Security Scan last scan date

hedgehog · April 28, 2022, 2:21pm

Hi, I did a security scan and received a Rating of A for NC 21.0.1 - Major version still supported
I did this for about 10 month or so and I always received a Grade A. So I thought, fine - no need to update. Until I read today when the last scan took place

I suggest to emphasis more when the last scan to place, maybe even a warning symbol or so. People like me whould help that quite a bit.
Thanks.

grafik

devnull · April 28, 2022, 2:30pm

Have you click “trigger re-scan” and reload the website?

Also you can only use https://cloud.server.tld/status.php to find out your Nextcloud version. I think if the installation is actual and the certificate is fine you do not need the scanning website.

Check certificate: SSL Server Test (Powered by Qualys SSL Labs)

Make sure that your certificate is updated regularly.
Update also your operating system (security patches).

fernosan · April 28, 2022, 4:24pm

I think you missed the point. Of course, one should do this and that.

Hedgehog is making a case for an improvement in the design of that particular page.

Speaking of that, maybe there is no point in showing a rating made 6 months ago, so it should be grey or anything that signalizes in 0.1s that something is wrong instead of a big A+ scanned in 2019. Additionally, instead of only “scanned in YY-MM-DD”, a “scanned X months ago” would be nice too. And yes, the button for trigger re-scan should be flashier

tflidd · April 28, 2022, 6:31pm

They check everytime again.

Does it make sense at all to show results that are older than 1 month? New minor release come nearly every month…

devnull · April 29, 2022, 5:51am

The SSL Server Test tests the SSL certificate. The application Nextcloud is not tested. I think if someone is admin of a Nextcloud and has no idea at all about updates and security https://scan.nextcloud.com is needed to find out that the used Nextcloud instance is supported.

https://www.ssllabs.com/ssltest (checks only SSL)
https://scan.nextcloud.com (checks also Nextcloud version)
Maintenance and Release Schedule · nextcloud/server Wiki · GitHub

@tflidd
Can you post a link with all supported Nextcloud versions and subversions?

tflidd · April 29, 2022, 6:18am

That’s all the supported versions.

They just test the version, should all be much easier than checking the whole SSL setup.

wwe · April 29, 2022, 10:05pm

they check little bit more like cookies etc but this definitely less sophisticated than SSL Labs check.

it would be great this link appears next to the test result (perfectly scan result reacts to outdated versions and e.g. enforce re-scan of the instance)

1 or 2 months may be OK
…but 3+ months is definitely bad habit… in my eyes if somebody visit a security scan page

if the scan is older 72d (?)
– re-trigger new scan and shown some intermediate page e.g. “waiting for results…”
if the scan is newer 72d (?)
– found vulnerable or outdated version → show some warning (without details)
– highlight “re-scan” button so admins could easily verify upgrade’s

tflidd · April 30, 2022, 1:26pm

I created a bug report on github:

github.com/nextcloud/nextcloud.com

Limit cache age for Security Scan

opened 01:26PM - 30 Apr 22 UTC

tflidd

When users run a security scan of their setup (often after upgrades), they tend …to find rather old results from the last time their host was scanned. The small greyed out testing date can be easily missed and people start to doubt about their setups. There was [a discussion on the forum](https://help.nextcloud.com/t/security-scan-last-scan-date/138253?u=tflidd), if you can't just remove old scan results and redo new scans? There isn't any sense in showing such old result (up to a year) or is there?

Please continue with your thoughts and suggestions there.