Merge branch 'main' into fix-html-report-severity-4392

Author: JigyasuRajput

.github/actions/spelling/allow.txt

@@ -15,6 +15,7 @@ apcupsd
 api
 apk
 apparmor
+apr
 ares
 argparse
 Args
@@ -54,6 +55,7 @@ blog
 bluetooth
 bluetoothctl
 bluez
+boa
 boinc
 bolt
 boot
@@ -77,6 +79,7 @@ ceph
 cfa
 cfea
 cff
+cflow
 chaitanyamogal
 Changelog
 charset
@@ -149,6 +152,7 @@ dio
 Dio
 distro
 distros
+djvulibre
 dlt
 dmidecode
 dnsmasq
@@ -221,6 +225,7 @@ ftp
 ftpd
 fuzzer
 g
+GAAD
 GAD
 gawk
 gcc
@@ -294,6 +299,8 @@ ikeydoherty
 img
 imgur
 imsahil
+inclusivity
+indent
 INI
 inosmeet
 iperf
@@ -597,6 +604,7 @@ readthedocs
 realpython
 rebasing
 redhat
+redis
 refactored
 refactoring
 regex
@@ -702,6 +710,7 @@ toml
 toolkit
 tools
 tor
+toybox
 tpm
 traceroute
 transmission
@@ -737,6 +746,7 @@ util
 utkarsh
 utm
 uuid
+uwsgi
 v
 varnish
 venv
@@ -756,6 +766,8 @@ Vulnerability
 Vulnerabity
 vulnerablities
 vulnerablity
+wavpack
+WCAG
 webkitgtk
 webserver
 website
@@ -785,6 +797,7 @@ xml
 xscreensaver
 xvf
 xwayland
+xz
 yakkety
 yaml
 yashugarg

.github/workflows/build-wheel.yml

@@ -28,7 +28,7 @@ jobs:
         egress-policy: audit
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+    - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'

.github/workflows/codeql-analysis.yml

@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+      uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+      uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9

.github/workflows/cve_scan.yml

@@ -22,7 +22,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
           cache: 'pip'

.github/workflows/formatting.yml

@@ -24,7 +24,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
           cache: 'pip'

.github/workflows/fuzzing.yml

@@ -19,17 +19,17 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 
-        uses: actions/setup-python@v5.3.0
+        uses: actions/setup-python@v5.4.0
         with:
           python-version: 3.9  
 
       - name: Install Bazel  
         run: |
           sudo apt-get update
           sudo apt-get install -y wget
-          wget -c https://github.com/bazelbuild/bazelisk/releases/download/v1.18.0/bazelisk-linux-amd64
-          chmod +x bazelisk-linux-amd64
-          sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
+          wget -c https://github.com/bazelbuild/bazel/releases/download/7.4.1/bazel-7.4.1-linux-x86_64
+          chmod +x bazel-7.4.1-linux-x86_64
+          sudo mv bazel-7.4.1-linux-x86_64 /usr/local/bin/bazel
           bazel --version
 
       - name: Install Fuzzing Dependencies  
@@ -67,7 +67,7 @@ jobs:
         if: env.sbom != 'true'
         run: |
           [[ -e fuzz-cache ]] && mkdir -p .cache && mv fuzz-cache ~/.cache/cve-bin-tool
-          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
+          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out --disable-data-source CURL,EPSS,GAD,NVD,OSV,PURL2CPE,RSD
           cp -r ~/.cache/cve-bin-tool fuzz-cache
           
       - name: Run Fuzzing 
@@ -84,4 +84,4 @@ jobs:
           at_index=$((($(date -u +%U) % ${#fuzzing_scripts[@]})))
           selected_script="${fuzzing_scripts[$at_index]}"
           echo "Selected script: $selected_script"
-          timeout --preserve-status --signal=SIGINT 60m python $selected_script
+          timeout --preserve-status --signal=SIGINT 60m python $selected_script

.github/workflows/linting.yml

@@ -23,7 +23,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
           cache: 'pip'

.github/workflows/sbom.yml

@@ -27,7 +27,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'

