github.com/google/go-github/v71@v71.0.0/github/security_advisories.go (about) 1 // Copyright 2023 The go-github AUTHORS. All rights reserved. 2 // 3 // Use of this source code is governed by a BSD-style 4 // license that can be found in the LICENSE file. 5 6 package github 7 8 import ( 9 "context" 10 "encoding/json" 11 "fmt" 12 ) 13 14 type SecurityAdvisoriesService service 15 16 // SecurityAdvisorySubmission represents the Security Advisory Submission. 17 type SecurityAdvisorySubmission struct { 18 // Accepted represents whether a private vulnerability report was accepted by the repository's administrators. 19 Accepted *bool `json:"accepted,omitempty"` 20 } 21 22 // RepoAdvisoryCredit represents the credit object for a repository Security Advisory. 23 type RepoAdvisoryCredit struct { 24 Login *string `json:"login,omitempty"` 25 Type *string `json:"type,omitempty"` 26 } 27 28 // RepoAdvisoryCreditDetailed represents a credit given to a user for a repository Security Advisory. 29 type RepoAdvisoryCreditDetailed struct { 30 User *User `json:"user,omitempty"` 31 Type *string `json:"type,omitempty"` 32 State *string `json:"state,omitempty"` 33 } 34 35 // ListRepositorySecurityAdvisoriesOptions specifies the optional parameters to list the repository security advisories. 36 type ListRepositorySecurityAdvisoriesOptions struct { 37 ListCursorOptions 38 39 // Direction in which to sort advisories. Possible values are: asc, desc. 40 // Default is "asc". 41 Direction string `url:"direction,omitempty"` 42 43 // Sort specifies how to sort advisories. Possible values are: created, updated, 44 // and published. Default value is "created". 45 Sort string `url:"sort,omitempty"` 46 47 // State filters advisories based on their state. Possible values are: triage, draft, published, closed. 48 State string `url:"state,omitempty"` 49 } 50 51 // ListGlobalSecurityAdvisoriesOptions specifies the optional parameters to list the global security advisories. 52 type ListGlobalSecurityAdvisoriesOptions struct { 53 ListCursorOptions 54 55 // If specified, only advisories with this GHSA (GitHub Security Advisory) identifier will be returned. 56 GHSAID *string `url:"ghsa_id,omitempty"` 57 58 // If specified, only advisories of this type will be returned. 59 // By default, a request with no other parameters defined will only return reviewed advisories that are not malware. 60 // Default: reviewed 61 // Can be one of: reviewed, malware, unreviewed 62 Type *string `url:"type,omitempty"` 63 64 // If specified, only advisories with this CVE (Common Vulnerabilities and Exposures) identifier will be returned. 65 CVEID *string `url:"cve_id,omitempty"` 66 67 // If specified, only advisories for these ecosystems will be returned. 68 // Can be one of: actions, composer, erlang, go, maven, npm, nuget, other, pip, pub, rubygems, rust 69 Ecosystem *string `url:"ecosystem,omitempty"` 70 71 // If specified, only advisories with these severities will be returned. 72 // Can be one of: unknown, low, medium, high, critical 73 Severity *string `url:"severity,omitempty"` 74 75 // If specified, only advisories with these Common Weakness Enumerations (CWEs) will be returned. 76 // Example: cwes=79,284,22 or cwes[]=79&cwes[]=284&cwes[]=22 77 CWEs []string `url:"cwes,omitempty"` 78 79 // Whether to only return advisories that have been withdrawn. 80 IsWithdrawn *bool `url:"is_withdrawn,omitempty"` 81 82 // If specified, only return advisories that affect any of package or package@version. 83 // A maximum of 1000 packages can be specified. If the query parameter causes 84 // the URL to exceed the maximum URL length supported by your client, you must specify fewer packages. 