SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 18:15:42 +01:00
Code Issues Releases Activity Actions

Call the checks again.

Browse source
This commit is contained in:
Sascha L. Teichmann 2021-12-15 21:22:38 +01:00
parent d201cda542
commit 30789e60d5
3 changed files with 81 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

4
cmd/csaf_checker/main.go
View file

@ -98,8 +98,8 @@ func writeReport(report *Report, opts *options) error {
return writer(report, w) return writer(report, w)
} }
func buildReporters() []Reporter { func buildReporters() []reporter {
return []Reporter{ return []reporter{
&tlsReporter{baseReporter{num: 3, description: "TLS"}}, &tlsReporter{baseReporter{num: 3, description: "TLS"}},
&redirectsReporter{baseReporter{num: 6, description: "Redirects"}}, &redirectsReporter{baseReporter{num: 6, description: "Redirects"}},
&providerMetadataReport{baseReporter{num: 7, description: "provider-metadata.json"}}, &providerMetadataReport{baseReporter{num: 7, description: "provider-metadata.json"}},

133
cmd/csaf_checker/processor.go
View file

@ -26,12 +26,15 @@ import (
"github.com/PaesslerAG/gval" "github.com/PaesslerAG/gval"
"github.com/PaesslerAG/jsonpath" "github.com/PaesslerAG/jsonpath"
"github.com/ProtonMail/gopenpgp/v2/crypto" "github.com/ProtonMail/gopenpgp/v2/crypto"
"github.com/csaf-poc/csaf_distribution/csaf" "github.com/csaf-poc/csaf_distribution/csaf"
"github.com/csaf-poc/csaf_distribution/util" "github.com/csaf-poc/csaf_distribution/util"
) )
type processor struct { type processor struct {
opts *options opts *options
client *http.Client
redirects map[string]string redirects map[string]string
noneTLS map[string]struct{} noneTLS map[string]struct{}
alreadyChecked map[string]struct{} alreadyChecked map[string]struct{}
@ -43,14 +46,14 @@ type processor struct {
badPGPs []string badPGPs []string
badSignatures []string badSignatures []string
badProviderMetadatas []string badProviderMetadatas []string
badSecurity []string badSecurities []string
badIntegrity []string badIntegrity []string
builder gval.Language builder gval.Language
exprs map[string]gval.Evaluable exprs map[string]gval.Evaluable
} }
type Reporter interface { type reporter interface {
report(*processor, *Domain) report(*processor, *Domain)
} }
@ -85,11 +88,11 @@ func (p *processor) clean() {
p.badPGPs = nil p.badPGPs = nil
p.badSignatures = nil p.badSignatures = nil
p.badProviderMetadatas = nil p.badProviderMetadatas = nil
p.badSecurity = nil p.badSecurities = nil
p.badIntegrity = nil p.badIntegrity = nil
} }
func (p *processor) run(reporter []Reporter, domains []string) (*Report, error) { func (p *processor) run(reporters []reporter, domains []string) (*Report, error) {
var report Report var report Report
@ -102,8 +105,8 @@ domainsLoop:
return nil, err return nil, err
} }
domain := &Domain{Name: d} domain := &Domain{Name: d}
for _, ch := range reporter { for _, r := range reporters {
ch.report(p, domain) r.report(p, domain)
} }
report.Domains = append(report.Domains, domain) report.Domains = append(report.Domains, domain)
p.clean() p.clean()
@ -115,9 +118,17 @@ domainsLoop:
func (p *processor) checkDomain(domain string) error { func (p *processor) checkDomain(domain string) error {
// TODO: Implement me! // TODO: Implement me!
