marcel/familienarchiv
1
0
Fork 0
Code Issues 114 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

fix(ci): pin semgrep version, add pip cache, harden rule severity
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m2s
Details
CI / OCR Service Tests (pull_request) Successful in 18s
Details
CI / Backend Unit Tests (pull_request) Successful in 2m55s
Details
CI / fail2ban Regex (pull_request) Successful in 42s
Details
CI / Semgrep Security Scan (pull_request) Successful in 18s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 59s
Details
CI / Unit & Component Tests (push) Successful in 3m3s
Details
CI / OCR Service Tests (push) Successful in 19s
Details
CI / Backend Unit Tests (push) Successful in 2m56s
Details
CI / fail2ban Regex (push) Successful in 40s
Details
CI / Semgrep Security Scan (push) Successful in 17s
Details
CI / Compose Bucket Idempotency (push) Successful in 59s
Details

Browse Source 
- Pin semgrep to 1.163.0 to prevent silent upgrades breaking the scan
- Add cache: 'pip' to setup-python@v5 for faster CI runs
- Promote all three XXE Semgrep rules from WARNING to ERROR to match
  the --error CI flag intent
- Update SAX/StAX rule messages to reference XxeSafeXmlParser and
  the OWASP XXE prevention cheat sheet
- Remove stale issue reference from regression test comment
- Document XML metacharacter constraint on buildValidOds test helper

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit was merged in pull request #610.
This commit is contained in:
Marcel
2026-05-17 16:18:03 +02:00
parent f15ea031d1
commit 669eaa7c65
3 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.semgrep/security.yml
View File

@@ -17,8 +17,9 @@ rules:
message: >
DocumentBuilderFactory without XXE protection (CWE-611).
Call XxeSafeXmlParser.hardenedFactory() instead of DocumentBuilderFactory.newInstance().
See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
languages: [java]
severity: WARNING
severity: ERROR
# SAXParserFactory without XXE hardening.
- id: sax-xxe-default
@@ -30,9 +31,11 @@ rules:
...
message: >
SAXParserFactory without XXE protection (CWE-611).
Apply disallow-doctype-decl and disable external entity features before use.
Set disallow-doctype-decl=true, external-general-entities=false, external-parameter-entities=false,
and load-external-dtd=false before use. Follow the pattern in XxeSafeXmlParser.hardenedFactory().
See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
languages: [java]
severity: WARNING
severity: ERROR
# XMLInputFactory without XXE hardening (StAX parser).
- id: stax-xxe-default
@@ -44,6 +47,8 @@ rules:
...
message: >
XMLInputFactory without XXE protection (CWE-611).
Set IS_SUPPORTING_EXTERNAL_ENTITIES to false and SUPPORT_DTD to false before use.
Set IS_SUPPORTING_EXTERNAL_ENTITIES=false and SUPPORT_DTD=false before use.
Follow the pattern in XxeSafeXmlParser.hardenedFactory().
See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
languages: [java]
severity: WARNING
severity: ERROR