CSAF field improvements (#49)
* added 'invalid_uri_scheme'

* added tests for wrong path and invalid uri scheme

* adding line separator test and some refactoring

* adding the securitytxt.org summary for the security.txt

* changed the line separator check

* bump to version 0.8

* fix for invalid_cert issue reported twice

* added an error if a signed security.txt is not correctly formatted according to the RFC

* bumped version to 0.8.1 for bug fix

* changed the wrong pgp message

* adding CSAF field as recommendation

* formatting with black and resolving linting issues

* adding next version

* fixed some typos

* csaf field improvements

* increased version number

---------

Co-authored-by: SanderKools <[email protected]>
SanderKools-Ordina and SanderKools authored Apr 17, 2023
1 parent 24463a7 commit d236681
Showing 3 changed files with 14 additions and 29 deletions.
18 changes: 9 additions & 9 deletions README.md
@@ -74,25 +74,25 @@ a dict with three keys:
| "no_line_separators" | "Every line must end with either a carriage return and line feed characters or just a line feed character" |
| "signed_format_issue" | "Signed security.txt must start with the header '-----BEGIN PGP SIGNED MESSAGE-----'. " |
| "data_after_sig" | "Signed security.txt must not contain data after the signature." |
| "no_csaf_file" | "All CSAF field in the security.txt must point to a provider-metadata.json file" |
| "no_csaf_file" | "All CSAF fields must point to a provider-metadata.json file." |


### Possible recommendations

| code | message |
|----------------------------|----------------------------------------------------------------------------------------|
| "long_expiry" | "Date and time in 'Expires' field should be less than a year into the future." |
| "no_encryption" | "'Encryption' field should be present when 'Contact' field contains an email address." |
| "not_signed"<sup>[1]</sup> | "security.txt should be digitally signed." |
| "no_canonical" | "'Canonical' field should be present in a signed file." |
| "no_csaf" | "'CSAF' field should appear at least once" |
| code | message |
|----------------------------|------------------------------------------------------------------------------------------------|
| "long_expiry" | "Date and time in 'Expires' field should be less than a year into the future." |
| "no_encryption" | "'Encryption' field should be present when 'Contact' field contains an email address." |
| "not_signed"<sup>[1]</sup> | "security.txt should be digitally signed." |
| "no_canonical" | "'Canonical' field should be present in a signed file." |
| "multiple_csaf_fields" | "It is allowed to have more than one CSAF field, however this should be removed if possible." |

### Possible notifications

| code | message |
|-------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| "unknown_field"<sup>[2]</sup> | "Security.txt contains an unknown field. Field {unknown_field} is either a custom field which may not be widely supported, or there is a typo in a standardised field name. |
| "multiple_csaf_fields" | "It is allowed to have more than one CSAF field, however this should be removed if possible." |


---
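Review bot: the notifications table row for "unknown_field" (the line starting `| "unknown_field"<sup>[2]</sup> |`) is missing the closing double quote at the end of its message, so it renders inconsistently with every other row; since this hunk already edits the surrounding tables, add the `"` before the trailing `|`. Worth a sentence in the README or release notes as well: the "no_csaf" recommendation disappears and "multiple_csaf_fields" moves from a notification to a recommendation, which is a visible change for anyone matching on those code strings.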

13 changes: 4 additions & 9 deletions sectxt/__init__.py
@@ -18,7 +18,7 @@
import dateutil.parser
import requests

__version__ = "0.8.2"
__version__ = "0.8.3"

s = requests.Session()
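Review bot: a patch-level bump (0.8.2 to 0.8.3) understates this change: the "no_csaf" recommendation code is removed and "multiple_csaf_fields" changes category from notification to recommendation, both of which can break callers that key on the returned code strings or on which list they appear in; consider 0.9.0, or at least call the change out explicitly in the release notes.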

@@ -289,21 +289,16 @@ def validate_contents(self) -> None:
"feed character",
)

if "csaf" not in self._values:
self._add_recommendation(
"no_csaf", "'CSAF' field should appear at least once"
)
else:
if "csaf" in self._values:
if not all(
v.endswith("provider-metadata.json") for v in self._values["csaf"]
):
self._add_error(
"no_csaf_file",
"All CSAF field in the security.txt must point "
"to a provider-metadata.json file",
"All CSAF fields must point to a provider-metadata.json file.",
)
if len(self._values["csaf"]) > 1:
self._add_notification(
self._add_recommendation(
"multiple_csaf_fields",
"It is allowed to have more than one csaf field, "
"however this should be removed if possible.",
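Review bot: `v.endswith("provider-metadata.json")` only checks the string suffix, so a value such as `https://example.com/csaf/not-provider-metadata.json` passes the `no_csaf_file` check even though it does not point to a provider-metadata.json file; parse the value with `urllib.parse.urlparse` and test that the path component ends with `/provider-metadata.json`, which matches what the README message promises. Minor: the recommendation text still spells it "csaf field" in lowercase while the README row uses "CSAF field"; keep the two strings identical so the README stays a reliable reference for the codes.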
12 changes: 1 addition & 11 deletions test/test_sectxt.py
@@ -183,16 +183,6 @@ def test_no_line_separators(self):
len([1 for r in p._errors if r["code"] == "no_line_separators"]), 1
)

def test_csaf_optional(self):
content = _signed_example.replace(
"CSAF: https://example.com/.well-known/csaf/provider-metadata.json", ""
)
p = Parser(content)
self.assertTrue(p.is_valid())
self.assertEqual(
len([1 for r in p._recommendations if r["code"] == "no_csaf"]), 1
)

def test_csaf_https_uri(self):
content = _signed_example.replace(
"CSAF: https://example.com/.well-known/csaf/provider-metadata.json",
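Review bot: deleting `test_csaf_optional` outright leaves the new behaviour untested: nothing now asserts that a security.txt without a CSAF field is valid and produces no `no_csaf` recommendation. Keep the test and invert the expectation, e.g. `self.assertEqual(len([1 for r in p._recommendations if r["code"] == "no_csaf"]), 0)` next to the existing `self.assertTrue(p.is_valid())`, so a regression that reintroduces the recommendation is caught.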
@@ -220,7 +210,7 @@ def test_multiple_csaf_notification(self):
p = Parser(content)
self.assertTrue(p.is_valid())
self.assertEqual(
len([1 for r in p._notifications if r["code"] == "multiple_csaf_fields"]), 1
len([1 for r in p._recommendations if r["code"] == "multiple_csaf_fields"]), 1
)
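Review bot: the test name `test_multiple_csaf_notification` now contradicts what its body asserts, since the finding is read from `p._recommendations`; rename it to `test_multiple_csaf_recommendation`. It would also be worth asserting that `p._notifications` contains no `multiple_csaf_fields` entry, so the test fails if the finding is ever emitted in both lists.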


