Dependency Models

This document provides a comprehensive documentation for the Python classes Package, PackageVulnerability, and Dependency. These classes are used in the context of software package management and vulnerability detection. The Package class represents a software package, while PackageVulnerability represents a vulnerability associated with a package. The Dependency class represents a dependency between an app and a package.

Overview of package-related models — Figure 1: Overview of models related to software packages and project dependencies

class mastf.MASTF.models.Package(*args, **kwargs)[source]

A Django model that represents a software package.

artifact_id: The artifact ID of the package. (may be null)

description: A brief description for report generation.

group_id: The group ID of the package. (may be null)

is_tracker: Identifies this software package to be linked to tracking services.

name: The name of the package.

package_type: The type of the package. It is a string that should be one of the values from PackageType.

package_uuid: The unique id for this package

platform: The platform on which the package can be run. It is a string that should be one of the values from Platform.

class mastf.MASTF.models.PackageVulnerability(*args, **kwargs)[source]

A Django model that represents a vulnerability associated with a software package.

cve_id: The Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability.

identifier: The universally unique identifier for the vulnerability.

package: The software package that is vulnerable.

severity: The severity of the vulnerability. It is a string that should be one of the values from.

version: The version of the software package that is vulnerable.

class mastf.MASTF.models.Dependency(*args, **kwargs)[source]

Represents a dependency of a project on a software package.

dependency_uuid: The dependency’s uuid.

license: Stores all extracted license information (comma spearated)

outdated: Indicates whether the package is outdated.

package: The linked software package.

project: The project this dependency belongs to.

relation: The relation of this dependency (defaults to DIRECT). Not used yet.

scanner: The scanner which found this dependency.

version: The extracted version number. (may be blank)

vulnerabilities()[source]

Returns a generator that yields all vulnerabilities associated with the package of this dependency and its version.

Returns:: a generator of vulnerabilities
Return type:: Generator[PackageVulnerability, Any, None]

The Dependency class also has a vulnerabilities property, which returns a queryset with all vulnerabilities associated to the package and version of the dependency.