mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
JSON(PRETTY) + CSV output when scan interrupted, WARN severity
If a severity level >= INFO was supplied, JSON* and CSV output were not writing error conditions in fileout(). As those indicate a problem with the assessment, this has been fixed so that if any severity is supplied to testssl.sh, it will always write WARN conditions to file when detected. Also, if the scan was interrupted on the client side, where previously a scanTime of 0 was written to the log file, it will now raise a warning that the scan was interrupted. See also #769. Error conditions after starting a scan on the server side (TCP Reset, DROP after a while) still won't be treated accurately in the file output with an error message, but the resulting JSON should still be valid.
parent
abc956344a
commit
d344a1ee04
31
testssl.sh
31
testssl.sh
@ -379,6 +379,7 @@ set_severity_level() {
|
|||||||
elif [[ "$severity" == "CRITICAL" ]]; then
|
elif [[ "$severity" == "CRITICAL" ]]; then
|
||||||
SEVERITY_LEVEL=$CRITICAL
|
SEVERITY_LEVEL=$CRITICAL
|
||||||
else
|
else
|
||||||
|
# WARN will always be logged
|
||||||
echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!"
|
echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!"
|
||||||
help 1
|
help 1
|
||||||
fi
|
fi
|
||||||
@ -388,12 +389,12 @@ show_finding() {
|
|||||||
local severity=$1
|
local severity=$1
|
||||||
|
|
||||||
( [[ "$severity" == "DEBUG" ]] ) ||
|
( [[ "$severity" == "DEBUG" ]] ) ||
|
||||||
( [[ "$severity" == "WARN" ]] ) ||
|
|
||||||
( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
||||||
( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
||||||
( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
||||||
( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
||||||
( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
||||||
|
( [[ "$severity" == "WARN" ]] ) ||
|
||||||
( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
|
( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -663,12 +664,21 @@ strip_quote() {
|
|||||||
|
|
||||||
fileout_json_footer() {
|
fileout_json_footer() {
|
||||||
if "$do_json"; then
|
if "$do_json"; then
|
||||||
# no scan time in --severity=low and above, also needed for Travis. Bit hackish...
|
if [[ "$SCAN_TIME" -eq 0 ]]; then
|
||||||
[[ $SEVERITY_LEVEL -lt $LOW ]] && fileout_json_finding "scanTime" "INFO" "$SCAN_TIME" "" "" ""
|
fileout_json_finding "scanTime" "WARN" "Scan interrupted" "" "" ""
|
||||||
|
elif [[ $SEVERITY_LEVEL -lt $LOW ]] ; then
|
||||||
|
# no scan time in --severity=low and above, also needed for Travis, hackish...
|
||||||
|
fileout_json_finding "scanTime" "INFO" $SCAN_TIME "" "" ""
|
||||||
|
fi
|
||||||
printf "]\n" >> "$JSONFILE"
|
printf "]\n" >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
"$do_pretty_json" && echo -e " ],
|
if "$do_pretty_json"; then
|
||||||
\"scanTime\" : \"$SCAN_TIME\"\n}" >> "$JSONFILE"
|
if [[ "$SCAN_TIME" -eq 0 ]]; then
|
||||||
|
echo -e " ],\n \"scanTime\" : \"Scan interrupted\"\n}" >> "$JSONFILE"
|
||||||
|
else
|
||||||
|
echo -e " ],\n \"scanTime\" : ${SCAN_TIME}\n}" >> "$JSONFILE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_json_section() {
|
fileout_json_section() {
|
||||||
@ -3154,8 +3164,7 @@ run_cipher_match(){
|
|||||||
stopwatch run_cipher_match
|
stopwatch run_cipher_match
|
||||||
fileout_section_footer true
|
fileout_section_footer true
|
||||||
outln
|
outln
|
||||||
END_TIME=$(date +%s)
|
calc_scantime
|
||||||
SCAN_TIME=$(( END_TIME - START_TIME ))
|
|
||||||
datebanner " Done"
|
datebanner " Done"
|
||||||
|
|
||||||
"$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME"
|
"$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME"
|
||||||
@ -3169,6 +3178,7 @@ run_cipher_match(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
|
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
|
||||||
run_allciphers() {
|
run_allciphers() {
|
||||||
local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 sclient_success=0
|
local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 sclient_success=0
|
||||||
@ -14915,6 +14925,10 @@ EOF
|
|||||||
outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
|
outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
calc_scantime() {
|
||||||
|
END_TIME=$(date +%s)
|
||||||
|
SCAN_TIME=$(( END_TIME - START_TIME ))
|
||||||
|
}
|
||||||
|
|
||||||
cleanup() {
|
cleanup() {
|
||||||
# If parallel mass testing is being performed, then the child tests need
|
# If parallel mass testing is being performed, then the child tests need
|
||||||
@ -16940,8 +16954,7 @@ lets_roll() {
|
|||||||
fileout_section_footer true
|
fileout_section_footer true
|
||||||
|
|
||||||
outln
|
outln
|
||||||
END_TIME=$(date +%s)
|
calc_scantime
|
||||||
SCAN_TIME=$(( END_TIME - START_TIME ))
|
|
||||||
datebanner " Done"
|
datebanner " Done"
|
||||||
|
|
||||||
"$MEASURE_TIME" && printf "$1: %${COLUMNS}s\n" "$SCAN_TIME"
|
"$MEASURE_TIME" && printf "$1: %${COLUMNS}s\n" "$SCAN_TIME"
|
||||||
|
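Review bot: In the pretty-JSON branch of fileout_json_footer, `scanTime` is now emitted as a bare number (`${SCAN_TIME}`) on a completed scan and as the string "Scan interrupted" otherwise, while the line it replaces wrote a quoted string, so consumers that parse the report against a fixed schema will see the field change type between runs. Keeping it a string in both cases, `echo -e " ],\n \"scanTime\" : \"${SCAN_TIME}\"\n}" >> "$JSONFILE"`, avoids that. Separately, both branches treat `SCAN_TIME -eq 0` as the interruption signal, but calc_scantime subtracts whole-second `date +%s` values, so a run that finishes within one second would also be reported as interrupted. A dedicated flag set only inside calc_scantime would be unambiguous; this presumes SCAN_TIME is initialised to 0 elsewhere, which is not visible on this page. The `$SCAN_TIME` argument passed to fileout_json_finding also lost its double quotes in this change and should keep them.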