I reviewed msgraph 0.2.1-0ubuntu3 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
msgraph is a library written in C that uses glib, libgoa, and libsoup to
provide access to the Microsoft Graph API services.
- CVE History
  - None
- Build-Depends
  - libgoa, glib, libsoup
  - claims to use librest via meson.build but I couldn't find any evidence of
    that, so I sent an MR to remove this; as such it should hopefully be able to
    be removed from Build-Depends in a future update
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - unit tests are run at build time via dh_auto_test
  - autopkgtest simply runs the unit tests as well
  - tests use uhttpmock to mock the service server
  - average test coverage is 72% as reported by gcovr
- cron jobs
  - None
- Build logs
  - Contains the following warnings:
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gobject-2.0-dev (ideally with <!nogir>)
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gio-2.0-dev (ideally with <!nogir>)
    - dh_girepository: warning: libgoa-1.0-dev should have Provides: gir1.2-goa-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-json-1.0-dev (ideally with <!nogir>)
    - dh_girepository: warning: librest-dev should have Provides: gir1.2-rest-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-soup-3.0-dev (ideally with <!nogir>)
  - Lintian reports the following issues:
    - libmsgraph-0-1_0.2.1-0ubuntu3_amd64.deb:
      E: libmsgraph-0-1: custom-library-search-path RUNPATH /usr/lib/x86_64-linux-gnu/libmsgraph [usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0.2.1]
    - libmsgraph-doc_0.2.1-0ubuntu3_all.deb:
      W: libmsgraph-doc: stray-devhelp-documentation [usr/share/doc/msgraph-0/msgraph-0.devhelp2]
- Processes spawned
  - No subprocesses spawned
- Memory management
  - Uses standard glib APIs like g_new / g_free appropriately; no obvious
    memory leaks or similar
- File IO
  - None
- Logging
  - Only a very small amount of direct logging using `g_debug()` to trace use
    of various functions and when the https port number is changed via the
    environment variable `SG_HTTPS_PORT`
  - Uses glib GError etc. to return error information
  - Sets up libsoup to debug via `g_debug()`
  - No apparent use of unsafe format-string directives
- Environment variable usage
  - SG_HTTPS_PORT - overrides the https port during testing
  - MSG_DEBUG - sets the debug level in libsoup
  - MSG_LAX_SSL_CERTIFICATES - relaxes SSL certificate validation for testing,
    in this case to allow use of an expired test cert. This is done by
    connecting to the accept-certificate signal of libsoup's SoupMessage, which
    is emitted during the TLS handshake after an unacceptable TLS certificate
    has been received; the handler thereby overrides validation even though the
    certificate has various errors
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - Uses libsoup to do certificate validation etc
- Use of temp files
  - None
- Use of networking
  - Uses libsoup to handle the underlying network communications; libsoup
    internally uses GIO's GTlsConnection etc. to handle TLS certificate
    validation, which is performed by default
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- No significant cppcheck results
- No significant Coverity results
  - Upstream already does their own Coverity scans:
    https://gitlab.gnome.org/GNOME/msgraph/-/blob/main/.gitlab-ci.yml?ref_type=heads#L54
- No significant shellcheck results
- No significant Semgrep results
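The MSG_LAX_SSL_CERTIFICATES item above describes an environment-gated accept-certificate handler. The following added example (not msgraph's code) models that handler's shape in plain C without libsoup, so it can be built stand-alone: the error-flag enum, the env-var parsing rule and the narrowing to only the expired-certificate defect are all assumptions made for illustration, showing how a test-only override can be kept from silently accepting arbitrary certificate errors.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for GIO's GTlsCertificateFlags bitmask; the real
 * values and names live in GIO and are not reproduced here. */
enum {
    TLS_ERR_UNKNOWN_CA   = 1 << 0,
    TLS_ERR_BAD_IDENTITY = 1 << 1,
    TLS_ERR_EXPIRED      = 1 << 3,
};

/* Assumed parsing rule: lax mode only when the variable is set to a
 * non-empty value other than "0". Takes the value as a parameter so the
 * policy can be tested without touching the process environment. */
static bool lax_tls_enabled(const char *env_value)
{
    return env_value != NULL && env_value[0] != '\0'
        && strcmp(env_value, "0") != 0;
}

/* Mirrors the decision a SoupMessage::accept-certificate handler makes:
 * returning true accepts the peer certificate despite `tls_errors`.
 * Hardened variant: even in lax mode, accept only the single defect the
 * test fixture is known to have (an expired certificate); an unknown CA or a
 * hostname mismatch is still rejected, and the override is logged. */
static bool accept_certificate_cb(unsigned tls_errors, bool lax_mode)
{
    if (!lax_mode)
        return false;               /* default: libsoup/GIO rejects */
    if (tls_errors & ~TLS_ERR_EXPIRED)
        return false;               /* any other defect still fails */
    fprintf(stderr, "warning: accepting expired test certificate "
                    "(MSG_LAX_SSL_CERTIFICATES is set)\n");
    return true;
}

/* Convenience wrapper that reads the real environment. */
static bool accept_from_env(unsigned tls_errors)
{
    const char *v = getenv("MSG_LAX_SSL_CERTIFICATES");
    return accept_certificate_cb(tls_errors, lax_tls_enabled(v));
}
```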
The upstream project looks quite young (the first commit was 23 July 2022 in
a private repo; the public project only has commits since 14 Feb 2024),
but the project appears to be quite high quality. Tests account for
~1/5th of the total code, provide 72% code coverage (reaching 90% of all
functions), and are run during the build and via autopkgtests. They also have
plans to add additional unit tests for the async function variants in
https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/21. Finally,
they also do static analysis via Coverity as well as clang's scan-build
to proactively detect any security issues.
I sent an MR to remove the unused librest dependency as well in
https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/22
Security team ACK for promoting msgraph to main.
** Changed in: msgraph (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2060035
Title: [MIR] msgraph