Security Scan last scan date

Hi, I did a security scan and received a Rating of A for NC 21.0.1 - Major version still supported
I did this for about 10 months or so and I always received a Grade A. So I thought, fine - no need to update. Until I read today when the last scan took place :scream:

I suggest emphasizing more when the last scan took place, maybe even with a warning symbol or so. That would help people like me quite a bit.


1 Like

Have you clicked “trigger re-scan” and reloaded the website?

Also, you can simply use https://cloud.server.tld/status.php to find out your Nextcloud version. I think if the installation is up to date and the certificate is fine, you do not need the scanning website.

Check certificate: SSL Server Test (Powered by Qualys SSL Labs)

Make sure that your certificate is updated regularly.
Update also your operating system (security patches).

1 Like

I think you missed the point. Of course, one should do this and that.

Hedgehog is making a case for an improvement in the design of that particular page.

Speaking of that, maybe there is no point in showing a rating made 6 months ago, so it should be grey or anything that signals in 0.1s that something is wrong instead of a big A+ scanned in 2019. Additionally, instead of only “scanned in YY-MM-DD”, a “scanned X months ago” would be nice too. And yes, the button for trigger re-scan should be flashier.


They check every time again.

Does it make sense at all to show results that are older than 1 month? New minor releases come nearly every month…

The SSL Server Test tests the SSL certificate. The application Nextcloud is not tested. I think if someone is admin of a Nextcloud and has no idea at all about updates and security is needed to find out that the used Nextcloud instance is supported.

SSL Server Test (Powered by Qualys SSL Labs) (checks only SSL) (checks also Nextcloud version)
Maintenance and Release Schedule · nextcloud/server Wiki · GitHub

Can you post a link with all supported Nextcloud versions and subversions?

That’s all the supported versions.

They just test the version, should all be much easier than checking the whole SSL setup.

1 Like

They check a little bit more, like cookies etc., but this is definitely less sophisticated than the SSL Labs check.

It would be great if this link appeared next to the test result (ideally the scan result reacts to outdated versions and e.g. enforces a re-scan of the instance).

1 or 2 months may be OK
…but 3+ months is definitely a bad habit… in my eyes, if somebody visits a security scan page:

  • if the scan is older than 72d (?)
    – re-trigger a new scan and show some intermediate page, e.g. “waiting for results…”
  • if the scan is newer than 72d (?)
    – found vulnerable or outdated version → show some warning (without details)
    – highlight the “re-scan” button so admins could easily verify upgrades
1 Like
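
An added example, not part of any post in this thread and not Nextcloud's scanner code: a sketch of the staleness policy proposed above, combined with the “scanned X months ago” label suggested earlier. The record layout, function names and sample dates are assumptions made for illustration; the 72-day threshold is the tentative value from the post.

```python
from datetime import date

MAX_AGE_DAYS = 72  # threshold floated in the thread (marked "(?)" there)


def age_label(scanned: date, today: date) -> str:
    """Relative age, so staleness is visible without reading a date."""
    days = (today - scanned).days
    if days < 60:
        return f"scanned {days} days ago"
    return f"scanned {days // 30} months ago"


def display_state(scan: dict, today: date, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Decide what a results page should show for a cached scan record.

    `scan` is a hypothetical record: {"scanned": date, "rating": str,
    "outdated": bool}.
    """
    days = (today - scan["scanned"]).days
    # A timestamp in the future (clock skew, bad data) cannot be trusted,
    # so it is handled like a stale result.
    if days < 0 or days > max_age_days:
        return {"action": "rescan", "rating": None,
                "message": "waiting for results…"}
    state = {"action": "show", "rating": scan["rating"],
             "message": age_label(scan["scanned"], today),
             "highlight_rescan": False}
    if scan["outdated"]:
        # Warn without details and make the re-scan button prominent.
        state.update(action="warn", highlight_rescan=True)
    return state


# Constructed sample records, not real scan data.
STALE = {"scanned": date(2021, 3, 1), "rating": "A", "outdated": False}
FRESH_OUTDATED = {"scanned": date(2021, 12, 1), "rating": "A", "outdated": True}
TODAY = date(2022, 1, 1)

if __name__ == "__main__":
    for record in (STALE, FRESH_OUTDATED):
        print(age_label(record["scanned"], TODAY), display_state(record, TODAY))
```

The stale record never returns its old grade, so a cached “A” cannot be shown once it is past the threshold.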

I created a bug report on GitHub:

Please continue with your thoughts and suggestions there.