77
88## Summary
99
10- This work reduces GitHub CodeQL and Trivy findings through source-level privacy
11- fixes, setup-secret hardening, and container dependency remediation.
10+ This work addresses the 423-alert baseline (416 Trivy and seven CodeQL) through
11+ source-level privacy fixes, setup-secret and filesystem hardening, workflow
12+ supply-chain controls, and production-container dependency remediation. The
13+ verified image inventory is 140 non-fixable medium/low findings. Six original
14+ C# alerts and the fresh C# findings have source fixes; the Python setup alert is
15+ handled by a hardened, necessary persistence boundary and narrow documented
16+ suppression. Fresh Actions and JavaScript/TypeScript scans report zero
17+ findings. Fresh workflow-equivalent default and security-extended Python scans
18+ also report zero findings under the local threat model.
1219
1320## Changes
1421
@@ -47,11 +54,19 @@ fixes, setup-secret hardening, and container dependency remediation.
4754 explicit overwrite, POSIX permissions, symlink refusal, and non-regular
4855 destination handling for the interactive container setup path.
4956- ` scripts/tests/test_code_scanning_security.py ` - Covers bounded Link-header
50- parsing under adversarial input and secret-free demo-user success/failure
51- output.
57+ parsing under adversarial input, exact-origin HTTPS request and redirect
58+ enforcement, bounded redirect behavior, and secret-free demo-user
59+ success/failure output.
5260- ` scripts/tests/test_incoming_clean_up.py ` - Covers canonical root boundaries,
5361 symlink and outside-root refusal, Zip Slip/symlink-member rejection, SFV
54- traversal, safe encoding repair, pretend mode, and contained live deletion.
62+ traversal, private extraction permissions, descriptor-relative race defense,
63+ safe encoding repair, pretend mode, and contained live deletion.
64+ - ` tests/Melodee.Tests.Common/Services/SecurityLogSanitizationTests.cs ` - Covers
65+ the untrusted player, playlist, script setting, configuration key, provider,
66+ and artist values reported by the fresh C# CodeQL scan.
67+ - ` tests/Melodee.Tests.Common/TestHelpers/RecordingLogEventSink.cs ` - Captures
68+ rendered security-sensitive log events for assertions without external
69+ logging infrastructure.
5570
5671### Modified
5772
@@ -83,14 +98,18 @@ fixes, setup-secret hardening, and container dependency remediation.
8398- ` scripts/run-container-setup.py ` - Uses the same secure writer for normal,
8499 confirmed-overwrite, and forced setup paths.
85100- ` scripts/create_code_scanning_combined_serif.py ` - Replaces a polynomial
86- backtracking Link-header expression with a bounded linear parser while
87- preserving GitHub pagination relations.
101+ backtracking Link-header expression with a bounded linear parser and confines
102+ API requests, pagination, redirects, and downloads to the configured exact
103+ HTTPS origin.
88104- ` scripts/create-demo-user.py ` - Stops printing the demo password, generated
89105 API/public keys, encrypted password, and secret-bearing exception payloads.
90106- ` scripts/incoming_clean_up.py ` - Adds an explicit trusted filesystem boundary,
91- canonical containment before every access/mutation, symlink-safe destructive
92- operations, full ZIP-member preflight/extraction, and traversal-safe SFV
93- verification and renaming.
107+ canonical containment before every access/mutation, pinned descriptor-relative
108+ no-follow operations, ` renameat2(RENAME_NOREPLACE) ` quarantine publication,
109+ full ZIP-member preflight/extraction, and traversal-safe SFV verification and
110+ renaming. Live cleanup fails closed where the required Linux/POSIX primitives
111+ are unavailable; extracted directories and files are private ` 0700 ` and
112+ ` 0600 ` objects respectively.
94113- ` scripts/tests/test_setup_melodee.py ` - Covers secret generation, POSIX
95114 permissions, existing-file preservation, malformed templates, symlink
96115 refusal, and non-regular destinations.
@@ -103,6 +122,19 @@ fixes, setup-secret hardening, and container dependency remediation.
103122- ` .github/codeql/codeql-config.yml ` - Removes invalid model configuration and
104123 broad rule exclusions while retaining the default remote threat model for
105124 the compiled web application.
125+ - ` src/Melodee.Common/Services/DeviceIdentificationService.cs ` ,
126+ ` src/Melodee.Common/Services/PlaylistImportService.cs ` ,
127+ ` src/Melodee.Common/Services/ScriptEvaluation/ScriptAdminService.cs ` ,
128+ ` src/Melodee.Common/Services/SearchEngines/ArtistSearchEngineService.cs ` , and
129+ ` src/Melodee.Common/Services/SettingService.cs ` - Sanitize the six
130+ attacker-controlled fields found by the fresh default-remote C# log-forging
131+ scan.
132+ - ` src/Melodee.Common/Services/Playback/Backends/MpdPlaybackBackend.cs ` - Keeps
133+ the MPD password command on the wire while passing only a credential-free
134+ command representation to every log path.
135+ - ` tests/Melodee.Tests.Common/Services/Playback/PlaybackBackendTests.cs ` -
136+ Verifies that password authentication still reaches MPD and never reaches
137+ application logs.
106138- ` .github/CODEQL-WORKFLOW.md ` - Documents the single advanced setup, model
107139 behavior, verification, and stale GitHub configuration cleanup.
108140- ` Dockerfile ` - Moves the shipped runtime to the official .NET 10 Ubuntu 26.04
@@ -136,3 +168,75 @@ fixes, setup-secret hardening, and container dependency remediation.
136168 pack.
137169- ` .github/docker/Dockerfile.container-scan ` - Removed the reduced scan image
138170 so CI analyzes the same final image that releases publish.
171+
172+ ## Verified Results
173+
174+ ### CodeQL
175+
176+ - The six live baseline C# password-reset privacy flows have source fixes. The
177+ Python setup-secret alert is handled by atomic owner-only persistence,
178+ regression coverage, and one narrow documented suppression for the necessary
179+ ` .env ` sink.
180+ - A fresh C# database using the default remote threat model moved from eight
181+ findings to zero after fixing six log-forging paths and two MPD
182+ password-to-log flows.
183+ - Fresh GitHub Actions and JavaScript/TypeScript databases each report zero
184+ findings.
185+ - Restored local Python analysis identified the setup persistence boundary,
186+ polynomial Link parsing, secret-bearing output, filesystem/ZIP/SFV paths, and
187+ same-origin exporter request handling. A fresh workflow-equivalent database
188+ reports zero findings and no SARIF warning/error notifications across all 45
189+ default queries. The 52-query security-extended suite also reports zero
190+ findings.
191+
192+ The shared configuration keeps the compiled C# application, JavaScript, and
193+ Actions on CodeQL's default remote trust boundary. Python alone enables the
194+ local threat model because maintenance scripts intentionally consume command
195+ line arguments, environment variables, and local files. This avoids treating
196+ ordinary application-owned database and filesystem state as remotely
197+ attacker-controlled while preserving the stricter model where it represents
198+ the Python tools' real inputs.
199+
200+ ### Container and Dependency Inventory
201+
202+ - Trivy 0.72.0 reduced raw production-image findings from 416 to 140: 276
203+ removed (66.3%). The remaining inventory represents 41 CVEs, split into 124
204+ medium and 16 low findings.
205+ - The remaining image inventory contains zero critical, high, fixable,
206+ .NET-package, or application-package findings.
207+ - GitHub receives only the intended critical/high SARIF policy. CI retains the
208+ complete all-severity JSON report for review and future fix-availability
209+ changes.
210+ - NuGet reports zero vulnerable dependencies.
211+
212+ ### Build and Runtime Verification
213+
214+ - The complete solution builds with zero warnings and errors.
215+ - The full .NET suite passes 5,885 tests with 34 skipped and zero failed.
216+ - All 109 Python script tests pass with ` ResourceWarning ` promoted to an error,
217+ including 57 focused incoming-cleanup security and race regressions.
218+ - Jekyll, ` actionlint ` , YAML parsing, shell syntax/static analysis, and Docker
219+ configuration checks pass.
220+ - A real PostgreSQL integration starts the production image with the
221+ unprivileged ` melodee ` process as PID 1, reaches healthy status, and confirms
222+ that configured database/authentication secrets are absent from container
223+ logs.
224+
225+ ## Release Summary
226+
227+ The local release gate is complete: all four CodeQL languages report zero fresh
228+ findings, the production image contains no critical, high, or currently fixable
229+ inventory, the .NET and Python suites pass, and the production container passes
230+ its real-database non-root integration. The remaining 140 raw image findings
231+ are quantified medium/low Ubuntu-package issues without available fixes.
232+
233+ ## Post-Merge Verification
234+
235+ - The final pre-merge API query still reports the 423-alert ` main ` baseline.
236+ This is expected because GitHub has not analyzed this branch; no server-side
237+ alert closure is claimed by the local results.
238+ - After the checked-in Python job completes successfully on ` main ` , delete the
239+ stale ` dynamic/github-code-scanning/codeql:analyze ` and
240+ ` dynamic/github-code-scanning/codeql:upload ` Python configurations from
241+ ** Security and quality > Code scanning > Tool status** . Retain
242+ ` .github/workflows/codeql.yml:analyze ` .
0 commit comments