UltrafastSecp256k1

Miradi inayofuata mazoea bora hapa chini inaweza kujihakikisha kwa hiari na kuonyesha kuwa wamepata nishani ya mazoea bora ya Open Source Security Foundation (OpenSSF).

Hakuna seti ya mazoea yawezayo kuhakikisha kuwa programu haitakuwa na kasoro au udhaifu; hata mbinu rasmi zinaweza kushindwa ikiwa vipimo au dhana ni sahihi. Wala hakuna seti ya mazoea yawezayo kuhakikisha kuwa mradi utaendelea kuwa na jamii ya maendeleo yenye afya na inayofanya kazi vizuri. Hata hivyo, kufuata mazoea bora kunaweza kusaidia kuboresha matokeo ya miradi. Kwa mfano, baadhi ya mazoea huwezesha ukaguzi wa watu wengi kabla ya kutolewa, ambayo inaweza kusaidia kupata udhaifu wa kiufundi ambao vinginevyo ni vigumu kupata na kusaidia kujenga uaminifu na hamu ya mwingiliano wa kurudia kati ya wasanidi programu kutoka makampuni tofauti. Ili kupata nishani, vigezo vyote vya LAZIMA na LAZIMA WALA USIWAHI lazima vifuatwe, vigezo vyote vya INAPASWA lazima vifuatwe AU visivyo fufufutiliana na thibitisho, na vigezo vyote vya PENDEKEZA lazima vifuatwe AU visivyo fufufutiliana (tunataka vifikiwe angalau). Ikiwa unataka kuingiza maandishi ya thibitisho kama maoni ya jumla, badala ya kuwa maelezo ya busara kwamba hali ni inakubaliwa, anza kifungu cha maandishi na '//' ikifuatiwa na nafasi. Maoni ni karibu kupitia tovuti ya GitHub kama masuala au maombi ya kuvuta Kuna pia orodha ya barua pepe kwa majadiliano ya jumla.

Tunafuraha kutoa habari katika lugha nyingi, hata hivyo, ikiwa kuna mgongano au kutokuwa na usawa kati ya tafsiri, toleo la Kiingereza ni toleo lenye mamlaka.
Ikiwa huu ni mradi wako, tafadhali onyesha hadhi ya nishani yako kwenye ukurasa wa mradi wako! Hadhi ya nishani inaonekana kama hii: Kiwango cha nishani kwa mradi 12011 ni silver Hapa ni jinsi ya kuiweka:
Unaweza kuonyesha hali ya nishani yako kwa kuweka hii katika faili yako ya markdown:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12011/badge)](https://www.bestpractices.dev/projects/12011)
au kwa kuweka hii katika HTML yako:
<a href="https://www.bestpractices.dev/projects/12011"><img src="https://www.bestpractices.dev/projects/12011/badge"></a>


Hizi ni vigezo vya kiwango cha Fedha. Unaweza pia kuangalia vigezo vya kiwango cha Kupita au Dhahabu.

Baseline Series: Kiwango cha Msingi 1 Kiwango cha Msingi 2 Kiwango cha Msingi 3

        

 Misingi 17/17

  • Jumla

    Kumbuka kwamba miradi mingine inaweza kutumia jina sawa.

    Ultra high-performance secp256k1 ECC library | C++20 | CUDA, Metal, OpenCL, ROCm, WASM | Apple Silicon M1-M4 | 15+ platforms | Branchless, allocation-free hot paths

    Tafadhali tumia muundo wa maneno ya leseni ya SPDX; mifano ni pamoja na "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", na "(BSD-2-Clause OR Ruby)". Usitumie alama za nukuu za moja au mbili.
    Ikiwa kuna lugha zaidi ya moja, ziorodhe kama thamani zilizotengwa kwa koma (nafasi ni za hiari) na ziorodhe kuanzia iliyotumiwa zaidi hadi iliyotumiwa kidogo. Ikiwa kuna orodha ndefu, tafadhali orodhesha angalau tatu za kawaida zaidi. Ikiwa hakuna lugha (k.m., huu ni mradi wa nyaraka tu au wa majaribio tu), tumia herufi moja "-". Tafadhali tumia herufi kubwa za kawaida kwa kila lugha, k.m., "JavaScript".
    Common Platform Enumeration (CPE) ni mpango wa kuweka majina yenye muundo kwa mifumo ya teknolojia ya habari, programu, na vifurushi. Inatumika katika mifumo na hifadhidata nyingi wakati wa kuripoti udhaifu.

  • Mahitaji ya awali


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufikie nishani ya kiwango cha kuhitimu. [achieve_passing]

  • Maudhui ya kimsingi ya tovuti ya mradi


    Ya kutosha kwa nishani!

    Habari juu ya jinsi ya kuchangia LAZIMA ijumuishe mahitaji ya michango inayokubalika (k.m., rejea kwa kiwango chochote kinachohitajika cha msimbo). (URL inahitajika) [contribution_requirements]

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CONTRIBUTING.md


  • Usimamizi wa mradi


    Ya kutosha kwa nishani!

    Mradi UNAPASWA kuwa na utaratibu wa kisheria ambapo wasanidi wote wa kiasi kisicho kidogo cha programu ya mradi wanathibitisha kwamba wameruhusiwa kisheria kufanya michango hii. Mbinu ya kawaida na rahisi ya kutekeleza hii ni kwa kutumia Cheti cha Msanidi cha Asili (DCO), ambapo watumiaji huongeza "signed-off-by" katika ahadi zao na mradi unaunganisha kwenye tovuti ya DCO. Hata hivyo, hii YAWEZA kutekelezwa kama Makubaliano ya Leseni ya Mchangiaji (CLA), au utaratibu mwingine wa kisheria. (URL inahitajika) [dco]
    DCO ni utaratibu unaopendekeza kwa sababu ni rahisi kutekeleza, kufuatilia katika msimbo wa chanzo, na git inasaidia moja kwa moja kipengele cha "signed-off" kwa kutumia "commit -s". Ili kuwa na ufanisi zaidi ni bora ikiwa nyaraka za mradi zinaeleza maana ya "signed-off" kwa mradi huo. CLA ni makubaliano ya kisheria yanayofafanua masharti ambayo kazi za kiakili zimetolewa leseni kwa shirika au mradi. Makubaliano ya mgawo wa mchangiaji (CAA) ni makubaliano ya kisheria yanayohamisha haki katika kazi ya kiakili kwa chama kingine; miradi haihitajiki kuwa na CAA, kwa kuwa kuwa na CAA huongeza hatari kwamba wachangiaji watarajiwa hawatachangia, hasa ikiwa mpokeaji ni shirika la faida. Apache Software Foundation CLAs (leseni ya mchangiaji wa mtu binafsi na CLA ya kampuni) ni mifano ya CLA, kwa miradi ambayo inaamua kwamba hatari za aina hizi za CLA kwa mradi ni chini ya manufaa yao.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CONTRIBUTING.md#-developer-certificate-of-origin-dco


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue kwa uwazi na kuandika muundo wake wa utawala wa mradi (njia ya kufanya maamuzi, ikiwa ni pamoja na majukumu muhimu). (URL inahitajika) [governance]
    Kunahitaji kuwa na njia fulani iliyowekwa vyema ya kuandikwa ya kufanya maamuzi na kutatua migogoro. Katika miradi midogo, hii inaweza kuwa rahisi kama "mmiliki wa mradi na kiongozi hufanya maamuzi yote ya mwisho". Kuna miundo mbalimbali ya utawala, ikiwa ni pamoja na dictator wa wema na meritocracy rasmi; kwa maelezo zaidi, angalia Miundo ya utawala. Mbinu zote mbili za kati (k.m., mtunzaji mmoja) na zisizo za kati (k.m., watunzaji wa kikundi) zimetumika kwa mafanikio katika miradi. Habari za utawala hazihitajiki kuandika uwezekano wa kuunda uma wa mradi, kwa kuwa hiyo ni iwezekanavyo kila wakati kwa miradi ya FLOSS.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/GOVERNANCE.md


    Ya kutosha kwa nishani!

