vulndb


Documentation

Index

Constants

This section is empty.

Variables

// KnownVulnerableActions contains a hardcoded list of known vulnerable actions.
// It is based on Poutine's vulnerability database. The map is keyed by the
// action's "owner/name" string and each value lists the advisories recorded
// for that action.
//
// NOTE(review): Affected enumerates individual tags ("v1", "v2.0.0", ...).
// An exact-match lookup would treat any tag not listed here — including patch
// releases between the listed tags and commit-SHA pins — as unaffected;
// confirm how CheckActionVulnerability compares versions before relying on
// this table as a complete answer.
var KnownVulnerableActions = map[string][]ActionVulnerability{
	"actions/checkout": {
		{
			ID:       "CHECKOUT-001",
			Action:   "actions/checkout",
			Affected: []string{"v1", "v2.0.0", "v2.1.0"},
			Summary:  "actions/checkout vulnerable to command injection via branch names",
			Severity: "HIGH",
			References: []string{
				"https://github.com/actions/checkout/security/advisories/GHSA-mw99-9chc-xw7r",
			},
			PublishedAt: "2020-12-15T00:00:00Z",
		},
	},
	"actions/cache": {
		{
			ID:       "CACHE-001",
			Action:   "actions/cache",
			Affected: []string{"v1", "v2.0.0", "v2.0.1"},
			Summary:  "Cache action vulnerable to cache poisoning in public repositories",
			Severity: "MEDIUM",
			References: []string{
				"https://github.com/actions/cache/issues/319",
			},
			PublishedAt: "2020-10-02T00:00:00Z",
		},
	},
}

KnownVulnerableActions contains a hardcoded list of known vulnerable actions. It is based on Poutine's vulnerability database.

// TrustedPublishers contains a list of trusted action publishers. The entries
// appear to be GitHub owner names, i.e. the segment of an action reference
// before the first "/".
//
// NOTE(review): how IsTrustedPublisher compares an action name against these
// entries is not visible here. A comparison that is not anchored to the whole
// owner segment (for example a bare prefix or substring test) would also
// accept unrelated owners whose name merely starts with one of these values —
// confirm the match is against the exact owner segment.
var TrustedPublishers = []string{
	"actions",
	"github",
	"microsoft",
	"azure",
	"docker",
	"aws-actions",
	"google-github-actions",
	"hashicorp",
}

TrustedPublishers contains a list of trusted action publishers.

// UnpinnableActions contains actions that cannot be pinned to specific
// versions. Based on Poutine's unpinnable_actions.txt.
//
// Entries are full action paths. Actions that live in a subdirectory of a
// repository carry that subpath (e.g. "1024pix/pix-actions/auto-merge" and
// "1024pix/pix-actions/release" are distinct entries), so a lookup must
// compare the whole path rather than only "owner/repo".
var UnpinnableActions = []string{
	"0daryo/labelcommit",
	"0h-n0/flet-action-windows",
	"0x61nas/aur-release-action",
	"1024pix/pix-actions/auto-merge",
	"1024pix/pix-actions/release",
	"104corp/docker-php-testing",
	"10up/action-wordpress-plugin-build-zip",
	"10up/action-wordpress-plugin-deploy",
	"10up/wpcs-action",
}

UnpinnableActions contains actions that cannot be pinned to specific versions. It is based on Poutine's unpinnable_actions.txt.

Functions

This section is empty.

Types

type ActionSecurityAnalysis

// ActionSecurityAnalysis is the result returned by
// OSVClient.AnalyzeActionSecurity for one action reference. It is serialized
// with the snake_case JSON tags below.
type ActionSecurityAnalysis struct {
	// ActionRef is the action reference that was analyzed, as supplied by the caller.
	ActionRef       string                     `json:"action_ref"`
	// PURL is the Package URL for the action; a nil pointer encodes as JSON null.
	PURL            *PURL                      `json:"purl"`
	// Vulnerabilities lists the OSV entries found for the action. A nil slice
	// encodes as JSON null rather than [] — consumers should accept both.
	Vulnerabilities []OSVDetailedVulnerability `json:"vulnerabilities"`
	// RiskScore and RiskLevel summarize the findings. The score scale and the
	// set of level strings are not visible here; see AnalyzeActionSecurity.
	RiskScore       float64                    `json:"risk_score"`
	RiskLevel       string                     `json:"risk_level"`
	// Summary is a human-readable description of the outcome.
	Summary         string                     `json:"summary"`
	// Recommendations carries the recommendation strings produced by the analysis.
	Recommendations []string                   `json:"recommendations"`
	// AnalyzedAt records when the analysis was produced.
	AnalyzedAt      time.Time                  `json:"analyzed_at"`
}

