feat: --rating-only flag to only test checks required for rating

This commit is contained in:
Magnus Larsen
2025-11-12 11:14:16 +01:00
parent 932c91f67c
commit 640444e1fc
2 changed files with 29 additions and 2 deletions


@@ -156,6 +156,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--add-ca <CAfile>` enables you to add your own CA(s) in PEM format for trust chain checks. `CAfile` can be a directory containing files with a \.pem extension, a single file or multiple files as a comma separated list of root CAs. Internally they will be added during runtime to all CA stores. This is (only) useful for internal hosts whose certificates are issued by internal CAs. Alternatively ADDTL_CA_FILES is the environment variable for this.
`--rating-only` makes testssl.sh do the bare minimum to allow rating to succeed. See RATING for more
### SINGLE CHECK OPTIONS
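Review bot: the added `--rating-only` entry is missing a terminal period ("See RATING for more.") and does not say whether the option can also be preset via an environment variable, which the neighbouring entries do (the preceding `--add-ca` paragraph names `ADDTL_CA_FILES`); either name the variable here or state that none exists, so readers of this section do not have to guess.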
@@ -448,7 +449,7 @@ set_grade_warning "Documentation is always right"
#### Implementing a new check which contains grade caps
When implementing a new check (be it vulnerability or not) that sets grade caps, the `set_rating_state()` has to be updated (i.e. the `$do_mycheck` variable-name has to be added to the loop, and `$nr_enabled` if-statement has to be incremented)
When implementing a new check (be it vulnerability or not) that sets grade caps, the `set_rating_state()` has to be updated (i.e. the `$do_mycheck` variable-name has to be added to the loop, and `$nr_enabled` if-statement has to be incremented), and the `--rating-only` switch statement needs to have `$do_mycheck=true` added
The `set_rating_state()` automatically disables rating, if all the required checks are *not* enabled.
This is to prevent giving out a misleading or wrong grade.
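Review bot: the new clause in the `set_rating_state()` paragraph tells implementers to add `$do_mycheck=true` to the `--rating-only` switch, but with the leading `$` that is not a valid shell assignment; the case arm in this same commit writes `do_protocols=true` etc., so the docs should read `do_mycheck=true` (the earlier `$do_mycheck` in the sentence is fine, since it refers to the variable rather than assigning it). The sentence has also grown into a run-on; consider closing it after the parenthesis and stating the switch-statement requirement as its own sentence ending with a period.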


@@ -21598,6 +21598,7 @@ tuning / connect options (most also can be preset via environment variables):
--mtls <CLIENT CERT file> path to <CLIENT CERT> file in PEM format containing unencrypted certificate key (beta)
--basicauth <user:pass> provide HTTP basic auth information
--reqheader <header> add custom http request headers
--rating-only test only the checks required for rating
output options (can also be preset via environment variables):
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
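Review bot: the help line says `--rating-only` will "test only the checks required for rating", but the implementing case arm also sets `VULN_THRESHLD=-1`, which changes how the vulnerability results are grouped in the output; mention that side effect here (and in the documentation hunk) so the two descriptions and the actual behaviour agree.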
@@ -21610,7 +21611,7 @@ output options (can also be preset via environment variables):
--color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers)
--colorblind swap green and blue in the output
--debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
--disable-rating Explicitly disables the rating output
--disable-rating explicitly disables the rating output
file output options (can also be preset via environment variables)
--log, --logging logs stdout to '\${NODE}-p\${port}\${YYYYMMDD-HHMM}.log' in current working directory (cwd)
@@ -25147,6 +25148,31 @@ parse_cmd_line() {
[[ $? -eq 0 ]] && shift
REQHEADERS+=("$REQHEADER")
;;
--rating[-_]only)
# Do only the bare minimum for rating to be successfully done
# See set_rating_state() for required variables
do_protocols=true
do_cipherlists=true
do_fs=true
do_server_defaults=true
do_header=true
do_heartbleed=true
do_ccs_injection=true
do_ticketbleed=true
do_robot=true
do_renego=true
do_crime=true
do_ssl_poodle=true
do_tls_fallback_scsv=true
do_drown=true
do_beast=true
do_rc4=true
do_logjam=true
do_allciphers=true
# Force vuln. checks to be shown under the same header
VULN_THRESHLD=-1
;;
(--) shift
break
;;
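Review bot: the `--rating[-_]only` arm hard-codes the set of `do_*` variables that `set_rating_state()` requires, so the two lists can drift apart silently and the documentation hunk already asks future check authors to update both places by hand; consider driving both from a single shared list (for example an array of variable names that both the switch arm and `set_rating_state()` iterate over), so that `set_rating_state()` can never disable rating after `--rating-only` was explicitly requested. Two further things to confirm: that this arm marks a single check as selected in the same way the other check options do, so the default full run is not triggered on top of the listed checks, and that the `VULN_THRESHLD=-1` assignment is surfaced in the help text, since it alters the output layout rather than which checks run.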