threatintel


Documentation

Overview

Package threatintel provides the threat intelligence domain model: entities for two external feeds — FIRST.org EPSS exploitation-probability scores and the CISA Known Exploited Vulnerabilities (KEV) catalog — the repository interfaces that persist them, per-source sync bookkeeping, and a per-CVE enrichment view merged from both feeds.

Index

Constants

This section is empty.

Variables

// Sentinel errors for the threat intelligence domain.
//
// They are plain values: match them with errors.Is, not ==, because SyncError
// unwraps to its Cause and anything built with fmt.Errorf("%w") adds a layer
// on top. ErrFetchFailed and ErrParseFailed are deliberately generic; the
// upstream detail (status code, offending record) belongs in the wrapping
// error, not in a new sentinel.
var (
	// Lookup misses.

	// ErrEPSSNotFound: no EPSS score is stored for the requested CVE.
	ErrEPSSNotFound = errors.New("epss score not found")
	// ErrKEVNotFound: the requested CVE has no entry in the stored KEV catalog.
	ErrKEVNotFound = errors.New("kev entry not found")
	// ErrSyncStatusNotFound: no sync status exists for the named source.
	ErrSyncStatusNotFound = errors.New("sync status not found")

	// Sync lifecycle.

	// ErrSyncAlreadyRunning: a sync for this source is already in progress.
	ErrSyncAlreadyRunning = errors.New("sync already running")
	// ErrSyncDisabled: the source has sync switched off.
	ErrSyncDisabled = errors.New("sync is disabled for this source")
	// ErrFetchFailed: downloading the feed failed.
	ErrFetchFailed = errors.New("failed to fetch threat intel data")
	// ErrParseFailed: the downloaded feed could not be decoded.
	ErrParseFailed = errors.New("failed to parse threat intel data")

	// Input validation.

	// ErrInvalidCVEID: the supplied CVE ID is not in the expected format.
	// Repository methods take cveID as a plain string, so this is the
	// signal a caller gets when validation happens in front of them.
	ErrInvalidCVEID = errors.New("invalid CVE ID format")
)

Functions

This section is empty.

Types

type EPSSRepository

// EPSSRepository is the persistence port for EPSS scores.
//
// Reads take CVE IDs as plain strings; format validation (see
// ErrInvalidCVEID) is not part of this contract, so an implementation should
// treat cveID as untrusted input and bind it as a query parameter rather than
// splice it into query text. DeleteAll exists for full refreshes: unless
// DeleteAll and the following UpsertBatch run in one transaction, a refresh
// that fails halfway leaves the store empty, and every enrichment reads as
// "no EPSS data" until the next successful sync. What a limit <= 0 means is
// not fixed here.
type EPSSRepository interface {
	// --- reads ---

	// GetByCVEID returns the score for one CVE; see ErrEPSSNotFound for a miss.
	GetByCVEID(ctx context.Context, cveID string) (*EPSSScore, error)
	// GetByCVEIDs returns the scores that exist for the given IDs.
	GetByCVEIDs(ctx context.Context, cveIDs []string) ([]*EPSSScore, error)
	// GetHighRisk returns scores strictly above threshold, at most limit of them.
	GetHighRisk(ctx context.Context, threshold float64, limit int) ([]*EPSSScore, error)
	// GetTopPercentile returns scores ranked in the top `percentile`, at most
	// limit of them. Whether percentile is a fraction (0–1, as in the EPSS
	// feed) or a percentage is not stated by this interface.
	GetTopPercentile(ctx context.Context, percentile float64, limit int) ([]*EPSSScore, error)
	// Count returns how many scores are stored.
	Count(ctx context.Context) (int64, error)

	// --- writes ---

	// Upsert inserts or replaces one score.
	Upsert(ctx context.Context, score *EPSSScore) error
	// UpsertBatch inserts or replaces many scores.
	UpsertBatch(ctx context.Context, scores []*EPSSScore) error
	// DeleteAll wipes the store ahead of a full refresh.
	DeleteAll(ctx context.Context) error
}

type EPSSRiskLevel

// EPSSRiskLevel is a coarse risk band derived from an EPSS probability.
//
// Band edges as documented on this package: low below 0.05, medium 0.05–0.1,
// high 0.1–0.3, critical above 0.3. The bands as written leave a score that
// sits exactly on 0.1 or 0.3 ambiguous; EPSSRiskLevelFromScore decides, and
// IsHighRisk/IsCriticalRisk are documented with a strict ">" — confirm they
// agree before relying on edge values.
type EPSSRiskLevel string

// Risk bands, listed from most to least urgent.
const (
	// EPSSRiskLevelCritical: score > 0.3 (over 30% predicted exploitation probability).
	EPSSRiskLevelCritical EPSSRiskLevel = "critical"
	// EPSSRiskLevelHigh: score between 0.1 and 0.3 (10–30%).
	EPSSRiskLevelHigh EPSSRiskLevel = "high"
	// EPSSRiskLevelMedium: score between 0.05 and 0.1 (5–10%).
	EPSSRiskLevelMedium EPSSRiskLevel = "medium"
	// EPSSRiskLevelLow: score below 0.05 (under 5%).
	EPSSRiskLevelLow EPSSRiskLevel = "low"
)

func EPSSRiskLevelFromScore

func EPSSRiskLevelFromScore(score float64) EPSSRiskLevel

EPSSRiskLevelFromScore returns the risk level for an EPSS score.

func (EPSSRiskLevel) String

func (e EPSSRiskLevel) String() string

String returns the string representation.

type EPSSScore

type EPSSScore struct {
	// contains filtered or unexported fields
}

EPSSScore represents one entry from the FIRST.org EPSS feed: a CVE's predicted exploitation probability (the score, 0.0–1.0) and its percentile rank among all scored CVEs, tagged with the EPSS model version and the date the score was published.

func NewEPSSScore

func NewEPSSScore(cveID string, score, percentile float64, modelVersion string, scoreDate time.Time) *EPSSScore

NewEPSSScore creates a new EPSSScore.

func ReconstituteEPSSScore

func ReconstituteEPSSScore(
	cveID string,
	score, percentile float64,
	modelVersion string,
	scoreDate time.Time,
	createdAt, updatedAt time.Time,
) *EPSSScore

ReconstituteEPSSScore recreates an EPSSScore from persistence.

func (*EPSSScore) CVEID

func (e *EPSSScore) CVEID() string

CVEID returns the CVE ID.

func (*EPSSScore) CreatedAt

func (e *EPSSScore) CreatedAt() time.Time

CreatedAt returns the creation time.

func (*EPSSScore) IsCriticalRisk

func (e *EPSSScore) IsCriticalRisk() bool

IsCriticalRisk returns true if EPSS score indicates critical risk (> 0.3 or 30%).

func (*EPSSScore) IsHighRisk

func (e *EPSSScore) IsHighRisk() bool

IsHighRisk returns true if EPSS score indicates high risk (> 0.1 or 10%).

func (*EPSSScore) IsTopPercentile

func (e *EPSSScore) IsTopPercentile(n float64) bool

IsTopPercentile reports whether the entry's percentile rank places it in the top n. Whether n is expressed as a fraction (0–1, the unit the EPSS feed uses for percentiles) or as a percentage is not stated here — confirm against the implementation before comparing against feed values.

func (*EPSSScore) ModelVersion

func (e *EPSSScore) ModelVersion() string

ModelVersion returns the EPSS model version.

func (*EPSSScore) Percentile

func (e *EPSSScore) Percentile() float64

Percentile returns the percentile rank.

func (*EPSSScore) Score

func (e *EPSSScore) Score() float64

Score returns the EPSS score (0.0 to 1.0).

func (*EPSSScore) ScoreDate

func (e *EPSSScore) ScoreDate() time.Time

ScoreDate returns the date of the score.

func (*EPSSScore) Update

func (e *EPSSScore) Update(score, percentile float64, modelVersion string, scoreDate time.Time)

Update updates the score values.

func (*EPSSScore) UpdatedAt

func (e *EPSSScore) UpdatedAt() time.Time

UpdatedAt returns the last update time.

type KEVEntry

type KEVEntry struct {
	// contains filtered or unexported fields
}

KEVEntry represents one entry in the CISA Known Exploited Vulnerabilities catalog: the affected vendor/project and product, the vulnerability name and short description, the date the CVE was added, the CISA remediation due date, the known-ransomware-campaign-use field, free-text notes, and the associated CWE IDs.

func NewKEVEntry

func NewKEVEntry(
	cveID, vendorProject, product, vulnerabilityName, shortDescription string,
	dateAdded, dueDate time.Time,
	ransomwareUse, notes string,
	cwes []string,
) *KEVEntry

NewKEVEntry creates a new KEVEntry.

func ReconstituteKEVEntry

func ReconstituteKEVEntry(
	cveID, vendorProject, product, vulnerabilityName, shortDescription string,
	dateAdded, dueDate time.Time,
	ransomwareUse, notes string,
	cwes []string,
	createdAt, updatedAt time.Time,
) *KEVEntry

ReconstituteKEVEntry recreates a KEVEntry from persistence.

func (*KEVEntry) CVEID

func (k *KEVEntry) CVEID() string

CVEID returns the CVE ID.

func (*KEVEntry) CWEs

func (k *KEVEntry) CWEs() []string

CWEs returns the CWE IDs.

func (*KEVEntry) CreatedAt

func (k *KEVEntry) CreatedAt() time.Time

CreatedAt returns the creation time.

func (*KEVEntry) DateAdded

func (k *KEVEntry) DateAdded() time.Time

DateAdded returns the date added to KEV.

func (*KEVEntry) DaysUntilDue

func (k *KEVEntry) DaysUntilDue() int

DaysUntilDue returns days until due date (negative if past due).

func (*KEVEntry) DueDate

func (k *KEVEntry) DueDate() time.Time

DueDate returns the remediation due date.

func (*KEVEntry) HasRansomwareUse

func (k *KEVEntry) HasRansomwareUse() bool

HasRansomwareUse reports whether the entry is flagged in the KEV catalog as used in known ransomware campaigns; it is the boolean interpretation of the string that KnownRansomwareCampaignUse returns.

func (*KEVEntry) IsPastDue

func (k *KEVEntry) IsPastDue() bool

IsPastDue checks if the due date has passed.

func (*KEVEntry) KnownRansomwareCampaignUse

func (k *KEVEntry) KnownRansomwareCampaignUse() string

KnownRansomwareCampaignUse returns the catalog's ransomware-campaign-use field as a string, unchanged; use HasRansomwareUse when a boolean is needed.

func (*KEVEntry) Notes

func (k *KEVEntry) Notes() string

Notes returns additional notes.

func (*KEVEntry) Product

func (k *KEVEntry) Product() string

Product returns the product name.

func (*KEVEntry) ShortDescription

func (k *KEVEntry) ShortDescription() string

ShortDescription returns the short description.

func (*KEVEntry) Update

func (k *KEVEntry) Update(
	vendorProject, product, vulnerabilityName, shortDescription string,
	dueDate time.Time,
	ransomwareUse, notes string,
	cwes []string,
)

Update updates the KEV entry fields.

func (*KEVEntry) UpdatedAt

func (k *KEVEntry) UpdatedAt() time.Time

UpdatedAt returns the last update time.

func (*KEVEntry) VendorProject

func (k *KEVEntry) VendorProject() string

VendorProject returns the vendor/project name.

func (*KEVEntry) VulnerabilityName

func (k *KEVEntry) VulnerabilityName() string

VulnerabilityName returns the vulnerability name.

type KEVRepository

// KEVRepository is the persistence port for the CISA KEV catalog.
//
// The membership checks (ExistsByCVEID, ExistsByCVEIDs) are presumably what
// enrichment uses to fill InKEV, so their answer on an empty or half-refreshed
// store is "not exploited" for every CVE. An implementation should perform
// DeleteAll and the following UpsertBatch atomically, or at least never leave
// the catalog empty between the two. CVE IDs arrive as untrusted strings
// (validation against ErrInvalidCVEID is not part of this contract); bind
// them as query parameters. What a limit <= 0 means is not fixed here.
type KEVRepository interface {
	// --- membership ---

	// ExistsByCVEID reports whether cveID is in the stored catalog.
	ExistsByCVEID(ctx context.Context, cveID string) (bool, error)
	// ExistsByCVEIDs reports membership for several IDs at once. The map is
	// presumably keyed by CVE ID; whether an absent ID appears as false or is
	// missing from the map is not stated, so read it with the two-value form.
	ExistsByCVEIDs(ctx context.Context, cveIDs []string) (map[string]bool, error)