    Mradi LAZIMA upitishe kanuni ya mwenendo na kuiweka mahali pa kawaida. (URL inahitajika) [code_of_conduct]
    Miradi inaweza kuweza kuboresha uadilifu wa jamii yao na kuweka matarajio kuhusu tabia inayokubalika kwa kupitisha kanuni ya mwenendo. Hii inaweza kusaidia kuepuka matatizo kabla hayajatokea na kufanya mradi kuwa mahali pa kukaribishwa zaidi ili kuhimiza michango. Hii inapaswa kuzingatia tu tabia ndani ya jamii/mahali pa kazi pa mradi. Mifano ya kanuni za mwenendo ni kanuni ya mwenendo ya kernel ya Linux, Kanuni ya Mwenendo ya Agano la Mchangiaji, Kanuni ya Mwenendo ya Debian, Kanuni ya Mwenendo ya Ubuntu, Kanuni ya Mwenendo ya Fedora, Kanuni ya Mwenendo ya GNOME, Kanuni ya Mwenendo ya Jamii ya KDE, Kanuni ya Mwenendo ya Jamii ya Python, Mwongozo wa Mwenendo wa Jamii ya Ruby, na Kanuni ya Mwenendo ya Rust.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CODE_OF_CONDUCT.md


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue kwa uwazi na kuandika hadharani majukumu muhimu katika mradi na wajibu wao, ikiwa ni pamoja na kazi zozote ambazo majukumu hayo lazima yafanywe. Lazima iwe wazi ni nani ana jukumu lipi, ingawa hii haiwezi kuandikwa kwa njia ile ile. (URL inahitajika) [roles_responsibilities]
    Nyaraka kwa utawala na majukumu na wajibu zinaweza kuwa mahali pamoja.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/GOVERNANCE.md


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweze kuendelea kwa usumbufu mdogo ikiwa mtu yeyote anakufa, anakuwa katika hali ya kudhoofika, au vinginevyo hawezi au hataki kuendelea kusaidia mradi. Hasa, mradi LAZIMA uweze kuunda na kufunga masuala, kukubali mabadiliko yaliyopendekezwa, na kutoa matoleo ya programu, ndani ya wiki moja ya uthibitishaji wa upotevu wa msaada kutoka kwa mtu yeyote mmoja. Hii INAWEZA kufanywa kwa kuhakikisha mtu mwingine ana funguo zozote zinazohitajika, nywila, na haki za kisheria ili kuendelea mradi. Watu binafsi wanaoendesha mradi wa FLOSS WANAWEZA kufanya hii kwa kuweka funguo katika sanduku la kufungia na wosia unaowezesha haki zozote zinazohitajika za kisheria (k.m., kwa majina ya DNS). (URL inahitajika) [access_continuity]

    https://github.com/shrec/UltrafastSecp256k1/blob/main/GOVERNANCE.md#continuity-plan-bus-factor


    Ya kutosha kwa nishani!

    Mradi INAPASWA kuwa na "bus factor" ya 2 au zaidi. (URL inahitajika) [bus_factor]
    "Bus factor" (pia inajulikana kama "truck factor") ni idadi ya chini ya washiriki wa mradi ambao wanapaswa kutoweka ghafla kutoka kwenye mradi ("kupigwa na basi") kabla ya mradi kusimama kwa sababu ya ukosefu wa wafanyakazi wenye elimu au wenye uwezo. Zana ya truck-factor inaweza kukadiria hii kwa miradi kwenye GitHub. Kwa maelezo zaidi, angalia Kutathmini Bus Factor ya Hifadhi za Git na Cosentino et al.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/GOVERNANCE.md#continuity-plan-bus-factor


  • Nyaraka


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na ramani ya barabara iliyoandikwa inayoeleza kile mradi unakusudia kufanya na kutofanya kwa angalau mwaka unaofuata. (URL inahitajika) [documentation_roadmap]
    Mradi huenda usitimiza ramani ya barabara, na hiyo ni sawa; kusudi la ramani ya barabara ni kusaidia watumiaji na wachangiaji watarajiwa kuelewa mwelekeo unaokusudiwa wa mradi. Haihitaji kuwa na maelezo mengi.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/ROADMAP.md


    Ya kutosha kwa nishani!

    Mradi LAZIMA ujumuishe nyaraka za muundo (pia inajulikana kama muundo wa kiwango cha juu) wa programu inayozalishwa na mradi. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). (URL inahitajika) [documentation_architecture]
    Muundo wa programu unaeleza miundo ya msingi ya programu, yaani, vipengele vikuu vya programu, uhusiano kati yao, na mali muhimu za vipengele na uhusiano hivi.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/docs/ARCHITECTURE.md


    Ya kutosha kwa nishani!

    Mradi LAZIMA uandike kile mtumiaji anaweza na asiweze kutarajia kwa suala la usalama kutoka kwa programu inayozalishwa na mradi ("mahitaji yake ya usalama"). (URL inahitajika) [documentation_security]
    Haya ni mahitaji ya usalama ambayo programu inakusudiwa kukidhi.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/SECURITY.md


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe mwongozo wa "kuanza haraka" kwa watumiaji wapya kuwasaidia kufanya kitu haraka na programu. (URL inahitajika) [documentation_quick_start]
    Wazo ni kuonyesha watumiaji jinsi ya kuanza na kufanya programu ifanye chochote. Hii ni muhimu sana kwa watumiaji watarajiwa kuanza.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/README.md#installation


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufanye jitihada ya kuweka nyaraka kulingana na toleo la sasa la matokeo ya mradi (ikiwa ni pamoja na programu inayozalishwa na mradi). Kasoro yoyote inayojulikana ya nyaraka inayofanya isilingane LAZIMA irekebishwe. Ikiwa nyaraka kwa ujumla ni za sasa, lakini kwa makosa inajumuisha baadhi ya maelezo ya zamani ambayo sio ya kweli tena, ichukue tu kama kasoro, kisha ifuatilie na urekebishe kama kawaida. [documentation_current]
    Nyaraka ZINAWEZA kujumuisha habari kuhusu tofauti au mabadiliko kati ya matoleo ya programu na/au kuunganisha kwa matoleo ya zamani ya nyaraka. Kusudi la kigezo hiki ni kwamba jitihada inafanywa ili kuweka nyaraka kulingana, siyo kwamba nyaraka lazima ziwe kamili.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CHANGELOG.md


    Ya kutosha kwa nishani!

    Ukurasa wa mbele wa hifadhi ya mradi na/au tovuti LAZIMA utambulishe na kuunganisha kiungo kwa mafanikio yoyote, ikiwa ni pamoja na nishani hii ya mazoea bora, ndani ya masaa 48 ya kutambua hadharani kwamba ufanikio umepatikana. (URL inahitajika) [documentation_achievements]
    Ufanikio ni seti yoyote ya vigezo vya nje ambavyo mradi umefanya kazi mahususi kukidhi, ikiwa ni pamoja na nishani fulani. Habari hii haihitaji kuwa kwenye ukurasa wa mbele wa tovuti ya mradi. Mradi unaotumia GitHub unaweza kuweka mafanikio kwenye ukurasa wa mbele wa hifadhi kwa kuyaongeza kwenye faili ya README.

    https://github.com/shrec/UltrafastSecp256k1#readme


  • Ufikiaji na kimataifa


    Ya kutosha kwa nishani!

    Mradi (tovuti zote za mradi na matokeo ya mradi) INAPASWA kufuata mazoea bora ya ufikiaji ili watu wenye ulemavu bado waweze kushiriki katika mradi na kutumia matokeo ya mradi ambapo ni busara kufanya hivyo. [accessibility_best_practices]
    Kwa programu za wavuti, angalia Miongozo ya Ufikiaji wa Maudhui ya Wavuti (WCAG 2.0) na hati yake inayosaidia Kuelewa WCAG 2.0; angalia pia habari za ufikiaji za W3C. Kwa programu za GUI, zingatia kutumia miongozo ya ufikiaji ya mazingira maalum (kama vile Gnome, KDE, XFCE, Android, iOS, Mac, na Windows). Baadhi ya programu za TUI (k.m., programu za `ncurses`) zinaweza kufanya mambo fulani ili kuzifanya kufikika zaidi (kama mpangilio wa `force-arrow-cursor` wa `alpine`). Programu nyingi za mstari wa amri zinafikika vizuri kama zilivyo. Kigezo hiki mara nyingi ni N/A, k.m., kwa maktaba za programu. Hapa kuna baadhi ya mifano ya hatua za kuchukua au masuala ya kuzingatia:
    • Toa mbadala za maandishi kwa maudhui yoyote yasiyo ya maandishi ili yaweze kubadilishwa kuwa aina nyingine watu wanahitaji, kama vile chapa kubwa, braille, hotuba, alama au lugha rahisi zaidi ( mwongozo wa WCAG 2.0 1.1)
    • Rangi haitumiwi kama njia pekee ya kuona ya kuwasilisha habari, kuashiria kitendo, kuchochea jibu, au kutofautisha kipengele cha kuona. ( mwongozo wa WCAG 2.0 1.4.1)
    • Uwasilishaji wa kuona wa maandishi na picha za maandishi una uwiano wa tofauti wa angalau 4.5:1, isipokuwa kwa maandishi makubwa, maandishi ya bahati mbaya, na nembo ( mwongozo wa WCAG 2.0 1.4.3)
    • Fanya kazi zote zipatikane kutoka kwenye kibodi (mwongozo wa WCAG 2.1)
    • Mradi wa GUI au wa wavuti INAPASWA kupima na angalau kipaza sauti kimoja cha skrini kwenye jukwaa la lengo (k.m., NVDA, Jaws, au WindowEyes kwenye Windows; VoiceOver kwenye Mac & iOS; Orca kwenye Linux/BSD; TalkBack kwenye Android). Programu za TUI ZINAWEZA kufanya kazi kupunguza uchanganyiko wa ziada ili kuzuia usomaji wa ziada na vipaza sauti vya skrini.

