Skip to content
CI

Do not document dependencies in CI (#21) #11

Sign in to view logs

Do not document dependencies in CI (#21)

Do not document dependencies in CI (#21) #11

Workflow file for this run

.github/workflows/ci.yml at 0ee60dc
---
# SDL task names take the form "<task_id> ([NE]/(NA|C|I|IP)) - <task_description>" where:
# - N: No evidence required
# - E: Evidence required
# - NA: Not Applicable
# - C: Complete
# - I: Incomplete
# - IP: In Progress
#
# List of SDL tasks that are NOT checked by this pipeline:
# - CT636: Trade compliance classification: Published free of nonstandard crypto
# - CT52: Obtain Open Source PBT Approval
# - CT38: Conduct security progress reviews
# - CT36: Register SW components in OneBOM
# - CT25: Perform gap analysis on SDL plan
# - CT23: Disposition security vulnerabilities
# - CT22: Conduct manual code reviews
# - CT47: Complete a risk assessment for reused components
name: CI
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
env:
CARGO_TERM_COLOR: always
SIMICS_PUBLIC_ISPM_VERSION: 1.7.5
# Simics base
SIMICS_PUBLIC_PACKAGE_VERSION_1000: 6.0.169
# QSP X86
SIMICS_PUBLIC_PACKAGE_VERSION_2096: 6.0.70
# QSP CPU
SIMICS_PUBLIC_PACKAGE_VERSION_8112: 6.0.17
jobs:
build_and_test:
name: Build and Test
strategy:
matrix:
simics_version: [
# Public package tests only check latest SIMICS release
"6.0.169",
]
container: ubuntu:22.04
runs-on: ubuntu-latest
steps:
- name: Install Dependencies
shell: bash
run: |
apt-get -y update && \
apt-get -y install \
git \
curl \
build-essential \
cmake \
git-lfs
- uses: actions/checkout@v3
with:
lfs: true
- uses: dtolnay/rust-toolchain@nightly
with:
toolchain: nightly
components: rustfmt,clippy,miri
- name: Install SIMICS (External)
shell: bash
run: |
mkdir -p "${HOME}/simics/ispm"
tar --strip-components=1 -C "${HOME}/simics/ispm" \
-xvf .github/simics/intel-simics-package-manager-${{ env.SIMICS_PUBLIC_ISPM_VERSION }}-linux64.tar.gz
"${HOME}/simics/ispm/ispm" \
packages \
--non-interactive \
--verbose \
--install-dir "${HOME}/simics" \
--install .github/simics/simics-pkg-1000-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_1000 }}-linux64.ispm \
--install .github/simics/simics-pkg-2096-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_2096 }}-linux64.ispm \
--install .github/simics/simics-pkg-8112-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_8112 }}-linux64.ispm
- name: Set up .env
shell: bash
run: |
echo "SIMICS_HOME=${HOME}/simics" > .env
- name: Build Project
run: |
cargo build --features=${{ matrix.simics_version }}
- name: Check Project
run: |
cargo clippy --features=${{ matrix.simics_version}}
- name: Test Project
run: |
cargo test --features=${{ matrix.simics_version }} || ( echo "❗ Tests failed for SIMICS version ${{ matrix.simics_version }}" && exit 1 )
echo "✅ Tests passed for SIMICS version ${{ matrix.simics_version }}"
- name: (T157, T375, T300) (N/C) - Temporary files must be cleaned up after the resource is used, Release resources when no longer needed, Test that temporary files are cleaned up after the resource is used
run: |
cargo test --manifest-path util/tmp-dir/Cargo.toml \
|| ( echo "❗ [T157] tmp-dir tests failed" && exit 1 )
echo "✅ [T157] tmp-dir tests pass"
echo "✅ [T375] Temporary file/directory resources are released, see T157 test results"
echo "✅ [T375] LibAFL Shared memory resources are released via clean shutdown in with ::send_exiting"
echo "✅ [T300] Temporary files are cleaned up. See T157."
