diff --git a/.github/workflows/build-app.yml b/.github/workflows/build-app.yml index fe25bb3..e2b1a1e 100644 --- a/.github/workflows/build-app.yml +++ b/.github/workflows/build-app.yml @@ -14,15 +14,15 @@ on: - cron: '42 0 * * 6' # Refresh image every Sunday at 00:42 env: - GO_VERSION: 1.22 + GO_VERSION: 1.22 REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_SHA: ${{ github.sha }} -permissions: - contents: read - +permissions: + contents: read + jobs: build-app: runs-on: ubuntu-latest @@ -31,11 +31,11 @@ jobs: packages: write steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Log in to the Container registry @@ -96,11 +96,11 @@ jobs: runs-on: ubuntu-latest needs: ['build-app'] steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -128,11 +128,11 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/Dockerfile b/Dockerfile index df1d283..d97e75a 100644 --- a/Dockerfile 
+++ b/Dockerfile @@ -8,8 +8,8 @@ COPY go.mod . RUN go get -d -v . &&\ go build -v -o /go/bin/app . -RUN go test -v -fuzz=Fuzz -fuzztime=30s -run ^t_fuzz* ./... -RUN go test -v -coverprofile=coverage.out -covermode=atomic ./... +RUN go test -v -vet off -fuzz=Fuzz -fuzztime=60s -run ^t_fuzz* ./... +RUN go test -v -coverprofile=coverage.out -covermode=count ./... # --- Publish test coverage results diff --git a/charts/kapparmor/CHANGELOG.md b/charts/kapparmor/CHANGELOG.md index a5a1e45..1672bd8 100644 --- a/charts/kapparmor/CHANGELOG.md +++ b/charts/kapparmor/CHANGELOG.md 
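Review bot: `-run ^t_fuzz* ./...` on the first added RUN line filters by test function name, not by file name, so it selects nothing in this diff — the fuzz target is `FuzzIsProfileNameCorrect`, and the pattern only matches names starting with `t_fuz`; fuzzing still happens because `-fuzz=Fuzz` picks the target independently, but the seed corpus and any unit tests in the package are skipped on that line, which looks unintended. The new `-vet off` switches off the vet checks `go test` runs by default and the hunk gives no reason; if one analyzer is the problem, narrow it with `-vet=` or leave a comment on the line explaining why the checks are disabled rather than dropping all of them. Suggested form: `RUN go test -v -fuzz=Fuzz -fuzztime=60s -run '^FuzzIsProfileNameCorrect$' ./...` (or drop `-run` entirely). `-covermode=count` is fine for a non-`-race` run, but `atomic` was the safe choice if `-race` is ever added to the second RUN line.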
@@ -21,22 +21,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Move global vars to structs passed by reference --- -## [0.2.0 - ](https://github.com/tuxerrante/kapparmor/releases/tag/kapparmor-0.1.6) - +## [0.2.0 - ](https://github.com/tuxerrante/kapparmor/releases/tag/kapparmor-0.2.0) +CI: - [X] Fixed Codecov plugin issues +- [X] Refresh container image every Sunday night - [X] Git auto CRLF set to false `git config --global core.autocrlf false` -- [X] [Signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits): `git config commit.gpgsign true` +- [X] Bumped multiple actions +- [X] Bash CI to automate go version bump from one source of truth (`config/config`) + +Code: - [X] golang:1.22 as builder containerfile image -- [X] Refresh container image every Sunday night - [X] The k8s service resource is now settable from the values.yaml -- [X] Added repository Security policy +- [X] Introduced Fuzz testing for profile filenames +- [X] If POLL_TIME is set less than 1 it will default to 1 second + +Project Security Fixes +- [X] [Signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits): `git config commit.gpgsign true` +- [X] Added repository [Security policy](https://github.com/tuxerrante/kapparmor/blob/main/SECURITY.md) - [X] Added OpenSSF scorecard workflow -- Bump actions/checkout to 4.1.1 -- Bump [actions/upload-artifact](https://github.com/actions/upload-artifact/releases/tag/v4.3.1) to 4.3.1 -- Bump [github/codeql-action/upload-sarif](https://github.com/github/codeql-action/blob/v3/upload-sarif/action.yml) to v3 -- Introduced Fuzz testing for profile filenames -- Bash CI to automate go version bump from one source of truth (`config/config`) -- If POLL_TIME is set less than 1 it will default to 1 second +- [X] Least Privileged GitHub Actions Token Permissions: setting minimum token permissions for the GITHUB_TOKEN +- 
[X] Pinning actions to full length commit +- [X] Intergated [Harden-Runner](https://github.com/step-security/harden-runner) in the CI: it prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access. +- [X] Pinned image tags to digests in Dockerfiles. +- [X] Closed 44 (!) security issues coming from [Scorecard security scanner](https://github.com/marketplace/actions/ossf-scorecard-action). Also with the help of [stepsecurity.io](https://app.stepsecurity.io/) + --- ## [0.1.5 - 2023-05-16](https://github.com/tuxerrante/kapparmor/releases/tag/kapparmor-0.1.5) diff --git a/go/src/app/filesystemOperations.go b/go/src/app/filesystemOperations.go index a96ceb1..65c9093 100644 --- a/go/src/app/filesystemOperations.go +++ b/go/src/app/filesystemOperations.go @@ -244,6 +244,9 @@ func isValidPath(path string) (bool, error) { if len(substring) == 1 && substring[0] == '.' { return true, nil } + if ok, err := isValidFilename(substring); !ok { + return false, err + } } return true, nil } @@ -267,7 +270,7 @@ func isValidFilename(filename string) (bool, error) { return false, fmt.Errorf("%q is not a valid filename", filename) } - if len(filename) > 255 { + if len(filename) >= 255 { return false, fmt.Errorf("file name too long") } diff --git a/go/src/app/t_fuzzIsProfileNameCorrect_test.go b/go/src/app/t_fuzzIsProfileNameCorrect_test.go index 7de87e9..24e3d38 100644 --- a/go/src/app/t_fuzzIsProfileNameCorrect_test.go +++ b/go/src/app/t_fuzzIsProfileNameCorrect_test.go @@ -23,9 +23,6 @@ func FuzzIsProfileNameCorrect(f *testing.F) { //t.Logf("expected error for invalid filename %q", filename) return } - if len(filename) > 255 { - return - } if ok, _ := isValidPath(directory); !ok { return } else {
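Review bot: The `return true, nil` immediately above the added `isValidFilename` call still ends validation as soon as a component is exactly `.`, so for a path like `./<name>` the components after the dot never reach the new check (assuming these lines sit inside the per-component loop, which starts outside the hunk). If the intent is to skip the dot component rather than accept the whole path, `continue` in place of `return true, nil` lets the new per-component validation apply to every remaining component. isValidPath's signature and the loop header are outside the hunk, so the surrounding control flow should be confirmed before changing it.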
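Review bot: `len(filename) >= 255` in the second hunk now rejects a name of exactly 255 bytes, which is the Linux NAME_MAX limit and therefore a valid filename; the previous `> 255` matched that bound, so this reads as an off-by-one unless the tighter limit is deliberate. If it is deliberate, a comment on the line should say why, e.g. `// NAME_MAX is 255 bytes; one byte is reserved here because <reason>`; otherwise restore `> 255`. `len` counts bytes rather than runes, which is the right unit for NAME_MAX, and the error text `file name too long` could carry the limit so rejections are reproducible from logs: `fmt.Errorf("file name too long (%d bytes, limit 255)", len(filename))`.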