Releases: DigitalTrustCenter/sectxt
0.9.4
A new version which resolves the following issues:
#70 cgi will be removed in Python 3.1:
cgi is deprecated and has been replaced with the recommended replacement.
#72 Invalid responses are not handled properly
Redirects are allowed but in the case of a redirect to a different path it should log the error that the security.txt was not found on the correct location. A global redirect to an html will cause the library to want to parse that page even if that makes no sense anymore. This has been resolved.
#73 add emails and urls properties
We have added properties on the SecurityTXT object which can be used to retrieve the first found or all of the emails, urls or phone numbers listed in the Contact field
#74 Certain security.txt files can cause parser to hang indefinitely
If the security.txt has a PGP block we check for any issues and log these if found. The library used for this is the PGPy library. Certain input however has been found to cause the library to hang indefinitly.
The possible cause for this issue has been found and a pull request has been opened on this library. For now we resolve the issue by using the specific pull request of the PGPy library. When the PGPy library updates and resolves this issue we will update to that version.
0.9.3
0.9.2
A new version which solves an issue with the BOM error always showing even when not applicable and fixes an error that occures on leap days. This includes the following issues:
#64 It is now possible to test local files by adding the is_local flag to True and passing a local path as the url parameter. This will only validate the content of the file given
#65 The BOM error was always shown even when not applicable. This issue has been fixed and the error message is improved.
#66 On leap days the validation check would fail because it would check for a year later. This was not done correctly and it would fail. This is fixed now.
Add error message for Byte order mark
In this release we fixed an issue with the line numbers and we added an error message when the BOM was found.
#57 an error message has been added. If the byte order mark is present in the file it will continue to process the file without the BOM, but it will add an error to highlight that the file has the BOM present.
#60 we fixed the issue that it would override the line_no. Now it will never override the line number in the add_error function.
0.9.0
bugfixes included in this release: #53, #54, #55, #56, #57, #58
The issues reported on the sectxt validator have been processed, most were related to adding validation checks on the pgp message. For this I used the PGPy python module, which checks for issues with the pgp message conform the OpenPGP specification per RFC 4880.
The request for the security.txt url has also been given an user agent to mock a regular web browser
The byte content is checked for a utf-8 BOM which is removed if found
#53: Canonical "Error: Field value must be a URI (e.g. beginning with 'mailto:')"
Message is simplified to avoid confusion
#54: PGP Dash-Escaped Text is still parsed for pgp
A pgp format validator is added to find issues within the message
#55: Improve on missing newline in a file by adding line number
The line number is added for the missing newline error. And the error message is improved
#56: Singed message is not enforcing signature
A pgp format validator is added
#57: Improve parser error for Byte order mark (BOM)
The issue with the BOM could occur, but it has no meaning in utf-8. If it occurs it is removed and handled validated without it.
#58: If signed, pass data to gpg validate
A pgp format validator is added.
0.8.3
Bugfixes included in this release: #47
- The CSAF field is now optional (like "Acknowledgments" and "Hiring") so the recommendation is removed. The errors remain, if the field is listed with an issue it will throw an error.
- The "multiple_csaf_fields" has been moved from a notification to a recommendation.
- The "no_csaf_file" text has been updated to be more clear.
0.8.2
bugfixing: #44, #45 and #46
adding support for CSAF field #47
#44: Wordings "data_after_sig" error message and inclusion in README and #45: Text suggestion for "signed_format_issue" error
- error message changed to be more clear.
#46: Unknown field: notification and textual suggestion
- Added notifications which were already mentioned in the ReadMe and the text for the unknown_field notification is changed to be more clear.
#47: Validate new CSAF field
new key for CSAF field, it is considered optional as per the section 2.4 (https://www.rfc-editor.org/rfc/rfc9116.html#section-2.4).
If the field is not present a recommendation "no_csaf" is added. "'CSAF' field should appear at least once"
if the field does not point to the correct file an error "no_csaf_file" is added. "All CSAF field in the security.txt must point to a provider-metadata.json file"
If multiple fields are present a notification "multiple_csaf_fields" is added to remove them even though it is allowed. "It is allowed to have more than one CSAF field, however this should be removed if possible."
0.8.1
This release resolves the following bugfixes:
0.8
This release resolves the following issues:
- #21 Check for Line Separator: Every line MUST end using a line feed. An error for this is added, which checks if the final line is an empty line. If this is not the case not all lines end with a line feed.
- #24 What message when security.txt file is NOT available via https?: An additional check is added which checks the insecure URI scheme. If the security.txt is found than an error is added which clarifies that the scheme is not correct and the https scheme should be used.
- #34 Note that does not verify the signature: A index is added to the signature recommendation which clarifies this.
- #38 Set up security policy and code scanning alerts on Github: A security.md has been added which clarifies how you can report issues.
0.7
Fix crash when the value of expires does not contain a timezone.