- name: (T297, T162, T572, T595) (N/C) - Verify that target pathname is validated before retrieving local resources, Validate pathname before retrieving local resources, Check for symlinks before opening files, Test that your application checks for symlinks before opening files
run: |
cargo test --features=${{ matrix.simics_version }} --manifest-path simics-tests/Cargo.toml path \
|| ( echo "❗ [T297] Simics path tests failed" && exit 1 )
echo "✅ [T297] Simics path tests passed (tests check pathname validation)"
echo "✅ [T162] Simics path tests passed (tests check pathname validation)"
echo "✅ [T572] File paths are canonicalized/normalized before opening. See T297."
echo "✅ [T595] Symlinks are checked before using files. See T297."
- name: Build Docs
run: |
cargo doc --features=${{ matrix.simics_version }} --workspace \
--no-deps
- name: Test Docs
run: |
cargo test --doc --features=${{ matrix.simics_version }} --workspace \
--no-deps
static_analysis:
name: Run Static Analysis
container: ubuntu:22.04
runs-on: ubuntu-latest
steps:
- name: Install Dependencies
shell: bash
run: |
apt-get -y update && \
apt-get -y install \
git \
curl \
build-essential \
cmake \
git-lfs
- uses: actions/checkout@v3
with:
lfs: true
- uses: dtolnay/rust-toolchain@nightly
with:
toolchain: nightly
components: rustfmt,clippy,miri
- name: Install SIMICS (External)
shell: bash
run: |
mkdir -p "${HOME}/simics/ispm"
tar --strip-components=1 -C "${HOME}/simics/ispm" \
-xvf .github/simics/intel-simics-package-manager-${{ env.SIMICS_PUBLIC_ISPM_VERSION }}-linux64.tar.gz
"${HOME}/simics/ispm/ispm" \
packages \
--non-interactive \
--verbose \
--install-dir "${HOME}/simics" \
--install .github/simics/simics-pkg-1000-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_1000 }}-linux64.ispm \
--install .github/simics/simics-pkg-2096-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_2096 }}-linux64.ispm \
--install .github/simics/simics-pkg-8112-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_8112 }}-linux64.ispm
- name: Set up .env
shell: bash
run: |
echo "SIMICS_HOME=${HOME}/simics" > .env
- name: CT39 - Clippy Check Project
run: |
cargo clippy --features=${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_1000 }} \
|| ( echo "❗ [CT39 (1/2)] Failed clippy static analysis checks" && exit 1 )
echo "✅ [CT39 (1/2)] Passed clippy static analysis checks"
- name: CT39 - MIRI Check Project
run: |
cargo clippy --features=${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_1000 }}
MIRIFLAGS="-Zmiri-backtrace=full -Zmiri-disable-isolation -Zmiri-panic-on-unsupported" cargo \
miri test --features=${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_1000 }} \
|| ( echo "❗ [CT39 (2/2)] Failed MIRI static analysis checks" && exit 1 )
echo "✅ [CT39 (2/2)] Passed MIRI static analysis checks"
fuzz_tests:
name: Run Fuzz Tests
container: ubuntu:22.04
runs-on: ubuntu-latest
steps:
- name: Install Dependencies
shell: bash
run: |
apt-get -y update && \
apt-get -y install \
git \
curl \
build-essential \
cmake \
git-lfs
- uses: actions/checkout@v3
with:
lfs: true
- uses: dtolnay/rust-toolchain@nightly
with:
toolchain: nightly
components: rustfmt,clippy,miri
- name: Install SIMICS (External)
shell: bash
run: |
mkdir -p "${HOME}/simics/ispm"
tar --strip-components=1 -C "${HOME}/simics/ispm" \
-xvf .github/simics/intel-simics-package-manager-${{ env.SIMICS_PUBLIC_ISPM_VERSION }}-linux64.tar.gz
"${HOME}/simics/ispm/ispm" \
packages \
--non-interactive \
--verbose \
--install-dir "${HOME}/simics" \
--install .github/simics/simics-pkg-1000-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_1000 }}-linux64.ispm \
--install .github/simics/simics-pkg-2096-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_2096 }}-linux64.ispm \
--install .github/simics/simics-pkg-8112-${{ env.SIMICS_PUBLIC_PACKAGE_VERSION_8112 }}-linux64.ispm
- name: Set up .env
shell: bash
run: |
echo "SIMICS_HOME=${HOME}/simics" > .env
- name: Install Cargo-Fuzz
run: |
cargo install cargo-fuzz
- name: CT632 (E/C) - Perform fuzz testing
run: |
cd util/version-tools
cargo fuzz build
timeout --preserve-status 600 cargo fuzz run \
fuzz_version_constraint_parse || exit 0
echo "Done fuzzing!"
if [ -d ./fuzz/artifacts ]; then
if find ./fuzz/artifacts -mindepth 1 -maxdepth 1 2> /dev/null | read -r; then
echo "❗ [CT632] Fuzz test found an issue"
exit 1
fi
fi
cd ../..
cd util/raw-cstr
cargo fuzz build
timeout --preserve-status 600 cargo fuzz run \
fuzz_raw_cstr || exit 0
echo "Done fuzzing!"
if [ -d ./fuzz/artifacts ]; then
if find ./fuzz/artifacts -mindepth 1 -maxdepth 1 2> /dev/null | read -r; then
echo "❗ [CT632] Fuzz test found an issue"
exit 1
fi
fi
cd ../..
echo "✅ [CT632] Fuzz test completed"
exit 0
super_lint:
name: Run Super Linter
container: github/super-linter
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
lfs: false
- name: (CT222) (E/C) - Use hadolint to evaluate Dockerfile configuration
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Rust validation is handled by build_and_test
VALIDATE_RUST_2015: false
VALIDATE_RUST_2018: false
VALIDATE_RUST_2021: false
VALIDATE_RUST_CLIPPY: false
# We have no non-example CPP in the codebase
VALIDATE_CPP: false
VALIDATE_CLANG_FORMAT: false
VALIDATE_JSCPD: false
# This is way too pedantic
VALIDATE_NATURAL_LANGUAGE: false
run: |
/action/lib/linter.sh || ( echo "❗ [CT222] Super linter found an issue (possibly Hadolint)" && exit 1 )
echo "✅ [CT222] Hadolint Dockerfile check passed"
scan_hello_world:
name: Scan Hello World EFI Builder Container
container: novafacing/kaniko-trivy-alpine:kaniko-v1.12.1-debug-trivy-v0.44.1-0.0.2
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
lfs: false
- name: Build Hello World Image
run: |
/kaniko/executor \
--build-arg "http_proxy=${http_proxy}" \
--build-arg "HTTP_PROXY=${HTTP_PROXY}" \
--build-arg "https_proxy=${https_proxy}" \
--build-arg "HTTPS_PROXY=${HTTPS_PROXY}" \
--build-arg "no_proxy=${no_proxy}" \
--build-arg "NO_PROXY=${NO_PROXY}" \
--build-arg "proxy=${HTTP_PROXY}" \
--snapshot-mode=redo \
--use-new-run \
--context examples/hello-world \
--dockerfile Dockerfile \
--no-push \
--tar-path /hello-world.tar \
--destination=image
- name: (T1187, T1186) (N/C) - Test if secrets are stored in Dockerfiles (Hello World Image)
run: |
/kaniko/trivy image --input /hello-world.tar
scan_x509_parse:
name: Scan X509Parse EFI Builder Container
container: novafacing/kaniko-trivy-alpine:kaniko-v1.12.1-debug-trivy-v0.44.1-0.0.2
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
lfs: false
- name: Build X509Parse Image
run: |
/kaniko/executor \
--build-arg "http_proxy=${http_proxy}" \
--build-arg "HTTP_PROXY=${HTTP_PROXY}" \
--build-arg "https_proxy=${https_proxy}" \
--build-arg "HTTPS_PROXY=${HTTPS_PROXY}" \
--build-arg "no_proxy=${no_proxy}" \
--build-arg "NO_PROXY=${NO_PROXY}" \
--build-arg "proxy=${HTTP_PROXY}" \
--snapshot-mode=redo \
--use-new-run \
--context examples/x509-parse \
--dockerfile Dockerfile \
--no-push \
--tar-path /x509-parse.tar \
--destination=image
- name: (T1187, T1186) (N/C) - Test if secrets are stored in Dockerfiles (X509Parse Image)
run: |
/kaniko/trivy image --input /x509-parse.tar
additional_sdl_checks:
name: Perform Additional SDL Checks
container: ubuntu:22.04
runs-on: ubuntu-latest
steps:
- name: Install Dependencies
run: |
apt-get -y update && \
apt-get -y install \
git \
curl \
jq \
wget \
build-essential \
cmake \
openssl \
libssl-dev \
pkg-config \
git-lfs
- uses: actions/checkout@v3
with:
lfs: false
- uses: dtolnay/rust-toolchain@nightly
with:
toolchain: nightly
components: rustfmt,clippy,miri
- name: Install Cargo Plugins
run: |
cargo install cargo-audit cargo-outdated
