@conterra/vuln-scan 0.0.35 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,94 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-07/schema#",
3
+ "$id": "jira-config-schema.json",
4
+ "title": "JiraConfig",
5
+ "description": "Configuration file (jira.json) for the ct-vuln-jira-report tool. Defines how vulnerabilities from a scan-summary.json are routed to Jira projects.",
6
+ "type": "object",
7
+ "required": ["jiraUrl", "issues"],
8
+ "additionalProperties": false,
9
+ "properties": {
10
+ "$schema": {
11
+ "description": "Optional reference to the JSON Schema used to validate this file.",
12
+ "type": "string"
13
+ },
14
+ "jiraUrl": {
15
+ "description": "Base URL of the Jira instance. Example: \"https://myorg.atlassian.net\"",
16
+ "type": "string",
17
+ "format": "uri"
18
+ },
19
+ "issues": {
20
+ "description": "List of routing rules that map scan project identifiers to target Jira projects.",
21
+ "type": "array",
22
+ "minItems": 1,
23
+ "items": {
24
+ "$ref": "#/$defs/JiraIssueConfig"
25
+ }
26
+ }
27
+ },
28
+ "$defs": {
29
+ "JiraIssueConfig": {
30
+ "description": "A single routing rule: vulnerabilities affecting any of the listed project patterns will create an issue in the given Jira project.",
31
+ "type": "object",
32
+ "required": ["jiraProject", "issueType", "reportProjects"],
33
+ "additionalProperties": false,
34
+ "properties": {
35
+ "jiraProject": {
36
+ "description": "Jira project key where issues will be created, e.g. \"PLATFORM\".",
37
+ "type": "string"
38
+ },
39
+ "issueType": {
40
+ "description": "Jira issue type name, e.g. \"Bug\", \"CVE\" or \"Task\".",
41
+ "type": "string"
42
+ },
43
+ "issueLabels": {
44
+ "description": "Global Jira labels applied to every issue created by this rule, regardless of addToBoard matching. Merged with any labels from matching addToBoard entries. Example: [\"security\", \"cve\"].",
45
+ "type": "array",
46
+ "items": {
47
+ "type": "string"
48
+ }
49
+ },
50
+ "addToBoard": {
51
+ "description": "Per-board routing rules. Each entry can target a Scrum sprint board (via sprintBoardId) and/or add labels for Kanban board routing. Sprint assignment: the first matching entry with a sprintBoardId wins; subsequent matching sprint entries and their labels are ignored. Kanban entries (no sprintBoardId) always contribute their labels.",
52
+ "type": "array",
53
+ "items": {
54
+ "$ref": "#/$defs/BoardConfig"
55
+ }
56
+ },
57
+ "reportProjects": {
58
+ "description": "Glob patterns for project identifiers (name@version) whose vulnerabilities should be routed to this Jira project. Use \"*\" to match any string. Examples: \"mapapps@*\", \"smartfinder@4.*\", \"*\".",
59
+ "type": "array",
60
+ "minItems": 1,
61
+ "items": {
62
+ "type": "string",
63
+ "description": "Glob pattern for a project identifier. Example: \"mapapps@*\""
64
+ }
65
+ }
66
+ }
67
+ },
68
+ "BoardConfig": {
69
+ "description": "Per-board routing rule within addToBoard. Controls which projects activate this entry, whether to assign the issue to an active Scrum sprint, and which labels to attach.",
70
+ "type": "object",
71
+ "additionalProperties": false,
72
+ "properties": {
73
+ "sprintBoardId": {
74
+ "description": "Jira Scrum board ID. When set, the issue is assigned to the currently active sprint of that board. Omit for Kanban boards (routing is handled by Jira's board JQL filter).",
75
+ "type": "integer"
76
+ },
77
+ "issueLabels": {
78
+ "description": "Labels to attach when this entry matches. For sprint entries: included only if this is the first matching sprint entry. For Kanban entries (no sprintBoardId): always aggregated.",
79
+ "type": "array",
80
+ "items": {
81
+ "type": "string"
82
+ }
83
+ },
84
+ "matchProjects": {
85
+ "description": "Glob patterns for project identifiers (name@version) that activate this board entry. Defaults to [\"*\"] when omitted (matches any project). Example: [\"mapapps@*\", \"smartfinder@4.*\"].",
86
+ "type": "array",
87
+ "items": {
88
+ "type": "string"
89
+ }
90
+ }
91
+ }
92
+ }
93
+ }
94
+ }
@@ -0,0 +1,156 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-07/schema#",
3
+ "$id": "summary-schema.json",
4
+ "title": "ScanSummary",
5
+ "description": "Output schema for the CVE vulnerability scan summary (scan-summary.json)",
6
+ "type": "object",
7
+ "required": [
8
+ "errors",
9
+ "vulnerabilities",
10
+ "vulnerabilityToProject",
11
+ "projectToVulnerability",
