Comment 6 for bug 2060035

Alex Murray (alexmurray) wrote :

I reviewed msgraph 0.2.1-0ubuntu3 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

msgraph is a library written in C using glib, libgoa, and libsoup to provide access to the Microsoft Graph API services.

- CVE History
  - None
- Build-Depends
  - libgoa, glib, libsoup
  - claims to use librest via meson.build but I couldn't find any evidence of that so sent an MR to remove this - as such it should hopefully be able to be removed from Build-Depends in a future update
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - unit tests are run at build time via dh_auto_test
  - autopkgtest simply runs unit tests as well
  - tests use uhttpmock to mock the service server
  - average test coverage is 72% as reported by gcovr
- cron jobs
  - None
- Build logs
  - Contains the following warnings:
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gobject-2.0-dev (ideally with <!nogir>)
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gio-2.0-dev (ideally with <!nogir>)
    - dh_girepository: warning: libgoa-1.0-dev should have Provides: gir1.2-goa-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-json-1.0-dev (ideally with <!nogir>)
    - dh_girepository: warning: librest-dev should have Provides: gir1.2-rest-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-soup-3.0-dev (ideally with <!nogir>)

  - Lintian reports the following issues:
    - libmsgraph-0-1_0.2.1-0ubuntu3_amd64.deb:
      - E: libmsgraph-0-1: custom-library-search-path RUNPATH /usr/lib/x86_64-linux-gnu/libmsgraph [usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0.2.1]
    - libmsgraph-doc_0.2.1-0ubuntu3_all.deb:
      - W: libmsgraph-doc: stray-devhelp-documentation [usr/share/doc/msgraph-0/msgraph-0.devhelp2]

- Processes spawned
  - No subprocesses spawned
- Memory management
  - Uses standard glib APIs like g_new / g_free appropriately - no obvious memory leaks or similar
- File IO
  - None
- Logging
  - Only a very small amount of direct logging using `g_debug()` to trace use of various functions and when the https port number is changed via environment variable `SG_HTTPS_PORT`
  - Uses glib GError etc to return error information etc
  - Sets up libsoup to debug via `g_debug()`
  - No apparent use of unsafe format-string directives
- Environment variable usage
  - SG_HTTPS_PORT to override https port during testing
  - MSG_DEBUG - used to set the debug level in libsoup
  - MSG_LAX_SSL_CERTIFICATES - used to relax SSL validation of certificates for testing, to allow the use of an expired test cert in this case - this is done by connecting to the accept-certificate signal of libsoup's SoupMessage, which is emitted during the TLS handshake after an unacceptable TLS certificate has been received, and hence overriding the rejection despite the certificate having various errors
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - Uses libsoup to do certificate validation etc
- Use of temp files
  - None
- Use of networking
  - Uses libsoup to handle underlying network communications - libsoup internally uses GIO's GTlsConnection etc to handle TLS certificate validation etc - this does certificate validation etc by default
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- No significant cppcheck results
- No significant Coverity results
  - Upstream already does their own Coverity scans:
    - https://gitlab.gnome.org/GNOME/msgraph/-/blob/main/.gitlab-ci.yml?ref_type=heads#L54
- No significant shellcheck results
- No significant Semgrep results

The upstream project looks quite young (first commit was 23 July 2022 in a private repo; the public project only has commits since 14 Feb 2024) but the project appears to be quite high quality. Tests account for ~1/5th of the total code and provide 72% code coverage (90% of all functions are exercised), and are run during the build and via autopkgtests. They also have plans to add additional unit tests for the async function variants in https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/21. Finally, they also do static analysis via Coverity as well as clang's scan-build to proactively detect any security issues.

I sent an MR to remove the unused librest dependency as well in https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/22

Security team ACK for promoting msgraph to main.