inventory

package v0.4.2

This package is not in the latest version of its module.

Published: Jan 12, 2026 License: Apache-2.0, BSD-3-Clause, MIT Imports: 7 Imported by: 3

Documentation

Overview

Package inventory stores the scan result types SCALIBR can return.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func PackageToAffected added in v0.3.1

func PackageToAffected(pkg *extractor.Package, fixed string, severity *osvpb.Severity) []*osvpb.Affected

PackageToAffected builds osvpb.Affected entries from the given Package, the fixed ecosystem version, and the severity.

Types

type AdvisoryID added in v0.3.1

type AdvisoryID struct {
	Publisher string // e.g. "CVE".
	Reference string // e.g. "CVE-2023-1234".
}

AdvisoryID is a unique identifier per advisory.

type EmbeddedFS added in v0.3.6

type EmbeddedFS struct {
	// Path is a unique identifier for the embedded filesystem.
	// It is typically formed by concatenating the path to the source file
	// with the partition index from which the filesystem was extracted.
	Path string

	// TempPaths holds temporary files or directories created during extraction.
	// These should be cleaned up once all extractors, annotators, and detectors
	// have completed their operations.
	// TempPaths will be set when there are temporary directories to clean up.
	TempPaths []string

	// GetEmbeddedFS is a function that mounts or initializes the underlying
	// embedded filesystem and returns a scalibrfs.FS interface for accessing it.
	// The returned filesystem should be closed or cleaned up by the caller
	// when no longer needed.
	GetEmbeddedFS func(context.Context) (scalibrfs.FS, error)
}

EmbeddedFS represents a mountable filesystem extracted from within another file (e.g., a disk image, partition, or archive). This is not proto serialized since it's only used as temporary storage to traverse embedded filesystems during extraction.

type Finding added in v0.3.1

type Finding struct {
	PackageVulns    []*PackageVuln
	GenericFindings []*GenericFinding
}

Finding is the struct returned by Detectors; it contains all security-finding-related inventory types.

type GenericFinding added in v0.3.1

type GenericFinding struct {
	// Info specific to the vuln. Should always be the same for the same type of vuln.
	Adv *GenericFindingAdvisory
	// Instance-specific info such as location of the vulnerable files.
	Target *GenericFindingTargetDetails
	// The plugins (e.g. Detectors, Enrichers) that found this vuln.
	Plugins []string
	// Signals that indicate this finding is not exploitable.
	ExploitabilitySignals []*vex.FindingExploitabilitySignal
}

GenericFinding is used to describe generic security findings not associated with any specific package, e.g. weak credentials. Note: If you need to store more structured data related to a vulnerability, consider introducing a new vulnerability type instead of using GenericFinding.

type GenericFindingAdvisory added in v0.3.1

type GenericFindingAdvisory struct {
	// A unique ID for the finding.
	ID *AdvisoryID
	// Title, short description and recommendation steps for the finding. Users should be able to rely
	// on these fields to understand the vulnerability and remediate it.
	// Title of the finding, e.g. "CVE-2024-1234 - RCE Vulnerability on Foo".
	Title string
	// Description of the finding, e.g. "Foo prior to version 1.2.3 is affected by a Remote Code
	// Execution vulnerability.".
	Description string
	// Recommendation for how to remediate the finding, e.g. "Upgrade Foo to version 1.2.4 or
	// higher.".
	Recommendation string
	Sev            SeverityEnum
}

GenericFindingAdvisory describes a security finding and how to remediate it. It should not contain any information specific to the target (e.g. which files were found vulnerable).

type GenericFindingTargetDetails added in v0.3.1

type GenericFindingTargetDetails struct {
	// Free-text info.
	Extra string
}

GenericFindingTargetDetails contains instance-specific details about the generic security finding.

type Inventory

type Inventory struct {
	Packages               []*extractor.Package
	PackageVulns           []*PackageVuln
	GenericFindings        []*GenericFinding
	Secrets                []*Secret
	ContainerImageMetadata []*extractor.ContainerImageMetadata
	EmbeddedFSs            []*EmbeddedFS
}

Inventory stores the artifacts (e.g. software packages, security findings) that a scan found.

func (*Inventory) Append

func (i *Inventory) Append(other ...Inventory)

Append adds one or more inventories to the current one.

func (Inventory) IsEmpty

func (i Inventory) IsEmpty() bool

IsEmpty returns true if there are no packages, findings, etc. in this Inventory.

type PackageVuln added in v0.3.1

type PackageVuln struct {
	// The OSV vulnerability information.
	Vulnerability *osvpb.Vulnerability

	// The extracted package associated with this vuln.
	Package *extractor.Package
	// The plugins (e.g. Detectors, Enrichers) that found this vuln.
	Plugins []string
	// Signals that indicate this finding is not exploitable.
	ExploitabilitySignals []*vex.FindingExploitabilitySignal
}

PackageVuln is a vulnerability (e.g. a CVE) related to a package. It follows the OSV Schema format: https://ossf.github.io/osv-schema

type Secret added in v0.3.1

type Secret struct {
	Secret   veles.Secret
	Location string

	Validation SecretValidationResult
}

Secret is a secret (i.e. a credential) found via the Veles secret scanning library. SCALIBR handles secrets transparently; only Veles cares about their concrete type.

type SecretValidationResult added in v0.3.1

type SecretValidationResult struct {
	// At is the time at which the validation was performed.
	At time.Time
	// Status is the ValidationStatus obtained from the Validation.
	Status veles.ValidationStatus
	// Err is only set in case Status is ValidationFailed. In that case, it
	// contains the error encountered during validation.
	Err error
}

SecretValidationResult is the result of validating a given Secret with the corresponding Veles Validator via Enrichment.

type SeverityEnum added in v0.3.1

type SeverityEnum int

SeverityEnum is an enum-based representation of the finding's severity.

const (
	SeverityUnspecified SeverityEnum = iota
	SeverityMinimal
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

SeverityEnum values.

Directories

Path Synopsis
osvecosystem: Package osvecosystem provides the Parsed type which represents an OSV ecosystem string.
vex: Package vex stores data structures used to represent exploitability signals in SCALIBR scan results.
