package v2

import (
	"fmt"
	"slices"
	"strings"
)

// Each FPType* constant names one reason a vulnerability match may be
// recorded as a false positive. The string value is what is serialized
// through the yaml tag on FalsePositiveDetermination.Type, so these values
// must stay stable; the complete set of accepted values is listed in FPTypes.
const (
	// FPTypeVulnerabilityRecordAnalysisContested indicates that the distro
	// maintainers view the vulnerability record itself to be describing a behavior
	// that is not a security concern or that misattributes security fault to the
	// software in the distro package.
	//
	// VEX compatibility note: this type should be mapped to the
	// "vulnerable_code_not_present" justification.
	FPTypeVulnerabilityRecordAnalysisContested = "vulnerability-record-analysis-contested"

	// FPTypeComponentVulnerabilityMismatch indicates that the component referred to
	// by the vulnerability record is not the component found in the distribution
	// package. (For example, perhaps a vulnerability scanner found a vulnerability
	// for a package with the same name, but for a different language ecosystem.)
	//
	// VEX compatibility note: this type should be mapped to the
	// "component_not_present" justification.
	FPTypeComponentVulnerabilityMismatch = "component-vulnerability-mismatch"

	// FPTypeVulnerableCodeVersionNotUsed indicates that the vulnerability was
	// correctly matched to the component, except that the version(s) of the
	// component referred to by the vulnerability record have never been present in
	// a release of the distribution package.
	//
	// VEX compatibility note: this type should be mapped to the
	// "vulnerable_code_not_present" justification.
	FPTypeVulnerableCodeVersionNotUsed = "vulnerable-code-version-not-used"

	// FPTypeVulnerableCodeNotIncludedInPackage indicates that the vulnerable code
	// (e.g. a particular function) may have been available for use or retrieved
	// during the package build process but ultimately was not included in the
	// distro package.
	//
	// VEX compatibility note: this type should be mapped to the
	// "vulnerable_code_not_present" justification.
	FPTypeVulnerableCodeNotIncludedInPackage = "vulnerable-code-not-included-in-package"

	// FPTypeVulnerableCodeNotInExecutionPath indicates that the vulnerable code (e.g.
	// a particular function) is present in the package, but it is impossible for
	// this code to be executed in the package.
	//
	// VEX compatibility note: this type should be mapped to the
	// "vulnerable_code_not_in_execute_path" justification.
	FPTypeVulnerableCodeNotInExecutionPath = "vulnerable-code-not-in-execution-path"

	// FPTypeVulnerableCodeCannotBeControlledByAdversary indicates that the
	// vulnerable code is present and able to be executed, but not in a way that can
	// be exploited by an adversary.
	//
	// VEX compatibility note: this type should be mapped to the
	// "vulnerable_code_cannot_be_controlled_by_adversary" justification.
	FPTypeVulnerableCodeCannotBeControlledByAdversary = "vulnerable-code-cannot-be-controlled-by-adversary"

	// FPTypeInlineMitigationsExist indicates that the vulnerable code is present
	// and able to be exploited by an adversary, but that the vulnerability is
	// mitigated by other code in the package.
	//
	// VEX compatibility note: this type should be mapped to the
	// "inline_mitigations_already_exist" justification.
	FPTypeInlineMitigationsExist = "inline-mitigations-exist"
)

// FPTypes is the closed list of values accepted for
// FalsePositiveDetermination.Type. Validate accepts a Type only if it appears
// here, and its error message lists the entries in this order. Because this
// is an exported, mutable package variable, code that appended to or
// reordered it would change what Validate accepts; treat it as read-only.
var FPTypes = []string{
	FPTypeVulnerabilityRecordAnalysisContested,
	FPTypeComponentVulnerabilityMismatch,
	FPTypeVulnerableCodeVersionNotUsed,
	FPTypeVulnerableCodeNotIncludedInPackage,
	FPTypeVulnerableCodeNotInExecutionPath,
	FPTypeVulnerableCodeCannotBeControlledByAdversary,
	FPTypeInlineMitigationsExist,
}

// FalsePositiveDetermination is an event that indicates that a previously
// detected vulnerability was determined to be a false positive.
type FalsePositiveDetermination struct {
	// Type categorizes why the match is a false positive. It must be one of
	// the FPType* constants collected in FPTypes; Validate rejects any other
	// value, including the empty string.
	Type string `yaml:"type"`

	// Note is free-form context for the determination. It is optional and is
	// left out of the YAML output when empty.
	Note string `yaml:"note,omitempty"`
}

// Validate reports whether the determination is well-formed. It returns nil
// when Type is one of the values in FPTypes and otherwise an error naming the
// rejected value and every accepted one. Note is not checked.
func (fp FalsePositiveDetermination) Validate() error {
	// Exact string match against the closed allow-list: no case folding or
	// trimming, so a value that differs only in case or whitespace is rejected.
	if slices.Contains(FPTypes, fp.Type) {
		return nil
	}

	accepted := strings.Join(FPTypes, ", ")
	return fmt.Errorf("invalid false positive determination type %q, must be one of [%s]", fp.Type, accepted)
}