security

package
v1.16.1
Warning

This package is not in the latest version of its module.

Published: Jul 15, 2025 License: MIT Imports: 34 Imported by: 0

Documentation

Overview

Package security contains the logic for fetching artifact details, attaching SBOMs, etc. for ace-dt security scan.

Constants

const (
	BoldRed = "\033[1;31m"
	Red     = "\033[31m"
	Yellow  = "\033[33m"
	Blue    = "\033[34m"
	Green   = "\033[32m"
	Gray    = "\033[37m"
	Reset   = "\033[0m"
)

These are the ANSI color code definitions.

const (
	// ArtifactTypeSPDX is the standard artifact type for SPDX formatted SBOMs.
	ArtifactTypeSPDX = "application/spdx+json"
	// ArtifactTypeHarborSBOM is the artifact type given to SBOMs generated via the Harbor UI.
	ArtifactTypeHarborSBOM = "application/vnd.goharbor.harbor.sbom.v1"
	// ArtifactTypeVulnerabilityReport is the artifact type given to ASCE vulnerability results.
	ArtifactTypeVulnerabilityReport = "application/vnd.act3-ace.data.cve.results+json"
	// AnnotationGrypeDatabaseChecksum is the checksum of the grype database that is attached to the vulnerability results.
	AnnotationGrypeDatabaseChecksum = "vnd.act3-ace.scan.database.checksum"
	// MediaTypeHelmChartConfig defines the expected media type of a helm chart config manifest.
	MediaTypeHelmChartConfig = "application/vnd.cncf.helm.config.v1+json"
)

Variables

var SeverityLevels = map[string]int{
	"critical":   5,
	"high":       4,
	"medium":     3,
	"low":        2,
	"negligible": 1,
	"unknown":    0,
}

SeverityLevels enumerates the string severity levels for filtering.

Functions

func FormatSources

func FormatSources(ctx context.Context, sourceFile, gatherArtifact string, repo *remote.Repository, concurrency int) ([][]string, error)

FormatSources is a formatting helper function that parses the sources in a sourcefile or gather artifact and returns the source and originating reference.

func GenerateSBOM

func GenerateSBOM(
	ctx context.Context,
	reference,
	grypeDBChecksum string,
	repository oras.GraphTarget,
	pushReport bool) (map[*ocispec.Descriptor]*Results, error)

GenerateSBOM will generate and attach an SBOM for a given artifact. It will scan the SBOM inline with grype and return a map from the SBOM descriptor to its results.

func IsSBOM

func IsSBOM(artifactType string) bool

IsSBOM is a helper function that identifies whether the given artifact type belongs to an ASCE or Harbor SBOM.

func PrintCSV

func PrintCSV(out io.Writer, results []*ArtifactDetails, vulnerabilityLevel string) error

PrintCSV prints out the ArtifactDetails in CSV format to the io.Writer defined.

func PrintCustomTable

func PrintCustomTable(out io.Writer, table [][]string) error

PrintCustomTable accepts a slice of string slices and formats it as a table with separator strings and spacing.

func PrintJSON

func PrintJSON(out io.Writer, results []*ArtifactDetails) error

PrintJSON prints out the ArtifactDetails in JSON format to the io.Writer defined.

func PrintMarkdown

func PrintMarkdown(out io.Writer, results []*ArtifactDetails, vulnerabilityLevel string) error

PrintMarkdown prints out the ArtifactDetails in markdown format to the io.Writer defined. Includes mermaid and platform coverage charts.

func PrintTable

func PrintTable(out io.Writer, results []*ArtifactDetails, vulnerabilityLevel string, displayCVEs, displayPlatforms bool) error

PrintTable prints out the ArtifactDetails in a printed table format to the io.Writer defined.

Types

type Artifact

type Artifact struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

Artifact represents the identifying details for a given artifact.

type ArtifactDetails

type ArtifactDetails struct {
	SBOMs map[string][]*ocispec.Descriptor

	CalculatedResults ArtifactScanReport `json:"results"`
	// contains filtered or unexported fields
}

ArtifactDetails contains all of the details needed to scan for vulnerabilities of a given artifact.

func GetArtifactDetails

func GetArtifactDetails(
	ctx context.Context,
	reference string,
	repo oras.GraphTarget) (*ArtifactDetails, error)

GetArtifactDetails fetches the ArtifactDetails for a given reference.

func ScanArtifacts

func ScanArtifacts(ctx context.Context,
	opts ScanOptions,
	repoFunction func(context.Context, string) (*remote.Repository, error),
	concurrency int) ([]*ArtifactDetails, error)

ScanArtifacts will fetch the artifact details for each image in a source file or a mirror (gather) artifact. It will then generate SBOMs for the reference if DryRun is false, upload them to the target repository, and use them for scanning. If DryRun is set to true, the artifacts will be scanned by reference. It returns a slice of results (derived from grype's JSON results) for the artifacts.

func (*ArtifactDetails) FetchExistingResultsReportManifest

func (ad *ArtifactDetails) FetchExistingResultsReportManifest(ctx context.Context) (*ocispec.Manifest, error)

FetchExistingResultsReportManifest fetches the artifact's existing scan report.

type ArtifactScanReport

type ArtifactScanReport struct {
	CriticalVulnerabilities   []Matches `json:"CriticalVulnerabilities"`
	HighVulnerabilities       []Matches `json:"HighVulnerabilities"`
	MediumVulnerabilities     []Matches `json:"MediumVulnerabilities"`
	LowVulnerabilities        []Matches `json:"LowVulnerabilities"`
	UnknownVulnerabilities    []Matches `json:"UnknownVulnerabilities"`
	NegligibleVulnerabilities []Matches `json:"NegligibleVulnerabilities"`
}

ArtifactScanReport formats the artifact's pertinent grype JSON results for printing.

func (*ArtifactScanReport) GetVulnerabilityCVEs

func (cr *ArtifactScanReport) GetVulnerabilityCVEs(severity string) []string

GetVulnerabilityCVEs parses the results JSON and returns a slice of CVE IDs for the given severity level.

func (*ArtifactScanReport) GetVulnerabilityCount

func (cr *ArtifactScanReport) GetVulnerabilityCount(severity string) int

GetVulnerabilityCount parses the results JSON and returns a count for the given vulnerability severity level.

type Matches

type Matches struct {
	Vulnerabilities Vulnerability `json:"vulnerability"`
	Artifact        Artifact      `json:"artifact"`
}

Matches represents the vulnerability matches and details for a given artifact.

type Results

type Results struct {
	Matches []Matches `json:"matches"`
}

Results holds the vulnerability data for all given artifacts.

type ScanOptions

type ScanOptions struct {
	SourceFile              string
	GatherArtifactReference string
	Output                  []string
	SaveReport              string
	VulnerabilityLevel      string
	DryRun                  bool
	PushReport              bool
}

ScanOptions defines the options needed to run the scan operation.

type Vulnerability

type Vulnerability struct {
	ID          string `json:"id"`
	Source      string `json:"dataSource"`
	Severity    string `json:"severity"`
	Description string `json:"description"`
	State       string `json:"state"`
}

Vulnerability represents a specific vulnerability for a given artifact.
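The following is an added example, not code from the ace-dt security package, showing how the pieces documented above fit together: grype-style JSON is decoded through the JSON tags of Matches and Vulnerability, bucketed into an ArtifactScanReport, queried with GetVulnerabilityCount and GetVulnerabilityCVEs, and filtered by a VulnerabilityLevel threshold using SeverityLevels. The types are trimmed local copies of the ones on this page, ReportFromGrypeJSON and SeveritiesAtOrAbove are hypothetical helpers (the package's own constructors are not shown), and the input is constructed with placeholder IDs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed local copies of the page's types, keeping the JSON tags it documents
// (assumption: the real package decodes grype output through the same tags).
type Vulnerability struct {
	ID       string `json:"id"`
	Severity string `json:"severity"`
}

type Matches struct {
	Vulnerabilities Vulnerability `json:"vulnerability"`
}

type ArtifactScanReport struct {
	CriticalVulnerabilities   []Matches `json:"CriticalVulnerabilities"`
	HighVulnerabilities       []Matches `json:"HighVulnerabilities"`
	MediumVulnerabilities     []Matches `json:"MediumVulnerabilities"`
	LowVulnerabilities        []Matches `json:"LowVulnerabilities"`
	UnknownVulnerabilities    []Matches `json:"UnknownVulnerabilities"`
	NegligibleVulnerabilities []Matches `json:"NegligibleVulnerabilities"`
}

// SeverityLevels mirrors the page (higher is more severe); severityOrder lists
// the same names from most to least severe so output order is deterministic.
var SeverityLevels = map[string]int{
	"critical": 5, "high": 4, "medium": 3, "low": 2, "negligible": 1, "unknown": 0,
}
var severityOrder = []string{"critical", "high", "medium", "low", "negligible", "unknown"}

// bucket maps a severity string to the report slice that holds it. Matching is
// case-insensitive because grype emits "High", not "high"; anything unrecognised
// goes to Unknown so that a finding is never silently dropped.
func (cr *ArtifactScanReport) bucket(severity string) *[]Matches {
	named := map[string]*[]Matches{
		"critical": &cr.CriticalVulnerabilities, "high": &cr.HighVulnerabilities,
		"medium": &cr.MediumVulnerabilities, "low": &cr.LowVulnerabilities,
		"negligible": &cr.NegligibleVulnerabilities,
	}
	if b, ok := named[strings.ToLower(severity)]; ok {
		return b
	}
	return &cr.UnknownVulnerabilities
}

// ReportFromGrypeJSON (hypothetical helper) decodes grype's JSON output and
// sorts each match into its severity bucket.
func ReportFromGrypeJSON(data []byte) (ArtifactScanReport, error) {
	var res struct {
		Matches []Matches `json:"matches"`
	}
	if err := json.Unmarshal(data, &res); err != nil {
		return ArtifactScanReport{}, fmt.Errorf("decoding grype results: %w", err)
	}
	var rep ArtifactScanReport
	for _, m := range res.Matches {
		b := rep.bucket(m.Vulnerabilities.Severity)
		*b = append(*b, m)
	}
	return rep, nil
}

// GetVulnerabilityCount and GetVulnerabilityCVEs follow the documented contracts.
func (cr *ArtifactScanReport) GetVulnerabilityCount(severity string) int {
	return len(*cr.bucket(severity))
}

func (cr *ArtifactScanReport) GetVulnerabilityCVEs(severity string) []string {
	var ids []string
	for _, m := range *cr.bucket(severity) {
		ids = append(ids, m.Vulnerabilities.ID)
	}
	return ids
}

// SeveritiesAtOrAbove turns a VulnerabilityLevel threshold such as "high" into
// the severities that meet it, most severe first. A level name missing from
// SeverityLevels is an error rather than a silent "show everything".
func SeveritiesAtOrAbove(level string) ([]string, error) {
	floor, ok := SeverityLevels[strings.ToLower(level)]
	if !ok {
		return nil, fmt.Errorf("unknown vulnerability level %q", level)
	}
	var out []string
	for _, name := range severityOrder {
		if SeverityLevels[name] >= floor {
			out = append(out, name)
		}
	}
	return out, nil
}

// sampleGrypeJSON is constructed input; the IDs are placeholders, not real advisories.
const sampleGrypeJSON = `{"matches":[
 {"vulnerability":{"id":"CVE-0000-0001","severity":"Critical"},"artifact":{"name":"libexample","version":"1.0.0"}},
 {"vulnerability":{"id":"CVE-0000-0002","severity":"High"},"artifact":{"name":"libexample","version":"1.0.0"}},
 {"vulnerability":{"id":"CVE-0000-0003","severity":"High"},"artifact":{"name":"toolexample","version":"2.3.1"}},
 {"vulnerability":{"id":"CVE-0000-0004","severity":"Low"},"artifact":{"name":"toolexample","version":"2.3.1"}},
 {"vulnerability":{"id":"GHSA-0000-0000-0000","severity":""},"artifact":{"name":"libother","version":"0.1.0"}}
]}`
```

With the sample above, ReportFromGrypeJSON followed by SeveritiesAtOrAbove("high") yields critical and high; GetVulnerabilityCVEs("high") returns the two placeholder IDs, GetVulnerabilityCount("medium") is 0, and the match with an empty severity lands in the Unknown bucket instead of disappearing, which is the behaviour a scan summary needs if a filtered report is to be trusted.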