type ActionVulnerability

// ActionVulnerability represents a vulnerability in a GitHub Action, as
// recorded in the hardcoded KnownVulnerableActions table.
type ActionVulnerability struct {
	// ID is the table's own identifier for the entry (e.g. "CHECKOUT-001"),
	// not a CVE or GHSA id.
	ID          string   `json:"id"`
	// Action is the "owner/name" of the affected action.
	Action      string   `json:"action"`
	// Affected lists the individual version tags known to be affected. It is
	// a literal list, not a version range; tags absent from it are not
	// implied to be affected or unaffected.
	Affected    []string `json:"affected"`
	// Summary is a one-line description of the issue.
	Summary     string   `json:"summary"`
	// Severity is a free-form label; the table uses values such as "HIGH"
	// and "MEDIUM".
	Severity    string   `json:"severity"`
	// CVEID is the associated CVE identifier, if any; omitted from JSON when empty.
	CVEID       string   `json:"cve_id,omitempty"`
	// References holds advisory or issue URLs; omitted from JSON when empty.
	References  []string `json:"references,omitempty"`
	// PublishedAt is kept as a string. The table uses RFC 3339 timestamps
	// (e.g. "2020-12-15T00:00:00Z"); it is not parsed into time.Time here.
	PublishedAt string   `json:"published_at"`
}

ActionVulnerability represents a vulnerability in a GitHub Action

type OSVAffected

// OSVAffected is one entry of an OSV record's "affected" array: the package
// it applies to and the versions or ranges that are affected.
type OSVAffected struct {
	// Package identifies the affected package (ecosystem, name, optional purl).
	Package           OSVPackage    `json:"package"`
	// Severity lists severity scores specific to this affected entry.
	Severity          []OSVSeverity `json:"severity"`
	// Ranges describes affected version ranges via introduced/fixed events.
	Ranges            []OSVRange    `json:"ranges"`
	// Versions is an explicit list of affected version strings.
	Versions          []string      `json:"versions"`
	// EcosystemSpecific and DatabaseSpecific are decoded as opaque, unvalidated
	// JSON from the remote service; callers must type-assert before use and
	// should treat the contents as untrusted input.
	EcosystemSpecific interface{}   `json:"ecosystem_specific"`
	DatabaseSpecific  interface{}   `json:"database_specific"`
}

type OSVClient

// OSVClient provides access to the OSV.dev vulnerability database. It is
// created with NewOSVClient(cacheDir); its fields are unexported.
//
// NOTE(review): the summary and details strings returned through this client
// originate from a remote service and should be treated as untrusted text by
// any caller that renders or logs them.
type OSVClient struct {
	// contains filtered or unexported fields
}

OSVClient provides access to the OSV.dev vulnerability database

func NewOSVClient

func NewOSVClient(cacheDir string) *OSVClient

NewOSVClient creates a new OSV.dev API client

func (*OSVClient) AnalyzeActionSecurity

func (c *OSVClient) AnalyzeActionSecurity(actionRef string) (*ActionSecurityAnalysis, error)

AnalyzeActionSecurity performs advanced vulnerability analysis for the given action reference.

func (*OSVClient) QueryVulnerabilities

func (c *OSVClient) QueryVulnerabilities(actionRef string) ([]OSVDetailedVulnerability, error)

QueryVulnerabilities queries OSV.dev for vulnerabilities

func (*OSVClient) QueryVulnerabilityByID

func (c *OSVClient) QueryVulnerabilityByID(vulnID string) (*OSVDetailedVulnerability, error)

QueryVulnerabilityByID queries a specific vulnerability by its ID

type OSVCredit

// OSVCredit is one entry of an OSV record's "credits" array, naming a party
// credited for the finding.
type OSVCredit struct {
	// Name is the credited person or organization.
	Name    string   `json:"name"`
	// Contact lists contact URLs or handles for the credited party.
	Contact []string `json:"contact"`
	// Type is the credit type string as given by OSV.
	Type    string   `json:"type"`
}

type OSVDetailedResponse

// OSVDetailedResponse is the response envelope for a query that returns
// full OSV records.
type OSVDetailedResponse struct {
	// Vulns holds the matching records; nil when the response contains none.
	Vulns []OSVDetailedVulnerability `json:"vulns"`
}

