Merge pull request #11 from sophos/NCL-2469c-merge

NCL-2469 strongswan upgrade to 5.9.14

Author: akodithy

.appveyor.yml

@@ -30,8 +30,8 @@ install:
       IF "%IMG%" == "2019" set OPENSSL=OpenSSL-v111
       set OPENSSL_DIR=/c/%OPENSSL%-%TEST%
       C:\%OPENSSL%-%TEST%\bin\openssl.exe version -a
-  # newer versions of msys2 don't provide autotools via base-devel anymore
-  - IF "%IMG%" == "2019" %MSYS_SH% --login -c ". /etc/profile && pacman --noconfirm -S --needed autotools"
+  # newer versions of msys2 don't provide autotools or gperf via base-devel anymore
+  - IF "%IMG%" == "2019" %MSYS_SH% --login -c ". /etc/profile && pacman --noconfirm -S --needed autotools gperf"
 
 build_script:
   - '%MSYS_SH% --login -c ". /etc/profile && cd $APPVEYOR_BUILD_FOLDER && ./scripts/test.sh deps"'

.cirrus.yml

@@ -1,11 +1,11 @@
 task:
   matrix:
-    - name: FreeBSD 13.0
+    - name: FreeBSD 14.0
       freebsd_instance:
-        image_family: freebsd-13-0
-    - name: FreeBSD 12.3
+        image_family: freebsd-14-0
+    - name: FreeBSD 13.2
       freebsd_instance:
-        image_family: freebsd-12-3
+        image_family: freebsd-13-2
 
   env:
     TESTS_REDUCED_KEYLENGTHS: yes

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,7 +1,7 @@
 ---
 name: "🐛 Bug report"
 about: Report a reproducible bug or regression
-labels: bug, needs triage
+labels: bug, new
 ---
 
 <!--

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,7 +1,7 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-labels: enhancement, needs triage
+labels: enhancement, new
 ---
 
 <!--

.github/codeql/config.yml

@@ -0,0 +1,11 @@
+queries:
+  - uses: ./.github/codeql/cpp-queries
+
+query-filters:
+  # don't explicitly point out FIXME comments
+  - exclude:
+      id: cpp/fixme-comment
+  # this rule produces too many false positives due to our custom specifiers and
+  # the use of void pointers in swanctl
+  - exclude:
+      id: cpp/wrong-type-format-argument

.lgtm/cpp-queries/chunk_from_chars.ql …b/codeql/cpp-queries/chunk_from_chars.ql.lgtm/cpp-queries/chunk_from_chars.ql renamed to .github/codeql/cpp-queries/chunk_from_chars.ql .lgtm/cpp-queries/chunk_from_chars.ql renamed to .github/codeql/cpp-queries/chunk_from_chars.ql

@@ -0,0 +1,3 @@
+name: strongswan/cpp-queries
+dependencies:
+  codeql/cpp-all: "*"

.github/codeql/cpp-queries/qlpack.yml

@@ -26,28 +26,39 @@ jobs:
     runs-on: ubuntu-latest
     env:
       TEST: android
-      # since the NDK is newly installed every time, we have to use this to avoid cache misses
+      # since the NDK might be newly installed, we have to use this to avoid cache misses
       CCACHE_COMPILERCHECK: content
     steps:
-      # even though we don't specify a specific version in our gradle files, the
-      # build fails without this because some arbitrary NDK version, that's
-      # weirdly not installed, is requested
+      - uses: actions/checkout@v4
+      # make sure the NDK we reference is installed and exported so we can use it to build OpenSSL
       - name: Install NDK
-        run: yes | sudo ${ANDROID_HOME}/tools/bin/sdkmanager --install 'ndk;21.0.6113669'
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+        id: ndk-install
+        run: |
+          NDK_VERSION=$(grep "ndkVersion" src/frontends/android/app/build.gradle | sed -e 's/.*"\(.*\)"/\1/')
+          echo Using NDK ${NDK_VERSION}
+          yes | sudo ${ANDROID_HOME}/cmdline-tools/latest/bin/sdkmanager --install "ndk;${NDK_VERSION}"
+          echo "ANDROID_NDK_ROOT=${ANDROID_HOME}/ndk/${NDK_VERSION}" >> "$GITHUB_OUTPUT"
+      - uses: actions/cache@v4
         with:
-          path: ~/.ccache
+          path: ~/.cache/ccache
           key: ccache-android-${{ github.sha }}
           restore-keys: |
             ccache-android-
+      # necessary for newer versions of the Gradle plugin
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          cache: 'gradle'
       - run: |
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
       - uses: ./.github/actions/default
+        env:
+          ANDROID_NDK_ROOT: ${{ steps.ndk-install.outputs.ANDROID_NDK_ROOT }}
       - run: ccache -s
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: Lint Results
-          path: src/frontends/android/app/build/reports/lint-results.xml
+          path: src/frontends/android/app/build/reports/lint-results*.xml

.github/workflows/android.yml

@@ -0,0 +1,74 @@
+name: "CodeQL"
+
+on: [push, pull_request]
+
+env:
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 200M
+  # CodeQL currently doesn't support ccache
+  CCACHE_DISABLE: true
+  OS_NAME: linux
+
+jobs:
+  pre-check:
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip-check.outputs.should_skip }}
+    steps:
+      - id: skip-check
+        uses: fkirc/skip-duplicate-actions@master
+        with:
+          concurrent_skipping: 'same_content'
+
+  analyze:
+    needs: pre-check
+    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python', 'ruby' ]
+    steps:
+    - uses: actions/checkout@v4
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/config.yml
+
+    - if: matrix.language == 'python' || matrix.language == 'ruby'
+      name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    # this follows the steps of the Linux workflow
+    - if: matrix.language == 'cpp'
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/ccache
+        key: ccache-ubuntu-latest-gcc-codeql-${{ github.sha }}
+        restore-keys: |
+          ccache-ubuntu-latest-gcc-codeql
+          ccache-ubuntu-latest-gcc-all-${{ github.sha }}
+          ccache-ubuntu-latest-gcc-all-
+          ccache-ubuntu-latest-gcc-
+    - if: matrix.language == 'cpp'
+      run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+    - if: matrix.language == 'cpp'
+      env:
+        TEST: codeql
+      uses: ./.github/actions/default
+    - if: matrix.language == 'cpp'
+      run: ccache -s
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"