model

package
v0.94.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2024 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var AllAdvisoryType = []AdvisoryType{
	AdvisoryTypeDeprecated,
	AdvisoryTypeUnmaintained,
	AdvisoryTypeSecurity,
	AdvisoryTypePolicy,
	AdvisoryTypeOther,
}
View Source 
var AllPolicyViolationLevel = []PolicyViolationLevel{
	PolicyViolationLevelError,
	PolicyViolationLevelWarn,
}
View Source 
var AllRepositoryVisibility = []RepositoryVisibility{
	RepositoryVisibilityPublic,
	RepositoryVisibilityPrivate,
	RepositoryVisibilityInternal,
}

Functions

This section is empty.

Types

type Advisory 

type Advisory struct {
	// dependency is the underlying dependency that this Advisory is flagged against
	Dependency *Dependency `json:"dependency"`
	// advisoryType defines the type of Advisory (https://dmd.tanna.dev/concepts/advisory/) that this Advisory will flagged as
	AdvisoryType AdvisoryType `json:"advisoryType"`
	// description is a human-readable explanation of why this advisory is being flagged. The contents will be shown verbatim to a user, and will not be interpreted as markup
	//
	// This can be as long and detailed as you wish, and is recommended to include links to (internal) documentation around the finding, any known remediation actions, and communication channels to reach out to for information
	Description string `json:"description"`
	// supportedUntil describes the date that this release will be marked as End of Life, and will no longer be maintained from
	SupportedUntil *string `json:"supportedUntil,omitempty"`
	// endOfLifeFrom describes the date that this release will be marked as End of Life, and will no longer be maintained from
	EndOfLifeFrom *string `json:"endOfLifeFrom,omitempty"`
}

Advisory (https://dmd.tanna.dev/concepts/advisory/) is an indication of issues flagged against the dependencies this Repository contains, for instance to indicate lack of maintainence upstream, security issues, etc

type AdvisoryType 

type AdvisoryType string

AdvisoryType defines the type of Advisory (https://dmd.tanna.dev/concepts/advisory/) that this will flagged as 

const (
	// The dependency is deprecated, and should ideally be replaced
	AdvisoryTypeDeprecated AdvisoryType = "DEPRECATED"
	// The dependency is no longer maintained
	AdvisoryTypeUnmaintained AdvisoryType = "UNMAINTAINED"
	// There is a security issue with this dependency
	AdvisoryTypeSecurity AdvisoryType = "SECURITY"
	// There is organisational policy that recommends awareness of the use of this
	// dependency
	AdvisoryTypePolicy AdvisoryType = "POLICY"
	// There is no other `AdvisoryType` that makes sense for this type. If you feel there should be, please raise an issue on the issue tracker (https://gitlab.com/tanna.dev/dependency-management-data/-/issues)
	AdvisoryTypeOther AdvisoryType = "OTHER"
)

func (AdvisoryType) IsValid 

func (e AdvisoryType) IsValid() bool

func (AdvisoryType) MarshalGQL 

func (e AdvisoryType) MarshalGQL(w io.Writer)

func (AdvisoryType) String 

func (e AdvisoryType) String() string

func (*AdvisoryType) UnmarshalGQL 

func (e *AdvisoryType) UnmarshalGQL(v interface{}) error

type Dependency 

type Dependency struct {
	// packageName contains the name of the package
	PackageName string `json:"packageName"`
	// version indicates the version of this dependency
	//
	// NOTE this could be a version constraint, such as any of:
	//
	//     <=1.3.4,>=1.3.0
	//     "~> 0.9"
	//     latest
	//     ^2.0.6
	//     =1.0.4
	//
	// As well as a specific value, such as:
	//
	//     1.0.4
	//     10
	//     latest
	//
	// This versioning will be implementation-specific for the `packageManager` in use
	Version string `json:"version"`
	// currentVersion defines the current version that this package's `version` resolves to
	//
	// If the `version` is an exact version number, such as `1.0.4`, then `currentVersion` will usually be the same value, `1.0.4`
	//
	// If the `version` is a version constraint, then this column MAY indicate the exact version that was resolved at the time of dependency analysis
	CurrentVersion *string `json:"currentVersion,omitempty"`
	// packageManager indicates the package manager that the dependency is from
	PackageManager string `json:"packageManager"`
	// packageFilePath defines the path within `repo` that defines the `packageName` as a dependency. For example:
	//
	//     .github/workflows/build.yml
	//     go.mod
	//     build/Dockerfile
	//
	// NOTE that this may be empty (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/396)
	PackageFilePath *string `json:"packageFilePath,omitempty"`
	// depTypes defines the different dependency types that may be in use. This will always be a JSON array, with 0 or more string elements. For example:
	//
	//     []
	//     ["action"]
	//     ["dependencies","lockfile"]
	//     ["dependencies","missing-data"]
	//     ["lockfile","lockfile-yarn-pinning-^21.1.1"]
	//     ["engines"]
	//
	// Based on which datasource(s) (https://dmd.tanna.dev/concepts/datasource/) you are using, this will have different values and meanings
	//
	// NOTE that in the future these there will be a more consistent naming structure for these (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/379)
	DepTypes []string `json:"depTypes,omitempty"`
	// health defines metrics that can be used to determine how healthy the dependency is.
	Health *DependencyHealth `json:"health,omitempty"`
}

