csaf-poc / csaf_distribution

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Checker: Improve checking for provider-metadata.json using all methods, including DNS Path. #29

Closed Fadiabb closed 2 years ago

Fadiabb commented 2 years ago

Split out from #24.

The checker has to check if the provider-metadata.json can be found in at least one of the following to be valid:

These should be fulfilled according to the second group of the requirements in Role: CSAF provider

bernhardreiter commented 2 years ago

Is addressed in branch https://github.com/csaf-poc/csaf_distribution/tree/checker-locate-provider-metadata-json

bernhardreiter commented 2 years ago

Should be implemented. @Fadiabb please give it a test.

bernhardreiter commented 2 years ago

Current head does not do searching for DNS correctly, here is my test (internal):

curl https://csaf.data.security.intevation.de --insecure --silent | head -2
{
  "canonical_url": "https://localhost:8443/.well-known/csaf/provider-metadata.json",

./bin-linux-amd64/csaf_checker --version
0.3.1-31-g29f26e0

./bin-linux-amd64/csaf_checker intevation.de
[..]
"No provider-metadata.json found.",
[...]
          "num": 10,
          "description": "DNS path",
          "messages": [
            "No csaf.data.security.domain.tld DNS record checked."

bernhardreiter commented 2 years ago

Branch https://github.com/csaf-poc/csaf_distribution/tree/dev-dns-detection will have improvements.

bernhardreiter commented 2 years ago

With #138 we check for DNS, so we check at least all methods once. As for the specific order and details, the remaining part of this is tracked in #60. (With this overlap resolved, we can close here.)
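As an added illustration of the behaviour discussed in this issue (not code from csaf_checker itself), the Go program below tries all the locations shown above for a domain instead of stopping at the first miss, and keeps each found document's canonical_url so a mismatch with the serving URL, like the localhost:8443 one in the test output, can be reported. It covers only the two methods visible on this page (well-known path and DNS path host csaf.data.security.<domain>); the names Location, CandidateURLs and Locate are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// Location is one place to look for provider-metadata.json; Err == nil means found.
type Location struct {
	Method, URL, CanonicalURL string
	Err                       error
}

// CandidateURLs lists the places tried: the well-known path and the DNS path host
// csaf.data.security.<domain>, which serves the document at its root (as curl above).
func CandidateURLs(domain string) []Location {
	return []Location{
		{Method: "well-known", URL: "https://" + domain + "/.well-known/csaf/provider-metadata.json"},
		{Method: "DNS path", URL: "https://csaf.data.security." + domain},
	}
}

// Locate tries every candidate, never stopping at the first miss, and records the
// canonical_url each found document declares so it can be compared with c.URL.
func Locate(client *http.Client, cands []Location) (found bool) {
	for i := range cands {
		c := &cands[i]
		resp, err := client.Get(c.URL)
		if c.Err = err; err != nil { // dial, DNS or TLS failure: method unusable
			continue
		}
		var doc struct{ CanonicalURL string `json:"canonical_url"` }
		err = json.NewDecoder(resp.Body).Decode(&doc)
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK || err != nil {
			c.Err = fmt.Errorf("HTTP %d, decode error: %v", resp.StatusCode, err)
			continue
		}
		c.CanonicalURL, found = doc.CanonicalURL, true
	}
	return found
}

func main() {
	cands := CandidateURLs(os.Args[1])
	fmt.Println("provider-metadata.json found:", Locate(http.DefaultClient, cands))
	fmt.Printf("%+v\n", cands)
}
```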