
Function post_process_findings

src/ssh_audit/ssh_audit.py:409–562  ·  view source on GitHub ↗

Perform post-processing on scan results before reporting them to the user. Returns a list of algorithms that should not be recommended and a list of notes.

(banner: Optional[Banner], algs: Algorithms, client_audit: bool, dh_rate_test_notes: str)

409def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_audit: bool, dh_rate_test_notes: str) -> Tuple[List[str], List[str]]:
410 '''Perform post-processing on scan results before reporting them to the user. Returns a list of algorithms that should not be recommended and a list of notes.'''
411
def _add_terrapin_warning(db: Dict[str, Dict[str, List[List[Optional[str]]]]], category: str, algorithm_name: str) -> None:
    '''Adds a warning regarding the Terrapin vulnerability for the specified algorithm.

    The entry db[category][algorithm_name] is a list of per-algorithm lists; index 2 holds the warnings. Any missing slots up to and including index 2 are created as empty lists before the warning text is appended. Mutates db in place and returns nothing.'''
    entry = db[category][algorithm_name]

    # Pad the entry so the warnings slot at index 2 exists (each pad is a fresh list).
    missing = 3 - len(entry)
    if missing > 0:
        entry.extend([] for _ in range(missing))

    entry[2].append("vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation")
419
def _get_chacha_ciphers_enabled(algs: Algorithms) -> List[str]:
    '''Returns a list of chacha20-poly1305 ciphers that the peer supports.

    Reads the client or server encryption list from algs.ssh2kex, selected by the enclosing client_audit flag. Returns an empty list when algs.ssh2kex is None.'''
    if algs.ssh2kex is None:
        return []

    peer = algs.ssh2kex.client if client_audit else algs.ssh2kex.server
    return [cipher for cipher in peer.encryption if cipher.startswith("chacha20-poly1305")]
431
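def _get_chacha_ciphers_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]]]]], algs: Algorithms) -> List[str]:
    '''Returns a list of all chacha20-poly1305 ciphers in our algorithm database that the peer does not support.

    Iterates the "enc" section of db and keeps the chacha20-poly1305 names that are absent from the peer's enabled list (as computed by _get_chacha_ciphers_enabled).'''
    # Compute the peer's enabled set once instead of on every loop iteration.
    enabled = set(_get_chacha_ciphers_enabled(algs))

    return [
        cipher for cipher in db["enc"]
        if cipher.startswith("chacha20-poly1305") and cipher not in enabled
    ]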
441
def _get_cbc_ciphers_enabled(algs: Algorithms) -> List[str]:
    '''Returns a list of CBC ciphers that the peer supports.

    A cipher counts as CBC when its name ends in "-cbc", "-cbc@openssh.org" or "-cbc@ssh.com", or is exactly "rijndael-cbc@lysator.liu.se". The client or server encryption list is chosen by the enclosing client_audit flag; an empty list is returned when algs.ssh2kex is None.'''
    if algs.ssh2kex is None:
        return []

    peer = algs.ssh2kex.client if client_audit else algs.ssh2kex.server
    cbc_suffixes = ("-cbc", "-cbc@openssh.org", "-cbc@ssh.com")
    return [
        cipher for cipher in peer.encryption
        if cipher.endswith(cbc_suffixes) or cipher == "rijndael-cbc@lysator.liu.se"
    ]
453
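def _get_cbc_ciphers_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]]]]], algs: Algorithms) -> List[str]:
    '''Returns a list of all CBC ciphers in our algorithm database that the peer does not support.

    A cipher counts as CBC when its name ends in "-cbc", "-cbc@openssh.org" or "-cbc@ssh.com", or is exactly "rijndael-cbc@lysator.liu.se". Names already in the peer's enabled list (as computed by _get_cbc_ciphers_enabled) are excluded.'''
    # Compute the peer's enabled set once instead of on every loop iteration.
    enabled = set(_get_cbc_ciphers_enabled(algs))
    cbc_suffixes = ("-cbc", "-cbc@openssh.org", "-cbc@ssh.com")

    return [
        cipher for cipher in db["enc"]
        if (cipher.endswith(cbc_suffixes) or cipher == "rijndael-cbc@lysator.liu.se") and cipher not in enabled
    ]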
463
464 def _get_etm_macs_enabled(algs: Algorithms) -> List[str]:
465 '''Returns a list of ETM MACs that the peer supports.'''
466 ret = []
