build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3#2
Closed
dependabot[bot] wants to merge 14 commits intomasterfrom
Closed
build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3#2dependabot[bot] wants to merge 14 commits intomasterfrom
dependabot[bot] wants to merge 14 commits intomasterfrom
Conversation
- simulation-test.yml: replace 'eosim validate <platform>' with 'eosim info <platform>' - simulation-test.yml: replace 'eosim simulate --platform' with 'eosim run <platform>' - simulation-test.yml: replace 'eosim list-platforms' with 'eosim list' - eosim-sanity.yml: replace 'eosim simulate --platform' with 'eosim run <platform>' The published eosim v0.1.0 wheel does not include 'simulate' or 'list-platforms' commands, and 'validate' expects a file path not a platform name.
The eosim v0.1.0 wheel does not bundle the platforms/ data directory, causing _find_platform() to crash with FileNotFoundError. After installing the wheel, clone the platforms data from the EoSim repo into the expected site-packages location.
Platform names in EoSim YAML configs use suffixed forms: - x86_64 -> x86_64-linux - arm64 -> arm64-linux - riscv64 -> riscv64-linux
Phase 1 — Security Documentation & Threat Modeling: - docs/threat_model.md: STRIDE-based threat model with trust boundaries - docs/key_lifecycle.md: Ed25519 key management lifecycle - docs/secure_boot_chain.md: Full chain of trust documentation - docs/security_review_checklist.md: PR security review checklist - docs/mcuboot_comparison.md: mcuboot pattern comparison - Updated SECURITY.md and docs/security.md with status tracking Phase 2 — HAL Secure Extensions: - Extended eos_hal.h with otp_read/write, rng_get, debug_lock/status, monotonic_read/increment, hw_sha256, hw_aes_decrypt - Added security wrappers in hal/hal_core.c - Added new error codes in eos_types.h Phase 3 — Cryptographic Integrity & Authentication: - Replaced Ed25519 stub with working verification in crypto_boot.c - Added eos_crypto_safe_compare() for constant-time comparison - Added SHA-256 streamed image verification from flash - New core/ed25519_verify.c with structural+hash verification - New core/keystore.c with dual-key slots, OTP support, revocation - include/eos_keystore.h key management API Phase 4 — Stage-0 Secure Boot Chain: - stage0/jump_stage1.c: SHA-256 verification before jump - Double-check pattern for fault injection resistance - tools/embed_stage1_hash.py for build-time hash generation Phase 5 — Physical Attack Hardening: - core/debug_lock.c + include/eos_debug_lock.h: JTAG/SWD lock - stage0/hw_init_minimal.c: Debug lock before secrets loaded - stage0/reset_entry.c: Stack poisoning with 0xDEADBEEF - core/mpu_boot.c: eos_mpu_set_bootloader() and eos_mpu_set_lockdown() Phase 6 — Secure Firmware Update: - fw_update.c: Signature + anti-rollback check in finalize - recovery.c: Challenge-response auth with exponential backoff - core/fw_decrypt.c + include/eos_fw_decrypt.h: AES-256-GCM streaming - core/image_tlv.c + include/eos_image_tlv.h: mcuboot-style TLV parser Phase 7 — Runtime Protections: - CMakeLists.txt: -fstack-protector-strong, -D_FORTIFY_SOURCE=2 - runtime_services.c: __stack_chk_fail handler for bare-metal - stage1/jump_app.c: Image verification + MPU lockdown before jump - stage1/main.c: MPU setup at entry Phase 8 — Fuzzing & Security Testing: - tests/fuzz/: 5 libFuzzer harnesses (image_verify, recovery, fw_update, crypto, bootctl) - CMakeLists.txt: EBLDR_SANITIZE option for ASAN/UBSAN - Valgrind test targets in tests/CMakeLists.txt Phase 9 — Secure Development Practices: - .clang-tidy: cert/bugprone/security checks enabled - cmake/security_checks.cmake: cppcheck + clang-tidy targets - ci/ci_security.yml: GitHub Actions security pipeline - ci/security_test.sh: CI security test script Phase 10 — mcuboot Pattern Adoption: - TLV metadata system (eos_image_tlv.h) - Hash-then-verify-signature pattern - Key hash in TLV for key identification - Security counter via monotonic anti-rollback Tools: - sign_image.py: Full Ed25519 signing via cryptography library - embed_stage1_hash.py: Stage-1 hash embedding for secure boot chain
When eos_hal_monotonic_read() returns EOS_ERR_NOT_SUPPORTED (no OTP/eFuse monotonic counter — common in unit test and simulation environments), the security_version field was left at 0 after memset. This caused test_keystore_security_version to fail because: - It asserts version >= 1 (a sane post-init value) - With version 0, the anti-rollback downgrade test (set version-1) would underflow to UINT32_MAX, breaking the rollback protection logic Fix: when the HAL has no HW counter, initialize all slot security_versions to 1. This is also correct for security — version 0 could allow unsigned or pre-provisioning images to pass the anti-rollback gate.
- CI: multi-OS build, cross-compile (stm32f4/nrf52/rpi4/riscv64), sanitizers, security hardening - Release: automated firmware releases for 7 board targets - Security: CodeQL analysis + OSSF Scorecard - Dependencies: Dependabot for GitHub Actions
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.0 to 2.4.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@v2.4.0...v2.4.3) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
bot
deleted the
dependabot/github_actions/ossf/scorecard-action-2.4.3
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps ossf/scorecard-action from 2.4.0 to 2.4.3.
Release notes
Sourced from ossf/scorecard-action's releases.
Commits
4eaacf0bump docker to ghcr v2.4.3 (#1587)42e3a01🌱 Bump the github-actions group with 3 updates (#1585)88c07ac🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)6c690f2Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)92083b5📖 Fix recommended command to test the image in development (#1583)7975ea6🌱 Bump the docker-images group across 1 directory with 2 updates (#1...0d1a743🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)46e6e0c🌱 Bump the github-actions group with 2 updates (#1580)c3f1350🌱 Improve printing options (#1584)43e475b🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)