From f9a4e9c588588f5fbb9c056f219a18470032f2d1 Mon Sep 17 00:00:00 2001 From: Daniel Olatunji Date: Fri, 26 Jan 2024 09:27:39 +0100 Subject: [PATCH 01/15] codeql: add security-extended query suite Add the CodeQL security-extended suite to the CodeQL workflow configuration. --- .github/workflows/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e467241adbf5..e7fc1e43c06a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,6 +42,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + queries: security-extended - run: | sudo apt-get update From e891ef3d4ed414987b485d88ac144e5d6fb981f0 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Wed, 31 Jan 2024 14:51:58 +0000 Subject: [PATCH 02/15] doc: add pcap file logging variable details Signed-off-by: jason taylor --- doc/userguide/configuration/suricata-yaml.rst | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index c04573778b03..920be735302d 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst 
@@ -505,6 +505,27 @@ the alert. mode: normal # "normal" or multi conditional: alerts +In ``normal`` mode a pcap file "filename" is created in the default-log-dir or as +specified by "dir". ``normal`` mode is generally not as performant as ``multi`` +mode. + +In multi mode, multiple pcap files are created (per thread) which performs +better than ``normal`` mode. + +In multi mode the filename takes a few special variables: + - %n representing the thread number + - %i representing the thread id + - %t representing the timestamp (secs or secs.usecs based on 'ts-format') + + Example: filename: pcap.%n.%t + +.. note:: It is possible to use directories but the directories are not + created by Suricata. For example ``filename: pcaps/%n/log.%s`` will log into + the pre-existing ``pcaps`` directory and per thread sub directories. + +.. note:: that the limit and max-files settings are enforced per thread. So the + size limit using 8 threads with 1000mb files and 2000 files is about 16TiB. + Verbose Alerts Log (alert-debug.log) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 2a1a70b3089751b30f623871063ce155451d4cbc Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Sun, 4 Feb 2024 09:44:44 -0500 Subject: [PATCH 03/15] threads/mutex: Ensure mutex held before signaling Ensure that the mutex protecting the condition variable is held before signaling it. This ensures that the thread(s) awaiting the signal are notified. Issue: 6569 --- src/tm-threads.c | 10 ++++++++++ src/tmqh-simple.c | 5 ++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/tm-threads.c b/src/tm-threads.c index 10ef45da278f..e1eee3b6412c 100644 --- a/src/tm-threads.c +++ b/src/tm-threads.c 
@@ -1239,13 +1239,17 @@ static int TmThreadKillThread(ThreadVars *tv) } if (tv->inq != NULL) { for (int i = 0; i < (tv->inq->reader_cnt + tv->inq->writer_cnt); i++) { + SCMutexLock(&tv->inq->pq->mutex_q); SCCondSignal(&tv->inq->pq->cond_q); + SCMutexUnlock(&tv->inq->pq->mutex_q); } SCLogDebug("signalled tv->inq->id %" PRIu32 "", tv->inq->id); } if (tv->ctrl_cond != NULL ) { + SCCtrlMutexLock(tv->ctrl_mutex); pthread_cond_broadcast(tv->ctrl_cond); + SCCtrlMutexUnlock(tv->ctrl_mutex); } return 0; } @@ -1425,7 +1429,9 @@ void TmThreadDisableReceiveThreads(void) if (tv->inq != NULL) { for (int i = 0; i < (tv->inq->reader_cnt + tv->inq->writer_cnt); i++) { + SCMutexLock(&tv->inq->pq->mutex_q); SCCondSignal(&tv->inq->pq->cond_q); + SCMutexUnlock(&tv->inq->pq->mutex_q); } SCLogDebug("signalled tv->inq->id %" PRIu32 "", tv->inq->id); } @@ -1505,7 +1511,9 @@ void TmThreadDisablePacketThreads(void) * THV_KILL flag. */ if (tv->inq != NULL) { for (int i = 0; i < (tv->inq->reader_cnt + tv->inq->writer_cnt); i++) { + SCMutexLock(&tv->inq->pq->mutex_q); SCCondSignal(&tv->inq->pq->cond_q); + SCMutexUnlock(&tv->inq->pq->mutex_q); } SCLogDebug("signalled tv->inq->id %" PRIu32 "", tv->inq->id); } @@ -2296,7 +2304,9 @@ void TmThreadsInjectFlowById(Flow *f, const int id) /* wake up listening thread(s) if necessary */ if (tv->inq != NULL) { + SCMutexLock(&tv->inq->pq->mutex_q); SCCondSignal(&tv->inq->pq->cond_q); + SCMutexUnlock(&tv->inq->pq->mutex_q); } else if (tv->break_loop) { TmThreadsCaptureBreakLoop(tv); } diff --git a/src/tmqh-simple.c b/src/tmqh-simple.c index 47faed5702c5..0bfa173e5009 100644 --- a/src/tmqh-simple.c +++ b/src/tmqh-simple.c 
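Review bot: The loop in TmThreadKillThread now acquires and releases `mutex_q` once per reader/writer just to deliver one signal each; holding the mutex across the whole loop — `SCMutexLock(&tv->inq->pq->mutex_q); for (...) { SCCondSignal(&tv->inq->pq->cond_q); } SCMutexUnlock(&tv->inq->pq->mutex_q);` — reaches the same waiters in one critical section and avoids the repeated acquire/release on a shutdown path. The same per-iteration pattern is repeated in the TmThreadDisableReceiveThreads and TmThreadDisablePacketThreads hunks below and in the TmqhInputSimpleShutdownHandler hunk in src/tmqh-simple.c. In the `ctrl_cond` branch the lock is taken through `tv->ctrl_mutex` with no check that it is set whenever `tv->ctrl_cond` is; if the two can be initialised independently, the existing NULL test should cover both. The fix itself is sound: signalling without the mutex can race the waiter's predicate check and lose the wakeup, which is what leaves threads hanging at shutdown.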
@@ -76,8 +76,11 @@ void TmqhInputSimpleShutdownHandler(ThreadVars *tv) return; } - for (i = 0; i < (tv->inq->reader_cnt + tv->inq->writer_cnt); i++) + for (i = 0; i < (tv->inq->reader_cnt + tv->inq->writer_cnt); i++) { + SCMutexLock(&tv->inq->pq->mutex_q); SCCondSignal(&tv->inq->pq->cond_q); + SCMutexUnlock(&tv->inq->pq->mutex_q); + } } void TmqhOutputSimple(ThreadVars *t, Packet *p) From c99d93c2574cfa0fe2b94c1ab3a2cacd5a15035c Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 12 Feb 2024 13:42:14 +0100 Subject: [PATCH 04/15] app-layer/template: use a max number of txs Ticket: 6773 --- rust/src/applayertemplate/template.rs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/rust/src/applayertemplate/template.rs b/rust/src/applayertemplate/template.rs index acc6c26c37fa..dbbc7841fad5 100644 --- a/rust/src/applayertemplate/template.rs +++ b/rust/src/applayertemplate/template.rs @@ -17,6 +17,7 @@ use super::parser; use crate::applayer::{self, *}; +use crate::conf::conf_get; use crate::core::{AppProto, Flow, ALPROTO_UNKNOWN, IPPROTO_TCP}; use nom7 as nom; use std; @@ -24,10 +25,14 @@ use std::collections::VecDeque; use std::ffi::CString; use std::os::raw::{c_char, c_int, c_void}; +static mut TEMPLATE_MAX_TX: usize = 256; + static mut ALPROTO_TEMPLATE: AppProto = ALPROTO_UNKNOWN; #[derive(AppLayerEvent)] -enum TemplateEvent {} +enum TemplateEvent { + TooManyTransactions, +} pub struct TemplateTransaction { tx_id: u64, @@ -145,7 +150,13 @@ impl TemplateState { SCLogNotice!("Request: {}", request); let mut tx = self.new_tx(); tx.request = Some(request); + if self.transactions.len() >= unsafe {TEMPLATE_MAX_TX} { + tx.tx_data.set_event(TemplateEvent::TooManyTransactions as u8); + } self.transactions.push_back(tx); + if self.transactions.len() >= unsafe {TEMPLATE_MAX_TX} { + return AppLayerResult::err(); + } } Err(nom::Err::Incomplete(_)) => { // Not enough data. This parser doesn't give us a good indication 
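Review bot: In the parse hunk the `TooManyTransactions` event is set only when `transactions.len()` is already at `TEMPLATE_MAX_TX` before the push, while the error return fires as soon as the push reaches the limit; on the request that hits the limit the parser returns `AppLayerResult::err()` without having flagged any transaction, so the event looks unreachable unless parsing continues after the error. Checking once before the push attaches the event to the transaction that will be logged and drops the second comparison, as below. The `static mut` is read with `unsafe` on the packet path; a comment such as `// written only during registration, before any parser runs` next to its declaration would document why the read is sound. The enclosing parse function starts and ends outside the hunk.

```rust
let mut tx = self.new_tx();
tx.request = Some(request);
if self.transactions.len() >= unsafe { TEMPLATE_MAX_TX } {
    tx.tx_data.set_event(TemplateEvent::TooManyTransactions as u8);
    self.transactions.push_back(tx);
    return AppLayerResult::err();
}
self.transactions.push_back(tx);
```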
@@ -429,6 +440,13 @@ pub unsafe extern "C" fn rs_template_register_parser() { if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { let _ = AppLayerRegisterParser(&parser, alproto); } + if let Some(val) = conf_get("app-layer.protocols.template.max-tx") { + if let Ok(v) = val.parse::() { + TEMPLATE_MAX_TX = v; + } else { + SCLogError!("Invalid value for template.max-tx"); + } + } SCLogNotice!("Rust template parser registered."); } else { SCLogNotice!("Protocol detector and parser disabled for TEMPLATE."); From 3a7a4cd581b8140fa4c5f2e41d4b6ae5fdc81b4a Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Sat, 27 Jan 2024 22:13:37 +0100 Subject: [PATCH 05/15] http: code simplification removing function unused parameter tx_id in HTPFileOpen And using directly tx instead of its id in HTPFileOpenWithRange --- src/app-layer-htp-file.c | 13 ++++--------- src/app-layer-htp-file.h | 6 +++--- src/app-layer-htp.c | 12 ++++++------ 3 files changed, 13 insertions(+), 18 deletions(-) diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c index 7b3ba62edcee..b2c8776a7192 100644 --- a/src/app-layer-htp-file.c +++ b/src/app-layer-htp-file.c @@ -48,7 +48,7 @@ extern StreamingBufferConfig htp_sbcfg; * \retval -2 not handling files on this flow */ int HTPFileOpen(HtpState *s, HtpTxUserData *tx, const uint8_t *filename, uint16_t filename_len, - const uint8_t *data, uint32_t data_len, uint64_t txid, uint8_t direction) + const uint8_t *data, uint32_t data_len, uint8_t direction) { int retval = 0; uint16_t flags = 0; @@ -147,8 +147,8 @@ static int HTPParseAndCheckContentRange( * \retval -1 error */ int HTPFileOpenWithRange(HtpState *s, HtpTxUserData *txud, const uint8_t *filename, - uint16_t filename_len, const uint8_t *data, uint32_t data_len, uint64_t txid, - bstr *rawvalue, HtpTxUserData *htud) + uint16_t filename_len, const uint8_t *data, uint32_t data_len, htp_tx_t *tx, bstr *rawvalue, + HtpTxUserData *htud) { SCEnter(); uint16_t flags; 
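Review bot: The config branch accepts `0` for `app-layer.protocols.template.max-tx`, and with `TEMPLATE_MAX_TX` at zero every request satisfies the `>=` limit check, so the parser errors on the first transaction of every flow. Reject it in the same branch: `if let Ok(v) = val.parse::<usize>() { if v > 0 { TEMPLATE_MAX_TX = v; } else { SCLogError!("Invalid value for template.max-tx"); } }`. Echoing the rejected value in the error message (`"Invalid value {} for template.max-tx"`) would also make a typo in the YAML easier to locate. rs_template_register_parser starts before the hunk.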
@@ -159,7 +159,7 @@ int HTPFileOpenWithRange(HtpState *s, HtpTxUserData *txud, const uint8_t *filena HTTPContentRange crparsed; if (HTPParseAndCheckContentRange(rawvalue, &crparsed, s, htud) != 0) { // range is invalid, fall back to classic open - return HTPFileOpen(s, txud, filename, filename_len, data, data_len, txid, STREAM_TOCLIENT); + return HTPFileOpen(s, txud, filename, filename_len, data, data_len, STREAM_TOCLIENT); } flags = FileFlowToFlags(s->f, STREAM_TOCLIENT); FileContainer *files = &txud->files_tc; @@ -179,11 +179,6 @@ int HTPFileOpenWithRange(HtpState *s, HtpTxUserData *txud, const uint8_t *filena } // Then, we will try to handle reassembly of different ranges of the same file - // TODO have the caller pass directly the tx - htp_tx_t *tx = htp_list_get(s->conn->transactions, txid - s->tx_freed); - if (!tx) { - SCReturnInt(-1); - } uint8_t *keyurl; uint32_t keylen; if (tx->request_hostname != NULL) { diff --git a/src/app-layer-htp-file.h b/src/app-layer-htp-file.h index 4b682bc03781..b0436df22f54 100644 --- a/src/app-layer-htp-file.h +++ b/src/app-layer-htp-file.h @@ -27,10 +27,10 @@ #include "app-layer-htp.h" -int HTPFileOpen(HtpState *, HtpTxUserData *, const uint8_t *, uint16_t, const uint8_t *, uint32_t, - uint64_t, uint8_t); +int HTPFileOpen( + HtpState *, HtpTxUserData *, const uint8_t *, uint16_t, const uint8_t *, uint32_t, uint8_t); int HTPFileOpenWithRange(HtpState *, HtpTxUserData *, const uint8_t *, uint16_t, const uint8_t *, - uint32_t, uint64_t, bstr *rawvalue, HtpTxUserData *htud); + uint32_t, htp_tx_t *, bstr *rawvalue, HtpTxUserData *htud); bool HTPFileCloseHandleRange(const StreamingBufferConfig *sbcfg, FileContainer *, const uint16_t, HttpRangeContainerBlock *, const uint8_t *, uint32_t); int HTPFileStoreChunk(HtpState *, HtpTxUserData *, const uint8_t *, uint32_t, uint8_t); diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index 1d654c2c7c5b..f8e6e9e8de06 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c 
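Review bot: The `@@ -179` hunk removes the `if (!tx) SCReturnInt(-1);` guard together with the `htp_list_get` lookup, so HTPFileOpenWithRange now dereferences `tx->request_hostname` a few lines later trusting the caller; the only visible caller (HtpResponseBodyHandle, in the app-layer-htp.c hunk) passes its own `tx`, which is presumably valid there, but nothing in this function checks it any more. Retaining `if (tx == NULL) SCReturnInt(-1);` at the point of use keeps the function safe for any future caller at the cost of one compare. The doxygen block above the function (its `\retval -1 error` line is visible in the previous hunk) should be updated to describe the new parameter, e.g. `\param tx the HTTP transaction the Content-Range response belongs to`, replacing any `txid` entry it still has. HTPFileOpenWithRange's body continues outside the hunk.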
@@ -1571,7 +1571,7 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud, #endif result = HTPFileOpen(hstate, htud, filename, filename_len, filedata, filedata_len, - HtpGetActiveRequestTxID(hstate), STREAM_TOSERVER); + STREAM_TOSERVER); if (result == -1) { goto end; } else if (result == -2) { @@ -1633,7 +1633,7 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud, filedata_len = 0; } result = HTPFileOpen(hstate, htud, filename, filename_len, filedata, - filedata_len, HtpGetActiveRequestTxID(hstate), STREAM_TOSERVER); + filedata_len, STREAM_TOSERVER); if (result == -1) { goto end; } else if (result == -2) { @@ -1648,7 +1648,7 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud, SCLogDebug("filedata_len %u", filedata_len); result = HTPFileOpen(hstate, htud, filename, filename_len, filedata, - filedata_len, HtpGetActiveRequestTxID(hstate), STREAM_TOSERVER); + filedata_len, STREAM_TOSERVER); if (result == -1) { goto end; } else if (result == -2) { @@ -1725,7 +1725,7 @@ static int HtpRequestBodyHandlePOSTorPUT(HtpState *hstate, HtpTxUserData *htud, HTPSetEvent(hstate, htud, STREAM_TOSERVER, HTTP_DECODER_EVENT_FILE_NAME_TOO_LONG); } result = HTPFileOpen(hstate, htud, filename, (uint16_t)filename_len, data, data_len, - HtpGetActiveRequestTxID(hstate), STREAM_TOSERVER); + STREAM_TOSERVER); if (result == -1) { goto end; } else if (result == -2) { 
@@ -1802,10 +1802,10 @@ static int HtpResponseBodyHandle(HtpState *hstate, HtpTxUserData *htud, } if (h_content_range != NULL) { result = HTPFileOpenWithRange(hstate, htud, filename, (uint16_t)filename_len, data, - data_len, HtpGetActiveResponseTxID(hstate), h_content_range->value, htud); + data_len, tx, h_content_range->value, htud); } else { result = HTPFileOpen(hstate, htud, filename, (uint16_t)filename_len, data, data_len, - HtpGetActiveResponseTxID(hstate), STREAM_TOCLIENT); + STREAM_TOCLIENT); } SCLogDebug("result %d", result); if (result == -1) { From cc2eb2d8b77e96586a607f661c7eed9ab41076fc Mon Sep 17 00:00:00 2001 From: Lukas Sismis Date: Sun, 11 Feb 2024 13:42:20 +0100 Subject: [PATCH 06/15] dpdk: sanitize integer overflow in the configuration Ticket: #6737 --- src/runmode-dpdk.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/runmode-dpdk.c b/src/runmode-dpdk.c index 8a7643b250e6..67e1e0050ea1 100644 --- a/src/runmode-dpdk.c +++ b/src/runmode-dpdk.c @@ -475,6 +475,9 @@ static int ConfigSetMempoolSize(DPDKIfaceConfig *iconf, intmax_t entry_int) if (entry_int <= 0) { SCLogError("%s: positive memory pool size is required", iconf->iface); SCReturnInt(-ERANGE); + } else if (entry_int > UINT32_MAX) { + SCLogError("%s: memory pool size cannot exceed %" PRIu32, iconf->iface, UINT32_MAX); + SCReturnInt(-ERANGE); } iconf->mempool_size = entry_int; @@ -521,6 +524,9 @@ static int ConfigSetRxDescriptors(DPDKIfaceConfig *iconf, intmax_t entry_int) if (entry_int <= 0) { SCLogError("%s: positive number of RX descriptors is required", iconf->iface); SCReturnInt(-ERANGE); + } else if (entry_int > UINT16_MAX) { + SCLogError("%s: number of RX descriptors cannot exceed %" PRIu16, iconf->iface, UINT16_MAX); + SCReturnInt(-ERANGE); } iconf->nb_rx_desc = entry_int; 
@@ -533,6 +539,9 @@ static int ConfigSetTxDescriptors(DPDKIfaceConfig *iconf, intmax_t entry_int) if (entry_int <= 0) { SCLogError("%s: positive number of TX descriptors is required", iconf->iface); SCReturnInt(-ERANGE); + } else if (entry_int > UINT16_MAX) { + SCLogError("%s: number of TX descriptors cannot exceed %" PRIu16, iconf->iface, UINT16_MAX); + SCReturnInt(-ERANGE); } iconf->nb_tx_desc = entry_int; From c65ff35819845a3f42c75f79d54f9ab91c5c2ec9 Mon Sep 17 00:00:00 2001 From: Lukas Sismis Date: Sun, 11 Feb 2024 20:43:37 +0100 Subject: [PATCH 07/15] dpdk: max cache size should be lower than one of the constraints Ticket: 6741 --- src/runmode-dpdk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runmode-dpdk.c b/src/runmode-dpdk.c index 67e1e0050ea1..5bb071f7f1d7 100644 --- a/src/runmode-dpdk.c +++ b/src/runmode-dpdk.c @@ -498,7 +498,7 @@ static int ConfigSetMempoolCacheSize(DPDKIfaceConfig *iconf, const char *entry_s SCReturnInt(-EINVAL); } - uint32_t max_cache_size = MAX(RTE_MEMPOOL_CACHE_MAX_SIZE, iconf->mempool_size / 1.5); + uint32_t max_cache_size = MIN(RTE_MEMPOOL_CACHE_MAX_SIZE, iconf->mempool_size / 1.5); iconf->mempool_cache_size = GreatestDivisorUpTo(iconf->mempool_size, max_cache_size); SCReturnInt(0); } From 356f9ffa130fbaaf82e7e28de98bdc24fe32f945 Mon Sep 17 00:00:00 2001 From: Lukas Sismis Date: Sun, 11 Feb 2024 21:14:08 +0100 Subject: [PATCH 08/15] doc: mention the limited number of RX/TX descriptors on Intel NICs Ticket: 6748 --- doc/userguide/configuration/suricata-yaml.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 920be735302d..db9040aedc60 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst 
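Review bot: `iconf->mempool_size / 1.5` is a double expression, so `MIN(...)` compares `RTE_MEMPOOL_CACHE_MAX_SIZE` against a double and the result is narrowed implicitly into `uint32_t max_cache_size`; writing `MIN(RTE_MEMPOOL_CACHE_MAX_SIZE, (uint32_t)(iconf->mempool_size / 1.5))` makes the truncation intentional and keeps the comparison integral. The MAX→MIN change is the right fix, since MAX would have let small pools pick a cache larger than `mempool_size / 1.5`; a short comment on the line, `/* cache size must respect both the DPDK cap and the 1.5 ratio to the pool size */`, would keep the next reader from "fixing" it back. ConfigSetMempoolCacheSize starts before the hunk.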
@@ -2138,7 +2138,11 @@ size of the cache is covered in the YAML file. To be able to run DPDK on Intel cards, it is required to change the default Intel driver to either `vfio-pci` or `igb_uio` driver. The process is described in `DPDK manual page regarding Linux drivers -`_. +`_. +The Intel NICs have the amount of RX/TX descriptors capped at 4096. +This should be possible to change by manually compiling the DPDK while +changing the value of respective macros for the desired drivers +(e.g. IXGBE_MAX_RING_DESC/I40E_MAX_RING_DESC). DPDK is natively supported by Mellanox and thus their NICs should work "out of the box". From abbd507b5ca82692efa4da854cf4cf04d9b8695f Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sat, 10 Feb 2024 10:41:05 +0100 Subject: [PATCH 09/15] security: update policy wrt CVE ID's To match that we'll now request CVE ID's ourselves as well, and we can do it for reported issues as well. See also: https://forum.suricata.io/t/security-new-cve-policy/4473 --- SECURITY.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 70d57aec09e1..9eb94f32ce73 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -45,6 +45,15 @@ releases. Note that we'll be refining the levels based on our experiences with applying them to actual issues. +## CVE ID's and Github Security Advisories (GHSA) + +We will request a CVE ID for an issue if appropriate. Note that multiple +issues may share the same CVE ID. + +We work with the Github CNA, through the Github Security Advisory (GHSA) facility. + +The GHSA's will be published at least 2 weeks after the public release addressing +the issue, together with the redmine security tickets. ## Support Status of affected code 
@@ -63,13 +72,14 @@ other data, please clearly state if these can (eventually) enter our public CI/Q We will assign a severity and will share our assessment with you. -We will create a security ticket, which will be private until a few weeks after +We will create a security ticket, which will be private until at least 2 weeks after a public release addressing the issue. -We will acknowledge you in the release notes and the release announcement. If you -do not want this, please clearly state this. +We will acknowledge you in the release notes, release announcement and GHSA. If you +do not want this, please clearly state this. For the GHSA credits, please give us +your github handle. -We will not request a CVE, but if you do please let us know the CVE ID. +Please let us know if you've requested a CVE ID. If you haven't, we can do it. OISF does not participate in bug bounty programs, or offer any other rewards for reporting issues. From a87943d9bfb47687a40763774b9972c9a00d33dd Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Tue, 13 Feb 2024 09:42:55 -0600 Subject: [PATCH 10/15] github-ci: apply read-only permissions to more workflows - authors.yml - codeql.yml - scan-build.yml --- .github/workflows/authors.yml | 2 ++ .github/workflows/codeql.yml | 2 ++ .github/workflows/scan-build.yml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/authors.yml b/.github/workflows/authors.yml index 77bb2614de24..e4b0c563c7c3 100644 --- a/.github/workflows/authors.yml +++ b/.github/workflows/authors.yml @@ -3,6 +3,8 @@ name: New Authors Check on: pull_request: +permissions: read-all + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e7fc1e43c06a..d62339a48399 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -13,6 +13,8 @@ on: schedule: - cron: '18 21 * * 1' +permissions: read-all + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/scan-build.yml b/.github/workflows/scan-build.yml index f0df97e7c80e..966139d10a57 100644 --- a/.github/workflows/scan-build.yml +++ b/.github/workflows/scan-build.yml @@ -8,6 +8,8 @@ on: paths-ignore: - "doc/**" +permissions: read-all + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true From c7cb3e92a60e73c3ef225282bb46eb25e2db9358 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Tue, 13 Feb 2024 10:05:02 -0600 Subject: [PATCH 11/15] dependabot: ignore actions/{cache,checkout} v3 The CentOS 7 build requires older GitHub actions, try to make dependabot ignore these older versions. --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b10ccce16cf1..c063687ed180 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,3 +12,8 @@ updates: interval: "daily" commit-message: prefix: "github-actions:" + ignore: + - dependency-name: "actions/cache" + versions: ["3.x"] + - dependency-name: "actions/checkout" + versions: ["3.x"] From 5c686af149a02f415221556a6c72f6e5f99c5230 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Tue, 13 Feb 2024 10:08:37 -0600 Subject: [PATCH 12/15] dependabot: disable rust checks As we don't have a Cargo.toml and a Cargo.lock, dependabot for Rust hasn't been working correctly. Disable, as we now have our own cargo audit and update workflows. --- .github/dependabot.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c063687ed180..46cc10a4f8ce 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
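Review bot: `permissions: read-all` at the workflow level in codeql.yml caps every job's token at read, yet `codeql-action/analyze` (visible in the later dependabot hunk for this file) uploads SARIF results and needs `security-events: write`; unless the analysis job declares its own job-level `permissions:` block outside this hunk, the upload will start failing with this change. If it does not, add at job level `permissions:` / `contents: read` / `security-events: write`. The same question applies to scan-build.yml in the next hunk if that workflow uploads results; authors.yml (previous hunk) only greps and is fine with read-only. Listing the exact scopes a workflow needs rather than `read-all` also follows least privilege more closely.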
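Review bot: The `ignore` rules use `versions: ["3.x"]`, but in Dependabot's configuration `versions` names the releases it must not propose updating *to*, so a pinned `actions/cache@v3` would still be offered a bump to v4 — the opposite of keeping the CentOS 7 job on v3. To hold those two actions on their current major line, replace each `versions` entry with `update-types: ["version-update:semver-major"]`. As far as I know ignore rules are also honoured by security updates, so with the current form a patched 3.x release would not be suggested either.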
@@ -1,11 +1,5 @@ version: 2 updates: - - package-ecosystem: "cargo" - directory: "/rust" - schedule: - interval: "daily" - commit-message: - prefix: "rust:" - package-ecosystem: "github-actions" directory: "/" schedule: From 2242d10fa0ce503ce03a2a99edc21c71925b34bf Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Tue, 13 Feb 2024 11:57:02 -0600 Subject: [PATCH 13/15] github-ci: fix authors check with special characters Dependabot is always getting flagged as a new author even tho it uses a consistent author of: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> But this doesn't work with plain grep. Fix by telling grep to treat the value as a fixed string instead of a regular expression. --- .github/workflows/authors.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/authors.yml b/.github/workflows/authors.yml index e4b0c563c7c3..242cadd181a4 100644 --- a/.github/workflows/authors.yml +++ b/.github/workflows/authors.yml @@ -29,7 +29,7 @@ jobs: touch new-authors.txt while read -r author; do echo "Checking author: ${author}" - if ! grep -q "^${author}\$" authors.txt; then + if ! grep -qFx "${author}" authors.txt; then echo "ERROR: ${author} NOT FOUND" echo "::warning ::New author found: ${author}" echo "${author}" >> new-authors.txt From 3c06457b74db5a2fd070fe1675c72f53423786de Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sat, 27 Jan 2024 09:59:55 +0100 Subject: [PATCH 14/15] detect/tls.certs: fix direction handling Direction flag was checked against wrong field, leading to undefined behavior. Bug: #6778. --- src/detect-tls-certs.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/detect-tls-certs.c b/src/detect-tls-certs.c index a082c345df4d..f1adb040d033 100644 --- a/src/detect-tls-certs.c +++ b/src/detect-tls-certs.c 
@@ -70,6 +70,7 @@ static int g_tls_certs_buffer_id = 0; struct TlsCertsGetDataArgs { uint32_t local_id; /**< used as index into thread inspect array */ SSLCertsChain *cert; + const uint8_t flags; }; typedef struct PrefilterMpmTlsCerts { @@ -148,7 +149,7 @@ static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx, const SSLState *ssl_state = (SSLState *)f->alstate; const SSLStateConnp *connp; - if (f->flags & STREAM_TOSERVER) { + if (cbdata->flags & STREAM_TOSERVER) { connp = &ssl_state->client_connp; } else { connp = &ssl_state->server_connp; @@ -183,7 +184,7 @@ static uint8_t DetectEngineInspectTlsCerts(DetectEngineCtx *de_ctx, DetectEngine transforms = engine->v2.transforms; } - struct TlsCertsGetDataArgs cbdata = { 0, NULL }; + struct TlsCertsGetDataArgs cbdata = { .local_id = 0, .cert = NULL, .flags = flags }; while (1) { @@ -214,7 +215,7 @@ static void PrefilterTxTlsCerts(DetectEngineThreadCtx *det_ctx, const void *pect const MpmCtx *mpm_ctx = ctx->mpm_ctx; const int list_id = ctx->list_id; - struct TlsCertsGetDataArgs cbdata = { 0, NULL }; + struct TlsCertsGetDataArgs cbdata = { .local_id = 0, .cert = NULL, .flags = flags }; while (1) { From fa98c48e65a05de7135285018954cfc17bb862a7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 19:27:24 +0000 Subject: [PATCH 15/15] github-actions: bump github/codeql-action from 2.24.0 to 3.24.1 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.24.0 to 3.24.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v2.24.0...v3.24.1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... 
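Review bot: The new `flags` member of `struct TlsCertsGetDataArgs` is the one field without the `/**< ... */` annotation its neighbour `local_id` carries; since the fix hinges on reading direction from these flags rather than from `f->flags`, document it: `const uint8_t flags; /**< direction flags (STREAM_TOSERVER/STREAM_TOCLIENT) of this inspection, not the flow's flags */`. The remaining hunks are consistent with each other: both initialisations switch to designated initializers and pass `flags`, so a future field cannot go silently zero-initialised the way `{ 0, NULL }` would have allowed.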
Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecards-analysis.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d62339a48399..9e0f3a7099f3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,7 +41,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v3.24.1 with: languages: ${{ matrix.language }} queries: security-extended @@ -62,4 +62,4 @@ jobs: ./configure make - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v3.24.1 diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index 1fad04559e40..782488514a32 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -51,6 +51,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload SARIF results" - uses: github/codeql-action/upload-sarif@dc021d495cb77b369e4d9d04a501700fd83b8c51 # v1 + uses: github/codeql-action/upload-sarif@bc64d12bb9f349435efba65d373bac054665b85f # v1 with: sarif_file: results.sarif