SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 18:15:42 +01:00
Code Issues Releases Activity Actions

Add tests for no hash given or available

Browse source
This commit is contained in:
koplas 2024-12-13 15:54:39 +01:00
parent ebd96011fc
commit 9dd4b7fc8d
6 changed files with 711 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

10
cmd/csaf_checker/processor.go
View file

@ -20,7 +20,6 @@ import (
"fmt" "fmt"
"io" "io"
"log" "log"
"log/slog"
"net/http" "net/http"
"net/url" "net/url"
"path/filepath" "path/filepath"
@ -586,14 +585,11 @@ func (p *processor) rolieFeedEntries(feed string) ([]csaf.AdvisoryFile, error) {
switch { switch {
case sha256 == "" && sha512 == "": case sha256 == "" && sha512 == "":
slog.Error("No hash listed on ROLIE feed", "file", url) p.badROLIEFeed.error("No hash listed on ROLIE feed %s", url)
return
case sign == "": case sign == "":
slog.Error("No signature listed on ROLIE feed", "file", url) p.badROLIEFeed.error("No signature listed on ROLIE feed %s", url)
return
default:
file = csaf.PlainAdvisoryFile{Path: url, SHA256: sha256, SHA512: sha512, Sign: sign}
} }
file = csaf.PlainAdvisoryFile{Path: url, SHA256: sha256, SHA512: sha512, Sign: sign}
files = append(files, file) files = append(files, file)
}) })

101
cmd/csaf_checker/processor_test.go
View file

@ -29,6 +29,9 @@ func getRequirementTestData(t *testing.T, params testutil.ProviderParams, direct
if params.EnableSha512 { if params.EnableSha512 {
path += "sha512-" path += "sha512-"
} }
if params.ForbidHashFetching {
path += "forbid-hash-fetching-"
}
if directoryProvider { if directoryProvider {
path += "directory" path += "directory"
} else { } else {
@ -61,46 +64,74 @@ func getRequirementTestData(t *testing.T, params testutil.ProviderParams, direct
func TestShaMarking(t *testing.T) { func TestShaMarking(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
directoryProvider bool directoryProvider bool
enableSha256 bool enableSha256 bool
enableSha512 bool enableSha512 bool
forbidHashFetching bool
}{ }{
{ {
name: "deliver sha256 and sha512", name: "deliver sha256 and sha512",
directoryProvider: false, directoryProvider: false,
enableSha256: true, enableSha256: true,
enableSha512: true, enableSha512: true,
forbidHashFetching: false,
}, },
{ {
name: "only deliver sha256", name: "enable sha256 and sha512, forbid fetching",
directoryProvider: false, directoryProvider: false,
enableSha256: true, enableSha256: true,
enableSha512: false, enableSha512: true,
forbidHashFetching: true,
}, },
{ {
name: "only deliver sha512", name: "only deliver sha256",
directoryProvider: false, directoryProvider: false,
enableSha256: false, enableSha256: true,
enableSha512: true, enableSha512: false,
forbidHashFetching: false,
}, },
{ {
name: "deliver sha256 and sha512, directory provider", name: "only deliver sha512",
directoryProvider: true, directoryProvider: false,
enableSha256: true, enableSha256: false,
enableSha512: true, enableSha512: true,
forbidHashFetching: false,
}, },
{ {
name: "only deliver sha256, directory provider", name: "deliver sha256 and sha512, directory provider",
directoryProvider: true, directoryProvider: true,
enableSha256: true, enableSha256: true,
enableSha512: false, enableSha512: true,
forbidHashFetching: false,
}, },
{ {
name: "only deliver sha512, directory provider", name: "only deliver sha256, directory provider",
directoryProvider: true, directoryProvider: true,
enableSha256: false, enableSha256: true,
enableSha512: true, enableSha512: false,
forbidHashFetching: false,
},
{
name: "only deliver sha512, directory provider",
directoryProvider: true,
enableSha256: false,
enableSha512: true,
forbidHashFetching: false,
},
{
name: "no hash",
directoryProvider: false,
enableSha256: false,
enableSha512: false,
forbidHashFetching: false,
},
{
name: "no hash, directory provider",
directoryProvider: true,
enableSha256: false,
enableSha512: false,
forbidHashFetching: false,
}, },
} }
@ -111,9 +142,10 @@ func TestShaMarking(t *testing.T) {
tt.Parallel() tt.Parallel()
serverURL := "" serverURL := ""
params := testutil.ProviderParams{ params := testutil.ProviderParams{
URL: "", URL: "",
EnableSha256: test.enableSha256, EnableSha256: test.enableSha256,
EnableSha512: test.enableSha512, EnableSha512: test.enableSha512,
ForbidHashFetching: test.forbidHashFetching,
} }
server := httptest.NewTLSServer(testutil.ProviderHandler(&params, test.directoryProvider)) server := httptest.NewTLSServer(testutil.ProviderHandler(&params, test.directoryProvider))
defer server.Close() defer server.Close()
@ -141,9 +173,10 @@ func TestShaMarking(t *testing.T) {
} }
expected := getRequirementTestData(t, expected := getRequirementTestData(t,
testutil.ProviderParams{ testutil.ProviderParams{
URL: serverURL, URL: serverURL,
EnableSha256: test.enableSha256, EnableSha256: test.enableSha256,
EnableSha512: test.enableSha512, EnableSha512: test.enableSha512,
ForbidHashFetching: test.forbidHashFetching,
}, },
test.directoryProvider) test.directoryProvider)
for i, got := range report.Domains[0].Requirements { for i, got := range report.Domains[0].Requirements {

