
Overview

Package models provides data models for osv-scanner.


Types

type AnalysisInfo

// AnalysisInfo holds the per-vulnerability analysis flags that GroupInfo keeps
// keyed by vulnerability ID (see GroupInfo.ExperimentalAnalysis).
type AnalysisInfo struct {
	// Called is set when analysis determined that the vulnerability is being
	// called; GroupInfo.IsCalled consults it.
	Called      bool `json:"called"`
	// Unimportant — presumably consulted by GroupInfo.IsGroupUnimportant; its
	// exact meaning is not shown here, confirm against that method.
	Unimportant bool `json:"unimportant"`
}

type BaseImageDetails

// BaseImageDetails describes one candidate base image of a scanned container
// image; see ImageMetadata.BaseImages.
type BaseImageDetails struct {
	Name string `json:"name"`
	// TODO: Not yet filled in
	Tags []string `json:"tags"`
}

type CycloneDXVersion

// CycloneDXVersion identifies a CycloneDX version (presumably spec versions
// 1.4, 1.5 and 1.6); the valid values are the constants below.
type CycloneDXVersion int
const (
	// CycloneDXVersion14 is the zero value, so an unset CycloneDXVersion
	// silently selects it — callers should set the version explicitly.
	CycloneDXVersion14 CycloneDXVersion = iota
	CycloneDXVersion15
	CycloneDXVersion16
)

type ExperimentalAnalysisConfig

// ExperimentalAnalysisConfig is an experimental type intended to contain the
// types of analysis performed on packages found by the scanner. It is emitted
// in VulnerabilityResults under the JSON key "experimental_config".
type ExperimentalAnalysisConfig struct {
	// Licenses configures the license analysis.
	Licenses ExperimentalLicenseConfig `json:"licenses"`
}

ExperimentalAnalysisConfig is an experimental type intended to contain the types of analysis performed on packages found by the scanner.

type ExperimentalLicenseConfig

// ExperimentalLicenseConfig configures license analysis; see
// ExperimentalAnalysisConfig.Licenses.
type ExperimentalLicenseConfig struct {
	// Summary enables a license summary (see VulnerabilityResults.LicenseSummary).
	Summary   bool      `json:"summary"`
	// Allowlist holds the SPDX licenses treated as allowed; licenses outside it
	// presumably surface as PackageVulns.LicenseViolations — confirm against the
	// scanner. A nil slice is encoded as JSON null, not [].
	Allowlist []License `json:"allowlist"`
}

type GroupInfo

// GroupInfo describes a group of related vulnerabilities (a set of IDs plus
// their aliases) reported for one package; see PackageVulns.Groups.
type GroupInfo struct {
	// IDs expected to be sorted in alphanumeric order
	IDs []string `json:"ids"`
	// Aliases include all aliases and IDs
	Aliases []string `json:"aliases"`
	// Map of Vulnerability IDs to AnalysisInfo
	ExperimentalAnalysis map[string]AnalysisInfo `json:"experimental_analysis,omitempty"`
	// MaxSeverity is presumably the highest severity across the group; the
	// string format (numeric score vs. label) is not shown here — TODO confirm.
	MaxSeverity          string                  `json:"max_severity"`
}

func (*GroupInfo) IndexString

func (groupInfo *GroupInfo) IndexString() string

func (*GroupInfo) IsCalled

func (groupInfo *GroupInfo) IsCalled() bool

IsCalled returns true if any analysis performed determines that the vulnerability is being called. It also returns true if no analysis is performed.

