule that uses the pattern function to check that no script tags are used in descriptions or the title.

func GetNoVerbsInPathRule added in v0.0.13

func GetNoVerbsInPathRule() *model.Rule

GetNoVerbsInPathRule will check all paths to make sure no HTTP verbs have been used as a path segment.

func GetOAS2APIHostRule

func GetOAS2APIHostRule() *model.Rule

GetOAS2APIHostRule will check swagger specs for the host property being set.

func GetOAS2APISchemesRule

func GetOAS2APISchemesRule() *model.Rule

GetOAS2APISchemesRule uses the schema function to check if swagger has schemes and that it's an array with at least one item.

func GetOAS2DiscriminatorRule

func GetOAS2DiscriminatorRule() *model.Rule

GetOAS2DiscriminatorRule will check swagger schemas to ensure they are using discriminators correctly.

func GetOAS2FormDataConsumesRule

func GetOAS2FormDataConsumesRule() *model.Rule

GetOAS2FormDataConsumesRule will check that "application/x-www-form-urlencoded" or "multipart/form-data" is defined in the 'consumes' node for any parameters that use 'in: formData'.

func GetOAS2HostNotExampleRule

func GetOAS2HostNotExampleRule() *model.Rule

GetOAS2HostNotExampleRule checks to make sure that example.com is not being used as a host. TODO: how common is this? should we keep it? change it?

func GetOAS2HostTrailingSlashRule

func GetOAS2HostTrailingSlashRule() *model.Rule

GetOAS2HostTrailingSlashRule checks to make sure there is no trailing slash on the host

func GetOAS2ParameterDescriptionRule

func GetOAS2ParameterDescriptionRule() *model.Rule

GetOAS2ParameterDescriptionRule will check specs to make sure parameters have a description.

func GetOAS2PolymorphicAnyOfRule

func GetOAS2PolymorphicAnyOfRule() *model.Rule

GetOAS2PolymorphicAnyOfRule will check that 'anyOf' has not been used in a swagger spec (introduced in 3.0)

func GetOAS2PolymorphicOneOfRule

func GetOAS2PolymorphicOneOfRule() *model.Rule

GetOAS2PolymorphicOneOfRule will check that 'oneOf' has not been used in a swagger spec (introduced in 3.0)

func GetOAS2SchemaRule

func GetOAS2SchemaRule() *model.Rule

GetOAS2SchemaRule will check that the schema is valid for swagger docs.

func GetOAS2SecurityDefinedRule

func GetOAS2SecurityDefinedRule() *model.Rule

GetOAS2SecurityDefinedRule will check that security definitions exist and validate for OpenAPI 2

func GetOAS2UnusedComponentRule

func GetOAS2UnusedComponentRule() *model.Rule

GetOAS2UnusedComponentRule will check that there aren't any components anywhere that haven't been used.

func GetOAS3ExamplesExternalCheck added in v0.7.0

func GetOAS3ExamplesExternalCheck() *model.Rule

func GetOAS3ExamplesMissingRule added in v0.7.0

func GetOAS3ExamplesMissingRule() *model.Rule

func GetOAS3ExamplesRule

func GetOAS3ExamplesRule() *model.Rule

GetOAS3ExamplesRule will check the entire spec for correct example use.

func GetOAS3HostNotExampleRule

func GetOAS3HostNotExampleRule() *model.Rule

GetOAS3HostNotExampleRule checks to make sure that example.com is not being used as a host. TODO: how common is this? should we keep it? change it?

func GetOAS3HostTrailingSlashRule added in v0.0.5

func GetOAS3HostTrailingSlashRule() *model.Rule

GetOAS3HostTrailingSlashRule checks to make sure there is no trailing slash on the host

func GetOAS3NoRefSiblingsRule added in v0.14.3

func GetOAS3NoRefSiblingsRule() *model.Rule

GetOAS3NoRefSiblingsRule will check that there are no sibling nodes next to a $ref (which is technically invalid).

func GetOAS3ParameterDescriptionRule

func GetOAS3ParameterDescriptionRule() *model.Rule

GetOAS3ParameterDescriptionRule will check specs to make sure parameters have a description.

func GetOAS3SchemaRule

func GetOAS3SchemaRule() *model.Rule

GetOAS3SchemaRule will check that the schema is valid for openapi 3+ docs.

