From 4c6a0aa6df9e70b148925ea57efe18ca99064270 Mon Sep 17 00:00:00 2001
From: Joshua Wright
Date: Fri, 17 Oct 2025 09:39:18 +0100
Subject: [PATCH 1/2] feat: Update Mozilla Cert Report URL; Allow Specify as CMD incase URL becomes invalid in Future

---
 cmd/inspect.go | 4 +++-
 cmd/options/analyse.go | 15 +++++++++++++++
 internal/analyse/analyse.go | 18 ++++++++++++------
 3 files changed, 30 insertions(+), 7 deletions(-)
 create mode 100644 cmd/options/analyse.go

diff --git a/cmd/inspect.go b/cmd/inspect.go
index c157aff..bee95b1 100644
--- a/cmd/inspect.go
+++ b/cmd/inspect.go
@@ -18,6 +18,7 @@ import (
 func newInspect(ctx context.Context) *cobra.Command {
 var imgOpts *options.Image
+ var analyseOpts *options.Analyse
 cmd := &cobra.Command{
 Use: "inspect [flags] image",
@@ -47,7 +48,7 @@ Partial certificates are also all printed for further inspection.
 return err
 }
- analyser, err := analyse.NewAnalyser()
+ analyser, err := analyse.NewAnalyser(analyseOpts.MozillaRemovedCertsURL)
 if err != nil {
 return errors.Wrap(err, "failed to initialise analyser")
 }
@@ -97,6 +98,7 @@ Partial certificates are also all printed for further inspection.
 }
 imgOpts = options.RegisterImage(cmd)
+ analyseOpts = options.RegisterAnalyse(cmd)
 cmd.Args = cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs)
 return cmd
diff --git a/cmd/options/analyse.go b/cmd/options/analyse.go
new file mode 100644
index 0000000..7f16588
--- /dev/null
+++ b/cmd/options/analyse.go
@@ -0,0 +1,15 @@
+package options
+
+import "github.com/spf13/cobra"
+
+// Analyse are options for configuring certificate analysis.
+type Analyse struct {
+ // MozillaRemovedCertsURL is the URL to fetch the Mozilla removed CA certificates list from.
+ MozillaRemovedCertsURL string `json:"mozilla_removed_certs_url"`
+}
+
+func RegisterAnalyse(cmd *cobra.Command) *Analyse {
+ var opts Analyse
+ cmd.PersistentFlags().StringVar(&opts.MozillaRemovedCertsURL, "mozilla-removed-certs-url", "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat", "URL to fetch Mozilla's removed CA certificate list from.")
+ return &opts
+}
diff --git a/internal/analyse/analyse.go b/internal/analyse/analyse.go
index 75a6ced..33bfa04 100644
--- a/internal/analyse/analyse.go
+++ b/internal/analyse/analyse.go
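Review bot: RegisterAnalyse is exported but carries no doc comment, and the default URL literal passed to StringVar duplicates the constant that internal/analyse keeps for the same value, so the two copies can drift apart without anyone noticing. Add `// RegisterAnalyse binds the certificate-analysis flags to cmd and returns the struct they populate.` above the function, and hoist the literal into a single exported constant (for example `const DefaultMozillaRemovedCertsURL = "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat"` in this package) that both the flag default and the analyser reference. Since the fetched list drives which CA certificates are reported as removed, the flag help text should also say that an https URL is expected, matching whatever validation the analyser performs.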
@@ -38,19 +38,25 @@ type Analyser struct {
 // NewAnalyser creates a new Analyzer using the public Mozilla CA removed certificate list as part of
 // its checks. This method performs HTTP requests to retrieve that list. The request will be made with the given
-// context.
-func NewAnalyser() (*Analyser, error) {
- rc, err := downloadMozillaRemovedCACertsList()
+// context. If mozillaRemovedCertsURL is empty, the default Mozilla URL will be used.
+func NewAnalyser(mozillaRemovedCertsURL string) (*Analyser, error) {
+ rc, err := downloadMozillaRemovedCACertsList(mozillaRemovedCertsURL)
 if err != nil {
 return nil, err
 }
 return &Analyser{RemovedCertificates: rc}, nil
 }
-func downloadMozillaRemovedCACertsList() ([]removedCertificate, error) {
- const mozillaRemovedCACertificateReportURL = "https://ccadb-public.secure.force.com/mozilla/RemovedCACertificateReportCSVFormat"
+func downloadMozillaRemovedCACertsList(mozillaRemovedCertsURL string) ([]removedCertificate, error) {
+ const defaultMozillaRemovedCACertificateReportURL = "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat"
- resp, err := http.Get(mozillaRemovedCACertificateReportURL)
+ // Use default URL if none provided
+ url := mozillaRemovedCertsURL
+ if url == "" {
+ url = defaultMozillaRemovedCACertificateReportURL
+ }
+
+ resp, err := http.Get(url)
 if err != nil {
 return nil, err
 }
From 9fa70fcf312649f0ff9f25e6e5ffff3dc988ac6d Mon Sep 17 00:00:00 2001
From: Joshua Wright
Date: Fri, 17 Oct 2025 09:53:46 +0100
Subject: [PATCH 2/2] feat: Reflect Comments

---
 cmd/inspect.go | 2 +-
 internal/analyse/analyse.go | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/cmd/inspect.go b/cmd/inspect.go
index bee95b1..3e2e653 100644
--- a/cmd/inspect.go
+++ b/cmd/inspect.go
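Review bot: The caller-supplied value reaches `resp, err := http.Get(url)` with no check of its scheme or host, and because the list it fetches decides which CA certificates are reported as removed, an http:// or otherwise unexpected URL would let a network-level attacker tamper with the analysis input, so the function should parse the value and require an absolute https URL before fetching (this needs net/url and, if not already imported, fmt in the import block). The new local `url` shadows the net/url package name, which gets in the way of exactly that check, so it is renamed below. The same unchecked fetch survives patch 2's rewrite of this function in the second hunk of internal/analyse/analyse.go, where the fix applies equally. http.Get also uses the default client with no timeout; that predates this change but deserves a TODO now that the endpoint is configurable. downloadMozillaRemovedCACertsList continues past the end of the hunk.
```go
func downloadMozillaRemovedCACertsList(mozillaRemovedCertsURL string) ([]removedCertificate, error) {
	const defaultMozillaRemovedCACertificateReportURL = "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat"

	// Use default URL if none provided
	reportURL := mozillaRemovedCertsURL
	if reportURL == "" {
		reportURL = defaultMozillaRemovedCACertificateReportURL
	}

	// The list feeds trust decisions about CA certificates, so only an
	// absolute https endpoint is accepted.
	parsed, err := url.Parse(reportURL)
	if err != nil {
		return nil, err
	}
	if parsed.Scheme != "https" || parsed.Host == "" {
		return nil, fmt.Errorf("mozilla removed certs URL %q must be an absolute https URL", reportURL)
	}

	// TODO: use a client with a timeout (or a request bound to a context).
	resp, err := http.Get(reportURL)
	// … unchanged: error check and response handling …
```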
@@ -48,7 +48,7 @@ Partial certificates are also all printed for further inspection.
 return err
 }
- analyser, err := analyse.NewAnalyser(analyseOpts.MozillaRemovedCertsURL)
+ analyser, err := analyse.NewAnalyser(analyseOpts)
 if err != nil {
 return errors.Wrap(err, "failed to initialise analyser")
 }
diff --git a/internal/analyse/analyse.go b/internal/analyse/analyse.go
index 33bfa04..cfa51bb 100644
--- a/internal/analyse/analyse.go
+++ b/internal/analyse/analyse.go
@@ -11,6 +11,7 @@ import (
 "time"
 "github.com/hako/durafmt"
+ "github.com/jetstack/paranoia/cmd/options"
 )
 type NoteLevel string
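Review bot: Importing `"github.com/jetstack/paranoia/cmd/options"` from internal/analyse inverts the dependency direction: the library package now depends on the CLI flag-binding package (and transitively on cobra) only to read one string field. Keep the analysis configuration next to the analyser instead, for example `type Config struct { MozillaRemovedCertsURL string }` in internal/analyse with `func NewAnalyser(cfg Config) (*Analyser, error)`, and have cmd/options build that value from its flags, so the first hunk's `analyse.NewAnalyser(analyseOpts)` passes an analyser-owned type. There is no import cycle today because cmd/options only imports cobra, but the moment it needs anything from internal/analyse (a default constant, say) the cycle appears.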
@@ -36,22 +37,23 @@ type Analyser struct {
 RemovedCertificates []removedCertificate
 }
+const defaultMozillaRemovedCACertificateReportURL = "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat"
+
 // NewAnalyser creates a new Analyzer using the public Mozilla CA removed certificate list as part of
 // its checks. This method performs HTTP requests to retrieve that list. The request will be made with the given
-// context. If mozillaRemovedCertsURL is empty, the default Mozilla URL will be used.
-func NewAnalyser(mozillaRemovedCertsURL string) (*Analyser, error) {
- rc, err := downloadMozillaRemovedCACertsList(mozillaRemovedCertsURL)
+// context. The options struct configures various aspects of the analysis.
+func NewAnalyser(opts *options.Analyse) (*Analyser, error) {
+ rc, err := downloadMozillaRemovedCACertsList(opts)
 if err != nil {
 return nil, err
 }
 return &Analyser{RemovedCertificates: rc}, nil
 }
-func downloadMozillaRemovedCACertsList(mozillaRemovedCertsURL string) ([]removedCertificate, error) {
- const defaultMozillaRemovedCACertificateReportURL = "https://ccadb.my.salesforce-sites.com/mozilla/RemovedCACertificateReportCSVFormat"
+func downloadMozillaRemovedCACertsList(opts *options.Analyse) ([]removedCertificate, error) {
 // Use default URL if none provided
- url := mozillaRemovedCertsURL
+ url := opts.MozillaRemovedCertsURL
 if url == "" {
 url = defaultMozillaRemovedCACertificateReportURL
 }
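Review bot: `url := opts.MozillaRemovedCertsURL` dereferences the new pointer parameter with no nil guard, so a caller passing nil now panics where the previous string parameter accepted an empty value gracefully; add `if opts == nil { opts = &options.Analyse{} }` at the top of downloadMozillaRemovedCACertsList, or have NewAnalyser return an error for nil. The rewritten doc line `// context. The options struct configures various aspects of the analysis.` still says the request is made "with the given context", yet neither function takes a context.Context; either drop that clause or, better, add a ctx parameter and build the request with http.NewRequestWithContext so the fetch can be cancelled. The hunk ends inside downloadMozillaRemovedCACertsList; the http.Get call that consumes url lies outside it.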