report

package module v6.1.0

This package is not in the latest version of its module.

Published: Aug 27, 2025 License: MIT Imports: 11 Imported by: 1

README

Analyzers Report Library

This repository contains Go code for implementing security scanners that generate GitLab Security reports.

In GitLab Rails, each report is validated against a JSON report schema before it is ingested.

The version of the report schema used by this library is specified in version.go.

Release Process

  1. Create and merge an MR which introduces new functionality.

    Ensure an entry exists in the CHANGELOG.md for the new version, for example v4.3.0.

  2. Create a new release in this project.

    1. For the Tag name (required) field, enter the new version from the CHANGELOG.md, for example v4.3.0, and click on Create tag v4.3.0.

    2. For the Release title field, enter the new version from the CHANGELOG.md, for example v4.3.0.

    3. In the Release notes field, enter the message from the CHANGELOG.md, for example:

      - Add `Identifier.Vendor` function to retrieve the canonical name for the vendor that created the identifier (!75)
      - Set default report version to `15.0.7`. This default should have changed as part of `v4.2.0`, but was not included. (!75)
      
    4. Press the Create release button.

Support

This is an internal package used for developing GitLab-specific features. This package is not meant for public consumption, and breaking changes might be introduced at any time. See publicly available internal tooling for more details.

Contributing

Contributions are welcome, see CONTRIBUTING.md for more details.

License

This code is distributed under the MIT Expat license, see the LICENSE file.

Documentation

Constants

const (
	// VersionMajor is the major number of the current version
	VersionMajor = 15
	// VersionMinor is the minor number of the current version
	VersionMinor = 2
	// VersionPatch is the patch number of the current version
	VersionPatch = 2
	// VersionPreRelease is the optional suffix for pre-releases
	VersionPreRelease = ""
)

const (
	EventTypeSastScanMetrics = "collect_sast_scan_metrics_from_pipeline"
)

Event type constants

const (
	// FlagTypeFP is used to signal a false positive
	FlagTypeFP = "flagged-as-likely-false-positive"
)

const (
	// ModeDifferential indicates a differential partial scan mode
	ModeDifferential string = "differential"
)

const VulnerabilityDescriptionMaxLengthBytes = 1048576

VulnerabilityDescriptionMaxLengthBytes defines the maximum length a description can be.

const VulnerabilityNameMaxLengthBytes = 255

VulnerabilityNameMaxLengthBytes defines the maximum length a name can be.

The value is referenced from the v15.x report schema, which is in turn referenced from the Rails app. Sources:
- https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.0.6/src/security-report-format.json#L412
- https://gitlab.com/gitlab-org/gitlab/-/blob/v15.11.4-ee/ee/app/models/ee/vulnerability.rb?ref_type=tags#L78

Variables

This section is empty.

Functions

func RegisterEventType

func RegisterEventType(eventName string, factory EventFactory)

RegisterEventType registers a new event type with its factory function

Types

type AnalyzerDetails

type AnalyzerDetails = ScannerDetails

AnalyzerDetails contains detailed information about the analyzer

type BaseEvent

type BaseEvent struct {
	Event string `json:"event"`
}

BaseEvent is a base event type that implements the common functionality

func (BaseEvent) Name

func (e BaseEvent) Name() string

Name returns the event type identifier

type CVSSRating

type CVSSRating struct {
	Vendor string `json:"vendor"`
	Vector string `json:"vector"`
}

CVSSRating contains a CVSS vector and the vendor that assigned the rating.

type Category

type Category string

Category is an identifier of the security scanning tool ("sast", "dependency_scanning", etc.)

const (
	// CategorySast is the identifier for "SAST" vulnerability category
	CategorySast Category = "sast"
	// CategoryDependencyScanning is the identifier for "Dependency Scanning" vulnerability category
	CategoryDependencyScanning Category = "dependency_scanning"
	// CategoryContainerScanning is the identifier for "Container Scanning" vulnerability category
	CategoryContainerScanning Category = "container_scanning"
	// CategorySecretDetection is the identifier for "Secret Detection" vulnerability category
	CategorySecretDetection Category = "secret_detection"
	// CategoryCoverageFuzzing is the identifier for "Coverage Fuzzing" vulnerability category
	CategoryCoverageFuzzing Category = "coverage_fuzzing"
	// CategoryClusterImageScanning is the identifier for "Cluster Image Scanning" vulnerability category
	CategoryClusterImageScanning = "cluster_image_scanning"
)

type Commit

type Commit struct {
	Author  string `json:"author,omitempty"`
	Date    string `json:"date,omitempty"`
	Message string `json:"message,omitempty"`
	Sha     string `json:"sha"`
}

Commit contains information about a commit (author, date, message, sha).

type ConfidenceLevel

type ConfidenceLevel int

ConfidenceLevel is the vulnerability confidence level reported by scanner.

const (
	// ConfidenceLevelUndefined is a stub confidence value for the case when it was not reported by scanner.
	ConfidenceLevelUndefined ConfidenceLevel = iota
	// ConfidenceLevelIgnore represents the "ignore" confidence level.
	ConfidenceLevelIgnore
	// ConfidenceLevelUnknown represents the "unknown" confidence level.
	ConfidenceLevelUnknown
	// ConfidenceLevelExperimental represents the "experimental" confidence level.
	ConfidenceLevelExperimental
	// ConfidenceLevelLow represents the "low" confidence level.
	ConfidenceLevelLow
	// ConfidenceLevelMedium represents the "medium" confidence level.
	ConfidenceLevelMedium
	// ConfidenceLevelHigh represents the "high" confidence level.
	ConfidenceLevelHigh
	// ConfidenceLevelConfirmed represents the "critical" or "confirmed" confidence level.
	ConfidenceLevelConfirmed
)

func ParseConfidenceLevel

func ParseConfidenceLevel(s string) ConfidenceLevel

ParseConfidenceLevel parses a ConfidenceLevel value from string

func (ConfidenceLevel) MarshalJSON

func (l ConfidenceLevel) MarshalJSON() ([]byte, error)

MarshalJSON converts a ConfidenceLevel value into the JSON representation

func (ConfidenceLevel) String

func (l ConfidenceLevel) String() string

func (*ConfidenceLevel) UnmarshalJSON

func (l *ConfidenceLevel) UnmarshalJSON(b []byte) error

UnmarshalJSON parses a ConfidenceLevel value from JSON representation

type Dependency

type Dependency struct {
	// Direct is true if this is a direct dependency of the scanned project,
	// and not a transient (or transitive) dependency.
	Direct bool `json:"direct,omitempty"`

	Package `json:"package,omitempty"`
	Version string `json:"version,omitempty"`
}

Dependency contains the information about the software dependency (package details, version, etc.).

type DependencyRef

type DependencyRef struct {
	IID uint `json:"iid"`
}

DependencyRef is a reference to a dependency.

type DependencyScanningVulnerability

type DependencyScanningVulnerability struct {
	Vulnerability
}

DependencyScanningVulnerability can calculate some vulnerability fields automatically.

func (DependencyScanningVulnerability) ToVulnerability

func (v DependencyScanningVulnerability) ToVulnerability() Vulnerability

ToVulnerability returns a vulnerability where some fields are set automatically: CompareKey, and Message when it is undefined.

type Details

type Details map[string]interface{}

Details contains properties which abide by the details attribute of the Secure Report Schemas: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json

type DetailsCodeFlowNodeField

type DetailsCodeFlowNodeField struct {
	NodeType     string                   `json:"node_type"`
	FileLocation DetailsFileLocationField `json:"file_location"`
}

DetailsCodeFlowNodeField stores a node in a code flow, represented by a file location and a node type https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L295

func (DetailsCodeFlowNodeField) MarshalJSON

func (d DetailsCodeFlowNodeField) MarshalJSON() ([]byte, error)

MarshalJSON turns a DetailsCodeFlowNodeField into a json object

type DetailsCodeFlowsField

type DetailsCodeFlowsField struct {
	Name  string                       `json:"name"`
	Items [][]DetailsCodeFlowNodeField `json:"items"`
}

DetailsCodeFlowsField stores an array of flows, represented by an ordered array of DetailsCodeFlowNodeField https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L323

func (DetailsCodeFlowsField) MarshalJSON

func (d DetailsCodeFlowsField) MarshalJSON() ([]byte, error)

MarshalJSON turns a DetailsCodeFlowsField into a json object

type DetailsFileLocationField

type DetailsFileLocationField struct {
	FileName  string `json:"file_name"`
	LineStart int    `json:"line_start"`
	LineEnd   int    `json:"line_end,omitempty"`
}

DetailsFileLocationField stores a file location detail type https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L248

func (DetailsFileLocationField) MarshalJSON

func (d DetailsFileLocationField) MarshalJSON() ([]byte, error)

MarshalJSON turns a DetailsFileLocationField into a json object

type DetailsTextField

type DetailsTextField struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

DetailsTextField stores a raw text detail type https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L125

func (DetailsTextField) MarshalJSON

func (d DetailsTextField) MarshalJSON() ([]byte, error)

MarshalJSON turns a DetailsTextField into a json object

type DetailsURLField

type DetailsURLField struct {
	Name string `json:"name"`
	Text string `json:"text"`
	Href string `json:"href"`
}

DetailsURLField stores a raw url detail type https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.1.3/src/vulnerability-details-format.json#L141

func (DetailsURLField) MarshalJSON

func (d DetailsURLField) MarshalJSON() ([]byte, error)

MarshalJSON turns a DetailsURLField into a json object

type Event

type Event interface {
	Name() string
}

Event is an interface for all event types

type EventFactory

type EventFactory func(json.RawMessage) (Event, error)

EventFactory is a function that creates an Event from raw JSON

type Flag

type Flag struct {
	Type        string `json:"type"`
	Origin      string `json:"origin"`
	Description string `json:"description"`
}

Flag contains information added by post-analyzers

type Identifier

type Identifier struct {
	Type  IdentifierType `json:"type"`          // Type of the identifier (CVE, CWE, VENDOR_X, etc.)
	Name  string         `json:"name"`          // Name of the identifier for display purpose
	Value string         `json:"value"`         // Value of the identifier for matching purpose
	URL   string         `json:"url,omitempty"` // URL to identifier's documentation
}

Identifier holds reference and matching information about a concrete vulnerability

func CVEIdentifier

func CVEIdentifier(ID string) Identifier

CVEIdentifier returns a structured Identifier for a given CVE-ID. The given ID must follow this format: CVE-YYYY-NNNNN

func CWEIdentifier

func CWEIdentifier(ID int) Identifier

CWEIdentifier returns a structured Identifier for a given CWE ID. The given ID must follow this format: NNN (just the number, no prefix)

func ELSAIdentifier

func ELSAIdentifier(ID string) Identifier

ELSAIdentifier returns a structured Identifier for a given ELSA-ID. The given ID must follow this format: ELSA-YYYY-NNNN(-N)?

func GHSAIdentifier

func GHSAIdentifier(ID string) Identifier

GHSAIdentifier returns a structured Identifier for a given GHSA-ID. The given ID must follow this format: GHSA-xxxx-xxxx-xxxx

func H1Identifier

func H1Identifier(ID string) Identifier

H1Identifier returns a structured Identifier for a given hackerone report. The given ID must follow this format: HACKERONE-XXXXXX. The HACKERONE prefix is an internal GitLab identifier and is ignored in the value field.

func OSVDBIdentifier

func OSVDBIdentifier(ID string) Identifier

OSVDBIdentifier returns a structured Identifier for a given OSVDB-ID. The given ID must follow this format: OSVDB-XXXXXX

func OWASPTop10Identifier

func OWASPTop10Identifier(ID string, desc string) Identifier

OWASPTop10Identifier returns a structured Identifier for a given OWASP Top10 Category. The given ID must follow this format: "NNN:XXXX", where "XXXX" is the year designation

func ParseIdentifierID

func ParseIdentifierID(idStr string) (Identifier, bool)

ParseIdentifierID builds an Identifier of correct IdentifierType from a human-readable ID slug (e.g., "CWE-1", "RHSA-01")

func RHSAIdentifier

func RHSAIdentifier(ID string) Identifier

RHSAIdentifier returns a structured Identifier for a given RHSA-ID. The given ID must follow this format: RHSA-YYYY:NNNN

func USNIdentifier

func USNIdentifier(ID string) Identifier

USNIdentifier returns a structured Identifier for a Ubuntu Security Notice. Given ID must follow this format: USN-XXXXXX.
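The constructors above each document an ID format but leave format checking to the caller. The following is an added example (not the library's own code) of validating raw scanner-emitted identifier slugs against those documented formats before they are placed in a report, so that a malformed identifier surfaces at report-build time rather than as a schema rejection in GitLab Rails. The Identifier struct, the idFormats table, ParseIdentifierSlug and ValidIdentifiers are this example's own names; the regular expressions are this example's reading of the formats documented on this page, and the sample slugs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Identifier is a local stand-in for the page's Identifier type (type slug,
// display name, matching value). Assumed shape, for this example only.
type Identifier struct {
	Type  string
	Name  string
	Value string
}

// idFormat pairs an identifier type slug (the page's IdentifierType values)
// with an anchored pattern derived from the documented ID format.
type idFormat struct {
	typ string
	re  *regexp.Regexp
}

// Patterns are this example's reading of the documented formats
// (CVE-YYYY-NNNNN, RHSA-YYYY:NNNN, ELSA-YYYY-NNNN(-N)?, GHSA-xxxx-xxxx-xxxx, ...).
var idFormats = []idFormat{
	{"cve", regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)},
	{"cwe", regexp.MustCompile(`^CWE-\d+$`)},
	{"ghsa", regexp.MustCompile(`^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$`)},
	{"rhsa", regexp.MustCompile(`^RHSA-\d{4}:\d{4}$`)},
	{"elsa", regexp.MustCompile(`^ELSA-\d{4}-\d{4}(-\d+)?$`)},
	{"usn", regexp.MustCompile(`^USN-\d+(-\d+)?$`)},
	{"osvdb", regexp.MustCompile(`^OSVDB-\d+$`)},
	{"hackerone", regexp.MustCompile(`^HACKERONE-\d+$`)},
}

// ParseIdentifierSlug classifies a human-readable ID slug into an Identifier,
// rejecting anything that does not match a documented format. Only the
// HACKERONE prefix is stripped from the value, as the page documents.
func ParseIdentifierSlug(slug string) (Identifier, bool) {
	s := strings.TrimSpace(slug)
	for _, f := range idFormats {
		if !f.re.MatchString(s) {
			continue
		}
		id := Identifier{Type: f.typ, Name: s, Value: s}
		if f.typ == "hackerone" {
			id.Value = strings.TrimPrefix(s, "HACKERONE-")
		}
		return id, true
	}
	return Identifier{}, false
}

// ValidIdentifiers filters a scanner's raw identifier strings, returning the
// parsed identifiers and the slugs that were rejected (for logging).
func ValidIdentifiers(slugs []string) ([]Identifier, []string) {
	var ok []Identifier
	var bad []string
	for _, s := range slugs {
		if id, matched := ParseIdentifierSlug(s); matched {
			ok = append(ok, id)
		} else {
			bad = append(bad, s)
		}
	}
	return ok, bad
}

func main() {
	// Constructed sample input: well-formed slugs mixed with malformed ones.
	ids, rejected := ValidIdentifiers([]string{
		"CVE-2024-12345", "CWE-79", "GHSA-abcd-ef12-3456",
		"HACKERONE-123456", "RHSA-2024:0001", "CVE-24-1", "cwe 79",
	})
	for _, id := range ids {
		fmt.Printf("%-10s name=%s value=%s\n", id.Type, id.Name, id.Value)
	}
	fmt.Println("rejected:", rejected)
}
```

Rejected slugs are returned rather than silently dropped so an analyzer can log them; a finding that loses all of its identifiers also loses the key that Dedupe relies on, which is worth noticing in CI output.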

func (Identifier) Vendor

func (i Identifier) Vendor() string

Vendor returns the canonical name of the vendor that assigned the vulnerability identifier.

type IdentifierType

type IdentifierType string

IdentifierType is the unique ID ("slug") of an identifier kind bound to a certain vulnerability database (CVE, CWE, etc.)

const (
	// IdentifierTypeCVE is the identifier type for CVE IDs (https://cve.mitre.org/cve/)
	IdentifierTypeCVE IdentifierType = "cve"
	// IdentifierTypeCWE is the identifier type for CWE IDs (https://cwe.mitre.org/data/index.html)
	IdentifierTypeCWE IdentifierType = "cwe"
	// IdentifierTypeOWASPTop10 is the identifier type for OWASP Top10 IDs (https://owasp.org/Top10)
	IdentifierTypeOWASPTop10 IdentifierType = "owasp"
	// IdentifierTypeOSVDB is the identifier type for OSVDB IDs (https://cve.mitre.org/data/refs/refmap/source-OSVDB.html)
	IdentifierTypeOSVDB IdentifierType = "osvdb"
	// IdentifierTypeUSN is the identifier type for Ubuntu Security Notice IDs (https://usn.ubuntu.com/)
	IdentifierTypeUSN IdentifierType = "usn"

	// IdentifierTypeRHSA is the identifier type for RHSA IDs (https://access.redhat.com/errata)
	IdentifierTypeRHSA IdentifierType = "rhsa"

	// IdentifierTypeGHSA is the identifier type for GHSA IDs (https://github.com/advisories)
	IdentifierTypeGHSA IdentifierType = "ghsa"

	// IdentifierTypeELSA is the identifier type for Oracle Linux Security Data IDs (https://linux.oracle.com/security/)
	IdentifierTypeELSA IdentifierType = "elsa"

	// IdentifierTypeH1 is the identifier type for IDs in hackerone reports (https://api.hackerone.com/core-resources/#reports)
	IdentifierTypeH1 IdentifierType = "hackerone"
)

type KubernetesResource

type KubernetesResource struct {
	// Namespace is the Kubernetes namespace the object resides in.
	Namespace string `json:"namespace"`

	// Name is the Kubernetes object's name
	Name string `json:"name"`

	// Kind is the object's Kubernetes kind (e.g. DaemonSet).
	Kind string `json:"kind"`

	// Container is the name of the container which had its image scanned.
	ContainerName string `json:"container_name"`

	// AgentID is the ID of the GitLab Kubernetes agent which
	// was used to perform this scan. It should be present if
	// there is no ClusterID.
	AgentID string `json:"agent_id,omitempty"`

	// ClusterID is the ID of the Kubernetes Cluster when
	// the scan is performed using GitLab Kubernetes Integration.
	// It should be present if there is no AgentID.
	ClusterID string `json:"cluster_id,omitempty"`
}

KubernetesResource contains location information for an object in a Kubernetes cluster. https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/

type Link

type Link struct {
	Name string `json:"name,omitempty"` // Name of the link (optional)
	URL  string `json:"url"`            // URL of the document (mandatory)
}

Link contains the hyperlink to the detailed information about a vulnerability.

func NewLinks

func NewLinks(urls ...string) []Link

NewLinks generates new Link objects slice from the list of URLs.

type Location

type Location struct {
	File                string                    `json:"file,omitempty"` // File is the path relative to the search path.
	*Commit             `json:"commit,omitempty"` // Commit is the commit in which the vulnerability was detected
	LineStart           int                       `json:"start_line,omitempty"` // LineStart is the first line of the affected code.
	LineEnd             int                       `json:"end_line,omitempty"`   // LineEnd is the last line of the affected code.
	Class               string                    `json:"class,omitempty"`
	Method              string                    `json:"method,omitempty"`
	*Dependency         `json:"dependency,omitempty"`
	OperatingSystem     string `json:"operating_system,omitempty"`   // OperatingSystem is the operating system and optionally its version, separated by a semicolon: linux, debian:10, etc
	Image               string `json:"image,omitempty"`              // Name of the Docker image
	CrashAddress        string `json:"crash_address,omitempty"`      // CrashAddress is the memory address where the crash occurred, used for coverage fuzzing
	CrashType           string `json:"crash_type,omitempty"`         // CrashType is the type of the vulnerability/weakness (i.e Heap-buffer-overflow)
	CrashState          string `json:"crash_state,omitempty"`        // CrashState (normalized stacktrace)
	StacktraceSnippet   string `json:"stacktrace_snippet,omitempty"` // StacktraceSnippet is the original stacktrace
	*KubernetesResource `json:"kubernetes_resource,omitempty"`
}

Location represents the location of the vulnerability occurrence, whether it is a source code line, a dependency package identifier, or something else.

type Observability

type Observability struct {
	Events []Event `json:"events"`
}

Observability is a container for multiple events

func (*Observability) UnmarshalJSON

func (o *Observability) UnmarshalJSON(data []byte) error

UnmarshalJSON implements custom JSON unmarshaling for Observability

type Package

type Package struct {
	Name string `json:"name,omitempty"`
}

Package contains the information about the software dependency package.

type PartialScanType

type PartialScanType struct {
	Mode string `json:"mode"`
}

PartialScanType represents the type of partial scan that was performed

type Ref

type Ref struct {
	CompareKey string `json:"cve,omitempty"` // [DEPRECATED] CompareKey of a vulnerability
	ID         string `json:"id"`            // ID of a vulnerability
}

Ref is a reference to a vulnerability occurrence in context of the remediation.

func NewRef

func NewRef(vuln Vulnerability) Ref

NewRef creates a reference to a vulnerability.

type Remediation

type Remediation struct {
	Fixes   []Ref  `json:"fixes"`   // Refs to fixed vulnerability occurrences
	Summary string `json:"summary"` // Overview of how the vulnerabilities have been fixed
	Diff    string `json:"diff"`    // Base64 encoded diff, compatible with "git apply"
}

Remediation holds the patch required to fix a set of vulnerability occurrences.

type Report

type Report struct {
	Version         Version         `json:"version"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
	Remediations    []Remediation   `json:"remediations,omitempty"`
	Scan            Scan            `json:"scan"`
	Analyzer        string          `json:"-"`
	Config          ruleset.Config  `json:"-"`
}

Report is the output of an analyzer.

func NewReport

func NewReport() Report

NewReport creates a new report in current version.

func (*Report) ApplyReportOverrides

func (r *Report) ApplyReportOverrides(rulesetConfig *ruleset.Config)

ApplyReportOverrides applies customer-supplied rulesets to override vulnerabilities

func (*Report) Dedupe

func (r *Report) Dedupe()

Dedupe removes duplicates from vulnerabilities

func (*Report) ExcludePaths

func (r *Report) ExcludePaths(isExcluded func(string) bool)

ExcludePaths excludes paths from vulnerabilities and remediations. It takes a function that returns true when the given path is excluded.

func (*Report) FilterDisabledRules

func (r *Report) FilterDisabledRules(rulesetConfig *ruleset.Config)

FilterDisabledRules removes vulnerabilities and identifiers that have been disabled using rulesets

func (*Report) Sort

func (r *Report) Sort()

Sort sorts the Vulnerabilities and Remediations.

func (*Report) TruncateTextFields

func (r *Report) TruncateTextFields()

TruncateTextFields ensures that the report fields don't exceed the maximum allowed length
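The limits are named in bytes (VulnerabilityNameMaxLengthBytes = 255, VulnerabilityDescriptionMaxLengthBytes = 1048576), and a byte-indexed cut of a Go string can land in the middle of a multi-byte rune, producing a name that is no longer valid UTF-8 and may be rejected downstream. The following is an added example (not the library's own implementation of TruncateTextFields) showing a truncation that respects rune boundaries; the reduced Vulnerability struct, TruncateUTF8 and this TruncateTextFields are this example's own names, the two constants are copied from the page, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Limits copied from the page's constants.
const (
	VulnerabilityNameMaxLengthBytes        = 255
	VulnerabilityDescriptionMaxLengthBytes = 1048576
)

// Vulnerability is a minimal stand-in for the page's type, carrying only the
// two text fields this example truncates (assumed shape, example only).
type Vulnerability struct {
	Name        string
	Description string
}

// TruncateUTF8 cuts s to at most maxBytes bytes without splitting a multi-byte
// rune, so the result is still valid UTF-8 (a plain s[:maxBytes] is not).
func TruncateUTF8(s string, maxBytes int) string {
	if len(s) <= maxBytes {
		return s
	}
	cut := maxBytes
	// Walk back to the start byte of the rune that straddles the limit.
	for cut > 0 && !utf8.RuneStart(s[cut]) {
		cut--
	}
	return s[:cut]
}

// TruncateTextFields applies the page's limits to the name and description
// and reports whether anything was cut, so callers can log it.
func TruncateTextFields(v *Vulnerability) bool {
	name := TruncateUTF8(v.Name, VulnerabilityNameMaxLengthBytes)
	desc := TruncateUTF8(v.Description, VulnerabilityDescriptionMaxLengthBytes)
	changed := name != v.Name || desc != v.Description
	v.Name, v.Description = name, desc
	return changed
}

func main() {
	// Constructed input: 254 ASCII bytes followed by a two-byte rune, 256 bytes in total.
	v := Vulnerability{
		Name:        strings.Repeat("a", 254) + "é",
		Description: strings.Repeat("x", 10),
	}
	changed := TruncateTextFields(&v)
	fmt.Printf("changed=%v name_bytes=%d valid_utf8=%v\n",
		changed, len(v.Name), utf8.ValidString(v.Name))
}
```

The walk-back drops the straddling rune entirely, so the result can be up to three bytes shorter than the limit; that is the intended trade-off, since a shorter valid name is always acceptable to a schema that validates string content, while an invalid byte sequence may not be.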

type SastScanMetricsEvent

type SastScanMetricsEvent struct {
	BaseEvent                     // Embed the base event to inherit the Name() method
	Property               string `json:"property"`                  // A UUID that identifies a scan
	Label                  string `json:"label"`                     // Name of the analyzer
	Value                  int    `json:"value"`                     // Exit status of the analyzer where 0 indicates success and 1 indicates error
	Version                string `json:"version"`                   // Version of the analyzer
	ExitCode               int    `json:"exit_code"`                 // Exit code of the analyzer
	OverrideCount          int    `json:"override_count"`            // Number of configured overrides
	PassthroughCount       int    `json:"passthrough_count"`         // Number of configured passthroughs
	CustomExcludePathCount int    `json:"custom_exclude_path_count"` // Captures whether or not users configured custom exclude paths
	TimeS                  int    `json:"time_s"`                    // Scan time duration in seconds
	FileCount              int    `json:"file_count"`                // Project size in terms of number of files

	LanguageFeatureUsage string `json:"language_feature_usage,omitempty"` // A JSON string that encodes a map of file types to language feature usage counts
}

SastScanMetricsEvent represents a SAST scan metrics event

func NewSastScanMetricsEvent

func NewSastScanMetricsEvent() SastScanMetricsEvent

NewSastScanMetricsEvent creates a new SAST scan metrics event with the proper event type set

type Scan

type Scan struct {
	Analyzer           AnalyzerDetails  `json:"analyzer"`                      // Analyzer describes the analyzer tool which wraps the scanner
	Scanner            ScannerDetails   `json:"scanner"`                       // Scanner is an Object defining the scanner used to perform the scan
	PrimaryIdentifiers []Identifier     `json:"primary_identifiers,omitempty"` // PrimaryIdentifiers identify all rule identifiers for which scan was executed.
	Type               Category         `json:"type"`                          // Type of the scan (container_scanning, dependency_scanning, dast, sast)
	StartTime          *ScanTime        `json:"start_time,omitempty"`          // StartTime is the time when the scan started
	EndTime            *ScanTime        `json:"end_time,omitempty"`            // EndTime is the time when the scan ended
	Status             Status           `json:"status,omitempty"`              // Status is the status of the scan, either `success` or `failure`. Status is `success` if no errors are encountered while converting the report, `failure` otherwise
	Observability      *Observability   `json:"observability,omitempty"`       // Include SAST metrics
	PartialScan        *PartialScanType `json:"partial_scan,omitempty"`        // PartialScan indicates whether this scan is partial
}

Scan contains the identifying information about a security scanner.

type ScanTime

type ScanTime time.Time

ScanTime is a custom time type formatted using the timeFormat

func (*ScanTime) MarshalJSON

func (st *ScanTime) MarshalJSON() ([]byte, error)

MarshalJSON converts the ScanTime value into a JSON string with the defined timeFormat

func (*ScanTime) String

func (st *ScanTime) String() string

func (*ScanTime) UnmarshalJSON

func (st *ScanTime) UnmarshalJSON(data []byte) error

UnmarshalJSON converts the JSON string with the defined timeFormat into a ScanTime value. Unmarshalling is only used by tracking-calculator, since it needs to read the report JSON and insert additional details. See https://gitlab.com/gitlab-org/security-products/post-analyzers/tracking-calculator/-/blob/ec10c39ba5a8589c101f5c923fce80827164bd2d/clicmds/query.go#L62

type Scanner

type Scanner struct {
	ID   string `json:"id"`   // Id of the scanner as a snake_case string (mandatory)
	Name string `json:"name"` // Name of the scanner, for display purpose (mandatory)
}

Scanner contains the identifying information about a security scanner.

type ScannerDetails

type ScannerDetails struct {
	ID      string `json:"id"`            // Unique id that identifies the scanner
	Name    string `json:"name"`          // A human readable value that identifies the scanner, not required to be unique
	URL     string `json:"url,omitempty"` // A link to more information about the scanner
	Vendor  Vendor `json:"vendor"`        // The vendor/maintainer of the scanner
	Version string `json:"version"`       // The version of the scanner
}

ScannerDetails contains detailed information about the scanner

func (ScannerDetails) String

func (s ScannerDetails) String() string

type SeverityLevel

type SeverityLevel int

SeverityLevel is the vulnerability severity level reported by scanner.

const (
	// SeverityLevelUndefined is a stub severity value for the case when it was not reported by scanner.
	SeverityLevelUndefined SeverityLevel = iota
	// SeverityLevelInfo represents the "info" or "ignore" severity level.
	SeverityLevelInfo
	// SeverityLevelUnknown represents the "experimental" or "unknown" severity level.
	SeverityLevelUnknown
	// SeverityLevelLow represents the "low" severity level.
	SeverityLevelLow
	// SeverityLevelMedium represents the "medium" severity level.
	SeverityLevelMedium
	// SeverityLevelHigh represents the "high" severity level.
	SeverityLevelHigh
	// SeverityLevelCritical represents the "critical" severity level.
	SeverityLevelCritical
)

func ParseSeverityLevel

func ParseSeverityLevel(s string) SeverityLevel

ParseSeverityLevel parses a SeverityLevel value from string

func (SeverityLevel) MarshalJSON

func (l SeverityLevel) MarshalJSON() ([]byte, error)

MarshalJSON converts a SeverityLevel value into the JSON representation

func (SeverityLevel) String

func (l SeverityLevel) String() string

func (*SeverityLevel) UnmarshalJSON

func (l *SeverityLevel) UnmarshalJSON(b []byte) error

UnmarshalJSON parses a SeverityLevel value from JSON representation

type Status

type Status string

Status represents the status of a scan, either `success` or `failure`

const (
	// StatusSuccess is the identifier for a successful scan
	StatusSuccess Status = "success"
	// StatusFailure is the identifier for a failed scan
	StatusFailure Status = "failure"
)

type Tracking

type Tracking struct {
	Type  string         `json:"type"`
	Items []TrackingItem `json:"items"`
}

Tracking provides scoping information

type TrackingItem

type TrackingItem struct {
	File       string              `json:"file,omitempty"`
	LineStart  int                 `json:"line_start,omitempty"`
	LineEnd    int                 `json:"line_end,omitempty"`
	Signatures []TrackingSignature `json:"signatures"`
}

TrackingItem captures the vulnerability item (position)

type TrackingSignature

type TrackingSignature struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}

TrackingSignature contains the details about the fingerprinting algorithm

type Vendor

type Vendor struct {
	Name string `json:"name"` // The name of the vendor
}

Vendor is the vendor/maintainer of the scanner

type Version

type Version struct {
	Major      uint
	Minor      uint
	Patch      uint
	PreRelease string
}

Version represents the version of the report syntax. It matches a release of the Security Report Schemas, and is used for JSON schema validation. See https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/releases

func CurrentVersion

func CurrentVersion() Version

CurrentVersion returns the current version of the report syntax.

func (Version) MarshalJSON

func (v Version) MarshalJSON() ([]byte, error)

MarshalJSON encodes a version to JSON.

func (Version) String

func (v Version) String() string

String turns the version into a "MAJOR.MINOR" string.

func (*Version) UnmarshalJSON

func (v *Version) UnmarshalJSON(b []byte) error

UnmarshalJSON decodes a version.

type Vulnerability

type Vulnerability struct {
	Category             Category        `json:"category,omitempty"`                // [DEPRECATED] Category describes where this vulnerability belongs (SAST, Dependency Scanning, etc...)
	Name                 string          `json:"name,omitempty"`                    // Name of the vulnerability, this must not include occurrence's specific information.
	Message              string          `json:"message,omitempty"`                 // Message is a short text that describes the vulnerability, it may include occurrence's specific information.
	Description          string          `json:"description,omitempty"`             // Description is a long text that describes the vulnerability.
	CompareKey           string          `json:"cve,omitempty"`                     // [DEPRECATED] CompareKey is a value used to establish whether two vulnerabilities are the same. https://gitlab.com/gitlab-org/gitlab/-/issues/209850
	Severity             SeverityLevel   `json:"severity,omitempty"`                // Severity describes how much the vulnerability impacts the software.
	Confidence           ConfidenceLevel `json:"confidence,omitempty"`              // [DEPRECATED] Confidence describes how reliable the vulnerability's assessment is
	Solution             string          `json:"solution,omitempty"`                // Solution explains how to fix the vulnerability.
	RawSourceCodeExtract string          `json:"raw_source_code_extract,omitempty"` // RawSourceCodeExtract is an extract of the affected source code
	Scanner              *Scanner        `json:"scanner,omitempty"`                 // [DEPRECATED] Scanner identifies the analyzer.
	Location             Location        `json:"location"`                          // Location tells which class and/or method is affected by the vulnerability.
	Flags                []Flag          `json:"flags,omitempty"`                   // Flags are used for post-analyzer processing
	Identifiers          []Identifier    `json:"identifiers"`                       // Identifiers are references that identify a vulnerability on internal or external DBs.
	CVSSRatings          []CVSSRating    `json:"cvss_vectors,omitempty"`            // CVSSRatings provide context about the risk, impact and severity of a vulnerability. Different vendors may score the Vulnerability differently. Thus, we provide all known vectors for completeness.
	Links                []Link          `json:"links,omitempty"`                   // Links are external documentations or articles that further describe the vulnerability.
	Tracking             *Tracking       `json:"tracking,omitempty"`
	Details              *Details        `json:"details,omitempty"`
}

Vulnerability represents a generic vulnerability occurrence reported by scanner.

func Dedupe

func Dedupe(vulnerabilities ...Vulnerability) []Vulnerability

Dedupe removes duplicates from a given list of vulnerabilities. Duplicates share the same location and at least one identifier. CWE ids are ignored since these are used to classify the vulnerability. The first duplicate in the list wins and the others are simply removed.
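The rule above (same location, at least one shared identifier, CWE ids excluded, first occurrence wins) is easy to get subtly wrong, in particular around findings that carry only CWE identifiers. The following is an added example (not the library's Dedupe) that implements the rule as stated on this page; the reduced Identifier, Location and Vulnerability structs, dedupeKey and dedupeKeys are this example's own names, and the sample findings are constructed.

```go
package main

import "fmt"

// Local stand-ins for the page's types, reduced to the fields the rule needs.
type Identifier struct {
	Type  string // "cve", "cwe", "ghsa", ...
	Value string
}

// Location is comparable, so it can be part of a map key directly.
type Location struct {
	File      string
	LineStart int
	LineEnd   int
	Package   string // dependency package name, if any
}

type Vulnerability struct {
	Name        string
	Location    Location
	Identifiers []Identifier
}

// dedupeKey binds one non-CWE identifier to the location it was reported at.
type dedupeKey struct {
	loc Location
	id  Identifier
}

// dedupeKeys returns one key per non-CWE identifier. CWE ids are skipped
// because they classify a weakness rather than identify a finding, so two
// different findings at one location may legitimately share a CWE.
func dedupeKeys(v Vulnerability) []dedupeKey {
	var keys []dedupeKey
	for _, id := range v.Identifiers {
		if id.Type == "cwe" {
			continue
		}
		keys = append(keys, dedupeKey{loc: v.Location, id: id})
	}
	return keys
}

// Dedupe keeps the first occurrence and drops any later vulnerability that has
// the same location and shares at least one non-CWE identifier with a kept one.
// A finding with only CWE identifiers yields no keys and is never a duplicate.
func Dedupe(vulns []Vulnerability) []Vulnerability {
	seen := make(map[dedupeKey]struct{})
	out := make([]Vulnerability, 0, len(vulns))
	for _, v := range vulns {
		keys := dedupeKeys(v)
		dup := false
		for _, k := range keys {
			if _, ok := seen[k]; ok {
				dup = true
				break
			}
		}
		if dup {
			continue
		}
		// Only kept entries register their keys, so later findings are compared
		// against survivors rather than against entries already dropped.
		for _, k := range keys {
			seen[k] = struct{}{}
		}
		out = append(out, v)
	}
	return out
}

func main() {
	// Constructed sample: four findings, two of which collide on location + CVE.
	loc := Location{File: "app/handler.go", LineStart: 42, LineEnd: 42}
	cve := Identifier{Type: "cve", Value: "CVE-2024-12345"}
	cwe := Identifier{Type: "cwe", Value: "CWE-79"}
	sample := []Vulnerability{
		{Name: "first", Location: loc, Identifiers: []Identifier{cve, cwe}},
		{Name: "cwe-only", Location: loc, Identifiers: []Identifier{cwe}},
		{Name: "same-cve", Location: loc, Identifiers: []Identifier{cve}},
		{Name: "other-file", Location: Location{File: "b.go", LineStart: 1, LineEnd: 1}, Identifiers: []Identifier{cve}},
	}
	for _, v := range Dedupe(sample) {
		fmt.Println("kept:", v.Name)
	}
}
```

Because only survivors register keys, the result depends on input order exactly as the doc comment says: whichever finding comes first is the one retained, so call Sort before Dedupe if stable, reproducible reports matter.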

func (Vulnerability) ID

func (i Vulnerability) ID() string

ID returns a hash combining all the fields of the vulnerability. This should be a randomly generated UUID but currently it needs to be predictable because of limitations in the implementation of klar and gemnasium analyzers.

func (Vulnerability) MarshalJSON

func (i Vulnerability) MarshalJSON() ([]byte, error)

MarshalJSON adds an id field when encoding the vulnerability.
