Hi Michael,
Thanks, that helps. I looked at the GitHub mirror but CodeQL does not seem to be available - do you make this public elsewhere? The fact that libcss only does parsing and not rendering does reduce the attack surface, but there are a number of parsing vulnerabilities like ReDoS that have affected other libraries such as the WebKit CSS parser.
Best,
Aaron
On Wednesday, September 17th, 2025 at 9:29 AM, Michael Drake <dmarc-noreply@freelists.org> wrote:
Hi Aaron,

For static analysis we have Coverity and Clang scan-build for libcss on Jenkins. And on the GitHub mirror we have CodeQL.

Some of our libraries have been fuzzed but I'm not sure if it's done routinely or ad-hoc. I'm also not sure if libcss was covered.

Best regards,
Michael

On Wed, 17 Sept 2025 at 14:20, Aaron Boxer <dmarc-noreply@freelists.org> wrote:

Hello!

I am interested in learning more about the safety and security of the NetSurf project in general, and the libcss library in particular. I don't see any CVEs listed for NetSurf. Have there been any security incidents in the past, and is there any infrastructure in place like fuzzing or static analysis to mitigate standard C security issues like buffer overflow or use after free?

I am interested in libcss in particular because I would like to use it in another project, GStreamer, which is part of many Linux distros; security is a big issue.

Many Thanks,
Aaron