-
Notifications
You must be signed in to change notification settings - Fork 139
pshtt scan exception case drops record from report #117
Comments
@egyptiankarim Want to email me a live example so I can test? (eric.mill@gsa.gov)
Totally get this. What do you think should be in the 12,000th row (the row representing the failed run) for such a scan? |
@konklone Will do. Email on its way.
Well, just generally speaking, I think domain-scan ought to mimic whatever a regular run of the underlying scanner would give you. For the exception cases in question here, a regular pshtt scan eventually gives us a "Live" I think there's probably room for improvement on how we handle RequestExceptions (especially weird code 500 and redirect loop situations), and I'll puzzle over it, but for now I know that I get some result back running a regular pshtt scan, so whatever domain-scan gives me should approximate that rather than just dropping it. Also, I'll emphasize again that I think the "fix" for all of this is in revisiting the logic in pshtt, and I'll be working a pull request there. I just wanted to post an issue on domain-scan so that people would be aware of the gap in reports produced by each. |
@egyptiankarim I'm closing this because I think it's made moot on the domain-scan side by the refactor in #155. Try using the You may also want to try the Lambda pipeline, which definitely returns stack traces when errors are observed. |
When the version of pshtt that is loaded by domain-scan lands into an
ConnectionError
or aRequestException
exception case in itsbasic_check
method, it dumps an error and returns an empty string where a JSON object representing the domain's test results should be. This ripples through sslyze and errors out of the domain-scan pshtt invocation altogether (i.e., "Bad news scanning"), and never writes an entry to the results. Here's an example (domain redacted; hit me up for a live example):That last bit is a lie... Nothing is written because the
raw
data out of the pshtt invocation isNone
.This ultimately is an issue with the way exception cases in pshtt are ordered in the overall flow of logic, and I'll open up an issue there and eventually offer a solution. The reason I'm bringing it up here, is because pshtt will produce a report with these exception cases properly reflected (i.e., as failing), but domain-scan just ends up dropping them from the report all together, which can be confusing as anything when your target list of 12K domains only results in a results.csv of 11,999 rows (gah!). So this is more just an "awareness" issue.
The text was updated successfully, but these errors were encountered: