Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
409 changes: 409 additions & 0 deletions .claude/CHANGELOG.md

Large diffs are not rendered by default.

3 changes: 1 addition & 2 deletions .claude/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -326,8 +326,7 @@ done

### If preparing a release:
- [ ] Every open Trivy finding has a corresponding statement in `.vex/` (triaged into one of: `not_affected`, `affected`, `fixed`, `under_investigation`). No silent "unknown" CVEs leave the door.
- [ ] `./tools/validate-vex.sh` exits 0.
- [ ] `./tools/tests/validate-vex-tests.sh` and `./tools/tests/assemble-openvex-tests.sh` pass.
- [ ] `make vex-validate` exits 0 (every `.vex/*.json` parses cleanly via `vexctl merge`).
- [ ] `.vex/` changes referenced in the release notes / changelog.

**Verification:** Every checked box above passes. A task is NOT complete until the full checklist is green.
Expand Down
22 changes: 22 additions & 0 deletions .github/codeql/codeql-config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# Copyright (c) 2025 Erick Bourgeois, firestoned
# SPDX-License-Identifier: Apache-2.0
#
# CodeQL config consumed by .github/workflows/codeql.yaml. Keeps
# generated / vendored output out of the scanning database so the
# analyzer doesn't waste time on files we don't ship and can't fix.

name: "5-Spot CodeQL Config"

# Exclude generated or third-party content from analysis. We still
# scan every hand-written source file under src/, .github/, and
# docs/src/javascripts/.
paths-ignore:
# Rust build output (compiled artifacts, incremental-build state,
# Cargo-vendored registry caches).
- target/**
# MkDocs build output.
- docs/site/**
# Docs build dependencies — Poetry manifests, not source code.
- docs/poetry.lock
- docs/pyproject.toml
- docs/.python-version
245 changes: 210 additions & 35 deletions .github/workflows/build.yaml

Large diffs are not rendered by default.

86 changes: 86 additions & 0 deletions .github/workflows/codeql.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
# Copyright (c) 2025 Erick Bourgeois, firestoned
# SPDX-License-Identifier: Apache-2.0
#
# CodeQL analysis — explicit language list.
#
# Writing this workflow disables GitHub's "default setup" CodeQL config
# and lets us pin exactly which languages get analyzed. We had to take
# over the default setup because it auto-detected Python from
# docs/pyproject.toml (Poetry manifest for MkDocs tooling) and then
# failed with "CodeQL detected code written in GitHub Actions, Rust
# and JavaScript/TypeScript, but not any written in Python" once the
# 5-Spot VEX Python tooling was removed in the Phase 1 cleanup
# (.claude/CHANGELOG.md 2026-04-22 19:45).
#
# Languages analyzed here are exactly the ones with real source files:
# - `rust` — src/**/*.rs (beta in CodeQL; upstream
# aware, stable enough for static
# vulnerability checks on our surface)
# - `actions` — .github/workflows/**/*.yaml
# - `javascript-typescript`
# — docs/src/javascripts/mermaid-init.js
# (MkDocs Mermaid integration)
#
# We explicitly do NOT list `python`: the pyproject.toml under docs/
# is a Poetry *manifest* for the MkDocs build, not Python source code,
# and would cause the analyzer to finalize an empty database.

name: CodeQL

on:
pull_request:
branches:
- main
push:
branches:
- main
schedule:
# Weekly full re-scan on Sundays at 07:17 UTC. Offsets the minute
# so we don't collide with the hourly cron queue. Keeps the Code
# Scanning dashboard fresh when a week passes without code changes.
- cron: '17 7 * * 0'

permissions:
contents: read

jobs:
analyze:
name: 🔍 CodeQL - ${{ matrix.language }}
runs-on: ${{ matrix.runner }}
timeout-minutes: 30
permissions:
contents: read
security-events: write
packages: read

strategy:
fail-fast: false
matrix:
include:
- language: rust
build-mode: none
runner: ubuntu-latest
- language: actions
build-mode: none
runner: ubuntu-latest
- language: javascript-typescript
build-mode: none
runner: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# Repo-local config file (paths-ignore, query suites). Keeps
# generated / vendored output out of the database.
config-file: ./.github/codeql/codeql-config.yml

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
category: "/language:${{ matrix.language }}"
23 changes: 23 additions & 0 deletions .vex/CVE-2010-4756.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/finos/5-spot/.vex/CVE-2010-4756",
"author": "erick.bourgeois@gmail.com",
"statements": [
{
"impact_statement": "5-Spot performs no file-system glob expansion; the vulnerable glibc glob() implementation is never called from the controller.",
"justification": "vulnerable_code_not_in_execute_path",
"products": [
{
"@id": "pkg:oci/5-spot"
}
],
"status": "not_affected",
"timestamp": "2026-04-19T00:00:00Z",
"vulnerability": {
"name": "CVE-2010-4756"
}
}
],
"timestamp": "2026-04-19T00:00:00Z",
"version": 1
}
12 changes: 0 additions & 12 deletions .vex/CVE-2010-4756.toml

This file was deleted.

