* Create dummy structure to uniquely identify each advisory
* Remove dummy values, remove unused variable for now
* Formatting
* Add Evaluation of whether a white Advisory is access protected and add it to the respective slice, implement functionality
* Initialize p.whiteAdvisories before using it, stop sorting if no Client was used
* Ammend rules to include requirement 4, warning instead of error if white advisory is found protected, use badWhitePermissions.use()
* Formatting
* Fix typo: avaible -> available
* Improve check on whether building identifier failed
* Move extracting of tlp labels and related functions from processor to roliecheck
* Create Labelchecker and check access of white advisories regardless of whether ROLIE feeds exist. Only check Ranks if ROLIE feeds are used
* Formatting
* Do not use label checker as a pointer.
* Rename label checker
* Add XXX to questionable code.
* Simplify checking white advisories.
* Improve error message if no checks for accessibility of white advisories were done
* Extract TLP label directly without extractTLP function, consistent plural in error message
* Add comments and check type assertion in tlp label extraction.
* Move check for white advisories to label checker.
* Improve methods naming an comments.
* Address a few review questions.
* Move functionality of checkProtection fully into evaluateTLP
* Add comments and warn only if we are in a white feed or in a dirlisting.
---------
Co-authored-by: JanHoefelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: JanHoefelmeyer <hoefelmeyer.jan@gmail.com>
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
* Add badROLIEfeed as Topic Message
* Use badROLIEfeed to guarantee existant TLP labels White, Green or unlabeled. (Test not implemented)
* syntax
* Formatting
* Add Tlp check, completion struct
* Add mismatch to completion, add function checkCompletion to fill mismatch and also give an error if invalid tlp levels have been used
* formatting
* Add function to remove incomplete csaf feeds from list of complete csaf feeds for a given tlp level
* Add checkSummary function that checks whether a given feed would qualify as summary feed between all currently checked feeds
* Add completed check of tlp levels
* Add checks for correct hashes and signatures in ROLIE feed
* formatting
* Add rolieFeedReporter functionality
* fix typo
* Add todo, add return values to functions
* Switch error, ... return value so error returns last
* Fix typo
* Remove hash/sig checks that don't work, improve ROLIE message
* Add handling for advisories without tlp level
* Formatting
* Clean up rolie checks.
* Started with simplifying rolie checking
* Every ROLIE with data should have a summary.
* Clean up ROLIE feed label checker.
* if no TLP level can be extracted, return Unlabeled, not WHITE
* Add handling of advisories whose tlp exists, but has no label
* Also check TLP Red for completeness
* Only remove advisory from remain when it has exactly the right tlp color.
* Fix import in new rolie feed checker.
* Update comment to reflect current functionality
* Accept advisory of lesser tlp color in feed as completing.
* Collect advisory labels from advisories.
* Clarify that if no summary feed was found, it may exist but be either not listed or not accessible.
* Do not clone advisory lookup before.
* Move rolie check code to respective file.
---------
Co-authored-by: JanHoefelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: JanHoefelmeyer <hoefelmeyer.jan@gmail.com>
* Rephrase csaf validation result
* Change Checker report depending on whether and how a remote validator was used.
* Formatting
* Improve code readability
---------
Co-authored-by: JanHoefelmeyer <hoefelmeyer.jan@gmail.com>
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
* Change checking to test for Security, wellknown and DNS requirement at once and only throws error if all three fail.
* Use security.txt parser from csaf/util to extract provider url.
* Improve code comments and messages for the reports.
Co-authored-by: Jan Höfelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
Co-authored-by: Bernhard Reiter <bernhard@intevation.de>
* Changes phrasing of redirects to be clearer. Now omits redirects if they are already listed as part of a larger redirect chain
* Rebuilt how the redirection string is built. Now checks for duplicate redirections after all redirections have been read
* Fixes intendation error
* Fixed redirect output.
* Fixed recording redirects.
Co-authored-by: Jan Höfelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
* updates phrasing of error message if processor does not check security.txt due to an earlier error
* Fixes typo in error message
Co-authored-by: Jan Höfelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
* Make it dynamic by the domain given for the check.
* Change reporting text to be more clear about which is the dynamic
part (in lack of direct access to the path which was checked.)
* Implement testing if the provider-metadata.json is under
/.well-known/csaf/ available.
* Implement testing if the DNS is available and serves the
provider-metadata.json
* Remove minor typos.
* Go upper case for HTTPS as this is more common.
* Make texts indicating a good result start with somethink else
than "No", this removes an indirection in thinking and also offers
a visible difference.
* Bump copyright year to 2022.
* Do PGP to "public OpenPGP keys" while at the reporters.go file
while at it (to make merging easier).
* Use an explicit message to indicate that a check is not done because
of a missing implementation.
