├── .flake8 ├── .gitignore ├── CODE_OF_CONDUCT.md ├── Dockerfile ├── LICENSE ├── MANIFEST.in ├── README.rst ├── httpobscli ├── __init__.py └── cli.py ├── requirements.txt ├── setup.cfg └── setup.py /.flake8: -------------------------------------------------------------------------------- 1 | [flake8] 2 | max-line-length = 119 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /dist 2 | /build 3 | .coverage 4 | *.egg-info 5 | .idea 6 | __pycache__ 7 | /venv 8 | *.pyc 9 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Community Participation Guidelines 2 | 3 | This repository is governed by Mozilla's code of conduct and etiquette guidelines. 4 | For more details, please read the 5 | [Mozilla Community Participation Guidelines](https://www.mozilla.org/about/governance/policies/participation/). 6 | 7 | ## How to Report 8 | For more information on how to report violations of the Community Participation Guidelines, please read our '[How to Report](https://www.mozilla.org/about/governance/policies/participation/reporting/)' page. 9 | 10 | 16 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | ## 2 | # NAME : fgribreau/httpobs-cli 3 | # VERSION : latest 4 | # DOCKER-VERSION : 1.5 5 | # DESCRIPTION : 6 | # TO_BUILD : docker build --pull=true --no-cache -t fgribreau/httpobs-cli . 
7 | # TO_SHIP : docker push fgribreau/httpobs-cli 8 | # TO_RUN : docker run -d fgribreau/httpobs-cli 9 | ## 10 | 11 | FROM python:3-slim 12 | 13 | RUN pip install httpobs-cli 14 | 15 | ENTRYPOINT [ "httpobs-cli" ] 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License, version 2.0 2 | 3 | 1. Definitions 4 | 5 | 1.1. "Contributor" 6 | 7 | means each individual or legal entity that creates, contributes to the 8 | creation of, or owns Covered Software. 9 | 10 | 1.2. "Contributor Version" 11 | 12 | means the combination of the Contributions of others (if any) used by a 13 | Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | 17 | means Covered Software of a particular Contributor. 18 | 19 | 1.4. "Covered Software" 20 | 21 | means Source Code Form to which the initial Contributor has attached the 22 | notice in Exhibit A, the Executable Form of such Source Code Form, and 23 | Modifications of such Source Code Form, in each case including portions 24 | thereof. 25 | 26 | 1.5. "Incompatible With Secondary Licenses" 27 | means 28 | 29 | a. that the initial Contributor has attached the notice described in 30 | Exhibit B to the Covered Software; or 31 | 32 | b. that the Covered Software was made available under the terms of 33 | version 1.1 or earlier of the License, but not also under the terms of 34 | a Secondary License. 35 | 36 | 1.6. "Executable Form" 37 | 38 | means any form of the work other than Source Code Form. 39 | 40 | 1.7. "Larger Work" 41 | 42 | means a work that combines Covered Software with other material, in a 43 | separate file or files, that is not Covered Software. 44 | 45 | 1.8. "License" 46 | 47 | means this document. 48 | 49 | 1.9. 
"Licensable" 50 | 51 | means having the right to grant, to the maximum extent possible, whether 52 | at the time of the initial grant or subsequently, any and all of the 53 | rights conveyed by this License. 54 | 55 | 1.10. "Modifications" 56 | 57 | means any of the following: 58 | 59 | a. any file in Source Code Form that results from an addition to, 60 | deletion from, or modification of the contents of Covered Software; or 61 | 62 | b. any new file in Source Code Form that contains any Covered Software. 63 | 64 | 1.11. "Patent Claims" of a Contributor 65 | 66 | means any patent claim(s), including without limitation, method, 67 | process, and apparatus claims, in any patent Licensable by such 68 | Contributor that would be infringed, but for the grant of the License, 69 | by the making, using, selling, offering for sale, having made, import, 70 | or transfer of either its Contributions or its Contributor Version. 71 | 72 | 1.12. "Secondary License" 73 | 74 | means either the GNU General Public License, Version 2.0, the GNU Lesser 75 | General Public License, Version 2.1, the GNU Affero General Public 76 | License, Version 3.0, or any later versions of those licenses. 77 | 78 | 1.13. "Source Code Form" 79 | 80 | means the form of the work preferred for making modifications. 81 | 82 | 1.14. "You" (or "Your") 83 | 84 | means an individual or a legal entity exercising rights under this 85 | License. For legal entities, "You" includes any entity that controls, is 86 | controlled by, or is under common control with You. For purposes of this 87 | definition, "control" means (a) the power, direct or indirect, to cause 88 | the direction or management of such entity, whether by contract or 89 | otherwise, or (b) ownership of more than fifty percent (50%) of the 90 | outstanding shares or beneficial ownership of such entity. 91 | 92 | 93 | 2. License Grants and Conditions 94 | 95 | 2.1. 
Grants 96 | 97 | Each Contributor hereby grants You a world-wide, royalty-free, 98 | non-exclusive license: 99 | 100 | a. under intellectual property rights (other than patent or trademark) 101 | Licensable by such Contributor to use, reproduce, make available, 102 | modify, display, perform, distribute, and otherwise exploit its 103 | Contributions, either on an unmodified basis, with Modifications, or 104 | as part of a Larger Work; and 105 | 106 | b. under Patent Claims of such Contributor to make, use, sell, offer for 107 | sale, have made, import, and otherwise transfer either its 108 | Contributions or its Contributor Version. 109 | 110 | 2.2. Effective Date 111 | 112 | The licenses granted in Section 2.1 with respect to any Contribution 113 | become effective for each Contribution on the date the Contributor first 114 | distributes such Contribution. 115 | 116 | 2.3. Limitations on Grant Scope 117 | 118 | The licenses granted in this Section 2 are the only rights granted under 119 | this License. No additional rights or licenses will be implied from the 120 | distribution or licensing of Covered Software under this License. 121 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 122 | Contributor: 123 | 124 | a. for any code that a Contributor has removed from Covered Software; or 125 | 126 | b. for infringements caused by: (i) Your and any other third party's 127 | modifications of Covered Software, or (ii) the combination of its 128 | Contributions with other software (except as part of its Contributor 129 | Version); or 130 | 131 | c. under Patent Claims infringed by Covered Software in the absence of 132 | its Contributions. 133 | 134 | This License does not grant any rights in the trademarks, service marks, 135 | or logos of any Contributor (except as may be necessary to comply with 136 | the notice requirements in Section 3.4). 137 | 138 | 2.4. 
Subsequent Licenses 139 | 140 | No Contributor makes additional grants as a result of Your choice to 141 | distribute the Covered Software under a subsequent version of this 142 | License (see Section 10.2) or under the terms of a Secondary License (if 143 | permitted under the terms of Section 3.3). 144 | 145 | 2.5. Representation 146 | 147 | Each Contributor represents that the Contributor believes its 148 | Contributions are its original creation(s) or it has sufficient rights to 149 | grant the rights to its Contributions conveyed by this License. 150 | 151 | 2.6. Fair Use 152 | 153 | This License is not intended to limit any rights You have under 154 | applicable copyright doctrines of fair use, fair dealing, or other 155 | equivalents. 156 | 157 | 2.7. Conditions 158 | 159 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in 160 | Section 2.1. 161 | 162 | 163 | 3. Responsibilities 164 | 165 | 3.1. Distribution of Source Form 166 | 167 | All distribution of Covered Software in Source Code Form, including any 168 | Modifications that You create or to which You contribute, must be under 169 | the terms of this License. You must inform recipients that the Source 170 | Code Form of the Covered Software is governed by the terms of this 171 | License, and how they can obtain a copy of this License. You may not 172 | attempt to alter or restrict the recipients' rights in the Source Code 173 | Form. 174 | 175 | 3.2. Distribution of Executable Form 176 | 177 | If You distribute Covered Software in Executable Form then: 178 | 179 | a. such Covered Software must also be made available in Source Code Form, 180 | as described in Section 3.1, and You must inform recipients of the 181 | Executable Form how they can obtain a copy of such Source Code Form by 182 | reasonable means in a timely manner, at a charge no more than the cost 183 | of distribution to the recipient; and 184 | 185 | b. 
You may distribute such Executable Form under the terms of this 186 | License, or sublicense it under different terms, provided that the 187 | license for the Executable Form does not attempt to limit or alter the 188 | recipients' rights in the Source Code Form under this License. 189 | 190 | 3.3. Distribution of a Larger Work 191 | 192 | You may create and distribute a Larger Work under terms of Your choice, 193 | provided that You also comply with the requirements of this License for 194 | the Covered Software. If the Larger Work is a combination of Covered 195 | Software with a work governed by one or more Secondary Licenses, and the 196 | Covered Software is not Incompatible With Secondary Licenses, this 197 | License permits You to additionally distribute such Covered Software 198 | under the terms of such Secondary License(s), so that the recipient of 199 | the Larger Work may, at their option, further distribute the Covered 200 | Software under the terms of either this License or such Secondary 201 | License(s). 202 | 203 | 3.4. Notices 204 | 205 | You may not remove or alter the substance of any license notices 206 | (including copyright notices, patent notices, disclaimers of warranty, or 207 | limitations of liability) contained within the Source Code Form of the 208 | Covered Software, except that You may alter any license notices to the 209 | extent required to remedy known factual inaccuracies. 210 | 211 | 3.5. Application of Additional Terms 212 | 213 | You may choose to offer, and to charge a fee for, warranty, support, 214 | indemnity or liability obligations to one or more recipients of Covered 215 | Software. However, You may do so only on Your own behalf, and not on 216 | behalf of any Contributor. 
You must make it absolutely clear that any 217 | such warranty, support, indemnity, or liability obligation is offered by 218 | You alone, and You hereby agree to indemnify every Contributor for any 219 | liability incurred by such Contributor as a result of warranty, support, 220 | indemnity or liability terms You offer. You may include additional 221 | disclaimers of warranty and limitations of liability specific to any 222 | jurisdiction. 223 | 224 | 4. Inability to Comply Due to Statute or Regulation 225 | 226 | If it is impossible for You to comply with any of the terms of this License 227 | with respect to some or all of the Covered Software due to statute, 228 | judicial order, or regulation then You must: (a) comply with the terms of 229 | this License to the maximum extent possible; and (b) describe the 230 | limitations and the code they affect. Such description must be placed in a 231 | text file included with all distributions of the Covered Software under 232 | this License. Except to the extent prohibited by statute or regulation, 233 | such description must be sufficiently detailed for a recipient of ordinary 234 | skill to be able to understand it. 235 | 236 | 5. Termination 237 | 238 | 5.1. The rights granted under this License will terminate automatically if You 239 | fail to comply with any of its terms. However, if You become compliant, 240 | then the rights granted under this License from a particular Contributor 241 | are reinstated (a) provisionally, unless and until such Contributor 242 | explicitly and finally terminates Your grants, and (b) on an ongoing 243 | basis, if such Contributor fails to notify You of the non-compliance by 244 | some reasonable means prior to 60 days after You have come back into 245 | compliance. 
Moreover, Your grants from a particular Contributor are 246 | reinstated on an ongoing basis if such Contributor notifies You of the 247 | non-compliance by some reasonable means, this is the first time You have 248 | received notice of non-compliance with this License from such 249 | Contributor, and You become compliant prior to 30 days after Your receipt 250 | of the notice. 251 | 252 | 5.2. If You initiate litigation against any entity by asserting a patent 253 | infringement claim (excluding declaratory judgment actions, 254 | counter-claims, and cross-claims) alleging that a Contributor Version 255 | directly or indirectly infringes any patent, then the rights granted to 256 | You by any and all Contributors for the Covered Software under Section 257 | 2.1 of this License shall terminate. 258 | 259 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user 260 | license agreements (excluding distributors and resellers) which have been 261 | validly granted by You or Your distributors under this License prior to 262 | termination shall survive termination. 263 | 264 | 6. Disclaimer of Warranty 265 | 266 | Covered Software is provided under this License on an "as is" basis, 267 | without warranty of any kind, either expressed, implied, or statutory, 268 | including, without limitation, warranties that the Covered Software is free 269 | of defects, merchantable, fit for a particular purpose or non-infringing. 270 | The entire risk as to the quality and performance of the Covered Software 271 | is with You. Should any Covered Software prove defective in any respect, 272 | You (not any Contributor) assume the cost of any necessary servicing, 273 | repair, or correction. This disclaimer of warranty constitutes an essential 274 | part of this License. No use of any Covered Software is authorized under 275 | this License except under this disclaimer. 276 | 277 | 7. 
Limitation of Liability 278 | 279 | Under no circumstances and under no legal theory, whether tort (including 280 | negligence), contract, or otherwise, shall any Contributor, or anyone who 281 | distributes Covered Software as permitted above, be liable to You for any 282 | direct, indirect, special, incidental, or consequential damages of any 283 | character including, without limitation, damages for lost profits, loss of 284 | goodwill, work stoppage, computer failure or malfunction, or any and all 285 | other commercial damages or losses, even if such party shall have been 286 | informed of the possibility of such damages. This limitation of liability 287 | shall not apply to liability for death or personal injury resulting from 288 | such party's negligence to the extent applicable law prohibits such 289 | limitation. Some jurisdictions do not allow the exclusion or limitation of 290 | incidental or consequential damages, so this exclusion and limitation may 291 | not apply to You. 292 | 293 | 8. Litigation 294 | 295 | Any litigation relating to this License may be brought only in the courts 296 | of a jurisdiction where the defendant maintains its principal place of 297 | business and such litigation shall be governed by laws of that 298 | jurisdiction, without reference to its conflict-of-law provisions. Nothing 299 | in this Section shall prevent a party's ability to bring cross-claims or 300 | counter-claims. 301 | 302 | 9. Miscellaneous 303 | 304 | This License represents the complete agreement concerning the subject 305 | matter hereof. If any provision of this License is held to be 306 | unenforceable, such provision shall be reformed only to the extent 307 | necessary to make it enforceable. Any law or regulation which provides that 308 | the language of a contract shall be construed against the drafter shall not 309 | be used to construe this License against a Contributor. 310 | 311 | 312 | 10. Versions of the License 313 | 314 | 10.1. 
New Versions 315 | 316 | Mozilla Foundation is the license steward. Except as provided in Section 317 | 10.3, no one other than the license steward has the right to modify or 318 | publish new versions of this License. Each version will be given a 319 | distinguishing version number. 320 | 321 | 10.2. Effect of New Versions 322 | 323 | You may distribute the Covered Software under the terms of the version 324 | of the License under which You originally received the Covered Software, 325 | or under the terms of any subsequent version published by the license 326 | steward. 327 | 328 | 10.3. Modified Versions 329 | 330 | If you create software not governed by this License, and you want to 331 | create a new license for such software, you may create and use a 332 | modified version of this License if you rename the license and remove 333 | any references to the name of the license steward (except to note that 334 | such modified license differs from this License). 335 | 336 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 337 | Licenses If You choose to distribute Source Code Form that is 338 | Incompatible With Secondary Licenses under the terms of this version of 339 | the License, the notice described in Exhibit B of this License must be 340 | attached. 341 | 342 | Exhibit A - Source Code Form License Notice 343 | 344 | This Source Code Form is subject to the 345 | terms of the Mozilla Public License, v. 346 | 2.0. If a copy of the MPL was not 347 | distributed with this file, You can 348 | obtain one at 349 | http://mozilla.org/MPL/2.0/. 350 | 351 | If it is not possible or desirable to put the notice in a particular file, 352 | then You may include the notice in a location (such as a LICENSE file in a 353 | relevant directory) where a recipient would be likely to look for such a 354 | notice. 355 | 356 | You may add additional accurate notices of copyright ownership. 
357 | 358 | Exhibit B - "Incompatible With Secondary Licenses" Notice 359 | 360 | This Source Code Form is "Incompatible 361 | With Secondary Licenses", as defined by 362 | the Mozilla Public License, v. 2.0. 363 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include LICENSE 2 | include MANIFEST.in 3 | include README.rst 4 | include httpobscli 5 | global-exclude __pycache__ 6 | global-exclude *.py[co] 7 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | Mozilla HTTP Observatory :: Command Line Utility 2 | ================================================ 3 | 4 | Please note that this version of the Observatory CLI has been deprecated, and replaced with a `considerably more powerful version `_. 5 | 6 | Getting started with the HTTP Observatory (docker) 7 | ----------------------------------------- 8 | 9 | 10 | .. code:: bash 11 | 12 | $ docker run --rm fgribreau/httpobs-cli www.mozilla.org 13 | Score: 30 [E] 14 | Modifiers: 15 | [ -5] Initial redirection from http to https is to a different host, preventing HSTS 16 | [ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https 17 | [ -5] X-Content-Type-Options header not implemented 18 | [ -10] X-XSS-Protection header not implemented 19 | [ -20] HTTP Strict Transport Security (HSTS) header not implemented 20 | [ -25] Content Security Policy (CSP) header not implemented 21 | 22 | Getting started with the HTTP Observatory (python) 23 | ----------------------------------------- 24 | 25 | First install the client: 26 | 27 | pip install httpobs-cli 28 | 29 | 30 | .. 
code:: bash 31 | 32 | $ pip install httpobs-cli 33 | 34 | And then scan websites to your heart's content, using our hosted 35 | service: 36 | 37 | :: 38 | 39 | $ httpobs www.mozilla.org 40 | Score: 30 [E] 41 | Modifiers: 42 | [ -5] Initial redirection from http to https is to a different host, preventing HSTS 43 | [ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https 44 | [ -5] X-Content-Type-Options header not implemented 45 | [ -10] X-XSS-Protection header not implemented 46 | [ -20] HTTP Strict Transport Security (HSTS) header not implemented 47 | [ -25] Content Security Policy (CSP) header not implemented 48 | 49 | $ httpobs www.google.com 50 | Score: 35 [D-] 51 | Modifiers: 52 | [ +5] Preloaded via the HTTP Public Key Pinning (HPKP) preloading process 53 | [ -5] X-Content-Type-Options header not implemented 54 | [ -20] Cookies set without using the Secure flag or set over http 55 | [ -20] HTTP Strict Transport Security (HSTS) header not implemented 56 | [ -25] Content Security Policy (CSP) header not implemented 57 | 58 | $ httpobs --zero github.com 59 | Score: 120 [A+] 60 | Modifiers: 61 | [ +5] HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000) 62 | [ +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process 63 | [ +5] Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin 64 | [ +5] X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive 65 | [ 0] All cookies use the Secure flag and all session cookies use the HttpOnly flag 66 | [ 0] Content Security Policy (CSP) implemented with 'unsafe-inline' inside style-src 67 | [ 0] Content is not visible via cross-origin resource sharing (CORS) files or headers 68 | [ 0] Contribute.json isn't required on websites that don't belong to Mozilla 69 | [ 0] Initial redirection is to https on same host, final destination is https 70 | [ 0] X-Content-Type-Options header set to 
"nosniff" 71 | [ 0] X-XSS-Protection header set to "1; mode=block" 72 | 73 | If you want additional options, such as to see the raw scan output, use 74 | ``httpobs --help``: 75 | 76 | :: 77 | 78 | $ httpobs --help 79 | usage: httpobs [options] host 80 | 81 | positional arguments: 82 | host hostname of the website to scan 83 | 84 | optional arguments: 85 | -h, --help show this help message and exit 86 | -d, --debug output only raw JSON from scan and tests 87 | -r, --rescan initiate a rescan instead of showing recent scan results 88 | -v, --verbose display progress indicator 89 | -x, --hidden don't list scan in the recent scan results 90 | -z, --zero show test results that don't affect the final score 91 | 92 | Authors 93 | ------- 94 | 95 | - April King 96 | 97 | License 98 | ------- 99 | 100 | - Mozilla Public License Version 2.0 101 | -------------------------------------------------------------------------------- /httpobscli/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozilla/http-observatory-cli/180171412105bd2a98399d29fc9fc0210ec0eba2/httpobscli/__init__.py -------------------------------------------------------------------------------- /httpobscli/cli.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | 4 | from __future__ import print_function 5 | from operator import itemgetter 6 | from os import environ 7 | from sys import exit 8 | 9 | import argparse 10 | import datetime 11 | import pytz 12 | import json 13 | import requests 14 | import sys 15 | import time 16 | 17 | # import urlparse in a Python2 / Python3 compatible way 18 | try: 19 | from urllib.parse import urlparse 20 | except ImportError: 21 | from urlparse import urlparse 22 | 23 | API_URL = environ.get('HTTPOBS_API_URL', 'https://http-observatory.security.mozilla.org/api/v1') 24 | 25 | 26 | def analyze(host): 27 | global args 28 | 29 | data = {} 30 | 
31 | if args.rescan: 32 | data['rescan'] = 'true' 33 | if args.hidden: 34 | data['hidden'] = 'true' 35 | 36 | try: 37 | # First, make a POST to the Observatory to start the scan 38 | scan = requests.post(API_URL + '/analyze?host={host}'.format(host=host), data=data).json() 39 | 40 | # Notify the user if the user if they attempted a rescan too soon 41 | if (args.rescan and scan.get('error') == 'rescan-attempt-too-soon'): 42 | print('Rescan attempt is sooner than the allowed cooldown period. Returning cached results instead.\n', 43 | file=sys.stderr) 44 | 45 | # Keep polling the HTTP Observatory for the scan to finish 46 | if scan.get('state') != 'FINISHED': 47 | scan = poll(API_URL + '/analyze?host={host}'.format(host=host), 48 | key='state', 49 | values=['FINISHED'], 50 | method='GET') 51 | grade = scan['grade'] 52 | score = scan['score'] 53 | except SystemExit: 54 | raise 55 | except: 56 | print('\nCannot connect to HTTP Observatory at: {url} for Host: {host}.'.format(url=API_URL, host=host)) 57 | exit(1) 58 | 59 | # Get the test results 60 | tests = poll(API_URL + '/getScanResults?scan={scan}'.format(scan=scan['scan_id']), 61 | key='x-frame-options') 62 | 63 | # Print out a notification on stderr that it's a cached result 64 | # I hate working with datetime so much 65 | differential = datetime.datetime.now(pytz.utc) - \ 66 | pytz.timezone('GMT').localize( 67 | datetime.datetime.strptime( 68 | scan['end_time'], 69 | '%a, %d %b %Y %H:%M:%S %Z' 70 | ) 71 | ) 72 | differential = differential.days * 86400 + differential.seconds 73 | 74 | if differential > 300: 75 | hour = int(differential / 3600) 76 | minute = int((differential - 3600 * hour) / 60) 77 | sec = int(differential % 60) 78 | print('Results are cached from {hour}h{min}m{sec}s ago; use -r to rescan.\n' 79 | .format(hour=hour, min=minute, sec=sec), 80 | file=sys.stderr) 81 | 82 | # Print the grade and scan results 83 | if args.csv: 84 | print('{host},{grade},{score},"'.format(host=host, grade=grade, 
score=score), end="") 85 | elif args.debug: 86 | print(json.dumps({'scan': scan, 'tests': tests}, indent=4, sort_keys=True)) 87 | else: 88 | print('Score: {score} [{grade}]'.format(score=score, grade=grade)) 89 | 90 | # Print out the reasons for score modification 91 | if not args.debug: 92 | if not args.csv: 93 | print('Modifiers:') 94 | 95 | # Get all the scores that aren't 0, in descending numerical order 96 | if args.zero: 97 | scores = sorted([(tests[test]['score_modifier'], tests[test]['score_description']) for test in tests]) 98 | else: 99 | scores = sorted([(tests[test]['score_modifier'], tests[test]['score_description']) 100 | for test in tests if tests[test]['score_modifier'] != 0]) 101 | scores = sorted(scores, key=itemgetter(0), reverse=True) # [(-5, 'foo'), (-10, 'bar')] 102 | scores = [list(score) for score in scores] # convert everything from tuples to lists 103 | 104 | for score in scores: 105 | if score[0] > 0: 106 | score[0] = '+' + str(score[0]) # display 5 as +5 107 | if args.csv: 108 | # it's not fancy but it works 109 | print('[{modifier:>4}] {reason}'.format(modifier=score[0], reason=score[1].replace('"','\\"'))) 110 | else: 111 | print(' [{modifier:>4}] {reason}'.format(modifier=score[0], reason=score[1])) 112 | 113 | if args.csv: 114 | # Terminating " for the block of text, post-loop 115 | print('"') 116 | 117 | 118 | def poll(url, key, values=None, method='GET', headers=None, timeout=300): 119 | if headers is None: 120 | headers = {} 121 | 122 | # Create requests session 123 | s = requests.Session() 124 | s.headers.update(headers) 125 | 126 | # Set the start time, since we don't want to go longer than timeout seconds 127 | start_time = time.time() 128 | 129 | if args.verbose: 130 | print('Retrieving: {url}'.format(url=url), end='', file=sys.stderr) 131 | sys.stdout.flush() 132 | 133 | while True: 134 | # Retrieve the URL 135 | if method == 'POST': 136 | r = s.post(url).json() 137 | else: 138 | r = s.get(url).json() 139 | 140 | # See if 
error is in there; if so, we just abort the whole thing 141 | if 'error' in r: 142 | print('\nUnable to get result from the HTTP Observatory. Host:{host} Error: {error}.'.format(host, error=r['error'])) 143 | exit(1) 144 | 145 | # See if the key is one of the pollable values 146 | if values: 147 | if r[key] in values: 148 | if args.verbose: 149 | print() 150 | return r 151 | else: 152 | if key in r: 153 | if args.verbose: 154 | print() 155 | return r 156 | 157 | # Let's error out if it has taken too long 158 | if time.time() - start_time > timeout: 159 | raise requests.Timeout 160 | 161 | # If not, let's sleep and try again 162 | if args.verbose: 163 | print('.', end='', file=sys.stderr) 164 | sys.stdout.flush() 165 | time.sleep(3) 166 | 167 | 168 | def usage(cmd): 169 | print('Usage: {0} '.format(cmd)) 170 | exit(1) 171 | 172 | 173 | def main(): 174 | global args 175 | 176 | # Parse the command line 177 | parser = argparse.ArgumentParser(usage='%(prog)s [options] host') 178 | parser.add_argument('host', help='hostname of the website to scan') 179 | parser.add_argument('-d', '--debug', action='store_true', help='output only raw JSON from scan and tests') 180 | parser.add_argument('-c', '--csv', action='store_true', help='output record in quoted csv format') 181 | parser.add_argument('-r', '--rescan', 182 | action='store_true', 183 | help='initiate a rescan instead of showing recent scan results') 184 | parser.add_argument('-v', '--verbose', action='store_true', help='display progress indicator') 185 | parser.add_argument('-x', '--hidden', action='store_true', help='don\'t list scan in the recent scan results') 186 | parser.add_argument('-z', '--zero', action='store_true', 187 | help='show test results that don\'t affect the final score') 188 | args = parser.parse_args() 189 | 190 | # Try to parse the hostname, in case they used a URL instead 191 | args.host = urlparse(args.host).netloc if urlparse(args.host).netloc else args.host 192 | 193 | # Go out and scan! 
194 | analyze(args.host) 195 | 196 | 197 | if __name__ == "__main__": 198 | main() 199 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | pytz 3 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | [metadata] 2 | description-file = README.rst 3 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os 4 | 5 | from setuptools import find_packages, setup 6 | 7 | 8 | __dirname = os.path.abspath(os.path.dirname(__file__)) 9 | VERSION = '1.0.2' 10 | 11 | with open(os.path.join(__dirname, 'README.rst')) as readme: 12 | README = readme.read() 13 | 14 | setup( 15 | name='httpobs-cli', 16 | version=VERSION, 17 | description='HTTP Observatory: a command line tool to scan your website', 18 | url='https://github.com/mozilla/http-observatory-cli', 19 | download_url='https://github.com/mozilla/http-observatory-cli/httpobs-cli/tarball/' + VERSION, 20 | license='MPL 2.0', 21 | long_description=README, 22 | install_requires=[ 23 | 'requests', 24 | 'pytz' 25 | ], 26 | classifiers=[ 27 | 'Development Status :: 4 - Beta', 28 | 'Environment :: Web Environment', 29 | 'Intended Audience :: Developers', 30 | 'Intended Audience :: System Administrators', 31 | 'License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)', 32 | 'Natural Language :: English', 33 | 'Topic :: Security', 34 | 'Topic :: Software Development :: Quality Assurance', 35 | 'Topic :: Internet :: WWW/HTTP :: HTTP Servers', 36 | ], 37 | author='April King', 38 | author_email='april@mozilla.com', 39 | packages=find_packages(), 40 | include_package_data=False, 41 | zip_safe=True, 42 | 
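#!/usr/bin/env python
"""Packaging metadata for httpobs-cli.

Installs the ``httpobscli`` package and exposes its ``main`` as the
``httpobs`` and ``httpobs-cli`` console scripts.
"""

import io
import os

from setuptools import find_packages, setup


__dirname = os.path.abspath(os.path.dirname(__file__))
VERSION = '1.0.2'

# Read the README with an explicit encoding so the build does not depend on
# the locale of the packaging machine (io.open keeps this Python 2 compatible).
with io.open(os.path.join(__dirname, 'README.rst'), encoding='utf-8') as readme:
    README = readme.read()

setup(
    name='httpobs-cli',
    version=VERSION,
    description='HTTP Observatory: a command line tool to scan your website',
    url='https://github.com/mozilla/http-observatory-cli',
    # GitHub tarball URLs are <owner>/<repo>/tarball/<ref>; the previous value
    # had a stray 'httpobs-cli' path segment between the repository and 'tarball'.
    download_url='https://github.com/mozilla/http-observatory-cli/tarball/' + VERSION,
    license='MPL 2.0',
    long_description=README,
    install_requires=[
        'requests',
        'pytz'
    ],
    classifiers=[
        'Development Status :: 4 - Beta',
        'Environment :: Web Environment',
        'Intended Audience :: Developers',
        'Intended Audience :: System Administrators',
        'License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)',
        'Natural Language :: English',
        'Topic :: Security',
        'Topic :: Software Development :: Quality Assurance',
        'Topic :: Internet :: WWW/HTTP :: HTTP Servers',
    ],
    author='April King',
    author_email='april@mozilla.com',
    packages=find_packages(),
    include_package_data=False,
    zip_safe=True,
    entry_points={
        'console_scripts': [
            'httpobs = httpobscli.cli:main',
            'httpobs-cli = httpobscli.cli:main',
        ]
    },
)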