models

package
v1.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 1, 2026 License: MIT Imports: 3 Imported by: 0

Documentation

Overview

Package models - Error definitions for CSVSA

Package models defines the core data structures used throughout CSVSA. These models represent the normalized vulnerability data and analysis results that flow through the system's pipeline.

Design Philosophy: - Immutable data structures where possible - Clear separation between raw scanner output and normalized data - Support for extensibility through composition

Index

Constants

This section is empty.

Variables

View Source 
var (
	// ErrScannerNotFound indicates a requested scanner is not installed.
	ErrScannerNotFound = errors.New("scanner not found")

	// ErrScannerTimeout indicates a scanner exceeded its time limit.
	ErrScannerTimeout = errors.New("scanner execution timed out")

	// ErrScannerFailed indicates a scanner returned a non-zero exit code.
	ErrScannerFailed = errors.New("scanner execution failed")

	// ErrInvalidTarget indicates the scan target is invalid or inaccessible.
	ErrInvalidTarget = errors.New("invalid scan target")

	// ErrParseFailure indicates JSON parsing failed.
	ErrParseFailure = errors.New("failed to parse scanner output")

	// ErrNoScanners indicates no scanners are available.
	ErrNoScanners = errors.New("no scanners available")

	// ErrAllScannersFailed indicates all scanner executions failed.
	ErrAllScannersFailed = errors.New("all scanners failed")

	// ErrInvalidConfig indicates configuration validation failed.
	ErrInvalidConfig = errors.New("invalid configuration")
)

Standard errors used throughout CSVSA. Using sentinel errors enables callers to use errors.Is() for comparison.

Functions

This section is empty.

Types

type ConfidenceLevel 

type ConfidenceLevel string

ConfidenceLevel represents the confidence in a vulnerability finding. 

const (
	// ConfidenceHigh indicates the vulnerability was found by multiple scanners.
	ConfidenceHigh ConfidenceLevel = "HIGH"

	// ConfidenceMedium indicates the vulnerability was found by one scanner
	// but has strong supporting evidence.
	ConfidenceMedium ConfidenceLevel = "MEDIUM"

	// ConfidenceLow indicates the vulnerability was found by only one scanner.
	ConfidenceLow ConfidenceLevel = "LOW"
)

type ConsensusResult 

type ConsensusResult struct {
	// Target is the image or filesystem that was analyzed.
	Target string `json:"target"`

	// Scanners lists all scanners that participated in the analysis.
	Scanners []string `json:"scanners"`

	// Consensus contains vulnerabilities found by ALL scanners.
	Consensus []Vulnerability `json:"consensus"`

	// UniqueFindings maps scanner name to vulnerabilities only that scanner found.
	UniqueFindings map[string][]Vulnerability `json:"unique_findings"`

	Statistics Statistics `json:"statistics"`

	// AllVulnerabilities contains the complete deduplicated list.
	AllVulnerabilities []Vulnerability `json:"all_vulnerabilities"`

	// OverlapPercentage is the percentage of vulnerabilities found by all scanners.
	OverlapPercentage float64 `json:"overlap_percentage"`

	// ScanResults contains the original results from each scanner.
	ScanResults []ScanResult `json:"scan_results"`

	// AnalysisTime is when the consensus analysis was performed.
	AnalysisTime time.Time `json:"analysis_time"`

	// TotalDuration is the total time for all scans and analysis.
	TotalDuration time.Duration `json:"total_duration"`
}

ConsensusResult represents the analysis of vulnerabilities across multiple scanners.

func (*ConsensusResult) ConsensusSeverityDistribution 

func (c *ConsensusResult) ConsensusSeverityDistribution() map[Severity]int

ConsensusSeverityDistribution returns counts for consensus vulnerabilities only.

func (*ConsensusResult) SeverityDistribution 

func (c *ConsensusResult) SeverityDistribution() map[Severity]int

SeverityDistribution returns counts for each severity level across all vulnerabilities.

func (*ConsensusResult) SuccessfulScanners 

func (c *ConsensusResult) SuccessfulScanners() int

SuccessfulScanners returns the count of scanners that completed successfully.

type KEVInfo added in v1.0.2 

type KEVInfo struct {
	IsKEV             bool   `json:"is_kev"`
	VulnerabilityName string `json:"vulnerability_name,omitempty"`
	DateAdded         string `json:"date_added,omitempty"`
	RequiredAction    string `json:"required_action,omitempty"`
	DueDate           string `json:"due_date,omitempty"`
	ShortDescription  string `json:"short_description,omitempty"`
}

KEVInfo holds CISA Known Exploited Vulnerability metadata.

type ParseError 

type ParseError struct {
	Scanner  string // Which scanner's output we were parsing
	Field    string // Which field caused the issue (if known)
	RawValue string // The problematic raw value (if applicable)
	Err      error  // The underlying error
}

ParseError represents an error that occurred while parsing scanner output.

func NewParseError 

func NewParseError(scanner, field string, err error) *ParseError

NewParseError creates a new ParseError with the given context.

func (*ParseError) Error 

func (e *ParseError) Error() string

Error implements the error interface.

func (*ParseError) Unwrap 

func (e *ParseError) Unwrap() error

Unwrap returns the underlying error.

type ScanConfig 

type ScanConfig struct {
	// Target is the container image or filesystem path to scan.
	Target string

	// Timeout is the maximum duration for each scanner.
	Timeout time.Duration

	// Scanners lists which scanners to use. Empty means use all available.
	Scanners []string

	// OutputFormat specifies the desired output format(s).
	OutputFormat []string

	// OutputPath is where to write the output (empty for stdout).
	OutputPath string

