Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 25 additions & 23 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ env:
BUILD_CONFIG_REL: 'Release'
BUILD_CONFIG_DBG: 'Debug'

permissions: read-all

jobs:
build-and-test:
name: Build & Test (${{ matrix.os }})
Expand All @@ -34,15 +36,15 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v7
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
submodules: recursive

- name: Setup .NET 10 (Preview)
uses: actions/setup-dotnet@v5
- name: Setup .NET 10
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
dotnet-quality: 'preview'
dotnet-quality: 'ga'
cache: true
cache-dependency-path: |
**/*.csproj
Expand Down Expand Up @@ -74,14 +76,14 @@ jobs:
run: dotnet test ${{ env.SOLUTION_NAME }} --configuration ${{ env.BUILD_CONFIG_REL }} --no-build --verbosity normal --logger "trx;LogFileName=test-results-${{ matrix.os }}.trx" --blame-hang-timeout 5m --collect:"XPlat Code Coverage" --results-directory ./coverage/${{ matrix.os }}

- name: Upload Test Results
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
if: always()
with:
name: test-results-${{ matrix.os }}
path: '**/test-results-*.trx'

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage/${{ matrix.os }}/**/coverage.cobertura.xml
Expand All @@ -93,15 +95,15 @@ jobs:
needs: build-and-test
steps:
- name: Checkout repository
uses: actions/checkout@v7
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
submodules: recursive

- name: Setup .NET 10 (Preview)
uses: actions/setup-dotnet@v5
- name: Setup .NET 10
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
dotnet-quality: 'preview'
dotnet-quality: 'ga'
cache: true
cache-dependency-path: |
**/*.csproj
Expand All @@ -122,7 +124,7 @@ jobs:
run: dotnet pack ${{ env.SOLUTION_NAME }} --configuration ${{ env.BUILD_CONFIG_REL }} --no-build --output ./artifacts/packages

- name: Upload packages
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: nuget-packages
path: |
Expand All @@ -140,15 +142,15 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v7
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
submodules: recursive

- name: Setup .NET 10
uses: actions/setup-dotnet@v5
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
dotnet-quality: 'preview'
dotnet-quality: 'ga'
cache: true
cache-dependency-path: |
**/*.csproj
Expand Down Expand Up @@ -187,15 +189,15 @@ jobs:
run: dotnet format ${{ env.SOLUTION_NAME }} --verify-no-changes --verbosity diagnostic --exclude ./modules --no-restore

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4
with:
languages: csharp

- name: Build for CodeQL
run: dotnet build ${{ env.SOLUTION_NAME }} --configuration ${{ env.BUILD_CONFIG_REL }} --no-restore /p:UseSharedCompilation=false

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
uses: github/codeql-action/analyze@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4

native-profiler-build:
name: Native Profiler Build (MSVC)
Expand All @@ -208,19 +210,19 @@ jobs:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v7
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
submodules: recursive

- name: Setup MSVC Developer Command Prompt
uses: ilammy/msvc-dev-cmd@v1
uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1

# CodeQL for the native profiler: this repo's only SAST-covered C++, since
# LoadLibraryW-driven chaining, IL rewriting, and raw metadata parsing live here.
# build-mode: manual because the actual build happens via the CMake steps below, not an
# autodetected build system.
- name: Initialize CodeQL (cpp)
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4
with:
languages: cpp
build-mode: manual
Expand All @@ -232,12 +234,12 @@ jobs:
run: cmake --build src/Rasp.Native.Profiler/build

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
uses: github/codeql-action/analyze@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4
with:
category: "/language:cpp"

- name: Upload built DLL
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: Rasp.Native.Profiler-dll
path: src/Rasp.Native.Profiler/build/*.dll
Expand All @@ -258,10 +260,10 @@ jobs:
cmake --build src/Rasp.Native.Profiler/build-release

- name: Setup .NET 10 (for live-attach smoke test)
uses: actions/setup-dotnet@v5
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
dotnet-quality: 'preview'
dotnet-quality: 'ga'

- name: Build live-attach smoke test fixture
# -p:Platform=AnyCPU overrides the `Platform=x64` environment variable left behind by
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
- uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
Expand Down
14 changes: 8 additions & 6 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ on:
release:
types: [published]

permissions: read-all

jobs:
publish:
name: Build, Pack & Publish
Expand All @@ -19,7 +21,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v7
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
submodules: recursive
fetch-depth: 0
Expand All @@ -32,10 +34,10 @@ jobs:
fi