if err := p.checkProviderMetadata(domain); err != nil && err != errContinue { for _, check := range []func(*processor, string) error{
return err (*processor).checkProviderMetadata,
(*processor).checkPGPKeys,
(*processor).checkSecurity,
(*processor).checkCSAFs,
} {
if err := check(p, domain); err != nil && err != errContinue {
return err
}
} }
return nil return nil
} }
@ -170,19 +181,24 @@ func (p *processor) checkRedirect(r *http.Request, via []*http.Request) error {
} }
func (p *processor) httpClient() *http.Client { func (p *processor) httpClient() *http.Client {
client := http.Client{
if p.client != nil {
return p.client
}
p.client = &http.Client{
CheckRedirect: p.checkRedirect, CheckRedirect: p.checkRedirect,
} }
if p.opts.Insecure { if p.opts.Insecure {
client.Transport = &http.Transport{ p.client.Transport = &http.Transport{
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{
InsecureSkipVerify: true, InsecureSkipVerify: true,
}, },
} }
} }
return &client return p.client
} }
func (p *processor) badHash(format string, args ...interface{}) { func (p *processor) badHash(format string, args ...interface{}) {
@ -201,10 +217,13 @@ func (p *processor) badPGP(format string, args ...interface{}) {
p.badPGPs = append(p.badPGPs, fmt.Sprintf(format, args...)) p.badPGPs = append(p.badPGPs, fmt.Sprintf(format, args...))
} }
func (p *processor) badSecurity(format string, args ...interface{}) {
p.badSecurities = append(p.badSecurities, fmt.Sprintf(format, args...))
}
func (p *processor) integrity( func (p *processor) integrity(
files []string, files []string,
base string, base string,
lg func(string, ...interface{}),
) error { ) error {
b, err := url.Parse(base) b, err := url.Parse(base)
if err != nil { if err != nil {
@ -217,7 +236,7 @@ func (p *processor) integrity(
for _, f := range files { for _, f := range files {
fp, err := url.Parse(f) fp, err := url.Parse(f)
if err != nil { if err != nil {
lg("Bad URL %s: %v", f, err) p.badProviderMetadata("Bad URL %s: %v", f, err)
continue continue
} }
u := b.ResolveReference(fp).String() u := b.ResolveReference(fp).String()
@ -227,11 +246,11 @@ func (p *processor) integrity(
p.checkTLS(u) p.checkTLS(u)
res, err := client.Get(u) res, err := client.Get(u)
if err != nil { if err != nil {
lg("Fetching %s failed: %v.", u, err) p.badProviderMetadata("Fetching %s failed: %v.", u, err)
continue continue
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
lg("Fetching %s failed: Status code %d (%s)", p.badProviderMetadata("Fetching %s failed: Status code %d (%s)",
u, res.StatusCode, res.Status) u, res.StatusCode, res.Status)
continue continue
} }
@ -248,17 +267,18 @@ func (p *processor) integrity(
tee := io.TeeReader(res.Body, hasher) tee := io.TeeReader(res.Body, hasher)
return json.NewDecoder(tee).Decode(&doc) return json.NewDecoder(tee).Decode(&doc)
}(); err != nil { }(); err != nil {
lg("Reading %s failed: %v", u, err) p.badProviderMetadata("Reading %s failed: %v", u, err)
continue continue
} }
errors, err := csaf.ValidateCSAF(doc) errors, err := csaf.ValidateCSAF(doc)
if err != nil { if err != nil {
lg("Failed to validate %s: %v", u, err) p.badProviderMetadata("Failed to validate %s: %v", u, err)
continue continue
} }
if len(errors) > 0 { if len(errors) > 0 {
lg("CSAF file %s has %d validation errors.", u, len(errors)) p.badProviderMetadata(
"CSAF file %s has %d validation errors.", u, len(errors))
} }
// Check hashes // Check hashes
@ -344,16 +364,16 @@ func (p *processor) integrity(
return nil return nil
} }
func (p *processor) processFeed(feed string, lg func(string, ...interface{})) error { func (p *processor) processFeed(feed string) error {
client := p.httpClient() client := p.httpClient()
res, err := client.Get(feed) res, err := client.Get(feed)
if err != nil { if err != nil {
lg("Cannot fetch feed %s: %v", feed, err) p.badProviderMetadata("Cannot fetch feed %s: %v", feed, err)
return errContinue return errContinue
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
lg("Fetching %s failed. Status code %d (%s)", p.badProviderMetadata("Fetching %s failed. Status code %d (%s)",
feed, res.StatusCode, res.Status) feed, res.StatusCode, res.Status)
return errContinue return errContinue
} }
