Merge branch 'csaf-poc:main' into main

README.md

@@ -58,7 +58,7 @@ Download the binaries from the most recent release assets on Github.
 
 ### Build from sources
 
-- A recent version of **Go** (1.21+) should be installed. [Go installation](https://go.dev/doc/install)
+- A recent version of **Go** (1.20+) should be installed. [Go installation](https://go.dev/doc/install)
 
 - Clone the repository `git clone https://github.com/csaf-poc/csaf_distribution.git `
 

cmd/csaf_checker/processor.go

@@ -33,7 +33,6 @@ import (
 	"golang.org/x/time/rate"
 
 	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
 	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
@@ -548,7 +547,7 @@ func (p *processor) rolieFeedEntries(feed string) ([]csaf.AdvisoryFile, error) {
 
 		// Filter if we have date checking.
 		if accept := p.cfg.Range; accept != nil {
-			if pub := time.Time(entry.Published); !pub.IsZero() && !accept.Contains(pub) {
+			if t := time.Time(entry.Updated); !t.IsZero() && !accept.Contains(t) {
 				return
 			}
 		}
@@ -667,11 +666,6 @@ func (p *processor) integrity(
 		var folderYear *int
 		if m := yearFromURL.FindStringSubmatch(u); m != nil {
 			year, _ := strconv.Atoi(m[1])
-			// Check if the year is in the accepted time interval.
-			if accept := p.cfg.Range; accept != nil &&
-				!accept.Intersects(models.Year(year)) {
-				continue
-			}
 			folderYear = &year
 		}
 
@@ -1262,10 +1256,26 @@ func (p *processor) checkProviderMetadata(domain string) bool {
 // It checks the existence of the CSAF field in the file content and tries to fetch
 // the value of this field. Returns an empty string if no error was encountered,
 // the errormessage otherwise.
-func (p *processor) checkSecurity(domain string) string {
+func (p *processor) checkSecurity(domain string, legacy bool) (int, string) {
+	folder := "https://" + domain + "/"
+	if !legacy {
+		folder = folder + ".well-known/"
+	}
+	msg := p.checkSecurityFolder(folder)
+	if msg == "" {
+		if !legacy {
+			return 0, "Found valid security.txt within the well-known directory"
+		}
+		return 2, "Found valid security.txt in the legacy location"
+	}
+	return 1, folder + "security.txt: " + msg
+}
+
+// checkSecurityFolder checks the security.txt in a given folder.
+func (p *processor) checkSecurityFolder(folder string) string {
 
 	client := p.httpClient()
-	path := "https://" + domain + "/.well-known/security.txt"
+	path := folder + "security.txt"
 	res, err := client.Get(path)
 	if err != nil {
 		return fmt.Sprintf("Fetching %s failed: %v", path, err)
@@ -1298,7 +1308,7 @@ func (p *processor) checkSecurity(domain string) string {
 		return fmt.Sprintf("CSAF URL '%s' invalid: %v", u, err)
 	}
 
-	base, err := url.Parse("https://" + domain + "/.well-known/")
+	base, err := url.Parse(folder)
 	if err != nil {
 		return err.Error()
 	}
@@ -1391,25 +1401,45 @@ func (p *processor) checkWellknown(domain string) string {
 func (p *processor) checkWellknownSecurityDNS(domain string) error {
 
 	warningsW := p.checkWellknown(domain)
-	warningsS := p.checkSecurity(domain)
+	// Security check for well known (default) and legacy location
+	warningsS, sDMessage := p.checkSecurity(domain, false)
+	// if the security.txt under .well-known was not okay
+	// check for a security.txt within its legacy location
+	sLMessage := ""
+	if warningsS == 1 {
+		warningsS, sLMessage = p.checkSecurity(domain, true)
+	}
 	warningsD := p.checkDNS(domain)
 
 	p.badWellknownMetadata.use()
 	p.badSecurity.use()
 	p.badDNSPath.use()
 
 	var kind MessageType
-	if warningsS == "" || warningsD == "" || warningsW == "" {
+	if warningsS != 1 || warningsD == "" || warningsW == "" {
 		kind = WarnType
 	} else {
 		kind = ErrorType
 	}
 
