Complete requirement 4 (ROLIE) (#391)

* Create dummy structure to uniquely identify each advisory * Remove dummy values, remove unused variable for now * Formatting * Add Evaluation of whether a white Advisory is access protected and add it to the respective slice, implement functionality * Initialize p.whiteAdvisories before using it, stop sorting if no Client was used * Ammend rules to include requirement 4, warning instead of error if white advisory is found protected, use badWhitePermissions.use() * Formatting * Fix typo: avaible -> available * Improve check on whether building identifier failed * Move extracting of tlp labels and related functions from processor to roliecheck * Create Labelchecker and check access of white advisories regardless of whether ROLIE feeds exist. Only check Ranks if ROLIE feeds are used * Formatting * Do not use label checker as a pointer. * Rename label checker * Add XXX to questionable code. * Simplify checking white advisories. * Improve error message if no checks for accessibility of white advisories were done * Extract TLP label directly without extractTLP function, consistent plural in error message * Add comments and check type assertion in tlp label extraction. * Move check for white advisories to label checker. * Improve methods naming an comments. * Address a few review questions. * Move functionality of checkProtection fully into evaluateTLP * Add comments and warn only if we are in a white feed or in a dirlisting. --------- Co-authored-by: JanHoefelmeyer <Jan Höfelmeyer [email protected]> Co-authored-by: JanHoefelmeyer <[email protected]> Co-authored-by: Sascha L. Teichmann <[email protected]>
gocsaf · Jul 13, 2023 · de27a66 · de27a66
1 parent f05bcd3
commit de27a66
Show file tree

Hide file tree

Showing 4 changed files with 183 additions and 118 deletions.
diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
@@ -53,7 +53,7 @@ type processor struct {
 	pmd256         []byte
 	pmd            any
 	keys           *crypto.KeyRing
-	labelChecker   *rolieLabelChecker
+	labelChecker   labelChecker
 
 	invalidAdvisories      topicMessages
 	badFilenames           topicMessages
@@ -190,6 +190,10 @@ func newProcessor(opts *options) (*processor, error) {
 		expr:           util.NewPathEval(),
 		ageAccept:      ageAccept(opts),
 		validator:      validator,
+		labelChecker: labelChecker{
+			advisories:      map[csaf.TLPLabel]util.Set[string]{},
+			whiteAdvisories: map[identifier]bool{},
+		},
 	}, nil
 }
 
@@ -241,7 +245,7 @@ func (p *processor) clean() {
 	p.badROLIECategory.reset()
 	p.badWhitePermissions.reset()
 	p.badAmberRedPermissions.reset()
-	p.labelChecker = nil
+	p.labelChecker.reset()
 }
 
 // run calls checkDomain function for each domain in the given "domains" parameter.
@@ -361,6 +365,7 @@ func (p *processor) domainChecks(domain string) []func(*processor, string) error
 		(*processor).checkMissing,
 		(*processor).checkInvalid,
 		(*processor).checkListing,
+		(*processor).checkWhitePermissions,
 	)
 
 	return checks
@@ -735,28 +740,7 @@ func (p *processor) integrity(
 			}
 		}
 
-		// Extract the tlp level of the entry
-		if tlpa, err := p.expr.Eval(
-			`$.document`, doc); err != nil {
-			p.badROLIEFeed.error(
-				"Extracting 'tlp level' from %s failed: %v", u, err)
-		} else {
-			tlpe := extractTLP(tlpa)
-			// If the client has no authorization it shouldn't be able
-			// to access TLP:AMBER or TLP:RED advisories
-			if !p.opts.protectedAccess() &&
-				(tlpe == csaf.TLPLabelAmber || tlpe == csaf.TLPLabelRed) {
-
-				p.badAmberRedPermissions.use()
-				p.badAmberRedPermissions.error(
-					"Advisory %s of TLP level %v is not access protected.",
-					u, tlpe)
-			}
-			// check if current feed has correct or all of their tlp levels entries.
-			if p.labelChecker != nil {
-				p.labelChecker.check(p, tlpe, u)
-			}
-		}
+		p.labelChecker.check(p, doc, u)
 
 		// Check if file is in the right folder.
 		p.badFolders.use()
@@ -870,25 +854,6 @@ func (p *processor) integrity(
 	return nil
 }
 
-// extractTLP tries to extract a valid TLP label from an advisory
-// Returns "UNLABELED" if it does not exist, the label otherwise
-func extractTLP(tlpa any) csaf.TLPLabel {
-	if document, ok := tlpa.(map[string]any); ok {
-		if distri, ok := document["distribution"]; ok {
-			if distribution, ok := distri.(map[string]any); ok {
-				if tlp, ok := distribution["tlp"]; ok {
-					if label, ok := tlp.(map[string]any); ok {
-						if labelstring, ok := label["label"].(string); ok {
-							return csaf.TLPLabel(labelstring)
-						}
-					}
-				}
-			}
-		}
-	}
-	return csaf.TLPLabelUnlabeled
-}
-
 // checkIndex fetches the "index.txt" and calls "checkTLS" method for HTTPS checks.
 // It extracts the file names from the file and passes them to "integrity" function.
 // It returns error if fetching/reading the file(s) fails, otherwise nil.
@@ -946,7 +911,7 @@ func (p *processor) checkIndex(base string, mask whereType) error {
 	}
 
 	// Block rolie checks.
-	p.labelChecker = nil
+	p.labelChecker.feedLabel = ""
 
 	return p.integrity(files, base, mask, p.badIndices.add)
 }
@@ -1041,7 +1006,7 @@ func (p *processor) checkChanges(base string, mask whereType) error {
 	}
 
 	// Block rolie checks.
-	p.labelChecker = nil
+	p.labelChecker.feedLabel = ""
 
 	return p.integrity(files, base, mask, p.badChanges.add)
 }
@@ -1215,6 +1180,30 @@ func (p *processor) checkListing(string) error {
 	return nil
 }
 
+// checkWhitePermissions checks if the TLP:WHITE advisories are
+// available with unprotected access.
+func (p *processor) checkWhitePermissions(string) error {
+
+	var ids []string
+	for id, open := range p.labelChecker.whiteAdvisories {
+		if !open {
+			ids = append(ids, id.String())
+		}
+	}
+
+	if len(ids) == 0 {
+		return nil
+	}
+
+	sort.Strings(ids)
+
+	p.badWhitePermissions.error(
+		"TLP:WHITE advisories with ids %s are only available access-protected.",
+		strings.Join(ids, ", "))
+
+	return nil
+}
+
 // checkProviderMetadata checks provider-metadata.json. If it exists,
 // decodes, and validates against the JSON schema.
 // According to the result, the respective error messages added to

diff --git a/cmd/csaf_checker/reporters.go b/cmd/csaf_checker/reporters.go
@@ -157,7 +157,7 @@ func (r *tlsReporter) report(p *processor, domain *Domain) {
 func (r *tlpWhiteReporter) report(p *processor, domain *Domain) {
 	req := r.requirement(domain)
 	if !p.badWhitePermissions.used() {
-		req.message(InfoType, "No advisories labeled TLP:WHITE tested for accessibility.")
+		req.message(InfoType, "No access-protected advisories labeled TLP:WHITE found.")
 		return
 	}
 	if len(p.badWhitePermissions) == 0 {