Hi Aaron,
The issues detected by CodeQL appear under the security tab.
Probably not available unless you're a member of the repo.
You can read about it here:
The analysis is enabled by a CI workflow:
https://github.com/netsurf-browser/libcss/blob/master/.github/workflows/static-analysis.yaml#L48
There were three issues which I've squashed. I put the CodeQL Rule ID and description in the commit messages so you can see an example:
Best regards,
Michael
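For readers who want to see what such a CI workflow looks like, here is an added, minimal GitHub Actions CodeQL workflow for a C code base. It is an illustration written for this page, not the NetSurf project's own static-analysis.yaml linked above; the branch name, schedule, query suite and the `make` build command are assumptions and would need to match the real project. The `security-events: write` permission is what allows the results to be uploaded to the repository's Security tab (the tab only repository members can see, as noted above).

```yaml
# Added example workflow (hypothetical, not the NetSurf project's file).
name: CodeQL static analysis

on:
  push:
    branches: [ master ]        # assumption: default branch name
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 3 * * 1'         # assumption: weekly scan so new queries catch old code

permissions:
  contents: read
  security-events: write        # required to upload results to the Security tab

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Initialise CodeQL for C/C++ and select the broader security-and-quality
      # query suite rather than the default set.
      - uses: github/codeql-action/init@v3
        with:
          languages: cpp
          queries: security-and-quality

      # CodeQL for C needs to observe a real compilation, so the library is
      # built here. The exact build command is an assumption (placeholder).
      - name: Build
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential
          make

      # Run the queries and upload the SARIF results to the Security tab.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:cpp"
```

When reviewing findings, the Rule ID shown in the Security tab (for example in the alert title) is the same identifier that can be quoted in a fixing commit message, which is what the message above describes doing for the three issues found.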
On Wed, 17 Sept 2025 at 14:49, Aaron Boxer <dmarc-noreply@freelists.org> wrote:
Hi Michael,

Thanks, that helps. I looked at the GitHub mirror but CodeQL does not seem available - do you make this public elsewhere? The fact that libcss only does parsing and not rendering does reduce the attack surface, but there are a number of parsing vulnerabilities like ReDoS that have affected other libraries such as the WebKit CSS parser.

Best,
Aaron

On Wednesday, September 17th, 2025 at 9:29 AM, Michael Drake <dmarc-noreply@freelists.org> wrote:
Hi Aaron,

For static analysis we have Coverity and Clang scan-build for libcss on Jenkins. And on the GitHub mirror we have CodeQL.

Some of our libraries have been fuzzed but I'm not sure if it's done routinely or ad-hoc. I'm also not sure if libcss was covered.

Best regards,
Michael

On Wed, 17 Sept 2025 at 14:20, Aaron Boxer <dmarc-noreply@freelists.org> wrote:

Hello!

I am interested in learning more about the safety and security of the NetSurf project in general, and the libcss library in particular. I don't see any CVEs listed for NetSurf; have there been any security incidents in the past, and is there any infrastructure in place like fuzzing or static analysis to mitigate standard C security issues like buffer overflow or use after free?

I am interested in libcss in particular because I would like to use it in another project, GStreamer, which is part of many Linux distros; security is a big issue.

Many Thanks,
Aaron