SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Merge pull request #138 from csaf-poc/dev-dns-detection

Browse source 
Improve metadata detection for checker
This commit is contained in:
Sascha L. Teichmann 2022-05-17 16:21:11 +02:00 committed by GitHub
commit e12a47f2f1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

39
cmd/csaf_checker/processor.go
View file

@ -729,6 +729,7 @@ func (p *processor) locateProviderMetadata(
client := p.httpClient() client := p.httpClient()
tryURL := func(url string) (bool, error) { tryURL := func(url string) (bool, error) {
log.Printf("Trying: %v\n", url)
res, err := client.Get(url) res, err := client.Get(url)
if err != nil || res.StatusCode != http.StatusOK || if err != nil || res.StatusCode != http.StatusOK ||
res.Header.Get("Content-Type") != "application/json" { res.Header.Get("Content-Type") != "application/json" {
@ -762,33 +763,39 @@ func (p *processor) locateProviderMetadata(
// Read from security.txt // Read from security.txt
path := "https://" + domain + "/.well-known/security.txt" path := "https://" + domain + "/.well-known/security.txt"
log.Printf("Searching in: %v\n", path)
res, err := client.Get(path) res, err := client.Get(path)
if err != nil { if err == nil && res.StatusCode == http.StatusOK {
return err
}
if res.StatusCode != http.StatusOK {
return nil
}
loc, err := func() (string, error) { loc, err := func() (string, error) {
defer res.Body.Close() defer res.Body.Close()
return p.extractProviderURL(res.Body) return p.extractProviderURL(res.Body)
}() }()
if err != nil { if err != nil {
log.Printf("error: %v\n", err) log.Printf("did not find provider URL in /.well-known/security.txt, error: %v\n", err)
return nil
} }
if loc != "" { if loc != "" {
if _, err = tryURL(loc); err == errContinue { if _, err = tryURL(loc); err == errContinue {
err = nil err = nil
} }
return err
}
} }
// Read from DNS path
path = "https://csaf.data.security." + domain
ok, err := tryURL(path)
if err != nil {
return err return err
} }
if ok {
return nil
}
return errStop
}
func (p *processor) extractProviderURL(r io.Reader) (string, error) { func (p *processor) extractProviderURL(r io.Reader) (string, error) {
urls, err := csaf.ExtractProviderURL(r, true) urls, err := csaf.ExtractProviderURL(r, true)
@ -1032,7 +1039,7 @@ func (p *processor) checkPGPKeys(domain string) error {
} }
// checkWellknownMetadataReporter checks if the provider-metadata.json file is // checkWellknownMetadataReporter checks if the provider-metadata.json file is
// avaialable under the /.well-known/csaf/ directory. // available under the /.well-known/csaf/ directory.
// It returns nil if all checks are passed, otherwise error. // It returns nil if all checks are passed, otherwise error.
func (p *processor) checkWellknownMetadataReporter(domain string) error { func (p *processor) checkWellknownMetadataReporter(domain string) error {
@ -1044,7 +1051,7 @@ func (p *processor) checkWellknownMetadataReporter(domain string) error {
res, err := client.Get(path) res, err := client.Get(path)
if err != nil { if err != nil {
p.badWellknownMetadata.add("Fetiching %s failed: %v", path, err) p.badWellknownMetadata.add("Fetching %s failed: %v", path, err)
return errContinue return errContinue
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
@ -1065,10 +1072,10 @@ func (p *processor) checkDNSPathReporter(domain string) error {
p.badDNSPath.use() p.badDNSPath.use()
path := "https://csaf.data.security.domain.tld" path := "https://csaf.data.security." + domain
res, err := client.Get(path) res, err := client.Get(path)
if err != nil { if err != nil {
p.badDNSPath.add("Fetiching %s failed: %v", path, err) p.badDNSPath.add("Fetching %s failed: %v", path, err)
return errContinue return errContinue
} }
if res.StatusCode != http.StatusOK { if res.StatusCode != http.StatusOK {
@ -1080,12 +1087,12 @@ func (p *processor) checkDNSPathReporter(domain string) error {
defer res.Body.Close() defer res.Body.Close()
content, err := io.ReadAll(res.Body) content, err := io.ReadAll(res.Body)
if err != nil { if err != nil {
p.badDNSPath.add("Error while reading the response form %s", path) p.badDNSPath.add("Error while reading the response from %s", path)
return errContinue return errContinue
} }
hash.Write(content) hash.Write(content)
if !bytes.Equal(hash.Sum(nil), p.pmd256) { if !bytes.Equal(hash.Sum(nil), p.pmd256) {
p.badDNSPath.add("The csaf.data.security.domain.tld DNS record does not serve the provider-metatdata.json") p.badDNSPath.add("%s does not serve the same provider-metadata.json as previously found", path)
return errContinue return errContinue
} }

4
cmd/csaf_checker/reporters.go
View file

@ -137,11 +137,11 @@ func (r *wellknownMetadataReporter) report(p *processor, domain *Domain) {
func (r *dnsPathReporter) report(p *processor, domain *Domain) { func (r *dnsPathReporter) report(p *processor, domain *Domain) {
req := r.requirement(domain) req := r.requirement(domain)
if !p.badDNSPath.used() { if !p.badDNSPath.used() {
req.message("No csaf.data.security.domain.tld DNS record checked.") req.message("No download from https://csaf.data.security.DOMAIN attempted.")
return return
} }
if len(p.badDNSPath) == 0 { if len(p.badDNSPath) == 0 {
req.message("csaf.data.security.domain.tld DNS record is available and serves the provider-metadata.json.") req.message("https://csaf.data.security.DOMAIN is available and serves the provider-metadata.json.")
return return
} }
req.Messages = p.badDNSPath req.Messages = p.badDNSPath