@ -362,12 +382,12 @@ func (p *processor) processFeed(feed string, lg func(string, ...interface{})) er
return csaf.LoadROLIEFeed(res.Body) return csaf.LoadROLIEFeed(res.Body)
}() }()
if err != nil { if err != nil {
lg("Loading ROLIE feed failed: %v.", err) p.badProviderMetadata("Loading ROLIE feed failed: %v.", err)
return errContinue return errContinue
} }
base, err := basePath(feed) base, err := basePath(feed)
if err != nil { if err != nil {
lg("Bad base path: %v", err) p.badProviderMetadata("Bad base path: %v", err)
return errContinue return errContinue
} }
@ -378,14 +398,11 @@ func (p *processor) processFeed(feed string, lg func(string, ...interface{})) er
files = append(files, f.Link[i].HRef) files = append(files, f.Link[i].HRef)
} }
} }
return p.integrity(files, base, lg) return p.integrity(files, base)
} }
func (p *processor) processFeeds( func (p *processor) processFeeds(domain string, feeds [][]csaf.Feed) error {
domain string,
feeds [][]csaf.Feed,
lg func(string, ...interface{}),
) error {
base, err := url.Parse("https://" + domain + "/.well-known/csaf/") base, err := url.Parse("https://" + domain + "/.well-known/csaf/")
if err != nil { if err != nil {
return err return err
@ -398,12 +415,12 @@ func (p *processor) processFeeds(
} }
up, err := url.Parse(string(*feed.URL)) up, err := url.Parse(string(*feed.URL))
if err != nil { if err != nil {
lg("Invalid URL %s in feed: %v.", *feed.URL, err) p.badProviderMetadata("Invalid URL %s in feed: %v.", *feed.URL, err)
continue continue
} }
feedURL := base.ResolveReference(up).String() feedURL := base.ResolveReference(up).String()
p.checkTLS(feedURL) p.checkTLS(feedURL)
if err := p.processFeed(feedURL, lg); err != nil && err != errContinue { if err := p.processFeed(feedURL); err != nil && err != errContinue {
return err return err
} }
} }
@ -411,7 +428,7 @@ func (p *processor) processFeeds(
return nil return nil
} }
func (p *processor) checkCSAFs(domain string, lg func(string, ...interface{})) error { func (p *processor) checkCSAFs(domain string) error {
// Check for ROLIE // Check for ROLIE
rolie, err := p.jsonPath("$.distributions[*].rolie.feeds") rolie, err := p.jsonPath("$.distributions[*].rolie.feeds")
if err != nil { if err != nil {
@ -424,10 +441,10 @@ func (p *processor) checkCSAFs(domain string, lg func(string, ...interface{})) e
if hasRolie { if hasRolie {
var feeds [][]csaf.Feed var feeds [][]csaf.Feed
if err := util.ReMarshalJSON(&feeds, rolie); err != nil { if err := util.ReMarshalJSON(&feeds, rolie); err != nil {
lg("ROLIE feeds are not compatible: %v.", err) p.badProviderMetadata("ROLIE feeds are not compatible: %v.", err)
goto noRolie goto noRolie
} }
if err := p.processFeeds(domain, feeds, lg); err != nil { if err := p.processFeeds(domain, feeds); err != nil {
if err == errContinue { if err == errContinue {
goto noRolie goto noRolie
} }
@ -488,19 +505,19 @@ func (p *processor) checkProviderMetadata(domain string) error {
return nil return nil
} }
func (p *processor) checkSecurity(domain string, lg func(string, ...interface{})) error { func (p *processor) checkSecurity(domain string) error {
client := p.httpClient() client := p.httpClient()
path := "https://" + domain + "/.well-known/security.txt" path := "https://" + domain + "/.well-known/security.txt"
res, err := client.Get(path) res, err := client.Get(path)
if err != nil { if err != nil {
lg("Fetchinig %s failed: %v", err) p.badSecurity("Fetching %s failed: %v", err)
return errContinue return errContinue
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
lg("Fetching %s failed. Status code %d (%s)", p.badSecurity("Fetching %s failed. Status code %d (%s)",
path, res.StatusCode, res.Status) path, res.StatusCode, res.Status)
return errContinue return errContinue
} }
@ -517,18 +534,18 @@ func (p *processor) checkSecurity(domain string, lg func(string, ...interface{})
return "", lines.Err() return "", lines.Err()
}() }()
if err != nil { if err != nil {
lg("Error while reading security.txt: %v", err) p.badSecurity("Error while reading security.txt: %v", err)
return errContinue return errContinue
} }
if u == "" { if u == "" {
lg("No CSAF line found in security.txt.") p.badSecurity("No CSAF line found in security.txt.")
