Commit graph

10 commits

Author SHA1 Message Date
fb2ae7d903 checker: suppress CVE warnings for vendor-backported OpenSSH fixes
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
v0.3.0
Distributions backport security fixes without bumping the upstream
OpenSSH version, so a banner like "OpenSSH_9.2p1 Debian-2+deb12u3" was
wrongly flagged for regreSSHion despite carrying the fix.

Thread the banner vendor comment into analyseBannerVulns and add a
per-CVE VendorFixes table recording the earliest patched package
revision per distro/upstream version. Revisions are compared with a
faithful port of dpkg's verrevcmp ordering. Populated for CVE-2024-6387
from DSA-5724-1 (Debian) and USN-6859-1 (Ubuntu).
2026-06-18 16:55:19 +09:00
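The comparison the commit above describes, as an added example in Go that is not the project's code: `verrevcmp` is a port of dpkg's `verrevcmp()` ordering (digit runs compared numerically, non-digit runs byte-wise with `~` sorting before everything), and `vendorFixes`, `bannerRe` and `AssessRegreSSHion` are hypothetical stand-ins for the checker's VendorFixes table and banner analysis. The Debian 9.2p1 row (`2+deb12u3`) follows DSA-5724-1 as cited in the commit; the Ubuntu 9.6p1 row (`3ubuntu13.3`) is my reading of USN-6859-1 and should be checked against the advisory before use. The affected range 8.5p1 <= v < 9.8p1 is the upstream advisory range for CVE-2024-6387; releases before 4.4p1 are also affected but are not modelled here. Sample banners are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict is the outcome of matching a banner against the CVE's affected
// range and then the distro backport table.
type Verdict string

const (
	Unknown     Verdict = "unknown (not an OpenSSH banner)"
	NotAffected Verdict = "not affected"
	Vulnerable  Verdict = "vulnerable"
	Patched     Verdict = "patched (vendor backport)"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }

// at returns s[i] or 0 past the end, mirroring the C string's NUL terminator.
func at(s string, i int) byte {
	if i < len(s) {
		return s[i]
	}
	return 0
}

// order mirrors dpkg's order(): digits and end-of-string sort as 0, letters by
// their own value, '~' before everything, any other byte after all letters.
func order(c byte) int {
	switch {
	case isDigit(c):
		return 0
	case isAlpha(c):
		return int(c)
	case c == '~':
		return -1
	case c != 0:
		return int(c) + 256
	}
	return 0
}

// verrevcmp ports dpkg's verrevcmp(): both strings are walked as alternating
// non-digit and digit runs; non-digit runs compare via order(), digit runs
// compare numerically with leading zeros dropped. Returns <0, 0 or >0.
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if ac, bc := order(at(a, i)), order(at(b, j)); ac != bc {
				return ac - bc
			}
			i++
			j++
		}
		for at(a, i) == '0' {
			i++
		}
		for at(b, j) == '0' {
			j++
		}
		for isDigit(at(a, i)) && isDigit(at(b, j)) {
			if firstDiff == 0 {
				firstDiff = int(a[i]) - int(b[j])
			}
			i++
			j++
		}
		if isDigit(at(a, i)) {
			return 1 // a has more significant digits left: a is larger
		}
		if isDigit(at(b, j)) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// vendorFix keys the backport table by (distro, upstream version).
type vendorFix struct{ distro, upstream string }

// vendorFixes records, per CVE, the earliest package revision carrying the fix.
// Debian 9.2p1 -> 2+deb12u3 per DSA-5724-1; Ubuntu 9.6p1 -> 3ubuntu13.3 is an
// assumption from USN-6859-1 (verify against the advisory).
var vendorFixes = map[string]map[vendorFix]string{
	"CVE-2024-6387": {
		{"Debian", "9.2p1"}: "2+deb12u3",
		{"Ubuntu", "9.6p1"}: "3ubuntu13.3",
	},
}

// bannerRe accepts "OpenSSH_9.2p1 Debian-2+deb12u3", with or without the
// "SSH-2.0-" prefix; group 2 is the optional vendor comment.
var bannerRe = regexp.MustCompile(`^(?:SSH-2\.0-)?OpenSSH_([0-9]+\.[0-9]+(?:p[0-9]+)?)(?:\s+(\S+))?`)

// AssessRegreSSHion applies the upstream affected range for CVE-2024-6387
// (8.5p1 <= v < 9.8p1) and then consults the backport table for the vendor
// comment "<Distro>-<revision>"; a revision at or above the fixed one is patched.
func AssessRegreSSHion(banner string) Verdict {
	m := bannerRe.FindStringSubmatch(banner)
	if m == nil {
		return Unknown
	}
	upstream, comment := m[1], m[2]
	if verrevcmp(upstream, "8.5p1") < 0 || verrevcmp(upstream, "9.8p1") >= 0 {
		return NotAffected
	}
	if distro, rev, ok := strings.Cut(comment, "-"); ok {
		if fixed, known := vendorFixes["CVE-2024-6387"][vendorFix{distro, upstream}]; known && verrevcmp(rev, fixed) >= 0 {
			return Patched
		}
	}
	return Vulnerable
}

func main() {
	for _, b := range []string{ // constructed sample banners
		"OpenSSH_9.2p1 Debian-2+deb12u3",
		"OpenSSH_9.2p1 Debian-2+deb12u2",
		"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
		"OpenSSH_9.7p1",
		"OpenSSH_9.8p1",
	} {
		fmt.Printf("%-42s %s\n", b, AssessRegreSSHion(b))
	}
}
```

The vendor comment is self-reported by the daemon, so a "patched" verdict is evidence of packaging, not proof of the running binary; the table also needs one row for every distro release that ships the same upstream version, since revisions from different releases are not comparable.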
258d799a97 checker: implement ShareKey to mutualise SSH probes across targets
An SSH probe (reachability, banner, KEX/host-key algorithm posture, host keys)
depends only on the set of addresses and ports dialed and the probe knobs,
never on which domain name points at the server: SSH has no SNI, so the same
daemon answers identically behind every name. Implement sdk.ObservationSharer
so the host can probe an address set once and serve every target (of the same
user) that points at it, instead of re-connecting per record.

The share key sorts the resolved addresses and ports and folds in the probe
timeout, the auth-probe flag, and the declared SSHFP fingerprints — the latter
live in the observation and drive the SSHFP-match rule, so two services with
the same endpoints but different SSHFP must not share a verdict. The
host/Domain label is intentionally excluded, mirroring the ping checker's
exclusion of which domain the addresses belong to: it does not change
reachability, the negotiated algorithms, the host keys, or the SSHFP
comparison. Inputs with no probable address yield "" so the host falls back to
per-target caching.
2026-06-18 15:28:28 +09:00
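A share-key computation with the properties the commit above lists, as an added example in Go that is not the project's `ShareKey` implementation: `ProbeInput` is a hypothetical stand-in for the observation input, addresses are canonicalised with `net/netip` before sorting (my choice, so that two spellings of one IPv6 address collide), an empty port list is treated as port 22 per the "make port 22 probe optional" commit further down this page, and every field is written length-prefixed into a SHA-256 so field boundaries cannot be confused. The sample inputs are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/netip"
	"sort"
	"strconv"
	"time"
)

// ProbeInput holds everything the SSH probe dials or compares against, plus
// the one label (Domain) that must be excluded from the key. Hypothetical type.
type ProbeInput struct {
	Domain    string        // which name pointed here; deliberately not keyed
	Addresses []string      // resolved IPv4/IPv6 literals
	Ports     []int         // configured ports; empty means the default port 22
	Timeout   time.Duration // probe knob
	AuthProbe bool          // probe knob
	SSHFP     []string      // declared SSHFP fingerprints, e.g. "4 2 <hex>"
}

// canonAddr normalises IP literals so "2001:DB8:0::1" and "2001:db8::1" agree.
func canonAddr(a string) string {
	if ip, err := netip.ParseAddr(a); err == nil {
		return ip.String()
	}
	return a // not an IP literal; keep as given
}

// writeField feeds one field into the hash as "<label>/<count>\n" followed by
// length-prefixed items, so no separator inside an item can shift a boundary.
func writeField(w io.Writer, label string, items []string) {
	fmt.Fprintf(w, "%s/%d\n", label, len(items))
	for _, it := range items {
		fmt.Fprintf(w, "%d:%s\n", len(it), it)
	}
}

// ShareKey returns the key two targets must agree on to share one probe, or
// "" when there is nothing to dial (the caller then caches per target).
func ShareKey(in ProbeInput) string {
	if len(in.Addresses) == 0 {
		return ""
	}
	addrs := make([]string, 0, len(in.Addresses))
	for _, a := range in.Addresses {
		addrs = append(addrs, canonAddr(a))
	}
	sort.Strings(addrs)

	ports := append([]int(nil), in.Ports...) // copy: never sort the caller's slice
	if len(ports) == 0 {
		ports = []int{22}
	}
	sort.Ints(ports)
	portStrs := make([]string, len(ports))
	for i, p := range ports {
		portStrs[i] = strconv.Itoa(p)
	}

	fps := append([]string(nil), in.SSHFP...)
	sort.Strings(fps) // the order in which records were declared is not significant

	h := sha256.New()
	writeField(h, "addr", addrs)
	writeField(h, "port", portStrs)
	writeField(h, "timeout", []string{in.Timeout.String()})
	writeField(h, "auth", []string{strconv.FormatBool(in.AuthProbe)})
	writeField(h, "sshfp", fps)
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	// Constructed: two records of one user pointing at the same host.
	git := ProbeInput{Domain: "git.example.org", Addresses: []string{"203.0.113.10", "2001:db8::1"}, Timeout: 5 * time.Second}
	www := ProbeInput{Domain: "www.example.org", Addresses: []string{"2001:DB8:0::1", "203.0.113.10"}, Ports: []int{22}, Timeout: 5 * time.Second}
	pinned := www
	pinned.SSHFP = []string{"4 2 0123456789abcdef"} // declared fingerprint changes the verdict
	fmt.Println("git/www share:   ", ShareKey(git) == ShareKey(www))
	fmt.Println("www/pinned share:", ShareKey(www) == ShareKey(pinned))
	fmt.Printf("no address: %q\n", ShareKey(ProbeInput{Domain: "dead.example.org"}))
}
```

Leaving Domain out is what lets one probe serve every record behind the same endpoints; the SSHFP set is included even though it never changes the probe, because it changes the verdict, and a shared observation must yield the same verdict for everyone it is served to.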
16c82bbe16 checker: lower minimum check interval to 5 minutes
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
v0.2.0
2026-05-15 17:29:16 +08:00
bf28f6a8b2 checker: make port 22 probe optional
Port 22 is now the default when no ports are configured, rather than
being unconditionally appended. Users can now probe non-standard ports
without also probing port 22.
2026-05-15 17:29:16 +08:00
f77895dcab checker: enforce prober-as-observation, move all analysis to rules layer
2026-05-15 17:29:16 +08:00
1e6254c289 Update go mod
All checks were successful
continuous-integration/drone/push Build is passing
2026-05-10 19:37:19 +08:00
7a8d181403 Add CI/CD pipeline
Some checks failed
continuous-integration/drone/push Build is failing
2026-05-10 19:30:20 +08:00
af5b70920b Include rules section
2026-04-30 08:46:17 +07:00
a1203425ff checker: build host FQDN from subdomain + apex at service scope
2026-04-30 08:46:08 +07:00
06036c89d9 Initial commit
v0.1.0
2026-04-26 16:23:21 +07:00