github.com/google/go-github/v57@v57.0.0/github/security_advisories.go (about) 1 // Copyright 2023 The go-github AUTHORS. All rights reserved. 2 // 3 // Use of this source code is governed by a BSD-style 4 // license that can be found in the LICENSE file. 5 6 package github 7 8 import ( 9 "context" 10 "fmt" 11 ) 12 13 type SecurityAdvisoriesService service 14 15 // SecurityAdvisorySubmission represents the Security Advisory Submission. 16 type SecurityAdvisorySubmission struct { 17 // Accepted represents whether a private vulnerability report was accepted by the repository's administrators. 18 Accepted *bool `json:"accepted,omitempty"` 19 } 20 21 // RepoAdvisoryCredit represents the credit object for a repository Security Advisory. 22 type RepoAdvisoryCredit struct { 23 Login *string `json:"login,omitempty"` 24 Type *string `json:"type,omitempty"` 25 } 26 27 // RepoAdvisoryCreditDetailed represents a credit given to a user for a repository Security Advisory. 28 type RepoAdvisoryCreditDetailed struct { 29 User *User `json:"user,omitempty"` 30 Type *string `json:"type,omitempty"` 31 State *string `json:"state,omitempty"` 32 } 33 34 // ListRepositorySecurityAdvisoriesOptions specifies the optional parameters to list the repository security advisories. 35 type ListRepositorySecurityAdvisoriesOptions struct { 36 ListCursorOptions 37 38 // Direction in which to sort advisories. Possible values are: asc, desc. 39 // Default is "asc". 40 Direction string `url:"direction,omitempty"` 41 42 // Sort specifies how to sort advisories. Possible values are: created, updated, 43 // and published. Default value is "created". 44 Sort string `url:"sort,omitempty"` 45 46 // State filters advisories based on their state. Possible values are: triage, draft, published, closed. 47 State string `url:"state,omitempty"` 48 } 49 50 // ListGlobalSecurityAdvisoriesOptions specifies the optional parameters to list the global security advisories. 51 type ListGlobalSecurityAdvisoriesOptions struct { 52 ListCursorOptions 53 54 // If specified, only advisories with this GHSA (GitHub Security Advisory) identifier will be returned. 55 GHSAID *string `url:"ghsa_id,omitempty"` 56 57 // If specified, only advisories of this type will be returned. 58 // By default, a request with no other parameters defined will only return reviewed advisories that are not malware. 59 // Default: reviewed 60 // Can be one of: reviewed, malware, unreviewed 61 Type *string `url:"type,omitempty"` 62 63 // If specified, only advisories with this CVE (Common Vulnerabilities and Exposures) identifier will be returned. 64 CVEID *string `url:"cve_id,omitempty"` 65 66 // If specified, only advisories for these ecosystems will be returned. 67 // Can be one of: actions, composer, erlang, go, maven, npm, nuget, other, pip, pub, rubygems, rust 68 Ecosystem *string `url:"ecosystem,omitempty"` 69 70 // If specified, only advisories with these severities will be returned. 71 // Can be one of: unknown, low, medium, high, critical 72 Severity *string `url:"severity,omitempty"` 73 74 // If specified, only advisories with these Common Weakness Enumerations (CWEs) will be returned. 75 // Example: cwes=79,284,22 or cwes[]=79&cwes[]=284&cwes[]=22 76 CWEs []string `url:"cwes,omitempty"` 77 78 // Whether to only return advisories that have been withdrawn. 79 IsWithdrawn *bool `url:"is_withdrawn,omitempty"` 80 81 // If specified, only return advisories that affect any of package or package@version. 82 // A maximum of 1000 packages can be specified. If the query parameter causes 83 // the URL to exceed the maximum URL length supported by your client, you must specify fewer packages. 84 // Example: affects=package1,package2@1.0.0,package3@^2.0.0 or affects[]=package1&affects[]=package2@1.0.0 85 Affects *string `url:"affects,omitempty"` 86 87 // If specified, only return advisories that were published on a date or date range. 88 Published *string `url:"published,omitempty"` 89 90 // If specified, only return advisories that were updated on a date or date range. 91 Updated *string `url:"updated,omitempty"` 92 93 // If specified, only show advisories that were updated or published on a date or date range. 94 Modified *string `url:"modified,omitempty"` 95 } 96 97 // GlobalSecurityAdvisory represents the global security advisory object response. 98 type GlobalSecurityAdvisory struct { 99 SecurityAdvisory 100 ID *int64 `json:"id,omitempty"` 101 RepositoryAdvisoryURL *string `json:"repository_advisory_url,omitempty"` 102 Type *string `json:"type,omitempty"` 103 SourceCodeLocation *string `json:"source_code_location,omitempty"` 104 References []string `json:"references,omitempty"` 105 Vulnerabilities []*GlobalSecurityVulnerability `json:"vulnerabilities,omitempty"` 106 GithubReviewedAt *Timestamp `json:"github_reviewed_at,omitempty"` 107 NVDPublishedAt *Timestamp `json:"nvd_published_at,omitempty"` 108 Credits []*Credit `json:"credits,omitempty"` 109 } 110 111 // GlobalSecurityVulnerability represents a vulnerability for a global security advisory. 