SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Change: cmd/csaf_checker/processor.go: Seperate check of security.txt under .well-known and legacy location into different messages to improve readability

Browse source
This commit is contained in:
JanHoefelmeyer 2023-11-21 12:09:37 +01:00
parent 3935d9aa7a
commit 318c898a83
1 changed files with 36 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

55
cmd/csaf_checker/processor.go
View file

@ -1262,22 +1262,20 @@ func (p *processor) checkProviderMetadata(domain string) bool {
// It checks the existence of the CSAF field in the file content and tries to fetch // It checks the existence of the CSAF field in the file content and tries to fetch
// the value of this field. Returns an empty string if no error was encountered, // the value of this field. Returns an empty string if no error was encountered,
// the errormessage otherwise. // the errormessage otherwise.
func (p *processor) checkSecurity(domain string) string { func (p *processor) checkSecurity(domain string, legacy bool) (int, string) {
var msgs []string folder := "https://" + domain + "/"
// Try well-known first and fall back to legacy when it fails. if !legacy {
for _, folder := range []string{ folder = folder + ".well-known/"
"https://" + domain + "/.well-known/",
"https://" + domain + "/",
} {
msg := p.checkSecurityFolder(folder)
if msg == "" {
break
}
// Show which security.txt caused this message
lmsg := folder + "security.txt: " + msg
msgs = append(msgs, lmsg)
} }
return strings.Join(msgs, "; ") msg := p.checkSecurityFolder(folder)
if msg == "" {
if !legacy {
return 0, "Found valid security.txt within the well-known directory"
} else {
return 2, "Found valid security.txt in the legacy location"
}
}
return 1, folder + "security.txt: " + msg
} }
// checkSecurityFolder checks the security.txt in a given folder. // checkSecurityFolder checks the security.txt in a given folder.
@ -1410,7 +1408,13 @@ func (p *processor) checkWellknown(domain string) string {
func (p *processor) checkWellknownSecurityDNS(domain string) error { func (p *processor) checkWellknownSecurityDNS(domain string) error {
warningsW := p.checkWellknown(domain) warningsW := p.checkWellknown(domain)
warningsS := p.checkSecurity(domain) // Security check for well known (default) and legacy location
warningsS, sDMessage := p.checkSecurity(domain, false)
// if the security.txt under .well-known was not okay
sLMessage := ""
if warningsS == 1 {
warningsS, sLMessage = p.checkSecurity(domain, true)
}
warningsD := p.checkDNS(domain) warningsD := p.checkDNS(domain)
p.badWellknownMetadata.use() p.badWellknownMetadata.use()
@ -1418,17 +1422,30 @@ func (p *processor) checkWellknownSecurityDNS(domain string) error {
p.badDNSPath.use() p.badDNSPath.use()
var kind MessageType var kind MessageType
if warningsS == "" || warningsD == "" || warningsW == "" { if warningsS != 1 || warningsD == "" || warningsW == "" {
kind = WarnType kind = WarnType
} else { } else {
kind = ErrorType kind = ErrorType
} }
// Info, Warning or Error depending on kind and warningS
kindSD := kind
if warningsS == 0 {
kindSD = InfoType
}
kindSL := kind
if warningsS == 2 {
kindSL = InfoType
}
if warningsW != "" { if warningsW != "" {
p.badWellknownMetadata.add(kind, warningsW) p.badWellknownMetadata.add(kind, warningsW)
} }
if warningsS != "" { p.badSecurity.add(kindSD, sDMessage)
p.badSecurity.add(kind, warningsS) // only if the well-known security.txt was not successful:
// report about the legacy location
if warningsS != 0 {
p.badSecurity.add(kindSL, sLMessage)
} }
if warningsD != "" { if warningsD != "" {
p.badDNSPath.add(kind, warningsD) p.badDNSPath.add(kind, warningsD)