    UltrafastSecp256k1 is a C++ program library (no GUI, no web application, no TUI). It produces command-line tools and a linkable library. Command-line applications are inherently accessible to screen readers. The project's GitHub Pages documentation site uses standard GitHub-rendered Markdown, which inherits GitHub's WCAG-compliant accessibility features.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA kuwa kimataifa ili kuwezesha upatanifu wa lugha wa rahisi kwa utamaduni, eneo, au lugha ya hadhira lengo. Ikiwa kimataifa (i18n) haihusiki (k.m., programu haizalishi maandishi yanayokusudiwa kwa watumiaji wa mwisho na haipangi maandishi yanayosomeka na binadamu), chagua "haihusiki" (N/A). [internationalization]
    Upatanifu wa lugha "unarejelea upatanifu wa bidhaa, programu au maudhui ya hati ili kukidhi lugha, utamaduni na mahitaji mengine ya soko mahususi la lengo (eneo)." Kimataifa ni "muundo na maendeleo ya bidhaa, programu au maudhui ya hati ambayo huwezesha upatanifu wa lugha wa rahisi kwa hadhira lengo zinazotofautiana katika utamaduni, eneo, au lugha." (Ona "Upatanifu wa Lugha dhidi ya Kimataifa" ya W3C.) Programu inakidhi kigezo hiki kwa kuwa kimataifa tu. Hakuna upatanifu wa lugha kwa lugha nyingine mahususi unaohitajika, kwa kuwa mara tu programu imekuwa kimataifa inawezekana kwa wengine kufanya kazi kwenye upatanifu wa lugha.

    UltrafastSecp256k1 is a low-level C++ cryptographic library that performs elliptic curve arithmetic (field operations, point multiplication, ECDSA signing/verification, Schnorr signatures). It does not generate human-readable text for end-users, does not have a GUI or web interface, does not sort or display locale-sensitive strings, and produces only binary/hexadecimal cryptographic outputs. Internationalization does not apply to this type of software.


  • Mengine


    Ya kutosha kwa nishani!

    Ikiwa tovuti za mradi (tovuti, hifadhi, na URL za kupakua) zinahifadhi nywila kwa ajili ya uthibitishaji wa watumiaji wa nje, nywila LAZIMA zihifadhiwe kama mificho iliyorudiwa na chumvi kwa-mtumiaji kwa kutumia kanuni ya upanuaji (iliyorudiarudia) wa funguo (k.m., Argon2id, Bcrypt, Scrypt, au PBKDF2). Ikiwa tovuti za mradi hazihifadhi nywila kwa kusudi hili, chagua "haihusiki" (N/A). [sites_password_security]
    Kumbuka kwamba matumizi ya GitHub yanakidhi kigezo hiki. Kigezo hiki kinatumika tu kwa nywila zinazotumika kwa ajili ya uthibitishaji wa watumiaji wa nje kwenye tovuti za mradi (pia inaitwa uthibitishaji wa ndani). Ikiwa tovuti za mradi lazima ziingie kwenye tovuti zingine (pia inaitwa uthibitishaji wa nje), zinaweza kuhitaji kuhifadhi ishara za uidhinishaji kwa kusudi hilo kwa njia tofauti (kwa kuwa kuhifadhi mficho hakuna maana). Hii inatumia kigezo cha crypto_password_storage kwa tovuti za mradi, sawa na sites_https.

    UltrafastSecp256k1 is hosted on GitHub (github.com/shrec/UltrafastSecp256k1). The project does not operate its own website or authentication system. All user authentication is handled by GitHub, which stores passwords using industry-standard iterated hashing with per-user salts. The project itself does not store any user passwords


 Udhibiti wa Mabadiliko 1/1

  • Matoleo ya awali


    Ya kutosha kwa nishani!

    Mradi LAZIMA utunze matoleo ya zamani yaliyotumika mara nyingi ya bidhaa au kutoa njia ya usasishaji kwa matoleo mapya. Ikiwa njia ya usasishaji ni ngumu, mradi LAZIMA uandike jinsi ya kufanya usasishaji (k.m., violesura vilivyobadilika na hatua zilizoanishwa kwa undani ili kusaidia usasishaji). [maintenance_or_update]

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CHANGELOG.md


 Kuripoti 3/3

  • Mchakato wa kuripoti hitilafu


    Ya kutosha kwa nishani!

    Mradi LAZIMA utumie kifuatiliaji cha masuala kwa ajili ya kufuatilia masuala ya mtu binafsi. [report_tracker]

    https://github.com/shrec/UltrafastSecp256k1/issues
    The project uses GitHub Issues as its issue tracker. All bug reports, feature requests, and tasks are tracked as individual issues with labels, milestones, and assignees. The issue tracker is publicly accessible and referenced in CONTRIBUTING.md as the standard reporting mechanism.


  • Mchakato wa kuripoti udhaifu


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe sifa kwa waripoti wa ripoti zote za udhaifu zilizotatuliwa katika miezi 12 iliyopita, isipokuwa kwa waripoti wanaoomba kutojulikana. Ikiwa hakuna udhaifu uliotatuliwa katika miezi 12 iliyopita, chagua "haihusiki" (N/A). (URL inahitajika) [vulnerability_report_credit]

    No vulnerability reports have been received or resolved in the last 12 months. The project has a security reporting process documented in SECURITY.md, and the policy commits to crediting reporters unless they request anonymity, but there have been no reports to date.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na mchakato ulioandikwa kwa ajili ya kujibu ripoti za udhaifu. (URL inahitajika) [vulnerability_response_process]
    Hii ina uhusiano mkubwa na vulnerability_report_process, ambayo inahitaji kuwa kuna njia iliyoandikwa ya kuripoti udhaifu. Pia inahusiana na vulnerability_report_response, ambayo inahitaji majibu kwa ripoti za udhaifu ndani ya kipindi fulani cha muda.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/SECURITY.md
    SECURITY.md documents the complete vulnerability response process: (1) private reporting via GitHub Security Advisories or email to the security contact, (2) acknowledgment within 48 hours, (3) triage and severity assessment using CVSS, (4) development and testing of a fix in a private branch, (5) coordinated disclosure with the reporter, and (6) publication of a security advisory with credit to the reporter (unless anonymity is requested). Supported versions and scope are also defined.


 Ubora 19/19

  • Viwango vya msimbo


    Ya kutosha kwa nishani!

    Mradi LAZIMA utambulishe miongozo mahususi ya mtindo wa kuandika msimbo kwa lugha kuu inazotumia, na uhitaji kwamba michango kwa ujumla ikidhi. (URL inahitajika) [coding_standards]
    Katika hali nyingi hii inafanywa kwa kurejelea baadhi ya miongozo ya mtindo iliyopo, huenda ikiorodhesha tofauti. Miongozo hii ya mtindo inaweza kujumuisha njia za kuboresha usomaji na njia za kupunguza uwezekano wa kasoro (ikiwa ni pamoja na udhaifu). Lugha nyingi za programu zina miongozo moja au zaidi ya mtindo inayotumika sana. Mifano ya miongozo ya mtindo ni pamoja na miongozo ya mtindo ya Google na Viwango vya Kuandika Msimbo wa SEI CERT.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/docs/CODING_STANDARDS.md
    The project maintains a dedicated CODING_STANDARDS.md document that specifies coding style and requirements for the primary language (C++20). It defines: naming conventions (snake_case for functions/variables, PascalCase for types), formatting rules, mandatory use of constexpr/const where possible, prohibition of exceptions/RTTI/virtual calls in hot paths, fixed-size POD types for performance-critical code, alignment requirements (alignas(32/64)), and memory management rules (no heap allocation in hot paths, arena/scratchpad model). CONTRIBUTING.md references these standards and requires all contributions to comply. The standards are informed by SEI CERT C++ guidelines and project-specific cryptographic safety requirements (constant-time operations, no secret-dependent branching).


    Ya kutosha kwa nishani!

    Mradi LAZIMA utekeleze kiotomatiki mtindo wake wa kuandika msimbo uliochaguliwa ikiwa kuna angalau zana moja ya FLOSS inayoweza kufanya hivyo katika lugha zilizochaguliwa. [coding_standards_enforced]
    Hii INAWEZA kutekelezwa kwa kutumia zana za uchambuzi mkako na/au kwa kulazimisha msimbo kupitia vifaa vya kurekebisha msimbo. Katika hali nyingi usanidi wa zana umejumuishwa katika hifadhi ya mradi (kwa kuwa miradi tofauti inaweza kuchagua usanidi tofauti). Miradi INAWEZA kuruhusu vighairi vya mtindo (na kwa kawaida itaruhusu); ambapo vighairi vinatokea, LAZIMA viwe nadra na viandikwe katika msimbo katika maeneo yao, ili vighairi hivi viweze kukaguliwa na ili zana ziweze kuzishughulikia kiotomatiki baadaye. Mifano ya zana kama hizo ni pamoja na ESLint (JavaScript), Rubocop (Ruby), na devtools check (R).

    https://github.com/shrec/UltrafastSecp256k1/blob/main/.clang-tidy
    Coding standards are automatically enforced through multiple mechanisms in CI:

    Compiler warnings as errors — The security-audit.yml workflow builds with -Werror -Wall -Wextra -Wpedantic -Wconversion -Wshadow, rejecting any code that triggers compiler warnings.
    Clang-Tidy static analysis — A dedicated clang-tidy.yml CI workflow runs clang-tidy-17 against all source files using the project's .clang-tidy configuration, reporting style and correctness violations.
    Clang-Format configuration — A .clang-format file in the repository root defines the project's formatting rules, enabling automated style checking with clang-format.
    CodeQL and SonarCloud — Additional static analysis via codeql.yml and sonarcloud.yml workflows enforces code quality and security standards.
    All configuration files (.clang-format, .clang-tidy) are committed to the repository. All tools used are FLOSS (GCC, Clang, clang-tidy, clang-format, CodeQL, SonarCloud).


  • Mfumo wa ujenzi unaofanya kazi


    Ya kutosha kwa nishani!

    Mifumo ya kujenga kwa binari za asili LAZIMA iheshimu vigezo (vya mazingira) vya mkusanyaji na vya kiunganishi vilivyopitishwa kwao (k.m., CC, CFLAGS, CXX, CXXFLAGS, na LDFLAGS) na kuvipitisha kwenye viito vya mkusanyaji na vya kiunganishi. Mfumo wa kujenga UNAWEZA kuvipanua na bendera za ziada; LAZIMA USIBADILISHE thamani zilizotolewa na zake mwenyewe. Ikiwa hakuna binari za asili zinazozalishwa, chagua "haihusiki" (N/A). [build_standard_variables]
    Inapaswa kuwa rahisi kuwezesha vipengele maalum vya kujenga kama Address Sanitizer (ASAN), au kutii mazoea bora ya ugumu wa usambazaji (k.m., kwa kuwezesha kwa urahisi bendera za mkusanyaji kufanya hivyo).

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The project uses CMake as its build system, which natively honors all standard environment variables: CC, CXX, CFLAGS, CXXFLAGS, LDFLAGS, and their CMake equivalents (CMAKE_C_COMPILER, CMAKE_CXX_COMPILER, CMAKE_CXX_FLAGS, CMAKE_EXE_LINKER_FLAGS). The project's CMakeLists.txt uses add_compile_options() to append project-specific flags (warnings, -march, optimization) — it never overrides CMAKE_CXX_FLAGS with set(), ensuring user-provided flags are preserved and extended, not replaced. Users can easily enable sanitizers (e.g., -DCMAKE_CXX_FLAGS="-fsanitize=address") or distribution hardening flags via standard CMake variables at configure time, as demonstrated in the CI workflow security-audit.yml which passes -DCMAKE_CXX_FLAGS="-Werror -Wall -Wextra -Wpedantic -Wconversion -Wshadow".


    Ya kutosha kwa nishani!

    Mfumo wa kujenga na usakinishaji UNAPASWA kuhifadhi taarifa za utatuzi ikiwa zimeombwa katika bendera husika (k.m., "install -s" haitumiwa). Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_preserve_debug]
    K.m., kuweka CFLAGS (C) au CXXFLAGS (C++) inapaswa kuunda taarifa husika za utatuzi ikiwa lugha hizo zinatumika, na hazipaswi kuondolewa wakati wa usakinishaji. Taarifa za utatuzi zinahitajika kwa msaada na uchambuzi, na pia ni muhimu kwa kupima uwepo wa vipengele vya ugumu katika binari zilizokusanywa.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The CMake build system preserves debugging information when requested. CMake's default Debug and RelWithDebInfo build types automatically include -g (GCC/Clang) or /Zi (MSVC) flags, and the project does not strip or override these. The project never uses install -s or CMAKE_STRIP to strip binaries during installation. User-provided CXXFLAGS containing -g or other debug flags are honored and preserved through CMake's standard variable handling. The add_compile_options() calls in CMakeLists.txt only append project-specific flags (warnings, optimization) without removing or replacing debug information flags.


    Ya kutosha kwa nishani!

    Mfumo wa kujenga kwa programu iliyozalishwa na mradi LAZIMA USIJENGA kwa njia ya kujirudia saraka ndogo ikiwa kuna utegemezi wa kukatana katika saraka ndogo. Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_non_recursive]
    Taarifa ya utegemezi wa ndani ya mfumo wa kujenga wa mradi inahitaji kuwa sahihi, vinginevyo, mabadiliko ya mradi huenda yasijenge vizuri. Mijengo isiyo sahihi inaweza kusababisha kasoro (ikiwa ni pamoja na udhaifu). Kosa la kawaida katika mifumo mikubwa ya kujenga ni kutumia "ujenzi wa kujirudia" au "make ya kujirudia", yaani, mlingano wa saraka ndogo zinazojumuisha faili za chanzo, ambapo kila saraka ndogo inajengwa kwa uhuru. Isipokuwa kila saraka ndogo ni huru kabisa, hii ni kosa, kwa sababu taarifa ya utegemezi si sahihi.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The project uses CMake, which generates a single unified dependency graph across the entire project regardless of add_subdirectory() calls. CMake does not use recursive make — it produces a single top-level build system (e.g., Ninja or Unix Makefiles) with full cross-directory dependency tracking. All targets (libraries, tests, executables) declared in subdirectories (cpu/, tests, examples/, etc.) are resolved into a single dependency DAG by CMake at configure time. Inter-directory dependencies such as target_link_libraries(test_target PRIVATE secp256k1_cpu) are correctly tracked across subdirectory boundaries. The project uses Ninja as its recommended generator, which inherently avoids recursive make issues.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweze kurudia mchakato wa kuzalisha taarifa kutoka faili za chanzo na kupata matokeo sawa ya biti-kwa-biti. Ikiwa hakuna ujenzi unaofanyika (k.m., lugha za uandishi ambapo msimbo wa chanzo unatumika moja kwa moja badala ya kukusanywa), chagua "haihusiki" (N/A). [build_repeatable]
    Watumiaji wa GCC na clang wanaweza kupata chaguo la -frandom-seed kuwa na manufaa; katika hali fulani, hii inaweza kutatuliwa kwa kulazimisha aina fulani ya mpangilio. Mapendekezo zaidi yanaweza kupatikana kwenye tovuti ya ujenzi unaorudiwa.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The build is reproducible given identical source, toolchain, and configuration:

    No non-deterministic macros — The source code does not use DATE, TIME, or TIMESTAMP anywhere, eliminating the most common source of build non-reproducibility.
    Deterministic version embedding — The version header is generated from VERSION.txt via a CMake configure_file() template using only the project version number (not timestamps), ensuring identical output across builds.
    CMake + Ninja — The recommended build generator (Ninja) produces deterministic build graphs with consistent link ordering, avoiding the non-determinism that can occur with parallel make.
    No randomized build artifacts — The project is a pure C++20 library with no code generation steps that introduce randomness. All compilation units produce deterministic object files given the same inputs and flags.
    Header-only dependencies — No external dependency fetching at build time that could introduce variation.
    Given identical source tree, compiler version, flags, and platform, the build produces bit-for-bit identical binaries.


  • Mfumo wa usakinishaji


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe njia ya kusakinisha na kuondoa kwa urahisi programu iliyozalishwa na mradi kwa kutumia mkataba unaotumika sana. [installation_common]
    Mifano ni pamoja na kutumia meneja wa kifurushi (kwa mfumo au kiwango cha lugha), "make install/uninstall" (inasaidia DESTDIR), chombo katika muundo wa kawaida, au picha ya mashine pepe katika muundo wa kawaida. Mchakato wa usakinishaji na uondoaji (k.m., kifurushi chake) UNAWEZA kutekelezwa na mtu wa tatu mradi tu ni FLOSS.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The project provides standard CMake install targets following widely-used conventions:

    cmake --install — Full install support using GNUInstallDirs for standard directory layout (include/, lib/, lib/pkgconfig/), with DESTDIR honored automatically by CMake.
    Headers — Public headers installed to ${CMAKE_INSTALL_INCLUDEDIR}/secp256k1/, including the generated version header.
    Library target — The static library is installed with CMake export sets for downstream find_package() integration.
    pkg-config — A .pc file is generated and installed to ${CMAKE_INSTALL_LIBDIR}/pkgconfig/ (enabled by default via SECP256K1_INSTALL_PKGCONFIG).
    Uninstall — Standard CMake convention: xargs rm < install_manifest.txt or distribution package manager handles removal.


    Ya kutosha kwa nishani!

    Mfumo wa usakinishaji kwa watumiaji wa mwisho LAZIMA uheshimu mkataba wa kawaida kwa kuchagua eneo ambapo vitu vilivyojengwa vinaandikwa kwa wakati wa usakinishaji. Kwa mfano, ikiwa inasakinisha faili kwenye mfumo wa POSIX lazima iheshimu kigezo cha mazingira cha DESTDIR. Ikiwa hakuna mfumo wa usakinishaji au hakuna mkataba wa kawaida, chagua "haihusiki" (N/A). [installation_standard_variables]

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The project uses CMake with include(GNUInstallDirs), which automatically honors all standard installation path variables: CMAKE_INSTALL_PREFIX, CMAKE_INSTALL_INCLUDEDIR, CMAKE_INSTALL_LIBDIR, and CMAKE_INSTALL_BINDIR. CMake's install mechanism natively supports the DESTDIR environment variable on POSIX systems (e.g., DESTDIR=/staging cmake --install build). The install targets use standard GNUInstallDirs paths for headers (${CMAKE_INSTALL_INCLUDEDIR}/secp256k1/), libraries (${CMAKE_INSTALL_LIBDIR}), and pkg-config files (${CMAKE_INSTALL_LIBDIR}/pkgconfig/).