Dependency models a given package dependency

type DependencyHealth added in v0.76.0 

type DependencyHealth struct {
	// securityScorecard contains metadata from OpenSSF Security Scorecards, and can indicate concerns for supply chain security hygiene.
	SecurityScorecard *SecurityScorecard `json:"securityScorecard,omitempty"`
	// ecosystems contains metadata from Ecosystems, and can indicate concerns around the package and its maintainence.
	Ecosystems *EcosystemsPackage `json:"ecosystems,omitempty"`
}

DependencyHealth contains information about the health of given dependencies.

This consumes data from different sources to augment the understanding of dependencies in use, for instance giving an indication of whether they are (well) maintained, have been recently released, or may have supply chain hygiene issues.

Currently, this data is derived from:

- OpenSSF Security Scorecards (https://api.securityscorecards.dev/) - Ecosystems (https://ecosyste.ms)

This data is a best-efforts attempt to provide this insight, and may be stale at the time of querying.

type DependentOnResponse 

type DependentOnResponse struct {
	Repositories []DependentOnUsage `json:"repositories,omitempty"`
}

type DependentOnUsage 

type DependentOnUsage struct {
	Platform        string   `json:"platform"`
	Organisation    string   `json:"organisation"`
	Repo            string   `json:"repo"`
	Version         *string  `json:"version,omitempty"`
	CurrentVersion  *string  `json:"currentVersion,omitempty"`
	DepTypes        []string `json:"depTypes,omitempty"`
	PackageFilePath *string  `json:"packageFilePath,omitempty"`
	Owner           *Owner   `json:"owner,omitempty"`
}

type EcosystemsPackage added in v0.76.0 

type EcosystemsPackage struct {
	// repo contains repository-specific metadata
	Repo *EcosystemsRepo `json:"repo,omitempty"`
	// latestReleasePublishedAt contains the date the last release was made, if any
	LatestReleasePublishedAt *string `json:"latestReleasePublishedAt,omitempty"`
	// lastSyncedAt indicates the last date that Ecosystems synced package data.
	//
	// This is useful when used in conjunction with decisioning based on other fields, as it indicates how stale the data may be.
	LastSyncedAt *string `json:"lastSyncedAt,omitempty"`
	// status indicates the status of the package.
	//
	// Some possible values:
	//
	//   yanked
	//   deprecated
	//   discontinued
	Status *string `json:"status,omitempty"`
	// funding defines the different platform(s) that the dependency is seeking financial support on.
	Funding []FundingPlatform `json:"funding,omitempty"`
}

EcosystemsPackage defines Ecosyte.ms' understanding of a given package

type EcosystemsRepo added in v0.76.0 

type EcosystemsRepo struct {
	// archived indicates whether the repository has been archived (made read-only)
	Archived *bool `json:"archived,omitempty"`
	// pushedAt indicates the last push to the default branch of -- the source code repository that manages this package.
	PushedAt *string `json:"pushedAt,omitempty"`
	// ecosystems_repo_updated_at indicates the last activity in the source code repository that manages this package.
	//
	// Depending on the host of the source code, this could indicate a comments, push to a branch, or otherwise.
	UpdatedAt *string `json:"updatedAt,omitempty"`
	// lastSyncedAt indicates the last date that Ecosystems synced repository data.
	//
	// This is useful when used in conjunction with decisioning based on other fields, as it indicates how stale the data may be.
	LastSyncedAt *string `json:"lastSyncedAt,omitempty"`
}

EcosystemsRepo defines Ecosyte.ms' understanding of a given source code repository

type FundingPlatform added in v0.87.0 

type FundingPlatform struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

FundingPlatform defines information around the different platform(s) that the dependency is seeking financial support on.

type Metadata 

type Metadata struct {
	// DMDVersion is the version of the `dmd` CLI that was used to create the underlying database
	DMDVersion string `json:"DMDVersion"`
	// finalisedAt is the date at which the database was "finalised", and should now be treated as "up-to-date" and read-only from this point onwards.
	//
	// This indicates that all datasources were imported and all enrichment (i.e. via Advisories, Dependency Health, etc) was complete.
	//
	// This could indicate that all datasources' data is now up-to-date, but there are likely some that haven't been as recently scanned.
	FinalisedAt *string `json:"finalisedAt,omitempty"`
}

Metadata tracks information about metadata of the dependency-management-data installation

type Owner added in v0.66.0 

type Owner struct {
	// owner is a free-form identifier for who owns the repository. This could be an email address, a team name, Slack channel name, etc, but should ideally be clear from this column who should be contacted about any queries about the repository
	Owner *string `json:"owner,omitempty"`
	// notes allows adding additional, optional, context around the ownership, for instance a link to a Slack channel, Confluence page, internal Service Catalog, etc. The contents will be shown verbatim to a user, and will not be interpreted as markup.
	Notes *string `json:"notes,omitempty"`
}

Owner models the definition of which team / person / vendor / part of your organisation / etc owns a given repository. This data is expected to be sourced through a Service Catalog or through some other means, and will be organisation-specific.

type PolicyViolation 

type PolicyViolation struct {
	// dependency is the underlying dependency that this Policy Violation is flagged against
	Dependency *Dependency `json:"dependency"`
	// level defines the severity of the Policy Violation. This will be organisation-specific in terms of what you deem most critical, but an example of what this could look like is:
	Level PolicyViolationLevel `json:"level"`
	// advisoryType defines the type of Advisory (https://dmd.tanna.dev/concepts/advisory/) that this Policy Violation will flagged as
	AdvisoryType AdvisoryType `json:"advisoryType"`
	// description is a human-readable explanation of why this advisory is being flagged. The contents will be shown verbatim to a user, and will not be interpreted as markup
	//
	// This can be as long and detailed as you wish, and is recommended to include links to (internal) documentation around the finding, any known remediation actions, and communication channels to reach out to for information
	Description string `json:"description"`
}

PolicyViolation is a violation of organisational policy (https://dmd.tanna.dev/concepts/policy/)

type PolicyViolationLevel 

type PolicyViolationLevel string

PolicyViolationLevel defines the severity of the Policy Violation. This will be organisation-specific in terms of what you deem most critical, but an example of what this could look like is: 

ERROR: "Use of AGPL-3.0 licensed dependencies anywhere is a high-severity"
WARN:  "Using a dependency that hasn't been updated in 1 year should be avoided"

const (
	PolicyViolationLevelError PolicyViolationLevel = "ERROR"
	PolicyViolationLevelWarn  PolicyViolationLevel = "WARN"
)

func (PolicyViolationLevel) IsValid 

func (e PolicyViolationLevel) IsValid() bool

func (PolicyViolationLevel) MarshalGQL 

func (e PolicyViolationLevel) MarshalGQL(w io.Writer)

func (PolicyViolationLevel) String 

func (e PolicyViolationLevel) String() string

func (*PolicyViolationLevel) UnmarshalGQL 

func (e *PolicyViolationLevel) UnmarshalGQL(v interface{}) error

type Query added in v0.71.1 

type Query struct {
}

type RepositoriesResponse 

type RepositoriesResponse struct {
	Repositories          []Repository `json:"repositories,omitempty"`
	TotalAdvisories       int          `json:"totalAdvisories"`
	TotalDependencies     int          `json:"totalDependencies"`
	TotalPolicyViolations int          `json:"totalPolicyViolations"`
}

