Skip to content

Commit 4a7e08b

Browse files
authored
chore(infra): add dependabot.yml and OSV-Scanner weekly vulnerability monitoring (#561)
* chore(infra): add dependabot.yml and OSV-Scanner weekly vulnerability monitoring Add two security configurations: 1. dependabot.yml: enables Dependabot updates for GitHub Actions and git submodules with weekly schedule, assigned to kcenon. 2. osv-scanner.yml: adds weekly OSV-Scanner workflow to complement the existing Trivy daily scan. Scans vcpkg.json manifest against the Open Source Vulnerabilities (OSV) database. Results are uploaded to GitHub Security tab as SARIF. Part of kcenon/common_system#408 * fix(core): resolve TSAN data race in start_timeout_timer weak_ptr destruction Release state_weak explicitly while the strong reference s is still alive to prevent a ThreadSanitizer-detected data race on the shared_ptr control block. Previously, the captured weak_ptr was destroyed as part of the lambda closure after s went out of scope, causing a concurrent operator delete (from ~weak_ptr on zero weak count) to race with the token destructor's __release_shared read on the same control block address. By calling state_weak.reset() before s is released, the weak ref-count decrement occurs while a strong reference still exists, ensuring the control block is freed deterministically on the main thread rather than racing with the timer thread. Fixes: ThreadSanitizer warning in enhanced_cancellation_token_test.LinkedWithTimeoutParentCancel
1 parent 3a4a03d commit 4a7e08b

3 files changed

Lines changed: 107 additions & 1 deletion

File tree

.github/dependabot.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
version: 2
2+
updates:
3+
# Enable version updates for GitHub Actions
4+
- package-ecosystem: "github-actions"
5+
directory: "/"
6+
schedule:
7+
interval: "weekly"
8+
assignees:
9+
- "kcenon"
10+
labels:
11+
- "dependencies"
12+
- "github-actions"
13+
14+
# Enable version updates for git submodules
15+
- package-ecosystem: "gitsubmodule"
16+
directory: "/"
17+
schedule:
18+
interval: "weekly"
19+
assignees:
20+
- "kcenon"
21+
labels:
22+
- "dependencies"
23+
- "submodules"

.github/workflows/osv-scanner.yml

Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
name: OSV Vulnerability Scan
2+
3+
on:
4+
push:
5+
branches: [ main ]
6+
paths:
7+
- 'vcpkg.json'
8+
- 'vcpkg-configuration.json'
9+
- '.github/workflows/osv-scanner.yml'
10+
pull_request:
11+
branches: [ main ]
12+
paths:
13+
- 'vcpkg.json'
14+
- 'vcpkg-configuration.json'
15+
schedule:
16+
# Run every Sunday at 3:17 AM UTC (offset from Trivy daily scan at 2 AM)
17+
- cron: '17 3 * * 0'
18+
workflow_dispatch:
19+
20+
permissions:
21+
contents: read
22+
security-events: write
23+
24+
# OSV-Scanner complements the existing Trivy scan (cve-scan.yml):
25+
# - Trivy: filesystem scan, runs daily on push/PR
26+
# - OSV-Scanner: dependency manifest scan, runs weekly + on vcpkg.json changes
27+
#
28+
# OSV-Scanner uses the Open Source Vulnerabilities (OSV) database which covers
29+
# vcpkg ecosystem packages, GitHub Advisory Database, and more.
30+
# See: https://github.com/kcenon/common_system/issues/408
31+
32+
jobs:
33+
osv-scan:
34+
name: OSV Scanner
35+
runs-on: ubuntu-latest
36+
if: github.ref != 'refs/heads/gh-pages'
37+
38+
steps:
39+
- name: Checkout code
40+
uses: actions/checkout@v4
41+
42+
- name: Run OSV-Scanner on vcpkg manifest
43+
uses: google/osv-scanner-action/osv-scanner-action@v2
44+
with:
45+
scan-args: |-
46+
--lockfile=vcpkg.json
47+
--format=sarif
48+
--output=osv-results.sarif
49+
continue-on-error: true
50+
51+
- name: Run OSV-Scanner filesystem scan (fallback)
52+
if: hashFiles('osv-results.sarif') == ''
53+
uses: google/osv-scanner-action/osv-scanner-action@v2
54+
with:
55+
scan-args: |-
56+
--recursive
57+
.
58+
--format=sarif
59+
--output=osv-results.sarif
60+
continue-on-error: true
61+
62+
- name: Upload OSV SARIF to GitHub Security
63+
uses: github/codeql-action/upload-sarif@v3
64+
if: always() && hashFiles('osv-results.sarif') != ''
65+
continue-on-error: true
66+
with:
67+
sarif_file: osv-results.sarif
68+
category: osv-scanner
69+
70+
- name: Upload OSV results artifact
71+
uses: actions/upload-artifact@v4
72+
if: always() && hashFiles('osv-results.sarif') != ''
73+
with:
74+
name: osv-scan-results-${{ github.sha }}
75+
path: osv-results.sarif
76+
retention-days: 30

src/core/enhanced_cancellation_token.cpp

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -476,7 +476,7 @@ namespace kcenon::thread
476476
std::chrono::steady_clock::time_point deadline_point) -> void
477477
{
478478
std::thread timer_thread(
479-
[state_weak, deadline_point]()
479+
[state_weak, deadline_point]() mutable
480480
{
481481
auto s = state_weak.lock();
482482
if (!s)
@@ -544,6 +544,13 @@ namespace kcenon::thread
544544
}
545545

546546
s->timer_active.store(false, std::memory_order_release);
547+
548+
// Release the weak_ptr while the strong reference (s) is still alive.
549+
// This ensures ~weak_ptr() decrements the weak ref-count before the
550+
// last shared_ptr is released, preventing a data race on the control
551+
// block between this thread's operator delete and the token destructor's
552+
// __release_shared read (ThreadSanitizer: data race).
553+
state_weak.reset();
547554
});
548555

549556
timer_thread.detach();

0 commit comments

Comments
 (0)