func GetOAS3SecurityDefinedRule

func GetOAS3SecurityDefinedRule() *model.Rule

GetOAS3SecurityDefinedRule will check that security definitions exist and validate for OpenAPI 3

func GetOAS3UnusedComponentRule

func GetOAS3UnusedComponentRule() *model.Rule

GetOAS3UnusedComponentRule will check that there aren't any components anywhere that haven't been used.

func GetOWASPArrayLimitRule added in v0.2.0

func GetOWASPArrayLimitRule() *model.Rule

func GetOWASPAuthInsecureSchemesRule added in v0.2.0

func GetOWASPAuthInsecureSchemesRule() *model.Rule

func GetOWASPConstrainedAdditionalPropertiesRule added in v0.2.0

func GetOWASPConstrainedAdditionalPropertiesRule() *model.Rule

func GetOWASPDefineErrorResponses401Rule added in v0.2.0

func GetOWASPDefineErrorResponses401Rule() *model.Rule

func GetOWASPDefineErrorResponses429Rule added in v0.2.0

func GetOWASPDefineErrorResponses429Rule() *model.Rule

func GetOWASPDefineErrorResponses500Rule added in v0.2.0

func GetOWASPDefineErrorResponses500Rule() *model.Rule

func GetOWASPDefineErrorValidationRule added in v0.2.0

func GetOWASPDefineErrorValidationRule() *model.Rule

func GetOWASPIntegerFormatRule added in v0.2.0

func GetOWASPIntegerFormatRule() *model.Rule

func GetOWASPIntegerLimitRule added in v0.2.0

func GetOWASPIntegerLimitRule() *model.Rule

func GetOWASPJWTBestPracticesRule added in v0.2.0

func GetOWASPJWTBestPracticesRule() *model.Rule

func GetOWASPNoAPIKeysInURLRule added in v0.2.0

func GetOWASPNoAPIKeysInURLRule() *model.Rule

func GetOWASPNoAdditionalPropertiesRule added in v0.2.0

func GetOWASPNoAdditionalPropertiesRule() *model.Rule

func GetOWASPNoCredentialsInURLRule added in v0.2.0

func GetOWASPNoCredentialsInURLRule() *model.Rule

func GetOWASPNoHttpBasicRule added in v0.2.0

func GetOWASPNoHttpBasicRule() *model.Rule

func GetOWASPNoNumericIDsRule added in v0.2.0

func GetOWASPNoNumericIDsRule() *model.Rule

func GetOWASPRateLimitRetryAfterRule added in v0.2.0

func GetOWASPRateLimitRetryAfterRule() *model.Rule

func GetOWASPRateLimitRule added in v0.2.0

func GetOWASPRateLimitRule() *model.Rule

func GetOWASPSecurityHostsHttpsOAS3Rule added in v0.2.0

func GetOWASPSecurityHostsHttpsOAS3Rule() *model.Rule

func GetOWASPStringLimitRule added in v0.2.0

func GetOWASPStringLimitRule() *model.Rule

func GetOWASPStringRestrictedRule added in v0.2.0

func GetOWASPStringRestrictedRule() *model.Rule

func GetOpenApiTagsAlphabeticalRule

func GetOpenApiTagsAlphabeticalRule() *model.Rule

GetOpenApiTagsAlphabeticalRule will return a rule that uses the alphabetical function to check if tags are in alphabetical order

func GetOpenApiTagsRule

func GetOpenApiTagsRule() *model.Rule

GetOpenApiTagsRule uses the schema function to check that tags exist and that it's an array with at least one item.

func GetOperationDescriptionRule

func GetOperationDescriptionRule() *model.Rule

GetOperationDescriptionRule will return a rule that uses the truthy function to check whether an operation has defined a description, and whether that description meets the required length.

func GetOperationErrorResponseRule added in v0.0.13

func GetOperationErrorResponseRule() *model.Rule

GetOperationErrorResponseRule will return the rule for checking for a 4xx response defined in operations.

func GetOperationIdRule

func GetOperationIdRule() *model.Rule

GetOperationIdRule will check to make sure that operationIds exist on all operations

func GetOperationIdUniqueRule

func GetOperationIdUniqueRule() *model.Rule

GetOperationIdUniqueRule will check to make sure that operationIds are all unique and non-repeating

func GetOperationIdValidInUrlRule

func GetOperationIdValidInUrlRule() *model.Rule

GetOperationIdValidInUrlRule will check if an operationId will be valid when used in a URL.

