
Commit 25e9bd8

committed
ci: fix codespell, source-text, and SBOM check failures
Normalize CRLF->LF in advisory feature files (advisory.yml, gen-advisory, CVE records, testdata) to clear check-source-text CR violations. Ignore "cna" and skip cwe-names.json in codespell; rename "justs" var. Drop dead/buggy props block in sbom.yml that hit KeyError 'name' on SPDX annotations (no 'name' key). Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
1 parent 29b84d8 commit 25e9bd8

17 files changed

Lines changed: 2605 additions & 2613 deletions

.github/workflows/advisory.yml

Lines changed: 217 additions & 217 deletions

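--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -24,8 +24,8 @@ jobs:
 check_filenames: true
 check_hidden: true
 # Add comma separated list of words that occur multiple times that should be ignored (sorted alphabetically, case sensitive)
-ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te,HSI,failT,toLen,
+ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,cna,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te,HSI,failT,toLen,
 # The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored.
 exclude_file: '.codespellexcludelines'
 # To skip files entirely from being processed, add it to the following list:
-skip: '*.cproject,*.csr,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked,./examples/asn1/dumpasn1.cfg,./examples/asn1/oid_names.h'
+skip: '*.cproject,*.csr,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked,./examples/asn1/dumpasn1.cfg,./examples/asn1/oid_names.h,./scripts/cwe-names.json'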
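Review bot: Adding `cna` to `ignore_words_list` in the first changed line suppresses that correction tree-wide, and `cna` is a common transposition of `can` that codespell would otherwise catch in comments and documentation; the word is only needed because the CVE record JSON uses `cna` as a container key. Scoping the suppression to those files keeps the check for the rest of the source: either add a glob for the record directory to `skip` (placeholder: `./<cve-record-dir>/*.json`) or list the offending lines in the existing `exclude_file`, `.codespellexcludelines`. The same trade-off applies to the new `./scripts/cwe-names.json` entry in `skip`, which disables the check for every string in that file; if it is vendored data that is fine, but a comment beside the entry naming its origin, such as `# cwe-names.json is generated from the upstream CWE list; do not spell-check`, would tell the next reader why a whole file is excluded. The `with:` mapping these keys belong to starts outside the hunk.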

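--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -738,11 +738,6 @@ jobs:
 assert 'purl' in refs, refs
 assert re.match(r'pkg:github/open-quantum-safe/liboqs@', refs['purl']), \
 refs['purl']
-# Algorithm enablement must still be visible via build_props
-# (parsed from options.h), not via the dep entry.
-props = {p['name']: p['value']
-for p in d['packages'][0].get('annotations', [])
-if p.get('annotationType') == 'OTHER'}
 # CycloneDX side: same package + version present.
 with open(glob.glob('wolfssl-*.cdx.json')[0]) as f:
 cdx = json.load(f)
@@ -759,12 +754,9 @@ jobs:
 import glob, json
 with open(glob.glob('wolfssl-*.spdx.json')[0]) as f:
 d = json.load(f)
-wolf = [p for p in d['packages'] if p['name'] == 'wolfssl'][0]
-props = {p['name']: p['value']
-for p in wolf.get('annotations', [])
-if p.get('annotationType') == 'OTHER'}
 # Build props can land as annotations or as a 'attributionTexts'
-# block depending on SPDX version; check both.
+# block depending on SPDX version; serialize the whole doc and
+# check the flag is present somewhere.
 combined = json.dumps(d)
 assert 'HAVE_FALCON' in combined, \
 "HAVE_FALCON missing from SBOM build properties"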
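Review bot: The surviving check at the end of the second hunk searches `json.dumps(d)` for `HAVE_FALCON`, so it passes if the string appears anywhere in the SPDX document (a comment, a file name, a relationship, a reference URL) while the assertion message still claims a build-property check; with the `wolf` lookup also dropped, this step no longer confirms that a `wolfssl` package entry exists at all. The first hunk's removal of the `d['packages'][0]` props block was dead code, as the commit says, but it leaves the first job with no annotation check either. Per the commit message the KeyError came from indexing `name`/`value` on SPDX annotations; in the SPDX 2.3 JSON form an annotation carries its text in `comment`, so reading that field plus `attributionTexts` on the wolfssl package keeps the assertion scoped to what the message promises — I am inferring that the build props land in `comment`, which should be confirmed against a generated SBOM. The `run:` script these lines belong to starts and ends outside the hunk.

```python
d = json.load(f)
wolf = [p for p in d['packages'] if p['name'] == 'wolfssl'][0]
# Build props can land as annotation 'comment' text or as an
# 'attributionTexts' block depending on SPDX version; check both.
# NOTE(review): assumes SPDX 2.3 JSON annotation objects — confirm
texts = [a.get('comment', '') for a in wolf.get('annotations', [])]
texts += wolf.get('attributionTexts', [])
assert any('HAVE_FALCON' in t for t in texts), \
    "HAVE_FALCON missing from SBOM build properties"
```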

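--- a/Makefile.am
+++ b/Makefile.am
@@ -464,7 +464,7 @@ WOLFSSL_LIB_DSO_BASENAMES = \
 # LicenseRef is in use; `make sbom` exits with an
 # error if it is missing.
 # SBOM_DOCUMENT_NAMESPACE Override the SPDX documentNamespace. Default
-# is a deterministic urn:uuid (SPDX 2.3 §6.5
+# is a deterministic urn:uuid (SPDX 2.3 sec. 6.5
 # requires only uniqueness, not resolvability).
 # Downstream packagers re-hosting the SBOM under
 # their own URL should set this to a URI they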
Lines changed: 122 additions & 122 deletions
@@ -1,122 +1,122 @@
1-
{
2-
"dataType": "CVE_RECORD",
3-
"dataVersion": "5.2",
4-
"cveMetadata": {
5-
"cveId": "CVE-2026-5501",
6-
"assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
7-
"state": "PUBLISHED",
8-
"assignerShortName": "wolfSSL",
9-
"dateReserved": "2026-04-03T15:46:09.302Z",
10-
"datePublished": "2026-04-10T03:07:39.604Z",
11-
"dateUpdated": "2026-04-22T13:59:28.514Z"
12-
},
13-
"containers": {
14-
"cna": {
15-
"providerMetadata": {
16-
"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
17-
"shortName": "wolfSSL",
18-
"dateUpdated": "2026-04-10T03:07:39.604Z"
19-
},
20-
"title": "Improper Certificate Signature Verification in X.509 Chain Validation Allows Forged Leaf Certificates",
21-
"problemTypes": [
22-
{
23-
"descriptions": [
24-
{
25-
"lang": "en",
26-
"cweId": "CWE-295",
27-
"description": "CWE-295 Improper certificate validation",
28-
"type": "CWE"
29-
}
30-
]
31-
}
32-
],
33-
"affected": [
34-
{
35-
"vendor": "wolfSSL",
36-
"product": "wolfSSL",
37-
"modules": [
38-
"wolfSSL_X509_verify_cert"
39-
],
40-
"programFiles": [
41-
"src/x509_str.c"
42-
],
43-
"versions": [
44-
{
45-
"status": "affected",
46-
"version": "0",
47-
"lessThanOrEqual": "5.9.0",
48-
"versionType": "semver"
49-
}
50-
],
51-
"defaultStatus": "unaffected"
52-
}
53-
],
54-
"descriptions": [
55-
{
56-
"lang": "en",
57-
"value": "wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy.",
58-
"supportingMedia": [
59-
{
60-
"type": "text/html",
61-
"base64": false,
62-
"value": "wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy."
63-
}
64-
]
65-
}
66-
],
67-
"references": [
68-
{
69-
"url": "https://github.com/wolfSSL/wolfssl/pull/10102"
70-
}
71-
],
72-
"metrics": [
73-
{
74-
"format": "CVSS",
75-
"scenarios": [
76-
{
77-
"lang": "en",
78-
"value": "GENERAL"
79-
}
80-
],
81-
"cvssV4_0": {
82-
"attackVector": "NETWORK",
83-
"attackComplexity": "LOW",
84-
"attackRequirements": "NONE",
85-
"privilegesRequired": "LOW",
86-
"userInteraction": "NONE",
87-
"vulnConfidentialityImpact": "HIGH",
88-
"subConfidentialityImpact": "NONE",
89-
"vulnIntegrityImpact": "HIGH",
90-
"subIntegrityImpact": "NONE",
91-
"vulnAvailabilityImpact": "NONE",
92-
"subAvailabilityImpact": "NONE",
93-
"exploitMaturity": "NOT_DEFINED",
94-
"Safety": "NOT_DEFINED",
95-
"Automatable": "NOT_DEFINED",
96-
"Recovery": "NOT_DEFINED",
97-
"valueDensity": "NOT_DEFINED",
98-
"vulnerabilityResponseEffort": "NOT_DEFINED",
99-
"providerUrgency": "NOT_DEFINED",
100-
"version": "4.0",
101-
"baseSeverity": "HIGH",
102-
"baseScore": 8.6,
103-
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
104-
}
105-
}
106-
],
107-
"credits": [
108-
{
109-
"lang": "en",
110-
"value": "Calif.io in collaboration with Claude and Anthropic Research",
111-
"type": "finder"
112-
}
113-
],
114-
"source": {
115-
"discovery": "EXTERNAL"
116-
},
117-
"x_generator": {
118-
"engine": "Vulnogram 1.0.1"
119-
}
120-
}
121-
}
122-
}
1+
{
2+
"dataType": "CVE_RECORD",
3+
"dataVersion": "5.2",
4+
"cveMetadata": {
5+
"cveId": "CVE-2026-5501",
6+
"assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
7+
"state": "PUBLISHED",
8+
"assignerShortName": "wolfSSL",
9+
"dateReserved": "2026-04-03T15:46:09.302Z",
10+
"datePublished": "2026-04-10T03:07:39.604Z",
11+
"dateUpdated": "2026-04-22T13:59:28.514Z"
12+
},
13+
"containers": {
14+
"cna": {
15+
"providerMetadata": {
16+
"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
17+
"shortName": "wolfSSL",
18+
"dateUpdated": "2026-04-10T03:07:39.604Z"
19+
},
20+
"title": "Improper Certificate Signature Verification in X.509 Chain Validation Allows Forged Leaf Certificates",
21+
"problemTypes": [
22+
{
23+
"descriptions": [
24+
{
25+
"lang": "en",
26+
"cweId": "CWE-295",
27+
"description": "CWE-295 Improper certificate validation",
28+
"type": "CWE"
29+
}
30+
]
31+
}
32+
],
33+
"affected": [
34+
{
35+
"vendor": "wolfSSL",
36+
"product": "wolfSSL",
37+
"modules": [
38+
"wolfSSL_X509_verify_cert"
39+
],
40+
"programFiles": [
41+
"src/x509_str.c"
42+
],
43+
"versions": [
44+
{
45+
"status": "affected",
46+
"version": "0",
47+
"lessThanOrEqual": "5.9.0",
48+
"versionType": "semver"
49+
}
50+
],
51+
"defaultStatus": "unaffected"
52+
}
53+
],
54+
"descriptions": [
55+
{
56+
"lang": "en",
57+
"value": "wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy.",
58+
"supportingMedia": [
59+
{
60+
"type": "text/html",
61+
"base64": false,
62+
"value": "wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy."
63+
}
64+
]
65+
}
66+
],
67+
"references": [
68+
{
69+
"url": "https://github.com/wolfSSL/wolfssl/pull/10102"
70+
}
71+
],
72+
"metrics": [
73+
{
74+
"format": "CVSS",
75+
"scenarios": [
76+
{
77+
"lang": "en",
78+
"value": "GENERAL"
79+
}
80+
],
81+
"cvssV4_0": {
82+
"attackVector": "NETWORK",
83+
"attackComplexity": "LOW",
84+
"attackRequirements": "NONE",
85+
"privilegesRequired": "LOW",
86+
"userInteraction": "NONE",
87+
"vulnConfidentialityImpact": "HIGH",
88+
"subConfidentialityImpact": "NONE",
89+
"vulnIntegrityImpact": "HIGH",
90+
"subIntegrityImpact": "NONE",
91+
"vulnAvailabilityImpact": "NONE",
92+
"subAvailabilityImpact": "NONE",
93+
"exploitMaturity": "NOT_DEFINED",
94+
"Safety": "NOT_DEFINED",
95+
"Automatable": "NOT_DEFINED",
96+
"Recovery": "NOT_DEFINED",
97+
"valueDensity": "NOT_DEFINED",
98+
"vulnerabilityResponseEffort": "NOT_DEFINED",
99+
"providerUrgency": "NOT_DEFINED",
100+
"version": "4.0",
101+
"baseSeverity": "HIGH",
102+
"baseScore": 8.6,
103+
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
104+
}
105+
}
106+
],
107+
"credits": [
108+
{
109+
"lang": "en",
110+
"value": "Calif.io in collaboration with Claude and Anthropic Research",
111+
"type": "finder"
112+
}
113+
],
114+
"source": {
115+
"discovery": "EXTERNAL"
116+
},
117+
"x_generator": {
118+
"engine": "Vulnogram 1.0.1"
119+
}
120+
}
121+
}
122+
}
