Merge branch 'main' into fix-luajit-checker

intel · Jun 6, 2023 · 6dcde7a · 6dcde7a
2 parents c7fcd39 + dfd0663
commit 6dcde7a
Show file tree

Hide file tree

Showing 163 changed files with 3,570 additions and 1,553 deletions.
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -126,6 +126,7 @@ dhcpcd
 dhcpd
 distro
 distros
+dmidecode
 dnsmasq
 docstring
 DOCTYPE
@@ -139,6 +140,7 @@ dsa
 dtls
 e
 elfutils
+emacs
 endoflife
 enscript
 entrypoint
@@ -167,6 +169,7 @@ filetype
 filterdiv
 firefox
 flac
+fluidsynth
 freeradius
 freerdp
 FReeshabh
@@ -183,6 +186,7 @@ fuzzer
 GAD
 gcc
 gdb
+gdk
 Gemfile
 Gemfiles
 geopy
@@ -217,6 +221,7 @@ gsoc
 gstreamer
 gupnp
 gvfs
+gzip
 Hacktoberfest
 haproxy
 harfbuzz
@@ -272,6 +277,7 @@ kodi
 kritirikhi
 kubernetes
 landley
+ldns
 lftp
 lgpl
 lgtm
@@ -287,6 +293,7 @@ libebml
 libev
 libexpat
 libgcrypt
+libgd
 libgit
 libical
 libidn
@@ -296,6 +303,7 @@ libksba
 liblas
 libmatroska
 libmemcached
+libmicrohttpd
 libnss
 libpcap
 libpng
@@ -312,6 +320,7 @@ libsoup
 libsqlite
 libsrtp
 libssh
+libtasn
 libtiff
 libtomcrypt
 libupnp
@@ -351,6 +360,7 @@ metabiswadeep
 metadata
 microsoft
 mingw
+mini
 minicom
 minidlna
 miniupnpc
@@ -442,6 +452,8 @@ perl
 php
 picocom
 pigz
+pixbuf
+pixman
 plotly
 png
 pocoo
@@ -517,6 +529,7 @@ securityscorecards
 shadowsocks
 shreyamalviya
 sip
+sngrep
 snort
 sofia
 somefile
@@ -552,6 +565,7 @@ syslogng
 sysstat
 systemd
 SYSV
+tagvalue
 taskbar
 tcpdump
 tcpreplay

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,3 +7,52 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: pip
+    directory: /doc
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+
+# Scanning is disabled for files in /test/ to avoid false positives.
+# These files are used for testing; vulnerable code is never installed or used.
+
+  - package-ecosystem: cargo
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: bundler
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: gomod
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: pip
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: maven
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '38 0 * * 4'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -38,12 +41,17 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +62,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -10,8 +10,13 @@ jobs:
   coverity:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
-    - uses: vapier/coverity-scan-action@v1
+    - name: Harden Runner
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+    - uses: vapier/coverity-scan-action@cae3c096a2eb21c431961a49375ac17aea2670ce # v1.7.0
       with:
         email: ${{ secrets.COVERITY_SCAN_EMAIL }}
         token: ${{ secrets.COVERITY_SCAN_TOKEN }}

diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml
@@ -5,14 +5,22 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   cve_scan:
     name: CVE scan on dependencies
     runs-on: ubuntu-22.04
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
           cache: 'pip'
@@ -22,7 +30,7 @@ jobs:
         run: |
           echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
       - name: Get cached database
-        uses: actions/cache@v3
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, 
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
diff --git a/.github/workflows/export_data.yml b/.github/workflows/export_data.yml
@@ -14,14 +14,25 @@ env:
   NO_EXIT_CVE_NUM: 1
   nvd_api_key: ${{ secrets.NVD_API_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-22.04
 
     steps: 
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
 
@@ -39,7 +50,7 @@ jobs:
           python -m cve_bin_tool.cli --export-json exported_data
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
         with:
           commit-message: 'chore: update database copy'
           title: 'chore: create copy of NVD database'

diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
@@ -7,13 +7,24 @@ on:
     paths:
       - 'cve_bin_tool/checkers/__init__.py'
 
+permissions:
+  contents: read
+
 jobs:
   formatting:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update checkers table
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
           cache: 'pip'
@@ -25,7 +36,7 @@ jobs:
         run: |
           python cve_bin_tool/format_checkers.py
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
         with:
           commit-message: "chore: update checkers table"
           title: "chore: update checkers table"

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -5,6 +5,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   linting:
     name: Linting
@@ -14,8 +17,13 @@ jobs:
       matrix:
         tool: ['isort', 'black', 'pyupgrade', 'flake8', 'bandit', 'gitlint', 'mypy']
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
           cache: 'pip'