
Releases: DigitalTrustCenter/sectxt

0.9.5

28 Oct 12:41

A new version which resolves the following issues:

#78: Added the error too_many_line_separators, which is reported when a PGP signed message ends with more than one newline.

#79: This issue was caused by PGPy implementing RFC 4880, which has since been obsoleted by RFC 9580; input formatted per RFC 9580 could raise a NotImplementedError inside the library.
sectxt now catches and ignores that NotImplementedError, since it does not indicate a problem with the input itself. Note that this means such input is skipped by the PGP check rather than validated against RFC 9580.

#80: We have forked the library that caused the error so that we can fix certain issues in it ourselves, as we did for issue #81, but maintaining sectxt itself remains the main priority.

#81: Fixed the imghdr issue (PGPy imports the imghdr standard-library module, which was removed in Python 3.13) by switching the dependency from PGPy to our fork PGPy-dtc, which applies the solution proposed in the corresponding issue on the PGPy project.

0.9.4

11 Jul 13:06
fee9d4f

A new version which resolves the following issues:

#70 cgi will be removed in Python 3.13:
The deprecated cgi module is no longer used; it has been replaced with the replacement recommended in the Python deprecation notice.

#72 Invalid responses are not handled properly
Redirects are still followed, but when the final location is a different path the library now logs an error that the security.txt was not found at the correct location. Previously a site-wide redirect to an HTML page caused the library to try to parse that page even though that no longer makes sense. This has been resolved.
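The decision described for #72, written out as an added example (this is not sectxt's own code): after the HTTP client has followed redirects, the final URL, status and Content-Type decide whether the body is worth parsing at all. The function and finding names, and the constructed responses in the demo, are this example's own; the https and text/plain rules come from RFC 9116.

```python
# Added example, not sectxt's own code: decide whether the final response of a
# security.txt fetch is the file itself or a redirect gone wrong (issue #72).
# Function and finding names are chosen for this example.
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/security.txt"


def classify_final_response(requested_url, final_url, status, content_type):
    """Classify the response that ended a redirect chain.

    Returns a list of (severity, code, message). Hand the body to the
    security.txt parser only when parse_allowed() says so.
    """
    findings = []
    req, fin = urlparse(requested_url), urlparse(final_url)

    if status != 200:
        findings.append(("error", "not_found",
                         f"security.txt not found: HTTP {status} at {final_url}"))
        return findings

    if fin.scheme != "https":
        findings.append(("error", "insecure_scheme",
                         "security.txt must be served over https, got " + fin.scheme))

    if fin.path != WELL_KNOWN_PATH:
        # A site-wide redirect to a landing page ends up here: the file was
        # not found at the well-known location, whatever the body contains.
        findings.append(("error", "not_at_well_known_location",
                         f"redirected away from {WELL_KNOWN_PATH} to {fin.path}"))

    if fin.netloc != req.netloc:
        # Allowed by RFC 9116, but worth recording: a redirect may lead to a
        # host the original site does not control.
        findings.append(("notification", "redirected_to_other_host",
                         f"redirected from {req.netloc} to {fin.netloc}"))

    mime = content_type.split(";", 1)[0].strip().lower()
    if mime != "text/plain":
        # RFC 9116 section 3: the file MUST be served as text/plain. An HTML
        # page is not a security.txt, so do not try to parse it.
        findings.append(("error", "wrong_content_type",
                         f"expected text/plain, got {mime or '(none)'}"))
    return findings


BLOCKING = {"not_found", "not_at_well_known_location", "wrong_content_type"}


def parse_allowed(findings):
    """True when the body is plausibly a security.txt and worth parsing."""
    return not any(code in BLOCKING for _, code, _ in findings)


if __name__ == "__main__":
    # Constructed responses for the demo, not captured traffic.
    req = "https://example.com/.well-known/security.txt"
    ok = classify_final_response(req, req, 200, "text/plain; charset=utf-8")
    bad = classify_final_response(req, "https://www.example.com/", 200,
                                  "text/html; charset=utf-8")
    print(ok, parse_allowed(ok))
    print(bad, parse_allowed(bad))
```

An insecure scheme is reported but does not block parsing, matching the 0.8 behaviour described further down this page for #24; a wrong path or a non-text/plain body does block it, because parsing an HTML page as security.txt only produces noise.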

#73 add emails and urls properties
Properties were added to the SecurityTXT object to retrieve either the first found or all of the emails, URLs or phone numbers listed in the Contact fields.

#74 Certain security.txt files can cause parser to hang indefinitely
If the security.txt has a PGP block we check it for issues and log any that are found. The library used for this is PGPy; certain input, however, was found to make that library hang indefinitely.
The likely cause has been identified and a pull request opened on PGPy. For now sectxt depends on that specific pull request; once PGPy releases a version that resolves the issue we will update to it.

0.9.3

09 Apr 12:24

A new version in which reading of the byte content is moved from the SecurityTXT class to the Parser, so that users who only use the Parser class still get the BOM error. This was done for the following issue: #69 Request to change Parser from utf-8 to bytes.

0.9.2

07 Mar 09:45
ad85c74

A new version which solves an issue with the BOM error always showing even when not applicable and fixes an error that occurs on leap days. This includes the following issues:

#64 It is now possible to test local files by setting the is_local flag to True and passing a local path as the url parameter. Only the content of the given file is validated.
#65 The BOM error was always shown, even when not applicable. This has been fixed and the error message is improved.
#66 On leap days the validation check failed because it computed the date one year ahead, and that computation was not done correctly. This is fixed now.
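The leap-day failure in #66 is the classic one: computing "one year from today" by bumping the year raises on 29 February. As an added example (not sectxt's code), here is an Expires check that handles it; the function and finding names are this example's own, the rules (a past Expires makes the file stale, more than a year ahead is discouraged, RFC 3339 format) are from RFC 9116.

```python
# Added example, not sectxt's own code: the Expires check with the leap-day
# edge case of issue #66 handled. Function and finding names are this example's own.
from datetime import datetime, timezone


def parse_expires(value):
    """Parse an RFC 3339 timestamp such as 2025-12-31T18:37:07Z."""
    v = value.strip()
    if v[-1:] in ("Z", "z"):              # fromisoformat() accepts "Z" only from 3.11
        v = v[:-1] + "+00:00"
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        raise ValueError("Expires must include a UTC offset")
    return dt


def naive_one_year_after(dt):
    # The obvious computation: raises ValueError on 29 February because the
    # following year has no such day, which takes the whole validator down.
    return dt.replace(year=dt.year + 1)


def one_year_after(dt):
    try:
        return dt.replace(year=dt.year + 1)
    except ValueError:                    # 29 Feb -> 28 Feb of the next year
        return dt.replace(year=dt.year + 1, day=28)


def check_expires(value, now=None):
    """Return (severity, code, message) findings for an Expires value."""
    now = now or datetime.now(timezone.utc)
    try:
        expires = parse_expires(value)
    except ValueError as exc:
        return [("error", "invalid_expiry",
                 f"Expires is not a valid RFC 3339 date-time: {exc}")]
    if expires <= now:
        return [("error", "expired", "Expires date has passed; the file is stale")]
    if expires > one_year_after(now):
        return [("recommendation", "long_expiry",
                 "Expires should be less than a year in the future")]
    return []


if __name__ == "__main__":
    leap_day = parse_expires("2024-02-29T12:00:00Z")   # constructed "now"
    print(check_expires("2025-01-31T00:00:00Z", leap_day))
    print(check_expires("2025-03-01T00:00:00Z", leap_day))
```

Mapping 29 February to 28 February of the next year keeps the one-year window slightly conservative; mapping to 1 March would be equally defensible, the point is that the check no longer raises.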

Add error message for Byte order mark

07 Nov 12:54
27d8524

In this release we fixed an issue with the line numbers and added an error message for when a BOM is found.

#57 An error message has been added. If a byte order mark is present, the file is still processed without the BOM, but an error is added to highlight that the BOM is present.

#60 Fixed the issue where the line number would be overridden: the add_error function now never overrides the line_no it is given.

0.9.0

03 Aug 08:28
d56b65a

Bugfixes included in this release: #53, #54, #55, #56, #57, #58
The issues reported on the sectxt validator have been processed; most were related to adding validation checks on the PGP message. For this the PGPy Python module is used, which checks the PGP message for conformance with the OpenPGP specification (RFC 4880).
The request for the security.txt URL is now sent with a User-Agent header that mimics a regular web browser.
The byte content is checked for a UTF-8 BOM, which is removed if found.

#53: Canonical "Error: Field value must be a URI (e.g. beginning with 'mailto:')"
The message is simplified to avoid confusion.

#54: PGP Dash-Escaped Text is still parsed for pgp
A PGP format validator is added to find issues within the message.

#55: Improve on missing newline in a file by adding line number
The line number is added to the missing newline error, and the error message is improved.

#56: Signed message is not enforcing signature
A PGP format validator is added.

#57: Improve parser error for Byte order mark (BOM)
A BOM may occur in the file, but it has no meaning in UTF-8. If present it is removed and the file is validated without it.

#58: If signed, pass data to gpg validate
A PGP format validator is added.

0.8.3

17 Apr 08:58
d236681

Bugfixes included in this release: #47

  • The CSAF field is now optional (like "Acknowledgments" and "Hiring"), so the recommendation to add it is removed. The errors remain: if the field is present but has an issue, an error is raised.
  • The "multiple_csaf_fields" finding has been moved from a notification to a recommendation.
  • The "no_csaf_file" text has been updated to be clearer.

0.8.2

14 Apr 08:11
24463a7

Bugfixes: #44, #45 and #46
Added support for the CSAF field: #47

#44: Wordings "data_after_sig" error message and inclusion in README and #45: Text suggestion for "signed_format_issue" error

  • The error messages were changed to be clearer.

#46: Unknown field: notification and textual suggestion

  • Added the notifications that were already mentioned in the README, and changed the text of the unknown_field notification to be clearer.

#47: Validate new CSAF field
A new key is added for the CSAF field; it is considered optional as per section 2.4 (https://www.rfc-editor.org/rfc/rfc9116.html#section-2.4).
If the field is not present, a recommendation "no_csaf" is added: "'CSAF' field should appear at least once".
If a field does not point to the correct file, an error "no_csaf_file" is added: "All CSAF field in the security.txt must point to a provider-metadata.json file".
If multiple fields are present, a notification "multiple_csaf_fields" is added suggesting to remove the extra ones even though they are allowed: "It is allowed to have more than one CSAF field, however this should be removed if possible."
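The two field-level features on this page, the Contact extraction of #73 (0.9.4, above) and the CSAF rules of #47, share the same line parser, so here they are together as one added example (not sectxt's own code). The CSAF check implements the field as it stands after 0.8.3: optional, a "no_csaf_file" error per field that does not point at provider-metadata.json, and a "multiple_csaf_fields" recommendation. The finding codes are quoted from the notes on this page; the parser, class and property names, the https requirement (taken from RFC 9116, which requires web URIs to use https) and the sample file are this example's own.

```python
# Added example, not sectxt's own code: a small field parser plus the Contact
# extraction of issue #73 and the CSAF check of issue #47 (0.8.3 semantics).
# Finding codes are quoted from the release notes; other names are this example's.
from urllib.parse import urlparse


def parse_fields(text):
    """Return [(line_no, name, value)] for field lines; comments and blanks skipped."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or ":" not in s:
            continue
        name, value = s.split(":", 1)
        out.append((no, name.strip().lower(), value.strip()))
    return out


class Contacts:
    """Contact methods in the order listed (RFC 9116: order is preference)."""

    def __init__(self, text):
        self.emails, self.phones, self.urls, self.invalid = [], [], [], []
        for _, name, value in parse_fields(text):
            if name != "contact":
                continue
            scheme, _, rest = value.partition(":")
            scheme = scheme.lower()
            if scheme == "mailto":
                # RFC 6068 allows mailto:a@x,b@x?subject=...; keep the addresses.
                addrs = rest.split("?", 1)[0].split(",")
                self.emails.extend(a.strip() for a in addrs if a.strip())
            elif scheme == "tel":
                self.phones.append(rest)
            elif scheme in ("http", "https"):
                self.urls.append(value)
            else:
                # Not a URI: RFC 9116 requires one (compare the #53 message).
                self.invalid.append(value)

    @property
    def first_email(self):
        return self.emails[0] if self.emails else None

    @property
    def first_url(self):
        return self.urls[0] if self.urls else None

    @property
    def first_phone(self):
        return self.phones[0] if self.phones else None


def check_csaf(text):
    """CSAF findings as (severity, code, message); the field itself is optional."""
    findings = []
    values = [(no, v) for no, n, v in parse_fields(text) if n == "csaf"]
    for no, value in values:
        u = urlparse(value)
        # RFC 9116 requires https for web URIs; the file name rule is the one
        # from the #47 notes above.
        if u.scheme != "https" or not u.path.endswith("/provider-metadata.json"):
            findings.append(("error", "no_csaf_file",
                             f"line {no}: All CSAF fields in the security.txt "
                             "must point to a provider-metadata.json file"))
    if len(values) > 1:
        findings.append(("recommendation", "multiple_csaf_fields",
                         "It is allowed to have more than one CSAF field, "
                         "however this should be removed if possible."))
    return findings


# Constructed sample file for the demo and tests; not a real site's security.txt.
SAMPLE = (
    "# constructed sample\n"
    "Contact: mailto:security@example.com\n"
    "Contact: https://example.com/report\n"
    "Contact: tel:+1-201-555-0123\n"
    "Contact: security@example.com\n"
    "CSAF: https://example.com/.well-known/csaf/provider-metadata.json\n"
    "CSAF: https://example.com/csaf/index.html\n"
    "Expires: 2030-01-01T00:00:00Z\n"
)

if __name__ == "__main__":
    c = Contacts(SAMPLE)
    print(c.first_email, c.urls, c.phones, "invalid:", c.invalid)
    print(check_csaf(SAMPLE))
```

Keeping the non-URI values in a separate list rather than silently dropping them is what lets a validator emit the #53-style error while a consumer that just wants an address still gets `first_email`.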

0.8.1

21 Feb 16:12
0143a96

This release contains the following bugfixes:

  • #41 Improve parser result for improperly signed message: An error is added to indicate that a PGP signed message is not formatted correctly.
  • #42 invalid_cert error listed twice: The invalid_cert error could be reported a second time. It is now reported only once.
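Several entries on this page (#41 here, #54/#56/#58 in 0.9.0, #44/#45 in 0.8.2 and #78 in 0.9.5) are about the framing of a PGP cleartext signed security.txt rather than the signature itself. As an added example (not sectxt's code, and not a signature verification; that is what PGPy is used for in the releases above), here is the structural check a validator can run before handing the text to the field parser: armor headers, the single blank line, dash-escape removal, the signature block, and what follows it. The finding codes data_after_sig, signed_format_issue and too_many_line_separators are quoted from the notes on this page; no_line_separator, the function name and the constructed sample are this example's own.

```python
# Added example, not sectxt's own code and not a signature verification: the
# framing checks for a PGP cleartext signed security.txt (RFC 4880 section 7).
# Finding codes are quoted from the release notes; other names are this example's.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def check_cleartext_framing(text):
    """Return (findings, body).

    findings is a list of (code, message); body is the cleartext with the
    dash-escaping removed, or None when the structure is too broken to use.
    """
    findings = []
    lines = text.split("\n")
    if lines[0] != BEGIN_MSG:
        return findings, text      # not signed: parse as plain text

    # Armor headers (normally one or more "Hash:" lines), then exactly one
    # empty line, then the dash-escaped cleartext.
    i, headers = 1, []
    while i < len(lines) and lines[i] != "":
        headers.append(lines[i])
        i += 1
    if i == len(lines):
        return [("signed_format_issue", "no empty line after the armor headers")], None
    if not any(h.startswith("Hash:") for h in headers):
        findings.append(("signed_format_issue", "no Hash header in the signed message"))
    i += 1

    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]        # remove the dash-escape
        elif line.startswith("-"):
            findings.append(("signed_format_issue",
                             f"line {i + 1}: unescaped leading dash in signed text"))
        body.append(line)
        i += 1
    body_text = "\n".join(body) + "\n" if body else ""
    if i == len(lines):
        findings.append(("signed_format_issue", "signed message has no PGP SIGNATURE block"))
        return findings, body_text

    j = i + 1
    while j < len(lines) and lines[j] != END_SIG:
        j += 1
    if j == len(lines):
        findings.append(("signed_format_issue", "PGP SIGNATURE block is not terminated"))
        return findings, body_text

    # A well-formed file ends in exactly one LF, so split() leaves one empty
    # string after the END line. Anything else is a finding.
    trailer = lines[j + 1:]
    if any(t.strip() for t in trailer):
        findings.append(("data_after_sig", "content found after the signature"))
    elif not trailer:
        findings.append(("no_line_separator", "file does not end with a line feed"))
    elif len(trailer) > 1:
        findings.append(("too_many_line_separators",
                         "signed message ends with more than one newline"))
    return findings, body_text


# Constructed sample; the armor body is a placeholder, not a real signature.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Contact: mailto:security@example.com\n"
    "Expires: 2030-01-01T00:00:00Z\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "<armored signature bytes omitted: constructed sample>\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print(check_cleartext_framing(SAMPLE))
    print(check_cleartext_framing(SAMPLE + "\n")[0])       # too_many_line_separators
    print(check_cleartext_framing(SAMPLE + "extra\n")[0])  # data_after_sig
```

The body this returns is what the field parser should see: un-escaping first is the fix behind #54, where the escaped form was being parsed. Passing this check says nothing about who signed the file; that still needs a signature verification against a trusted key.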

0.8

11 Jan 13:03
4495590

This release resolves the following issues:

  • #21 Check for Line Separator: Every line MUST end with a line feed. An error for this is added; it checks whether the file ends with an empty final line, because if it does not, the last line is missing its line feed.
  • #24 What message when security.txt file is NOT available via https?: An additional check is added for an insecure URI scheme. If the security.txt is found over such a scheme, an error is added clarifying that the scheme is not correct and https should be used.
  • #34 Note that does not verify the signature: A note is added to the signature recommendation clarifying that the signature itself is not verified.
  • #38 Set up security policy and code scanning alerts on Github: A security.md has been added which explains how to report issues.
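The byte-level checks that recur on this page (the UTF-8 BOM of #57 and #60, the line number on a missing newline in #55, the line feed rule of #21 here, and the bytes-in/lines-out split behind #69) fit in one small front end. As an added example (not sectxt's code), here is that front end: it reports and strips a BOM but keeps going, refuses bytes that are not UTF-8, accepts LF or CRLF line endings as RFC 9116 does, and reports the missing final line feed with its line number. The function and finding names and the sample inputs are this example's own.

```python
# Added example, not sectxt's own code: byte-level front end for a security.txt
# validator covering the BOM (#57/#60), the missing final line feed with its
# line number (#55, #21) and bytes in / numbered lines out (#69).
# Function and finding names are this example's own.
import codecs


def preflight(raw):
    """Turn the fetched bytes into numbered lines.

    Returns (findings, lines): findings is a list of (code, line_no, message),
    lines is a list of (line_no, text) with the line terminators removed.
    """
    findings = []
    if raw.startswith(codecs.BOM_UTF8):
        # The BOM carries no information in UTF-8; report it, strip it, go on.
        findings.append(("utf8_bom", 1, "file starts with a UTF-8 byte order mark"))
        raw = raw[len(codecs.BOM_UTF8):]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append(("invalid_utf8", None,
                         f"file is not valid UTF-8 at byte offset {exc.start}"))
        return findings, []

    # RFC 9116 section 4: eol = *WSP [CR] LF, so CRLF and LF are both fine,
    # but the last line must be terminated like every other one.
    parts = text.split("\n")
    if parts[-1] != "":
        findings.append(("no_line_separator", len(parts),
                         f"line {len(parts)} does not end with a line feed"))
    else:
        parts.pop()
    lines = [(no, p[:-1] if p.endswith("\r") else p)
             for no, p in enumerate(parts, 1)]
    return findings, lines


if __name__ == "__main__":
    # Constructed inputs: a BOM plus CRLF endings, and a file missing its final LF.
    print(preflight(b"\xef\xbb\xbfContact: mailto:a@example.com\r\n"
                    b"Expires: 2030-01-01T00:00:00Z\n"))
    print(preflight(b"Contact: mailto:a@example.com\nExpires: 2030-01-01T00:00:00Z"))
```

Every later check receives `(line_no, text)` pairs and reports the number it was given, which is the #60 rule: the front end is the only place line numbers are assigned.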