func (*GroupInfo) IsGroupUnimportant

func (groupInfo *GroupInfo) IsGroupUnimportant() bool

type ImageMetadata

// ImageMetadata describes the container image a scan was run against; it is
// attached to VulnerabilityResults.ImageMetadata.
type ImageMetadata struct {
	OS            string               `json:"os"`
	// LayerMetadata lists the image layers; a nil slice encodes as JSON null.
	LayerMetadata []LayerMetadata      `json:"layer_metadata"`
	// BaseImages is a list of candidate sets: each inner slice holds the
	// BaseImageDetails for one base-image position — presumably indexed by
	// LayerMetadata.BaseImageIndex; confirm.
	BaseImages    [][]BaseImageDetails `json:"base_images"`
}

type ImageOriginDetails

// ImageOriginDetails records where in a container image a package was found;
// see PackageInfo.ImageOrigin.
type ImageOriginDetails struct {
	// Index is presumably an index into ImageMetadata.LayerMetadata; confirm.
	Index int `json:"index"`
}

type LayerMetadata

// LayerMetadata describes one layer of a scanned container image; see
// ImageMetadata.LayerMetadata.
type LayerMetadata struct {
	// DiffID is the layer's digest.
	DiffID         digest.Digest `json:"diff_id"`
	// Command is presumably the instruction that created the layer; confirm.
	Command        string        `json:"command"`
	IsEmpty        bool          `json:"is_empty"`
	// BaseImageIndex is presumably an index into ImageMetadata.BaseImages;
	// confirm, and note that 0 is the zero value and is not omitted.
	BaseImageIndex int           `json:"base_image_index"`
}

type License

type License string

License is an SPDX license.

type LicenseCount

// LicenseCount pairs a license with how many times it occurred; used in
// VulnerabilityResults.LicenseSummary.
type LicenseCount struct {
	Name  License `json:"name"`
	Count int     `json:"count"`
}

type Metadata

// Metadata carries additional package metadata.
type Metadata struct {
	RepoURL   string   `json:"repo_url"`
	// DepGroups is excluded from JSON (`json:"-"`): it is neither emitted nor
	// read back when round-tripping, so it is only available in-process.
	DepGroups []string `json:"-"`
}

type PackageInfo

// PackageInfo identifies a package found by the scanner.
type PackageInfo struct {
	Name          string              `json:"name"`
	OSPackageName string              `json:"os_package_name,omitempty"`
	Version       string              `json:"version"`
	Ecosystem     string              `json:"ecosystem"`
	Commit        string              `json:"commit,omitempty"`
	Deprecated    bool                `json:"deprecated,omitempty"`
	// ImageOrigin is serialized under the key "image_origin_details" (not the
	// field name) and omitted when nil.
	ImageOrigin   *ImageOriginDetails `json:"image_origin_details,omitempty"`
	// Inventory is excluded from JSON (`json:"-"`): it is never emitted and is
	// nil after unmarshalling; only in-process callers can rely on it.
	Inventory     *extractor.Package  `json:"-"`
}

type PackageSource

// PackageSource represents Vulnerabilities associated with a Source.
type PackageSource struct {
	Source SourceInfo `json:"source"`
	// Place Annotations in PackageSource instead of SourceInfo as we need SourceInfo to be mappable
	ExperimentalPES []*vex.PackageExploitabilitySignal `json:"experimental_pes,omitempty"`
	// Packages holds the per-package findings; a nil slice encodes as JSON null.
	Packages        []PackageVulns                     `json:"packages"`
}

PackageSource represents Vulnerabilities associated with a Source.

type PackageVulns

// PackageVulns groups vulnerabilities (and license information) by package.
// TODO: rename this to Package as it now includes license information too.
//
// The type has custom MarshalJSON/UnmarshalJSON methods because
// Vulnerabilities holds proto messages that need protojson, while the other
// fields use encoding/json.
type PackageVulns struct {
	Package           PackageInfo                `json:"package"`
	DepGroups         []string                   `json:"dependency_groups,omitempty"`
	// Vulnerabilities is a slice of proto messages; see MarshalJSON/UnmarshalJSON.
	Vulnerabilities   []*osvschema.Vulnerability `json:"vulnerabilities,omitempty"`
	Groups            []GroupInfo                `json:"groups,omitempty"`
	Licenses          []License                  `json:"licenses,omitempty"`
	// LicenseViolations lists licenses that failed the configured license
	// check; see ExperimentalLicenseConfig.
	LicenseViolations []License                  `json:"license_violations,omitempty"`
}

PackageVulns groups vulnerabilities by package. TODO: rename this to Package, as it now includes license information too.

