Documentation
Overview
Package sarif provides SARIF 2.1.0 output format for vulnerability reports.
SARIF (Static Analysis Results Interchange Format) is an OASIS standard supported by GitHub Code Scanning and other security tools.
The package provides:
- Report: top-level SARIF document structure
- FromVulnerabilities: converts vimp vulnerabilities to SARIF format
Severity mapping:
- critical, high -> error
- medium -> warning
- low, negligible -> note
Example usage:
	report := sarif.FromVulnerabilities(vulns, "vimp", "1.0.0")
	data, _ := json.MarshalIndent(report, "", " ")
	fmt.Println(string(data))
Reference: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
Constants
const (
	SchemaURI = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"
	Version   = "2.1.0"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type ArtifactLocation
type ArtifactLocation struct {
	URI string `json:"uri,omitempty"`
}
ArtifactLocation represents the location of an artifact.
type DefaultConfig
type DefaultConfig struct {
	Level string `json:"level,omitempty"`
}
DefaultConfig contains default rule configuration.
type Driver
type Driver struct {
	Name           string `json:"name"`
	Version        string `json:"version,omitempty"`
	InformationURI string `json:"informationUri,omitempty"`
	Rules          []Rule `json:"rules,omitempty"`
}
Driver describes the primary tool component.
type Location
type Location struct {
	PhysicalLocation PhysicalLocation  `json:"physicalLocation,omitempty"`
	LogicalLocations []LogicalLocation `json:"logicalLocations,omitempty"`
}
Location represents where a result was found.
type LogicalLocation
type LogicalLocation struct {
	Name               string `json:"name,omitempty"`
	FullyQualifiedName string `json:"fullyQualifiedName,omitempty"`
	Kind               string `json:"kind,omitempty"`
}
LogicalLocation represents a logical location such as a package.
type Message
type Message struct {
	Text string `json:"text"`
}
Message represents a localizable string.
type PhysicalLocation
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation,omitempty"`
}
PhysicalLocation represents a file location.
type Report
type Report struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}
Report represents a SARIF 2.1.0 report. See https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
func FromExposureResult
func FromExposureResult(result *query.ImageExposureResult, tool, version string) *Report
FromExposureResult converts an ImageExposureResult to a SARIF report.
func FromVulnerabilities
func FromVulnerabilities(vuls []*data.ImageVulnerability, tool, version string) *Report
FromVulnerabilities converts a slice of ImageVulnerability to a SARIF report.
type Result
type Result struct {
	RuleID    string     `json:"ruleId"`
	RuleIndex int        `json:"ruleIndex,omitempty"`
	Level     string     `json:"level"`
	Message   Message    `json:"message"`
	Locations []Location `json:"locations,omitempty"`
}
Result represents a single finding.
type Rule
type Rule struct {
	ID               string        `json:"id"`
	Name             string        `json:"name,omitempty"`
	ShortDescription Message       `json:"shortDescription,omitempty"`
	FullDescription  Message       `json:"fullDescription,omitempty"`
	HelpURI          string        `json:"helpUri,omitempty"`
	DefaultConfig    DefaultConfig `json:"defaultConfiguration,omitempty"`
}
Rule describes a rule used by the tool.
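The following stand-alone program is an added example, not code from the vimp project, illustrating how the overview's severity mapping and the types above fit together into a report that a SARIF consumer such as GitHub Code Scanning will accept. It redeclares a cut-down mirror of the page's types so that it compiles without the package; Tool and Run are not shown on this page, so their shape (run.tool.driver and run.results, as the SARIF 2.1.0 spec lays them out) is an assumption. Vuln, levelOf, SeverityToLevel, BuildReport and Validate are names chosen for this example, and the vulnerability IDs and package names in main are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const (
	SchemaURI = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"
	Version   = "2.1.0"
)

// Mirrors of the page's types, cut down to the fields used here. Tool and Run are not on
// the page; their shape (run.tool.driver, run.results) follows SARIF 2.1.0 and is an assumption.
type Message struct{ Text string `json:"text"` }
type DefaultConfig struct{ Level string `json:"level,omitempty"` }
type Rule struct {
	ID            string        `json:"id"`
	DefaultConfig DefaultConfig `json:"defaultConfiguration,omitempty"`
}
type Driver struct {
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	Rules   []Rule `json:"rules,omitempty"`
}
type Tool struct{ Driver Driver `json:"driver"` }
type Result struct {
	RuleID    string  `json:"ruleId"`
	RuleIndex int     `json:"ruleIndex,omitempty"`
	Level     string  `json:"level"`
	Message   Message `json:"message"`
}
type Run struct {
	Tool    Tool     `json:"tool"`
	Results []Result `json:"results"`
}
type Report struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}

// Vuln is a constructed stand-in for vimp's ImageVulnerability, whose fields the page does not show.
type Vuln struct{ ID, Package, Severity string }

// levelOf is the severity mapping stated in the package overview.
var levelOf = map[string]string{
	"critical": "error", "high": "error", "medium": "warning", "low": "note", "negligible": "note",
}

// SeverityToLevel applies levelOf case-insensitively; an unknown severity becomes "none"
// (a level SARIF 2.1.0 accepts) instead of being silently promoted to an error.
func SeverityToLevel(sev string) string {
	if level, ok := levelOf[strings.ToLower(sev)]; ok {
		return level
	}
	return "none"
}

// BuildReport emits one rule per vulnerability ID and one result per affected package,
// keeping each result's ruleIndex aligned with that rule's position in the driver's rules.
func BuildReport(vulns []Vuln, tool, version string) *Report {
	rules, results, index := []Rule{}, []Result{}, map[string]int{}
	for _, v := range vulns {
		level := SeverityToLevel(v.Severity)
		i, seen := index[v.ID]
		if !seen {
			i = len(rules)
			index[v.ID] = i
			rules = append(rules, Rule{ID: v.ID, DefaultConfig: DefaultConfig{Level: level}})
		}
		results = append(results, Result{RuleID: v.ID, RuleIndex: i, Level: level,
			Message: Message{Text: fmt.Sprintf("%s in package %s", v.ID, v.Package)}})
	}
	driver := Driver{Name: tool, Version: version, Rules: rules}
	return &Report{Schema: SchemaURI, Version: Version, Runs: []Run{{Tool: Tool{Driver: driver}, Results: results}}}
}

// Validate checks the rule/result linkage before upload: every ruleIndex must be in range
// and point at the rule whose id equals the result's ruleId.
func Validate(r *Report) error {
	for _, run := range r.Runs {
		rules := run.Tool.Driver.Rules
		for _, res := range run.Results {
			if res.RuleIndex < 0 || res.RuleIndex >= len(rules) || rules[res.RuleIndex].ID != res.RuleID {
				return fmt.Errorf("result %s: ruleIndex %d does not point at its rule", res.RuleID, res.RuleIndex)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample input; the IDs are placeholders, not real advisories.
	vulns := []Vuln{
		{"CVE-0000-0001", "libfoo", "critical"},
		{"CVE-0000-0001", "libbar", "high"},
		{"CVE-0000-0002", "libbaz", "negligible"},
	}
	report := BuildReport(vulns, "vimp", "1.0.0")
	if err := Validate(report); err != nil {
		panic(err)
	}
	data, _ := json.MarshalIndent(report, "", "  ")
	fmt.Println(string(data))
}
```

Two encoding/json details are worth knowing when reading the emitted JSON. Because ruleIndex carries omitempty (as it does in the page's Result type), a result that points at rule 0 is written without a ruleIndex field at all, so consumers fall back to matching ruleId against the rules array; Validate above checks the in-memory linkage, not the serialized form. And omitempty has no effect on struct-valued fields, so a Location whose PhysicalLocation is unset still serializes as an empty object rather than being dropped.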