owasp-modsecurity · Easton97-Jens · Dec 7, 2025 · Dec 7, 2025 · Dec 7, 2025 · Dec 7, 2025
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,21 @@
+name: "CodeQL config for ModSecurity"
+
+queries:
+  - uses: security-extended
+
+paths-ignore:
+  # Tests
+  - "tests/**"
+  - "test/**"
+  - "**/*test*"
+
+  # Third-party / submodules
+  - "others/**"
+  - "bindings/**"
+  - "examples/**"
+  - "doc/**"
+
+  # Build & generated files
+  - "build/**"
+  - "**/*.png"
+  - "**/*.md"
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "Submodule Update"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "GitHub Actions Updates"
diff --git a/.github/security-scan-excludes.txt b/.github/security-scan-excludes.txt
@@ -0,0 +1,28 @@
+# Build & Output
+build
+build/*
+out
+out/*
+dist
+dist/*
+
+# Dependencies / Vendored
+vendor
+vendor/*
+third_party
+third_party/*
+deps
+deps/*
+external
+external/*
+
+# VCS / CI
+.git
+.github
+
+# Docs & misc
+docs
+examples
+tests
+test
+benchmarks
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,10 +10,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-22.04]
+        os: [ubuntu-24.04]
         platform:
-          - {label: "x64", arch: "amd64", configure: ""}
-          - {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32"}
+          - {label: "x64", arch: "amd64", configure: ""}   # nur noch x64
         compiler:
           - {label: "gcc", cc: "gcc", cxx: "g++"}
           - {label: "clang", cc: "clang", cxx: "clang++"}
@@ -27,11 +26,8 @@ jobs:
           - {label: "wo ssdeep",  opt: "--without-ssdeep" }
           - {label: "with lmdb",  opt: "--with-lmdb" }
           - {label: "with pcre", opt: "--with-pcre" }
-        exclude:
-          - platform: {label: "x32"}
-            configure: {label: "wo geoip"}
-          - platform: {label: "x32"}
-            configure: {label: "wo ssdeep"}
+      # keine excludes mehr nötig – es gibt kein x32
+
     steps:
       - name: Setup Dependencies (common)
         run: |
@@ -40,36 +36,48 @@ jobs:
           sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \
                                   libcurl4-openssl-dev:${{ matrix.platform.arch }} \
                                   liblmdb-dev:${{ matrix.platform.arch }} \
-                                  liblua5.2-dev:${{ matrix.platform.arch }} \
+                                  liblua5.3-dev:${{ matrix.platform.arch }} \
                                   libmaxminddb-dev:${{ matrix.platform.arch }} \
                                   libpcre2-dev:${{ matrix.platform.arch }} \
                                   pcre2-utils:${{ matrix.platform.arch }} \
-                                  bison flex
-      - name: Setup Dependencies (x32)
-        if: ${{ matrix.platform.label == 'x32' }}
-        run: |
-          sudo apt-get install g++-multilib
-          sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \
-                                  libpcre3-dev:${{ matrix.platform.arch }}
+                                  libpcre3-dev:${{ matrix.platform.arch }} \
+                                  bison flex cmake \
+                                  libmbedtls-dev:${{ matrix.platform.arch }}
+      # x32-Setup fällt komplett weg
+
       - name: Setup Dependencies (x64)
         if: ${{ matrix.platform.label == 'x64' }}
         run: |
           sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \
-                                  libfuzzy-dev:${{ matrix.platform.arch }}
-      - uses: actions/checkout@v4
+                                  libfuzzy-dev:${{ matrix.platform.arch }} 
+
+      - uses: actions/checkout@v6
         with:
           submodules: true
           fetch-depth: 0
-      - name: build.sh
-        run: ./build.sh
+
+      - name: Init git submodules
+        run: |
+          git submodule sync --recursive
+          git submodule update --init --recursive --force
+
+      - name: Build-Script ausführbar machen
+        run: chmod +x build_on_linux.sh
+
+      - name: build_on_linux.sh
+        run: ./build_on_linux.sh
+
       - name: configure
         env:
           CC: ${{ matrix.compiler.cc }}
           CXX: ${{ matrix.compiler.cxx }}
-        run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes
+        run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking
+
       - uses: ammaraskar/gcc-problem-matcher@master
+
       - name: make
         run: make -j `nproc`
+
       - name: check
         run: make check
 
@@ -78,22 +86,27 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [macos-14]
+        os: [macos-14, macos-15, macos-26]
         configure:
-          - {label: "with parser generation", opt: "--enable-parser-generation" }
-          - {label: "wo curl",    opt: "--without-curl" }
-          - {label: "wo lua",     opt: "--without-lua" }
-          - {label: "wo maxmind", opt: "--without-maxmind" }
-          - {label: "wo libxml",  opt: "--without-libxml" }
+          - {label: "with parser generation", opt: "--enable-parser-generation --without-geoip" }
+          - {label: "wo curl",    opt: "--without-curl --without-geoip" }
+          - {label: "wo lua",     opt: "--without-lua --without-geoip" }
+          - {label: "wo maxmind", opt: "--without-maxmind --without-geoip" }
+          - {label: "wo libxml",  opt: "--without-libxml --without-geoip" }
           - {label: "wo geoip",   opt: "--without-geoip" }
-          - {label: "wo ssdeep",  opt: "--without-ssdeep" }
-          - {label: "with lmdb",  opt: "--with-lmdb" }
-          - {label: "with pcre", opt: "--with-pcre" }
+          - {label: "wo ssdeep",  opt: "--without-ssdeep --without-geoip" }
+          - {label: "with lmdb",  opt: "--with-lmdb --without-geoip" }
+          - {label: "with pcre", opt: "--with-pcre --without-geoip" }
+
     steps:
-      - name: Setup Dependencies
-        # curl, pcre2 not installed because they're already
-        # included in the image
+      - name: Setup Homebrew
+        run: |
+          echo "PATH=/opt/homebrew/bin:$PATH" >> $GITHUB_ENV
+          echo "PKG_CONFIG_PATH=/opt/homebrew/lib/pkgconfig:/opt/homebrew/opt/openssl/lib/pkgconfig:/opt/homebrew/opt/pcre/lib/pkgconfig:/opt/homebrew/opt/pcre2/lib/pkgconfig:/opt/homebrew/opt/libxml2/lib/pkgconfig:/opt/homebrew/opt/curl/lib/pkgconfig:/opt/homebrew/opt/icu4c/lib/pkgconfig:/opt/homebrew/opt/openssl@3/lib/pkgconfig" >> $GITHUB_ENV
+
+      - name: Install Dependencies
         run: |
+          brew update
           brew install autoconf \
                        automake \
                        libtool \
@@ -105,87 +118,74 @@ jobs:
                        ssdeep \
                        pcre \
                        bison \
-                       flex
-      - uses: actions/checkout@v4
+                       flex \
+                       mbedtls
+
+      - uses: actions/checkout@v6
         with:
           submodules: true
           fetch-depth: 0
-      - name: Build GeoIP
+
+      - name: Init git submodules
         run: |
-          git clone --depth 1 --no-checkout https://github.com/maxmind/geoip-api-c.git
-          cd geoip-api-c
-          git fetch --tags
-          # Check out the last release, v1.6.12
-          git checkout 4b526e7331ca1d692b74a0509ddcc725622ed31a
-          autoreconf --install
-          ./configure --disable-dependency-tracking --disable-silent-rules --prefix=/opt/homebrew
-          make install
-      - name: build.sh
-        run: ./build.sh
+          git submodule sync --recursive
+          git submodule update --init --recursive --force
+
+      - name: Build-Script ausführbar machen
+        run: chmod +x build_on_macos.sh
+      - name: build_on_macos.sh
+        run: ./build_on_macos.sh
+
       - name: configure
-        run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes
+        env:
+          CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include
+          LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib
+        run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking
+
       - uses: ammaraskar/gcc-problem-matcher@master
+
       - name: make
         run: make -j `sysctl -n hw.logicalcpu`
+
       - name: check