func GetOperationParametersRule

func GetOperationParametersRule() *model.Rule

GetOperationParametersRule will check that an operation has valid parameters defined

func GetOperationSingleTagRule

func GetOperationSingleTagRule() *model.Rule

GetOperationSingleTagRule will check to see if an operation has more than a single tag

func GetOperationSuccessResponseRule

func GetOperationSuccessResponseRule() *model.Rule

GetOperationSuccessResponseRule will check that every operation has a success response defined.

func GetOperationTagsRule

func GetOperationTagsRule() *model.Rule

GetOperationTagsRule uses the schema function to check that tags exist and that it's an array with at least one item.

func GetPathDeclarationsMustExistRule

func GetPathDeclarationsMustExistRule() *model.Rule

GetPathDeclarationsMustExistRule will check to make sure there are no empty path variables

func GetPathNoTrailingSlashRule

func GetPathNoTrailingSlashRule() *model.Rule

GetPathNoTrailingSlashRule will make sure that paths don't have trailing slashes

func GetPathNotIncludeQueryRule

func GetPathNotIncludeQueryRule() *model.Rule

GetPathNotIncludeQueryRule checks to ensure paths are not including any query parameters.

func GetPathParamsRule

func GetPathParamsRule() *model.Rule

GetPathParamsRule checks if path params are valid and defined.

func GetPathsKebabCaseRule added in v0.0.13

func GetPathsKebabCaseRule() *model.Rule

GetPathsKebabCaseRule will check that each path segment is kebab-case

func GetPostSuccessResponseRule added in v0.10.0

func GetPostSuccessResponseRule() *model.Rule

GetPostSuccessResponseRule will check that all POST operations have a success response defined.

func GetRecommendedOWASPRules added in v0.2.0

func GetRecommendedOWASPRules() map[string]*model.Rule

GetRecommendedOWASPRules returns a map of all the OWASP rules available, ready to be used in a RuleSet.

func GetSchemaTypeCheckRule added in v0.8.0

func GetSchemaTypeCheckRule() *model.Rule

GetSchemaTypeCheckRule will check that all schemas have a valid type defined

func GetTagDescriptionRequiredRule

func GetTagDescriptionRequiredRule() *model.Rule

GetTagDescriptionRequiredRule checks to ensure tags defined have been given a description

func GetTypedEnumRule

func GetTypedEnumRule() *model.Rule

GetTypedEnumRule checks to ensure enums are of the specified type

func NoAmbiguousPaths added in v0.0.12

func NoAmbiguousPaths() *model.Rule

NoAmbiguousPaths will check for paths that are ambiguous with one another

func SniffOutAllExternalRules added in v0.6.0

func SniffOutAllExternalRules(
	ctx context.Context,
	rsm *ruleSetsModel,
	location string,
	visited []string,
	rs *RuleSet,
	remote bool)

SniffOutAllExternalRules takes a ruleset and sniffs out all external rules. It will recursively sniff out all external rulesets and add them to the ruleset. It will return an error if it cannot sniff out the ruleset.

Types

type RuleSet

// RuleSet represents a collection of Rule definitions, as loaded from a JSON
// or YAML ruleset document (CreateRuleSetFromData / CreateRuleSetUsingJSON)
// or built from a rule map (CreateRuleSetFromRuleMap).
type RuleSet struct {
	// Description is optional free text describing the ruleset.
	Description      string                 `json:"description,omitempty" yaml:"description,omitempty"`
	// DocumentationURI is an optional link to documentation for the ruleset.
	DocumentationURI string                 `json:"documentationUrl,omitempty" yaml:"documentationUrl,omitempty"`
	// Formats is optional; presumably the document formats the ruleset applies to — confirm against the loader.
	Formats          []string               `json:"formats,omitempty" yaml:"formats,omitempty"`
	// RuleDefinitions holds the raw "rules" entries as parsed from the document.
	RuleDefinitions  map[string]interface{} `json:"rules" yaml:"rules"` // this can be either a string, or an entire rule (super annoying, stoplight).
	// Rules holds the resolved rules; the "-" tags exclude it from JSON/YAML (un)marshalling.
	Rules            map[string]*model.Rule `json:"-" yaml:"-"`
	// Extends names the ruleset(s) this one extends; GetExtendsValue normalizes it into a map.
	// An extends entry may refer to a remote location (see CheckForRemoteExtends and
	// DownloadRemoteRuleSet), so loading a ruleset obtained from an untrusted source can
	// cause further rulesets to be fetched over the network and merged in; SniffOutAllExternalRules
	// takes a visited list, presumably to stop recursion on cyclic references — confirm.
	Extends          interface{}            `json:"extends,omitempty" yaml:"extends,omitempty"` // can be string or tuple (again... why stoplight?)
	// contains filtered or unexported fields
}

