detect-engine: use ports only after edge case handling #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: builds | |
on: | |
push: | |
pull_request: | |
workflow_dispatch: | |
inputs: | |
LIBHTP_REPO: | |
LIBHTP_BRANCH: | |
SU_REPO: | |
SU_BRANCH: | |
SV_REPO: | |
SV_BRANCH: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: read-all | |
env: | |
DEFAULT_SV_REPO: https://github.com/OISF/suricata-verify | |
DEFAULT_SV_BRANCH: master | |
DEFAULT_CFLAGS: "-Wall -Wextra -Werror -Wno-unused-parameter -Wno-unused-function" | |
# Apt sometimes likes to ask for user input, this will prevent that. | |
DEBIAN_FRONTEND: "noninteractive" | |
# A recent version of stable Rust that is known to pass build, test and other | |
# verification steps in this workflow. This was added because using "stable" | |
# could cause some steps to fail. | |
RUST_VERSION_KNOWN: "1.70.0" | |
# The minimum version of Rust supported. | |
RUST_VERSION_MIN: "1.63.0" | |
jobs: | |
prepare-deps: | |
name: Prepare dependencies | |
runs-on: ubuntu-latest | |
steps: | |
- name: Dumping github context for debugging | |
run: echo $JSON | |
env: | |
JSON: ${{ toJSON(github) }} | |
- run: sudo apt update && sudo apt -y install jq curl | |
- name: Parse repo and branch information | |
env: | |
# We fetch the actual pull request to get the latest body as | |
# github.event.pull_request.body has the body from the | |
# initial pull request. | |
PR_HREF: ${{ github.event.pull_request._links.self.href }} | |
run: | | |
if test "${PR_HREF}"; then | |
body=$(curl -s "${PR_HREF}" | jq -r .body | tr -d '\r') | |
echo "Parsing branch and PR info from:" | |
echo "${body}" | |
LIBHTP_REPO=$(echo "${body}" | awk -F = '/^LIBHTP_REPO=/ { print $2 }') | |
LIBHTP_BRANCH=$(echo "${body}" | awk -F = '/^LIBHTP_BRANCH=/ { print $2 }') | |
SU_REPO=$(echo "${body}" | awk -F = '/^SU_REPO=/ { print $2 }') | |
SU_BRANCH=$(echo "${body}" | awk -F = '/^SU_BRANCH=/ { print $2 }') | |
SV_REPO=$(echo "${body}" | awk -F = '/^SV_REPO=/ { print $2 }') | |
SV_BRANCH=$(echo "${body}" | awk -F = '/^SV_BRANCH=/ { print $2 }') | |
else | |
echo "No pull request body, will use inputs or defaults." | |
LIBHTP_REPO=${{ inputs.LIBHTP_REPO }} | |
LIBHTP_BRANCH=${{ inputs.LIBHTP_BRANCH }} | |
SU_REPO=${{ inputs.SU_REPO }} | |
SU_BRANCH=${{ inputs.SU_BRANCH }} | |
SV_REPO=${{ inputs.SV_REPO }} | |
SV_BRANCH=${{ inputs.SV_BRANCH }} | |
fi | |
# If the _REPO variables don't contain a full URL, add GitHub. | |
if [ "${LIBHTP_REPO}" ] && ! echo "${LIBHTP_REPO}" | grep -q '^https://'; then | |
LIBHTP_REPO="https://github.com/${LIBHTP_REPO}" | |
fi | |
if [ "${SU_REPO}" ] && ! echo "${SU_REPO}" | grep -q '^https://'; then | |
SU_REPO="https://github.com/${SU_REPO}" | |
fi | |
if [ "${SV_REPO}" ] && ! echo "${SV_REPO}" | grep -q '^https://'; then | |
SV_REPO="https://github.com/${SV_REPO}" | |
fi | |
echo LIBHTP_REPO=${LIBHTP_REPO} | tee -a ${GITHUB_ENV} | |
echo LIBHTP_BRANCH=${LIBHTP_BRANCH} | tee -a ${GITHUB_ENV} | |
echo SU_REPO=${SU_REPO} | tee -a ${GITHUB_ENV} | |
echo SU_BRANCH=${SU_BRANCH} | tee -a ${GITHUB_ENV} | |
echo SV_REPO=${SV_REPO:-${DEFAULT_SV_REPO}} | tee -a ${GITHUB_ENV} | |
echo SV_BRANCH=${SV_BRANCH:-${DEFAULT_SV_BRANCH}} | tee -a ${GITHUB_ENV} | |
- name: Annotate output | |
run: | | |
echo "::notice:: LIBHTP_REPO=${LIBHTP_REPO}" | |
echo "::notice:: LIBHTP_BRANCH=${LIBHTP_BRANCH}" | |
echo "::notice:: SU_REPO=${SU_REPO}" | |
echo "::notice:: SU_BRANCH=${SU_BRANCH}" | |
echo "::notice:: SV_REPO=${SV_REPO}" | |
echo "::notice:: SV_BRANCH=${SV_BRANCH}" | |
# Now checkout Suricata for the bundle script. | |
- name: Checking out Suricata | |
uses: actions/[email protected] | |
- name: Fetching libhtp | |
run: | | |
DESTDIR=./bundle ./scripts/bundle.sh libhtp | |
tar zcf libhtp.tar.gz -C bundle libhtp | |
- name: Fetching suricata-update | |
run: | | |
DESTDIR=./bundle ./scripts/bundle.sh suricata-update | |
tar zcf suricata-update.tar.gz -C bundle suricata-update | |
- name: Fetching suricata-verify | |
run: | | |
# Looking for a pull request number. in the SV_BRANCH | |
# value. This could be "pr/NNN", "pull/NNN" or a link to an | |
# OISF/suricata-verify pull request. | |
pr=$(echo "${SV_BRANCH}" | sed -n \ | |
-e 's/^https:\/\/github.com\/OISF\/suricata-verify\/pull\/\([0-9]*\)$/\1/p' \ | |
-e 's/^pull\/\([0-9]*\)$/\1/p' \ | |
-e 's/^pr\/\([0-9]*\)$/\1/p') | |
if [ "${pr}" ]; then | |
SV_BRANCH="refs/pull/${pr}/head" | |
echo "Using suricata-verify pull-request ${SV_BRANCH}" | |
else | |
echo "Using suricata-verify branch ${SV_BRANCH}" | |
fi | |
git clone --depth 1 ${SV_REPO} suricata-verify | |
cd suricata-verify | |
git fetch --depth 1 origin ${SV_BRANCH} | |
git -c advice.detachedHead=false checkout FETCH_HEAD | |
cd .. | |
tar zcf suricata-verify.tar.gz suricata-verify | |
- name: Uploading prep archive | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce | |
with: | |
name: prep | |
path: | | |
libhtp.tar.gz | |
suricata-update.tar.gz | |
suricata-verify.tar.gz | |
prepare-cbindgen: | |
name: Prepare cbindgen | |
runs-on: ubuntu-latest | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Installing Rust | |
run: | | |
curl https://sh.rustup.rs -sSf | sh -s -- -y | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
rustup target add x86_64-unknown-linux-musl | |
- name: Building static cbindgen for Linux | |
run: | | |
cargo install --target x86_64-unknown-linux-musl --debug cbindgen | |
cp $HOME/.cargo/bin/cbindgen . | |
- name: Uploading prep archive | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce | |
with: | |
name: prep | |
path: . | |
almalinux-9: | |
name: AlmaLinux 9 | |
runs-on: ubuntu-latest | |
container: almalinux:9 | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- uses: actions/[email protected] | |
# Download and extract dependency archives created during prep | |
# job. | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xvf prep/libhtp.tar.gz | |
- run: tar xvf prep/suricata-update.tar.gz | |
- run: tar xvf prep/suricata-verify.tar.gz | |
- name: Install system packages | |
run: | | |
dnf -y install dnf-plugins-core epel-release | |
dnf config-manager --set-enabled crb | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo-vendor \ | |
cbindgen \ | |
diffutils \ | |
numactl-devel \ | |
dpdk-devel \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-devel \ | |
python3-sphinx \ | |
python3-yaml \ | |
rust-toolset \ | |
sudo \ | |
which \ | |
zlib-devel | |
# These packages required to build the PDF. | |
dnf -y install \ | |
texlive-latex \ | |
texlive-cmap \ | |
texlive-collection-latexrecommended \ | |
texlive-fncychap \ | |
texlive-titlesec \ | |
texlive-tabulary \ | |
texlive-framed \ | |
texlive-wrapfig \ | |
texlive-upquote \ | |
texlive-capt-of \ | |
texlive-needspace | |
#- name: Setup cppclean | |
# run: | | |
# git clone --depth 1 --branch suricata https://github.com/catenacyber/cppclean | |
# cd cppclean | |
# python3 setup.py install | |
- name: Configuring | |
run: | | |
./autogen.sh | |
CFLAGS="${DEFAULT_CFLAGS}" ./configure | |
- run: make -j2 distcheck | |
env: | |
DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk" | |
- run: test -e doc/userguide/suricata.1 | |
- name: Checking includes | |
run: | | |
cppclean src/*.h | grep "does not need to be #included" | python3 scripts/cppclean_check.py | |
- name: Building Rust documentation | |
run: make doc | |
working-directory: rust | |
- run: make install | |
- run: suricatasc -h | |
- run: suricata-update -V | |
- name: Check if Suricata-Update example configuration files are installed | |
run: | | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/disable.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/drop.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/enable.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml | |
- name: Build C json filetype plugin | |
working-directory: examples/plugins/c-json-filetype | |
run: make | |
- name: Check C json filetype plugin | |
run: test -e examples/plugins/c-json-filetype/.libs/json-filetype.so.0.0.0 | |
- name: Installing headers and library | |
run: | | |
make install-headers | |
make install-library | |
- name: Test plugin build with Makefile.example | |
working-directory: examples/plugins/c-json-filetype | |
run: PATH=/usr/local/bin:$PATH make -f Makefile.example | |
almalinux-9-templates: | |
name: AlmaLinux 9 Test Templates | |
runs-on: ubuntu-latest | |
container: almalinux:9 | |
needs: [prepare-deps] | |
steps: | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
# TODO: Find some variable that matches the job name. | |
key: almalinux-9-templates-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo/registry | |
key: cargo-registry | |
- uses: actions/[email protected] | |
# Download and extract dependency archives created during prep | |
# job. | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xvf prep/libhtp.tar.gz | |
- run: tar xvf prep/suricata-update.tar.gz | |
- run: tar xvf prep/suricata-verify.tar.gz | |
- name: Install system packages | |
run: | | |
dnf -y install dnf-plugins-core epel-release | |
dnf config-manager --set-enabled crb | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cbindgen \ | |
diffutils \ | |
numactl-devel \ | |
dpdk-devel \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-devel \ | |
python3-sphinx \ | |
python3-yaml \ | |
sudo \ | |
which \ | |
zlib-devel | |
- run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain stable -y | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: rustup component add rustfmt | |
- run: rustup component add clippy | |
- name: Build | |
run: | | |
./autogen.sh | |
CFLAGS="${DEFAULT_CFLAGS}" ./configure | |
make -j2 | |
- run: ./scripts/setup-app-layer.py --parser --logger --detect FooBar payload | |
- run: make -j2 | |
- run: ./src/suricata --list-app-layer-protos | grep foobar | |
- name: Verify rustfmt | |
run: rustfmt -v --check src/applayerfoobar/*.rs | |
working-directory: rust | |
- name: Verify clippy | |
run: cargo clippy --all-features | |
working-directory: rust | |
almalinux-8: | |
name: AlmaLinux 8 | |
runs-on: ubuntu-latest | |
container: almalinux:8 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- uses: actions/[email protected] | |
# Prebuild check for duplicate SIDs | |
- name: Check for duplicate SIDs | |
run: | | |
dups=$(sed -n 's/^alert.*sid:\([[:digit:]]*\);.*/\1/p' ./rules/*.rules|sort|uniq -d|tr '\n' ' ') | |
if [[ "${dups}" != "" ]]; then | |
echo "::error::Duplicate SIDs found:${dups}" | |
exit 1 | |
fi | |
# Download and extract dependency archives created during prep | |
# job. | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xvf prep/libhtp.tar.gz | |
- run: tar xvf prep/suricata-update.tar.gz | |
- run: tar xvf prep/suricata-verify.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- name: Install system packages | |
run: | | |
yum -y install dnf-plugins-core | |
yum config-manager --set-enabled powertools | |
yum -y install \ | |
autoconf \ | |
automake \ | |
cargo-vendor \ | |
diffutils \ | |
numactl-devel \ | |
dpdk-devel \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-devel \ | |
python3-yaml \ | |
rust-toolset \ | |
sudo \ | |
which \ | |
zlib-devel | |
- name: Configuring | |
run: | | |
./autogen.sh | |
CFLAGS="${DEFAULT_CFLAGS}" ./configure | |
- run: make -j2 check | |
- name: Checking includes | |
run: | | |
cppclean src/*.h | grep "does not need to be #included" | python3 scripts/cppclean_check.py | |
- run: make install | |
- run: suricatasc -h | |
- run: suricata-update -V | |
centos-stream9: | |
name: CentOS Stream 9 | |
runs-on: ubuntu-latest | |
container: quay.io/centos/centos:stream9 | |
needs: [prepare-deps, debian-12-dist] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- name: Install system packages | |
run: | | |
dnf -y install dnf-plugins-core epel-release | |
dnf config-manager --set-enabled crb | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo-vendor \ | |
cbindgen \ | |
diffutils \ | |
numactl-devel \ | |
dpdk-devel \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-devel \ | |
python3-sphinx \ | |
python3-yaml \ | |
rust-toolset \ | |
sudo \ | |
which \ | |
zlib-devel | |
- name: Download suricata.tar.gz | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: dist | |
- run: tar zxvf suricata-*.tar.gz --strip-components=1 | |
- name: ./configure | |
run: CFLAGS="${DEFAULT_CFLAGS}" ./configure | |
- run: make -j2 | |
- run: make install | |
- run: make install-conf | |
- run: suricatasc -h | |
- run: suricata-update -V | |
- name: Check if Suricata-Update example configuration files are installed | |
run: | | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/disable.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/drop.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/enable.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/suricata-verify.tar.gz | |
- run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: suricata-update -V | |
- run: suricatasc -h | |
centos-stream8: | |
name: CentOS Stream 8 | |
runs-on: ubuntu-latest | |
container: quay.io/centos/centos:stream8 | |
needs: [prepare-deps, debian-12-dist] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- name: Install system packages | |
run: | | |
dnf -y install dnf-plugins-core epel-release | |
dnf config-manager --set-enabled powertools | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
diffutils \ | |
numactl-devel \ | |
dpdk-devel \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-devel \ | |
python3-yaml \ | |
rust-toolset \ | |
sudo \ | |
which \ | |
zlib-devel | |
- name: Download suricata.tar.gz | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: dist | |
- run: tar zxvf suricata-*.tar.gz --strip-components=1 | |
- name: ./configure | |
run: CFLAGS="${DEFAULT_CFLAGS}" ./configure | |
- run: make -j2 | |
- run: make install | |
- run: make install-conf | |
- run: suricatasc -h | |
- run: suricata-update -V | |
- name: Check if Suricata-Update example configuration files are installed | |
run: | | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/disable.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/drop.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/enable.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in | |
test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/suricata-verify.tar.gz | |
- run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: suricata-update -V | |
- run: suricatasc -h | |
centos-7: | |
name: CentOS 7 | |
runs-on: ubuntu-latest | |
container: centos:7 | |
needs: [prepare-deps, debian-12-dist] | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/yum | |
key: ${{ github.job }}-yum | |
- run: echo "keepcache=1" >> /etc/yum.conf | |
- name: Install system dependencies | |
run: | | |
yum -y install epel-release | |
yum -y install \ | |
autoconf \ | |
automake \ | |
cargo \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
lz4-devel \ | |
make \ | |
nss-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python36-PyYAML \ | |
rust \ | |
sudo \ | |
which \ | |
zlib-devel | |
- name: Download suricata.tar.gz | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: dist | |
- run: tar zxvf suricata-*.tar.gz --strip-components=1 | |
# This isn't really needed as we are building from a prepared | |
# package, but some package managers like RPM and Debian like to | |
# run this command even on prepared packages, so make sure it | |
# works. | |
- name: Test autoreconf | |
run: autoreconf -fv --install | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure | |
- run: make -j2 | |
- run: make install | |
- run: make install-conf | |
- run: make distcheck | |
- run: make clean | |
- run: make -j2 | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/suricata-verify.tar.gz | |
- run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: suricata-update -V | |
- run: suricatasc -h | |
fedora-38-sv-codecov: | |
name: Fedora 38 (Suricata Verify codecov) | |
runs-on: ubuntu-latest | |
container: fedora:38 | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- run: | | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cbindgen \ | |
ccache \ | |
clang \ | |
curl \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
hiredis-devel \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libasan \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
llvm-devel \ | |
lz4-devel \ | |
make \ | |
nss-softokn-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-yaml \ | |
sudo \ | |
which \ | |
zlib-devel | |
# packaged Rust version has no profiler support built in, so get from rustup | |
- name: Install Rust | |
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.63.0 -y | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: ./autogen.sh | |
- run: ./configure --disable-shared | |
env: | |
CC: "clang" | |
RUSTFLAGS: "-C instrument-coverage" | |
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0" | |
- run: make -j2 | |
env: | |
CC: "clang" | |
RUSTFLAGS: "-C instrument-coverage" | |
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0" | |
- name: Extracting suricata-verify | |
run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: llvm-profdata merge -o default.profdata $(find suricata-verify/tests/ -name '*.profraw') | |
- run: llvm-cov show ./src/suricata -instr-profile=default.profdata --show-instantiations --ignore-filename-regex="^/root/.*" > coverage.txt | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 | |
with: | |
fail_ci_if_error: false | |
flags: suricata-verify | |
# Fedora 38 build using Clang. | |
fedora-38-clang: | |
name: Fedora 38 (clang, debug, asan, wshadow, rust-strict, systemd) | |
runs-on: ubuntu-latest | |
container: fedora:38 | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- run: | | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo \ | |
cbindgen \ | |
ccache \ | |
clang \ | |
coccinelle \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
hiredis-devel \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libasan \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libxdp-devel \ | |
libbpf-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-softokn-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python \ | |
python3-yaml \ | |
sudo \ | |
systemd-devel \ | |
which \ | |
zlib-devel | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: ./autogen.sh | |
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow" ./configure --disable-shared --enable-coccinelle | |
- name: Running unit tests and cocci checks | |
# Set the concurrency level for cocci. | |
run: CONCURRENCY_LEVEL=2 make check | |
- run: make distclean | |
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue --enable-lua | |
env: | |
LDFLAGS: "-fsanitize=address" | |
ac_cv_func_realloc_0_nonnull: "yes" | |
ac_cv_func_malloc_0_nonnull: "yes" | |
- run: make -j2 | |
- run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l . | |
- name: Extracting suricata-verify | |
run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
# Now install and make sure headers and libraries aren't | |
# installed until requested. | |
- run: make install | |
- run: test ! -e /usr/local/lib/libsuricata_c.a | |
- run: test ! -e /usr/local/include/suricata | |
- run: make install-headers | |
- run: test -e /usr/local/include/suricata/suricata.h | |
- run: make install-library | |
- run: test -e /usr/local/lib/libsuricata_c.a | |
- run: test -e /usr/local/lib/libsuricata_rust.a | |
- run: test -e /usr/local/bin/libsuricata-config | |
- run: test ! -e /usr/local/lib/libsuricata.so | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
# Check compilation against systemd | |
- run: ldd src/suricata | grep libsystemd &> /dev/null | |
# Fedora 38 build using GCC. | |
fedora-38-gcc: | |
name: Fedora 38 (gcc, debug, asan, wshadow, rust-strict) | |
runs-on: ubuntu-latest | |
container: fedora:38 | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo/registry | |
key: cargo-registry | |
- run: | | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo \ | |
cbindgen \ | |
ccache \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
hiredis-devel \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libasan \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-softokn-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-yaml \ | |
sudo \ | |
which \ | |
zlib-devel | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: ./autogen.sh | |
- run: ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue | |
env: | |
CFLAGS: "${{ env.DEFAULT_CFLAGS }} -Wshadow -fsanitize=address -fno-omit-frame-pointer" | |
LDFLAGS: "-fsanitize=address" | |
ac_cv_func_realloc_0_nonnull: "yes" | |
ac_cv_func_malloc_0_nonnull: "yes" | |
- run: make -j2 | |
- run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l . | |
- name: Extracting suricata-verify | |
run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
# Now install and make sure headers and libraries aren't | |
# installed until requested. | |
- run: make install | |
- run: test ! -e /usr/local/lib/libsuricata_c.a | |
- run: test ! -e /usr/local/include/suricata | |
- run: make install-headers | |
- run: test -e /usr/local/include/suricata/suricata.h | |
- run: make install-library | |
- run: test -e /usr/local/lib/libsuricata_c.a | |
- run: test -e /usr/local/lib/libsuricata_rust.a | |
- run: test -e /usr/local/bin/libsuricata-config | |
- run: test ! -e /usr/local/lib/libsuricata.so | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
# Fedora 39 build using Clang. | |
fedora-39-clang: | |
name: Fedora 39 (clang, debug, asan, wshadow, rust-strict, systemd) | |
runs-on: ubuntu-latest | |
container: fedora:39 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- run: | | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo \ | |
cbindgen \ | |
ccache \ | |
clang \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
hiredis-devel \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libasan \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libxdp-devel \ | |
libbpf-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-softokn-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-yaml \ | |
sudo \ | |
systemd-devel \ | |
which \ | |
zlib-devel | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: ./autogen.sh | |
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue --enable-lua | |
env: | |
LDFLAGS: "-fsanitize=address" | |
ac_cv_func_realloc_0_nonnull: "yes" | |
ac_cv_func_malloc_0_nonnull: "yes" | |
- run: make -j2 | |
- run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l . | |
- name: Extracting suricata-verify | |
run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
# Now install and make sure headers and libraries aren't install | |
# until requested. | |
- run: make install | |
- run: test ! -e /usr/local/lib/libsuricata_c.a | |
- run: test ! -e /usr/local/include/suricata | |
- run: make install-headers | |
- run: test -e /usr/local/include/suricata/suricata.h | |
- run: make install-library | |
- run: test -e /usr/local/lib/libsuricata_c.a | |
- run: test -e /usr/local/lib/libsuricata_rust.a | |
- run: test -e /usr/local/bin/libsuricata-config | |
- run: test ! -e /usr/local/lib/libsuricata.so | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
# Check compilation against systemd | |
- run: ldd src/suricata | grep libsystemd &> /dev/null | |
# Fedora 39 build using GCC. | |
fedora-39-gcc: | |
name: Fedora 39 (gcc, debug, asan, wshadow, rust-strict) | |
runs-on: ubuntu-latest | |
container: fedora:39 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo/registry | |
key: cargo-registry | |
- run: | | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo \ | |
cbindgen \ | |
ccache \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
hiredis-devel \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libasan \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-softokn-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-yaml \ | |
sudo \ | |
which \ | |
zlib-devel | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: ./autogen.sh | |
- run: ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue | |
env: | |
CFLAGS: "${{ env.DEFAULT_CFLAGS }} -Wshadow -fsanitize=address -fno-omit-frame-pointer" | |
LDFLAGS: "-fsanitize=address" | |
ac_cv_func_realloc_0_nonnull: "yes" | |
ac_cv_func_malloc_0_nonnull: "yes" | |
- run: make -j2 | |
- run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l . | |
- name: Extracting suricata-verify | |
run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
# Now install and make sure headers and libraries aren't install | |
# until requested. | |
- run: make install | |
- run: test ! -e /usr/local/lib/libsuricata_c.a | |
- run: test ! -e /usr/local/include/suricata | |
- run: make install-headers | |
- run: test -e /usr/local/include/suricata/suricata.h | |
- run: make install-library | |
- run: test -e /usr/local/lib/libsuricata_c.a | |
- run: test -e /usr/local/lib/libsuricata_rust.a | |
- run: test -e /usr/local/bin/libsuricata-config | |
- run: test ! -e /usr/local/lib/libsuricata.so | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
# This job builds and tests Suricata as a non-root user as some | |
# issues only show up when not running as root, and by default all | |
# jobs in GitHub actions are run as root inside the container. | |
fedora-39-non-root: | |
name: Fedora 39 (non-root, debug, clang, asan, wshadow, rust-strict, systemd) | |
runs-on: ubuntu-latest | |
container: fedora:39 | |
needs: [prepare-deps] | |
steps: | |
- run: | | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo \ | |
cbindgen \ | |
ccache \ | |
clang \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
hiredis-devel \ | |
jansson-devel \ | |
jq \ | |
lua-devel \ | |
libasan \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-softokn-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-yaml \ | |
sudo \ | |
systemd-devel \ | |
which \ | |
zlib-devel | |
- run: adduser suricata | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: tar xf prep/suricata-verify.tar.gz | |
- run: mkdir /home/suricata/suricata | |
- run: cp -a . /home/suricata/suricata | |
- run: chown -R suricata:suricata /home/suricata | |
- run: sudo -u suricata -s ./autogen.sh | |
working-directory: /home/suricata/suricata | |
- run: sudo -u suricata -s env PATH="/home/suricata/.cargo/bin:$PATH" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue | |
working-directory: /home/suricata/suricata | |
env: | |
ac_cv_func_realloc_0_nonnull: "yes" | |
ac_cv_func_malloc_0_nonnull: "yes" | |
LDFLAGS: "-fsanitize=address" | |
CC: "clang" | |
CFLAGS: "${{ env.DEFAULT_CFLAGS }} -Wshadow -fsanitize=address -fno-omit-frame-pointer" | |
- run: sudo -u suricata -s env PATH="/home/suricata/.cargo/bin:$PATH" make -j2 | |
working-directory: /home/suricata/suricata | |
- run: sudo -u suricata -s make check | |
working-directory: /home/suricata/suricata | |
- run: sudo -u suricata -s python3 ./suricata-verify/run.py -q --debug-failed | |
working-directory: /home/suricata/suricata | |
# Test that ./configure fails out of libjansson is not available. | |
almalinux-9-no-jansson: | |
name: AlmaLinux 9 (no jansson) | |
runs-on: ubuntu-latest | |
container: almalinux:9 | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Cache RPMs | |
uses: actions/[email protected] | |
with: | |
path: /var/cache/dnf | |
key: ${{ github.job }}-dnf | |
- run: echo "keepcache=1" >> /etc/dnf/dnf.conf | |
- run: | | |
dnf -y install dnf-plugins-core epel-release | |
dnf config-manager --set-enable crb | |
dnf -y install \ | |
autoconf \ | |
automake \ | |
cargo \ | |
cbindgen \ | |
clang \ | |
diffutils \ | |
file-devel \ | |
gcc \ | |
gcc-c++ \ | |
git \ | |
lua-devel \ | |
libasan \ | |
libtool \ | |
libyaml-devel \ | |
libnfnetlink-devel \ | |
libnetfilter_queue-devel \ | |
libnet-devel \ | |
libcap-ng-devel \ | |
libevent-devel \ | |
libmaxminddb-devel \ | |
libpcap-devel \ | |
libtool \ | |
lz4-devel \ | |
make \ | |
nss-softokn-devel \ | |
pcre2-devel \ | |
pkgconfig \ | |
python3-yaml \ | |
sudo \ | |
which \ | |
zlib-devel | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: ./autogen.sh | |
- run: | | |
if ./configure; then | |
echo "error: configure should have failed" | |
exit 1 | |
else | |
exit 0 | |
fi | |
ubuntu-22-04-cov-ut: | |
name: Ubuntu 22.04 (unittests coverage) | |
runs-on: ubuntu-latest | |
container: ubuntu:22.04 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Install dependencies | |
run: | | |
apt update | |
apt -y install \ | |
libpcre2-dev \ | |
build-essential \ | |
autoconf \ | |
automake \ | |
clang-14 \ | |
curl \ | |
git \ | |
jq \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libnuma-dev \ | |
libhiredis-dev \ | |
libhyperscan-dev \ | |
liblua5.1-dev \ | |
libjansson-dev \ | |
libevent-dev \ | |
libevent-pthreads-2.1-7 \ | |
libjansson-dev \ | |
libpython2.7 \ | |
llvm-14-dev \ | |
make \ | |
parallel \ | |
python3-yaml \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev \ | |
exuberant-ctags \ | |
curl \ | |
dpdk-dev | |
# packaged Rust version is too old for coverage, so get from rustup | |
- name: Install Rust | |
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.63.0 -y | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: ./autogen.sh | |
- run: ./configure --disable-shared --enable-unittests | |
env: | |
CC: "clang-14" | |
CXX: "clang++-14" | |
RUSTFLAGS: "-C instrument-coverage" | |
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0" | |
CXXFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0" | |
- run: make -j2 | |
env: | |
CC: "clang-14" | |
CXX: "clang++-14" | |
RUSTFLAGS: "-C instrument-coverage" | |
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0" | |
CXXFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0" | |
- run: ./src/suricata -u -l /tmp/ | |
env: | |
LLVM_PROFILE_FILE: "/tmp/ut.profraw" | |
- run: llvm-profdata-14 merge -o ut.profdata /tmp/ut.profraw | |
- run: llvm-cov-14 show ./src/suricata -instr-profile=ut.profdata --show-instantiations --ignore-filename-regex="^/root/.*" > coverage.txt | |
- run: | | |
cd rust | |
cargo test --no-run | |
cd .. | |
env: | |
RUSTFLAGS: "-C instrument-coverage" | |
CARGO_INCREMENTAL: 0 | |
- run: | | |
$(find rust/target/debug/deps/ -type f -regex 'rust/target/debug/deps/suricata\-[a-z0-9]+$') | |
env: | |
LLVM_PROFILE_FILE: "/tmp/ct.profraw" | |
CARGO_INCREMENTAL: 0 | |
- run: llvm-profdata-14 merge -o ct.profdata /tmp/ct.profraw | |
- run: llvm-cov-14 show $(find rust/target/debug/deps/ -type f -regex 'rust/target/debug/deps/suricata\-[a-z0-9]+$') -instr-profile=ct.profdata --show-instantiations --ignore-filename-regex="^/root/.*" >> coverage.txt | |
- run: | | |
cd libhtp | |
make test | |
cd .. | |
env: | |
LLVM_PROFILE_FILE: "/tmp/htp-test.profraw" | |
- run: llvm-profdata-14 merge -o htp-test.profdata /tmp/htp-test.profraw | |
- run: llvm-cov-14 show libhtp/test/test_all -instr-profile=htp-test.profdata --show-instantiations --ignore-filename-regex="^/root/.*" >> coverage.txt | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 | |
with: | |
fail_ci_if_error: false | |
flags: unittests | |
ubuntu-22-04-cov-fuzz: | |
name: Ubuntu 22.04 (fuzz corpus coverage) | |
runs-on: ubuntu-latest | |
container: ubuntu:22.04 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Install dependencies | |
run: | | |
apt update | |
apt -y install \ | |
libpcre2-dev \ | |
build-essential \ | |
autoconf \ | |
automake \ | |
llvm-14-dev \ | |
clang-14 \ | |
git \ | |
jq \ | |
libc++-dev \ | |
libc++abi-dev \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libnuma-dev \ | |
libhiredis-dev \ | |
liblua5.1-dev \ | |
libjansson-dev \ | |
libevent-dev \ | |
libevent-pthreads-2.1-7 \ | |
libjansson-dev \ | |
libpython2.7 \ | |
make \ | |
parallel \ | |
python3-yaml \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev \ | |
exuberant-ctags \ | |
unzip \ | |
curl \ | |
time \ | |
wget \ | |
dpdk-dev | |
# packaged Rust version is too old for coverage, so get from rustup | |
- name: Install Rust | |
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.63.0 -y | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: ./autogen.sh | |
- run: ./configure --with-gnu-ld --enable-fuzztargets --disable-shared --enable-gccprotect | |
env: | |
LIB_FUZZING_ENGINE: "fail_to_onefile_driver" | |
CC: "clang-14" | |
CXX: "clang++-14" | |
RUSTFLAGS: "-C instrument-coverage" | |
CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing -fsanitize=address -fno-omit-frame-pointer -fPIC -Wno-unused-parameter -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -Wimplicit-int-float-conversion -Wimplicit-int-conversion -Werror" | |
CXXFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing -fsanitize=address -fno-omit-frame-pointer -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -stdlib=libc++ -Wimplicit-int-float-conversion -Wimplicit-int-conversion" | |
ac_cv_func_malloc_0_nonnull: "yes" | |
ac_cv_func_realloc_0_nonnull: "yes" | |
- run: make -j2 | |
env: | |
CC: "clang-14" | |
CXX: "clang++-14" | |
RUSTFLAGS: "-C instrument-coverage" | |
- run: ./qa/run-ossfuzz-corpus.sh | |
- run: llvm-profdata-14 merge -o default.profdata $(find /tmp/ -name '*.profraw') | |
- run: llvm-cov-14 show ./src/suricata -instr-profile=default.profdata --show-instantiations --ignore-filename-regex="^/root/.*" > coverage.txt | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 | |
with: | |
fail_ci_if_error: false | |
flags: fuzzcorpus | |
ubuntu-20-04-ndebug: | |
name: Ubuntu 20.04 (-DNDEBUG) | |
runs-on: ubuntu-latest | |
container: ubuntu:20.04 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Install dependencies | |
run: | | |
apt update | |
apt -y install \ | |
build-essential \ | |
autoconf \ | |
automake \ | |
cargo \ | |
git \ | |
jq \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libnuma-dev \ | |
libhiredis-dev \ | |
libjansson-dev \ | |
libevent-dev \ | |
libevent-pthreads-2.1-7 \ | |
libjansson-dev \ | |
libpython2.7 \ | |
libpcre2-dev \ | |
make \ | |
parallel \ | |
python3-yaml \ | |
rustc \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev \ | |
exuberant-ctags \ | |
dpdk-dev | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: ./autogen.sh | |
- run: CFLAGS="$DEFAULT_CFLAGS -DNDEBUG" ./configure --enable-unittests | |
- run: make -j2 | |
- run: make check | |
- run: make dist | |
- name: Extracting suricata-verify | |
run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
# Now install and make sure headers and libraries aren't install | |
# until requested. | |
- run: make install | |
- run: test ! -e /usr/local/lib/libsuricata_c.a | |
- run: test ! -e /usr/local/include/suricata | |
- run: make install-headers | |
- run: test -e /usr/local/include/suricata/suricata.h | |
- run: make install-library | |
- run: test -e /usr/local/lib/libsuricata_c.a | |
- run: test -e /usr/local/lib/libsuricata_rust.a | |
- run: test -e /usr/local/bin/libsuricata-config | |
- run: test -e /usr/local/lib/libsuricata.so | |
- run: test -e /usr/local/lib/$(readlink /usr/local/lib/libsuricata.so) | |
- run: suricata-update -V | |
- run: suricatasc -h | |
ubuntu-20-04-too-old-rust: | |
name: Ubuntu 20.04 (unsupported rust) | |
runs-on: ubuntu-latest | |
container: ubuntu:20.04 | |
needs: debian-12-dist | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Install dependencies | |
run: | | |
apt update | |
apt -y install \ | |
build-essential \ | |
curl \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libnuma-dev \ | |
libhiredis-dev \ | |
libjansson-dev \ | |
libevent-dev \ | |
libevent-pthreads-2.1-7 \ | |
libjansson-dev \ | |
libpython2.7 \ | |
libpcre2-dev \ | |
make \ | |
python3-yaml \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev \ | |
dpdk-dev | |
- run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.62.0 -y | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- name: Download suricata.tar.gz | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: dist | |
- run: tar zxvf suricata-*.tar.gz --strip-components=1 | |
- run: | | |
if ./configure; then | |
echo "error: configure should have failed" | |
exit 1 | |
else | |
exit 0 | |
fi | |
ubuntu-22-04-debug-validation: | |
name: Ubuntu 22.04 (Debug Validation) | |
runs-on: ubuntu-22.04 | |
container: ubuntu:22.04 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Install dependencies | |
run: | | |
apt update | |
apt -y install \ | |
libpcre2-dev \ | |
build-essential \ | |
autoconf \ | |
automake \ | |
cargo \ | |
git \ | |
jq \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libhiredis-dev \ | |
libjansson-dev \ | |
libevent-dev \ | |
libevent-pthreads-2.1-7 \ | |
libjansson-dev \ | |
libpython2.7 \ | |
make \ | |
parallel \ | |
python3-yaml \ | |
rustc \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev \ | |
exuberant-ctags | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: ./autogen.sh | |
- run: ./configure --enable-debug-validation | |
env: | |
CFLAGS: "${{ env.DEFAULT_CFLAGS }} -Wshadow -fsanitize=address -fno-omit-frame-pointer" | |
LDFLAGS: "-fsanitize=address" | |
ac_cv_func_malloc_0_nonnull: "yes" | |
ac_cv_func_realloc_0_nonnull: "yes" | |
- run: make -j2 | |
- run: make check | |
- name: Extracting suricata-verify | |
run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
# test build with afl and fuzztargets | |
ubuntu-22-04-fuzz: | |
name: Ubuntu 22.04 (Fuzz) | |
runs-on: ubuntu-22.04 | |
container: ubuntu:22.04 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- name: Install dependencies | |
run: | | |
apt update | |
apt -y install \ | |
afl \ | |
afl-clang \ | |
libpcre2-dev \ | |
build-essential \ | |
autoconf \ | |
automake \ | |
cargo \ | |
git \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libhiredis-dev \ | |
libjansson-dev \ | |
libjansson-dev \ | |
libpython2.7 \ | |
make \ | |
rustc \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: ./autogen.sh | |
- run: AFL_HARDEN=1 ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes CFLAGS="-fsanitize=address -fno-omit-frame-pointer" CXXFLAGS=$CFLAGS CC=afl-clang-fast CXX=afl-clang-fast++ LDFLAGS="-fsanitize=address" ./configure --enable-fuzztargets --disable-shared | |
- run: AFL_HARDEN=1 make -j2 | |
ubuntu-22-04-netmap-build: | |
name: Ubuntu 22.04 (Netmap build) | |
needs: [prepare-deps, prepare-cbindgen] | |
runs-on: ubuntu-22.04 | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo/registry | |
key: cargo-registry | |
- name: Install dependencies | |
run: | | |
sudo apt update | |
sudo apt -y install \ | |
libpcre2-dev \ | |
build-essential \ | |
autoconf \ | |
automake \ | |
cargo \ | |
git \ | |
jq \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libhiredis-dev \ | |
libjansson-dev \ | |
libevent-dev \ | |
libevent-pthreads-2.1-7 \ | |
libjansson-dev \ | |
libpython2.7 \ | |
make \ | |
parallel \ | |
python3-yaml \ | |
rustc \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev \ | |
exuberant-ctags | |
- name: Install Netmap dependencies | |
run: | | |
sudo apt -y install \ | |
build-essential \ | |
git \ | |
linux-headers-$(uname -r) | |
- name: Checkout Netmap repository | |
uses: actions/[email protected] | |
with: | |
repository: luigirizzo/netmap | |
# gets cloned to $GITHUB_WORKSPACE/netmap/ | |
path: netmap/ | |
- name: Compile and install Netmap | |
run: | | |
cd $GITHUB_WORKSPACE/netmap/LINUX | |
./configure --no-drivers | |
make -j2 | |
sudo make install | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-netmap | |
- run: make -j2 | |
- run: ./src/suricata --build-info | grep -E "Netmap support:\s+yes" | |
ubuntu-22-04-dpdk-build: | |
name: Ubuntu 22.04 (DPDK Build) | |
runs-on: ubuntu-22.04 | |
container: ubuntu:22.04 | |
needs: [ prepare-deps, prepare-cbindgen ] | |
strategy: | |
matrix: | |
dpdk_version: [ 22.11.3, 21.11.5, 20.11.9, 19.11.14 ] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo/registry | |
key: cargo-registry | |
- name: Install dependencies | |
run: | | |
apt update | |
apt -y install \ | |
libpcre2-dev \ | |
build-essential \ | |
autoconf \ | |
automake \ | |
cargo \ | |
git \ | |
jq \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libnetfilter-queue-dev \ | |
libnetfilter-queue1 \ | |
libnfnetlink-dev \ | |
libnfnetlink0 \ | |
libhiredis-dev \ | |
libjansson-dev \ | |
libevent-dev \ | |
libevent-pthreads-2.1-7 \ | |
libjansson-dev \ | |
libpython2.7 \ | |
make \ | |
parallel \ | |
python3-yaml \ | |
rustc \ | |
software-properties-common \ | |
zlib1g \ | |
zlib1g-dev \ | |
exuberant-ctags | |
- name: Install DPDK dependencies | |
run: | | |
apt update | |
apt install -y \ | |
curl \ | |
build-essential \ | |
libnuma-dev \ | |
ninja-build \ | |
meson \ | |
python3-pip \ | |
python3-pyelftools \ | |
python3-setuptools \ | |
python3-wheel | |
- name: Compile and install DPDK | |
run: | | |
cd $HOME | |
rm -rf dpdk_${{ matrix.dpdk_version }} | |
find /usr/ -name 'librte_*.a' -delete | |
mkdir -p dpdk_${{ matrix.dpdk_version }} && cd dpdk_${{ matrix.dpdk_version }} | |
curl -fsLS https://fast.dpdk.org/rel/dpdk-${{ matrix.dpdk_version }}.tar.xz | tar -xJ --strip-components=1 | |
rm -rf build/ | |
meson setup -Dtests=false --prefix=/usr/ build | |
ninja -C build | |
ninja -C build install | |
ldconfig | |
cd $HOME | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-dpdk | |
- run: make -j2 | |
- run: make check | |
debian-12: | |
name: Debian 12 | |
runs-on: ubuntu-latest | |
container: debian:12 | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- run: apt update | |
- run: | | |
apt -y install \ | |
autoconf \ | |
automake \ | |
build-essential \ | |
cargo \ | |
cbindgen \ | |
cmake \ | |
curl \ | |
dpdk-dev \ | |
git \ | |
jq \ | |
make \ | |
libpcre3 \ | |
libpcre3-dbg \ | |
libpcre3-dev \ | |
libpcre2-dev \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libmaxminddb-dev \ | |
libjansson-dev \ | |
libjansson4 \ | |
liblua5.1-dev \ | |
libnspr4-dev \ | |
libnuma-dev \ | |
liblz4-dev \ | |
libssl-dev \ | |
liblzma-dev \ | |
pkg-config \ | |
python3 \ | |
python3-yaml \ | |
rustc \ | |
sphinx-doc \ | |
sphinx-common \ | |
texlive-latex-base \ | |
texlive-fonts-recommended \ | |
texlive-fonts-extra \ | |
texlive-latex-extra \ | |
zlib1g \ | |
zlib1g-dev | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: tar xf prep/suricata-verify.tar.gz | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests | |
- run: make -j2 | |
- run: make check | |
- run: make -j2 distcheck | |
env: | |
DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk" | |
- run: test -e doc/userguide/suricata.1 | |
- run: test -e doc/userguide/userguide.pdf | |
- name: Building Rust documentation | |
run: make doc | |
working-directory: rust | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
debian-12-dist: | |
name: Debian 12 Dist Builder | |
runs-on: ubuntu-latest | |
container: debian:12 | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- run: apt update | |
- run: | | |
apt -y install \ | |
autoconf \ | |
automake \ | |
build-essential \ | |
cargo \ | |
cbindgen \ | |
cmake \ | |
curl \ | |
git \ | |
jq \ | |
make \ | |
libpcre3 \ | |
libpcre3-dbg \ | |
libpcre3-dev \ | |
libpcre2-dev \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libjansson-dev \ | |
libjansson4 \ | |
libnspr4-dev \ | |
liblz4-dev \ | |
libssl-dev \ | |
liblzma-dev \ | |
pkg-config \ | |
python3 \ | |
python3-yaml \ | |
rustc \ | |
sphinx-doc \ | |
sphinx-common \ | |
texlive-latex-base \ | |
texlive-fonts-recommended \ | |
texlive-fonts-extra \ | |
texlive-latex-extra \ | |
zlib1g \ | |
zlib1g-dev | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure | |
- run: make dist | |
- run: test -e doc/userguide/suricata.1 | |
- run: test -e doc/userguide/userguide.pdf | |
- name: Preparing distribution | |
run: | | |
mkdir dist | |
mv suricata-*.tar.gz dist | |
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce | |
name: Uploading distribution | |
with: | |
name: dist | |
path: dist | |
debian-12-msrv: | |
name: Debian 12 MSRV | |
runs-on: ubuntu-latest | |
container: debian:12 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- run: apt update | |
- run: | | |
apt -y install \ | |
autoconf \ | |
automake \ | |
build-essential \ | |
cmake \ | |
curl \ | |
dpdk-dev \ | |
git \ | |
jq \ | |
make \ | |
libpcre3 \ | |
libpcre3-dbg \ | |
libpcre3-dev \ | |
libpcre2-dev \ | |
libtool \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libmaxminddb-dev \ | |
libjansson-dev \ | |
libjansson4 \ | |
liblua5.1-dev \ | |
libnspr4-dev \ | |
libnuma-dev \ | |
liblz4-dev \ | |
libssl-dev \ | |
liblzma-dev \ | |
pkg-config \ | |
python3 \ | |
python3-yaml \ | |
sphinx-doc \ | |
sphinx-common \ | |
texlive-latex-base \ | |
texlive-fonts-recommended \ | |
texlive-fonts-extra \ | |
texlive-latex-extra \ | |
zlib1g \ | |
zlib1g-dev | |
- name: Install Rust | |
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain ${RUST_VERSION_MIN} -y | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: tar xf prep/suricata-verify.tar.gz | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk | |
- run: make -j2 | |
- run: make check | |
- name: Building Rust documentation | |
run: make doc | |
working-directory: rust | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
debian-11: | |
name: Debian 11 (xdp) | |
runs-on: ubuntu-latest | |
container: debian:11 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- run: | | |
echo "deb http://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list | |
apt update | |
apt -y install \ | |
automake \ | |
autoconf \ | |
build-essential \ | |
ccache \ | |
curl \ | |
git \ | |
gosu \ | |
jq \ | |
libpcre2-dev \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libjansson-dev \ | |
libgeoip-dev \ | |
liblua5.1-dev \ | |
libhiredis-dev \ | |
libevent-dev \ | |
libtool \ | |
m4 \ | |
make \ | |
python3-yaml \ | |
pkg-config \ | |
sudo \ | |
zlib1g \ | |
zlib1g-dev \ | |
clang \ | |
libbpf-dev \ | |
libelf-dev \ | |
libxdp-dev | |
- name: Install Rust | |
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain $RUST_VERSION_KNOWN -y | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests --enable-fuzztargets --enable-ebpf --enable-ebpf-build | |
- run: make -j2 | |
- run: make check | |
- run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
debian-10: | |
name: Debian 10 | |
runs-on: ubuntu-latest | |
container: debian:10 | |
needs: [prepare-deps, prepare-cbindgen] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- run: | | |
apt update | |
apt -y install \ | |
automake \ | |
autoconf \ | |
build-essential \ | |
ccache \ | |
curl \ | |
git \ | |
gosu \ | |
jq \ | |
libpcre2-dev \ | |
libpcap-dev \ | |
libnet1-dev \ | |
libyaml-0-2 \ | |
libyaml-dev \ | |
libcap-ng-dev \ | |
libcap-ng0 \ | |
libmagic-dev \ | |
libjansson-dev \ | |
libgeoip-dev \ | |
liblua5.1-dev \ | |
libhiredis-dev \ | |
libevent-dev \ | |
libtool \ | |
m4 \ | |
make \ | |
python3-yaml \ | |
pkg-config \ | |
sudo \ | |
zlib1g \ | |
zlib1g-dev \ | |
clang \ | |
libbpf-dev \ | |
libelf-dev | |
- name: Install Rust | |
run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain $RUST_VERSION_KNOWN -y | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- name: Setup cbindgen | |
run: | | |
mkdir -p $HOME/.cargo/bin | |
cp prep/cbindgen $HOME/.cargo/bin | |
chmod 755 $HOME/.cargo/bin/cbindgen | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests --enable-fuzztargets --enable-ebpf --enable-ebpf-build | |