- name: CT256 (N/C) - Include security.md file in open source repos
run: |
[ -f SECURITY.md ] \
|| ( echo "❗ [CT256] Missing SECURITY.md file" && exit 1 )
echo "✅ [CT256] SECURITY.md file found"
- name: CT37 (N/NA) - Scan release package for malware
run: |
# We mark this task as NA because we do not publish any release
# package, so we check that we indeed cannot publish anything
grep -q "publish = false" 'Cargo.toml' || ( echo "❗ [CT37] Crate {} is publishable" && exit 1 )
find . -mindepth 2 -type f -name 'Cargo.toml' -not -path './target/*' -print0 2> /dev/null \
| xargs -0 -i bash -c \
'grep -qE "publish.workspace = true|publish = false" {} || ( echo "❗ [CT37] Crate {} is publishable" && exit 1 )' \
|| exit 1
echo "✅ [CT37] No release package is provided by this repository"
- name: (T152, T14, T174) (N/C) - Avoid asking for and using excessive permissions, Enforce Principle of least privilege, Test that the client application is not asking for excessive permissions
run: |
# All the crates I can find that escalate do so by setting uid at some
# point
find . -type f -name '*.rs' -print0 2> /dev/null \
| xargs -0 -i bash -c \
'! grep -Eq "sudo|setuid\(0\)" {} || ( echo "❗ [T152] sudo or setuid(0) found in {}" && exit 1 )' \
|| exit 1
echo "✅ [T152] Elevated permissions not requested or used"
- name: (T349, T350) (N/C) - Protect audit information and logs against unauthorized access, Verify that audit information is sufficiently protected
run: |
# shellcheck disable=SC2016
find . -type f -name '*.rs' -not -path './simics-api-sys/scripts/*' -print0 2> /dev/null \
| xargs -0 -i bash -c \
'MATCH=$(grep -A16 -E "File::|OpenOptions::" {} | grep -B16 -A16 -i "log"); if [ -n "${MATCH}" ]; then echo "${MATCH}" > /tmp/logmatch.$(printf {} | sed "s/\//-/g"); fi'
find /tmp -name 'logmatch.*' -print0 2> /dev/null \
| xargs -0 -i bash -c 'grep -qE "set_permissions.*0o[0-9]*700" {} || ( echo "❗ [T349] No set_permissions call with safe default permissions found after File:: or OpenOptions::" && exit 1 )'
echo "✅ [T349] Safe set_permissions call found for all File:: and OpenOptions:: with log mentioned"
echo "✅ [T350] Logs are protected. See T349."
- name: (T437, T438) (N/C) - Include log reduction and report generation capabilities, Verify that log reduction and report generation capabilities exist
run: |
RESULTS=$(find . -type f -name '*.rs' -not -path './target/*' -print0 2> /dev/null \
| xargs -0 -i bash -c \
'grep "with_filter" {}' | wc -l)
if [ "${RESULTS}" -eq 0 ]; then ( echo "❗ [T437] no 'with_filter' calls found to restrict tracing output" && exit 1 ); fi
echo "✅ [T437] 'with_filter' calls found to restrict tracing output"
echo "✅ [T438] Log reduction implemented with log levels. See T437."
- name: T633 (N/C) - Mitigate deadlock and recursion in services
run: |
echo "✅ [T633] Restarting event mgr and Rust threading guarantees used to mitigate deadlock/recursion "
- name: (T34, T31, T127, T519) (N/C) - Refuse overly-long, malformed, non-printable characters, Validate all forms of input, Test for null byte injection, Test that input validation is done on all forms of input
run: |
cat simics-fuzz/src/args/mod.rs
echo "✅ [T34] Strongly-typed argument parsing in use, strings UTF-8 enforced by Rust std"
echo "✅ [T31] Input arguments are validated. See T34 output."
echo "✅ [T127] Malformed inputs are rejected via strong argument typing. See T34."
echo "✅ [T519] Input validation implemented. See T34."
