json-schema-diff 0.1.0

data/examples/capslock/capslock-v0.5.0.json

@@ -0,0 +1,78 @@
+{
+  "capability_info": [
+    {
+      "package_name": "github.com/example/myapp",
+      "capability": "CAPABILITY_FILES",
+      "dep_path": "direct",
+      "path": [
+        {
+          "name": "ReadConfig",
+          "site": {
+            "filename": "config.go",
+            "line": 42,
+            "column": 8
+          },
+          "package": "github.com/example/myapp/config"
+        },
+        {
+          "name": "os.ReadFile",
+          "site": {
+            "filename": "config.go",
+            "line": 45,
+            "column": 12
+          },
+          "package": "os"
+        }
+      ],
+      "package_dir": "/home/user/myapp",
+      "capability_type": "CAPABILITY_TYPE_DIRECT"
+    },
+    {
+      "package_name": "github.com/example/myapp/server",
+      "capability": "CAPABILITY_NETWORK",
+      "dep_path": "direct",
+      "path": [
+        {
+          "name": "StartServer",
+          "site": {
+            "filename": "server.go",
+            "line": 25,
+            "column": 5
+          },
+          "package": "github.com/example/myapp/server"
+        },
+        {
+          "name": "http.ListenAndServe",
+          "site": {
+            "filename": "server.go",
+            "line": 30,
+            "column": 8
+          },
+          "package": "net/http"
+        }
+      ],
+      "package_dir": "/home/user/myapp/server",
+      "capability_type": "CAPABILITY_TYPE_DIRECT"
+    }
+  ],
+  "module_info": [
+    {
+      "path": "github.com/example/myapp",
+      "version": "v1.0.0"
+    },
+    {
+      "path": "github.com/gorilla/mux",
+      "version": "v1.8.0"
+    }
+  ],
+  "package_info": [
+    {
+      "path": "github.com/example/myapp",
+      "ignored_files": []
+    },
+    {
+      "path": "github.com/example/myapp/server",
+      "ignored_files": ["server_test.go"]
+    }
+  ]
+}

data/examples/capslock/capslock-v0.6.0.json

@@ -0,0 +1,113 @@
+{
+  "capability_info": [
+    {
+      "package_name": "github.com/example/myapp",
+      "capability": "CAPABILITY_FILES",
+      "dep_path": "direct",
+      "path": [
+        {
+          "name": "ReadConfig",
+          "site": {
+            "filename": "config.go",
+            "line": 42,
+            "column": 8
+          },
+          "package": "github.com/example/myapp/config"
+        },
+        {
+          "name": "os.ReadFile",
+          "site": {
+            "filename": "config.go",
+            "line": 45,
+            "column": 12
+          },
+          "package": "os"
+        }
+      ],
+      "package_dir": "/home/user/myapp",
+      "capability_type": "CAPABILITY_TYPE_DIRECT"
+    },
+    {
+      "package_name": "github.com/example/myapp/server",
+      "capability": "CAPABILITY_NETWORK",
+      "dep_path": "direct",
+      "path": [
+        {
+          "name": "StartServer",
+          "site": {
+            "filename": "server.go",
+            "line": 25,
+            "column": 5
+          },
+          "package": "github.com/example/myapp/server"
+        },
+        {
+          "name": "http.ListenAndServe",
+          "site": {
+            "filename": "server.go",
+            "line": 30,
+            "column": 8
+          },
+          "package": "net/http"
+        }
+      ],
+      "package_dir": "/home/user/myapp/server",
+      "capability_type": "CAPABILITY_TYPE_DIRECT"
+    },
+    {
+      "package_name": "github.com/example/myapp/crypto",
+      "capability": "CAPABILITY_ARBITRARY_EXECUTION",
+      "dep_path": "github.com/suspicious/lib@v1.2.3",
+      "path": [
+        {
+          "name": "ProcessData",
+          "site": {
+            "filename": "crypto.go",
+            "line": 15,
+            "column": 10
+          },
+          "package": "github.com/example/myapp/crypto"
+        },
+        {
+          "name": "ExecuteCode",
+          "site": {
+            "filename": "executor.go",
+            "line": 88,
+            "column": 2
+          },
+          "package": "github.com/suspicious/lib/executor"
+        }
+      ],
+      "package_dir": "/home/user/myapp/crypto",
+      "capability_type": "CAPABILITY_TYPE_TRANSITIVE"
+    }
+  ],
+  "module_info": [
+    {
+      "path": "github.com/example/myapp",
+      "version": "v1.1.0"
+    },
+    {
+      "path": "github.com/gorilla/mux",
+      "version": "v1.8.1"
+    },
+    {
+      "path": "github.com/suspicious/lib",
+      "version": "v1.2.3"
+    }
+  ],
+  "package_info": [
+    {
+      "path": "github.com/example/myapp",
+      "ignored_files": []
+    },
+    {
+      "path": "github.com/example/myapp/server",
+      "ignored_files": ["server_test.go"]
+    },
+    {
+      "path": "github.com/example/myapp/crypto",
+      "ignored_files": []
+    }
+  ]
+}

