From d344a1ee04e6b461a896caae99529f2659201fdc Mon Sep 17 00:00:00 2001
From: Dirk
Date: Thu, 1 Mar 2018 13:47:34 +0100
Subject: [PATCH] JSON(PRETTY) + CSV output when scan interrupted, WARN severity

If a severity level >= INFO was supplied,JSON* and CSV output were not writing error conditions in fileout(). As those indicate a problem of the assessment, this has been fixed so that if any severity is supplied to testssl.sh it will always write WARN conditions to file when detected. Also if the scan was interrupted on the client side where previously a scanTime of 0 was written to the log file now it will raise a warning that the scan was interrupted. See also #769. Error conditions after starting a scan on the server side (TCP Reset, DROP after a while) still won't be treated accurately in the file output with an error message but the resulting JSON should be still valid.
---
 testssl.sh | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 93462a6..c3820da 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -379,6 +379,7 @@ set_severity_level() {
 elif [[ "$severity" == "CRITICAL" ]]; then
 SEVERITY_LEVEL=$CRITICAL
 else
+ # WARN will always be logged
 echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!"
 help 1
 fi
@@ -388,12 +389,12 @@ show_finding() {
 local severity=$1
 ( [[ "$severity" == "DEBUG" ]] ) ||
- ( [[ "$severity" == "WARN" ]] ) ||
 ( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
 ( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
 ( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
 ( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
 ( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
+ ( [[ "$severity" == "WARN" ]] ) ||
 ( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
 }
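Review bot: The added comment `# WARN will always be logged` sits in the `else` branch of set_severity_level(), directly above the "Supported severity levels are ..." message and `help 1`, so it documents nothing that branch does and reads as if the unsupported-level path logs a WARN. It belongs where the behaviour lives, next to the unconditional WARN clause in show_finding(), or, if it is meant for users, in the message itself, e.g. `echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL! WARN conditions are always written."`. set_severity_level() starts outside the hunk.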
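Review bot: Moving the WARN clause below HIGH does not change what show_finding() returns: every `( … ) ||` alternative is a side-effect-free test evaluated independently, and the WARN test carried no `$SEVERITY_LEVEL` comparison before the move either, so the WARN-to-file behaviour the commit message describes is not produced by this hunk unless fileout() changed elsewhere (not in this diff). If the move is meant to document that WARN ranks above HIGH regardless of `--severity`, say so on the clause, e.g. `# WARN is reported at every severity level, hence above HIGH here`. As a point of style, each `( … )` group forks a subshell for a pure `[[ ]]` test on every finding; `{ [[ … ]] && [[ … ]]; } ||` keeps the same truth table without the forks, and a `case "$severity" in` table would make the precedence explicit.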
@@ -663,12 +664,21 @@ strip_quote() {
 fileout_json_footer() {
 if "$do_json"; then
- # no scan time in --severity=low and above, also needed for Travis. Bit hackish...
- [[ $SEVERITY_LEVEL -lt $LOW ]] && fileout_json_finding "scanTime" "INFO" "$SCAN_TIME" "" "" ""
+ if [[ "$SCAN_TIME" -eq 0 ]]; then
+ fileout_json_finding "scanTime" "WARN" "Scan interrupted" "" "" ""
+ elif [[ $SEVERITY_LEVEL -lt $LOW ]] ; then
+ # no scan time in --severity=low and above, also needed for Travis, hackish...
+ fileout_json_finding "scanTime" "INFO" $SCAN_TIME "" "" ""
+ fi
 printf "]\n" >> "$JSONFILE"
 fi
- "$do_pretty_json" && echo -e " ],
- \"scanTime\" : \"$SCAN_TIME\"\n}" >> "$JSONFILE"
+ if "$do_pretty_json"; then
+ if [[ "$SCAN_TIME" -eq 0 ]]; then
+ echo -e " ],\n \"scanTime\" : \"Scan interrupted\"\n}" >> "$JSONFILE"
+ else
+ echo -e " ],\n \"scanTime\" : ${SCAN_TIME}\n}" >> "$JSONFILE"
+ fi
+ fi
 }
 fileout_json_section() {
@@ -3154,8 +3164,7 @@ run_cipher_match(){
 stopwatch run_cipher_match
 fileout_section_footer true
 outln
- END_TIME=$(date +%s)
- SCAN_TIME=$(( END_TIME - START_TIME ))
+ calc_scantime
 datebanner " Done"
 "$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME"
@@ -3169,6 +3178,7 @@ run_cipher_match(){
 }
+
 # test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
 run_allciphers() {
 local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 sclient_success=0
@@ -14915,6 +14925,10 @@ EOF
 outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
 }
+calc_scantime() {
+ END_TIME=$(date +%s)
+ SCAN_TIME=$(( END_TIME - START_TIME ))
+}
 cleanup() {
 # If parallel mass testing is being performed, then the child tests need
@@ -16940,8 +16954,7 @@ lets_roll() {
 fileout_section_footer true
 outln
- END_TIME=$(date +%s)
- SCAN_TIME=$(( END_TIME - START_TIME ))
+ calc_scantime
 datebanner " Done"
 "$MEASURE_TIME" && printf "$1: %${COLUMNS}s\n" "$SCAN_TIME"
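Review bot: In the pretty-JSON footer `scanTime` is now a bare number on the normal path (`\"scanTime\" : ${SCAN_TIME}`) but a quoted string (`\"Scan interrupted\"`) on the zero path, whereas the removed lines always wrote a quoted string; a consumer that reads the field as one type fails on the other, and the commit message does not mention the type change. Keeping it a string in both branches, `echo -e " ],\n \"scanTime\" : \"${SCAN_TIME}\"\n}" >> "$JSONFILE"`, or keeping it numeric and reporting the interruption as a separate field, keeps the schema stable. Treating `SCAN_TIME -eq 0` as "interrupted" also assumes SCAN_TIME is initialised to 0 before the scan and that calc_scantime() is only reached on normal completion; that initialisation is outside this diff, and since `[[ "" -eq 0 ]]` is true in bash an unset SCAN_TIME takes the same path. The quotes dropped from `fileout_json_finding "scanTime" "INFO" $SCAN_TIME "" "" ""` should come back as `"$SCAN_TIME"`: the `elif` guarantees a non-empty value today, but an unquoted expansion there would shift the trailing empty arguments if that ever changed.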
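Review bot: calc_scantime() has no header comment although it now carries the contract that fileout_json_footer() relies on (a SCAN_TIME of 0 means the scan was interrupted), and it writes two globals, END_TIME and SCAN_TIME, without saying which callers read them; a comment such as `# Sets SCAN_TIME (seconds since START_TIME). fileout_json_footer() treats 0 as "scan interrupted", so call this only on normal completion.` above the definition would make that explicit. If START_TIME is unset when it runs, bash arithmetic treats it as 0 and SCAN_TIME becomes the current epoch time rather than 0, which silently defeats that check; that is worth a `[[ -n "$START_TIME" ]]` guard or at least the comment. END_TIME is only used to compute SCAN_TIME here, so if nothing else reads it, `local -i end_time` would keep it out of the global namespace.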