From 3d6b3279124baccbbb81c3832d2899f08dc82b77 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 08:38:40 +0000 Subject: [PATCH 1/9] Bump jinja2 from 2.11.3 to 3.1.6 in /scripts Bumps [jinja2](https://github.com/pallets/jinja) from 2.11.3 to 3.1.6. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/2.11.3...3.1.6) --- updated-dependencies: - dependency-name: jinja2 dependency-version: 3.1.6 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 8a240a6dab..38360eb44f 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -4,7 +4,7 @@ chardet==3.0.4 gitdb==4.0.5 GitPython==3.1.41 idna==2.10 -Jinja2==2.11.3 +Jinja2==3.1.6 MarkupSafe==1.1.1 requests==2.31.0 smmap==3.0.5 From 7cc483858b05fcf63dbbef4855441037e573e0bf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 08:48:01 +0000 Subject: [PATCH 2/9] Bump idna from 3.4 to 3.7 in /scripts/upgrade-codeql-dependencies Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.4...v3.7) --- updated-dependencies: - dependency-name: idna dependency-version: '3.7' dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- scripts/upgrade-codeql-dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade-codeql-dependencies/requirements.txt b/scripts/upgrade-codeql-dependencies/requirements.txt index 55b810e4aa..acfbc3b49b 100644 --- a/scripts/upgrade-codeql-dependencies/requirements.txt +++ b/scripts/upgrade-codeql-dependencies/requirements.txt @@ -1,6 +1,6 @@ certifi==2023.7.22 charset-normalizer==3.2.0 -idna==3.4 +idna==3.7 requests==2.31.0 semantic-version==2.10.0 urllib3==1.26.18 From 7c01dae34599582086d9c54e1a486d49e2b8c948 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Aug 2025 15:14:19 +0000 Subject: [PATCH 3/9] Bump certifi from 2023.7.22 to 2024.7.4 in /scripts Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4. - [Commits](https://github.com/certifi/python-certifi/compare/2023.07.22...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-version: 2024.7.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- scripts/requirements.txt | 2 +- scripts/upgrade-codeql-dependencies/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 8a240a6dab..8e93573613 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -1,5 +1,5 @@ beautifulsoup4==4.9.3 -certifi==2023.7.22 +certifi==2024.7.4 chardet==3.0.4 gitdb==4.0.5 GitPython==3.1.41 diff --git a/scripts/upgrade-codeql-dependencies/requirements.txt b/scripts/upgrade-codeql-dependencies/requirements.txt index acfbc3b49b..78e3d382e5 100644 --- a/scripts/upgrade-codeql-dependencies/requirements.txt +++ b/scripts/upgrade-codeql-dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2023.7.22 +certifi==2024.7.4 charset-normalizer==3.2.0 idna==3.7 requests==2.31.0 From 9d10a4ce99e6ae37ad34abacace149e625790cbb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Aug 2025 15:14:23 +0000 Subject: [PATCH 4/9] Bump urllib3 in /scripts/upgrade-codeql-dependencies Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.18 to 2.5.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/1.26.18...2.5.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.5.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- scripts/upgrade-codeql-dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade-codeql-dependencies/requirements.txt b/scripts/upgrade-codeql-dependencies/requirements.txt index acfbc3b49b..d05ccf0d8a 100644 --- a/scripts/upgrade-codeql-dependencies/requirements.txt +++ b/scripts/upgrade-codeql-dependencies/requirements.txt @@ -3,5 +3,5 @@ charset-normalizer==3.2.0 idna==3.7 requests==2.31.0 semantic-version==2.10.0 -urllib3==1.26.18 +urllib3==2.5.0 pyyaml==6.0.1 \ No newline at end of file From dd3387a9a4746936094ee7b7ae21d0e0e5d479d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Aug 2025 15:15:12 +0000 Subject: [PATCH 5/9] Bump requests from 2.31.0 to 2.32.4 in /scripts Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.4. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.31.0...v2.32.4) --- updated-dependencies: - dependency-name: requests dependency-version: 2.32.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- scripts/requirements.txt | 2 +- scripts/upgrade-codeql-dependencies/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 8a240a6dab..d3d7ebfae2 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -6,7 +6,7 @@ GitPython==3.1.41 idna==2.10 Jinja2==2.11.3 MarkupSafe==1.1.1 -requests==2.31.0 +requests==2.32.4 smmap==3.0.5 soupsieve==2.0.1 pyyaml==6.0.1 diff --git a/scripts/upgrade-codeql-dependencies/requirements.txt b/scripts/upgrade-codeql-dependencies/requirements.txt index acfbc3b49b..3faa31e88f 100644 --- a/scripts/upgrade-codeql-dependencies/requirements.txt +++ b/scripts/upgrade-codeql-dependencies/requirements.txt @@ -1,7 +1,7 @@ certifi==2023.7.22 charset-normalizer==3.2.0 idna==3.7 -requests==2.31.0 +requests==2.32.4 semantic-version==2.10.0 urllib3==1.26.18 pyyaml==6.0.1 \ No newline at end of file From 6e60f6833b15f1f875ae34a179648878de63ad17 Mon Sep 17 00:00:00 2001 From: Andres Maqueo <193985782+AndresMaqueo@users.noreply.github.com> Date: Mon, 15 Sep 2025 15:37:09 -0600 Subject: [PATCH 6/9] Add CodeQL analysis workflow configuration Add CodeQL analysis workflow configuration --- .github/workflows/codeql.yml | 104 +++++++++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..d9f98473ac --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,104 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '27 4 * * 4' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: c-cpp + build-mode: autobuild + - language: javascript-typescript + build-mode: none + - language: python + build-mode: none + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From 2a133d5950d2227784ee92a3bd074d32e8526406 Mon Sep 17 00:00:00 2001 From: Andres Maqueo <193985782+AndresMaqueo@users.noreply.github.com> Date: Mon, 15 Sep 2025 16:05:51 -0600 Subject: [PATCH 7/9] Potential fix for code scanning alert no. 25: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/verify-standard-library-dependencies.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml index 06ab4d23e2..d95a55f02a 100644 --- a/.github/workflows/verify-standard-library-dependencies.yml +++ b/.github/workflows/verify-standard-library-dependencies.yml @@ -1,4 +1,6 @@ name: Verify Standard Library Dependencies +permissions: + contents: read # Run this workflow every time the "supported_codeql_configs.json" file or a "qlpack.yml" file is changed on: From 83d6018af4560a205630428dd42826d7268d8d89 Mon Sep 17 00:00:00 2001 From: Andres Maqueo <193985782+AndresMaqueo@users.noreply.github.com> Date: Wed, 17 Sep 2025 21:38:13 -0600 Subject: [PATCH 8/9] ci: use ubuntu-22.04 instead of ubuntu-latest-xl to avoid queueing Switch runners to ubuntu-22.04 para evitar colas XL; todos los checks verdes (26). --- .github/workflows/code-scanning-pack-gen.yml | 4 ++-- .github/workflows/codeql.yml | 3 ++- .github/workflows/codeql_unit_tests.yml | 3 ++- scripts/requirements.txt | 4 ++-- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/code-scanning-pack-gen.yml b/.github/workflows/code-scanning-pack-gen.yml index dde0a1a3f6..22b20ba1ad 100644 --- a/.github/workflows/code-scanning-pack-gen.yml +++ b/.github/workflows/code-scanning-pack-gen.yml @@ -37,7 +37,7 @@ jobs: create-code-scanning-pack: name: Create Code Scanning pack needs: prepare-code-scanning-pack-matrix - runs-on: ubuntu-latest-xl + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: ${{ fromJSON(needs.prepare-code-scanning-pack-matrix.outputs.matrix) }} @@ -133,4 +133,4 @@ jobs: uses: actions/upload-artifact@v4 with: name: coding-standards-codeql-packs - path: '*-coding-standards.tgz' \ No newline at end of file + path: '*-coding-standards.tgz' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d9f98473ac..4cb572f07e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -46,7 +46,7 @@ jobs: - language: actions build-mode: none - language: c-cpp - build-mode: autobuild + build-mode: none - language: javascript-typescript build-mode: none - language: python @@ -102,3 +102,4 @@ jobs: uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" + diff --git a/.github/workflows/codeql_unit_tests.yml b/.github/workflows/codeql_unit_tests.yml index 0f9aadb8b3..b30a9faefa 100644 --- a/.github/workflows/codeql_unit_tests.yml +++ b/.github/workflows/codeql_unit_tests.yml @@ -32,7 +32,7 @@ jobs: python scripts/create_language_matrix.py echo "matrix=$( python scripts/create_language_matrix.py | \ - jq --compact-output 'map([.+{os: "ubuntu-latest-xl", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT + jq --compact-output 'map([.+{os: "ubuntu-22.04", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT run-test-suites: name: Run unit tests @@ -185,3 +185,4 @@ jobs: echo $FAILING_TESTS | jq . exit 1 fi + diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 6d15036496..eceb647cce 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -5,7 +5,7 @@ gitdb==4.0.5 GitPython==3.1.41 idna==2.10 Jinja2==3.1.6 -MarkupSafe==1.1.1 +MarkupSafe==2.1.5 requests==2.32.4 smmap==3.0.5 soupsieve==2.0.1 @@ -13,4 +13,4 @@ pyyaml==6.0.1 urllib3==1.26.18 wheel==0.38.1 jsonschema==4.9.1 -marko==1.2.1 \ No newline at end of file +marko==1.2.1 From 7c7726f2559c5aee0f4b7067169664ac6be42824 Mon Sep 17 00:00:00 2001 From: Andres Maqueo <193985782+AndresMaqueo@users.noreply.github.com> Date: Thu, 18 Sep 2025 14:08:07 -0600 Subject: [PATCH 9/9] chore: bootstrap branch (#17) * chore: bootstrap branch * chore: test pipeline from WSL --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 02c226f84a..ab2b5068fc 100644 --- a/README.md +++ b/README.md @@ -59,3 +59,4 @@ All header files in [c/common/test/includes/standard-library](./c/common/test/in 1This repository incorporates portions of the SEI CERT® Coding Standards available at https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards; however, such use does not necessarily constitute or imply an endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. +