Checker: "Requirement 14: Directory listings" #595

Open
s-l-teichmann opened this issue Nov 23, 2024 · 1 comment
@s-l-teichmann
Contributor

The checker currently assumes that the directory listing to fulfill "7.1.14 Requirement 14: Directory listings" is generated on the server side and served as a pre-rendered HTML page.

There is/are provider(s), e.g. https://msrc.microsoft.com/csaf/2024, which generate(s) these listings
in the browser via JavaScript. In this case the links to the advisories cannot be found in
the loaded page directly.

What should be the solution for this?

Executing the JS locally in the checker does not seem to be a good idea to me.
We could document this behavior. Maybe we can write some hints into the report if we don't find a lot of advisories in the page.

@tschmidtb51, @bernhardreiter any other ideas?

@bernhardreiter
Member

The standard 2.0 says:

> Directory listing SHALL be enabled to support manual navigation.

A directory listing constructed with JavaScript would be fine for manual browsing in most cases. In rare cases JavaScript in browsers is disabled for security reasons. So it is for the standard to decide if an HTML+CSS-only directory listing is mandatory for the rare use cases or if this is too much detail.

The checker for 2.0 should acknowledge the possibility that manual browsing is possible with JavaScript and add a hint about this. Consequently, it should raise a warning in that situation so that users know they need to check with a web browser.
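One way the hint discussed in this thread could work, as an added sketch that is not part of the thread and not the checker's own code: scan the served HTML without executing any script, and downgrade "no links found" to a warning when the page loads scripts. The names `ListingScan` and `check_listing`, the `min_links` threshold, the `example.com` URL and the sample pages are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ListingScan(HTMLParser):
    """Collects anchor targets and notes whether the page loads scripts."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
        elif tag == "script":
            self.has_script = True


def check_listing(base_url, body, min_links=1):
    """Classify one directory-listing page without running its JavaScript.

    Returns (status, message, entries); status is "ok", "warn" or "error".
    min_links is a hypothetical threshold, not a value from the standard.
    """
    base = base_url if base_url.endswith("/") else base_url + "/"
    scan = ListingScan()
    scan.feed(body)
    scan.close()
    entries = []
    for href in scan.hrefs:
        target = urljoin(base, href)
        path = urlparse(target).path
        # Keep only advisories (*.json) and sub-directories below this listing;
        # this drops "../" and links that leave the directory.
        if target != base and target.startswith(base) and path.endswith((".json", "/")):
            entries.append(target)
    if len(entries) >= min_links:
        return "ok", f"{len(entries)} listing entries found", entries
    if scan.has_script:
        return ("warn", "no listing entries in the served HTML, but the page loads "
                "scripts; the listing may be rendered in the browser, "
                "verify manually with a web browser", entries)
    return "error", "no listing entries found and no scripts present", entries


# Constructed sample pages (not captured from any real provider).
BASE = "https://example.com/csaf/2024/"
STATIC = ('<html><body><a href="../">..</a>'
          '<a href="example-2024-0001.json">example-2024-0001.json</a>'
          '<a href="example-2024-0002.json">example-2024-0002.json</a></body></html>')
JS_SHELL = ('<html><head><script src="/static/app.js"></script></head>'
            '<body><div id="root"></div></body></html>')
EMPTY = "<html><body><h1>Index</h1></body></html>"
```

A page that mixes a script-rendered listing with unrelated static links below the same directory would still be reported as "ok" by this heuristic, so the threshold needs tuning against real providers.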