data/examples/capslock/capslock.schema.json

@@ -0,0 +1,169 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/google/capslock/schema/output.json",
+  "title": "Capslock CLI JSON Output Schema",
+  "description": "JSON schema for the output of the capslock CLI tool when using -output=json",
+  "type": "object",
+  "properties": {
+    "capability_info": {
+      "type": "array",
+      "description": "List of capability information for analyzed packages",
+      "items": {
+        "$ref": "#/definitions/CapabilityInfo"
+      }
+    },
+    "module_info": {
+      "type": "array",
+      "description": "Information about Go modules analyzed",
+      "items": {
+        "$ref": "#/definitions/ModuleInfo"
+      }
+    },
+    "package_info": {
+      "type": "array",
+      "description": "Information about Go packages analyzed",
+      "items": {
+        "$ref": "#/definitions/PackageInfo"
+      }
+    }
+  },
+  "required": [],
+  "additionalProperties": false,
+  "definitions": {
+    "CapabilityInfo": {
+      "type": "object",
+      "description": "Information about a specific capability found in the code",
+      "properties": {
+        "package_name": {
+          "type": "string",
+          "description": "The name of the package where the capability is found"
+        },
+        "capability": {
+          "$ref": "#/definitions/Capability",
+          "description": "The type of capability detected"
+        },
+        "dep_path": {
+          "type": "string",
+          "description": "The dependency path to where the capability is incurred"
+        },
+        "path": {
+          "type": "array",
+          "description": "The call path showing how the capability is reached, with each element being a function or method",
+          "items": {
+            "$ref": "#/definitions/Function"
+          }
+        },
+        "package_dir": {
+          "type": "string",
+          "description": "The location/directory of the package"
+        },
+        "capability_type": {
+          "$ref": "#/definitions/CapabilityType",
+          "description": "Classification of how the capability was incurred (direct or transitive)"
+        }
+      },
+      "additionalProperties": false
+    },
+    "Function": {
+      "type": "object",
+      "description": "Information about a function in a call path",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "The name of the function"
+        },
+        "site": {
+          "$ref": "#/definitions/FunctionSite",
+          "description": "Location information for the function call"
+        },
+        "package": {
+          "type": "string",
+          "description": "The package containing this function"
+        }
+      },
+      "additionalProperties": false
+    },
+    "FunctionSite": {
+      "type": "object",
+      "description": "Source location information for a function",
+      "properties": {
+        "filename": {
+          "type": "string",
+          "description": "The source file containing the function"
+        },
+        "line": {
+          "type": "integer",
+          "description": "The line number in the source file"
+        },
+        "column": {
+          "type": "integer",
+          "description": "The column number in the source file"
+        }
+      },
+      "additionalProperties": false
+    },
+    "ModuleInfo": {
+      "type": "object",
+      "description": "Information about a Go module",
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "The module path/import path"
+        },
+        "version": {
+          "type": "string",
+          "description": "The version of the module"
+        }
+      },
+      "additionalProperties": false
+    },
+    "PackageInfo": {
+      "type": "object",
+      "description": "Information about a Go package",
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "The package import path"
+        },
+        "ignored_files": {
+          "type": "array",
+          "description": "List of source files in the package directory that were ignored due to build configuration and build tags",
+          "items": {
+            "type": "string"
+          }
+        }
+      },
+      "additionalProperties": false
+    },
+    "Capability": {
+      "type": "string",
+      "description": "Types of capabilities that can be detected by capslock",
+      "enum": [
+        "CAPABILITY_UNSPECIFIED",
+        "CAPABILITY_SAFE",
+        "CAPABILITY_FILES",
+        "CAPABILITY_NETWORK",
+        "CAPABILITY_RUNTIME",
+        "CAPABILITY_READ_SYSTEM_STATE",
+        "CAPABILITY_MODIFY_SYSTEM_STATE",
+        "CAPABILITY_OPERATING_SYSTEM",
+        "CAPABILITY_SYSTEM_CALLS",
+        "CAPABILITY_ARBITRARY_EXECUTION",
+        "CAPABILITY_CGO",
+        "CAPABILITY_UNANALYZED",
+        "CAPABILITY_UNSAFE_POINTER",
+        "CAPABILITY_REFLECT",
+        "CAPABILITY_EXEC"
+      ]
+    },
+    "CapabilityType": {
+      "type": "string",
+      "description": "Classification of how a capability was incurred",
+      "enum": [
+        "CAPABILITY_TYPE_UNSPECIFIED",
+        "CAPABILITY_TYPE_DIRECT",
+        "CAPABILITY_TYPE_TRANSITIVE"
+      ]
+    }
+  }
+}

