chore(deps): update module github.com/zmap/zlint/v3 to v3.6.4 #56
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate-bot
force-pushed
the
renovate/github.com-zmap-zlint-v3-3.x
branch
from
10fa8fb
to
5418320
Compare
renovate-bot
changed the title
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate-bot
force-pushed
the
renovate/github.com-zmap-zlint-v3-3.x
branch
from
5418320
to
c6fb8df
Compare
renovate-bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3.6.1->v3.6.4Release Notes
zmap/zlint (github.com/zmap/zlint/v3)
v3.6.4Compare Source
ZLint v3.6.4
The ZMap team is happy to share ZLint v3.6.4.
Thank you to everyone who contributes to ZLint!
New Lints
e_crl_distrib_points_not_httpThe scheme of each CRL Distribution Point MUST be 'http'e_cs_crl_distribution_pointsThis extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL servicee_cs_eku_requiredIf the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be presente_cs_key_usage_requiredThis extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.e_cs_rsa_key_sizee_cs_rsa_key_sizeBug Fixes
e_ev_orgid_inconsistent_subj_and_extto address Mozilla #1897538 (https://bugzilla.mozilla.org/show_bug.cgi?id=1897538)e_sub_cert_aia_does_not_contain_ocsp_urlto have an ineffective date.Changelog
ddaf5ccutil: gtld_map autopull updates for 2024-09-28T16:21:05 UTC (#882)77a6468fix: Fix PSD2 based cabfOrganizationIdentifier check (#880)372cdc6RFC8813 is not referrable from the CLI as a valid lint source (#879)caa62acAdd lint to check that all CRL Distribution Points only contain "http" URLs (per CABF BRs 7.1.2.11.2) (#867)8eb670fFix old lint checking that an OCSP URL is present in TLS Server certificates: add ineffective date (#871)2e67fb9Update main.go to have CRL linting lint on provided registry (#874)f83e4e2README: Add pkimetal to users list (#873)33ee62aAdd Code Signing lints for EKU, Key Usage, RSA Key Size and CRLDistributionPoints (#865)Full Changelog:zmap/zlint@v3.6.3...v3.6.4
v3.6.3Compare Source
ZLint v3.6.3
The ZMap team is happy to share ZLint v3.6.3.
Thank you to everyone who contributes to ZLint!
New Lints
e_ev_invalid_business_categoryChecks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3e_subj_orgunit_in_ca_certThe organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. This lint may be configured to signify that the target is a cross signed certificate.e_subj_country_not_uppercaseAlpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Ze_aia_must_contain_permitted_access_methodThe AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.e_aia_ocsp_must_have_http_onlyThe id-ad-ocsp accessMethod must contain an HTTP URL of the of the Issuing CA’s OCSP responder. Other schemes are not allowede_aia_unique_access_locationsWhen multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.e_cabf_org_identifier_psd_vat_has_stateThe cabfOrganizationIdentifier field for PSD org VAT Registration Schemes cannot include the referenceStateOrProvince field.e_aia_ca_issuers_must_have_http_onlyhe id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowede_duplicate_subject_attribsEach Name MUST NOT contain more than one instance of a given AttributeTypeAndValue across all RDNse_ca_invalid_ekuChecks that SubCA certificates do not contain forbidden values in their EKU extensione_empty_sct_listAt least one SCT MUST be included in the SignedCertificateTimestampList extensione_precert_with_sct_listSCTs must be embedded in the final certificate, not in a precertificatee_cert_ext_invalid_derChecks that the 'critical' flag of extensions is not FALSE when present (as per DER encoding)e_crl_missing_crl_numberCRL issuers conforming to this profile MUST include this extension in all CRLse_sub_cert_eku_checkSubscriber certificates MUST have id-kp-serverAuth and MAY have id-kp-clientAuth present in extKeyUsagee_invalid_cps_uriIf the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URLe_crl_empty_revoked_certificatesWhen there are no revoked certificates, the revoked certificates list MUST be absente_crl_revoked_certificates_field_must_be_emptyWhen the revokedCertificates field is empty, it MUST be absent from the DER-encoded ASN.1 data structuree_ev_orgid_inconsistent_subj_and_extChecks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistente_subject_rdns_correct_encodingCAs that include attributes in the Certificate subject field that are listed in the Tables 77 and 78 of BR 2.0.0 SHALL follow the specified encoding requirements for the attributeMiscellaneous
util.IsEmailProtectionCertto consider whether the certificate in question has an email SAN and whether it is an S/MIME BR certificate.util.IsServerAuthCertto presume that certificate with unknown key usages are server certificates.w_sub_cert_eku_extra_valuesis now ineffective as of CABF/BRs 2.0.0e_sub_cert_eku_server_auth_client_auth_missingis now ineffective as of CABF/BRs 2.0.0Changelog