return errContinue return errContinue
} }
// Try to load // Try to load
up, err := url.Parse(u) up, err := url.Parse(u)
if err != nil { if err != nil {
lg("CSAF URL '%s' invalid: %v", u, err) p.badSecurity("CSAF URL '%s' invalid: %v", u, err)
return errContinue return errContinue
} }
@ -540,11 +557,11 @@ func (p *processor) checkSecurity(domain string, lg func(string, ...interface{})
u = base.ResolveReference(up).String() u = base.ResolveReference(up).String()
p.checkTLS(u) p.checkTLS(u)
if res, err = client.Get(u); err != nil { if res, err = client.Get(u); err != nil {
lg("Cannot fetch %s from security.txt: %v", u, err) p.badSecurity("Cannot fetch %s from security.txt: %v", u, err)
return errContinue return errContinue
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
lg("Fetching %s failed. Status code %d (%s)", p.badSecurity("Fetching %s failed. Status code %d (%s)",
u, res.StatusCode, res.Status) u, res.StatusCode, res.Status)
return errContinue return errContinue
} }
@ -552,33 +569,34 @@ func (p *processor) checkSecurity(domain string, lg func(string, ...interface{})
// Compare checksums to already read provider-metadata.json. // Compare checksums to already read provider-metadata.json.
h := sha256.New() h := sha256.New()
if _, err := io.Copy(h, res.Body); err != nil { if _, err := io.Copy(h, res.Body); err != nil {
lg("Reading %s failed: %v", u, err) p.badSecurity("Reading %s failed: %v", u, err)
return errContinue return errContinue
} }
if !bytes.Equal(h.Sum(nil), p.pmd256) { if !bytes.Equal(h.Sum(nil), p.pmd256) {
lg("Content of %s from security.txt is not identical to .well-known/csaf/provider-metadata.json", u) p.badSecurity("Content of %s from security.txt is not "+
"identical to .well-known/csaf/provider-metadata.json", u)
} }
return nil return nil
} }
func (p *processor) checkPGPKeys(domain string, lg func(string, ...interface{})) error { func (p *processor) checkPGPKeys(domain string) error {
src, err := p.jsonPath("$.pgp_keys") src, err := p.jsonPath("$.pgp_keys")
if err != nil { if err != nil {
lg("No PGP keys found: %v.", err) p.badPGP("No PGP keys found: %v.", err)
return errContinue return errContinue
} }
var keys []csaf.PGPKey var keys []csaf.PGPKey
if err := util.ReMarshalJSON(&keys, src); err != nil { if err := util.ReMarshalJSON(&keys, src); err != nil {
lg("PGP keys invalid: %v.", err) p.badPGP("PGP keys invalid: %v.", err)
return errContinue return errContinue
} }
if len(keys) == 0 { if len(keys) == 0 {
lg("No PGP keys found.") p.badPGP("No PGP keys found.")
