Releases: zmap/zlint

v3.0.0-rc1

29 Nov 21:02
fe65bae
Pre-release

ZLint v3.0.0-rc1

The ZMap team is happy to share ZLint v3.0.0-rc1. Beyond bug fixes and new lints, this major release candidate also has a few breaking changes from v2.x.x that we want to draw to your attention.

Breaking Changes:

  • w_dnsname_wildcard_left_of_public_suffix and w_san_iana_pub_suffix_empty have been demoted from warnings to notices and renamed accordingly (n_dnsname_wildcard_left_of_public_suffix and n_san_iana_pub_suffix_empty).
  • The e_tls_server_cert_valid_time_longer_than_398_days lint now only returns an error finding for certs exceeding the 398 day lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separate w_tls_server_cert_valid_time_longer_than_397_days lint.
  • The lint.AppleCTPolicy lint source was renamed to lint.AppleRootStorePolicy.
  • The lint.AWSLabs and lint.ZLint lint sources were combined into one new lint source lint.Community.

New Lints:

  • w_tls_server_cert_valid_time_longer_than_397_days - see breaking change notes above.

Bug Fixes:

  • Previously n_san_iana_pub_suffix_empty could only flag one DNS name per certificate and could return NA for certificates with one or more names that publicsuffix-go fails to parse. It now handles both cases correctly.
  • Removed testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem and its test case. Go 1.15 and the updated ZCrypto now throw a parse error for this test case because they are QcStatement aware.

Misc:

  • Project and releases now built with Go 1.15.x
  • Updated TLD data (Current to 2020-11-21).
  • Integration test failures now include error/warning/info overviews.
  • ZCrypto dependency bumped to latest commit.
  • Project CI converted from Travis CI to Github Actions.

Full Changelog

fe65bae project: bump major version to 3.0.0 (#510)
0d48ea1 lint: combine ZLint and AWSLabs Sources into Community. (#509)
8dc66d0 Update to Go 1.15, latest , fix n_san_iana_pub_suffix_empty. (#508)
da00f3f CI: Switch from Travis to Github Actions. (#505)
7f7ef1f lints: split Apple cert lifetime lint per-result. (#506)
c42a358 lint: rename Source AppleCTPolicy -> AppleRootProgramPolicy (#501)
71e2966 gTLD autopull: 2020-11-21T16:05:09Z (#498)
29b3fa9 Update Contributing Guidelines (#495)
e2b3658 make two lints notice instead of warn, (#493)
7b54a38 Improve readability of "EKU" abbreviation (#489)
f46d09c tests: include error/warning/info overview for integration test failures (#488)
cca4a6b gTLD autopull: 2020-10-19T15:48:38Z (#487)

v2.2.1

14 Oct 22:09
def029d

The ZMap team is happy to share ZLint v2.2.1. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificate inputs to upgrade.

Bug Fixes:

  • golang.org/x/text dependency bumped to v0.3.3 to address CVE-2020-14040.

Misc:

  • Better error message from test/helpers.go's ReadTestCert helper in the case where an input certificate causes a panic during parse.
  • Updated TLD data (Current to 2020-10-08).

Full Changelog

6b73243 deps: bump golang.org/x/text to 0.3.3 to fix CVE-2020-14040 (#481)
f7543c7 Improve error message of ReadTestCert panic (#478)
c16b5bd README: Add Nexus CM to list of users/integrations (#477)
def029d misc: gitignore Visual Studio Code configuration files (#485)
1fd4782 README: Correction of link to Siemens PKI (#486)
5ed7e13 gTLD autopull: 2020-10-08T15:44:26Z (#484)

v2.2.1-rc1

06 Oct 23:44
6b73243
Pre-release

The ZMap team is happy to share a v2.2.1 release candidate. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificates to upgrade.

Bug Fixes:

  • golang.org/x/text dependency bumped to v0.3.3 to address CVE-2020-14040.

Misc:

  • Better error message from test/helpers.go's ReadTestCert helper in the case where an input certificate causes a panic during parse.

Changelog

6b73243 deps: bump golang.org/x/text to 0.3.3 to fix CVE-2020-14040 (#481)
f7543c7 Improve error message of ReadTestCert panic (#478)
c16b5bd README: Add Nexus CM to list of users/integrations (#477)

v2.2.0

17 Sep 22:39
aa4e261

ZLint v2.2.0

The ZMap team is happy to share ZLint v2.2.0. This minor release primarily includes bug fixes and new lints.

New Lints:

  • New RFC 5280 Lints:
    • e_cert_sig_alg_not_match_tbs_sig_alg to verify that the tbsCertificate signature algorithm matches the certificate's outer signature algorithm.
  • New CA/Browser Forum Lints:
    • e_san_dns_name_onion_invalid to validate that .onion certificate subject addresses are well-formed.

Updated Lints:

  • e_ext_tor_service_descriptor_hash_invalid updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:

  • e_sub_ca_aia_does_not_contain_ocsp_url; as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:

  • -summary and -longSummary command line flags added to zlint utility for presenting lint results in a human-readable tabular form.

Bug Fixes:

  • lint_ev_valid_time_too_long maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
  • e_ev_business_category_missing, e_ev_country_name_missing, e_ev_organization_name_missing, and e_ev_serial_number_missing source/citation/package corrected to CABF EV Guidelines.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed to not apply to CA certificates.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed off-by-one calculation of validity period.

Misc:

  • README updates.
  • Updated ZCrypto dependency (Added QCStatement support).
  • Updated TLD data (Current to 2020-09-08).

Full Changelog

aa4e261 autopull: 2020-09-08T15:28:12Z (#470)
2b994a7 Align Validity Period definition with RFC 5280 (#469)
f20a717 CONTRIBUTING: Add notes on publishing a release. (#468)
e1a9412 Add citation for sub-CAs to ca_digital_signature_not_set (#464)
9ab0643 Ballot SC31 makes OCSP optional for intermediate certificates. (#463)
3f689d2 README to suggest checking x509.ParseCertificate error (#460)
ada0991 autopull: 2020-07-29T15:10:15Z (#459)
6d02ef7 tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457)
34310bd this lint shouldn't apply to CA certs (#456)
ca9532d Create options for human-readable output formats (#437)
5f05d1d gTLD autopull: 2020-07-18T15:05:07Z (#455)
a9b0032 gTLD autopull: 2020-06-27T14:52:30Z (#452)
f530e42 docs: add Entrust Datacard to README ZLInt users. (#451)
d4acbba lints: cabf_br lint to verify .onion addresses are well-formed (#450)
84a8a20 Fix .onion tests to only apply to EV certificates (#449)
ecf8678 Move EV-specific tests to cabf_ev (#445)
c820d95 Fix the EV validity check (#447)
37a03da docs: correct link to integration test documentation (#446)
ce1631b autopull: 2020-06-03T14:39:17Z (#444)
de9eafb Check tbsCertificate signature algorithm matches certificate (#436)
82e1f43 gTLD autopull: 2020-05-28T14:35:00Z (#442)
da06a3a autopull: 2020-05-27T14:34:02Z (#441)
9957909 Deps: Update ZCrypto, fix assoc. test breakage. (#435)
a42b778 ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432)
bb6c7a7 docs: add ZLint announcements mailing list to README (#431)
ee0c915 Adding mailing list link to README.

v2.2.0-rc2

08 Sep 15:30
2b994a7
Pre-release

ZLint v2.2.0-rc2

The ZMap team is happy to share a v2.2.0 release candidate 2. This minor release primarily includes bug fixes and new lints.

New Lints:

  • New RFC 5280 Lints:
    • e_cert_sig_alg_not_match_tbs_sig_alg to verify that the tbsCertificate signature algorithm matches the certificate's outer signature algorithm.
  • New CA/Browser Forum Lints:
    • e_san_dns_name_onion_invalid to validate that .onion certificate subject addresses are well-formed.

Updated Lints:

  • e_ext_tor_service_descriptor_hash_invalid updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:

  • e_sub_ca_aia_does_not_contain_ocsp_url; as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:

  • -summary and -longSummary command line flags added to zlint utility for presenting lint results in a human-readable tabular form.

Bug Fixes:

  • lint_ev_valid_time_too_long maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
  • e_ev_business_category_missing, e_ev_country_name_missing, e_ev_organization_name_missing, and e_ev_serial_number_missing source/citation/package corrected to CABF EV Guidelines.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed to not apply to CA certificates.
  • e_tls_server_cert_valid_time_longer_than_398_days off-by-one-second fix in the validity period calculation.

Misc:

  • README updates.
  • Updated ZCrypto dependency (Added QCStatement support).
  • Updated TLD data (Current to 2020-07-29).

Full Changelog

e1a9412 Add citation for sub-CAs to ca_digital_signature_not_set (#464)
9ab0643 Ballot SC31 makes OCSP optional for intermediate certificates. (#463)
3f689d2 README to suggest checking x509.ParseCertificate error (#460)
ada0991 autopull: 2020-07-29T15:10:15Z (#459)
6d02ef7 tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457)
34310bd this lint shouldn't apply to CA certs (#456)
ca9532d Create options for human-readable output formats (#437)
5f05d1d gTLD autopull: 2020-07-18T15:05:07Z (#455)
a9b0032 gTLD autopull: 2020-06-27T14:52:30Z (#452)
f530e42 docs: add Entrust Datacard to README ZLInt users. (#451)
d4acbba lints: cabf_br lint to verify .onion addresses are well-formed (#450)
84a8a20 Fix .onion tests to only apply to EV certificates (#449)
ecf8678 Move EV-specific tests to cabf_ev (#445)
c820d95 Fix the EV validity check (#447)
37a03da docs: correct link to integration test documentation (#446)
ce1631b autopull: 2020-06-03T14:39:17Z (#444)
de9eafb Check tbsCertificate signature algorithm matches certificate (#436)
82e1f43 gTLD autopull: 2020-05-28T14:35:00Z (#442)
da06a3a autopull: 2020-05-27T14:34:02Z (#441)
9957909 Deps: Update ZCrypto, fix assoc. test breakage. (#435)
a42b778 ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432)
bb6c7a7 docs: add ZLint announcements mailing list to README (#431)
ee0c915 Adding mailing list link to README.
2b994a7 Align Validity Period definition with RFC 5280 (#469)
f20a717 CONTRIBUTING: Add notes on publishing a release. (#468)

v2.2.0-rc1

02 Sep 00:01
e1a9412
Pre-release

ZLint v2.2.0-rc1

The ZMap team is happy to share a v2.2.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints:

  • New RFC 5280 Lints:
    • e_cert_sig_alg_not_match_tbs_sig_alg to verify that the tbsCertificate signature algorithm matches the certificate's outer signature algorithm.
  • New CA/Browser Forum Lints:
    • e_san_dns_name_onion_invalid to validate that .onion certificate subject addresses are well-formed.
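The e_cert_sig_alg_not_match_tbs_sig_alg lint listed here (and in the v2.2.0 and v2.2.0-rc2 notes above) checks a consistency rule from RFC 5280 section 4.1.1.2: the signatureAlgorithm of the outer Certificate must be identical to the signature field inside tbsCertificate. The Go program below is an added example written for these notes, not ZLint's own implementation. It extracts both AlgorithmIdentifiers directly from the DER with encoding/asn1, then builds a constructed self-signed certificate and a re-encoded copy with a different outer algorithm to show the check flagging the inconsistency. The type and function names (outerCertificate, tbsPrefix, SigAlgMismatch, SelfSignedECDSA, WithOuterAlgorithm) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// outerCertificate mirrors the top-level Certificate SEQUENCE of RFC 5280
// section 4.1. The tbsCertificate is captured raw so it can be parsed
// separately below.
type outerCertificate struct {
	TBSCertificate     asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// tbsPrefix mirrors the leading fields of TBSCertificate up to and including
// the inner "signature" AlgorithmIdentifier. encoding/asn1 tolerates unparsed
// trailing fields in a SEQUENCE, so the remaining TBS fields can be left out.
type tbsPrefix struct {
	Version      int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber *big.Int
	Signature    pkix.AlgorithmIdentifier
}

// OIDSHA384WithRSA is sha384WithRSAEncryption; it is only used to build the
// constructed mismatching certificate in the demonstration.
var OIDSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}

// SigAlgMismatch reports whether the outer signatureAlgorithm differs from
// tbsCertificate.signature. Both the OID and the encoded parameters are
// compared, and the check works on the DER directly, so it does not depend on
// any particular X.509 parser being lenient or strict about the mismatch.
func SigAlgMismatch(der []byte) (bool, error) {
	var c outerCertificate
	rest, err := asn1.Unmarshal(der, &c)
	if err != nil {
		return false, err
	}
	if len(rest) != 0 {
		return false, errors.New("trailing bytes after Certificate")
	}
	var tbs tbsPrefix
	if _, err := asn1.Unmarshal(c.TBSCertificate.FullBytes, &tbs); err != nil {
		return false, err
	}
	sameOID := c.SignatureAlgorithm.Algorithm.Equal(tbs.Signature.Algorithm)
	sameParams := bytes.Equal(c.SignatureAlgorithm.Parameters.FullBytes,
		tbs.Signature.Parameters.FullBytes)
	return !(sameOID && sameParams), nil
}

// SelfSignedECDSA builds a constructed, throwaway self-signed P-256
// certificate so that the example runs offline.
func SelfSignedECDSA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// WithOuterAlgorithm re-encodes der with a different outer signatureAlgorithm
// and leaves the TBS untouched: the signature is no longer valid, but the
// structure still parses, which is exactly the inconsistency the lint targets.
func WithOuterAlgorithm(der []byte, alg asn1.ObjectIdentifier) ([]byte, error) {
	var c outerCertificate
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	c.SignatureAlgorithm = pkix.AlgorithmIdentifier{Algorithm: alg}
	return asn1.Marshal(c)
}

func main() {
	der, err := SelfSignedECDSA()
	if err != nil {
		panic(err)
	}
	consistent, _ := SigAlgMismatch(der)
	tampered, _ := WithOuterAlgorithm(der, OIDSHA384WithRSA)
	reencoded, _ := SigAlgMismatch(tampered)
	fmt.Printf("self-signed cert mismatch: %v; re-encoded cert mismatch: %v\n", consistent, reencoded)
}
```

Comparing the encoded parameters as well as the OID matters: RSA PKCS#1 v1.5 signature algorithms carry an explicit NULL parameter, and an identifier with NULL and one with the parameters absent are different encodings even though the OID is the same.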

Updated Lints:

  • e_ext_tor_service_descriptor_hash_invalid updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:

  • e_sub_ca_aia_does_not_contain_ocsp_url; as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:

  • -summary and -longSummary command line flags added to zlint utility for presenting lint results in a human-readable tabular form.

Bug Fixes:

  • lint_ev_valid_time_too_long maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
  • e_ev_business_category_missing, e_ev_country_name_missing, e_ev_organization_name_missing, and e_ev_serial_number_missing source/citation/package corrected to CABF EV Guidelines.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed to not apply to CA certificates.
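The fixes listed for e_tls_server_cert_valid_time_longer_than_398_days in the v2.2.0 and v2.2.0-rc2 notes above (the lint no longer applying to CA certificates, and the off-by-one in the validity period calculation, aligned with RFC 5280) come down to two details that are easy to get wrong. The Go program below is an added example written for these notes, not ZLint's own lint code. It computes the validity period the way RFC 5280 section 4.1.2.5 defines it (notBefore through notAfter inclusive, so one second longer than the plain difference of the timestamps), returns NA for CA certificates, and models the 398-day error and 397-day warning results that the v3.0.0-rc1 notes describe. The LintStatus names, the function names and the 1 September 2020 effective-date gate (taken from Apple's policy rather than from this page) are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// LintStatus mirrors the result categories used throughout these notes.
type LintStatus string

const (
	NA    LintStatus = "NA"    // lint does not apply
	Pass  LintStatus = "pass"  // within the 397-day recommendation
	Warn  LintStatus = "warn"  // longer than 397 days but not over 398
	Error LintStatus = "error" // longer than the 398-day maximum
)

const day = 24 * time.Hour

// AppleEffectiveDate is when Apple's 398-day limit for TLS server
// certificates took effect (1 September 2020 UTC). This gate comes from
// Apple's policy, not from the release notes above.
var AppleEffectiveDate = time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC)

// ValidityPeriod follows RFC 5280 section 4.1.2.5: the period runs from
// notBefore through notAfter inclusive, so it is one second longer than the
// bare difference of the two timestamps. Using the bare difference is the
// off-by-one that the v2.2.0 fix addressed.
func ValidityPeriod(notBefore, notAfter time.Time) time.Duration {
	return notAfter.Sub(notBefore) + time.Second
}

// LintServerCertLifetime applies the 398-day error and 397-day warning
// thresholds. CA certificates are out of scope (NA), as are certificates
// issued before the policy's effective date.
func LintServerCertLifetime(notBefore, notAfter time.Time, isCA bool) LintStatus {
	if isCA || notBefore.Before(AppleEffectiveDate) {
		return NA
	}
	period := ValidityPeriod(notBefore, notAfter)
	switch {
	case period > 398*day:
		return Error
	case period > 397*day:
		return Warn
	default:
		return Pass
	}
}

func main() {
	nb := time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC)
	// Constructed boundary cases around the two thresholds.
	cases := []struct {
		name     string
		notAfter time.Time
		isCA     bool
	}{
		{"exactly 398 days (inclusive)", nb.Add(398*day - time.Second), false},
		{"398 days plus one second", nb.Add(398 * day), false},
		{"exactly 397 days (inclusive)", nb.Add(397*day - time.Second), false},
		{"CA certificate, 10 years", nb.Add(3650 * day), true},
	}
	for _, c := range cases {
		fmt.Printf("%-30s -> %s\n", c.name, LintServerCertLifetime(nb, c.notAfter, c.isCA))
	}
}
```

The "398 days plus one second" case is the one the off-by-one fix concerns: with notAfter set to notBefore plus 398 days, the bare difference is exactly 398 days and would pass, while the inclusive period is 398 days plus one second and correctly produces an error.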

Misc:

  • README updates.
  • Updated ZCrypto dependency (Added QCStatement support).
  • Updated TLD data (Current to 2020-07-29).

Full Changelog

e1a9412 Add citation for sub-CAs to ca_digital_signature_not_set (#464)
9ab0643 Ballot SC31 makes OCSP optional for intermediate certificates. (#463)
3f689d2 README to suggest checking x509.ParseCertificate error (#460)
ada0991 autopull: 2020-07-29T15:10:15Z (#459)
6d02ef7 tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457)
34310bd this lint shouldn't apply to CA certs (#456)
ca9532d Create options for human-readable output formats (#437)
5f05d1d gTLD autopull: 2020-07-18T15:05:07Z (#455)
a9b0032 gTLD autopull: 2020-06-27T14:52:30Z (#452)
f530e42 docs: add Entrust Datacard to README ZLInt users. (#451)
d4acbba lints: cabf_br lint to verify .onion addresses are well-formed (#450)
84a8a20 Fix .onion tests to only apply to EV certificates (#449)
ecf8678 Move EV-specific tests to cabf_ev (#445)
c820d95 Fix the EV validity check (#447)
37a03da docs: correct link to integration test documentation (#446)
ce1631b autopull: 2020-06-03T14:39:17Z (#444)
de9eafb Check tbsCertificate signature algorithm matches certificate (#436)
82e1f43 gTLD autopull: 2020-05-28T14:35:00Z (#442)
da06a3a autopull: 2020-05-27T14:34:02Z (#441)
9957909 Deps: Update ZCrypto, fix assoc. test breakage. (#435)
a42b778 ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432)
bb6c7a7 docs: add ZLint announcements mailing list to README (#431)
ee0c915 Adding mailing list link to README.

v2.1.0

22 May 22:37
1e160b1

ZLint v2.1.0

The ZMap team is happy to announce the v2.1.0 release. This minor release primarily includes bug fixes and new lints.

New Lints

  • New CABF Baseline Requirements Lint
    • e_ext_nc_intersects_reserved_ip
  • New Mozilla PKI Policy Lints
    • e_mp_rsassa-pss_in_spki
    • e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct
    • e_mp_ecdsa_pub_key_encoding_correct
    • e_mp_ecdsa_signature_encoding_correct
  • New Apple PKI Policy Lints
    • e_tls_server_cert_valid_time_longer_than_398_days

Bug Fixes

  • The 2001:5::/32 network was removed from the reserved networks list since it is no longer IANA reserved.

Misc

  • Updated TLD data (Current to 2020-04-02).
  • README updates.
  • CI test ensuring that OpenSSL text output is prepended to the test cert data.

Full Changelog

1e160b1 ci: update goreleaser install URL. (#429)
3bf4bbf lints: enforce Mozilla PKI policy for ECDSA pubkey/sig alg curves/encoding. (#378)
206df7d gTLD autopull: 2020-04-02T17:35:25Z (#425)
d933f03 autopull: 2020-03-28T17:34:11Z (#423)
4ca0695 Fix spelling of 'distinguished' in lint descriptions (#422)
94d7dde util: rewrite test/prepend_testcerts_openssl.sh, update testdata (#421)
83d24bd lints: lint for upcoming Apple max cert lifetime policy. (#417)
cfbfdec gTLD autopull: 2020-03-14T17:26:52Z (#420)
c7c6a31 lints: enforce Mozilla PKI policy RSASSA-PSS encoding requirements (#377)
b28794b docs: fix template to use v2 package import. (#416)
1968515 lints: disallow reserved iPAddresses in NCs (#414)
48bf6ee remove lisp reserved range since no longer IANA reserved (#415)
3329bb6 README: fix a typo and fix the example for LintCertificateEx (#409)
5b2df5c lints: enforce Mozilla PKI policy omission of id-RSASSA-PSS oid (#376)

v2.1.0-rc1

12 May 14:55
1e160b1
Pre-release

ZLint v2.1.0

The ZMap team is proud to share a v2.1.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints

  • New CABF Baseline Requirements Lint
    • e_ext_nc_intersects_reserved_ip
  • New Mozilla PKI Policy Lints
    • e_mp_rsassa-pss_in_spki
    • e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct
    • e_mp_ecdsa_pub_key_encoding_correct
    • e_mp_ecdsa_signature_encoding_correct
  • New Apple PKI Policy Lints
    • e_tls_server_cert_valid_time_longer_than_398_days

Bug Fixes

  • The 2001:5::/32 network was removed from the reserved networks list since it is no longer IANA reserved.

Misc

  • Updated TLD data (Current to 2020-04-02).
  • README updates.
  • CI test ensuring that OpenSSL text output is prepended to the test cert data.

Full Changelog

1e160b1 ci: update goreleaser install URL. (#429)
3bf4bbf lints: enforce Mozilla PKI policy for ECDSA pubkey/sig alg curves/encoding. (#378)
206df7d gTLD autopull: 2020-04-02T17:35:25Z (#425)
d933f03 autopull: 2020-03-28T17:34:11Z (#423)
4ca0695 Fix spelling of 'distinguished' in lint descriptions (#422)
94d7dde util: rewrite test/prepend_testcerts_openssl.sh, update testdata (#421)
83d24bd lints: lint for upcoming Apple max cert lifetime policy. (#417)
cfbfdec gTLD autopull: 2020-03-14T17:26:52Z (#420)
c7c6a31 lints: enforce Mozilla PKI policy RSASSA-PSS encoding requirements (#377)
b28794b docs: fix template to use v2 package import. (#416)
1968515 lints: disallow reserved iPAddresses in NCs (#414)
48bf6ee remove lisp reserved range since no longer IANA reserved (#415)
3329bb6 README: fix a typo and fix the example for LintCertificateEx (#409)
5b2df5c lints: enforce Mozilla PKI policy omission of id-RSASSA-PSS oid (#376)

v2.0.0

19 Feb 18:02
36d042e

ZLint v2.0.0

The ZMap team is proud to share a finalized v2.0.0 release. This release contains fairly significant refactoring and testing/feedback would be most appreciated.

Breaking Changes

  • The exported types from lints have been moved to lint (e.g. lints.LintInterface, lints.LintSource, lints.LintStatus, lints.LintResult are now lint.LintInterface, lint.LintSource, lint.LintStatus, lint.LintResult)
  • Lints are now separated in the source code tree under lints/ by source.
  • The lint.LintMap exported map of registered lints was removed. Users should rely on the exported functions of the Registry returned by lint.GlobalRegistry() instead.
  • The zlint.LintCertificateFiltered function was removed. The same behaviour can be achieved using zlint.LintCertificateEx (see below).
  • The zlint.EncodeLintDescriptionsToJSON function was removed. The same behaviour can be achieved by calling WriteJSON on a Registry.
  • The lint.Source type was changed from an int enum to a string enum.

ZLint CMD Updates

The zlint command (cmd/zlint/main.go) was updated to add four new command line flags:

  • -list-lints-sources - Prints a list of lint sources, one per line.
  • -excludeSources - Comma-separated list of lint sources to exclude.
  • -includeSources - Comma-separated list of lint sources to include.
  • -nameFilter - Regex used to match lint names to include (cannot be used at the same time as -excludeSources or -includeSources)

Two existing flags were renamed:

  • -include is now -includeNames.
  • -exclude is now -excludeNames.

One flag was removed:

  • -list-lints-schema was removed. ZSchema is deprecated for ZLint.

Library Updates

  • A new zlint.LintCertificateEx function was introduced, which allows customizing which lints are applied by providing an explicit Registry of lints. Lints can be excluded/included by source and name by filtering the lint.GlobalRegistry() with lint.FilterOptions.

New Lints

  • New Mozilla PKI Policy Lints
    • n_mp_allowed_eku
    • e_mp_authority_key_identifier_correct
    • e_mp_exponent_cannot_be_one
    • e_mp_modulus_must_be_2048_bits_or_more
    • e_mp_modulus_must_be_divisible_by_8

Bug Fixes

  • The golang.org/crypto dependency was updated to 8b5121be2f68 to address CVE-2020-7919.
  • The e_signature_algorithm_not_supported lint was updated to return lint.Warn for RSA-PSS with SHA256, SHA384 or SHA512.
  • The w_subject_contains_malformed_arpa_ip lint was updated to clarify its citation/description.

Misc

  • Updated TLD data (Current to 2020-01-30).
  • README updates.

Full Changelog

36d042e ci: try and fix goreleaser for v2 structure (round 2) (#406)
a03f722 ci: try and fix goreleaser for v2 structure (#405)
fd40f57 Fix v2 with go.mod (#398)
53441bd misc: update newLint.sh script and contributing guide. (#397)
24e7a0d README: Update, split out a CONTRIBUTING.md (#386)
79424f2 cmd/zlint: fix panic w/ deref of nil registry. (#385)
7741587 zlint: refactor lint reg., allow filtering lints used. (#372)
72fb7ad project: add goreleaser configuration. (#374)
8a37cc7 gTLD autopull: 2020-01-30T17:10:08Z (#375)
1107123 deps: update golang.org/crypto/cryptobyte to 8b5121be2f68. (#373)
77026f6 Add reference to RFC 6818 to clarify explicitText (#370)
c0407b6 lints: improve template_test.go (#367)
dbb54ce lints/mozilla: fix moz lint packages (#365)
cc90ed6 test: more comments in helpers.go (#366)
2cce203 lints: better test utils, avoid accessing lint.Lints directly (#364)
566701e Lints: add new lints for Mozilla Root Store Policy (adopted) (#353)
ea19827 README: fix crt.sh link target. (#349)
4a01d2e README: Link to company sites, not bugzilla bugs. (#348)
2c5688e README: Add Google Trust Services to list of users/integrations (#347)
b7425cb lints: add more context to w_subject_contains_malformed_arpa_ip. (#345)
9bba7b7 lints: warn for RSA-PSS sigalg in cabf lint, not err. (#342)
359be75 gTLD autopull: 2020-01-06T16:47:48Z (#341)
86bcc67 Misc. cleanups, unit test for finding leftover template bits. (#340)
e3ad0f9 Split of lints into directories by source (#337)
0ab41f2 README: add note about small PRs (#339)
257d49d gTLD autopull: 2019-12-25T16:40:11Z (#338)
c74b45b CI: Add golangci-lint, enforce Go best practices (#335)
872e431 gTLD autopull: 2019-12-06T16:32:55Z (#334)

v2.0.0-rc4

14 Feb 19:52
36d042e
Pre-release

ZLint v2.0.0 RC-4

The ZMap team is proud to share a v2.0.0 release candidate. This release contains fairly significant refactoring and testing/feedback would be most appreciated.

Compared to RC-1 this release candidate meets Go modules semantic versioning requirements. See PR #398 for more information.

Breaking Changes

  • The exported types from lints have been moved to lint (e.g. lints.LintInterface, lints.LintSource, lints.LintStatus, lints.LintResult are now lint.LintInterface, lint.LintSource, lint.LintStatus, lint.LintResult)
  • Lints are now separated in the source code tree under lints/ by source.
  • The lint.LintMap exported map of registered lints was removed. Users should rely on the exported functions of the Registry returned by lint.GlobalRegistry() instead.
  • The zlint.LintCertificateFiltered function was removed. The same behaviour can be achieved using zlint.LintCertificateEx (see below).
  • The zlint.EncodeLintDescriptionsToJSON function was removed. The same behaviour can be achieved by calling WriteJSON on a Registry.
  • The lint.Source type was changed from an int enum to a string enum.

ZLint CMD Updates

The zlint command (cmd/zlint/main.go) was updated to add four new command line flags:

  • -list-lints-sources - Prints a list of lint sources, one per line.
  • -excludeSources - Comma-separated list of lint sources to exclude.
  • -includeSources - Comma-separated list of lint sources to include.
  • -nameFilter - Regex used to match lint names to include (cannot be used at the same time as -excludeSources or -includeSources)

Two existing flags were renamed:

  • -include is now -includeNames.
  • -exclude is now -excludeNames.

One flag was removed:

  • -list-lints-schema was removed. ZSchema is deprecated for ZLint.

Library Updates

  • A new zlint.LintCertificateEx function was introduced, which allows customizing which lints are applied by providing an explicit Registry of lints. Lints can be excluded/included by source and name by filtering the lint.GlobalRegistry() with lint.FilterOptions.

New Lints

  • New Mozilla PKI Policy Lints
    • n_mp_allowed_eku
    • e_mp_authority_key_identifier_correct
    • e_mp_exponent_cannot_be_one
    • e_mp_modulus_must_be_2048_bits_or_more
    • e_mp_modulus_must_be_divisible_by_8

Bug Fixes

  • The golang.org/crypto dependency was updated to 8b5121be2f68 to address CVE-2020-7919.
  • The e_signature_algorithm_not_supported lint was updated to return lint.Warn for RSA-PSS with SHA256, SHA384 or SHA512.
  • The w_subject_contains_malformed_arpa_ip lint was updated to clarify its citation/description.

Misc

  • Updated TLD data (Current to 2020-01-30).
  • README updates.

Full Changelog

36d042e ci: try and fix goreleaser for v2 structure (round 2) (#406)
a03f722 ci: try and fix goreleaser for v2 structure (#405)
fd40f57 Fix v2 with go.mod (#398)
53441bd misc: update newLint.sh script and contributing guide. (#397)
24e7a0d README: Update, split out a CONTRIBUTING.md (#386)
79424f2 cmd/zlint: fix panic w/ deref of nil registry. (#385)
7741587 zlint: refactor lint reg., allow filtering lints used. (#372)
72fb7ad project: add goreleaser configuration. (#374)
8a37cc7 gTLD autopull: 2020-01-30T17:10:08Z (#375)
1107123 deps: update golang.org/crypto/cryptobyte to 8b5121be2f68. (#373)
77026f6 Add reference to RFC 6818 to clarify explicitText (#370)
c0407b6 lints: improve template_test.go (#367)
dbb54ce lints/mozilla: fix moz lint packages (#365)
cc90ed6 test: more comments in helpers.go (#366)
2cce203 lints: better test utils, avoid accessing lint.Lints directly (#364)
566701e Lints: add new lints for Mozilla Root Store Policy (adopted) (#353)
ea19827 README: fix crt.sh link target. (#349)
4a01d2e README: Link to company sites, not bugzilla bugs. (#348)
2c5688e README: Add Google Trust Services to list of users/integrations (#347)
b7425cb lints: add more context to w_subject_contains_malformed_arpa_ip. (#345)
9bba7b7 lints: warn for RSA-PSS sigalg in cabf lint, not err. (#342)
359be75 gTLD autopull: 2020-01-06T16:47:48Z (#341)
86bcc67 Misc. cleanups, unit test for finding leftover template bits. (#340)
e3ad0f9 Split of lints into directories by source (#337)
0ab41f2 README: add note about small PRs (#339)
257d49d gTLD autopull: 2019-12-25T16:40:11Z (#338)
c74b45b CI: Add golangci-lint, enforce Go best practices (#335)
872e431 gTLD autopull: 2019-12-06T16:32:55Z (#334)