I reviewed msgraph 0.2.1-0ubuntu3 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
msgraph is a library written in C using the glib, libgoa, and libsoup for providing access to the Microsoft Graph API services.
- CVE History
- None
- Build-Depends
- libgoa, glib, libsoup
- claims to use librest via meson.build but I couldn't find any evidence of that so sent a MR to remove this - as such should hopefully be able to be removed from Build-Depends in a future update
- pre/post inst/rm scripts
- None
- init scripts
- None
- systemd units
- None
- dbus services
- None
- setuid binaries
- None
- binaries in PATH
- Non
- sudo fragments
- None
- polkit files
- None
- udev rules
- None
- unit tests / autopkgtests
- unit tests are run at build time via dh_auto_test
- autopkgtest simply runs unit tests as well
- tests use uhttpmock to mock the service server
- average test coverage is 72% as reported by gcovr
- cron jobs
- None
- Build logs
- Contains the following warnings:
- dh_girepository: warning: Missing Build-Depends: gir1.2-gobject-2.0-dev (ideally with <!nogir>)
- dh_girepository: warning: Missing Build-Depends: gir1.2-gio-2.0-dev (ideally with <!nogir>)
- dh_girepository: warning: libgoa-1.0-dev should have Provides: gir1.2-goa-1.0-dev (= ${binary:Version})
- dh_girepository: warning: Missing Build-Depends: gir1.2-json-1.0-dev (ideally with <!nogir>)
- dh_girepository: warning: librest-dev should have Provides: gir1.2-rest-1.0-dev (= ${binary:Version})
- dh_girepository: warning: Missing Build-Depends: gir1.2-soup-3.0-dev (ideally with <!nogir>)
- Lintian reports the following issues:
- libmsgraph-0-1_0.2.1-0ubuntu3_amd64.deb:
E: libmsgraph-0-1: custom-library-search-path RUNPATH /usr/lib/x86_64-linux-gnu/libmsgraph [usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0.2.1]
- libmsgraph-doc_0.2.1-0ubuntu3_all.deb:
W: libmsgraph-doc: stray-devhelp-documentation [usr/share/doc/msgraph-0/msgraph-0.devhelp2]
- Processes spawned
- No subprocesses spawned
- Memory management
- Uses standard glib APIs like g_new / g_free appropriately - no obvious memory leaks or similar
- File IO
- None
- Logging
- Only a very small amount of direct logging using `g_debug()` to trace use of various functions and when the https port number is changed via environment variable `SG_HTTPS_PORT`
- Uses glib GError etc to return error information etc
- Sets up libsoup to debug via `g_debug()`
- No apparent use of unsafe format-string directives
- Environment variable usage
- SG_HTTPS_PORT to override https port during testing
- MSG_DEBUG - used to set the debug level in libsoup
- MSG_LAX_SSL_CERTIFICATES - used to relax SSL validation of certificates for testing to allow to use an expired test cert in this case - this is done by connecting to the accept-certificate signal of libsoup's SoupMessage which is emitted during the TLS handshake after an unacceptable TLS certificate has been received, and hence to override this despite it having various errors
- Use of privileged functions
- None
- Use of cryptography / random number sources etc
- Uses libsoup to do certificate validation etc
- Use of temp files
- None
- Use of networking
- Uses libsoup to handle underlying network communications - libsoup internally uses GIO's GTlsConnection etc to handle TLS certificate validation etc - this does certification validation etc by default
- Use of WebKit
- None
- Use of PolicyKit
- None
The upstream project looks quite young (first commit was 23 July 2022 in a private repo, the public project only has commits since 14 Feb 2024) but the project appears to be quite high quality. Tests account for ~1/5th of the total code and provide 72% code coverage across 90% of all functions are run during the build and via autopkgtests. They also have plans to add additional unit tests for the async function variants in https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/21. Finally, they also do static analysis via Coverity as well as clang's scan-build to proactively detect any security issues.
I reviewed msgraph 0.2.1-0ubuntu3 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
msgraph is a library written in C using the glib, libgoa, and libsoup for providing access to the Microsoft Graph API services.