type OSVDetailedVulnerability

// OSVDetailedVulnerability is a full OSV record as returned by OSV.dev and as
// stored by VulnerabilityCache.
type OSVDetailedVulnerability struct {
	// SchemaVersion is the OSV schema version the record conforms to.
	SchemaVersion    string                 `json:"schema_version"`
	// ID is the OSV identifier (e.g. a GHSA id).
	ID               string                 `json:"id"`
	// Modified and Published are kept as the timestamp strings sent by OSV.
	Modified         string                 `json:"modified"`
	Published        string                 `json:"published"`
	// Withdrawn is non-empty when the advisory has been withdrawn. Consumers
	// should not report a withdrawn record as an active finding — confirm that
	// QueryVulnerabilities and the cache filter on it.
	Withdrawn        string                 `json:"withdrawn,omitempty"`
	// Aliases lists other identifiers for the same issue (CVE, GHSA, ...).
	Aliases          []string               `json:"aliases"`
	// Related lists identifiers of related but distinct issues.
	Related          []string               `json:"related"`
	// Summary and Details are free text from the remote service.
	Summary          string                 `json:"summary"`
	Details          string                 `json:"details"`
	// Severity lists the record-level severity scores.
	Severity         []OSVSeverity          `json:"severity"`
	// Affected lists the affected packages and version ranges.
	Affected         []OSVAffected          `json:"affected"`
	// References lists typed URLs (advisory, fix, web, ...).
	References       []OSVReference         `json:"references"`
	// Credits lists parties credited for the finding.
	Credits          []OSVCredit            `json:"credits"`
	// DatabaseSpecific is opaque, unvalidated JSON from the source database.
	DatabaseSpecific map[string]interface{} `json:"database_specific"`
}

type OSVEvent

// OSVEvent is one event inside an OSV range. Exactly one of the fields is
// expected to be set per event; empty fields are omitted from JSON.
type OSVEvent struct {
	// Introduced is the version at which the issue was introduced ("0" meaning from the start).
	Introduced   string `json:"introduced,omitempty"`
	// Fixed is the first version that is not affected.
	Fixed        string `json:"fixed,omitempty"`
	// LastAffected is the last affected version, used instead of Fixed when no fix exists.
	LastAffected string `json:"last_affected,omitempty"`
	// Limit bounds the range without implying a fix.
	Limit        string `json:"limit,omitempty"`
}

type OSVPackage

// OSVPackage identifies a package within an OSV ecosystem.
type OSVPackage struct {
	// Ecosystem is the OSV ecosystem name.
	Ecosystem string `json:"ecosystem"`
	// Name is the package name within that ecosystem.
	Name      string `json:"name"`
	// PURL is the optional Package URL for the package; omitted when empty.
	PURL      string `json:"purl,omitempty"`
}

type OSVQuery

// OSVQuery is the request body for an OSV.dev query, selecting either a
// package (optionally at a version) or a commit.
//
// NOTE(review): every field is omitempty, so a zero OSVQuery serializes as
// "{}". Callers should reject an empty query before sending it rather than
// rely on the remote service to do so — confirm in the client code.
type OSVQuery struct {
	// Package identifies the package to look up; nil is omitted.
	Package *OSVPackage `json:"package,omitempty"`
	// Version narrows the package query to one version; omitted when empty.
	Version string      `json:"version,omitempty"`
	// Commit looks up by commit hash instead of package/version; omitted when empty.
	Commit  string      `json:"commit,omitempty"`
}

OSVQuery is part of the enhanced OSV structures that carry more detailed information.

type OSVRange

// OSVRange is one entry of an OSV affected entry's "ranges" array.
type OSVRange struct {
	// Type is the range type string (e.g. "ECOSYSTEM", "SEMVER", "GIT").
	Type       string     `json:"type"`
	// Repo is the repository URL for GIT ranges; omitted when empty.
	Repo       string     `json:"repo,omitempty"`
	// Introduced and Fixed are flat convenience fields. The OSV schema
	// carries these inside Events; whether the service or this package fills
	// them here is not visible — verify before reading them instead of Events.
	Introduced string     `json:"introduced,omitempty"`
	Fixed      string     `json:"fixed,omitempty"`
	// Events is the ordered list of introduced/fixed/last_affected/limit events.
	Events     []OSVEvent `json:"events"`
}

type OSVReference

// OSVReference is a typed link attached to an OSV record.
type OSVReference struct {
	// Type is the reference type string as given by OSV (e.g. "ADVISORY", "FIX", "WEB").
	Type string `json:"type"`
	// URL is the link itself; it comes from the remote service and is not validated here.
	URL  string `json:"url"`
}

type OSVResponse

// OSVResponse represents the response from the OSV.dev API when decoded into
// the compact OSVVulnerability model (see OSVDetailedResponse for the full one).
type OSVResponse struct {
	// Vulns holds the matching records; nil when the response contains none.
	Vulns []OSVVulnerability `json:"vulns"`
}

