csaf_checker fails in jsonPath without referencing the input data it fails on

[tolim]

When trying to check a domain with the csaf_checker, I get the following error message:

$ ./csaf_checker www.domain.com
2022/01/11 15:51:08 error: no document to extract data from

Why does the command fail?

Thanks in advance!
Tobi

[bernhardreiter]

Hi @tolim
note that we are still "work in progress", so some stuff may still fail or be suboptimal.

The failure comes from a call to

csaf_distribution/cmd/csaf_checker/processor.go

Lines 177 to 179 in 2a69c13

	func (p *processor) jsonPath(expr string, doc interface{}) (interface{}, error) {
	if doc == nil {
	return nil, errors.New("no document to extract data from")

So I guess that some required attribute is missing from the provider-metatdata.json file.

We'll take this as a hint to add more diagnostic messages.
Thanks for the feedback!
Bernhard

[s-l-teichmann]

The decoding of the metadata fails earlier, but this error is wrongly rated as none essential and is only written to the report.
The analysis continues and dies later as the invariant of having the document loaded is not fulfilled.
The report then is never written out so that the reason of the error vanishes into nowhere.

I'm going to fix this.

[s-l-teichmann]

PR #26 introduces a mechanism to stop a running domain check and still dump out the report. This needs some work because the parts of the check which do not run due to the stop are currently marked as successful. This is not correct.

[tschmidtb51]

I was stumbling upon

csaf_distribution/cmd/csaf_checker/processor.go

Lines 708 to 712 in c57de75

	url := "https://" + domain + "/.well-known/csaf/provider-metadata.json"
	use(&p.badProviderMetadatas)
	res, err := client.Get(url)

but I might be on the wrong track:

The provider-metadata.json can be found either

• through the CSAF field in the security.txt (Requirement 8) or
• in the .well-known path (Requirement 9) or
• through the DNS path (Requirement 10)

More than one may exist, however to be valid at least one MUST exist... Even though the .well-known path is preferred it is not the only option here.

[bernhardreiter]

I suggest we make the location of the provider-metadata.json a new issue and refer to 7.2.2: "satisfies at least one of the requirements 8 to 10"

As far as I know, the first issue here is improved: we get a diagnostic message now with current main.

[tschmidtb51]

I suggest we make the location of the provider-metadata.json a new issue and refer to 7.2.2: "satisfies at least one of the requirements 8 to 10"

Sounds good to me.

[bernhardreiter]

The situation has improved. A call like

./bin-linux-amd64/csaf_checker example.org

now contains the following in the output:

  "domains": [
    {
      "name": "example.org",
[..]
         "description": "provider-metadata.json",
          "messages": [
            "No provider-metadata.json found.",
            "STOPPING here - cannot perform other checks."

So we believe this issue to be resolved.