type Repository 

type Repository struct {
	// what platform hosts the source code that this repository is for? i.e. `github`, `gitlab`, `gitea`, etc
	Platform string `json:"platform"`
	// what organisation manages the source code that this repository is for? Can include `/` for nested organisations
	Organisation string `json:"organisation"`
	// what is the repo name?
	Repo string `json:"repo"`
	// owner contains information about the owner of a given repository
	Owner *Owner `json:"owner,omitempty"`
	// totalDependencies is the total number of dependencies that this Repository contains
	TotalDependencies int `json:"totalDependencies"`
	// dependencies are the dependencies that this Repository contains
	Dependencies []Dependency `json:"dependencies,omitempty"`
	// totalAdvisories is the total number of Advisories (https://dmd.tanna.dev/concepts/advisory/) flagged against the dependencies this Repository contains, for instance to indicate lack of maintainence upstream, security issues, etc
	//
	// NOTE: This will include `totalPolicyViolations`
	//
	// TODO: https://gitlab.com/tanna.dev/dependency-management-data/-/issues/400
	TotalAdvisories int `json:"totalAdvisories"`
	// advisories are the Advisories (https://dmd.tanna.dev/concepts/advisory/) flagged against the dependencies this Repository contains, for instance to indicate lack of maintainence upstream, security issues, etc. Will include the results of `policyViolations`
	//
	// NOTE: This will includes the results of `policyViolations`
	//
	// TODO: https://gitlab.com/tanna.dev/dependency-management-data/-/issues/400
	Advisories []Advisory `json:"advisories,omitempty"`
	// totalPolicyViolations are the number of `PolicyViolation`s that have been flagged against this Repository, based on configured policies
	//
	// NOTE: This does not include all values of `advisories`, only those that have an `AdvisoryType == POLICY`
	//
	// TODO: https://gitlab.com/tanna.dev/dependency-management-data/-/issues/400
	TotalPolicyViolations int `json:"totalPolicyViolations"`
	// policyViolations are the `PolicyViolation`s that have been flagged against this Repository, based on configured policies
	//
	// NOTE: This does not include all values of `advisories`, only those that have an `AdvisoryType == POLICY`
	//
	// TODO: https://gitlab.com/tanna.dev/dependency-management-data/-/issues/400
	PolicyViolations []PolicyViolation `json:"policyViolations,omitempty"`
	// libyear is the value of the Libyear metric, which is defined as "how many years between the version we're currently using and the latest version released", and then totalled across all libraries used by the project.
	//
	// Dependencies with a Libyear value of 0 could indicate that either all dependencies are up-to-date, or that the Libyear could not be calculated and are not shown.
	//
	// Note that a low number could still be problematic, for instance if a package has pushed out a dozen releases in the last month, all of which include significant breaking changes.
	//
	// Alternatively, a package may have a low score simply because the package is no longer maintained, so no new releases means you are "up to date".
	//
	// It is worth using this metric with context where possible, or at least with the above caveats in mind.
	//
	// It is recommended to display this at a precision of 2 decimal places.
	//
	// Further reading:
	//
	// - https://chaoss.community/kb/metric-libyears/
	// - https://libyear.com/
	Libyears float64 `json:"libyears"`
	// metadata provides additional metadata about the underlying repository
	Metadata *RepositoryMetadata `json:"metadata,omitempty"`
}

Repository is a source repository

type RepositoryAdditionalMetadatum added in v0.67.0 

type RepositoryAdditionalMetadatum struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

additionalMetadata contains additional key-value data that can be used to provide custom organisation-specific configuration, and augment any queries for data with information around this additional metadata.

For instance:

  • `last_commit_date` - the last commit date to the project
  • `pci_environment` - the PCI environment the application is deployed to
  • `customer_type` - i.e. whether it's used for government, financial users, etc

type RepositoryKey 

type RepositoryKey struct {
	Platform     string `json:"platform"`
	Organisation string `json:"organisation"`
	Repo         string `json:"repo"`
}

type RepositoryMetadata added in v0.67.0 

type RepositoryMetadata struct {
	// isMonorepo indicates whether the repository is treated as a monorepo
	IsMonorepo bool `json:"isMonorepo"`
	// isFork indicates whether this is a forked repository. This could indicate that this is a temporary repository, a long-standing fork for security + supply-chain hygiene purposes, or some other reason.
	IsFork bool `json:"isFork"`
	// repositoryType is a free-form field to create enum-style data, for instance `LIBRARY` or `SERVICE`, or `EXAMPLE_CODE`.
	//
	// This may track with your Developer Portal's own definition of a repository's type.
	RepositoryType string `json:"repositoryType"`
	// repositoryUsage is a free-form field to note additional information
	// around the repository's usage, which is organisation-specific.
	//
	// For instance, this may be enum-style data, a space-separated list of
	// enum-style data, or a long human-readable description.
	RepositoryUsage *string `json:"repositoryUsage,omitempty"`
	// visibility indicates the repository's visibility in the source forge
	Visibility RepositoryVisibility `json:"visibility"`
	// description is a textual description of the repo for more context, which can include links out to other systems i.e. a Service Catalog. The contents will be shown verbatim to a user, and will not be interpreted as markup
	Description *string `json:"description,omitempty"`
	// additionalMetadata contains additional key-value data that can be used to provide custom organisation-specific configuration, and augment any queries for data with information around this additional metadata.
	AddititionalMetadata []RepositoryAdditionalMetadatum `json:"addititionalMetadata"`
}

type RepositoryVisibility added in v0.67.0 

type RepositoryVisibility string

RepositoryVisibility indicates the repository's visibility in the source forge.