85 // Example: affects=package1,package2@1.0.0,package3@^2.0.0 or affects[]=package1&affects[]=package2@1.0.0 86 Affects *string `url:"affects,omitempty"` 87 88 // If specified, only return advisories that were published on a date or date range. 89 Published *string `url:"published,omitempty"` 90 91 // If specified, only return advisories that were updated on a date or date range. 92 Updated *string `url:"updated,omitempty"` 93 94 // If specified, only show advisories that were updated or published on a date or date range. 95 Modified *string `url:"modified,omitempty"` 96 } 97 98 // GlobalSecurityAdvisory represents the global security advisory object response. 99 type GlobalSecurityAdvisory struct { 100 SecurityAdvisory 101 ID *int64 `json:"id,omitempty"` 102 RepositoryAdvisoryURL *string `json:"repository_advisory_url,omitempty"` 103 Type *string `json:"type,omitempty"` 104 SourceCodeLocation *string `json:"source_code_location,omitempty"` 105 References []string `json:"references,omitempty"` 106 Vulnerabilities []*GlobalSecurityVulnerability `json:"vulnerabilities,omitempty"` 107 GithubReviewedAt *Timestamp `json:"github_reviewed_at,omitempty"` 108 NVDPublishedAt *Timestamp `json:"nvd_published_at,omitempty"` 109 Credits []*Credit `json:"credits,omitempty"` 110 } 111 112 // GlobalSecurityVulnerability represents a vulnerability for a global security advisory. 113 type GlobalSecurityVulnerability struct { 114 Package *VulnerabilityPackage `json:"package,omitempty"` 115 FirstPatchedVersion *string `json:"first_patched_version,omitempty"` 116 VulnerableVersionRange *string `json:"vulnerable_version_range,omitempty"` 117 VulnerableFunctions []string `json:"vulnerable_functions,omitempty"` 118 } 119 120 // Credit represents the credit object for a global security advisory. 121 type Credit struct { 122 User *User `json:"user,omitempty"` 123 Type *string `json:"type,omitempty"` 124 } 125 126 // RequestCVE requests a Common Vulnerabilities and Exposures (CVE) for a repository security advisory. 127 // The ghsaID is the GitHub Security Advisory identifier of the advisory. 128 // 129 // GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#request-a-cve-for-a-repository-security-advisory 130 // 131 //meta:operation POST /repos/{owner}/{repo}/security-advisories/{ghsa_id}/cve 132 func (s *SecurityAdvisoriesService) RequestCVE(ctx context.Context, owner, repo, ghsaID string) (*Response, error) { 133 url := fmt.Sprintf("repos/%v/%v/security-advisories/%v/cve", owner, repo, ghsaID) 134 135 req, err := s.client.NewRequest("POST", url, nil) 136 if err != nil { 137 return nil, err 138 } 139 140 resp, err := s.client.Do(ctx, req, nil) 141 if err != nil { 142 if _, ok := err.(*AcceptedError); ok { 143 return resp, nil 144 } 145 146 return resp, err 147 } 148 149 return resp, nil 150 } 151 152 // CreateTemporaryPrivateFork creates a temporary private fork to collaborate on fixing a security vulnerability in your repository. 153 // The ghsaID is the GitHub Security Advisory identifier of the advisory. 154 // 155 // GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#create-a-temporary-private-fork 156 // 157 //meta:operation POST /repos/{owner}/{repo}/security-advisories/{ghsa_id}/forks 158 func (s *SecurityAdvisoriesService) CreateTemporaryPrivateFork(ctx context.Context, owner, repo, ghsaID string) (*Repository, *Response, error) { 159 url := fmt.Sprintf("repos/%v/%v/security-advisories/%v/forks", owner, repo, ghsaID) 160 161 req, err := s.client.NewRequest("POST", url, nil) 162 if err != nil { 163 return nil, nil, err 164 } 165 166 fork := new(Repository) 167 resp, err := s.client.Do(ctx, req, fork) 168 if err != nil { 169 if aerr, ok := err.