From 2cfb4b8e498a4261e85aaf19033031cfb3534a9a Mon Sep 17 00:00:00 2001
From: Bernhard Reiter
Date: Tue, 17 May 2022 15:34:39 +0200
Subject: [PATCH 1/2] Fix DNS path check

* Make it dynamic by the domain given for the check.
* Change reporting text to be more clear about which is the dynamic part (in lack of direct access to the path which was checked.)
---
 cmd/csaf_checker/processor.go | 12 ++++++------
 cmd/csaf_checker/reporters.go | 4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index 877d492..957e2bd 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -1032,7 +1032,7 @@ func (p *processor) checkPGPKeys(domain string) error {
 }
 
 // checkWellknownMetadataReporter checks if the provider-metadata.json file is
-// avaialable under the /.well-known/csaf/ directory.
+// available under the /.well-known/csaf/ directory.
 // It returns nil if all checks are passed, otherwise error.
 func (p *processor) checkWellknownMetadataReporter(domain string) error {
 
@@ -1044,7 +1044,7 @@ func (p *processor) checkWellknownMetadataReporter(domain string) error {
 
  res, err := client.Get(path)
  if err != nil {
- p.badWellknownMetadata.add("Fetiching %s failed: %v", path, err)
+ p.badWellknownMetadata.add("Fetching %s failed: %v", path, err)
  return errContinue
  }
  if res.StatusCode != http.StatusOK {
@@ -1065,10 +1065,10 @@ func (p *processor) checkDNSPathReporter(domain string) error {
 
  p.badDNSPath.use()
 
- path := "https://csaf.data.security.domain.tld"
+ path := "https://csaf.data.security." + domain
  res, err := client.Get(path)
  if err != nil {
- p.badDNSPath.add("Fetiching %s failed: %v", path, err)
+ p.badDNSPath.add("Fetching %s failed: %v", path, err)
  return errContinue
  }
  if res.StatusCode != http.StatusOK {
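Review bot: The new `path := "https://csaf.data.security." + domain` splices `domain` into the URL unchecked, so a value containing `/`, `:`, `?` or `@` would silently point the probe at a different host, port or path instead of being reported as a bad input; validating that `domain` is a bare host name before building the URL, or recording the rejection via `p.badDNSPath.add(...)`, keeps the check aimed at the intended name. Whether the caller already normalises `domain` is not visible here. checkDNSPathReporter's body continues past the hunk.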
@@ -1080,12 +1080,12 @@ func (p *processor) checkDNSPathReporter(domain string) error {
  defer res.Body.Close()
  content, err := io.ReadAll(res.Body)
  if err != nil {
- p.badDNSPath.add("Error while reading the response form %s", path)
+ p.badDNSPath.add("Error while reading the response from %s", path)
  return errContinue
  }
  hash.Write(content)
  if !bytes.Equal(hash.Sum(nil), p.pmd256) {
- p.badDNSPath.add("The csaf.data.security.domain.tld DNS record does not serve the provider-metatdata.json")
+ p.badDNSPath.add("%s does not serve the same provider-metadata.json as previously found", path)
  return errContinue
  }
 
diff --git a/cmd/csaf_checker/reporters.go b/cmd/csaf_checker/reporters.go
index 6abd5eb..5ec824a 100644
--- a/cmd/csaf_checker/reporters.go
+++ b/cmd/csaf_checker/reporters.go
@@ -137,11 +137,11 @@ func (r *wellknownMetadataReporter) report(p *processor, domain *Domain) {
 func (r *dnsPathReporter) report(p *processor, domain *Domain) {
  req := r.requirement(domain)
  if !p.badDNSPath.used() {
- req.message("No csaf.data.security.domain.tld DNS record checked.")
+ req.message("No download from https://csaf.data.security.DOMAIN attempted.")
  return
  }
  if len(p.badDNSPath) == 0 {
- req.message("csaf.data.security.domain.tld DNS record is available and serves the provider-metadata.json.")
+ req.message("https://csaf.data.security.DOMAIN is available and serves the provider-metadata.json.")
  return
  }
  req.Messages = p.badDNSPath

From 9eca8a924f3d876a864fbc7ece8e7b3b09b9c771 Mon Sep 17 00:00:00 2001
From: Bernhard Reiter
Date: Tue, 17 May 2022 16:08:38 +0200
Subject: [PATCH 2/2] Improved searching for provider-metadata.json

* Changes order to try the DNS path after security.txt.
* Add diagnostic output which URL is looked for.
---
 cmd/csaf_checker/processor.go | 47 ++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index 957e2bd..fd2e0a4 100644
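Review bot: The new message `%s does not serve the same provider-metadata.json as previously found` presumes `p.pmd256` holds the digest of an earlier find; if this reporter can run when no provider-metadata.json was located, `bytes.Equal` fails against an empty digest and the text blames the DNS host for a mismatch that never happened. A guard before the comparison, `if len(p.pmd256) == 0 { p.badDNSPath.add("no provider-metadata.json found earlier to compare %s against", path); return errContinue }`, would make that case explicit. Whether the caller guarantees p.pmd256 is set is not visible here. The function body begins before this hunk.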
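Review bot: The literal `DOMAIN` placeholder in both new messages is a stand-in the reporter could avoid: `report` receives `domain *Domain`, and checkDNSPathReporter already builds the concrete URL, so recording that URL on the processor at the point where `p.badDNSPath.use()` is called would let `req.message(...)` name the host that was actually probed. Whether `*Domain` exposes the name directly is not visible here.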
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -729,6 +729,7 @@ func (p *processor) locateProviderMetadata(
  client := p.httpClient()
 
  tryURL := func(url string) (bool, error) {
+ log.Printf("Trying: %v\n", url)
  res, err := client.Get(url)
  if err != nil || res.StatusCode != http.StatusOK ||
  res.Header.Get("Content-Type") != "application/json" {
@@ -762,32 +763,38 @@ func (p *processor) locateProviderMetadata(
 
  // Read from security.txt
  path := "https://" + domain + "/.well-known/security.txt"
+ log.Printf("Searching in: %v\n", path)
  res, err := client.Get(path)
- if err != nil {
- return err
- }
+ if err == nil && res.StatusCode == http.StatusOK {
+ loc, err := func() (string, error) {
+ defer res.Body.Close()
+ return p.extractProviderURL(res.Body)
+ }()
 
- if res.StatusCode != http.StatusOK {
- return nil
- }
+ if err != nil {
+ log.Printf("did not find provider URL in /.well-known/security.txt, error: %v\n", err)
+ }
 
- loc, err := func() (string, error) {
- defer res.Body.Close()
- return p.extractProviderURL(res.Body)
- }()
-
- if err != nil {
- log.Printf("error: %v\n", err)
- return nil
- }
-
- if loc != "" {
- if _, err = tryURL(loc); err == errContinue {
- err = nil
+ if loc != "" {
+ if _, err = tryURL(loc); err == errContinue {
+ err = nil
+ }
+ return err
  }
  }
 
- return err
+ // Read from DNS path
+
+ path = "https://csaf.data.security." + domain
+ ok, err := tryURL(path)
+ if err != nil {
+ return err
+ }
+ if ok {
+ return nil
+ }
+
+ return errStop
 }
 
 func (p *processor) extractProviderURL(r io.Reader) (string, error) {
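Review bot: The trailing `\n` in the new `log.Printf("Trying: %v\n", url)` is redundant, since log.Printf terminates the line itself, and `%v` on a string is just `%s`; because `url` can come from a remote security.txt (the `tryURL(loc)` call in the next hunk), `%q` is the safer verb, as it escapes control characters that would otherwise let a response body forge extra log lines: `log.Printf("Trying: %q", url)`. The same `\n` and `%v` pattern recurs in the two Printf calls added in the following hunk. tryURL's body continues past the hunk.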
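Review bot: When the security.txt request succeeds with a non-200 status, `res.Body` is never closed, because the only Close is the deferred one inside the closure that runs solely in the `err == nil && res.StatusCode == http.StatusOK` branch; adding `if err == nil { defer res.Body.Close() }` directly after `res, err := client.Get(path)` (and dropping the closure's own defer) covers both paths. The `return err` inside `if loc != ""` also ends the search whenever security.txt names any location, so if `tryURL(loc)` yielding `false, errContinue` means that URL did not serve a provider-metadata.json, the new DNS fallback below is never reached in exactly the case where it would help — worth confirming against tryURL's contract. A failed `client.Get(path)` for security.txt is now dropped silently where the old code returned it; given this commit's aim of diagnostic output, `log.Printf("fetching %s failed: %v", path, err)` in that case would keep the trail complete. The function body begins before this hunk.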