Documentation
¶
Overview ¶
Package vex provides CycloneDX VEX (Vulnerability Exploitability eXchange) output. It converts graphize-appsec reachability test results into standards-compliant CycloneDX vulnerability analysis suitable for SBOM enrichment.
Index ¶
- func DecodeSBOM(r io.Reader, format cdx.BOMFileFormat) (*cdx.BOM, error)
- func DetectFormatFromPath(path string) cdx.BOMFileFormat
- func EncodeSBOM(bom *cdx.BOM, w io.Writer, format cdx.BOMFileFormat) error
- func ReadSBOM(path string) (*cdx.BOM, error)
- func TestResultToJustification(testID string, pass bool) cdx.ImpactAnalysisJustification
- func WriteSBOM(bom *cdx.BOM, path string) error
- type Converter
- type EnrichmentResult
- type SBOMEnricher
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DecodeSBOM ¶
DecodeSBOM decodes a CycloneDX SBOM from a reader.
func DetectFormatFromPath ¶
func DetectFormatFromPath(path string) cdx.BOMFileFormat
DetectFormatFromPath detects the SBOM format from file extension.
func EncodeSBOM ¶
EncodeSBOM encodes a CycloneDX SBOM to a writer.
func TestResultToJustification ¶
func TestResultToJustification(testID string, pass bool) cdx.ImpactAnalysisJustification
TestResultToJustification maps a specific test ID to a VEX justification.
Types ¶
type Converter ¶
type Converter struct {
// ToolName is the name of the tool generating the VEX data.
ToolName string
// ToolVersion is the version of the tool.
ToolVersion string
// ToolVendor is the vendor of the tool.
ToolVendor string
}
Converter transforms reachability test results into CycloneDX VEX format.
func NewConverter ¶
func NewConverter() *Converter
NewConverter creates a new VEX converter with default settings.
func (*Converter) ConvertResult ¶
func (c *Converter) ConvertResult(vulnID string, result *reachability.RunResult, affectedRef string) *cdx.Vulnerability
ConvertResult converts a single reachability run result to a CycloneDX Vulnerability.
type EnrichmentResult ¶
type EnrichmentResult struct {
// OriginalVulnCount is the number of vulnerabilities in the original SBOM.
OriginalVulnCount int
// EnrichedVulnCount is the number of vulnerabilities after enrichment.
EnrichedVulnCount int
// AddedVulnCount is the number of new vulnerabilities added.
AddedVulnCount int
// UpdatedVulnCount is the number of vulnerabilities updated with VEX.
UpdatedVulnCount int
// NotAffectedCount is vulnerabilities marked as not_affected.
NotAffectedCount int
// ExploitableCount is vulnerabilities marked as exploitable.
ExploitableCount int
// InTriageCount is vulnerabilities marked as in_triage.
InTriageCount int
}
EnrichmentResult contains the result of enriching an SBOM.
type SBOMEnricher ¶
type SBOMEnricher struct {
// contains filtered or unexported fields
}
SBOMEnricher enriches CycloneDX SBOMs with VEX analysis from reachability tests.
func NewSBOMEnricher ¶
func NewSBOMEnricher() *SBOMEnricher
NewSBOMEnricher creates a new SBOM enricher.
func (*SBOMEnricher) CreateVEXDocument ¶
func (e *SBOMEnricher) CreateVEXDocument(vulnResults map[string]*reachability.RunResult) *cdx.BOM
CreateVEXDocument creates a standalone VEX document (BOM with only vulnerabilities).
func (*SBOMEnricher) Enrich ¶
func (e *SBOMEnricher) Enrich(bom *cdx.BOM, vulnResults map[string]*reachability.RunResult) (*EnrichmentResult, error)
Enrich adds VEX analysis to an SBOM based on reachability test results.
func (*SBOMEnricher) SetToolInfo ¶
func (e *SBOMEnricher) SetToolInfo(name, version, vendor string)
SetToolInfo sets the tool metadata for generated VEX.
Source Files