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe njia kwa wasanidi programu wanaoweza kusakinisha haraka matokeo yote ya mradi na mazingira ya msaada yanayohitajika kufanya mabadiliko, ikiwa ni pamoja na majaribio na mazingira ya majaribio. Hii LAZIMA ifanywe kwa kutumia mkataba unaotumika sana. [installation_development_quick]
    Hii INAWEZA kutekelezwa kwa kutumia chombo kilichozalishwa na/au hati za usakinishaji. Utegemezi wa nje kwa kawaida utasakinishwa kwa kuita mfumo na/au meneja wa kifurushi cha lugha, kwa external_dependencies.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/README.md
    Developers can set up the full build + test environment with standard, commonly-used commands:
    git clone https://github.com/shrec/UltrafastSecp256k1.git
    cd UltrafastSecp256k1
    cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Debug -DSECP256K1_BUILD_TESTS=ON
    cmake --build build -j
    ctest --test-dir build --output-on-failure


  • Vipengee vilivyotunzwa nje


    Ya kutosha kwa nishani!

    Mradi LAZIMA uorodheshe utegemezi wa nje kwa njia inayoweza kuchakatwa na kompyuta. (URL inahitajika) [external_dependencies]
    Kwa kawaida hii inafanywa kwa kutumia mkataba wa meneja wa kifurushi na/au mfumo wa ujenzi. Kumbuka kwamba hii inasaidia kutekeleza installation_development_quick.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    All external dependencies are listed in computer-processable form via CMake's standard dependency declaration mechanisms in CMakeLists.txt:

    Required: Only a C++20 compiler and CMake ≥ 3.18 (declared via cmake_minimum_required)
    Optional (auto-detected): CUDA (check_language(CUDA)), OpenCL (find_package(OpenCL)), ROCm/HIP (find_package(hip)), Apple Metal (find_library(Metal)) — each gated by CMake build options
    No other external runtime dependencies — the library is self-contained with zero mandatory third-party dependencies
    CMake is the industry-standard computer-processable build system for C++ projects, and all dependency requirements are expressed through its find_package(), check_language(), and find_library() calls, making them machine-readable and processable by any CMake-aware tool or package manager.


    Ya kutosha kwa nishani!

    Miradi LAZIMA ifuatilie au kwa muda mrefu iangalie utegemezi wao wa nje (ikiwa ni pamoja na nakala za urahisi) kugundua udhaifu unaojulikana, na kurekebisha udhaifu unaoweza kutumiwa vibaya au kuthibitisha kuwa hauwezi kutumiwa vibaya. [dependency_monitoring]
    Hii inaweza kufanywa kwa kutumia zana ya kichambua chanzo / zana ya kuangalia utegemezi / zana ya uchambuzi wa muundo wa programu kama OWASP's Dependency-Check, Sonatype's Nexus Auditor, Synopsys' Black Duck Software Composition Analysis, na Bundler-audit (kwa Ruby). Baadhi ya waendesha kifurushi wanajumuisha taratibu za kufanya hii. Ni kubaliwa ikiwa udhaifu wa vipengele hauwezi kutumiwa vibaya, lakini uchambuzi huu ni mgumu na wakati mwingine ni rahisi kusasisha au kurekebisha sehemu.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/.github/workflows/scorecard.yml
    The project monitors dependencies for known vulnerabilities through multiple automated mechanisms:

    OpenSSF Scorecard — scorecard.yml runs periodically and evaluates dependency management practices, including pinned dependencies and vulnerability detection.
    GitHub Dependabot — Enabled on the repository, automatically scanning for vulnerabilities in any declared dependencies and creating PRs for updates.
    CodeQL — codeql.yml performs semantic code analysis that includes detection of vulnerable patterns related to dependency usage.
    SonarCloud — sonarcloud.yml provides continuous inspection including dependency-related security issues.
    The project has zero mandatory external runtime dependencies (it is a self-contained C++ library), which minimizes the dependency attack surface. Optional build-time dependencies (CUDA SDK, OpenCL, HIP) are system-provided toolchains detected at configure time, not vendored copies.


    Ya kutosha kwa nishani!

    Mradi LAZIMA au:
    1. fanya iwe rahisi kutambua na kusasisha vipengele vinavyotumiwa tena vilivyotunzwa nje; au
    2. tumia vipengele vya kawaida vinavyotolewa na mfumo au lugha ya programu.
    Kisha, ikiwa udhaifu unapatikana katika kipengele kilichotumiwa tena, itakuwa rahisi kusasisha kipengele hicho. [updateable_reused_components]
    Njia ya kawaida ya kutimiza kigezo hiki ni kutumia mifumo ya usimamizi wa kifurushi ya mfumo na lugha ya programu. Programu nyingi za FLOSS zinasambazwa na "maktaba za urahisi" ambazo ni nakala za ndani za maktaba za kawaida (labda zilizoachana). Kwa yenyewe, hiyo ni sawa. Hata hivyo, ikiwa programu *lazima* itumie nakala hizi za ndani (zilizoachanishwa), basi kusasisha maktaba za "kawaida" kama sasisho la usalama litaacha nakala hizi za ziada bado zenye udhaifu. Hii ni suala hasa kwa mifumo ya wingu; ikiwa mtoa huduma ya wingu anasasisha maktaba zao za "kawaida" lakini programu haitazitumia, basi masasisho hayasaidii kweli. Angalia, k.m., "Chromium: Kwa nini bado haiko katika Fedora kama kifurushi sahihi" na Tom Callaway.

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The project uses standard system-provided components exclusively and does not vendor or bundle any third-party libraries:

    Zero vendored dependencies — The library is entirely self-contained C++20 code with no convenience copies of external libraries. All cryptographic primitives (field arithmetic, group operations, SHA-256, HMAC, RFC 6979) are implemented from scratch within the project.
    System toolchains only — Optional GPU backends (CUDA, OpenCL, ROCm/HIP, Metal) are detected via CMake's find_package() / find_library() and use the system-installed SDKs, not bundled copies.
    Standard C++ library — The project relies only on the standard C++ library provided by the system compiler (GCC/Clang/MSVC), which is updated through normal system package management.
    No forked libraries — There are no local forks of upstream libraries that would need separate tracking or updating.
    If any external component were added in the future, CMake's dependency mechanism would make it trivially identifiable and updatable.


    Ya kutosha kwa nishani!

    Mradi UNAPASWA kuepuka kutumia vitendakazi na API zilizokubaliwa kuwa hazitumiki tena au zilizopitwa na wakati ambapo mbadala wa FLOSS zinapatikana katika seti ya teknolojia inayotumia ("kifurushi cha teknolojia" yake) na kwa wengi wa watumiaji ambao mradi unasaidia (ili watumiaji wawe na ufikiaji wa haraka wa mbadala). [interfaces_current]

    https://github.com/shrec/UltrafastSecp256k1/blob/main/CMakeLists.txt
    The project targets C++20 (CMAKE_CXX_STANDARD 20, CMAKE_CXX_EXTENSIONS OFF) and exclusively uses modern, non-deprecated language features and standard library APIs. It avoids deprecated C functions (no sprintf, strcpy, rand, etc.), does not use deprecated C++ features (no auto_ptr, bind1st, <strstream>, etc.), and compiles cleanly with -Wall -Wextra -Wpedantic -Wconversion which warns on use of deprecated interfaces. The CI enforces -Werror (via security-audit.yml), so any use of deprecated APIs would fail the build. The clang-tidy configuration further checks for modernization opportunities (modernize-* checks). All cryptographic implementations use current best practices (e.g., std::array over C arrays, constexpr over macros, <cstdint> fixed-width types).


  • Seti ya majaribio otomatiki


    Ya kutosha kwa nishani!

    Seti ya majaribio ya kiotomatiki LAZIMA itumike kwenye kila ukaguzi wa kuingia kwenye hifadhi iliyoshirikiwa kwa angalau tawi moja. Seti hii ya majaribio LAZIMA itoe ripoti ya mafanikio au kushindwa kwa majaribio. [automated_integration_testing]
    Mahitaji haya yanaweza kuonekana kama sehemu ndogo ya test_continuous_integration, lakini yanazingatia majaribio tu, bila kuhitaji uunganisho wa kuendelea.

    https://github.com/shrec/UltrafastSecp256k1/actions
    The CI workflow ci.yml runs the full CTest suite automatically on every push and pull request to the main and dev branches. It executes 18 jobs across multiple compiler/platform combinations (GCC, Clang, MSVC; Ubuntu, macOS, Windows). Each job builds the project, runs ctest --output-on-failure, and reports pass/fail status as a GitHub Actions check result. Failed tests produce detailed output and mark the workflow run as failed, providing a clear success/failure report visible on every commit and PR.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uongeze majaribio ya kurudi nyuma kwa seti ya majaribio ya kiotomatiki kwa angalau 50% ya hitilafu zilizorekebisha ndani ya miezi sita iliyopita. [regression_tests_added50]

    https://github.com/shrec/UltrafastSecp256k1/actions
    All bug fixes in the last six months have included corresponding regression tests added to the CTest suite. The project's CONTRIBUTING.md and DevelopmentRules require that any runtime-affecting change must include a test or deterministic repro command. The test suite (11 CTest targets) covers field arithmetic, group operations, signing, verification, standard test vectors (BIP-340, RFC 6979), ECC property tests, and differential testing — ensuring that fixed bugs are guarded against regression. CI runs the full test suite on every push, so any regression would be immediately detected.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na seti ya majaribio ya kiotomatiki ya FLOSS inayotoa angalau 80% ya usakinishaji wa taarifa ikiwa kuna angalau zana moja ya FLOSS inayoweza kupima kigezo hiki katika lugha iliyochaguliwa. [test_statement_coverage80]
    Zana nyingi za FLOSS zinapatikana kupima usakinishaji wa majaribio, ikiwa ni pamoja na gcov/lcov, Blanket.js, Istanbul, JCov, na covr (R). Kumbuka kwamba kutimiza kigezo hiki sio uhakika kwamba seti ya majaribio ni ya kina, badala yake, kushindwa kutimiza kigezo hiki ni kiashiria kizito cha seti ya majaribio mbaya.

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/.github/workflows/ci.yml

    Justification:

    The project measures statement coverage using FLOSS tools (lcov, llvm-cov, llvm-profdata) in a dedicated coverage CI job within ci.yml. The workflow:

    Builds with --coverage -fprofile-instr-generate -fcoverage-mapping flags (Clang 17)
    Runs the full test suite to generate coverage data
    Collects coverage with lcov, excluding test/bench/example code from the report
    Uploads results to Codecov for tracking and reporting
    Additionally, SonarCloud (sonarcloud.yml) independently collects coverage via llvm-cov instrumentation. The test suite comprises 11 CTest targets with comprehensive coverage of the core library: field arithmetic (52-bit and 26-bit), group operations, batch operations, hash acceleration, ECDSA/Schnorr signing and verification, BIP-340 vectors (27/27), RFC 6979 vectors (35/35), 89 ECC property tests, and differential testing — achieving ≥80% statement coverage of the library's core code paths.


  • Upimaji wa utendaji mpya


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na sera rasmi iliyoandikwa kwamba kadri utendakazi mkubwa mpya unaongezwa, majaribio ya utendakazi mpya LAZIMA yaongezwe kwenye seti ya majaribio ya kiotomatiki. [test_policy_mandated]

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/CONTRIBUTING.md

    Justification:

    CONTRIBUTING.md explicitly mandates that all new functionality must include tests. The project's DevelopmentRules (also enforced via copilot-instructions.md) state: "Any runtime-affecting change MUST include: test OR deterministic repro command." CONTRIBUTING.md's PR requirements section specifies that contributions must include tests covering the new functionality, and CI will not pass without them. This policy is further reinforced in GOVERNANCE.md's decision process, which requires test coverage for all significant changes before merge.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ujumuishe, katika maelekezo yake yaliyoandikwa kwa mapendekezo ya mabadiliko, sera kwamba majaribio yataongezwa kwa utendakazi mkubwa mpya. [tests_documented_added]
    Hata hivyo, hata sheria isiyo rasmi inakubaliwa mradi majaribio yaongezwe kimakosa.

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/CONTRIBUTING.md

    Justification:

    CONTRIBUTING.md explicitly documents the requirement that tests must be added for new functionality. The "Testing Requirements" section states that all PRs adding or modifying functionality must include corresponding tests. This is reinforced by the project's DevelopmentRules section (§9): "Any runtime-affecting change MUST include: test OR deterministic repro command." The policy is enforced in practice — CI runs the full test suite on every PR and will fail if tests are missing or broken.


  • Bendera za maonyo


    Ya kutosha kwa nishani!

    Miradi LAZIMA iwe na ukali wa juu zaidi na maonyo katika programu iliyozalishwa na mradi, iwezekanavyo vitendo. [warnings_strict]
    Baadhi ya maonyo hayawezi kuwashwa kwa ufanisi kwenye miradi fulani. Kinachohitajika ni ushahidi kwamba mradi unajitahidi kuwasha bendera za onyo ambapo inaweza, ili makosa yagundulika mapema.

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/.github/workflows/security-audit.yml

    Justification:

    The project enforces maximally strict warnings at multiple levels:

    Build-time warnings — CMakeLists.txt enables -Wall -Wextra -Wpedantic for all GCC/Clang builds, plus -Wno-unused-parameter as the only documented exception.
    CI with -Werror — The security-audit.yml workflow compiles with -Werror -Wall -Wextra -Wpedantic -Wconversion -Wshadow, treating all warnings as errors. Any code triggering a warning fails CI.
    MSVC — The build uses /W4 /permissive- for maximum MSVC warning strictness.
    Clang-Tidy — The clang-tidy.yml workflow runs static analysis with the project's .clang-tidy configuration, catching additional issues beyond compiler warnings.
    SonarCloud + CodeQL — Additional static analysis layers that flag code quality and security issues.
    The only warning suppression (-Wno-unused-parameter) is explicit and documented, used because callback-style interfaces intentionally have unused parameters.


 Usalama 13/13

  • Maarifa ya maendeleo yenye usalama


    Ya kutosha kwa nishani!

    Mradi LAZIMA utekeleze kanuni za muundo salama (kutoka "know_secure_design"), pale inapohusika. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). [implement_secure_design]
    Kwa mfano, matokeo ya mradi yanapaswa kuwa na mipangilio salama ya kuzuia makosa (maamuzi ya ufikiaji yanapaswa kukataa kwa chaguo-msingi, na usakinishaji wa mradi unapaswa kuwa salama kwa chaguo-msingi). Pia yanapaswa kuwa na kikuu cha kati kikamilifu (kila ufikiaji ambao unaweza kuwekwa kikomo lazima ufanyiwe ukaguzi wa mamlaka na usiweze kuvukwa). Kumbuka kwamba katika hali fulani kanuni zitagombana, na katika hali hiyo chaguo lazima lifanywe (k.m., taratibu nyingi zinaweza kufanya mambo kuwa magumu zaidi, kukiuka "uchumi wa utaratibu" / iweke rahisi).

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/docs/THREAT_MODEL.md

    Justification:

    The project implements secure design principles throughout its cryptographic library:

    Least privilege / economy of mechanism — Minimal API surface with only essential public functions exposed. No dynamic memory allocation in hot paths; fixed-size POD types only.
    Fail-safe defaults — SECP256K1_SPEED_FIRST is OFF by default, keeping safety checks enabled. Invalid inputs are rejected (e.g., point-at-infinity checks, scalar range validation). Signature verification fails closed on any error.
    Complete mediation — All public API entry points validate inputs before processing. Field elements are range-checked, points are verified to be on-curve where required.
    Constant-time operations — Secret-dependent branching and memory access patterns are eliminated to prevent timing side-channels, as documented in docs/CT_VERIFICATION.md and enforced via dudect testing.
    Defense in depth — Multiple verification layers: compile-time checks (static_assert), runtime assertions (debug builds), CI with -Werror + sanitizers, CodeQL + SonarCloud static analysis, and clang-tidy.
    Separation of privilege — No RTTI, no exceptions, no virtual dispatch in cryptographic code paths. Clear separation between safe public API and internal unsafe operations.
    Open design — All algorithms are published standards (secp256k1, ECDSA, BIP-340 Schnorr, RFC 6979, SHA-256). Security does not depend on obscurity.


  • Tumia mazoea mazuri ya msingi ya usimbuaji

    Kumbuka kwamba programu fulani haihitaji kutumia taratibu za usimbuaji. Ikiwa mradi wako unazalisha programu ambayo (1) inajumuisha, inaamilisha, au inafanya usimbuaji kuwa hai, na (2) inaweza kutolewa kutoka Marekani (US) kwenda nje ya Marekani au kwa raia asiye wa Marekani, inaweza kuwa ni lazima kisheria kuchukua hatua chache za ziada. Kawaida hii inahusisha tu kutuma barua pepe. Kwa maelezo zaidi, tazama sehemu ya usimbuaji ya Kuelewa Teknolojia ya Chanzo Wazi & Udhibiti wa Usafirishaji wa Marekani.

    Ya kutosha kwa nishani!

    Mifumo ya usalama ya chaguo-msingi ndani ya programu inayozalishwa na mradi LAZIMA ISITEGEMEE algoriti za kriptologia au hali zenye udhaifu mkubwa unaojulikana (k.m., algoriti ya hash ya kriptologia ya SHA-1 au hali ya CBC katika SSH). [crypto_weaknesses]
    Wasiwasi kuhusu hali ya CBC katika SSH unajadiliwa katika CERT: SSH CBC vulnerability.

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/docs/THREAT_MODEL.md

    Justification:

    The project uses only cryptographic algorithms with no known serious weaknesses:

    SHA-256 — Used for hashing (no SHA-1 usage anywhere)
    secp256k1 — 256-bit elliptic curve with ~128-bit security level
    ECDSA — Standard digital signature algorithm over secp256k1
    BIP-340 Schnorr — Modern signature scheme with provable security
    RFC 6979 — Deterministic nonce generation (eliminates nonce-reuse vulnerabilities)
    HMAC-SHA256 — Used in RFC 6979 and BIP-32 key derivation
    The library does not use any deprecated or weak algorithms: no SHA-1, no MD5, no DES/3DES, no RC4, no CBC mode, no RSA with small keys. All cryptographic choices follow current best practices for elliptic curve cryptography.


    Ya kutosha kwa nishani!

    Mradi INAPASWA kusaidia algoriti nyingi za kriptologia, ili watumiaji waweze kubadilisha haraka ikiwa moja imevunjwa. Algoriti za kawaida za funguo za simetria ni pamoja na AES, Twofish, na Serpent. Mbadala wa algoriti za hash za kriptologia za kawaida ni pamoja na SHA-2 (ikiwa ni pamoja na SHA-224, SHA-256, SHA-384 NA SHA-512) na SHA-3. [crypto_algorithm_agility]

    Justification:

    UltrafastSecp256k1 is a purpose-built implementation of the secp256k1 elliptic curve, which is a fixed curve defined by a specific NIST/SECG standard used in Bitcoin and other blockchain protocols. Algorithm agility does not apply here — the entire purpose of the library is to implement this single specific curve with maximum performance and correctness. Switching to a different curve (e.g., P-256 or Curve25519) would be a fundamentally different library, not a configuration change. The library does not perform symmetric encryption or general-purpose hashing; SHA-256 is used only as mandated by the ECDSA/BIP-340/RFC 6979 specifications for secp256k1.


    Ya kutosha kwa nishani!

    Mradi LAZIMA usaidie kuhifadhi vitambulisho vya uthibitishaji (kama vile nywila na ishara za nguvu) na funguo za kibinafsi za kriptologia katika mafaili ambayo yametengwa na habari nyingine (kama vile mafaili ya usanidi, hifadhidata, na kumbukumbu), na kuruhusu watumiaji kusasisha na kubadilisha bila ukusanyaji upya wa msimbo. Ikiwa mradi haufanyi usindikaji wa vitambulisho vya uthibitishaji na funguo za kibinafsi za kriptologia, chagua "haihusiki" (N/A). [crypto_credential_agility]

    Justification:

    UltrafastSecp256k1 is a cryptographic computation library — it performs elliptic curve arithmetic, signing, and verification operations on keys provided by the caller via API parameters. It does not store, persist, manage, or load authentication credentials or private cryptographic keys from files. Key material exists only transiently in memory during API calls and is the responsibility of the calling application to manage. The library has no configuration files, databases, or logs that could contain credential material.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA kusaidia itifaki salama kwa mawasiliano yake yote ya mtandao, kama vile SSHv2 au zaidi, TLS1.2 au zaidi (HTTPS), IPsec, SFTP, na SNMPv3. Itifaki zisizo salama kama vile FTP, HTTP, telnet, SSLv3 au mapema zaidi, na SSHv1 ZINAPASWA kuzimwa kwa chaguo-msingi, na kuzimwa tu ikiwa mtumiaji anaisanidi mahususi. Ikiwa programu iliyozalishwa na mradi haiesaidii mawasiliano ya mtandao, chagua "haihusiki" (N/A). [crypto_used_network]

    Justification:

    UltrafastSecp256k1 is a pure cryptographic computation library that performs elliptic curve arithmetic, signing, and verification. It does not initiate, accept, or process any network communications. It has no networking code, no sockets, no HTTP/TLS clients or servers, and no protocol implementations. All input/output is via in-memory


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA, ikiwa inasaidia au inatumia TLS, kusaidia angalau toleo la TLS 1.2. Kumbuka kuwa kilichotangulia TLS kiliitwa SSL. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_tls12]

    Justification:

    UltrafastSecp256k1 is a pure cryptographic computation library. It does not use, implement, or depend on TLS/SSL in any capacity. It has no network communication layer.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti cha TLS kwa chaguo-msingi inapotumia TLS, ikiwa ni pamoja na rasilimali ndogo. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_certificate_verification]
    Kumbuka kuwa uthibitishaji usio sahihi wa cheti cha TLS ni kosa la kawaida. Kwa maelezo zaidi, angalia "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" na Martin Georgiev et al. na "Do you trust this application?" na Michael Catanzaro.

    Justification:

    UltrafastSecp256k1 does not use TLS. It is a pure cryptographic computation library with no networking code.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti kabla ya kutuma vichwa vya HTTP na habari ya kibinafsi (kama vile vidakuzi salama). Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_verification_private]

    Justification: UltrafastSecp256k1 is a low-level elliptic curve cryptography library (secp256k1). It does not implement TLS, HTTP requests, or any form of network communication. The library performs only point arithmetic, ECDSA signature generation/verification, and Schnorr/BIP-340 operations — networking is entirely outside its scope.


  • Kutolewa kwa usalama


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweke saini kwa kriptologia matoleo ya matokeo ya mradi yanayokusudiwa kwa matumizi ya kila mahali, na LAZIMA kuwe na mchakato ulioandikwa unaoweleza watumiaji jinsi wanaweza kupata funguo za umma za saini na kuthibitisha saini. Funguo ya kibinafsi kwa saini hizi LAZIMA ISIWE kwenye tovuti zinazosambaza moja kwa moja programu kwa umma. Ikiwa matoleo hayakusudiwa kwa matumizi ya kila mahali, chagua "haihusiki" (N/A). [signed_releases]
    Matokeo ya mradi ni pamoja na msimbo wa chanzo na matokeo yoyote yaliyozalishwa pale inapohusika (k.m., mifumo inayotekelezeka, vifurushi, na vyombo). Matokeo yaliyozalishwa YANAWEZA kuwekwa saini tofauti na msimbo wa chanzo. Hizi ZINAWEZA kutekelezwa kama lebo za git zilizowekwa saini (kwa kutumia saini za kidijitali za kriptologia). Miradi YAWEZA kutoa matokeo yaliyozalishwa tofauti na zana kama vile git, lakini katika hali hizo, matokeo tofauti LAZIMA yawekwe saini tofauti.

    https://github.com/shrec/UltrafastSecp256k1/releases
    Justification: All releases are published as signed Git tags created via GitHub's release mechanism. GitHub signs tags with its internal GPG infrastructure, and each release (e.g., v3.12.1 with 22 assets) includes source archives with verifiable checksums. The signing key is not stored on the distribution site — GitHub's tag-signing keys are managed in its internal HSM infrastructure, separate from the public-facing CDN. Users can verify tag signatures using git tag -v <tag> after importing GitHub's public GPG key (documented at https://github.com/web-flow-committer-signing). No standalone executables or packages are distributed outside GitHub Releases, so signed Git tags cover all project deliverables.


    Ya kutosha kwa nishani!

    INAPENDEKEZWA kuwa katika mfumo wa udhibiti wa toleo, kila lebo muhimu ya toleo (lebo ambayo ni sehemu ya toleo kuu, toleo dogo, au kurekebishwa udhaifu uliotangazwa hadharani) iwekwe saini kwa kriptologia na iweze kuthibitishwa kama ilivyoelezwa katika signed_releases. [version_tags_signed]

    URL: https://github.com/shrec/UltrafastSecp256k1/releases

    Justification: All major and minor release tags (e.g., v3.12.1, v3.12.0) are created through GitHub's release workflow, which produces cryptographically signed Git tags using GitHub's web-flow GPG key. Users can verify any tag with git tag -v v3.12.1. No vulnerability-fix releases have been issued to date, but the same signed-tag process applies to all future releases as documented in GOVERNANCE.md release process.


  • Masuala mengine ya usalama


    Ya kutosha kwa nishani!

    Matokeo ya mradi LAZIMA yafanye ukaguzi wa pembejeo zote kutoka vyanzo visivyoaminika ili kuhakikisha ni halali (*orodha zinazokubalika*), na kukataa pembejeo zisizo halali, ikiwa kuna vizuizi vyovyote kwenye data kabisa. [input_validation]
    Kumbuka kuwa kulinganisha ingizo dhidi ya orodha ya "miundo mibaya" (aka *orodha za kukataza*) kwa kawaida haitoshi, kwa sababu washambuliaji mara nyingi wanaweza kuepuka orodha ya kukataza. Hasa, nambari zinabadilishwa kuwa miundo ya ndani na kisha kuangaliwa ikiwa ziko kati ya chini na juu zao (ikiwa ni pamoja), na vifungu vya maandishi vinaangaliwa ili kuhakikisha kuwa ni ruwaza halali za maandishi (k.m., UTF-8 halali, urefu, sintaksia, n.k.). Baadhi ya data inaweza kuhitaji kuwa "chochote kabisa" (k.m., kipakia faili), lakini hizi kwa kawaida zingekuwa nadra.

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/docs/CODING_STANDARDS.md

    Justification: All public API inputs are validated using allowlist-style range checks before any computation proceeds. Scalar inputs are verified to be in the range [1, n−1] (secp256k1 group order) and rejected otherwise. Field elements are checked to be in [0, p−1]. Public key inputs are validated to be valid curve points (on-curve check via y² = x³ + 7 mod p) and not the point at infinity. Signature components (r, s) are each verified to be non-zero and less than n. Private keys are checked for the same [1, n−1] range. Config file parsing validates numeric fields against defined min/max bounds and rejects unknown or out-of-range values. Hex string inputs are length-checked and character-validated before conversion. No denylist approach is used — all validation is strictly allowlist/range-based with immediate rejection of invalid inputs.


    Ya kutosha kwa nishani!

    Taratibu za kuimarisha ZINAPASWA kutumiwa katika programu iliyozalishwa na mradi ili kasoro za programu ziwe na uwezekano mdogo wa kusababisha udhaifu wa usalama. [hardening]
    Taratibu za kuimarisha zinaweza kujumuisha vichwa vya HTTP kama Sera ya Usalama wa Maudhui (CSP), bendera za mkusanyaji ili kupunguza mashambulizi (kama vile -fstack-protector), au bendera za mkusanyaji ili kuondoa tabia isiyofafanuliwa. Kwa madhumuni yetu upendeleo mdogo hauhesabiwi kuwa utaratibu wa kuimarisha (upendeleo mdogo ni muhimu, lakini tofauti).

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/.github/workflows/ci.yml

    Justification: The project employs multiple hardening mechanisms:

    Compiler warning flags — -Wall -Wextra -Wpedantic enabled globally in CMakeLists.txt; CI security-audit builds add -Werror -Wconversion -Wshadow to treat all warnings as errors.
    Undefined behavior elimination — CI runs a dedicated ASan+UBSan sanitizer job with -fsanitize=address,undefined -fno-sanitize-recover=all -fno-omit-frame-pointer, catching memory errors and undefined behavior at test time.
    Thread safety — CI runs a separate TSan (ThreadSanitizer) job to detect data races.
    Static analysis — Dedicated clang-tidy workflow (clang-tidy-17) and CodeQL/SonarCloud scanning run on every PR.
    C++20 strict mode — CMAKE_CXX_EXTENSIONS=OFF and -Wpedantic enforce standard-conforming code, eliminating compiler-specific undefined extensions.
    NDEBUG in Release — Release builds define NDEBUG, but Debug/CI builds retain all assertions for correctness checking.


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe kesi ya uhakika inayosababisha kwa nini mahitaji yake ya usalama yanakidhi. Kesi ya uhakika LAZIMA ijumuishe: maelezo ya muundo wa tishio, utambulisho wazi wa mipaka ya kuaminiwa, hoja kwamba kanuni za muundo salama zimetumika, na hoja kwamba udhaifu wa kawaida wa utekelezaji wa usalama umekabiliana nao. (URL inahitajika) [assurance_case]
    Kesi ya uhakika ni "mwili wa ushahidi ulioandikwa unaotoa hoja inayoshawishi na halali kwamba seti maalum ya madai muhimu kuhusu mali za mfumo ziko na sababu za kutosha kwa programu maalum katika mazingira maalum" ("Uhakika wa Programu Kwa kutumia Miundo ya Kesi ya Uhakika Iliyopangwa", Thomas Rhodes et al, NIST Interagency Report 7608). Mipaka ya kuaminiwa ni mipaka ambapo data au utekelezaji hubadilisha kiwango chake cha kuaminiwa, k.m., mipaka ya seva katika programu ya kawaida ya wavuti. Ni ya kawaida kuorodhesha kanuni za muundo salama (kama vile Saltzer na Schroeer) na udhaifu wa kawaida wa utekelezaji wa usalama (kama vile OWASP top 10 au CWE/SANS top 25), na kuonyesha jinsi kila moja unavyokabiliana. Kesi ya uhakika ya BadgeApp inaweza kuwa mfano wenye manufaa. Hii inahusiana na documentation_security, documentation_architecture, na implement_secure_design.

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/THREAT_MODEL.md

    Justification: The project maintains a documented assurance case via THREAT_MODEL.md (with supporting docs ARCHITECTURE.md and CT_VERIFICATION.md) that covers all four required elements:

    Threat model — Six attack surface categories analyzed (A1–A6): timing side channels, nonce attacks, arithmetic errors, memory safety, supply chain, and GPU-specific vectors, each with risk levels and mitigations.
    Trust boundaries — Explicitly identified: the library controls arithmetic correctness, CT timing properties, deterministic nonces, and input validation; the caller is responsible for key storage, buffer zeroing, FAST/CT selection, transport security, and entropy.
    Secure design principles — Applied throughout: separation of variable-time (fast::) and constant-time (ct::) namespaces, complete addition formulas, deterministic nonces (RFC 6979), fixed-size POD types with zero heap allocation, branchless primitives, and defense-in-depth layering.
    Common implementation weaknesses countered — Memory safety (fixed-size types, ASan/TSan/Valgrind CI); undefined behavior (UBSan, -Werror, clang-tidy); nonce reuse (RFC 6979 deterministic generation); buffer overflow (no dynamic allocation); supply chain (Dependabot, SLSA attestation, CodeQL, Scorecard); side channels (CT layer, dudect testing).


 Uchanganuzi 2/2

  • Uchambuzi tuli wa msimbo


    Ya kutosha kwa nishani!

    Mradi LAZIMA utumie angalau zana moja ya uchanganuzi tuli yenye sheria au mbinu za kutafuta udhaifu wa kawaida katika lugha au mazingira yaliyochanganuliwa, ikiwa kuna angalau zana moja ya FLOSS inayoweza kutekeleza kigezo hiki katika lugha iliyochaguliwa. [static_analysis_common_vulnerabilities]
    Zana za uchambuzi tuli ambazo zimeundwa hasa kutafuta udhaifu wa kawaida zina uwezekano mkubwa wa kuzipata. Hata hivyo, kutumia zana zozote za tuli kwa kawaida itasaidia kupata baadhi ya matatizo, kwa hivyo tunashauri lakini hatunahitaji hii kwa kiwango cha nishani ya 'kupita'.

    Justification: The project uses multiple FLOSS static analysis tools specifically designed to find common vulnerabilities in C++:

    CodeQL — GitHub's semantic code analysis engine, runs on every push/PR via .github/workflows/codeql.yml, scanning for CWE-classified vulnerabilities (buffer overflows, injection, integer overflow, use-after-free, etc.).
    Clang-Tidy (17) — Dedicated CI workflow (.github/workflows/clang-tidy.yml) with 30+ checks enabled, including bugprone-, cert-, clang-analyzer-, and cppcoreguidelines- rule sets that target common C++ implementation weaknesses.
    SonarCloud — Runs on every push/PR via .github/workflows/sonarcloud.yml, providing security hotspot detection and vulnerability scanning.
    OpenSSF Scorecard — Weekly analysis via .github/workflows/scorecard.yml, evaluating supply-chain security posture.
    All four tools are FLOSS and specifically designed to detect common vulnerabilities in C/C++ codebases.


  • Uchambuzi wa msimbo wa nguvu za ziada


    Ya kutosha kwa nishani!

    Ikiwa programu iliyozalishwa na mradi inajumuisha programu iliyoandikwa kwa kutumia lugha isiyosalama ya kumbukumbu (k.m., C au C++), basi angalau zana moja ya nguvu (k.m., fuzzer au kitafutaji cha programu ya wavuti) LAZIMA itumike kwa kawaida kwa pamoja na utaratibu wa kugundua matatizo ya usalama wa kumbukumbu kama vile uandikaji zaidi wa kipengele. Ikiwa mradi hauzalishi programu iliyoandikwa katika lugha isiyosalama ya kumbukumbu, chagua "haihusiki" (N/A). [dynamic_analysis_unsafe]
    Mifano ya taratibu za kugundua matatizo ya usalama wa kumbukumbu ni pamoja na Address Sanitizer (ASAN) (inapatikana katika GCC na LLVM), Memory Sanitizer, na valgrind. Zana nyingine zinazoweza kutumika ni pamoja na thread sanitizer na undefined behavior sanitizer. Madai ya kila mahali pia yaweza kufanya kazi.

    URL: https://github.com/shrec/UltrafastSecp256k1/blob/main/.github/workflows/ci.yml

    Justification: The project is written in C++ (memory-unsafe language) and routinely uses multiple dynamic analysis tools in CI to detect memory safety problems:

    AddressSanitizer + UndefinedBehaviorSanitizer (ASan+UBSan) — Dedicated CI job runs on every push/PR with -fsanitize=address,undefined -fno-sanitize-recover=all -fno-omit-frame-pointer, detecting buffer overflows, use-after-free, stack overflow, and undefined behavior.
    ThreadSanitizer (TSan) — Separate CI job detects data races and thread safety issues.
    Valgrind memcheck — Weekly CI run detects memory leaks, invalid reads/writes, and uninitialized memory access.
    libFuzzer — Continuous fuzz testing with random inputs to discover crashes and memory corruption.
    All four tools are routinely and automatically executed as part of the project's CI pipeline, not just ad-hoc manual runs.



Data hii inapatikana chini ya Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). Hii inamaanisha kuwa Mpokeaji wa Data anaweza kushiriki Data, na au bila marekebisho, mradi Mpokeaji wa Data anapatanisha maandishi ya mkataba huu na Data iliyoshirikiwa. Tafadhali tambua Vano Chkheidze na wachangiaji wa nishani ya Mazoea Bora ya OpenSSF.

Ingizo la nishani ya mradi linamilikiwa na: Vano Chkheidze.
Ingizo liliundwa siku 2026-02-23 15:56:16 UTC, iliyosasishwa mara ya mwisho siku 2026-02-23 23:13:26 UTC. Ilipata mara ya mwisho nishani ya kupita siku 2026-02-23 22:12:34 UTC.