[Security] Build & supply-chain security — blocking CI security gates, toolchain hardening, source/dependency pinning #149

Open
opened 2026-07-03 10:29:21 +00:00 by jabber.developer2 · 0 comments
Collaborator

The build/CI/supply-chain block: make security scans blocking CI gates (SAST, sanitizers, dependency-CVE, secret-scan, fuzzing), harden the toolchain, pin all third-party sources to integrity-verified identities, and maintain a dependency inventory / SBOM.

Part of #144. Decision legend: M must-do, C could-do, W won't-do (this cycle); investigate = verify the problem is real / scope it before implementing.

Subtasks & findings

T12 — Toolchain hardening (PIE/RELRO/noexecstack) + null-deref warn

Owner: Either · Decision: M · Effort: ~3–4d · Investigate: triage -Wnull-dereference false positives (MEM-08)

Across both build systems; add checksec CI gate.

  • REQ-MEM-01 (high · m) — Incomplete hardening: autotools lacks PIE/noexecstack, Meson release path ships zero hardening
    • Evidence: configure.ac (no -fPIE/-pie); meson.build:33,64-71,536
    • Fix: Add probed -fPIE -pie -Wl,-z,noexecstack to autotools; move Meson hardening out of is_debug + b_pie/relro/now; add checksec/readelf CI gate on binary + .so across both build systems
    • Maps to: NIST PR.PS-01/PR.PS-06; ISO A.8.25/A.8.27/A.8.28; CIS 16.7
  • REQ-MEM-08 (medium · m (check)) — -Wnull-dereference only under non-CI --enable-hardening
    • Evidence: configure.ac:454-464 (gated behind --enable-hardening)
    • Fix: Enable -Wnull-dereference in one CI config; triage -O2 false positives (marginal if folded into REQ-MEM-02 job)
    • Maps to: NIST PR.PS-01/DE.CM-01; ISO A.8.28

T14 — Supply-chain source pinning (wrap + Actions + images + clones)

Owner: Either · Decision: M / C · Effort: ~2–3d

Shared pin lint; merges SUP-05 + CIS-03.

  • REQ-SUP-01 (high · m) — libstrophe Meson wrap pinned to revision = HEAD (mutable XMPP parser) (merges CIS-2.6/16.5)
    • Evidence: subprojects/libstrophe.wrap:3
    • Fix: Replace revision = HEAD with vetted 40-hex SHA (or tag+source_hash); add CI grep failing on revision = HEAD/bare-branch wraps (shared lint with REQ-SUP-05)
    • Maps to: NIST GV.SC-05/ID.RA-09/PR.PS-01; ISO A.5.21/A.5.23/A.8.8/A.8.30; CIS 2.2/2.6/7.2/16.5
  • REQ-SUP-05 (low) — folded into REQ-SUP-01 (same fix). GitHub Actions pinned to mutable tags, not commit SHAs
  • REQ-SUP-02 (high · c) — CI base images use mutable tags; bootstrapped deps cloned at HEAD unverified
    • Evidence: Dockerfile.debian:2,44-45; Dockerfile.arch:1,61-65
    • Fix: Digest-pin both FROMs; commit-pin the three git clone --depth 1; sha256/gpg-verify the AUR libstrophe-git snapshot
    • Maps to: NIST GV.SC-05/06/07; ISO A.5.20/A.5.21/A.5.23/A.8.30; CIS 7.4/16.5
  • REQ-CIS-03 (high) — folded into REQ-SUP-02 (same fix). Build-time and runtime library sources not pinned to an integrity-verified identity

T15 — Dependency inventory & version floors (SBOM deferred)

Owner: Either · Decision: C / W · Effort: ~0.5d now; +3–4d if SBOM

Align gpgme/gcrypt/sqlite floors now (C); SBOM generation is W (deferred).

