From c4835ca1524e876873c4180caca851242124278a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 11:55:10 +0100 Subject: [PATCH 001/101] Add Dependabot configuration for updates --- .github/dependabot.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/dependabot.yaml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000000..647560dd85 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,15 @@ +version: 2 +updates: + - package-ecosystem: "gitsubmodule" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "Submodule Update" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "GitHub Actions Updates" From 4317e6cf627b9f6bb930bbcdd7821129c7a90e49 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:37 +0000 Subject: [PATCH 002/101] GitHub Actions Updates: Bump actions/checkout from 4 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d6895b825d..42fc403531 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
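Review bot: The `gitsubmodule` entry will, as far as I can tell, open a PR for every new commit on each submodule's tracked branch rather than for tagged releases, and nothing here limits or labels that stream; PATCH 004 in this series shows the consequence, where the mbedtls bump lands on a commit that changed the library's directory layout and needed a chain of follow-up build fixes. A short comment above the entry would spare the next maintainer the surprise, e.g. `# Submodule bumps follow the upstream branch HEAD, not releases; check build impact before merging`, and `open-pull-requests-limit` can cap how many land at once.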
@@ -56,7 +56,7 @@ jobs: run: | sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ libfuzzy-dev:${{ matrix.platform.arch }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 @@ -106,7 +106,7 @@ jobs: pcre \ bison \ flex - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 @@ -147,7 +147,7 @@ jobs: - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 @@ -195,7 +195,7 @@ jobs: automake \ libtool \ cppcheck - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 From 95ef56cfb85a414eeca3020929ca30ff46e44898 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:38 +0000 Subject: [PATCH 003/101] Submodule Update: Bump others/libinjection from `b9fcaaf` to `b2d46ec` Bumps [others/libinjection](https://github.com/libinjection/libinjection) from `b9fcaaf` to `b2d46ec`. - [Commits](https://github.com/libinjection/libinjection/compare/b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9...b2d46ec124d947d2f82560074e4a348cb15148fc) --- updated-dependencies: - dependency-name: others/libinjection dependency-version: b2d46ec124d947d2f82560074e4a348cb15148fc dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- others/libinjection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/libinjection b/others/libinjection index b9fcaaf9e5..b2d46ec124 160000 --- a/others/libinjection +++ b/others/libinjection @@ -1 +1 @@ -Subproject commit b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9 +Subproject commit b2d46ec124d947d2f82560074e4a348cb15148fc From 912d2da69b9a66f50860b028a2b6bb1e9967bdc2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:40 +0000 Subject: [PATCH 004/101] Submodule Update: Bump others/mbedtls from `2ca6c28` to `e5ba96c` Bumps [others/mbedtls](https://github.com/Mbed-TLS/mbedtls) from `2ca6c28` to `e5ba96c`. - [Release notes](https://github.com/Mbed-TLS/mbedtls/releases) - [Commits](https://github.com/Mbed-TLS/mbedtls/compare/2ca6c285a0dd3f33982dd57299012dacab1ff206...e5ba96c5c6c408cee7a05f3ab77417a94fe534fe) --- updated-dependencies: - dependency-name: others/mbedtls dependency-version: e5ba96c5c6c408cee7a05f3ab77417a94fe534fe dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- others/mbedtls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/mbedtls b/others/mbedtls index 2ca6c285a0..e5ba96c5c6 160000 --- a/others/mbedtls +++ b/others/mbedtls @@ -1 +1 @@ -Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206 +Subproject commit e5ba96c5c6c408cee7a05f3ab77417a94fe534fe From 9054c6dd696abb0f69ef5f3ec448aa0e307fafbe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:41 +0000 Subject: [PATCH 005/101] Submodule Update: Bump bindings/python from `bc625d5` to `47a6925` Bumps [bindings/python](https://github.com/owasp-modsecurity/ModSecurity-Python-bindings) from `bc625d5` to `47a6925`. - [Commits](https://github.com/owasp-modsecurity/ModSecurity-Python-bindings/compare/bc625d5bb0bac6a64bcce8dc9902208612399348...47a6925df187f96e4593afab18dc92d5f22bd4d5) --- updated-dependencies: - dependency-name: bindings/python dependency-version: 47a6925df187f96e4593afab18dc92d5f22bd4d5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- bindings/python | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bindings/python b/bindings/python index bc625d5bb0..47a6925df1 160000 --- a/bindings/python +++ b/bindings/python 
@@ -1 +1 @@ -Subproject commit bc625d5bb0bac6a64bcce8dc9902208612399348 +Subproject commit 47a6925df187f96e4593afab18dc92d5f22bd4d5 From bf9c82d22f2da3f66c69dc6a4dad361ceb4fdc52 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 10:59:42 +0000 Subject: [PATCH 006/101] Submodule Update: Bump test/test-cases/secrules-language-tests Bumps [test/test-cases/secrules-language-tests](https://github.com/owasp-modsecurity/secrules-language-tests) from `a3d4405` to `c6e8802`. - [Commits](https://github.com/owasp-modsecurity/secrules-language-tests/compare/a3d4405e5a2c90488c387e589c5534974575e35b...c6e8802366ec3182b8c2612e23d14e19e3545b47) --- updated-dependencies: - dependency-name: test/test-cases/secrules-language-tests dependency-version: c6e8802366ec3182b8c2612e23d14e19e3545b47 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- test/test-cases/secrules-language-tests | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test-cases/secrules-language-tests b/test/test-cases/secrules-language-tests index a3d4405e5a..c6e8802366 160000 --- a/test/test-cases/secrules-language-tests +++ b/test/test-cases/secrules-language-tests @@ -1 +1 @@ -Subproject commit a3d4405e5a2c90488c387e589c5534974575e35b +Subproject commit c6e8802366ec3182b8c2612e23d14e19e3545b47 From b83dfb3276039fccdb9bf200ba6bcf2a453e34e0 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 11:59:56 +0100 Subject: [PATCH 007/101] Add Dependabot auto-approve workflow --- .../workflows/dependabot-auto-approve.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/dependabot-auto-approve.yaml diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml new file mode 100644 index 0000000000..ae8bc032d5 --- /dev/null 
+++ b/.github/workflows/dependabot-auto-approve.yaml @@ -0,0 +1,27 @@ +name: Dependabot Auto-Approve +on: pull_request + +permissions: + pull-requests: write + contents: write + +jobs: + auto-approve: + runs-on: ubuntu-latest + if: ${{ github.actor == 'dependabot[bot]' }} + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Approve Pull Request + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + - name: Enable Auto-Merge + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} From 30d1c591e5b40f93d0da4add80b8ee54c8f6c941 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 13:44:32 +0100 Subject: [PATCH 008/101] Update configure.ac --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 7a78bb6c76..d7a47a43b5 100644 --- a/configure.ac +++ b/configure.ac @@ -78,7 +78,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/src/base64.c"; then AC_MSG_ERROR([\ From a7e8deb2f5771a487ea6389a3783bf791128ec99 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 13:45:23 +0100 Subject: [PATCH 009/101] Update base64 header include path --- src/utils/base64.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/utils/base64.cc b/src/utils/base64.cc index e27cace943..7eb5c0edd2 100644 --- a/src/utils/base64.cc +++ b/src/utils/base64.cc 
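Review bot: The metadata fetched by the `metadata` step is never consulted, so every Dependabot PR — including semver-major bumps such as `actions/checkout` 4→6 and submodule moves to arbitrary upstream commits, both of which appear in this series — is approved and queued for auto-merge without human review. Gate the approve and merge steps on the update type, e.g. `if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }}`, and leave major and submodule updates for a maintainer. `gh pr merge --auto` only waits for whatever branch protection marks as required, so if the target branch has no required status checks the merge completes as soon as the approval is recorded; the CI workflow added later in this series should be a required check before this is enabled. The job condition `github.actor == 'dependabot[bot]'` keys on who triggered the run rather than who opened the PR; `if: github.event.pull_request.user.login == 'dependabot[bot]'` is the form GitHub's own example uses.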
@@ -10,7 +10,7 @@ * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. * directly using the email address security@modsecurity.org. - * + *#include "mbedtls/base64.h" */ #include "src/utils/base64.h" @@ -21,7 +21,8 @@ #include #include -#include "mbedtls/base64.h" +#include "mbedtls/include/mbedtls/tf-psa-crypto/include/mbedtls/base64.h" + template inline std::string base64Helper(const char *data, const unsigned int len, Operation op) { // cppcheck-suppress syntaxError ; false positive From 8ea7ec4b3d73a69cf6e764f20c347e812e41de90 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:12:21 +0100 Subject: [PATCH 010/101] Rename ci.yml to ci.yml.alt. --- .github/workflows/{ci.yml => ci.yml.alt.} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{ci.yml => ci.yml.alt.} (100%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml.alt. similarity index 100% rename from .github/workflows/ci.yml rename to .github/workflows/ci.yml.alt. From d65909c4085c8ca768a5e156cce5c5f412c86f2a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:12:50 +0100 Subject: [PATCH 011/101] Add CI workflow for quality assurance across platforms This workflow file sets up a CI pipeline for quality assurance on Linux, macOS, and Windows platforms. It includes jobs for building, checking dependencies, and running cppcheck for static analysis. --- .github/workflows/ci.yml | 229 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..46f5fcdd85 --- /dev/null +++ b/.github/workflows/ci.yml 
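Review bot: The first hunk replaces the blank ` *` line of the license header with ` *#include "mbedtls/base64.h"`, which leaves an include directive as dead text inside the comment block; it reads as an editing artifact rather than an intended change and should be restored to ` *`. The surrounding comment continues above the hunk.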
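Review bot: The second hunk hard-codes the vendored tree's layout into the source file with `#include "mbedtls/include/mbedtls/tf-psa-crypto/include/mbedtls/base64.h"`, a path that splices two prefixes together and does not match the `others/mbedtls/tf-psa-crypto/include/mbedtls/base64.h` location that `others/Makefile.am` settles on later in this series. Keep `#include "mbedtls/base64.h"` here and put the new directory on the include search path in the build files instead, so a future submodule bump only touches Makefile.am and configure.ac. The `base64Helper` template that follows continues outside the hunk.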
@@ -0,0 +1,229 @@ +name: Quality Assurance + +on: + push: + pull_request: + +jobs: + build-linux: + name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-22.04] + platform: + - {label: "x64", arch: "amd64", configure: ""} + - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} + compiler: + - {label: "gcc", cc: "gcc", cxx: "g++"} + - {label: "clang", cc: "clang", cxx: "clang++"} + configure: + - {label: "with parser generation", opt: "--enable-parser-generation" } + - {label: "wo curl", opt: "--without-curl" } + - {label: "wo lua", opt: "--without-lua" } + - {label: "wo maxmind", opt: "--without-maxmind" } + - {label: "wo libxml", opt: "--without-libxml" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep" } + - {label: "with lmdb", opt: "--with-lmdb" } + - {label: "with pcre", opt: "--with-pcre" } + exclude: + - platform: {label: "x32"} + configure: {label: "wo geoip"} + - platform: {label: "x32"} + configure: {label: "wo ssdeep"} + steps: + - name: Setup Dependencies (common) + run: | + sudo dpkg --add-architecture ${{ matrix.platform.arch }} + sudo apt-get update -y -qq + sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ + libcurl4-openssl-dev:${{ matrix.platform.arch }} \ + liblmdb-dev:${{ matrix.platform.arch }} \ + liblua5.2-dev:${{ matrix.platform.arch }} \ + libmaxminddb-dev:${{ matrix.platform.arch }} \ + libpcre2-dev:${{ matrix.platform.arch }} \ + pcre2-utils:${{ matrix.platform.arch }} \ + bison flex + - name: Setup Dependencies (x32) + if: ${{ matrix.platform.label == 'x32' }} + run: | + sudo apt-get install g++-multilib + sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ + libpcre3-dev:${{ matrix.platform.arch }} + - name: Setup Dependencies (x64) + if: ${{ matrix.platform.label == 
'x64' }} + run: | + sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ + libfuzzy-dev:${{ matrix.platform.arch }} + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: build.sh + run: ./build.sh + - name: configure + env: + CC: ${{ matrix.compiler.cc }} + CXX: ${{ matrix.compiler.cxx }} + run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master + - name: make + run: make -j `nproc` + - name: check + run: make check + + build-macos: + name: macOS (${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [macos-14] + configure: + - {label: "with parser generation", opt: "--enable-parser-generation" } + - {label: "wo curl", opt: "--without-curl" } + - {label: "wo lua", opt: "--without-lua" } + - {label: "wo maxmind", opt: "--without-maxmind" } + - {label: "wo libxml", opt: "--without-libxml" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep" } + - {label: "with lmdb", opt: "--with-lmdb" } + - {label: "with pcre", opt: "--with-pcre" } + steps: + - name: Setup Homebrew + run: | + echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV + echo "PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV + - name: Install Dependencies + run: | + brew update + brew install \ + yajl \ + lmdb \ + lua@5.3 \ + libmaxminddb \ + pcre2 \ + geoip \ + ssdeep \ + pcre \ + bison \ + flex + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules 
+ run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Build GeoIP + run: | + git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git + cd geoip-api-c + git fetch --tags + # Check out the last release, v1.6.12 + git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a + autoreconf --install + ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew + make install + - name: build.sh + run: ./build.sh + - name: configure + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master + - name: make + run: make -j `sysctl -n hw.logicalcpu` + - name: check + run: make check + + build-windows: + name: Windows (${{ matrix.configure.label }}) + runs-on: windows-latest + strategy: + matrix: + configure: + - {label: "default", opt: "" } + - {label: "wo curl", opt: "-DWITH_CURL=OFF" } + - {label: "wo lua", opt: "-DWITH_LUA=OFF" } + - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } + - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } + - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } + steps: + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Install Conan + run: | + pip3 install conan + - name: Configure Conan + run: | + conan profile detect + - name: Configure CMake + run: | + cmake -S . 
-B build ${{ matrix.configure.opt }} + - name: Build + run: | + cmake --build build --config Release + + cppcheck-linux: + name: cppcheck (Linux) + runs-on: ubuntu-22.04 + steps: + - name: Setup Dependencies + run: | + sudo apt-get update -y -qq + sudo apt-get install -y \ + cppcheck \ + autoconf \ + automake \ + libtool + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: configure + run: | + ./build.sh + ./configure + - name: cppcheck + run: make check-static + + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + steps: + - name: Setup Dependencies + # curl, pcre2 not installed because they're from Apple + run: | + brew update + brew install autoconf \ + automake \ + libtool \ + cppcheck + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: configure + run: | + ./build.sh + ./configure + - name: cppcheck + run: make check-static From 7fe7f95821dfd8e9135b88a250a141a5de7e4e3a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:14:32 +0100 Subject: [PATCH 012/101] Rename .github/workflows/ci.yml.alt. to backup/ci.yml.alt --- .github/workflows/ci.yml.alt. => backup/ci.yml.alt | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/ci.yml.alt. => backup/ci.yml.alt (100%) diff --git a/.github/workflows/ci.yml.alt. b/backup/ci.yml.alt similarity index 100% rename from .github/workflows/ci.yml.alt. rename to backup/ci.yml.alt From d8d8d080e80aba48132d9eb5316cd1f36d30fcb7 Mon Sep 17 00:00:00 2001 
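Review bot: `ammaraskar/gcc-problem-matcher@master` (used in the Linux and macOS jobs) pulls a third-party action from a mutable branch, so whoever controls that repository can change what runs in these jobs; the checkout action is at least tag-pinned, but both should be pinned to a full commit SHA with the version in a trailing comment, e.g. `- uses: ammaraskar/gcc-problem-matcher@<commit-sha>  # <tag>`. The workflow also declares no `permissions:` block, so every job runs with the repository's default `GITHUB_TOKEN` scope although nothing here needs more than read access; add `permissions:` / `  contents: read` at the top level. The `pip3 install conan` step in the Windows job is likewise unpinned, which makes that matrix non-reproducible from one run to the next.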
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:20:45 +0100 Subject: [PATCH 013/101] Fix Mbed TLS file path in configure.ac --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index d7a47a43b5..bf2d2270e7 100644 --- a/configure.ac +++ b/configure.ac @@ -77,8 +77,8 @@ fi AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git describe && cd ../..)) AC_SUBST([LIBINJECTION_VERSION]) -# Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/src/base64.c"; then +# Check for Mbed TLS +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/mbedtls/src/base64.c"; then AC_MSG_ERROR([\ From b395579773a461471014288ddd71b4fe61bfca4d Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:22:43 +0100 Subject: [PATCH 014/101] Change Lua version from 5.3 to 5.2 in CI --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46f5fcdd85..0442fc378d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -104,7 +104,7 @@ jobs: brew install \ yajl \ lmdb \ - lua@5.3 \ + lua@5.2 \ libmaxminddb \ pcre2 \ geoip \ From cab7d513b32d306342e60b4433bb64fad1aa39c1 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:30:47 +0100 Subject: [PATCH 015/101] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0442fc378d..910ffdaddf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -104,7 +104,7 @@ jobs: brew install \ yajl \ lmdb \ - lua@5.2 \ + lua \ libmaxminddb \ pcre2 \ geoip \ 
From 890d3730870d0ec2692f42f9392e03adec960f52 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:48:53 +0100 Subject: [PATCH 016/101] Update ci.yml --- .github/workflows/ci.yml | 60 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 54 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 910ffdaddf..62c13d256d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,11 +66,23 @@ jobs: git submodule update --init --recursive --force - name: build.sh run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + - name: configure env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master - name: make run: make -j `nproc` @@ -132,8 +144,20 @@ jobs: make install - name: build.sh run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + - name: configure run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes + - uses: ammaraskar/gcc-problem-matcher@master - name: make run: make -j `sysctl -n hw.logicalcpu` 
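Review bot: The `Debug mbedtls layout` step added here (and identically in the next hunk and the two cppcheck-job hunks on the following line) is a one-off diagnostic that dumps `ls -R` output and German-language fallbacks (`others fehlt`, `keine base64.c gefunden`) into every CI run; once the path in configure.ac is settled it should be removed, or at least gated with `if: ${{ failure() }}` so it only runs when an earlier step fails. Its `find others/mbedtls -name 'base64.c' -maxdepth 8` puts the global `-maxdepth` option after `-name`, which GNU find accepts with a warning; write `find others/mbedtls -maxdepth 8 -name 'base64.c'`. If the step stays, its messages should be in English to match the rest of the workflow.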
@@ -194,10 +218,22 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: configure + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout run: | - ./build.sh - ./configure + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure + - name: cppcheck run: make check-static @@ -221,9 +257,21 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: configure + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout run: | - ./build.sh - ./configure + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure + - name: cppcheck run: make check-static From 3cc1ee1287a24905dbe4899f20bffb157bb47e8e Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 14:51:49 +0100 Subject: [PATCH 017/101] Fix Mbed TLS base64 file path in configure.ac Update Mbed TLS base64 source file path check. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index bf2d2270e7..7763786e0a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -78,7 +78,7 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # Check for Mbed TLS -if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/mbedtls/src/base64.c"; then +if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ From 2fc73fc4a860a863e003e07bc4f059b28920fe71 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 15:04:04 +0100 Subject: [PATCH 018/101] Update Makefile.am --- others/Makefile.am | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/others/Makefile.am b/others/Makefile.am index b102a0330c..16d1eb9a4a 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -23,10 +23,10 @@ noinst_HEADERS = \ mbedtls/include/mbedtls/sha1.h libmbedtls_la_SOURCES = \ - mbedtls/library/base64.c \ - mbedtls/library/md5.c \ - mbedtls/library/sha1.c \ - mbedtls/library/platform_util.c + mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/md5.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ + mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include libmbedtls_la_CPPFLAGS = From 67413c6c263488daddc23bdb73a0de4aee0e0f76 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 15:06:01 +0100 Subject: [PATCH 019/101] Update mbedtls include paths in Makefile.am --- others/Makefile.am | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/others/Makefile.am b/others/Makefile.am index 16d1eb9a4a..49d70d990f 100644 --- a/others/Makefile.am +++ b/others/Makefile.am 
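Review bot: This is the third rewrite of the same path guard in this series (after PATCH 008 and 013), and `# Check for Mbed TLS` no longer says why this particular file is probed, so the next submodule bump will repeat the guesswork; expand the comment, e.g. `# Check for Mbed TLS: probe a source file from the TF-PSA-Crypto layout that others/Makefile.am compiles (tf-psa-crypto/drivers/builtin/src/base64.c)`. Keeping the probed path identical to the one listed in `libmbedtls_la_SOURCES` (PATCH 018 uses the same file) keeps the two from drifting apart. The `AC_MSG_ERROR` call that follows continues outside the hunk.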
@@ -15,12 +15,12 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli.h \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ - mbedtls/include/mbedtls/base64.h \ - mbedtls/include/mbedtls/check_config.h \ - mbedtls/include/mbedtls/mbedtls_config.h \ - mbedtls/include/mbedtls/md5.h \ - mbedtls/include/mbedtls/platform.h \ - mbedtls/include/mbedtls/sha1.h + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/base64.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/mbedtls_config.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/platform.h \ + mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c \ @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 4a480eb454042a7cbd455cceeb75faf1015a3f85 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 16:35:48 +0100 Subject: [PATCH 020/101] Update Makefile.am --- others/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/others/Makefile.am b/others/Makefile.am index 49d70d990f..ad57935053 100644 --- a/others/Makefile.am +++ b/others/Makefile.am 
@@ -15,11 +15,11 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli.h \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/base64.h \ + mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/mbedtls_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/platform.h \ + mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h libmbedtls_la_SOURCES = \ From e0b919de1a092e9fb6da2152b43a28ab32683e7c Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 16:41:41 +0100 Subject: [PATCH 021/101] Update mbedtls_config.h include path --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index ad57935053..dc4485ca30 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -17,7 +17,7 @@ noinst_HEADERS = \ libinjection/src/libinjection_xss.h \ mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/mbedtls_config.h \ + mbedtls/include/mbedtls/mbedtls_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/sha1.h From ba80aa4c2c9b7e20763d1c725579e4436747c52b Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 16:49:52 +0100 Subject: [PATCH 022/101] Update include path for mbedtls in Makefile.am --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index dc4485ca30..8151d10630 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 26ffe965fdb5f0da5a25b92ea2978c9b2ceb3908 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:06:47 +0100 Subject: [PATCH 023/101] Update Makefile to reference check_crypto_config.h --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index 8151d10630..0488de8afc 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -16,7 +16,7 @@ noinst_HEADERS = \ libinjection/src/libinjection_sqli_data.h \ libinjection/src/libinjection_xss.h \ mbedtls/tf-psa-crypto/include/mbedtls/base64.h \ - mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/check_config.h \ + mbedtls/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h \ mbedtls/include/mbedtls/mbedtls_config.h \ mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls/private/md5.h \ mbedtls/tf-psa-crypto/include/mbedtls/platform.h \ From ed32c438e9b0735f8e71145963523dc2dfa8e1a0 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:12:39 +0100 Subject: [PATCH 024/101] Update Makefile.am --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index 0488de8afc..dbfc5a48b8 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 9728a108b490a0d6e2b90d47978c94e0c6bf8613 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:13:37 +0100 Subject: [PATCH 025/101] Add include path for builtin drivers in Makefile --- others/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index dbfc5a48b8..eec9d03fe0 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,6 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From 3199b2951974d40bf30c31cfb8360ecbeadb538a Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:14:16 +0100 Subject: [PATCH 026/101] Update Makefile.am --- others/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index eec9d03fe0..30d9c08729 100644 --- a/others/Makefile.am +++ b/others/Makefile.am @@ -28,6 +28,7 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/sha1.c \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c -libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include +libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From ce21b15f9041bf1cb416884f0e2dbe1f824255e9 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:18:10 +0100 Subject: [PATCH 027/101] Update ci.yml --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62c13d256d..5357b8037b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -119,7 +119,6 @@ jobs: lua \ libmaxminddb \ pcre2 \ - geoip \ ssdeep \ pcre \ bison \ From 3b767ac73ff441c4011987a0684a77dff638089a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 19:06:47 +0100 Subject: [PATCH 028/101] Update Makefile.am --- others/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/others/Makefile.am b/others/Makefile.am index 30d9c08729..b8be3af6eb 100644 --- a/others/Makefile.am 
+++ b/others/Makefile.am @@ -29,6 +29,7 @@ libmbedtls_la_SOURCES = \ mbedtls/tf-psa-crypto/drivers/builtin/src/platform_util.c libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -I$(top_srcdir)/others/mbedtls/include \ - -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core libmbedtls_la_CPPFLAGS = libmbedtls_la_LIBADD = From daff882469b2647b90f11e2e75b91febe9923e93 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 7 Dec 2025 19:48:29 +0100 Subject: [PATCH 029/101] update --- backup/md5.h | 32 +++++++++++++++++++ backup/sha1.h | 75 +++++++++++++++++++++++++++++++++++++++++++++ src/utils/base64.cc | 2 +- src/utils/md5.h | 57 ++++++++++++++++++++++++---------- src/utils/sha1.h | 72 +++++++++++++++++++++++++++++-------------- 5 files changed, 198 insertions(+), 40 deletions(-) create mode 100644 backup/md5.h create mode 100644 backup/sha1.h diff --git a/backup/md5.h b/backup/md5.h new file mode 100644 index 0000000000..68f5d748e4 --- /dev/null +++ b/backup/md5.h 
@@ -0,0 +1,32 @@ +/* + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + +#ifndef SRC_UTILS_MD5_H_ +#define SRC_UTILS_MD5_H_ + +#include "src/utils/sha1.h" +#include "mbedtls/md5.h" +#include + +namespace modsecurity::Utils { + + +class Md5 : public DigestImpl<&mbedtls_md5, 16> { +}; + + +} // namespace modsecurity::Utils + +#endif // SRC_UTILS_MD5_H_ \ No newline at end of file diff --git a/backup/sha1.h b/backup/sha1.h new file mode 100644 index 0000000000..a40d7fa1c8 --- /dev/null +++ b/backup/sha1.h 
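Review bot: `backup/md5.h` (this hunk) and `backup/sha1.h` (the next one) commit verbatim copies of the pre-PSA headers into the tree, reusing the include guards `SRC_UTILS_MD5_H_` and `SRC_UTILS_SHA1_H_` of the live `src/utils` headers. Git history already preserves the old versions, and should a `backup/` directory ever end up on an include path the guard collision would make whichever copy is seen first silently win, with no compiler diagnostic. The directory should be dropped from the commit.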
@@ -0,0 +1,75 @@ +/* + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + +#ifndef SRC_UTILS_SHA1_H_ +#define SRC_UTILS_SHA1_H_ + +#include +#include + +#include "src/utils/string.h" +#include "mbedtls/sha1.h" + +namespace modsecurity::Utils { + + +using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); + + +template +class DigestImpl { + public: + + static std::string digest(const std::string& input) { + return digestHelper(input, [](const auto digest) { + return std::string(digest); + }); + } + + static void digestReplace(std::string& value) { + digestHelper(value, [&value](const auto digest) mutable { + value = digest; + }); + } + + static std::string hexdigest(const std::string &input) { + return digestHelper(input, [](const auto digest) { + return utils::string::string_to_hex(digest); + }); + } + +private: + + template + static auto digestHelper(const std::string &input, + ConvertOp convertOp) -> auto { + char digest[DigestSize]; + + const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), + input.size(), reinterpret_cast(digest)); + assert(ret == 0); + + return convertOp(std::string_view(digest, DigestSize)); + } +}; + + +class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { +}; + + +} // namespace modsecurity::Utils + +#endif // SRC_UTILS_SHA1_H_ diff --git a/src/utils/base64.cc b/src/utils/base64.cc index 7eb5c0edd2..6fc1ec360b 100644 --- a/src/utils/base64.cc +++ b/src/utils/base64.cc 
@@ -21,7 +21,7 @@ #include #include -#include "mbedtls/include/mbedtls/tf-psa-crypto/include/mbedtls/base64.h" +#include "mbedtls/base64.h" template diff --git a/src/utils/md5.h b/src/utils/md5.h index 68f5d748e4..d77bde4fbf 100644 --- a/src/utils/md5.h +++ b/src/utils/md5.h 
@@ -1,32 +1,57 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_MD5_H_ #define SRC_UTILS_MD5_H_ -#include "src/utils/sha1.h" -#include "mbedtls/md5.h" +#include "src/utils/sha1.h" // bringt DigestImpl und psa/crypto.h rein #include namespace modsecurity::Utils { - -class Md5 : public DigestImpl<&mbedtls_md5, 16> { +// Wrapper mit gleicher Signatur wie mbedtls_md5, +// intern aber PSA-API. +inline int modsec_psa_md5(const unsigned char *input, + size_t ilen, + unsigned char output[16]) +{ + // sha1.h macht bereits ein lazy psa_crypto_init() in modsec_psa_sha1, + // aber falls MD5 vor SHA1 benutzt wird, sorgen wir hier auch nochmal vor. + static bool psa_initialized = false; + + if (!psa_initialized) { + psa_status_t init_status = psa_crypto_init(); + if (init_status != PSA_SUCCESS) { + return -1; + } + psa_initialized = true; + } + + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_MD5, + input, + ilen, + output, + 16, + &out_len + ); + + if (status != PSA_SUCCESS || out_len != 16) { + return -1; + } + + return 0; +} + +// Statt &mbedtls_md5 benutzen wir jetzt &modsec_psa_md5. +class Md5 : public DigestImpl<&modsec_psa_md5, 16> { }; - } // namespace modsecurity::Utils -#endif // SRC_UTILS_MD5_H_ \ No newline at end of file +#endif // SRC_UTILS_MD5_H_ diff --git a/src/utils/sha1.h b/src/utils/sha1.h index a40d7fa1c8..74cbad408f 100644 
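Review bot: `static bool psa_initialized` in the new `modsec_psa_md5` wrapper is read and written without any synchronization, so a first call from two threads at once is a data race; the identical pattern appears in `modsec_psa_sha1` in the sha1.h hunk that follows. A C++11 function-local static makes the one-time call thread-safe, `static const psa_status_t init_status = psa_crypto_init(); if (init_status != PSA_SUCCESS) return -1;`, and since PSA documents `psa_crypto_init()` as safe to call more than once the flag is not needed at all; better still, factor the initialization into one shared helper rather than duplicating it in both headers. The new comments (`// Wrapper mit gleicher Signatur wie mbedtls_md5, ...`, `// sha1.h macht bereits ein lazy psa_crypto_init() ...`) should be in English like the rest of the tree. The shortened copyright block in both md5.h and sha1.h drops the license notice and the security@modsecurity.org contact that the original header carried; keep the project's standard header.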
--- a/src/utils/sha1.h +++ b/src/utils/sha1.h @@ -1,29 +1,23 @@ /* * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. * + * Licensed under the Apache License, Version 2.0 */ #ifndef SRC_UTILS_SHA1_H_ #define SRC_UTILS_SHA1_H_ #include +#include #include #include "src/utils/string.h" -#include "mbedtls/sha1.h" -namespace modsecurity::Utils { +// NEU: PSA statt mbedtls/sha1.h +#include +namespace modsecurity::Utils { using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); 
@@ -31,44 +25,76 @@ using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); template class DigestImpl { public: - static std::string digest(const std::string& input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](const auto digest) { return std::string(digest); }); } static void digestReplace(std::string& value) { - digestHelper(value, [&value](const auto digest) mutable { + digestHelper(value, [&value](const auto digest) mutable { value = digest; }); } static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](const auto digest) { + return digestHelper(input, [](const auto digest) { return utils::string::string_to_hex(digest); }); } -private: - + private: template static auto digestHelper(const std::string &input, - ConvertOp convertOp) -> auto { + ConvertOp convertOp) -> auto { char digest[DigestSize]; - const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), - input.size(), reinterpret_cast(digest)); + const auto ret = (*digestOp)( + reinterpret_cast(input.c_str()), + input.size(), + reinterpret_cast(digest) + ); assert(ret == 0); return convertOp(std::string_view(digest, DigestSize)); } }; +// NEU: Wrapper, der die PSA-API in die alte Signatur presst. +inline int modsec_psa_sha1(const unsigned char *input, + size_t ilen, + unsigned char output[20]) +{ + static bool psa_initialized = false; + + if (!psa_initialized) { + psa_status_t init_status = psa_crypto_init(); + if (init_status != PSA_SUCCESS) { + return -1; + } + psa_initialized = true; + } -class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { -}; + size_t out_len = 0; + psa_status_t status = psa_hash_compute( + PSA_ALG_SHA_1, + input, + ilen, + output, + 20, + &out_len + ); + + if (status != PSA_SUCCESS || out_len != 20) { + return -1; + } + + return 0; +} +// Statt &mbedtls_sha1 nehmen wir jetzt unseren PSA-Wrapper +class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> { +}; } // namespace modsecurity::Utils 
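Review bot: `assert(ret == 0)` in `digestHelper` is the only failure handling, and the new `modsec_psa_sha1` wrapper (like `modsec_psa_md5`) can now return -1 on a failed `psa_crypto_init()` or on `out_len != 20`; with `NDEBUG` the assert disappears and the uninitialized `char digest[DigestSize]` is converted into the result, so a crypto-provider failure yields a garbage hash that callers treat as valid. At minimum zero-initialize the buffer, `char digest[DigestSize] = {};`, so the failure output is at least deterministic, and add an explicit error path for `ret != 0` (return an empty result or throw) instead of relying on the assertion. A one-line comment on `digestHelper` stating that `digestOp` is expected to be a PSA wrapper with the legacy `mbedtls_*` signature would also help the next reader, since the `DigestOp` alias no longer has an obvious origin.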
From 8385394dcf9673ef8f2983b1a62351fdb7afb822 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 19:53:55 +0100 Subject: [PATCH 030/101] Update Makefile.am --- src/Makefile.am | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Makefile.am b/src/Makefile.am index 14c26697b5..c2b146d38f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -296,6 +296,9 @@ libmodsecurity_la_CPPFLAGS = \ -g \ -I$(top_srcdir)/others \ -I$(top_srcdir)/others/mbedtls/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include \ + -I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core \ -fPIC \ -O3 \ -I$(top_srcdir)/headers \ From 06ebdafcbc07096dda9fa6e967e4077c4fb73e0f Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:09:21 +0100 Subject: [PATCH 031/101] Add mbedcrypto to Makefile dependencies --- src/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index c2b146d38f..413cfbd712 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -345,5 +345,5 @@ libmodsecurity_la_LIBADD = \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) - + $(YAJL_LDADD) \ + -lmbedcrypto From 9e1d5133ab3ac0fab3774c1dcd4bf9f4b81c16b3 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:19:01 +0100 Subject: [PATCH 032/101] Update ci.yml --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5357b8037b..c51f8a8e7e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
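Review bot: `-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/core` and `-I$(top_srcdir)/others/mbedtls/tf-psa-crypto/drivers/builtin/include` put Mbed TLS internal headers on libmodsecurity's own include path. The PSA wrappers in src/utils only appear to need `psa/crypto.h` from `tf-psa-crypto/include`, so the two extra directories look unnecessary here (they are what the vendored sources compiled in others/Makefile.am need, not libmodsecurity) and invite accidental use of private API that changes between releases. If a private header really is required, name it in a comment next to the flag so the dependency is deliberate.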
@@ -45,6 +45,7 @@ jobs: libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ bison flex + libmbedtls-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} run: | @@ -81,6 +82,7 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} + LDFLAGS: "-lmbedcrypto" run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes - uses: ammaraskar/gcc-problem-matcher@master @@ -122,7 +124,8 @@ jobs: ssdeep \ pcre \ bison \ - flex + flex \ + mbedtls - uses: actions/checkout@v6 with: submodules: true From 96217bdaee6e93eb8db679d708ae52479ca8ab85 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:19:50 +0100 Subject: [PATCH 033/101] Add mbedcrypto library to rules-check Makefile --- tools/rules-check/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index 8080411716..ecf82cabf5 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -17,7 +17,8 @@ modsec_rules_check_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + -lmbedcrypto modsec_rules_check_LDFLAGS = \ $(GEOIP_LDFLAGS) \ From 7108fff4e8083cc2404570b05a7ed688aa1256e4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:24:23 +0100 Subject: [PATCH 034/101] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c51f8a8e7e..8e1f523125 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
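Review bot: Adding Homebrew `mbedtls` to the macOS install list installs a second copy of `mbedtls/*.h` and `libmbedcrypto` in the default search paths while this series vendors Mbed TLS as a submodule under `others/mbedtls` and adds `-I$(top_srcdir)/others/mbedtls/include`; which copy the compiler and linker pick then depends on flag order, and a version mismatch between the two would surface only as odd build or runtime errors. If the vendored copy is the intended one, the system package should not be installed in CI at all; if the system one is intended, the submodule include paths should go.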
@@ -44,7 +44,7 @@ jobs: libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ - bison flex + bison flex \ libmbedtls-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} From a7570b42f883c759eb96e6ed06968af6e760e6a4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:29:22 +0100 Subject: [PATCH 035/101] Update ci.yml --- .github/workflows/ci.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e1f523125..7b3321760d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,19 +44,20 @@ jobs: libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ - bison flex \ - libmbedtls-dev:${{ matrix.platform.arch }} + bison flex - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} run: | sudo apt-get install g++-multilib sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} + libpcre3-dev:${{ matrix.platform.arch }} \ + libmbedtls-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} + libfuzzy-dev:${{ matrix.platform.arch }} \ + libmbedtls-dev:${{ matrix.platform.arch }} - uses: actions/checkout@v6 with: submodules: true From 84a4eee7623d6365031e5f329d190149f3e343ad Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:33:27 +0100 Subject: [PATCH 036/101] Update ci.yml --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b3321760d..9d2f17d0c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -50,8 +50,7 @@ jobs: run: | sudo apt-get install g++-multilib sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} \ - libmbedtls-dev:${{ matrix.platform.arch }} + libpcre3-dev:${{ matrix.platform.arch }} - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | From 1e92fe9503454faa28d0d9e3590f0d97b19853a6 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:44:35 +0100 Subject: [PATCH 037/101] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9d2f17d0c6..85485d48fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,7 @@ jobs: sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ libcurl4-openssl-dev:${{ matrix.platform.arch }} \ liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.2-dev:${{ matrix.platform.arch }} \ + liblua5.3-dev:${{ matrix.platform.arch }} \ libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ From 42b38a569cda6dd22b50e778084f53f87e294283 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:51:21 +0100 Subject: [PATCH 038/101] Update CI workflow to remove libmbedtls-dev Removed installation of libmbedtls-dev from CI workflow. --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 85485d48fe..2d9d5d66ff 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -55,8 +55,7 @@ jobs: if: ${{ matrix.platform.label == 'x64' }} run: | sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} \ - libmbedtls-dev:${{ matrix.platform.arch }} + libfuzzy-dev:${{ matrix.platform.arch }} - uses: actions/checkout@v6 with: submodules: true From d8ad34b92e39a93e3b7564f4fa32ed51bbc37c40 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:51:42 +0100 Subject: [PATCH 039/101] Remove -lmbedcrypto from Makefile.am --- src/Makefile.am | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index 413cfbd712..b224d3f773 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -345,5 +345,4 @@ libmodsecurity_la_LIBADD = \ $(PCRE2_LDADD) \ $(MAXMIND_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) \ - -lmbedcrypto + $(YAJL_LDADD) From e0986ac235def651a5c9377c3c0fbdcbf20533f7 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 20:51:59 +0100 Subject: [PATCH 040/101] Fix Makefile.am by adjusting YAJL_LDADD line --- tools/rules-check/Makefile.am | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index ecf82cabf5..8080411716 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -17,8 +17,7 @@ modsec_rules_check_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) \ - -lmbedcrypto + $(YAJL_LDADD) modsec_rules_check_LDFLAGS = \ $(GEOIP_LDFLAGS) \ From c3556c890b1af1579e674cd6b2bf13c1a42bd9ae Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:14:28 +0100 Subject: [PATCH 041/101] Update build.sh --- build.sh | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) 
diff --git a/build.sh b/build.sh index 7f47f03c04..78c73fc5d6 100755 --- a/build.sh +++ b/build.sh @@ -1,8 +1,13 @@ #!/bin/sh +set -e # bei Fehler abbrechen + rm -rf autom4te.cache rm -f aclocal.m4 +## +## 1. headers.mk erzeugen (wie bisher) +## cd src rm -f headers.mk echo "noinst_HEADERS = \\" > headers.mk @@ -22,14 +27,45 @@ ls -1 \ variables/*.h \ engine/*.h \ *.h | tr "\012" " " >> headers.mk -cd ../ +cd .. + +## +## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS +## +if [ -d "others/mbedtls" ]; then + echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." + ( + cd others/mbedtls + + mkdir -p build + + # Laut offizieller CMake-Options: + # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen + # - ENABLE_TESTING=ON -> Test-Binaries + CTest + cmake -S . -B build \ + -DENABLE_PROGRAMS=ON \ + -DENABLE_TESTING=ON + + cmake --build build --config Release + + echo "==> Running Mbed TLS tests..." + cd build + ctest --output-on-failure + ) +else + echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" +fi + +## +## 3. Autotools für ModSecurity initialisieren +## +case `uname` in + Darwin*) glibtoolize --force --copy ;; + *) libtoolize --force --copy ;; +esac -case `uname` in Darwin*) glibtoolize --force --copy ;; - *) libtoolize --force --copy ;; esac autoreconf --install autoheader automake --add-missing --foreign --copy --force-missing autoconf --force rm -rf autom4te.cache - - From 72d62fa5f98bab0fae13acddf64281fbba2edd7d Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:16:12 +0100 Subject: [PATCH 042/101] Update Makefile.am --- src/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Makefile.am b/src/Makefile.am index b224d3f773..f77b9f3dc5 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
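Review bot: The `cmake -S . -B build` call sets no `CMAKE_BUILD_TYPE`, and `--config Release` on the build step only affects multi-config generators, so with the default Makefile generator the vendored crypto library is compiled unoptimized and without `-fPIC`; add `-DCMAKE_BUILD_TYPE=Release -DCMAKE_POSITION_INDEPENDENT_CODE=ON` to the configure call, the latter because `others/mbedtls/build/library/libmbedcrypto.a` must be PIC if it is ever added to `libmodsecurity_la_LIBADD` (src/Makefile.am now defines `MBEDTLS_CRYPTO_LIB` for it). Building every Mbed TLS program and running the full test suite (`ENABLE_TESTING=ON` plus `ctest`) on each `build.sh` run also turns a routine autotools bootstrap into a long job; unless those tests are meant to gate the ModSecurity build, `-DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF` is the usual setting for a vendored dependency. Note too that others/Makefile.am (earlier in this series) compiles selected Mbed TLS sources itself, so the crypto code now appears to be built twice. The new comments (`## 1. headers.mk erzeugen ...`, `# Laut offizieller CMake-Options: ...`) should be in English like the rest of the script.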
@@ -13,6 +13,8 @@ libmodsecurity_ladir = $(prefix)/include libmodsecurity_includesub_collectiondir = $(pkgincludedir)/collection/ libmodsecurity_includesub_actionsdir = $(pkgincludedir)/actions/ +MBEDTLS_CRYPTO_LIB = ../others/mbedtls/build/library/libmbedcrypto.a + # pregenerated parser + parser sources EXTRA_DIST = \ From fe8a464b284b61398c30897593d04c05bd7a6283 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:18:09 +0100 Subject: [PATCH 043/101] Add cmake to CI dependencies Added cmake to the list of dependencies in the CI workflow. --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2d9d5d66ff..90808a0de4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: libmaxminddb-dev:${{ matrix.platform.arch }} \ libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ - bison flex + bison flex cmake - name: Setup Dependencies (x32) if: ${{ matrix.platform.label == 'x32' }} run: | @@ -124,7 +124,8 @@ jobs: pcre \ bison \ flex \ - mbedtls + mbedtls\ + cmake - uses: actions/checkout@v6 with: submodules: true From 0db7cddc1894dde33147614352a570a712f3160e Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:36:13 +0100 Subject: [PATCH 044/101] Update ci.yml --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 90808a0de4..c8b0040426 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,7 +81,6 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} - LDFLAGS: "-lmbedcrypto" run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes - uses: ammaraskar/gcc-problem-matcher@master 
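Review bot: `MBEDTLS_CRYPTO_LIB = ../others/mbedtls/build/library/libmbedcrypto.a` is a path relative to the `src/` directory, whereas the later Makefile.am files in this series use `$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a`; the relative form breaks out-of-tree builds and make invocations from another directory, and the variable is not referenced anywhere in this hunk. Use one form consistently (`$(top_srcdir)` would match where build.sh actually produces the archive, inside the source tree), and either add it to `libmodsecurity_la_LIBADD` or leave the definition out until it is used.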
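Review bot: `mbedtls\` in the Homebrew install list lacks the space before the backslash that every other entry has (`flex \`). The shell removes a backslash-newline pair, so whether `mbedtls` and `cmake` remain separate words then depends solely on the continuation line's leading indentation surviving YAML's block-indent stripping; if it does not, brew is asked for a formula named `mbedtlscmake`. Write `mbedtls \` like the surrounding lines.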
From 267507af0e92ccfc537322449ca6a489b6b18973 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 21:52:18 +0100 Subject: [PATCH 045/101] Update Makefile.am --- tools/rules-check/Makefile.am | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index 8080411716..0dc4002910 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -5,6 +5,8 @@ bin_PROGRAMS = modsec-rules-check modsec_rules_check_SOURCES = \ rules-check.cc +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a + modsec_rules_check_LDADD = \ $(top_builddir)/src/.libs/libmodsecurity.la \ $(CURL_LDADD) \ @@ -17,7 +19,8 @@ modsec_rules_check_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) modsec_rules_check_LDFLAGS = \ $(GEOIP_LDFLAGS) \ From 71baa33e7b0f6b111d787d0c16239905e58fd714 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:05:38 +0100 Subject: [PATCH 046/101] Update Makefile.am --- examples/multithread/Makefile.am | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/multithread/Makefile.am b/examples/multithread/Makefile.am index 0871efa1e1..33e3e20029 100644 --- a/examples/multithread/Makefile.am +++ b/examples/multithread/Makefile.am @@ -5,6 +5,8 @@ noinst_PROGRAMS = multithread multithread_SOURCES = \ multithread.cc +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a + multithread_LDADD = \ $(CURL_LDADD) \ $(GEOIP_LDADD) \ @@ -16,7 +18,8 @@ multithread_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB multithread_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From c91936c57fe96bde0d036f129c19022931cfc763 Mon Sep 17 00:00:00 2001 
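Review bot: Linking `$(MBEDTLS_CRYPTO_LIB)` into every consumer (rules-check here, multithread in the next hunk, and the five example Makefile.am files in the patches that follow) pushes an implementation detail of libmodsecurity onto its users: the PSA calls live inside libmodsecurity, so the archive belongs in `libmodsecurity_la_LIBADD` (built PIC) so that the shared library resolves them itself and external consumers need no change. The same `MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a` line is now copied into seven Makefile.am files; define it once in configure.ac via `AC_SUBST` instead. The multithread hunk also has an unbalanced `$(MBEDTLS_CRYPTO_LIB` with no closing parenthesis, which only a later patch in this series corrects.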
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:06:31 +0100 Subject: [PATCH 047/101] Update Makefile.am --- examples/multiprocess_c/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/multiprocess_c/Makefile.am b/examples/multiprocess_c/Makefile.am index 726d1d9057..59f675b601 100644 --- a/examples/multiprocess_c/Makefile.am +++ b/examples/multiprocess_c/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = multi @@ -9,7 +9,8 @@ multi_LDADD = \ $(SSDEEP_LDADD) \ $(LUA_LDADD) \ $(MAXMIND_LDADD) \ - $(GLOBAL_LDADD) + $(GLOBAL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) multi_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From d7a202736ee3e9a0c2f55aeceb10ae8f37bad40a Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:07:36 +0100 Subject: [PATCH 048/101] Update Makefile.am --- examples/reading_logs_via_rule_message/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/reading_logs_via_rule_message/Makefile.am b/examples/reading_logs_via_rule_message/Makefile.am index 5a6ba74b2a..4db723bf14 100644 --- a/examples/reading_logs_via_rule_message/Makefile.am +++ b/examples/reading_logs_via_rule_message/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = simple_request @@ -16,7 +16,8 @@ simple_request_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) simple_request_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 054408a90803f1738ebf942eef84785fbad88af0 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:08:47 +0100 Subject: [PATCH 049/101] Update Makefile.am --- examples/reading_logs_with_offset/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/reading_logs_with_offset/Makefile.am b/examples/reading_logs_with_offset/Makefile.am index a98ed48d0e..e28d4219fe 100644 --- a/examples/reading_logs_with_offset/Makefile.am +++ b/examples/reading_logs_with_offset/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = read @@ -16,7 +16,8 @@ read_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) read_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 711eae7918a7132174294421632924b38e6be864 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:09:37 +0100 Subject: [PATCH 050/101] Update Makefile.am --- examples/using_bodies_in_chunks/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/using_bodies_in_chunks/Makefile.am b/examples/using_bodies_in_chunks/Makefile.am index 9eb438f368..1024ccb588 100644 --- a/examples/using_bodies_in_chunks/Makefile.am +++ b/examples/using_bodies_in_chunks/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = simple_request @@ -16,7 +16,8 @@ simple_request_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) simple_request_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 18051fe17c643cf57a75a5de17adc070342c636e Mon Sep 17 00:00:00 2001 
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 7 Dec 2025 22:11:06 +0100 Subject: [PATCH 051/101] Update Makefile.am --- examples/simple_example_using_c/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/simple_example_using_c/Makefile.am b/examples/simple_example_using_c/Makefile.am index b03ab96d48..cbb1145a26 100644 --- a/examples/simple_example_using_c/Makefile.am +++ b/examples/simple_example_using_c/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = test @@ -8,7 +8,8 @@ test_SOURCES = \ test_LDADD = \ $(GLOBAL_LDADD) \ $(LUA_LDADD) \ - $(SSDEEP_LDADD) + $(SSDEEP_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) test_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From bba944a126a6d5436a2d1f696025bf9b8ee73252 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 17:43:33 +0100 Subject: [PATCH 052/101] Update ci.yml --- .github/workflows/ci.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c8b0040426..2ea1911dbd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,7 +81,7 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes + run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master - name: make 
@@ -96,15 +96,15 @@ jobs: matrix: os: [macos-14] configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } + - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } + - {label: "wo curl", opt: "--without-curl --without-geoip" } + - {label: "wo lua", opt: "--without-lua --without-geoip" } + - {label: "wo maxmind", opt: "--without-maxmind --without-geoip" } + - {label: "wo libxml", opt: "--without-libxml --without-geoip" } - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } + - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } + - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } + - {label: "with pcre", opt: "--with-pcre --without-geoip" } steps: - name: Setup Homebrew run: | @@ -157,7 +157,7 @@ jobs: find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure - run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master - name: make @@ -233,7 +233,7 @@ jobs: find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure - run: ./configure + run: ./configure --disable-dependency-tracking - name: cppcheck run: make check-static @@ -272,7 +272,7 @@ jobs: find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure - run: ./configure + run: ./configure --disable-dependency-tracking - name: cppcheck run: make check-static From 8471748dbc265d2f74ec6c636372a1364c30559b Mon Sep 17 00:00:00 2001 
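Review bot: Every macOS matrix entry now ends in `--without-geoip`, so the `wo geoip` row no longer differs from the others and GeoIP is never built on macOS at all; either drop that row or make the coverage loss visible in the job name. If the intent is only to avoid the Homebrew GeoIP build that the next commit deletes, one `--without-geoip` appended in the `configure` step (`run: ./configure ${{ matrix.configure.opt }} --without-geoip --enable-assertions=yes --disable-dependency-tracking`) keeps the matrix readable. The `--disable-dependency-tracking` additions in the other three hunks are fine as written.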
From: Easton97-Jens Date: Mon, 8 Dec 2025 17:47:45 +0100 Subject: [PATCH 053/101] Update ci.yml --- .github/workflows/ci.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2ea1911dbd..e6b7874ecb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -133,16 +133,6 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: Build GeoIP - run: | - git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git - cd geoip-api-c - git fetch --tags - # Check out the last release, v1.6.12 - git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a - autoreconf --install - ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew - make install - name: build.sh run: ./build.sh From 5dc7b1ba3d163eb3372f57c23372741ae83545c0 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:04:46 +0100 Subject: [PATCH 054/101] Update Makefile.am --- examples/multithread/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/multithread/Makefile.am b/examples/multithread/Makefile.am index 33e3e20029..795b15047b 100644 --- a/examples/multithread/Makefile.am +++ b/examples/multithread/Makefile.am @@ -19,7 +19,7 @@ multithread_LDADD = \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ $(YAJL_LDADD) \ - $(MBEDTLS_CRYPTO_LIB + $(MBEDTLS_CRYPTO_LIB) multithread_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ From 44261aabf6317aea9ccb611156d52538abcdb23f Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:20:34 +0100 Subject: [PATCH 055/101] a --- .github/workflows/ci.yml | 36 +++++++++++++++++++++++++----------- test/benchmark/Makefile.am | 5 +++-- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e6b7874ecb..f3d636880b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -110,29 +110,41 @@ jobs: run: | echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV echo "PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV + - name: Install Dependencies run: | brew update brew install \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - pcre2 \ - ssdeep \ - pcre \ - bison \ - flex \ - mbedtls\ - cmake + yajl \ + lmdb \ + lua \ + libmaxminddb \ + pcre2 \ + ssdeep \ + pcre \ + bison \ + flex \ + mbedtls \ + cmake + + # 🔧 NEU: Python-Dependency für mbedtls-Skripte + - name: Install Python dependencies (jinja2) + run: | + python3 -m pip install --upgrade pip + python3 -m pip install jinja2 + # falls das Skript "python" statt "python3" nutzt: + python -m pip install jinja2 || true + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 + - name: Init git submodules run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: build.sh run: ./build.sh @@ -150,8 +162,10 @@ jobs: run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master + - name: make run: make -j `sysctl -n hw.logicalcpu` + - name: check run: make check diff --git a/test/benchmark/Makefile.am b/test/benchmark/Makefile.am index 2ac9d92111..d2bcb57f44 100644 --- a/test/benchmark/Makefile.am +++ b/test/benchmark/Makefile.am @@ -1,4 +1,4 @@ - +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a noinst_PROGRAMS = benchmark @@ -16,7 +16,8 @@ benchmark_LDADD = \ $(SSDEEP_LDADD) \ $(LUA_LDADD) \ $(LIBXML2_LDADD) \ - $(GLOBAL_LDADD) + $(GLOBAL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) benchmark_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ 
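Review bot: `python3 -m pip install jinja2` installs whatever version PyPI serves on the day of the run, and the fallback `python -m pip install jinja2 || true` hides its own failure; pin the version (`python3 -m pip install 'jinja2==<PINNED_VERSION>'`) or install from a requirements file with `--require-hashes`, and drop the `|| true`. The same unpinned install survives in patch 056 (`--user`) and patch 058 (venv). The commit subject `a` and the German step comment `# 🔧 NEU: Python-Dependency für mbedtls-Skripte` should say what the dependency is for, in the file's existing English, e.g. `# jinja2: needed by the build scripts under others/mbedtls`.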
From ab564fa83af32ca68997bc57936d502c0e4c166a Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:32:53 +0100 Subject: [PATCH 056/101] update --- .github/workflows/ci.yml | 14 ++++++++++---- test/Makefile.am | 10 +++++++--- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f3d636880b..6ee42da0d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -130,10 +130,16 @@ jobs: # 🔧 NEU: Python-Dependency für mbedtls-Skripte - name: Install Python dependencies (jinja2) run: | - python3 -m pip install --upgrade pip - python3 -m pip install jinja2 - # falls das Skript "python" statt "python3" nutzt: - python -m pip install jinja2 || true + # Nur im User-Space installieren, das ist mit PEP 668 erlaubt + python3 -m pip install --user jinja2 + + # Debug-Ausgabe, um sicher zu sein, dass es klappt + python3 - << 'EOF' + import jinja2, sys + print("Python:", sys.executable) + print("jinja2:", jinja2.__version__, "from", jinja2.__file__) + EOF + - uses: actions/checkout@v6 with: diff --git a/test/Makefile.am b/test/Makefile.am index 2e7e05d614..467386a3de 100644 --- a/test/Makefile.am +++ b/test/Makefile.am @@ -41,6 +41,7 @@ noinst_HEADERS = \ unit/*.h \ regression/*.h +MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a unit_tests_LDADD = \ $(CURL_LDADD) \ @@ -53,7 +54,8 @@ unit_tests_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) unit_tests_LDFLAGS = \ @@ -108,7 +110,8 @@ regression_tests_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) regression_tests_LDFLAGS = \ @@ -162,7 +165,8 @@ rules_optimization_LDADD = \ $(PCRE_LDADD) \ $(PCRE2_LDADD) \ $(SSDEEP_LDADD) \ - $(YAJL_LDADD) + $(YAJL_LDADD) \ + $(MBEDTLS_CRYPTO_LIB) rules_optimization_LDFLAGS = \ -L$(top_builddir)/src/.libs/ \ 
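Review bot: The comment `# Nur im User-Space installieren, das ist mit PEP 668 erlaubt` does not match pip's behaviour as I read it: in an externally-managed (PEP 668) interpreter pip refuses `--user` installs too unless `--break-system-packages` is given, so this step is likely to fail on a Homebrew Python the same way the previous one did, and a virtualenv (which patch 058 then introduces) is the supported route. The heredoc check only proves the import works in the workflow shell, not in whatever interpreter the mbedtls scripts are invoked with. The three `test/Makefile.am` hunks repeat the hard-coded `libmbedcrypto.a` path already duplicated across the examples Makefiles.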
From 6de1f14b46e11ba3091cabd373aa740a31f5144f Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 18:56:45 +0100 Subject: [PATCH 057/101] update --- .github/workflows/ci.yml | 56 ++++---- backup/ci.yml | 289 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 318 insertions(+), 27 deletions(-) create mode 100644 backup/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ee42da0d0..de73a1dd60 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,10 +10,9 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [ubuntu-22.04] + os: [ubuntu-24.04] platform: - - {label: "x64", arch: "amd64", configure: ""} - - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} + - {label: "x64", arch: "amd64", configure: ""} # nur noch x64 compiler: - {label: "gcc", cc: "gcc", cxx: "g++"} - {label: "clang", cc: "clang", cxx: "clang++"} 
@@ -27,43 +26,42 @@ jobs: - {label: "wo ssdeep", opt: "--without-ssdeep" } - {label: "with lmdb", opt: "--with-lmdb" } - {label: "with pcre", opt: "--with-pcre" } - exclude: - - platform: {label: "x32"} - configure: {label: "wo geoip"} - - platform: {label: "x32"} - configure: {label: "wo ssdeep"} + # keine excludes mehr nötig – es gibt kein x32 + steps: - name: Setup Dependencies (common) + # kein dpkg --add-architecture mehr, nur native amd64-Pakete run: | - sudo dpkg --add-architecture ${{ matrix.platform.arch }} sudo apt-get update -y -qq - sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ - libcurl4-openssl-dev:${{ matrix.platform.arch }} \ - liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.3-dev:${{ matrix.platform.arch }} \ - libmaxminddb-dev:${{ matrix.platform.arch }} \ - libpcre2-dev:${{ matrix.platform.arch }} \ - pcre2-utils:${{ matrix.platform.arch }} \ - bison flex cmake - - name: Setup Dependencies (x32) - if: ${{ matrix.platform.label == 'x32' }} - run: | - sudo apt-get install g++-multilib - sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} + sudo apt-get install -y \ + libyajl-dev \ + libcurl4-openssl-dev \ + liblmdb-dev \ + liblua5.3-dev \ + libmaxminddb-dev \ + libpcre2-dev \ + pcre2-utils \ + bison flex cmake + + # x32-Setup fällt komplett weg + - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | - sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} + sudo apt-get install -y \ + libgeoip-dev \ + libfuzzy-dev + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 + - name: Init git submodules run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: build.sh run: ./build.sh 
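Review bot: `if: ${{ matrix.platform.label == 'x64' }}` on `Setup Dependencies (x64)` is now always true, because the `platform` matrix in the hunk above keeps only the x64 entry; fold `libgeoip-dev` and `libfuzzy-dev` into the common `apt-get install` and delete the conditional step, or remove the `platform` axis altogether. The new comments (`# keine excludes mehr nötig – es gibt kein x32`, `# x32-Setup fällt komplett weg`, `# nur noch x64`) are in German while the file's existing comments are English (`# curl, pcre2 not installed because they're from Apple`); keep one language per file.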
@@ -81,14 +79,17 @@ jobs: env: CC: ${{ matrix.compiler.cc }} CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master + - name: make run: make -j `nproc` + - name: check run: make check + build-macos: name: macOS (${{ matrix.configure.label }}) runs-on: ${{ matrix.os }} @@ -125,7 +126,8 @@ jobs: bison \ flex \ mbedtls \ - cmake + cmake \ + pipx # 🔧 NEU: Python-Dependency für mbedtls-Skripte - name: Install Python dependencies (jinja2) diff --git a/backup/ci.yml b/backup/ci.yml new file mode 100644 index 0000000000..b99ceb047c --- /dev/null +++ b/backup/ci.yml 
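Review bot: `pipx` is added to the `brew install` list but no step in this hunk uses it, and the jinja2 step that follows still calls `python3 -m pip install --user`; pipx installs applications into isolated environments, so it would not make `import jinja2` work for the mbedtls scripts either. Drop it unless a later step actually calls it. The `build-macos` job this hunk belongs to starts and ends outside the hunk.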
@@ -0,0 +1,289 @@ +name: Quality Assurance + +on: + push: + pull_request: + +jobs: + build-linux: + name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-22.04] + platform: + - {label: "x64", arch: "amd64", configure: ""} + - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} + compiler: + - {label: "gcc", cc: "gcc", cxx: "g++"} + - {label: "clang", cc: "clang", cxx: "clang++"} + configure: + - {label: "with parser generation", opt: "--enable-parser-generation" } + - {label: "wo curl", opt: "--without-curl" } + - {label: "wo lua", opt: "--without-lua" } + - {label: "wo maxmind", opt: "--without-maxmind" } + - {label: "wo libxml", opt: "--without-libxml" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep" } + - {label: "with lmdb", opt: "--with-lmdb" } + - {label: "with pcre", opt: "--with-pcre" } + exclude: + - platform: {label: "x32"} + configure: {label: "wo geoip"} + - platform: {label: "x32"} + configure: {label: "wo ssdeep"} + steps: + - name: Setup Dependencies (common) + run: | + sudo dpkg --add-architecture ${{ matrix.platform.arch }} + sudo apt-get update -y -qq + sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ + libcurl4-openssl-dev:${{ matrix.platform.arch }} \ + liblmdb-dev:${{ matrix.platform.arch }} \ + liblua5.3-dev:${{ matrix.platform.arch }} \ + libmaxminddb-dev:${{ matrix.platform.arch }} \ + libpcre2-dev:${{ matrix.platform.arch }} \ + pcre2-utils:${{ matrix.platform.arch }} \ + bison flex cmake + - name: Setup Dependencies (x32) + if: ${{ matrix.platform.label == 'x32' }} + run: | + sudo apt-get install g++-multilib + sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ + libpcre3-dev:${{ matrix.platform.arch }} + - name: Setup Dependencies (x64) + if: ${{ 
matrix.platform.label == 'x64' }} + run: | + sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ + libfuzzy-dev:${{ matrix.platform.arch }} + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + env: + CC: ${{ matrix.compiler.cc }} + CXX: ${{ matrix.compiler.cxx }} + run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking + + - uses: ammaraskar/gcc-problem-matcher@master + - name: make + run: make -j `nproc` + - name: check + run: make check + + build-macos: + name: macOS (${{ matrix.configure.label }}) + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [macos-14] + configure: + - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } + - {label: "wo curl", opt: "--without-curl --without-geoip" } + - {label: "wo lua", opt: "--without-lua --without-geoip" } + - {label: "wo maxmind", opt: "--without-maxmind --without-geoip" } + - {label: "wo libxml", opt: "--without-libxml --without-geoip" } + - {label: "wo geoip", opt: "--without-geoip" } + - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } + - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } + - {label: "with pcre", opt: "--with-pcre --without-geoip" } + steps: + - name: Setup Homebrew + run: | + echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV + echo 
"PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV + + - name: Install Dependencies + run: | + brew update + brew install \ + yajl \ + lmdb \ + lua \ + libmaxminddb \ + pcre2 \ + ssdeep \ + pcre \ + bison \ + flex \ + mbedtls \ + cmake \ + pipx + + # 🔧 NEU: Python-Dependency für mbedtls-Skripte + - name: Install Python dependencies (jinja2) + run: | + # Nur im User-Space installieren, das ist mit PEP 668 erlaubt + python3 -m pip install --user jinja2 + + # Debug-Ausgabe, um sicher zu sein, dass es klappt + python3 - << 'EOF' + import jinja2, sys + print("Python:", sys.executable) + print("jinja2:", jinja2.__version__, "from", jinja2.__file__) + EOF + + + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking + + - uses: ammaraskar/gcc-problem-matcher@master + + - name: make + run: make -j `sysctl -n hw.logicalcpu` + + - name: check + run: make check + + build-windows: + name: Windows (${{ matrix.configure.label }}) + runs-on: windows-latest + strategy: + matrix: + configure: + - {label: "default", opt: "" } + - {label: "wo curl", opt: "-DWITH_CURL=OFF" } + - {label: 
"wo lua", opt: "-DWITH_LUA=OFF" } + - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } + - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } + - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } + steps: + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Install Conan + run: | + pip3 install conan + - name: Configure Conan + run: | + conan profile detect + - name: Configure CMake + run: | + cmake -S . -B build ${{ matrix.configure.opt }} + - name: Build + run: | + cmake --build build --config Release + + cppcheck-linux: + name: cppcheck (Linux) + runs-on: ubuntu-22.04 + steps: + - name: Setup Dependencies + run: | + sudo apt-get update -y -qq + sudo apt-get install -y \ + cppcheck \ + autoconf \ + automake \ + libtool + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure --disable-dependency-tracking + + - name: cppcheck + run: make check-static + + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + steps: + - name: Setup Dependencies + # curl, pcre2 not installed because they're from Apple + run: | + brew update + brew install autoconf \ + automake \ + libtool \ + cppcheck + - uses: actions/checkout@v6 + with: + submodules: true + fetch-depth: 0 + - name: Init git submodules + run: | + git submodule sync --recursive + git submodule update --init --recursive 
--force + - name: build.sh + run: ./build.sh + + - name: Debug mbedtls layout + run: | + pwd + echo "=== others ===" + ls -l others || echo "others fehlt" + echo "=== others/mbedtls ===" + ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" + echo "=== Suche nach base64.c ===" + find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" + + - name: configure + run: ./configure --disable-dependency-tracking + + - name: cppcheck + run: make check-static From 1c40ec0d6f3f49171984f36d5afd3d22ffdfa2e5 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 19:08:56 +0100 Subject: [PATCH 058/101] Update ci.yml --- .github/workflows/ci.yml | 49 +++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 26 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index de73a1dd60..7d67d852e1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
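Review bot: `backup/ci.yml` is a full copy of the pre-change workflow committed to the repository; GitHub only runs workflows under `.github/workflows/`, so this is dead text that will drift from the live file, and the previous version is already recoverable from history (`git show <PREVIOUS_COMMIT>:.github/workflows/ci.yml`). If a reference copy is useful during the migration, keep it out of the tree or delete it before merge. The copy also carries the workflow's mutable third-party references (`uses: ammaraskar/gcc-problem-matcher@master`, unpinned `pip3 install conan`), which should be pinned to a tag or commit SHA in the live file rather than duplicated here.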
@@ -30,27 +30,25 @@ jobs: steps: - name: Setup Dependencies (common) - # kein dpkg --add-architecture mehr, nur native amd64-Pakete run: | + sudo dpkg --add-architecture ${{ matrix.platform.arch }} sudo apt-get update -y -qq - sudo apt-get install -y \ - libyajl-dev \ - libcurl4-openssl-dev \ - liblmdb-dev \ - liblua5.3-dev \ - libmaxminddb-dev \ - libpcre2-dev \ - pcre2-utils \ - bison flex cmake - + sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ + libcurl4-openssl-dev:${{ matrix.platform.arch }} \ + liblmdb-dev:${{ matrix.platform.arch }} \ + liblua5.3-dev:${{ matrix.platform.arch }} \ + libmaxminddb-dev:${{ matrix.platform.arch }} \ + libpcre2-dev:${{ matrix.platform.arch }} \ + pcre2-utils:${{ matrix.platform.arch }} \ + libpcre3-dev:${{ matrix.platform.arch }} \ + bison flex cmake # x32-Setup fällt komplett weg - name: Setup Dependencies (x64) if: ${{ matrix.platform.label == 'x64' }} run: | - sudo apt-get install -y \ - libgeoip-dev \ - libfuzzy-dev + sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ + libfuzzy-dev:${{ matrix.platform.arch }} - uses: actions/checkout@v6 with: @@ -89,7 +87,6 @@ jobs: - name: check run: make check - build-macos: name: macOS (${{ matrix.configure.label }}) runs-on: ${{ matrix.os }} @@ -106,6 +103,7 @@ jobs: - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } - {label: "with pcre", opt: "--with-pcre --without-geoip" } + steps: - name: Setup Homebrew run: | 
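Review bot: `sudo dpkg --add-architecture ${{ matrix.platform.arch }}` and the `:${{ matrix.platform.arch }}` package suffixes removed one commit earlier are put back, while the comment `# x32-Setup fällt komplett weg` and the single-entry `platform` matrix stay; with `arch: "amd64"` on an amd64 runner the `dpkg --add-architecture` is a no-op and the suffixes are noise. Either restore the x32 matrix entry with its multilib step or keep the plain package list; the current mix reads as if both were intended. `libpcre3-dev` is new in the common list — if it exists only to serve the `with pcre` matrix row, say so in a comment.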
@@ -126,23 +124,21 @@ jobs: bison \ flex \ mbedtls \ - cmake \ - pipx + cmake - # 🔧 NEU: Python-Dependency für mbedtls-Skripte - - name: Install Python dependencies (jinja2) + - name: Setup Python venv with jinja2 run: | - # Nur im User-Space installieren, das ist mit PEP 668 erlaubt - python3 -m pip install --user jinja2 - - # Debug-Ausgabe, um sicher zu sein, dass es klappt - python3 - << 'EOF' - import jinja2, sys + python3 -m venv .venv + . .venv/bin/activate + pip install jinja2 + echo "VIRTUAL_ENV=$PWD/.venv" >> $GITHUB_ENV + echo "PATH=$PWD/.venv/bin:$PATH" >> $GITHUB_ENV + python - << 'EOF' + import sys, jinja2 print("Python:", sys.executable) print("jinja2:", jinja2.__version__, "from", jinja2.__file__) EOF - - uses: actions/checkout@v6 with: submodules: true @@ -177,6 +173,7 @@ jobs: - name: check run: make check + build-windows: name: Windows (${{ matrix.configure.label }}) runs-on: windows-latest From ea0658f9f293ced609a3eb13f874611de86a1706 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 19:44:03 +0100 Subject: [PATCH 059/101] update make und ci --- .github/workflows/ci.yml | 6 ++-- configure.ac | 28 +++++++++++++++++++ examples/multiprocess_c/Makefile.am | 2 +- examples/multithread/Makefile.am | 2 +- .../reading_logs_via_rule_message/Makefile.am | 2 +- examples/reading_logs_with_offset/Makefile.am | 2 +- examples/simple_example_using_c/Makefile.am | 2 +- examples/using_bodies_in_chunks/Makefile.am | 2 +- test/Makefile.am | 2 +- test/benchmark/Makefile.am | 2 +- tools/rules-check/Makefile.am | 2 +- 11 files changed, 41 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d67d852e1..480ed2f7e5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
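Review bot: The venv is created in `$PWD/.venv` before `actions/checkout@v6` runs, and checkout cleans the workspace by default (it removes untracked content under `$GITHUB_WORKSPACE` before checking out), so the `PATH=$PWD/.venv/bin:$PATH` exported to `$GITHUB_ENV` will most likely point at a directory that no longer exists by the time configure and make run. Move the step after checkout, or create the venv outside the workspace (`python3 -m venv "$RUNNER_TEMP/venv"`) and export that path instead. `pip install jinja2` is still unpinned.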
@@ -41,7 +41,8 @@ jobs: libpcre2-dev:${{ matrix.platform.arch }} \ pcre2-utils:${{ matrix.platform.arch }} \ libpcre3-dev:${{ matrix.platform.arch }} \ - bison flex cmake + bison flex cmake \ + libmbedtls-dev:${{ matrix.platform.arch }} # x32-Setup fällt komplett weg - name: Setup Dependencies (x64) @@ -124,7 +125,8 @@ jobs: bison \ flex \ mbedtls \ - cmake + cmake \ + mbedtls - name: Setup Python venv with jinja2 run: | diff --git a/configure.ac b/configure.ac index 7763786e0a..723a8608a8 100644 --- a/configure.ac +++ b/configure.ac @@ -77,6 +77,34 @@ fi AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git describe && cd ../..)) AC_SUBST([LIBINJECTION_VERSION]) +# ============================================================ +# Check for Mbed TLS / mbedcrypto (PSA) +# ============================================================ + +AC_MSG_CHECKING([for mbedcrypto (PSA crypto library)]) + +MBEDTLS_CRYPTO_LIB="" + +# 1. Erst versuchen wir die System-Lib: -lmbedcrypto +AC_CHECK_LIB([mbedcrypto], [psa_crypto_init], + [MBEDTLS_CRYPTO_LIB="-lmbedcrypto" + AC_MSG_RESULT([using system libmbedcrypto (-lmbedcrypto)])], + [ + # 2. Fallback: vendored libmbedcrypto.a aus others/mbedtls + AC_MSG_RESULT([system libmbedcrypto not found, trying vendored mbedtls]) + + AC_CHECK_FILE([others/mbedtls/build/library/libmbedcrypto.a], + [MBEDTLS_CRYPTO_LIB='$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a' + AC_MSG_RESULT([using vendored libmbedcrypto.a])], + [AC_MSG_ERROR([Could not find mbedcrypto: + - install libmbedtls-dev / Homebrew mbedtls (libmbedcrypto), + or + - build others/mbedtls before running configure])]) + ]) + +AC_SUBST([MBEDTLS_CRYPTO_LIB]) + + # Check for Mbed TLS if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ diff --git a/examples/multiprocess_c/Makefile.am b/examples/multiprocess_c/Makefile.am index 59f675b601..59aa448545 100644 --- a/examples/multiprocess_c/Makefile.am 
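Review bot: `mbedtls` now appears twice in the macOS `brew install` list (`mbedtls \` before `cmake \` and again after it); brew tolerates the duplicate but it shows the list was not re-read after editing — remove the second one. On Linux the new `libmbedtls-dev:${{ matrix.platform.arch }}` means the configure.ac check added in this commit will prefer the distro library over the vendored submodule on every Linux job, so the headers under `others/mbedtls` and whichever libmbedcrypto Ubuntu 24.04 ships have to agree; worth confirming before relying on it.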
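Review bot: `AC_CHECK_FILE([others/mbedtls/build/library/libmbedcrypto.a], ...)` looks in the current directory, while the existing check directly below it uses `${srcdir}/others/mbedtls/...`; in an out-of-tree (VPATH) build the fallback never matches, and AC_CHECK_FILE also aborts configure when cross-compiling. A plain `test -f "${srcdir}/others/mbedtls/build/library/libmbedcrypto.a"` like the adjacent check avoids both. `AC_MSG_CHECKING` is followed by two `AC_MSG_RESULT` calls on the fallback path, which garbles the configure output, and the system library is accepted on the linkability of `psa_crypto_init` alone with no header check against the vendored tree — at minimum add `AC_CHECK_HEADER([psa/crypto.h])` so an older distro libmbedcrypto does not link and then mismatch at runtime.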
+++ b/examples/multiprocess_c/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = multi diff --git a/examples/multithread/Makefile.am b/examples/multithread/Makefile.am index 795b15047b..1465749193 100644 --- a/examples/multithread/Makefile.am +++ b/examples/multithread/Makefile.am @@ -5,7 +5,7 @@ noinst_PROGRAMS = multithread multithread_SOURCES = \ multithread.cc -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ multithread_LDADD = \ $(CURL_LDADD) \ diff --git a/examples/reading_logs_via_rule_message/Makefile.am b/examples/reading_logs_via_rule_message/Makefile.am index 4db723bf14..7e1723e920 100644 --- a/examples/reading_logs_via_rule_message/Makefile.am +++ b/examples/reading_logs_via_rule_message/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = simple_request diff --git a/examples/reading_logs_with_offset/Makefile.am b/examples/reading_logs_with_offset/Makefile.am index e28d4219fe..ba021a5203 100644 --- a/examples/reading_logs_with_offset/Makefile.am +++ b/examples/reading_logs_with_offset/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = read diff --git a/examples/simple_example_using_c/Makefile.am b/examples/simple_example_using_c/Makefile.am index cbb1145a26..a1ddb38692 100644 --- a/examples/simple_example_using_c/Makefile.am +++ b/examples/simple_example_using_c/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = test 
diff --git a/examples/using_bodies_in_chunks/Makefile.am b/examples/using_bodies_in_chunks/Makefile.am index 1024ccb588..bb5376ebbf 100644 --- a/examples/using_bodies_in_chunks/Makefile.am +++ b/examples/using_bodies_in_chunks/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = simple_request diff --git a/test/Makefile.am b/test/Makefile.am index 467386a3de..f670c754f6 100644 --- a/test/Makefile.am +++ b/test/Makefile.am @@ -41,7 +41,7 @@ noinst_HEADERS = \ unit/*.h \ regression/*.h -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ unit_tests_LDADD = \ $(CURL_LDADD) \ diff --git a/test/benchmark/Makefile.am b/test/benchmark/Makefile.am index d2bcb57f44..c89e42234e 100644 --- a/test/benchmark/Makefile.am +++ b/test/benchmark/Makefile.am @@ -1,4 +1,4 @@ -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ noinst_PROGRAMS = benchmark diff --git a/tools/rules-check/Makefile.am b/tools/rules-check/Makefile.am index 0dc4002910..95da5773d2 100644 --- a/tools/rules-check/Makefile.am +++ b/tools/rules-check/Makefile.am @@ -5,7 +5,7 @@ bin_PROGRAMS = modsec-rules-check modsec_rules_check_SOURCES = \ rules-check.cc -MBEDTLS_CRYPTO_LIB = $(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a +MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@ modsec_rules_check_LDADD = \ $(top_builddir)/src/.libs/libmodsecurity.la \ From 37a9885ab24d896a6e32632172d5c160fc5f9c13 Mon Sep 17 00:00:00 2001 
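Review bot: `MBEDTLS_CRYPTO_LIB = @MBEDTLS_CRYPTO_LIB@` is not needed in any of these Makefile.am files — automake defines every `AC_SUBST`ed variable in each generated Makefile automatically, so `$(MBEDTLS_CRYPTO_LIB)` in the `_LDADD` lists resolves without the assignment; delete the line in each file rather than maintaining nine copies. Either value configure can choose (`-lmbedcrypto` or the archive path) is valid inside `_LDADD`.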
From: Easton97-Jens Date: Mon, 8 Dec 2025 20:02:10 +0100 Subject: [PATCH 060/101] update build.sh --- .github/workflows/ci.yml | 16 ++++++++-------- build.sh => build_on_linux.sh | 0 build_on_macos.sh | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 8 deletions(-) rename build.sh => build_on_linux.sh (100%) mode change 100755 => 100644 create mode 100644 build_on_macos.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 480ed2f7e5..0369a4a647 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -61,8 +61,8 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_linux.sh + run: ./build_on_linux.sh - name: Debug mbedtls layout run: | @@ -151,8 +151,8 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_macos.sh + run: ./build_on_macos.sh - name: Debug mbedtls layout run: | @@ -230,8 +230,8 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_linux.sh + run: ./build_on_linux.sh - name: Debug mbedtls layout run: | @@ -269,8 +269,8 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh + - name: build_on_macos.sh + run: ./build_on_macos.sh - name: Debug mbedtls layout run: | diff --git a/build.sh b/build_on_linux.sh old mode 100755 new mode 100644 similarity index 100% rename from build.sh rename to build_on_linux.sh diff --git a/build_on_macos.sh b/build_on_macos.sh new file mode 100644 index 0000000000..24ab1d90a9 --- /dev/null +++ b/build_on_macos.sh 
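Review bot: The rename `build.sh => build_on_linux.sh` also changes its mode `100755 => 100644`, and `build_on_macos.sh` is created as `100644`, so `./build_on_linux.sh` and `./build_on_macos.sh` in the four `run:` lines fail with permission denied; restore the executable bit in the index (`git update-index --chmod=+x build_on_linux.sh build_on_macos.sh`) instead of the `chmod +x` steps the next commit adds to every job. The 100% similarity of the rename and the `uname`-based `case` dispatch already inside the script suggest the two files are identical, in which case a single script is enough.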
@@ -0,0 +1,33 @@ +#!/bin/sh + +rm -rf autom4te.cache +rm -f aclocal.m4 + +cd src +rm -f headers.mk +echo "noinst_HEADERS = \\" > headers.mk +ls -1 \ + actions/*.h \ + actions/ctl/*.h \ + actions/data/*.h \ + actions/disruptive/*.h \ + actions/transformations/*.h \ + debug_log/*.h \ + audit_log/writer/*.h \ + collection/backend/*.h \ + operators/*.h \ + parser/*.h \ + request_body_processor/*.h \ + utils/*.h \ + variables/*.h \ + engine/*.h \ + *.h | tr "\012" " " >> headers.mk +cd ../ + +case `uname` in Darwin*) glibtoolize --force --copy ;; + *) libtoolize --force --copy ;; esac +autoreconf --install +autoheader +automake --add-missing --foreign --copy --force-missing +autoconf --force +rm -rf autom4te.cache \ No newline at end of file From dccbb4e39f77dd9603f257b7bb57dbb8d96c2d87 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 20:08:15 +0100 Subject: [PATCH 061/101] Update ci.yml --- .github/workflows/ci.yml | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0369a4a647..58920c0faf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -61,6 +61,9 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_linux.sh + - name: build_on_linux.sh run: ./build_on_linux.sh @@ -128,19 +131,6 @@ jobs: cmake \ mbedtls - - name: Setup Python venv with jinja2 - run: | - python3 -m venv .venv - . .venv/bin/activate - pip install jinja2 - echo "VIRTUAL_ENV=$PWD/.venv" >> $GITHUB_ENV - echo "PATH=$PWD/.venv/bin:$PATH" >> $GITHUB_ENV - python - << 'EOF' - import sys, jinja2 - print("Python:", sys.executable) - print("jinja2:", jinja2.__version__, "from", jinja2.__file__) - EOF - - uses: actions/checkout@v6 with: submodules: true 
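Review bot: The script has no `set -e`, so a failing `cd src`, `glibtoolize`, `autoreconf` or `automake` is ignored and the later `configure` step fails with a misleading error; add `set -eu` directly after the shebang. It is committed without a trailing newline (`\ No newline at end of file`) and without the executable bit (mode 100644), and the `ls -1 ... | tr "\012" " "` enumeration silently produces an incomplete `noinst_HEADERS` when one of the globs matches nothing.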
@@ -151,6 +141,8 @@ jobs: git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh - name: build_on_macos.sh run: ./build_on_macos.sh @@ -212,7 +204,7 @@ jobs: cppcheck-linux: name: cppcheck (Linux) - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Setup Dependencies run: | @@ -230,6 +222,9 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_linux.sh + - name: build_on_linux.sh run: ./build_on_linux.sh @@ -269,6 +264,8 @@ jobs: run: | git submodule sync --recursive git submodule update --init --recursive --force + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh - name: build_on_macos.sh run: ./build_on_macos.sh From 163c23d57fbb7101d2555ae37f33f17a612d66b4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 20:21:33 +0100 Subject: [PATCH 062/101] Update ci.yml --- .github/workflows/ci.yml | 39 --------------------------------------- 1 file changed, 39 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58920c0faf..b297c46355 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,16 +67,6 @@ jobs: - name: build_on_linux.sh run: ./build_on_linux.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - name: configure env: CC: ${{ matrix.compiler.cc }} 
@@ -146,16 +136,6 @@ jobs: - name: build_on_macos.sh run: ./build_on_macos.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - name: configure run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking @@ -228,15 +208,6 @@ jobs: - name: build_on_linux.sh run: ./build_on_linux.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - name: configure run: ./configure --disable-dependency-tracking @@ -269,16 +240,6 @@ jobs: - name: build_on_macos.sh run: ./build_on_macos.sh - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - name: configure run: ./configure --disable-dependency-tracking From b58ebf982252b47067ca581af98000b1079a01bc Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 20:26:31 +0100 Subject: [PATCH 063/101] Update ci.yml --- .github/workflows/ci.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b297c46355..afa2deabec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -107,19 +107,19 @@ jobs: - name: Install Dependencies run: | brew update - brew install \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - pcre2 \ - ssdeep \ - pcre \ - bison \ - flex \ - mbedtls \ - cmake \ - mbedtls + brew install autoconf \ + automake \ + libtool \ + yajl \ + lmdb \ + lua \ + libmaxminddb \ + libxml2 \ + ssdeep \ + pcre \ + bison \ + flex \ + mbedtls - uses: actions/checkout@v6 with: From 41fa370a503f3c1492893cf7b38837b00b4b4ba4 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Mon, 8 Dec 2025 21:01:08 +0100 Subject: [PATCH 064/101] Update configure.ac --- configure.ac | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/configure.ac b/configure.ac index 723a8608a8..48b5e0bd7e 100644 --- a/configure.ac +++ b/configure.ac 
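Review bot: The rewritten `brew install` list pulls unpinned formulas immediately after `brew update`, so the `mbedtls` this job links against can change between two runs of the same commit with nothing in the log to show it; appending `brew list --versions mbedtls libxml2 yajl` to the step records what was actually used. `cmake` and `pcre2` are dropped from the list together with the duplicate `mbedtls` entry; dropping `cmake` appears consistent with the macOS bootstrap never building the vendored Mbed TLS tree, but it is worth stating that intent in a comment, since the Linux bootstrap does build it with cmake. The enclosing job starts before the hunk.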
@@ -78,33 +78,40 @@ AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git de AC_SUBST([LIBINJECTION_VERSION]) # ============================================================ -# Check for Mbed TLS / mbedcrypto (PSA) +# Check for PSA crypto lib (Mbed TLS / TF-PSA-Crypto) # ============================================================ -AC_MSG_CHECKING([for mbedcrypto (PSA crypto library)]) +AC_MSG_CHECKING([for PSA crypto library (Mbed TLS / TF-PSA-Crypto)]) MBEDTLS_CRYPTO_LIB="" -# 1. Erst versuchen wir die System-Lib: -lmbedcrypto -AC_CHECK_LIB([mbedcrypto], [psa_crypto_init], - [MBEDTLS_CRYPTO_LIB="-lmbedcrypto" - AC_MSG_RESULT([using system libmbedcrypto (-lmbedcrypto)])], +# 1. Mbed TLS 4 / TF-PSA-Crypto: libtfpsacrypto +AC_CHECK_LIB([tfpsacrypto], [psa_crypto_init], + [MBEDTLS_CRYPTO_LIB="-ltfpsacrypto" + AC_MSG_RESULT([using system libtfpsacrypto (-ltfpsacrypto)])], [ - # 2. Fallback: vendored libmbedcrypto.a aus others/mbedtls - AC_MSG_RESULT([system libmbedcrypto not found, trying vendored mbedtls]) - - AC_CHECK_FILE([others/mbedtls/build/library/libmbedcrypto.a], - [MBEDTLS_CRYPTO_LIB='$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a' - AC_MSG_RESULT([using vendored libmbedcrypto.a])], - [AC_MSG_ERROR([Could not find mbedcrypto: - - install libmbedtls-dev / Homebrew mbedtls (libmbedcrypto), + # 2. Legacy-Name: libmbedcrypto (Mbed TLS <= 3 oder Distros, die das so bereitstellen) + AC_CHECK_LIB([mbedcrypto], [psa_crypto_init], + [MBEDTLS_CRYPTO_LIB="-lmbedcrypto" + AC_MSG_RESULT([using system libmbedcrypto (-lmbedcrypto)])], + [ + # 3. 
Fallback: vendored libmbedcrypto.a aus others/mbedtls + AC_MSG_RESULT([no system PSA crypto lib found, trying vendored mbedtls]) + + AC_CHECK_FILE([others/mbedtls/build/library/libmbedcrypto.a], + [MBEDTLS_CRYPTO_LIB='$(top_builddir)/others/mbedtls/build/library/libmbedcrypto.a' + AC_MSG_RESULT([using vendored libmbedcrypto.a])], + [AC_MSG_ERROR([Could not find PSA crypto library: + - install Mbed TLS / TF-PSA-Crypto (providing libtfpsacrypto or libmbedcrypto), or - build others/mbedtls before running configure])]) + ]) ]) AC_SUBST([MBEDTLS_CRYPTO_LIB]) + # Check for Mbed TLS if ! test -f "${srcdir}/others/mbedtls/tf-psa-crypto/drivers/builtin/src/base64.c"; then AC_MSG_ERROR([\ From b9cb9b9ba6760d9f5966d5a78245e313b3e93905 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Tue, 9 Dec 2025 05:45:16 +0100 Subject: [PATCH 065/101] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index afa2deabec..6ec236a4f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -213,7 +213,7 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static + run: make check-static -j$(nproc) cppcheck-macos: name: cppcheck (macOS) From 62b14567d0bb2459643b2cb2f9279bb7dc1ac3e3 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Tue, 9 Dec 2025 05:54:04 +0100 Subject: [PATCH 066/101] Add files via upload --- backup/build_on_linux.sh | 71 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 backup/build_on_linux.sh diff --git a/backup/build_on_linux.sh b/backup/build_on_linux.sh new file mode 100644 index 0000000000..78c73fc5d6 --- /dev/null +++ b/backup/build_on_linux.sh 
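Review bot: The vendored fallback only checks that `others/mbedtls/build/library/libmbedcrypto.a` exists relative to the directory configure runs in, while the Mbed TLS check a few lines below uses `${srcdir}` and the link line uses `$(top_builddir)`; unless the vendored tree is built inside the build directory, an out-of-tree build never finds the library even after it has been built. The library name is also worth confirming: the base64.c path below points at the tf-psa-crypto layout, and if the vendored tree is that generation its static library may carry the tfpsacrypto name rather than mbedcrypto — I cannot tell from the hunk. `AC_CHECK_LIB` succeeding for `tfpsacrypto` says nothing about the headers, so an `AC_CHECK_HEADERS([psa/crypto.h])` before the library probes gives a clearer failure than a compile error later in the build. The comments `# 2. Legacy-Name: …` and `# 3. Fallback: … aus others/mbedtls` are German in an otherwise English configure.ac.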
@@ -0,0 +1,71 @@ +#!/bin/sh + +set -e # bei Fehler abbrechen + +rm -rf autom4te.cache +rm -f aclocal.m4 + +## +## 1. headers.mk erzeugen (wie bisher) +## +cd src +rm -f headers.mk +echo "noinst_HEADERS = \\" > headers.mk +ls -1 \ + actions/*.h \ + actions/ctl/*.h \ + actions/data/*.h \ + actions/disruptive/*.h \ + actions/transformations/*.h \ + debug_log/*.h \ + audit_log/writer/*.h \ + collection/backend/*.h \ + operators/*.h \ + parser/*.h \ + request_body_processor/*.h \ + utils/*.h \ + variables/*.h \ + engine/*.h \ + *.h | tr "\012" " " >> headers.mk +cd .. + +## +## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS +## +if [ -d "others/mbedtls" ]; then + echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." + ( + cd others/mbedtls + + mkdir -p build + + # Laut offizieller CMake-Options: + # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen + # - ENABLE_TESTING=ON -> Test-Binaries + CTest + cmake -S . -B build \ + -DENABLE_PROGRAMS=ON \ + -DENABLE_TESTING=ON + + cmake --build build --config Release + + echo "==> Running Mbed TLS tests..." + cd build + ctest --output-on-failure + ) +else + echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" +fi + +## +## 3. Autotools für ModSecurity initialisieren +## +case `uname` in + Darwin*) glibtoolize --force --copy ;; + *) libtoolize --force --copy ;; +esac + +autoreconf --install +autoheader +automake --add-missing --foreign --copy --force-missing +autoconf --force +rm -rf autom4te.cache From 8c2d60616b62bb6013c96885073becaae8f58e19 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Tue, 9 Dec 2025 05:55:36 +0100 Subject: [PATCH 067/101] Update build_on_linux.sh --- build_on_linux.sh | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/build_on_linux.sh b/build_on_linux.sh index 78c73fc5d6..dde78d0798 100644 --- a/build_on_linux.sh +++ b/build_on_linux.sh 
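Review bot: `cmake -S . -B build` is run without `-DCMAKE_BUILD_TYPE=Release`, and `--config Release` only selects a configuration for multi-config generators, so with the default Makefile generator the vendored libmbedcrypto.a that configure later links is built with no optimisation and without `NDEBUG`; the same lines survive as context in build_on_linux.sh in the next commit. Adding `-DCMAKE_BUILD_TYPE=Release` to the configure invocation fixes both scripts. Separately, a `backup/` copy of a script committed beside the live one (it is deleted again six commits later) is exactly what git history already keeps.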
@@ -2,11 +2,20 @@ set -e # bei Fehler abbrechen +## +## Parallel-Jobs bestimmen (nur Linux) +## Überschreibbar mit: JOBS=4 ./bootstrap.sh +## +if [ -z "$JOBS" ]; then + JOBS=$(nproc) +fi +echo "==> Using $JOBS parallel build jobs" + rm -rf autom4te.cache rm -f aclocal.m4 ## -## 1. headers.mk erzeugen (wie bisher) +## 1. headers.mk erzeugen ## cd src rm -f headers.mk @@ -39,31 +48,25 @@ if [ -d "others/mbedtls" ]; then mkdir -p build - # Laut offizieller CMake-Options: - # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen - # - ENABLE_TESTING=ON -> Test-Binaries + CTest cmake -S . -B build \ -DENABLE_PROGRAMS=ON \ -DENABLE_TESTING=ON - cmake --build build --config Release + # Parallel bauen + cmake --build build --config Release --parallel "$JOBS" echo "==> Running Mbed TLS tests..." cd build - ctest --output-on-failure + ctest --output-on-failure -j"$JOBS" ) else echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" fi ## -## 3. Autotools für ModSecurity initialisieren +## 3. Autotools für ModSecurity initialisieren (nur Linux) ## -case `uname` in - Darwin*) glibtoolize --force --copy ;; - *) libtoolize --force --copy ;; -esac - +libtoolize --force --copy autoreconf --install autoheader automake --add-missing --foreign --copy --force-missing From 181ede7443625a6ce2b4dbd58401673b914f4145 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 17:40:13 +0100 Subject: [PATCH 068/101] Update ci.yml --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ec236a4f8..8ae1bfc0b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
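Review bot: The new header comment says `Überschreibbar mit: JOBS=4 ./bootstrap.sh`, but this file is build_on_linux.sh, so the override example names a script that does not exist in the tree. `JOBS=${JOBS:-$(nproc)}` replaces the four-line `if [ -z "$JOBS" ]` block with the same behaviour, and a non-numeric `JOBS` from the environment is currently passed straight to `cmake --parallel` and `ctest -j`; `case "$JOBS" in ''|*[!0-9]*) echo "JOBS must be a number" >&2; exit 1;; esac` rejects it up front. Dropping the Darwin branch of the libtoolize `case` is consistent with the script's name.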
@@ -137,6 +137,8 @@ jobs: run: ./build_on_macos.sh - name: configure + export CPPFLAGS="-I/opt/homebrew/opt/mbedtls/include" + export LDFLAGS="-L/opt/homebrew/opt/mbedtls/lib" run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master From 37b2b773eaf566f6777620e68460f4ca0a53d6da Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 17:46:29 +0100 Subject: [PATCH 069/101] Update ci.yml --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ae1bfc0b3..8b41f1706d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -137,8 +137,9 @@ jobs: run: ./build_on_macos.sh - name: configure - export CPPFLAGS="-I/opt/homebrew/opt/mbedtls/include" - export LDFLAGS="-L/opt/homebrew/opt/mbedtls/lib" + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - uses: ammaraskar/gcc-problem-matcher@master From 3d6c94c7b7b52df2c0cfaa57928aa448744eab9e Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 17:58:14 +0100 Subject: [PATCH 070/101] update --- .github/workflows/ci.yml | 3 ++- Makefile.am | 8 ++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b41f1706d..57dbeb8594 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -188,6 +188,7 @@ jobs: cppcheck-linux: name: cppcheck (Linux) runs-on: ubuntu-24.04 + timeout-minutes: 120 steps: - name: Setup Dependencies run: | @@ -216,7 +217,7 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static -j$(nproc) + run: make check-static JOBS=$(nproc) cppcheck-macos: name: cppcheck (macOS) 
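Review bot: `CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include` and the matching `LDFLAGS` in the @@ -137,8 +137,9 hunk hard-code the Apple-silicon Homebrew prefix; on an Intel image Homebrew lives under /usr/local, the paths point at nothing, and `configure` silently falls back to whatever else it finds, so this only holds while every runner in the matrix is arm64. A step that writes `CPPFLAGS=-I$(brew --prefix mbedtls)/include` and `LDFLAGS=-L$(brew --prefix mbedtls)/lib` to `$GITHUB_ENV` works on both prefixes. The same two literals are added to the cppcheck-macos job in a later commit (its @@ -245 hunk). The enclosing job starts before the hunk.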
diff --git a/Makefile.am b/Makefile.am index 7ac184b504..56ebdb0000 100644 --- a/Makefile.am +++ b/Makefile.am @@ -55,8 +55,13 @@ parser: +# Anzahl der cppcheck-Jobs, von außen überschreibbar: JOBS=8 make check-static +JOBS ?= 1 + cppcheck: - @cppcheck -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \ + @echo "Running cppcheck with $(JOBS) jobs..." + @cppcheck -j $(JOBS) \ + -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \ -D MS_CPPCHECK_DISABLED_FOR_PARSER -U YY_USER_INIT \ --suppressions-list=./test/cppcheck_suppressions.txt \ --inline-suppr \ @@ -70,7 +75,6 @@ cppcheck: --std=c++17 \ --force --verbose . - check-static: cppcheck check-style: check-coding-style From f1ec16e6d74553c304aa1cfc2b11a99326f8cb99 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 18:11:42 +0100 Subject: [PATCH 071/101] Update ci.yml --- .github/workflows/ci.yml | 77 +++++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57dbeb8594..c1725f1395 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -86,7 +86,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [macos-14] + os: [macos-14, macos-15, macos-26] configure: - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } - {label: "wo curl", opt: "--without-curl --without-geoip" } 
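Review bot: `JOBS ?= 1` is a GNU make conditional assignment, so Makefile.am now builds only with GNU make; as far as I recall automake flags it under `-Wportability`, and the `--foreign` strictness used by the bootstrap scripts would suppress that warning rather than resolve it. `JOBS = 1` behaves identically for the CI callers, which pass `JOBS=$(nproc)` on the command line (command-line variables override makefile assignments in every make); the only difference is that a `JOBS` from the environment no longer wins, which a comment should state. The comment `# Anzahl der cppcheck-Jobs, von außen überschreibbar: …` is German in an otherwise English Makefile.am; `# Number of cppcheck jobs; override with: make check-static JOBS=8` reads the same.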
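Review bot: `os: [macos-14, macos-15, macos-26]` adds a `macos-26` label I cannot confirm is offered for hosted runners; a job that requests a label the pool does not provide tends to sit queued rather than fail fast, which would hold the whole matrix open. Worth verifying the label against the runner images list before merging, and noting in a comment that the hard-coded /opt/homebrew paths elsewhere in the job rely on all three images being arm64. The enclosing job starts before the hunk.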
@@ -151,39 +151,39 @@ jobs: run: make check - build-windows: - name: Windows (${{ matrix.configure.label }}) - runs-on: windows-latest - strategy: - matrix: - configure: - - {label: "default", opt: "" } - - {label: "wo curl", opt: "-DWITH_CURL=OFF" } - - {label: "wo lua", opt: "-DWITH_LUA=OFF" } - - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } - - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } - steps: - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Install Conan - run: | - pip3 install conan - - name: Configure Conan - run: | - conan profile detect - - name: Configure CMake - run: | - cmake -S . -B build ${{ matrix.configure.opt }} - - name: Build - run: | - cmake --build build --config Release + # build-windows: + # name: Windows (${{ matrix.configure.label }}) + # runs-on: windows-latest + # strategy: + # matrix: + # configure: + # - {label: "default", opt: "" } + # - {label: "wo curl", opt: "-DWITH_CURL=OFF" } + # - {label: "wo lua", opt: "-DWITH_LUA=OFF" } + # - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } + # - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } + # - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } + # steps: + # - uses: actions/checkout@v6 + # with: + # submodules: true + # fetch-depth: 0 + # - name: Init git submodules + # run: | + # git submodule sync --recursive + # git submodule update --init --recursive --force + # - name: Install Conan + # run: | + # pip3 install conan + # - name: Configure Conan + # run: | + # conan profile detect + # - name: Configure CMake + # run: | + # cmake -S . -B build ${{ matrix.configure.opt }} + # - name: Build + # run: | + # cmake --build build --config Release cppcheck-linux: name: cppcheck (Linux) 
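Review bot: Commenting out the entire `build-windows` job leaves 33 lines of dead configuration in ci.yml that will drift from the live jobs; the `actions/checkout@v6` pin inside the comment, for example, will no longer be touched by future version bumps. Deleting the job outright, or keeping it live with `if: false` so it still parses and appears as skipped, makes the intent explicit, and git history preserves the removed text either way.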
@@ -212,7 +212,6 @@ jobs: - name: build_on_linux.sh run: ./build_on_linux.sh - - name: configure run: ./configure --disable-dependency-tracking @@ -230,7 +229,8 @@ jobs: brew install autoconf \ automake \ libtool \ - cppcheck + cppcheck \ + mbedtls - uses: actions/checkout@v6 with: submodules: true @@ -245,7 +245,10 @@ jobs: run: ./build_on_macos.sh - name: configure + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static + run: make check-static JOBS=$(nproc) From 0702c36ed33f3bba892a246b5e278c9d88850b53 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Tue, 9 Dec 2025 18:25:43 +0100 Subject: [PATCH 072/101] =?UTF-8?q?aufr=C3=A4umen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/dependabot.yaml | 15 - .github/workflows/ci.yml | 6 +- .../workflows/dependabot-auto-approve.yaml | 27 -- backup/build_on_linux.sh | 71 ----- backup/ci.yml | 289 ------------------ backup/ci.yml.alt | 207 ------------- backup/md5.h | 32 -- backup/sha1.h | 75 ----- 8 files changed, 3 insertions(+), 719 deletions(-) delete mode 100644 .github/dependabot.yaml delete mode 100644 .github/workflows/dependabot-auto-approve.yaml delete mode 100644 backup/build_on_linux.sh delete mode 100644 backup/ci.yml delete mode 100644 backup/ci.yml.alt delete mode 100644 backup/md5.h delete mode 100644 backup/sha1.h diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml deleted file mode 100644 index 647560dd85..0000000000 --- a/.github/dependabot.yaml +++ /dev/null @@ -1,15 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "gitsubmodule" - directory: "/" - schedule: - interval: "daily" - commit-message: - prefix: "Submodule Update" - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - commit-message: - prefix: "GitHub Actions Updates" 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c1725f1395..4fa38fe9f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,8 +216,8 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static JOBS=$(nproc) - + run: make check-static -j$(nproc) + cppcheck-macos: name: cppcheck (macOS) runs-on: macos-14 @@ -251,4 +251,4 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static JOBS=$(nproc) + run: make check-static -j$(nproc) \ No newline at end of file diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml deleted file mode 100644 index ae8bc032d5..0000000000 --- a/.github/workflows/dependabot-auto-approve.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Dependabot Auto-Approve -on: pull_request - -permissions: - pull-requests: write - contents: write - -jobs: - auto-approve: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Fetch Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@v2 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Approve Pull Request - run: gh pr review --approve "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - name: Enable Auto-Merge - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/backup/build_on_linux.sh b/backup/build_on_linux.sh deleted file mode 100644 index 78c73fc5d6..0000000000 --- a/backup/build_on_linux.sh +++ /dev/null 
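Review bot: `make check-static -j$(nproc)` in the @@ -216 hunk (and @@ -251 for macOS) no longer sets `JOBS`, yet the cppcheck target in Makefile.am runs `cppcheck -j $(JOBS)` with a default of 1; make's own `-j` cannot split a single recipe, so both cppcheck jobs now run single-threaded, while the 120-minute timeout added two commits earlier suggests run time already matters. Restoring `make check-static JOBS=$(nproc)` reinstates the parallelism, and on macOS `JOBS=$(sysctl -n hw.logicalcpu)` is the safer form, since `nproc` is generally not present there without coreutils. The @@ -251 hunk also leaves ci.yml without a trailing newline.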
@@ -1,71 +0,0 @@ -#!/bin/sh - -set -e # bei Fehler abbrechen - -rm -rf autom4te.cache -rm -f aclocal.m4 - -## -## 1. headers.mk erzeugen (wie bisher) -## -cd src -rm -f headers.mk -echo "noinst_HEADERS = \\" > headers.mk -ls -1 \ - actions/*.h \ - actions/ctl/*.h \ - actions/data/*.h \ - actions/disruptive/*.h \ - actions/transformations/*.h \ - debug_log/*.h \ - audit_log/writer/*.h \ - collection/backend/*.h \ - operators/*.h \ - parser/*.h \ - request_body_processor/*.h \ - utils/*.h \ - variables/*.h \ - engine/*.h \ - *.h | tr "\012" " " >> headers.mk -cd .. - -## -## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS -## -if [ -d "others/mbedtls" ]; then - echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." - ( - cd others/mbedtls - - mkdir -p build - - # Laut offizieller CMake-Options: - # - ENABLE_PROGRAMS=ON -> Tools/Beispiele bauen - # - ENABLE_TESTING=ON -> Test-Binaries + CTest - cmake -S . -B build \ - -DENABLE_PROGRAMS=ON \ - -DENABLE_TESTING=ON - - cmake --build build --config Release - - echo "==> Running Mbed TLS tests..." - cd build - ctest --output-on-failure - ) -else - echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" -fi - -## -## 3. Autotools für ModSecurity initialisieren -## -case `uname` in - Darwin*) glibtoolize --force --copy ;; - *) libtoolize --force --copy ;; -esac - -autoreconf --install -autoheader -automake --add-missing --foreign --copy --force-missing -autoconf --force -rm -rf autom4te.cache diff --git a/backup/ci.yml b/backup/ci.yml deleted file mode 100644 index b99ceb047c..0000000000 --- a/backup/ci.yml +++ /dev/null 
@@ -1,289 +0,0 @@ -name: Quality Assurance - -on: - push: - pull_request: - -jobs: - build-linux: - name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-22.04] - platform: - - {label: "x64", arch: "amd64", configure: ""} - - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} - compiler: - - {label: "gcc", cc: "gcc", cxx: "g++"} - - {label: "clang", cc: "clang", cxx: "clang++"} - configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } - exclude: - - platform: {label: "x32"} - configure: {label: "wo geoip"} - - platform: {label: "x32"} - configure: {label: "wo ssdeep"} - steps: - - name: Setup Dependencies (common) - run: | - sudo dpkg --add-architecture ${{ matrix.platform.arch }} - sudo apt-get update -y -qq - sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ - libcurl4-openssl-dev:${{ matrix.platform.arch }} \ - liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.3-dev:${{ matrix.platform.arch }} \ - libmaxminddb-dev:${{ matrix.platform.arch }} \ - libpcre2-dev:${{ matrix.platform.arch }} \ - pcre2-utils:${{ matrix.platform.arch }} \ - bison flex cmake - - name: Setup Dependencies (x32) - if: ${{ matrix.platform.label == 'x32' }} - run: | - sudo apt-get install g++-multilib - sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} - - name: Setup Dependencies (x64) - if: ${{ 
matrix.platform.label == 'x64' }} - run: | - sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - env: - CC: ${{ matrix.compiler.cc }} - CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: check - run: make check - - build-macos: - name: macOS (${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [macos-14] - configure: - - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" } - - {label: "wo curl", opt: "--without-curl --without-geoip" } - - {label: "wo lua", opt: "--without-lua --without-geoip" } - - {label: "wo maxmind", opt: "--without-maxmind --without-geoip" } - - {label: "wo libxml", opt: "--without-libxml --without-geoip" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep --without-geoip" } - - {label: "with lmdb", opt: "--with-lmdb --without-geoip" } - - {label: "with pcre", opt: "--with-pcre --without-geoip" } - steps: - - name: Setup Homebrew - run: | - echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV - echo 
"PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV - - - name: Install Dependencies - run: | - brew update - brew install \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - pcre2 \ - ssdeep \ - pcre \ - bison \ - flex \ - mbedtls \ - cmake \ - pipx - - # 🔧 NEU: Python-Dependency für mbedtls-Skripte - - name: Install Python dependencies (jinja2) - run: | - # Nur im User-Space installieren, das ist mit PEP 668 erlaubt - python3 -m pip install --user jinja2 - - # Debug-Ausgabe, um sicher zu sein, dass es klappt - python3 - << 'EOF' - import jinja2, sys - print("Python:", sys.executable) - print("jinja2:", jinja2.__version__, "from", jinja2.__file__) - EOF - - - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - - - uses: ammaraskar/gcc-problem-matcher@master - - - name: make - run: make -j `sysctl -n hw.logicalcpu` - - - name: check - run: make check - - build-windows: - name: Windows (${{ matrix.configure.label }}) - runs-on: windows-latest - strategy: - matrix: - configure: - - {label: "default", opt: "" } - - {label: "wo curl", opt: "-DWITH_CURL=OFF" } - - {label: 
"wo lua", opt: "-DWITH_LUA=OFF" } - - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } - - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } - steps: - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Install Conan - run: | - pip3 install conan - - name: Configure Conan - run: | - conan profile detect - - name: Configure CMake - run: | - cmake -S . -B build ${{ matrix.configure.opt }} - - name: Build - run: | - cmake --build build --config Release - - cppcheck-linux: - name: cppcheck (Linux) - runs-on: ubuntu-22.04 - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y \ - cppcheck \ - autoconf \ - automake \ - libtool - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static - - cppcheck-macos: - name: cppcheck (macOS) - runs-on: macos-14 - steps: - - name: Setup Dependencies - # curl, pcre2 not installed because they're from Apple - run: | - brew update - brew install autoconf \ - automake \ - libtool \ - cppcheck - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive 
--force - - name: build.sh - run: ./build.sh - - - name: Debug mbedtls layout - run: | - pwd - echo "=== others ===" - ls -l others || echo "others fehlt" - echo "=== others/mbedtls ===" - ls -R others/mbedtls | head -n 200 || echo "others/mbedtls fehlt" - echo "=== Suche nach base64.c ===" - find others/mbedtls -name 'base64.c' -maxdepth 8 || echo "keine base64.c gefunden" - - - name: configure - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static diff --git a/backup/ci.yml.alt b/backup/ci.yml.alt deleted file mode 100644 index 42fc403531..0000000000 --- a/backup/ci.yml.alt +++ /dev/null 
@@ -1,207 +0,0 @@ -name: Quality Assurance - -on: - push: - pull_request: - -jobs: - build-linux: - name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-22.04] - platform: - - {label: "x64", arch: "amd64", configure: ""} - - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"} - compiler: - - {label: "gcc", cc: "gcc", cxx: "g++"} - - {label: "clang", cc: "clang", cxx: "clang++"} - configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } - exclude: - - platform: {label: "x32"} - configure: {label: "wo geoip"} - - platform: {label: "x32"} - configure: {label: "wo ssdeep"} - steps: - - name: Setup Dependencies (common) - run: | - sudo dpkg --add-architecture ${{ matrix.platform.arch }} - sudo apt-get update -y -qq - sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \ - libcurl4-openssl-dev:${{ matrix.platform.arch }} \ - liblmdb-dev:${{ matrix.platform.arch }} \ - liblua5.2-dev:${{ matrix.platform.arch }} \ - libmaxminddb-dev:${{ matrix.platform.arch }} \ - libpcre2-dev:${{ matrix.platform.arch }} \ - pcre2-utils:${{ matrix.platform.arch }} \ - bison flex - - name: Setup Dependencies (x32) - if: ${{ matrix.platform.label == 'x32' }} - run: | - sudo apt-get install g++-multilib - sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \ - libpcre3-dev:${{ matrix.platform.arch }} - - name: Setup Dependencies (x64) - if: ${{ matrix.platform.label == 
'x64' }} - run: | - sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \ - libfuzzy-dev:${{ matrix.platform.arch }} - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: build.sh - run: ./build.sh - - name: configure - env: - CC: ${{ matrix.compiler.cc }} - CXX: ${{ matrix.compiler.cxx }} - run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: check - run: make check - - build-macos: - name: macOS (${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [macos-14] - configure: - - {label: "with parser generation", opt: "--enable-parser-generation" } - - {label: "wo curl", opt: "--without-curl" } - - {label: "wo lua", opt: "--without-lua" } - - {label: "wo maxmind", opt: "--without-maxmind" } - - {label: "wo libxml", opt: "--without-libxml" } - - {label: "wo geoip", opt: "--without-geoip" } - - {label: "wo ssdeep", opt: "--without-ssdeep" } - - {label: "with lmdb", opt: "--with-lmdb" } - - {label: "with pcre", opt: "--with-pcre" } - steps: - - name: Setup Dependencies - # curl, pcre2 not installed because they're already - # included in the image - run: | - brew install autoconf \ - automake \ - libtool \ - yajl \ - lmdb \ - lua \ - libmaxminddb \ - libxml2 \ - ssdeep \ - pcre \ - bison \ - flex - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Build GeoIP - run: | - git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git - cd geoip-api-c - git fetch --tags - # Check out the last release, v1.6.12 - git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a - autoreconf --install - ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew - make install - - name: build.sh - run: ./build.sh - - name: configure - run: ./configure ${{ matrix.configure.opt }} 
--enable-assertions=yes - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `sysctl -n hw.logicalcpu` - - name: check - run: make check - - build-windows: - name: Windows (${{ matrix.platform.label }}, ${{ matrix.configure.label }}) - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [windows-2022] - platform: - - {label: "x64", arch: "x86_64"} - configuration: [Release] - configure: - - {label: "full", opt: "" } - - {label: "wo curl", opt: "-DWITH_CURL=OFF" } - - {label: "wo lua", opt: "-DWITH_LUA=OFF" } - - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" } - - {label: "wo libxml", opt: "-DWITH_LIBXML2=OFF" } - - {label: "with lmdb", opt: "-DWITH_LMDB=ON" } - steps: - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Install Conan - run: | - pip3 install conan --upgrade - conan profile detect - - uses: ammaraskar/msvc-problem-matcher@master - - name: Build ${{ matrix.configuration }} ${{ matrix.platform.arch }} ${{ matrix.configure.label }} - shell: cmd - run: vcbuild.bat ${{ matrix.configuration }} ${{ matrix.platform.arch }} NO_ASAN "${{ matrix.configure.opt }}" - - name: Set up test environment - working-directory: build\win32\build\${{ matrix.configuration }} - env: - BASE_DIR: ..\..\..\.. - shell: cmd - run: | - copy unit_tests.exe %BASE_DIR%\test - copy regression_tests.exe %BASE_DIR%\test - copy libModSecurity.dll %BASE_DIR%\test - copy %BASE_DIR%\unicode.mapping %BASE_DIR%\test - md \tmp - md \bin - copy "C:\Program Files\Git\usr\bin\echo.exe" \bin - copy "C:\Program Files\Git\usr\bin\echo.exe" \bin\echo - - name: Disable tests that don't work on Windows - working-directory: test\test-cases\regression - shell: cmd - run: | - jq "map(if .title == \"Test match variable (1/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json - jq "map(if .title == \"Test match variable (2/n)\" then .enabled = 0 else . 
end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json - jq "map(if .title == \"Test match variable (3/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json - jq "map(if .title == \"Variable offset - FILES_NAMES\" then .enabled = 0 else . end)" offset-variable.json > tmp.json && move /Y tmp.json offset-variable.json - - name: Run tests - working-directory: build\win32\build - run: | - ctest -C ${{ matrix.configuration }} --output-on-failure - - cppcheck: - runs-on: [macos-14] - steps: - - name: Setup Dependencies - run: | - brew install autoconf \ - automake \ - libtool \ - cppcheck - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: configure - run: | - ./build.sh - ./configure - - name: cppcheck - run: make check-static diff --git a/backup/md5.h b/backup/md5.h deleted file mode 100644 index 68f5d748e4..0000000000 --- a/backup/md5.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. - * - */ - -#ifndef SRC_UTILS_MD5_H_ -#define SRC_UTILS_MD5_H_ - -#include "src/utils/sha1.h" -#include "mbedtls/md5.h" -#include - -namespace modsecurity::Utils { - - -class Md5 : public DigestImpl<&mbedtls_md5, 16> { -}; - - -} // namespace modsecurity::Utils - -#endif // SRC_UTILS_MD5_H_ \ No newline at end of file diff --git a/backup/sha1.h b/backup/sha1.h deleted file mode 100644 index a40d7fa1c8..0000000000 --- a/backup/sha1.h +++ /dev/null 
@@ -1,75 +0,0 @@ -/* - * ModSecurity, http://www.modsecurity.org/ - * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * You may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. - * - */ - -#ifndef SRC_UTILS_SHA1_H_ -#define SRC_UTILS_SHA1_H_ - -#include -#include - -#include "src/utils/string.h" -#include "mbedtls/sha1.h" - -namespace modsecurity::Utils { - - -using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); - - -template -class DigestImpl { - public: - - static std::string digest(const std::string& input) { - return digestHelper(input, [](const auto digest) { - return std::string(digest); - }); - } - - static void digestReplace(std::string& value) { - digestHelper(value, [&value](const auto digest) mutable { - value = digest; - }); - } - - static std::string hexdigest(const std::string &input) { - return digestHelper(input, [](const auto digest) { - return utils::string::string_to_hex(digest); - }); - } - -private: - - template - static auto digestHelper(const std::string &input, - ConvertOp convertOp) -> auto { - char digest[DigestSize]; - - const auto ret = (*digestOp)(reinterpret_cast(input.c_str()), - input.size(), reinterpret_cast(digest)); - assert(ret == 0); - - return convertOp(std::string_view(digest, DigestSize)); - } -}; - - -class Sha1 : public DigestImpl<&mbedtls_sha1, 20> { -}; - - -} // namespace modsecurity::Utils - -#endif // SRC_UTILS_SHA1_H_ From 9f5ace3054779694210bb2e225cf38cf8ea2966b Mon Sep 17 00:00:00 2001 
From: Easton97-Jens Date: Tue, 9 Dec 2025 18:31:05 +0100 Subject: [PATCH 073/101] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4fa38fe9f3..c435c9e3ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,7 +216,7 @@ jobs: run: ./configure --disable-dependency-tracking - name: cppcheck - run: make check-static -j$(nproc) + run: make check-static JOBS=$(nproc) cppcheck-macos: name: cppcheck (macOS) From b96a0a520ca2043b418991c8b0e36ea335537eab Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 16:32:28 +0100 Subject: [PATCH 074/101] update --- .github/dependabot.yaml | 15 ++ .github/workflows/ci.yml | 70 +--------- .github/workflows/codeql.yml | 56 ++++++++ .github/workflows/cppcheck.yml | 132 ++++++++++++++++++ .../workflows/dependabot-auto-approve.yaml | 27 ++++ 5 files changed, 231 insertions(+), 69 deletions(-) create mode 100644 .github/dependabot.yaml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/cppcheck.yml create mode 100644 .github/workflows/dependabot-auto-approve.yaml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000000..16d9dd8134 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,15 @@ +version: 2 +updates: + - package-ecosystem: "gitsubmodule" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "Submodule Update" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "GitHub Actions Updates" \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c435c9e3ac..1dbe104a29 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
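Review bot: `make check-static JOBS=$(nproc)` only parallelises if the `check-static` target actually reads a `JOBS` make variable; if it does not, the override is ignored without any error and the job quietly runs single-threaded, whereas the previous `-j$(nproc)` at least fails loudly when misused. Worth confirming in the Makefile and recording the reason on the step, e.g. `# check-static forwards JOBS to cppcheck; make -j alone would not parallelise the cppcheck run`. The macOS cppcheck job in the same file is not touched by this commit and appears to keep the old `-j$(nproc)` form, so the two jobs no longer agree on how they are invoked.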
@@ -183,72 +183,4 @@ jobs: # cmake -S . -B build ${{ matrix.configure.opt }} # - name: Build # run: | - # cmake --build build --config Release - - cppcheck-linux: - name: cppcheck (Linux) - runs-on: ubuntu-24.04 - timeout-minutes: 120 - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y \ - cppcheck \ - autoconf \ - automake \ - libtool - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Build-Script ausführbar machen - run: chmod +x build_on_linux.sh - - - name: build_on_linux.sh - run: ./build_on_linux.sh - - - name: configure - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static JOBS=$(nproc) - - cppcheck-macos: - name: cppcheck (macOS) - runs-on: macos-14 - steps: - - name: Setup Dependencies - # curl, pcre2 not installed because they're from Apple - run: | - brew update - brew install autoconf \ - automake \ - libtool \ - cppcheck \ - mbedtls - - uses: actions/checkout@v6 - with: - submodules: true - fetch-depth: 0 - - name: Init git submodules - run: | - git submodule sync --recursive - git submodule update --init --recursive --force - - name: Build-Script ausführbar machen - run: chmod +x build_on_macos.sh - - name: build_on_macos.sh - run: ./build_on_macos.sh - - - name: configure - env: - CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include - LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib - run: ./configure --disable-dependency-tracking - - - name: cppcheck - run: make check-static -j$(nproc) \ No newline at end of file + # cmake --build build --config Release \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..3a3712eeda --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,56 @@ +name: CodeQL + +on: + push: + branches: ["master", "main"] + pull_request: + branches: ["master", "main"] + schedule: + - cron: "19 3 * * 1" # montags + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: CodeQL (C/C++) + runs-on: ubuntu-24.04 + + steps: + - name: Checkout (with submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 0 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: c-cpp + build-mode: manual + query-suite: security-extended + + - name: Install build dependencies + run: | + sudo apt-get update + sudo apt-get install -y \ + build-essential pkg-config \ + autoconf automake libtool \ + flex bison \ + libyajl-dev \ + libxml2-dev \ + libpcre2-dev \ + libcurl4-openssl-dev \ + zlib1g-dev \ + ca-certificates + + - name: Build (required for CodeQL C/C++) + run: | + ./build.sh + ./configure --disable-dependency-tracking + make -j"$(nproc)" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 \ No newline at end of file diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml new file mode 100644 index 0000000000..660264c242 --- /dev/null +++ b/.github/workflows/cppcheck.yml 
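Review bot: Every action in this workflow is referenced by a floating major tag (`actions/checkout@v6`, `github/codeql-action/init@v4`, `analyze@v4`) even though it holds `security-events: write`; a later commit in this series pins `dependabot/fetch-metadata` to a commit SHA, and the same treatment here, with a trailing `# vX.Y.Z` comment so Dependabot keeps the pin current, would make the supply-chain posture consistent. `query-suite: security-extended` is not an input the `init` action accepts, so the scan would run the default suite — a later commit already switches it to `queries:`, so only noting it. `fetch-depth: 0` is unnecessary for a manual-build CodeQL run unless the build script needs history, and it slows the checkout on a repository with submodules. The `# montags` comment would read `# Mondays 03:19 UTC` in an otherwise English file.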
@@ -0,0 +1,132 @@ +name: Quality Assurance - cppcheck + +on: + push: + branches: ["master", "main"] + pull_request: + branches: ["master", "main"] + schedule: + # z.B. täglich nachts (kannst du auch wöchentlich machen) + #- cron: "15 2 * * *" + - cron: "15 2 * * 1" # montags + +jobs: + cppcheck-linux: + name: cppcheck (Linux) + runs-on: ubuntu-24.04 + timeout-minutes: 120 + + steps: + - name: Setup Dependencies + run: | + sudo apt-get update -y -qq + sudo apt-get install -y \ + cppcheck \ + autoconf \ + automake \ + libtool + + - name: Checkout (with submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 0 + + - name: Ensure submodules are up to date + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + + - name: Build-Script ausführbar machen + run: chmod +x build_on_linux.sh + + - name: build_on_linux.sh + run: ./build_on_linux.sh + + - name: configure + run: ./configure --disable-dependency-tracking + + # Full scan nur im scheduled run + - name: cppcheck (full - scheduled) + if: github.event_name == 'schedule' + run: make check-static JOBS=$(nproc) + + # PR/Push: schneller Scan nur für geänderte Dateien + - name: cppcheck (changed files - PR/Push) + if: github.event_name != 'schedule' + run: | + BASE_REF="${{ github.base_ref }}" + if [ -z "$BASE_REF" ]; then + BASE_REF="master" + fi + + git fetch origin "$BASE_REF" --depth=1 || true + CHANGED="$(git diff --name-only "origin/$BASE_REF"...HEAD -- \ + '*.c' '*.cc' '*.cpp' '*.cxx' '*.h' '*.hh' '*.hpp' '*.hxx' | tr '\n' ' ')" + + if [ -z "$CHANGED" ]; then + echo "No changed C/C++ files detected." 
+ exit 0 + fi + + cppcheck --enable=warning,style,performance,portability \ + --inline-suppr --error-exitcode=1 \ + $CHANGED + + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + + steps: + - name: Setup Dependencies + run: | + brew update + brew install autoconf automake libtool cppcheck mbedtls + + - name: Checkout (with submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 0 + + - name: Ensure submodules are up to date + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh + + - name: build_on_macos.sh + run: ./build_on_macos.sh + + - name: configure + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib + run: ./configure --disable-dependency-tracking + + - name: cppcheck (full - scheduled) + if: github.event_name == 'schedule' + run: make check-static JOBS=$(sysctl -n hw.ncpu) + + - name: cppcheck (changed files - PR/Push) + if: github.event_name != 'schedule' + run: | + BASE_REF="${{ github.base_ref }}" + if [ -z "$BASE_REF" ]; then + BASE_REF="master" + fi + + git fetch origin "$BASE_REF" --depth=1 || true + CHANGED="$(git diff --name-only "origin/$BASE_REF"...HEAD -- \ + '*.c' '*.cc' '*.cpp' '*.cxx' '*.h' '*.hh' '*.hpp' '*.hxx' | tr '\n' ' ')" + + if [ -z "$CHANGED" ]; then + echo "No changed C/C++ files detected." + exit 0 + fi + + cppcheck --enable=warning,style,performance,portability \ + --inline-suppr --error-exitcode=1 \ + $CHANGED \ No newline at end of file diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml new file mode 100644 index 0000000000..c1ba6975f1 --- /dev/null +++ b/.github/workflows/dependabot-auto-approve.yaml 
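Review bot: The changed-files scan sees no files on a `push` event: `github.base_ref` is only set for pull requests, so the script falls back to `master`, and after a push to master `origin/master...HEAD` is empty, which prints "No changed C/C++ files detected." and exits 0. The same block is duplicated in `cppcheck-macos` below and is kept by the later `workflow_dispatch` rework (hunks at L88), where a manual run with `full=false` from the default branch behaves the same way. Two further details: `git diff --name-only` also lists deleted files, so without `--diff-filter=d` cppcheck is pointed at a path that no longer exists, and the hard-coded `BASE_REF="master"` ignores the `main` branch that `on:` also triggers on. Deriving the base from the event is more robust; `github.event.before` is all zeros on branch creation or force push, so it still needs a guard.

```yaml
      - name: cppcheck (changed files - PR/Push)
        if: github.event_name != 'schedule'
        run: |
          # Pick the comparison base from the event: PRs have a base sha,
          # pushes have the previous tip. github.base_ref is empty on push.
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            BASE_SHA="${{ github.event.pull_request.base.sha }}"
          else
            BASE_SHA="${{ github.event.before }}"
          fi
          # Branch creation / force push report an all-zero "before"; decide
          # here whether that should skip the scan (as now) or run the full one.
          case "$BASE_SHA" in
            ""|0000000000000000000000000000000000000000) echo "No base commit to diff against."; exit 0 ;;
          esac
          git fetch --no-tags origin "$BASE_SHA" || true
          # --diff-filter=d: deleted files are listed by git but cannot be scanned
          CHANGED="$(git diff --name-only --diff-filter=d "$BASE_SHA"...HEAD -- \
            '*.c' '*.cc' '*.cpp' '*.cxx' '*.h' '*.hh' '*.hpp' '*.hxx' | tr '\n' ' ')"
          # … unchanged: empty-set check and cppcheck invocation …
```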
@@ -0,0 +1,27 @@
+name: Dependabot Auto-Approve
+on: pull_request
+
+permissions:
+ pull-requests: write
+ contents: write
+
+jobs:
+ auto-approve:
+ runs-on: ubuntu-latest
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Approve Pull Request
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ - name: Enable Auto-Merge
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
\ No newline at end of file
From 07807345d0b12dff32c361397027ebb0e77ed7f9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 14 Dec 2025 15:33:39 +0000
Subject: [PATCH 075/101] Submodule Update: Bump others/mbedtls from `e5ba96c` to `abb0b22` Bumps [others/mbedtls](https://github.com/Mbed-TLS/mbedtls) from `e5ba96c` to `abb0b22`. - [Release notes](https://github.com/Mbed-TLS/mbedtls/releases) - [Commits](https://github.com/Mbed-TLS/mbedtls/compare/e5ba96c5c6c408cee7a05f3ab77417a94fe534fe...abb0b22954922cc0a28fda4ccf541273c882e171) --- updated-dependencies: - dependency-name: others/mbedtls dependency-version: abb0b22954922cc0a28fda4ccf541273c882e171 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- others/mbedtls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/others/mbedtls b/others/mbedtls
index e5ba96c5c6..abb0b22954 160000
--- a/others/mbedtls
+++ b/others/mbedtls
@@ -1 +1 @@
-Subproject commit e5ba96c5c6c408cee7a05f3ab77417a94fe534fe
+Subproject commit abb0b22954922cc0a28fda4ccf541273c882e171
From 555ad387eb06e27ae74192b0bb58815043a344d9 Mon Sep 17 00:00:00 2001
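Review bot: The metadata fetched by `dependabot/fetch-metadata` is never used, so every Dependabot PR — including `gitsubmodule` bumps that pull new upstream commits of `others/mbedtls` and `others/libinjection` straight into the build, and semver-major action bumps — is approved and queued for auto-merge with only the `github.actor` check as a gate. An allow-list on the action's outputs keeps the automation for low-risk updates only, e.g. `if: contains(fromJSON('["version-update:semver-patch","version-update:semver-minor"]'), steps.metadata.outputs.update-type)` on both the approve and the merge step; submodule bumps carry no `update-type` in their trailers (see the commit record following this hunk), so they drop out of the automatic path and get a human look. Note also that a review made with `GITHUB_TOKEN` does not count toward a branch-protection rule that requires a non-bot approval, so what this workflow actually achieves depends on the repository's protection settings.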
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 17:17:49 +0100 Subject: [PATCH 076/101] Update codeql.yml --- .github/workflows/codeql.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3a3712eeda..3cf5786880 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,13 +1,14 @@ name: CodeQL on: + workflow_dispatch: push: branches: ["master", "main"] pull_request: branches: ["master", "main"] schedule: - - cron: "19 3 * * 1" # montags - + - cron: "19 3 * * 1" + permissions: actions: read contents: read @@ -53,4 +54,4 @@ jobs: make -j"$(nproc)" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 \ No newline at end of file + uses: github/codeql-action/analyze@v4 From fc2a3349714dda872949ab2cc616a14579824e93 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 17:53:33 +0100 Subject: [PATCH 077/101] Update codeql.yml --- .github/workflows/codeql.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3cf5786880..a40b38ff42 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -name: CodeQL +name: CodeQL_on_linux on: workflow_dispatch: @@ -45,11 +45,12 @@ jobs: libpcre2-dev \ libcurl4-openssl-dev \ zlib1g-dev \ + libmbedtls-dev \ ca-certificates - name: Build (required for CodeQL C/C++) run: | - ./build.sh + ./build_on_linux.sh ./configure --disable-dependency-tracking make -j"$(nproc)" From c522618fe4ae50c6cab402a167ead1235ea2220e Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:00:26 +0100 Subject: [PATCH 078/101] Update codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a40b38ff42..5ca80195c9 100644 
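Review bot: In the `@@ -45,11 +45,12 @@` hunk `./build_on_linux.sh` is executed without the `chmod +x build_on_linux.sh` step that cppcheck.yml adds before calling the same script (hunk at L83), so if the script's execute bit is not tracked in git this job fails at the build step while the cppcheck job passes. Either add the same step or run it as `bash ./build_on_linux.sh` so both workflows agree. The hunk also installs `libmbedtls-dev` from apt while the repository carries `others/mbedtls` as a submodule; which copy `./configure` picks up is not visible here, so a comment on the package line such as `# system mbedtls for the CodeQL build — confirm it does not shadow the others/mbedtls submodule` would record the intent.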
--- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,7 +31,7 @@ jobs: with: languages: c-cpp build-mode: manual - query-suite: security-extended + queries: security-extended - name: Install build dependencies run: | From 187e1ee4afbb1dd5bdbf355d6cdbc8bc21cbca48 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:01:11 +0100 Subject: [PATCH 079/101] Update cppcheck.yml --- .github/workflows/cppcheck.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml index 660264c242..8c377aee14 100644 --- a/.github/workflows/cppcheck.yml +++ b/.github/workflows/cppcheck.yml @@ -1,6 +1,7 @@ name: Quality Assurance - cppcheck on: + workflow_dispatch: push: branches: ["master", "main"] pull_request: From f86a33d04fbe91d681421320acb7c2a23ccf1c06 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:15:55 +0100 Subject: [PATCH 080/101] Update cppcheck.yml --- .github/workflows/cppcheck.yml | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml index 8c377aee14..1fa8642ba1 100644 --- a/.github/workflows/cppcheck.yml +++ b/.github/workflows/cppcheck.yml @@ -2,14 +2,18 @@ name: Quality Assurance - cppcheck on: workflow_dispatch: + inputs: + full: + description: "Run FULL cppcheck (make check-static). If false: only changed files." + required: true + default: "false" push: branches: ["master", "main"] pull_request: branches: ["master", "main"] schedule: - # z.B. täglich nachts (kannst du auch wöchentlich machen) - #- cron: "15 2 * * *" - - cron: "15 2 * * 1" # montags + #- cron: "15 2 * * 1" # montags 02:15 UTC (anpassen wenn du willst) + - cron: "15 2 * * 1" # montags jobs: cppcheck-linux: 
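Review bot: With `default: "false"`, a manual `workflow_dispatch` takes the changed-files path, which diffs against `origin/master` and on the default branch finds nothing, so a run someone starts by hand scans no files unless they remember to set `full`; `default: "true"` would make the manual trigger useful on its own. The input is a string compared against `'true'` in the `if:` expressions of the following hunks, which is consistent, but declaring `type: boolean` with `default: false` gives a checkbox in the UI and lets the conditions read `inputs.full == true`. The commented-out cron line duplicates the active one directly below it and should go, and the remaining comments are in German in an otherwise English file — `# Mondays 02:15 UTC` serves both readers.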
@@ -47,14 +51,14 @@ jobs: - name: configure run: ./configure --disable-dependency-tracking - # Full scan nur im scheduled run - - name: cppcheck (full - scheduled) - if: github.event_name == 'schedule' + # FULL scan: scheduled ODER workflow_dispatch(full=true) + - name: cppcheck (full) + if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: make check-static JOBS=$(nproc) - # PR/Push: schneller Scan nur für geänderte Dateien - - name: cppcheck (changed files - PR/Push) - if: github.event_name != 'schedule' + # FAST scan: Push/PR oder workflow_dispatch(full=false) + - name: cppcheck (changed files) + if: github.event_name != 'schedule' && !(github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: | BASE_REF="${{ github.base_ref }}" if [ -z "$BASE_REF" ]; then @@ -107,12 +111,14 @@ jobs: LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib run: ./configure --disable-dependency-tracking - - name: cppcheck (full - scheduled) - if: github.event_name == 'schedule' + # FULL scan: scheduled ODER workflow_dispatch(full=true) + - name: cppcheck (full) + if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: make check-static JOBS=$(sysctl -n hw.ncpu) - - name: cppcheck (changed files - PR/Push) - if: github.event_name != 'schedule' + # FAST scan: Push/PR oder workflow_dispatch(full=false) + - name: cppcheck (changed files) + if: github.event_name != 'schedule' && !(github.event_name == 'workflow_dispatch' && inputs.full == 'true') run: | BASE_REF="${{ github.base_ref }}" if [ -z "$BASE_REF" ]; then @@ -130,4 +136,4 @@ jobs: cppcheck --enable=warning,style,performance,portability \ --inline-suppr --error-exitcode=1 \ - $CHANGED \ No newline at end of file + $CHANGED From 46006bfb6e2300e537a4e47bc7c8070391cb965d Mon Sep 17 00:00:00 2001 
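Review bot: The fast-scan guard `if: github.event_name != 'schedule' && !(github.event_name == 'workflow_dispatch' && inputs.full == 'true')` is the literal negation of the full-scan guard and takes a moment to read; stating the events positively, `if: github.event_name == 'push' || github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && inputs.full != 'true')`, says the same thing and also stops a trigger added later from silently landing in the fast path. The pair of conditions is repeated verbatim for the macOS job in the second hunk, so both places should change together. The new step comments (`# FULL scan: scheduled ODER …`, `# FAST scan: … oder …`) mix German and English and would read better in one language.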
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 18:18:17 +0100 Subject: [PATCH 081/101] Update build_on_linux.sh --- build_on_linux.sh | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/build_on_linux.sh b/build_on_linux.sh index dde78d0798..1b8576bee5 100644 --- a/build_on_linux.sh +++ b/build_on_linux.sh @@ -41,27 +41,27 @@ cd .. ## ## 2. Vendored Mbed TLS bauen – MIT PROGRAMMEN UND TESTS ## -if [ -d "others/mbedtls" ]; then - echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." - ( - cd others/mbedtls - - mkdir -p build - - cmake -S . -B build \ - -DENABLE_PROGRAMS=ON \ - -DENABLE_TESTING=ON - - # Parallel bauen - cmake --build build --config Release --parallel "$JOBS" - - echo "==> Running Mbed TLS tests..." - cd build - ctest --output-on-failure -j"$JOBS" - ) -else - echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" -fi +##if [ -d "others/mbedtls" ]; then +## echo "==> Building vendored Mbed TLS (mit Programmen und Tests)..." +## ( +## cd others/mbedtls +## +## mkdir -p build +## +## cmake -S . -B build \ +## -DENABLE_PROGRAMS=ON \ +## -DENABLE_TESTING=ON +## +## # Parallel bauen +## cmake --build build --config Release --parallel "$JOBS" +## +## echo "==> Running Mbed TLS tests..." +## cd build +## ctest --output-on-failure -j"$JOBS" +## ) +##else +## echo "WARNUNG: others/mbedtls nicht gefunden – Mbed TLS wird NICHT gebaut/getestet!" +##fi ## ## 3. Autotools für ModSecurity initialisieren (nur Linux) From 3a3f74d60c341a7fbda66de1782ec9e83c15db8f Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:37:12 +0100 Subject: [PATCH 082/101] update --- .github/codeql/codeql-config.yml | 20 ++++++++++++++++++++ .github/workflows/codeql.yml | 4 +++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 .github/codeql/codeql-config.yml 
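Review bot: Commenting the vendored Mbed TLS build out with `##` leaves roughly twenty lines of dead code and silently drops the `ctest` run that used to exercise the crypto library the project links against; the `WARNUNG` branch that reported a missing `others/mbedtls` goes with it. If the vendored build is meant to stay available, gate it on a variable rather than a comment, for example `if [ "${BUILD_VENDORED_MBEDTLS:-0}" = "1" ] && [ -d "others/mbedtls" ]; then` around the otherwise unchanged block, and state in the section header why the system library is now used instead; if it is not, delete the block. The script continues outside the hunk, so any later step that expected `others/mbedtls/build` to exist should be checked as well.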
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..4010ab26ab --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,20 @@ +name: "CodeQL config" + +queries: + - uses: security-extended + +paths-ignore: + - tests/** + - test/** + - **/*test* + + # Third-party / submodules + - others/** + - bindings/** + - examples/** + - doc/** + + # Build & generated files + - build/** + - **/*.png + - **/*.md diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5ca80195c9..7023b792eb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,6 @@ name: CodeQL_on_linux + on: workflow_dispatch: push: @@ -9,6 +10,7 @@ on: schedule: - cron: "19 3 * * 1" + permissions: actions: read contents: read @@ -31,7 +33,7 @@ jobs: with: languages: c-cpp build-mode: manual - queries: security-extended + config-file: ./.github/codeql/codeql-config.yml - name: Install build dependencies run: | From 624fc8fbde830433e70cec7f2bf327b957239bcf Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 18:46:15 +0100 Subject: [PATCH 083/101] Update ci.yml --- .github/workflows/ci.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1dbe104a29..0c8722d39c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
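Review bot: `**/*test*` in `paths-ignore` is far broader than the `tests/**` and `test/**` entries above it: it excludes any source file or directory whose name contains `test` anywhere in the tree, not only the test suites, so a production file named along those lines would be silently left out of the scan. Narrowing it to the intended patterns, or dropping it since the two directory entries already cover the suites, keeps the scan honest; a comment naming what the glob is meant to catch would help either way. Excluding `others/**` also removes the vendored submodules (`others/mbedtls`, `others/libinjection`) from CodeQL, a defensible choice for third-party code, but worth recording in a comment that their coverage comes from Dependabot/OSV rather than this scan.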
@@ -183,4 +183,25 @@ jobs: # cmake -S . -B build ${{ matrix.configure.opt }} # - name: Build # run: | - # cmake --build build --config Release \ No newline at end of file + # cmake --build build --config Release + + + cppcheck: + runs-on: [macos-14] + steps: + - name: Setup Dependencies + run: | + brew install autoconf \ + automake \ + libtool \ + cppcheck + - uses: actions/checkout@v4 + with: + submodules: true + fetch-depth: 0 + - name: configure + run: | + ./build.sh + ./configure + - name: cppcheck + run: make check-static \ No newline at end of file From c17aa793e34f56d54510837dd2a132bd347db0bf Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 19:07:11 +0100 Subject: [PATCH 084/101] Update codeql-config.yml --- .github/codeql/codeql-config.yml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 4010ab26ab..a10be7a00e 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -1,20 +1,21 @@ -name: "CodeQL config" +name: "CodeQL config for ModSecurity" queries: - uses: security-extended paths-ignore: - - tests/** - - test/** - - **/*test* + # Tests + - "tests/**" + - "test/**" + - "**/*test*" # Third-party / submodules - - others/** - - bindings/** - - examples/** - - doc/** + - "others/**" + - "bindings/**" + - "examples/**" + - "doc/**" # Build & generated files - - build/** - - **/*.png - - **/*.md + - "build/**" + - "**/*.png" + - "**/*.md" From 1cdf8e065939b55f5b5646b775ea4b7dfef4ea9c Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 19:19:17 +0100 Subject: [PATCH 085/101] Update dependabot-auto-approve.yaml --- .github/workflows/dependabot-auto-approve.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
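Review bot: The re-added `cppcheck` job uses `actions/checkout@v4`, which reverts the v4→v6 bump applied across this file earlier in the series, so Dependabot will reopen that PR; it also duplicates the macOS cppcheck job that now lives in cppcheck.yml with a different build path (`./build.sh` and a bare `./configure` instead of `build_on_macos.sh` and `--disable-dependency-tracking`), so the two can disagree on the same commit. If the job is meant to stay here, `- uses: actions/checkout@v6` and the same build steps as cppcheck.yml; otherwise drop it and keep one source of truth. `runs-on: [macos-14]` works, but the flow-list form for a single label is unusual next to the `runs-on: macos-14` used by the other jobs.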
diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml index c1ba6975f1..2b467fa367 100644 --- a/.github/workflows/dependabot-auto-approve.yaml +++ b/.github/workflows/dependabot-auto-approve.yaml @@ -12,7 +12,7 @@ jobs: steps: - name: Fetch Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Approve Pull Request @@ -24,4 +24,4 @@ jobs: run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} From 69c2344a6fd99808fd4d3bd51b7c43e533329156 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:11:27 +0100 Subject: [PATCH 086/101] Code scanning --- .github/security-scan-excludes.txt | 28 +++++++++++++ .github/workflows/flawfinder.yml | 44 ++++++++++++++++++++ .github/workflows/ossar.yml | 32 ++++++++++++++ .github/workflows/osv-scanner-pr.yml | 15 +++++++ .github/workflows/osv-scanner-scheduled.yml | 17 ++++++++ .github/workflows/scorecard.yml | 43 +++++++++++++++++++ .github/workflows/semgrep.yml | 46 +++++++++++++++++++++ 7 files changed, 225 insertions(+) create mode 100644 .github/security-scan-excludes.txt create mode 100644 .github/workflows/flawfinder.yml create mode 100644 .github/workflows/ossar.yml create mode 100644 .github/workflows/osv-scanner-pr.yml create mode 100644 .github/workflows/osv-scanner-scheduled.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/security-scan-excludes.txt b/.github/security-scan-excludes.txt new file mode 100644 index 0000000000..0296389830 --- /dev/null +++ b/.github/security-scan-excludes.txt 
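Review bot: The SHA pin on `dependabot/fetch-metadata` is the right move for a workflow that can approve and merge, but without a trailing version comment nobody can tell which release the hash corresponds to and Dependabot's github-actions updater will not track it; the usual form is `uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v<tag this hash resolves to>`. Every other action in the repository is still referenced by a floating major tag (`actions/checkout@v6`, `github/codeql-action/*@v4`), so either pin them the same way or note why only this one is pinned. The same applies to the actions introduced in the next commit (L93–L94).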
@@ -0,0 +1,28 @@ +# Build & Output +build +build/* +out +out/* +dist +dist/* + +# Dependencies / Vendored +vendor +vendor/* +third_party +third_party/* +deps +deps/* +external +external/* + +# VCS / CI +.git +.github + +# Docs & misc +docs +examples +tests +test +benchmarks diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml new file mode 100644 index 0000000000..b799a11812 --- /dev/null +++ b/.github/workflows/flawfinder.yml @@ -0,0 +1,44 @@ +name: Flawfinder (C/C++) + +on: + workflow_dispatch: + pull_request: + push: + branches: [ "main", "master" ] + schedule: + - cron: "20 2 * * 1" # Weekly (reduziert PR-Noise) + +permissions: + contents: read + security-events: write + +jobs: + flawfinder: + runs-on: ubuntu-latest + + steps: + - name: Checkout (inkl. Submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + + - name: Install Flawfinder + run: | + sudo apt-get update + sudo apt-get install -y flawfinder + + - name: Run Flawfinder (SARIF) + run: | + EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') + flawfinder \ + --sarif \ + --output flawfinder.sarif \ + $EXCLUDES \ + . + + - name: Upload SARIF + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: flawfinder.sarif + category: flawfinder diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml new file mode 100644 index 0000000000..18f47bc6da --- /dev/null +++ b/.github/workflows/ossar.yml 
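Review bot: The `sed 's/^/--exclude /'` pipeline in the Run Flawfinder step does not skip the comment and blank lines of `security-scan-excludes.txt`, so the command line receives arguments such as `--exclude '#'`, `--exclude Build`, `--exclude '&'` and a bare `--exclude` with no value; filter first with `grep -vE '^\s*#|^\s*$' .github/security-scan-excludes.txt`. Flawfinder's documented option set does not appear to include `--exclude` at all, so verify the flag is accepted before relying on this list, otherwise every run ends in a usage error. The unquoted `$EXCLUDES` expansion also word-splits any entry containing spaces.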
@@ -0,0 +1,32 @@ +name: OSSAR + +on: + workflow_dispatch: + pull_request: + push: + branches: [ "main", "master" ] + +permissions: + contents: read + security-events: write + +jobs: + ossar: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v6 + with: + submodules: recursive + fetch-depth: 2 + + - name: Run OSSAR + id: ossar + uses: github/ossar-action@v1 + + - name: Upload SARIF + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} + category: ossar diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml new file mode 100644 index 0000000000..7332e27e5a --- /dev/null +++ b/.github/workflows/osv-scanner-pr.yml @@ -0,0 +1,15 @@ +name: OSV Scanner (PR) + +on: + workflow_dispatch: + pull_request: + merge_group: + +permissions: + contents: read + security-events: write + actions: read + +jobs: + scan-pr: + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml new file mode 100644 index 0000000000..a3162c712f --- /dev/null +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -0,0 +1,17 @@ +name: OSV Scanner (Scheduled) + +on: + workflow_dispatch: + schedule: + - cron: "30 3 * * 1" + push: + branches: [ "main", "master" ] + +permissions: + contents: read + security-events: write + actions: read + +jobs: + scan: + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000000..5abc550c1c --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,43 @@ +name: OSSF Scorecard + +on: + workflow_dispatch: + branch_protection_rule: + push: + branches: [ "main", "master" ] + schedule: + - cron: "10 1 * * 0" + +permissions: + contents: read + +jobs: + analysis: + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + contents: read + issues: read + pull-requests: read + checks: read + + steps: + - name: Checkout + uses: actions/checkout@v6 + with: + submodules: recursive + persist-credentials: false + + - name: Run Scorecard + uses: ossf/scorecard-action@v2 + with: + results_file: scorecard.sarif + results_format: sarif + publish_results: false + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: scorecard.sarif + category: scorecard diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000000..e2ff49b860 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,46 @@ +name: Semgrep (C/C++ SAST) + +on: + workflow_dispatch: + pull_request: + push: + branches: [ "main", "master" ] + +permissions: + contents: read + security-events: write + +jobs: + semgrep: + runs-on: ubuntu-latest + + steps: + - name: Checkout (inkl. Submodules) + uses: actions/checkout@v6 + with: + submodules: recursive + + - name: Install Semgrep + run: | + python3 -m pip install --upgrade pip + pip install semgrep + + - name: Fetch OSS C/C++ rules + run: | + git clone --depth 1 https://github.com/0xdea/semgrep-rules .semgrep-rules + + - name: Run Semgrep (SARIF) + run: | + EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') + semgrep scan \ + --config .semgrep-rules \ + $EXCLUDES \ + --sarif -o semgrep.sarif \ + . + + - name: Upload SARIF + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep.sarif + category: semgrep 
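Review bot: `id-token: write` is granted to the analysis job although `publish_results: false` is set; the OIDC token is only needed when Scorecard publishes results to its API, so with publishing disabled it is an unnecessary privilege and should be dropped (or `publish_results` set to `true` if the public badge is wanted). `persist-credentials: false` on the checkout is the right call for this job and should stay. A comment such as `# id-token: write is only required when publish_results is true` would keep the permission from being re-added later.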
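Review bot: The rules step runs `git clone --depth 1 https://github.com/0xdea/semgrep-rules` with no commit pin, and `pip install semgrep` is unpinned too, so each run executes whatever those upstreams serve at that moment; a changed or compromised rule set can silently drop classes of findings from the SARIF that reaches code scanning. Pin both — `pip install semgrep==<version>` and `git -C .semgrep-rules checkout <commit>` after the clone (or vendor the rules into the repository) — and let Dependabot propose bumps. The clone also lands inside the scanned tree (`.`), so the rules' own test fixtures are scanned unless `--exclude .semgrep-rules` is added.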
From db7bf55a3a1323c069e69cae3936892430fc4c0d Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 20:13:46 +0100 Subject: [PATCH 087/101] Update ci.yml --- .github/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c8722d39c..f20a3e8f10 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -199,9 +199,11 @@ jobs: with: submodules: true fetch-depth: 0 + - name: Build-Script ausführbar machen + run: chmod +x build_on_macos.sh - name: configure run: | - ./build.sh + ./build_on_macos.sh ./configure - name: cppcheck - run: make check-static \ No newline at end of file + run: make check-static From e2e5a9a408756868fa1d083507f48ee9eca53896 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sun, 14 Dec 2025 20:17:36 +0100 Subject: [PATCH 088/101] Update scorecard.yml --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5abc550c1c..fb0a30ae61 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: Run Scorecard - uses: ossf/scorecard-action@v2 + uses: ossf/scorecard-action@vf49aabe0b5af0936a0987cfb85d86b75731b0186 with: results_file: scorecard.sarif results_format: sarif From d4e2702ef3b9cc456e052bd6ecfdfc2dd61da90a Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:23:34 +0100 Subject: [PATCH 089/101] Code scanning update --- .github/workflows/flawfinder.yml | 21 ++++++++++++++++----- .github/workflows/ossar.yml | 18 +++++++++--------- .github/workflows/scorecard.yml | 2 +- 3 files changed, 26 insertions(+), 15 deletions(-) 
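Review bot: `chmod +x build_on_macos.sh` in a CI step papers over a missing executable bit in the repository, so local runs still fail while CI passes; set the mode in git with `git update-index --chmod=+x build_on_macos.sh` and drop the step. The step name is in German while the rest of the workflow is in English; keep step names in one language so the run summary reads consistently. The `cppcheck` job this hunk belongs to starts outside the hunk.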
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index b799a11812..5deac8fb2a 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -6,7 +6,7 @@ on: push: branches: [ "main", "master" ] schedule: - - cron: "20 2 * * 1" # Weekly (reduziert PR-Noise) + - cron: "20 2 * * 1" # Weekly permissions: contents: read @@ -27,14 +27,25 @@ jobs: sudo apt-get update sudo apt-get install -y flawfinder + - name: Build source file list (with excludes) + run: | + grep -v '^\s*#' .github/security-scan-excludes.txt \ + | sed 's|^|./|' > /tmp/excludes.txt + + find . \ + \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' -o -name '*.hpp' \) \ + -type f \ + | grep -v -F -f /tmp/excludes.txt \ + > /tmp/flawfinder-files.txt + - name: Run Flawfinder (SARIF) run: | - EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') flawfinder \ --sarif \ - --output flawfinder.sarif \ - $EXCLUDES \ - . + --quiet \ + --minlevel=1 \ + $(cat /tmp/flawfinder-files.txt) \ + > flawfinder.sarif - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index 18f47bc6da..f9ce555304 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -1,10 +1,9 @@ -name: OSSAR +name: OSSAR (best-effort) on: + schedule: + - cron: "15 4 * * 1" # Weekly, nicht auf PRs workflow_dispatch: - pull_request: - push: - branches: [ "main", "master" ] permissions: contents: read 
@@ -13,20 +12,21 @@ permissions: jobs: ossar: runs-on: ubuntu-latest + continue-on-error: true steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: submodules: recursive - fetch-depth: 2 - name: Run OSSAR id: ossar + continue-on-error: true uses: github/ossar-action@v1 - - name: Upload SARIF - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + - name: Upload SARIF (if present) + if: always() uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }} + sarif_file: .gdn/msdo.sarif category: ossar diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index fb0a30ae61..b3b3b5f533 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: Run Scorecard - uses: ossf/scorecard-action@vf49aabe0b5af0936a0987cfb85d86b75731b0186 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 with: results_file: scorecard.sarif results_format: sarif From 338ab1549ceb1c5bf642815f828ad38e7fa836b1 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:30:09 +0100 Subject: [PATCH 090/101] Code scanning update 2 --- .github/workflows/flawfinder.yml | 52 ++++++++++++++++++++++++-------- .github/workflows/semgrep.yml | 19 ++++++++++-- 2 files changed, 57 insertions(+), 14 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 5deac8fb2a..5564ab7469 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml 
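Review bot: `continue-on-error: true` on both the job and the Run OSSAR step, together with `if: always()` on the upload, means this workflow is green whether or not the scanner ran, and the upload now reads a hard-coded `.gdn/msdo.sarif` instead of the action's own output. A scan that cannot fail gives no signal; keep the step-level `continue-on-error` if OSSAR is known to be flaky, but gate the upload with `if: steps.ossar.outcome == 'success'` and keep `sarif_file: ${{ steps.ossar.outputs.sarifFile }}`. Downgrading `actions/checkout` from v6 to v4 in the same hunk also looks unintended, since the rest of the repository was just moved to v6.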
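Review bot: `ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186` is pinned to a commit with no version comment, so Dependabot cannot resolve which release it is and will not propose updates; write `uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # vX.Y.Z` with the matching tag. Mixing a bare SHA here with floating tags such as `actions/checkout@v6` in the other workflows gives the weakest of both: no update tracking for the pin and no integrity for the tags; pick one convention for the repository.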
@@ -27,25 +27,53 @@ jobs: sudo apt-get update sudo apt-get install -y flawfinder - - name: Build source file list (with excludes) + - name: Build source file list (robust excludes) + shell: bash run: | - grep -v '^\s*#' .github/security-scan-excludes.txt \ - | sed 's|^|./|' > /tmp/excludes.txt + set -euo pipefail + EXCLUDE_FILE=".github/security-scan-excludes.txt" + EXCLUDE_TMP="/tmp/excludes.txt" + + # 1) Excludes vorbereiten (falls Datei fehlt/leer ist -> leere exclude list) + if [[ -f "$EXCLUDE_FILE" ]]; then + # Kommentare/Leerzeilen entfernen, "./" davor setzen + grep -vE '^\s*#|^\s*$' "$EXCLUDE_FILE" | sed 's|^|./|' > "$EXCLUDE_TMP" || true + else + : > "$EXCLUDE_TMP" + fi + + # 2) Relevante Quellfiles finden find . \ - \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' -o -name '*.hpp' \) \ -type f \ - | grep -v -F -f /tmp/excludes.txt \ - > /tmp/flawfinder-files.txt + \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.cxx' -o -name '*.h' -o -name '*.hh' -o -name '*.hpp' -o -name '*.hxx' \) \ + > /tmp/all-src.txt + + # 3) Excludes anwenden (wenn exclude list leer -> einfach alles nehmen) + if [[ -s "$EXCLUDE_TMP" ]]; then + grep -v -F -f "$EXCLUDE_TMP" /tmp/all-src.txt > /tmp/flawfinder-files.txt || true + else + cp /tmp/all-src.txt /tmp/flawfinder-files.txt + fi + + # 4) Falls nix übrig bleibt, nicht failen – nur warnen + if [[ ! -s /tmp/flawfinder-files.txt ]]; then + echo "No source files to scan after excludes." + else + echo "Files to scan: $(wc -l < /tmp/flawfinder-files.txt)" + fi - name: Run Flawfinder (SARIF) + shell: bash run: | - flawfinder \ - --sarif \ - --quiet \ - --minlevel=1 \ - $(cat /tmp/flawfinder-files.txt) \ - > flawfinder.sarif + if [[ ! -s /tmp/flawfinder-files.txt ]]; then + echo "Skipping flawfinder: no files." 
+ echo '{"version":"2.1.0","runs":[]}' > flawfinder.sarif + exit 0 + fi + + flawfinder --sarif --quiet --minlevel=1 $(cat /tmp/flawfinder-files.txt) > flawfinder.sarif + - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index e2ff49b860..2691984328 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -29,9 +29,24 @@ jobs: run: | git clone --depth 1 https://github.com/0xdea/semgrep-rules .semgrep-rules - - name: Run Semgrep (SARIF) + - name: Run Semgrep (SARIF, robust excludes) + shell: bash run: | - EXCLUDES=$(sed 's/^/--exclude /' .github/security-scan-excludes.txt | tr '\n' ' ') + set -euo pipefail + + EXCLUDE_FILE=".github/security-scan-excludes.txt" + EXCLUDES="" + + if [[ -f "$EXCLUDE_FILE" ]]; then + while IFS= read -r line; do + # Skip comments and empty lines + [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue + EXCLUDES+=" --exclude $line" + done < "$EXCLUDE_FILE" + fi + + echo "Semgrep excludes: $EXCLUDES" + semgrep scan \ --config .semgrep-rules \ $EXCLUDES \ From acba59e02405134859ea2124ef4db7b4058e93b1 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 20:35:45 +0100 Subject: [PATCH 091/101] Code scanning update 3 --- .github/workflows/ci.yml | 5 +++-- .github/workflows/flawfinder.yml | 2 +- .github/workflows/ossar.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/semgrep.yml | 2 +- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f20a3e8f10..c235c690a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -194,8 +194,9 @@ jobs: brew install autoconf \ automake \ libtool \ - cppcheck - - uses: actions/checkout@v4 + cppcheck \ + mbedtls + - uses: actions/checkout@v6 with: submodules: true fetch-depth: 0 
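Review bot: The exclude matching is `grep -v -F -f "$EXCLUDE_TMP"`, i.e. fixed-string substring matching against prefixes like `./out` and `./deps`, so any path that merely begins with an excluded word is dropped (`./output.c`, `./deps_parser.h`), while entries with a trailing glob such as `./build/*` are literal asterisks that never match anything. Generate anchored regexes instead — strip a trailing `/*`, escape dots, and wrap each name as `^\./NAME(/|$)` — and switch to `grep -v -E -f "$EXCLUDE_TMP"`. The `|| true` after that grep also hides a malformed pattern file or an unreadable input; only status 1 (no lines selected) should be tolerated.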
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 5564ab7469..65656282dc 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -77,7 +77,7 @@ jobs: - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: flawfinder.sarif category: flawfinder diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index f9ce555304..7d5ebbda7d 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -15,7 +15,7 @@ jobs: continue-on-error: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: submodules: recursive @@ -26,7 +26,7 @@ jobs: - name: Upload SARIF (if present) if: always() - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: .gdn/msdo.sarif category: ossar diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b3b3b5f533..54052c1e11 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -37,7 +37,7 @@ jobs: publish_results: false - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: scorecard.sarif category: scorecard diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 2691984328..3120c189e4 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -55,7 +55,7 @@ jobs: - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: semgrep.sarif category: semgrep From 62215449c87a1d20cb30d40c9d7d54f681d78415 Mon Sep 17 00:00:00 2001 
From: Easton97-Jens Date: Sun, 14 Dec 2025 20:45:17 +0100 Subject: [PATCH 092/101] Code scanning update 4 --- .github/workflows/ci.yml | 8 +++++-- .github/workflows/ossar.yml | 21 +++++++++++------ .github/workflows/osv-scanner-pr.yml | 3 ++- .github/workflows/osv-scanner-scheduled.yml | 3 ++- .github/workflows/semgrep.yml | 26 +++++++++++++++------ 5 files changed, 43 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c235c690a6..f2ea2aa2a5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -202,9 +202,13 @@ jobs: fetch-depth: 0 - name: Build-Script ausführbar machen run: chmod +x build_on_macos.sh + - name: build_on_macos.sh + run: ./build_on_macos.sh - name: configure - run: | - ./build_on_macos.sh + env: + CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include + LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib + run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking ./configure - name: cppcheck run: make check-static diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index 7d5ebbda7d..0c68e74550 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -19,14 +19,21 @@ jobs: with: submodules: recursive - - name: Run OSSAR - id: ossar - continue-on-error: true - uses: github/ossar-action@v1 + - name: Reduce SARIF to a single run (GitHub Code Scanning requirement) + shell: bash + run: | + set -euo pipefail + if [ -f ".gdn/msdo.sarif" ]; then + jq '.runs = [ .runs[0] ]' .gdn/msdo.sarif > msdo.single.sarif + else + echo "No .gdn/msdo.sarif found" + exit 1 + fi - - name: Upload SARIF (if present) - if: always() + + - name: Upload SARIF uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: .gdn/msdo.sarif + sarif_file: msdo.single.sarif category: ossar + diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index 7332e27e5a..fa360e8b3e 100644 --- a/.github/workflows/osv-scanner-pr.yml 
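Review bot: The `run:` value became a plain scalar and the old context line `./configure` is left on the next line, so YAML folds the two into one command, `./configure ... --disable-dependency-tracking ./configure`, passing `./configure` as a stray positional argument. This job has no `strategy.matrix`, so `${{ matrix.configure.opt }}` expands to an empty string; drop it or give the job a matrix. Use a block scalar (`run: |`) so adjacent lines cannot be folded by accident.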
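Review bot: The step that ran `github/ossar-action` is deleted in this hunk, but the new jq step still expects `.gdn/msdo.sarif` and exits 1 when it is missing, so nothing in the job produces the file any more and the job fails on every run, hidden by the job-level `continue-on-error: true`. Either restore the scanner step ahead of the reduction or remove the workflow outright. If the scanner is kept, `.runs = [ .runs[0] ]` silently discards every other tool run in the SARIF; add a comment naming which tool's run is being kept and why the rest are dropped.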
+++ b/.github/workflows/osv-scanner-pr.yml @@ -1,7 +1,6 @@ name: OSV Scanner (PR) on: - workflow_dispatch: pull_request: merge_group: @@ -13,3 +12,5 @@ permissions: jobs: scan-pr: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 + with: + allow-no-lockfiles: true diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index a3162c712f..edfbe14faa 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -1,7 +1,6 @@ name: OSV Scanner (Scheduled) on: - workflow_dispatch: schedule: - cron: "30 3 * * 1" push: @@ -15,3 +14,5 @@ permissions: jobs: scan: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 + with: + allow-no-lockfiles: true diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 3120c189e4..9e744bed31 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
@@ -25,30 +25,42 @@ jobs: python3 -m pip install --upgrade pip pip install semgrep - - name: Fetch OSS C/C++ rules + - name: Fetch Semgrep Community rules run: | - git clone --depth 1 https://github.com/0xdea/semgrep-rules .semgrep-rules + git clone --depth 1 https://github.com/semgrep/semgrep-rules .semgrep-rules - - name: Run Semgrep (SARIF, robust excludes) + - name: Run Semgrep (SARIF, robust excludes + configs) shell: bash run: | set -euo pipefail + # 1) Excludes aus Datei robust einlesen (Kommentare/Leerzeilen ignorieren) EXCLUDE_FILE=".github/security-scan-excludes.txt" EXCLUDES="" - if [[ -f "$EXCLUDE_FILE" ]]; then while IFS= read -r line; do - # Skip comments and empty lines [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue EXCLUDES+=" --exclude $line" done < "$EXCLUDE_FILE" fi + echo "Semgrep excludes:$EXCLUDES" + + # 2) Configs nur hinzufügen, wenn sie existieren (Repo-Struktur kann sich ändern) + CONFIGS=() + [[ -d ".semgrep-rules/c" ]] && CONFIGS+=("--config" ".semgrep-rules/c") + [[ -d ".semgrep-rules/cpp" ]] && CONFIGS+=("--config" ".semgrep-rules/cpp") + # Optional: generische Security-Audit Rules (sprache-unabhängig/teilweise generisch) + [[ -d ".semgrep-rules/security/audit" ]] && CONFIGS+=("--config" ".semgrep-rules/security/audit") - echo "Semgrep excludes: $EXCLUDES" + if [[ ${#CONFIGS[@]} -eq 0 ]]; then + echo "No suitable Semgrep community rule directories found; skipping." + echo '{"version":"2.1.0","runs":[]}' > semgrep.sarif + exit 0 + fi + # 3) Scan semgrep scan \ - --config .semgrep-rules \ + "${CONFIGS[@]}" \ $EXCLUDES \ --sarif -o semgrep.sarif \ . From 90faa9500087cd6149a5fe9b885ebe489012bd7a Mon Sep 17 00:00:00 2001 
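Review bot: The rule set is still fetched unpinned (`git clone --depth 1 https://github.com/semgrep/semgrep-rules`) into `.semgrep-rules` inside the scan root, and that directory is not on the exclude list, so the scan also covers the community rules' own test files — fixtures deliberately written to trigger findings — which then appear in code scanning as findings against this repository. Clone into `"$RUNNER_TEMP/semgrep-rules"` and point the `--config` entries there, or add `--exclude .semgrep-rules`, and pin the rules to a commit so results are reproducible between runs. The German comments in the script should be in English like the rest of the workflow.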
From: Easton97-Jens Date: Sun, 14 Dec 2025 21:13:07 +0100 Subject: [PATCH 093/101] Code scanning update 5 --- .github/security-scan-excludes.txt | 1 + .github/workflows/ci.yml | 32 +++++++++++++++++++----------- .github/workflows/flawfinder.yml | 27 ++++++++++++++++++------- 3 files changed, 41 insertions(+), 19 deletions(-) diff --git a/.github/security-scan-excludes.txt b/.github/security-scan-excludes.txt index 0296389830..5a06e1c0bc 100644 --- a/.github/security-scan-excludes.txt +++ b/.github/security-scan-excludes.txt @@ -15,6 +15,7 @@ deps deps/* external external/* +others/* # VCS / CI .git diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f2ea2aa2a5..95a2255ab0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -185,30 +185,38 @@ jobs: # run: | # cmake --build build --config Release - - cppcheck: - runs-on: [macos-14] + cppcheck-macos: + name: cppcheck (macOS) + runs-on: macos-14 + steps: - name: Setup Dependencies run: | - brew install autoconf \ - automake \ - libtool \ - cppcheck \ - mbedtls - - uses: actions/checkout@v6 + brew update + brew install autoconf automake libtool cppcheck mbedtls + + - name: Checkout (with submodules) + uses: actions/checkout@v6 with: - submodules: true + submodules: recursive fetch-depth: 0 + + - name: Ensure submodules are up to date + run: | + git submodule sync --recursive + git submodule update --init --recursive --force + - name: Build-Script ausführbar machen run: chmod +x build_on_macos.sh + - name: build_on_macos.sh run: ./build_on_macos.sh + - name: configure env: CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib - run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking - ./configure + run: ./configure --disable-dependency-tracking + - name: cppcheck run: make check-static diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 65656282dc..6b7e2ef35e 100644 
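Review bot: `others/*` is written as a glob, but the flawfinder workflow's exclude step prefixes each entry with `./` and matches with `grep -F`, where the literal `./others/*` never matches a path, while semgrep's `--exclude others/*` does skip the directory; add a plain `others` line as the neighbouring entries do (`deps` / `deps/*`) so both consumers agree. Because the two consumers interpret entries differently, a header comment such as `# one path per line; used both as semgrep --exclude globs and as fixed-string path prefixes` would stop the next entry from repeating this.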
--- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -63,21 +63,34 @@ jobs: echo "Files to scan: $(wc -l < /tmp/flawfinder-files.txt)" fi - - name: Run Flawfinder (SARIF) + - name: Build Flawfinder file list (headers only) shell: bash run: | - if [[ ! -s /tmp/flawfinder-files.txt ]]; then - echo "Skipping flawfinder: no files." - echo '{"version":"2.1.0","runs":[]}' > flawfinder.sarif + git ls-files headers '*.h' > /tmp/flawfinder-headers-files.txt + + - name: Run Flawfinder (SARIF, headers strict) + shell: bash + run: | + if [[ ! -s /tmp/flawfinder-headers-files.txt ]]; then + echo "Skipping flawfinder headers: no files." + echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif exit 0 fi - flawfinder --sarif --quiet --minlevel=1 $(cat /tmp/flawfinder-files.txt) > flawfinder.sarif + flawfinder \ + --sarif \ + --quiet \ + --minlevel=1 \ + --exclude-dir=vendor,third_party,deps,external,mbedtls \ + $(cat /tmp/flawfinder-headers-files.txt) \ + > flawfinder-headers.sarif + + - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: flawfinder.sarif - category: flawfinder + sarif_file: flawfinder-headers.sarif + category: flawfinder-headers-strict \ No newline at end of file From d08a7b0c979bd83319ba1dc73ff4210f24c40d8d Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:23:03 +0100 Subject: [PATCH 094/101] Fix memory leak #3470 --- headers/modsecurity/transaction.h | 18 ++++++++++++------ src/transaction.cc | 6 ++++++ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h index 3e70caa38e..d9d670d9c2 100644 --- a/headers/modsecurity/transaction.h +++ b/headers/modsecurity/transaction.h 
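Review bot: The scan input is now `git ls-files headers '*.h'`, which lists everything under `headers/` plus `*.h` files elsewhere, so the `.cc` sources under `src/` are no longer scanned at all, while the earlier step that builds `/tmp/flawfinder-files.txt` with the excludes still runs and its output is now unused. If a headers-only pass is intended, delete the dead step and add a second run over the source list so coverage is not silently lost; otherwise feed the original list back in. `--exclude-dir=` is not in flawfinder's documented option set; confirm it is accepted, since an unknown option would make every run exit with a usage error.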
@@ -205,9 +205,12 @@ class TransactionAnchoredVariables { m_variableFilesTmpNames(t, "FILES_TMPNAMES"), m_variableMultipartPartHeaders(t, "MULTIPART_PART_HEADERS"), m_variableOffset(0), - m_variableArgsNames("ARGS_NAMES", &m_variableArgs), - m_variableArgsGetNames("ARGS_GET_NAMES", &m_variableArgsGet), - m_variableArgsPostNames("ARGS_POST_NAMES", &m_variableArgsPost) + m_pVariableArgsNames(std::make_unique("ARGS_NAMES", &m_variableArgs)), + m_variableArgsNames(*m_pVariableArgsNames), + m_pVariableArgsGetNames(std::make_unique("ARGS_GET_NAMES", &m_variableArgsGet)), + m_variableArgsGetNames(*m_pVariableArgsGetNames), + m_pVariableArgsPostNames(std::make_unique("ARGS_POST_NAMES", &m_variableArgsPost)), + m_variableArgsPostNames(*m_pVariableArgsPostNames) { } AnchoredSetVariable m_variableRequestHeadersNames; @@ -291,9 +294,12 @@ class TransactionAnchoredVariables { int m_variableOffset; - AnchoredSetVariableTranslationProxy m_variableArgsNames; - AnchoredSetVariableTranslationProxy m_variableArgsGetNames; - AnchoredSetVariableTranslationProxy m_variableArgsPostNames; + std::unique_ptr m_pVariableArgsNames; + AnchoredSetVariableTranslationProxy &m_variableArgsNames; + std::unique_ptr m_pVariableArgsGetNames; + AnchoredSetVariableTranslationProxy &m_variableArgsGetNames; + std::unique_ptr m_pVariableArgsPostNames; + AnchoredSetVariableTranslationProxy &m_variableArgsPostNames; }; class TransactionSecMarkerManagement { diff --git a/src/transaction.cc b/src/transaction.cc index 6c8ae9744c..a977464dbb 100644 --- a/src/transaction.cc +++ b/src/transaction.cc @@ -170,6 +170,12 @@ Transaction::~Transaction() { m_rulesMessages.clear(); + m_ruleRemoveById.clear(); + m_ruleRemoveByIdRange.clear(); + m_ruleRemoveByTag.clear(); + m_ruleRemoveTargetById.clear(); + m_ruleRemoveTargetByTag.clear(); + intervention::free(&m_it); intervention::clean(&m_it); From 6d8821329425ceffa13db01d137b8a17302ad084 Mon Sep 17 00:00:00 2001 
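Review bot: Wrapping the three proxy members in `std::unique_ptr` and re-exposing them as reference members does not change their lifetime — the objects are still created in this constructor and destroyed with the owning object — so on its own this cannot fix a leak; if the leak is inside `AnchoredSetVariableTranslationProxy`, the fix belongs in that class. The reference members also make `TransactionAnchoredVariables` non-copy-assignable and, under an implicitly generated move, leave the moved-from object's references pointing at memory now owned by the target. `std::make_unique` needs `<memory>`, which is not visible here, and the template argument is missing from the calls as rendered, so confirm the header compiles as committed. The class body continues outside the hunk.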
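Review bot: The five added `clear()` calls in `~Transaction()` release nothing that member destruction would not already release: a standard container frees its storage when it is destroyed, and if these containers hold raw pointers, `clear()` drops the pointers without deleting the pointees. If #3470 is a leak of those pointed-to objects, the fix is to delete them or change the element type to an owning one, not to clear the containers. Either add a comment stating what the calls are expected to free, or remove them. The destructor continues outside the hunk.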
From: Easton97-Jens Date: Sun, 14 Dec 2025 21:30:02 +0100 Subject: [PATCH 095/101] Code scanning update 6 --- .github/workflows/ossar.yml | 39 --------------------- .github/workflows/osv-scanner-pr.yml | 3 +- .github/workflows/osv-scanner-scheduled.yml | 1 + 3 files changed, 3 insertions(+), 40 deletions(-) delete mode 100644 .github/workflows/ossar.yml diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml deleted file mode 100644 index 0c68e74550..0000000000 --- a/.github/workflows/ossar.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: OSSAR (best-effort) - -on: - schedule: - - cron: "15 4 * * 1" # Weekly, nicht auf PRs - workflow_dispatch: - -permissions: - contents: read - security-events: write - -jobs: - ossar: - runs-on: ubuntu-latest - continue-on-error: true - - steps: - - uses: actions/checkout@v6 - with: - submodules: recursive - - - name: Reduce SARIF to a single run (GitHub Code Scanning requirement) - shell: bash - run: | - set -euo pipefail - if [ -f ".gdn/msdo.sarif" ]; then - jq '.runs = [ .runs[0] ]' .gdn/msdo.sarif > msdo.single.sarif - else - echo "No .gdn/msdo.sarif found" - exit 1 - fi - - - - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: msdo.single.sarif - category: ossar - diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index fa360e8b3e..1ebb5d7397 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml @@ -3,7 +3,8 @@ name: OSV Scanner (PR) on: pull_request: merge_group: - + workflow_dispatch: + permissions: contents: read security-events: write diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index edfbe14faa..10aaafacd2 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -1,6 +1,7 @@ name: OSV Scanner (Scheduled) on: + workflow_dispatch: schedule: - cron: "30 3 * * 1" push: 
From 3e3a6aa8a1b8e8cb408344d1c61d5b65fef239b3 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:40:39 +0100 Subject: [PATCH 096/101] Code scanning update 7 --- .github/workflows/flawfinder.yml | 10 ++++++++-- .github/workflows/osv-scanner-pr.yml | 5 ++--- .github/workflows/osv-scanner-scheduled.yml | 3 +-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 6b7e2ef35e..f35da11a63 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -77,6 +77,7 @@ jobs: exit 0 fi + set +e flawfinder \ --sarif \ --quiet \ @@ -84,9 +85,14 @@ jobs: --exclude-dir=vendor,third_party,deps,external,mbedtls \ $(cat /tmp/flawfinder-headers-files.txt) \ > flawfinder-headers.sarif + rc=$? + set -e - - + # 16 = findings found (nicht als Workflow-Fehler behandeln) + if [[ $rc -ne 0 && $rc -ne 16 ]]; then + echo "flawfinder failed with exit code $rc" + exit $rc + fi - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index 1ebb5d7397..8abdc4a44d 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml @@ -4,7 +4,7 @@ on: pull_request: merge_group: workflow_dispatch: - + permissions: contents: read security-events: write @@ -13,5 +13,4 @@ permissions: jobs: scan-pr: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 - with: - allow-no-lockfiles: true + diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index 10aaafacd2..0a8f5f3930 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml 
@@ -15,5 +15,4 @@ permissions: jobs: scan: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 - with: - allow-no-lockfiles: true + From 8993f9443b6b8310830f5817fe7fa03c936947b2 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:47:11 +0100 Subject: [PATCH 097/101] Update flawfinder.yml --- .github/workflows/flawfinder.yml | 38 +++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index f35da11a63..78d5eaedcb 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -77,6 +77,9 @@ jobs: exit 0 fi + # Defensive: remove empty lines + sed -i '/^\s*$/d' /tmp/flawfinder-headers-files.txt + set +e flawfinder \ --sarif \ 
@@ -84,16 +87,41 @@ jobs: --minlevel=1 \ --exclude-dir=vendor,third_party,deps,external,mbedtls \ $(cat /tmp/flawfinder-headers-files.txt) \ - > flawfinder-headers.sarif + > flawfinder-headers.sarif \ + 2> flawfinder-headers.stderr rc=$? set -e - # 16 = findings found (nicht als Workflow-Fehler behandeln) - if [[ $rc -ne 0 && $rc -ne 16 ]]; then - echo "flawfinder failed with exit code $rc" - exit $rc + echo "flawfinder exit code: $rc" + if [[ -s flawfinder-headers.stderr ]]; then + echo "---- flawfinder stderr ----" + cat flawfinder-headers.stderr + echo "---------------------------" fi + # If output isn't valid JSON (SARIF), fall back to empty SARIF so upload doesn't fail + if ! python3 - <<'PY' + import json, sys + p="flawfinder-headers.sarif" + try: + with open(p,"r",encoding="utf-8") as f: + json.load(f) + except Exception as e: + print("SARIF parse failed:", e) + sys.exit(1) + sys.exit(0) + PY + then + echo "Writing empty SARIF because flawfinder output was not valid SARIF JSON." + echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif + fi + + # Treat "findings found" as success + if [[ $rc -ne 0 && $rc -ne 16 ]]; then + exit $rc + fi + + - name: Upload SARIF if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false uses: github/codeql-action/upload-sarif@v4 From d147040b59380053fe5bc45a4d92862abe7bfe76 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:56:50 +0100 Subject: [PATCH 098/101] Update flawfinder.yml --- .github/workflows/flawfinder.yml | 62 ++++++++++++++++---------------- 1 file changed, 30 insertions(+), 32 deletions(-) diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 78d5eaedcb..13a12daa0a 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml 
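Review bot: The fallback that writes `{"version":"2.1.0","runs":[]}` whenever flawfinder's output is not valid JSON turns a broken scanner into a green job with zero findings uploaded to code scanning — a fail-open that hides loss of coverage behind a clean dashboard. Fail closed instead: keep the stderr dump, then `echo "::error::flawfinder produced no usable SARIF"; exit 1`; if the scan must stay advisory, put `continue-on-error: true` on the step so the failure is still visible in the run summary. The `# 16 = findings found` assumption is not tied to any `--error-level` flag passed here; add a comment citing where that exit status comes from or drop the special case.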
@@ -66,27 +66,33 @@ jobs: - name: Build Flawfinder file list (headers only) shell: bash run: | - git ls-files headers '*.h' > /tmp/flawfinder-headers-files.txt + set -euo pipefail + git ls-files 'headers/**' \ + | grep -E '\.(h|hh|hpp|hxx)$' \ + > /tmp/flawfinder-headers-files.txt || true + + echo "Header files to scan: $(wc -l < /tmp/flawfinder-headers-files.txt || echo 0)" + - name: Run Flawfinder (SARIF, headers strict) shell: bash run: | + set -euo pipefail + if [[ ! -s /tmp/flawfinder-headers-files.txt ]]; then echo "Skipping flawfinder headers: no files." - echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif + echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif exit 0 fi - # Defensive: remove empty lines - sed -i '/^\s*$/d' /tmp/flawfinder-headers-files.txt + echo "Flawfinder version:" + flawfinder --version || true + # Run flawfinder. IMPORTANT: no --quiet here. set +e - flawfinder \ - --sarif \ - --quiet \ - --minlevel=1 \ - --exclude-dir=vendor,third_party,deps,external,mbedtls \ - $(cat /tmp/flawfinder-headers-files.txt) \ + xargs -a /tmp/flawfinder-headers-files.txt \ + flawfinder --sarif --minlevel=1 \ + --exclude-dir=vendor --exclude-dir=third_party --exclude-dir=deps --exclude-dir=external --exclude-dir=mbedtls \ > flawfinder-headers.sarif \ 2> flawfinder-headers.stderr rc=$? 
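Review bot: The exit-code handling after the new `xargs -a … flawfinder --sarif …` line is broken by xargs itself: when flawfinder exits 16 (findings found), xargs reports that as its own exit status 123, so `rc` is 123 and the later `[[ $rc -ne 0 && $rc -ne 16 ]]` check fails the job exactly when the scanner has something to report. The list also comes from `git ls-files` without `-z`, so xargs splits on whitespace and interprets quotes in file names, and a list longer than the argument limit makes xargs run flawfinder more than once, concatenating two JSON documents into flawfinder-headers.sarif (which the validation further down then replaces with an empty run). Reading the list into an array and invoking flawfinder directly keeps flawfinder's own exit code and a single output document; the same xargs call survives unchanged in the `@@ -86,13 +86,11 @@` hunk of the following commit. The `run:` block continues past the end of this hunk (`rc=$?` is its last visible line).
```yaml
        set +e
        mapfile -t header_files < /tmp/flawfinder-headers-files.txt
        flawfinder --sarif --minlevel=1 \
          --exclude-dir=vendor --exclude-dir=third_party --exclude-dir=deps --exclude-dir=external --exclude-dir=mbedtls \
          "${header_files[@]}" \
          > flawfinder-headers.sarif \
          2> flawfinder-headers.stderr
        rc=$?
        # … unchanged: set -e, stderr dump, SARIF validation, exit-code check …
```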
@@ -99,27 +105,19 @@ jobs: echo "---------------------------" fi - # If output isn't valid JSON (SARIF), fall back to empty SARIF so upload doesn't fail - if ! python3 - <<'PY' - import json, sys - p="flawfinder-headers.sarif" - try: - with open(p,"r",encoding="utf-8") as f: - json.load(f) - except Exception as e: - print("SARIF parse failed:", e) - sys.exit(1) - sys.exit(0) - PY - then - echo "Writing empty SARIF because flawfinder output was not valid SARIF JSON." - echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif - fi - - # Treat "findings found" as success - if [[ $rc -ne 0 && $rc -ne 16 ]]; then - exit $rc - fi + echo "SARIF size: $(wc -c < flawfinder-headers.sarif) bytes" + head -c 200 flawfinder-headers.sarif | cat -v || true + + # Validate JSON. If invalid => write minimal valid SARIF with a run. + if ! python3 -c 'import json; json.load(open("flawfinder-headers.sarif","r",encoding="utf-8"))' 2>/dev/null; then + echo "Writing minimal SARIF because flawfinder output was not valid SARIF JSON." + echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif + fi + + # 16 = findings found => don't fail job + if [[ $rc -ne 0 && $rc -ne 16 ]]; then + exit $rc + fi - name: Upload SARIF @@ -127,4 +125,4 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: flawfinder-headers.sarif - category: flawfinder-headers-strict \ No newline at end of file + category: flawfinder-headers-strict From 1e445f79e7571a844e02476541e299addaa70df5 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 21:59:39 +0100 Subject: [PATCH 099/101] Update flawfinder.yml --- .github/workflows/flawfinder.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
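Review bot: The new validation line `python3 -c 'import json; json.load(…)' 2>/dev/null` throws away the parse error, so when the fallback fires the log shows only "Writing minimal SARIF…" and nothing about why flawfinder's output was rejected; the version this replaces printed the exception, and that should be kept by dropping `2>/dev/null` or printing the error inside the `-c` script. The `head -c 200 … | cat -v` line above it is a reasonable debugging aid, but it only helps if the parse error is visible next to it. The `run:` block begins before this hunk.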
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml index 13a12daa0a..f0ac0c2105 100644 --- a/.github/workflows/flawfinder.yml +++ b/.github/workflows/flawfinder.yml @@ -86,13 +86,11 @@ jobs: fi echo "Flawfinder version:" - flawfinder --version || true + flawfinder --version - # Run flawfinder. IMPORTANT: no --quiet here. set +e xargs -a /tmp/flawfinder-headers-files.txt \ flawfinder --sarif --minlevel=1 \ - --exclude-dir=vendor --exclude-dir=third_party --exclude-dir=deps --exclude-dir=external --exclude-dir=mbedtls \ > flawfinder-headers.sarif \ 2> flawfinder-headers.stderr rc=$? @@ -106,15 +104,14 @@ jobs: fi echo "SARIF size: $(wc -c < flawfinder-headers.sarif) bytes" - head -c 200 flawfinder-headers.sarif | cat -v || true - # Validate JSON. If invalid => write minimal valid SARIF with a run. + # Validate SARIF JSON if ! python3 -c 'import json; json.load(open("flawfinder-headers.sarif","r",encoding="utf-8"))' 2>/dev/null; then echo "Writing minimal SARIF because flawfinder output was not valid SARIF JSON." echo '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"flawfinder","informationUri":"https://dwheeler.com/flawfinder/"}},"results":[]}]}' > flawfinder-headers.sarif fi - # 16 = findings found => don't fail job + # 16 = findings found → OK if [[ $rc -ne 0 && $rc -ne 16 ]]; then exit $rc fi From 047896330db1a8722ead0cb3aa444a943ae60b2e Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 22:06:47 +0100 Subject: [PATCH 100/101] OSV Scanner update --- .github/workflows/osv-scanner-pr.yml | 2 +- .github/workflows/osv-scanner-scheduled.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index 8abdc4a44d..b47b2114df 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml 
@@ -12,5 +12,5 @@ permissions: jobs: scan-pr: - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.1 + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index 0a8f5f3930..1a1b0fb6d9 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -14,5 +14,5 @@ permissions: jobs: scan: - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.1 + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 From 9f9cfed39b12747687a16300b5266665bb73aba5 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sun, 14 Dec 2025 22:20:36 +0100 Subject: [PATCH 101/101] OSV Scanner --- .github/workflows/osv-scanner-pr.yml | 5 ++++- .github/workflows/osv-scanner-scheduled.yml | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml index b47b2114df..971bf65ee6 100644 --- a/.github/workflows/osv-scanner-pr.yml +++ b/.github/workflows/osv-scanner-pr.yml @@ -13,4 +13,7 @@ permissions: jobs: scan-pr: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 - + with: + scan-args: | + --allow-no-lockfiles + --recursive \ No newline at end of file diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml index 1a1b0fb6d9..d862cd31d4 100644 --- a/.github/workflows/osv-scanner-scheduled.yml +++ b/.github/workflows/osv-scanner-scheduled.yml @@ -15,4 +15,7 @@ permissions: jobs: scan: uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 - + with: + scan-args: | + --allow-no-lockfiles + --recursive
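Review bot: The `uses:` line now pins the reusable workflow to the bare commit `375a0e8ebdc98e99b02ac4338a724f5750f21213` with no indication of which release it is, which makes the pin unreviewable by eye and loses the information that was in the `v2.3.1` tag it replaces. Pinning by full SHA is the right direction for a third-party workflow, but keep the version as a trailing comment, `uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 # <tag this commit was taken from>`, which Dependabot also keeps in sync when it bumps the SHA. The same applies to the `scan:` job in osv-scanner-scheduled.yml in this commit's second hunk.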
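Review bot: The added `with: scan-args:` block replaces the reusable workflow's default argument list rather than extending it, so only `--allow-no-lockfiles` and `--recursive` reach osv-scanner; if the pinned workflow's default also supplies a scan path, confirm that osv-scanner at that commit still scans the checkout when none is given, otherwise add `./` as a third line. This is the same setting that the `@@ -15,5 +15,4 @@` hunk earlier in this series removed as the input `allow-no-lockfiles: true`, presumably because the pinned workflow does not expose that input; a one-line comment above `scan-args:` saying so would save the next reader the archaeology. The `|` header keeps a trailing newline in the value while the file itself ends without one (`\ No newline at end of file`); `|-` plus a final newline in the file is the cleaner form. The same block is added to `scan:` in osv-scanner-scheduled.yml in this commit's second hunk.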