package vuln

import "golang.org/x/pkgsite/internal/vuln"

Package vuln provides utilities to interact with vuln APIs.

Index

Functions

func CanonicalAlias

func CanonicalAlias(id string) (_ string, ok bool)

CanonicalAlias returns the canonical form of the given alias ID string (a CVE or GHSA id) by correcting the case.

If no canonical form can be found, ok is false.

func CanonicalGoID

func CanonicalGoID(id string) (_ string, ok bool)

CanonicalGoID returns the canonical form of the given Go ID string by correcting the case.

If no canonical form can be found, ok is false.

func NewSource

func NewSource(src string) (source, error)

NewSource returns a source interface from src, which must be a URL with one of the schemes "file", "http", or "https". It returns an error if the given URL is invalid or does not exist.

func URLToFilePath

func URLToFilePath(u *url.URL) (string, error)

URLToFilePath converts a file-scheme url to a file path.

Types

type AffectedComponent

// AffectedComponent describes one module or package affected by a
// vulnerability, as extracted from an osv.Entry by AffectedComponents.
type AffectedComponent struct {
	// Path names the affected module or package. Versions and
	// CustomVersions are plain strings describing which versions are
	// affected.
	// NOTE(review): the string format of Versions/CustomVersions is not
	// specified here — presumably display text; confirm before parsing
	// them for an automated affected/not-affected decision.
	Path           string
	Versions       string
	CustomVersions string
	// Lists of affected symbols (for packages).
	// If both of these lists are empty, all symbols in the package are affected.
	// Consumers that filter findings by symbol must therefore treat two
	// empty lists as "everything is affected", never as "nothing is".
	ExportedSymbols   []string
	UnexportedSymbols []string
}

AffectedComponent holds information about a module/package affected by a certain vulnerability.

func AffectedComponents

func AffectedComponents(e *osv.Entry) (pkgs, modsNoPkgs []*AffectedComponent)

AffectedComponents extracts information about affected packages (and modules, if there are any with no package information) from the given osv.Entry.

type Client

// Client reads Go vulnerability databases. Values are obtained from
// NewClient (URL-backed source) or NewInMemoryClient (test fixtures).
type Client struct {
	// contains filtered or unexported fields
}

Client reads Go vulnerability databases.

func NewClient

func NewClient(src string) (*Client, error)

NewClient returns a client that can read from the vulnerability database in src, a URL representing either an http or file source.

func NewInMemoryClient

func NewInMemoryClient(entries []*osv.Entry) (*Client, error)

NewInMemoryClient creates an in-memory vulnerability client for use in tests.

func (*Client) ByAlias

func (c *Client) ByAlias(ctx context.Context, alias string) (_ string, err error)

ByAlias returns the Go ID of the OSV entry that has the given alias, or a NotFound error if there isn't one.

func (*Client) ByID

func (c *Client) ByID(ctx context.Context, id string) (_ *osv.Entry, err error)

ByID returns the OSV entry with the given ID or (nil, nil) if there isn't one.

func (*Client) ByPackage

func (c *Client) ByPackage(ctx context.Context, req *PackageRequest) (_ []*osv.Entry, err error)

ByPackage returns the OSV entries matching the package request.

func (*Client) ByPackagePrefix

func (c *Client) ByPackagePrefix(ctx context.Context, prefix string) (_ []*osv.Entry, err error)

ByPackagePrefix returns all the OSV entries that match the given package prefix, in descending order by ID, or (nil, nil) if there are none.

An entry matches a prefix if:

func (*Client) Entries

func (c *Client) Entries(ctx context.Context, n int) (_ []*osv.Entry, err error)

Entries returns all entries in the database, sorted in descending order by Go ID (most recent to least recent). If n >= 0, only the n most recent entries are returned.

func (*Client) IDs

func (c *Client) IDs(ctx context.Context) (_ []string, err error)

IDs returns a list of the IDs of all the entries in the database.

type DBMeta

// DBMeta contains metadata about the vulnerability database as a whole.
type DBMeta struct {
	// Modified is the time the database was last modified, calculated
	// as the most recent time any single OSV entry was modified.
	// NOTE(review): this looks usable as a freshness signal when reading
	// from a mirror or a local copy — confirm how callers consume it.
	Modified time.Time `json:"modified"`
}

