security.txt full url in finding

Fixes #1314

Author: bwbroersma

checks/migrations/0016_domaintestappsecpriv_securitytxt_found_url.py

@@ -0,0 +1,27 @@
+# AddField Generated by Django 3.2.24 on 2024-03-09 12:49
+# Manually created SQL migration to handle old reports
+
+from django.db import migrations  # , models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("checks", "0015_auto_20240212_1616"),
+    ]
+
+    operations = [
+        # migrations.AddField(
+        #     model_name='domaintestappsecpriv',
+        #     name='securitytxt_found_url',
+        #     field=models.CharField(max_length=8000, null=True),
+        # ),
+        migrations.RunSQL(
+            sql=[
+                "ALTER TABLE checks_domaintestappsecpriv ADD COLUMN securitytxt_found_url VARCHAR(8000);",
+                "UPDATE checks_domaintestappsecpriv SET securitytxt_found_url=securitytxt_found_host WHERE securitytxt_enabled;",
+            ],
+            reverse_sql=[
+                "ALTER TABLE checks_domaintestappsecpriv DROP COLUMN securitytxt_found_url;",
+            ],
+        ),
+    ]

checks/models.py

@@ -721,6 +721,8 @@ class DomainTestAppsecpriv(BaseTestModel):
     securitytxt_recommendations = ListField(default=[])
     securitytxt_score = models.IntegerField(null=True)
     securitytxt_found_host = models.CharField(null=True, max_length=255)
+    # 8000 from https://www.rfc-editor.org/rfc/rfc9110#section-4.1-5
+    securitytxt_found_url = models.CharField(null=True, max_length=8000)
 
     def __dir__(self):
         return [
@@ -753,6 +755,7 @@ def __dir__(self):
             "securitytxt_recommendations",
             "securitytxt_score",
             "securitytxt_found_host",
+            "securitytxt_found_url",
         ]
 
     def get_web_api_details(self):
@@ -772,6 +775,7 @@ def get_web_api_details(self):
             "securitytxt_errors": self.securitytxt_errors,
             "securitytxt_recommendations": self.securitytxt_recommendations,
             "securitytxt_found_host": self.securitytxt_found_host,
+            "securitytxt_found_url": self.securitytxt_found_url,
         }
 
     class Meta:

checks/tasks/appsecpriv.py

@@ -125,6 +125,7 @@ def save_results(model, results, addr, domain):
                 model.securitytxt_errors = result.get("securitytxt_errors")
                 model.securitytxt_recommendations = result.get("securitytxt_recommendations")
                 model.securitytxt_found_host = result.get("securitytxt_found_host")
+                model.securitytxt_found_url = result.get("securitytxt_found_url")
                 model.content_security_policy_enabled = result.get("content_security_policy_enabled")
                 model.content_security_policy_score = result.get("content_security_policy_score")
                 model.content_security_policy_values = result.get("content_security_policy_values")
@@ -190,7 +191,7 @@ def build_report(model, category):
             default_message = [
                 {
                     "msgid": "retrieved-from",
-                    "context": {"hostname": model.securitytxt_found_host},
+                    "context": {"url": model.securitytxt_found_url},
                 }
             ]
         else:

checks/tasks/securitytxt.py

@@ -129,6 +129,7 @@ def parser_format(parser_messages):
             "securitytxt_enabled": False,
             "securitytxt_score": scoring.WEB_APPSECPRIV_SECURITYTXT_BAD,
             "securitytxt_found_host": result.found_host,
+            "securitytxt_found_url": None,
             "securitytxt_errors": result.errors,
             "securitytxt_recommendations": [],
         }
@@ -142,6 +143,7 @@ def parser_format(parser_messages):
         "securitytxt_enabled": True,
         "securitytxt_score": score,
         "securitytxt_found_host": result.found_host,
+        "securitytxt_found_url": result.found_url,
         "securitytxt_errors": errors,
         "securitytxt_recommendations": parser_format(parser.recommendations + parser.notifications),
     }

translations/en/main.po

@@ -2022,7 +2022,7 @@ msgid "detail tech data http-securitytxt requested-from"
 msgstr "security.txt requested from {hostname}."
 
 msgid "detail tech data http-securitytxt retrieved-from"
-msgstr "security.txt retrieved from {hostname}."
+msgstr "security.txt retrieved from {url}."
 
 msgid "detail tech data http-securitytxt signed_format_issue"
 msgstr ""

translations/nl/main.po

@@ -2041,7 +2041,7 @@ msgid "detail tech data http-securitytxt requested-from"
 msgstr "security.txt opgevraagd van {hostname}."
 
 msgid "detail tech data http-securitytxt retrieved-from"
-msgstr "security.txt opgehaald van {hostname}."
+msgstr "security.txt opgehaald van {url}."
 
 msgid "detail tech data http-securitytxt signed_format_issue"
 msgstr ""