v2.0.0-rc1

ZLint v2.0.0 RC-1

The ZMap team is proud to share the first v2.0.0 release candidate. This release contains fairly significant refactoring and testing/feedback would be most appreciated.

Breaking Changes

• The exported types from lints have been moved to lint (e.g. lints.LintInterface, lints.LintSource, lints.LintStatus, lints.LintResult are now lint.LintInterface, lint.LintSource, lint.LintStatus, lint.LintResult)
• Lints are now separated in the source code tree under lints/ by source.
• The lint.LintMap exported map of registered lints was removed. Users should rely on the exported functions of the Registry returned by lint.GlobalRegistry() instead.
• The zlint.LintCertificateFiltered function was removed. The same behaviour can be achieved using zlint.LintCertificateEx (see below).
• The zlint.EncodeLintDescriptionsToJSON function was removed. The same behaviour can be achieved by calling WriteJSON on a Registry.
• The lint.Source type was changed from an int enum to a string enum.

ZLint CMD Updates

The zlint command (cmd/zlint/main.go) was updated to add four new command line flags:

• -list-lints-sources - Prints a list of lint sources, one per line.
• -excludeSources - Comma-separated list of lint sources to exclude.
• -includeSources - Comma-separated list of lint sources to include.
• -nameFilter - Regex used to match lint names to include (cannot be used at the same time as -excludeSources or -includeSources)

Two existing flags were renamed:

• -include is now -includeNames
• -exclude is now -excludeNames.

One flag was removed:

• -list-lints-schema was removed. ZSchema is deprecated for ZLint.

Library Updates

• A new zlint.LintCertificateEx function was introduced allowing customizing which lints are applied by providing an explicit Registry of lints. Lints can be excluded/included by source and name by filtering the lint.GlobalRegistry() with lint.FilterOptions.

New Lints

• New Mozilla PKI Policy Lints
  • n_mp_allowed_eku
  • e_mp_authority_key_identifier_correct
  • e_mp_exponent_cannot_be_one
  • e_mp_modulus_must_be_2048_bits_or_more
  • e_mp_modulus_must_be_divisible_by_8

Bug Fixes

• The golang.org/crypto dependency was updated to to 8b5121be2f68 to address CVE-2020-7919
• The e_signature_algorithm_not_supported lint was updated to return lint.Warn for RSA-PSS with SHA256, SHA384 or SHA512.
• The w_subject_contains_malformed_arpa_ip lint was updated to clarify its citation/description.

Misc

• Updated TLD data (Current to 2020-01-30).
• README updates.

Full Changelog

24e7a0d README: Update, split out a CONTRIBUTING.md (#386)
79424f2 cmd/zlint: fix panic w/ deref of nil registry. (#385)
7741587 zlint: refactor lint reg., allow filtering lints used. (#372)
72fb7ad project: add goreleaser configuration. (#374)
8a37cc7 gTLD autopull: 2020-01-30T17:10:08Z (#375)
1107123 deps: update golang.org/crypto/cryptobyte to 8b5121be2f68. (#373)
77026f6 Add reference to RFC 6818 to clarify explicitText (#370)
c0407b6 lints: improve template_test.go (#367)
dbb54ce lints/mozilla: fix moz lint packages (#365)
cc90ed6 test: more comments in helpers.go (#366)
2cce203 lints: better test utils, avoid accessing lint.Lints directly (#364)
566701e Lints: add new lints for Mozilla Root Store Policy (adopted) (#353)
ea19827 README: fix crt.sh link target. (#349)
4a01d2e README: Link to company sites, not bugzilla bugs. (#348)
2c5688e README: Add Google Trust Services to list of users/integrations (#347)
b7425cb lints: add more context to w_subject_contains_malformed_arpa_ip. (#345)
9bba7b7 lints: warn for RSA-PSS sigalg in cabf lint, not err. (#342)
359be75 gTLD autopull: 2020-01-06T16:47:48Z (#341)
86bcc67 Misc. cleanups, unit test for finding leftover template bits. (#340)
e3ad0f9 Split of lints into directories by source (#337)
0ab41f2 README: add note about small PRs (#339)
257d49d gTLD autopull: 2019-12-25T16:40:11Z (#338)
c74b45b CI: Add golangci-lint, enforce Go best practices (#335)
872e431 gTLD autopull: 2019-12-06T16:32:55Z (#334)