package types
import (
"encoding/json"
"fmt"
"time"
)
// Severity is the normalized severity level of a vulnerability. Values are
// ordered from SeverityUnknown (lowest) to SeverityCritical (highest); see the
// const block below. No JSON marshaler is defined for it in this file, so
// encoding/json reads and writes it as a plain integer, and a field tagged
// `omitempty` drops SeverityUnknown (0) entirely.
type Severity int

// VendorSeverity maps a data source (e.g. NVD, a distro tracker) to the
// severity that source assigned.
type VendorSeverity map[SourceID]Severity

// CVSS holds the CVSS v2 and v3 vectors and base scores published by one
// source. Empty strings and zero scores are omitted from JSON.
type CVSS struct {
	V2Vector string  `json:"V2Vector,omitempty"`
	V3Vector string  `json:"V3Vector,omitempty"`
	V2Score  float64 `json:"V2Score,omitempty"`
	V3Score  float64 `json:"V3Score,omitempty"`
}

// CVSSVector carries only the vector strings, keyed as "v2"/"v3" in JSON.
type CVSSVector struct {
	V2 string `json:"v2,omitempty"`
	V3 string `json:"v3,omitempty"`
}

// VendorCVSS maps a data source to the CVSS data it published.
type VendorCVSS map[SourceID]CVSS
// Severity levels in ascending order. The integer value doubles as the index
// into SeverityNames, so the two lists must stay in the same order.
const (
	SeverityUnknown Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)
var (
	// SeverityNames are the canonical upper-case names, indexed by Severity.
	// NewSeverity parses against these exact strings and Severity.String
	// indexes into them, so this is mutable package-level state: appending to
	// or reordering it changes how severities parse and print.
	SeverityNames = []string{
		"UNKNOWN",
		"LOW",
		"MEDIUM",
		"HIGH",
		"CRITICAL",
	}
)
// NewSeverity parses a severity name. The match is exact and case-sensitive
// against SeverityNames ("LOW" matches, "low" does not). When nothing matches
// it returns SeverityUnknown together with an error that echoes the input.
func NewSeverity(severity string) (Severity, error) {
	for idx := range SeverityNames {
		if SeverityNames[idx] != severity {
			continue
		}
		return Severity(idx), nil
	}
	return SeverityUnknown, fmt.Errorf("unknown severity: %s", severity)
}
// CompareSeverityString orders two severity names. Parse errors are
// deliberately dropped: a name that is not in SeverityNames is treated as
// SeverityUnknown. The result is sev2 minus sev1, i.e. positive when sev2 is
// the more severe, so a comparator built on it ranks higher severities first.
func CompareSeverityString(sev1, sev2 string) int {
	lhs, _ := NewSeverity(sev1) // unknown names fall back to SeverityUnknown
	rhs, _ := NewSeverity(sev2)
	return int(rhs) - int(lhs)
}
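// String returns the canonical name of the severity (see SeverityNames).
// Severity values can originate from decoded data (for example
// VulnerabilityDetail.Severity is unmarshaled as a plain int), so a value
// outside the known range maps to the SeverityUnknown name instead of
// indexing out of bounds and panicking.
func (s Severity) String() string {
	if s < 0 || int(s) >= len(SeverityNames) {
		return SeverityNames[SeverityUnknown]
	}
	return SeverityNames[s]
}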
// LastUpdated records when a data source was last refreshed.
type LastUpdated struct {
	Date time.Time
}
// VulnerabilityDetail is the per-source view of a vulnerability as ingested
// from one feed. Every field is optional and omitted from JSON when zero.
// Severity and SeverityV3 are decoded as plain ints, so values read back from
// storage are not range-checked against the Severity constants here.
type VulnerabilityDetail struct {
	ID           string     `json:",omitempty"` // e.g. CVE-2019-8331, OSVDB-104365
	CvssScore    float64    `json:",omitempty"` // presumably the CVSS v2 score, since the V3 variants are separate — confirm
	CvssVector   string     `json:",omitempty"`
	CvssScoreV3  float64    `json:",omitempty"`
	CvssVectorV3 string     `json:",omitempty"`
	Severity     Severity   `json:",omitempty"` // SeverityUnknown (0) is dropped by omitempty
	SeverityV3   Severity   `json:",omitempty"`
	CweIDs       []string   `json:",omitempty"` // e.g. CWE-78, CWE-89
	References   []string   `json:",omitempty"`
	Title        string     `json:",omitempty"`
	Description  string     `json:",omitempty"`

	PublishedDate    *time.Time `json:",omitempty"` // Take from NVD
	LastModifiedDate *time.Time `json:",omitempty"` // Take from NVD
}
// AdvisoryDetail pairs an advisory payload with the platform and package it
// applies to. AdvisoryItem is untyped (interface{}): the producer decides the
// concrete type, so consumers must type-assert it rather than trust its shape.
type AdvisoryDetail struct {
	PlatformName string
	PackageName  string
	AdvisoryItem interface{}
}
// SourceID represents data source such as NVD.
type SourceID string

// DataSource identifies where an advisory or severity came from.
type DataSource struct {
	ID   SourceID `json:",omitempty"`
	Name string   `json:",omitempty"` // human-readable source name
	URL  string   `json:",omitempty"` // link to the source
}
// Advisory is one vendor advisory for one vulnerability on one platform/package.
// It has custom JSON (un)marshalers below: Status is excluded from the default
// encoding (`json:"-"`) and is persisted as an integer "Status" field instead.
type Advisory struct {
	VulnerabilityID string   `json:",omitempty"` // CVE-ID or vendor ID
	VendorIDs       []string `json:",omitempty"` // e.g. RHSA-ID and DSA-ID
	Arches          []string `json:",omitempty"`

	// It is filled only when FixedVersion is empty since it is obvious the state is "Fixed" when FixedVersion is not empty.
	// e.g. Will not fix and Affected
	// Excluded from the default JSON encoding; MarshalJSON/UnmarshalJSON carry it as an int.
	Status Status `json:"-"`

	// Tunnel DB has "vulnerability" bucket and severities are usually stored in the bucket per a vulnerability ID.
	// In some cases, the advisory may have multiple severities depending on the packages.
	// For example, CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3.
	// e.g. https://security-tracker.debian.org/tracker/CVE-2015-2328
	Severity Severity `json:",omitempty"`

	// Versions for os package
	FixedVersion    string `json:",omitempty"`
	AffectedVersion string `json:",omitempty"` // Only for Arch Linux

	// MajorVersion ranges for language-specific package
	// Some advisories provide VulnerableVersions only, others provide PatchedVersions and UnaffectedVersions
	VulnerableVersions []string `json:",omitempty"`
	PatchedVersions    []string `json:",omitempty"`
	UnaffectedVersions []string `json:",omitempty"`

	// DataSource holds where the advisory comes from
	DataSource *DataSource `json:",omitempty"`

	// Custom is basically for extensibility and is not supposed to be used in OSS
	// Being interface{}, it round-trips through JSON as whatever encoding/json
	// decodes (maps/slices/primitives), not as a typed struct.
	Custom interface{} `json:",omitempty"`
}
// _Advisory is an internal struct for Advisory to avoid infinite MarshalJSON loop.
// Being a distinct defined type it does not inherit Advisory's methods, so
// json.Marshal applies the default struct encoding to it.
type _Advisory Advisory

// dbAdvisory is the persisted shape: every Advisory field (Status excluded by
// its `json:"-"` tag) plus the status as an integer under the "Status" key.
// With omitempty a zero status is not written at all.
type dbAdvisory struct {
	_Advisory
	IntStatus int `json:"Status,omitempty"`
}
// MarshalJSON customizes how an Advisory is marshaled to JSON.
// It is used when saving the Advisory to the BoltDB database.
// To reduce the size of the database, the Status field is converted to an integer before being saved,
// while the status is normally exported as a string in JSON.
// This is done by creating an anonymous struct that has all the same fields as Advisory,
// but with the Status field replaced by an IntStatus field of type int.
// MarshalJSON customizes how an Advisory is marshaled to JSON.
// It is used when saving the Advisory to the BoltDB database.
// To reduce the size of the database, the Status field is converted to an integer before being saved,
// while the status is normally exported as a string in JSON.
// This is done by embedding the Advisory fields in dbAdvisory, whose IntStatus
// field takes the place of the `json:"-"` Status field under the "Status" key.
//
// Note the pointer receiver: encoding/json only calls this method when the
// Advisory is addressable (a *Advisory, or reached through a pointer or slice
// element). An Advisory passed to json.Marshal by value gets the default
// encoding, in which Status is simply absent.
func (a *Advisory) MarshalJSON() ([]byte, error) {
	stored := dbAdvisory{IntStatus: int(a.Status)}
	stored._Advisory = _Advisory(*a)
	return json.Marshal(stored)
}
// UnmarshalJSON is the inverse of MarshalJSON: it decodes the dbAdvisory shape
// and moves the integer "Status" back into the Status field. The integer is
// converted without range validation, so a stored value outside the known
// Status values is accepted as-is (Status is defined outside this file).
// Decode errors from encoding/json are returned unwrapped.
func (a *Advisory) UnmarshalJSON(data []byte) error {
	var stored dbAdvisory
	err := json.Unmarshal(data, &stored)
	if err != nil {
		return err
	}
	restored := Advisory(stored._Advisory)
	restored.Status = Status(stored.IntStatus)
	*a = restored
	return nil
}
// Advisories saves fixed versions for each arches/vendorIDs
// e.g. this is required when CVE has different fixed versions for different arches
// Entries is the current representation; FixedVersion and Custom at this level
// remain only so older stored records still decode.
type Advisories struct {
	FixedVersion string     `json:",omitempty"` // For backward compatibility
	Entries      []Advisory `json:",omitempty"`

	// Custom is basically for extensibility and is not supposed to be used in OSS
	Custom interface{} `json:",omitempty"` // For backward compatibility
}
// Vulnerability is the merged, source-independent record for one
// vulnerability ID: descriptive text, per-source severities and CVSS data,
// and NVD timestamps. All fields are omitted from JSON when empty.
type Vulnerability struct {
	Title          string         `json:",omitempty"`
	Description    string         `json:",omitempty"`
	Severity       string         `json:",omitempty"` // Selected from VendorSeverity, depending on a scan target
	CweIDs         []string       `json:",omitempty"` // e.g. CWE-78, CWE-89
	VendorSeverity VendorSeverity `json:",omitempty"` // severity per data source; nil/empty map is omitted
	CVSS           VendorCVSS     `json:",omitempty"` // CVSS vectors and scores per data source
	References     []string       `json:",omitempty"`

	PublishedDate    *time.Time `json:",omitempty"` // Take from NVD
	LastModifiedDate *time.Time `json:",omitempty"` // Take from NVD

	// Custom is basically for extensibility and is not supposed to be used in OSS
	Custom interface{} `json:",omitempty"`
}
// Ecosystem represents language-specific ecosystem
// (a package registry / language ecosystem name, stored as a plain string).
type Ecosystem string