Change: cmd/csaf_checker/processor.go: Seperate check of security.txt…

… under .well-known and legacy location into different messages to improve readability
gocsaf · Nov 21, 2023 · 318c898 · 318c898
1 parent 3935d9a
commit 318c898
Showing 1 changed file with 37 additions and 20 deletions.
diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
@@ -1262,22 +1262,20 @@ func (p *processor) checkProviderMetadata(domain string) bool {
 // It checks the existence of the CSAF field in the file content and tries to fetch
 // the value of this field. Returns an empty string if no error was encountered,
 // the errormessage otherwise.
-func (p *processor) checkSecurity(domain string) string {
-	var msgs []string
-	// Try well-known first and fall back to legacy when it fails.
-	for _, folder := range []string{
-		"https://" + domain + "/.well-known/",
-		"https://" + domain + "/",
-	} {
-		msg := p.checkSecurityFolder(folder)
-		if msg == "" {
-			break
-		}
-		// Show which security.txt caused this message
-		lmsg := folder + "security.txt: " + msg
-		msgs = append(msgs, lmsg)
-	}
-	return strings.Join(msgs, "; ")
+func (p *processor) checkSecurity(domain string, legacy bool) (int, string) {
+	folder := "https://" + domain + "/"
+	if !legacy {
+		folder = folder + ".well-known/"
+	}
+	msg := p.checkSecurityFolder(folder)
+	if msg == "" {
+		if !legacy {
+			return 0, "Found valid security.txt within the well-known directory"
+		} else {
+			return 2, "Found valid security.txt in the legacy location"
+		}
+	}
+	return 1, folder + "security.txt: " + msg
 }
 
 // checkSecurityFolder checks the security.txt in a given folder.
@@ -1410,25 +1408,44 @@ func (p *processor) checkWellknown(domain string) string {
 func (p *processor) checkWellknownSecurityDNS(domain string) error {
 
 	warningsW := p.checkWellknown(domain)
-	warningsS := p.checkSecurity(domain)
+	// Security check for well known (default) and legacy location
+	warningsS, sDMessage := p.checkSecurity(domain, false)
+	// if the security.txt under .well-known was not okay
+	sLMessage := ""
+	if warningsS == 1 {
+		warningsS, sLMessage = p.checkSecurity(domain, true)
+	}
 	warningsD := p.checkDNS(domain)
 
 	p.badWellknownMetadata.use()
 	p.badSecurity.use()
 	p.badDNSPath.use()
 
 	var kind MessageType
-	if warningsS == "" || warningsD == "" || warningsW == "" {
+	if warningsS != 1 || warningsD == "" || warningsW == "" {
 		kind = WarnType
 	} else {
 		kind = ErrorType
 	}
 
+	// Info, Warning or Error depending on kind and warningS
+	kindSD := kind
+	if warningsS == 0 {
+		kindSD = InfoType
+	}
+	kindSL := kind
+	if warningsS == 2 {
+		kindSL = InfoType
+	}
+
 	if warningsW != "" {
 		p.badWellknownMetadata.add(kind, warningsW)
 	}
-	if warningsS != "" {
-		p.badSecurity.add(kind, warningsS)
+	p.badSecurity.add(kindSD, sDMessage)
+	// only if the well-known security.txt was not successful:
+	// report about the legacy location
+	if warningsS != 0 {
+		p.badSecurity.add(kindSL, sLMessage)
 	}
 	if warningsD != "" {
 		p.badDNSPath.add(kind, warningsD)