diff --git a/.azurepipelines/Ubuntu-GCC5.yml b/.azurepipelines/Ubuntu-GCC5.yml index 5f5aca8f..736662d7 100644 --- a/.azurepipelines/Ubuntu-GCC5.yml +++ b/.azurepipelines/Ubuntu-GCC5.yml @@ -23,7 +23,7 @@ resources: ref: refs/tags/v1.4.2 containers: - container: linux-gcc - image: ghcr.io/tianocore/containers/fedora-35-build:2113a0e + image: ghcr.io/tianocore/containers/fedora-35-build:5b8a008 variables: - group: architectures-arm-64-x86-64 diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4d82ce9f..1155d9f2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -28,6 +28,8 @@ updates: schedule: interval: "weekly" day: "monday" + timezone: "America/Los_Angeles" + time: "06:00" commit-message: prefix: "GitHub Action" labels: @@ -37,6 +39,8 @@ updates: directory: "/" schedule: interval: "daily" + timezone: "America/Los_Angeles" + time: "01:00" commit-message: prefix: "pip" labels: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index b8f98075..0f216b6d 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -12,10 +12,26 @@ For each item, place an "x" in between `[` and `]` if true. Example: `[x]`. _(you can also check items in the GitHub UI)_ - [ ] Impacts functionality? + - **Functionality** - Does the change ultimately impact how firmware functions? + - Examples: Add a new library, publish a new PPI, update an algorithm, ... - [ ] Impacts security? + - **Security** - Does the change have a direct security impact on an application, + flow, or firmware? + - Examples: Crypto algorithm change, buffer overflow fix, parameter + validation improvement, ... - [ ] Breaking change? + - **Breaking change** - Will anyone consuming this change experience a break + in build or boot behavior? + - Examples: Add a new library class, move a module to a different repo, call + a function in a new library class in a pre-existing module, ... - [ ] Includes tests? + - **Tests** - Does the change include any explicit test code? + - Examples: Unit tests, integration tests, robot tests, ... - [ ] Includes documentation? + - **Documentation** - Does the change contain explicit documentation additions + outside direct code modifications (and comments)? + - Examples: Update readme file, add feature readme file, link to documentation + on an a separate Web page, ... ## How This Was Tested diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 19a95214..c6ff888b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -18,6 +18,11 @@ section of the relevant Project Mu GitHub repo. Every Project Mu repo has an `Issues` section. Bug reports, feature requests, and documentation requests can all be submitted in the issues section. +## Security Vulnerabilities + +Please review the repos `Security Policy` but in general every Project Mu repo has `Private vulnerability reporting` +enabled. Please use the security tab to report a potential issue. + ### Identify Where to Report Project Mu is distributed across multiple repositories. Use features such as issues and discussions in the repository 
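Review bot: the new `## Security Vulnerabilities` heading in the CONTRIBUTING.md hunk is a level-2 heading dropped in directly before the existing `### Identify Where to Report`, so it demotes that subsection (and whatever follows it) under the security section; make it `###` to match its siblings, or move it after the existing subsections. In the same hunk, `the repos \`Security Policy\`` should read `the repo's`, and the sentence should link the policy file directly, e.g. `[Security Policy](SECURITY.md)`, so readers are not left to search for it.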
diff --git a/SECURITY.md b/SECURITY.md index e138ec5d..4af52553 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,41 +1,41 @@ - - -## Security - -Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). - -If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. - -## Reporting Security Issues - -**Please do not report security vulnerabilities through public GitHub issues.** - -Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). - -If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). - -You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). - -Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: - - * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 
- * Full paths of source file(s) related to the manifestation of the issue - * The location of the affected source code (tag/branch/commit or direct URL) - * Any special configuration required to reproduce the issue - * Step-by-step instructions to reproduce the issue - * Proof-of-concept or exploit code (if possible) - * Impact of the issue, including how an attacker might exploit the issue - -This information will help us triage your report more quickly. - -If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. - -## Preferred Languages - -We prefer all communications to be in English. - -## Policy - -Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). - - +# Project Mu Security Policy + +Project Mu is an open source firmware project that is leveraged by and combined into +other projects to build the firmware for a given product. We build and maintain this +code with the intent that any consuming projects can use this code as-is. If features +or fixes are necessary we ask that they contribute them back to the project. **But**, that +said, in the firmware ecosystem there is a lot of variation and differentiation, and +the license in this project allows flexibility for use without contribution back to +Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu. + + +## Supported Versions + +Due to the usage model we generally only supply fixes to the most recent release branch (or main). +For a serious vulnerability we may patch older release branches. + +## Additional Notes + +Project Mu contains code that is available and/or originally authored in other +repositories (see as one such example). 
For any +vulnerability found, we may be subject to their security policy and may need to work +with those groups to resolve amicably and patch the "upstream". This might involve +additional time to release and/or additional confidentiality requirements. + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead please use **Github Private vulnerability reporting**, which is enabled for each Project Mu +repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). + +This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability. + + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
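Review bot: the `linux-gcc` container in the Ubuntu-GCC5.yml hunk is still pinned only by a mutable short tag (`fedora-35-build:5b8a008`); a tag on ghcr.io can be re-pushed, so for a build container that produces firmware consider pinning by immutable digest, e.g. `image: ghcr.io/tianocore/containers/fedora-35-build@sha256:<digest>`, keeping the tag in a comment for readability. The commit message should also say what changed between `2113a0e` and `5b8a008`, since a build-container bump is effectively a toolchain change.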
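Review bot: typo in the Documentation bullet of the pull_request_template.md hunk: `on an a separate Web page` should read `on a separate web page`. The Security bullet also invites authors to describe security fixes in a public PR; a one-line pointer to `SECURITY.md` (updated in this same patch) would tell contributors that an actual vulnerability goes through private reporting first and the fix PR follows coordinated disclosure.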
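Review bot: the `Additional Notes` paragraph in the SECURITY.md hunk ends with `(see as one such example)` but names or links no example; either restore the missing reference or drop the parenthetical. Two things the removed text had that the new policy lacks are worth keeping: a fallback channel for reporters who cannot use GitHub private vulnerability reporting (the old text gave MSRC and secure@microsoft.com), and a short list of what a report should contain (affected file and tag/commit, required configuration, reproduction steps, impact) to speed triage; the new text also states no expected response time. Minor: `Github` should be `GitHub` in both places it appears, and the double blank lines before `## Supported Versions` and `## Preferred Languages` will trip markdownlint.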