Merge pull request #195 from step-security-bot/stepsecurity_remediation_1711216890

[StepSecurity] ci: Harden GitHub Actions
2024-10-06 10:15:56 +02:00 · 2024-03-23 19:06:20 +01:00 · 2024-03-23 18:01:31 +00:00 · 2024-03-23 18:59:10 +01:00 · 2024-03-23 17:34:47 +01:00 · 2024-03-23 17:28:04 +01:00
7 changed files with 78 additions and 1 deletions
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@ -0,0 +1,21 @@
 # SPDX-FileCopyrightText: 2022 Winni Neessen <winni@neessen.dev>
 #
 # SPDX-License-Identifier: CC0-1.0
 name: Govulncheck Security Scan
 on: [push, pull_request]
 permissions:
  contents: read
 jobs:
  test:
    runs-on: ubuntu-latest
    steps: 
    - name: Harden Runner
      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
      with:
        egress-policy: audit
    - name: Run govulncheck
      uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@ -6,6 +6,9 @@ name: REUSE Compliance Check
 on: [push, pull_request]
 permissions:
  contents: read
 jobs:
  test:
    runs-on: ubuntu-latest
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@ -3,6 +3,10 @@
 # SPDX-License-Identifier: CC0-1.0
 name: SonarQube
 permissions:
  contents: read
 on:
  push:
    branches:
--- a/.gitignore
+++ b/.gitignore
@ -55,3 +55,5 @@ com_crashlytics_export_strings.xml
 crashlytics.properties
 crashlytics-build.properties
 fabric.properties
 testdata
--- a/README.md
+++ b/README.md
@ -12,6 +12,7 @@ SPDX-License-Identifier: CC0-1.0
 [![Mentioned in Awesome Go](https://awesome.re/mentioned-badge-flat.svg)](https://github.com/avelino/awesome-go)
 [![#go-mail on Discord](https://img.shields.io/badge/Discord-%23go%E2%80%93mail-blue.svg)](https://discord.gg/ysQXkaccXk) 
 [![REUSE status](https://api.reuse.software/badge/github.com/wneessen/go-mail)](https://api.reuse.software/info/github.com/wneessen/go-mail)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8701/badge)](https://www.bestpractices.dev/projects/8701)
 <a href="https://ko-fi.com/D1D24V9IX"><img src="https://uploads-ssl.webflow.com/5c14e387dab576fe667689cf/5cbed8a4ae2b88347c06c923_BuyMeACoffee_blue.png" height="20" alt="buy ma a coffee"></a>
 <p align="center"><img src="./assets/gopher2.svg" width="250" alt="go-mail logo"/></p>
--- a/b64linebreaker_test.go
+++ b/b64linebreaker_test.go
@ -5,6 +5,7 @@
 package mail
 import (
 	"bufio"
 	"bytes"
 	"encoding/base64"
 	"fmt"
@ -461,3 +462,20 @@ func (e errorWriter) Write([]byte) (int, error) {
 func (e errorWriter) Close() error {
 	return fmt.Errorf("supposed to always fail")
 }
 func FuzzBase64LineBreaker_Write(f *testing.F) {
 	f.Add([]byte("abc"))
 	f.Add([]byte("def"))
 	f.Add([]uint8{0o0, 0o1, 0o2, 30, 255})
 	buf := bytes.Buffer{}
 	bw := bufio.NewWriter(&buf)
 	f.Fuzz(func(t *testing.T, data []byte) {
 		b := &Base64LineBreaker{out: bw}
 		if _, err := b.Write(data); err != nil {
 			t.Errorf("failed to write to B64LineBreaker: %s", err)
 		}
 		if err := b.Close(); err != nil {
 			t.Errorf("failed to close B64LineBreaker: %s", err)
 		}
 	})
 }
--- a/msg_test.go
+++ b/msg_test.go
@ -3219,3 +3219,31 @@ func TestNewMsgWithNoDefaultUserAgent(t *testing.T) {
 		t.Errorf("WithNoDefaultUserAgent() failed. Expected: %t, got: %t", true, false)
 	}
 }
 // Fuzzing tests
 func FuzzMsg_Subject(f *testing.F) {
 	f.Add("Testsubject")
 	f.Add("")
 	f.Add("This is a longer test subject.")
