Documentation
Overview
Package fingerprint provides unified fingerprint generation algorithms for deduplication of security findings across SDK and Backend.
IMPORTANT: This package is shared between sdk and api. Any changes to fingerprint algorithms must be backward compatible or coordinated across both projects.
Index
- func Generate(input Input) string
- func GenerateAuto(input Input) string
- func GenerateContainer(imageTarget, packageName, packageVersion, vulnID string) string
- func GenerateDAST(templateID, targetHost, targetPath, parameter string) string
- func GenerateGeneric(ruleID, filePath string, startLine, endLine int, message string) string
- func GenerateMisconfiguration(resourceType, resourceName, ruleID, filePath string) string
- func GenerateSAST(filePath, ruleID string, startLine, endLine int) string
- func GenerateSCA(packageName, packageVersion, vulnID string) string
- func GenerateSecret(filePath, ruleID string, startLine int, secretValue string) string
- func GenerateWeb3(contractAddress string, chainID int, swcID, functionSignature string) string
- func Hash(s string) string
- type Input
- type Type
Constants
This section is empty.
Variables
This section is empty.
Functions
func Generate
Generate creates a fingerprint for the given input. The fingerprint is a SHA256 hash (64 hex characters) that uniquely identifies a finding based on its type and relevant attributes.
The algorithm varies by finding type to ensure optimal deduplication:
- SAST: file + rule + location (same vulnerability in same place)
- SCA: package + version + vuln ID (same vuln in same dependency)
- Secret: file + rule + location + secret hash (same secret in same place)
- Misconfig: resource + rule (same misconfiguration on same resource)
- Generic: rule + file + location + message (fallback)
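To make the per-type composition above concrete, here is an added Go example (not the package's own code) that rebuilds the documented scheme: a SAST fingerprint ignores the message, an SCA fingerprint changes with the package version, and a secret fingerprint carries only a hash of the secret, never the secret itself. The Finding struct, the field order and the "\x00" separator are assumptions made here; the page does not state what the real package uses.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Finding carries the subset of Input fields the overview's algorithms use (assumed shape).
type Finding struct {
	Type, RuleID, FilePath, Message, SecretValue string
	PackageName, PackageVersion, VulnID         string
	StartLine, EndLine                          int
}

// hash returns the SHA256 hex digest (64 characters), as the docs describe.
func hash(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Fingerprint composes the fields the overview lists for each finding type.
// ASSUMPTION: the package's real field order and separator are not on the page;
// type-prefixed parts joined with "\x00" are used here so fields cannot run together.
func Fingerprint(f Finding) string {
	loc := fmt.Sprintf("%d:%d", f.StartLine, f.EndLine)
	var parts []string
	switch f.Type {
	case "sast": // file + rule + location; the message is deliberately left out
		parts = []string{"sast", f.FilePath, f.RuleID, loc}
	case "sca": // package + version + vuln ID
		parts = []string{"sca", f.PackageName, f.PackageVersion, f.VulnID}
	case "secret": // only a hash of the secret enters the fingerprint input
		parts = []string{"secret", f.FilePath, f.RuleID, loc, hash(f.SecretValue)}
	default: // generic fallback: rule + file + location + message
		parts = []string{"generic", f.RuleID, f.FilePath, loc, f.Message}
	}
	return hash(strings.Join(parts, "\x00"))
}

func main() {
	// Constructed sample: the same SAST hit reported twice with different wording.
	a := Finding{Type: "sast", FilePath: "app/login.go", RuleID: "go-sqli", StartLine: 42, EndLine: 44, Message: "first scan"}
	b := a
	b.Message = "second scan, reworded" // same place and rule: same fingerprint
	fmt.Println(Fingerprint(a) == Fingerprint(b)) // true
}
```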
func GenerateAuto
GenerateAuto automatically detects the type and generates a fingerprint. Use this when you're not sure which specific generator to use.
func GenerateContainer
GenerateContainer creates a fingerprint for container image vulnerability findings. imageTarget is the image name or digest (e.g., "nginx:latest"). packageName is the vulnerable package name. packageVersion is the installed package version. vulnID is the CVE or other vulnerability identifier.
func GenerateDAST
GenerateDAST creates a fingerprint for DAST findings (Nuclei, ZAP, etc.). templateID is the scanner rule/template ID. targetHost is the hostname being scanned. targetPath is the URL path where the finding was detected. parameter is the affected parameter name (not value).
func GenerateGeneric
GenerateGeneric creates a fingerprint for generic findings. Use this when the finding type doesn't fit other categories.
func GenerateMisconfiguration
GenerateMisconfiguration creates a fingerprint for misconfiguration findings.
func GenerateSAST
GenerateSAST creates a fingerprint for SAST/code vulnerability findings. This is a convenience function for the common SAST case.
func GenerateSCA
GenerateSCA creates a fingerprint for SCA/dependency vulnerability findings. This is a convenience function for the common SCA case.
func GenerateSecret
GenerateSecret creates a fingerprint for secret detection findings. This is a convenience function for the common secret case.
func GenerateWeb3
GenerateWeb3 creates a fingerprint for smart contract findings (Slither, Mythril, etc.). contractAddress is the contract address (e.g., "0x..."). chainID is the blockchain chain ID (e.g., 1 for Ethereum mainnet). swcID is the SWC registry ID (e.g., "SWC-101"). functionSignature is the affected function (e.g., "transfer(address,uint256)").
Types
type Input
type Input struct {
	// Type of finding (sast, sca, secret, misconfig, generic)
	Type Type

	// Common fields
	RuleID   string // Rule/check identifier
	FilePath string // File path where finding was detected
	Message  string // Finding message/description

	// Location fields (for SAST, Secret)
	StartLine   int
	EndLine     int
	StartColumn int
	EndColumn   int

	// SCA-specific fields
	PackageName     string // Package/dependency name
	PackageVersion  string // Package version
	VulnerabilityID string // CVE ID or other vuln identifier

	// Secret-specific fields
	SecretValue string // The actual secret (will be hashed)

	// Misconfiguration-specific fields
	ResourceType string // e.g., "aws_s3_bucket", "dockerfile"
	ResourceName string // Resource identifier

	// DAST-specific fields (for Nuclei, ZAP)
	TargetHost string // Target hostname (e.g., "example.com")
	TargetPath string // URL path (e.g., "/api/users")
	Parameter  string // Affected parameter name (e.g., "id")

	// Container-specific fields (for Trivy image)
	ImageTarget string // Image name or digest (e.g., "nginx:latest", "sha256:abc...")

	// Web3-specific fields (for Slither)
	ContractAddress   string // Contract address (e.g., "0x...")
	ChainID           int    // Blockchain chain ID (e.g., 1 for Ethereum mainnet)
	SWCID             string // SWC registry ID (e.g., "SWC-101")
	FunctionSignature string // Function signature (e.g., "transfer(address,uint256)")
}
Input contains the data needed to generate a fingerprint. Not all fields are required; only those relevant to the finding type need to be set.
type Type
type Type string
Type represents the type of finding for fingerprint generation.
const (
	// TypeSAST is for Static Application Security Testing findings (code vulnerabilities).
	TypeSAST Type = "sast"
	// TypeSCA is for Software Composition Analysis findings (dependency vulnerabilities).
	TypeSCA Type = "sca"
	// TypeSecret is for secret/credential detection findings.
	TypeSecret Type = "secret"
	// TypeMisconfiguration is for infrastructure/configuration findings.
	TypeMisconfiguration Type = "misconfig"
	// TypeDAST is for Dynamic Application Security Testing findings (Nuclei, ZAP).
	TypeDAST Type = "dast"
	// TypeContainer is for container image vulnerability findings (Trivy image).
	TypeContainer Type = "container"
	// TypeWeb3 is for smart contract/blockchain findings (Slither).
	TypeWeb3 Type = "web3"
	// TypeGeneric is for findings that don't fit other categories.
	TypeGeneric Type = "generic"
)
func DetectType
DetectType attempts to detect the finding type from available data. This is useful when the type is not explicitly provided.