diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile index efa333b..b462565 100644 --- a/.clusterfuzzlite/Dockerfile +++ b/.clusterfuzzlite/Dockerfile @@ -1,4 +1,5 @@ -FROM gcr.io/oss-fuzz-base/base-builder-rust +FROM gcr.io/oss-fuzz-base/base-builder-rust@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 2024-11-14 + RUN apt-get update && apt-get install -y make autoconf automake libtool COPY . $SRC/anvomidav WORKDIR $SRC/anvomidav diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..d4e48ab --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# All files in the repository +* @hyperpolymath diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000..401b0e8 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Semgrep SAST Analysis +name: Semgrep + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + schedule: + - cron: '0 0 * * 1' # Every Monday + +permissions: read-all + +jobs: + semgrep: + name: Scan + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + container: + image: returntocorp/semgrep@sha256:8e8c483db84b4bee98b60c0593521ed34d9990e8 # v1.100.0 + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 + - name: Run Semgrep + run: semgrep scan --sarif --config auto > semgrep.sarif + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.28.1 + with: + sarif_file: semgrep.sarif + if: always() diff --git a/.tool-versions b/.tool-versions index 8c14ff9..d2e1d42 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,3 +1,3 @@ # SPDX-License-Identifier: PMPL-1.0-or-later # asdf version manager configuration -rust 1.75.0 +rust stable diff --git a/CII-BEST-PRACTICES.md b/CII-BEST-PRACTICES.md new file mode 100644 index 0000000..e5e78fe --- /dev/null +++ b/CII-BEST-PRACTICES.md @@ -0,0 +1,29 @@ +# OpenSSF Best Practices (CII) Adherence + +This document tracks the project's adherence to the [OpenSSF Best Practices Badge](https://best-practices.coreinfrastructure.org/) criteria. + +## Summary +The anvomidav project is committed to following open-source security and quality best practices. + +## Change Control +- **Public Repository**: All source code is hosted on GitHub and is public. +- **Version Control**: We use Git for version control. +- **Unique Versioning**: All releases use unique version identifiers (SemVer). + +## Reporting +- **Bug Reporting Process**: Documented in `CONTRIBUTING.md`. +- **Vulnerability Reporting**: A clear `SECURITY.md` file defines the private reporting process. + +## Quality +- **Automated Builds**: We use GitHub Actions for automated builds and CI. +- **Testing**: Automated test suites are integrated into the CI pipeline. +- **New Features**: New functionality is required to have associated tests. + +## Security +- **Secure Development**: We use automated security scanners (CodeQL, Trufflehog, ClusterFuzzLite). +- **Dependency Pinning**: GitHub Actions and critical dependencies (including Fuzzing Dockerfiles) are pinned to specific versions/SHAs. +- **No Hardcoded Secrets**: Scanned via `trufflehog` and `gitleaks`. + +## Best Practices +- **SPDX Headers**: We use SPDX license identifiers in all source files. +- **Code Review**: All changes require a pull request and code review before merging to `main`. diff --git a/Cargo.lock b/Cargo.lock index 7f2f97a..00c50e5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -469,18 +469,6 @@ dependencies = [ "windows-sys 0.59.0", ] -[[package]] -name = "filetime" -version = "0.2.26" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc0505cd1b6fa6580283f6bdf70a73fcf4aba1184038c90902b92b3dd0df63ed" -dependencies = [ - "cfg-if", - "libc", - "libredox", - "windows-sys 0.60.2", -] - [[package]] name = "find-msvc-tools" version = "0.1.6" @@ -757,11 +745,11 @@ dependencies = [ [[package]] name = "inotify" -version = "0.10.2" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdd168d97690d0b8c412d6b6c10360277f4d7ee495c5d0d5d5fe0854923255cc" +checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3" dependencies = [ - "bitflags 1.3.2", + "bitflags 2.10.0", "inotify-sys", "libc", ] @@ -775,15 +763,6 @@ dependencies = [ "libc", ] -[[package]] -name = "instant" -version = "0.1.13" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0242819d153cba4b4b05a5a8f2a7e9bbf97b6055b2a002b395c96b5ff3c0222" -dependencies = [ - "cfg-if", -] - [[package]] name = "is_ci" version = "1.2.0" @@ -834,17 +813,6 @@ version = "0.2.178" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37c93d8daa9d8a012fd8ab92f088405fb202ea0b6ab73ee2482ae66af4f42091" -[[package]] -name = "libredox" -version = "0.1.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d0b95e02c851351f877147b7deea7b1afb1df71b63aa5f8270716e0c5720616" -dependencies = [ - "bitflags 2.10.0", - "libc", - "redox_syscall 0.7.0", -] - [[package]] name = "linux-raw-sys" version = "0.11.0" @@ -998,12 +966,11 @@ dependencies = [ [[package]] name = "notify" -version = "7.0.0" +version = "8.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c533b4c39709f9ba5005d8002048266593c1cfaf3c5f0739d5b8ab0c6c504009" +checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3" dependencies = [ "bitflags 2.10.0", - "filetime", "fsevent-sys", "inotify", "kqueue", @@ -1012,14 +979,14 @@ dependencies = [ "mio", "notify-types", "walkdir", - "windows-sys 0.52.0", + "windows-sys 0.60.2", ] [[package]] name = "notify-debouncer-mini" -version = "0.5.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aaa5a66d07ed97dce782be94dcf5ab4d1b457f4243f7566c7557f15cabc8c799" +checksum = "17849edfaabd9a5fef1c606d99cfc615a8e99f7ac4366406d86c7942a3184cf2" dependencies = [ "log", "notify", @@ -1029,11 +996,11 @@ dependencies = [ [[package]] name = "notify-types" -version = "1.0.1" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "585d3cb5e12e01aed9e8a1f70d5c6b5e86fe2a6e48fc8cd0b3e0b8df6f6eb174" +checksum = "42b8cfee0e339a0337359f3c88165702ac6e600dc01c0cc9579a92d62b08477a" dependencies = [ - "instant", + "bitflags 2.10.0", ] [[package]] @@ -1110,7 +1077,7 @@ checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.5.18", + "redox_syscall", "smallvec", "windows-link", ] @@ -1244,15 +1211,6 @@ dependencies = [ "bitflags 2.10.0", ] -[[package]] -name = "redox_syscall" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49f3fe0889e69e2ae9e41f4d6c4c0181701d00e4697b356fb1f74173a5e0ee27" -dependencies = [ - "bitflags 2.10.0", -] - [[package]] name = "regex-syntax" version = "0.8.8" diff --git a/SECURITY-ACKNOWLEDGMENTS.md b/SECURITY-ACKNOWLEDGMENTS.md new file mode 100644 index 0000000..949e2ac --- /dev/null +++ b/SECURITY-ACKNOWLEDGMENTS.md @@ -0,0 +1,9 @@ +# Security Acknowledgments + +We would like to thank the following researchers for their contributions to keeping anvomidav safe. + +## 2026 +- Currently no entries. + +## 2025 +- Currently no entries. diff --git a/crates/anv-cli/Cargo.toml b/crates/anv-cli/Cargo.toml index 41fe44a..c04a96f 100644 --- a/crates/anv-cli/Cargo.toml +++ b/crates/anv-cli/Cargo.toml @@ -27,5 +27,7 @@ clap = { workspace = true } miette = { workspace = true } thiserror = { workspace = true } serde_json = { workspace = true } -notify = "7.0" -notify-debouncer-mini = "0.5" +notify = "8.0" +notify-debouncer-mini = "0.7" + +