-
Aqua Security’s Trivy GitHub Action was compromised, and Checkmarx’s KICS too: a reminder that I wrote an Actions audit script that can search for particular Actions and versions run in workflows (or just list all Actions with exact commit versions run in all workflows).
Auditing script:
https://github.com/github/audit-actions-workflow-runs
StepSecurity blogs in the thread 🧵
-
I added Pyre 🔥 to my :python: linter Action , adding a 4th type checker to choose from.
-
@joxean tilck, seL4 or the Firefly Kernel might fit the bill?
https://github.com/vvaltchev/tilck
-
I've made a Python :python: code linting Action ▶️ for GitHub :github: Code Scanning.
It wraps up #Ruff, #Flake8, #Pylint, #Fixit2, #Mypy, #Pyright and #Pytype into an Action that uploads to Code Scanning, part of Advanced Security, the GitHub appsec platform.
ℹ️ that’s free for open source repos hosted on GitHub!
Read 📖 about it👇 on my blog:
https://lnkd.in/es_pd2W6
Try ⚙️ it👇 on the Actions ▶️ marketplace:
https://lnkd.in/ei7-H2V9
#Python #Linting #CodeQuality #Linters #SARIF #GitHubActions
-
@hpux735 a cloud editor can break the constraints of being on an iPad, e.g. Codespaces:
https://dev.to/cubikca/using-github-codespaces-on-ipad-5412
https://github.com/features/codespaces
There’s a technical preview of CoPilot Voice that might help, since that works with VSCode, and that’s the IDE in Codespaces:
https://githubnext.com/projects/copilot-voice/
#CoPilotVoice #Accessibility #VisuallyImpaired #BlindCoding #SpeechToText #TextToSpeech
-
Do you want Infrastructure as Code security? :kubernetes: :github: :microsoft:
Do you use CodeQL to scan your code (which is, btw, free for open source code)?
From today you can use #CodeQL to scan it, using a new open source package written by my team mate @geekmasher
Scan #Terraform, #GitHubActions, #HelmChart, and #AzureBicep, with more in progress.
#IAC #InfrastructureAsCode #SAST #CodeSecurity #CodeSmells #StaticAnalysis #GitHub #AdvancedSecurity
-
I've had my first :github: CodeQL query merged into the experimental section of the official CodeQL rules!
https://lnkd.in/dk_tTiQZ (and a "local" variant, https://lnkd.in/dP88QJwa).
That's query ids java/command-line-injection-extra and java/command-line-injection-extra-local
They spot something the existing :java: command injection query does, but in a way that's more robust to unusual code.
It’s an edge case, but one that was important to a customer.
-
I've wrapped up SpotBugs/FindSecBugs in a bow 🎁 in a GitHub Action, so you can use it in GitHub Code Scanning - free for open source projects, and also available for paid users of GitHub Advanced Security.
SpotBugs and FindSecBugs work with JVM languages - Scala, Java, and Clojure, mainly.
https://github.com/marketplace/actions/spotbugs-with-findsecbugs
Point it at the results of the build, and go.
#GitHub #SAST #Scala #JVM #Clojure #Java #CodeSecurity #SpotBugs #FindSecBugs #DevSecOps #SDLC
-
@Logical_Error I’ve not done it myself, but they have detailed docs on contributing patches: https://docs.kernel.org/process/submitting-patches.html
-
I’ve released 🤲 a GitHub Action to convert Dart/Flutter analyzer output to SARIF.
That lets you upload ⬆️ the results to GitHub Advanced Security, as I show in a sample workflow.
-
I have a plan around #Scala :scala:
I want to statically analyse it using tools that understand #Java :java: , by decompiling the .class files that the Scala source compiles to, then analysing the decompiled Java source.
That works 💪 (on trivial stuff!) but I need to match up line numbers. Scala's debug output in .tasty files and some decompiler info should do, but I haven't done it yet.
Thoughts?
Know a good static analyser for Scala that outputs SARIF?
-
:github: is looking for #Swift #opensource projects to try out the upcoming Swift support in #GitHub code scanning.
Sign up here:
https://github.com/github/codeql/discussions/12522
You’ll be able to get access to the new CodeQL-powered static source code analysis before it ships to everyone else.
#SwiftLang #IOSdev #SAST #SecureCoding #DevSecOps #CodeQL #BetaTesting #PrivateBeta #MobileDev
-
There’s some really top notch secure coding advice on this site 🤣
https://raisistance.com/implementing-gets-in-a-safe-manner/
(via LiveOverflow)
#gets #SecureCoding #AdversarialAI #AdversarialAttack #Luddites
-
@vordenken as a happy owner of the MX Keys Mini for Mac I’m curious what the result will be!
-
@thecesrom Jythooooooooon! In my best Kirk voice.
:java: and :python: together is a great idea, but not having the Python 3 `main` branch working, and having no clear progress makes it feel like Perl 6 all over again.
They should rename their moribund Jython3 repo, that's just confusing!
It's such a shame, useful Java scripting interfaces languishing in a dying ecosystem.
There was a similar lag with things that embed CPython, but they have an escape route.
-
@bug a u2; or an s2, if it's signed.
A byte is a u8, a nibble :blobcatcookienom: is a u4.
A dword is a u32 and a qword is a u64... and so on.
Simple, unambiguous, and it even tells you whether it's signed or unsigned... but it's not cute :blobfoxboopcute:, I grant you.
I think it's unlikely to be confused with the high-altitude plane ✈️ or the rock band :blobcatcool:, given context 😁
-
GitHub :github: is laying off 10% of staff - reported in Fortune today:
I'm at :github: so please be thoughtful with your responses 🙏
-
You know how when you do...
```sh
my_cmd file_to_read > file_to_read
```
...then the redirect to write to the file truncates the file you're reading before you read from it?
Yeah, so do I. I learned that years ago.
I also refamiliarised myself with it today... 🤦
"Why is the file I'm reading from empty??" :t_blink:
When I write fragments of shell scripts in a Dockerfile or a GitHub Action my brain stops working :blobcatgoogly:
-
CW: Poll 📊 Software dev workflow
What does your team dev workflow look like?
Please tick which apply, or comment for more info.
For those who use a monorepo with trunk-based workflow, can you teach me how code review, linting and security testing (e.g. SAST) fit into your workflow?
-
@hywan gcc is not wrong though. You need to check upfront with a decent bounds check that what you will do is OK in C, rather than do it, then see if something undefined happened.
Unfortunately there weren't good tools in the C or C++ stdlib to do checking for a long time.
For C++: https://learn.microsoft.com/en-us/cpp/safeint/safeint-library
C from c23 has builtins to do this, and each common compiler does too:
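An added example (not the poster's code) of the "check up front" approach the reply describes: a portable pre-check against the type's limits, and the GCC/Clang `__builtin_*_overflow` builtins, which the example assumes are available.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example: checking up front that an arithmetic result fits,
 * rather than computing it and then inspecting the (undefined) result. */

/* The pattern compilers warn about. Signed overflow is undefined behaviour,
 * so the optimiser may assume `sum` never wrapped and drop the test. */
static bool add_then_check_unsafe(int a, int b, int *out)
{
    int sum = a + b;                               /* UB if it overflows */
    if ((b > 0 && sum < a) || (b < 0 && sum > a))  /* may be optimised away */
        return false;
    *out = sum;
    return true;
}

/* Portable pre-check: compare against the type's limits before adding. */
static bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;                              /* would not fit */
    *out = a + b;                                  /* now well defined */
    return true;
}

/* Compiler builtin (GCC 5+, Clang; C23 standardises this as ckd_mul in
 * <stdckdint.h>): true when the exact product does not fit in *out. */
static bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    return !__builtin_mul_overflow(a, b, out);
}

/* Typical use: bytes to allocate for n records of rec_size bytes plus a
 * 16-byte header (constructed value), refusing any size that overflows. */
static bool record_buffer_size(size_t n, size_t rec_size, size_t *bytes)
{
    size_t payload;
    if (!checked_mul_size(n, rec_size, &payload))
        return false;
    return !__builtin_add_overflow(payload, (size_t)16, bytes);
}
```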
https://stackoverflow.com/questions/199333/how-do-i-detect-unsigned-integer-overflow
-
@joxean I usually think of "sound" in SAST as "no false negatives" (for what you are modelling, of course).
Now wrap your head around what a "soundy" analysis is...
-
@superbart the server rules ask for you to post in English only.
Sorry / 对不起.
The server rules have other restrictions on content: https://fosstodon.org/about
I'm not a mod or a server owner - you can find who they are on the website.
-
Ding, dong, the CVE is dead! :partyparrot:
The JWT nodejs "vulnerability" from December, popularised at the start of January, has been recognised as a non-issue 🫥
I'm really glad to see it gone. Hoping we get a rash of news stories to follow up on the torrent 🌊 that followed the Unit 42 blog...
I'm not sure if its removal was down to me raising an issue on the GitHub Advisory Database :omya_github: to ask for it to be removed.
#jwt #cve #errata #cve_2022_23529 #auth0 #unit42 #jsonwebtoken
-
@joxean I think a fine-grained callgraph including call site information would break this tie.
Match the call sites in the two binaries, using instruction-level comparisons. You can then differentiate between the two call edges, based on which call site they are from.
-
@rmdes I had the same thought a while back, but didn't do anything other than muse on it. Thanks for sharing!
The phrase "who pays the piper plays the tune" came to mind, could be a tagline?
This project looks at the funding of UK politicians:
https://www.tortoisemedia.com/audio/the-westminster-accounts/
Some global analysis for news orgs like that could complement what an extension can do.
-
@einonm vim is software that is quite complex and not written in a memory safe language, and not formally proven to be correct.
It has a history of vulnerabilities, like any similar software.
https://www.cvedetails.com/vulnerability-list/vendor_id-8218/opec-1/VIM.html
-
@Edent We are talking about tech people rely on for their safety, so that wasn't just for your benefit.
I use a "secure" walkie talkie on some days out - useful in a maze! - and have no illusions that it's actually secure (nor does it need to be).
-
@Edent why did you choose Berty? Their own blog cautions against using it; albeit saying it isn't "war ready".
Their security claims haven't been externally verified, so I think it's premature to use it for anything other than experimentation or messages you don't mind being read.
-
@ehmatthes you could roll your own with Python's ast module, I reckon.
Try :github: CodeQL for this (free for open source). It'd be pretty easy to get call graph nodes and edges and make a GraphViz diagram (or other graph):
https://github.com/github/codeql/discussions/8063
Another option would be TreeSitter, again by :github:. There's a :rust: crate for making graphs from TreeSitter: https://github.com/tree-sitter/tree-sitter-graph
(I work at GitHub)
Joern also supports Python: https://docs.joern.io/cpgql/calls/
-
A caveat to what I said - there *are* rogue Certificate Authorities out there:
That's not to say rogue CAs are a threat to every system or user equally. As the article points out, they will probably be used sparingly to get at high value targets.
Anyway, take care to audit which CAs you trust in your browsers and other applications.
If you have a very specialised server application it doesn't need to trust 100-odd CAs!