RuleSet represents a collection of Rule definitions.

func CreateRuleSetFromData

func CreateRuleSetFromData(data []byte) (*RuleSet, error)

CreateRuleSetFromData will create a new RuleSet instance from either a JSON or YAML input

func CreateRuleSetFromRuleMap added in v0.1.0

func CreateRuleSetFromRuleMap(rules map[string]*model.Rule) *RuleSet

CreateRuleSetFromRuleMap creates a RuleSet from a map of rules. Built-in rules can be exposed by using the GetAllBuiltInRules() function.

func CreateRuleSetUsingJSON

func CreateRuleSetUsingJSON(jsonData []byte) (*RuleSet, error)

CreateRuleSetUsingJSON will create a new RuleSet instance from a JSON byte array

func DownloadRemoteRuleSet added in v0.6.0

func DownloadRemoteRuleSet(_ context.Context, location string) (*RuleSet, error)

DownloadRemoteRuleSet downloads a remote ruleset and returns a *RuleSet. It returns an error if it cannot download the ruleset.

func GenerateDefaultOpenAPIRuleSet added in v0.1.0

func GenerateDefaultOpenAPIRuleSet() *RuleSet

GenerateDefaultOpenAPIRuleSet generates a default ruleset for OpenAPI. All the built-in rules, ready to go.

func GenerateOWASPOpenAPIRuleSet added in v0.7.0

func GenerateOWASPOpenAPIRuleSet() *RuleSet

GenerateOWASPOpenAPIRuleSet generates our OWASP ruleset for OpenAPI. Hard mode engage!

func LoadLocalRuleSet added in v0.6.0

func LoadLocalRuleSet(_ context.Context, location string) (*RuleSet, error)

LoadLocalRuleSet loads a local ruleset and returns a *RuleSet. It returns an error if it cannot load the ruleset.

func (*RuleSet) GetExtendsValue

func (rs *RuleSet) GetExtendsValue() map[string]string

GetExtendsValue returns an array of maps defining which ruleset this one extends. The value can be a single string or an array of tuples, so this normalizes things into a standard structure.

type RuleSets

// RuleSets is used to generate the default RuleSets built into vacuum; obtain
// one with BuildDefaultRuleSets or BuildDefaultRuleSetsWithLogger.
type RuleSets interface {

	// GenerateOpenAPIDefaultRuleSet generates a ready to run pointer to a RuleSet containing all
	// OpenAPI rules supported by vacuum. A specification that passes all these rules would be
	// considered a very good quality specification.
	GenerateOpenAPIDefaultRuleSet() *RuleSet

	// GenerateOpenAPIRecommendedRuleSet generates a ready to run pointer to a RuleSet that contains only
	// recommended rules (not all rules). A specification that passes all these rules would be a quality specification.
	GenerateOpenAPIRecommendedRuleSet() *RuleSet

	// GenerateRuleSetFromSuppliedRuleSet will generate a ready to run ruleset based on a supplied configuration. This
	// will look for any extensions and apply all rules turned on, turned off and any custom rules.
	// NOTE(review): an extends entry in config may name a remote ruleset (see DownloadRemoteRuleSet), so
	// resolving a configuration from an untrusted source presumably involves network fetches — confirm.
	GenerateRuleSetFromSuppliedRuleSet(config *RuleSet) *RuleSet
}

RuleSets is used to generate default RuleSets built into vacuum

func BuildDefaultRuleSets

func BuildDefaultRuleSets() RuleSets

func BuildDefaultRuleSetsWithLogger added in v0.5.0

func BuildDefaultRuleSetsWithLogger(logger *slog.Logger) RuleSets
