Documentation ¶
Index ¶
- func KnownCapability(name string) bool
- func RiskValue(level string) int
- type Capability
- type CapabilityEvidence
- type CapabilityRole
- type CapabilitySet
- func (cs *CapabilitySet) Add(cap Capability)
- func (cs *CapabilitySet) AddWithEvidence(cap Capability, ev CapabilityEvidence)
- func (cs CapabilitySet) Confidence(cap string) float64
- func (cs CapabilitySet) Has(cap Capability) bool
- func (cs CapabilitySet) IsEmpty() bool
- func (cs CapabilitySet) List() []string
- func (cs *CapabilitySet) Merge(other CapabilitySet)
- func (cs *CapabilitySet) MergeWithEvidence(other CapabilitySet)
- func (cs CapabilitySet) RiskLevel() string
- func (cs CapabilitySet) String() string
- func (cs CapabilitySet) Without(excepts map[string]bool) CapabilitySet
- type PatternSet
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func KnownCapability ¶
func KnownCapability(name string) bool
KnownCapability reports whether name is a recognised capability.
Types ¶
type Capability ¶
type Capability = string
Capability is the string name of a detected capability (e.g. "exec", "fs:read"). Using a string alias instead of a bitflag removes the 16-capability ceiling and lets new languages introduce capabilities without touching this file.
const (
	CapFSRead  Capability = "fs:read"
	CapFSWrite Capability = "fs:write"
	CapNetwork Capability = "network"
	CapExec    Capability = "exec"
	CapEnv     Capability = "env"
	CapUnsafe  Capability = "unsafe"
	CapCrypto  Capability = "crypto"
	CapReflect Capability = "reflect"
	CapPlugin  Capability = "plugin"
)
type CapabilityEvidence ¶
type CapabilityEvidence struct {
	File       string  `json:"file,omitempty"`
	Line       int     `json:"line,omitempty"`
	Context    string  `json:"context,omitempty"`
	Via        string  `json:"via,omitempty"`        // "import" | "callSite" | "installScript"
	Confidence float64 `json:"confidence,omitempty"` // 0.0–1.0
}
CapabilityEvidence records a single piece of evidence for a detected capability.
type CapabilityRole ¶ added in v0.2.1
type CapabilityRole int
CapabilityRole classifies capabilities by their role in taint analysis.
const (
	RoleSource    CapabilityRole = iota // env, network, fs:read
	RoleSink                            // exec, unsafe, fs:write, plugin
	RoleSanitizer                       // crypto
	RoleNeutral                         // reflect
)
func ClassifyCapability ¶ added in v0.2.1
func ClassifyCapability(cap Capability) CapabilityRole
ClassifyCapability returns the taint analysis role for a capability.
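The role mapping documented in the const comments above, as an added example that is not the package's own code: it reproduces ClassifyCapability from that mapping and buckets a package's detected capabilities by role. The SourceToSink check and the treatment of unknown names as neutral are assumptions of this example, not behaviour the page describes; the check is a set-level approximation (a source and a sink both present), not real dataflow, and is only meant to flag packages that deserve a closer look.

```go
package main

import "fmt"

type Capability = string

type CapabilityRole int

const (
	RoleSource    CapabilityRole = iota // env, network, fs:read
	RoleSink                            // exec, unsafe, fs:write, plugin
	RoleSanitizer                       // crypto
	RoleNeutral                         // reflect
)

func (r CapabilityRole) String() string {
	return [...]string{"source", "sink", "sanitizer", "neutral"}[r]
}

// ClassifyCapability follows the grouping given in the const comments; any
// name outside the taxonomy is treated as neutral (an assumption of this example).
func ClassifyCapability(cap Capability) CapabilityRole {
	switch cap {
	case "env", "network", "fs:read":
		return RoleSource
	case "exec", "unsafe", "fs:write", "plugin":
		return RoleSink
	case "crypto":
		return RoleSanitizer
	}
	return RoleNeutral
}

// TaintSummary groups detected capabilities by their taint-analysis role.
type TaintSummary struct {
	Sources, Sinks, Sanitizers, Neutral []Capability
}

// Summarize buckets caps by role so a reviewer can see at a glance which
// sources (untrusted input) and sinks (dangerous operations) a package touches.
func Summarize(caps []Capability) TaintSummary {
	var s TaintSummary
	for _, c := range caps {
		switch ClassifyCapability(c) {
		case RoleSource:
			s.Sources = append(s.Sources, c)
		case RoleSink:
			s.Sinks = append(s.Sinks, c)
		case RoleSanitizer:
			s.Sanitizers = append(s.Sanitizers, c)
		default:
			s.Neutral = append(s.Neutral, c)
		}
	}
	return s
}

// SourceToSink is a coarse, set-level heuristic (assumed here): it is true when
// at least one source and one sink are present, i.e. untrusted input could in
// principle reach a dangerous operation. It says nothing about actual dataflow.
func (s TaintSummary) SourceToSink() bool { return len(s.Sources) > 0 && len(s.Sinks) > 0 }

func main() {
	// Constructed capability list for a hypothetical package.
	s := Summarize([]Capability{"env", "network", "exec", "reflect"})
	fmt.Printf("sources=%v sinks=%v sanitizers=%v neutral=%v source->sink=%v\n",
		s.Sources, s.Sinks, s.Sanitizers, s.Neutral, s.SourceToSink())
}
```

Running it prints the four buckets and reports source->sink=true, because "env" and "network" are sources and "exec" is a sink; a package with only "crypto" and "fs:read" would report false.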
type CapabilitySet ¶
type CapabilitySet struct {
	Score    int
	Evidence map[string][]CapabilityEvidence // cap name → evidence list
	// contains filtered or unexported fields
}
CapabilitySet is a sorted, deduplicated set of capabilities with an accumulated score. Value copies are safe; mutations (Add, AddWithEvidence, Merge) require a pointer receiver.
func (*CapabilitySet) Add ¶
func (cs *CapabilitySet) Add(cap Capability)
Add inserts cap into the set if not already present, accumulating its weight. It is a shortcut for AddWithEvidence with a zero-value evidence (no source location recorded).
func (*CapabilitySet) AddWithEvidence ¶
func (cs *CapabilitySet) AddWithEvidence(cap Capability, ev CapabilityEvidence)
AddWithEvidence inserts cap into the set, accumulating its weight if new, and records evidence.
func (CapabilitySet) Confidence ¶
func (cs CapabilitySet) Confidence(cap string) float64
Confidence returns the average confidence for a capability across all recorded evidence. Returns 0 if no evidence is recorded (backward-compatible default).
func (CapabilitySet) Has ¶
func (cs CapabilitySet) Has(cap Capability) bool
Has reports whether cap is present.
func (CapabilitySet) IsEmpty ¶
func (cs CapabilitySet) IsEmpty() bool
IsEmpty reports whether the set contains no capabilities.
func (CapabilitySet) List ¶
func (cs CapabilitySet) List() []string
List returns a sorted copy of the capability names.
func (*CapabilitySet) Merge ¶
func (cs *CapabilitySet) Merge(other CapabilitySet)
Merge adds all capabilities from other into cs without propagating evidence.
func (*CapabilitySet) MergeWithEvidence ¶
func (cs *CapabilitySet) MergeWithEvidence(other CapabilitySet)
MergeWithEvidence adds all capabilities and their evidence from other into cs.
func (CapabilitySet) RiskLevel ¶
func (cs CapabilitySet) RiskLevel() string
RiskLevel returns "HIGH", "MEDIUM", or "LOW" based on the accumulated score.
func (CapabilitySet) String ¶
func (cs CapabilitySet) String() string
String returns a comma-separated list of capability names.
func (CapabilitySet) Without ¶ added in v0.3.5
func (cs CapabilitySet) Without(excepts map[string]bool) CapabilitySet
Without returns a new CapabilitySet that excludes the capabilities in excepts. Used by the policy engine to filter excepted capabilities before composite scoring.
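To show how the CapabilitySet methods documented above fit together (once-per-capability weight accumulation in AddWithEvidence, evidence averaging in Confidence, score-based RiskLevel, and Without rebuilding a filtered set for policy exceptions), here is an added, self-contained re-implementation of that subset. It is not the package's own code: the per-capability weights, the HIGH/MEDIUM/LOW thresholds and the map-backed membership are assumptions of this example, and Merge/MergeWithEvidence are omitted.

```go
package main

import (
	"sort"
	"strings"
)

type Capability = string

type CapabilityEvidence struct {
	File       string
	Line       int
	Context    string
	Via        string  // "import" | "callSite" | "installScript"
	Confidence float64 // 0.0-1.0
}

// weights and the RiskLevel thresholds are ASSUMED for this example; the page
// does not give the package's scoring table.
var weights = map[Capability]int{
	"exec": 40, "unsafe": 40, "plugin": 30, "network": 20, "fs:write": 20,
	"env": 10, "fs:read": 10, "reflect": 10, "crypto": 5,
}

// Membership lives in an unexported map, so value copies are safe to read.
type CapabilitySet struct {
	Score    int
	Evidence map[string][]CapabilityEvidence // cap name -> evidence list
	caps     map[Capability]bool
}

func (cs *CapabilitySet) AddWithEvidence(cap Capability, ev CapabilityEvidence) {
	if cs.caps == nil {
		cs.caps = map[Capability]bool{}
		cs.Evidence = map[string][]CapabilityEvidence{}
	}
	if !cs.caps[cap] { // weight counts once per capability, not per sighting
		cs.caps[cap] = true
		cs.Score += weights[cap]
	}
	if ev != (CapabilityEvidence{}) { // zero-value evidence records no location
		cs.Evidence[cap] = append(cs.Evidence[cap], ev)
	}
}

func (cs *CapabilitySet) Add(cap Capability) { cs.AddWithEvidence(cap, CapabilityEvidence{}) }

func (cs CapabilitySet) Has(cap Capability) bool { return cs.caps[cap] }

func (cs CapabilitySet) List() []string {
	out := make([]string, 0, len(cs.caps))
	for c := range cs.caps {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

func (cs CapabilitySet) String() string { return strings.Join(cs.List(), ",") }

// Confidence averages recorded evidence and is 0 when none was recorded.
func (cs CapabilitySet) Confidence(cap string) float64 {
	evs := cs.Evidence[cap]
	if len(evs) == 0 {
		return 0
	}
	sum := 0.0
	for _, e := range evs {
		sum += e.Confidence
	}
	return sum / float64(len(evs))
}

func (cs CapabilitySet) RiskLevel() string {
	switch {
	case cs.Score >= 50:
		return "HIGH"
	case cs.Score >= 20:
		return "MEDIUM"
	}
	return "LOW"
}

// Without rebuilds a fresh set so Score and Evidence reflect only the
// survivors; the receiver is left untouched.
func (cs CapabilitySet) Without(excepts map[string]bool) CapabilitySet {
	var out CapabilitySet
	for _, c := range cs.List() {
		if excepts[c] {
			continue
		}
		out.Add(c)
		out.Evidence[c] = append(out.Evidence[c], cs.Evidence[c]...)
	}
	return out
}
```

With constructed evidence for a hypothetical package (exec seen twice at confidence 1.0 and 0.5, env once, crypto with no location), the set scores 55 and reports HIGH under these assumed weights, Confidence("exec") averages to 0.75, and Without(map[string]bool{"exec": true}) yields a new set scoring 15 (LOW) whose evidence map no longer carries the exec entries, while the original set is unchanged.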
type PatternSet ¶
type PatternSet struct {
	Name      string
	Imports   map[string][]Capability // import path → capabilities
	CallSites map[string][]Capability // call pattern → capabilities
}
PatternSet holds the resolved capability-detection patterns for a language. It is loaded from a languages/*.yaml file via LoadPatterns.
func LoadPatterns ¶
func LoadPatterns(lang string) (*PatternSet, error)
LoadPatterns reads and validates languages/<lang>.yaml from the embedded FS. Capability name strings are validated against the known taxonomy and converted to typed Capability values — unknown names cause an early error.
func MustLoadPatterns ¶
func MustLoadPatterns(lang string) *PatternSet
MustLoadPatterns is like LoadPatterns but panics on error. Safe to call at package-init time since the YAML is embedded at compile time.
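An added example, not the package's own code, of what a PatternSet is used for once LoadPatterns has produced it: the capability names are validated against the taxonomy (the early-error behaviour LoadPatterns documents), then import paths and call patterns are matched against source lines to produce findings whose fields line up with CapabilityEvidence. The pattern set and the JavaScript snippet are constructed inline rather than loaded from languages/*.yaml, and the line-based substring matcher is an assumption of this example; the page does not describe how the real detector matches.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

type Capability = string

// knownCaps is the taxonomy listed under type Capability; KnownCapability
// checks names against it, as LoadPatterns is documented to do.
var knownCaps = map[string]bool{
	"fs:read": true, "fs:write": true, "network": true, "exec": true, "env": true,
	"unsafe": true, "crypto": true, "reflect": true, "plugin": true,
}

func KnownCapability(name string) bool { return knownCaps[name] }

type PatternSet struct {
	Name      string
	Imports   map[string][]Capability // import path -> capabilities
	CallSites map[string][]Capability // call pattern -> capabilities
}

// ValidatePatterns fails early on any name outside the taxonomy, so a typo in
// a pattern file cannot silently produce a capability nothing downstream knows.
func ValidatePatterns(ps *PatternSet) error {
	check := func(kind string, m map[string][]Capability) error {
		for key, caps := range m {
			for _, c := range caps {
				if !KnownCapability(c) {
					return fmt.Errorf("%s: %s %q: unknown capability %q", ps.Name, kind, key, c)
				}
			}
		}
		return nil
	}
	if err := check("import", ps.Imports); err != nil {
		return err
	}
	return check("callSite", ps.CallSites)
}

// Finding is one match; its fields line up with CapabilityEvidence.
type Finding struct {
	Cap     Capability
	File    string
	Line    int
	Via     string // "import" | "callSite"
	Context string
}

// Scan is a deliberately simple line matcher (an assumption of this example):
// an import pattern matches when the quoted path appears on the line, a
// call-site pattern matches on substring. A real detector would parse the AST.
func Scan(ps *PatternSet, file, src string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		add := func(via string, caps []Capability) {
			for _, c := range caps {
				out = append(out, Finding{c, file, i + 1, via, line})
			}
		}
		for path, caps := range ps.Imports {
			if strings.Contains(line, `"`+path+`"`) || strings.Contains(line, `'`+path+`'`) {
				add("import", caps)
			}
		}
		for pat, caps := range ps.CallSites {
			if strings.Contains(line, pat) {
				add("callSite", caps)
			}
		}
	}
	sort.Slice(out, func(a, b int) bool { // map order is random; keep the report stable
		if out[a].Line != out[b].Line {
			return out[a].Line < out[b].Line
		}
		return out[a].Cap < out[b].Cap
	})
	return out
}

// samplePatterns stands in for a parsed languages/javascript.yaml (constructed here).
func samplePatterns() *PatternSet {
	return &PatternSet{
		Name:      "javascript",
		Imports:   map[string][]Capability{"fs": {"fs:read", "fs:write"}, "child_process": {"exec"}},
		CallSites: map[string][]Capability{"process.env": {"env"}, "execSync(": {"exec"}},
	}
}

// sampleSource is a constructed snippet, not a real package.
const sampleSource = `const fs = require("fs");
const { execSync } = require("child_process");
const token = process.env.NPM_TOKEN;
execSync("echo hi");`
```

Calling ValidatePatterns(samplePatterns()) returns nil, while a pattern set naming a capability such as "superuser" is rejected before any scanning happens. Scan(samplePatterns(), "index.js", sampleSource) yields five findings in line order: fs:read and fs:write via import on line 1, exec via import on line 2, env via callSite on line 3 and exec via callSite on line 4; each maps directly onto an AddWithEvidence call with Via and Line filled in.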