chore: import upstream snapshot with attribution
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 13:08:55 +08:00
commit 7a0da7932b
2985 changed files with 1049377 additions and 0 deletions
+193
View File
@@ -0,0 +1,193 @@
# Local CodeQL Analysis Guide
This guide explains how to set up and use CodeQL for local security analysis of the Local Deep Research project, covering both Python backend and JavaScript frontend code.
## Prerequisites
1. **CodeQL CLI**
- Download the latest CodeQL bundle from [GitHub](https://github.com/github/codeql-action/releases)
- Extract it to a permanent location (e.g., `C:\codeql` on Windows or `/opt/codeql` on Linux)
- Add the CodeQL executable to your system PATH
2. **Ollama**
- Install Ollama from [ollama.ai](https://ollama.ai)
- Pull the required model: `ollama pull deepseek-r1:32b`
3. **Analysis Scripts**
- Copy the appropriate analysis script from `docs/security/` to your project root:
- Windows: `analyze_sarif.ps1`
- Linux/Mac: `analyze_sarif.sh`
## Setup Instructions
### Windows
1. **Install CodeQL**
```powershell
# Download and extract CodeQL bundle
Invoke-WebRequest -Uri "https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-win64.tar.gz" -OutFile "codeql.zip"
tar -xvzf codeql.zip -C C:\codeql
# Add to PATH (run as administrator)
[Environment]::SetEnvironmentVariable("Path", "$env:Path;C:\codeql\codeql", "Machine")
```
2. **Create CodeQL Databases**
```powershell
# Navigate to project root/src (src is recommended for codeql analysis, to avoid analyzing venv folder)
cd path/to/local-deep-research/src
# Create Python database
codeql database create --language=python --source-root . ./python-db
# Create JavaScript database (for frontend code)
codeql database create --language=javascript --source-root . ./js-db
```
3. **Run Analysis**
```powershell
# Run Python CodeQL analysis
codeql database analyze ./python-db python-security-and-quality.qls --format=sarif-latest --output=python-results.sarif
# Run JavaScript CodeQL analysis
codeql database analyze ./js-db javascript-security-extended.qls --format=sarif-latest --output=js-results.sarif
# Merge results (optional)
codeql dataset merge --output=combined-db --source=python-db --source=js-db
codeql database analyze ./combined-db --format=sarif-latest --output=combined-results.sarif
# Analyze results with Ollama
.\analyze_sarif.ps1
```
### Linux/Mac
1. **Install CodeQL**
```bash
# Download and extract CodeQL bundle
wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz
tar -xvzf codeql-bundle-linux64.tar.gz -C /opt/codeql
# Add to PATH (add to ~/.bashrc or ~/.zshrc)
export PATH=$PATH:/opt/codeql/codeql
```
2. **Create CodeQL Databases**
```bash
# Navigate to project root/src
cd path/to/local-deep-research/src
# Create Python database
codeql database create --language=python --source-root . ./python-db
# Create JavaScript database
codeql database create --language=javascript --source-root . ./js-db
```
3. **Run Analysis**
```bash
# Make script executable
chmod +x analyze_sarif.sh
# Run Python CodeQL analysis
codeql database analyze ./python-db python-security-and-quality.qls --format=sarif-latest --output=python-results.sarif
# Run JavaScript CodeQL analysis
codeql database analyze ./js-db javascript-security-extended.qls --format=sarif-latest --output=js-results.sarif
# Merge results (optional)
codeql dataset merge --output=combined-db --source=python-db --source=js-db
codeql database analyze ./combined-db --format=sarif-latest --output=combined-results.sarif
# Analyze results with Ollama
./analyze_sarif.sh
```
## Important Queries
The following CodeQL queries are particularly relevant for our project:
1. **Python Security**
- `python-security-and-quality.qls`: General security and code quality
- `python/sql-injection`: SQL injection vulnerabilities
- `python/hardcoded-credentials`: Hardcoded secrets
- `python/unsafe-deserialization`: Insecure deserialization
2. **JavaScript Security**
- `javascript-security-extended.qls`: Comprehensive security checks
- `javascript/xss`: Cross-site scripting vulnerabilities
