SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Implement more tests for checker

Browse source 
* Implement testing if the provider-metadata.json is under
/.well-known/csaf/ available.
* Implement testing if the DNS is available and serves the
provider-metadata.json
This commit is contained in:
Fadi Abbud 2022-05-04 15:23:03 +02:00
parent e1f71a5693
commit ea9c6b4502
2 changed files with 95 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

83
cmd/csaf_checker/processor.go
View file

@ -49,14 +49,16 @@ type processor struct {
pmd interface{} pmd interface{}
keys []*crypto.KeyRing keys []*crypto.KeyRing
badIntegrities topicMessages badIntegrities topicMessages
badPGPs topicMessages badPGPs topicMessages
badSignatures topicMessages badSignatures topicMessages
badProviderMetadata topicMessages badProviderMetadata topicMessages
badSecurity topicMessages badSecurity topicMessages
badIndices topicMessages badIndices topicMessages
badChanges topicMessages badChanges topicMessages
badFolders topicMessages badFolders topicMessages
badWellknownMetadataReporter topicMessages
badDNSPathReporter topicMessages
expr *util.PathEval expr *util.PathEval
} }
@ -191,6 +193,8 @@ func (p *processor) checkDomain(domain string) error {
(*processor).checkSecurity, (*processor).checkSecurity,
(*processor).checkCSAFs, (*processor).checkCSAFs,
(*processor).checkMissing, (*processor).checkMissing,
(*processor).checkWellknownMetadataReporter,
(*processor).checkDNSPathReporter,
} { } {
if err := check(p, domain); err != nil && err != errContinue { if err := check(p, domain); err != nil && err != errContinue {
if err == errStop { if err == errStop {
@ -1003,3 +1007,66 @@ func (p *processor) checkPGPKeys(domain string) error {
} }
return nil return nil
} }
// checkWellknownMetadataReporter checks if the provider-metadata.json file is
// avaialable under the /.well-known/csaf/ directory.
func (p *processor) checkWellknownMetadataReporter(domain string) error {
client := p.httpClient()
p.badWellknownMetadataReporter.use()
path := "https://" + domain + "/.well-known/csaf/provider-metadata.json"
res, err := client.Get(path)
if err != nil {
p.badWellknownMetadataReporter.add("Fetiching %s failed: %v", path, err)
return errContinue
}
if res.StatusCode != http.StatusOK {
p.badWellknownMetadataReporter.add("Fetching %s failed. Status code %d (%s)",
path, res.StatusCode, res.Status)
return errContinue
}
return nil
}
func (p *processor) checkDNSPathReporter(domain string) error {
client := p.httpClient()
p.badDNSPathReporter.use()
path := "https://csaf.data.security.domain.tld"
res, err := client.Get(path)
if err != nil {
p.badDNSPathReporter.add("Fetiching %s failed: %v", path, err)
return errContinue
}
if res.StatusCode != http.StatusOK {
p.badDNSPathReporter.add("Fetching %s failed. Status code %d (%s)",
path, res.StatusCode, res.Status)
return errContinue
}
hash := sha256.New()
defer res.Body.Close()
//tee := io.TeeReader(res.Body, hash)
content, err := io.ReadAll(res.Body)
if err != nil {
p.badDNSPathReporter.add("Error while reading the response form %s", path)
return errContinue
}
hash.Write(content)
/* if err := json.NewDecoder(tee).Decode(&p.pmd); err != nil {
p.badDNSPathReporter.add("%s: Decoding JSON failed: %v", path, err)
return errContinue
} */
if !bytes.Equal(hash.Sum(nil), p.pmd256) {
p.badDNSPathReporter.add("The csaf.data.security.domain.tld DNS record does not serve the provider-metatdata.json")
return errContinue
}
return nil
}

26
cmd/csaf_checker/reporters.go
View file

@ -119,16 +119,30 @@ func (r *securityReporter) report(p *processor, domain *Domain) {
req.Messages = p.badSecurity req.Messages = p.badSecurity
} }
func (r *wellknownMetadataReporter) report(_ *processor, domain *Domain) { func (r *wellknownMetadataReporter) report(p *processor, domain *Domain) {
// TODO: Implement me!
req := r.requirement(domain) req := r.requirement(domain)
req.message("(Not checked, missing implementation.)") if !p.badWellknownMetadataReporter.used() {
req.message("No check if provider-metadata.json is under /.well-known/csaf/ was done.")
return
}
if len(p.badWellknownMetadataReporter) == 0 {
req.message("Found /.well-known/csaf/provider-metadata.json")
return
}
req.Messages = p.badWellknownMetadataReporter
} }
func (r *dnsPathReporter) report(_ *processor, domain *Domain) { func (r *dnsPathReporter) report(p *processor, domain *Domain) {
// TODO: Implement me!
req := r.requirement(domain) req := r.requirement(domain)
req.message("(Not checked, missing implementation.)") if !p.badDNSPathReporter.used() {
req.message("No csaf.data.security.domain.tld DNS record checked.")
return
}
if len(p.badDNSPathReporter) == 0 {
req.message("csaf.data.security.domain.tld DNS record is available and serves the provider-metadata.json.")
return
}
req.Messages = p.badDNSPathReporter
} }
func (r *oneFolderPerYearReport) report(p *processor, domain *Domain) { func (r *oneFolderPerYearReport) report(p *processor, domain *Domain) {