- name: (T45, T315) (N/C) - Log potential critical security events, Verify that potential security-critical events are logged
run: |
grep -A48 "let mut harness" simics-fuzz/src/fuzzer/mod.rs
echo "✅ [T45] This project is a security tool. Potential identified security issues logged by fuzzer loop"
echo "✅ [T315] Security critical events are logged. See T45."
- name: (T159, CT185, T403, T187) (N/C) - Follow best practices for secure error and exception handling, Implement full error and exception handling, Verify that errors and exceptions are securely handled, Verify that errors and exceptions are securely handled
run: |
find . -type f -name 'lib.rs' -not -path './target/*' -print0 2> /dev/null \
| xargs -0 -i bash -c \
'grep -q "unwrap_used" {} || ( echo "❗ [T159] No #![deny(clippy::unwrap_used)] directive found in {}" && exit 1 )'
echo "✅ [T159] #![deny(clippy::unwrap_used)] found in all lib.rs files"
echo "✅ [CT185] Full error and exception handling implemented. See T159 output."
echo "✅ [T403] Full error and exception handling implemented. See T159 output."
echo "✅ [T187] Full error and exception handling implemented. See T159 output."
- name: T205 (N/C) - Avoid inter-process race conditions
run: |
# This can't be grepped for
echo "✅ [T205] Data races are guarded against by using safe Rust in inter-process/inter-thread code"
- name: T206 (N/C) - Avoid TOCTOU race conditions against external resources
run: |
# This is very hard to grep for
echo "✅ [T206] Accessed resources are taken when they are checked"
- name: (T47, T229) (N/NA) - Do not log confidential data, Test that logs do not contain confidential data
run: |
echo "✅ [T47] This project does not deal with confidential data/PII"
echo "✅ [T229] This project does not deal with confidential data/PII. See T47."
- name: CT188 (N/C) - Configure minimal permissions on temporary files and directories
run: |
grep -i "DEFAULT_PERMISSIONS" util/tmp-dir/src/lib.rs
echo "✅ [CT188] Default permissions are safely set for temporary directories"
- name: T232 (N/C) - Verify that end-user transaction logs capture sufficient information
run: |
LOG_MESSAGES=$(find . -type f -name '*.rs' -not -path './target/*' -exec grep -E "trace\!|debug\!|info\!|warn\!|error\!" {} \; 2> /dev/null | wc -l)
echo "✅ [T232] ${LOG_MESSAGES} found in project"
# NOTE: We ignore vulnerabilities in GH actions' node packages explicitly, they
# are not relevant for us because we also use action checks
- name: (CT247/CT200) (N/C) - Scan 3rd-Party Components for Vulnerabilities, Verify that project is not using vulnerable 3rd party components
run: |
# shellcheck disable=SC2086,SC2143
LATEST="$(find '.github/dependabot' -name '*.csv' -print0 \
| xargs -r -0 ls -1 -t \
| head -n 1)"
if ! find '.github/dependabot' -name '*.csv' -mtime -14 | grep -q '.'; then
echo "❗ [CT247/CT200] No dependabot report found from last 2 weeks. Run ./scripts/dependabot.sh."
exit 1
fi
if tail -n+2 "${LATEST}" | grep -qv ".github/actions/toolchain"; then
cat "${LATEST}"
echo "❗ [CT247/CT200] Vulnerabilities found outside of github actions. Please remediate them."
exit 1
fi
echo "✅ [CT247/CT200] No dependabot vulnerabilities found"
- name: (CT72/CT98) (N/C) - Secure Configuration Guidance
run: |
echo "✅ [CT72/CT98] Manual secure configuration check:"
echo " - No 3rd party software/services distributed/deployed"
echo " - Dependencies configuration:"
echo " - LibAFL configured to *not* bind publicly by default"
echo " - Rust software builds with ASLR by default"
echo " - Features not used other than SIMICS version"
echo " - Compatibility settings used for SIMICS version"
echo " - No legacy features"
- name: (T186) (N/C) - Use recommended settings and latest patches for third party libraries and software
run: |
cargo audit
if ! cargo outdated --exit-code 1; then
echo "❗ [T186] Out of date third party dependencies found"
exit 1
fi
echo "✅ [T186] No outdated or vulnerable third party dependencies found"