konarr 0.5.1

Konarr
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249

//! # Bill of Materials (BOM) module

use serde::{Deserialize, Serialize};
use std::fmt::Display;

/// Bill of Materials
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BillOfMaterials {
    /// The type of SBOM (CycloneDX, SPDX, etc.)
    pub sbom_type: BomType,
    /// Version of the SBOM format
    pub version: String,
    /// The tool used to generate the SBOM
    pub tools: Vec<BomTool>,
    /// SHA256 of the BOM
    pub sha: String,
    /// Timestamp of the SBOM
    pub timestamp: chrono::DateTime<chrono::Utc>,
    /// The container information
    pub container: Container,
    /// The dependencies of the software
    pub components: Vec<BomComponent>,
    /// List of vulnerabilities
    pub vulnerabilities: Vec<BomVulnerability>,
}

impl BillOfMaterials {
    /// Create a new Bill of Materials
    pub fn new(sbom_type: BomType, version: String) -> Self {
        Self {
            sbom_type,
            version,
            tools: Vec::new(),
            sha: String::new(),
            timestamp: chrono::Utc::now(),
            container: Container::default(),
            components: Vec::new(),
            vulnerabilities: Vec::new(),
        }
    }
}

/// SBOM Tool
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BomTool {
    /// Name of the tool
    pub name: String,
    /// Version of the tool
    pub version: String,
}

/// SBOM Type Enum
#[derive(Debug, Clone, Serialize, Deserialize)]
#[allow(non_camel_case_types)]
pub enum BomType {
    /// CycloneDX v1.5
    CycloneDX_1_5,
    /// CycloneDX v1.6
    CycloneDX_1_6,
    /// SPDX SBOM
    SPDX,
}

impl Display for BomType {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            BomType::CycloneDX_1_5 => write!(f, "CycloneDX v1.5"),
            BomType::CycloneDX_1_6 => write!(f, "CycloneDX v1.6"),
            BomType::SPDX => write!(f, "SPDX"),
        }
    }
}

impl BomType {
    /// Convert the SBOM type to a file name
    pub fn to_file_name(&self) -> String {
        match self {
            BomType::CycloneDX_1_5 | BomType::CycloneDX_1_6 => "cdx",
            BomType::SPDX => "spdx",
        }
        .to_string()
    }
}

/// Dependency Model
#[derive(Debug, Default, Clone, Serialize, Deserialize, PartialEq)]
pub struct BomComponent {
    /// Package URL
    pub purl: String,
    /// CPE
    pub cpe: Option<String>,
    /// Package Name
    pub name: String,
    /// The type of component
    pub comp_type: BomComponentType,
    /// Signature of the component
    pub signature: Option<String>,
}

impl BomComponent {
    /// Create a new Dependency from a Package URL
    pub fn from_purl(purl: String) -> Self {
        // TODO: Parse the purl to get the name
        Self {
            purl,
            ..Default::default()
        }
    }
}

/// Bill of Materials Vulnerability
#[derive(Debug, Default, Clone, Serialize, Deserialize)]
pub struct BomVulnerability {
    /// CVE/GHA/etc.
    pub name: String,
    /// Advisory Source
    pub source: String,
    /// Severity of the vulnerability
    pub severity: BomVulnerabilitySeverity,
    /// Description of the vulnerability
    pub description: Option<String>,
    /// URL to the advisory
    pub url: Option<String>,
    /// Affects packages
    pub components: Vec<BomComponent>,
}

impl BomVulnerability {
    /// Create a new BOM Vulnerability
    pub fn new(name: String, source: String, severity: String) -> Self {
        BomVulnerability {
            name,
            source,
            severity: BomVulnerabilitySeverity::from(severity),
            ..Default::default()
        }
    }
}

/// Vulnerability Severity
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub enum BomVulnerabilitySeverity {
    /// Critical severity
    Critical,
    /// High severity
    High,
    /// Medium severity
    Medium,
    /// Low severity
    Low,
    /// Informational severity
    Informational,
    /// Unknown severity
    #[default]
    Unknown,
}

impl From<String> for BomVulnerabilitySeverity {
    fn from(value: String) -> Self {
        match value.to_lowercase().as_str() {
            "critical" | "very-high" => BomVulnerabilitySeverity::Critical,
            "high" => BomVulnerabilitySeverity::High,
            "medium" | "moderate" => BomVulnerabilitySeverity::Medium,
            "low" => BomVulnerabilitySeverity::Low,
            "informational" | "very-low" => BomVulnerabilitySeverity::Informational,
            _ => BomVulnerabilitySeverity::Unknown,
        }
    }
}

/// Container Information
#[derive(Debug, Default, Clone, Serialize, Deserialize)]
pub struct Container {
    /// Container Image
    pub image: Option<String>,
    /// Container Version
    pub version: Option<String>,
    /// Container Digest
    pub image_digest: Option<String>,
    /// Container Tag
    pub image_tag: Option<String>,
}

impl From<BomType> for String {
    fn from(value: BomType) -> Self {
        value.to_string()
    }
}

impl From<BomType> for Vec<u8> {
    fn from(value: BomType) -> Self {
        match value {
            BomType::CycloneDX_1_5 => value.to_string().as_bytes().to_vec(),
            BomType::CycloneDX_1_6 => value.to_string().as_bytes().to_vec(),
            BomType::SPDX => value.to_string().as_bytes().to_vec(),
        }
    }
}

/// Component Type Enum
#[derive(Debug, Clone, Default, Serialize, Deserialize, PartialEq)]
pub enum BomComponentType {
    /// Library
    Library,
    /// Application
    Application,
    /// Framework
    Framework,
    /// Operating System
    OperatingSystem,
    /// Container
    Container,
    /// Firmware
    Firmware,
    /// CryptoLibrary
    CryptoLibrary,
    /// Service
    Service,
    /// Database
    Database,
    /// Operating Environment
    OperatingEnvironment,
    /// Middleware
    Middleware,
    /// Programming Language
    ProgrammingLanguage,
    /// Unknown
    #[default]
    Unknown,
}

impl From<String> for BomComponentType {
    fn from(value: String) -> Self {
        match value.to_lowercase().as_str() {
            "library" => BomComponentType::Library,
            "application" => BomComponentType::Application,
            "framework" => BomComponentType::Framework,
            "operating_system" => BomComponentType::OperatingSystem,
            "container" => BomComponentType::Container,
            "firmware" => BomComponentType::Firmware,
            "service" => BomComponentType::Service,
            "database" => BomComponentType::Database,
            "operating_environment" => BomComponentType::OperatingEnvironment,
            "middleware" => BomComponentType::Middleware,
            "programming_language" => BomComponentType::ProgrammingLanguage,
            _ => BomComponentType::Unknown,
        }
    }
}