Source: security_advisories.go in package github.com/google/go-github/v66/github

Source File
	security_advisories.go

Belonging Package
	github.com/google/go-github/v66/github

// Copyright 2023 The go-github AUTHORS. All rights reserved.
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package github

import (
	"context"
	"encoding/json"
	"fmt"
)

type SecurityAdvisoriesService service

// SecurityAdvisorySubmission represents the Security Advisory Submission.
type SecurityAdvisorySubmission struct {
	// Accepted represents whether a private vulnerability report was accepted by the repository's administrators.
	Accepted *bool `json:"accepted,omitempty"`
}

// RepoAdvisoryCredit represents the credit object for a repository Security Advisory.
type RepoAdvisoryCredit struct {
	Login *string `json:"login,omitempty"`
	Type  *string `json:"type,omitempty"`
}

// RepoAdvisoryCreditDetailed represents a credit given to a user for a repository Security Advisory.
type RepoAdvisoryCreditDetailed struct {
	User  *User   `json:"user,omitempty"`
	Type  *string `json:"type,omitempty"`
	State *string `json:"state,omitempty"`
}

// ListRepositorySecurityAdvisoriesOptions specifies the optional parameters to list the repository security advisories.
type ListRepositorySecurityAdvisoriesOptions struct {
	ListCursorOptions

	// Direction in which to sort advisories. Possible values are: asc, desc.
	// Default is "asc".
	Direction string `url:"direction,omitempty"`

	// Sort specifies how to sort advisories. Possible values are: created, updated,
	// and published. Default value is "created".
	Sort string `url:"sort,omitempty"`

	// State filters advisories based on their state. Possible values are: triage, draft, published, closed.
	State string `url:"state,omitempty"`
}

// ListGlobalSecurityAdvisoriesOptions specifies the optional parameters to list the global security advisories.
type ListGlobalSecurityAdvisoriesOptions struct {
	ListCursorOptions

	// If specified, only advisories with this GHSA (GitHub Security Advisory) identifier will be returned.
	GHSAID *string `url:"ghsa_id,omitempty"`

	// If specified, only advisories of this type will be returned.
	// By default, a request with no other parameters defined will only return reviewed advisories that are not malware.
	// Default: reviewed
	// Can be one of: reviewed, malware, unreviewed
	Type *string `url:"type,omitempty"`

	// If specified, only advisories with this CVE (Common Vulnerabilities and Exposures) identifier will be returned.
	CVEID *string `url:"cve_id,omitempty"`

	// If specified, only advisories for these ecosystems will be returned.
	// Can be one of: actions, composer, erlang, go, maven, npm, nuget, other, pip, pub, rubygems, rust
	Ecosystem *string `url:"ecosystem,omitempty"`

	// If specified, only advisories with these severities will be returned.
	// Can be one of: unknown, low, medium, high, critical
	Severity *string `url:"severity,omitempty"`

	// If specified, only advisories with these Common Weakness Enumerations (CWEs) will be returned.
	// Example: cwes=79,284,22 or cwes[]=79&cwes[]=284&cwes[]=22
	CWEs []string `url:"cwes,omitempty"`

	// Whether to only return advisories that have been withdrawn.
	IsWithdrawn *bool `url:"is_withdrawn,omitempty"`

	// If specified, only return advisories that affect any of package or package@version.
	// A maximum of 1000 packages can be specified. If the query parameter causes
	// the URL to exceed the maximum URL length supported by your client, you must specify fewer packages.
	// Example: affects=package1,package2@1.0.0,package3@^2.0.0 or affects[]=package1&affects[]=package2@1.0.0
	Affects *string `url:"affects,omitempty"`

	// If specified, only return advisories that were published on a date or date range.
	Published *string `url:"published,omitempty"`

	// If specified, only return advisories that were updated on a date or date range.
	Updated *string `url:"updated,omitempty"`

	// If specified, only show advisories that were updated or published on a date or date range.
	Modified *string `url:"modified,omitempty"`
}

// GlobalSecurityAdvisory represents the global security advisory object response.
type GlobalSecurityAdvisory struct {
	SecurityAdvisory
	ID                    *int64                         `json:"id,omitempty"`
	RepositoryAdvisoryURL *string                        `json:"repository_advisory_url,omitempty"`
	Type                  *string                        `json:"type,omitempty"`
	SourceCodeLocation    *string                        `json:"source_code_location,omitempty"`
	References            []string                       `json:"references,omitempty"`
	Vulnerabilities       []*GlobalSecurityVulnerability `json:"vulnerabilities,omitempty"`
	GithubReviewedAt      *Timestamp                     `json:"github_reviewed_at,omitempty"`
	NVDPublishedAt        *Timestamp                     `json:"nvd_published_at,omitempty"`
	Credits               []*Credit                      `json:"credits,omitempty"`
}

// GlobalSecurityVulnerability represents a vulnerability for a global security advisory.
type GlobalSecurityVulnerability struct {
	Package                *VulnerabilityPackage `json:"package,omitempty"`
	FirstPatchedVersion    *string               `json:"first_patched_version,omitempty"`
	VulnerableVersionRange *string               `json:"vulnerable_version_range,omitempty"`
	VulnerableFunctions    []string              `json:"vulnerable_functions,omitempty"`
}

// Credit represents the credit object for a global security advisory.
type Credit struct {
	User *User   `json:"user,omitempty"`
	Type *string `json:"type,omitempty"`
}