13c40b2Fix goreleaser to use the --clean flag rather than --rm-dist (#868)015d220Add lint to check for a valid business category in EV certificates (#830)2440571Add lint to check that Root CA and TLS SubCA certificates do not contain the OU subject attribute (#864)672100dutil: gtld_map autopull updates for 2024-07-13T13:20:09 UTC (#866)f6d07edImprove util.IsEmailProtectionCert function (#858)f7f6b51Add lint to check that the countryName attribute (C) is in uppercase (#859)24d58f9Subscriber aia lints (#860)04d863fcabfOrganizationIdentifier extension for VAT and PSD based organizationIdentifiers cannot have referenceStateOrProvince (#848)e5da476Improve the util.IsServerAuthCert() function (#856)5b73e7bFix ExpectedDetails of passing invalid subject test (#846)899709eAia ca issuers must have http only (#852)ae8d594util: gtld_map autopull updates for 2024-06-12T22:19:30 UTC (#854)b14a83bfix: Only apply CN check for Subscriber certificates (#851)bf3764cCleanup some unnecessary allocations (#849)26ca0f3Add lint to check for duplicate subject attributes (ATVs) (#850)c8164d8Add lint to check that SubCA certificates do not have illegal values in their EKU extension (#840)068ae82Avoid warning dv cn (#843)8523152Fix handling of Subject:commonName not present in lint for BR 7.1.4.2.2a mailbox-validated (#845)456dc01Add lint to check that an SCT list is not empty (#837)c73f78bAdd lint to check that precertificates do not contain an SCT list (#841)26ab5b0Add lint for checking that the 'critical' field is properly DER-encoded in extensions (#839)208af03Add lint for checking that a CRL contains the CRL Number extension (#834)d5a09f8Add lint to cover TLS BR v2 EKU checks (#833)63e3f86Add lint to detect invalid cps uri (#828)2988620Add lint to check that a CRL does not contain an empty revokedCertificates element (#831)61c73edbuild(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 in /v3 (#835)a011234build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#836)6c7d024Add lint to verify CRL TBSCertList.revokedCertificates field is absent when there are no revoked certificates (#832)4b2f38bLint for checking that organizationIdentifier Subject attribute and CABFOrganizationIdentifier extension are consistent as per EVG 9.2.8 (#820)5de620cSubject rdns correct encoding (#824)Full Changelog:zmap/zlint@v3.6.2...v3.6.3
v3.6.2Compare Source
ZLint v3.6.2
The ZMap team is happy to share ZLint v3.6.2.
Thank you to everyone who contributes to ZLint!
Bug Fixes
e_mailbox_address_shall_contain_an_rfc822_namee_dsa_correct_order_in_subgroup,e_dsa_shorter_than_2048_bits, ande_dsa_unique_correct_representation.New Lints
e_eku_critical, BRs: 7.1.2.7.6, Subscriber Certificate extkeyUsage extension MUST NOT be marked criticale_crlissuer_must_not_be_present_in_cdp, BRs: 7.1.2.11.2, crlIssuer and/or Reason field MUST NOT be present in the CDP extension.e_legal_entity_identifier, S/MIME BRs: 7.1.2.3.l, Mailbox/individual: prohibited. Organization/sponsor: may be presente_commonname_mailbox_validated, S/MIME BRs: 7.1.4.2.2a, If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox addresse_subject_country_name, S/MIME BRs: 7.1.4.2.2n, If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subjecte_cab_dv_subject_invalid_values, BRs: 7.1.2.7.2, If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.e_invalid_subject_rdn_order, BRs: 7.1.4.2, Subject field attributes (RDNs) SHALL be encoded in a specific ordere_subscribers_crl_distribution_points_are_http, S/MIME BRs: 7.1.2.3.b, cRLDistributionPoints SHALL have URI scheme HTTP.e_smime_qc_statements_must_not_be_critical, S/MIME BRs: 7.1.2.3.k, This extension MAY be present and SHALL NOT be marked critical.e_mailbox_address_shall_contain_an_rfc822_name, S/MIME BRs: 7.1.4.2.1, All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extensione_authority_key_identifier_correct, S/MIME BRs: 7.1.2.3.g, authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.e_strict_multipurpose_smime_ext_subject_directory_attr, S/MIME BRs: 7.1.2.3j, SMIME Strict and Multipurpose certificates cannot have Subject Directory Attributew_ext_subject_key_identifier_not_recommended_subscriber, BRs v2: 7.1.2.7.6, Subcriber certificates use of Subject Key Identifier is NOT RECOMMENDEDChangelog
ae3b1f3Correct test descriptions (#829)308a138Limit scope for cn checking in SAN (#825)2980c72Add ineffective date to DSA lints. (#827)f9496faUse help Method beforeoron instead of (#717)9291729util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)e99e725feat: Test EKU Criticality (#816)38cfd72cRLIssuer MUST NOT be present (#814)990a074Add lints for S/MIME BR 7.1.2.3l (#805)32bba7aUpdate single email if present (#808)e33bae9Update single email subject if present (#802)7c899eaAdd lint for BR 7.1.4.2.2a mailbox-validated (#806)e6650ebAdd lints for S/MIME BR 7.1.4.2.2n country name (#807)8d2c579Lint for 7.1.2.7.2 BR (#810)e76cc77Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)a063d31Add lints for S/MIME BR 7.1.2.3.b (#779)a72ff4eutil: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)5501be1Mailbox addresses from san for all br (#809)9c67bdbFix typo (#804)83b5f8dAdd lint for S/MIME BR 7.1.2.3 (k) (#799)b9ff71fAdd lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)a23de3dutil: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)bf84ed8Add test case for smime ext subject directory attr (#801)060b385Lint for S/MIME BR 7.1.2.3.g (#797)a4b46efAdd lint for subject directory attributes extension (#798)1baec6eFix copy/paste error (#796)8deb02bSubject Key Identifier is not recommended by CABF BR v2 (#790)fa85598Handle ips in aia internal names (#791)Full Changelog:zmap/zlint@v3.6.1...v3.6.2
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.