	// --- reads ---

	// GetByCVEID returns the entry for one CVE; see ErrKEVNotFound for a miss.
	GetByCVEID(ctx context.Context, cveID string) (*KEVEntry, error)
	// GetByCVEIDs returns the entries that exist for the given IDs.
	GetByCVEIDs(ctx context.Context, cveIDs []string) ([]*KEVEntry, error)
	// GetPastDue returns entries whose remediation due date has passed.
	GetPastDue(ctx context.Context, limit int) ([]*KEVEntry, error)
	// GetRecentlyAdded returns entries added within the last `days` days.
	GetRecentlyAdded(ctx context.Context, days, limit int) ([]*KEVEntry, error)
	// GetRansomwareRelated returns entries with known ransomware campaign use.
	GetRansomwareRelated(ctx context.Context, limit int) ([]*KEVEntry, error)
	// Count returns how many entries are stored.
	Count(ctx context.Context) (int64, error)

	// --- writes ---

	// Upsert inserts or replaces one entry.
	Upsert(ctx context.Context, entry *KEVEntry) error
	// UpsertBatch inserts or replaces many entries.
	UpsertBatch(ctx context.Context, entries []*KEVEntry) error
	// DeleteAll wipes the catalog ahead of a full refresh.
	DeleteAll(ctx context.Context) error
}

type SyncError

// SyncError wraps a sync failure with the source it came from.
//
// Unwrap returns Cause, so errors.Is/errors.As see through a SyncError to the
// sentinel or typed error inside it. Message is free text that presumably
// ends up in Error() and from there in logs and the stored last-sync error —
// keep raw upstream response bodies and credential-bearing URLs out of it.
type SyncError struct {
	Source  string // name of the threat intel source (see ThreatIntelSource)
	Cause   error  // underlying error; returned by Unwrap
	Message string // human-readable context for the failure
}

func NewSyncError

func NewSyncError(source string, cause error, message string) *SyncError

NewSyncError creates a new sync error.

func (*SyncError) Error

func (e *SyncError) Error() string

Error returns the error message.

func (*SyncError) Unwrap

func (e *SyncError) Unwrap() error

Unwrap returns the underlying error.

type SyncState

// SyncState is the lifecycle state recorded for a source's most recent sync.
//
// The values are the strings that ParseSyncState accepts and String returns;
// persistence presumably stores them verbatim, so they must not be renamed
// without a data migration.
type SyncState string

// Sync lifecycle states, in the order a sync normally passes through them.
const (
	// SyncStatePending: scheduled but not yet started.
	SyncStatePending SyncState = "pending"
	// SyncStateRunning: in progress (see ErrSyncAlreadyRunning).
	SyncStateRunning SyncState = "running"
	// SyncStateSuccess: the last run completed.
	SyncStateSuccess SyncState = "success"
	// SyncStateFailed: the last run failed; the cause is kept as last-sync error text.
	SyncStateFailed SyncState = "failed"
)

func AllSyncStates

func AllSyncStates() []SyncState

AllSyncStates returns all valid sync states.

func ParseSyncState

func ParseSyncState(s string) (SyncState, error)

ParseSyncState parses a string into a SyncState.

func (SyncState) IsValid

func (s SyncState) IsValid() bool

IsValid checks if the sync state is valid.

func (SyncState) String

func (s SyncState) String() string

String returns the string representation.

type SyncStatus

type SyncStatus struct {
	// contains filtered or unexported fields
}

SyncStatus represents the sync status for a threat intel source.

func NewSyncStatus

func NewSyncStatus(sourceName string, syncIntervalHours int) *SyncStatus

NewSyncStatus creates a new SyncStatus.

func ReconstituteSyncStatus

func ReconstituteSyncStatus(
	id shared.ID,
	sourceName string,
	lastSyncAt *time.Time,
	lastSyncStatus SyncState,
	lastSyncError string,
	recordsSynced, syncDurationMs int,
	nextSyncAt *time.Time,
	syncIntervalHours int,
	isEnabled bool,
	metadata map[string]any,
	createdAt, updatedAt time.Time,
) *SyncStatus

ReconstituteSyncStatus recreates a SyncStatus from persistence.

func (*SyncStatus) CreatedAt

func (s *SyncStatus) CreatedAt() time.Time

CreatedAt returns the creation time.