- CVE History gobject- 2.0-dev (ideally with <!nogir>)
- None
- Build-Depends
- libgoa, glib, libsoup
- claims to use librest via meson.build but I couldn't find any evidence of that so sent a MR to remove this - as such should hopefully be able to be removed from Build-Depends in a future update
- pre/post inst/rm scripts
- None
- init scripts
- None
- systemd units
- None
- dbus services
- None
- setuid binaries
- None
- binaries in PATH
- Non
- sudo fragments
- None
- polkit files
- None
- udev rules
- None
- unit tests / autopkgtests
- unit tests are run at build time via dh_auto_test
- autopkgtest simply runs unit tests as well
- tests use uhttpmock to mock the service server
- average test coverage is 72% as reported by gcovr
- cron jobs
- None
- Build logs
- Contains the following warnings:
- dh_girepository: warning: Missing Build-Depends: gir1.2-
- dh_girepository: warning: Missing Build-Depends: gir1.2-gio-2.0-dev (ideally with <!nogir>)
- dh_girepository: warning: libgoa-1.0-dev should have Provides: gir1.2-goa-1.0-dev (= ${binary:Version})
- dh_girepository: warning: Missing Build-Depends: gir1.2-json-1.0-dev (ideally with <!nogir>)
- dh_girepository: warning: librest-dev should have Provides: gir1.2-rest-1.0-dev (= ${binary:Version})
- dh_girepository: warning: Missing Build-Depends: gir1.2-soup-3.0-dev (ideally with <!nogir>)
- Lintian reports the following issues: 0-1_0.2. 1-0ubuntu3_ amd64.deb: library- search- path RUNPATH /usr/lib/ x86_64- linux-gnu/ libmsgraph [usr/lib/ x86_64- linux-gnu/ libmsgraph- 0.so.0. 2.1] doc_0.2. 1-0ubuntu3_ all.deb: documentation [usr/share/ doc/msgraph- 0/msgraph- 0.devhelp2]
- libmsgraph-
E: libmsgraph-0-1: custom-
- libmsgraph-
W: libmsgraph-doc: stray-devhelp-
- Processes spawned SSL_CERTIFICATE S - used to relax SSL validation of certificates for testing to allow to use an expired test cert in this case - this is done by connecting to the accept-certificate signal of libsoup's SoupMessage which is emitted during the TLS handshake after an unacceptable TLS certificate has been received, and hence to override this despite it having various errors
- No subprocesses spawned
- Memory management
- Uses standard glib APIs like g_new / g_free appropriately - no obvious memory leaks or similar
- File IO
- None
- Logging
- Only a very small amount of direct logging using `g_debug()` to trace use of various functions and when the https port number is changed via environment variable `SG_HTTPS_PORT`
- Uses glib GError etc to return error information etc
- Sets up libsoup to debug via `g_debug()`
- No apparent use of unsafe format-string directives
- Environment variable usage
- SG_HTTPS_PORT to override https port during testing
- MSG_DEBUG - used to set the debug level in libsoup
- MSG_LAX_
- Use of privileged functions
- None
- Use of cryptography / random number sources etc
- Uses libsoup to do certificate validation etc
- Use of temp files
- None
- Use of networking
- Uses libsoup to handle underlying network communications - libsoup internally uses GIO's GTlsConnection etc to handle TLS certificate validation etc - this does certification validation etc by default
- Use of WebKit
- None
- Use of PolicyKit
- None
- No significant cppcheck results /gitlab. gnome.org/ GNOME/msgraph/ -/blob/ main/.gitlab- ci.yml? ref_type= heads#L54
- No significant Coverity results
- Upstream already does their own Coverity scans:
- https:/
- No significant shellcheck results
- No significant Semgrep results
The upstream project looks quite young (first commit was 23 July 2022 in a private repo, the public project only has commits since 14 Feb 2024) but the project appears to be quite high quality. Tests account for ~1/5th of the total code and provide 72% code coverage across 90% of all functions are run during the build and via autopkgtests. They also have plans to add additional unit tests for the async function variants in https:/ /gitlab. gnome.org/ GNOME/msgraph/ -/merge_ requests/ 21. Finally, they also do static analysis via Coverity as well as clang's scan-build to proactively detect any security issues.
I sent a MR to remove the unused librest dependency as well in https:/ /gitlab. gnome.org/ GNOME/msgraph/ -/merge_ requests/ 22
Security team ACK for promoting msgraph to main.