mirror of
https://github.com/gocsaf/csaf.git
synced 2025-12-22 18:15:42 +01:00
Merge pull request #122 from csaf-poc/checker-more-implementation
Checker more implementation
This commit is contained in:
Sascha L. Teichmann
GitHub
commit
de4f50787d
2 changed files with 95 additions and 14 deletions
|
|
@ -57,6 +57,8 @@ type processor struct {
|
||||||
badIndices topicMessages
|
badIndices topicMessages
|
||||||
badChanges topicMessages
|
badChanges topicMessages
|
||||||
badFolders topicMessages
|
badFolders topicMessages
|
||||||
|
badWellknownMetadata topicMessages
|
||||||
|
badDNSPath topicMessages
|
||||||
|
|
||||||
expr *util.PathEval
|
expr *util.PathEval
|
||||||
}
|
}
|
||||||
|
|
@ -191,6 +193,8 @@ func (p *processor) checkDomain(domain string) error {
|
||||||
(*processor).checkSecurity,
|
(*processor).checkSecurity,
|
||||||
(*processor).checkCSAFs,
|
(*processor).checkCSAFs,
|
||||||
(*processor).checkMissing,
|
(*processor).checkMissing,
|
||||||
|
(*processor).checkWellknownMetadataReporter,
|
||||||
|
(*processor).checkDNSPathReporter,
|
||||||
} {
|
} {
|
||||||
if err := check(p, domain); err != nil && err != errContinue {
|
if err := check(p, domain); err != nil && err != errContinue {
|
||||||
if err == errStop {
|
if err == errStop {
|
||||||
|
|
@ -1003,3 +1007,64 @@ func (p *processor) checkPGPKeys(domain string) error {
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// checkWellknownMetadataReporter checks if the provider-metadata.json file is
|
||||||
|
// avaialable under the /.well-known/csaf/ directory.
|
||||||
|
// It returns nil if all checks are passed, otherwise error.
|
||||||
|
func (p *processor) checkWellknownMetadataReporter(domain string) error {
|
||||||
|
|
||||||
|
client := p.httpClient()
|
||||||
|
|
||||||
|
p.badWellknownMetadata.use()
|
||||||
|
|
||||||
|
path := "https://" + domain + "/.well-known/csaf/provider-metadata.json"
|
||||||
|
|
||||||
|
res, err := client.Get(path)
|
||||||
|
if err != nil {
|
||||||
|
p.badWellknownMetadata.add("Fetiching %s failed: %v", path, err)
|
||||||
|
return errContinue
|
||||||
|
}
|
||||||
|
if res.StatusCode != http.StatusOK {
|
||||||
|
p.badWellknownMetadata.add("Fetching %s failed. Status code %d (%s)",
|
||||||
|
path, res.StatusCode, res.Status)
|
||||||
|
return errContinue
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// checkDNSPathReporter checks if the "csaf.data.security.domain.tld" DNS record is available
|
||||||
|
// and serves the "provider-metadata.json".
|
||||||
|
// It returns nil if all checks are passed, otherwise error.
|
||||||
|
func (p *processor) checkDNSPathReporter(domain string) error {
|
||||||
|
|
||||||
|
client := p.httpClient()
|
||||||
|
|
||||||
|
p.badDNSPath.use()
|
||||||
|
|
||||||
|
path := "https://csaf.data.security.domain.tld"
|
||||||
|
res, err := client.Get(path)
|
||||||
|
if err != nil {
|
||||||
|
p.badDNSPath.add("Fetiching %s failed: %v", path, err)
|
||||||
|
return errContinue
|
||||||
|
}
|
||||||
|
if res.StatusCode != http.StatusOK {
|
||||||
|
p.badDNSPath.add("Fetching %s failed. Status code %d (%s)",
|
||||||
|
path, res.StatusCode, res.Status)
|
||||||
|
return errContinue
|
||||||
|
}
|
||||||
|
hash := sha256.New()
|
||||||
|
defer res.Body.Close()
|
||||||
|
content, err := io.ReadAll(res.Body)
|
||||||
|
if err != nil {
|
||||||
|
p.badDNSPath.add("Error while reading the response form %s", path)
|
||||||
|
return errContinue
|
||||||
|
}
|
||||||
|
hash.Write(content)
|
||||||
|
if !bytes.Equal(hash.Sum(nil), p.pmd256) {
|
||||||
|
p.badDNSPath.add("The csaf.data.security.domain.tld DNS record does not serve the provider-metatdata.json")
|
||||||
|
return errContinue
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -119,16 +119,32 @@ func (r *securityReporter) report(p *processor, domain *Domain) {
|
||||||
req.Messages = p.badSecurity
|
req.Messages = p.badSecurity
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *wellknownMetadataReporter) report(_ *processor, domain *Domain) {
|
//report tests the availability of the "provider-metadata.json" under /.well-known/csaf/ directoy.
|
||||||
// TODO: Implement me!
|
func (r *wellknownMetadataReporter) report(p *processor, domain *Domain) {
|
||||||
req := r.requirement(domain)
|
req := r.requirement(domain)
|
||||||
req.message("(Not checked, missing implementation.)")
|
if !p.badWellknownMetadata.used() {
|
||||||
|
req.message("No check if provider-metadata.json is under /.well-known/csaf/ was done.")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(p.badWellknownMetadata) == 0 {
|
||||||
|
req.message("Found /.well-known/csaf/provider-metadata.json")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
req.Messages = p.badWellknownMetadata
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *dnsPathReporter) report(_ *processor, domain *Domain) {
|
// report tests if the "csaf.data.security.domain.tld" DNS record available and serves the "provider-metadata.json"
|
||||||
// TODO: Implement me!
|
func (r *dnsPathReporter) report(p *processor, domain *Domain) {
|
||||||
req := r.requirement(domain)
|
req := r.requirement(domain)
|
||||||
req.message("(Not checked, missing implementation.)")
|
if !p.badDNSPath.used() {
|
||||||
|
req.message("No csaf.data.security.domain.tld DNS record checked.")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(p.badDNSPath) == 0 {
|
||||||
|
req.message("csaf.data.security.domain.tld DNS record is available and serves the provider-metadata.json.")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
req.Messages = p.badDNSPath
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *oneFolderPerYearReport) report(p *processor, domain *Domain) {
|
func (r *oneFolderPerYearReport) report(p *processor, domain *Domain) {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue