Add Repository Security Advisories APIs #2902

merged 14 commits into from
Oct 5, 2023
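--- a/github/event_types.go
+++ b/github/event_types.go
@@ -1610,18 +1610,33 @@ type WorkflowRunEvent struct {
 //
 // GitHub API docs: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#security_advisory
 type SecurityAdvisory struct {
-CVSS *AdvisoryCVSS `json:"cvss,omitempty"`
-CWEs []*AdvisoryCWEs `json:"cwes,omitempty"`
-GHSAID *string `json:"ghsa_id,omitempty"`
-Summary *string `json:"summary,omitempty"`
-Description *string `json:"description,omitempty"`
-Severity *string `json:"severity,omitempty"`
-Identifiers []*AdvisoryIdentifier `json:"identifiers,omitempty"`
-References []*AdvisoryReference `json:"references,omitempty"`
-PublishedAt *Timestamp `json:"published_at,omitempty"`
-UpdatedAt *Timestamp `json:"updated_at,omitempty"`
-WithdrawnAt *Timestamp `json:"withdrawn_at,omitempty"`
-Vulnerabilities []*AdvisoryVulnerability `json:"vulnerabilities,omitempty"`
+CVSS *AdvisoryCVSS `json:"cvss,omitempty"`
+CWEs []*AdvisoryCWEs `json:"cwes,omitempty"`
+GHSAID *string `json:"ghsa_id,omitempty"`
+Summary *string `json:"summary,omitempty"`
+Description *string `json:"description,omitempty"`
+Severity *string `json:"severity,omitempty"`
+Identifiers []*AdvisoryIdentifier `json:"identifiers,omitempty"`
+References []*AdvisoryReference `json:"references,omitempty"`
+PublishedAt *Timestamp `json:"published_at,omitempty"`
+UpdatedAt *Timestamp `json:"updated_at,omitempty"`
+WithdrawnAt *Timestamp `json:"withdrawn_at,omitempty"`
+Vulnerabilities []*AdvisoryVulnerability `json:"vulnerabilities,omitempty"`
+CVEID *string `json:"cve_id,omitempty"`
+URL *string `json:"url,omitempty"`
+HTMLURL *string `json:"html_url,omitempty"`
+Author *User `json:"author,omitempty"`
+Publisher *User `json:"publisher,omitempty"`
+State *string `json:"state,omitempty"`
+CreatedAt *Timestamp `json:"created_at,omitempty"`
+ClosedAt *Timestamp `json:"closed_at,omitempty"`
+Submission *SecurityAdvisorySubmission `json:"submission,omitempty"`
+CWEIDs []string `json:"cwe_ids,omitempty"`
+Credits []*RepoAdvisoryCredit `json:"credits,omitempty"`
+CreditsDetailed []*RepoAdvisoryCreditDetailed `json:"credits_detailed,omitempty"`
+CollaboratingUsers []*User `json:"collaborating_users,omitempty"`
+CollaboratingTeams []*Team `json:"collaborating_teams,omitempty"`
+PrivateFork *Repository `json:"private_fork,omitempty"`
 }
 
 // AdvisoryIdentifier represents the identifier for a Security Advisory.
@@ -1641,6 +1656,12 @@ type AdvisoryVulnerability struct {
 Severity *string `json:"severity,omitempty"`
 VulnerableVersionRange *string `json:"vulnerable_version_range,omitempty"`
 FirstPatchedVersion *FirstPatchedVersion `json:"first_patched_version,omitempty"`
+
+// PatchedVersions and VulnerableFunctions are used in the following APIs:
+// - https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28#list-repository-security-advisories-for-an-organization
+// - https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28#list-repository-security-advisories
+PatchedVersions *string `json:"patched_versions,omitempty"`
+VulnerableFunctions []string `json:"vulnerable_functions,omitempty"`
 }
 
 // VulnerabilityPackage represents the package object for an Advisory Vulnerability.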
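Review bot: The fifteen fields appended to SecurityAdvisory (CVEID through PrivateFork) come from the repository security advisories REST API, but the struct's doc comment, which begins above the hunk, still cites only the webhook payload, so a reader cannot tell which fields a webhook delivery will ever populate. The second hunk already sets the precedent for AdvisoryVulnerability with its "used in the following APIs" note; mirroring it here, e.g. `// The following fields are only returned by the repository security advisories REST API.` directly above `CVEID`, keeps the two structs consistent. Since the REST object shares a type with the webhook payload, it is also worth confirming that json field names such as `credits_detailed` and `collaborating_users` are exactly those of the REST response, as a mismatch would silently decode to nil. The SecurityAdvisory definition starts outside this hunk.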
92 changes: 92 additions & 0 deletions github/security_advisories.go
Expand Up @@ -12,6 +12,50 @@ import (

type SecurityAdvisoriesService service

// SecurityAdvisorySubmission represents the Security Advisory Submission.
type SecurityAdvisorySubmission struct {
// Accepted represents whether a private vulnerability report was accepted by the repository's administrators.
Accepted *bool `json:"accepted,omitempty"`
}

// RepoAdvisoryCredit represents the credit object for a repository Security Advisory.
type RepoAdvisoryCredit struct {
Login *string `json:"login,omitempty"`
Type *string `json:"type,omitempty"`
}

// RepoAdvisoryCreditDetailed represents a credit given to a user for a repository Security Advisory.
type RepoAdvisoryCreditDetailed struct {
User *User `json:"user,omitempty"`
Type *string `json:"type,omitempty"`
State *string `json:"state,omitempty"`
}

// Permissions represent a team's permissions.
type Permissions struct {
Admin *bool `json:"admin,omitempty"`
Pull *bool `json:"pull,omitempty"`
Push *bool `json:"push,omitempty"`
Triage *bool `json:"triage,omitempty"`
Maintain *bool `json:"maintain,omitempty"`
}

// ListRepositorySecurityAdvisoriesOptions specifies the optional parameters to lists the repository security advisories.
type ListRepositorySecurityAdvisoriesOptions struct {
ListCursorOptions

// Direction in which to sort advisories. Possible values are: asc, desc.
// Default is "asc".
Direction string `url:"direction,omitempty"`

// Sort specifies how to sort advisories. Possible values are: created, updated,
// and published. Default value is "created".
Sort string `url:"sort,omitempty"`

// State filters advisories based on their state. Possible values are: triage, draft, published, closed.
State string `url:"state,omitempty"`
}

// RequestCVE requests a Common Vulnerabilities and Exposures (CVE) for a repository security advisory.
// The ghsaID is the GitHub Security Advisory identifier of the advisory.
//
Expand All @@ -35,3 +79,51 @@ func (s *SecurityAdvisoriesService) RequestCVE(ctx context.Context, owner, repo,

return resp, nil
}

// ListRepositorySecurityAdvisoriesForOrg lists the repository security advisories for an organization.
//
// Github API docs: https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28#list-repository-security-advisories-for-an-organization
func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisoriesForOrg(ctx context.Context, org string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) {
url := fmt.Sprintf("orgs/%v/security-advisories", org)
url, err := addOptions(url, opt)
if err != nil {
return nil, nil, err
}

req, err := s.client.NewRequest("GET", url, nil)
if err != nil {
return nil, nil, err
}

var advisories []*SecurityAdvisory
resp, err := s.client.Do(ctx, req, &advisories)
if err != nil {
return nil, resp, err
}

return advisories, resp, nil
}

// ListRepositorySecurityAdvisories lists the security advisories in a repository.
//
// Github API docs: https://docs.github.com/en/enterprise-cloud@latest/rest/security-advisories/repository-advisories?apiVersion=2022-11-28#list-repository-security-advisories
func (s *SecurityAdvisoriesService) ListRepositorySecurityAdvisories(ctx context.Context, owner string, repo string, opt *ListRepositorySecurityAdvisoriesOptions) ([]*SecurityAdvisory, *Response, error) {
url := fmt.Sprintf("repos/%v/%v/security-advisories", owner, repo)
url, err := addOptions(url, opt)
if err != nil {
return nil, nil, err
}

req, err := s.client.NewRequest("GET", url, nil)
if err != nil {
return nil, nil, err
}

var advisories []*SecurityAdvisory
resp, err := s.client.Do(ctx, req, &advisories)
if err != nil {
return nil, resp, err
}

return advisories, resp, nil
}
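Review bot: The doc comments on ListRepositorySecurityAdvisoriesForOrg and ListRepositorySecurityAdvisories spell the link prefix `Github API docs:`, while the rest of this codebase (see the SecurityAdvisory comment in event_types.go in this same PR) uses `GitHub API docs:`, and the second link points at the `enterprise-cloud@latest` docs whereas the first points at the standard REST docs; both should read `// GitHub API docs: https://docs.github.com/en/rest/security-advisories/repository-advisories?apiVersion=2022-11-28#list-repository-security-advisories` for consistency. The options comment in the first hunk, `// ListRepositorySecurityAdvisoriesOptions specifies the optional parameters to lists the repository security advisories.`, has a grammar slip and should say `to list`. The new `Permissions` type is documented as a team's permissions yet lives in security_advisories.go next to advisory credit types; if it is referenced from Team it presumably belongs in the teams file, and its doc comment should say which API response it models. Both list methods name their local `url`, which shadows the net/url package if this file ever imports it; `u` or `path` would avoid that.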