  • REQ-SUP-03 (high · c) — gpgme unversioned, libgcrypt no floor, autotools/meson version floors diverge
    • Evidence: configure.ac:309,351; meson.build:96 (sqlite 3.22.0 vs 3.35.0)
    • Fix: Versioned PKG_CHECK_MODULES for gpgme + gcrypt floor; align sqlite3 floor to one source; optional parity lint
    • Maps to: NIST ID.RA-09/GV.SC-04/PR.PS-02; ISO A.5.21/A.8.8/A.8.28; CIS 2.1/2.2/16.4
  • REQ-CIS-01 (medium · w) — No machine-readable SBOM / third-party software inventory (merges CIS-2.1/16.4)
    • Evidence: no *.spdx/*.cdx/bom.* in tree
    • Fix: Author component inventory; script CycloneDX/SPDX generation from PKG_CHECK_MODULES floors; reconcile divergent autotools/meson floors; CI diff-check (overlaps REQ-SUP-03/CIS-08)
    • Maps to: CIS 2.1/16.4/15.1; NIST ID.AM-08/GV.SC-04; ISO A.5.21/A.8.8

T17 — CI security gates (BIG umbrella — REQ-CIS-04)

Owner: Either · Decision: M (mixed) · Effort: ~1w+ (phased) · Investigate: investigate/triage first green of each scan; SDLC-05 not urgent

User-flagged BIG. Make scans blocking. SDLC-04 = W; SDLC-05 = investigate/not-urgent.

  • REQ-CIS-04 (high · BIG: bundles REQ-MEM-02, REQ-SDLC-04, REQ-SUP-04, REQ-SDLC-01, REQ-SDLC-05) — Code-level security checks (SAST/fuzz/sanitizers/CVE/secret scan) not blocking CI (merges REQ-MEM-02-ci/CIS-16.12)
    • Evidence: ci-code.yml continue-on-error; no sanitizer/fuzz job
    • Fix: Make scan-build, --enable-sanitizers && make check, scheduled fuzz, OSV/Dependabot, gitleaks all blocking gates (bundles REQ-MEM-02, REQ-SDLC-04, REQ-SUP-04, REQ-SDLC-01, REQ-SDLC-05)
    • Maps to: CIS 16.12/16.13/18.1; NIST PR.PS-06/ID.RA-01/DE.CM-01; ISO A.8.28/A.8.29
  • REQ-MEM-02 (high · m) — ASan/UBSan sanitizer build never exercised in CI (merges REQ-CIS-04-san)
    • Evidence: configure.ac:74-75,441-452; ci-build.sh:193-205
    • Fix: Add non-continue-on-error job ./configure --enable-sanitizers && make check + suppressions; triage first-green findings (shared job with REQ-MEM-08)
    • Maps to: NIST PR.PS-06/DE.CM-01/ID.RA-01; ISO A.8.28/A.8.29/A.8.25; CIS 16.12
  • REQ-SUP-04 (high · c) — No dependency-CVE scanning in CI (no OSV/Dependabot/Trivy)
    • Evidence: ci-code.yml (no CVE scan); no .github/dependabot.yml
    • Fix: Add OSV-Scanner/Trivy (over a curated component list or the built image) + Dependabot on push+cron with a severity gate
    • Maps to: NIST ID.RA-01/GV.SC-08/ID.IM-02; ISO A.5.7/A.8.8; CIS 7.4/16.5
  • REQ-SDLC-01 (high · c) — No secret-scanning step in CI
    • Evidence: no gitleaks/detect-secrets in .github/workflows
    • Fix: Add a gitleaks-action job (PR diff + full-history with fetch-depth:0) + a .gitleaks.toml allowlist for test-fixture false positives
    • Maps to: NIST PR.AA-01/GV.OC-03; ISO A.8.4/A.5.8; CIS 16.12
  • REQ-SDLC-04 (medium · w) — Style/auto-type/CWE-134/spell CI checks marked continue-on-error
    • Evidence: ci-code.yml:40,94
    • Fix: Remove continue-on-error: true at both sites so checks block merges (fix any pre-existing violations surfaced)
    • Maps to: NIST PR.PS-01/PR.PS-06; ISO A.8.25/A.8.28; CIS 16.9/16.12
  • REQ-SDLC-05 (medium · m (investigate, not urgent)) — No fuzz harness over untrusted-input parsers
    • Evidence: no fuzz/oss-fuzz/libfuzzer targets or corpus
    • Fix: Stand up libFuzzer/AFL++ harnesses over stanza/XML, jid_create, OMEMO/PGP/OX decode (decouple from session/ctx globals); build plumbing, seed corpora, scheduled CI
    • Maps to: NIST PR.PS-06/ID.RA-01; ISO A.8.29/A.8.25; CIS 16.13/18.1

Checklist

T12 — Toolchain hardening (PIE/RELRO/noexecstack) + null-deref warn

  • REQ-MEM-01 · high · M — Incomplete hardening: autotools lacks PIE/noexecstack, Meson release path ships zero hardening
  • REQ-MEM-08 · medium · M · investigate — -Wnull-dereference only under non-CI --enable-hardening