func (*SyncStatus) ID

func (s *SyncStatus) ID() shared.ID

ID returns the sync status ID.

func (*SyncStatus) IsDueForSync

func (s *SyncStatus) IsDueForSync() bool

IsDueForSync reports whether a sync is currently due for this source. From the signature alone it is not visible whether a disabled source (see IsEnabled) is ever reported as due, so code that gates scheduling on this method should also check IsEnabled rather than assume.

func (*SyncStatus) IsEnabled

func (s *SyncStatus) IsEnabled() bool

IsEnabled returns whether sync is enabled.

func (*SyncStatus) LastSyncAt

func (s *SyncStatus) LastSyncAt() *time.Time

LastSyncAt returns the last sync time.

func (*SyncStatus) LastSyncError

func (s *SyncStatus) LastSyncError() string

LastSyncError returns the last sync error.

func (*SyncStatus) LastSyncStatus

func (s *SyncStatus) LastSyncStatus() SyncState

LastSyncStatus returns the last sync status.

func (*SyncStatus) MarkSyncFailed

func (s *SyncStatus) MarkSyncFailed(err string)

MarkSyncFailed marks the sync as failed and records err as the failure text (presumably what LastSyncError then returns; MarkSyncSuccess is the success counterpart). That text is persisted with the status and exposed through the repository, so pass a sanitized message rather than a raw upstream response body or a URL carrying credentials.

func (*SyncStatus) MarkSyncStarted

func (s *SyncStatus) MarkSyncStarted()

MarkSyncStarted marks the sync as started.

func (*SyncStatus) MarkSyncSuccess

func (s *SyncStatus) MarkSyncSuccess(recordsSynced int, durationMs int)

MarkSyncSuccess marks the sync as successful.

func (*SyncStatus) Metadata

func (s *SyncStatus) Metadata() map[string]any

Metadata returns a copy of the metadata.

func (*SyncStatus) NextSyncAt

func (s *SyncStatus) NextSyncAt() *time.Time

NextSyncAt returns the next sync time.

func (*SyncStatus) RecordsSynced

func (s *SyncStatus) RecordsSynced() int

RecordsSynced returns the number of records synced.

func (*SyncStatus) SetEnabled

func (s *SyncStatus) SetEnabled(enabled bool)

SetEnabled sets the enabled status.

func (*SyncStatus) SetSyncInterval

func (s *SyncStatus) SetSyncInterval(hours int)

SetSyncInterval sets the sync interval.

func (*SyncStatus) SourceName

func (s *SyncStatus) SourceName() string

SourceName returns the source name.

func (*SyncStatus) SyncDurationMs

func (s *SyncStatus) SyncDurationMs() int

SyncDurationMs returns the sync duration in milliseconds.

func (*SyncStatus) SyncIntervalHours

func (s *SyncStatus) SyncIntervalHours() int

SyncIntervalHours returns the sync interval in hours.

func (*SyncStatus) UpdatedAt

func (s *SyncStatus) UpdatedAt() time.Time

UpdatedAt returns the last update time.

type SyncStatusRepository

// SyncStatusRepository is the persistence port for per-source sync bookkeeping.
//
// The contract is read-mostly: there is no Create or Upsert here, so how a
// new source gets its initial record (NewSyncStatus builds the value) is
// decided elsewhere — check the implementation before assuming Update can
// insert. GetDueForSync is the scheduler's entry point; whether it already
// excludes disabled sources or leaves that to GetEnabled is not fixed by this
// interface, so a scheduler should not rely on either reading alone.
type SyncStatusRepository interface {
	// Update persists changes made to an existing status.
	Update(ctx context.Context, status *SyncStatus) error

	// GetBySource looks up one source by name; see ErrSyncStatusNotFound.
	GetBySource(ctx context.Context, source string) (*SyncStatus, error)
	// GetDueForSync lists sources whose next sync time has arrived.
	GetDueForSync(ctx context.Context) ([]*SyncStatus, error)
	// GetEnabled lists only statuses whose sync is enabled.
	GetEnabled(ctx context.Context) ([]*SyncStatus, error)
	// GetAll lists every stored status, enabled or not.
	GetAll(ctx context.Context) ([]*SyncStatus, error)
}