OSVResponse represents the response from OSV.dev API

type OSVSeverity

// OSVSeverity is one severity entry of an OSV record.
type OSVSeverity struct {
	// Type names the scoring system (e.g. a CVSS version string).
	Type  string `json:"type"`
	// Score is the score in that system's own notation, kept as a string.
	Score string `json:"score"`
}

type OSVVulnerability

// OSVVulnerability represents a vulnerability from OSV.dev in a compact form
// that models the nested objects as anonymous structs. It is the element type
// of OSVResponse and of VulnerabilityDatabase.QueryOSVDatabase's result;
// OSVDetailedVulnerability is the richer, named-type equivalent.
type OSVVulnerability struct {
	// ID is the OSV identifier.
	ID       string   `json:"id"`
	// Summary and Details are free text from the remote service.
	Summary  string   `json:"summary"`
	Details  string   `json:"details"`
	// Aliases lists other identifiers for the same issue.
	Aliases  []string `json:"aliases"`
	// Affected mirrors the OSV "affected" array; only package identity and
	// introduced/fixed events are decoded, other keys are dropped.
	Affected []struct {
		Package struct {
			Ecosystem string `json:"ecosystem"`
			Name      string `json:"name"`
		} `json:"package"`
		Ranges []struct {
			Type   string `json:"type"`
			Events []struct {
				Introduced string `json:"introduced,omitempty"`
				Fixed      string `json:"fixed,omitempty"`
			} `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
	// Severity lists type/score pairs.
	Severity []struct {
		Type  string `json:"type"`
		Score string `json:"score"`
	} `json:"severity"`
	// References lists typed URLs.
	References []struct {
		Type string `json:"type"`
		URL  string `json:"url"`
	} `json:"references"`
	// DatabaseSpecific is opaque, unvalidated JSON from the source database.
	DatabaseSpecific interface{} `json:"database_specific"`
}

OSVVulnerability represents a vulnerability from OSV.dev.

type PURL

// PURL represents a Package URL (purl) split into its components. Values are
// produced by ParseActionToPURL and rendered by ToPURLString.
//
// NOTE(review): the purl specification requires components to be
// percent-encoded in the string form and qualifiers to be emitted sorted by
// key. Neither is enforced by this struct; because Qualifiers is a map,
// ToPURLString must sort the keys itself to produce a deterministic string —
// confirm both in ToPURLString.
type PURL struct {
	// Type is the purl type (e.g. "github").
	Type       string            `json:"type"`
	// Namespace is the owner or group; omitted when empty.
	Namespace  string            `json:"namespace,omitempty"`
	// Name is the package name.
	Name       string            `json:"name"`
	// Version is the version or ref; omitted when empty.
	Version    string            `json:"version,omitempty"`
	// Qualifiers holds key/value qualifiers; omitted when empty.
	Qualifiers map[string]string `json:"qualifiers,omitempty"`
	// Subpath is the path within the package; omitted when empty.
	Subpath    string            `json:"subpath,omitempty"`
}

PURL represents a Package URL (purl) and supports parsing and generation.

func ParseActionToPURL

func ParseActionToPURL(actionRef string) *PURL

ParseActionToPURL converts a GitHub Action reference to a PURL

func (*PURL) ToPURLString

func (p *PURL) ToPURLString() string

ToPURLString converts a PURL to its string representation

type SimilarAction

// SimilarAction records a known action name that is close to the analyzed
// name, together with how close it is.
type SimilarAction struct {
	// Name is the similar known action name.
	Name       string  `json:"name"`
	// Similarity is a similarity score; its scale is not visible here.
	Similarity float64 `json:"similarity"`
	// Distance is the edit distance between the two names. Note the JSON key
	// is "edit_distance", not "distance".
	Distance   int     `json:"edit_distance"`
}

type TyposquattingDetector

// TyposquattingDetector provides advanced algorithms for detecting malicious
// action names. Create it with NewTyposquattingDetector and call
// AnalyzeAction; its fields are unexported.
type TyposquattingDetector struct {
	// contains filtered or unexported fields
}

TyposquattingDetector provides advanced algorithms for detecting malicious action names

func NewTyposquattingDetector

func NewTyposquattingDetector() *TyposquattingDetector

NewTyposquattingDetector creates a new typosquatting detector

func (*TyposquattingDetector) AnalyzeAction

func (td *TyposquattingDetector) AnalyzeAction(actionName string) *TyposquattingResult

