I reviewed libgit2 1.5.1+ds-1ubuntu1 as checked into mantic. This shouldn't be considered a full audit but rather a quick gauge of maintainability. Upstream: https://github.com/libgit2/libgit2 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language that supports C bindings. - CVE History: * 14 CVEs, 11 of them are from the 2016-2018 period. * Since 2018 the only 3 CVEs found are NFTS-related or certs-related. * Only one in the last 3 years (cert-related) * In some cases, fixes have been backported officially. - Build-Depends? * debhelper-compat (= 13), python3-minimal:any, pkg-config, ca-certificates, cmake, zlib1g-dev, libssl-dev, libssh2-1-dev, libhttp-parser-dev, libpcre2-dev, libkrb5-dev * It uses libssl, libssh, libhttp-parser, krb5. - pre/post inst/rm scripts? * None. - init scripts? * None. - systemd units? * None. - dbus services? * None. - setuid binaries? * None. - binaries in PATH? * None. - sudo fragments? * None. - polkit files? * None. - udev rules? * None. - unit tests / autopkgtests? * Autopkgtest test only checks if the library can be loaded and calls version retrieval. * It has extensive unit tests, they are run at build time. - cron jobs? * None. - Build logs: * Warn/Error on build logs: * Cmake warnings regarding unused variables. * Build warning about uninitialized variables, deprecated SSH functions. * Some lintian errors on examples (fixture binary). - Processes spawned? * The library does not spawn any processes. - Memory management? * Memory is handled with care, always performing checks and validating the return values. * Specific structs have been created to manage memory more safely, like git_str. * Specific macros/functions have been created to perform sensitive operations in the safest way possible. - File IO? * File paths are recontstructed from the Git tree. If someone can modify the .git tree files then they already have access. No security issues. * File contents are not sanitized, as expected. * Files are created with the umask specified in the Git object. - Logging? * Yes, most of the output is handled by git_str_printf, which does it safely. - Environment variable usage? * They are not sanitized but they don't look like they could be abused. * Main use case is reading specific Git env variables or getting the home directory. - Use of privileged functions? * None. - Use of cryptography / random number sources etc? * It relies on libssh2 to perform most of the ssh handling. * It relies on openssl for https and sha functions. * They do certificate check by default since CVE-2023-22742, but before it would be possible to do it if specified. * There is hostname checking against cert in verify_server_cert. - Use of temp files? * None. - Use of networking? * Network is used for sync with remote repositories. * Input is not filtered/sanitized but that's expected. - Use of WebKit? * None. - Use of PolicyKit? * None. - Any significant cppcheck results? * Nothing significant regarding the library's code. - Any significant Coverity results? * Most of the issues are regarding tests. * Nothing relevant to the library itself: * Recursive inclusion warnings but it seems to work fine. * Out of bounds but those are right, checking against ULONG_MAX, UINT_MAX, etc. * Null dereferences properly handled by macros/other checks. - Any significant shellcheck results? * Nothing significant regarding the library's code. - Any significant bandit results? * Nothing significant regarding the library's code. - Any significant govulncheck results? * None. * It has a security page: https://libgit2.org/security/ * This project is covered by the oss-fuzz platform: https://storage.googleapis.com/oss-fuzz-introspector/libgit2/inspector-report/20230608/fuzz_report.html * Security policy (Security.md) in place. * Code is programmed with security in mind: * Macros like GIT_ERROR_CHECK_ALLOC, GIT_ASSERT * Functions to handle pointers are used, like git_str_set, which do it safely. * Special structures to better handle pointers like git_str. * Properly documented. * Actively developed. * They run sanitizers (Memory, Undefined Behaviour and Thread) in their CI/CD pipelines. * Manual testing doesn't show any issues with unknown/unexpected inputs. Security team ACK for promoting libgit2 to main in mantic.