return errContinue return errContinue
} }
@ -594,12 +612,12 @@ func (p *processor) checkPGPKeys(domain string, lg func(string, ...interface{}))
for i := range keys { for i := range keys {
key := &keys[i] key := &keys[i]
if key.URL == nil { if key.URL == nil {
lg("Missing URL for fingerprint %x.", key.Fingerprint) p.badPGP("Missing URL for fingerprint %x.", key.Fingerprint)
continue continue
} }
up, err := url.Parse(*key.URL) up, err := url.Parse(*key.URL)
if err != nil { if err != nil {
lg("Invalid URL '%s': %v", *key.URL, err) p.badPGP("Invalid URL '%s': %v", *key.URL, err)
continue continue
} }
@ -608,11 +626,12 @@ func (p *processor) checkPGPKeys(domain string, lg func(string, ...interface{}))
res, err := client.Get(u) res, err := client.Get(u)
if err != nil { if err != nil {
lg("Fetching PGP key %s failed: %v.", u, err) p.badPGP("Fetching PGP key %s failed: %v.", u, err)
continue continue
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
lg("Fetching PGP key %s status code: %d (%s)", u, res.StatusCode, res.Status) p.badPGP("Fetching PGP key %s status code: %d (%s)",
u, res.StatusCode, res.Status)
continue continue
} }
@ -622,24 +641,24 @@ func (p *processor) checkPGPKeys(domain string, lg func(string, ...interface{}))
}() }()
if err != nil { if err != nil {
lg("Reading PGP key %s failed: %v", u, err) p.badPGP("Reading PGP key %s failed: %v", u, err)
continue continue
} }
if ckey.GetFingerprint() != string(key.Fingerprint) { if ckey.GetFingerprint() != string(key.Fingerprint) {
lg("Fingerprint of PGP key %s do not match remotely loaded.", u) p.badPGP("Fingerprint of PGP key %s do not match remotely loaded.", u)
continue continue
} }
keyring, err := crypto.NewKeyRing(ckey) keyring, err := crypto.NewKeyRing(ckey)
if err != nil { if err != nil {
lg("Creating key ring for %s failed: %v.", u, err) p.badPGP("Creating key ring for %s failed: %v.", u, err)
continue continue
} }
p.keys = append(p.keys, keyring) p.keys = append(p.keys, keyring)
} }
if len(p.keys) == 0 { if len(p.keys) == 0 {
lg("No PGP keys loaded.") p.badPGP("No PGP keys loaded.")
} }
return nil return nil
} }

6
cmd/csaf_checker/reporters.go
View file

@ -91,11 +91,11 @@ func (r *providerMetadataReport) report(p *processor, domain *Domain) {
func (r *securityReporter) report(p *processor, domain *Domain) { func (r *securityReporter) report(p *processor, domain *Domain) {
req := r.requirement(domain) req := r.requirement(domain)
if len(p.badSecurity) == 0 { if len(p.badSecurities) == 0 {
req.message("No problems with security.txt.") req.message("No problems with security.txt.")
return return
} }
req.Messages = p.badSecurity req.Messages = p.badSecurities
} }
func (r *wellknownMetadataReporter) report(_ *processor, domain *Domain) { func (r *wellknownMetadataReporter) report(_ *processor, domain *Domain) {
@ -145,10 +145,10 @@ func (r *integrityReporter) report(p *processor, domain *Domain) {
func (r *signaturesReporter) report(p *processor, domain *Domain) { func (r *signaturesReporter) report(p *processor, domain *Domain) {
req := r.requirement(domain) req := r.requirement(domain)
req.Messages = p.badSignatures
if len(p.badSignatures) == 0 { if len(p.badSignatures) == 0 {
req.message("All signatures verified.") req.message("All signatures verified.")
} }
req.Messages = p.badSignatures
} }
func (r *publicPGPKeyReporter) report(p *processor, domain *Domain) { func (r *publicPGPKeyReporter) report(p *processor, domain *Domain) {