type ThreatIntelEnrichment

// ThreatIntelEnrichment is the per-CVE view merged from the EPSS and KEV
// stores, assembled with NewThreatIntelEnrichment, WithEPSS and WithKEV.
//
// Pointer fields are nil until the corresponding With* call supplies data,
// so "no EPSS score" and "score 0.0" stay distinguishable. InKEV carries no
// such signal: a false cannot tell "absent from the catalog" apart from "the
// catalog has never synced or was wiped mid-refresh", so consumers that treat
// false as evidence of non-exploitation should check the KEV SyncStatus first.
type ThreatIntelEnrichment struct {
	CVEID          string
	EPSSScore      *float64 // EPSS exploitation probability, 0.0–1.0; nil if unknown
	EPSSPercentile *float64 // EPSS percentile rank; nil if unknown
	InKEV          bool     // true when the CVE is present in the stored KEV catalog
	KEVDateAdded   *string  // date added to KEV, as a string (format not fixed here); presumably nil when not in KEV
	KEVDueDate     *string  // CISA remediation due date, as a string; presumably nil when not in KEV
	KEVRansomware  *string  // catalog's known-ransomware-campaign-use field; presumably nil when not in KEV
}

func NewThreatIntelEnrichment

func NewThreatIntelEnrichment(cveID string) *ThreatIntelEnrichment

NewThreatIntelEnrichment creates a new enrichment result.

func (*ThreatIntelEnrichment) HasData

func (t *ThreatIntelEnrichment) HasData() bool

HasData returns true if any enrichment data exists.

func (*ThreatIntelEnrichment) RiskLevel

func (t *ThreatIntelEnrichment) RiskLevel() string

RiskLevel returns a single risk label derived from whatever EPSS and KEV data the enrichment holds. How the two sources are combined — for example whether KEV membership overrides the EPSS band, and what is returned when HasData is false — is not visible from this signature; check the implementation before using the label for prioritisation.

func (*ThreatIntelEnrichment) WithEPSS

func (t *ThreatIntelEnrichment) WithEPSS(score, percentile float64) *ThreatIntelEnrichment

WithEPSS adds EPSS data.

func (*ThreatIntelEnrichment) WithKEV

func (t *ThreatIntelEnrichment) WithKEV(dateAdded, dueDate, ransomware string) *ThreatIntelEnrichment

WithKEV adds KEV data.

type ThreatIntelRepository

// ThreatIntelRepository is the aggregate port: the three stores plus the
// enrichment queries that read across them.
//
// EnrichCVEs returns a map presumably keyed by CVE ID; this interface does
// not say whether an ID with no data is omitted or present with HasData()
// false, so callers should handle both. A malformed CVE ID is expected to
// surface as ErrInvalidCVEID, but enforcing that is the implementation's job,
// not something callers can rely on from this contract alone.
type ThreatIntelRepository interface {
	// EnrichCVE merges EPSS and KEV data for one CVE.
	EnrichCVE(ctx context.Context, cveID string) (*ThreatIntelEnrichment, error)
	// EnrichCVEs does the same for a batch in one call.
	EnrichCVEs(ctx context.Context, cveIDs []string) (map[string]*ThreatIntelEnrichment, error)

	// EPSS exposes the EPSS score store.
	EPSS() EPSSRepository
	// KEV exposes the KEV catalog store.
	KEV() KEVRepository
	// SyncStatus exposes the per-source sync bookkeeping store.
	SyncStatus() SyncStatusRepository
}

type ThreatIntelSource

// ThreatIntelSource names one of the external feeds this package models.
//
// The string values are presumably what SyncStatus.SourceName and
// SyncError.Source carry, and what persistence stores, so they must not be
// renamed without a data migration. IsValid accepts exactly the constants
// listed here (see AllSources).
type ThreatIntelSource string

// Known feeds.
const (
	// SourceKEV: the CISA Known Exploited Vulnerabilities catalog.
	SourceKEV ThreatIntelSource = "kev"
	// SourceEPSS: the FIRST.org EPSS score feed.
	SourceEPSS ThreatIntelSource = "epss"
)

func AllSources

func AllSources() []ThreatIntelSource

AllSources returns all threat intel sources.

func (ThreatIntelSource) IsValid

func (t ThreatIntelSource) IsValid() bool

IsValid checks if the source is valid.

func (ThreatIntelSource) String

func (t ThreatIntelSource) String() string

String returns the string representation.
