jmrenouard
diff --git a/‎Changelog‎
Lines changed: 7 additions & 1 deletion b/‎Changelog‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎POTENTIAL_ISSUES‎
Lines changed: 13 additions & 9 deletions b/‎POTENTIAL_ISSUES‎
Lines changed: 13 additions & 9 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 42 additions & 15 deletions b/‎SECURITY.md‎
Lines changed: 42 additions & 15 deletions
@@ -1,6 +1,12 @@
 2.8.37 2026-02-14
 
-- refactor: replace system calls (whoami, hostname, printenv) with native Core Perl functions.
+- refactor: replace massive system calls (awk, grep, uname, getconf, sysctl) with native Core Perl functions for Linux.
+- feat: implement native parsing for /proc/cpuinfo, /proc/meminfo, /proc/sys/vm/swappiness and /etc/resolv.conf.
+- refactor: optimize CPU core count, logical CPU detection, and OS memory setup for local environments.
+- refactor: use POSIX::uname and POSIX::sysconf for standardized system and architecture reporting.
+- fix: resolve MariaDB socket authentication regression and restore automatic credential discovery (Issue #875).
+- fix: remediate Prototype Pollution vulnerability in lodash (CVE-2021-23341) by forcing update to 4.17.23.
+- test: add reproduction test for authentication discovery chain (tests/issue_875_regression.t).
 - chore: bump version to 2.8.37.
 
 2.8.36 2026-02-13
 
@@ -57,21 +57,21 @@ The following external commands are currently used via `execute_system_command`
 
 #### High Priority Replacements (Low Complexity)
 
-- [ ] **Command**: `whoami` (line 701)
-  - **Replacement**: `(getpwuid($<))[0]` or `POSIX::cuserid()`
-- [ ] **Command**: `env` / `printenv` (lines 1673, 1890, 1955)
+- [x] **Command**: `whoami` (line 701)
+  - **Replacement**: `(getpwuid($<))[0]` (Native core Perl used).
+- [x] **Command**: `env` / `printenv` (lines 1673, 1890, 1955)
   - **Replacement**: Access the `%ENV` hash directly.
-- [ ] **Command**: `hostname` (line 3051)
+- [x] **Command**: `hostname` (line 3051)
   - **Replacement**: `use Sys::Hostname; hostname();` (Core since Perl 5.6).
-- [ ] **Command**: `grep ... /proc/meminfo` (lines 1399, 1414, 3099)
+- [x] **Command**: `grep ... /proc/meminfo` (lines 1399, 1414, 3099)
   - **Replacement**: Open `/proc/meminfo` and parse line-by-line (Core file handles).
-- [ ] **Command**: `grep -c ^processor /proc/cpuinfo` (line 949)
+- [x] **Command**: `grep -c ^processor /proc/cpuinfo` (line 949)
   - **Replacement**: Open `/proc/cpuinfo` and count lines starting with `processor`.
-- [ ] **Command**: `which` (lines 1552, 1576)
+- [x] **Command**: `which` (lines 1552, 1576)
   - **Replacement**: Iterate through `split(/:/, $ENV{PATH})` and check file existence with `-x`.
-- [ ] **Command**: `getconf PAGESIZE` (line 2718)
+- [x] **Command**: `getconf PAGESIZE` (line 2718)
   - **Replacement**: `use POSIX; POSIX::sysconf(POSIX::_SC_PAGESIZE);`
-- [ ] **Command**: `uname` (lines 1108, 1395, 3044, 3049, 3117)
+- [x] **Command**: `uname` (lines 1108, 1395, 3044, 3049, 3117)
   - **Replacement**: `use POSIX; POSIX::uname();` or `$^O`.
 
