Skip to content

Security: Fabio3rs/cppapiframework

Security

SECURITY.md

Security Policy

Enterprise Security Framework

This project implements enterprise-grade security scanning and follows security best practices for C++ API development.

Security Scanning Coverage

πŸ” Static Application Security Testing (SAST)

  • GitHub CodeQL: Comprehensive semantic analysis with security-extended queries
  • Enhanced clang-tidy: Security-focused static analysis with cert-, bugprone-, and cppcoreguidelines-* rules
  • cppcheck: Additional static analysis for memory safety and undefined behavior
  • Compiler Security: Hardened build flags including stack protection and position-independent executables

πŸ”— Software Composition Analysis (SCA)

  • GitHub Dependabot: Automated vulnerability scanning for dependencies
  • Dependency monitoring: Weekly scans for known vulnerabilities in:
    • MySQL Connector/C++
    • Poco C++ Libraries
    • Pistache HTTP framework
    • Google Test framework
    • System packages and build tools

πŸ” Secret Scanning

  • GitHub Secret Scanning: Automatic detection of exposed credentials
  • Custom patterns: Project-specific secret detection rules
  • Pre-commit hooks: Local secret detection (recommended)

πŸ—οΈ Supply Chain Security

  • Software Bill of Materials (SBOM): Automatic generation via GitHub Actions
  • Signed commits: Verification of contributor identity
  • Protected branches: Required security reviews for main branch

Security Features in Code

Input Validation & Sanitization

  • SQL Injection Prevention: Parameterized queries and input escaping in CSql class
  • Input Validation Framework: Comprehensive validation in WebInputValidator
  • JSON Input Validation: Schema-based validation with type checking
  • Hash Verification: Optional input hash checking for integrity

Memory Safety

  • RAII Pattern: Resource management with automatic cleanup
  • Smart Pointers: Prefer std::unique_ptr and std::shared_ptr
  • Stack Protection: Compiler flags for buffer overflow protection
  • Position Independent Executables: PIE enabled for address space randomization

Authentication & Authorization

  • JWT Token Support: Token-based authentication system
  • Session Management: Secure session handling
  • CORS Policy: Configurable cross-origin request policies

Vulnerability Reporting

🚨 Report Security Vulnerabilities

For security vulnerabilities, please DO NOT create public issues.

Instead, please report security vulnerabilities through one of the following channels:

  1. GitHub Security Advisories: Use the "Security" tab in this repository
  2. Email: Send details to the project maintainer privately
  3. Encrypted communication: Available upon request

What to Include in Reports

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Suggested fix (if available)
  • Your contact information

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 7 days
  • Security fix: Target 30 days for critical issues
  • Public disclosure: After fix deployment or 90 days (whichever comes first)

Security Best Practices for Contributors

πŸ”’ Development Guidelines

  1. Never commit secrets: Use environment variables or secure vaults
  2. Validate all inputs: Assume all external input is malicious
  3. Use safe functions: Avoid deprecated C functions prone to buffer overflows
  4. Enable compiler warnings: Build with -Wall -Wextra
  5. Run security tools: Use provided clang-tidy and cppcheck configurations
  6. Update dependencies: Keep all libraries and tools current

πŸ§ͺ Testing Security

  1. Input fuzzing: Test with malformed and edge-case inputs
  2. Boundary testing: Verify buffer and array bounds
  3. Authentication bypass: Test all authentication mechanisms
  4. SQL injection testing: Verify parameterized query implementation

Security Monitoring

πŸ“Š Automated Scanning Schedule

  • CodeQL: On every push and PR, weekly scheduled scans
  • Dependabot: Weekly dependency vulnerability checks
  • cppcheck: On every build in CI/CD pipeline
  • clang-tidy security rules: On every build

πŸ” Manual Security Reviews

  • Required for all changes to authentication/authorization code
  • Required for database interaction modifications
  • Required for input validation changes
  • Required for cryptographic implementations

Security Incident Response

🚨 In Case of Security Incident

  1. Immediate containment: Remove vulnerable code or deploy hotfix
  2. Impact assessment: Determine scope of potential damage
  3. User notification: Inform users of security updates
  4. Post-incident analysis: Review and improve security measures

πŸ“‹ Security Checklist for Releases

  • All security scans passing (CodeQL, cppcheck, clang-tidy)
  • Dependencies scanned for vulnerabilities
  • Security-focused code review completed
  • Authentication/authorization testing passed
  • Input validation testing passed
  • Memory safety testing passed

Supported Versions

Version Supported Security Updates
main βœ… Yes βœ… Active
develop βœ… Yes (pre-release) βœ… Active
< 1.0 ❌ No ❌ Not supported

Security Resources

Security is a shared responsibility. Thank you for helping keep our project and community safe! πŸ›‘οΈ

There aren’t any published security advisories