 	f.Add("Let's add some umlauts: üäöß")
 	f.Add("Or even emojis: ☝️💪👍")
 	f.Fuzz(func(t *testing.T, data string) {
 		m := NewMsg()
 		m.Subject(data)
 		m.Reset()
 	})
 }
 func FuzzMsg_From(f *testing.F) {
 	f.Add("Toni Tester <toni@tester.com>")
 	f.Add("<tester@example.com>")
 	f.Add("mail@server.com")
 	f.Fuzz(func(t *testing.T, data string) {
 		m := NewMsg()
 		if err := m.From(data); err != nil &&
 			!strings.Contains(err.Error(), "failed to parse mail address") {
 			t.Errorf("failed set set FROM address: %s", err)
 		}
 		m.Reset()
 	})
 }
Author	SHA1	Message	Date
Winni Neessen	f9859799b2	Merge pull request #195 from step-security-bot/stepsecurity_remediation_1711216890 [StepSecurity] ci: Harden GitHub Actions	2024-03-23 19:06:20 +01:00
StepSecurity Bot	d87e2205d6	[StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>	2024-03-23 18:01:31 +00:00
Winni Neessen	25ee875300	"Add Govulncheck Security Scan workflow" A new GitHub Actions workflow for Govulncheck Security Scan has been added. This workflow gets activated on every push or pull request and includes runner hardening and executing 'govulncheck' to identify potential vulnerabilities.	2024-03-23 18:59:10 +01:00
Winni Neessen	4aeeca5a82	Merge pull request #194 from wneessen/OpenSSF-badge Add OpenSSF Best Practices badge to README.md	2024-03-23 17:34:47 +01:00
Winni Neessen	0dc449f582	Add OpenSSF Best Practices badge to README.md An OpenSSF Best Practices badge was added to the README file. This badge reflects adherence to critical open source software security practices.	2024-03-23 17:28:04 +01:00
Winni Neessen	11258613d5	Merge pull request #193 from wneessen/implement_fuzzing Implement fuzzing	2024-03-23 16:52:01 +01:00
Winni Neessen	a4918210f1	Update Base64LineBreaker fuzzing tests in b64linebreaker_test.go Updated the fuzzing tests in the `Base64LineBreaker_Write` function. The change specifically converts integer bytes from decimal to octal. This ensures proper testing of a wider range of input scenarios, increasing the reliability and robustness of the code.	2024-03-23 16:51:18 +01:00
Winni Neessen	dae7d80759	Add fuzzing tests for subject and from fields in msg_test.go Included two new fuzzing tests for 'Subject' and 'From' to increase code coverage and reliability. These tests expand our checking strategy by using dynamic inputs and making sure no unexpected errors occur when dealing with a variety of possible input scenarios.	2024-03-23 16:46:21 +01:00
Winni Neessen	91a3fc5261	Ignore testdata in Git Added 'testdata' to .gitignore file. This ensures that any files or folders named 'testdata', which are most likely used for local testing, will not be tracked by Git allowing for a cleaner working directory.	2024-03-23 16:36:01 +01:00
Winni Neessen	821ee0a9e1	Update Base64LineBreaker_Write testing Enhanced testing for the Base64LineBreaker_Write function by adding a fuzz test. This additional fuzz test provides the function with a variety of random byte inputs as a way of uncovering any hidden errors and contributing to more reliable coding.	2024-03-23 16:35:32 +01:00
Winni Neessen	280f85abd1	Add fuzz testing to Base64LineBreaker_Write function The update enhances testing for the Base64LineBreaker_Write function by creating a fuzz test. This new fuzz test feeds the function with a wide range of random byte inputs to improve the detection of hidden anomalies and help ensure more robust code.	2024-03-23 16:14:07 +01:00
Winni Neessen	932ac2be48	Merge pull request #192 from wneessen/fix_token_perms Add read permissions to GitHub workflow files	2024-03-23 15:52:26 +01:00
Winni Neessen	c78388a2cb	Add read permissions to GitHub workflow files This commit adds read permissions for 'contents' in the GitHub workflow files sonarqube.yml and reuse.yml. This allows these specific workflows to access the relevant contents they need for execution.	2024-03-23 15:49:03 +01:00