112 type GlobalSecurityVulnerability struct { 113 Package *VulnerabilityPackage `json:"package,omitempty"` 114 FirstPatchedVersion *string `json:"first_patched_version,omitempty"` 115 VulnerableVersionRange *string `json:"vulnerable_version_range,omitempty"` 116 VulnerableFunctions []string `json:"vulnerable_functions,omitempty"` 117 } 118 119 // Credit represents the credit object for a global security advisory. 120 type Credit struct { 121 User *User `json:"user,omitempty"` 122 Type *string `json:"type,omitempty"` 123 } 124 125 // RequestCVE requests a Common Vulnerabilities and Exposures (CVE) for a repository security advisory. 126 // The ghsaID is the GitHub Security Advisory identifier of the advisory. 127 // 128 // GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#request-a-cve-for-a-repository-security-advisory 129 // 130 //meta:operation POST /repos/{owner}/{repo}/security-advisories/{ghsa_id}/cve 131 func (s *SecurityAdvisoriesService) RequestCVE(ctx context.Context, owner, repo, ghsaID string) (*Response, error) { 132 url := fmt.Sprintf("repos/%v/%v/security-advisories/%v/cve", owner, repo, ghsaID) 133 134 req, err := s.client.NewRequest("POST", url, nil) 135 if err != nil { 136 return nil, err 137 } 138 139 resp, err := s.client.Do(ctx, req, nil) 140 if err != nil { 141 if _, ok := err.(*AcceptedError); ok { 142 return resp, nil 143 } 144 145 return resp, err 146 } 147 148 return resp, nil 149 } 150 151 // ListRepositorySecurityAdvisoriesForOrg lists the repository security advisories for an organization. 152 // 153 // GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#list-repository-security-advisories-for-an-organization 154 // 155 //meta:operation GET /orgs/{org}/security-advisories 156 func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisoriesForOrg(ctx context.Context, org string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) { 157 url := fmt.Sprintf("orgs/%v/security-advisories", org) 158 url, err := addOptions(url, opt) 159 if err != nil { 160 return nil, nil, err 161 } 162 163 req, err := s.client.NewRequest("GET", url, nil) 164 if err != nil { 165 return nil, nil, err 166 } 167 168 var advisories []*SecurityAdvisory 169 resp, err := s.client.Do(ctx, req, &advisories) 170 if err != nil { 171 return nil, resp, err 172 } 173 174 return advisories, resp, nil 175 } 176 177 // ListRepositorySecurityAdvisories lists the security advisories in a repository. 178 // 179 // GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#list-repository-security-advisories 180 // 181 //meta:operation GET /repos/{owner}/{repo}/security-advisories 182 func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisories(ctx context.Context, owner, repo string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) { 183 url := fmt.Sprintf("repos/%v/%v/security-advisories", owner, repo) 184 url, err := addOptions(url, opt) 185 if err != nil { 186 return nil, nil, err 187 } 188 189 req, err := s.client.NewRequest("GET", url, nil) 190 if err != nil { 191 return nil, nil, err 192 } 193 194 var advisories []*SecurityAdvisory 195 resp, err := s.client.Do(ctx, req, &advisories) 196 if err != nil { 197 return nil, resp, err 198 } 199 200 return advisories, resp, nil 201 } 202 203 // ListGlobalSecurityAdvisories lists all global security advisories. 204 // 205 // GitHub API docs: https://docs.github.com/rest/security-advisories/global-advisories#list-global-security-advisories 206 // 207 //meta:operation GET /advisories 208 func (s *SecurityAdvisoriesService) ListGlobalSecurityAdvisories(ctx context.Context, opts *ListGlobalSecurityAdvisoriesOptions) ([]*GlobalSecurityAdvisory, *Response, error) { 209 url := "advisories" 210 url, err := addOptions(url, opts) 211 if err != nil { 212 return nil, nil, err 213 } 214 215 req, err := s.client.NewRequest("GET", url, nil) 216 if err != nil { 217 return nil, nil, err 218 } 219 220 var advisories []*GlobalSecurityAdvisory 221 resp, err := s.client.Do(ctx, req, &advisories) 222 if err != nil { 223 return nil, resp, err 224 } 225 226 return advisories, resp, nil 227 } 228 229 // GetGlobalSecurityAdvisories gets a global security advisory using its GitHub Security Advisory (GHSA) identifier. 230 // 231 // GitHub API docs: https://docs.github.com/rest/security-advisories/global-advisories#get-a-global-security-advisory 232 // 233 //meta:operation GET /advisories/{ghsa_id} 234 func (s *SecurityAdvisoriesService) GetGlobalSecurityAdvisories(ctx context.Context, ghsaID string) (*GlobalSecurityAdvisory, *Response, error) { 235 url := fmt.Sprintf("advisories/%s", ghsaID) 236 req, err := s.client.NewRequest("GET", url, nil) 237 if err != nil { 238 return nil, nil, err 239 } 240 241 var advisory *GlobalSecurityAdvisory 242 resp, err := s.client.Do(ctx, req, &advisory) 243 if err != nil { 244 return nil, resp, err 245 } 246 247 return advisory, resp, nil 248 }