entities

package
v0.4.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 12, 2026 License: GPL-2.0, GPL-2.0-only Imports: 4 Imported by: 0

Documentation

Overview

Package entities defines the domain data structures for SCANOSS crypto-finder.

Index

Constants

View Source 
const InterimFormatVersion = "1.3"

InterimFormatVersion is the current version of the interim report schema.

Variables

This section is empty.

Functions

This section is empty.

Types

type CryptographicAsset 

type CryptographicAsset struct {
	// StartLine is the first line number where the asset was detected
	StartLine int `json:"start_line"`

	// EndLine is the last line number where the asset was detected
	EndLine int `json:"end_line"`

	// Match is the actual code snippet that was matched
	Match string `json:"match"`

	// Rules contains information about all detection rules that triggered this finding
	// This allows multiple rules to detect the same cryptographic asset
	Rules []RuleInfo `json:"rules"`

	// Status represents the current state of this finding
	// Values: "pending", "identified", "dismissed", "reviewed"
	Status string `json:"status"`

	// Metadata contains metadata extracted from the cryptographic asset
	// such as key length, algorithm, etc.
	Metadata map[string]string `json:"metadata"`

	// OID is the Object Identifier for the cryptographic algorithm.
	// Sources: NIST CSOR, PKCS#1, ANSI X9.62, etc.
	// Example: "2.16.840.1.101.3.4.1.2" for AES-128-CBC
	OID string `json:"oid,omitempty"`

	// FindingID is a stable, short hash identifier for cross-referencing this finding
	// with the callgraph export. Generated as SHA-256(file_path:start_line:rule_id)[:8].
	FindingID string `json:"finding_id,omitempty"`

	// Source indicates how this finding was discovered.
	// Values: "direct" (found in user code), "dependency" (found in a dependency).
	Source string `json:"source,omitempty"`

	// DependencyInfo contains attribution data when the finding originates from a dependency.
	DependencyInfo *DependencyInfo `json:"dependency_info,omitempty"`
}

CryptographicAsset represents a single detected cryptographic element.

func (*CryptographicAsset) GetKey added in v0.2.0 

func (c *CryptographicAsset) GetKey() string

GetKey generates a unique key for deduplication based on asset type and identifying metadata. Assets with the same key are considered the same cryptographic entity and will be merged. The key is constructed using asset-type-specific identifying fields:

  • algorithm: algorithmName if available, otherwise algorithmFamily + mode + padding, otherwise algorithmFamily
  • related-crypto-material: materialType
  • protocol: protocolType
  • certificate: certificateSerialNumber (or location-based fallback when missing)

This method provides a single source of truth for asset identity across the codebase, used by both the deduplicator (per-file) and aggregator (cross-file).

func (*CryptographicAsset) UnmarshalJSON added in v0.1.5 

func (c *CryptographicAsset) UnmarshalJSON(data []byte) error

UnmarshalJSON provides backward compatibility for the old "rule" field format. It handles both:

  • Old format: {"rule": {...}} -> converted to {"rules": [{...}]}
  • New format: {"rules": [{...}, {...}]}.

type DependencyInfo added in v0.4.0 

type DependencyInfo struct {
	// Module is the dependency module path (e.g., "golang.org/x/crypto").
	Module string `json:"module"`
	// Version is the dependency version (e.g., "v0.17.0").
	Version string `json:"version"`
}

DependencyInfo contains attribution metadata for findings originating from dependencies.

type Finding 

type Finding struct {
	// FilePath is the path to the file containing cryptographic assets
	FilePath string `json:"file_path"`

	// Language is the programming language of the file (e.g., "java", "python", "go")
	Language string `json:"language"`

	// CryptographicAssets contains all cryptographic materials found in this file
	CryptographicAssets []CryptographicAsset `json:"cryptographic_assets"`
}

Finding represents all cryptographic assets discovered in a single file. Each file that contains cryptographic material will have one Finding entry.

type InterimReport 

type InterimReport struct {
	// Version of the interim report schema (e.g., "1.0")
	Version string `json:"version"`

	// Tool contains information about the scanner that generated this report
	Tool ToolInfo `json:"tool"`

	// Rules describes the ruleset that was used for this scan. Downstream
	// systems (e.g. crypto-mining-service) stamp this on every persisted
	// result so a re-mine can be triggered when the rules pack changes,
	// and a finding's provenance is auditable. Empty when no rule source
	// could supply a version (e.g. ad-hoc local files with no manifest).
	Rules RulesInfo `json:"rules,omitempty"`

	// Findings contains all detected cryptographic assets grouped by file
	Findings []Finding `json:"findings"`
}

InterimReport is the standardized output format for all scanners. This format provides a unified representation of cryptographic findings that can be consumed by the SCANOSS ecosystem and other downstream tools.

func (*InterimReport) SortAssets added in v0.2.1 

func (r *InterimReport) SortAssets()

SortAssets sorts CryptographicAssets within each Finding by StartLine. This ensures assets within the same file appear in line order.

func (*InterimReport) SortFindings added in v0.2.1 

func (r *InterimReport) SortFindings()

SortFindings sorts the Findings array by FilePath (lexicographically). This ensures deterministic output regardless of scan order.

type MetavarInfo 

type MetavarInfo struct {
	Start struct {
		Line   int `json:"line"`
		Col    int `json:"col"`
		Offset int `json:"offset"`
	} `json:"start"`
	End struct {
		Line   int `json:"line"`
		Col    int `json:"col"`
		Offset int `json:"offset"`
	} `json:"end"`
	AbstractContent string                  `json:"abstract_content"`
	PropagatedValue *MetavarPropagatedValue `json:"propagated_value"`
}

