Merge branch 'main' into add-libmodbus-checker

Author: terriko

.github/actions/spelling/allow.txt

@@ -139,6 +139,7 @@ dsa
 dtls
 e
 elfutils
+emacs
 endoflife
 enscript
 entrypoint
@@ -167,6 +168,7 @@ filetype
 filterdiv
 firefox
 flac
+fluidsynth
 freeradius
 freerdp
 FReeshabh
@@ -217,6 +219,7 @@ gsoc
 gstreamer
 gupnp
 gvfs
+gzip
 Hacktoberfest
 haproxy
 harfbuzz
@@ -272,6 +275,7 @@ kodi
 kritirikhi
 kubernetes
 landley
+ldns
 lftp
 lgpl
 lgtm
@@ -296,6 +300,7 @@ libksba
 liblas
 libmatroska
 libmemcached
+libmicrohttpd
 libnss
 libpcap
 libpng
@@ -351,6 +356,7 @@ metabiswadeep
 metadata
 microsoft
 mingw
+mini
 minicom
 minidlna
 miniupnpc
@@ -442,6 +448,7 @@ perl
 php
 picocom
 pigz
+pixman
 plotly
 png
 pocoo
@@ -517,6 +524,7 @@ securityscorecards
 shadowsocks
 shreyamalviya
 sip
+sngrep
 snort
 sofia
 somefile
@@ -552,6 +560,7 @@ syslogng
 sysstat
 systemd
 SYSV
+tagvalue
 taskbar
 tcpdump
 tcpreplay

.github/dependabot.yml

@@ -7,3 +7,52 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: pip
+    directory: /doc
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+
+# Scanning is disabled for files in /test/ to avoid false positives.
+# These files are used for testing; vulnerable code is never installed or used.
+
+  - package-ecosystem: cargo
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: bundler
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: gomod
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: pip
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: maven
+    directory: /test/language_data
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+

.github/workflows/codeql-analysis.yml

@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '38 0 * * 4'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -38,12 +41,17 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +62,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5

.github/workflows/coverity.yml

@@ -10,8 +10,13 @@ jobs:
   coverity:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
-    - uses: vapier/coverity-scan-action@v1
+    - name: Harden Runner
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+    - uses: vapier/coverity-scan-action@cae3c096a2eb21c431961a49375ac17aea2670ce # v1.7.0
       with:
         email: ${{ secrets.COVERITY_SCAN_EMAIL }}
         token: ${{ secrets.COVERITY_SCAN_TOKEN }}

.github/workflows/cve_scan.yml

@@ -5,14 +5,22 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   cve_scan:
     name: CVE scan on dependencies
     runs-on: ubuntu-22.04
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
           cache: 'pip'
@@ -22,7 +30,7 @@ jobs:
         run: |
           echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
       - name: Get cached database
-        uses: actions/cache@v3
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, 
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6

.github/workflows/export_data.yml

@@ -14,14 +14,25 @@ env:
   NO_EXIT_CVE_NUM: 1
   nvd_api_key: ${{ secrets.NVD_API_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-22.04
 
     steps: 
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
 
@@ -39,7 +50,7 @@ jobs:
           python -m cve_bin_tool.cli --export-json exported_data
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
         with:
           commit-message: 'chore: update database copy'
           title: 'chore: create copy of NVD database'

.github/workflows/formatting.yml

@@ -7,13 +7,24 @@ on:
     paths:
       - 'cve_bin_tool/checkers/__init__.py'
 
+permissions:
+  contents: read
+
 jobs:
   formatting:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update checkers table
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
           cache: 'pip'
@@ -25,7 +36,7 @@ jobs:
         run: |
           python cve_bin_tool/format_checkers.py
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
         with:
           commit-message: "chore: update checkers table"
           title: "chore: update checkers table"

.github/workflows/linting.yml

@@ -5,6 +5,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   linting:
     name: Linting
@@ -14,8 +17,13 @@ jobs:
       matrix:
         tool: ['isort', 'black', 'pyupgrade', 'flake8', 'bandit', 'gitlint', 'mypy']
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: '3.x'
           cache: 'pip'

.github/workflows/sbom.yml

@@ -6,16 +6,27 @@ on:
     # Runs at 02:00 UTC every Monday
     - cron: '2 0 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   sbom_gen:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Generate SBOM
     runs-on: ubuntu-22.04
     strategy:
       matrix:
         python: ['3.7', '3.8', '3.9', '3.10', '3.11']
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
@@ -50,7 +61,7 @@ jobs:
           cp cve-bin-tool-py${{ matrix.python }}.json sbom/cve-bin-tool-py${{ matrix.python }}.json
       - name: Create Pull Request
         if: ${{ steps.diff-sbom.outputs.changed }}
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
         with:
           commit-message: "chore: update SBOM for Python ${{ matrix.python }}"
           title: "chore: update SBOM for Python ${{ matrix.python }}"