10
internal/testutil/testutil.go
View file

@ -18,9 +18,10 @@ import (
// ProviderParams configures the test provider. // ProviderParams configures the test provider.
type ProviderParams struct { type ProviderParams struct {
URL string URL string
EnableSha256 bool EnableSha256 bool
EnableSha512 bool EnableSha512 bool
ForbidHashFetching bool
} }
// ProviderHandler returns a test provider handler with the specified configuration. // ProviderHandler returns a test provider handler with the specified configuration.
@ -49,6 +50,9 @@ func ProviderHandler(params *ProviderParams, directoryProvider bool) http.Handle
w.Header().Add("Content-Type", "text/html") w.Header().Add("Content-Type", "text/html")
case strings.HasSuffix(path, ".json"): case strings.HasSuffix(path, ".json"):
w.Header().Add("Content-Type", "application/json") w.Header().Add("Content-Type", "application/json")
case (strings.HasSuffix(path, ".sha256") || strings.HasSuffix(path, ".sha512")) && params.ForbidHashFetching:
w.WriteHeader(http.StatusForbidden)
return
case strings.HasSuffix(path, ".sha256") && directoryProvider && !params.EnableSha256: case strings.HasSuffix(path, ".sha256") && directoryProvider && !params.EnableSha256:
w.WriteHeader(http.StatusNotFound) w.WriteHeader(http.StatusNotFound)
return return

210
testdata/processor-requirements/directory.json vendored Normal file
View file

@ -0,0 +1,210 @@
[
{
"num": 1,
"description": "Valid CSAF documents",
"messages": [
{
"type": 1,
"text": "No remote validator configured"
},
{
"type": 0,
"text": "All advisories validated fine against the schema."
}
]
},
{
"num": 2,
"description": "Filename",
"messages": [
{
"type": 0,
"text": "All found filenames are conforming."
}
]
},
{
"num": 3,
"description": "TLS",
"messages": [
{
"type": 0,
"text": "All tested URLs were HTTPS."
}
]
},
{
"num": 4,
"description": "TLP:WHITE",
"messages": [
{
"type": 0,
"text": "All advisories labeled TLP:WHITE were freely accessible."
}
]
},
{
"num": 5,
"description": "TLP:AMBER and TLP:RED",
"messages": [
{
"type": 0,
"text": "No advisories labeled TLP:AMBER or TLP:RED tested for accessibility."
}
]
},
{
"num": 6,
"description": "Redirects",
"messages": [
{
"type": 0,
"text": "No redirections found."
}
]
},
{
"num": 7,
"description": "provider-metadata.json",
"messages": [
{
"type": 0,
"text": "Found good provider metadata."
}
]
},
{
"num": 8,
"description": "security.txt",
"messages": [
{
"type": 0,
"text": "Performed no test of security.txt since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 9,
"description": "/.well-known/csaf/provider-metadata.json",
"messages": [
{
"type": 0,
"text": "Performed no test on whether the provider-metadata.json is available under the .well-known path since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 10,
"description": "DNS path",
"messages": [
{
"type": 0,
"text": "Performed no test on the contents of https://csaf.data.security.DOMAIN since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 11,
"description": "One folder per year",
"messages": [
{
"type": 2,
"text": "No year folder found in {{.URL}}/white/avendor-advisory-0004.json"
}
]
},
{
"num": 12,
"description": "index.txt",
"messages": [
{
"type": 0,
"text": "Found {{.URL}}/white/index.txt"
}
]
},
{
"num": 13,
"description": "changes.csv",
"messages": [
{
"type": 0,
"text": "Found {{.URL}}/white/changes.csv"
}
]
},
{
"num": 14,
"description": "Directory listings",
"messages": [
{
"type": 0,
"text": "All directory listings are valid."
}
]
},
{
"num": 15,
"description": "ROLIE feed",
"messages": [
{
"type": 2,
"text": "ROLIE feed based distribution was not used."
}
]
},
{
"num": 16,
"description": "ROLIE service document",
"messages": [
{
"type": 1,
"text": "No ROLIE service document found."
}
]
},
{
"num": 17,
"description": "ROLIE category document",
"messages": [
{
"type": 1,
"text": "No ROLIE category document found."
}
]
},
{
"num": 18,
"description": "Integrity",
"messages": [
{
"type": 0,
"text": "Fetching {{.URL}}/white/avendor-advisory-0004.json.sha256 failed: Status code 404 (404 Not Found)"
},
{
"type": 0,
"text": "Fetching {{.URL}}/white/avendor-advisory-0004.json.sha512 failed: Status code 404 (404 Not Found)"
}
]
},
{
"num": 19,
"description": "Signatures",
"messages": [
{
"type": 0,
"text": "All signatures verified."
}
]
},
{
"num": 20,
"description": "Public OpenPGP Key",
"messages": [
{
"type": 0,
"text": "1 public OpenPGP key(s) loaded."
}
]
}
]

210
testdata/processor-requirements/rolie.json vendored Normal file
View file

@ -0,0 +1,210 @@
[
{
"num": 1,
"description": "Valid CSAF documents",
"messages": [
{
"type": 1,
"text": "No remote validator configured"
},
{
"type": 0,
"text": "All advisories validated fine against the schema."
}
]
},
{
"num": 2,
"description": "Filename",
"messages": [
{
"type": 0,
"text": "All found filenames are conforming."
}
]
},
{
"num": 3,
"description": "TLS",
"messages": [
{
"type": 0,
"text": "All tested URLs were HTTPS."
}
]
},
{
"num": 4,
"description": "TLP:WHITE",
"messages": [
{
"type": 0,
"text": "All advisories labeled TLP:WHITE were freely accessible."
}
]
},
{
"num": 5,
"description": "TLP:AMBER and TLP:RED",
"messages": [
{
"type": 0,
"text": "No advisories labeled TLP:AMBER or TLP:RED tested for accessibility."
}
]
},
{
"num": 6,
"description": "Redirects",
"messages": [
{
"type": 0,
"text": "No redirections found."
}
]
},
{
"num": 7,
"description": "provider-metadata.json",
"messages": [
{
"type": 0,
"text": "Found good provider metadata."
}
]
},
{
"num": 8,
"description": "security.txt",
"messages": [
{
"type": 0,
"text": "Performed no test of security.txt since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 9,
"description": "/.well-known/csaf/provider-metadata.json",
"messages": [
{
"type": 0,
"text": "Performed no test on whether the provider-metadata.json is available under the .well-known path since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 10,
"description": "DNS path",
"messages": [
{
"type": 0,
"text": "Performed no test on the contents of https://csaf.data.security.DOMAIN since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 11,
"description": "One folder per year",
"messages": [
{
"type": 2,
"text": "No year folder found in {{.URL}}/white/avendor-advisory-0004.json"
}
]
},
{
"num": 12,
"description": "index.txt",
"messages": [
{
"type": 2,
"text": "Fetching index.txt failed: {{.URL}}/index.txt not found."
}
]
},
{
"num": 13,
"description": "changes.csv",
"messages": [
{
"type": 2,
"text": "Fetching changes.csv failed: {{.URL}}/changes.csv not found."
}
]
},
{
"num": 14,
"description": "Directory listings",
"messages": [
{
"type": 2,
"text": "Fetching {{.URL}}/white/ failed. Status code 404 (404 Not Found)"
},
{
"type": 2,
"text": "Not listed advisories: {{.URL}}/white/avendor-advisory-0004.json"
}
]
},
{
"num": 15,
"description": "ROLIE feed",
"messages": [
{
"type": 2,
"text": "No hash listed on ROLIE feed {{.URL}}/white/avendor-advisory-0004.json"
}
]
},
{
"num": 16,
"description": "ROLIE service document",
"messages": [
{
"type": 0,
"text": "ROLIE service document validated fine."
}
]
},
{
"num": 17,
"description": "ROLIE category document",
"messages": [
{
"type": 1,
"text": "Fetching {{.URL}}/white/category-white.json failed. Status code 404 (404 Not Found)"
}
]
},
{
"num": 18,
"description": "Integrity",
"messages": [
{
"type": 0,
"text": "All checksums match."
}
]
},
{
"num": 19,
"description": "Signatures",
"messages": [
{
"type": 0,
"text": "All signatures verified."
}
]
},
{
"num": 20,
"description": "Public OpenPGP Key",
"messages": [
{
"type": 0,
"text": "1 public OpenPGP key(s) loaded."
}
]
}
]

214
testdata/processor-requirements/sha256-sha512-forbid-hash-fetching-rolie.json vendored Normal file
View file

@ -0,0 +1,214 @@
[
{
"num": 1,
"description": "Valid CSAF documents",
"messages": [
{
"type": 1,
"text": "No remote validator configured"
},
{
"type": 0,
"text": "All advisories validated fine against the schema."
}
]
},
{
"num": 2,
"description": "Filename",
"messages": [
{
"type": 0,
"text": "All found filenames are conforming."
}
]
},
{
"num": 3,
"description": "TLS",
"messages": [
{
"type": 0,
"text": "All tested URLs were HTTPS."
}
]
},
{
"num": 4,
"description": "TLP:WHITE",
"messages": [
{
"type": 0,
"text": "All advisories labeled TLP:WHITE were freely accessible."
}
]
},
{
"num": 5,
"description": "TLP:AMBER and TLP:RED",
"messages": [
{
"type": 0,
"text": "No advisories labeled TLP:AMBER or TLP:RED tested for accessibility."
}
]
},
{
"num": 6,
"description": "Redirects",
"messages": [
{
"type": 0,
"text": "No redirections found."
}
]
},
{
"num": 7,
"description": "provider-metadata.json",
"messages": [
{
"type": 0,
"text": "Found good provider metadata."
}
]
},
{
"num": 8,
"description": "security.txt",
"messages": [
{
"type": 0,
"text": "Performed no test of security.txt since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 9,
"description": "/.well-known/csaf/provider-metadata.json",
"messages": [
{
"type": 0,
"text": "Performed no test on whether the provider-metadata.json is available under the .well-known path since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 10,
"description": "DNS path",
"messages": [
{
"type": 0,
"text": "Performed no test on the contents of https://csaf.data.security.DOMAIN since the direct url of the provider-metadata.json was used."
}
]
},
{
"num": 11,
"description": "One folder per year",
"messages": [
{
"type": 2,
"text": "No year folder found in {{.URL}}/white/avendor-advisory-0004.json"
}
]
},
{
"num": 12,
"description": "index.txt",
"messages": [
{
"type": 2,
"text": "Fetching index.txt failed: {{.URL}}/index.txt not found."
}
]
},
{
"num": 13,
"description": "changes.csv",
"messages": [
{
"type": 2,
"text": "Fetching changes.csv failed: {{.URL}}/changes.csv not found."
}
]
},
{
"num": 14,
"description": "Directory listings",
"messages": [
{
"type": 2,
"text": "Fetching {{.URL}}/white/ failed. Status code 404 (404 Not Found)"
},
{
"type": 2,
"text": "Not listed advisories: {{.URL}}/white/avendor-advisory-0004.json"
}
]
},
{
"num": 15,
"description": "ROLIE feed",
"messages": [
{
"type": 0,
"text": "All checked ROLIE feeds validated fine."
}
]
},
{
"num": 16,
"description": "ROLIE service document",
"messages": [
{
"type": 0,
"text": "ROLIE service document validated fine."
}
]
},
{
"num": 17,
"description": "ROLIE category document",
"messages": [
{
"type": 1,
"text": "Fetching {{.URL}}/white/category-white.json failed. Status code 404 (404 Not Found)"
}
]
},
{
"num": 18,
"description": "Integrity",
"messages": [
{
"type": 2,
"text": "Fetching {{.URL}}/white/avendor-advisory-0004.json.sha256 failed: Status code 403 (403 Forbidden)"
},
{
"type": 2,
"text": "Fetching {{.URL}}/white/avendor-advisory-0004.json.sha512 failed: Status code 403 (403 Forbidden)"
}
]
},
{
"num": 19,
"description": "Signatures",
"messages": [
{
"type": 0,
"text": "All signatures verified."
}
]
},
{
"num": 20,
"description": "Public OpenPGP Key",
"messages": [
{
"type": 0,
"text": "1 public OpenPGP key(s) loaded."
}
]
}
]