-
Notifications
You must be signed in to change notification settings - Fork 1
/
changelog.txt
118 lines (100 loc) · 5.11 KB
/
changelog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
Changelog for ScirtScan
v3.1, under consideration
* config file to read specific values (e.g. CERT name in UserAgent)
and specify which checks should be done and which shouldn't
* maybe facilitate the upload of a new list of websites to scan
through the HTML page, so this can be used without shell access?
* will look into more output tools, e.g. a pie-chart to show how your
compliance is on a certain topic (e.g. SSLtest scores) and possibly a
graph over time to show improvement or getting worse
* will look into options for e-mail alerting if compliance on a certain topic
has failed for a website between consecutive checks
* will look into an option to specify primary websites (e.g. www.company.tld )
and have those shown first in the dashboard webpage
* finding open directories in the website under test
(this was on the requirement list from day one, just need to find a
reliable method to do this)
v3.0, 20240701
* major code rewrite, all checks are now seperate files
* the detailed log per site has been improved with links to errorpage
and sslscan details, so the information is more conscise
* version checks are improved
v2.2, 20231112
* SSLlabs checks run now multithreaded to speed things up
* check for HTTP->HTTPS redirect also accepts no HTTP service as OK
v2.1g, 20231109
* improved check for security.txt (thanks Paul H.)
* removed robots.txt from good/bad check, but still keep results in website log
v2.1f, 20231001
* changed stylesheet to keep the table header in place while scrolling
v2.1e, 20230820
* added a script organize.py the manage the content on the webserver
v2.1e, 20230817
* better sorting algorithm on the webpage, which handles the non-numeric values
v2.1c, 20230702
* added a check to find the word "debug" in the HTTP headers to find
websites with debug mode still enabled (for instance laravel)
v2.1b, 20230701
* check for CMS installation files left behind which disclose CMS type
and version information (README.txt, CHANGELOG.txt, etc)
* added check to see if website is reachable via HTTPS, so it now
fails gracefully is there is a DNS entry and no website and shows that
info in the dashboard etc.
* added sql2csv.py to quickly dump the database to semicolon separated
values
v2.0, 20230328
* database format stored in sqlite database itself, so sql2html
and sql2excel will read the structure from the database instead of
having this info hardcoded in the script.
v1.5b, 20230327
* HTST info is now in days so it's human readable
* finally fixed sql2exel.py to match the extra checks that are present
since v1.3
v1.5, 20230326
* HSTS duration is now stored separately and shown in a seperate column
* improved per-website logging
v1.4, 20230325
* removing the dependency of shcheck.py and doing these checks from
within the function & writing all raw headers to the per website logfile.
scroll
* adding an option to sort the table on website name, certificate age, SSLtest
score, and even the rest, so you can easily see whats most urgent
* changed the option for debug.log to -ndf (no debug log), so now
debug.log is always written, except if you explicitly tell it not to
v1.3a, 20230323
* added an option (-df) to write debug.log to a file in the YYYYMMDD
directory, so it's allways available for review
* added a user-agent that shows who is doing the scanning, and a -a
option to use a user-agent without telling that
v1.3, 20230322
* added a check to see if the website certificate is valid and if it's
going to expire within 30 days
* added a check to validate that HTTP requests get redirected to HTTPS
* replaced Qualys ssllabs-scan-v3 with python function that uses the
API directly, so thats not a dependency anymore
* added a no-cache commandline option to force Qualys to do a new
check even if the old check is less than 24 hours old
* added a defined user-agent string which is used with the HTTPS requests,
so it shows which entity is doeing the checks (best practice).
** N.B. the SQlite database format has changed because of the new checks,
so the new sql2html (v1.3) may give errors on old versions of
websites.db (but only fields are added, so probably you're fine)
** TBD. sql2excel needs to be adapted to the extra fields in the database
v1.2a, 20230226
* scirtscan.py bugfix where shcheck.py would not return json because
of a HTTP 5xx or an invalid certificate, this error is now caught and
properly dealt with
* scirtscan.py addition of check_dns function to validate that a
website name from the list resolves or otherwise move on to the next
one, because of the use of dnspython for this, requirements.txt is
also updated. The DNS info is also written to the per-website log file
so you can check if this info changes over time, as long as you keep
that information
v1.2, 20230226
* scirtscan.py, added option to view version info (-v, --view)
* added sql2excel.py to create a excel file from websites.db
* added requirements_sql2excel.txt if you want to use sql2excel.py
* added changelog.txt (this file)
v1.1 20230220
* scirtscan.py, added check for .well-known/security.txt as per rfc9116
* sql2html.py, added support for the security.txt check