T14 — Supply-chain source pinning (wrap + Actions + images + clones)

  • REQ-SUP-01 · high · M — libstrophe Meson wrap pinned to revision = HEAD (mutable XMPP parser) (merges CIS-2.6/16.5)
  • REQ-SUP-05 — folded into REQ-SUP-01 (no separate work)
  • REQ-SUP-02 · high · C — CI base images use mutable tags; bootstrapped deps cloned at HEAD unverified
  • REQ-CIS-03 — folded into REQ-SUP-02 (no separate work)

T15 — Dependency inventory & version floors (SBOM deferred)

  • REQ-SUP-03 · high · C — gpgme unversioned, libgcrypt no floor, autotools/meson version floors diverge
  • REQ-CIS-01 · medium · W — No machine-readable SBOM / third-party software inventory (merges CIS-2.1/16.4) (W — optional/defer)

T17 — CI security gates (BIG umbrella — REQ-CIS-04)

  • REQ-CIS-04 · high · — — Code-level security checks (SAST/fuzz/sanitizers/CVE/secret scan) not blocking CI (merges REQ-MEM-02-ci/CIS-16.12)
  • REQ-MEM-02 · high · M — ASan/UBSan sanitizer build never exercised in CI (merges REQ-CIS-04-san)
  • REQ-SUP-04 · high · C — No dependency-CVE scanning in CI (no OSV/Dependabot/Trivy)
  • REQ-SDLC-01 · high · C — No secret-scanning step in CI
  • REQ-SDLC-04 · medium · W — Style/auto-type/CWE-134/spell CI checks marked continue-on-error (W — optional/defer)
  • REQ-SDLC-05 · medium · M · investigate — No fuzz harness over untrusted-input parsers

