infernode/.github/workflows/security.yml at master · infernode-os/infernode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
name: Security Analysis

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    # Weekly on Sundays at midnight UTC
    - cron: '0 0 * * 0'

permissions: {}

jobs:
  # ─────────────────────────────────────────────
  # CodeQL: GitHub's semantic code analysis (free for public repos)
  # Results appear in the GitHub Security tab
  # ─────────────────────────────────────────────
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    permissions:
      security-events: write
      contents: read
      actions: read

    strategy:
      fail-fast: false
      matrix:
        language: [ 'c-cpp' ]

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Initialize CodeQL
      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
      with:
        languages: ${{ matrix.language }}
        # Security-focused queries plus quality checks
        queries: security-extended

    - name: Build for CodeQL analysis
      run: |
        # CodeQL needs to observe a real build to analyze C code.
        # We bootstrap mk and build the core C libraries + emulator.
        export ROOT="$PWD"
        export SYSHOST=Linux
        export OBJTYPE=amd64
        export SYSTARG=Linux
        mkdir -p Linux/amd64/bin Linux/amd64/lib

        CFLAGS="-g -O -fno-strict-aliasing -fno-omit-frame-pointer -fcommon"
        CFLAGS="$CFLAGS -I$ROOT/Linux/amd64/include -I$ROOT/utils/include -I$ROOT/include"
        CFLAGS="$CFLAGS -DLINUX_AMD64"

        # Build lib9 (core C library)
        echo "Building lib9 for CodeQL..."
        cd "$ROOT/lib9"
        for src in *.c; do
          gcc $CFLAGS -c "$src" -o "${src%.c}.o" 2>/dev/null || true
        done
        cd "$ROOT"

        # Build libinterp (Dis interpreter + JIT)
        echo "Building libinterp for CodeQL..."
        cd "$ROOT/libinterp"
        for src in *.c; do
          gcc $CFLAGS -I"$ROOT/libinterp" -c "$src" -o "${src%.c}.o" 2>/dev/null || true
        done
        cd "$ROOT"

        # Build emu/port (emulator portable layer)
        echo "Building emu/port for CodeQL..."
        cd "$ROOT/emu/port"
        for src in *.c; do
          gcc $CFLAGS -I"$ROOT/emu/port" -c "$src" -o "${src%.c}.o" 2>/dev/null || true
        done
        cd "$ROOT"

        # Build security-relevant libraries
        for lib in libsec libmp libkeyring; do
          if [ -d "$ROOT/$lib" ]; then
            echo "Building $lib for CodeQL..."
            cd "$ROOT/$lib"
            for src in *.c; do
              gcc $CFLAGS -c "$src" -o "${src%.c}.o" 2>/dev/null || true
            done
            cd "$ROOT"
          fi
        done

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
      with:
        category: "/language:${{ matrix.language }}"

  # ─────────────────────────────────────────────
  # cppcheck: C/C++ static analysis with SARIF upload
  # ─────────────────────────────────────────────
  cppcheck:
    name: cppcheck Static Analysis
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    permissions:
      contents: read

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Install cppcheck
      run: sudo apt-get update && sudo apt-get install -y cppcheck=2.13.0-2ubuntu3

    - name: Run cppcheck
      run: |
        cppcheck \
          --enable=warning,style,performance,portability \
          --suppress=missingIncludeSystem \
          --suppress=missingInclude \
          --inconclusive \
          --force \
          --std=c11 \
          -I include \
          -I emu/port \
          --xml \
          --output-file=cppcheck-results.xml \
          emu/port/*.c \
          emu/MacOSX/*.c \
          emu/Linux/*.c \
          lib9/*.c \
          libinterp/*.c \
          libsec/*.c \
          libmp/*.c \
          libkeyring/*.c \
          2>&1

    - name: Convert cppcheck XML to SARIF
      if: always()
      run: |
        pip install --require-hashes -r .github/requirements-security.txt 2>/dev/null || true

        # Generate a human-readable summary
        echo "## cppcheck Results" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY

        if [ -f cppcheck-results.xml ]; then
          errors=$(grep -c '<error ' cppcheck-results.xml || echo "0")
          echo "Total findings: $errors" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY

          # Show top issues in summary
          grep '<error ' cppcheck-results.xml | head -20 | while read -r line; do
            severity=$(echo "$line" | grep -oP 'severity="\K[^"]+' || true)
            msg=$(echo "$line" | grep -oP 'msg="\K[^"]+' || true)
            if [ -n "$msg" ]; then
              echo "- **$severity**: $msg" >> $GITHUB_STEP_SUMMARY
            fi
          done
        fi

    - name: Upload cppcheck report
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      if: always()
      with:
        name: cppcheck-results
        path: cppcheck-results.xml
        retention-days: 30

  # ─────────────────────────────────────────────
  # Flawfinder: C/C++ security-focused source scanner
  # ─────────────────────────────────────────────
  flawfinder:
    name: Flawfinder Security Scan
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    permissions:
      security-events: write
      contents: read

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Install flawfinder
      run: pip install --require-hashes -r .github/requirements-security.txt

    - name: Run flawfinder on security-critical code
      run: |
        echo "## Flawfinder Security Scan" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY

        # Scan security-critical directories
        # --minlevel 2 filters out low-confidence noise
        flawfinder --minlevel 2 --columns --context \
          libsec/ \
          libmp/ \
          libkeyring/ \
          libinterp/ \
          emu/port/ \
          lib9/ \
          > flawfinder-report.txt 2>&1 || true

        # Show summary
        tail -20 flawfinder-report.txt >> $GITHUB_STEP_SUMMARY

    - name: Run flawfinder (SARIF output)
      run: |
        flawfinder --sarif --minlevel 2 \
          libsec/ libmp/ libkeyring/ libinterp/ emu/port/ lib9/ \
          > flawfinder-results.sarif 2>/dev/null || true

    - name: Upload flawfinder SARIF
      uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
      if: always()
      with:
        sarif_file: flawfinder-results.sarif
        category: flawfinder
      continue-on-error: true

    - name: Upload flawfinder report
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      if: always()
      with:
        name: flawfinder-results
        path: |
          flawfinder-report.txt
          flawfinder-results.sarif
        retention-days: 30

  # ─────────────────────────────────────────────
  # Source hardening checks
  # ─────────────────────────────────────────────
  hardening:
    name: Source Hardening Checks
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    permissions:
      contents: read

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Check for dangerous C patterns
      run: |
        echo "## Source Hardening Checks" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY

        issues=0

        # Check for gets() usage (buffer overflow risk)
        if grep -rn '\bgets\s*(' --include='*.c' --include='*.h' emu/ lib9/ libinterp/ libsec/ 2>/dev/null; then
          echo "::warning::Found gets() usage - use fgets() instead"
          echo "- WARNING: gets() usage found" >> $GITHUB_STEP_SUMMARY
          issues=$((issues + 1))
        else
          echo "- PASS: No gets() usage" >> $GITHUB_STEP_SUMMARY
        fi

        # Check for unbounded sprintf
        count=$(grep -rn '\bsprintf\s*(' --include='*.c' emu/ lib9/ libinterp/ 2>/dev/null | wc -l)
        echo "- INFO: $count sprintf() calls found (consider snprintf)" >> $GITHUB_STEP_SUMMARY

        # Check for strcpy without bounds
        count=$(grep -rn '\bstrcpy\s*(' --include='*.c' emu/ lib9/ libinterp/ 2>/dev/null | wc -l)
        echo "- INFO: $count strcpy() calls found (consider strlcpy/strncpy)" >> $GITHUB_STEP_SUMMARY

        # Verify 64-bit safety fixes are present
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "### 64-bit Safety Checks" >> $GITHUB_STEP_SUMMARY

        if grep -q 'typedef intptr.*WORD' include/interp.h; then
          echo "- PASS: WORD is intptr-sized" >> $GITHUB_STEP_SUMMARY
        else
          echo "- FAIL: WORD type may not be pointer-sized" >> $GITHUB_STEP_SUMMARY
          issues=$((issues + 1))
        fi

        if grep -q 'uintptr.*Bhdr.*u.data' include/pool.h; then
          echo "- PASS: BHDRSIZE uses uintptr" >> $GITHUB_STEP_SUMMARY
        else
          echo "- FAIL: BHDRSIZE alignment issue" >> $GITHUB_STEP_SUMMARY
          issues=$((issues + 1))
        fi

        echo "" >> $GITHUB_STEP_SUMMARY
        echo "Total issues: $issues" >> $GITHUB_STEP_SUMMARY

        # Don't fail the build on these - they're informational
        # In a legacy C codebase, many of these are intentional