boB Rudis
5 years ago
5 changed files with 186 additions and 189 deletions
@ -1,123 +1,151 @@ |
|||
|
|||
[![Build Status](https://travis-ci.org/hrbrmstr/securitytxt.svg?branch=master)](https://travis-ci.org/hrbrmstr/securitytxt) [![Build status](https://ci.appveyor.com/api/projects/status/o654jge4mce4a7lg?svg=true)](https://ci.appveyor.com/project/hrbrmstr/securitytxt) ![Coverage Status](http://img.shields.io/codecov/c/github/hrbrmstr/securitytxt/master.svg) |
|||
|
|||
securitytxt |
|||
=========== |
|||
[![Project Status: Active – The project has reached a stable, usable |
|||
state and is being actively |
|||
developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) |
|||
[![Signed |
|||
by](https://img.shields.io/badge/Keybase-Verified-brightgreen.svg)](https://keybase.io/hrbrmstr) |
|||
![Signed commit |
|||
%](https://img.shields.io/badge/Signed_Commits-16.7%25-lightgrey.svg) |
|||
[![Linux build |
|||
Status](https://travis-ci.org/hrbrmstr/securitytxt.svg?branch=master)](https://travis-ci.org/hrbrmstr/securitytxt) |
|||
[![Windows build |
|||
status](https://ci.appveyor.com/api/projects/status/github/hrbrmstr/securitytxt?svg=true)](https://ci.appveyor.com/project/hrbrmstr/securitytxt) |
|||
[![Coverage |
|||
Status](https://codecov.io/gh/hrbrmstr/securitytxt/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/securitytxt) |
|||
[![cran |
|||
checks](https://cranchecks.info/badges/worst/securitytxt)](https://cranchecks.info/pkgs/securitytxt) |
|||
[![CRAN |
|||
status](https://www.r-pkg.org/badges/version/securitytxt)](https://www.r-pkg.org/pkg/securitytxt) |
|||
![Minimal R |
|||
Version](https://img.shields.io/badge/R%3E%3D-3.2.0-blue.svg) |
|||
![License](https://img.shields.io/badge/License-MIT-blue.svg) |
|||
|
|||
# securitytxt |
|||
|
|||
Identify and Parse Web Security Policies Files |
|||
|
|||
Description |
|||
----------- |
|||
|
|||
When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. The 'security.txt' 'Web Security Policies' specification defines a 'IETF' standard to help organizations define the process for security researchers to securely disclose security vulnerabilities. |
|||
|
|||
Tools are provided to identify and parse 'security.txt' files, enabling analysis of the usage of these policies. |
|||
|
|||
- [IETF Draft](https://tools.ietf.org/html/draft-foudil-securitytxt-00) |
|||
## Description |
|||
|
|||
When security risks in web services are discovered by independent |
|||
security researchers who understand the severity of the risk, they often |
|||
lack the channels to properly disclose them. As a result, security |
|||
issues may be left unreported. The ‘security.txt’ ‘Web Security |
|||
Policies’ specification defines an ‘IETF’ draft standard |
|||
<https://tools.ietf.org/html/draft-foudil-securitytxt-00> to help |
|||
organizations define the process for security researchers to securely |
|||
disclose security vulnerabilities. Tools are provided to help identify |
|||
and parse ‘security.txt’ files to enable analysis of the usage and |
|||
adoption of these policies. |
|||
|
|||
- [IETF |
|||
Draft](https://tools.ietf.org/html/draft-foudil-securitytxt-00) |
|||
- [Information hub](https://securitytxt.org/) |
|||
- [GitHub Organization](https://github.com/securitytxt) |
|||
|
|||
What's Inside The Tin |
|||
--------------------- |
|||
## What’s Inside The Tin |
|||
|
|||
The following functions are implemented: |
|||
|
|||
- `sectxt`: Parse a 'security.txt' Web Security Policies file & create a 'sectxt' object |
|||
- `sectxt_info`: Retrieve a data frame of `security.txt` keys/values |
|||
- `sectxt_validate`: Validate a 'security.txt' Web Security Policies file |
|||
- `sectxt_url`: Determine `security.txt` URL for a given site/URL |
|||
- `sectxt_info`: Retrieve a data frame of security.txt keys/values |
|||
- `sectxt_url`: Determine security.txt URL for a given site/URL |
|||
- `sectxt_validate`: Validate a security.txt Web Security Policies |
|||
file |
|||
- `sectxt`: Parse a security.txt Web Security Policies file & create a |
|||
sectxt object |
|||
|
|||
Installation |
|||
------------ |
|||
## Installation |
|||
|
|||
``` r |
|||
devtools::install_git("git://gitlab.com/hrbrmstr/securitytxt") |
|||
remotes::install_gitlab("hrbrmstr/securitytxt") |
|||
# or |
|||
remotes::install_github("hrbrmstr/securitytxt") |
|||
``` |
|||
|
|||
Usage |
|||
----- |
|||
NOTE: To use the ‘remotes’ install options you will need to have the |
|||
[{remotes} package](https://github.com/r-lib/remotes) installed. |
|||
|
|||
## Usage |
|||
|
|||
``` r |
|||
library(securitytxt) |
|||
|
|||
# current verison |
|||
packageVersion("securitytxt") |
|||
``` |
|||
|
|||
## [1] '0.1.0' |
|||
|
|||
``` r |
|||
# built-in example |
|||
x <- sectxt(readLines(system.file("extdata", "security.txt", package="securitytxt"))) |
|||
sectxt_info(x) |
|||
``` |
|||
|
|||
## key value |
|||
## 1 contact security@example.com |
|||
## 2 encryption https://example.com/pgp-key.txt |
|||
<div class="kable-table"> |
|||
|
|||
| key | value | |
|||
| :--------- | :-------------------------------- | |
|||
| contact | <security@example.com> | |
|||
| encryption | <https://example.com/pgp-key.txt> | |
|||
|
|||
</div> |
|||
|
|||
``` r |
|||
|
|||
# "live" example |
|||
(xurl <- sectxt_url("https://securitytxt.org")) |
|||
``` |
|||
|
|||
## [1] "https://securitytxt.org/.well-known/security.txt" |
|||
|
|||
``` r |
|||
x <- sectxt(url(xurl)) |
|||
sectxt_info(x) |
|||
``` |
|||
|
|||
## key value |
|||
## 1 contact https://twitter.com/EdOverflow |
|||
<div class="kable-table"> |
|||
|
|||
``` r |
|||
sectxt_validate(x) |
|||
``` |
|||
| key | value | |
|||
| :--------------- | :------------------------------------------- | |
|||
| contact | <https://hackerone.com/ed> | |
|||
| encryption | <https://keybase.pub/edoverflow/pgp_key.asc> | |
|||
| acknowledgements | <https://hackerone.com/ed/thanks> | |
|||
|
|||
## [1] TRUE |
|||
</div> |
|||
|
|||
``` r |
|||
sectxt_validate(x) |
|||
## [1] FALSE |
|||
x |
|||
``` |
|||
|
|||
## <Web Security Policies Object> |
|||
## # Our security address |
|||
## Contact: https://twitter.com/EdOverflow |
|||
## # If you would like to report a security issue |
|||
## # you may report it to us on HackerOne. |
|||
## Contact: https://hackerone.com/ed |
|||
## Encryption: https://keybase.pub/edoverflow/pgp_key.asc |
|||
## Acknowledgements: https://hackerone.com/ed/thanks |
|||
|
|||
``` r |
|||
# another "live" example |
|||
(xurl <- sectxt_url("https://rud.is/b")) |
|||
``` |
|||
|
|||
## [1] "https://rud.is/.well-known/security.txt" |
|||
|
|||
``` r |
|||
x <- sectxt(url(xurl)) |
|||
sectxt_info(x) |
|||
``` |
|||
|
|||
## key value |
|||
## 1 contact bob@rud.is |
|||
## 2 encryption https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399 |
|||
## 3 disclosure Full |
|||
<div class="kable-table"> |
|||
|
|||
``` r |
|||
sectxt_validate(x) |
|||
``` |
|||
| key | value | |
|||
| :--------- | :---------------------------------------------------------------------------------------------- | |
|||
| contact | <bob@rud.is> | |
|||
| encryption | <https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399> | |
|||
| disclosure | Full | |
|||
|
|||
## [1] TRUE |
|||
</div> |
|||
|
|||
``` r |
|||
sectxt_validate(x) |
|||
## [1] TRUE |
|||
x |
|||
``` |
|||
|
|||
## <Web Security Policies Object> |
|||
## Contact: bob@rud.is |
|||
## Encryption: https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399 |
|||
## Disclosure: Full |
|||
``` |
|||
|
|||
Code of Conduct |
|||
--------------- |
|||
## Code of Conduct |
|||
|
|||
Please note that this project is released with a [Contributor Code of Conduct](CONDUCT.md). By participating in this project you agree to abide by its terms. |
|||
Please note that this project is released with a [Contributor Code of |
|||
Conduct](CONDUCT.md). By participating in this project you agree to |
|||
abide by its terms. |
|||
|
@ -1,37 +0,0 @@ |
|||
## Test environments |
|||
* local OS X install, R 3.4.2 |
|||
* ubuntu 14.04 (on travis-ci), R oldrel, release & devel |
|||
* ubuntu 16.04.3 (local), R 3.4.1 |
|||
* r-hub Windows |
|||
* win-builder (devel and release) |
|||
|
|||
## R CMD check results |
|||
|
|||
0 errors | 0 warnings | 1 note |
|||
|
|||
* This is a new release. |
|||
|
|||
## Reverse dependencies |
|||
|
|||
This is a new release, so there are no reverse dependencies. |
|||
|
|||
--- |
|||
|
|||
* I've used the new ORCID id in |
|||
Authors@R (not sure if I need |
|||
to note that but it's "new" so |
|||
figured it wldn't hurt to |
|||
mention it). |
|||
* There is extra copyright info |
|||
for the included C++ lib used |
|||
both in inst/COPYRIGHTS & |
|||
in the C++ source files. |
|||
* Some examples that require |
|||
internet connectivity are |
|||
marked 'dontrun' b/c they |
|||
are for illustration only. |
|||
* Tests are included and run |
|||
weekly on Travis-CI |
|||
* Tests are manuall run on AppVeyor |
|||
as well for all builds. |
|||
* Code coverage is also provided. |
Loading…
Reference in new issue