Comment 13 for bug 1990655

David Fernandez Gonzalez (litios) wrote :

I reviewed libgit2 1.5.1+ds-1ubuntu1 as checked into mantic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

Upstream: https://github.com/libgit2/libgit2

libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant
linkable library with a solid API, allowing you to write native speed custom Git applications
in any language that supports C bindings.

- CVE History:
  * 14 CVEs, 11 of them are from the 2016-2018 period.
  * Since 2018 the only 3 CVEs found are NTFS-related or certs-related.
  * Only one in the last 3 years (cert-related)
  * In some cases, fixes have been backported officially.
- Build-Depends?
  * debhelper-compat (= 13), python3-minimal:any, pkg-config, ca-certificates, cmake, zlib1g-dev,
    libssl-dev, libssh2-1-dev, libhttp-parser-dev, libpcre2-dev, libkrb5-dev
  * It uses libssl, libssh, libhttp-parser, krb5.
- pre/post inst/rm scripts?
  * None.
- init scripts?
  * None.
- systemd units?
  * None.
- dbus services?
  * None.
- setuid binaries?
  * None.
- binaries in PATH?
  * None.
- sudo fragments?
  * None.
- polkit files?
  * None.
- udev rules?
  * None.
- unit tests / autopkgtests?
  * Autopkgtest test only checks if the library can be loaded and calls version retrieval.
  * It has extensive unit tests; they are run at build time.
- cron jobs?
  * None.
- Build logs:
  * Warn/Error on build logs:
    * CMake warnings regarding unused variables.
    * Build warning about uninitialized variables, deprecated SSH functions.
  * Some lintian errors on examples (fixture binary).

- Processes spawned?
  * The library does not spawn any processes.
- Memory management?
  * Memory is handled with care, always performing checks and validating the
    return values.
  * Specific structs have been created to manage memory more safely, like
    git_str.
  * Specific macros/functions have been created to perform sensitive operations
    in the safest way possible.
- File IO?
  * File paths are reconstructed from the Git tree.
    If someone can modify the .git tree files then they already have access.
    No security issues.
  * File contents are not sanitized, as expected.
  * Files are created with the umask specified in the Git object.
- Logging?
  * Yes, most of the output is handled by git_str_printf, which does it safely.
- Environment variable usage?
  * They are not sanitized but they don't look like they could be abused.
  * Main use case is reading specific Git env variables or getting the home directory.
- Use of privileged functions?
  * None.
- Use of cryptography / random number sources etc?
  * It relies on libssh2 to perform most of the ssh handling.
  * It relies on openssl for https and sha functions.
  * They do certificate checking by default since CVE-2023-22742; before that it was
    possible to do it if specified.
  * There is hostname checking against cert in verify_server_cert.
- Use of temp files?
  * None.
- Use of networking?
  * Network is used for sync with remote repositories.
  * Input is not filtered/sanitized but that's expected.
- Use of WebKit?
  * None.
- Use of PolicyKit?
  * None.

- Any significant cppcheck results?
  * Nothing significant regarding the library's code.
- Any significant Coverity results?
  * Most of the issues are regarding tests.
  * Nothing relevant to the library itself:
    * Recursive inclusion warnings but it seems to work fine.
    * Out of bounds but those are right, checking against ULONG_MAX, UINT_MAX, etc.
    * Null dereferences properly handled by macros/other checks.
- Any significant shellcheck results?
  * Nothing significant regarding the library's code.
- Any significant bandit results?
  * Nothing significant regarding the library's code.
- Any significant govulncheck results?
  * None.

* It has a security page: https://libgit2.org/security/
* This project is covered by the oss-fuzz platform: https://storage.googleapis.com/oss-fuzz-introspector/libgit2/inspector-report/20230608/fuzz_report.html
* Security policy (Security.md) in place.
* Code is programmed with security in mind:
  * Macros like GIT_ERROR_CHECK_ALLOC, GIT_ASSERT
  * Functions to handle pointers are used, like git_str_set, which do it safely.
  * Special structures to better handle pointers like git_str.
* Properly documented.
* Actively developed.
* They run sanitizers (Memory, Undefined Behaviour and Thread) in their CI/CD pipelines.
* Manual testing doesn't show any issues with unknown/unexpected inputs.

Security team ACK for promoting libgit2 to main in mantic.
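As an added example that is not part of this review and is not libgit2's own code: a constructed C sketch of the checked-allocation pattern the review credits to libgit2 (overflow-checked size arithmetic, every allocation result validated, a growable string buffer that never writes past what it owns). The names `add_size_overflow`, `mul_size_overflow`, `safe_str` and `safe_calloc_array` are hypothetical stand-ins for the kind of helpers and `git_str`-style structure the review describes, not libgit2 identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overflow-checked size arithmetic. Return 1 on overflow (and leave *out
 * untouched), 0 on success with the result written to *out. Hypothetical
 * helpers; constructed for this illustration. */
static int add_size_overflow(size_t *out, size_t a, size_t b)
{
    if (SIZE_MAX - a < b)
        return 1;
    *out = a + b;
    return 0;
}

static int mul_size_overflow(size_t *out, size_t a, size_t b)
{
    if (a != 0 && SIZE_MAX / a < b)
        return 1;
    *out = a * b;
    return 0;
}

/* A growable, always NUL-terminated string buffer (stand-in for git_str). */
typedef struct {
    char *ptr;
    size_t size;   /* bytes in use, excluding the trailing NUL */
    size_t asize;  /* bytes allocated */
} safe_str;

#define SAFE_STR_INIT { NULL, 0, 0 }

/* Ensure at least `needed` bytes (including NUL) are allocated.
 * Returns 0 on success, -1 on size overflow or allocation failure. */
static int safe_str_grow(safe_str *s, size_t needed)
{
    size_t new_size;
    char *p;

    if (s->asize >= needed)
        return 0;

    /* Grow by roughly 1.5x, checking every addition. */
    new_size = s->asize ? s->asize : 8;
    while (new_size < needed) {
        size_t half = new_size / 2;
        if (add_size_overflow(&new_size, new_size, half + 1))
            return -1;
    }

    p = realloc(s->ptr, new_size);
    if (p == NULL)
        return -1;            /* original buffer is still valid */

    s->ptr = p;
    s->asize = new_size;
    return 0;
}

/* Append `len` bytes; on any failure the buffer is left unchanged. */
static int safe_str_put(safe_str *s, const char *data, size_t len)
{
    size_t needed;

    if (add_size_overflow(&needed, s->size, len) ||
        add_size_overflow(&needed, needed, 1))
        return -1;
    if (safe_str_grow(s, needed) < 0)
        return -1;

    memcpy(s->ptr + s->size, data, len);
    s->size += len;
    s->ptr[s->size] = '\0';
    return 0;
}

static int safe_str_puts(safe_str *s, const char *str)
{
    return safe_str_put(s, str, strlen(str));
}

static void safe_str_dispose(safe_str *s)
{
    free(s->ptr);
    s->ptr = NULL;
    s->size = s->asize = 0;
}

/* Array allocation whose byte count is checked before calling malloc,
 * the kind of check a static analyser flags as a compare against SIZE_MAX. */
static void *safe_calloc_array(size_t nelem, size_t elsize)
{
    size_t bytes;

    if (mul_size_overflow(&bytes, nelem, elsize))
        return NULL;
    return calloc(nelem, elsize);
}

int main(void)
{
    safe_str ref = SAFE_STR_INIT;

    /* Constructed input: build a ref name piece by piece. */
    if (safe_str_puts(&ref, "refs/heads/") < 0 || safe_str_puts(&ref, "main") < 0)
        return 1;
    printf("%s (%zu bytes)\n", ref.ptr, ref.size);

    /* An absurd length is rejected before any memory is touched. */
    printf("oversized append: %d\n", safe_str_put(&ref, "x", SIZE_MAX));
    safe_str_dispose(&ref);
    return 0;
}
```

The point of the pattern is that each failure path returns an error before a single byte is written, and a failed `realloc` leaves the old buffer intact for the caller to dispose of, so an attacker-controlled length can only produce an error, never an out-of-bounds write.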