	// Verbose enables detailed logging.
	Verbose bool

	// FailOnVulnerability causes the tool to exit with error if vulnerabilities found.
	FailOnVulnerability bool

	// MinSeverity sets the minimum severity to report.
	MinSeverity Severity
}

ScanConfig holds configuration for a scanning operation.

func DefaultConfig 

func DefaultConfig() ScanConfig

DefaultConfig returns a ScanConfig with sensible defaults.

type ScanError 

type ScanError struct {
	Scanner string // Which scanner produced this error
	Target  string // What was being scanned
	Op      string // What operation failed
	Err     error  // The underlying error
}

ScanError wraps an error with additional context about the scan operation.

func NewScanError 

func NewScanError(scanner, target, op string, err error) *ScanError

NewScanError creates a new ScanError with the given context.

func (*ScanError) Error 

func (e *ScanError) Error() string

Error implements the error interface.

func (*ScanError) Unwrap 

func (e *ScanError) Unwrap() error

Unwrap returns the underlying error for errors.Is() and errors.As().

type ScanResult 

type ScanResult struct {
	// Scanner identifies which scanner produced this result.
	Scanner string `json:"scanner"`

	Scanners []string `json:"scanners"`

	AnalysisTime string `json:"analysis_time"`

	// Target is the image or filesystem that was scanned.
	Target string `json:"target"`

	Consensus []Vulnerability `json:"consensus"`

	UniqueFindings map[string][]Vulnerability `json:"unique_findings"`

	Statistics Statistics `json:"statistics"`

	// Vulnerabilities is the list of detected vulnerabilities.
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`

	// ScanTime is when the scan was performed.
	ScanTime time.Time `json:"scan_time"`

	// Duration is how long the scan took.
	Duration time.Duration `json:"duration"`

	// Error contains any error message if the scan failed.
	Error string `json:"error,omitempty"`

	// Success indicates whether the scan completed successfully.
	Success bool `json:"success"`

	// RawOutput stores the original JSON output for debugging.
	RawOutput []byte `json:"-"`
}

ScanResult represents the output from a single scanner execution.

func (*ScanResult) CountBySeverity 

func (r *ScanResult) CountBySeverity() map[Severity]int

CountBySeverity returns a map of severity to count.

func (*ScanResult) VulnerabilityCount 

func (r *ScanResult) VulnerabilityCount() int

VulnerabilityCount returns the total number of vulnerabilities found.

type ScannerInfo 

type ScannerInfo struct {
	// Name is the identifier for this scanner.
	Name string `json:"name"`

	// Version is the scanner's version string.
	Version string `json:"version"`

	// Available indicates if the scanner is installed and accessible.
	Available bool `json:"available"`

	// Path is the filesystem path to the scanner executable.
	Path string `json:"path,omitempty"`
}

ScannerInfo contains metadata about a scanner.

type Severity 

type Severity string

Severity represents the severity level of a vulnerability. We use a custom type to ensure type safety and enable validation. 

const (
	SeverityCritical Severity = "CRITICAL"
	SeverityHigh     Severity = "HIGH"
	SeverityMedium   Severity = "MEDIUM"
	SeverityLow      Severity = "LOW"
	SeverityUnknown  Severity = "UNKNOWN"
)

func (Severity) IsValid 

func (s Severity) IsValid() bool

IsValid checks if the severity is a recognized value.

func (Severity) Weight 

func (s Severity) Weight() int

SeverityWeight returns a numeric weight for severity comparison and sorting. Higher values indicate more severe vulnerabilities.

type Statistics added in v1.0.2 

type Statistics struct {
	TotalUnique       int     `json:"total_unique"`
	ConsensusCount    int     `json:"consensus_count"`
	OverlapPercentage float64 `json:"overlap_percentage"`
	KEVCount          int     `json:"kev_count"`           // NEW: how many are actively exploited
	KEVConsensusCount int     `json:"kev_consensus_count"` // NEW: KEV vulns confirmed by all scanners
}

Statistics holds summary metrics.

type Vulnerability 

type Vulnerability struct {
	// CVE is the Common Vulnerabilities and Exposures identifier.
	// Example: "CVE-2021-44228"
	CVE string `json:"cve"`

	CVEID string `json:"cve_id"`

	// Package is the name of the affected software package.
	// Example: "log4j-core"
	Package string `json:"package"`

	// InstalledVersion is the version of the package that was scanned.
	// Example: "2.14.1"
	InstalledVersion string `json:"installed_version"`

	// FixedVersion is the version that resolves this vulnerability (if known).
	// May be empty if no fix is available.
	FixedVersion string `json:"fixed_version,omitempty"`

	// Severity indicates the severity level of the vulnerability.
	Severity Severity `json:"severity"`

	// Scanner identifies which scanner detected this vulnerability.
	// Example: "trivy", "grype"
	Scanner string `json:"scanner"`

	Version string `json:"version"`

	// Title is a brief description of the vulnerability.
	Title string `json:"title,omitempty"`

	// Description provides detailed information about the vulnerability.
	Description string `json:"description,omitempty"`

	// References contains URLs to additional information.
	References []string `json:"references,omitempty"`

	KEV *KEVInfo `json:"kev"`
}

Vulnerability represents a normalized security vulnerability found by a scanner. This is the canonical representation used throughout the analysis pipeline.

Fields are designed to capture the essential information needed for: 1. Unique identification (CVE + Package + InstalledVersion) 2. Severity assessment 3. Provenance tracking (which scanner found it)

func (*Vulnerability) Key 

func (v *Vulnerability) Key() string

Key generates a unique identifier for this vulnerability. Used for deduplication and consensus computation. The key is composed of CVE + Package + InstalledVersion to ensure we're comparing the same vulnerability in the same package version.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.