- name: Setup .NET
uses: actions/setup-dotnet@v5
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
dotnet-quality: 'preview'
dotnet-quality: 'ga'

- name: Restore dependencies
run: dotnet restore ${{ env.SOLUTION_NAME }} --locked-mode
Expand All @@ -62,7 +64,7 @@ jobs:

- name: Generate Changelog
id: git-cliff
uses: orhun/git-cliff-action@v4
uses: orhun/git-cliff-action@4725066927d3534d0b138e68cb5a3d0cb2d4fdf5 # v4.1.0
with:
config: cliff.toml
args: -vv --latest --strip header
Expand All @@ -74,7 +76,7 @@ jobs:
# Requests a short-lived (1h) API key from nuget.org via GitHub OIDC, per the
# Trusted Publishing policy configured on nuget.org for this repo/workflow/environment.
# Requested right before the push below since the temp key expires in 1h.
uses: NuGet/login@v1
uses: NuGet/login@e41a967c3b9b46ec6fb59f232c94c921312384a6 # v1.0.1
id: nuget-login
with:
user: ${{ secrets.NUGET_USER }}
Expand All @@ -83,7 +85,7 @@ jobs:
run: dotnet nuget push "artifacts/packages/*.nupkg" --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate

- name: Update GitHub Release
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
body: ${{ steps.git-cliff.outputs.content }}
files: artifacts/packages/*
8 changes: 4 additions & 4 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@v4
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@v2.4.0
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -45,14 +45,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@e8e8e51caba890f74f97e228d00b0b81b666ee4c # v3
with:
sarif_file: results.sarif
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -292,7 +292,7 @@ features (Stage 3): a security product nobody can `dotnet add package` is a repo

Before submitting:

- [ ] Community baseline: `CODE_OF_CONDUCT.md`, issue templates, `GOVERNANCE.md` still open.
- [x] Community baseline: `CODE_OF_CONDUCT.md`, issue templates, and `GOVERNANCE.md` are complete.
[x] `good-first-issue` backlog seeded — [docs/good-first-issues.md](docs/good-first-issues.md)
(native profiler taint-propagation targets) and
[docs/good-first-issues-dotnet.md](docs/good-first-issues-dotnet.md) (.NET-only gaps).
Expand All @@ -302,8 +302,8 @@ Before submitting:
(not all from the same employer), so this gates the application itself.
[@EderBorella](https://github.com/EderBorella) joined as collaborator and required
reviewer on the `release` environment; bus factor is now 2.
- [ ] Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification —
a Lab-promotion criterion that is cheap to begin early.
- [x] Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification —
a Lab-promotion criterion that costs little to begin early.
- [ ] Draft the OWASP project-page content (`index.md`, description, roadmap) in advance —
the `www-project-rasp-net` repo itself is provisioned by the OWASP Foundation under
`github.com/OWASP` only **after** acceptance; having content ready means the page goes
Expand Down
6 changes: 3 additions & 3 deletions docs/ROADMAP.md
Original file line number Diff line number Diff line change
Expand Up @@ -92,16 +92,16 @@ comes before new detection features (Stage 3)** — a security product nobody ca

### Before submitting

- [ ] **Community baseline:** `CODE_OF_CONDUCT.md`, issue/PR templates, `GOVERNANCE.md`, and a
`good-first-issue` backlog. Taint-propagation targets (each additional `string` method to
- [x] **Community baseline:** `CODE_OF_CONDUCT.md`, issue/PR templates, and `GOVERNANCE.md` are complete.
A `good-first-issue` backlog is seeded. Taint-propagation targets (each additional `string` method to
instrument) are ideal starter issues — small, well-scoped, with an existing pattern to copy.
- [ ] **Isolate the intentionally-vulnerable demo target** (`modules/`) so its known-vulnerable
packages are never mistaken for product dependencies — clear labeling, separate solution
filter, and exclusion from any dependency-scanning badge the product advertises.
- [x] **Recruit a second project leader.** Current OWASP policy requires multiple leaders (not
all from the same employer), and all leaders need admin on the repository — this gates the
application itself, it is not a post-acceptance nicety.
- [ ] **Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification.**
- [x] **Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification.**
A Lab-promotion criterion that costs little to begin early — it is a questionnaire, and
most of the answers (license, tests, SECURITY.md, release discipline) already exist.
- [ ] **Draft the OWASP project-page content** (`index.md`, description, roadmap) in advance.
Expand Down
Loading