From ce6c1b3395082cc55dbd77f9ae8a93285057270a Mon Sep 17 00:00:00 2001
From: abhisek
Date: Tue, 17 Jan 2023 13:07:16 +0530
Subject: [PATCH] Update Insight service API and client

---
 api/insights-v1.yml              | 53 +++++++++++++++++++++++++
 gen/insightapi/insights.types.go | 67 +++++++++++++++++++++++++++++---
 pkg/analyzer/json_dump.go        |  4 +-
 3 files changed, 116 insertions(+), 8 deletions(-)

diff --git a/api/insights-v1.yml b/api/insights-v1.yml
index 29062f3..633aaa9 100644
--- a/api/insights-v1.yml
+++ b/api/insights-v1.yml
@@ -757,6 +757,55 @@ components:
           type: integer
         link:
           type: string
+    PackageVulnerability:
+      type: object
+      description: |
+        Subset of OSV schema required to perform policy
+        decision by various tools
+      properties:
+        id:
+          type: string
+          description: Vulnerability identifier
+        summary:
+          type: string
+          description: Short summary of vulnerability
+        aliases:
+          type: array
+          items:
+            type: string
+          description: |
+            Alias identifiers of the same vulnerability in
+            other databases
+        related:
+          type: array
+          items:
+            type: string
+          description: |
+            Related vulnerability identifiers for similar issues
+            in
+        severities:
+          type: array
+          items:
+            type: object
+            properties:
+              type:
+                type: string
+                enum:
+                  - UNSPECIFIED
+                  - CVSS_V3
+                  - CVSS_V2
+              score:
+                type: string
+                description: Type specific vulnerability score
+              risk:
+                type: string
+                enum:
+                  - CRITICAL
+                  - HIGH
+                  - MEDIUM
+                  - LOW
+                  - UNKNOWN
+                description: Normalized risk rating computed from score
     PackageVersionInsight:
       type: object
       properties:
@@ -778,3 +827,7 @@ components:
             $ref: '#/components/schemas/PackageDependency'
         scorecard:
           $ref: '#/components/schemas/Scorecard'
+        vulnerabilities:
+          type: array
+          items:
+            $ref: '#/components/schemas/PackageVulnerability'
diff --git a/gen/insightapi/insights.types.go b/gen/insightapi/insights.types.go
index 4a23f7c..b58ed7e 100644
--- a/gen/insightapi/insights.types.go
+++ b/gen/insightapi/insights.types.go
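Review bot: Every property of the new `PackageVulnerability` schema is optional, so a policy tool can receive an entry with no `id` and nothing to match, suppress or allow-list against; add `required: [id]` (and probably `type` plus `score` inside the `severities` items) so the contract rejects such entries instead of leaving each consumer to handle them. The `score` description `Type specific vulnerability score` does not say what form the value takes — if this mirrors OSV's `severity[].score`, as the schema description suggests, then for `CVSS_V3`/`CVSS_V2` it is the CVSS vector string rather than a numeric base score, and a consumer that parses it as a number will fail or compare garbage; spell that out, e.g. `description: CVSS vector string for CVSS_V3/CVSS_V2 (per OSV); opaque for UNSPECIFIED`. The `related` description ends mid-sentence (`similar issues in`) and is carried verbatim into the generated Go comment; complete it, e.g. `Identifiers of closely related vulnerabilities (e.g. the same issue in other ecosystems)`, or whatever was intended. It would also help to state how `risk` is derived from `score` and which value it takes when `type` is `UNSPECIFIED`, since a policy decision keyed on `risk` is only as sound as that mapping.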
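Review bot: The new `vulnerabilities` field is optional and the spec does not say what its absence means, so a consumer that reads a missing field as "no known vulnerabilities" silently fails open whenever the service skipped or could not complete the vulnerability lookup. Either document the distinction, e.g. `description: Known vulnerabilities for this version; omitted when vulnerability data is unavailable, empty when none are known`, or make the field required with an empty array meaning none found. Whichever is chosen, a policy consumer needs to be able to tell "not assessed" from "clean", and right now only the server's unstated behaviour decides that.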
@@ -1021,6 +1021,28 @@ const (
 	LicenseZlibAcknowledgement License = "zlib-acknowledgement"
 )
 
+// Defines values for PackageVulnerabilitySeveritiesRisk.
+const (
+	PackageVulnerabilitySeveritiesRiskCRITICAL PackageVulnerabilitySeveritiesRisk = "CRITICAL"
+
+	PackageVulnerabilitySeveritiesRiskHIGH PackageVulnerabilitySeveritiesRisk = "HIGH"
+
+	PackageVulnerabilitySeveritiesRiskLOW PackageVulnerabilitySeveritiesRisk = "LOW"
+
+	PackageVulnerabilitySeveritiesRiskMEDIUM PackageVulnerabilitySeveritiesRisk = "MEDIUM"
+
+	PackageVulnerabilitySeveritiesRiskUNKNOWN PackageVulnerabilitySeveritiesRisk = "UNKNOWN"
+)
+
+// Defines values for PackageVulnerabilitySeveritiesType.
+const (
+	PackageVulnerabilitySeveritiesTypeCVSSV2 PackageVulnerabilitySeveritiesType = "CVSS_V2"
+
+	PackageVulnerabilitySeveritiesTypeCVSSV3 PackageVulnerabilitySeveritiesType = "CVSS_V3"
+
+	PackageVulnerabilitySeveritiesTypeUNSPECIFIED PackageVulnerabilitySeveritiesType = "UNSPECIFIED"
+)
+
 // Defines values for ScorecardVersion.
 const (
 	ScorecardVersionV2 ScorecardVersion = "V2"
@@ -1133,14 +1155,47 @@ type PackageVersion struct {
 
 // PackageVersionInsight defines model for PackageVersionInsight.
 type PackageVersionInsight struct {
-	Dependencies *[]PackageDependency `json:"dependencies,omitempty"`
-	Dependents *PackageDependents `json:"dependents,omitempty"`
-	Licenses *[]License `json:"licenses,omitempty"`
-	PackageVersion *PackageVersion `json:"package_version,omitempty"`
-	Projects *[]PackageProjectInfo `json:"projects,omitempty"`
-	Scorecard *Scorecard `json:"scorecard,omitempty"`
+	Dependencies *[]PackageDependency `json:"dependencies,omitempty"`
+	Dependents *PackageDependents `json:"dependents,omitempty"`
+	Licenses *[]License `json:"licenses,omitempty"`
+	PackageVersion *PackageVersion `json:"package_version,omitempty"`
+	Projects *[]PackageProjectInfo `json:"projects,omitempty"`
+	Scorecard *Scorecard `json:"scorecard,omitempty"`
+	Vulnerabilities *[]PackageVulnerability `json:"vulnerabilities,omitempty"`
 }
 
+// Subset of OSV schema required to perform policy
+// decision by various tools
+type PackageVulnerability struct {
+	// Alias identifiers of the same vulnerability in
+	// other databases
+	Aliases *[]string `json:"aliases,omitempty"`
+
+	// Vulnerability identifier
+	Id *string `json:"id,omitempty"`
+
+	// Related vulnerability identifiers for similar issues
+	// in
+	Related *[]string `json:"related,omitempty"`
+	Severities *[]struct {
+		// Normalized risk rating computed from score
+		Risk *PackageVulnerabilitySeveritiesRisk `json:"risk,omitempty"`
+
+		// Type specific vulnerability score
+		Score *string `json:"score,omitempty"`
+		Type *PackageVulnerabilitySeveritiesType `json:"type,omitempty"`
+	} `json:"severities,omitempty"`
+
+	// Short summary of vulnerability
+	Summary *string `json:"summary,omitempty"`
+}
+
+// Normalized risk rating computed from score
+type PackageVulnerabilitySeveritiesRisk string
+
+// PackageVulnerabilitySeveritiesType defines model for PackageVulnerability.Severities.Type.
+type PackageVulnerabilitySeveritiesType string
+
 // Scorecard defines model for Scorecard.
 type Scorecard struct {
 	Content *ScorecardContentV2 `json:"content,omitempty"`
diff --git a/pkg/analyzer/json_dump.go b/pkg/analyzer/json_dump.go
index 2c37051..877cc27 100644
--- a/pkg/analyzer/json_dump.go
+++ b/pkg/analyzer/json_dump.go
@@ -25,9 +25,9 @@ func NewJsonDumperAnalyzer(dir string) (Analyzer, error) {
 			if err != nil {
 				return nil, fmt.Errorf("cannot create dir: %w", err)
 			}
+		} else {
+			return nil, fmt.Errorf("cannot stat dir: %w", err)
 		}
-
-		return nil, fmt.Errorf("cannot stat dir: %w", err)
 	}
 
 	if !fi.IsDir() {
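Review bot: Once the directory has been created successfully, control now falls through to `if !fi.IsDir()` with `fi` still holding whatever the failed stat returned — presumably the nil `os.FileInfo` from an `os.Stat(dir)` above the hunk — so the first run against a missing directory is likely to panic on a nil dereference where the old code at least returned an error. Re-stat in the create branch right after the `cannot create dir` check, e.g. `if fi, err = os.Stat(dir); err != nil { return nil, fmt.Errorf("cannot stat dir: %w", err) }`, or return the constructed analyzer directly from that branch so the later `IsDir` check is never reached with a stale `fi`. The condition that selects the create branch and `fi`'s declaration are above the hunk, so confirm there that nothing else re-assigns `fi`. NewJsonDumperAnalyzer begins before this hunk and its body continues after it.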