         run: make check
 
-  build-windows:
-    name: Windows (${{ matrix.platform.label }}, ${{ matrix.configure.label }})
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [windows-2022]
-        platform:
-          - {label: "x64", arch: "x86_64"}
-        configuration: [Release]
-        configure:
-          - {label: "full",       opt: "" }
-          - {label: "wo curl",    opt: "-DWITH_CURL=OFF" }
-          - {label: "wo lua",     opt: "-DWITH_LUA=OFF" }
-          - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" }
-          - {label: "wo libxml",  opt: "-DWITH_LIBXML2=OFF" }
-          - {label: "with lmdb",  opt: "-DWITH_LMDB=ON" }
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-          fetch-depth: 0
-      - name: Install Conan
-        run: |
-          pip3 install conan --upgrade
-          conan profile detect
-      - uses: ammaraskar/msvc-problem-matcher@master
-      - name: Build ${{ matrix.configuration }} ${{ matrix.platform.arch }} ${{ matrix.configure.label }}
-        shell: cmd
-        run: vcbuild.bat ${{ matrix.configuration }} ${{ matrix.platform.arch }} NO_ASAN "${{ matrix.configure.opt }}"
-      - name: Set up test environment
-        working-directory: build\win32\build\${{ matrix.configuration }}
-        env:
-          BASE_DIR: ..\..\..\..
-        shell: cmd
-        run: |
-          copy unit_tests.exe %BASE_DIR%\test
-          copy regression_tests.exe %BASE_DIR%\test
-          copy libModSecurity.dll %BASE_DIR%\test
-          copy %BASE_DIR%\unicode.mapping %BASE_DIR%\test
-          md \tmp
-          md \bin
-          copy "C:\Program Files\Git\usr\bin\echo.exe" \bin
-          copy "C:\Program Files\Git\usr\bin\echo.exe" \bin\echo
-      - name: Disable tests that don't work on Windows
-        working-directory: test\test-cases\regression
-        shell: cmd
-        run: |
-          jq "map(if .title == \"Test match variable (1/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
-          jq "map(if .title == \"Test match variable (2/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
-          jq "map(if .title == \"Test match variable (3/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
-          jq "map(if .title == \"Variable offset - FILES_NAMES\" then .enabled = 0 else . end)" offset-variable.json > tmp.json && move /Y tmp.json offset-variable.json
-      - name: Run tests
-        working-directory: build\win32\build
-        run: |
-          ctest -C ${{ matrix.configuration }} --output-on-failure
 
+ # build-windows:
+ #    name: Windows (${{ matrix.configure.label }})
+ #    runs-on: windows-latest
+ #    strategy:
+ #      matrix:
+ #        configure:
+ #          - {label: "default", opt: "" }
+ #          - {label: "wo curl",    opt: "-DWITH_CURL=OFF" }
+ #         - {label: "wo lua",     opt: "-DWITH_LUA=OFF" }
+ #          - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" }
+  #         - {label: "wo libxml",  opt: "-DWITH_LIBXML2=OFF" }
+ #          - {label: "with lmdb",  opt: "-DWITH_LMDB=ON" }
+ #    steps:
+ #      - uses: actions/checkout@v6
+ #        with:
+  #         submodules: true
+  #         fetch-depth: 0
+ #      - name: Init git submodules
+ #        run: |
+  #         git submodule sync --recursive
+ #          git submodule update --init --recursive --force
+ #      - name: Install Conan
+ #        run: |
+ #          pip3 install conan
+ #      - name: Configure Conan
+ #        run: |
+ #          conan profile detect
+ #      - name: Configure CMake
+    #     run: |
+   #        cmake -S . -B build ${{ matrix.configure.opt }}
+  #     - name: Build
+ #        run: |
+ #          cmake --build build --config Release
+
+
   cppcheck:
     runs-on: [macos-14]
     steps:
@@ -199,9 +199,11 @@ jobs:
         with:
           submodules: true
           fetch-depth: 0
+      - name: Build-Script ausführbar machen
+        run: chmod +x build_on_macos.sh
       - name: configure
         run: |
-          ./build.sh
+          ./build_on_macos.sh
           ./configure
       - name: cppcheck
         run: make check-static