Comments (7)
s-l-teichmann
commented on August 17, 2024
2
The decoding of the metadata fails earlier, but this error is wrongly rated as none essential and is only written to the report.
The analysis continues and dies later as the invariant of having the document loaded is not fulfilled.
The report then is never written out so that the reason of the error vanishes into nowhere.
I'm going to fix this.
from csaf_distribution.
bernhardreiter
commented on August 17, 2024
1
Hi @tolim
note that we are still "work in progress", so some stuff may still fail or be suboptimal.
The failure comes from a call to
csaf_distribution/cmd/csaf_checker/processor.go
Lines 177 to 179 in 2a69c13
So I guess that some required attribute is missing from the provider-metatdata.json file.
We'll take this as a hint to add more diagnostic messages.
Thanks for the feedback!
Bernhard
from csaf_distribution.
s-l-teichmann
commented on August 17, 2024
1
PR #26 introduces a mechanism to stop a running domain check and still dump out the report. This needs some work because the parts of the check which do not run due to the stop are currently marked as successful. This is not correct.
from csaf_distribution.
tschmidtb51
commented on August 17, 2024
I was stumbling upon
csaf_distribution/cmd/csaf_checker/processor.go
Lines 708 to 712 in c57de75
but I might be on the wrong track:
The provider-metadata.json can be found either
- through the CSAF field in the security.txt (Requirement 8) or
- in the .well-known path (Requirement 9) or
- through the DNS path (Requirement 10)
More than one may exist, however to be valid at least one MUST exist... Even though the .well-known path is preferred it is not the only option here.
from csaf_distribution.
bernhardreiter
commented on August 17, 2024
I suggest we make the location of the provider-metadata.json a new issue and refer to 7.2.2: "satisfies at least one of the requirements 8 to 10"
As far as I know, the first issue here is improved: we get a diagnostic message now with current main.
from csaf_distribution.
tschmidtb51
commented on August 17, 2024
I suggest we make the location of the
provider-metadata.jsona new issue and refer to 7.2.2: "satisfies at least one of the requirements 8 to 10"
Sounds good to me.
from csaf_distribution.
bernhardreiter
commented on August 17, 2024
The situation has improved. A call like
./bin-linux-amd64/csaf_checker example.org
now contains the following in the output:
"domains": [
{
"name": "example.org",
[..]
"description": "provider-metadata.json",
"messages": [
"No provider-metadata.json found.",
"STOPPING here - cannot perform other checks."
So we believe this issue to be resolved.
from csaf_distribution.
Related Issues (20)
- Improve output when PMD is invalid HOT 1
- Correct overall result if `distributions` is missing in PMD
- Document debugging HOT 1
- Roliechecker checks for feedlabel, reports about an advisorylabel HOT 1
- Add options to specify time periods to select CSAF documents for downloading/checking HOT 2
- Support client-based authorization via certificates HOT 2
- Add Config file for downloader and checker HOT 2
- Validation of documents and protocols
- Allow for all downloaded files to be stored within a singular folder HOT 2
- Make HTTP-Header redirects no longer be a reason for checker failure HOT 1
- Improve message in requirement 4 HOT 1
- Add option for all checks
- Checker: For Trusted Providers, make Requirements 11-14 or 15-17 mandatory. HOT 1
- Checker: ROLIE validation too late?
- Filter lpmd.Messages in checkProvidermetadata in processor.go
- Fix lax redirect interpretation in 9 (and 10)
- Differentiate between different ProviderMetadataloadmessages for csaf-checker HOT 1
- Make handling of config files symmetrical HOT 2
- Remove `--years` flag from checker. HOT 2
- Document known retrieval limitation
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from csaf_distribution.