Documentation

Index
- Constants
- func NamespaceForDistro(d *distro.Distro) string
- func NamespaceForFeedGroup(feed, group string) (string, error)
- func NamespacePackageNamersForLanguage(l syftPkg.Language) map[string]NamerByPackage
- func NamespacesIndexedByCPE() []string
- func RecordSource(feed, group string) string
- type Advisory
- type Cvss
- type CvssMetrics
- type Fix
- type FixState
- type ID
- type IDReader
- type IDWriter
- type NamerByPackage
- type Vulnerability
- type VulnerabilityMetadata
- type VulnerabilityMetadataStore
- type VulnerabilityMetadataStoreReader
- type VulnerabilityMetadataStoreWriter
- type VulnerabilityReference
- type VulnerabilityStore
- type VulnerabilityStoreReader
- type VulnerabilityStoreWriter
Constants
const (
	NVDNamespace        = "nvd"
	MSRCNamespacePrefix = "msrc"
	VulnDBNamespace     = "vulndb"
)
const SchemaVersion = 3
const VulnerabilityStoreFileName = "vulnerability.db"
Variables
This section is empty.
Functions
func NamespaceForDistro
func NamespaceForDistro(d *distro.Distro) string
NamespaceForDistro returns the correct Feed Service namespace for the given distro. A namespace is a distinct identifier from the Feed Service, and it can be a combination of distro name and version(s), for example "amzn:8". This is critical for querying the database and correlating the distro version with feed contents. Namespaces have to exist in the Feed Service; otherwise no results are returned when the database is queried.
func NamespaceForFeedGroup
func NamespaceForFeedGroup(feed, group string) (string, error)
func NamespacePackageNamersForLanguage
func NamespacePackageNamersForLanguage(l syftPkg.Language) map[string]NamerByPackage
func NamespacesIndexedByCPE
func NamespacesIndexedByCPE() []string
func RecordSource
func RecordSource(feed, group string) string
Types
type Advisory
Advisory represents published statements regarding a vulnerability (and potentially about its resolution).
type Cvss
type Cvss struct {
	// VendorMetadata captures non-standard CVSS fields that vendors can sometimes
	// include when providing CVSS information. This vendor-specific metadata type
	// allows that data to be captured and persisted into the database.
	VendorMetadata interface{}
	Metrics        CvssMetrics
	Vector         string // A textual representation of the metric values used to determine the score
	Version        string // The version of the CVSS spec, for example 2.0, 3.0, or 3.1
}
Cvss contains select Common Vulnerability Scoring System fields for a vulnerability.
type CvssMetrics
type CvssMetrics struct {
	// BaseScore ranges from 0 to 10 and defines qualities intrinsic to the severity of a vulnerability.
	BaseScore float64
	// ExploitabilityScore is a pointer to avoid having a 0 value by default.
	// It is an indicator of how easy it may be for an attacker to exploit
	// a vulnerability.
	ExploitabilityScore *float64
	// ImpactScore represents the effects of an exploited vulnerability
	// relative to compromise in confidentiality, integrity, and availability.
	// It is an optional parameter, which is why it is a pointer instead of
	// a regular field.
	ImpactScore *float64
}
CvssMetrics are the quantitative values that make up a CVSS score.
func NewCvssMetrics
func NewCvssMetrics(baseScore, exploitabilityScore, impactScore float64) CvssMetrics
type Fix
type Fix struct {
	Versions []string // The version(s) in which this particular vulnerability was fixed
	State    FixState
}
Fix represents all information about known fixes for a stated vulnerability.
type ID
type ID struct {
	// BuildTimestamp is the timestamp used to define the age of the DB, ideally including the age of the data
	// contained in the DB, not just when the DB file was created.
	BuildTimestamp time.Time
	SchemaVersion  int
}
ID represents identifying information for a DB and the data it contains.
type NamerByPackage
type Vulnerability
type Vulnerability struct {
	ID                     string                   // The identifier of the vulnerability or advisory
	PackageName            string                   // The name of the package that is vulnerable
	Namespace              string                   // The ecosystem where the package resides
	VersionConstraint      string                   // The version range in which the given package is vulnerable
	VersionFormat          string                   // The format in which all version fields should be interpreted
	CPEs                   []string                 // The CPEs which are considered vulnerable
	RelatedVulnerabilities []VulnerabilityReference // Other vulnerabilities that are related to this one (e.g. a GHSA relates to CVEs, or a distro CVE relates to the NVD record)
	Fix                    Fix                      // All information about fixed versions
	Advisories             []Advisory               // Any vendor advisories about fixes or other notifications about this vulnerability
}
Vulnerability represents the minimum data fields necessary to perform package-to-vulnerability matching. This can represent a CVE, 3rd party advisory, or any source that relates back to a CVE.
type VulnerabilityMetadata
type VulnerabilityMetadata struct {
	ID           string   // The identifier of the vulnerability or advisory
	Namespace    string   // The namespace within which this entry is valid
	DataSource   string   // A URL where the data was sourced from
	RecordSource string   // The source of the vulnerability information (relative to the immediate upstream in the enterprise feed group)
	Severity     string   // How severe the vulnerability is (valid values are currently defined by upstream sources)
	URLs         []string // URLs to get more information about the vulnerability or advisory
	Description  string   // Description of the vulnerability
	Cvss         []Cvss   // Common Vulnerability Scoring System values
}
VulnerabilityMetadata represents all vulnerability data that is not necessary to perform package-to-vulnerability matching.
type VulnerabilityMetadataStore
type VulnerabilityMetadataStore interface {
	VulnerabilityMetadataStoreReader
	VulnerabilityMetadataStoreWriter
}
type VulnerabilityMetadataStoreReader
type VulnerabilityMetadataStoreReader interface {
	GetVulnerabilityMetadata(id, namespace string) (*VulnerabilityMetadata, error)
}
type VulnerabilityMetadataStoreWriter
type VulnerabilityMetadataStoreWriter interface {
	AddVulnerabilityMetadata(metadata ...VulnerabilityMetadata) error
}
type VulnerabilityReference
type VulnerabilityStore
type VulnerabilityStore interface {
	VulnerabilityStoreReader
	VulnerabilityStoreWriter
}
type VulnerabilityStoreReader
type VulnerabilityStoreReader interface {
	// GetVulnerability retrieves vulnerabilities associated with a namespace and a package name
	GetVulnerability(namespace, name string) ([]Vulnerability, error)
}
type VulnerabilityStoreWriter
type VulnerabilityStoreWriter interface {
	// AddVulnerability inserts a new record of a vulnerability into the store
	AddVulnerability(vulnerabilities ...Vulnerability) error
}