 #### Medium Priority Replacements (Environmental Specifics)
@@ -82,3 +82,7 @@ The following external commands are currently used via `execute_system_command`
   - **Replacement**: Read `/proc/uptime` (Linux-only) or calculate via `$^T` (script start time) for script uptime. System uptime requires `POSIX` / `/proc`.
 - [ ] **Command**: `df` (lines 2790, 2791)
   - **Replacement**: No cross-platform Core Perl replacement. Keep for now or use `statvfs` where available.
+- [x] **Command**: `grep -Ec '^flags.*\ hypervisor\ ' /proc/cpuinfo` (line 2981)
+  - **Replacement**: Native Perl parsing of `/proc/cpuinfo`.
+- [x] **Command**: `sysctl -n vm.swappiness` (line 3052)
+  - **Replacement**: Native Perl parsing of `/proc/sys/vm/swappiness`.
@@ -1,31 +1,58 @@
 # Security Policy
 
+MySQLTuner is committed to providing a secure and reliable experience for all users. This document outlines our security policies, supported versions, and the process for reporting vulnerabilities.
+
 ## Supported Versions
 
-MySQLTuner is committed to providing security updates for the following versions:
+We provide security updates for the following versions of MySQLTuner:
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 2.x     | :white_check_mark: |
-| < 2.x   | :x:                |
+| Version | Status                |
+| ------- | --------------------- |
+| v2.x    | Supported (v2.8.37)   |
+| < v2.x  | End of Life           |
 
-We strongly recommend using the latest stable release (currently v2.8.35) available on [GitHub](https://github.com/jmrenouard/MySQLTuner-perl/releases).
+We strongly recommend that all users stay updated with the latest stable release available on [GitHub Releases](https://github.com/jmrenouard/MySQLTuner-perl/releases).
 
 ## Reporting a Vulnerability
 
-If you discover a security vulnerability within this project, please report it privately to the maintainer.
+If you discover a security vulnerability in MySQLTuner, please do **not** open a public issue. Instead, report it privately to the maintainer:
+
+- **Contact**: Jean-Marie Renouard ([jmrenouard@lightpath.fr](mailto:jmrenouard@lightpath.fr))
+
+### Reporting Guidelines
 
-**Contact**: [jmrenouard@lightpath.fr](mailto:jmrenouard@lightpath.fr)
+Please include the following information in your report:
 
-### What to expect
+- A description of the vulnerability.
+- Steps to reproduce the issue (proof of concept).
+- Potential impact and affected versions.
 
-- **Acknowledgement**: You can expect an initial response within 48-72 hours.
-- **Updates**: We will provide periodic updates on the progress of any reported vulnerability until it is resolved.
+### What to Expect
+
+- **Acknowledgement**: You will receive an initial response within 48-72 hours.
+- **Triage**: We will investigate the report and determine the impact.
+- **Resolution**: We will work on a fix as a priority.
 - **Disclosure**: We will coordinate with you to determine a mutually agreeable disclosure timeline.
 
+## Security Scope
+
+### In-Scope Vulnerabilities
+
+- Local Privilege Escalation through insecure system calls.
+- Credential leaks in the report output (unless explicitly permitted via CLI options).
+- Remote Code Execution (RCE) via malicious database responses.
+- Insecure storage of temporary data.
+
+### Out-of-Scope
+
+- Vulnerabilities in the underlying Percona/MySQL/MariaDB database itself.
+- Issues requiring root access to the host machine to exploit.
+- Denial of Service (DoS) attacks that are inherent to database benchmarking or diagnostics.
+
 ## Security Philosophy
 
-- **Production Stability**: Every recommendation provided by MySQLTuner is designed to be safe for production environments.
-- **Read-Only**: MySQLTuner is a read-only script. It does not modify your database or system configuration files.
-- **CVE Detection**: The script includes features to detect known vulnerabilities (CVEs) based on your MySQL/MariaDB version.
-- **Zero-Dependency**: To maintain a secure and portable footprint, we avoid external dependencies and only use Perl Core modules.
+- **Production Stability**: Every recommendation is designed to be safe for production environments. No destructive actions are performed.
+- **Read-Only Architecture**: MySQLTuner is strictly a read-only script. It does not modify database configurations or system files.
+- **Zero-Dependency Portability**: To minimize the attack surface, MySQLTuner only uses Perl Core modules and avoids external dependencies.
+- **CVE Detection**: The script proactively checks for known CVEs based on the detected database version.
+- **Auditability**: As a single-file Perl script, MySQLTuner is easily auditable by security teams before deployment.