
Update comments, clean up security check

This commit is contained in:
JanHoefelmeyer 2025-01-29 09:26:59 +01:00
parent 7d74543bbb
commit 02787b24b7


@ -1339,7 +1339,6 @@ func (p *processor) checkSecurityFolder(folder string) string {
// checkDNS checks if the "csaf.data.security.domain.tld" DNS record is available // checkDNS checks if the "csaf.data.security.domain.tld" DNS record is available
// and serves the "provider-metadata.json". // and serves the "provider-metadata.json".
// It returns an empty string if all checks are passed, otherwise the errormessage.
func (p *processor) checkDNS(domain string) { func (p *processor) checkDNS(domain string) {
p.badDNSPath.use() p.badDNSPath.use()
@ -1373,8 +1372,7 @@ func (p *processor) checkDNS(domain string) {
} }
// checkWellknown checks if the provider-metadata.json file is // checkWellknown checks if the provider-metadata.json file is
// available under the /.well-known/csaf/ directory. Returns the errormessage if // available under the /.well-known/csaf/ directory.
// an error was encountered, or an empty string otherwise
func (p *processor) checkWellknown(domain string) { func (p *processor) checkWellknown(domain string) {
p.badWellknownMetadata.use() p.badWellknownMetadata.use()
@ -1402,15 +1400,13 @@ func (p *processor) checkWellknown(domain string) {
// 4. Finally it checks if the "csaf.data.security.domain.tld" DNS record // 4. Finally it checks if the "csaf.data.security.domain.tld" DNS record
// is available and serves the "provider-metadata.json". // is available and serves the "provider-metadata.json".
// //
// / // For the security.txt checks, it first checks the default location.
// If all three checks fail, errors are given, // Should this lookup fail, a warning is will be given and a lookup
// otherwise warnings for all failed checks. // for the legacy location will be made. If this fails as well, then an
// The function returns nil, unless errors outside the checks were found. // error is given.
// In that case, errors are returned.
func (p *processor) checkWellknownSecurityDNS(domain string) error { func (p *processor) checkWellknownSecurityDNS(domain string) error {
p.checkWellknown(domain) p.checkWellknown(domain)
p.checkDNS(domain)
// Security check for well known (default) and legacy location // Security check for well known (default) and legacy location
warnings, sDMessage := p.checkSecurity(domain, false) warnings, sDMessage := p.checkSecurity(domain, false)
@ -1423,22 +1419,24 @@ func (p *processor) checkWellknownSecurityDNS(domain string) error {
p.badSecurity.use() p.badSecurity.use()
// Info, Warning or Error depending on kind and warningS // Report about Securitytxt:
kindSD := WarnType // Only report about Legacy if default was succesful (0).
if warnings == 0 { // Report default and legacy as errors if neither was succesful (1).
kindSD = InfoType // Warn about missing security in the default position if not found
} // but found in the legacy location, and inform about finding it there (2).
kindSL := ErrorType switch warnings {
if warnings == 2 { case 0:
kindSL = InfoType p.badSecurity.add(InfoType, sDMessage)
case 1:
p.badSecurity.add(ErrorType, sDMessage)
p.badSecurity.add(ErrorType, sLMessage)
case 2:
p.badSecurity.add(WarnType, sDMessage)
p.badSecurity.add(InfoType, sLMessage)
} }
p.badSecurity.add(kindSD, sDMessage) p.checkDNS(domain)
// only if the well-known security.txt was not successful:
// report about the legacy location
if warnings != 0 {
p.badSecurity.add(kindSL, sLMessage)
}
return nil return nil
} }
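Review bot: The new `switch warnings` has no `default` branch, so any value of `warnings` other than 0, 1 or 2 now records nothing in `p.badSecurity`, whereas the old code always reported at least the default location and fell back to `ErrorType` for the legacy one; a silently dropped finding is worse for a validator than a spurious one. Unless `checkSecurity` is documented to return only those three values (not visible from this hunk), add a fallback such as `default:` / `p.badSecurity.add(ErrorType, sDMessage)` / `p.badSecurity.add(ErrorType, sLMessage)`, or state the 0–2 contract in the comment above the switch. The comment also misspells "succesful" twice, and the earlier hunk's "a warning is will be given" reads as a leftover edit. The enclosing `checkWellknownSecurityDNS` starts outside this hunk.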