NOTE that this may be straightforward if you're using a publicly hosted source forge, but if you're running on an internally run, i.e. VPN'd off source force, this field may have a slightly different interpretation 

const (
	RepositoryVisibilityPublic   RepositoryVisibility = "PUBLIC"
	RepositoryVisibilityPrivate  RepositoryVisibility = "PRIVATE"
	RepositoryVisibilityInternal RepositoryVisibility = "INTERNAL"
)

func (RepositoryVisibility) IsValid added in v0.67.0 

func (e RepositoryVisibility) IsValid() bool

func (RepositoryVisibility) MarshalGQL added in v0.67.0 

func (e RepositoryVisibility) MarshalGQL(w io.Writer)

func (RepositoryVisibility) String added in v0.67.0 

func (e RepositoryVisibility) String() string

func (*RepositoryVisibility) UnmarshalGQL added in v0.67.0 

func (e *RepositoryVisibility) UnmarshalGQL(v interface{}) error

type SecurityScorecard added in v0.76.0 

type SecurityScorecard struct {
	// score is the overall calculated value of the OpenSSF Security Scorecards' checks for the given dependency.
	Score *float64 `json:"score,omitempty"`
	// codeReview is the value of the OpenSSF Security Scorecards' `Code-Review` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review
	CodeReview *int `json:"codeReview,omitempty"`
	// scorecard_maintained is the value of the OpenSSF Security Scorecards' `Maintained` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
	Maintained *int `json:"maintained,omitempty"`
	// ciiBestPractices is the value of the OpenSSF Security Scorecards' `CII-Best-Practices` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices
	CiiBestPractices *int `json:"ciiBestPractices,omitempty"`
	// license is the value of the OpenSSF Security Scorecards' `License` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#license
	License *int `json:"license,omitempty"`
	// dangerousWorkflow is the value of the OpenSSF Security Scorecards' `Dangerous-Workflow` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow
	DangerousWorkflow *int `json:"dangerousWorkflow,omitempty"`
	// packaging is the value of the OpenSSF Security Scorecards' `Packaging` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging
	Packaging *int `json:"packaging,omitempty"`
	// tokenPermissions is the value of the OpenSSF Security Scorecards' `Token-Permissions` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
	TokenPermissions *int `json:"tokenPermissions,omitempty"`
	// signedReleases is the value of the OpenSSF Security Scorecards' `Signed-Releases` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases
	SignedReleases *int `json:"signedReleases,omitempty"`
	// branchProtection is the value of the OpenSSF Security Scorecards' `Branch-Protection` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
	BranchProtection *int `json:"branchProtection,omitempty"`
	// binaryArtifacts is the value of the OpenSSF Security Scorecards' `Binary-Artifacts` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts
	BinaryArtifacts *int `json:"binaryArtifacts,omitempty"`
	// fuzzing is the value of the OpenSSF Security Scorecards' `Fuzzing` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing
	Fuzzing *int `json:"fuzzing,omitempty"`
	// securitypolicy is the value of the OpenSSF Security Scorecards' `Security-Policy` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy
	SecurityPolicy *int `json:"securityPolicy,omitempty"`
	// sast is the value of the OpenSSF Security Scorecards' `SAST` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast
	Sast *int `json:"sast,omitempty"`
	// vulnerabilities is the value of the OpenSSF Security Scorecards' `Vulnerabilities` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities
	Vulnerabilities *int `json:"vulnerabilities,omitempty"`
	// pinnedDependencies is the value of the OpenSSF Security Scorecards' `Pinned-Dependencies` check.
	//
	// More details on the calculation can be found at https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
	PinnedDependencies *int `json:"pinnedDependencies,omitempty"`
}

SecurityScorecard contains metadata from OpenSSF Security Scorecards, and can indicate concerns for supply chain security hygiene.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.