data/examples/generic/report-v1.2.0.json

@@ -0,0 +1,63 @@
+{
+  "metadata": {
+    "tool": "zizmor",
+    "version": "1.2.0",
+    "scan_id": "123e4567-e89b-12d3-a456-426614174000",
+    "timestamp": "2023-12-01T10:00:00Z",
+    "duration_ms": 1500
+  },
+  "summary": {
+    "total_issues": 3,
+    "by_severity": {
+      "critical": 1,
+      "high": 1,
+      "medium": 1,
+      "low": 0,
+      "info": 0
+    }
+  },
+  "issues": [
+    {
+      "id": "ZIZ001",
+      "severity": "critical",
+      "category": "injection",
+      "title": "Potential command injection in workflow",
+      "description": "User input is passed directly to shell command without sanitization",
+      "location": {
+        "file": ".github/workflows/ci.yml",
+        "line": 42,
+        "column": 12
+      },
+      "confidence": "high",
+      "fix_available": true
+    },
+    {
+      "id": "ZIZ002", 
+      "severity": "high",
+      "category": "authentication",
+      "title": "Secrets exposed in logs",
+      "description": "API keys may be leaked through debug output",
+      "location": {
+        "file": ".github/workflows/deploy.yml",
+        "line": 18,
+        "column": 8
+      },
+      "confidence": "medium",
+      "fix_available": false
+    },
+    {
+      "id": "ZIZ003",
+      "severity": "medium", 
+      "category": "misc",
+      "title": "Outdated action version",
+      "description": "Using deprecated version of actions/checkout",
+      "location": {
+        "file": ".github/workflows/test.yml",
+        "line": 12,
+        "column": 15
+      },
+      "confidence": "high",
+      "fix_available": true
+    }
+  ]
+}

data/examples/generic/report-v1.3.0.json

@@ -0,0 +1,77 @@
+{
+  "metadata": {
+    "tool": "zizmor",
+    "version": "1.3.0",
+    "scan_id": "987f6543-e21c-43d5-b789-012345678901",
+    "timestamp": "2023-12-15T14:30:00Z",
+    "duration_ms": 1200
+  },
+  "summary": {
+    "total_issues": 4,
+    "by_severity": {
+      "critical": 2,
+      "high": 1,
+      "medium": 0,
+      "low": 1,
+      "info": 0
+    }
+  },
+  "issues": [
+    {
+      "id": "ZIZ001",
+      "severity": "critical",
+      "category": "injection", 
+      "title": "Potential command injection in workflow",
+      "description": "User input is passed directly to shell command without sanitization",
+      "location": {
+        "file": ".github/workflows/ci.yml",
+        "line": 42,
+        "column": 12
+      },
+      "confidence": "high",
+      "fix_available": true
+    },
+    {
+      "id": "ZIZ002",
+      "severity": "high", 
+      "category": "authentication",
+      "title": "Secrets exposed in logs",
+      "description": "API keys may be leaked through debug output",
+      "location": {
+        "file": ".github/workflows/deploy.yml",
+        "line": 18,
+        "column": 8
+      },
+      "confidence": "medium",
+      "fix_available": false
+    },
+    {
+      "id": "ZIZ004",
+      "severity": "critical",
+      "category": "crypto",
+      "title": "Weak cryptographic algorithm",
+      "description": "Using MD5 hash which is cryptographically insecure",
+      "location": {
+        "file": "scripts/hash.sh",
+        "line": 8,
+        "column": 20
+      },
+      "confidence": "high",
+      "fix_available": true
+    },
+    {
+      "id": "ZIZ005",
+      "severity": "low",
+      "category": "disclosure",
+      "title": "Debug information exposed",
+      "description": "Stack traces may reveal sensitive information",
+      "location": {
+        "file": ".github/workflows/debug.yml",
+        "line": 25,
+        "column": 10
+      },
+      "confidence": "low",
+      "fix_available": false
+    }
+  ]
+}

