
Fix: Now give errors if lookup methods fail, refactor accordingly

This commit is contained in:
JanHoefelmeyer 2025-01-29 09:02:18 +01:00
parent 69df4c0624
commit 7d74543bbb


@ -1340,49 +1340,57 @@ func (p *processor) checkSecurityFolder(folder string) string {
// checkDNS checks if the "csaf.data.security.domain.tld" DNS record is available // checkDNS checks if the "csaf.data.security.domain.tld" DNS record is available
// and serves the "provider-metadata.json". // and serves the "provider-metadata.json".
// It returns an empty string if all checks are passed, otherwise the errormessage. // It returns an empty string if all checks are passed, otherwise the errormessage.
func (p *processor) checkDNS(domain string) string { func (p *processor) checkDNS(domain string) {
p.badDNSPath.use()
client := p.httpClient() client := p.httpClient()
path := "https://csaf.data.security." + domain path := "https://csaf.data.security." + domain
res, err := client.Get(path) res, err := client.Get(path)
if err != nil { if err != nil {
return fmt.Sprintf("Fetching %s failed: %v", path, err) p.badDNSPath.add(ErrorType,
fmt.Sprintf("Fetching %s failed: %v", path, err))
return
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
return fmt.Sprintf("Fetching %s failed. Status code %d (%s)", p.badDNSPath.add(ErrorType,
path, res.StatusCode, res.Status) fmt.Sprintf("Fetching %s failed. Status code %d (%s)",
path, res.StatusCode, res.Status))
} }
hash := sha256.New() hash := sha256.New()
defer res.Body.Close() defer res.Body.Close()
content, err := io.ReadAll(res.Body) content, err := io.ReadAll(res.Body)
if err != nil { if err != nil {
return fmt.Sprintf("Error while reading the response from %s", path) p.badDNSPath.add(ErrorType,
fmt.Sprintf("Error while reading the response from %s", path))
} }
hash.Write(content) hash.Write(content)
if !bytes.Equal(hash.Sum(nil), p.pmd256) { if !bytes.Equal(hash.Sum(nil), p.pmd256) {
return fmt.Sprintf("%s does not serve the same provider-metadata.json as previously found", path) p.badDNSPath.add(ErrorType,
fmt.Sprintf("%s does not serve the same provider-metadata.json as previously found",
path))
} }
return ""
} }
// checkWellknownMetadataReporter checks if the provider-metadata.json file is // checkWellknown checks if the provider-metadata.json file is
// available under the /.well-known/csaf/ directory. Returns the errormessage if // available under the /.well-known/csaf/ directory. Returns the errormessage if
// an error was encountered, or an empty string otherwise // an error was encountered, or an empty string otherwise
func (p *processor) checkWellknown(domain string) string { func (p *processor) checkWellknown(domain string) {
p.badWellknownMetadata.use()
client := p.httpClient() client := p.httpClient()
path := "https://" + domain + "/.well-known/csaf/provider-metadata.json" path := "https://" + domain + "/.well-known/csaf/provider-metadata.json"
res, err := client.Get(path) res, err := client.Get(path)
if err != nil { if err != nil {
return fmt.Sprintf("Fetching %s failed: %v", path, err) p.badWellknownMetadata.add(ErrorType,
fmt.Sprintf("Fetching %s failed: %v", path, err))
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
return fmt.Sprintf("Fetching %s failed. Status code %d (%s)", p.badWellknownMetadata.add(ErrorType, fmt.Sprintf("Fetching %s failed. Status code %d (%s)",
path, res.StatusCode, res.Status) path, res.StatusCode, res.Status))
} }
return ""
} }
// checkWellknownSecurityDNS // checkWellknownSecurityDNS
@ -1401,50 +1409,36 @@ func (p *processor) checkWellknown(domain string) string {
// In that case, errors are returned. // In that case, errors are returned.
func (p *processor) checkWellknownSecurityDNS(domain string) error { func (p *processor) checkWellknownSecurityDNS(domain string) error {
warningsW := p.checkWellknown(domain) p.checkWellknown(domain)
p.checkDNS(domain)
// Security check for well known (default) and legacy location // Security check for well known (default) and legacy location
warningsS, sDMessage := p.checkSecurity(domain, false) warnings, sDMessage := p.checkSecurity(domain, false)
// if the security.txt under .well-known was not okay // if the security.txt under .well-known was not okay
// check for a security.txt within its legacy location // check for a security.txt within its legacy location
sLMessage := "" sLMessage := ""
if warningsS == 1 { if warnings == 1 {
warningsS, sLMessage = p.checkSecurity(domain, true) warnings, sLMessage = p.checkSecurity(domain, true)
} }
warningsD := p.checkDNS(domain)
p.badWellknownMetadata.use()
p.badSecurity.use() p.badSecurity.use()
p.badDNSPath.use()
var kind MessageType
if warningsS != 1 || warningsD == "" || warningsW == "" {
kind = WarnType
} else {
kind = ErrorType
}
// Info, Warning or Error depending on kind and warningS // Info, Warning or Error depending on kind and warningS
kindSD := kind kindSD := WarnType
if warningsS == 0 { if warnings == 0 {
kindSD = InfoType kindSD = InfoType
} }
kindSL := kind kindSL := ErrorType
if warningsS == 2 { if warnings == 2 {
kindSL = InfoType kindSL = InfoType
} }
if warningsW != "" {
p.badWellknownMetadata.add(kind, warningsW)
}
p.badSecurity.add(kindSD, sDMessage) p.badSecurity.add(kindSD, sDMessage)
// only if the well-known security.txt was not successful: // only if the well-known security.txt was not successful:
// report about the legacy location // report about the legacy location
if warningsS != 0 { if warnings != 0 {
p.badSecurity.add(kindSL, sLMessage) p.badSecurity.add(kindSL, sLMessage)
} }
if warningsD != "" {
p.badDNSPath.add(kind, warningsD)
}
return nil return nil
} }
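Review bot: In checkWellknown the `if err != nil` branch after `client.Get(path)` now records the error but no longer returns, so on a failed fetch the next line reads `res.StatusCode` from a nil response and panics; the dropped `return` belongs back right after the `p.badWellknownMetadata.add(ErrorType, ...)` call. checkDNS has the same gap twice: after the `res.StatusCode != http.StatusOK` check and after the `io.ReadAll` error the function keeps going, hashes an error page or a truncated body and compares it with `p.pmd256`, so one failed fetch is reported as a status error and then again as a misleading "does not serve the same provider-metadata.json" error. A bare `return` after each of those `add()` calls keeps one finding per failure and matches the control flow the old code had. While there, checkWellknown never closes `res.Body`; a `defer res.Body.Close()` after the error check would align it with checkDNS.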