Updating Semgrep.yml file - Semgrep is a tool that will be used to scan Cloudflare's public repos for supply chain, code and secrets. This work is part of the Application & Product Security team's initiative to onboard Semgrep onto all of Cloudflare's public repos.
In case of any questions, please reach out to "Hrushikesh Deshpande" on cf internal chat.
When attempting to build redoctober with a modern version of go
I was getting the following error in the tests:
x509: certificate relies on legacy Common Name field, use SANs
Looking at the existing test certificate, it is indeed
missing a SAN, as it was probably generated as a one-liner with
the openssl CLI:
```
Issuer: C = US, ST = CA, L = Everywhere, O = Internet Widgits Pty Ltd, CN = localhost
Validity
Not Before: Oct 12 12:19:40 2016 GMT
Not After : Sep 18 12:19:40 2116 GMT
Subject: C = US, ST = CA, L = Everywhere, O = Internet Widgits Pty Ltd, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
```
This remedies the issue by generating a new self-signed test
certificate which does include a SAN:
```
$ cat cert.conf
[CA_default]
copy_extensions = copy
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
C = US
ST = CA
L = Everywhere
O = Internet Widgits Pty Ltd
CN = localhost
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
[alternate_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = app.localhost
$ openssl req -x509 -newkey rsa:4096 -sha256 -utf8 -days 36500 -nodes -config cert.conf -keyout testdata/server.pem -out testdata/server.crt
...
$ cat testdata/server.crt | openssl x509 -noout -text
Issuer: C = US, ST = CA, L = Everywhere, O = Internet Widgits Pty Ltd, CN = localhost
Validity
Not Before: Oct 26 22:33:24 2023 GMT
Not After : Oct 2 22:33:24 2123 GMT
Subject: C = US, ST = CA, L = Everywhere, O = Internet Widgits Pty Ltd, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:localhost, DNS:*.localhost, DNS:app.localhost
X509v3 Subject Key Identifier:
1B:9B:11:0E:14:2E:D6:7D:57:4F:5D:29:CB:5B:16:01:80:34:9C:0A
```
This allows the tests to complete without running into that x509
exception or needing to set a flag in the build args to ignore it.
Commit 6f8424ad38
added a public function so we can import redoctober's NewServer
function in external test packages to create an RO server without having
to actually install the binary in test environments.
This used to work until 0f06d0a051,
which makes it impossible to import the main package in external packages.
This change moves `NewServer` and its related code to a non-main
package so other packages can still import it in tests or any other
places.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
The diff for this is a bit ugly due to indentation changes, but
essentially each navbar tag that exists was converted into a tab. From
there, only one tab is shown at a time; this makes navigation generally
suck less, and is visually less painful.
In parallel, the markup for each tab was adjusted to be more consistent.