I reviewed msgraph 0.2.1-0ubuntu3 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

msgraph is a library written in C using glib, libgoa, and libsoup to provide access to the Microsoft Graph API services.

- CVE History
  - None
- Build-Depends
  - libgoa, glib, libsoup
  - claims to use librest via meson.build but I couldn't find any evidence of that so sent a MR to remove this
  - as such, librest should hopefully be able to be removed from Build-Depends in a future update
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - unit tests are run at build time via dh_auto_test
  - autopkgtest simply runs the unit tests as well
  - tests use uhttpmock to mock the service server
  - average test coverage is 72% as reported by gcovr
- cron jobs
  - None
- Build logs
  - Contains the following warnings:
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gobject-2.0-dev (ideally with )
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gio-2.0-dev (ideally with )
    - dh_girepository: warning: libgoa-1.0-dev should have Provides: gir1.2-goa-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-json-1.0-dev (ideally with )
    - dh_girepository: warning: librest-dev should have Provides: gir1.2-rest-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-soup-3.0-dev (ideally with )
  - Lintian reports the following issues:
    - libmsgraph-0-1_0.2.1-0ubuntu3_amd64.deb: E: libmsgraph-0-1: custom-library-search-path RUNPATH /usr/lib/x86_64-linux-gnu/libmsgraph [usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0.2.1]
    - libmsgraph-doc_0.2.1-0ubuntu3_all.deb: W: libmsgraph-doc: stray-devhelp-documentation [usr/share/doc/msgraph-0/msgraph-0.devhelp2]
- Processes spawned
  - No subprocesses spawned
- Memory management
  - Uses standard glib APIs like g_new / g_free appropriately
  - no obvious memory leaks or similar
- File IO
  - None
- Logging
  - Only a very small amount of direct logging using `g_debug()` to trace use of various functions and when the https port number is changed via the environment variable `SG_HTTPS_PORT`
  - Uses glib GError etc. to return error information
  - Sets up libsoup debug logging via `g_debug()`
  - No apparent use of unsafe format-string directives
- Environment variable usage
  - SG_HTTPS_PORT - overrides the https port during testing
  - MSG_DEBUG - sets the debug level in libsoup
  - MSG_LAX_SSL_CERTIFICATES - relaxes TLS certificate validation for testing so that an expired test cert can be used; this is done by connecting to the accept-certificate signal of libsoup's SoupMessage, which is emitted during the TLS handshake after an unacceptable certificate has been received, and returning TRUE from the handler so that the certificate is accepted despite its validation errors
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc.
  - Uses libsoup to do certificate validation etc.
- Use of temp files
  - None
- Use of networking
  - Uses libsoup to handle the underlying network communications
  - libsoup internally uses GIO's GTlsConnection etc. to handle TLS certificate validation, which is performed by default
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- No significant cppcheck results
- No significant Coverity results
  - Upstream already does their own Coverity scans: https://gitlab.gnome.org/GNOME/msgraph/-/blob/main/.gitlab-ci.yml?ref_type=heads#L54
- No significant shellcheck results
- No significant Semgrep results

The upstream project looks quite young (the first commit was on 23 July 2022 in a private repo; the public project only has commits since 14 Feb 2024) but the project appears to be of quite high quality. Tests account for ~1/5th of the total code and provide 72% coverage (reaching 90% of all functions); they are run during the build and via autopkgtests. They also have plans to add additional unit tests for the async function variants in https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/21. Finally, they also do static analysis via Coverity as well as clang's scan-build to proactively detect any security issues. I sent a MR to remove the unused librest dependency as well in https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/22.

Security team ACK for promoting msgraph to main.
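A note on the MSG_LAX_SSL_CERTIFICATES override discussed above. The accept-certificate handler accepts the certificate by returning TRUE, so the shape of that handler decides how much the variable really disables: a handler that returns TRUE whenever the variable is set accepts any certificate at all, including the unknown-CA or wrong-hostname certificate an interposing proxy presents, should the variable ever leak into a non-test environment; a handler that also inspects the error flags can tolerate only the single failure the test fixture is known to produce (expiry). Whether msgraph's handler inspects the flags is not something this review recorded. The following is an added example, not msgraph's code, modelling both shapes as stand-alone C with no glib dependency: the flag bit values are reproduced from GIO's GTlsCertificateFlags, the helper names and the "set means present and non-empty" reading of the variable are assumptions, and the real wiring would be g_signal_connect() on the SoupMessage's accept-certificate signal with a handler of type gboolean (SoupMessage *, GTlsCertificate *, GTlsCertificateFlags, gpointer).

```c
/* Added example (not msgraph's code): model of an environment-gated TLS
 * certificate override of the kind wired to libsoup's
 * SoupMessage::accept-certificate signal.  Stand-alone C, no glib needed.
 * In the real library the handler has the signature
 *   gboolean cb(SoupMessage *msg, GTlsCertificate *cert,
 *               GTlsCertificateFlags errors, gpointer user_data)
 * and returning TRUE accepts the certificate despite `errors`. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit values mirror GIO's GTlsCertificateFlags, so the masks below would
 * apply unchanged to the real `errors` argument. */
enum tls_cert_flags {
    TLS_CERT_UNKNOWN_CA    = 1 << 0,
    TLS_CERT_BAD_IDENTITY  = 1 << 1,
    TLS_CERT_NOT_ACTIVATED = 1 << 2,
    TLS_CERT_EXPIRED       = 1 << 3,
    TLS_CERT_REVOKED       = 1 << 4,
    TLS_CERT_INSECURE      = 1 << 5,
    TLS_CERT_GENERIC_ERROR = 1 << 6,
};

/* Assumption: the variable counts as set only when present and non-empty.
 * `lax_value` stands in for g_getenv("MSG_LAX_SSL_CERTIFICATES"). */
static bool lax_enabled(const char *lax_value)
{
    return lax_value != NULL && lax_value[0] != '\0';
}

/* Blanket override: once the variable is set every certificate is accepted,
 * including the unknown-CA / bad-identity combination an interposing proxy
 * presents.  The error set is never consulted. */
bool accept_cert_blanket(const char *lax_value, unsigned errors)
{
    (void)errors;
    return lax_enabled(lax_value);
}

/* Narrow override: still gated on the variable, but only the one failure the
 * test fixture is known to produce (an expired cert) is tolerated.  Any other
 * flag, alone or combined with EXPIRED, keeps the rejection. */
bool accept_cert_narrow(const char *lax_value, unsigned errors)
{
    const unsigned tolerated = TLS_CERT_EXPIRED;
    if (!lax_enabled(lax_value))
        return false;
    return (errors & ~tolerated) == 0;
}

/* Runs both policies over a few constructed error sets (sample input, not
 * captured from a real handshake) and reports each decision. */
int main(void)
{
    const struct { const char *name; unsigned errors; } cases[] = {
        { "expired test cert",        TLS_CERT_EXPIRED },
        { "unknown CA (proxy)",       TLS_CERT_UNKNOWN_CA },
        { "expired + wrong hostname", TLS_CERT_EXPIRED | TLS_CERT_BAD_IDENTITY },
    };
    const char *lax = getenv("MSG_LAX_SSL_CERTIFICATES");

    printf("MSG_LAX_SSL_CERTIFICATES is %s\n", lax_enabled(lax) ? "set" : "unset");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-26s blanket=%s narrow=%s\n", cases[i].name,
               accept_cert_blanket(lax, cases[i].errors) ? "accept" : "reject",
               accept_cert_narrow(lax, cases[i].errors) ? "accept" : "reject");
    }
    return 0;
}
```

Run it once plain and once as `MSG_LAX_SSL_CERTIFICATES=1 ./a.out`: with the variable set, the blanket policy accepts the unknown-CA and wrong-hostname cases while the narrow policy accepts only the expired test cert. Either way, the safer arrangement for a library shipped in main is for the override to exist only in test builds or to be honoured only when the target host is the mock server, so that an exported variable cannot weaken validation for real Graph API traffic.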