core

package
v0.1.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 5, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Overview

File: internal/analysis/core/context.go

File: internal/analysis/core/definitions.go

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckIfSanitizer 

func CheckIfSanitizer(path []string) bool

CheckIfSanitizer checks if a function call path matches a known sanitizer.

Types

type AdapterRegistry 

type AdapterRegistry map[schemas.TaskType]Analyzer

AdapterRegistry is a type alias for a map that associates a specific task type with its corresponding `Analyzer` implementation. This registry is used by workers to dispatch tasks to the correct analysis module.

type AnalysisContext 

type AnalysisContext struct {
	Global    *GlobalContext
	Task      schemas.Task
	TargetURL *url.URL
	Logger    *zap.Logger
	Artifacts *schemas.Artifacts
	Findings  []schemas.Finding
	KGUpdates *schemas.KnowledgeGraphUpdate
	// Session allows an analyzer to operate on a pre-existing browser session,
	// which is crucial for agent-driven, multi-step analysis scenarios.
	Session schemas.SessionContext
}

AnalysisContext encapsulates all the information and resources required for a single, specific analysis task. It contains the task details, the target URL, a task-specific logger, and access to the shared `GlobalContext`.

func (*AnalysisContext) AddFinding 

func (ac *AnalysisContext) AddFinding(finding schemas.Finding)

AddFinding is a convenience method for analyzers to report a new vulnerability finding. It automatically populates the finding with the scan ID from the current task context before appending it to the list of findings.

type Analyzer 

type Analyzer interface {
	Name() string
	Description() string
	Type() AnalyzerType
	Analyze(ctx context.Context, analysisCtx *AnalysisContext) error
}

Analyzer is the core interface that all security analysis modules must implement. It defines the standard contract for how the analysis engine interacts with a specific scanner, regardless of whether it's active, passive, or static.

type AnalyzerType 

type AnalyzerType string

AnalyzerType distinguishes between passive and active analysis modules. 

const (
	// TypeActive analyzers interact with the target application.
	TypeActive AnalyzerType = "ACTIVE"
	// TypePassive analyzers only inspect artifacts (HAR, DOM, etc.).
	TypePassive AnalyzerType = "PASSIVE"
	// TypeStatic is a more descriptive alias for passive analysis.
	// Static analysis, by its nature, operates on collected data without direct interaction.
	TypeStatic AnalyzerType = "STATIC"
	// TypeAgent analyzers are for autonomous agent missions.
	TypeAgent AnalyzerType = "AGENT"
)

type BaseAnalyzer 

type BaseAnalyzer struct {
	Logger *zap.Logger // Exposed for use in specific analyzer implementations.
	// contains filtered or unexported fields
}

BaseAnalyzer provides a foundational implementation of the `Analyzer` interface, handling common fields like name, description, and type. It is intended to be embedded within specific analyzer implementations to reduce boilerplate code.

func NewBaseAnalyzer 

func NewBaseAnalyzer(name, description string, analyzerType AnalyzerType, logger *zap.Logger) *BaseAnalyzer

NewBaseAnalyzer creates and initializes a new BaseAnalyzer, which can be embedded in other analyzer structs to provide default implementations of the Analyzer interface methods.

func (*BaseAnalyzer) Description 

func (b *BaseAnalyzer) Description() string

Description returns the analyzer's description.

func (*BaseAnalyzer) Name 

func (b *BaseAnalyzer) Name() string

Name returns the analyzer's name.

func (*BaseAnalyzer) Type 

func (b *BaseAnalyzer) Type() AnalyzerType

Type returns the analyzer's type (e.g., ACTIVE, PASSIVE).

type GlobalContext 

type GlobalContext struct {
	Config         config.Interface
	Logger         *zap.Logger
	BrowserManager schemas.BrowserManager
	DBPool         *pgxpool.Pool
	KGClient       schemas.KnowledgeGraphClient
	OASTProvider   schemas.OASTProvider
	FindingsChan   chan<- schemas.Finding
	// Adapters provides access to the registry of all available analysis adapters,
	// allowing for dynamic invocation by components like the agent.
	Adapters AdapterRegistry
}

GlobalContext provides a centralized container for application-wide services, configurations, and resources that are shared across all analysis tasks. This includes database connections, loggers, and the browser manager.

type IdentifierLocation 

type IdentifierLocation string

IdentifierLocation specifies the exact part of an HTTP request where an identifier was discovered. 

const (
	LocationURLPath    IdentifierLocation = "URLPath"
	LocationQueryParam IdentifierLocation = "QueryParam"
	LocationJSONBody   IdentifierLocation = "JSONBody"
	LocationHeader     IdentifierLocation = "Header"
)

type IdentifierType 

type IdentifierType string

IdentifierType provides a classification for different kinds of resource identifiers found in HTTP requests, such as numeric IDs or UUIDs. 

const (
	TypeUnknown   IdentifierType = "Unknown"
	TypeNumericID IdentifierType = "NumericID"
	TypeUUID      IdentifierType = "UUID"
	TypeObjectID  IdentifierType = "ObjectID" // e.g., MongoDB ObjectID
	TypeBase64    IdentifierType = "Base64"
)

type ObservedIdentifier 

type ObservedIdentifier struct {
	Value     string
	Type      IdentifierType
	Location  IdentifierLocation
	Key       string // The key for headers, query params, or the JSON path.
	PathIndex int    // The index for URL path segments.
}

ObservedIdentifier provides a structured representation of a potential resource identifier discovered within an HTTP request, detailing its value, type, and precise location.

type Reporter 

type Reporter interface {
	// Write takes a `ResultEnvelope`, which can contain findings and/or
	// knowledge graph updates, and persists it.
	Write(envelope *schemas.ResultEnvelope) error
}

Reporter defines a standard, thread-safe interface for components that can publish the results of an analysis, such as writing them to a database or a file.

type SerializedResponse 

type SerializedResponse struct {
	StatusCode int         `json:"status_code"`
	Headers    http.Header `json:"headers"`
	Body       string      `json:"body"`
}

SerializedResponse provides a JSON-safe representation of an HTTP response, intended for embedding within the `Evidence` field of a finding. It ensures the response body is stored as a string.

type SinkDefinition 

type SinkDefinition struct {
	// Full property path (e.g., "Element.prototype.innerHTML").
	Name string `json:"Name" yaml:"name"`
	// The canonical sink type (e.g., SinkInnerHTML). Used for correlation.
	Type schemas.TaintSink `json:"Type" yaml:"type"`

	// True if this is a property setter.
	Setter bool `json:"Setter" yaml:"setter"`
	// The argument index to inspect for taint (for function calls).
	ArgIndex int `json:"ArgIndex" yaml:"arg_index"`
	// An optional ID for a JS-side pre-condition (e.g. "IS_STRING_ARG0").
	ConditionID string `json:"ConditionID,omitempty" yaml:"condition_id,omitempty"`
}

SinkDefinition provides the blueprint for instrumenting (IAST) or analyzing (SAST) a single JavaScript sink. It unifies the definitions previously split between taint/types.go and javascript/definitions.go. (Step 1: Moved and adapted from taint/types.go SinkDefinition)

func DefaultSinks 

func DefaultSinks() []SinkDefinition

DefaultSinks provides the unified list of JavaScript sinks. (Step 1: Moved from taint/probes.go)

type SinkType 

type SinkType string

SinkType categorizes the impact of a taint sink (used primarily in SAST reporting). 

const (
	SinkTypeExecution          SinkType = "Code Execution"
	SinkTypeHTMLInjection      SinkType = "DOM XSS (HTML Injection)"
	SinkTypeURLRedirection     SinkType = "Open Redirect/URL Manipulation"
	SinkTypeCookieManipulation SinkType = "Cookie Manipulation"
	SinkTypeAttributeInjection SinkType = "DOM XSS (Attribute Injection)"
	SinkTypeDataLeak           SinkType = "Data Leakage"
	SinkTypeUnknown            SinkType = "Unknown"
)

SinkType constants

func GetSinkType 

func GetSinkType(canonical schemas.TaintSink) SinkType

GetSinkType maps the canonical schemas.TaintSink (used by IAST) to the broader SinkType (used by SAST). This helper is crucial for correlation between the two engines (Step 5).

type TaintSink 

type TaintSink string

TaintSink represents a specific function or property name identified statically (used primarily in SAST reporting).

type TaintSource 

type TaintSource string

TaintSource represents a potential entry point for user controlled data (used primarily in SAST reporting). 

const (
	SourceLocationHash     TaintSource = "location.hash"
	SourceLocationSearch   TaintSource = "location.search"
	SourceLocationHref     TaintSource = "location.href"
	SourceDocumentCookie   TaintSource = "document.cookie"
	SourceDocumentReferrer TaintSource = "document.referrer"
	SourceWindowName       TaintSource = "window.name"
	SourceLocalStorage     TaintSource = "localStorage.getItem"
	SourceSessionStorage   TaintSource = "sessionStorage.getItem"
	SourcePostMessageData  TaintSource = "message.data"
	SourceUnknown          TaintSource = "unknown_source" // Used when propagating taint without a clear origin
)

Known Taint Sources (DOM/Browser APIs)

func CheckIfFunctionSource 

func CheckIfFunctionSource(path []string) (TaintSource, bool)

CheckIfFunctionSource checks if a function call path matches a known source.

func CheckIfPropertySource 

func CheckIfPropertySource(path []string) (TaintSource, bool)

CheckIfPropertySource checks if a property access path matches a known source.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.