From 3cdce17b66ba7e0b9a0afba6e36f63e14fcacfd7 Mon Sep 17 00:00:00 2001
From: Luni-4
Date: Fri, 1 Dec 2023 13:20:10 +0100
Subject: [PATCH 1/7] ci: Improve vulnerabilities and dependencies configs
---
 .github/workflows/dependencies.yml | 2 +-
 .github/workflows/vulnerabilities.yml | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index 07492aafcf..a66abb0f55 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -5,7 +5,7 @@ on:
 - cron: '0 21 * * TUE' # Run every Tuesday at 21:00 (UTC)
 push:
 tags:
- - 'v*.*.*'
+ - 'v*.*.*' # Run when a new version is being published
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
index 0b81a2bfce..ed3e5d7aef 100644
--- a/.github/workflows/vulnerabilities.yml
+++ b/.github/workflows/vulnerabilities.yml
@@ -5,10 +5,13 @@ on:
 - cron: '0 21 * * TUE' # Run every Tuesday at 21:00 (UTC)
 push:
 tags:
- - 'v*.*.*'
+ - 'v*.*.*' # Run when a new version is being published
-jobs:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+jobs:
 valgrind:
 runs-on: ubuntu-latest
From 0b648fdde99898bbe9fa26bf570078a839612794 Mon Sep 17 00:00:00 2001
From: Luni-4
Date: Fri, 1 Dec 2023 14:29:41 +0100
Subject: [PATCH 2/7] ci: Change execution day for vulnerabilities
---
 .github/workflows/vulnerabilities.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
index ed3e5d7aef..11ace31273 100644
--- a/.github/workflows/vulnerabilities.yml
+++ b/.github/workflows/vulnerabilities.yml
@@ -2,7 +2,7 @@ name: vulnerabilities
 on:
 schedule:
- - cron: '0 21 * * TUE' # Run every Tuesday at 21:00 (UTC)
+ - cron: '0 21 * * WED' # Run every Wednesday at 21:00 (UTC)
 push:
 tags:
 - 'v*.*.*' # Run when a new version is being published
From 08cbcb1d84b2569745062cf1f10e3672341535f4 Mon Sep 17 00:00:00 2001
From: Luni-4
Date: Fri, 1 Dec 2023 14:32:58 +0100
Subject: [PATCH 3/7] ci: Clarify action
---
 .github/workflows/dependencies.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index a66abb0f55..594f77d3de 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -21,6 +21,8 @@ jobs:
 uses: actions/checkout@v4
 - name: Audit Rust dependencies
+ # If a vulnerability is found, a new issue will automatically be opened
+ # since this action runs on main branch
 uses: actions-rust-lang/audit@v1
 - name: Detect multiple versions of the same crate
From 06f3a8fa4ed87d57a24a1efb6bd35c87632c04ce Mon Sep 17 00:00:00 2001
From: Luni-4
Date: Fri, 1 Dec 2023 14:38:03 +0100
Subject: [PATCH 4/7] ci: Move valgrind in a different file
---
 .github/workflows/valgrind.yml | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/valgrind.yml
diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
new file mode 100644
index 0000000000..fa3caa39c5
--- /dev/null
+++ b/.github/workflows/valgrind.yml
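Review bot: The new comment above `uses: actions-rust-lang/audit@v1` justifies issue creation with "since this action runs on main branch", but the same workflow is also triggered by the `push: tags: 'v*.*.*'` trigger touched in patch 1, so the stated reason does not match the triggers; whether an issue is opened is decided by the action's own inputs and the token's permissions, not by the branch. Opening issues also needs the job's `GITHUB_TOKEN` to carry `issues: write`, which this hunk does not show and which should be confirmed against the workflow's `permissions` block, if it has one. Suggested wording: `# On a finding the action opens a GitHub issue (needs issues: write on GITHUB_TOKEN);` followed by `# this workflow runs on the scheduled default-branch scan and on release tags.` The enclosing `jobs:` mapping starts outside the hunk.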
@@ -0,0 +1,35 @@
+name: valgrind
+
+on:
+ schedule:
+ - cron: '0 23 * * WED' # Run every Wednesday at 23:00 (UTC)
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ valgrind:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install llvmpipe and lavapipe
+ run: |
+ sudo apt-get update -y -qq
+ sudo add-apt-repository ppa:kisak/kisak-mesa -y
+ sudo apt-get update
+ sudo apt install -y libegl1-mesa libgl1-mesa-dri libxcb-xfixes0-dev mesa-vulkan-drivers
+
+ - name: Install valgrind
+ run: |
+ sudo apt-get install valgrind
+
+ - name: Run cargo-valgrind
+ env:
+ CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUNNER: "valgrind -s --leak-check=full --show-leak-kinds=all --error-exitcode=1"
+ # Looking for vulnerabilities
+ run: |
+ cargo test
From c2c862f2e5dedeafc9310e045acecbb4e833d296 Mon Sep 17 00:00:00 2001
From: Luni-4
Date: Fri, 1 Dec 2023 14:48:57 +0100
Subject: [PATCH 5/7] ci: Remove valgrind and update
---
 .github/workflows/vulnerabilities.yml | 25 -------------------------
 1 file changed, 25 deletions(-)
diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
index 11ace31273..1bfa0386e9 100644
--- a/.github/workflows/vulnerabilities.yml
+++ b/.github/workflows/vulnerabilities.yml
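Review bot: The `Install valgrind` step runs `sudo apt-get install valgrind` without `-y`, while the `Install llvmpipe and lavapipe` step above it passes `-y`; on a runner with no terminal apt-get stops at its confirmation prompt as soon as it has to pull in extra packages, so the step can fail before `cargo test` ever starts: `sudo apt-get install -y valgrind`. The `# Looking for vulnerabilities` comment on `Run cargo-valgrind` overstates what the step checks; valgrind reports memory errors and leaks, so `# Fail on any memory error or leak valgrind reports (--error-exitcode=1)` describes it accurately. `sudo add-apt-repository ppa:kisak/kisak-mesa -y` also adds an unpinned third-party package source to a workflow whose purpose is memory-safety assurance; if the stock Ubuntu mesa packages satisfy the tests, dropping the PPA removes that dependency.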
@@ -12,31 +12,6 @@ concurrency:
 cancel-in-progress: true
 jobs:
- valgrind:
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Install llvmpipe and lavapipe
- run: |
- sudo apt-get update -y -qq
- sudo add-apt-repository ppa:kisak/kisak-mesa -y
- sudo apt-get update
- sudo apt install -y libegl1-mesa libgl1-mesa-dri libxcb-xfixes0-dev mesa-vulkan-drivers
-
- - name: Install valgrind
- run: |
- sudo apt-get install valgrind
-
- - name: Run cargo-valgrind
- env:
- CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUNNER: "valgrind -s --leak-check=full --show-leak-kinds=all --error-exitcode=1"
- # Looking for vulnerabilities
- run: |
- cargo test
-
 cargo-careful:
 runs-on: ubuntu-latest
From 26bd3ca2844cdf59fcb0e84254f39f6b5792050e Mon Sep 17 00:00:00 2001
From: Luni-4
Date: Fri, 1 Dec 2023 15:56:17 +0100
Subject: [PATCH 6/7] ci: Add missing checkers
---
 .github/workflows/vulnerabilities.yml | 84 +++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
index 1bfa0386e9..257ce61e20 100644
--- a/.github/workflows/vulnerabilities.yml
+++ b/.github/workflows/vulnerabilities.yml
@@ -98,3 +98,87 @@ jobs:
 RUSTDOCFLAGS: -Zsanitizer=thread
 # Looking for data race among threads
 run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu -- --nocapture
+
+ control-flow-integrity-sanitizer:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Rust nightly
+ uses: dtolnay/rust-toolchain@nightly
+ with:
+ toolchain: nightly
+ components: rustfmt, rust-src
+
+ - name: Install llvmpipe and lavapipe
+ run: |
+ sudo apt-get update -y -qq
+ sudo add-apt-repository ppa:kisak/kisak-mesa -y
+ sudo apt-get update
+ sudo apt install -y libegl1-mesa libgl1-mesa-dri libxcb-xfixes0-dev mesa-vulkan-drivers
+
+ - name: Run ControlFlowIntegrity
+ env:
+ RUSTFLAGS: -Clinker-plugin-lto -Clinker=clang -Clink-arg=-fuse-ld=lld -Zsanitizer=cfi
+ # Forward-edge control flow protection for both Rust-compiled code only
+ # and for C or C++ and Rust -compiled code mixed-language binaries
+ #
+ # Checks certain forms of undefined behaviours that can potentially allow
+ # attackers to subvert the program’s control flow.
+ run: cargo test -Zbuild-std -Zbuild-std-features --release --target x86_64-unknown-linux-gnu -- --nocapture
+
+ memory-sanitizer:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Rust nightly
+ uses: dtolnay/rust-toolchain@nightly
+ with:
+ toolchain: nightly
+ components: rustfmt, rust-src
+
+ - name: Install llvmpipe and lavapipe
+ run: |
+ sudo apt-get update -y -qq
+ sudo add-apt-repository ppa:kisak/kisak-mesa -y
+ sudo apt-get update
+ sudo apt install -y libegl1-mesa libgl1-mesa-dri libxcb-xfixes0-dev mesa-vulkan-drivers
+
+ - name: Run MemorySanitizer
+ env:
+ RUSTFLAGS: -Zsanitizer=memory -Zsanitizer-memory-track-origins
+ RUSTDOCFLAGS: -Zsanitizer=memory -Zsanitizer-memory-track-origins
+ # Looking for unitialized memory.
+ run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu -- --nocapture
+
+ safe-stack:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Rust nightly
+ uses: dtolnay/rust-toolchain@nightly
+ with:
+ toolchain: nightly
+ components: rustfmt, rust-src
+
+ - name: Install llvmpipe and lavapipe
+ run: |
+ sudo apt-get update -y -qq
+ sudo add-apt-repository ppa:kisak/kisak-mesa -y
+ sudo apt-get update
+ sudo apt install -y libegl1-mesa libgl1-mesa-dri libxcb-xfixes0-dev mesa-vulkan-drivers
+
+ - name: Run SafeStack
+ env:
+ RUSTFLAGS: -Zsanitizer=safestack -Copt-level=3
+ RUSTDOCFLAGS: -Zsanitizer=safestack -Copt-level=3
+ # Provides backward edge control flow protection
+ run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu -- --nocapture
From df22f69546413eaf61d6ee45d197db1cf95dce1b Mon Sep 17 00:00:00 2001
From: Luni-4
Date: Fri, 1 Dec 2023 15:58:38 +0100
Subject: [PATCH 7/7] Update
---
 .github/workflows/vulnerabilities.yml | 34 ++-------------------------
 1 file changed, 2 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
index 257ce61e20..1f41f70e47 100644
--- a/.github/workflows/vulnerabilities.yml
+++ b/.github/workflows/vulnerabilities.yml
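Review bot: The three new jobs differ only in the job key, the `RUSTFLAGS`/`RUSTDOCFLAGS` values and the explanatory comment, while checkout, `Install Rust nightly` and `Install llvmpipe and lavapipe` are pasted three times; a `strategy.matrix` over the sanitizer name and its flags keeps the shared steps in one place and makes adding a sanitizer a two-line entry (the CFI job's different `cargo test` arguments would need their own matrix field or can stay a separate job). The `# Looking for unitialized memory.` comment on `Run MemorySanitizer` has a typo: `# Looking for reads of uninitialized memory.` The `rustfmt` component requested in each `Install Rust nightly` step is not used by any step in the hunk; `rust-src` is the one `-Zbuild-std` needs. The enclosing `jobs:` mapping starts outside the hunk.
```yaml
  sanitizers:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false  # separate jobs today do not cancel each other; keep that
      matrix:
        include:
          - name: MemorySanitizer
            rustflags: -Zsanitizer=memory -Zsanitizer-memory-track-origins
          - name: SafeStack
            rustflags: -Zsanitizer=safestack -Copt-level=3
    steps:
      # … unchanged: checkout, Install Rust nightly, Install llvmpipe and lavapipe …
      - name: Run ${{ matrix.name }}
        env:
          RUSTFLAGS: ${{ matrix.rustflags }}
          RUSTDOCFLAGS: ${{ matrix.rustflags }}
        run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu -- --nocapture
```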
@@ -99,36 +99,6 @@ jobs:
 # Looking for data race among threads
 run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu -- --nocapture
- control-flow-integrity-sanitizer:
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Install Rust nightly
- uses: dtolnay/rust-toolchain@nightly
- with:
- toolchain: nightly
- components: rustfmt, rust-src
-
- - name: Install llvmpipe and lavapipe
- run: |
- sudo apt-get update -y -qq
- sudo add-apt-repository ppa:kisak/kisak-mesa -y
- sudo apt-get update
- sudo apt install -y libegl1-mesa libgl1-mesa-dri libxcb-xfixes0-dev mesa-vulkan-drivers
-
- - name: Run ControlFlowIntegrity
- env:
- RUSTFLAGS: -Clinker-plugin-lto -Clinker=clang -Clink-arg=-fuse-ld=lld -Zsanitizer=cfi
- # Forward-edge control flow protection for both Rust-compiled code only
- # and for C or C++ and Rust -compiled code mixed-language binaries
- #
- # Checks certain forms of undefined behaviours that can potentially allow
- # attackers to subvert the program’s control flow.
- run: cargo test -Zbuild-std -Zbuild-std-features --release --target x86_64-unknown-linux-gnu -- --nocapture
-
 memory-sanitizer:
 runs-on: ubuntu-latest
@@ -151,7 +121,7 @@ jobs:
 - name: Run MemorySanitizer
 env:
- RUSTFLAGS: -Zsanitizer=memory -Zsanitizer-memory-track-origins
+ RUSTFLAGS: -Zsanitizer=memory -Zsanitizer-memory-track-origins -Copt-level=3
 RUSTDOCFLAGS: -Zsanitizer=memory -Zsanitizer-memory-track-origins
 # Looking for unitialized memory.
 run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu -- --nocapture
@@ -179,6 +149,6 @@ jobs:
 - name: Run SafeStack
 env:
 RUSTFLAGS: -Zsanitizer=safestack -Copt-level=3
- RUSTDOCFLAGS: -Zsanitizer=safestack -Copt-level=3
+ RUSTDOCFLAGS: -Zsanitizer=safestack
 # Provides backward edge control flow protection
 run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu -- --nocapture
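Review bot: After the `@@ -151` and `@@ -179` hunks, `RUSTFLAGS` carries `-Copt-level=3` and `RUSTDOCFLAGS` does not, for both `Run MemorySanitizer` and `Run SafeStack`, and the commit message "Update" records no reason for the split; the next reader is likely to re-align the two variables and undo it. A one-line comment next to each `env:` block, such as `# -Copt-level=3 applies to the crate/test build only; rustdoc stays at its default level (<reason placeholder>)`, with the reason filled in, would preserve the intent. The enclosing `jobs:` mapping and the two jobs' headers start outside these hunks.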