12
+ "projectsToComponents",
13
+ "noLongerDetectedVulnerabilities"
14
+ ],
15
+ "additionalProperties": false,
16
+ "properties": {
17
+ "$schema": {
18
+ "description": "Optional reference to the JSON Schema used to validate this file.",
19
+ "type": "string"
20
+ },
21
+ "errors": {
22
+ "description": "Scan errors that occurred per project during the scan run.",
23
+ "type": "array",
24
+ "items": {
25
+ "$ref": "#/$defs/ProjectError"
26
+ }
27
+ },
28
+ "vulnerabilities": {
29
+ "description": "Map of CVE/vulnerability ID to its details. Only covers newly detected vulnerabilities.",
30
+ "type": "object",
31
+ "additionalProperties": {
32
+ "$ref": "#/$defs/ShortVulnInfo"
33
+ }
34
+ },
35
+ "vulnerabilityToProject": {
36
+ "description": "Map of CVE/vulnerability ID to the list of affected project identifiers (name@version).",
37
+ "type": "object",
38
+ "additionalProperties": {
39
+ "type": "array",
40
+ "items": {
41
+ "type": "string"
42
+ }
43
+ }
44
+ },
45
+ "projectToVulnerability": {
46
+ "description": "Map of project identifier (name@version) to the list of CVE/vulnerability IDs detected in that project.",
47
+ "type": "object",
48
+ "additionalProperties": {
49
+ "type": "array",
50
+ "items": {
51
+ "type": "string"
52
+ }
53
+ }
54
+ },
55
+ "projectsToComponents": {
56
+ "description": "Map of project identifier (name@version) to a map of component purl to its reverse dependency tree node. Contains the component usage trees for all vulnerable components per project.",
57
+ "type": "object",
58
+ "additionalProperties": {
59
+ "type": "object",
60
+ "additionalProperties": {
61
+ "$ref": "#/$defs/ComponentNode"
62
+ }
63
+ }
64
+ },
65
+ "noLongerDetectedVulnerabilities": {
66
+ "description": "Map of CVE/vulnerability ID to the list of project identifiers (name@version) where the vulnerability was declared but is no longer detected.",
67
+ "type": "object",
68
+ "additionalProperties": {
69
+ "type": "array",
70
+ "items": {
71
+ "type": "string"
72
+ }
73
+ }
74
+ }
75
+ },
76
+ "$defs": {
77
+ "Severity": {
78
+ "description": "Severity level of a vulnerability.",
79
+ "type": "string",
80
+ "enum": ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
81
+ },
82
+ "ComponentNode": {
83
+ "description": "A node in the reverse dependency tree identifying a component by its purl.",
84
+ "type": "object",
85
+ "required": ["purl", "usedBy"],
86
+ "additionalProperties": false,
87
+ "properties": {
88
+ "purl": {
89
+ "description": "Package URL (purl) of the component.",
90
+ "type": "string"
91
+ },
92
+ "usedBy": {
93
+ "description": "Components that depend on this component. An empty array means this is a root/direct dependency.",
94
+ "type": "array",
95
+ "items": {
96
+ "$ref": "#/$defs/ComponentNode"
97
+ }
98
+ }
99
+ }
100
+ },
101
+ "ShortVulnInfo": {
102
+ "description": "Condensed vulnerability information for a single CVE/vulnerability.",
103
+ "type": "object",
104
+ "required": ["id", "severity", "title", "description", "components", "refs"],
105
+ "additionalProperties": false,
106
+ "properties": {
107
+ "id": {
108
+ "description": "Unique identifier of the vulnerability (e.g. CVE-2024-12345).",
109
+ "type": "string"
110
+ },
111
+ "severity": {
112
+ "$ref": "#/$defs/Severity"
113
+ },
114
+ "title": {
115
+ "description": "Short human-readable title of the vulnerability.",
116
+ "type": "string"
117
+ },
118
+ "description": {
119
+ "description": "Detailed description of the vulnerability.",
120
+ "type": "string"
121
+ },
122
+ "components": {
123
+ "description": "List of affected component purls.",
124
+ "type": "array",
125
+ "items": {
126
+ "type": "string"
127
+ }
128
+ },
129
+ "refs": {
130
+ "description": "List of reference URLs (advisories, NVD entries, etc.).",
131
+ "type": "array",
132
+ "items": {
133
+ "type": "string",
134
+ "format": "uri"
135
+ }
136
+ }
137
+ }
138
+ },
139
+ "ProjectError": {
140
+ "description": "An error that occurred while scanning a specific project.",
141
+ "type": "object",
142
+ "required": ["project", "error"],
143
+ "additionalProperties": false,
144
+ "properties": {
145
+ "project": {
146
+ "description": "Project identifier in the form name@version.",
147
+ "type": "string"
148
+ },
149
+ "error": {
150
+ "description": "Error message describing what went wrong during the scan.",
151
+ "type": "string"
152
+ }
153
+ }
154
+ }
155
+ }
156
+ }