From 85b9b0e8130177d1a8973489bbbf80cc4586a98f Mon Sep 17 00:00:00 2001
From: Easton97-Jens
Date: Sat, 14 Feb 2026 20:47:48 +0100
Subject: [PATCH 01/10] Create ci_new.yml
---
.github/workflows/ci_new.yml | 236 +++++++++++++++++++++++++++++++++++
1 file changed, 236 insertions(+)
create mode 100644 .github/workflows/ci_new.yml
diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml
new file mode 100644
index 0000000000..9581f30583
--- /dev/null
+++ b/.github/workflows/ci_new.yml
@@ -0,0 +1,236 @@
+name: Quality Assurance new
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ build-linux:
+ name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }})
+
+ # Ubuntu 24.04 does not provide native 32-bit (i386) installation images.
+ # Only amd64 (x86_64) is officially supported. 32-bit has been removed from this matrix.
+ runs-on: ubuntu-24.04
+
+ strategy:
+ fail-fast: false
+ matrix:
+ platform:
+ - { label: "x64", arch: "amd64", configure: "" }
+
+ compiler:
+ - { label: "gcc", cc: "gcc", cxx: "g++" }
+ - { label: "clang", cc: "clang", cxx: "clang++" }
+
+ configure:
+ - { label: "with parser generation", opt: "--enable-parser-generation" }
+ - { label: "without curl", opt: "--without-curl" }
+ - { label: "without lua", opt: "--without-lua" }
+ - { label: "without maxmind", opt: "--without-maxmind" }
+ - { label: "without libxml", opt: "--without-libxml" }
+ - { label: "without geoip", opt: "--without-geoip" }
+ - { label: "without ssdeep", opt: "--without-ssdeep" }
+ - { label: "with lmdb", opt: "--with-lmdb" }
+ - { label: "with pcre", opt: "--with-pcre" }
+
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ submodules: true
+
+ - name: Ensure submodules are fully initialized (recursive)
+ run: git submodule update --init --recursive
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update -y -qq
+ sudo apt-get install -y \
+ libyajl-dev \
+ libcurl4-openssl-dev \
+ liblmdb-dev \
+ liblua5.2-dev \
+ libmaxminddb-dev \
+ libpcre2-dev \
+ libgeoip-dev \
+ libxml2-dev \
+ libfuzzy-dev \
+ pcre2-utils \
+ bison \
+ flex
+
+ - name: Run build preparation script
+ run: ./build.sh
+
+ - name: Configure
+ env:
+ CC: ${{ matrix.compiler.cc }}
+ CXX: ${{ matrix.compiler.cxx }}
+ run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes
+
+ - uses: ammaraskar/gcc-problem-matcher@master
+
+ - name: Compile
+ run: make -j "$(nproc)"
+
+ - name: Run tests
+ run: make check
+
+ build-macos:
+ name: macOS (${{ matrix.configure.label }})
+ runs-on: macos-15
+
+ strategy:
+ fail-fast: false
+ matrix:
+ configure:
+ - { label: "with parser generation", opt: "--enable-parser-generation" }
+ - { label: "without curl", opt: "--without-curl" }
+ - { label: "without lua", opt: "--without-lua" }
+ - { label: "without maxmind", opt: "--without-maxmind" }
+ - { label: "without libxml", opt: "--without-libxml" }
+ - { label: "without geoip", opt: "--without-geoip" }
+ - { label: "without ssdeep", opt: "--without-ssdeep" }
+ - { label: "with lmdb", opt: "--with-lmdb" }
+ - { label: "with pcre", opt: "--with-pcre" }
+
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ submodules: true
+
+ - name: Ensure submodules are fully initialized (recursive)
+ run: git submodule update --init --recursive
+
+ - name: Install dependencies
+ # curl and pcre2 are typically already available in the macOS runner image
+ run: |
+ brew install autoconf \
+ automake \
+ libtool \
+ yajl \
+ lmdb \
+ lua \
+ libmaxminddb \
+ libxml2 \
+ ssdeep \
+ pcre \
+ bison \
+ flex
+
+ - name: Build GeoIP library
+ run: |
+ git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git
+ cd geoip-api-c
+ git fetch --tags
+ # last release v1.6.12
+ git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a
+ autoreconf --install
+ ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew
+ make install
+
+ - name: Run build preparation script
+ run: ./build.sh
+
+ - name: Configure
+ run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes
+
+ - uses: ammaraskar/gcc-problem-matcher@master
+
+ - name: Compile
+ run: make -j "$(sysctl -n hw.logicalcpu)"
+
+ - name: Run tests
+ run: make check
+
+ build-windows:
+ name: Windows (${{ matrix.platform.label }}, ${{ matrix.configure.label }})
+ runs-on: windows-2025
+
+ strategy:
+ fail-fast: false
+ matrix:
+ platform:
+ - { label: "x64", arch: "x86_64" }
+ configuration: [Release]
+ configure:
+ - { label: "full", opt: "" }
+ - { label: "without curl", opt: "-DWITH_CURL=OFF" }
+ - { label: "without lua", opt: "-DWITH_LUA=OFF" }
+ - { label: "without maxmind", opt: "-DWITH_MAXMIND=OFF" }
+ - { label: "without libxml", opt: "-DWITH_LIBXML2=OFF" }
+ - { label: "with lmdb", opt: "-DWITH_LMDB=ON" }
+
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ submodules: true
+
+ - name: Ensure submodules are fully initialized (recursive)
+ run: git submodule update --init --recursive
+
+ - name: Install Conan package manager
+ run: |
+ pip3 install conan --upgrade
+ conan profile detect
+
+ - uses: ammaraskar/msvc-problem-matcher@master
+
+ - name: Build project
+ shell: cmd
+ run: vcbuild.bat ${{ matrix.configuration }} ${{ matrix.platform.arch }} NO_ASAN "${{ matrix.configure.opt }}"
+
+ - name: Prepare test environment
+ working-directory: build\win32\build\${{ matrix.configuration }}
+ env:
+ BASE_DIR: ..\..\..\..
+ shell: cmd
+ run: |
+ copy unit_tests.exe %BASE_DIR%\test
+ copy regression_tests.exe %BASE_DIR%\test
+ copy libModSecurity.dll %BASE_DIR%\test
+ copy %BASE_DIR%\unicode.mapping %BASE_DIR%\test
+ md \tmp
+ md \bin
+ copy "C:\Program Files\Git\usr\bin\echo.exe" \bin
+ copy "C:\Program Files\Git\usr\bin\echo.exe" \bin\echo
+
+ - name: Disable unsupported tests on Windows
+ working-directory: test\test-cases\regression
+ shell: cmd
+ run: |
+ jq "map(if .title == \"Test match variable (1/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
+ jq "map(if .title == \"Test match variable (2/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
+ jq "map(if .title == \"Test match variable (3/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
+ jq "map(if .title == \"Variable offset - FILES_NAMES\" then .enabled = 0 else . end)" offset-variable.json > tmp.json && move /Y tmp.json offset-variable.json
+
+ - name: Run tests
+ working-directory: build\win32\build
+ run: ctest -C ${{ matrix.configuration }} --output-on-failure
+
+ cppcheck:
+ name: Static analysis (cppcheck)
+ runs-on: macos-15
+
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ submodules: true
+
+ - name: Ensure submodules are fully initialized (recursive)
+ run: git submodule update --init --recursive
+
+ - name: Install cppcheck
+ run: |
+ brew install autoconf automake libtool cppcheck
+
+ - name: Configure project
+ run: |
+ ./build.sh
+ ./configure
+
+ - name: Run cppcheck
+ run: make check-static
From d4d0ec4150c45799c8b905d19e2eb675b136521a Mon Sep 17 00:00:00 2001
From: Easton97-Jens
Date: Sun, 15 Feb 2026 20:49:05 +0100
Subject: [PATCH 02/10] Update ci_new.yml
---
.github/workflows/ci_new.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml
index 9581f30583..df176774d2 100644
--- a/.github/workflows/ci_new.yml
+++ b/.github/workflows/ci_new.yml
@@ -31,7 +31,7 @@ jobs: - { label: "without geoip", opt: "--without-geoip" } - { label: "without ssdeep", opt: "--without-ssdeep" } - { label: "with lmdb", opt: "--with-lmdb" } - - { label: "with pcre", opt: "--with-pcre" } + - { label: "with pcre2", opt: "--with-pcre2" } steps: - uses: actions/checkout@v6
@@ -57,7 +57,9 @@ jobs: libfuzzy-dev \ pcre2-utils \ bison \ - flex + flex \ + pkg-config + - name: Run build preparation script run: ./build.sh
From 5b51d17b76e48f9e53cda8b7962d21f5b1b2bb6a Mon Sep 17 00:00:00 2001
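Review bot: The problem-matcher steps pull third-party actions by a mutable branch (`ammaraskar/gcc-problem-matcher@master` in build-linux and build-macos, `ammaraskar/msvc-problem-matcher@master` in build-windows), so whatever is pushed to those branches runs inside every build job on `push` and `pull_request`. Pin each to a full commit SHA with the release in a trailing comment, `- uses: ammaraskar/gcc-problem-matcher@<full-commit-sha> # <release-tag>`. The file also has no `permissions:` key, so the jobs run with the repository's default GITHUB_TOKEN scope; a top-level `permissions:` block with `contents: read` looks sufficient, since no step here appears to write to the repository. `pip3 install conan --upgrade` in build-windows is unpinned in the same way and would be better as `pip3 install "conan==<version>"`.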
From: Easton97-Jens Date: Sat, 21 Feb 2026 15:02:08 +0100 Subject: [PATCH 03/10] Update ci_new.yml --- .github/workflows/ci_new.yml | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml index df176774d2..5f6b281343 100644 --- a/.github/workflows/ci_new.yml +++ b/.github/workflows/ci_new.yml @@ -236,3 +236,54 @@ jobs: - name: Run cppcheck run: make check-static + + cppcheck-linux: + name: Static analysis (cppcheck, Linux, debian:sid) + runs-on: ubuntu-latest + container: debian:sid + + steps: + - name: Install basic tools + run: | + apt-get update + apt-get install -y git + + - uses: actions/checkout@v6 + with: + fetch-depth: 0 + submodules: true + + - name: Ensure submodules are fully initialized (recursive) + run: git submodule update --init --recursive + + - name: Install dependencies (v2 style) + run: | + apt-get update + apt-get install -y \ + autoconf \ + automake \ + build-essential \ + libtool \ + pkg-config \ + cppcheck \ + libyajl-dev \ + libcurl4-openssl-dev \ + liblmdb-dev \ + liblua5.2-dev \ + libmaxminddb-dev \ + libpcre2-dev \ + libgeoip-dev \ + libxml2-dev \ + libfuzzy-dev \ + pcre2-utils \ + bison \ + flex + + - name: Run build preparation script + run: ./build.sh + + - name: Configure project + run: ./configure + + - name: Run cppcheck + run: make check-static \ No newline at end of file From a37d3a36cebd8bdfb9feeb1a7f5424c097ef7929 Mon Sep 17 00:00:00 2001 From: Easton97-Jens Date: Sat, 21 Feb 2026 15:08:58 +0100 Subject: [PATCH 04/10] Update ci_new.yml --- .github/workflows/ci_new.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml index 5f6b281343..396d24f3d7 100644 --- a/.github/workflows/ci_new.yml +++ b/.github/workflows/ci_new.yml 
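Review bot: `container: debian:sid` in the new cppcheck-linux job follows Debian unstable through a mutable tag, so the cppcheck and toolchain versions change underneath the job without any commit in this repository, and the static-analysis result stops being reproducible. Prefer a release tag pinned by digest, `container: debian:<release>@sha256:<digest>`, and bump it deliberately. The two `apt-get install -y` calls could also take `--no-install-recommends` to keep the container minimal. The hunk ends with `\ No newline at end of file`; add the trailing newline.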
@@ -253,6 +253,9 @@ jobs: fetch-depth: 0 submodules: true + - name: Mark repo as safe for git + run: git config --global --add safe.directory $GITHUB_WORKSPACE + - name: Ensure submodules are fully initialized (recursive) run: git submodule update --init --recursive From 486a57ba0c3a68818b86818ef20d0033079f76f0 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Mon, 23 Feb 2026 16:51:59 +0100 Subject: [PATCH 05/10] Add files via upload --- .github/workflows/ci_v2_master.yml | 177 +++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 .github/workflows/ci_v2_master.yml diff --git a/.github/workflows/ci_v2_master.yml b/.github/workflows/ci_v2_master.yml new file mode 100644 index 0000000000..b76d6dd3d3 --- /dev/null +++ b/.github/workflows/ci_v2_master.yml 
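Review bot: `$GITHUB_WORKSPACE` is expanded unquoted in the added step; write `run: git config --global --add safe.directory "$GITHUB_WORKSPACE"` so the path stays one argument. The step also needs a comment saying why git's ownership check is being relaxed, for example `# workspace is owned by a different uid than the container user; trust only this path`, if that is indeed the reason. Keeping the exception scoped to the single workspace path, as done here, is the narrow form and should not be widened to `*`. The job's step list continues outside the hunk.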
@@ -0,0 +1,177 @@
+name: Quality Assurance
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ build-linux:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-24.04]
+ platform: [x32, x64]
+ compiler: [gcc, clang]
+ configure:
+ - {label: "with pcre2, no study, no jit", opt: "--enable-pcre-study=no" }
+ - {label: "with pcre2, with study, no jit", opt: "--enable-pcre-study=yes" }
+ - {label: "with pcre2, no study, with jit", opt: "--enable-pcre-study=no --enable-pcre-jit" }
+ - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" }
+ - {label: "with pcre", opt: "--with-pcre --enable-pcre-study=no" }
+ - {label: "with pcre, with study, no jit", opt: "--with-pcre --enable-pcre-study=yes" }
+ - {label: "with pcre, no study, with jit", opt: "--with-pcre --enable-pcre-study=no --enable-pcre-jit" }
+ - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes --enable-pcre-jit" }
+ - {label: "with lua", opt: "--with-lua" }
+ - {label: "wo lua", opt: "--without-lua" }
+ steps:
+ - name: Setup Dependencies
+ run: |
+ sudo apt-get update -y -qq
+ sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data
+ - uses: actions/checkout@v2
+ - name: autogen.sh
+ run: ./autogen.sh
+ - name: configure ${{ matrix.configure.label }}
+ run: ./configure --enable-assertions ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security'
+ - uses: ammaraskar/gcc-problem-matcher@master
+ - name: make
+ run: make -j `nproc`
+ - name: install module
+ run: sudo make install
+ - name: prepare config
+ run: |
+ sudo cp .github/security2.conf /etc/apache2/mods-enabled/
+ sudo cp modsecurity.conf-recommended /etc/apache2/modsecurity.conf
+ sudo cp unicode.mapping /etc/apache2/
+ sudo mkdir -p /var/cache/modsecurity
+ sudo chown -R www-data:www-data /var/cache/modsecurity
+ - name: first check config (to get syntax errors)
+ run: sudo apachectl configtest
+ - name: start apache with module
+ run: sudo systemctl restart apache2.service
+ - name: Search for errors/warnings in error log
+ run: |
+ # '|| :' handles the case grep doesn't match, otherwise the script exits with 1 (error)
+ errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || :
+ if [[ -z "${errors}" ]]; then exit 0; fi
+ echo "::error:: Found errors/warnings in error.log"
+ echo "${errors}"
+ exit 1
+ - name: Check error.log
+ run: |
+ # Send requests & check log format
+ # Valid request
+ curl -s http://127.0.01/ > /dev/null || echo $?
+ # Invalid request
+ curl -s http://127.0.01/%2e%2f > /dev/null || echo $?
+ # Check log format
+ grep -F ModSecurity < /var/log/apache2/error.log | grep -vP "^\[[^\]]+\] \[security2:[a-z]+\] \[pid [0-9]+:tid [0-9]+\] (?:\[client [0-9.:]+\] )?ModSecurity" || exit 0
+ # grep -v succeeded => found some lines with invalid format
+ exit 1
+ - name: Show httpd error log
+ if: always()
+ run: sudo cat /var/log/apache2/error.log
+ - name: Show mod_security2 audit log
+ if: always()
+ run: sudo cat /var/log/apache2/modsec_audit.log
+
+ test-linux:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-24.04]
+ platform: [x32, x64]
+ compiler: [gcc, clang]
+ configure:
+ - {label: "with pcre2, no study, no jit", opt: "--enable-pcre-study=no" }
+ - {label: "with pcre2, with study, no jit", opt: "--enable-pcre-study=yes" }
+ - {label: "with pcre2, no study, with jit", opt: "--enable-pcre-study=no --enable-pcre-jit" }
+ - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" }
+ - {label: "with pcre", opt: "--with-pcre --enable-pcre-study=no" }
+ - {label: "with pcre, with study, no jit", opt: "--with-pcre --enable-pcre-study=yes" }
+ - {label: "with pcre, no study, with jit", opt: "--with-pcre --enable-pcre-study=no --enable-pcre-jit" }
+ - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes --enable-pcre-jit" }
+ - {label: "with lua", opt: "--with-lua" }
+ - {label: "wo lua", opt: "--without-lua" }
+ steps:
+ - name: Setup Dependencies
+ run: |
+ sudo apt-get update -y -qq
+ sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data
+ - uses: actions/checkout@v2
+ - name: autogen.sh
+ run: ./autogen.sh
+ - name: configure ${{ matrix.configure.label }}
+ run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security'
+ - uses: ammaraskar/gcc-problem-matcher@master
+ - name: make
+ run: make -j `nproc`
+ - name: install module
+ run: sudo make install
+ - name: run tests
+ run: make test
+
+ test-regression-linux:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-24.04]
+ platform: [x64]
+ compiler: [gcc]
+ configure:
+ - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" }
+ steps:
+ - name: Setup Dependencies
+ run: |
+ sudo apt-get update -y -qq
+ sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl ssdeep libfuzzy-dev libfuzzy2
+ - uses: actions/checkout@v2
+ - name: autogen.sh
+ run: ./autogen.sh
+ - name: configure ${{ matrix.configure.label }}
+ run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security'
+ - uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 #v0.3.0
+ - name: make
+ run: make -j `nproc`
+ - name: install module
+ run: sudo make install
+ - name: run regression tests
+ run: make test-regression
+
+ cppcheck:
+ runs-on: [ubuntu-24.04]
+ container:
+ image: debian:sid
+ steps:
+ - name: Setup Dependencies
+ run: |
+ apt-get update -y -qq
+ apt-get install -y --no-install-recommends build-essential \
+ autoconf \
+ automake \
+ libtool \
+ pkg-config \
+ cppcheck \
+ apache2-dev \
+ libpcre2-dev \
+ libapr1-dev \
+ libaprutil1-dev \
+ libxml2-dev \
+ liblua5.3-dev \
+ libyajl-dev \
+ libfuzzy-dev \
+ ssdeep \
+ curl \
+ ca-certificates
+ - uses: actions/checkout@v4
+ with:
+ submodules: false
+ fetch-depth: 0
+ - name: configure
+ run: |
+ ./autogen.sh
+ ./configure --with-apxs=/usr/bin/apxs
+ - name: cppcheck
+ run: |
+ make check-static
+
From f4eb0f0545296132b2a185cb2319c21ff747de2f Mon Sep 17 00:00:00 2001
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com>
Date: Mon, 23 Feb 2026 17:35:01 +0100
Subject: [PATCH 06/10] ci: install pcre1 dev package for explicit --with-pcre jobs
---
.github/workflows/ci_new.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml
index 396d24f3d7..1fbc5ca09b 100644
--- a/.github/workflows/ci_new.yml
+++ b/.github/workflows/ci_new.yml
@@ -31,7 +31,8 @@ jobs: - { label: "without geoip", opt: "--without-geoip" } - { label: "without ssdeep", opt: "--without-ssdeep" } - { label: "with lmdb", opt: "--with-lmdb" } - - { label: "with pcre2", opt: "--with-pcre2" } + - { label: "with pcre2 (default)", opt: "" } + - { label: "with pcre", opt: "--with-pcre" } steps: - uses: actions/checkout@v6
@@ -52,6 +53,7 @@ jobs: liblua5.2-dev \ libmaxminddb-dev \ libpcre2-dev \ + libpcre3-dev \ libgeoip-dev \ libxml2-dev \ libfuzzy-dev \
@@ -94,6 +96,7 @@ jobs: - { label: "without geoip", opt: "--without-geoip" } - { label: "without ssdeep", opt: "--without-ssdeep" } - { label: "with lmdb", opt: "--with-lmdb" } + - { label: "with pcre2 (default)", opt: "" } - { label: "with pcre", opt: "--with-pcre" } steps:
From ee918fa180d5cb02ab21f5669fa1d383dcf4308b Mon Sep 17 00:00:00 2001
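Review bot: The error-log gate in build-linux looks ineffective for errors: `grep -E ':(?error|warn)[]]'` uses `(?`, which is not an ERE construct (GNU grep most likely takes the `?` literally), and the trailing `|| :` also hides a grep failure, so a log containing `:error]` lines can pass; `grep -E ':(error|warn)\]'` states the apparent intent. In the same job the two `curl -s http://127.0.01/ … || echo $?` probes never fail the step, so the format check that follows can run against a log with no ModSecurity lines and still `exit 0`. `matrix.platform` and `matrix.compiler` are declared in build-linux and test-linux but no step references them, which multiplies identical jobs by four. Two of the three `ammaraskar/gcc-problem-matcher` uses track `@master` while test-regression-linux already pins `@0f9c86f9e693db67dacf53986e1674de5f2e5f28`; use the pinned form in all three.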
From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Mon, 23 Feb 2026 17:54:10 +0100 Subject: [PATCH 07/10] Delete .github/workflows/ci_v2_master.yml --- .github/workflows/ci_v2_master.yml | 177 ----------------------------- 1 file changed, 177 deletions(-) delete mode 100644 .github/workflows/ci_v2_master.yml diff --git a/.github/workflows/ci_v2_master.yml b/.github/workflows/ci_v2_master.yml deleted file mode 100644 index b76d6dd3d3..0000000000 --- a/.github/workflows/ci_v2_master.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -name: Quality Assurance - -on: - push: - pull_request: - -jobs: - build-linux: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-24.04] - platform: [x32, x64] - compiler: [gcc, clang] - configure: - - {label: "with pcre2, no study, no jit", opt: "--enable-pcre-study=no" } - - {label: "with pcre2, with study, no jit", opt: "--enable-pcre-study=yes" } - - {label: "with pcre2, no study, with jit", opt: "--enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" } - - {label: "with pcre", opt: "--with-pcre --enable-pcre-study=no" } - - {label: "with pcre, with study, no jit", opt: "--with-pcre --enable-pcre-study=yes" } - - {label: "with pcre, no study, with jit", opt: "--with-pcre --enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes --enable-pcre-jit" } - - {label: "with lua", opt: "--with-lua" } - - {label: "wo lua", opt: "--without-lua" } - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data - - uses: actions/checkout@v2 - - name: autogen.sh - run: ./autogen.sh - - name: configure ${{ matrix.configure.label }} - run: ./configure --enable-assertions ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security' - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: install module - run: sudo make install - - name: prepare config - run: | - sudo cp .github/security2.conf /etc/apache2/mods-enabled/ - sudo cp modsecurity.conf-recommended /etc/apache2/modsecurity.conf - sudo cp unicode.mapping /etc/apache2/ - sudo mkdir -p /var/cache/modsecurity - sudo chown -R www-data:www-data /var/cache/modsecurity - - name: first check config (to get syntax 
errors) - run: sudo apachectl configtest - - name: start apache with module - run: sudo systemctl restart apache2.service - - name: Search for errors/warnings in error log - run: | - # '|| :' handles the case grep doesn't match, otherwise the script exits with 1 (error) - errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || : - if [[ -z "${errors}" ]]; then exit 0; fi - echo "::error:: Found errors/warnings in error.log" - echo "${errors}" - exit 1 - - name: Check error.log - run: | - # Send requests & check log format - # Valid request - curl -s http://127.0.01/ > /dev/null || echo $? - # Invalid request - curl -s http://127.0.01/%2e%2f > /dev/null || echo $? - # Check log format - grep -F ModSecurity < /var/log/apache2/error.log | grep -vP "^\[[^\]]+\] \[security2:[a-z]+\] \[pid [0-9]+:tid [0-9]+\] (?:\[client [0-9.:]+\] )?ModSecurity" || exit 0 - # grep -v succeeded => found some lines with invalid format - exit 1 - - name: Show httpd error log - if: always() - run: sudo cat /var/log/apache2/error.log - - name: Show mod_security2 audit log - if: always() - run: sudo cat /var/log/apache2/modsec_audit.log - - test-linux: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-24.04] - platform: [x32, x64] - compiler: [gcc, clang] - configure: - - {label: "with pcre2, no study, no jit", opt: "--enable-pcre-study=no" } - - {label: "with pcre2, with study, no jit", opt: "--enable-pcre-study=yes" } - - {label: "with pcre2, no study, with jit", opt: "--enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" } - - {label: "with pcre", opt: "--with-pcre --enable-pcre-study=no" } - - {label: "with pcre, with study, no jit", opt: "--with-pcre --enable-pcre-study=yes" } - - {label: "with pcre, no study, with jit", opt: "--with-pcre --enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes 
--enable-pcre-jit" } - - {label: "with lua", opt: "--with-lua" } - - {label: "wo lua", opt: "--without-lua" } - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data - - uses: actions/checkout@v2 - - name: autogen.sh - run: ./autogen.sh - - name: configure ${{ matrix.configure.label }} - run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security' - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: install module - run: sudo make install - - name: run tests - run: make test - - test-regression-linux: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-24.04] - platform: [x64] - compiler: [gcc] - configure: - - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" } - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl ssdeep libfuzzy-dev libfuzzy2 - - uses: actions/checkout@v2 - - name: autogen.sh - run: ./autogen.sh - - name: configure ${{ matrix.configure.label }} - run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security' - - uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 #v0.3.0 - - name: make - run: make -j `nproc` - - name: install module - run: sudo make install - - name: run regression tests - run: make test-regression - - cppcheck: - runs-on: [ubuntu-24.04] - container: - image: debian:sid - steps: - - name: Setup Dependencies - run: | - apt-get update -y -qq - apt-get install -y --no-install-recommends build-essential \ - autoconf \ - automake 
\ - libtool \ - pkg-config \ - cppcheck \ - apache2-dev \ - libpcre2-dev \ - libapr1-dev \ - libaprutil1-dev \ - libxml2-dev \ - liblua5.3-dev \ - libyajl-dev \ - libfuzzy-dev \ - ssdeep \ - curl \ - ca-certificates - - uses: actions/checkout@v4 - with: - submodules: false - fetch-depth: 0 - - name: configure - run: | - ./autogen.sh - ./configure --with-apxs=/usr/bin/apxs - - name: cppcheck - run: | - make check-static - From d53f7dcbbf36d38fc1a41ce5f57f313ec49f5e0e Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Mon, 23 Feb 2026 17:55:00 +0100 Subject: [PATCH 08/10] Delete .github/workflows/ci_v2_master.yml --- .github/workflows/ci_v2_master.yml | 177 ----------------------------- 1 file changed, 177 deletions(-) delete mode 100644 .github/workflows/ci_v2_master.yml diff --git a/.github/workflows/ci_v2_master.yml b/.github/workflows/ci_v2_master.yml deleted file mode 100644 index b76d6dd3d3..0000000000 --- a/.github/workflows/ci_v2_master.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -name: Quality Assurance - -on: - push: - pull_request: - -jobs: - build-linux: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-24.04] - platform: [x32, x64] - compiler: [gcc, clang] - configure: - - {label: "with pcre2, no study, no jit", opt: "--enable-pcre-study=no" } - - {label: "with pcre2, with study, no jit", opt: "--enable-pcre-study=yes" } - - {label: "with pcre2, no study, with jit", opt: "--enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" } - - {label: "with pcre", opt: "--with-pcre --enable-pcre-study=no" } - - {label: "with pcre, with study, no jit", opt: "--with-pcre --enable-pcre-study=yes" } - - {label: "with pcre, no study, with jit", opt: "--with-pcre --enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes --enable-pcre-jit" } - - {label: "with lua", opt: "--with-lua" } - - {label: "wo lua", opt: "--without-lua" } - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data - - uses: actions/checkout@v2 - - name: autogen.sh - run: ./autogen.sh - - name: configure ${{ matrix.configure.label }} - run: ./configure --enable-assertions ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security' - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: install module - run: sudo make install - - name: prepare config - run: | - sudo cp .github/security2.conf /etc/apache2/mods-enabled/ - sudo cp modsecurity.conf-recommended /etc/apache2/modsecurity.conf - sudo cp unicode.mapping /etc/apache2/ - sudo mkdir -p /var/cache/modsecurity - sudo chown -R www-data:www-data /var/cache/modsecurity - - name: first check config (to get syntax 
errors) - run: sudo apachectl configtest - - name: start apache with module - run: sudo systemctl restart apache2.service - - name: Search for errors/warnings in error log - run: | - # '|| :' handles the case grep doesn't match, otherwise the script exits with 1 (error) - errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || : - if [[ -z "${errors}" ]]; then exit 0; fi - echo "::error:: Found errors/warnings in error.log" - echo "${errors}" - exit 1 - - name: Check error.log - run: | - # Send requests & check log format - # Valid request - curl -s http://127.0.01/ > /dev/null || echo $? - # Invalid request - curl -s http://127.0.01/%2e%2f > /dev/null || echo $? - # Check log format - grep -F ModSecurity < /var/log/apache2/error.log | grep -vP "^\[[^\]]+\] \[security2:[a-z]+\] \[pid [0-9]+:tid [0-9]+\] (?:\[client [0-9.:]+\] )?ModSecurity" || exit 0 - # grep -v succeeded => found some lines with invalid format - exit 1 - - name: Show httpd error log - if: always() - run: sudo cat /var/log/apache2/error.log - - name: Show mod_security2 audit log - if: always() - run: sudo cat /var/log/apache2/modsec_audit.log - - test-linux: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-24.04] - platform: [x32, x64] - compiler: [gcc, clang] - configure: - - {label: "with pcre2, no study, no jit", opt: "--enable-pcre-study=no" } - - {label: "with pcre2, with study, no jit", opt: "--enable-pcre-study=yes" } - - {label: "with pcre2, no study, with jit", opt: "--enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" } - - {label: "with pcre", opt: "--with-pcre --enable-pcre-study=no" } - - {label: "with pcre, with study, no jit", opt: "--with-pcre --enable-pcre-study=yes" } - - {label: "with pcre, no study, with jit", opt: "--with-pcre --enable-pcre-study=no --enable-pcre-jit" } - - {label: "with pcre, with study, with jit", opt: "--with-pcre --enable-pcre-study=yes 
--enable-pcre-jit" } - - {label: "with lua", opt: "--with-lua" } - - {label: "wo lua", opt: "--without-lua" } - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data - - uses: actions/checkout@v2 - - name: autogen.sh - run: ./autogen.sh - - name: configure ${{ matrix.configure.label }} - run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security' - - uses: ammaraskar/gcc-problem-matcher@master - - name: make - run: make -j `nproc` - - name: install module - run: sudo make install - - name: run tests - run: make test - - test-regression-linux: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-24.04] - platform: [x64] - compiler: [gcc] - configure: - - {label: "with pcre2, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" } - steps: - - name: Setup Dependencies - run: | - sudo apt-get update -y -qq - sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl ssdeep libfuzzy-dev libfuzzy2 - - uses: actions/checkout@v2 - - name: autogen.sh - run: ./autogen.sh - - name: configure ${{ matrix.configure.label }} - run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security' - - uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 #v0.3.0 - - name: make - run: make -j `nproc` - - name: install module - run: sudo make install - - name: run regression tests - run: make test-regression - - cppcheck: - runs-on: [ubuntu-24.04] - container: - image: debian:sid - steps: - - name: Setup Dependencies - run: | - apt-get update -y -qq - apt-get install -y --no-install-recommends build-essential \ - autoconf \ - automake 
\ - libtool \ - pkg-config \ - cppcheck \ - apache2-dev \ - libpcre2-dev \ - libapr1-dev \ - libaprutil1-dev \ - libxml2-dev \ - liblua5.3-dev \ - libyajl-dev \ - libfuzzy-dev \ - ssdeep \ - curl \ - ca-certificates - - uses: actions/checkout@v4 - with: - submodules: false - fetch-depth: 0 - - name: configure - run: | - ./autogen.sh - ./configure --with-apxs=/usr/bin/apxs - - name: cppcheck - run: | - make check-static - From f9d884ce030e8107f1ee1500a546d65142a61d64 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Fri, 6 Mar 2026 16:52:39 +0100 Subject: [PATCH 09/10] Refactor CI workflow and update dependencies Updated CI workflow to use recursive submodules and changed container from debian:sid to debian:trixie. Removed GeoIP library build steps and unnecessary dependencies. --- .github/workflows/ci_new.yml | 52 ++++++++---------------------------- 1 file changed, 11 insertions(+), 41 deletions(-) diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml index 1fbc5ca09b..337c211c34 100644 --- a/.github/workflows/ci_new.yml +++ b/.github/workflows/ci_new.yml @@ -32,16 +32,12 @@ jobs: - { label: "without ssdeep", opt: "--without-ssdeep" } - { label: "with lmdb", opt: "--with-lmdb" } - { label: "with pcre2 (default)", opt: "" } - - { label: "with pcre", opt: "--with-pcre" } steps: - uses: actions/checkout@v6 with: fetch-depth: 0 - submodules: true - - - name: Ensure submodules are fully initialized (recursive) - run: git submodule update --init --recursive + submodules: recursive - name: Install dependencies run: | @@ -53,8 +49,6 @@ jobs: liblua5.2-dev \ libmaxminddb-dev \ libpcre2-dev \ - libpcre3-dev \ - libgeoip-dev \ libxml2-dev \ libfuzzy-dev \ pcre2-utils \ 
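Review bot: Dropping `libgeoip-dev` from the Linux install list here (and the `Build GeoIP library` step in the macOS hunk at -114) leaves no job with the GeoIP library installed, while the matrix still carries the `without geoip` entry (`--without-geoip`, one line above this commit's first hunk). That cell presumably no longer differs from the default build, and the GeoIP code path is no longer compiled or tested by CI. If that is intended, remove the matrix entry in the same change and state it in the description; otherwise keep one job that installs the library.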
@@ -97,17 +91,13 @@ jobs: - { label: "without ssdeep", opt: "--without-ssdeep" } - { label: "with lmdb", opt: "--with-lmdb" } - { label: "with pcre2 (default)", opt: "" } - - { label: "with pcre", opt: "--with-pcre" } steps: - uses: actions/checkout@v6 with: fetch-depth: 0 - submodules: true - - - name: Ensure submodules are fully initialized (recursive) - run: git submodule update --init --recursive - + submodules: recursive + - name: Install dependencies # curl and pcre2 are typically already available in the macOS runner image run: | @@ -124,17 +114,6 @@ jobs: bison \ flex - - name: Build GeoIP library - run: | - git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git - cd geoip-api-c - git fetch --tags - # last release v1.6.12 - git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a - autoreconf --install - ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew - make install - - name: Run build preparation script run: ./build.sh @@ -171,10 +150,7 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 - submodules: true - - - name: Ensure submodules are fully initialized (recursive) - run: git submodule update --init --recursive + submodules: recursive - name: Install Conan package manager run: | @@ -223,10 +199,7 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 - submodules: true - - - name: Ensure submodules are fully initialized (recursive) - run: git submodule update --init --recursive + submodules: recursive - name: Install cppcheck run: | @@ -243,7 +216,7 @@ jobs: cppcheck-linux: name: Static analysis (cppcheck, Linux, debian:sid) runs-on: ubuntu-latest - container: debian:sid + container: debian:trixie steps: - name: Install basic tools 
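Review bot: In the hunk at -243 the job's `name:` still reads `Static analysis (cppcheck, Linux, debian:sid)` although the `container:` line two lines below it now says `debian:trixie`, so the run list mislabels which distribution produced the cppcheck findings. Change the label together with the image, e.g. `name: Static analysis (cppcheck, Linux, debian:trixie)`. The image is also referenced by a moving tag; if stable analysis results matter, pin it by digest (`debian:trixie@sha256:<digest>`) and bump it deliberately. The job's steps continue outside the hunk.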
@@ -251,16 +224,14 @@ jobs: apt-get update apt-get install -y git + - name: Mark repo as safe for git + run: git config --global --add safe.directory $GITHUB_WORKSPACE + - uses: actions/checkout@v6 with: fetch-depth: 0 - submodules: true - - - name: Mark repo as safe for git - run: git config --global --add safe.directory $GITHUB_WORKSPACE + submodules: recursive - - name: Ensure submodules are fully initialized (recursive) - run: git submodule update --init --recursive - name: Install dependencies (v2 style) run: | @@ -278,7 +249,6 @@ jobs: liblua5.2-dev \ libmaxminddb-dev \ libpcre2-dev \ - libgeoip-dev \ libxml2-dev \ libfuzzy-dev \ pcre2-utils \ @@ -292,4 +262,4 @@ jobs: run: ./configure - name: Run cppcheck - run: make check-static \ No newline at end of file + run: make check-static From 82a22e55d5cf19f0780961130e3bd9843bc859f5 Mon Sep 17 00:00:00 2001 From: Easton97-Jens <66330090+Easton97-Jens@users.noreply.github.com> Date: Sat, 7 Mar 2026 04:11:23 +0100 Subject: [PATCH 10/10] Update CI workflow to include pcre and additional dependencies Added options for pcre and updated dependencies for cppcheck installation. --- .github/workflows/ci_new.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml index 337c211c34..27020ae6ab 100644 --- a/.github/workflows/ci_new.yml +++ b/.github/workflows/ci_new.yml @@ -32,6 +32,7 @@ jobs: - { label: "without ssdeep", opt: "--without-ssdeep" } - { label: "with lmdb", opt: "--with-lmdb" } - { label: "with pcre2 (default)", opt: "" } + - { label: "with pcre", opt: "--with-pcre" } steps: - uses: actions/checkout@v6 @@ -52,6 +53,7 @@ jobs: libxml2-dev \ libfuzzy-dev \ pcre2-utils \ + libpcre3-dev \ bison \ flex \ pkg-config 
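Review bot: The relocated `Mark repo as safe for git` step at the top of the hunk at -251 passes `$GITHUB_WORKSPACE` unquoted and carries no comment on why it exists or why it now runs before checkout. Quote the variable, `run: git config --global --add safe.directory "$GITHUB_WORKSPACE"`, and add a line such as `# the container user presumably differs from the workspace owner; trust only this path`. Keeping the entry scoped to the workspace path rather than a wildcard is the right choice and is worth stating in that comment, so nobody widens it later. The step list continues outside the hunk.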
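Review bot: The `with pcre` entry re-added at -32 of patch 10, together with `libpcre3-dev` in the hunk at -52, brings back a build against PCRE1 one commit after patch 09 removed both, and neither the workflow nor the commit message says why. PCRE1 is no longer maintained upstream, so the matrix should record that this leg exists for compatibility coverage, e.g. `# legacy PCRE1 build kept for compatibility coverage; pcre2 is the default` above the entry. `libpcre3-dev` is also appended after `pcre2-utils` instead of next to `libpcre2-dev`, where patch 09 had removed it, which makes the package list harder to scan.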
@@ -91,6 +93,7 @@ jobs: - { label: "without ssdeep", opt: "--without-ssdeep" } - { label: "with lmdb", opt: "--with-lmdb" } - { label: "with pcre2 (default)", opt: "" } + - { label: "with pcre", opt: "--with-pcre" } steps: - uses: actions/checkout@v6 @@ -203,7 +206,7 @@ jobs: - name: Install cppcheck run: | - brew install autoconf automake libtool cppcheck + brew install autoconf automake libtool cppcheck libmaxminddb yajl lua lmdb ssdeep - name: Configure project run: | @@ -216,7 +219,7 @@ jobs: cppcheck-linux: name: Static analysis (cppcheck, Linux, debian:sid) runs-on: ubuntu-latest - container: debian:trixie + container: debian:sid steps: - name: Install basic tools
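Review bot: The `with pcre` entry added to the matrix at -91 has no matching package change in this patch. The Linux job receives `libpcre3-dev` at -52, but no hunk adds a PCRE1 library to this job's install step, whose comment (visible in patch 09) names only curl and pcre2 as preinstalled on the macOS image. If PCRE1 is indeed absent, `./configure --with-pcre` will either fail or, depending on how configure treats a missing library, build something other than the labelled configuration. The install list is outside the hunk, so confirm it and add the package there if it is missing.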
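Review bot: In the hunk at -203 the step is still called `Install cppcheck` although the changed `brew install` line now also installs `libmaxminddb yajl lua lmdb ssdeep`, so the name no longer describes the step. Rename it, e.g. `- name: Install cppcheck and build dependencies`. The unversioned `lua` formula may also resolve to a different Lua release than the `liblua5.2-dev` used on Linux, so a short comment on which version the static analysis is expected to see would help.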
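Review bot: The `container:` line in the hunk at -216 goes back to `debian:sid` one commit after patch 09 moved it to `debian:trixie`, and the commit message gives no reason for the reversal. sid is the rolling unstable suite, so cppcheck and every library it analyses against can change between runs and produce findings unrelated to the change under test. If a newer cppcheck is the motive, record it next to the line, e.g. `# sid for the newest cppcheck; findings may shift between runs`. The steps continue outside the hunk.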