You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* security: pin setup-zig to a commit SHA; mark temp-dir vuln reviewed
Resolve the SECURITY-category Sonar findings:
- S7637: pin the third-party mlugg/setup-zig action to a full commit SHA
(d1434d0, v2) in ci/sonar/publish workflows, so a moved tag can't swap
the action under us. The first-party actions/* are not flagged.
- S5443: NativeLibrary extracts the bundled library into an owner-only
directory (Files.createTempDirectory, 0700 on POSIX) — the rule's
warning is already mitigated with no further code change available, so
suppress it for that file via sonar.issue.ignore with a documented why.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* security: set owner-only temp dir permissions atomically (S5443)
Properly fix S5443 instead of suppressing it: create the extraction
directory with an explicit owner-only (rwx------) POSIX permission
attribute at creation time, the rule's compliant pattern. Falls back to
no attribute on non-POSIX file systems, where the temp directory is
already per-user. Revert the earlier pom-level suppression.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
0 commit comments