data/examples/generic/security-report.schema.json

@@ -0,0 +1,149 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Security Report Schema",
+  "description": "Schema for security analysis reports from tools like zizmor and capslock",
+  "type": "object",
+  "properties": {
+    "metadata": {
+      "type": "object",
+      "title": "Report Metadata",
+      "properties": {
+        "tool": {
+          "type": "string",
+          "title": "Tool Name",
+          "description": "Name of the security analysis tool",
+          "enum": ["zizmor", "capslock", "semgrep", "bandit"]
+        },
+        "version": {
+          "type": "string",
+          "title": "Tool Version",
+          "description": "Version of the analysis tool"
+        },
+        "scan_id": {
+          "type": "string",
+          "title": "Scan ID",
+          "format": "uuid",
+          "description": "Unique identifier for this scan"
+        },
+        "timestamp": {
+          "type": "string",
+          "title": "Scan Timestamp",
+          "format": "date-time",
+          "description": "When the scan was performed",
+          "readOnly": true
+        },
+        "duration_ms": {
+          "type": "integer",
+          "title": "Duration",
+          "description": "Scan duration in milliseconds"
+        }
+      },
+      "required": ["tool", "version", "timestamp"]
+    },
+    "summary": {
+      "type": "object",
+      "title": "Results Summary",
+      "properties": {
+        "total_issues": {
+          "type": "integer",
+          "title": "Total Issues",
+          "description": "Total number of security issues found"
+        },
+        "by_severity": {
+          "type": "object",
+          "title": "Issues by Severity",
+          "properties": {
+            "critical": {
+              "type": "integer",
+              "title": "Critical Issues"
+            },
+            "high": {
+              "type": "integer", 
+              "title": "High Severity Issues"
+            },
+            "medium": {
+              "type": "integer",
+              "title": "Medium Severity Issues"
+            },
+            "low": {
+              "type": "integer",
+              "title": "Low Severity Issues"
+            },
+            "info": {
+              "type": "integer",
+              "title": "Informational Issues"
+            }
+          }
+        }
+      }
+    },
+    "issues": {
+      "type": "array",
+      "title": "Security Issues",
+      "items": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "title": "Issue ID",
+            "description": "Unique identifier for the issue"
+          },
+          "severity": {
+            "type": "string",
+            "title": "Severity Level",
+            "enum": ["critical", "high", "medium", "low", "info"]
+          },
+          "category": {
+            "type": "string",
+            "title": "Issue Category",
+            "description": "Type of security issue",
+            "enum": ["injection", "authentication", "authorization", "crypto", "disclosure", "dos", "misc"]
+          },
+          "title": {
+            "type": "string",
+            "title": "Issue Title",
+            "description": "Brief description of the issue"
+          },
+          "description": {
+            "type": "string",
+            "title": "Detailed Description",
+            "description": "Full explanation of the security issue"
+          },
+          "location": {
+            "type": "object",
+            "title": "Issue Location",
+            "properties": {
+              "file": {
+                "type": "string",
+                "title": "File Path",
+                "description": "Path to the file containing the issue"
+              },
+              "line": {
+                "type": "integer",
+                "title": "Line Number",
+                "description": "Line number where issue occurs"
+              },
+              "column": {
+                "type": "integer",
+                "title": "Column Number",
+                "description": "Column number where issue occurs"
+              }
+            }
+          },
+          "confidence": {
+            "type": "string",
+            "title": "Confidence Level",
+            "enum": ["high", "medium", "low"]
+          },
+          "fix_available": {
+            "type": "boolean",
+            "title": "Fix Available",
+            "description": "Whether an automated fix is available"
+          }
+        },
+        "required": ["id", "severity", "title", "location"]
+      }
+    }
+  },
+  "required": ["metadata", "summary", "issues"]
+}

data/examples/zizmor/README.md

@@ -0,0 +1,26 @@
+# Zizmor Examples
+
+This directory contains examples for [Zizmor](https://github.com/zizmorcore/zizmor), a GitHub Actions security auditor.
+
+## Files
+
+- `zizmor.schema.json` - Official zizmor JSON output schema (v1)
+- `zizmor-v0.1.0.json` - Sample audit report from zizmor v0.1.0
+- `zizmor-v0.2.0.json` - Sample audit report from zizmor v0.2.0
+
+## Example Usage
+
+```bash
+# Compare audit results between versions
+json-schema-diff zizmor.schema.json zizmor-v0.1.0.json zizmor-v0.2.0.json
+
+# Real-world usage with actual zizmor output
+zizmor --format json --output current-audit.json .
+json-schema-diff zizmor.schema.json previous-audit.json current-audit.json
+```
+
+## Key Changes Demonstrated
+
+- **New security findings**: v0.2.0 introduces detection of hardcoded credentials
+- **Severity escalation**: Dangerous actions finding upgraded from Medium to High severity
+- **Rich location data**: File paths, line numbers, and byte offsets for precise issue location