Documentation
Overview
Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. This product includes software developed at Datadog (https://www.datadoghq.com) Copyright 2024 Datadog, Inc.
Index
- Constants
- Variables
- func Range(start, end int) (lines []int)
- func RemoveDuplicates(lines []int) []int
- type AnalyzedPaths
- type ArtifactChange
- type ArtifactLocation
- type CodeLine
- type CommentCommand
- type CommentsCommands
- type Counters
- type DiffAware
- type Document
- type Documents
- type Extensions
- type ExtractedPathObject
- type FileKind
- type FileMetadata
- type FileMetadatas
- type FixContent
- type FixMessage
- type FixReplacement
- type Framework
- type Ignore
- type IssueType
- type LineObject
- type PathParameters
- type QueryConfig
- type QueryMetadata
- type QueryResult
- type QueryResultSlice
- type RepositoryCommitInfo
- type ResolvedFile
- type ResolvedFileSplit
- type ResolvedFiles
- type ResolvedHelm
- type ResourceLine
- type ResourceLocation
- type SCIInfo
- type SarifFix
- type SarifRegion
- type SarifResourceLocation
- type Severity
- type SeveritySummary
- type Summary
- type Times
- type Vulnerability
- type VulnerabilityLines
- type VulnerableFile
Constants
const (
	SeverityCritical = "CRITICAL"
	SeverityHigh     = "HIGH"
	SeverityMedium   = "MEDIUM"
	SeverityLow      = "LOW"
	SeverityInfo     = "INFO"
	SeverityTrace    = "TRACE"
)
Constants to describe a vulnerability's severity
Variables
var (
	AllSeverities = []Severity{
		SeverityCritical,
		SeverityHigh,
		SeverityMedium,
		SeverityLow,
		SeverityInfo,
		SeverityTrace,
	}
	AllIssueTypesAsString = []string{
		string(IssueTypeMissingAttribute),
		string(IssueTypeRedundantAttribute),
		string(IssueTypeIncorrectValue),
	}
)
Arrays that group all constants of one type
var (
	// KICSCommentRgxp is the regexp to identify if a comment is a KICS comment
	KICSCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)*\s*dd-iac-scan\s*`)
	// KICSGetContentCommentRgxp gets the KICS comment in the Helm case
	KICSGetContentCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)*\s*dd-iac-scan([^\n]*)\n`)
	// KICSCommentRgxpYaml is the regexp to identify if a YAML comment ends with a KICS comment
	KICSCommentRgxpYaml = regexp.MustCompile(`((/{2})|#)*\s*dd-iac-scan\s*(ignore-line|ignore-block)\s*\n*$`)
)
Functions
func RemoveDuplicates
func RemoveDuplicates(lines []int) []int
RemoveDuplicates removes duplicate lines from a slice of lines.
Types
type AnalyzedPaths
AnalyzedPaths is a slice of types and excluded files obtained from the Analyzer
type ArtifactChange
type ArtifactChange struct {
ArtifactLocation ArtifactLocation `json:"artifactLocation"`
Replacements []FixReplacement `json:"replacements"`
}
type ArtifactLocation
type ArtifactLocation struct {
URI string `json:"uri"`
}
type CodeLine
CodeLine is one of the lines containing or adjacent to the vulnerability line, together with its position
type CommentCommand
type CommentCommand string
CommentCommand represents a command given from a comment
const (
	IgnoreLine    CommentCommand = "ignore-line"
	IgnoreBlock   CommentCommand = "ignore-block"
	IgnoreComment CommentCommand = "ignore-comment"
)
Constants to describe commands given from comments
func ProcessCommands
func ProcessCommands(commands []string) CommentCommand
ProcessCommands processes a slice of commands.
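The comment regexps and CommentCommand constants above are exercised here on constructed comment strings, as an added example that is not code from this package: CommandFromComment and YAMLTrailingCommand are hypothetical helpers written for illustration, not the package's ProcessCommands, whose internals this page does not show. The two regexps are copied verbatim from the variable block.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CommentCommand and its constants mirror the package's declarations above.
type CommentCommand string
const (
	IgnoreLine    CommentCommand = "ignore-line"
	IgnoreBlock   CommentCommand = "ignore-block"
	IgnoreComment CommentCommand = "ignore-comment"
)

// Both regexps are copied verbatim from the package's variable block.
var (
	KICSGetContentCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)*\s*dd-iac-scan([^\n]*)\n`)
	KICSCommentRgxpYaml       = regexp.MustCompile(`((/{2})|#)*\s*dd-iac-scan\s*(ignore-line|ignore-block)\s*\n*$`)
)
var knownCommands = map[CommentCommand]bool{IgnoreLine: true, IgnoreBlock: true, IgnoreComment: true}

// CommandFromComment (hypothetical helper) returns the command following "dd-iac-scan"
// in a stand-alone comment. Group 4 is the rest of the line; a trailing newline is required.
func CommandFromComment(comment string) (CommentCommand, bool) {
	if !strings.HasSuffix(comment, "\n") {
		comment += "\n"
	}
	m := KICSGetContentCommentRgxp.FindStringSubmatch(comment)
	if m == nil {
		return "", false
	}
	cmd := CommentCommand(strings.TrimSpace(m[4]))
	return cmd, knownCommands[cmd] // a bare marker with no known command is rejected
}

// YAMLTrailingCommand (hypothetical helper) covers the YAML case: the marker must end
// the line, e.g. "key: v # dd-iac-scan ignore-line". Group 3 is the command.
func YAMLTrailingCommand(line string) (CommentCommand, bool) {
	m := KICSCommentRgxpYaml.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	return CommentCommand(m[3]), true
}

func main() { // constructed sample inputs
	fmt.Println(CommandFromComment("// dd-iac-scan ignore-block"))
	fmt.Println(YAMLTrailingCommand("image: nginx:latest # dd-iac-scan ignore-line"))
}
```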
type CommentsCommands
CommentsCommands is the list of commands in a file that will be parsed
type Counters
type Counters struct {
ScannedFiles int `json:"files_scanned"`
ScannedFilesLines int `json:"lines_scanned"`
ParsedFiles int `json:"files_parsed"`
ParsedFilesLines int `json:"lines_parsed"`
IgnoredFilesLines int `json:"lines_ignored"`
FailedToScanFiles int `json:"files_failed_to_scan"`
TotalQueries int `json:"queries_total"`
FailedToExecuteQueries int `json:"queries_failed_to_execute"`
FailedSimilarityID int `json:"queries_failed_to_compute_similarity_id"`
FoundResources int `json:"resources_found"`
}
Counters holds information about how many files were scanned, parsed and failed to be scanned, the total number of queries, and how many queries failed to execute
type DiffAware
type DiffAware struct {
Enabled bool `json:"enabled"`
ConfigDigest string `json:"config_digest"`
BaseSha string `json:"base_sha"`
Files string `json:"files"`
}
DiffAware contains the necessary information to be able to perform a diff between two reports
type Extensions
type Extensions map[string]struct{}
Extensions represents a list of supported extensions
func (Extensions) Include
func (e Extensions) Include(ext string) bool
Include returns true if the extension is in the list of supported extensions, otherwise false
func (Extensions) MatchedFilesRegex
func (e Extensions) MatchedFilesRegex() string
MatchedFilesRegex returns the regex rule to identify if an extension is supported or not
type ExtractedPathObject
ExtractedPathObject is the struct that contains the path location of extracted source and a boolean to check if it is a local source
type FileKind
type FileKind string
FileKind is the extension of a file
const (
	KindTerraform FileKind = "TF"
	KindBICEP     FileKind = "BICEP"
	KindDOCKER    FileKind = "DOCKER"
	KindJSON      FileKind = "JSON"
	KindYAML      FileKind = "YAML"
	KindYML       FileKind = "YML"
	KindPROTO     FileKind = "PROTO"
	KindCOMMON    FileKind = "*"
	KindHELM      FileKind = "HELM"
	KindBUILDAH   FileKind = "SH"
	KindCFG       FileKind = "CFG"
	KindINI       FileKind = "INI"
)
Constants describing the kind of file a FileKind refers to
type FileMetadata
type FileMetadata struct {
ID string `db:"id"`
ScanID string `db:"scan_id"`
Document Document
LineInfoDocument map[string]interface{}
OriginalData string `db:"orig_data"`
Kind FileKind `db:"kind"`
FilePath string `db:"file_path"`
HelmID string
IDInfo map[int]interface{}
Commands CommentsCommands
LinesIgnore []int
ResolvedFiles map[string]ResolvedFile
LinesOriginalData *[]string
IsMinified bool
}
FileMetadata is a representation of basic information and content of a file
type FileMetadatas
type FileMetadatas []*FileMetadata
FileMetadatas is a slice of FileMetadata pointers
func (FileMetadatas) Combine
func (m FileMetadatas) Combine(ctx context.Context, lineInfo bool) Documents
Combine merges the documents of the FileMetadatas, using the ID as the Document ID and FileName as the file reference
func (FileMetadatas) ToMap
func (m FileMetadatas) ToMap() map[string]*FileMetadata
ToMap creates a map of the FileMetadatas in which the key is the FileMetadata ID and the value is a pointer to the FileMetadata
type FixContent
type FixContent struct {
Text string `json:"text"`
}
type FixMessage
type FixMessage struct {
Text string `json:"text"`
}
type FixReplacement
type FixReplacement struct {
DeletedRegion SarifRegion `json:"deletedRegion"`
InsertedContent FixContent `json:"insertedContent,omitempty"`
}
type Framework
type Framework struct {
Framework string `json:"framework"`
FrameworkVersion string `json:"framework_version"`
Requirement string `json:"requirement"`
Control string `json:"control"`
}
Framework represents a framework mapping for a query
type Ignore
type Ignore struct {
// Lines is the lines to ignore
Lines []int
}
Ignore is a struct that holds the lines to ignore
type LineObject
type LineObject struct {
Line int `json:"_kics_line"`
Arr []map[string]*LineObject `json:"_kics_arr,omitempty"`
}
LineObject is the struct that will hold line information for each key
type PathParameters
type PathParameters struct {
ScannedPaths []string
PathExtractionMap map[string]ExtractedPathObject
}
PathParameters wraps the fields required for temporary path translation
type QueryConfig
QueryConfig is a struct that contains the fileKind and platform of the rego query
type QueryMetadata
type QueryMetadata struct {
InputData string
Query string
Content string
Metadata map[string]interface{}
Platform string
CWE string
// special field for generic queries
// represents how many queries are aggregated into a single rego file
Aggregation int
Experimental bool
}
QueryMetadata is a representation of general information about a query
type QueryResult
type QueryResult struct {
QueryName string `json:"query_name"`
QueryID string `json:"query_id"`
QueryURI string `json:"query_url"`
Severity Severity `json:"severity"`
Platform string `json:"platform"`
CWE string `json:"cwe,omitempty"`
CloudProvider string `json:"cloud_provider,omitempty"`
Category string `json:"category"`
Experimental bool `json:"experimental"`
Description string `json:"description"`
DescriptionID string `json:"description_id"`
CISDescriptionIDFormatted string `json:"cis_description_id,omitempty"`
CISDescriptionTitle string `json:"cis_description_title,omitempty"`
CISDescriptionTextFormatted string `json:"cis_description_text,omitempty"`
CISDescriptionID string `json:"cis_description_id_raw,omitempty"`
CISDescriptionText string `json:"cis_description_text_raw,omitempty"`
CISRationaleText string `json:"cis_description_rationale,omitempty"`
CISBenchmarkName string `json:"cis_benchmark_name,omitempty"`
CISBenchmarkVersion string `json:"cis_benchmark_version,omitempty"`
Frameworks []Framework `json:"frameworks,omitempty"`
Files []VulnerableFile `json:"files"`
}
QueryResult contains the ID, name and severity of a query that tested positive, and the list of files that tested vulnerable
type QueryResultSlice
type QueryResultSlice []QueryResult
QueryResultSlice is a slice of QueryResult
type RepositoryCommitInfo
type ResolvedFile
ResolvedFile is a struct that contains the information of a resolved file, the path and the content in bytes of the file
type ResolvedFileSplit
ResolvedFileSplit is a struct that contains the information of a resolved file, the path and the lines of the file
type ResolvedFiles
type ResolvedFiles struct {
File []ResolvedHelm
Excluded []string
}
ResolvedFiles keeps the information of all resolved files/templates
type ResolvedHelm
type ResolvedHelm struct {
FileName string
Content []byte
OriginalData []byte
SplitID string
IDInfo map[int]interface{}
}
ResolvedHelm keeps the information of one resolved file/template
type ResourceLine
ResourceLine is the line information of the resource with their respective positions
type ResourceLocation
type ResourceLocation struct {
Start ResourceLine
End ResourceLine
}
ResourceLocation is the line information of the resource with their respective start and end positions
type SCIInfo
type SCIInfo struct {
DiffAware DiffAware
RepositoryDir string
RepositoryCommitInfo RepositoryCommitInfo `json:"repository_commit_info"`
OrgId int64 `json:"org_id"`
}
type SarifFix
type SarifFix struct {
ArtifactChanges []ArtifactChange `json:"artifactChanges"`
Description FixMessage `json:"description"`
}
type SarifRegion
type SarifResourceLocation
type SeveritySummary
type SeveritySummary struct {
ScanID string `json:"scan_id"`
SeverityCounters map[Severity]int `json:"severity_counters"`
TotalCounter int `json:"total_counter"`
TotalBOMResources int `json:"total_bom_resources"`
}
SeveritySummary contains the scan's result numbers: how many vulnerabilities of each severity were detected
type Summary
type Summary struct {
Version string `json:"kics_version,omitempty"`
Counters
SeveritySummary
Times
ScannedPaths []string `json:"paths"`
Queries QueryResultSlice `json:"queries"`
Bom QueryResultSlice `json:"bill_of_materials,omitempty"`
FilePaths map[string]string `json:"-"`
}
Summary is a report of a single scan
func CreateSummary
func CreateSummary(ctx context.Context, counters Counters, vulnerabilities []Vulnerability, scanID string, pathExtractionMap map[string]ExtractedPathObject, repoDir string) Summary
CreateSummary creates a report for a single scan, based on its scanID
type Vulnerability
type Vulnerability struct {
ID int `json:"id"`
ScanID string `db:"scan_id" json:"-"`
SimilarityID string `db:"similarity_id" json:"similarityID"`
OldSimilarityID string `db:"old_similarity_id" json:"oldSimilarityID"`
FileID string `db:"file_id" json:"-"`
FileName string `db:"file_name" json:"fileName"`
QueryID string `db:"query_id" json:"queryID"`
QueryName string `db:"query_name" json:"queryName"`
QueryURI string `json:"-"`
Category string `json:"category"`
Experimental bool `json:"experimental"`
Description string `json:"description"`
DescriptionID string `json:"descriptionID"`
Platform string `db:"platform" json:"platform"`
CWE string `db:"cwe" json:"cwe"`
Severity Severity `json:"severity"`
Line int `json:"line"`
VulnerabilityLocation ResourceLocation `json:"resourceLocation"`
VulnLines *[]CodeLine `json:"vulnLines"`
ResourceType string `db:"resource_type" json:"resourceType"`
ResourceName string `db:"resource_name" json:"resourceName"`
IssueType IssueType `db:"issue_type" json:"issueType"`
SearchKey string `db:"search_key" json:"searchKey"`
SearchLine int `db:"search_line" json:"searchLine"`
SearchValue string `db:"search_value" json:"searchValue"`
KeyExpectedValue string `db:"key_expected_value" json:"expectedValue"`
KeyActualValue string `db:"key_actual_value" json:"actualValue"`
Value *string `db:"value" json:"value"`
Output string `json:"-"`
CloudProvider string `json:"cloud_provider"`
Remediation string `db:"remediation" json:"remediation"`
RemediationType string `db:"remediation_type" json:"remediation_type"`
RemediationLocation ResourceLocation `json:"remediationLocation"`
QueryDuration time.Duration `json:"query_duration"`
LineWithVulnerability string `json:"lineWithVulnerability"`
ResourceSource string `json:"resourceSource"`
FileSource []string `json:"fileSource"`
BlockLocation ResourceLocation `json:"blockLocation"`
Frameworks []Framework `json:"frameworks,omitempty"`
}
Vulnerability is a representation of a detected vulnerability in scanned files after running a query
type VulnerabilityLines
type VulnerabilityLines struct {
Line int
VulnLines *[]CodeLine
LineWithVulnerability string
ResolvedFile string
VulnerablilityLocation ResourceLocation
RemediationLocation ResourceLocation
ResourceSource string
FileSource []string
BlockLocation ResourceLocation
}
VulnerabilityLines is the representation of the line found for an issue
type VulnerableFile
type VulnerableFile struct {
FileName string `json:"file_name"`
SimilarityID string `json:"similarity_id"`
OldSimilarityID string `json:"old_similarity_id,omitempty"`
Line int `json:"line"`
ResourceLocation ResourceLocation `json:"resource_location"`
VulnLines *[]CodeLine `json:"-"`
ResourceType string `json:"resource_type,omitempty"`
ResourceName string `json:"resource_name,omitempty"`
IssueType IssueType `json:"issue_type"`
SearchKey string `json:"search_key"`
SearchLine int `json:"search_line"`
SearchValue string `json:"search_value"`
KeyExpectedValue string `json:"expected_value"`
KeyActualValue string `json:"actual_value"`
Value *string `json:"value,omitempty"`
Remediation string `json:"remediation,omitempty"`
RemediationType string `json:"remediation_type,omitempty"`
RemediationLocation ResourceLocation `json:"remediation_location,omitempty"`
LineWithVulnerability string `json:"line_content,omitempty"`
ResourceSource string `json:"resource_source,omitempty"`
FileSource []string `json:"file_source,omitempty"`
BlockLocation ResourceLocation `json:"block_location,omitempty"`
}
VulnerableFile contains information of a vulnerable file and where the vulnerability was found