From 9d52e63caeaa361e444da2f6a7712bec104abd17 Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Mon, 11 Nov 2024 13:39:10 -0500
Subject: [PATCH 01/14] Create .deepsource.toml

---
 .github/workflows/.deepsource.toml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/workflows/.deepsource.toml

diff --git a/.github/workflows/.deepsource.toml b/.github/workflows/.deepsource.toml
new file mode 100644
index 0000000..d9914df
--- /dev/null
+++ b/.github/workflows/.deepsource.toml
@@ -0,0 +1 @@
+version = 1

From 46d798e21f24896843eeda945a11a7a0e874ba41 Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Mon, 11 Nov 2024 13:39:37 -0500
Subject: [PATCH 02/14] Create .deepsource.toml

---
 .deepsource.toml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .deepsource.toml

diff --git a/.deepsource.toml b/.deepsource.toml
new file mode 100644
index 0000000..d9914df
--- /dev/null
+++ b/.deepsource.toml
@@ -0,0 +1 @@
+version = 1

From f0e62aa46b5292e53712e5cf2620bc73c9aa5672 Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Mon, 11 Nov 2024 13:40:52 -0500
Subject: [PATCH 03/14] Update .deepsource.toml

---
 .deepsource.toml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.deepsource.toml b/.deepsource.toml
index d9914df..d0f3c96 100644
--- a/.deepsource.toml
+++ b/.deepsource.toml
@@ -1 +1,3 @@
 version = 1
+[[analyzers]]
+name = "cxx"

From dde1b660dbe438882d96fbc9ad458f9bbd94ba3a Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Mon, 11 Nov 2024 13:41:06 -0500
Subject: [PATCH 04/14] Update .deepsource.toml

---
 .github/workflows/.deepsource.toml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/.deepsource.toml b/.github/workflows/.deepsource.toml
index d9914df..d0f3c96 100644
--- a/.github/workflows/.deepsource.toml
+++ b/.github/workflows/.deepsource.toml
@@ -1 +1,3 @@
 version = 1
+[[analyzers]]
+name = "cxx"

From 9b566f83ceba452e6ce4ebc436cc48d390608e1f Mon Sep 17 00:00:00 2001
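Review bot: Patch 01 creates `.github/workflows/.deepsource.toml` next to the root `.deepsource.toml` that patch 02 adds, and the two copies are then edited in lockstep through patches 03, 04, 06 and 07. As far as I know DeepSource only reads its configuration from the repository root, and `.github/workflows/` is where GitHub looks for workflow YAML, so the copy under `.github/workflows/` appears to be a stray that will silently drift from the real one; I would delete it rather than maintain both. If it is deliberately kept for some other tool, a one-line comment at the top saying which tool consumes it would save the next reader the same question.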
From: inter0hm
Date: Mon, 11 Nov 2024 13:55:27 -0500
Subject: [PATCH 05/14] Create msvc.yml

---
 .github/workflows/msvc.yml | 66 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 .github/workflows/msvc.yml

diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
new file mode 100644
index 0000000..4ed05ac
--- /dev/null
+++ b/.github/workflows/msvc.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Find more information at:
+# https://github.com/microsoft/msvc-code-analysis-action
+
+name: Microsoft C++ Code Analysis
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '45 11 * * 4'
+
+env:
+  # Path to the CMake build directory.
+  build: '${{ github.workspace }}/build'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Analyze
+    runs-on: windows-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Configure CMake
+        run: cmake -B ${{ env.build }}
+
+      # Build is not required unless generated source files are used
+      # - name: Build CMake
+      #   run: cmake --build ${{ env.build }}
+
+      - name: Initialize MSVC Code Analysis
+        uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
+        # Provide a unique ID to access the sarif output path
+        id: run-analysis
+        with:
+          cmakeBuildDirectory: ${{ env.build }}
+          # Ruleset file that will determine what checks will be run
+          ruleset: NativeRecommendedRules.ruleset
+
+      # Upload SARIF file to GitHub Code Scanning Alerts
+      - name: Upload SARIF to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.run-analysis.outputs.sarif }}
+
+      # Upload SARIF file as an Artifact to download and view
+      # - name: Upload SARIF as an Artifact
+      #   uses: actions/upload-artifact@v3
+      #   with:
+      #     name: sarif-file
+      #     path: ${{ steps.run-analysis.outputs.sarif }}
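Review bot: The `analyze` job mixes pinning styles: `microsoft/msvc-code-analysis-action` is pinned to a full commit SHA, but `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` in the same job are mutable tags, and the job holds `security-events: write`. I would pin all three to commit SHAs with a trailing version comment, the way the `jfrog/frogbot@5d9c42c… # v2.21.2` step later in this series does, so a retagged release cannot change what runs with that token. A `timeout-minutes:` on the job would also bound a stuck `cmake -B` or analysis run on the Windows runner instead of letting it consume the default six hours.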
From c5e9d41cdbf0c47bdca3ebf831feb67b09641537 Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Mon, 11 Nov 2024 14:14:41 -0500
Subject: [PATCH 06/14] Update .deepsource.toml

---
 .deepsource.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.deepsource.toml b/.deepsource.toml
index d0f3c96..d21216f 100644
--- a/.deepsource.toml
+++ b/.deepsource.toml
@@ -1,3 +1,4 @@
 version = 1
 [[analyzers]]
 name = "cxx"
+enabled = true

From 475ca2804a22dd30751a29dbe955b4f3837b9580 Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Mon, 11 Nov 2024 14:22:12 -0500
Subject: [PATCH 07/14] Update .deepsource.toml

---
 .github/workflows/.deepsource.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/.deepsource.toml b/.github/workflows/.deepsource.toml
index d0f3c96..d21216f 100644
--- a/.github/workflows/.deepsource.toml
+++ b/.github/workflows/.deepsource.toml
@@ -1,3 +1,4 @@
 version = 1
 [[analyzers]]
 name = "cxx"
+enabled = true

From 51b3c88e41aec2d48581748ad9662bc43c70c32b Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Mon, 11 Nov 2024 19:36:18 -0500
Subject: [PATCH 08/14] Create flawfinder.yml

---
 .github/workflows/flawfinder.yml | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/flawfinder.yml

diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
new file mode 100644
index 0000000..3f884ea
--- /dev/null
+++ b/.github/workflows/flawfinder.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: flawfinder
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '34 3 * * 0'
+
+jobs:
+  flawfinder:
+    name: Flawfinder
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: flawfinder_scan
+        uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
+        with:
+          arguments: '--sarif ./'
+          output: 'flawfinder_results.sarif'
+
+      - name: Upload analysis results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{github.workspace}}/flawfinder_results.sarif

From 7cb65b77ed47d555472919980f73dcb081127f55 Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Tue, 19 Nov 2024 20:25:26 -0500
Subject: [PATCH 09/14] Update codeql.yml

---
 .github/workflows/codeql.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c9c3e04..3e3a3da 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,7 +9,7 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
+name: "CodeQL Advanced"
 
 on:
   push:
@@ -17,7 +17,7 @@ on:
   pull_request:
     branches: [ "main" ]
   schedule:
-    - cron: '17 14 * * 0'
+    - cron: '35 2 * * 5'
 
 jobs:
   analyze:
@@ -28,7 +28,6 @@ jobs:
     # - https://gh.io/using-larger-runners (GitHub.com only)
     # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
       # required for all workflows
       security-events: write

From a163909e09b3a79e5931edbc0f58d82882a53e3f Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Tue, 19 Nov 2024 20:26:00 -0500
Subject: [PATCH 10/14] Update semgrep.yml

---
 .github/workflows/semgrep.yml | 61 ++++++++++++++++++++++++-----------
 1 file changed, 43 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 3f540b1..1541b0a 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
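Review bot: Removing `timeout-minutes` leaves the `analyze` job on GitHub's default 360-minute limit, so the 120-minute cap that applied to the Swift/macOS matrix entry is lost and a hung analysis on the more expensive macOS runner can now run for six hours. If the goal was to drop the conditional expression, keep a plain bound such as `timeout-minutes: 120` rather than deleting the key. The `analyze` job definition starts and ends outside this hunk.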
@@ -1,24 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow file requires a free account on Semgrep.dev to
+# manage rules, file ignores, notifications, and more.
+#
+# See https://semgrep.dev/docs
+
+name: Semgrep
+
 on:
-  workflow_dispatch: {}
-  pull_request: {}
   push:
-    branches:
-    - main
-    - master
-    paths:
-      - .github/workflows/semgrep.yml
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
   schedule:
-    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-    - cron: 11 9 * * *
-name: Semgrep
+    - cron: '28 18 * * 0'
+
+permissions:
+  contents: read
+
 jobs:
   semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-20.04
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-    container:
-      image: returntocorp/semgrep
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Scan
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - run: semgrep ci
+      # Checkout project source
+      - uses: actions/checkout@v4
+
+      # Scan code using project's configuration on https://semgrep.dev/manage
+      - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735
+        with:
+          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+          publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
+          generateSarif: "1"
+
+      # Upload SARIF file generated in previous step
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif
+        if: always()

From 1e9181e7a7964cbd5aa3c362b544bb93d72d843b Mon Sep 17 00:00:00 2001
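Review bot: The new scan step replaces `semgrep ci` running in the Semgrep container with `returntocorp/semgrep-action`, which as far as I know has been deprecated upstream in favour of exactly the `semgrep ci` invocation the removed lines used, and it adds a dependency on a second secret, `SEMGREP_DEPLOYMENT_ID`, that must now exist for the step to succeed. I would keep the container-based invocation and only add the SARIF output so the existing `upload-sarif` step (with its `if: always()`) still works; the rest of the rewrite — scoped `permissions:`, quoted cron, `ubuntu-latest` — is fine as is. The `workflow_dispatch:` trigger dropped on the old side was the only way to run the scan on demand, so consider keeping it alongside the new `push`/`pull_request`/`schedule` triggers.
```yaml
jobs:
  semgrep:
    # … unchanged: permissions, name, runs-on …
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4

      - run: semgrep ci --sarif --output=semgrep.sarif
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

      # … unchanged: Upload SARIF file step with if: always() …
```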
From: inter0hm
Date: Tue, 19 Nov 2024 20:26:05 -0500
Subject: [PATCH 11/14] Create frogbot-scan-and-fix.yml

---
 .github/workflows/frogbot-scan-and-fix.yml | 65 ++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 .github/workflows/frogbot-scan-and-fix.yml

diff --git a/.github/workflows/frogbot-scan-and-fix.yml b/.github/workflows/frogbot-scan-and-fix.yml
new file mode 100644
index 0000000..e5bcd07
--- /dev/null
+++ b/.github/workflows/frogbot-scan-and-fix.yml
@@ -0,0 +1,65 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan and Fix does the following:
+# Automatically creates pull requests with fixes for vulnerable project dependencies.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot
+
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
+
+name: "Frogbot Scan and Fix"
+on:
+  push:
+    branches: [ "main" ]
+permissions:
+  contents: write
+  pull-requests: write
+  security-events: write
+jobs:
+  create-fix-pull-requests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2
+        env:
+          # [Mandatory if the two conditions below are met]
+          # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+          # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+          #
+          # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
+          # JF_INSTALL_DEPS_CMD: ""
+
+          # [Mandatory]
+          # JFrog platform URL
+          JF_URL: ${{ secrets.JF_URL }}
+
+          # [Mandatory if JF_USER and JF_PASSWORD are not provided]
+          # JFrog access token with 'read' permissions on Xray service
+          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+          # [Mandatory if JF_ACCESS_TOKEN is not provided]
+          # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
+          # JF_USER: ${{ secrets.JF_USER }}
+
+          # [Mandatory if JF_ACCESS_TOKEN is not provided]
+          # JFrog password. Must be provided with JF_USER
+          # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+          # [Mandatory]
+          # The GitHub token automatically generated for the job
+          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # [Optional]
+          # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
+          # in Artifactory, which proxies https://releases.jfrog.io/artifactory
+          # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+          # JF_RELEASES_REPO: ""
+
+          # [Optional]
+          # Frogbot will download the project dependencies, if they're not cached locally. To download the
+          # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
+          # need to set this value, if it is set in the frogbot-config.yml file.
+          # JF_DEPS_REPO: ""

From fc2734c98d537054a22a7f5ce9a5c2a8e28fff3c Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Tue, 19 Nov 2024 20:27:31 -0500
Subject: [PATCH 12/14] Delete .github/workflows/flawfinder.yml

---
 .github/workflows/flawfinder.yml | 38 --------------------------------
 1 file changed, 38 deletions(-)
 delete mode 100644 .github/workflows/flawfinder.yml

diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
deleted file mode 100644
index 3f884ea..0000000
--- a/.github/workflows/flawfinder.yml
+++ /dev/null
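Review bot: `JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}` means the fix pull requests Frogbot opens are created with the job's own token, and GitHub does not start workflow runs for events created by `GITHUB_TOKEN`, so the CodeQL, MSVC and Semgrep checks added elsewhere in this series will not run on those PRs unless a fine-grained PAT or GitHub App installation token is supplied here instead; a comment on that line recording this trade-off would help whoever merges the first Frogbot PR. The workflow-level `contents: write` and `pull-requests: write` are what Frogbot needs to push branches and open PRs, which is reasonable for a single-job workflow, but they should move under `create-fix-pull-requests:` if another job is ever added. Separately, the other workflows in this series configure a CMake/C++ project, and I am not sure Xray has a dependency descriptor to scan here without a `frogbot-config.yml`; worth confirming before relying on the results. Minor: `internat` in the `JF_RELEASES_REPO` comment should read `internet`.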
@@ -1,38 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: flawfinder
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "main" ]
-  schedule:
-    - cron: '34 3 * * 0'
-
-jobs:
-  flawfinder:
-    name: Flawfinder
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: flawfinder_scan
-        uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
-        with:
-          arguments: '--sarif ./'
-          output: 'flawfinder_results.sarif'
-
-      - name: Upload analysis results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{github.workspace}}/flawfinder_results.sarif

From c9634852b37bbab9dd15d5ca759ce54552de02e9 Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Tue, 19 Nov 2024 20:27:45 -0500
Subject: [PATCH 13/14] Rename .deepsource.toml to deepsource.toml

---
 .github/workflows/{.deepsource.toml => deepsource.toml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{.deepsource.toml => deepsource.toml} (100%)

diff --git a/.github/workflows/.deepsource.toml b/.github/workflows/deepsource.toml
similarity index 100%
rename from .github/workflows/.deepsource.toml
rename to .github/workflows/deepsource.toml

From e6eeca5319a33b56ef6c9b3960fe455f65bce18f Mon Sep 17 00:00:00 2001
From: inter0hm
Date: Tue, 19 Nov 2024 20:38:04 -0500
Subject: [PATCH 14/14] Update issue templates

---
 .github/ISSUE_TEMPLATE/bug_report.md      | 38 +++++++++++++++++++++++
 .github/ISSUE_TEMPLATE/feature_request.md | 20 ++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
 create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..dd84ea7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser [e.g. stock browser, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..bbcbbe7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.