- `javascript/prototype-pollution`: Prototype pollution issues
- `javascript/express-misconfigured-cors`: CORS misconfigurations
- `javascript/unsafe-dynamic-import`: Unsafe dynamic imports
- `javascript/unsafe-eval`: Unsafe eval() usage
3. **Custom Queries**
- Logging injection vulnerabilities
- Uninitialized variables
- API security issues
- Frontend security best practices
## Analysis Script Features
The analysis scripts (`analyze_sarif.ps1` and `analyze_sarif.sh`) provide:
1. **Input Validation**
- Checks if Ollama is running
- Validates SARIF file format
- Verifies required dependencies
2. **Error Handling**
- Graceful error messages
- Color-coded output
- Detailed error reporting
3. **Output**
- Human-readable analysis
- Prioritized findings
- Recommended fixes
- Language-specific recommendations
## Troubleshooting
1. **Ollama Connection Issues**
- Ensure Ollama is running: `ollama serve`
- Check if the model is pulled: `ollama list`
- Verify the endpoint in the script matches your setup
2. **CodeQL Database Creation**
- Clean previous databases: `rm -rf ./python-db ./js-db`
- Ensure dependencies are installed (Python and Node.js)
- Check for sufficient disk space
- For JavaScript: Ensure node_modules is present
3. **Analysis Script Issues**
- Verify script permissions (Linux/Mac)
- Check PowerShell execution policy (Windows)
- Ensure all required tools are installed
## Best Practices
1. **Regular Analysis**
- Run analysis before major commits
- Schedule regular security scans
- Review and address findings promptly
- Run both frontend and backend scans
2. **Database Management**
- Clean old databases regularly
- Keep CodeQL CLI updated
- Use appropriate query suites
- Consider using RAM disk for large projects
3. **Results Handling**
- Document resolved issues
- Track false positives
- Share findings with the team
- Prioritize critical frontend and backend issues
## Additional Resources
- [CodeQL Documentation](https://codeql.github.com/docs/)
- [Python CodeQL Queries](https://github.com/github/codeql/tree/main/python/ql/src)
- [JavaScript CodeQL Queries](https://github.com/github/codeql/tree/main/javascript/ql/src)
- [Ollama Documentation](https://ollama.ai/docs)
+111
View File
@@ -0,0 +1,111 @@
#!/bin/bash
# CodeQL SARIF Analysis Script for Unix/Linux
# This script analyzes CodeQL SARIF results using Ollama for human-readable explanations
# Configuration
SARIF_PATH="python-results.sarif"
OUTPUT_PATH="codeql_analysis_results.txt"
OLLAMA_ENDPOINT="http://localhost:11434/api/generate"
MODEL="deepseek-r1:32b"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# Function to check if Ollama is running
check_ollama() {
echo -n "Checking Ollama connection... "
if curl -s "$OLLAMA_ENDPOINT" > /dev/null; then
echo -e "${GREEN}OK${NC}"
return 0
else
echo -e "${RED}FAILED${NC}"
echo -e "${RED}Error: Ollama is not running. Please start Ollama first.${NC}"
return 1
fi
}
# Function to validate SARIF file
validate_sarif() {
echo -n "Validating SARIF file... "
if [ ! -f "$SARIF_PATH" ]; then
echo -e "${RED}FAILED${NC}"
echo -e "${RED}Error: SARIF file not found at: $SARIF_PATH${NC}"
return 1
fi
if jq empty "$SARIF_PATH" 2>/dev/null; then
echo -e "${GREEN}OK${NC}"
return 0
else
echo -e "${RED}FAILED${NC}"
echo -e "${RED}Error: Invalid SARIF file format${NC}"
return 1
fi
}
# Main script
echo -e "${CYAN}CodeQL SARIF Analysis Tool${NC}"
echo -e "${CYAN}=========================${NC}"
# Check if required tools are installed
command -v curl >/dev/null 2>&1 || { echo -e "${RED}Error: curl is required but not installed.${NC}"; exit 1; }
command -v jq >/dev/null 2>&1 || { echo -e "${RED}Error: jq is required but not installed.${NC}"; exit 1; }
# Check if Ollama is running
check_ollama || exit 1
# Validate SARIF file
validate_sarif || exit 1
# Read SARIF content
echo -n "Reading SARIF file... "
if SARIF_CONTENT=$(cat "$SARIF_PATH"); then
echo -e "${GREEN}OK${NC}"
else
echo -e "${RED}FAILED${NC}"
echo -e "${RED}Error: Failed to read SARIF file${NC}"
exit 1
fi
# Prepare the prompt
PROMPT="Please analyze these security findings from CodeQL analysis.