+	// Info, Warning or Error depending on kind and warningS
+	kindSD := kind
+	if warningsS == 0 {
+		kindSD = InfoType
+	}
+	kindSL := kind
+	if warningsS == 2 {
+		kindSL = InfoType
+	}
+
 	if warningsW != "" {
 		p.badWellknownMetadata.add(kind, warningsW)
 	}
-	if warningsS != "" {
-		p.badSecurity.add(kind, warningsS)
+	p.badSecurity.add(kindSD, sDMessage)
+	// only if the well-known security.txt was not successful:
+	// report about the legacy location
+	if warningsS != 0 {
+		p.badSecurity.add(kindSL, sLMessage)
 	}
 	if warningsD != "" {
 		p.badDNSPath.add(kind, warningsD)

cmd/csaf_checker/reporters.go

@@ -251,10 +251,6 @@ func (r *securityReporter) report(p *processor, domain *Domain) {
 		req.message(WarnType, "Performed no in-depth test of security.txt.")
 		return
 	}
-	if len(p.badSecurity) == 0 {
-		req.message(InfoType, "Found CSAF entry in security.txt.")
-		return
-	}
 	req.Messages = p.badSecurity
 }
 

cmd/csaf_downloader/config.go

@@ -13,12 +13,13 @@ import (
 	"fmt"
 	"io"
 	"log"
-	"log/slog"
 	"net/http"
 	"os"
 	"path/filepath"
 	"time"
 
+	"golang.org/x/exp/slog"
+
 	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
 	"github.com/csaf-poc/csaf_distribution/v3/internal/filter"
 	"github.com/csaf-poc/csaf_distribution/v3/internal/models"

cmd/csaf_downloader/downloader.go

@@ -19,7 +19,6 @@ import (
 	"fmt"
 	"hash"
 	"io"
-	"log/slog"
 	"net/http"
 	"net/url"
 	"os"
@@ -30,6 +29,8 @@ import (
 	"sync"
 	"time"
 
+	"golang.org/x/exp/slog"
+
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"golang.org/x/time/rate"
 

cmd/csaf_downloader/forwarder.go

@@ -12,13 +12,14 @@ import (
 	"bytes"
 	"crypto/tls"
 	"io"
-	"log/slog"
 	"mime/multipart"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 
+	"golang.org/x/exp/slog"
+
 	"github.com/csaf-poc/csaf_distribution/v3/internal/misc"
 	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
@@ -57,7 +58,10 @@ type forwarder struct {
 
 // newForwarder creates a new forwarder.
 func newForwarder(cfg *config) *forwarder {
-	queue := max(1, cfg.ForwardQueue)
+	queue := cfg.ForwardQueue
+	if queue < 1 {
+		queue = 1
+	}
 	return &forwarder{
 		cfg:  cfg,
 		cmds: make(chan func(*forwarder), queue),

cmd/csaf_downloader/forwarder_test.go

@@ -14,7 +14,6 @@ import (
 	"encoding/json"
 	"errors"
 	"io"
-	"log/slog"
 	"mime"
 	"mime/multipart"
 	"net/http"
@@ -23,6 +22,8 @@ import (
 	"strings"
 	"testing"
 
+	"golang.org/x/exp/slog"
+
 	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 	"github.com/csaf-poc/csaf_distribution/v3/util"
 )

cmd/csaf_downloader/main.go

@@ -11,10 +11,11 @@ package main
 
 import (
 	"context"
-	"log/slog"
 	"os"
 	"os/signal"
 
+	"golang.org/x/exp/slog"
+
 	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 )
 

cmd/csaf_downloader/stats.go

@@ -8,7 +8,7 @@
 
 package main
 
-import "log/slog"
+import "golang.org/x/exp/slog"
 
 // stats contains counters of the downloads.
 type stats struct {

cmd/csaf_downloader/stats_test.go

@@ -11,8 +11,9 @@ package main
 import (
 	"bytes"
 	"encoding/json"
-	"log/slog"
 	"testing"
+
+	"golang.org/x/exp/slog"
 )
 
 func TestStatsAdd(t *testing.T) {

csaf/advisories.go

@@ -316,7 +316,7 @@ func (afp *AdvisoryFileProcessor) processROLIE(
 
 			// Filter if we have date checking.
 			if afp.AgeAccept != nil {
-				if pub := time.Time(entry.Published); !pub.IsZero() && !afp.AgeAccept(pub) {
+				if t := time.Time(entry.Updated); !t.IsZero() && !afp.AgeAccept(t) {
 					return
 				}
 			}

csaf/generate_cvss_enums.go

@@ -17,7 +17,7 @@ import (
 	"go/format"
 	"log"
 	"os"
-	"slices"
+	"sort"
 	"strings"
 	"text/template"
 )
@@ -135,7 +135,7 @@ func main() {
 			defs = append(defs, k)
 		}
 	}
-	slices.Sort(defs)
+	sort.Strings(defs)
 
 	var source bytes.Buffer
 

csaf/providermetaloader.go

@@ -132,8 +132,7 @@ func (pmdl *ProviderMetadataLoader) Load(domain string) *LoadedProviderMetadata
 	}
 
