Documentation ¶
Index ¶
Constants ¶
const ( // TypeURI is the type used to describe VEX documents, e.g. within [in-toto // statements]. // // [in-toto statements]: https://github.com/in-toto/attestation/blob/main/spec/README.md#statement TypeURI = "text/vex" // DefaultAuthor is the default value for a document's Author field. DefaultAuthor = "Unknown Author" // DefaultRole is the default value for a document's AuthorRole field. DefaultRole = "Document Creator" // Context is the URL of the json-ld context definition Context = "https://openvex.dev/ns" // PublicNamespace is the public openvex namespace for common @ids PublicNamespace = "https://openvex.dev/docs" // NoActionStatementMsg is the action statement that informs that there is no action statement :/ NoActionStatementMsg = "No action statement provided" )
Variables ¶
This section is empty.
Functions ¶
func DateFromEnv ¶ added in v0.1.0
func Justifications ¶ added in v0.1.0
func Justifications() []string
Justifications returns a list of the valid Justification values.
func SortStatements ¶ added in v0.1.0
SortStatements does an "in-place" sort of the given slice of VEX statements.
The documentTimestamp parameter is needed because statements without timestamps inherit the timestamp of the document.
Types ¶
type Justification ¶
type Justification string
Justification describes why a given component is not affected by a vulnerability.
const ( // ComponentNotPresent means the vulnerable component is not included in the artifact. // // ComponentNotPresent is a strong justification that the artifact is not affected. ComponentNotPresent Justification = "component_not_present" // VulnerableCodeNotPresent means the vulnerable component is included in // artifact, but the vulnerable code is not present. Typically, this case occurs // when source code is configured or built in a way that excluded the vulnerable // code. // // VulnerableCodeNotPresent is a strong justification that the artifact is not affected. VulnerableCodeNotPresent Justification = "vulnerable_code_not_present" // VulnerableCodeNotInExecutePath means the vulnerable code (likely in // [subcomponent_id]) can not be executed as it is used by [product_id]. // Typically, this case occurs when [product_id] includes the vulnerable // [subcomponent_id] and the vulnerable code but does not call or use the // vulnerable code. VulnerableCodeNotInExecutePath Justification = "vulnerable_code_not_in_execute_path" // VulnerableCodeCannotBeControlledByAdversary means the vulnerable code cannot // be controlled by an attacker to exploit the vulnerability. // // This justification could be difficult to prove conclusively. VulnerableCodeCannotBeControlledByAdversary Justification = "vulnerable_code_cannot_be_controlled_by_adversary" // InlineMitigationsAlreadyExist means [product_id] includes built-in protections // or features that prevent exploitation of the vulnerability. These built-in // protections cannot be subverted by the attacker and cannot be configured or // disabled by the user. These mitigations completely prevent exploitation based // on known attack vectors. // // This justification could be difficult to prove conclusively. History is // littered with examples of mitigation bypasses, typically involving minor // modifications of existing exploit code. InlineMitigationsAlreadyExist Justification = "inline_mitigations_already_exist" )
func (Justification) Valid ¶ added in v0.1.0
func (j Justification) Valid() bool
Valid returns a bool indicating whether the Justification value is equal to one of the enumerated allowed values for Justification.
type Metadata ¶
type Metadata struct { // Context is the URL pointing to the jsonld context definition Context string `json:"@context"` // ID is the identifying string for the VEX document. This should be unique per // document. ID string `json:"@id"` // Author is the identifier for the author of the VEX statement, ideally a common // name, may be a URI. [author] is an individual or organization. [author] // identity SHOULD be cryptographically associated with the signature of the VEX // statement or document or transport. Author string `json:"author"` // AuthorRole describes the role of the document Author. AuthorRole string `json:"role"` // Timestamp defines the time at which the document was issued. Timestamp *time.Time `json:"timestamp"` // Version is the document version. It must be incremented when any content // within the VEX document changes, including any VEX statements included within // the VEX document. Version string `json:"version"` // Tooling expresses how the VEX document and contained VEX statements were // generated. It's optional. It may specify tools or automated processes used in // the document or statement generation. Tooling string `json:"tooling,omitempty"` // Supplier is an optional field. Supplier string `json:"supplier,omitempty"` }
The Metadata type represents the metadata associated with a VEX document.
type Statement ¶
type Statement struct { // [vul_id] SHOULD use existing and well known identifiers, for example: // CVE, the Global Security Database (GSD), or a supplier’s vulnerability // tracking system. It is expected that vulnerability identification systems // are external to and maintained separately from VEX. // // [vul_id] MAY be URIs or URLs. // [vul_id] MAY be arbitrary and MAY be created by the VEX statement [author]. Vulnerability string `json:"vulnerability,omitempty"` VulnDescription string `json:"vuln_description,omitempty"` // Timestamp is the time at which the information expressed in the Statement // was known to be true. Timestamp *time.Time `json:"timestamp,omitempty"` // ProductIdentifiers // Product details MUST specify what Status applies to. // Product details MUST include [product_id] and MAY include [subcomponent_id]. Products []string `json:"products,omitempty"` Subcomponents []string `json:"subcomponents,omitempty"` // A VEX statement MUST provide Status of the vulnerabilities with respect to the // products and components listed in the statement. Status MUST be one of the // Status const values, some of which have further options and requirements. Status Status `json:"status"` // [status_notes] MAY convey information about how [status] was determined // and MAY reference other VEX information. StatusNotes string `json:"status_notes,omitempty"` // For ”not_affected” status, a VEX statement MUST include a status Justification // that further explains the status. Justification Justification `json:"justification,omitempty"` // For ”not_affected” status, a VEX statement MAY include an ImpactStatement // that contains a description why the vulnerability cannot be exploited. ImpactStatement string `json:"impact_statement,omitempty"` // For "affected" status, a VEX statement MUST include an ActionStatement that // SHOULD describe actions to remediate or mitigate [vul_id]. ActionStatement string `json:"action_statement,omitempty"` ActionStatementTimestamp *time.Time `json:"action_statement_timestamp,omitempty"` }
A Statement is a declaration conveying a single [status] for a single [vul_id] for one or more [product_id]s. A VEX Statement exists within a VEX Document.
type Status ¶
type Status string
Status describes the exploitability status of a component with respect to a vulnerability.
const ( // StatusNotAffected means no remediation or mitigation is required. StatusNotAffected Status = "not_affected" // StatusAffected means actions are recommended to remediate or mitigate. StatusAffected Status = "affected" // StatusFixed means the listed products or components have been remediated (by including fixes). StatusFixed Status = "fixed" // StatusUnderInvestigation means the author of the VEX statement is investigating. StatusUnderInvestigation Status = "under_investigation" )
func StatusFromCSAF ¶
StatusFromCSAF returns a vex status from the CSAF status
type VEX ¶
The VEX type represents a VEX document and all of its contained information.
func Load ¶ added in v0.1.0
Load reads the VEX document file at the given path and returns a decoded VEX object. If Load is unable to read the file or decode the document, it returns an error.
func SortDocuments ¶ added in v0.1.0
SortDocuments sorts and returns a slice of documents based on their date. VEXes should be applied sequentially in chronological order as they capture knowledge about an artifact as it changes over time.
func (*VEX) CanonicalHash ¶ added in v0.1.0
CanonicalHash returns a hash representing the state of impact statements expressed in it. This hash should be constant as long as the impact statements are not modified. Changes in extra information and metadata will not alter the hash.
func (*VEX) GenerateCanonicalID ¶ added in v0.1.0
GenerateCanonicalID generates an ID for the document. The ID will be based on the canonicalization hash. This means that documents with the same impact statements will always get the same ID. Trying to generate the id of a doc with an existing ID will not do anything.
func (*VEX) StatementFromID ¶
StatementFromID returns a statement for a given vulnerability if there is one.