From d8e903587a8744b51227da17867505da75a44c41 Mon Sep 17 00:00:00 2001
From: koplas
Date: Wed, 18 Dec 2024 15:37:58 +0100
Subject: [PATCH] Warn only if the other hash could be fetched
---
 cmd/csaf_checker/processor.go | 28 +++++++++++++------
 .../sha256-sha512-forbid-sha256-rolie.json | 2 +-
 .../sha256-sha512-forbid-sha512-rolie.json | 2 +-
 3 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index b913864..224e225 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -757,6 +757,9 @@ func (p *processor) integrity(
 hashes = append(hashes, hash{"SHA512", f.SHA512URL, s512.Sum(nil)})
 }
+ couldFetchHash := false
+ hashFetchErrors := []string{}
+
 for _, x := range hashes {
 hu, err := url.Parse(x.url())
 if err != nil {
@@ -768,19 +771,15 @@ func (p *processor) integrity(
 p.checkTLS(hashFile)
 if res, err = client.Get(hashFile); err != nil {
- p.badIntegrities.error("Fetching %s failed: %v.", hashFile, err)
+ hashFetchErrors = append(hashFetchErrors, fmt.Sprintf("Fetching %s failed: %v.", hashFile, err))
 continue
 }
 if res.StatusCode != http.StatusOK {
- if f.IsDirectory() {
- p.badIntegrities.info("Fetching %s failed: Status code %d (%s)",
- hashFile, res.StatusCode, res.Status)
- } else {
- p.badIntegrities.error("Fetching %s failed: Status code %d (%s)",
- hashFile, res.StatusCode, res.Status)
- }
+ hashFetchErrors = append(hashFetchErrors, fmt.Sprintf("Fetching %s failed: Status code %d (%s)",
+ hashFile, res.StatusCode, res.Status))
 continue
 }
+ couldFetchHash = true
 h, err := func() ([]byte, error) {
 defer res.Body.Close()
 return util.HashFromReader(res.Body)
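Review bot: In the first hunk of processor.go, `hashFetchErrors := []string{}` allocates an empty slice where the nil form `var hashFetchErrors []string` is the usual Go idiom; `append` and `range` behave the same on it. A short comment above the two declarations would also help the next reader, for example `// fetch failures are collected here and classified once all hash files were tried`. integrity's body starts and ends outside the hunk.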
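Review bot: The `client.Get` error branch in the second hunk now queues the transport failure in `hashFetchErrors` together with the HTTP status failures, so the classification applied after the loop also downgrades it: to info whenever `f.IsDirectory()` is true, and to a warning once any other hash file was fetched. Before this change that branch always called `p.badIntegrities.error`, and only non-200 status codes were relaxed for directory files. A connection or TLS failure while fetching an integrity file is a different signal from a 403, so unless the downgrade is intended I would leave that branch as `p.badIntegrities.error("Fetching %s failed: %v.", hashFile, err)` and queue only the status-code case. The updated testdata covers only the 403 case, and integrity's body starts and ends outside the hunk.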
@@ -798,6 +797,19 @@ func (p *processor) integrity(
 x.ext, u, hashFile)
 }
 }
+
+ msgType := ErrorType
+ // Log only as warning, if the other hash could be fetched
+ if couldFetchHash {
+ msgType = WarnType
+ }
+ if f.IsDirectory() {
+ msgType = InfoType
+ }
+ for _, fetchError := range hashFetchErrors {
+ p.badIntegrities.add(msgType, fetchError)
+ }
+
 // Check signature
 su, err := url.Parse(f.SignURL())
 if err != nil {
diff --git a/testdata/processor-requirements/sha256-sha512-forbid-sha256-rolie.json b/testdata/processor-requirements/sha256-sha512-forbid-sha256-rolie.json
index 2a1f2a8..72a173a 100644
--- a/testdata/processor-requirements/sha256-sha512-forbid-sha256-rolie.json
+++ b/testdata/processor-requirements/sha256-sha512-forbid-sha256-rolie.json
@@ -182,7 +182,7 @@
 "description": "Integrity",
 "messages": [
 {
- "type": 2,
+ "type": 1,
 "text": "Fetching {{.URL}}/white/avendor-advisory-0004.json.sha256 failed: Status code 403 (403 Forbidden)"
 }
 ]
diff --git a/testdata/processor-requirements/sha256-sha512-forbid-sha512-rolie.json b/testdata/processor-requirements/sha256-sha512-forbid-sha512-rolie.json
index 2a4c98f..1ab8f1e 100644
--- a/testdata/processor-requirements/sha256-sha512-forbid-sha512-rolie.json
+++ b/testdata/processor-requirements/sha256-sha512-forbid-sha512-rolie.json
@@ -182,7 +182,7 @@
 "description": "Integrity",
 "messages": [
 {
- "type": 2,
+ "type": 1,
 "text": "Fetching {{.URL}}/white/avendor-advisory-0004.json.sha512 failed: Status code 403 (403 Forbidden)"
 }
 ]
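Review bot: `p.badIntegrities.add(msgType, fetchError)`, in the block added after the hash loop of integrity (cmd/csaf_checker/processor.go), passes an already formatted message in what looks like a format position; `add` is not visible here, but the sibling `error` and `info` calls take a format string plus arguments. If `add` works the same way, any `%` in `hashFile` (a URL taken from the provider's feed, possibly percent-encoded) or in `res.Status` (sent by the remote server) is interpreted a second time and the logged message is garbled. Passing the text as an argument avoids that: `p.badIntegrities.add(msgType, "%s", fetchError)`. The enclosing function continues beyond this hunk.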