 	// Next load the PMDs from security.txt
-	secURL := "https://" + domain + "/.well-known/security.txt"
-	secResults := pmdl.loadFromSecurity(secURL)
+	secResults := pmdl.loadFromSecurity(domain)
 
 	// Filter out the results which are valid.
 	var secGoods []*LoadedProviderMetadata
@@ -199,56 +198,63 @@ func (pmdl *ProviderMetadataLoader) Load(domain string) *LoadedProviderMetadata
 }
 
 // loadFromSecurity loads the PMDs mentioned in the security.txt.
-func (pmdl *ProviderMetadataLoader) loadFromSecurity(path string) []*LoadedProviderMetadata {
-
-	res, err := pmdl.client.Get(path)
-	if err != nil {
-		pmdl.messages.Add(
-			HTTPFailed,
-			fmt.Sprintf("Fetching %q failed: %v", path, err))
-		return nil
-	}
-	if res.StatusCode != http.StatusOK {
-		pmdl.messages.Add(
-			HTTPFailed,
-			fmt.Sprintf("Fetching %q failed: %s (%d)", path, res.Status, res.StatusCode))
-		return nil
-	}
-
-	// Extract all potential URLs from CSAF.
-	urls, err := func() ([]string, error) {
-		defer res.Body.Close()
-		return ExtractProviderURL(res.Body, true)
-	}()
-
-	if err != nil {
-		pmdl.messages.Add(
-			HTTPFailed,
-			fmt.Sprintf("Loading %q failed: %v", path, err))
-		return nil
-	}
+func (pmdl *ProviderMetadataLoader) loadFromSecurity(domain string) []*LoadedProviderMetadata {
+
+	// If .well-known fails try legacy location.
+	for _, path := range []string{
+		"https://" + domain + "/.well-known/security.txt",
+		"https://" + domain + "/security.txt",
+	} {
+		res, err := pmdl.client.Get(path)
+		if err != nil {
+			pmdl.messages.Add(
+				HTTPFailed,
+				fmt.Sprintf("Fetching %q failed: %v", path, err))
+			continue
+		}
+		if res.StatusCode != http.StatusOK {
+			pmdl.messages.Add(
+				HTTPFailed,
+				fmt.Sprintf("Fetching %q failed: %s (%d)", path, res.Status, res.StatusCode))
+			continue
+		}
 
-	var loaded []*LoadedProviderMetadata
+		// Extract all potential URLs from CSAF.
+		urls, err := func() ([]string, error) {
+			defer res.Body.Close()
+			return ExtractProviderURL(res.Body, true)
+		}()
 
-	// Load the URLs
-nextURL:
-	for _, url := range urls {
-		lpmd := pmdl.loadFromURL(url)
-		// If loading failed note it down.
-		if !lpmd.Valid() {
-			pmdl.messages.AppendUnique(lpmd.Messages)
+		if err != nil {
+			pmdl.messages.Add(
+				HTTPFailed,
+				fmt.Sprintf("Loading %q failed: %v", path, err))
 			continue
 		}
-		// Check for duplicates
-		for _, l := range loaded {
-			if l == lpmd {
-				continue nextURL
+
+		var loaded []*LoadedProviderMetadata
+
+		// Load the URLs
+	nextURL:
+		for _, url := range urls {
+			lpmd := pmdl.loadFromURL(url)
+			// If loading failed note it down.
+			if !lpmd.Valid() {
+				pmdl.messages.AppendUnique(lpmd.Messages)
+				continue
+			}
+			// Check for duplicates
+			for _, l := range loaded {
+				if l == lpmd {
+					continue nextURL
+				}
 			}
+			loaded = append(loaded, lpmd)
 		}
-		loaded = append(loaded, lpmd)
-	}
 
-	return loaded
+		return loaded
+	}
+	return nil
 }
 
 // loadFromURL loads a provider metadata from a given URL.