Skip to content

Commit 610b003

Browse files
dfa1claude
andcommitted
security: pin setup-zig to a commit SHA; mark temp-dir vuln reviewed
Resolve the SECURITY-category Sonar findings: - S7637: pin the third-party mlugg/setup-zig action to a full commit SHA (d1434d0, v2) in ci/sonar/publish workflows, so a moved tag can't swap the action under us. The first-party actions/* are not flagged. - S5443: NativeLibrary extracts the bundled library into an owner-only directory (Files.createTempDirectory, 0700 on POSIX) — the rule's warning is already mitigated with no further code change available, so suppress it for that file via sonar.issue.ignore with a documented why. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 7cfcfe9 commit 610b003

5 files changed

Lines changed: 13 additions & 5 deletions

File tree

.github/workflows/ci.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ jobs:
2424
cache: maven
2525

2626
- name: Set up Zig
27-
uses: mlugg/setup-zig@v2
27+
uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
2828
with:
2929
version: 0.16.0
3030

.github/workflows/publish.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ jobs:
3131
gpg-passphrase: GPG_PASSPHRASE
3232

3333
- name: Set up Zig
34-
uses: mlugg/setup-zig@v2
34+
uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
3535
with:
3636
version: 0.16.0
3737

.github/workflows/sonar.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828
cache: maven
2929

3030
- name: Set up Zig
31-
uses: mlugg/setup-zig@v2
31+
uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
3232
with:
3333
version: 0.16.0
3434

pom.xml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,14 @@
6363
<sonar.host.url>https://sonarcloud.io</sonar.host.url>
6464
<sonar.organization>dfa11</sonar.organization>
6565
<sonar.projectKey>dfa1_zstd-java</sonar.projectKey>
66+
<!-- S5443 (temp dir in a publicly-writable location) on NativeLibrary is a
67+
reviewed false positive: the bundled library is extracted into a private
68+
directory created with Files.createTempDirectory, which is owner-only
69+
(0700) on POSIX, closing the swap/symlink window the rule warns about.
70+
There is no further code mitigation, so suppress it for that file. -->
71+
<sonar.issue.ignore.multicriteria>tempdir</sonar.issue.ignore.multicriteria>
72+
<sonar.issue.ignore.multicriteria.tempdir.ruleKey>java:S5443</sonar.issue.ignore.multicriteria.tempdir.ruleKey>
73+
<sonar.issue.ignore.multicriteria.tempdir.resourceKey>**/NativeLibrary.java</sonar.issue.ignore.multicriteria.tempdir.resourceKey>
6674
<!-- The benchmark module is a JMH harness, not shipped runtime: its
6775
@Setup/@TearDown lifecycle trips false "resource not closed" reports and
6876
it has no tests by design. Exclude from analysis entirely (which also

zstd/src/main/java/io/github/dfa1/zstd/ZstdFrame.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@
1414
public final class ZstdFrame {
1515

1616
/// Sentinel returned by `ZSTD_decompressBound` when the input is not valid.
17-
private static final long CONTENTSIZE_ERROR = -2L;
17+
private static final long CONTENT_SIZE_ERROR = -2L;
1818

1919
/// Tests whether `data` begins with a valid zstd frame (standard or skippable).
2020
///
@@ -213,7 +213,7 @@ private static long decompressedBound(MemorySegment data, long size) {
213213
} catch (Throwable t) {
214214
throw NativeCall.rethrow(t);
215215
}
216-
if (bound == CONTENTSIZE_ERROR) {
216+
if (bound == CONTENT_SIZE_ERROR) {
217217
throw new ZstdException("not valid zstd data");
218218
}
219219
return bound;

0 commit comments

Comments
 (0)