Update semgrep.yml #181
Open
hrushikeshdeshpande wants to merge 21 commits into cf from hrushikeshdeshpande-updating-semgrep-yml
Conversation
Add README Co-authored-by: Peter Wu <[email protected]>
Include the `-cf` tag so this fork can be identified. Include the `devel` tag such that we can potentially add new APIs to the api/next.txt file in order to please the TestDependencies test.
This allows applications to use build tags to maintain compatibility with both this fork as well as standard Go. [ bas 2023-10-6: Fix cfgo build tag and add a test (#156) ]
Tests can be run from the repo with: `docker-compose run test`
[pwu: Go 1.22.0: resolve conflicts: git rm -r .github/ISSUE_TEMPLATE]
The "API check" test requires new APIs to be tracked in api/go1.X.txt or api/next/X.txt. Since Go 1.19 (commit b7041c7), every line in these files also needs a comment with the approval issue number. To reduce development friction, we disable the requirement of updating these files when the `-cf` tag is present in the VERSION file.
Add basic support for handshake metrics:
* Adds the ability to set a callback via the CFEventHandlerContextKey context value on the handshake context. It will be called at various points during the handshake to respond to various events. See #146.
* Use this callback to expose client and server intra-handshake state machine durations, respectively. Each event records elapsed timestamps (durations) for relevant events during the course of a connection, such as reading and writing handshake messages of interest. This will be useful for recording intra-stack costs of TLS extensions such as ECH and KEMTLS.
[pwu: Go 1.20.4: moved Config.CFEventHandler to context value]
[pwu: Go 1.20.4: moved CFEvent code from tls_cf.go to cfevent.go]
This patch adds:
- X25519Kyber768Draft00, this is the de facto standard for early deployment, see https://mailarchive.ietf.org/arch/msg/tls/HAWpNpgptl--UZNSYuvsjB-Pc2k/ https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/02/
- X25519Kyber768Draft00Old, which is the same as the previous, but under old identifiers.
- X25519Kyber512Draft00. This should only be used for testing whether the smaller shares are advantageous.
- P256Kyber768Draft00. Uses a non-standard identifier. Should not be used.
Adds CFEvents to detect `HelloRetryRequest`s and to signal which key agreement was used.
Co-authored-by: Christopher Wood <[email protected]>
Co-authored-by: Peter Wu <[email protected]>
To avoid having to regenerate all testdata files, add an option to control whether PQ signature algorithms are advertised. Tests were added for the client side. Since Go 1.19, FIPS-only mode must remain disabled to enable PQ sigalgs. [pwu: Go 1.17: moved parsePublicKey changes from x509/x509.go to x509/parser.go] [pwu: Go 1.22.5: add eddilithium2 support, fix eddilithium3, by Bas in #176] Co-authored-by: Christopher Patton <[email protected]> Co-authored-by: Peter Wu <[email protected]>
* Define API for delegated credentials so they are fetched using the same mechanisms used to fetch certificates
* Allow the usage of other keyUsage when checking for the DC extension.
* Add tool for generating delegated credentials.
Co-authored-by: Jonathan Hoyland <[email protected]>
Adds support for draft 13 of the Encrypted ClientHello (ECH) extension for TLS. This requires CIRCL to implement draft 08 or later of the HPKE specification (draft-irtf-cfrg-hpke-08). Adds a CFEvent for reporting when ECH is offered or greased by the client, when ECH is accepted or rejected by the server, and when the outer SNI doesn't match the public name of the ECH config.
Missing ECH features:
* Record-level padding.
* Proper validation of the public name by the client.
* Retry after rejection.
* PSKs are disabled when ECH is accepted.
…o send RTG-2919 [ Bas 1.21.3: Send empty keyshare extension instead of leaving it out ]
In contrast to upstream Go, we will send a HelloRetryRequest and accept an extra roundtrip if there is a more preferred group than the one the client has provided a keyshare for in the initial ClientHello. Cf. https://datatracker.ietf.org/doc/draft-davidben-tls-key-share-prediction/
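To make the contrast with upstream Go in this commit concrete, here is an added Go illustration of the two group-selection policies; it is not the fork's code, and the CurveID constants and function names are constructed for the example.

```go
package main

// CurveID stands in for the TLS NamedGroup identifier; the constants are
// constructed for this illustration and are not the fork's own definitions.
type CurveID uint16

const (
	X25519                CurveID = 29
	P256                  CurveID = 23
	X25519Kyber768Draft00 CurveID = 0x6399
)

// Decision is the server's choice after reading the ClientHello.
type Decision struct {
	Group             CurveID
	HelloRetryRequest bool // true: the server accepts an extra round trip
}

func contains(list []CurveID, g CurveID) bool {
	for _, x := range list {
		if x == g {
			return true
		}
	}
	return false
}

// selectGroupUpstream models upstream Go: take the first server-preferred group
// the client already sent a key share for, avoiding a HelloRetryRequest; only if
// there is none, fall back to the most preferred mutually supported group.
func selectGroupUpstream(serverPrefs, clientSupported, clientShares []CurveID) (Decision, bool) {
	for _, g := range serverPrefs {
		if contains(clientSupported, g) && contains(clientShares, g) {
			return Decision{Group: g}, true
		}
	}
	return selectGroupPreferred(serverPrefs, clientSupported, clientShares)
}

// selectGroupPreferred models the commit's policy: always take the most
// preferred mutually supported group and send HelloRetryRequest if the client
// did not predict it with a key share.
func selectGroupPreferred(serverPrefs, clientSupported, clientShares []CurveID) (Decision, bool) {
	for _, g := range serverPrefs {
		if contains(clientSupported, g) {
			return Decision{Group: g, HelloRetryRequest: !contains(clientShares, g)}, true
		}
	}
	return Decision{}, false // no common group: the handshake fails
}
```

With a server that prefers the post-quantum group and a client that only sent an X25519 share, upstream picks X25519 without a round trip while the fork's policy picks X25519Kyber768Draft00 at the cost of a HelloRetryRequest.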
DummyKex is a key agreement similar in size but purposefully incompatible with X25519. The goal is to have a key agreement that servers will not support, so we can test HelloRetryRequest.
Updating Semgrep.yml file - Semgrep is a tool that will be used to scan Cloudflare's public repos for Supply chain, code and secrets. This work is part of Application & Product Security team's initiative to onboard Semgrep onto all of Cloudflare's public repos. In case of any questions, please reach out to "Hrushikesh Deshpande" on cf internal chat.
Most PRs should be linked to an issue. See https://github.com/cloudflare/go/wiki/Contributing for guidance on when and how to open a PR.