vuln

package

v0.0.0-...-87c4152 Latest Latest Go to latest Published: Apr 26, 2024 License: BSD-3-Clause Imports: 24 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

cs.opensource.google/go/x/pkgsite

Links

Documentation ¶

Overview ¶

Package vulns provides utilities to interact with vuln APIs.

Index ¶

func CanonicalAlias(id string) (_ string, ok bool)
func CanonicalGoID(id string) (_ string, ok bool)
func NewSource(src string) (source, error)
func URLToFilePath(u *url.URL) (string, error)
type AffectedComponent
- func AffectedComponents(e *osv.Entry) (pkgs, modsNoPkgs []*AffectedComponent)
type Client
- func NewClient(src string) (*Client, error)
- func NewInMemoryClient(entries []*osv.Entry) (*Client, error)
type DBMeta
type ModuleMeta
type ModuleVuln
type PackageRequest
type Vuln
- func VulnsForPackage(ctx context.Context, modulePath, version, packagePath string, vc *Client) []Vuln
type VulnMeta

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CanonicalAlias ¶

func CanonicalAlias(id string) (_ string, ok bool)

Canonical returns the canonical form of the given alias ID string (a CVE or GHSA id) by correcting the case.

If no canonical form can be found, returns false.

func CanonicalGoID ¶

func CanonicalGoID(id string) (_ string, ok bool)

Canonical returns the canonical form of the given Go ID string by correcting the case.

If no canonical form can be found, returns false.

func NewSource ¶

func NewSource(src string) (source, error)

NewSource returns a source interface from a http:// or file:// prefixed url src. It errors if the given url is invalid or does not exist.

func URLToFilePath ¶

func URLToFilePath(u *url.URL) (string, error)

URLToFilePath converts a file-scheme url to a file path.

Types ¶

type AffectedComponent ¶

type AffectedComponent struct {
	Path     string
	Versions string
	// Lists of affected symbols (for packages).
	// If both of these lists are empty, all symbols in the package are affected.
	ExportedSymbols   []string
	UnexportedSymbols []string
}

AffectedComponent holds information about a module/package affected by a certain vulnerability.

func AffectedComponents ¶

func AffectedComponents(e *osv.Entry) (pkgs, modsNoPkgs []*AffectedComponent)

AffectedComponents extracts information about affected packages (and // modules, if there are any with no package information) from the given osv.Entry.

func NewClient ¶

func NewClient(src string) (*Client, error)

NewClient returns a client that can read from the vulnerability database in src (a URL representing either a http or file source).

func NewInMemoryClient ¶

func NewInMemoryClient(entries []*osv.Entry) (*Client, error)

NewInMemoryClient creates an in-memory vulnerability client for use in tests.

func (*Client) ByAlias ¶

func (c *Client) ByAlias(ctx context.Context, alias string) (_ string, err error)

ByAlias returns the Go ID of the OSV entry that has the given alias, or a NotFound error if there isn't one.

func (*Client) ByID ¶

func (c *Client) ByID(ctx context.Context, id string) (_ *osv.Entry, err error)

ByID returns the OSV entry with the given ID or (nil, nil) if there isn't one.

func (*Client) ByPackage ¶

func (c *Client) ByPackage(ctx context.Context, req *PackageRequest) (_ []*osv.Entry, err error)

ByPackage returns the OSV entries matching the package request.

func (*Client) ByPackagePrefix ¶

func (c *Client) ByPackagePrefix(ctx context.Context, prefix string) (_ []*osv.Entry, err error)

ByPackagePrefix returns all the OSV entries that match the given package prefix, in descending order by ID, or (nil, nil) if there are none.

An entry matches a prefix if:

Any affected module or package equals the given prefix, OR
Any affected module or package's path begins with the given prefix interpreted as a full path. (E.g. "example.com/module/package" matches the prefix "example.com/module" but not "example.com/mod")

func (*Client) Entries ¶

func (c *Client) Entries(ctx context.Context, n int) (_ []*osv.Entry, err error)

Entries returns all entries in the database, sorted in descending order by Go ID (most recent to least recent). If n >= 0, only the n most recent entries are returned.

func (*Client) IDs ¶

func (c *Client) IDs(ctx context.Context) (_ []string, err error)

IDs returns a list of the IDs of all the entries in the database.

type DBMeta ¶

type DBMeta struct {
	// Modified is the time the database was last modified, calculated
	// as the most recent time any single OSV entry was modified.
	Modified time.Time `json:"modified"`
}

DBMeta contains metadata about the database itself.

type ModuleMeta ¶

type ModuleMeta struct {
	// Path is the module path.
	Path string `json:"path"`
	// Vulns is a list of vulnerabilities that affect this module.
	Vulns []ModuleVuln `json:"vulns"`
}

ModuleMeta contains metadata about a Go module that has one or more vulnerabilities in the database.

Found in the "index/modules" endpoint of the vulnerability database.

type ModuleVuln ¶

type ModuleVuln struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vuln was last modified.
	Modified time.Time `json:"modified"`
	// Fixed is the latest version that introduces a fix for the
	// vulnerability, in SemVer 2.0.0 format, with no leading "v" prefix.
	Fixed string `json:"fixed,omitempty"`
}

ModuleVuln contains metadata about a vulnerability that affects a certain module.

type PackageRequest ¶

type PackageRequest struct {
	// Module is the module path to filter on.
	// ByPackage will only return entries that affect this module.
	// This must be set (if empty, ByPackage will always return nil).
	Module string
	// The package path to filter on.
	// ByPackage will only return entries that affect this package.
	// If empty, ByPackage will not filter based on the package.
	Package string
	// The version to filter on.
	// ByPackage will only return entries affected at this module
	// version.
	// If empty, ByPackage will not filter based on version.
	Version string
}

type Vuln ¶

type Vuln struct {
	// The vulndb ID.
	ID string
	// A description of the vulnerability, or the problem in obtaining it.
	Details string
}

A Vuln contains information to display about a vulnerability.

func VulnsForPackage ¶

func VulnsForPackage(ctx context.Context, modulePath, version, packagePath string, vc *Client) []Vuln

VulnsForPackage obtains vulnerability information for the given package. If packagePath is empty, it returns all entries for the module at version. If there is an error, VulnsForPackage returns a single Vuln that describes the error.

type VulnMeta ¶

type VulnMeta struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vulnerability was last modified.
	Modified time.Time `json:"modified"`
	// Aliases is a list of IDs for the same vulnerability in other
	// databases.
	Aliases []string `json:"aliases,omitempty"`
}

VulnMeta contains metadata about a vulnerability in the database.

Found in the "index/vulns" endpoint of the vulnerability database.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL