diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go index 8eb6404..2a5161c 100644 --- a/cmd/csaf_checker/processor.go +++ b/cmd/csaf_checker/processor.go @@ -1262,10 +1262,26 @@ func (p *processor) checkProviderMetadata(domain string) bool { // It checks the existence of the CSAF field in the file content and tries to fetch // the value of this field. Returns an empty string if no error was encountered, // the errormessage otherwise. -func (p *processor) checkSecurity(domain string) string { +func (p *processor) checkSecurity(domain string, legacy bool) (int, string) { + folder := "https://" + domain + "/" + if !legacy { + folder = folder + ".well-known/" + } + msg := p.checkSecurityFolder(folder) + if msg == "" { + if !legacy { + return 0, "Found valid security.txt within the well-known directory" + } + return 2, "Found valid security.txt in the legacy location" + } + return 1, folder + "security.txt: " + msg +} + +// checkSecurityFolder checks the security.txt in a given folder. +func (p *processor) checkSecurityFolder(folder string) string { client := p.httpClient() - path := "https://" + domain + "/.well-known/security.txt" + path := folder + "security.txt" res, err := client.Get(path) if err != nil { return fmt.Sprintf("Fetching %s failed: %v", path, err) @@ -1298,7 +1314,7 @@ func (p *processor) checkSecurity(domain string) string { return fmt.Sprintf("CSAF URL '%s' invalid: %v", u, err) } - base, err := url.Parse("https://" + domain + "/.well-known/") + base, err := url.Parse(folder) if err != nil { return err.Error() } @@ -1391,7 +1407,14 @@ func (p *processor) checkWellknown(domain string) string { func (p *processor) checkWellknownSecurityDNS(domain string) error { warningsW := p.checkWellknown(domain) - warningsS := p.checkSecurity(domain) + // Security check for well known (default) and legacy location + warningsS, sDMessage := p.checkSecurity(domain, false) + // if the security.txt under .well-known was not okay + // check for a security.txt within its legacy location + sLMessage := "" + if warningsS == 1 { + warningsS, sLMessage = p.checkSecurity(domain, true) + } warningsD := p.checkDNS(domain) p.badWellknownMetadata.use() @@ -1399,17 +1422,30 @@ func (p *processor) checkWellknownSecurityDNS(domain string) error { p.badDNSPath.use() var kind MessageType - if warningsS == "" || warningsD == "" || warningsW == "" { + if warningsS != 1 || warningsD == "" || warningsW == "" { kind = WarnType } else { kind = ErrorType } + // Info, Warning or Error depending on kind and warningS + kindSD := kind + if warningsS == 0 { + kindSD = InfoType + } + kindSL := kind + if warningsS == 2 { + kindSL = InfoType + } + if warningsW != "" { p.badWellknownMetadata.add(kind, warningsW) } - if warningsS != "" { - p.badSecurity.add(kind, warningsS) + p.badSecurity.add(kindSD, sDMessage) + // only if the well-known security.txt was not successful: + // report about the legacy location + if warningsS != 0 { + p.badSecurity.add(kindSL, sLMessage) } if warningsD != "" { p.badDNSPath.add(kind, warningsD) diff --git a/cmd/csaf_checker/reporters.go b/cmd/csaf_checker/reporters.go index 51731e1..c707a14 100644 --- a/cmd/csaf_checker/reporters.go +++ b/cmd/csaf_checker/reporters.go @@ -251,10 +251,6 @@ func (r *securityReporter) report(p *processor, domain *Domain) { req.message(WarnType, "Performed no in-depth test of security.txt.") return } - if len(p.badSecurity) == 0 { - req.message(InfoType, "Found CSAF entry in security.txt.") - return - } req.Messages = p.badSecurity } diff --git a/csaf/providermetaloader.go b/csaf/providermetaloader.go index 4e4eb49..62e8876 100644 --- a/csaf/providermetaloader.go +++ b/csaf/providermetaloader.go @@ -132,8 +132,7 @@ func (pmdl *ProviderMetadataLoader) Load(domain string) *LoadedProviderMetadata } // Next load the PMDs from security.txt - secURL := "https://" + domain + "/.well-known/security.txt" - secResults := pmdl.loadFromSecurity(secURL) + secResults := pmdl.loadFromSecurity(domain) // Filter out the results which are valid. var secGoods []*LoadedProviderMetadata @@ -199,56 +198,63 @@ func (pmdl *ProviderMetadataLoader) Load(domain string) *LoadedProviderMetadata } // loadFromSecurity loads the PMDs mentioned in the security.txt. -func (pmdl *ProviderMetadataLoader) loadFromSecurity(path string) []*LoadedProviderMetadata { +func (pmdl *ProviderMetadataLoader) loadFromSecurity(domain string) []*LoadedProviderMetadata { - res, err := pmdl.client.Get(path) - if err != nil { - pmdl.messages.Add( - HTTPFailed, - fmt.Sprintf("Fetching %q failed: %v", path, err)) - return nil - } - if res.StatusCode != http.StatusOK { - pmdl.messages.Add( - HTTPFailed, - fmt.Sprintf("Fetching %q failed: %s (%d)", path, res.Status, res.StatusCode)) - return nil - } - - // Extract all potential URLs from CSAF. - urls, err := func() ([]string, error) { - defer res.Body.Close() - return ExtractProviderURL(res.Body, true) - }() - - if err != nil { - pmdl.messages.Add( - HTTPFailed, - fmt.Sprintf("Loading %q failed: %v", path, err)) - return nil - } - - var loaded []*LoadedProviderMetadata - - // Load the URLs -nextURL: - for _, url := range urls { - lpmd := pmdl.loadFromURL(url) - // If loading failed note it down. - if !lpmd.Valid() { - pmdl.messages.AppendUnique(lpmd.Messages) + // If .well-known fails try legacy location. + for _, path := range []string{ + "https://" + domain + "/.well-known/security.txt", + "https://" + domain + "/security.txt", + } { + res, err := pmdl.client.Get(path) + if err != nil { + pmdl.messages.Add( + HTTPFailed, + fmt.Sprintf("Fetching %q failed: %v", path, err)) continue } - // Check for duplicates - for _, l := range loaded { - if l == lpmd { - continue nextURL - } + if res.StatusCode != http.StatusOK { + pmdl.messages.Add( + HTTPFailed, + fmt.Sprintf("Fetching %q failed: %s (%d)", path, res.Status, res.StatusCode)) + continue } - loaded = append(loaded, lpmd) - } - return loaded + // Extract all potential URLs from CSAF. + urls, err := func() ([]string, error) { + defer res.Body.Close() + return ExtractProviderURL(res.Body, true) + }() + + if err != nil { + pmdl.messages.Add( + HTTPFailed, + fmt.Sprintf("Loading %q failed: %v", path, err)) + continue + } + + var loaded []*LoadedProviderMetadata + + // Load the URLs + nextURL: + for _, url := range urls { + lpmd := pmdl.loadFromURL(url) + // If loading failed note it down. + if !lpmd.Valid() { + pmdl.messages.AppendUnique(lpmd.Messages) + continue + } + // Check for duplicates + for _, l := range loaded { + if l == lpmd { + continue nextURL + } + } + loaded = append(loaded, lpmd) + } + + return loaded + } + return nil } // loadFromURL loads a provider metadata from a given URL.