Wrong result of the Nextcloud Security Scan about -supported major version-

Nextcloud version (eg, 20.0.5):
Operating system and version (eg, Ubuntu 20.04): (unknown)
Apache or nginx version (eg, Apache 2.4.25): (unknown)
PHP version (eg, 7.4): (unknown)

The issue you are facing:
The information about “Major version still supported” seems to be wrong because the affected NC version 25 is EOL.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Use the scanner with a specific URL
  2. Check the result of the scan

Hi, I stumbled over a Nextcloud instance that shared files with me. I was curious if this Nextcloud instance is up to date and started the “Nextcloud Security Scan” ( https://scan.nextcloud.com ). The result:

Running Nextcloud

NOT on latest patch level

Major version still supported

It is out of question that this nextcloud instance should get an update.

But I wonder about the sentence “Major version still supported”. This version 25 is no longer supported according to “Maintenance and Release Schedule · nextcloud/server Wiki · GitHub”. Is the scanner to be trusted when it tells a Nextcloud user that a Nextcloud instance is officially supported (which is wrong)?

Or am I missing something?

Unfortunately this topic comes up from time to time and the Nextcloud company who runs the scanner doesn’t seem to have any priority on aligning the scanner with the release schedule :frowning:


Just to make sure it’s not a cached scan, what’s the date by the retry button? If anyone has ever checked that URL previously it’ll display old results.

Otherwise I guess maybe the scanner hasn’t been updated for v25 EOL. Usually though people notice that here and nag the right people fairly quickly. :slight_smile: I’d be surprised if v25 is still there. Unfortunately I don’t have a publicly exposed v25 instance to double-check against.

@SysKeeper might be able to confirm internally.

From a quick look at the code, 25 should have been marked as not supported for a while now. Need to check later regarding the deployment.

But my feeling also leans strongly toward the cache…


Hm, while writing the issue I thought about adding additional details, sorry.

In the first scan, I saw the cached data. The version was 11. Then, I triggered the re-scan. After that, the update timestamp was updated to yesterday and the mentioned Nextcloud release 25.x was reported.

Yet, five minutes ago, I triggered the re-scan again and NOW the result is

Running Nextcloud
NOT on latest patch level
Major version NOT supported
Scanned at 2024-04-16 19:27:52

So it seems that there was an update of the scanner since my initial issue report time. :upside_down_face:

→ Closed! :tada:

Thanks for your answers, @wwe @SysKeeper @jtr
