Conversation

@dxcSithLord
No description provided.

mend-bolt-for-github bot and others added 3 commits February 11, 2020 17:44
Configure WhiteSource Bolt for GitHub

This commit addresses critical security vulnerabilities identified during
a comprehensive security audit of the libsqrl codebase.

## Security Fixes (CWE-226, CWE-200, CWE-119)

### Secure Memory Clearing
- Implemented secure memory clearing functions in sqrl_secure.c
- Added sodium_memzero() calls to clear temporary key buffers in crypt.c
- Fixed memory leaks of sensitive cryptographic material
- Clear signature buffers after use in client_protocol.c
- Securely wipe transaction strings before freeing

### Buffer Overflow Prevention (CWE-119)
- Replaced unsafe strcpy() with sqrl_secure_strcpy() in:
  - client_protocol.c: Challenge/URL/SIN parsing
  - server.c: User blob operations
  - uri.c: URL parsing operations
  - client.c: Alternative identity handling
- All string operations now include bounds checking

### Sensitive Data Exposure (CWE-200)
- Clear URI data before freeing (sqrl_uri_free)
- Clear transaction strings before freeing
- Clear altIdentity tokens before freeing
- Clear user blob data before freeing

## Dependency Updates

### libsodium
- Pinned to version 1.0.20 (was: unpinned "stable" branch)
- Ensures reproducible builds and known security characteristics

### CMake
- Updated minimum from 2.8 to 3.10
- Required for CMake 4.0+ compatibility
- Avoids deprecation warnings

### Build Configuration
- Changed default build type to Release (was Debug)
- Added compiler hardening flags:
  - -Wall -Wextra -Wformat-security
  - -fstack-protector-strong
  - -D_FORTIFY_SOURCE=2
- Added linker hardening: -Wl,-z,relro,-z,now

## Test Coverage

- Added secure_test.c for testing secure memory functions
- Tests for sqrl_secure_strcpy(), sqrl_secure_strcat()
- Tests for sqrl_secure_free_string(), sqrl_secure_memzero()
- Security parameter validation tests
- Integrated into CTest framework

## CI/CD Pipeline

- Added GitHub Actions workflow (.github/workflows/ci.yml)
- Multi-OS testing (Ubuntu latest, 22.04)
- Both Release and Debug build testing
- Static analysis with cppcheck
- Memory sanitizer testing (AddressSanitizer)
- Security vulnerability scanning
- Dependency version verification
- Dangerous function detection

## Documentation

- Added comprehensive SECURITY_AUDIT.md report
- Detailed vulnerability findings with CWE references
- Upgrade path documentation for all dependencies
- Remediation plan with priorities
- Compliance notes (OWASP Top 10)

Files modified:
- CMakeLists.txt: Dependency updates, hardening flags
- src/crypto/crypt.c: Secure key buffer clearing
- src/client_protocol.c: Secure string ops, buffer clearing
- src/client.c: Secure altIdentity handling
- src/server.c: Secure user blob operations
- src/transaction.c: Secure transaction cleanup
- src/uri.c: Secure URI parsing and cleanup

New files:
- src/sqrl_secure.h: Secure utility function declarations
- src/sqrl_secure.c: Platform-aware secure implementations
- src/test/secure_test.c: Security function test suite
- .github/workflows/ci.yml: CI/CD pipeline
- SECURITY_AUDIT.md: Comprehensive audit report
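As an added illustration of the two fixes the commit names (a bounds-checked replacement for strcpy() for CWE-119, and buffer wiping the optimizer cannot drop for CWE-226), the following is example code written for this page, not libsqrl's own sqrl_secure.c; the example_* names and their signatures are assumptions standing in for the project's sqrl_secure_strcpy(), sqrl_secure_memzero() and sqrl_secure_free_string().

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for the bounded copy (assumed; not libsqrl's API). */
enum { SECURE_OK = 0, SECURE_ERR_PARAM = -1, SECURE_ERR_TRUNC = -2 };

/* Wipe a buffer so the write survives optimisation (CWE-226).
 * A memset() immediately before free() is a dead store that compilers may
 * elide; writing through a volatile pointer keeps every byte write
 * observable. libsodium's sodium_memzero(), used by the commit, has the
 * same goal. */
void example_secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Bounded copy replacing strcpy() (CWE-119). Never writes past
 * dst[dst_size - 1], always NUL-terminates when dst_size > 0, and reports
 * truncation instead of silently producing a partial string. */
int example_secure_strcpy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return SECURE_ERR_PARAM;

    /* Measure src without scanning further than dst could ever hold. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') len++;

    if (len == dst_size) {
        /* Source does not fit: copy what fits, terminate, signal truncation
         * so the caller can reject the oversized challenge/URL/SIN input. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return SECURE_ERR_TRUNC;
    }
    memcpy(dst, src, len + 1);   /* includes the terminating NUL */
    return SECURE_OK;
}

/* Free path for sensitive strings (transaction strings, altIdentity tokens):
 * wipe the contents first, then release the allocation (CWE-200). */
void example_secure_free_string(char *s) {
    if (s == NULL) return;
    example_secure_memzero(s, strlen(s));
    free(s);
}
```

The truncation return is the important difference from strncpy(): a caller that ignores it still gets a terminated, in-bounds string, and a caller that checks it can refuse the input rather than parse a silently shortened URL.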