|
| 1 | +// Copyright 2024 The Go Authors. All rights reserved. |
| 2 | +// Use of this source code is governed by a BSD-style |
| 3 | +// license that can be found in the LICENSE file. |
| 4 | + |
| 5 | +// Package vex defines the Vulnerability EXchange Format (VEX) types |
| 6 | +// supported by govulncheck. |
| 7 | +// |
| 8 | +// These types match the OpenVEX standard. See https://github.com/openvex for |
| 9 | +// more information on VEX and OpenVEX. |
| 10 | +package openvex |
| 11 | + |
| 12 | +import "time" |
| 13 | + |
| 14 | +const ( |
| 15 | + ContextURI = "https://openvex.dev/ns/v0.2.0" |
| 16 | + Tooling = "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck" |
| 17 | + Impact = "Govulncheck determined that the vulnerable code isn't called" |
| 18 | + |
| 19 | + DefaultAuthor = "Unknown Author" |
| 20 | + DefaultPID = "Unknown Product" |
| 21 | + |
| 22 | + // The following are defined by the VEX standard. |
| 23 | + StatusAffected = "affected" |
| 24 | + StatusNotAffected = "not_affected" |
| 25 | + |
| 26 | + // The following are defined by the VEX standard. |
| 27 | + JustificationNotExecuted = "vulnerable_code_not_in_execute_path" |
| 28 | + JustificationNotPresent = "vulnerable_code_not_present" |
| 29 | +) |
| 30 | + |
| 31 | +// Document is the top-level struct for a VEX document. |
| 32 | +type Document struct { |
| 33 | + // Context is an IRI pointing to the version of openVEX being used by the doc |
| 34 | + // For govulncheck, it will always be https://openvex.dev/ns/v0.2.0 |
| 35 | + Context string `json:"@context,omitempty"` |
| 36 | + |
| 37 | + // ID is the identifying string for the VEX document. |
| 38 | + // govulncheck/vex-[content-based-hash] |
| 39 | + ID string `json:"@id,omitempty"` |
| 40 | + |
| 41 | + // Author is the identifier for the author of the VEX statement. |
| 42 | + // Govulncheck will leave this field default (Unknown author) to be filled in by the user. |
| 43 | + Author string `json:"author,omitempty"` |
| 44 | + |
| 45 | + // Timestamp defines the time at which the document was issued. |
| 46 | + Timestamp time.Time `json:"timestamp,omitempty"` |
| 47 | + |
| 48 | + // Version is the document version. For govulncheck's output, this will always be 1. |
| 49 | + Version int `json:"version,omitempty"` |
| 50 | + |
| 51 | + // Tooling expresses how the VEX document and contained VEX statements were |
| 52 | + // generated. In this case, it will always be: |
| 53 | + // "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck" |
| 54 | + Tooling string `json:"tooling,omitempty"` |
| 55 | + |
| 56 | + // Statements are all statements for a given govulncheck output. |
| 57 | + // Each OSV emitted by govulncheck will have a corresponding statement. |
| 58 | + Statements []Statement `json:"statements,omitempty"` |
| 59 | +} |
| 60 | + |
| 61 | +// Statement conveys a single status for a single vulnerability for one or more products. |
| 62 | +type Statement struct { |
| 63 | + // Vulnerability is the vuln being referenced by the statement. |
| 64 | + Vulnerability Vulnerability `json:"vulnerability,omitempty"` |
| 65 | + |
| 66 | + // Products are the products associated with the given vulnerability in the statement. |
| 67 | + Products []Product `json:"products,omitempty"` |
| 68 | + |
| 69 | + // The status of the vulnerability. Will be either not_affected or affected for govulncheck. |
| 70 | + Status string `json:"status,omitempty"` |
| 71 | + |
| 72 | + // If the status is not_affected, this must be filled. The official VEX justification that |
| 73 | + // best matches govulncheck's vuln filtering is "vulnerable_code_not_in_execute_path" |
| 74 | + Justification string `json:"justification,omitempty"` |
| 75 | + |
| 76 | + // If the status is not_affected, this must be filled. For govulncheck, this will always be: |
| 77 | + // "Govulncheck determined that the vulnerable code isn't called" |
| 78 | + ImpactStatement string `json:"impact_statement,omitempty"` |
| 79 | +} |
| 80 | + |
| 81 | +// Vulnerability captures a vulnerability and its identifiers/aliases. |
| 82 | +type Vulnerability struct { |
| 83 | + // ID is a URI that in govulncheck's case points to the govulndb link for the vulnerability. |
| 84 | + // I.E. https://pkg.go.dev/vuln/GO-2024-2497 |
| 85 | + ID string `json:"@id,omitempty"` |
| 86 | + |
| 87 | + // Name is the main identifier for the vulnerability (GO-YYYY-XXXX) |
| 88 | + Name string `json:"name,omitempty"` |
| 89 | + |
| 90 | + // Description is a short text description of the vulnerability. |
| 91 | + // It will be populated from the 'summary' field of the vuln's OSV if it exists, |
| 92 | + // and the 'description' field of the osv if a summary isn't present. |
| 93 | + Description string `json:"description,omitempty"` |
| 94 | + |
| 95 | + // Aliases a list of identifiers that other systems are using to track the vulnerability. |
| 96 | + // I.E. GHSA or CVE ids. |
| 97 | + Aliases []string `json:"aliases,omitempty"` |
| 98 | +} |
| 99 | + |
| 100 | +// Product identifies the products associated with the given vuln. |
| 101 | +type Product struct { |
| 102 | + // For now, the ID will always be "Unknown product". |
| 103 | + // This is temporary and is subject to change. |
| 104 | + ID string `json:"@id,omitempty"` |
| 105 | +} |
0 commit comments