Documentation ¶
Index ¶
- Constants
- type Category
- type Commit
- type ConfidenceLevel
- type Dependency
- type DependencyFile
- type DependencyRef
- type DependencyScanningVulnerability
- type Identifier
- func CVEIdentifier(ID string) Identifier
- func CWEIdentifier(ID int) Identifier
- func ELSAIdentifier(ID string) Identifier
- func H1Identifier(ID string) Identifier
- func OSVDBIdentifier(ID string) Identifier
- func ParseIdentifierID(idStr string) (Identifier, bool)
- func RHSAIdentifier(ID string) Identifier
- func USNIdentifier(ID string) Identifier
- func WASCIdentifier(ID int) Identifier
- type IdentifierType
- type Issue
- type Link
- type Location
- type Package
- type PackageManager
- type Ref
- type Remediation
- type Report
- type Scan
- type ScanTime
- type Scanner
- type ScannerDetails
- type SeverityLevel
- type Status
- type Vendor
- type Version
Constants ¶
const (
    // PackageManagerBundler is the identifier for Ruby Bundler
    PackageManagerBundler = "bundler"
    // PackageManagerComposer is the identifier for PHP Composer
    PackageManagerComposer = "composer"
    // PackageManagerMaven is the identifier for Java Maven
    PackageManagerMaven = "maven"
    // PackageManagerNpm is the identifier for npm
    PackageManagerNpm = "npm"
    // PackageManagerPip is the identifier for Python's pip
    PackageManagerPip = "pip"
    // PackageManagerYarn is the identifier for yarn
    PackageManagerYarn = "yarn"
)
const (
    // VersionMajor is the major number of the current version
    VersionMajor = 3
    // VersionMinor is the minor number of the current version
    VersionMinor = 0
    // VersionPatch is the patch number of the current version
    VersionPatch = 0
    // VersionPreRelease is the optional suffix for pre-releases
    VersionPreRelease = ""
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Category ¶
type Category string
Category identifies the security scanning category a vulnerability belongs to ("sast", "dependency_scanning", etc.).
const (
    // CategorySast is the identifier for the "SAST" vulnerability category
    CategorySast Category = "sast"
    // CategoryDependencyScanning is the identifier for the "Dependency Scanning" vulnerability category
    CategoryDependencyScanning Category = "dependency_scanning"
    // CategoryContainerScanning is the identifier for the "Container Scanning" vulnerability category
    CategoryContainerScanning Category = "container_scanning"
    // CategorySecretDetection is the identifier for the "Secret Detection" vulnerability category
    CategorySecretDetection Category = "secret_detection"
    // CategoryCoverageFuzzing is the identifier for the "Coverage Fuzzing" vulnerability category
    CategoryCoverageFuzzing Category = "coverage_fuzzing"
)
type Commit ¶
type Commit struct {
    Author  string `json:"author,omitempty"`
    Date    string `json:"date,omitempty"`
    Message string `json:"message,omitempty"`
    Sha     string `json:"sha"`
}
Commit contains information about a commit (author, date, message, sha).
type ConfidenceLevel ¶
type ConfidenceLevel int
ConfidenceLevel is the vulnerability confidence level reported by scanner.
const (
    // ConfidenceLevelUndefined is a stub confidence value for the case when it was not reported by the scanner.
    ConfidenceLevelUndefined ConfidenceLevel = iota
    // ConfidenceLevelIgnore represents the "ignore" confidence level.
    ConfidenceLevelIgnore
    // ConfidenceLevelUnknown represents the "unknown" confidence level.
    ConfidenceLevelUnknown
    // ConfidenceLevelExperimental represents the "experimental" confidence level.
    ConfidenceLevelExperimental
    // ConfidenceLevelLow represents the "low" confidence level.
    ConfidenceLevelLow
    // ConfidenceLevelMedium represents the "medium" confidence level.
    ConfidenceLevelMedium
    // ConfidenceLevelHigh represents the "high" confidence level.
    ConfidenceLevelHigh
    // ConfidenceLevelConfirmed represents the "critical" or "confirmed" confidence level.
    ConfidenceLevelConfirmed
)
func ParseConfidenceLevel ¶
func ParseConfidenceLevel(s string) ConfidenceLevel
ParseConfidenceLevel parses a ConfidenceLevel value from its string representation.
func (ConfidenceLevel) MarshalJSON ¶
func (l ConfidenceLevel) MarshalJSON() ([]byte, error)
MarshalJSON converts a ConfidenceLevel value into the JSON representation
func (ConfidenceLevel) String ¶
func (l ConfidenceLevel) String() string
func (*ConfidenceLevel) UnmarshalJSON ¶
func (l *ConfidenceLevel) UnmarshalJSON(b []byte) error
UnmarshalJSON parses a ConfidenceLevel value from JSON representation
type Dependency ¶
type Dependency struct {
    // IID is a numerical identifier unique within a dependency file.
    IID uint `json:"iid,omitempty"`
    // Direct is true if this is a direct dependency of the scanned project,
    // and not a transitive dependency.
    Direct bool `json:"direct,omitempty"`
    // DependencyPath contains the IIDs of the ancestors in the dependency chain, if any.
    // It describes one possible path from one of the direct dependencies.
    // Direct dependencies have no dependency path.
    DependencyPath []DependencyRef `json:"dependency_path,omitempty"`
    Package        `json:"package,omitempty"`
    Version        string `json:"version,omitempty"`
}
Dependency contains the information about the software dependency (package details, version, etc.).
type DependencyFile ¶
type DependencyFile struct {
    Path           string         `json:"path"`            // Path relative to the repository root.
    PackageManager PackageManager `json:"package_manager"` // Package manager used to process this file.
    Dependencies   []Dependency   `json:"dependencies"`    // Dependencies explicitly listed or implicitly required by the file.
}
DependencyFile holds the dependency manifest file built by a particular package manager.
type DependencyRef ¶ added in v2.16.0
type DependencyRef struct {
IID uint `json:"iid"`
}
DependencyRef is a reference to a dependency.
type DependencyScanningVulnerability ¶
type DependencyScanningVulnerability struct {
Issue
}
DependencyScanningVulnerability can calculate some issue fields automatically.
func (DependencyScanningVulnerability) ToIssue ¶
func (v DependencyScanningVulnerability) ToIssue() Issue
ToIssue returns an issue where some fields are set automatically:
- CompareKey
- Message, when undefined
type Identifier ¶
type Identifier struct {
    Type  IdentifierType `json:"type"`          // Type of the identifier (CVE, CWE, VENDOR_X, etc.)
    Name  string         `json:"name"`          // Name of the identifier, for display purposes
    Value string         `json:"value"`         // Value of the identifier, for matching purposes
    URL   string         `json:"url,omitempty"` // URL of the identifier's documentation
}
Identifier holds reference and matching information about a concrete vulnerability.
func CVEIdentifier ¶
func CVEIdentifier(ID string) Identifier
CVEIdentifier returns a structured Identifier for a given CVE-ID. The given ID must follow this format: CVE-YYYY-NNNNN.
func CWEIdentifier ¶
func CWEIdentifier(ID int) Identifier
CWEIdentifier returns a structured Identifier for a given CWE ID. The given ID must follow this format: NNN (just the number, no prefix).
func ELSAIdentifier ¶
func ELSAIdentifier(ID string) Identifier
ELSAIdentifier returns a structured Identifier for a given ELSA-ID. The given ID must follow this format: ELSA-YYYY-NNNN(-N)?$
func H1Identifier ¶ added in v2.20.4
func H1Identifier(ID string) Identifier
H1Identifier returns a structured Identifier for a given HackerOne report. The given ID must follow this format: HACKERONE-XXXXXX. The HACKERONE prefix is an internal GitLab identifier and is ignored in the value field.
func OSVDBIdentifier ¶
func OSVDBIdentifier(ID string) Identifier
OSVDBIdentifier returns a structured Identifier for a given OSVDB-ID. The given ID must follow this format: OSVDB-XXXXXX.
func ParseIdentifierID ¶
func ParseIdentifierID(idStr string) (Identifier, bool)
ParseIdentifierID builds an Identifier of correct IdentifierType from a human-readable ID slug (e.g., "CWE-1", "WASC-01")
func RHSAIdentifier ¶
func RHSAIdentifier(ID string) Identifier
RHSAIdentifier returns a structured Identifier for a given RHSA-ID. The given ID must follow this format: RHSA-YYYY:NNNN.
func USNIdentifier ¶
func USNIdentifier(ID string) Identifier
USNIdentifier returns a structured Identifier for an Ubuntu Security Notice. The given ID must follow this format: USN-XXXXXX.
func WASCIdentifier ¶
func WASCIdentifier(ID int) Identifier
WASCIdentifier returns a structured Identifier for a given WASC-ID (Web Application Security Consortium vulnerability ID). The given ID must follow this format: NN (just the number, no prefix).
type IdentifierType ¶
type IdentifierType string
IdentifierType is the unique ID ("slug") of an identifier kind, bound to a particular vulnerability database (CVE, CWE, etc.).
const (
    // IdentifierTypeCVE is the identifier type for CVE IDs (https://cve.mitre.org/cve/)
    IdentifierTypeCVE IdentifierType = "cve"
    // IdentifierTypeCWE is the identifier type for CWE IDs (https://cwe.mitre.org/data/index.html)
    IdentifierTypeCWE IdentifierType = "cwe"
    // IdentifierTypeOSVDB is the identifier type for OSVDB IDs (https://cve.mitre.org/data/refs/refmap/source-OSVDB.html)
    IdentifierTypeOSVDB IdentifierType = "osvdb"
    // IdentifierTypeUSN is the identifier type for Ubuntu Security Notice IDs (https://usn.ubuntu.com/)
    IdentifierTypeUSN IdentifierType = "usn"
    // IdentifierTypeWASC is the identifier type for WASC IDs (http://projects.webappsec.org/Threat-Classification-Reference-Grid)
    IdentifierTypeWASC IdentifierType = "wasc"
    // IdentifierTypeRHSA is the identifier type for RHSA IDs (https://access.redhat.com/errata)
    IdentifierTypeRHSA IdentifierType = "rhsa"
    // IdentifierTypeELSA is the identifier type for Oracle Linux Security Data IDs (https://linux.oracle.com/security/)
    IdentifierTypeELSA IdentifierType = "elsa"
    // IdentifierTypeH1 is the identifier type for IDs in hackerone reports (https://api.hackerone.com/core-resources/#reports)
    IdentifierTypeH1 IdentifierType = "hackerone"
)
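The following is an added, self-contained example; it is not the package's code and does not import it. It shows a table-driven ParseIdentifierID that checks each slug against the ID formats documented above before returning a typed Identifier, and rejects anything it cannot classify. The regular expressions are derived from those formats, with CVE broadened to four or more digits and USN allowed an optional -N revision. The documentation URL patterns and the Name/Value convention (Name keeps the normalized slug, Value keeps the captured part) are assumptions made for illustration, not the package's behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// IdentifierType and Identifier mirror the documented types.
type IdentifierType string

const (
	IdentifierTypeCVE   IdentifierType = "cve"
	IdentifierTypeCWE   IdentifierType = "cwe"
	IdentifierTypeOSVDB IdentifierType = "osvdb"
	IdentifierTypeUSN   IdentifierType = "usn"
	IdentifierTypeWASC  IdentifierType = "wasc"
	IdentifierTypeRHSA  IdentifierType = "rhsa"
	IdentifierTypeELSA  IdentifierType = "elsa"
	IdentifierTypeH1    IdentifierType = "hackerone"
)

type Identifier struct {
	Type  IdentifierType `json:"type"`
	Name  string         `json:"name"`
	Value string         `json:"value"`
	URL   string         `json:"url,omitempty"`
}

// idFormat is one row of a hypothetical lookup table: an anchored pattern
// derived from the documented ID format, whose first capture group becomes
// Value, plus an assumed documentation URL pattern (%s = Value).
type idFormat struct {
	typ IdentifierType
	re  *regexp.Regexp
	url string
}

var idFormats = []idFormat{
	// CVE-YYYY-NNNNN; broadened to 4+ digits, which is what CVE IDs allow.
	{IdentifierTypeCVE, regexp.MustCompile(`^(CVE-\d{4}-\d{4,})$`), "https://cve.mitre.org/cgi-bin/cvename.cgi?name=%s"},
	// CWE-NNN: the prefix is display only, Value keeps the bare number.
	{IdentifierTypeCWE, regexp.MustCompile(`^CWE-(\d+)$`), "https://cwe.mitre.org/data/definitions/%s.html"},
	// WASC-NN: at most two digits, per the documented format.
	{IdentifierTypeWASC, regexp.MustCompile(`^WASC-(\d{1,2})$`), ""},
	{IdentifierTypeOSVDB, regexp.MustCompile(`^(OSVDB-\d+)$`), ""},
	// USN-NNNN with the optional -N revision that real notices carry.
	{IdentifierTypeUSN, regexp.MustCompile(`^(USN-\d+(?:-\d+)?)$`), "https://ubuntu.com/security/notices/%s"},
	{IdentifierTypeRHSA, regexp.MustCompile(`^(RHSA-\d{4}:\d{4})$`), "https://access.redhat.com/errata/%s"},
	{IdentifierTypeELSA, regexp.MustCompile(`^(ELSA-\d{4}-\d{4}(?:-\d)?)$`), "https://linux.oracle.com/errata/%s.html"},
	// HACKERONE-NNNNNN: the prefix is GitLab-internal and is not part of Value.
	{IdentifierTypeH1, regexp.MustCompile(`^HACKERONE-(\d+)$`), "https://hackerone.com/reports/%s"},
}

// ParseIdentifierID normalizes the slug, matches it against every known
// format and returns false for anything it cannot classify, so callers
// never end up with an Identifier of the wrong Type.
func ParseIdentifierID(idStr string) (Identifier, bool) {
	slug := strings.ToUpper(strings.TrimSpace(idStr))
	for _, f := range idFormats {
		m := f.re.FindStringSubmatch(slug)
		if m == nil {
			continue
		}
		id := Identifier{Type: f.typ, Name: slug, Value: m[1]}
		if f.url != "" {
			id.URL = fmt.Sprintf(f.url, m[1])
		}
		return id, true
	}
	return Identifier{}, false
}

// ParseAll splits a raw list into typed identifiers and rejected slugs;
// rejected ones should be surfaced rather than silently dropped.
func ParseAll(raw []string) (ids []Identifier, rejected []string) {
	for _, s := range raw {
		if id, ok := ParseIdentifierID(s); ok {
			ids = append(ids, id)
		} else {
			rejected = append(rejected, s)
		}
	}
	return ids, rejected
}

func main() {
	// Constructed input: three valid slugs and one junk value.
	ids, rejected := ParseAll([]string{"CWE-79", "cve-2021-44228", "HACKERONE-123456", "junk"})
	for _, id := range ids {
		fmt.Printf("%-9s name=%-16s value=%-16s url=%s\n", id.Type, id.Name, id.Value, id.URL)
	}
	fmt.Println("rejected:", rejected)
}
```

Rejecting unrecognized slugs matters because Value is the field used for matching: an identifier stored under the wrong Type, or with a prefix left in Value, silently breaks deduplication and vulnerability tracking across scans.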
type Issue ¶
type Issue struct {
    Category             Category        `json:"category"`                          // Category describes where this vulnerability belongs (SAST, Dependency Scanning, etc.)
    Name                 string          `json:"name,omitempty"`                    // Name of the vulnerability; this must not include occurrence-specific information.
    Message              string          `json:"message,omitempty"`                 // Message is a short text that describes the vulnerability; it may include occurrence-specific information.
    Description          string          `json:"description,omitempty"`             // Description is a long text that describes the vulnerability.
    CompareKey           string          `json:"cve"`                               // [DEPRECATED] CompareKey is a value used to establish whether two issues are the same. https://gitlab.com/gitlab-org/gitlab/-/issues/209850
    Severity             SeverityLevel   `json:"severity,omitempty"`                // Severity describes how much the vulnerability impacts the software.
    Confidence           ConfidenceLevel `json:"confidence,omitempty"`              // Confidence describes how reliable the vulnerability's assessment is.
    Solution             string          `json:"solution,omitempty"`                // Solution explains how to fix the vulnerability.
    RawSourceCodeExtract string          `json:"raw_source_code_extract,omitempty"` // RawSourceCodeExtract is an extract of the affected source code.
    Scanner              Scanner         `json:"scanner"`                           // Scanner identifies the analyzer.
    Location             Location        `json:"location"`                          // Location tells which class and/or method is affected by the vulnerability.
    Identifiers          []Identifier    `json:"identifiers"`                       // Identifiers are references that identify a vulnerability in internal or external DBs.
    Links                []Link          `json:"links,omitempty"`                   // Links are external documentation or articles that further describe the vulnerability.
}
Issue represents a generic vulnerability occurrence reported by a scanner. Note that the deprecated CompareKey is serialized under the JSON key "cve" for historical reasons; it is not a CVE ID. CVE references belong in Identifiers.
func Dedupe ¶
Dedupe removes duplicates from a given list of issues. Duplicates share the same location and at least one identifier. CWE IDs are ignored since these are used to classify the vulnerability rather than to identify it. The first duplicate in the list wins and the others are simply removed.
func (Issue) ID ¶
ID returns a hash combining all the fields of the vulnerability. This should be a randomly generated UUID, but currently it needs to be predictable because of limitations in the implementation of the klar and gemnasium analyzers.
func (Issue) MarshalJSON ¶
MarshalJSON adds an id field when encoding the issue.
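An added, self-contained example, not the package's code, that re-implements the documented Dedupe rule and a predictable Issue.ID over a trimmed model of the types above. The ID's input (SHA-256 over name, file, line range and the sorted identifiers) is an assumption chosen to make the point that the ID must be stable across runs; the page does not show what the package actually hashes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Trimmed model of the report types; the real structs carry many more fields.
type Identifier struct{ Type, Value string }
type Location struct {
	File               string
	LineStart, LineEnd int
}
type Issue struct {
	Name        string
	Location    Location
	Identifiers []Identifier
}

// ID follows the documented intent of Issue.ID: a predictable digest of the
// issue's fields, so re-running the same scan yields the same ID. The field
// set and encoding are assumptions for this example.
func (i Issue) ID() string {
	ids := make([]string, 0, len(i.Identifiers))
	for _, id := range i.Identifiers {
		ids = append(ids, strings.ToLower(id.Type)+":"+id.Value)
	}
	sort.Strings(ids) // order-independent: reordered identifiers give the same ID
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%d\x00%d\x00%s",
		i.Name, i.Location.File, i.Location.LineStart, i.Location.LineEnd, strings.Join(ids, "\x00"))
	return hex.EncodeToString(h.Sum(nil))
}

// matchKeys returns the identifiers that count when comparing two issues.
// CWE is skipped: it names a weakness class, not a concrete vulnerability, so
// two unrelated findings at one location may legitimately share it.
func matchKeys(i Issue) map[string]bool {
	keys := map[string]bool{}
	for _, id := range i.Identifiers {
		if t := strings.ToLower(id.Type); t != "cwe" {
			keys[t+":"+id.Value] = true
		}
	}
	return keys
}

// isDuplicate applies the documented rule: same location and at least one
// shared non-CWE identifier.
func isDuplicate(a, b Issue) bool {
	if a.Location != b.Location {
		return false
	}
	bk := matchKeys(b)
	for key := range matchKeys(a) {
		if bk[key] {
			return true
		}
	}
	return false
}

// Dedupe keeps the first issue of each duplicate group, in input order, and
// drops the later members.
func Dedupe(issues []Issue) []Issue {
	kept := []Issue{}
	for _, cand := range issues {
		dup := false
		for _, k := range kept {
			if isDuplicate(k, cand) {
				dup = true
				break
			}
		}
		if !dup {
			kept = append(kept, cand)
		}
	}
	return kept
}

// sampleIssues is constructed input, not real scanner output.
func sampleIssues() []Issue {
	loc := Location{"app/db.go", 10, 12}
	return []Issue{
		{"SQL injection", loc, []Identifier{{"cve", "CVE-2020-0001"}, {"cwe", "89"}}},
		{"Improper input validation", loc, []Identifier{{"cwe", "20"}}},                              // same place, CWE only: kept
		{"SQL injection (second rule)", loc, []Identifier{{"cve", "CVE-2020-0001"}}},                // same CVE and place: dropped
		{"SQL injection", Location{"app/other.go", 3, 3}, []Identifier{{"cve", "CVE-2020-0001"}}}, // other place: kept
	}
}

func main() {
	for _, i := range Dedupe(sampleIssues()) {
		fmt.Printf("%-28s %s:%d  id=%s\n", i.Name, i.Location.File, i.Location.LineStart, i.ID()[:12])
	}
}
```

One consequence of the rule worth checking in practice: an analyzer that emits only CWE identifiers gives Dedupe nothing to match on, so every occurrence survives, even when two rules flag the same line.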
type Link ¶
type Link struct {
    Name string `json:"name,omitempty"` // Name of the link (optional)
    URL  string `json:"url"`            // URL of the document (mandatory)
}
Link contains the hyperlink to the detailed information about a vulnerability.
type Location ¶
type Location struct {
    File              string `json:"file,omitempty"`               // File is the path relative to the search path.
    *Commit           `json:"commit,omitempty"`                    // Commit is the commit in which the vulnerability was detected.
    LineStart         int    `json:"start_line,omitempty"`         // LineStart is the first line of the affected code.
    LineEnd           int    `json:"end_line,omitempty"`           // LineEnd is the last line of the affected code.
    Class             string `json:"class,omitempty"`
    Method            string `json:"method,omitempty"`
    *Dependency       `json:"dependency,omitempty"`
    OperatingSystem   string `json:"operating_system,omitempty"`   // OperatingSystem is the operating system and optionally its version, separated by a colon: linux, debian:10, etc.
    Image             string `json:"image,omitempty"`              // Image is the name of the Docker image.
    CrashAddress      string `json:"crash_address,omitempty"`      // CrashAddress is the memory address where the crash occurred, used for coverage fuzzing.
    CrashType         string `json:"crash_type,omitempty"`         // CrashType is the type of the vulnerability/weakness (e.g. Heap-buffer-overflow).
    CrashState        string `json:"crash_state,omitempty"`        // CrashState is the normalized stacktrace.
    StacktraceSnippet string `json:"stacktrace_snippet,omitempty"` // StacktraceSnippet is the original stacktrace.
}
Location represents the location of the vulnerability occurrence, whether it is a source code line, a dependency package identifier, a container image, a crash site, or something else. Which fields are populated depends on the Category of the issue.
type Package ¶
type Package struct {
Name string `json:"name,omitempty"`
}
Package contains the information about the software dependency package.
type PackageManager ¶
type PackageManager string
PackageManager is a unique string identifier of the package manager.
type Ref ¶
type Ref struct {
    CompareKey string `json:"cve"` // [DEPRECATED] CompareKey of a vulnerability
    ID         string `json:"id"`  // ID of a vulnerability
}
Ref is a reference to a vulnerability occurrence in context of the remediation.
type Remediation ¶
type Remediation struct {
    Fixes   []Ref  `json:"fixes"`   // Refs to the fixed vulnerability occurrences
    Summary string `json:"summary"` // Overview of how the vulnerabilities have been fixed
    Diff    string `json:"diff"`    // Base64-encoded diff, compatible with "git apply"
}
Remediation holds the patch required to fix a set of vulnerability occurrences.
type Report ¶
type Report struct {
    Version         Version          `json:"version"`
    Vulnerabilities []Issue          `json:"vulnerabilities"`
    Remediations    []Remediation    `json:"remediations"`
    DependencyFiles []DependencyFile `json:"dependency_files,omitempty"`
    Scan            Scan             `json:"scan"`
    Analyzer        string           `json:"-"`
    Config          ruleset.Config   `json:"-"`
}
Report is the output of an analyzer.
func MergeReports ¶
MergeReports merges the given reports and brings them to the current syntax version.
func (*Report) ExcludePaths ¶
ExcludePaths excludes paths from vulnerabilities, remediations, and dependency files. It takes a predicate that returns true when the given path is to be excluded.
func (*Report) FilterDisabledRules ¶ added in v2.21.0
FilterDisabledRules removes vulnerabilities that have been disabled using rulesets
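An added example, not the package's code, of what ExcludePaths has to do to keep a report consistent when a path is excluded: drop the vulnerabilities and dependency files under that path, and also drop remediation refs that now point at a vulnerability the report no longer lists. The handling of remediations and the prefix-based predicate builder (excludePrefixes) are assumptions for this example; the page only states that paths are excluded from all three lists.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Trimmed model of the report; only the path-bearing fields are kept.
type Location struct{ File string }
type Issue struct {
	ID       string
	Location Location
}
type Ref struct{ ID string }
type Remediation struct {
	Fixes   []Ref
	Summary string
}
type DependencyFile struct{ Path string }
type Report struct {
	Vulnerabilities []Issue
	Remediations    []Remediation
	DependencyFiles []DependencyFile
}

// ExcludePaths drops vulnerabilities and dependency files whose path the
// predicate excludes. Refs to a dropped vulnerability are removed from the
// remediations, and a remediation left with no fixes is dropped too, so the
// report never carries a patch for a finding it no longer lists. That
// consistency rule is an assumption of this example.
func (r *Report) ExcludePaths(excluded func(p string) bool) {
	dropped := map[string]bool{}
	var vulns []Issue
	for _, v := range r.Vulnerabilities {
		if excluded(v.Location.File) {
			dropped[v.ID] = true
		} else {
			vulns = append(vulns, v)
		}
	}
	var rems []Remediation
	for _, rem := range r.Remediations {
		var fixes []Ref
		for _, f := range rem.Fixes {
			if !dropped[f.ID] {
				fixes = append(fixes, f)
			}
		}
		if len(fixes) > 0 {
			rems = append(rems, Remediation{Fixes: fixes, Summary: rem.Summary})
		}
	}
	var files []DependencyFile
	for _, f := range r.DependencyFiles {
		if !excluded(f.Path) {
			files = append(files, f)
		}
	}
	r.Vulnerabilities, r.Remediations, r.DependencyFiles = vulns, rems, files
}

// excludePrefixes builds a predicate from repository-relative prefixes such
// as "vendor/". Paths are cleaned first, so "./vendor/x" matches, and a path
// like "vendor/../app/main.go" is judged by where it really points.
func excludePrefixes(prefixes ...string) func(string) bool {
	return func(p string) bool {
		clean := path.Clean(p)
		for _, pre := range prefixes {
			if strings.HasPrefix(clean, pre) {
				return true
			}
		}
		return false
	}
}

// sampleReport is constructed input, not real scanner output.
func sampleReport() Report {
	return Report{
		Vulnerabilities: []Issue{
			{ID: "sqli-1", Location: Location{"app/db.go"}},
			{ID: "dep-1", Location: Location{"./vendor/lib/go.mod"}},
		},
		Remediations: []Remediation{
			{Fixes: []Ref{{"sqli-1"}}, Summary: "parameterise the query"},
			{Fixes: []Ref{{"dep-1"}}, Summary: "bump lib"},
		},
		DependencyFiles: []DependencyFile{{"go.mod"}, {"vendor/lib/go.mod"}},
	}
}

func main() {
	r := sampleReport()
	r.ExcludePaths(excludePrefixes("vendor/"))
	fmt.Printf("%d vulnerabilities, %d remediations, %d dependency files\n",
		len(r.Vulnerabilities), len(r.Remediations), len(r.DependencyFiles))
}
```

Cleaning the path before matching is the check to keep: exclusions are a policy decision, and a path that escapes the excluded directory through ".." must be evaluated against the directory it actually resolves to, not the prefix it starts with.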
type Scan ¶
type Scan struct {
    Scanner   ScannerDetails `json:"scanner"`              // Scanner is an object describing the scanner used to perform the scan.
    Type      Category       `json:"type"`                 // Type of the scan (container_scanning, dependency_scanning, dast, sast).
    StartTime *ScanTime      `json:"start_time,omitempty"` // StartTime is the time when the scan started.
    EndTime   *ScanTime      `json:"end_time,omitempty"`   // EndTime is the time when the scan ended.
    Status    Status         `json:"status,omitempty"`     // Status is the status of the scan, either `success` or `failure`. Hardcoded to `success` for now.
}
Scan describes the scan that produced the report: the scanner used, the scan type, when it started and ended, and its status.
type ScanTime ¶ added in v2.15.0
ScanTime is a custom time type formatted using the timeFormat.
func (*ScanTime) MarshalJSON ¶ added in v2.15.0
MarshalJSON converts the ScanTime value into a JSON string with the defined timeFormat
func (*ScanTime) UnmarshalJSON ¶ added in v2.15.0
UnmarshalJSON converts the JSON string with the defined timeFormat into a ScanTime value
type Scanner ¶
type Scanner struct {
    ID   string `json:"id"`   // ID of the scanner as a snake_case string (mandatory)
    Name string `json:"name"` // Name of the scanner, for display purposes (mandatory)
}
Scanner contains the identifying information about a security scanner.
type ScannerDetails ¶
type ScannerDetails struct {
    ID      string `json:"id"`            // Unique id that identifies the scanner
    Name    string `json:"name"`          // A human readable value that identifies the scanner, not required to be unique
    URL     string `json:"url,omitempty"` // A link to more information about the scanner
    Vendor  Vendor `json:"vendor"`        // The vendor/maintainer of the scanner
    Version string `json:"version"`       // The version of the scanner
}
ScannerDetails contains detailed information about the scanner.
func (ScannerDetails) String ¶
func (s ScannerDetails) String() string
type SeverityLevel ¶
type SeverityLevel int
SeverityLevel is the vulnerability severity level reported by scanner.
const (
    // SeverityLevelUndefined is a stub severity value for the case when it was not reported by the scanner.
    SeverityLevelUndefined SeverityLevel = iota
    // SeverityLevelInfo represents the "info" or "ignore" severity level.
    SeverityLevelInfo
    // SeverityLevelUnknown represents the "experimental" or "unknown" severity level.
    SeverityLevelUnknown
    // SeverityLevelLow represents the "low" severity level.
    SeverityLevelLow
    // SeverityLevelMedium represents the "medium" severity level.
    SeverityLevelMedium
    // SeverityLevelHigh represents the "high" severity level.
    SeverityLevelHigh
    // SeverityLevelCritical represents the "critical" severity level.
    SeverityLevelCritical
)
func ParseSeverityLevel ¶
func ParseSeverityLevel(s string) SeverityLevel
ParseSeverityLevel parses a SeverityLevel value from its string representation.
func (SeverityLevel) MarshalJSON ¶
func (l SeverityLevel) MarshalJSON() ([]byte, error)
MarshalJSON converts a SeverityLevel value into the JSON representation
func (SeverityLevel) String ¶
func (l SeverityLevel) String() string
func (*SeverityLevel) UnmarshalJSON ¶
func (l *SeverityLevel) UnmarshalJSON(b []byte) error
UnmarshalJSON parses a SeverityLevel value from JSON representation
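An added example, not the package's code, of the enum pattern behind SeverityLevel (and, with different names, ConfidenceLevel): int constants ordered by iota, a case-insensitive parser that honours the aliases given in the constant comments and falls back to Undefined, and JSON (un)marshalling to and from the string form. The capitalized JSON spellings, the rejection of numeric input, and the finding/atLeast helpers are assumptions for this example; the page does not show the package's exact strings.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type SeverityLevel int

const (
	SeverityLevelUndefined SeverityLevel = iota
	SeverityLevelInfo
	SeverityLevelUnknown
	SeverityLevelLow
	SeverityLevelMedium
	SeverityLevelHigh
	SeverityLevelCritical
)

// severityNames gives the JSON spelling; the capitalized form is an
// assumption of this example.
var severityNames = [...]string{"Undefined", "Info", "Unknown", "Low", "Medium", "High", "Critical"}

func (l SeverityLevel) String() string {
	if l < SeverityLevelUndefined || l > SeverityLevelCritical {
		return severityNames[SeverityLevelUndefined]
	}
	return severityNames[l]
}

// ParseSeverityLevel is case-insensitive and maps the documented aliases
// ("ignore" -> Info, "experimental" -> Unknown). Anything else becomes
// Undefined instead of an error, so one odd value does not reject a report.
func ParseSeverityLevel(s string) SeverityLevel {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "info", "ignore":
		return SeverityLevelInfo
	case "unknown", "experimental":
		return SeverityLevelUnknown
	case "low":
		return SeverityLevelLow
	case "medium":
		return SeverityLevelMedium
	case "high":
		return SeverityLevelHigh
	case "critical":
		return SeverityLevelCritical
	}
	return SeverityLevelUndefined
}

// MarshalJSON writes the level as its string name rather than the raw int.
func (l SeverityLevel) MarshalJSON() ([]byte, error) { return json.Marshal(l.String()) }

// UnmarshalJSON accepts only a JSON string; a number is rejected so that a
// raw int from another schema cannot be silently misread as a level.
func (l *SeverityLevel) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return fmt.Errorf("severity must be a JSON string, got %s", b)
	}
	*l = ParseSeverityLevel(s)
	return nil
}

// finding is a minimal stand-in for Issue. As in Issue, omitempty on an
// int-backed level means an Undefined (zero) severity is omitted from JSON.
type finding struct {
	Name     string        `json:"name"`
	Severity SeverityLevel `json:"severity,omitempty"`
}

func decodeFindings(raw string) ([]finding, error) {
	var out []finding
	err := json.Unmarshal([]byte(raw), &out)
	return out, err
}

// atLeast keeps findings at or above min. The iota ordering makes this a
// plain comparison, but note that Undefined and Unknown sort below Low, so
// any threshold silently hides them; decide explicitly what to do with them.
func atLeast(in []finding, min SeverityLevel) []finding {
	var out []finding
	for _, f := range in {
		if f.Severity >= min {
			out = append(out, f)
		}
	}
	return out
}

// sampleJSON is constructed input, not scanner output.
const sampleJSON = `[{"name":"sqli","severity":"Critical"},{"name":"xss","severity":"high"},{"name":"weird","severity":"bogus"},{"name":"nosev"}]`

func main() {
	fs, err := decodeFindings(sampleJSON)
	if err != nil {
		panic(err)
	}
	for _, f := range atLeast(fs, SeverityLevelHigh) {
		out, _ := json.Marshal(f)
		fmt.Println(string(out))
	}
}
```

The fallback to Undefined is deliberate: a scanner that emits an unexpected severity string still produces a loadable report, and the Undefined findings can then be reviewed rather than lost with the whole file.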
type Status ¶ added in v2.15.0
type Status string
Status represents the status of a scan, either `success` or `failure`
type Vendor ¶
type Vendor struct {
Name string `json:"name"` // The name of the vendor
}
Vendor is the vendor/maintainer of the scanner.
type Version ¶
Version represents the version of the report syntax. It matches a release of the Security Report Schemas, and is used for JSON schema validation. See https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/releases
func CurrentVersion ¶
func CurrentVersion() Version
CurrentVersion returns the current version of the report syntax.
func (Version) MarshalJSON ¶
MarshalJSON encodes a version to JSON.
func (*Version) UnmarshalJSON ¶
UnmarshalJSON decodes a version.