MetavarInfo holds information about a captured metavariables.

type MetavarPropagatedValue 

type MetavarPropagatedValue struct {
	SvalueStart struct {
		Line   int `json:"line"`
		Col    int `json:"col"`
		Offset int `json:"offset"`
	} `json:"svalue_start"`
	SvalueEnd struct {
		Line   int `json:"line"`
		Col    int `json:"col"`
		Offset int `json:"offset"`
	} `json:"svalue_end"`
	SvalueAbstractContent string `json:"svalue_abstract_content"`
}

MetavarPropagatedValue contains propagated values for metavariables.

type RuleInfo 

type RuleInfo struct {
	// ID is the unique identifier for the rule
	// Example: "<language>.crypto.<library>.<operation>-<specifics>"
	ID string `json:"id"`

	// Message is a human-readable description of what was detected
	Message string `json:"message"`

	// Severity indicates the importance level of the finding
	// Values: "WARNING", "ERROR", "INFO"
	Severity string `json:"severity"`

	// Version is the ruleset version when known (e.g., "latest", "v1.0.1")
	Version string `json:"version,omitempty"`
}

RuleInfo contains information about the detection rule that identified the cryptographic asset.

type RulesInfo added in v0.4.0 

type RulesInfo struct {
	// Source is "remote" or "local". Empty when no rules were loaded.
	Source string `json:"source,omitempty"`

	// Name of the ruleset (e.g. "dca"). Remote sources only.
	Name string `json:"name,omitempty"`

	// Version of the ruleset (e.g. "v1.0.0", "latest"). Remote sources only.
	Version string `json:"version,omitempty"`

	// ChecksumSHA256 is the content fingerprint of the ruleset.
	// For remote sources: the manifest checksum reported by the API.
	// For local sources: SHA256 of concatenated rule file contents in path-sorted order.
	ChecksumSHA256 string `json:"checksum_sha256,omitempty"`
}

RulesInfo describes the ruleset that fed a scan. The Source field is always set when Rules is populated; Name / Version / ChecksumSHA256 are best-effort and may be empty depending on the source type.

For remote rulesets, Version is the manifest version returned by the SCANOSS API (e.g. "v1.0.0", "latest") and ChecksumSHA256 is the manifest checksum, both lifted from .cache-meta.json. For local rulesets, Version is empty and ChecksumSHA256 is a hash of the loaded rule file contents in deterministic order.

type SemgrepError 

type SemgrepError struct {
	Code    int                `json:"code,omitempty"`  // Error code
	Type    any                `json:"type"`            // Error type (string or [string, locations])
	Level   string             `json:"level"`           // Error level
	Message string             `json:"message"`         // Error message
	Path    string             `json:"path"`            // File path (if applicable)
	Spans   []SemgrepErrorSpan `json:"spans,omitempty"` // Error spans
}

SemgrepError represents an error from Semgrep execution.

type SemgrepErrorSpan 

type SemgrepErrorSpan struct {
	File  string          `json:"file"`
	Start SemgrepLocation `json:"start"`
	End   SemgrepLocation `json:"end"`
}

SemgrepErrorSpan represents a location span in a Semgrep error.

type SemgrepExtra 

type SemgrepExtra struct {
	Message  string                 `json:"message"`  // Human-readable message
	Metadata SemgrepMetadata        `json:"metadata"` // Rule metadata
	Metavars map[string]MetavarInfo `json:"metavars"` // Metavariables
	Severity string                 `json:"severity"` // Severity level
	Lines    string                 `json:"lines"`    // Matched code snippet
}

SemgrepExtra contains additional metadata from Semgrep rules.

type SemgrepLocation 

type SemgrepLocation struct {
	Line   int `json:"line"`   // Line number (1-indexed)
	Col    int `json:"col"`    // Column number (1-indexed)
	Offset int `json:"offset"` // Byte offset
}

SemgrepLocation represents a position in the source code.

type SemgrepMetadata 

type SemgrepMetadata struct {
	Category       string         `json:"category,omitempty"`
	Subcategory    string         `json:"subcategory,omitempty"`
	Confidence     string         `json:"confidence,omitempty"`
	Likelihood     string         `json:"likelihood,omitempty"`
	Impact         string         `json:"impact,omitempty"`
	CWE            any            `json:"cwe,omitempty"`
	Crypto         map[string]any `json:"crypto,omitempty"`
	Owasp          []string       `json:"owasp,omitempty"`
	References     []string       `json:"references,omitempty"`
	Recommendation string         `json:"recommendation,omitempty"`
}

SemgrepMetadata contains metadata from Semgrep rules.

type SemgrepOutput 

type SemgrepOutput struct {
	Results []SemgrepResult `json:"results"`
	Errors  []SemgrepError  `json:"errors"`
}

SemgrepOutput represents the JSON output structure from Semgrep.

type SemgrepResult 

type SemgrepResult struct {
	CheckID  string          `json:"check_id"` // Rule ID
	Path     string          `json:"path"`     // File path
	Start    SemgrepLocation `json:"start"`    // Start location
	End      SemgrepLocation `json:"end"`      // End location
	Extra    SemgrepExtra    `json:"extra"`    // Additional metadata
	Message  string          `json:"message"`  // Rule message
	Severity string          `json:"severity"` // WARNING, ERROR, INFO
}

SemgrepResult represents a single finding from Semgrep.

type ToolInfo 

type ToolInfo struct {
	// Name of the scanner tool (e.g., "crypto-finder", "cbom-toolkit", etc)
	Name string `json:"name"`

	// Version of the scanner tool (e.g., "1.45.0")
	Version string `json:"version"`
}

ToolInfo contains metadata about the scanner that produced the report.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.