(*AcceptedError); ok { 170 if err := json.Unmarshal(aerr.Raw, fork); err != nil { 171 return fork, resp, err 172 } 173 174 return fork, resp, err 175 } 176 return nil, resp, err 177 } 178 179 return fork, resp, nil 180 } 181 182 // ListRepositorySecurityAdvisoriesForOrg lists the repository security advisories for an organization. 183 // 184 // GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#list-repository-security-advisories-for-an-organization 185 // 186 //meta:operation GET /orgs/{org}/security-advisories 187 func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisoriesForOrg(ctx context.Context, org string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) { 188 url := fmt.Sprintf("orgs/%v/security-advisories", org) 189 url, err := addOptions(url, opt) 190 if err != nil { 191 return nil, nil, err 192 } 193 194 req, err := s.client.NewRequest("GET", url, nil) 195 if err != nil { 196 return nil, nil, err 197 } 198 199 var advisories []*SecurityAdvisory 200 resp, err := s.client.Do(ctx, req, &advisories) 201 if err != nil { 202 return nil, resp, err 203 } 204 205 return advisories, resp, nil 206 } 207 208 // ListRepositorySecurityAdvisories lists the security advisories in a repository. 209 // 210 // GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#list-repository-security-advisories 211 // 212 //meta:operation GET /repos/{owner}/{repo}/security-advisories 213 func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisories(ctx context.Context, owner, repo string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) { 214 url := fmt.Sprintf("repos/%v/%v/security-advisories", owner, repo) 215 url, err := addOptions(url, opt) 216 if err != nil { 217 return nil, nil, err 218 } 219 220 req, err := s.client.NewRequest("GET", url, nil) 221 if err != nil { 222 return nil, nil, err 223 } 224 225 var advisories []*SecurityAdvisory 226 resp, err := s.client.Do(ctx, req, &advisories) 227 if err != nil { 228 return nil, resp, err 229 } 230 231 return advisories, resp, nil 232 } 233 234 // ListGlobalSecurityAdvisories lists all global security advisories. 235 // 236 // GitHub API docs: https://docs.github.com/rest/security-advisories/global-advisories#list-global-security-advisories 237 // 238 //meta:operation GET /advisories 239 func (s *SecurityAdvisoriesService) ListGlobalSecurityAdvisories(ctx context.Context, opts *ListGlobalSecurityAdvisoriesOptions) ([]*GlobalSecurityAdvisory, *Response, error) { 240 url := "advisories" 241 url, err := addOptions(url, opts) 242 if err != nil { 243 return nil, nil, err 244 } 245 246 req, err := s.client.NewRequest("GET", url, nil) 247 if err != nil { 248 return nil, nil, err 249 } 250 251 var advisories []*GlobalSecurityAdvisory 252 resp, err := s.client.Do(ctx, req, &advisories) 253 if err != nil { 254 return nil, resp, err 255 } 256 257 return advisories, resp, nil 258 } 259 260 // GetGlobalSecurityAdvisories gets a global security advisory using its GitHub Security Advisory (GHSA) identifier. 261 // 262 // GitHub API docs: https://docs.github.com/rest/security-advisories/global-advisories#get-a-global-security-advisory 263 // 264 //meta:operation GET /advisories/{ghsa_id} 265 func (s *SecurityAdvisoriesService) GetGlobalSecurityAdvisories(ctx context.Context, ghsaID string) (*GlobalSecurityAdvisory, *Response, error) { 266 url := fmt.Sprintf("advisories/%s", ghsaID) 267 req, err := s.client.NewRequest("GET", url, nil) 268 if err != nil { 269 return nil, nil, err 270 } 271 272 var advisory *GlobalSecurityAdvisory 273 resp, err := s.client.Do(ctx, req, &advisory) 274 if err != nil { 275 return nil, resp, err 276 } 277 278 return advisory, resp, nil 279 }