analysis package

v1.4.0 Latest

Warning: This package is not in the latest version of its module.
Published: Apr 3, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package analysis provides canonical types for security analysis findings and shared analysis functions (detection, statistics, rule comparison) used across the audit, compliance, converter, and processor packages.

Constants

const ServiceNameSNMP = "SNMP Daemon"

ServiceNameSNMP is the display name for the SNMP service in statistics.

Variables

This section is empty.

Functions

func ComputeAnalysis

func ComputeAnalysis(cfg *common.CommonDevice) *common.Analysis

ComputeAnalysis performs lightweight analysis of the device configuration and returns an Analysis suitable for serialization in JSON/YAML exports. The returned Analysis is derived purely from cfg with no side effects. A nil cfg returns an empty Analysis.

func ComputeConfigComplexity

func ComputeConfigComplexity(stats *common.Statistics) int

ComputeConfigComplexity returns a normalized complexity score for the configuration based on weighted counts of various configuration elements. Returns 0 when stats is nil.

func ComputeSecurityScore

func ComputeSecurityScore(cfg *common.CommonDevice, stats *common.Statistics) int

ComputeSecurityScore returns a security score based on detected security features, firewall rules, HTTPS Web GUI usage, SSH group configuration, and IDS/IPS enablement. The score is capped at MaxSecurityScore. Returns 0 when cfg or stats is nil.

func ComputeStatistics

func ComputeStatistics(cfg *common.CommonDevice) *common.Statistics

ComputeStatistics analyzes a device configuration and returns aggregated statistics using the common.Statistics type suitable for serialization in JSON/YAML exports. A nil cfg returns an initialized but empty Statistics.

func ComputeTotalConfigItems

func ComputeTotalConfigItems(stats *common.Statistics) int

ComputeTotalConfigItems calculates the total number of configuration items by summing interfaces, rules, users, groups, services, gateways, sysctl, DHCP, load balancer, VLANs, bridges, certificates, and CAs.

func DetectConsistency

func DetectConsistency(cfg *common.CommonDevice) []common.ConsistencyFinding

DetectConsistency detects configuration consistency issues. Returns nil when no consistency issues are found.

func DetectDeadRules

func DetectDeadRules(cfg *common.CommonDevice) []common.DeadRuleFinding

DetectDeadRules detects unreachable and duplicate firewall rules by grouping rules per interface and analyzing each group independently. Each finding carries a Kind field ("unreachable" or "duplicate") for structured classification. Returns nil when no dead rules are found.

func DetectPerformanceIssues

func DetectPerformanceIssues(cfg *common.CommonDevice) []common.PerformanceFinding

DetectPerformanceIssues detects performance configuration issues. Returns nil when no performance issues are found.

func DetectSecurityIssues

func DetectSecurityIssues(cfg *common.CommonDevice) []common.SecurityFinding

DetectSecurityIssues detects security configuration issues. Returns nil when no security issues are found.

func DetectUnusedInterfaces

func DetectUnusedInterfaces(cfg *common.CommonDevice) []common.UnusedInterfaceFinding

DetectUnusedInterfaces detects enabled interfaces not referenced by firewall rules, DHCP scopes, DNS resolvers (Unbound/DNSMasq), OpenVPN instances, WireGuard, or the load balancer. DNS, WireGuard, and load balancer currently assume "lan" binding when enabled — this is a known limitation when these services are bound to non-LAN interfaces. Returns nil when no unused interfaces are found.

func FindDHCPScope

func FindDHCPScope(scopes []common.DHCPScope, ifaceName string) *common.DHCPScope

FindDHCPScope returns the DHCP scope for the given interface, or nil if not found.

func FindInterface

func FindInterface(interfaces []common.Interface, name string) *common.Interface

FindInterface returns the interface with the given name, or nil if not found.

func IsValidSeverity

func IsValidSeverity(s Severity) bool

IsValidSeverity checks whether the given severity is a recognized value.

func RulesEquivalent

func RulesEquivalent(a, b common.FirewallRule) bool

RulesEquivalent checks if two firewall rules are functionally equivalent. Interface order is normalized before comparison so that ["wan","lan"] and ["lan","wan"] are treated as equivalent. Metadata fields (Description, etc.) are intentionally excluded from comparison. A disabled rule is not equivalent to an enabled rule.
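The per-interface dead-rule analysis described for DetectDeadRules above, together with the interface-order normalization and metadata exclusion described for RulesEquivalent, as an added example that is not this package's code. It assumes a hypothetical minimal Rule type in place of common.FirewallRule, treats "any" in a match field as a wildcard, skips disabled rules, and takes "unreachable" to mean shadowed under first-match evaluation by an earlier rule on the same interface.

```go
package main

import (
	"fmt"
	"sort"
)
// Rule is a hypothetical minimal firewall rule for this example, not common.FirewallRule.
type Rule struct {
	Interfaces                 []string
	Action, Protocol, Src, Dst string // "any" in a match field acts as a wildcard
	Disabled                   bool
	Description                string // metadata: excluded from the comparison
}
// key sorts interfaces so ["wan","lan"] equals ["lan","wan"] and omits Description.
func key(r Rule) string {
	ifaces := append([]string(nil), r.Interfaces...)
	sort.Strings(ifaces)
	return fmt.Sprintf("%v|%s|%s|%s|%s|%t", ifaces, r.Action, r.Protocol, r.Src, r.Dst, r.Disabled)
}
// RulesEquivalent reports functional equivalence; Disabled is in the key, so disabled != enabled.
func RulesEquivalent(a, b Rule) bool { return key(a) == key(b) }
// covers: earlier rule a matches every packet b matches, so under first-match b never fires.
func covers(a, b Rule) bool {
	wild := func(x, y string) bool { return x == "any" || x == y }
	return wild(a.Protocol, b.Protocol) && wild(a.Src, b.Src) && wild(a.Dst, b.Dst)
}
// DetectDeadRules groups enabled rules per interface (skipping disabled rules is this example's
// assumption) and tags each index "duplicate" (an earlier equivalent rule) or "unreachable" (covered).
func DetectDeadRules(rules []Rule) map[int]string {
	byIface, dead := map[string][]int{}, map[int]string{}
	for i, r := range rules {
		for _, ifc := range r.Interfaces {
			if !r.Disabled {
				byIface[ifc] = append(byIface[ifc], i)
			}
		}
	}
	for _, group := range byIface {
		for gj, j := range group {
			for _, i := range group[:gj] {
				if RulesEquivalent(rules[i], rules[j]) {
					dead[j] = "duplicate" // equivalence outranks plain shadowing
				} else if covers(rules[i], rules[j]) && dead[j] == "" {
					dead[j] = "unreachable"
				}
			}
		}
	}
	return dead // empty when no dead rules were found
}
```

A rule that spans several interfaces is examined once per interface, so a finding on it means it is dead on at least one of them.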

Types

type Finding

type Finding struct {
	// Type categorizes the finding (e.g., "security", "performance", "compliance").
	Type string `json:"type"`
	// Severity indicates the severity level of the finding.
	Severity string `json:"severity,omitempty"`
	// Title is a brief description of the finding.
	Title string `json:"title"`
	// Description provides detailed information about the finding.
	Description string `json:"description"`
	// Recommendation suggests how to address the finding.
	Recommendation string `json:"recommendation"`
	// Component identifies the configuration component involved.
	Component string `json:"component"`
	// Reference provides additional information or documentation links.
	Reference string `json:"reference"`

	// Generic references and metadata
	// References contains related standard or control identifiers.
	References []string `json:"references,omitempty"`
	// Tags contains classification labels for the finding.
	Tags []string `json:"tags,omitempty"`
	// Metadata contains arbitrary key-value pairs for additional context.
	Metadata map[string]string `json:"metadata,omitempty"`
}

Finding represents a canonical analysis finding that unifies the common fields across audit, compliance, and processor findings.

JSON tag note: Recommendation, Component, and Reference intentionally lack omitempty to match compliance.Finding conventions. The subsequent migration phase that replaces processor.Finding with analysis.Finding should verify that downstream JSON consumers can handle the presence of empty-string fields for these three keys, since processor.Finding currently uses omitempty on them.
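The compatibility check the note above asks for, as an added example that is not this package's code: it marshals a Finding with the page's JSON tags next to a hypothetical legacyFinding standing in for processor.Finding (whose three keys carry omitempty), and reports which keys arrive as empty strings, which is exactly what a downstream consumer of the old output has never had to handle.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Finding reproduces the page's JSON tags for the fields the migration note discusses
// (the other fields are omitted here for brevity).
type Finding struct {
	Type           string `json:"type"`
	Severity       string `json:"severity,omitempty"`
	Title          string `json:"title"`
	Description    string `json:"description"`
	Recommendation string `json:"recommendation"`
	Component      string `json:"component"`
	Reference      string `json:"reference"`
}

// legacyFinding is a hypothetical stand-in for processor.Finding, whose three keys
// carry omitempty according to the page.
type legacyFinding struct {
	Type           string `json:"type"`
	Title          string `json:"title"`
	Description    string `json:"description"`
	Recommendation string `json:"recommendation,omitempty"`
	Component      string `json:"component,omitempty"`
	Reference      string `json:"reference,omitempty"`
}

// EmptyStringKeys marshals v and returns, sorted, the keys whose value is the empty
// string: the keys a consumer of processor.Finding output has never seen.
func EmptyStringKeys(v any) ([]string, error) {
	data, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(data, &obj); err != nil {
		return nil, err
	}
	var keys []string
	for k, raw := range obj {
		if string(raw) == `""` {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys, nil
}
```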

type IndexedRule

type IndexedRule struct {
	// Index is the position of the rule in the original flat rule list.
	Index int
	// Rule is the firewall rule at this position.
	Rule common.FirewallRule
}

IndexedRule pairs a firewall rule with its original index in the flat rule list.

type Severity

type Severity string

Severity represents the severity levels for findings.

const (
	// SeverityCritical indicates a critical severity finding.
	SeverityCritical Severity = "critical"
	// SeverityHigh indicates a high severity finding.
	SeverityHigh Severity = "high"
	// SeverityMedium indicates a medium severity finding.
	SeverityMedium Severity = "medium"
	// SeverityLow indicates a low severity finding.
	SeverityLow Severity = "low"
	// SeverityInfo indicates an informational finding.
	SeverityInfo Severity = "info"
)

Severity level constants define the standard severity tiers for security findings.

func ValidSeverities

func ValidSeverities() []Severity

ValidSeverities returns a fresh copy of all valid severity values. Returns a new slice each call to prevent callers from mutating shared state.

func (Severity) String

func (s Severity) String() string

String returns the string representation of the severity.
