security: resolve Sonar SECURITY-category issues#20
Merged
Conversation
Resolve the SECURITY-category Sonar findings:
- S7637: pin the third-party mlugg/setup-zig action to a full commit SHA (d1434d0, v2) in ci/sonar/publish workflows, so a moved tag can't swap the action under us. The first-party actions/* are not flagged.
- S5443: NativeLibrary extracts the bundled library into an owner-only directory (Files.createTempDirectory, 0700 on POSIX) — the rule's warning is already mitigated with no further code change available, so suppress it for that file via sonar.issue.ignore with a documented why.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Properly fix S5443 instead of suppressing it: create the extraction directory with an explicit owner-only (rwx------) POSIX permission attribute at creation time, the rule's compliant pattern. Falls back to no attribute on non-POSIX file systems, where the temp directory is already per-user. Revert the earlier pom-level suppression.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Clears the SECURITY-impact findings on the Sonar security view.
S7637 — unpinned GitHub Action (×3, MAJOR vulnerability)
Pin the third-party mlugg/setup-zig@v2 to a full commit SHA (d1434d0…, kept readable with a # v2 comment) in ci.yml, sonar.yml, publish.yml. A moved/compromised tag can no longer swap the action mid-build. The first-party actions/* uses aren't flagged by the rule.
S5443 — temp dir in a publicly-writable location (CRITICAL vulnerability)
Real fix (not a suppression): NativeLibrary now creates the extraction directory with an explicit owner-only POSIX permission attribute (rwx------) set atomically at creation — the rule's compliant pattern — instead of relying on the default. On non-POSIX file systems it falls back to no attribute (the Windows temp directory is already per-user, and the POSIX attribute is unsupported there). This closes the swap/symlink window for the bundled libzstd between extraction and dlopen.
Test
./mvnw -pl zstd -am test — green; native library loads via the hardened path. checkstyle + IntelliJ clean.
🤖 Generated with Claude Code
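The S5443-compliant pattern described above, as an added illustration that is not the project's NativeLibrary code: the directory is created with rwx------ applied by the mkdir call itself on POSIX file systems, falls back to the plain per-user temp directory where the attribute is unsupported, and verifies the resulting mode before the caller loads anything from it. The class, method and resource names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Hypothetical helper (not the project's NativeLibrary): owner-only extraction directory. */
public final class OwnerOnlyExtractDir {

    private static final boolean POSIX =
        FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    private static final Set<PosixFilePermission> OWNER_ONLY =
        PosixFilePermissions.fromString("rwx------");

    /** Creates a temp directory that is rwx------ from the moment it exists. */
    static Path createOwnerOnlyTempDir(String prefix) throws IOException {
        if (POSIX) {
            // The mode is part of the mkdir call, so there is no window in which another
            // local user could enter the directory or plant a symlink inside it.
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(OWNER_ONLY);
            return Files.createTempDirectory(prefix, attr);
        }
        // Non-POSIX (e.g. Windows): the attribute is unsupported; the temp directory is per-user.
        return Files.createTempDirectory(prefix);
    }

    /** Extracts a bundled class-path resource into the hardened directory and returns its path. */
    static Path extract(String resourceName, String fileName) throws IOException {
        Path dir = createOwnerOnlyTempDir("native-");
        Path target = dir.resolve(fileName);
        try (InputStream in = OwnerOnlyExtractDir.class.getResourceAsStream(resourceName)) {
            if (in == null) throw new IOException("missing bundled resource " + resourceName);
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        // Defensive post-condition: refuse to hand out a path from a directory that is not owner-only.
        if (POSIX && !Files.getPosixFilePermissions(dir).equals(OWNER_ONLY)) {
            throw new IOException("extraction directory is not owner-only: " + dir);
        }
        return target; // the caller passes this to System.load(...)
    }

    public static void main(String[] args) throws IOException {
        Path dir = createOwnerOnlyTempDir("demo-");
        System.out.println(dir + " " + (POSIX
            ? PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)) : "(non-POSIX)"));
    }
}
```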