-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix invalid/inaccurate json report #808
Conversation
- in case no vulnerabilities were found, seek would remove '['
When control-c cancels a scan, it should terminate reports and call report_end. When testing on the main branch a terminated scan writes the json file as it should. However, when terminating with this branch it does not. I'm not immediately spotting why. |
I assume that you mean If so, this is strange because I am not experiencing anything like this on any branch. When I press Control + C, the json is saved normally, as usual. |
If I am not mistaken If you can pinpoint a commit that breaks graceful shutdown I could look into it |
The mistake was on my end and an error I didn't notice. |
@sullo @HuntClauss is this another breaking change to the JSON report format? |
I don't believe so. This was fixing some bugs that made it invalid JSON and cleaning up how it operates to ensure the JSON is closed correctly. For example, the message may have had stray unquoted characters. |
@sullo Earlier I run two scans, one using the master branch and one using the 2.5.0 release tag. The report from 2.5.0 turned out to be invalid as expected (thats what this fix is for?):
The report form the master branch was valid:
However, notice how the master branch one is an array at the top level, where the other one is a single object? |
@HuntClauss I think that was to fix the multiple host issue--can you confirm? I'm thinking more the report should just be done using a perl json library to ensure consistency and accuracy... but that will be a release if done. |
@sullo Well, primarily my goal was to fix json report for one host only, because I didn't even know that nikto can scan more than one. But during implementation of this and couple other fixes I found out that it support multiple hosts so I changed json format accordingly. |
@HuntClauss Thank you for your reply and the fixes :)
Could we do a new release 2.5.1 which replaces 2.5.0 completely? |
@moxli thanks for the suggestions and I understand your pain. Give me a day to evaluate replacing it all with proper usage of a JSON module--to your point I'd rather do this one time and do a dot release than do it more than once. |
@moxli one thing to clarify is that I'm sure this is the non-recommended approach by most people 🤣 |
@sullo thank you very much for your reply :) |
@sullo Did you come to a conclusion about a possible rewrite of the json reporting yet?:) |
Yep, that's absolutely correct 😩 |
Base
Problems
encode
function fromJSON:PP
adds own quotes to encoded text. Because of that"msg"
field was encoded incorrectly ("msg": ""[some info]""
)json_item
commas was blindly added after every item and then removed injson_host_end
usingseek(...)
. If there were no vulnerabilities found, instead of comma, '[' would be removed.json_host_start
is not executed, despite thatjson_host_end
is. Because of that report ends up with invalid json]}
report_host_end
was called beforereport_host_start
, thus resulting in weird behavior of json report plugin