AnalyzeAction performs comprehensive typosquatting analysis

type TyposquattingResult

// TyposquattingResult contains the analysis results produced by
// TyposquattingDetector.AnalyzeAction for one action name.
type TyposquattingResult struct {
	// IsTyposquatting is the detector's verdict.
	IsTyposquatting   bool            `json:"is_typosquatting"`
	// Confidence is the detector's confidence in the verdict; scale not visible here.
	Confidence        float64         `json:"confidence"`
	// SuspiciousReasons lists the human-readable reasons behind the verdict.
	SuspiciousReasons []string        `json:"suspicious_reasons"`
	// SimilarActions lists the known action names the input resembles.
	SimilarActions    []SimilarAction `json:"similar_actions"`
	// RecommendedAction is a suggested next step for the reviewer.
	RecommendedAction string          `json:"recommended_action"`
	// RiskLevel is a risk label; the set of values is not visible here.
	RiskLevel         string          `json:"risk_level"`
}

TyposquattingResult contains the analysis results

func (*TyposquattingResult) ToJSON

func (tr *TyposquattingResult) ToJSON() ([]byte, error)

ToJSON exports the results as JSON for external analysis.

type VulnerabilityCache

// VulnerabilityCache manages local caching of vulnerability data under the
// directory given to NewVulnerabilityCache; its fields are unexported.
//
// NOTE(review): Set and SetSingle take a caller-supplied string key. If the
// implementation derives a file name from that key, the key must be
// sanitized (e.g. hashed) so that a key built from an action reference cannot
// name a path outside the cache directory — confirm in Set/SetSingle.
type VulnerabilityCache struct {
	// contains filtered or unexported fields
}

VulnerabilityCache manages local caching of vulnerability data

func NewVulnerabilityCache

func NewVulnerabilityCache(cacheDir string) *VulnerabilityCache

NewVulnerabilityCache creates a new vulnerability cache

func (*VulnerabilityCache) ClearExpired

func (vc *VulnerabilityCache) ClearExpired() error

ClearExpired removes expired cache entries

func (*VulnerabilityCache) Get

Get retrieves cached vulnerabilities

func (*VulnerabilityCache) GetSingle

GetSingle retrieves a single cached vulnerability

func (*VulnerabilityCache) Set

func (vc *VulnerabilityCache) Set(key string, vulns []OSVDetailedVulnerability)

Set stores vulnerabilities in cache

func (*VulnerabilityCache) SetSingle

func (vc *VulnerabilityCache) SetSingle(key string, vuln OSVDetailedVulnerability)

SetSingle stores a single vulnerability in cache

type VulnerabilityDatabase

// VulnerabilityDatabase provides access to vulnerability information from the
// hardcoded tables in this package (KnownVulnerableActions, TrustedPublishers,
// UnpinnableActions) and from OSV.dev via QueryOSVDatabase. Create it with
// NewVulnerabilityDatabase; its fields are unexported.
type VulnerabilityDatabase struct {
	// contains filtered or unexported fields
}

VulnerabilityDatabase provides access to vulnerability information

func NewVulnerabilityDatabase

func NewVulnerabilityDatabase() *VulnerabilityDatabase

NewVulnerabilityDatabase creates a new vulnerability database client

func (*VulnerabilityDatabase) CheckActionVulnerability

func (vdb *VulnerabilityDatabase) CheckActionVulnerability(actionName, version string) []ActionVulnerability

CheckActionVulnerability checks if an action has known vulnerabilities

func (*VulnerabilityDatabase) CheckTyposquatting

func (vdb *VulnerabilityDatabase) CheckTyposquatting(actionName string) bool

CheckTyposquatting checks if an action name might be a typosquatting attempt

func (*VulnerabilityDatabase) IsActionUnpinnable

func (vdb *VulnerabilityDatabase) IsActionUnpinnable(actionName string) bool

IsActionUnpinnable checks if an action cannot be pinned to a specific version

func (*VulnerabilityDatabase) IsTrustedPublisher

func (vdb *VulnerabilityDatabase) IsTrustedPublisher(actionName string) bool

IsTrustedPublisher checks if an action comes from a trusted publisher

func (*VulnerabilityDatabase) QueryOSVDatabase

func (vdb *VulnerabilityDatabase) QueryOSVDatabase(packageName, version string) ([]OSVVulnerability, error)

QueryOSVDatabase queries the OSV.dev database for vulnerabilities
