Open tschmidtb51 opened 2 years ago
I can confirm this issue. It is still appearing.
This is in the current version (v2.2.1-95-ga65fead) even worse, as SHA-512 or SHA-256 that are missing result in failing of requirement 18.
At least the following cases must be covered:
For the first 4 cases, it would be nice to collapse the message to one summary, if it is true for all tested advisories.
Shall this be done as part of service+dev? Just add the label.
Looking at the issue again, I think an additional option would be nice, where I could explicitly point out which hash should be looked for.
I just want to inform you that this issue impacted us too. We run a CSAF Trusted Provider I would describe as "type 4" within the list @tschmidtb51 provided (Just SHA512 present and folder based distribution used).
So under "num": 18, "description": "Integrity",
We get tons of:
"text": "Fetching https://securitybulletin.huawei.com/.well-known/csaf/xxxxxxx/xxxxxxxxxx/xxxxxxxxxxxx/en/2024/xxxxxxxxxxxxxx.json.sha256 failed: Status code 400 (400 )"
Whereas corresponding .sha512 files are present.
I got the feedback from a colleague that the corresponding pull request does not fully resolve the situation (and lacks a bit of documentation on what CLI options to use).
Imo @tschmidtb51 is right with his listing of cases, and it'd be great to have a way to explicitly point out which hash the checker should be looking for.
We need to improve the error message for requirement 18 if only one hash is found: currently, it reports the other one as missing and labels that as an error. This applies only if the missing hash wasn't listed in the ROLIE feed.
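The reporting behaviour discussed in this thread, as an added Go example (not the checker's own code and not from any participant): a hash file that was only probed and is absent is informational, one listed in the ROLIE feed but absent is an error, and at least one valid hash must exist. `HashFile`, `CheckIntegrity`, the severity strings and the `<hex digest>  <filename>` file layout are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"strings"
)

type HashFile struct { // one "<advisory>.json.<algo>" file as seen by a checker
	Algo   string // "sha256" or "sha512"
	Listed bool   // true if the ROLIE feed entry referenced this file
	Status int    // HTTP status of the fetch
	Body   string // file content, assumed "<hex digest>  <filename>"
}

func digest(algo string, doc []byte) string {
	if algo == "sha512" {
		return fmt.Sprintf("%x", sha512.Sum512(doc))
	}
	return fmt.Sprintf("%x", sha256.Sum256(doc))
}

// CheckIntegrity returns findings formatted as "<severity>: <message>".
func CheckIntegrity(doc []byte, files []HashFile) []string {
	out, valid := []string{}, 0
	for _, f := range files {
		fields := strings.Fields(f.Body)
		switch {
		case f.Status != 200 && f.Listed: // promised by the feed but absent
			out = append(out, fmt.Sprintf("error: listed %s file failed with status %d", f.Algo, f.Status))
		case f.Status != 200: // only probed, never advertised (assumed: not an error)
			out = append(out, fmt.Sprintf("info: no %s file published", f.Algo))
		case len(fields) == 0 || !strings.EqualFold(fields[0], digest(f.Algo, doc)):
			out = append(out, fmt.Sprintf("error: %s digest does not match advisory", f.Algo))
		default:
			valid++
		}
	}
	if valid == 0 { // assumed: requirement 18 needs at least one valid hash
		out = append(out, "error: no valid hash file for this advisory")
	}
	return out
}

func main() { // constructed sample: only the .sha512 file is published
	doc := []byte(`{"document":{"title":"constructed sample"}}`)
	fmt.Println(CheckIntegrity(doc, []HashFile{{Algo: "sha256", Status: 400},
		{Algo: "sha512", Status: 200, Body: digest("sha512", doc) + "  sample.json"}}))
}
```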