23 changes: 23 additions & 0 deletions .vex/CVE-2018-20796.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/finos/5-spot/.vex/CVE-2018-20796",
"author": "erick.bourgeois@gmail.com",
"statements": [
{
"impact_statement": "5-Spot uses the Rust regex crate, a separate implementation from glibc's posix/regexec.c; the vulnerable C function is never invoked.",
"justification": "vulnerable_code_not_in_execute_path",
"products": [
{
"@id": "pkg:oci/5-spot"
}
],
"status": "not_affected",
"timestamp": "2026-04-19T00:00:00Z",
"vulnerability": {
"name": "CVE-2018-20796"
}
}
],
"timestamp": "2026-04-19T00:00:00Z",
"version": 1
}
12 changes: 0 additions & 12 deletions .vex/CVE-2018-20796.toml

This file was deleted.

23 changes: 23 additions & 0 deletions .vex/CVE-2019-1010022.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/finos/5-spot/.vex/CVE-2019-1010022",
"author": "erick.bourgeois@gmail.com",
"statements": [
{
"impact_statement": "The controller does not execute adversary-supplied native code; the pre-conditions required to reach the glibc stack-guard bypass do not exist in this workload.",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"products": [
{
"@id": "pkg:oci/5-spot"
}
],
"status": "not_affected",
"timestamp": "2026-04-19T00:00:00Z",
"vulnerability": {
"name": "CVE-2019-1010022"
}
}
],
"timestamp": "2026-04-19T00:00:00Z",
"version": 1
}
13 changes: 0 additions & 13 deletions .vex/CVE-2019-1010022.toml

This file was deleted.

23 changes: 23 additions & 0 deletions .vex/CVE-2019-1010023.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/finos/5-spot/.vex/CVE-2019-1010023",
"author": "erick.bourgeois@gmail.com",
"statements": [
{
"impact_statement": "The Distroless image ships no ldd or shell; the vulnerable workflow (running ldd on an adversary-supplied ELF) cannot occur at runtime.",
"justification": "vulnerable_code_not_in_execute_path",
"products": [
{
"@id": "pkg:oci/5-spot"
}
],
"status": "not_affected",
"timestamp": "2026-04-19T00:00:00Z",
"vulnerability": {
"name": "CVE-2019-1010023"
}
}
],
"timestamp": "2026-04-19T00:00:00Z",
"version": 1
}
12 changes: 0 additions & 12 deletions .vex/CVE-2019-1010023.toml

This file was deleted.

23 changes: 23 additions & 0 deletions .vex/CVE-2019-1010024.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/finos/5-spot/.vex/CVE-2019-1010024",
"author": "erick.bourgeois@gmail.com",
"statements": [
{
"impact_statement": "An attacker has no primitive within the 5-Spot controller to leak cached stack/heap addresses, so the ASLR-bypass precondition is absent.",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"products": [
{
"@id": "pkg:oci/5-spot"
}
],
"status": "not_affected",
"timestamp": "2026-04-19T00:00:00Z",
"vulnerability": {
"name": "CVE-2019-1010024"
}
}
],
"timestamp": "2026-04-19T00:00:00Z",
"version": 1
}
12 changes: 0 additions & 12 deletions .vex/CVE-2019-1010024.toml

This file was deleted.

23 changes: 23 additions & 0 deletions .vex/CVE-2019-1010025.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/finos/5-spot/.vex/CVE-2019-1010025",
"author": "erick.bourgeois@gmail.com",
"statements": [
{
"impact_statement": "5-Spot exposes no interface that leaks raw process memory; the pre-requisite local read primitive for this information-disclosure bug does not exist.",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"products": [
{
"@id": "pkg:oci/5-spot"
}
],
"status": "not_affected",
"timestamp": "2026-04-19T00:00:00Z",
"vulnerability": {
"name": "CVE-2019-1010025"
}
}
],
"timestamp": "2026-04-19T00:00:00Z",
"version": 1
}
13 changes: 0 additions & 13 deletions .vex/CVE-2019-1010025.toml

This file was deleted.

23 changes: 23 additions & 0 deletions .vex/CVE-2019-9192.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/finos/5-spot/.vex/CVE-2019-9192",
"author": "erick.bourgeois@gmail.com",
"statements": [
{
"impact_statement": "5-Spot uses the Rust regex crate, not glibc's POSIX regex; the vulnerable check_dst_limits_calc_pos_1 function is never invoked.",
"justification": "vulnerable_code_not_in_execute_path",
"products": [
{
"@id": "pkg:oci/5-spot"
}
],
"status": "not_affected",
"timestamp": "2026-04-19T00:00:00Z",
"vulnerability": {
"name": "CVE-2019-9192"
}
}
],
"timestamp": "2026-04-19T00:00:00Z",
"version": 1
}
13 changes: 0 additions & 13 deletions .vex/CVE-2019-9192.toml

This file was deleted.

Loading
Loading