func (*PackageVulns) MarshalJSON added in v2.3.0

func (p *PackageVulns) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It is required because the Vulnerabilities field is a slice of proto messages, which requires protojson to marshal, while the rest of the struct uses the standard encoding/json library.

func (*PackageVulns) UnmarshalJSON added in v2.3.0

func (p *PackageVulns) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It is required because the Vulnerabilities field is a slice of proto messages, which requires protojson to unmarshal, while the rest of the struct uses the standard encoding/json library.

type SourceInfo

// SourceInfo identifies the source (a path plus the kind of extractor that
// produced it) that packages were found in. It has a String method and is
// kept mappable (see the note on PackageSource).
type SourceInfo struct {
	Path string     `json:"path"`
	Type SourceType `json:"type"`
}

func (SourceInfo) String

func (s SourceInfo) String() string

type SourceType added in v2.0.1

type SourceType string

SourceType categorizes packages based on the extractor that extracted the "source", for use in the output.

// Known SourceType values. The string is what is emitted for SourceInfo.Type
// in JSON output, so consumers should match on these exact strings.
const (
	SourceTypeUnknown        SourceType = "unknown"
	SourceTypeOSPackage      SourceType = "os"
	SourceTypeProjectPackage SourceType = "lockfile"
	SourceTypeArtifact       SourceType = "artifact"
	SourceTypeSBOM           SourceType = "sbom"
	SourceTypeGit            SourceType = "git"
)

type VulnerabilityFlattened

// VulnerabilityFlattened is a flattened version of the VulnerabilityResults:
// one entry per (source, package, vulnerability) produced by
// VulnerabilityResults.Flatten.
// TODO: rename this to IssueFlattened or similar in the next major release as
// it now contains license violations.
//
// The fields carry no json tags; the type has custom MarshalJSON/UnmarshalJSON
// methods because Vulnerability is a proto message that needs protojson.
type VulnerabilityFlattened struct {
	Source            SourceInfo
	Package           PackageInfo
	DepGroups         []string
	// Vulnerability is a proto message; see MarshalJSON/UnmarshalJSON.
	Vulnerability     *osvschema.Vulnerability
	GroupInfo         GroupInfo
	Licenses          []License
	LicenseViolations []License
	Deprecated        bool
}

VulnerabilityFlattened is a flattened version of the VulnerabilityResults. TODO: rename this to IssueFlattened or similar in the next major release, as it now contains license violations.

func (*VulnerabilityFlattened) MarshalJSON added in v2.3.0

func (v *VulnerabilityFlattened) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. It is required because the Vulnerability field is a proto message, which requires protojson to marshal, while the rest of the struct uses the standard encoding/json library.

func (*VulnerabilityFlattened) UnmarshalJSON added in v2.3.0

func (v *VulnerabilityFlattened) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. It is required because the Vulnerability field is a proto message, which requires protojson to unmarshal, while the rest of the struct uses the standard encoding/json library.

type VulnerabilityResults

// VulnerabilityResults is the top-level struct for the results of a scan.
type VulnerabilityResults struct {
	// Results holds the per-source findings (see PackageSource). A nil slice is
	// encoded as JSON null rather than [], so consumers should accept both.
	Results                     []PackageSource             `json:"results"`
	// ExperimentalAnalysisConfig is serialized under the key
	// "experimental_config", not the field name.
	ExperimentalAnalysisConfig  ExperimentalAnalysisConfig  `json:"experimental_config"`
	ExperimentalGenericFindings []*inventory.GenericFinding `json:"experimental_generic_findings,omitempty"`
	// ImageMetadata is nil (and omitted from JSON) when no image metadata was
	// collected for the scan.
	ImageMetadata               *ImageMetadata              `json:"image_metadata,omitempty"`
	LicenseSummary              []LicenseCount              `json:"license_summary,omitempty"`
}

VulnerabilityResults is the top-level struct for the results of a scan.

func (*VulnerabilityResults) Flatten

func (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened

Flatten flattens the grouped/nested vulnerability results into one flat array.