Notes

  • Investigate first (verify/scope before implementing): REQ-MEM-08, REQ-SDLC-05.
  • Deferred (W) — safe to split out or postpone: REQ-CIS-01, REQ-SDLC-04.
  • Folded duplicates (counted once): REQ-SUP-05→REQ-SUP-01, REQ-CIS-03→REQ-SUP-02.
The build/CI/supply-chain block: make security scans blocking CI gates (SAST, sanitizers, dependency-CVE, secret-scan, fuzzing), harden the toolchain, pin all third-party sources to integrity-verified identities, and maintain a dependency inventory / SBOM. Part of #144. Decision legend: **M** must-do, **C** could-do, **W** won't-do (this cycle); *investigate* = verify the problem is real / scope it before implementing. ## Subtasks & findings ### T12 — Toolchain hardening (PIE/RELRO/noexecstack) + null-deref warn _Owner:_ Either · _Decision:_ M · _Effort:_ ~3–4d · _Investigate:_ triage -Wnull-dereference false positives (MEM-08) Across both build systems; add checksec CI gate. - **REQ-MEM-01** (high · _m_) — Incomplete hardening: autotools lacks PIE/noexecstack, Meson release path ships zero hardening - Evidence: `configure.ac (no -fPIE/-pie); meson.build:33,64-71,536` - Fix: Add probed -fPIE -pie -Wl,-z,noexecstack to autotools; move Meson hardening out of is_debug + b_pie/relro/now; add checksec/readelf CI gate on binary + .so across both build systems - Maps to: NIST PR.PS-01/PR.PS-06; ISO A.8.25/A.8.27/A.8.28; CIS 16.7 - **REQ-MEM-08** (medium · _m (check)_) — -Wnull-dereference only under non-CI --enable-hardening - Evidence: `configure.ac:454-464 (gated behind --enable-hardening)` - Fix: Enable -Wnull-dereference in one CI config; triage -O2 false positives (marginal if folded into REQ-MEM-02 job) - Maps to: NIST PR.PS-01/DE.CM-01; ISO A.8.28 ### T14 — Supply-chain source pinning (wrap + Actions + images + clones) _Owner:_ Either · _Decision:_ M / C · _Effort:_ ~2–3d Shared pin lint; merges SUP-05 + CIS-03. - **REQ-SUP-01** (high · _m_) — libstrophe Meson wrap pinned to revision = HEAD (mutable XMPP parser) (merges CIS-2.6/16.5) - Evidence: `subprojects/libstrophe.wrap:3` - Fix: Replace revision = HEAD with vetted 40-hex SHA (or tag+source_hash); add CI grep failing on revision = HEAD/bare-branch wraps (shared lint with REQ-SUP-05) - Maps to: NIST GV.SC-05/ID.RA-09/PR.PS-01; ISO A.5.21/A.5.23/A.8.8/A.8.30; CIS 2.2/2.6/7.2/16.5 - **REQ-SUP-05** (low) — folded into **REQ-SUP-01** (same fix). GitHub Actions pinned to mutable tags, not commit SHAs - **REQ-SUP-02** (high · _c_) — CI base images use mutable tags; bootstrapped deps cloned at HEAD unverified - Evidence: `Dockerfile.debian:2,44-45; Dockerfile.arch:1,61-65` - Fix: Digest-pin both FROMs; commit-pin the three git clone --depth 1; sha256/gpg-verify the AUR libstrophe-git snapshot - Maps to: NIST GV.SC-05/06/07; ISO A.5.20/A.5.21/A.5.23/A.8.30; CIS 7.4/16.5 - **REQ-CIS-03** (high) — folded into **REQ-SUP-02** (same fix). Build-time and runtime library sources not pinned to an integrity-verified identity ### T15 — Dependency inventory & version floors (SBOM deferred) _Owner:_ Either · _Decision:_ C / W · _Effort:_ ~0.5d now; +3–4d if SBOM Align gpgme/gcrypt/sqlite floors now (C); SBOM generation is W (deferred). - **REQ-SUP-03** (high · _c_) — gpgme unversioned, libgcrypt no floor, autotools/meson version floors diverge - Evidence: `configure.ac:309,351; meson.build:96 (sqlite 3.22.0 vs 3.35.0)` - Fix: Versioned PKG_CHECK_MODULES for gpgme + gcrypt floor; align sqlite3 floor to one source; optional parity lint - Maps to: NIST ID.RA-09/GV.SC-04/PR.PS-02; ISO A.5.21/A.8.8/A.8.28; CIS 2.1/2.2/16.4 - **REQ-CIS-01** (medium · _w_) — No machine-readable SBOM / third-party software inventory (merges CIS-2.1/16.4) - Evidence: `no *.spdx/*.cdx/bom.* in tree` - Fix: Author component inventory; script CycloneDX/SPDX generation from PKG_CHECK_MODULES floors; reconcile divergent autotools/meson floors; CI diff-check (overlaps REQ-SUP-03/CIS-08) - Maps to: CIS 2.1/16.4/15.1; NIST ID.AM-08/GV.SC-04; ISO A.5.21/A.8.8 ### T17 — CI security gates (BIG umbrella — REQ-CIS-04) _Owner:_ Either · _Decision:_ M (mixed) · _Effort:_ ~1w+ (phased) · _Investigate:_ investigate/triage first green of each scan; SDLC-05 not urgent User-flagged BIG. Make scans blocking. SDLC-04 = W; SDLC-05 = investigate/not-urgent. - **REQ-CIS-04** (high · _BIG: bundles REQ-MEM-02, REQ-SDLC-04, REQ-SUP-04, REQ-SDLC-01, REQ-SDLC-05_) — Code-level security checks (SAST/fuzz/sanitizers/CVE/secret scan) not blocking CI (merges