DBMeta contains metadata about the database itself.

type ModuleMeta

// ModuleMeta contains metadata about a Go module that has one or more
// vulnerabilities in the database. It is decoded from JSON using the
// "path" and "vulns" keys.
type ModuleMeta struct {
	// Path is the module path.
	Path string `json:"path"`
	// Vulns is a list of vulnerabilities that affect this module.
	Vulns []ModuleVuln `json:"vulns"`
}

ModuleMeta contains metadata about a Go module that has one or more vulnerabilities in the database.

Found in the "index/modules" endpoint of the vulnerability database.

type ModuleVuln

// ModuleVuln contains metadata about a vulnerability that affects a
// certain module.
type ModuleVuln struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vuln was last modified.
	Modified time.Time `json:"modified"`
	// Fixed is the latest version that introduces a fix for the
	// vulnerability, in SemVer 2.0.0 format, with no leading "v" prefix.
	// The field is omitted from JSON when empty.
	// NOTE(review): whether an empty Fixed means "no fix released yet" is
	// not stated here — confirm before reporting a module as unfixed.
	Fixed string `json:"fixed,omitempty"`
}

ModuleVuln contains metadata about a vulnerability that affects a certain module.

type PackageRequest

// A PackageRequest provides arguments to Client.ByPackage. Module is
// required; Package and Version are optional narrowing filters.
type PackageRequest struct {
	// Module is the module path to filter on.
	// ByPackage will only return entries that affect this module.
	// This must be set (if empty, ByPackage will always return nil).
	// NOTE(review): a nil result from an empty Module looks the same as
	// "no known vulnerabilities", so callers should validate Module
	// before the call instead of relying on the result — confirm whether
	// ByPackage also returns an error in that case.
	Module string
	// The package path to filter on.
	// ByPackage will only return entries that affect this package.
	// If empty, ByPackage will not filter based on the package.
	Package string
	// The version to filter on.
	// ByPackage will only return entries affected at this module
	// version.
	// If empty, ByPackage will not filter based on version.
	Version string
}

A PackageRequest provides arguments to Client.ByPackage.

type Vuln

// A Vuln contains information to display about a vulnerability.
type Vuln struct {
	// The vulndb ID.
	ID string
	// A description of the vulnerability, or the problem in obtaining it.
	// Because the same field carries either a real description or an
	// error message, a Vuln alone does not tell a caller whether the
	// lookup succeeded.
	// NOTE(review): the text originates from database content or an
	// error string; presumably it is rendered to users — confirm it is
	// escaped at the rendering site.
	Details string
}

A Vuln contains information to display about a vulnerability.

func VulnsForPackage

func VulnsForPackage(ctx context.Context, modulePath, version, packagePath string, vc *Client) []Vuln

VulnsForPackage obtains vulnerability information for the given package. If packagePath is empty, it returns all entries for the module at version. If there is an error, VulnsForPackage returns a single Vuln that describes the error.

type VulnMeta

// VulnMeta contains metadata about a vulnerability in the database.
type VulnMeta struct {
	// ID is a unique identifier for the vulnerability.
	// The Go vulnerability database issues IDs of the form
	// GO-<YEAR>-<ENTRYID>.
	ID string `json:"id"`
	// Modified is the time the vulnerability was last modified.
	Modified time.Time `json:"modified"`
	// Aliases is a list of IDs for the same vulnerability in other
	// databases. The field is omitted from JSON when empty.
	// NOTE(review): presumably these are the CVE/GHSA ids that
	// CanonicalAlias normalizes — confirm.
	Aliases []string `json:"aliases,omitempty"`
}

VulnMeta contains metadata about a vulnerability in the database.

Found in the "index/vulns" endpoint of the vulnerability database.

Source Files

client.go regexp.go schema.go source.go url.go vulns.go

Version
v0.0.0-20250218150137-224a1368cf02 (latest)
Published
Feb 18, 2025
Platform
linux/amd64
Imports
25 packages
Last checked
2 months ago
