Sail security demo #234
seems broken on a fresh checkout. Let me look further
```typescript
{
  type: "WCP3Handshake",
  meta: {
    connectionAttemptUuid: messageData.meta.connectionAttemptUuid,
    timestamp: new Date(),
  },
  payload: {
    fdc3Version: "2.2",
    intentResolverUrl,
    channelSelectorUrl,
  },
} as BrowserTypes.WebConnectionProtocol3Handshake,
```
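The handshake object above is sent between windows, and the commit list for this PR mentions a CodeQL finding about cross-window communication with an unrestricted target origin. As an added example (not code from this PR or from fdc3-security), the following shows the defensive pattern: the desktop agent posts the handshake only to the app's own origin, and the app accepts it only from the desktop agent's origin and for the connection attempt it started. The names `appUrl`, `daOrigin` and the fake window are assumptions made for this example.

```javascript
// Added example, not code from the FDC3 Sail PR. A WCP3Handshake posted with
// targetOrigin "*" is delivered to whatever document currently occupies the
// target window; posting to one explicit origin and checking event.origin on
// receipt closes that gap. appUrl, daOrigin and the fake window are assumptions.

// The only origin the handshake may be delivered to, derived from the app's
// registered URL. Refuses opaque origins instead of falling back to "*".
function handshakeTargetOrigin(appUrl) {
  const origin = new URL(appUrl).origin;
  if (origin === "null") throw new Error("opaque origin; refusing to post handshake");
  return origin;
}

// Same message shape as the snippet above.
function buildHandshake(connectionAttemptUuid, intentResolverUrl, channelSelectorUrl) {
  return {
    type: "WCP3Handshake",
    meta: { connectionAttemptUuid, timestamp: new Date() },
    payload: { fdc3Version: "2.2", intentResolverUrl, channelSelectorUrl },
  };
}

// Desktop-agent side: post to a window-like object with an explicit target origin.
function sendHandshake(targetWindow, appUrl, message) {
  const targetOrigin = handshakeTargetOrigin(appUrl);
  targetWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// App side: accept the handshake only from the desktop agent's origin and only
// for the connection attempt this app actually started.
function acceptHandshake(event, daOrigin, expectedUuid) {
  if (event.origin !== daOrigin) return null;
  const msg = event.data;
  if (!msg || msg.type !== "WCP3Handshake") return null;
  if (!msg.meta || msg.meta.connectionAttemptUuid !== expectedUuid) return null;
  return msg.payload;
}

// Constructed demo with a fake window that records what was posted.
function demo() {
  const posted = [];
  const fakeWindow = { postMessage: (m, o) => posted.push({ m, o }) };
  const daOrigin = "https://sail.example"; // constructed value
  const uuid = "attempt-0001"; // constructed value
  const msg = buildHandshake(uuid, `${daOrigin}/intent-resolver`, `${daOrigin}/channel-selector`);
  const targetOrigin = sendHandshake(fakeWindow, "https://app.example:8443/index.html?x=1", msg);
  const accepted = acceptHandshake({ origin: daOrigin, data: posted[0].m }, daOrigin, uuid);
  const spoofed = acceptHandshake({ origin: "https://other.example", data: posted[0].m }, daOrigin, uuid);
  return { targetOrigin, postedTo: posted[0].o, accepted, spoofed };
}
```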
…cation with unrestricted target origin' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@SeeWhatsOn Since we last looked at this:
Can we merge? thx
Yeah let's get this pulled in and merged. I'm reviewing now.
SeeWhatsOn
left a comment
I realise that the formatting and CVEs are adding a lot of file changes! That's on me for updating the linting and adding more checks in main and not yet fixing.
For now I think it's big but fine to push through.
I want to add two tickets for near-term changes:
- I see the apps have:
  "@robmoffat/fdc3": "2.2.2-beta.3",
  "@robmoffat/fdc3-security": "3.0.0-alpha.5",
  Just to confirm that these apps are to be moved out in the near future into the FDC3 repo. I just want to make sure it's noted so we update these npm packages when they change to official packages.
- The other one is to move back to the CI value in the CI github action workflow. I know it's strict but it's needed to make sure we don't have package mismatches etc.
Apart from that all looks good.
* Sail security demo (finos#234)
  * Fixing build, creating fdc3-example-apps folder
  * Fixed example-apps running
  * Moved all apps to separate folder and updated them to work
  * Fixed all the icons
  * Removed old app directories
  * Fixing imports
  * Created signing sender and receiver
  * Tidying up ports, icons
  * Old Security Demo now working
  * Removed jwt send to app2
  * Fixed icon locations, using published fdc3-security.
  * Reinstated app directories. Set default app directories correctly
  * Converted to temporary group for fdc3-example-apps until the 2.2.2 release occurs
  * Converted properly to @robmoffat ns
  * Added copilot rate limit suggestion
  * Moved directory files into fdc3-example-apps
  * removed old package lock
  * no package lock in electron
  * relaxing build requirement a bit to avoid failures
  * Ran prettier
  * Potential fix for pull request finding 'CodeQL / Cross-window communication with unrestricted target origin'
    Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
  * prettier fix
  * fix for lodash cve
  * Update index.html to use HTML5 doctype and add language attribute
  * Update vite to version 6.4.2 to fix CVE
  ---------
  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
  Co-authored-by: SeeWhatsOn <cwatson1988@gmail.com>
* Update README.md to enhance badge display and improve alignment (finos#239)
  * Update README.md to enhance badge display and improve alignment
    - Replaced HTML paragraph tags with a div for better alignment of badges.
    - Updated badge links to reflect the correct project and added a Semgrep badge for CI integration.
  * Update README.md to improve badge organization and add new badges
    - Corrected the closing tag for the main header.
    - Added new badges for GitHub Release, Repo stars, CI, and Node.js CVE scanning.
    - Enhanced the layout with divs for better alignment and readability.
* Add osps-baseline-action (finos#267)
  ### OSPS-Baseline Integration & Workflow Enhancements
  #### Documentation & UI
  * **README Improvements:** Enhanced badge display and alignment by replacing HTML paragraph tags with div containers.
  * **New Badges:** Added badges for GitHub Release, Repo stars, CI status, Semgrep integration, and Node.js CVE scanning.
  #### OSPS Security Assessment Workflow
  * **New Workflow:** Introduced a GitHub Actions workflow for Open Source Project Security Assessment (OSPS).
  * **Schedule:** Runs weekly (Mondays at 9 AM UTC) and supports manual triggers.
  * **Artifacts:** Configured to upload assessment results with a 30-day retention period.
  * **Refactor & Fixes:**
    * Standardized catalog name to osps-baseline.
    * Corrected upload-sarif values to string format.
    * Enabled/configured building the OSPS scanner from source.
  #### Maintenance & Versioning
  * **GitHub Actions Updates:**
    * Updated actions/checkout to **v6.0.0**.
    * Updated actions/upload-artifact to **v7.0.0**.
  * **OSPS Tooling Updates:**
    * Iteratively updated osps-baseline-action to **v1.3.2**.
    * Updated scanner-source-ref through multiple versions, concluding at **v0.22.1**.
    * Migrated OSPS action to use a new repository and specific commit pins for improved stability.
  * Update GitHub workflows to enhance permissions and improve security practices
    - Added permissions for `contents`, `actions`, and `security-events` in multiple workflow files to ensure proper access levels.
    - Updated `ci.yml`, `cve-scanning.yml`, `OSPS.yml`, `ql.yml`, and `semgrep.yml` to reflect these changes, promoting better security and functionality across workflows.
  * Update GitHub workflows to pin specific action versions for stability and consistency
    - Changed `actions/checkout` to a specific commit version across multiple workflow files for improved reliability.
    - Updated `actions/setup-node`, `actions/setup-python`, and `github/codeql-action` to specific commit versions to ensure compatibility and enhance security practices.
    - These updates aim to standardize the workflow configurations and reduce potential issues with action updates.
  * Add lint-staged configuration and update pre-commit hook for improved code quality checks
    - Introduced a new `lint-staged.config.mjs` file to define formatting and linting rules for various file types.
    - Updated `package.json` to include `vitest` as a dependency.
    - Modified the pre-commit hook to run `lint-staged` with the `--concurrent false` option for better performance during commits.
  * Update package dependencies and enhance CI configuration with fuzzy testing
    - Added `vitest` as a dependency in `package.json` and `package-lock.json` for testing purposes.
    - Updated CI workflow to include a new job for running property tests on the common package.
    - Introduced a `test` script in the common package's `package.json` to facilitate testing with `vitest`.
    - Created a new configuration file for `vitest` to define testing environment and include test files.
    - Implemented a new utility function `normalizeIdentityUrl` and corresponding tests to ensure proper URL normalization.
  * Refactor CI workflow to simplify test execution
    - Changed the job name from "Property tests (common)" to "Test" for clarity.
    - Updated the test command to run all tests instead of targeting a specific package, streamlining the testing process.
  * Update package-lock.json to reflect dependency upgrades and removals
    - Upgraded `brace-expansion` to version 2.1.0 across multiple modules.
    - Updated `picomatch` to version 4.0.4 in relevant modules.
    - Upgraded `minimatch` to version 9.0.9 in the TypeScript ESLint module.
    - Updated `axios` to version 1.15.2 and its dependencies for improved functionality.
    - Upgraded `basic-ftp` to version 5.3.0.
    - Updated `body-parser` to version 1.20.5 and its dependencies for better performance.
    - Removed outdated `minimatch` entries from the lock file to streamline dependencies.
    These changes enhance the project's dependency management and ensure compatibility with the latest versions.
  * Update GitHub workflows for consistency and formatting
    - Ensured consistent formatting in the cve-scanning.yml file by removing an unnecessary space in the setup-node action version.
    - Added a newline at the end of the OSPS.yml file to adhere to best practices for file formatting.
    These changes improve the readability and maintainability of the workflow files.
  * Enhance README with meeting details for FDC3 Sail
    - Added links for joining and registering for FDC3 Sail meetings to improve accessibility for participants.
    - Updated formatting for clarity and consistency in the meeting section.
    These changes aim to facilitate community engagement and streamline meeting participation.
  ---------
  Co-authored-by: Rob Moffat <rob.moffat@finos.org>
  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This pull request introduces updates to the monorepo's workspace and build tooling to support a new structure for example apps. The most significant changes are the addition of a dedicated build script for example apps, and enhancements to the root project configuration for improved development workflow.
Monorepo tooling and workspace improvements:
`package.json` to add the new `packages/fdc3-example-apps` workspace, new scripts for running and building example apps, and additional dependencies for development and build tooling (such as `vite`, `tsx`, `nodemon`, `pino`, and `vite-express`). The `start` script now launches the example apps alongside the main web and electron apps for easier parallel development.

New Security Demo Apps
As well as adding the IDP / Price Request / Response apps from OSFF New York, adds several new demo apps which show broadcasting and receiving encrypted or signed contexts.
In order to see the full list, you'll probably need to recreate client state. In the browser do:
So that it reloads the default app directory list.
Use of @robmoffat/fdc3-security
This is a `3.0.0-alpha.1` release of `fdc3-security` for the purposes of the demonstration. This code is designed to work backwards-compatibly with FDC3 2.0 (including FDC3-Sail). Which is nice.

Still To Do
I can't really deploy this onto sail.fdc3.finos.org. All these apps are likely to keep crashing and perhaps bring down the server. It may work, but since they're also all on different ports, there's probably a bunch of AWS stuff that'll need to be set up.