csaf_distribution

Checker: "Requirement 14: Directory listings"

Open s-l-teichmann opened this issue 1 year ago • 1 comments

The checker currently assumes that the directory listings to fulfill "7.1.14 Requirement 14: Directory listings" are generated on the server side and served as a pre-rendered HTML page.

There is/are provider(s), e.g. https://msrc.microsoft.com/csaf/2024, which generate(s) these listings in the browser via JavaScript. In this case the links to the advisories cannot be found in the loaded page directly.

What should be the solution for this?

Executing the JS locally in the checker does not seem to be a good idea to me. We could document this behavior. Maybe we can write some hints into the report if we don't find a lot of advisories in the page.

@tschmidtb51, @bernhardreiter any other ideas?

s-l-teichmann, Nov 23 '24 12:11

The standard 2.0 says:

Directory listing SHALL be enabled to support manual navigation.

A directory listing constructed with JavaScript would be fine for manual browsing in most cases. In rare cases JavaScript in browsers is disabled for security reasons. So it is for the standard to decide if an HTML+CSS-only directory listing is mandatory for the rare use cases or if this is too much detail.

The checker for 2.0 should acknowledge the possibility that manual browsing is possible with JavaScript and add a hint about this. Consequently it should raise a warning in that situation so that users know they need to check with a web browser.

bernhardreiter, Nov 25 '24 07:11
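
The hint and warning proposed in this thread could be implemented as a static heuristic that never executes the page's JavaScript. This is an added example, not code from the csaf_distribution checker; `check_listing`, the status strings, the "zero entries plus a script element" rule and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages (not taken from any real provider).
BASE = "https://example.com/csaf/2024/"
STATIC_PAGE = """<html><body><h1>Index of /csaf/2024/</h1>
<a href="?C=N;O=D">Name</a> <a href="../">Parent directory</a>
<a href="example-2024-0001.json">example-2024-0001.json</a>
<a href="example-2024-0002.json">example-2024-0002.json</a>
</body></html>"""
JS_PAGE = """<html><body><div id="listing"></div>
<script src="listing.js"></script></body></html>"""

class ListingParser(HTMLParser):
    """Collects link targets and counts <script> elements; runs no script."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
        elif tag == "script":
            self.scripts += 1

def check_listing(base_url, html_text):
    """Return (status, entries, message) for one directory listing page."""
    parser = ListingParser()
    parser.feed(html_text)
    parser.close()
    base = urlparse(base_url)
    entries = []
    for href in parser.hrefs:
        u = urlparse(urljoin(base_url, href))
        # Count only advisories (.json) and subdirectories below this listing;
        # sort links ("?C=N;O=D") and the parent link ("../") are ignored.
        below = u.netloc == base.netloc and u.path.startswith(base.path)
        if below and u.path != base.path and u.path.endswith((".json", "/")):
            entries.append(u.geturl())
    if entries:
        return "ok", entries, f"{len(entries)} entries found in static HTML"
    if parser.scripts:
        return "warning", entries, ("no entries in static HTML but the page "
            "loads scripts; the listing may be rendered in the browser, "
            "verify manually with a web browser")
    return "error", entries, "no entries and no scripts: listing appears missing"
```
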