Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Advisories ¶
type Advisories struct {
Advisory []string `xml:"v:advisory"`
}
Advisories holds all the links for a vulnerability
type BdComponent ¶
BdComponent represents the software/package being cataloged.
type BdTool ¶
type BdTool struct {
XMLName xml.Name `xml:"tool"`
Vendor string `xml:"vendor,omitempty"` // The vendor of the tool used to create the BOM.
Name string `xml:"name,omitempty"` // The name of the tool used to create the BOM.
Version string `xml:"version,omitempty"` // The version of the tool used to create the BOM.
}
BdTool represents the tool that created the BOM report.
type BomDescriptor ¶
type BomDescriptor struct {
XMLName xml.Name `xml:"metadata"`
Timestamp string `xml:"timestamp,omitempty"` // The date and time (timestamp) when the document was created
Tools []BdTool `xml:"tools>tool"` // The tool used to create the BOM.
Component *BdComponent `xml:"component"` // The Component that the BOM describes.
}
BomDescriptor represents all metadata surrounding the BOM report (such as when the BOM was made, with which tool, and the item being cataloged).
func NewBomDescriptor ¶
func NewBomDescriptor(name, version string, srcMetadata source.Metadata) *BomDescriptor
NewBomDescriptor returns a new BomDescriptor tailored for the current time and "syft" tool details.
type Component ¶
type Component struct {
XMLName xml.Name `xml:"component"`
Type string `xml:"type,attr"` // Required; Describes if the Component is a library, framework, application, container, operating system, firmware, hardware device, or file
Supplier string `xml:"supplier,omitempty"` // The organization that supplied the Component. The supplier may often be the manufacture, but may also be a distributor or repackager.
Author string `xml:"author,omitempty"` // The person(s) or organization(s) that authored the Component
Publisher string `xml:"publisher,omitempty"` // The person(s) or organization(s) that published the Component
Group string `xml:"group,omitempty"` // The high-level classification that a project self-describes as. This will often be a shortened, single name of the company or project that produced the Component, or the source package or domain name.
Name string `xml:"name"` // Required; The name of the Component as defined by the project
Version string `xml:"version"` // Required; The version of the Component as defined by the project
Description string `xml:"description,omitempty"` // A description of the Component
Licenses *[]License `xml:"licenses>License"` // A node describing zero or more License names, SPDX License IDs or expressions
PackageURL string `xml:"purl,omitempty"` // Specifies the package-url (PackageURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
// TODO: source, hashes, copyright, cpe, purl, swid, modified, pedigree, externalReferences
// TODO: add user-defined parameters for syft-specific values (image layer index, cataloger, location path, etc.)
Vulnerabilities *[]Vulnerability `xml:"v:vulnerabilities>v:vulnerability,omitempty"`
}
Component represents a single element in the CycloneDX BOM
type Document ¶
type Document struct {
XMLName xml.Name `xml:"bom"`
XMLNs string `xml:"xmlns,attr"`
XMLNsV string `xml:"xmlns:v,attr"`
Version int `xml:"version,attr"`
SerialNumber string `xml:"serialNumber,attr"`
BomDescriptor *BomDescriptor `xml:"metadata"`
Components []Component `xml:"components>Component"`
}
Document represents a CycloneDX Vulnerability Document.
func NewDocument ¶
func NewDocument(packages []pkg.Package, matches match.Matches, srcMetadata *source.Metadata, provider vulnerability.MetadataProvider) (Document, error)
NewDocument returns a CycloneDX Document object populated with the SBOM and vulnerability findings.
type License ¶
type License struct {
XMLName xml.Name `xml:"license"`
ID string `xml:"id,omitempty"` // A valid SPDX License ID
Name string `xml:"name,omitempty"` // If SPDX does not define the License used, this field may be used to provide the License name
}
License represents a single software License for a Component
type Presenter ¶
type Presenter struct {
// contains filtered or unexported fields
}
Presenter writes a CycloneDX report from the given Catalog and Scope contents
func NewPresenter ¶
func NewPresenter(results match.Matches, packages []pkg.Package, srcMetadata *source.Metadata, metadataProvider vulnerability.MetadataProvider) *Presenter
NewPresenter is a *Presenter constructor
type Rating ¶
type Rating struct {
Score Score `xml:"v:score"`
Severity string `xml:"v:severity,omitempty"`
Method string `xml:"v:method,omitempty"`
Vector string `xml:"v:vector,omitempty"`
}
Rating has information about the intensity of a vulnerability
type Score ¶
type Score struct {
Base float64 `xml:"v:base"`
Impact float64 `xml:"v:impact"`
Exploitability float64 `xml:"v:exploitability"`
}
Score provides the different ways to measure how serious a vulnerability is
type Source ¶
Source is the origin of the vulnerability, like Github Advisories or NVD, along with a URL constructed with the vulnerability ID
type Vulnerability ¶
type Vulnerability struct {
Ref string `xml:"ref,attr"`
ID string `xml:"v:id"`
Source Source `xml:"v:source"`
Ratings []Rating `xml:"v:ratings>v:rating"`
// We do not capture Common Weakness Enumeration
//Cwes Cwes `xml:"v:cwes"`
Description string `xml:"v:description,omitempty"`
// We don't have recommendations (e.g. "upgrade")
//Recommendations *Recommendations `xml:"v:recommendations"`
Advisories *Advisories `xml:"v:advisories,omitempty"`
}
Vulnerability is the actual description of a vulnerable artifact
func NewVulnerability ¶
func NewVulnerability(m match.Match, p vulnerability.MetadataProvider) (Vulnerability, error)
NewVulnerability creates a Vulnerability document from a match and the metadata provider
Source Files