Merge pull request #122 from csaf-poc/checker-more-implementation

Checker more implementation
2025-12-22 11:55:40 +01:00 · 2022-05-04 15:49:19 +02:00 · 2022-05-04 15:49:19 +02:00 · de4f50787d
commit de4f50787d
parent e1f71a5693 72e6df2987
2 changed files with 95 additions and 14 deletions
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@ -49,14 +49,16 @@ type processor struct {
 	pmd            interface{}
 	keys           []*crypto.KeyRing

-	badIntegrities      topicMessages
-	badPGPs             topicMessages
-	badSignatures       topicMessages
-	badProviderMetadata topicMessages
-	badSecurity         topicMessages
-	badIndices          topicMessages
-	badChanges          topicMessages
-	badFolders          topicMessages
+	badIntegrities       topicMessages
+	badPGPs              topicMessages
+	badSignatures        topicMessages
+	badProviderMetadata  topicMessages
+	badSecurity          topicMessages
+	badIndices           topicMessages
+	badChanges           topicMessages
+	badFolders           topicMessages
+	badWellknownMetadata topicMessages
+	badDNSPath           topicMessages

 	expr *util.PathEval
 }
@ -191,6 +193,8 @@ func (p *processor) checkDomain(domain string) error {
 		(*processor).checkSecurity,
 		(*processor).checkCSAFs,
 		(*processor).checkMissing,
+		(*processor).checkWellknownMetadataReporter,
+		(*processor).checkDNSPathReporter,
 	} {
 		if err := check(p, domain); err != nil && err != errContinue {
 			if err == errStop {
@ -1003,3 +1007,64 @@ func (p *processor) checkPGPKeys(domain string) error {
 	}
 	return nil
 }
+
+// checkWellknownMetadataReporter checks if the provider-metadata.json file is
+// avaialable under the /.well-known/csaf/ directory.
+// It returns nil if all checks are passed, otherwise error.
+func (p *processor) checkWellknownMetadataReporter(domain string) error {
+
+	client := p.httpClient()
+
+	p.badWellknownMetadata.use()
+
+	path := "https://" + domain + "/.well-known/csaf/provider-metadata.json"
+
+	res, err := client.Get(path)
+	if err != nil {
+		p.badWellknownMetadata.add("Fetiching %s failed: %v", path, err)
+		return errContinue
+	}
+	if res.StatusCode != http.StatusOK {
+		p.badWellknownMetadata.add("Fetching %s failed. Status code %d (%s)",
+			path, res.StatusCode, res.Status)
+		return errContinue
+	}
+
+	return nil
+}
+
+// checkDNSPathReporter checks if the "csaf.data.security.domain.tld" DNS record is available
+// and serves the "provider-metadata.json".
+// It returns nil if all checks are passed, otherwise error.
+func (p *processor) checkDNSPathReporter(domain string) error {
+
+	client := p.httpClient()
+
+	p.badDNSPath.use()
+
+	path := "https://csaf.data.security.domain.tld"
+	res, err := client.Get(path)
+	if err != nil {
+		p.badDNSPath.add("Fetiching %s failed: %v", path, err)
+		return errContinue
+	}
+	if res.StatusCode != http.StatusOK {
+		p.badDNSPath.add("Fetching %s failed. Status code %d (%s)",
+			path, res.StatusCode, res.Status)
+		return errContinue
+	}
+	hash := sha256.New()
+	defer res.Body.Close()
+	content, err := io.ReadAll(res.Body)
+	if err != nil {
+		p.badDNSPath.add("Error while reading the response form %s", path)
+		return errContinue
+	}
+	hash.Write(content)
+	if !bytes.Equal(hash.Sum(nil), p.pmd256) {
+		p.badDNSPath.add("The csaf.data.security.domain.tld DNS record does not serve the provider-metatdata.json")
+		return errContinue
+	}
+
+	return nil
+}
--- a/cmd/csaf_checker/reporters.go
+++ b/cmd/csaf_checker/reporters.go
@ -119,16 +119,32 @@ func (r *securityReporter) report(p *processor, domain *Domain) {
 	req.Messages = p.badSecurity
 }

-func (r *wellknownMetadataReporter) report(_ *processor, domain *Domain) {
-	// TODO: Implement me!
+//report tests the availability of the "provider-metadata.json" under /.well-known/csaf/ directoy.
+func (r *wellknownMetadataReporter) report(p *processor, domain *Domain) {
 	req := r.requirement(domain)
-	req.message("(Not checked, missing implementation.)")
+	if !p.badWellknownMetadata.used() {
+		req.message("No check if provider-metadata.json is under /.well-known/csaf/ was done.")
+		return
+	}
+	if len(p.badWellknownMetadata) == 0 {
+		req.message("Found /.well-known/csaf/provider-metadata.json")
+		return
+	}
+	req.Messages = p.badWellknownMetadata
 }

-func (r *dnsPathReporter) report(_ *processor, domain *Domain) {
-	// TODO: Implement me!
+// report tests if the "csaf.data.security.domain.tld" DNS record available and serves the "provider-metadata.json"
+func (r *dnsPathReporter) report(p *processor, domain *Domain) {
 	req := r.requirement(domain)
-	req.message("(Not checked, missing implementation.)")
+	if !p.badDNSPath.used() {
+		req.message("No csaf.data.security.domain.tld DNS record checked.")
+		return
+	}
+	if len(p.badDNSPath) == 0 {
+		req.message("csaf.data.security.domain.tld DNS record is available and serves the provider-metadata.json.")
+		return
+	}
+	req.Messages = p.badDNSPath
 }

 func (r *oneFolderPerYearReport) report(p *processor, domain *Domain) {