scan.nextcloud.com reports don't expire
It looks like https://scan.nextcloud.com never deletes any scan reports. Even worse, the service won't rescan the website if there's already a scan report in the database - no matter how old this report is. https://scan.nextcloud.com still shows me an ancient report from July 2017 after entering the URL of one of my Nextcloud instances. There's no obvious notification about the report's date. At first I was wondering how it could possibly show me that I'm running Nextcloud 12 - and that this "Major version [is] still supported"... :unamused: The date is indeed shown in the report, but greyed out. The "trigger re-scan" button is likewise greyed out and very small.
All reports should be deleted after a reasonable period of time. I suggest deleting reports after 1 month. All reports older than 1 month have no informational value anyway. This is a matter of data privacy.
When entering an already known URL, https://scan.nextcloud.com should automatically trigger a re-scan if the latest report in the database is older than a (reasonable, but rather short) period of time. I suggest re-scanning if the latest report is older than 1 day.
I have the same issue

Yep, I got here via https://help.nextcloud.com/t/security-scan-detects-wrong-version/106493/4
Exposing old scans is unhelpful and could potentially attract attackers if a vulnerability has been detected in an old version of NC and they think you're still running that.
I can't see why you'd ever want to keep those around, unless this is not being used just as a "security scan" but is also being used to report who is using what version for some other purpose, e.g. internal monitoring. If it is then this should be made much clearer, and should not be exposed to the public after some cut-off.
I don't see why you need to cache this data for more than a day (week at a push). Users are encouraged to share the page on social media, which is crap because you might share because you want to show off "A+" status, but by the time someone clicks from S/M it may be downgraded if a point-release has come out since!