- run: make -j2 | |
- run: make check | |
- run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
macos-latest: | |
name: MacOS Latest | |
runs-on: macos-latest | |
needs: [prepare-deps] | |
steps: | |
# Cache Rust stuff. | |
- name: Cache cargo registry | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- run: | | |
brew install \ | |
autoconf \ | |
automake \ | |
curl \ | |
hiredis \ | |
jansson \ | |
jq \ | |
libmagic \ | |
libnet \ | |
libtool \ | |
libyaml \ | |
lua \ | |
pkg-config \ | |
python \ | |
rust \ | |
xz | |
- name: Install cbindgen | |
run: cargo install --debug --version 0.24.3 cbindgen | |
- run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
- run: pip3 install PyYAML | |
- uses: actions/[email protected] | |
- name: Downloading prep archive | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xvf prep/libhtp.tar.gz | |
- run: tar xvf prep/suricata-update.tar.gz | |
- run: ./autogen.sh | |
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests | |
- run: make -j2 | |
# somehow it gets included by some C++ stdlib header (case unsensitive) | |
- run: rm libhtp/VERSION && make check | |
- run: tar xf prep/suricata-verify.tar.gz | |
- name: Running suricata-verify | |
run: python3 ./suricata-verify/run.py -q --debug-failed | |
- run: make install | |
- run: suricata-update -V | |
- run: suricatasc -h | |
windows-msys2-mingw64-npcap: | |
name: Windows MSYS2 MINGW64 (NPcap) | |
runs-on: windows-latest | |
needs: [prepare-deps] | |
defaults: | |
run: | |
shell: msys2 {0} | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- uses: actions/[email protected] | |
- uses: msys2/setup-msys2@v2 | |
with: | |
msystem: MINGW64 | |
update: true | |
install: git mingw-w64-x86_64-toolchain automake1.16 automake-wrapper autoconf libtool libyaml-devel pcre2-devel jansson-devel make mingw-w64-x86_64-libyaml mingw-w64-x86_64-pcre2 mingw-w64-x86_64-rust mingw-w64-x86_64-jansson unzip p7zip python-setuptools mingw-w64-x86_64-python-yaml mingw-w64-x86_64-jq mingw-w64-x86_64-libxml2 | |
# hack: install our own cbindgen system wide as we can't get the | |
# preinstalled one to be picked up by configure | |
- name: cbindgen | |
run: cargo install --root /usr --force --debug --version 0.24.3 cbindgen | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- name: Npcap DLL | |
run: | | |
curl -sL -O https://nmap.org/npcap/dist/npcap-1.00.exe | |
7z -y x -o/npcap-bin npcap-1.00.exe | |
# hack: place dlls in cwd | |
cp /npcap-bin/*.dll . | |
- name: Npcap SDK | |
run: | | |
curl -sL -O https://nmap.org/npcap/dist/npcap-sdk-1.06.zip | |
unzip npcap-sdk-1.06.zip -d /npcap | |
cp /npcap/Lib/x64/* /usr/lib/ | |
- run: tar xf prep/suricata-verify.tar.gz | |
- name: Build | |
run: | | |
./autogen.sh | |
CFLAGS="-ggdb -Werror" ./configure --enable-unittests --enable-gccprotect --disable-gccmarch-native --disable-shared --with-libpcap-includes=/npcap/Include --with-libpcap-libraries=/npcap/Lib/x64 | |
make -j3 | |
- name: Run | |
run: | | |
./src/suricata --build-info | |
./src/suricata -u -l /tmp/ | |
# need cwd in path due to npcap dlls (see above) | |
PATH="$PATH:$(pwd)" python3 ./suricata-verify/run.py -q --debug-failed | |
- run: make install | |
- run: suricata-update -V | |
windows-msys2-mingw64-libpcap: | |
name: Windows MSYS2 MINGW64 (libpcap) | |
runs-on: windows-latest | |
needs: [prepare-deps] | |
defaults: | |
run: | |
shell: msys2 {0} | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- uses: actions/[email protected] | |
- uses: msys2/setup-msys2@v2 | |
with: | |
msystem: MINGW64 | |
update: true | |
install: git mingw-w64-x86_64-toolchain automake1.16 automake-wrapper autoconf libtool libyaml-devel pcre2-devel jansson-devel make mingw-w64-x86_64-libyaml mingw-w64-x86_64-pcre2 mingw-w64-x86_64-rust mingw-w64-x86_64-jansson unzip p7zip python-setuptools mingw-w64-x86_64-python-yaml mingw-w64-x86_64-jq mingw-w64-x86_64-libxml2 libpcap-devel mingw-w64-x86_64-libpcap | |
# hack: install our own cbindgen system wide as we can't get the | |
# preinstalled one to be picked up by configure | |
- name: cbindgen | |
run: cargo install --root /usr --force --debug --version 0.24.3 cbindgen | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- run: tar xf prep/suricata-update.tar.gz | |
- run: tar xf prep/suricata-verify.tar.gz | |
- name: Build | |
run: | | |
./autogen.sh | |
CFLAGS="-ggdb -Werror" ./configure --enable-unittests --enable-gccprotect --disable-gccmarch-native --disable-shared --with-libpcap-includes=/npcap/Include --with-libpcap-libraries=/npcap/Lib/x64 | |
make -j3 | |
- name: Run | |
run: | | |
./src/suricata --build-info | |
./src/suricata -u -l /tmp/ | |
python3 ./suricata-verify/run.py -q --debug-failed | |
- run: make install | |
- run: suricata-update -V | |
windows-msys2-mingw64-windivert: | |
name: Windows MSYS2 MINGW64 (WinDivert) | |
runs-on: windows-latest | |
needs: [prepare-deps] | |
defaults: | |
run: | |
shell: msys2 {0} | |
steps: | |
- name: Cache ~/.cargo | |
uses: actions/[email protected] | |
with: | |
path: ~/.cargo | |
key: ${{ github.job }}-cargo | |
- uses: actions/[email protected] | |
- uses: msys2/setup-msys2@v2 | |
with: | |
msystem: MINGW64 | |
update: true | |
install: git mingw-w64-x86_64-toolchain automake1.16 automake-wrapper autoconf libtool libyaml-devel pcre2-devel jansson-devel make mingw-w64-x86_64-libyaml mingw-w64-x86_64-pcre2 mingw-w64-x86_64-rust mingw-w64-x86_64-jansson unzip p7zip python-setuptools mingw-w64-x86_64-python-yaml mingw-w64-x86_64-jq mingw-w64-x86_64-libxml2 libpcap-devel mingw-w64-x86_64-libpcap | |
# hack: install our own cbindgen system wide as we can't get the | |
# preinstalled one to be picked up by configure | |
- name: cbindgen | |
run: cargo install --root /usr --force --debug --version 0.24.3 cbindgen | |
- uses: actions/[email protected] | |
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a | |
with: | |
name: prep | |
path: prep | |
- run: tar xf prep/libhtp.tar.gz | |
- name: WinDivert | |
run: | | |
curl -sL -O https://github.com/basil00/Divert/releases/download/v1.4.3/WinDivert-1.4.3-A.zip | |
unzip WinDivert-1.4.3-A.zip -d /windivert | |
cp /windivert/WinDivert-1.4.3-A/x86_64/* /usr/lib/ | |
# hack: place dlls in cwd | |
cp /windivert/WinDivert-1.4.3-A/x86_64/*.dll . | |
- name: Build | |
run: | | |
./autogen.sh | |
CFLAGS="-ggdb -Werror" ./configure --enable-gccprotect --disable-gccmarch-native --disable-shared --enable-windivert --with-windivert-include=/windivert/WinDivert-1.4.3-A/include --with-windivert-libraries=/windivert/WinDivert-1.4.3-A/x86_64 | |
make -j3 | |
- name: Run | |
run: | | |
# need cwd in path due to dlls (see above) | |
PATH="$PATH:$(pwd)" ./src/suricata --build-info | |
- run: make install | |