Focus on:
1. Critical vulnerabilities
2. High priority issues
3. Potential impact
4. Recommended fixes
Here is the analysis data:
$SARIF_CONTENT"
# Prepare the request body
REQUEST_BODY=$(jq -n \
--arg model "$MODEL" \
--arg prompt "$PROMPT" \
'{"model": $model, "prompt": $prompt}')
# Make the request to Ollama and process the streaming response
echo -n "Analyzing results with Ollama... "
if curl -s -X POST "$OLLAMA_ENDPOINT" \
-H "Content-Type: application/json" \
-d "$REQUEST_BODY" | \
while IFS= read -r line; do
if [ -n "$line" ]; then
echo "$line" | jq -r '.response // empty'
fi
done > "$OUTPUT_PATH"; then
echo -e "${GREEN}OK${NC}"
else
echo -e "${RED}FAILED${NC}"
echo -e "${RED}Error: Failed to analyze with Ollama${NC}"
exit 1
fi
echo -e "\n${GREEN}Analysis complete!${NC}"
echo -e "${YELLOW}Results saved to: $OUTPUT_PATH${NC}"
echo -e "${YELLOW}You can view the results by opening: $OUTPUT_PATH${NC}"
+92
View File
@@ -0,0 +1,92 @@
# Database Backup System
Local Deep Research includes an automatic database backup system that creates encrypted backups of your user database after each successful login.
## Overview
- **Automatic**: Backups run in the background after login without blocking the UI
- **Encrypted**: Backups use the same encryption as your main database
- **Safe**: Uses SQLCipher's `sqlcipher_export()` for atomic backups that work correctly with WAL mode
- **Configurable**: Enable/disable and configure retention via settings
- **Pre-migration**: A backup is automatically created before any database schema migration
## How It Works
1. When you log in successfully, a background backup is scheduled
2. Only one backup per calendar day is created — subsequent logins the same day are skipped to prevent a corrupted database from overwriting all good backups
3. The backup runs in a separate thread (non-blocking)
4. Uses `sqlcipher_export()` to create an encrypted copy preserving all cipher settings
5. Old backups are automatically cleaned up based on your retention settings
6. Before database migrations, a backup is always created regardless of the daily limit
## Backup Location
Backups are stored in:
```
{data_directory}/encrypted_databases/backups/{user_hash}/
```
Where `{user_hash}` is the first 16 hex characters of the SHA-256 hash of your username.
Each backup file is named with a timestamp:
```
ldr_backup_20250125_143022.db
```
## Settings
Configure backup behavior in Settings > Backup:
| Setting | Default | Description |
|---------|---------|-------------|
| **Enable Auto-Backup** | `true` | Enable/disable automatic backups on login. Disable if disk space is limited. |
| **Max Backups** | `1` | Maximum number of backup files to keep (1-30) |
| **Backup Retention (days)** | `7` | Delete backups older than this many days |
**Note**: Each backup is a full encrypted copy of your database and cannot be compressed. With the default of 1 backup, disk usage equals your database size. Users with large databases (e.g., containing uploaded PDFs) should monitor disk usage and can reduce the backup count or disable backups entirely via the **Enable Auto-Backup** setting if disk space is limited.
## Why sqlcipher_export()?
We use SQLCipher's `sqlcipher_export()` instead of `VACUUM INTO` or simple file copy because:
1. **Encryption Preservation**: `VACUUM INTO` does not preserve SQLCipher encryption settings. `sqlcipher_export()` correctly copies data while maintaining the same encryption key and cipher configuration
2. **WAL Safety**: Regular file copy can corrupt databases using WAL (Write-Ahead Logging) mode
3. **Atomic Operation**: The backup uses ATTACH + export + DETACH, and is written to a temporary file then atomically renamed
4. **Integrity Verification**: Each backup is verified with `PRAGMA quick_check` before being finalized
## Restoring from Backup
To restore from a backup:
1. Stop the application
2. Locate your backup in the backup directory
3. Copy it to replace your current database file (keep the `.salt` file alongside it)
4. Restart the application
**Important**: The backup uses the same password as when it was created. If you've changed your password since the backup, you'll need to use the old password to access it.
## Troubleshooting
### Backups not being created
1. Check if backups are enabled in Settings
2. Check the logs for backup-related errors
3. Verify sufficient disk space (requires 2x database size)
### Disk space issues
The system checks for available disk space before creating a backup. If you see "Insufficient disk space" errors:
1. Free up disk space
2. Reduce the max backup count setting
3. Reduce the retention days setting
### Backup verification failed
If you see "Backup verification failed" in logs, the backup may be corrupted. This can happen if:
1. The disk ran out of space during backup
2. There was a system crash during backup
3. The source database is corrupted
In this case, the corrupted backup file is automatically deleted.