badkeys: handle hostkey reports for unpublished keys (analyzer)

runZeroInc · Jan 17, 2025 · 3e75ec2 · 3e75ec2
1 parent 7c0bd8e
commit 3e75ec2
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/cmd/cmd_analyze.go b/cmd/cmd_analyze.go
@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"encoding/base64"
 	"encoding/csv"
+	"encoding/hex"
 	"encoding/json"
 	"io"
 	"os"
@@ -301,11 +302,21 @@ func isBadKey(conf *ScanConfig, res *auth.AuthResult) bool {
 		if err != nil {
 			continue
 		}
-		res.AddVuln(auth.VulnResult{
-			ID:    "badkeys-" + bkr.RepoType + "-" + bkr.Repo + "-" + bkr.RepoPath + "-" + hkt,
-			Ref:   "https://badkeys.info/",
-			Proof: bkr.ToURL(),
-		})
+		if bkr.Private {
+			repStr := strconv.FormatUint(uint64(bkr.RepoID), 10)
+			hexPre := hex.EncodeToString(hpre)
+			res.AddVuln(auth.VulnResult{
+				ID:    "badkeys-private-" + repStr + "-" + hexPre,
+				Ref:   "https://badkeys.info/",
+				Proof: repStr + "-" + hexPre,
+			})
+		} else {
+			res.AddVuln(auth.VulnResult{
+				ID:    "badkeys-" + bkr.RepoType + "-" + bkr.Repo + "-" + bkr.RepoPath + "-" + hkt,
+				Ref:   "https://badkeys.info/",
+				Proof: bkr.ToURL(),
+			})
+		}
 		found++
 	}
 	return found != 0