BOD 18-01 Compliance Discrepancies

[cfx47]

🐛 Summary

The automated PSHTT scanner used for BOD web compliance checks is showing a few domains as having "hsts" = "false" and "hsts_max_age" = -1, when they otherwise appear to have HSTS header with a valid age. While the automated checks used for the HTTPS report shows non-compliance, using the PSHTT scanner locally returns expected HSTS results for the same domain and shows compliance.

To reproduce

Steps to reproduce the behavior:

1. Determine domain not returning expected HSTS results from the weekly results
2. Review results for said domain within the HTTPS report and note non-compliance with HSTS checks
3. Run PSHTT scans using Docker, "cisagov/domain-scan:latest --scan=pshtt"
4. Note compliant HSTS headers on Docker scan vs. non-compliant HSTS headers on automated scan

Expected behavior

BOD reports to match what is detected via the manual "pshtt" checks.

[mcdonnnj]

Would you please comment with the results of the following commands so we can see what you are using to run the scan manually?

docker images cisagov/domain-scan

and

docker run --interactive --tty --rm --entrypoint pip cisagov/domain-scan:latest list

[cfx47]

Would you please comment with the results of the following commands so we can see what you are using to run the scan manually?

docker images cisagov/domain-scan
and

docker run --interactive --tty --rm --entrypoint pip cisagov/domain-scan:latest list

$ docker images cisagov/domain-scan

REPOSITORY            TAG       IMAGE ID       CREATED       SIZE
cisagov/domain-scan   latest    2d929f9cbcaf   2 years ago   2.45GB

$ docker run --interactive --tty --rm --entrypoint pip cisagov/domain-scan:latest list

Package                       Version
----------------------------- -----------
asn1crypto                    1.5.1
attrs                         22.2.0
beautifulsoup4                4.11.1
boto3                         1.23.10
botocore                      1.26.10
builtwith                     1.3.4
cachetools                    4.2.4
certifi                       2022.12.7
cffi                          1.15.1
chardet                       5.0.0
charset-normalizer            2.0.12
cryptography                  2.5
dataclasses                   0.8
DataProperty                  0.55.0
dnspython                     2.2.1
docopt                        0.6.2
filelock                      3.4.1
google-api-core               2.8.2
google-auth                   2.15.0
google-auth-oauthlib          0.8.0
google-cloud-bigquery         3.2.0
google-cloud-bigquery-storage 2.13.2
google-cloud-core             2.3.1
google-crc32c                 1.3.0
google-resumable-media        2.3.3
googleapis-common-protos      1.56.3
grpcio                        1.48.2
grpcio-status                 1.48.2
idna                          3.4
ijson                         3.1.4
importlib-metadata            4.8.3
jmespath                      0.10.0
jsonschema                    3.2.0
lxml                          4.9.2
mbstrdecoder                  1.1.1
nassl                         2.2.0
numpy                         1.19.5
oauthlib                      3.2.2
packaging                     21.3
path                          16.2.0
pathvalidate                  2.5.2
pip                           21.3.1
proto-plus                    1.22.1
protobuf                      3.19.6
pshtt                         0.6.9
publicsuffix                  1.1.1
py3dns                        3.2.1
pyarrow                       6.0.1
pyasn1                        0.4.8
pyasn1-modules                0.2.8
pycparser                     2.21
pyOpenSSL                     19.0.0
pyparsing                     3.0.7
pyrsistent                    0.18.0
pyspf                         2.0.11
pytablereader                 0.31.3
pytablewriter                 0.64.2
python-dateutil               2.8.2
pytz                          2022.7
PyYAML                        6.0
requests                      2.27.1
requests-file                 1.5.1
requests-oauthlib             1.3.1
rsa                           4.9
s3transfer                    0.5.2
setuptools                    59.6.0
six                           1.16.0
soupsieve                     2.3.2.post1
sslyze                        2.1.4
strict-rfc3339                0.7
tabledata                     1.3.0
tcolorpy                      0.1.2
tldextract                    3.1.2
tls-parser                    1.2.2
trustymail                    0.7.5
typepy                        1.3.0
typing_extensions             4.1.1
urllib3                       1.26.13
wget                          3.2
zipp                          3.6.0