REQ-MEM-02-ci/CIS-16.12) - Evidence: `ci-code.yml continue-on-error; no sanitizer/fuzz job` - Fix: Make scan-build, --enable-sanitizers && make check, scheduled fuzz, OSV/Dependabot, gitleaks all blocking gates (bundles REQ-MEM-02, REQ-SDLC-04, REQ-SUP-04, REQ-SDLC-01, REQ-SDLC-05) - Maps to: CIS 16.12/16.13/18.1; NIST PR.PS-06/ID.RA-01/DE.CM-01; ISO A.8.28/A.8.29 - **REQ-MEM-02** (high · _m_) — ASan/UBSan sanitizer build never exercised in CI (merges REQ-CIS-04-san) - Evidence: `configure.ac:74-75,441-452; ci-build.sh:193-205` - Fix: Add non-continue-on-error job ./configure --enable-sanitizers && make check + suppressions; triage first-green findings (shared job with REQ-MEM-08) - Maps to: NIST PR.PS-06/DE.CM-01/ID.RA-01; ISO A.8.28/A.8.29/A.8.25; CIS 16.12 - **REQ-SUP-04** (high · _c_) — No dependency-CVE scanning in CI (no OSV/Dependabot/Trivy) - Evidence: `ci-code.yml (no CVE scan); no .github/dependabot.yml` - Fix: Add OSV-Scanner/Trivy (over a curated component list or the built image) + Dependabot on push+cron with a severity gate - Maps to: NIST ID.RA-01/GV.SC-08/ID.IM-02; ISO A.5.7/A.8.8; CIS 7.4/16.5 - **REQ-SDLC-01** (high · _c_) — No secret-scanning step in CI - Evidence: `no gitleaks/detect-secrets in .github/workflows` - Fix: Add a gitleaks-action job (PR diff + full-history with fetch-depth:0) + a .gitleaks.toml allowlist for test-fixture false positives - Maps to: NIST PR.AA-01/GV.OC-03; ISO A.8.4/A.5.8; CIS 16.12 - **REQ-SDLC-04** (medium · _w_) — Style/auto-type/CWE-134/spell CI checks marked continue-on-error - Evidence: `ci-code.yml:40,94` - Fix: Remove continue-on-error: true at both sites so checks block merges (fix any pre-existing violations surfaced) - Maps to: NIST PR.PS-01/PR.PS-06; ISO A.8.25/A.8.28; CIS 16.9/16.12 - **REQ-SDLC-05** (medium · _m (investigate, not urgent)_) — No fuzz harness over untrusted-input parsers - Evidence: `no fuzz/oss-fuzz/libfuzzer targets or corpus` - Fix: Stand up libFuzzer/AFL++ harnesses over stanza/XML, jid_create, OMEMO/PGP/OX decode (decouple from session/ctx globals); build plumbing, seed corpora, scheduled CI - Maps to: NIST PR.PS-06/ID.RA-01; ISO A.8.29/A.8.25; CIS 16.13/18.1 ## Checklist **T12 — Toolchain hardening (PIE/RELRO/noexecstack) + null-deref warn** - [ ] **REQ-MEM-01** · high · M — Incomplete hardening: autotools lacks PIE/noexecstack, Meson release path ships zero hardening - [ ] **REQ-MEM-08** · medium · M · investigate — -Wnull-dereference only under non-CI --enable-hardening **T14 — Supply-chain source pinning (wrap + Actions + images + clones)** - [ ] **REQ-SUP-01** · high · M — libstrophe Meson wrap pinned to revision = HEAD (mutable XMPP parser) (merges CIS-2.6/16.5) - [ ] **REQ-SUP-05** — folded into REQ-SUP-01 (no separate work) - [ ] **REQ-SUP-02** · high · C — CI base images use mutable tags; bootstrapped deps cloned at HEAD unverified - [ ] **REQ-CIS-03** — folded into REQ-SUP-02 (no separate work) **T15 — Dependency inventory & version floors (SBOM deferred)** - [ ] **REQ-SUP-03** · high · C — gpgme unversioned, libgcrypt no floor, autotools/meson version floors diverge - [ ] **REQ-CIS-01** · medium · W — No machine-readable SBOM / third-party software inventory (merges CIS-2.1/16.4) _(W — optional/defer)_ **T17 — CI security gates (BIG umbrella — REQ-CIS-04)** - [ ] **REQ-CIS-04** · high · — — Code-level security checks (SAST/fuzz/sanitizers/CVE/secret scan) not blocking CI (merges REQ-MEM-02-ci/CIS-16.12) - [ ] **REQ-MEM-02** · high · M — ASan/UBSan sanitizer build never exercised in CI (merges REQ-CIS-04-san) - [ ] **REQ-SUP-04** · high · C — No dependency-CVE scanning in CI (no OSV/Dependabot/Trivy) - [ ] **REQ-SDLC-01** · high · C — No secret-scanning step in CI - [ ] **REQ-SDLC-04** · medium · W — Style/auto-type/CWE-134/spell CI checks marked continue-on-error _(W — optional/defer)_ - [ ] **REQ-SDLC-05** · medium · M · investigate — No fuzz harness over untrusted-input parsers ## Notes - **Investigate first** (verify/scope before implementing): REQ-MEM-08, REQ-SDLC-05. - **Deferred (W)** — safe to split out or postpone: REQ-CIS-01, REQ-SDLC-04. - **Folded duplicates** (counted once): REQ-SUP-05→REQ-SUP-01, REQ-CIS-03→REQ-SUP-02.
jabber.developer added the
Kind/Security
Priority
Medium
3
labels 2026-07-03 10:32:13 +00:00
jabber.developer added this to the Plans (2025-2026) project 2026-07-03 10:32:19 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: devs/cproof#149
No description provided.