.github/workflows/testing.yml

@@ -49,7 +49,7 @@ jobs:
             pypi.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
           cache: 'pip'
@@ -72,7 +72,7 @@ jobs:
     runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     strategy:
       matrix:
-        python: ['3.9', '3.11', '3.12', '3.13']
+        python: ['3.9', '3.10', '3.11', '3.12']  # updated: replaced 3.13 with 3.10 in short tests
     timeout-minutes: 90
     steps:
       - name: Harden Runner
@@ -108,7 +108,7 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
@@ -185,7 +185,7 @@ jobs:
           test/test_cvedb.py
 
   long_tests:
-    name: Long tests on Python 3.10
+    name: Long tests on Python 3.13
     permissions:
       contents: read
     if: |
@@ -204,26 +204,22 @@ jobs:
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
-          python-version: '3.10'
+          python-version: '3.13'
           cache: 'pip'
 
-#      - name: "Skip tests if this is an automated sbom job"
-#        env:
-#          COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
-#        run: |
-#          if ${COMMIT_VAR} == true; then
-#            echo "sbom=true" >> $GITHUB_ENV
-#            echo "sbom set to true"
-#          else
-#            echo "sbom=false" >> $GITHUB_ENV
-#            echo "sbom set to false"
-#          fi
-#
-      - name: "FIXME: Skip tests so we can break out of failure loop"
+      - name: "Skip tests if this is an automated sbom job"
+        env:
+          COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
         run: |
+          if ${COMMIT_VAR} == true; then
             echo "sbom=true" >> $GITHUB_ENV
+            echo "sbom set to true"
+          else
+            echo "sbom=false" >> $GITHUB_ENV
+            echo "sbom set to false"
+          fi
 
       - name: Get date
         id: get-date
@@ -290,7 +286,7 @@ jobs:
           fail_ci_if_error: false
 
   long_tests_languages:
-    name: Long tests on Python 3.10 (language parsers)
+    name: Long tests on Python 3.13 (language parsers)
     permissions:
       contents: read
     if: |
@@ -309,9 +305,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
-          python-version: '3.10'
+          python-version: '3.13'
           cache: 'pip'
 
       - name: "Skip tests if this is an automated sbom job"
@@ -377,7 +373,7 @@ jobs:
           fail_ci_if_error: false
 
   long_tests_scanners:
-    name: Long tests on Python 3.10 (scanners)
+    name: Long tests on Python 3.13 (scanners)
     permissions:
       contents: read
     if: |
@@ -396,9 +392,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
-          python-version: '3.10'
+          python-version: '3.13'
           cache: 'pip'
 
       - name: "Skip tests if this is an automated sbom job"
@@ -464,7 +460,7 @@ jobs:
           fail_ci_if_error: false
 
   long_tests_sync:
-    name: Long tests on Python 3.10 (synchronous)
+    name: Long tests on Python 3.13 (synchronous)
     permissions:
       contents: read
     if: |
@@ -483,9 +479,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
-          python-version: '3.10'
+          python-version: '3.13'
           cache: 'pip'
 
       - name: "Skip tests if this is an automated sbom job"
@@ -603,9 +599,9 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
-          python-version: '3.10'
+          python-version: '3.13'
           cache: 'pip'
       - name: Get date
         id: get-date
@@ -709,7 +705,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.12'
           cache: 'pip'

.github/workflows/update-cache.yml

@@ -31,7 +31,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.13'
           cache: 'pip'

.github/workflows/update-js-dependencies.yml

@@ -28,7 +28,7 @@ jobs:
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
 

.github/workflows/update-pre-commit.yml

@@ -28,7 +28,7 @@ jobs:
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
 

.github/workflows/validate-yml.yml

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.11'
           cache: 'pip'

.pre-commit-config.yaml

@@ -12,6 +12,7 @@ repos:
     rev: 5.13.2
     hooks:
     - id: isort
+      stages: [pre-commit, pre-merge-commit]
       exclude: ^fuzz/generated/
 
 -   repo: https://github.com/psf/black-pre-commit-mirror