[Security] Build & supply-chain security — blocking CI security gates, toolchain hardening, source/dependency pinning #149
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The build/CI/supply-chain block: make security scans blocking CI gates (SAST, sanitizers, dependency-CVE, secret-scan, fuzzing), harden the toolchain, pin all third-party sources to integrity-verified identities, and maintain a dependency inventory / SBOM.
Part of #144. Decision legend: M must-do, C could-do, W won't-do (this cycle); investigate = verify the problem is real / scope it before implementing.
Subtasks & findings
T12 — Toolchain hardening (PIE/RELRO/noexecstack) + null-deref warn
Owner: Either · Decision: M · Effort: ~3–4d · Investigate: triage -Wnull-dereference false positives (MEM-08)
Across both build systems; add checksec CI gate.
configure.ac (no -fPIE/-pie); meson.build:33,64-71,536configure.ac:454-464 (gated behind --enable-hardening)T14 — Supply-chain source pinning (wrap + Actions + images + clones)
Owner: Either · Decision: M / C · Effort: ~2–3d
Shared pin lint; merges SUP-05 + CIS-03.
subprojects/libstrophe.wrap:3Dockerfile.debian:2,44-45; Dockerfile.arch:1,61-65T15 — Dependency inventory & version floors (SBOM deferred)
Owner: Either · Decision: C / W · Effort: ~0.5d now; +3–4d if SBOM
Align gpgme/gcrypt/sqlite floors now (C); SBOM generation is W (deferred).
configure.ac:309,351; meson.build:96 (sqlite 3.22.0 vs 3.35.0)no *.spdx/*.cdx/bom.* in treeT17 — CI security gates (BIG umbrella — REQ-CIS-04)
Owner: Either · Decision: M (mixed) · Effort: ~1w+ (phased) · Investigate: investigate/triage first green of each scan; SDLC-05 not urgent
User-flagged BIG. Make scans blocking. SDLC-04 = W; SDLC-05 = investigate/not-urgent.
ci-code.yml continue-on-error; no sanitizer/fuzz jobconfigure.ac:74-75,441-452; ci-build.sh:193-205ci-code.yml (no CVE scan); no .github/dependabot.ymlno gitleaks/detect-secrets in .github/workflowsci-code.yml:40,94no fuzz/oss-fuzz/libfuzzer targets or corpusChecklist
T12 — Toolchain hardening (PIE/RELRO/noexecstack) + null-deref warn
T14 — Supply-chain source pinning (wrap + Actions + images + clones)
T15 — Dependency inventory & version floors (SBOM deferred)
T17 — CI security gates (BIG umbrella — REQ-CIS-04)
Notes