diff --git a/checker/rule.go b/checker/rule.go
index 6850730..7e91fb5 100644
--- a/checker/rule.go
+++ b/checker/rule.go
@@ -31,6 +31,7 @@ type issuerAgg struct {
 code string
 msg string
 endpoints map[string]bool
+ count int // number of certificates observed from this issuer
 }
 type allowList struct {
@@ -152,6 +153,7 @@ func (r *caaRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts
 cur = &issuerAgg{sample: p, endpoints: map[string]bool{}}
 agg[k] = cur
 }
+ cur.count++
 if severityRank(severity) >= severityRank(cur.severity) {
 cur.severity = severity
 cur.code = code
@@ -233,22 +235,23 @@ func (r *caaRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts
 endpoints = append(endpoints, ep)
 }
 sort.Strings(endpoints)
- meta := map[string]any{"endpoints": endpoints}
+ meta := map[string]any{"endpoints": endpoints, "cert_count": a.count}
+ certSuffix := fmt.Sprintf(" (%d certificate(s) checked)", a.count)
 switch a.severity {
 case SeverityCrit:
 out = append(out, sdk.CheckState{
- Status: sdk.StatusCrit, Message: a.msg, Code: a.code,
+ Status: sdk.StatusCrit, Message: a.msg + certSuffix, Code: a.code,
 Subject: subject, Meta: meta,
 })
 case SeverityWarn:
 out = append(out, sdk.CheckState{
- Status: sdk.StatusWarn, Message: a.msg, Code: a.code,
+ Status: sdk.StatusWarn, Message: a.msg + certSuffix, Code: a.code,
 Subject: subject, Meta: meta,
 })
 case SeverityInfo:
 out = append(out, sdk.CheckState{
- Status: sdk.StatusInfo, Message: a.msg, Code: a.code,
+ Status: sdk.StatusInfo, Message: a.msg + certSuffix, Code: a.code,
 Subject: subject, Meta: meta,
 })
 default:
@@ -257,7 +260,7 @@ func (r *caaRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts
 msg = "Certificate observed; no CAA records published"
 }
 out = append(out, sdk.CheckState{
- Status: sdk.StatusOK, Message: msg, Code: CodeOK,
+ Status: sdk.StatusOK, Message: msg + certSuffix, Code: CodeOK,
 Subject: subject, Meta: meta,
 })
 }
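Review bot: `cur.count++` in the second hunk runs once per aggregated observation, so `count` tallies observations rather than distinct certificates, although the field comment in the first hunk and the later message both say certificates. If one certificate can be seen on several endpoints (the `endpoints` set kept on the same aggregate suggests so, but the loop header is outside the hunk), the report overstates how many certificates were checked against CAA. Either deduplicate on a certificate identifier before incrementing, or change the field comment to `// number of observations aggregated for this issuer` and word the message to match. Evaluate's body starts and ends outside this hunk.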
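Review bot: Appending `certSuffix` to `Message` in the three severity cases of the third hunk, and in the `default` branch of the fourth, makes the message text change whenever the count changes, even though the same number is already exposed as `cert_count` in `Meta`. Any consumer that deduplicates, suppresses or alerts on the message string (an assumption, none is visible in this diff) would treat a rotated or newly added certificate as a new finding. Consider keeping `Message: a.msg` stable and leaving the count to `Meta`, or document the suffix as part of the message format. The suffix had to be repeated four times because the `sdk.CheckState` literal is duplicated per severity; mapping severity to status first and building the state once would remove that repetition. Evaluate continues outside both hunks.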