// RequestCVE requests a Common Vulnerabilities and Exposures (CVE) for a repository security advisory.
// The ghsaID is the GitHub Security Advisory identifier of the advisory.
//
// GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#request-a-cve-for-a-repository-security-advisory
//
//meta:operation POST /repos/{owner}/{repo}/security-advisories/{ghsa_id}/cve
func (s *SecurityAdvisoriesService) RequestCVE(ctx context.Context, owner, repo, ghsaID string) (*Response, error) {
	url := fmt.Sprintf("repos/%v/%v/security-advisories/%v/cve", owner, repo, ghsaID)

	req, err := s.client.NewRequest("POST", url, nil)
	if err != nil {
		return nil, err
	}

	resp, err := s.client.Do(ctx, req, nil)
	if err != nil {
		if _, ok := err.(*AcceptedError); ok {
			return resp, nil
		}

		return resp, err
	}

	return resp, nil
}

// CreateTemporaryPrivateFork creates a temporary private fork to collaborate on fixing a security vulnerability in your repository.
// The ghsaID is the GitHub Security Advisory identifier of the advisory.
//
// GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#create-a-temporary-private-fork
//
//meta:operation POST /repos/{owner}/{repo}/security-advisories/{ghsa_id}/forks
func (s *SecurityAdvisoriesService) CreateTemporaryPrivateFork(ctx context.Context, owner, repo, ghsaID string) (*Repository, *Response, error) {
	url := fmt.Sprintf("repos/%v/%v/security-advisories/%v/forks", owner, repo, ghsaID)

	req, err := s.client.NewRequest("POST", url, nil)
	if err != nil {
		return nil, nil, err
	}

	fork := new(Repository)
	resp, err := s.client.Do(ctx, req, fork)
	if err != nil {
		if aerr, ok := err.(*AcceptedError); ok {
			if err := json.Unmarshal(aerr.Raw, fork); err != nil {
				return fork, resp, err
			}

			return fork, resp, err
		}
		return nil, resp, err
	}

	return fork, resp, nil
}

// ListRepositorySecurityAdvisoriesForOrg lists the repository security advisories for an organization.
//
// GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#list-repository-security-advisories-for-an-organization
//
//meta:operation GET /orgs/{org}/security-advisories
func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisoriesForOrg(ctx context.Context, org string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) {
	url := fmt.Sprintf("orgs/%v/security-advisories", org)
	url, err := addOptions(url, opt)
	if err != nil {
		return nil, nil, err
	}

	req, err := s.client.NewRequest("GET", url, nil)
	if err != nil {
		return nil, nil, err
	}

	var advisories []*SecurityAdvisory
	resp, err := s.client.Do(ctx, req, &advisories)
	if err != nil {
		return nil, resp, err
	}

	return advisories, resp, nil
}

// ListRepositorySecurityAdvisories lists the security advisories in a repository.
//
// GitHub API docs: https://docs.github.com/rest/security-advisories/repository-advisories#list-repository-security-advisories
//
//meta:operation GET /repos/{owner}/{repo}/security-advisories
func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisories(ctx context.Context, owner, repo string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) {
	url := fmt.Sprintf("repos/%v/%v/security-advisories", owner, repo)
	url, err := addOptions(url, opt)
	if err != nil {
		return nil, nil, err
	}

	req, err := s.client.NewRequest("GET", url, nil)
	if err != nil {
		return nil, nil, err
	}

	var advisories []*SecurityAdvisory
	resp, err := s.client.Do(ctx, req, &advisories)
	if err != nil {
		return nil, resp, err
	}

	return advisories, resp, nil
}

// ListGlobalSecurityAdvisories lists all global security advisories.
//
// GitHub API docs: https://docs.github.com/rest/security-advisories/global-advisories#list-global-security-advisories
//
//meta:operation GET /advisories
func (s *SecurityAdvisoriesService) ListGlobalSecurityAdvisories(ctx context.Context, opts *ListGlobalSecurityAdvisoriesOptions) ([]*GlobalSecurityAdvisory, *Response, error) {
	url := "advisories"
	url, err := addOptions(url, opts)
	if err != nil {
		return nil, nil, err
	}

	req, err := s.client.NewRequest("GET", url, nil)
	if err != nil {
		return nil, nil, err
	}

	var advisories []*GlobalSecurityAdvisory
	resp, err := s.client.Do(ctx, req, &advisories)
	if err != nil {
		return nil, resp, err
	}

	return advisories, resp, nil
}

// GetGlobalSecurityAdvisories gets a global security advisory using its GitHub Security Advisory (GHSA) identifier.
//
// GitHub API docs: https://docs.github.com/rest/security-advisories/global-advisories#get-a-global-security-advisory
//
//meta:operation GET /advisories/{ghsa_id}
func (s *SecurityAdvisoriesService) GetGlobalSecurityAdvisories(ctx context.Context, ghsaID string) (*GlobalSecurityAdvisory, *Response, error) {
	url := fmt.Sprintf("advisories/%s", ghsaID)
	req, err := s.client.NewRequest("GET", url, nil)
	if err != nil {
		return nil, nil, err
	}

	var advisory *GlobalSecurityAdvisory
	resp, err := s.client.Do(ctx, req, &advisory)
	if err != nil {
		return nil, resp, err
	}

	return advisory, resp, nil
}


The pages are generated with Golds v0.8.2. (GOOS=linux GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @zigo_101 (reachable from the left QR code) to get the latest news of Golds.