JSON(PRETTY) + CSV output when scan interrupted, WARN severity

If a severity level >= INFO was supplied, JSON* and CSV output did not
write error conditions in fileout(). As those indicate a problem
with the assessment, this has been fixed so that, whatever severity is
supplied to testssl.sh, WARN conditions are always written
to file when detected.

Also if the scan was interrupted on the client side where previously
a scanTime of 0 was written to the log file now it will raise a warning
that the scan was interrupted.

See also #769. Error conditions after starting a scan on the server side
(TCP Reset, DROP after a while) still won't be treated accurately in the file output
with an error message but the resulting JSON should be still valid.
Dirk 2018-03-01 13:47:34 +01:00
parent abc956344a
commit d344a1ee04


@ -379,6 +379,7 @@ set_severity_level() {
elif [[ "$severity" == "CRITICAL" ]]; then elif [[ "$severity" == "CRITICAL" ]]; then
SEVERITY_LEVEL=$CRITICAL SEVERITY_LEVEL=$CRITICAL
else else
# WARN will always be logged
echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!" echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!"
help 1 help 1
fi fi
@ -388,12 +389,12 @@ show_finding() {
local severity=$1 local severity=$1
( [[ "$severity" == "DEBUG" ]] ) || ( [[ "$severity" == "DEBUG" ]] ) ||
( [[ "$severity" == "WARN" ]] ) ||
( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) || ( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) || ( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) || ( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) || ( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) || ( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
( [[ "$severity" == "WARN" ]] ) ||
( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] ) ( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
} }
@ -663,12 +664,21 @@ strip_quote() {
fileout_json_footer() { fileout_json_footer() {
if "$do_json"; then if "$do_json"; then
# no scan time in --severity=low and above, also needed for Travis. Bit hackish... if [[ "$SCAN_TIME" -eq 0 ]]; then
[[ $SEVERITY_LEVEL -lt $LOW ]] && fileout_json_finding "scanTime" "INFO" "$SCAN_TIME" "" "" "" fileout_json_finding "scanTime" "WARN" "Scan interrupted" "" "" ""
elif [[ $SEVERITY_LEVEL -lt $LOW ]] ; then
# no scan time in --severity=low and above, also needed for Travis, hackish...
fileout_json_finding "scanTime" "INFO" $SCAN_TIME "" "" ""
fi
printf "]\n" >> "$JSONFILE" printf "]\n" >> "$JSONFILE"
fi fi
"$do_pretty_json" && echo -e " ], if "$do_pretty_json"; then
\"scanTime\" : \"$SCAN_TIME\"\n}" >> "$JSONFILE" if [[ "$SCAN_TIME" -eq 0 ]]; then
echo -e " ],\n \"scanTime\" : \"Scan interrupted\"\n}" >> "$JSONFILE"
else
echo -e " ],\n \"scanTime\" : ${SCAN_TIME}\n}" >> "$JSONFILE"
fi
fi
} }
fileout_json_section() { fileout_json_section() {
@ -3154,8 +3164,7 @@ run_cipher_match(){
stopwatch run_cipher_match stopwatch run_cipher_match
fileout_section_footer true fileout_section_footer true
outln outln
END_TIME=$(date +%s) calc_scantime
SCAN_TIME=$(( END_TIME - START_TIME ))
datebanner " Done" datebanner " Done"
"$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME" "$MEASURE_TIME" && printf "%${COLUMNS}s\n" "$SCAN_TIME"
@ -3169,6 +3178,7 @@ run_cipher_match(){
} }
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad) # test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
run_allciphers() { run_allciphers() {
local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 sclient_success=0 local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 sclient_success=0
@ -14915,6 +14925,10 @@ EOF
outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n" outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
} }
calc_scantime() {
END_TIME=$(date +%s)
SCAN_TIME=$(( END_TIME - START_TIME ))
}
cleanup() { cleanup() {
# If parallel mass testing is being performed, then the child tests need # If parallel mass testing is being performed, then the child tests need
@ -16940,8 +16954,7 @@ lets_roll() {
fileout_section_footer true fileout_section_footer true
outln outln
END_TIME=$(date +%s) calc_scantime
SCAN_TIME=$(( END_TIME - START_TIME ))
datebanner " Done" datebanner " Done"
"$MEASURE_TIME" && printf "$1: %${COLUMNS}s\n" "$SCAN_TIME" "$MEASURE_TIME" && printf "$1: %${COLUMNS}s\n" "$SCAN_TIME"