audit

package
v0.0.0-...-032f043 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 24, 2022 License: BSD-3-Clause Imports: 21 Imported by: 0

Documentation

Overview

Package audit finds vulnerabilities affecting Go packages.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Finding 

type Finding struct {
	Symbol   string
	Position *token.Position `json:",omitempty"`
	Type     SymbolType
	Trace    []TraceElem
	// contains filtered or unexported fields
}

Finding represents a finding for the use of a vulnerable symbol or an imported vulnerable package. Provides info on symbol location and the trace leading up to the symbol use.

func (Finding) String 

func (f Finding) String() string

String method for findings.

type ModuleVulnerabilities 

type ModuleVulnerabilities []modVulns

func FetchVulnerabilities 

func FetchVulnerabilities(client client.Client, modules []*packages.Module) (ModuleVulnerabilities, error)

FetchVulnerabilities fetches vulnerabilities that affect the supplied modules.

func (ModuleVulnerabilities) Filter 

func (mv ModuleVulnerabilities) Filter(os, arch string) ModuleVulnerabilities

func (ModuleVulnerabilities) Num 

func (mv ModuleVulnerabilities) Num() int

func (ModuleVulnerabilities) Vulns 

func (mv ModuleVulnerabilities) Vulns() []*osv.Entry

Vulns returns vulnerabilities for all modules in `mv`.

func (ModuleVulnerabilities) VulnsForPackage 

func (mv ModuleVulnerabilities) VulnsForPackage(importPath string) []*osv.Entry

VulnsForPackage returns the vulnerabilities for the module which is the most specific prefix of importPath, or nil if there is no matching module with vulnerabilities.

func (ModuleVulnerabilities) VulnsForSymbol 

func (mv ModuleVulnerabilities) VulnsForSymbol(importPath, symbol string) []*osv.Entry

VulnsForSymbol returns vulnerabilities for `symbol` in `mv.VulnsForPackage(importPath)`.

type Results 

type Results struct {
	SearchMode SearchType

	// TODO: identify vulnerability with <ID, package, symbol>?
	// Vulnerabilities in dependent modules.
	Vulnerabilities []osv.Entry

	VulnFindings map[string][]Finding // vuln.ID -> findings
}

Results contains the information on findings and identified vulnerabilities by audit search.

func VulnerableImports 

func VulnerableImports(pkgs []*ssa.Package, modVulns ModuleVulnerabilities) Results

VulnerableImports returns vulnerability findings for packages imported by `pkgs` given the vulnerability and platform info captured in `env`.

Returns all findings reachable from `pkgs` while analyzing each package only once, preferring findings of shorter import traces. For instance, given import chains 

A -> B -> V
A -> D -> B -> V
D -> B -> V

where A and D are top level packages and V is a vulnerable package, VulnerableImports can return either 

A -> B -> V

or 

D -> B -> V

as traces of importing a vulnerable package V.

Findings for each vulnerability are sorted by estimated usefulness to the user.

func VulnerablePackageSymbols 

func VulnerablePackageSymbols(packageSymbols map[string][]string, modVulns ModuleVulnerabilities) Results

VulnerablePackageSymbols returns a list of vulnerability findings for per-package symbols in packageSymbols, given the `modVulns` vulnerabilities.

Findings for each vulnerability are sorted by estimated usefulness to the user and do not have an associated trace.

func VulnerableSymbols 

func VulnerableSymbols(pkgs []*ssa.Package, modVulns ModuleVulnerabilities) Results

VulnerableSymbols returns vulnerability findings for symbols transitively reachable through the callgraph built using VTA analysis from the entry points of pkgs, given 'modVulns' vulnerabilities.

Returns all findings reachable from pkgs while analyzing each package only once, preferring findings of shorter import traces. For instance, given call chains 

A() -> B() -> V
A() -> D() -> B() -> V
D() -> B() -> V

where A and D are top level packages and V is a vulnerable symbol, VulnerableSymbols can return either 

A() -> B() -> V

or 

D() -> B() -> V

as traces of transitively using a vulnerable symbol V.

Findings for each vulnerability are sorted by estimated usefulness to the user.

Panics if packages in pkgs do not belong to the same program.

func (Results) String 

func (r Results) String() string

String method for results.

type SearchType 

type SearchType int

SearchType represents a type of an audit search: call graph, imports, or binary. 

const (
	CallGraphSearch SearchType = iota
	ImportsSearch
	BinarySearch
)

enum values for SearchType.

type SymbolType 

type SymbolType int

SymbolType represents a type of a symbol use: function, global, or an import statement. 

const (
	FunctionType SymbolType = iota
	ImportType
	GlobalType
)

enum values for SymbolType.

func (SymbolType) MarshalText 

func (s SymbolType) MarshalText() ([]byte, error)

MarshalText implements the encoding.TextMarshaler interface.

type TraceElem 

type TraceElem struct {
	Description string
	Position    *token.Position `json:",omitempty"`
}

TraceElem represents an entry in the finding trace. Represents a function call or an import statement.

func (TraceElem) String 

func (e TraceElem) String() string

String method for trace elements.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.