Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
384 changes: 194 additions & 190 deletions README.md

Large diffs are not rendered by default.

59 changes: 59 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
# Security Policy

## Supported Versions

We actively support and provide security patches for the following versions of Boss:

| Version | Supported |
| ------- | ------------------ |
| latest | ✅ Yes |
| < 2.0 | ❌ No |

## Reporting a Vulnerability

**Please do not open a public GitHub issue for security vulnerabilities.**

To report a security issue, please use one of the following methods:

1. **GitHub Private Vulnerability Reporting** (preferred):
Navigate to the [Security Advisories](https://github.com/HashLoad/boss/security/advisories/new) page
and submit a private advisory.

2. **Email**: Send details to `security@hashload.com` with the subject line:
`[SECURITY] Boss - <brief description>`

### What to include

- Description of the vulnerability and its potential impact
- Steps to reproduce or proof-of-concept
- Affected version(s) and environment (OS, Delphi version)
- Any suggested mitigation or fix

### Response Timeline

| Stage | Target SLA |
| ----------------- | ----------------- |
| Acknowledgement | ≤ 3 business days |
| Initial triage | ≤ 7 business days |
| Fix / Advisory | ≤ 90 days |

We will keep you informed throughout the process and credit you in the release notes
(unless you prefer to remain anonymous).

## Scope

This policy covers the **Boss CLI binary** (`boss.exe` / `boss`) and the Go source code
in this repository. It does **not** cover:

- Third-party packages installed via `boss install` (report those to their respective maintainers)
- The PubPascal portal (report to `security@pubpascal.dev`)

## CRA Compliance

Boss ships a machine-readable **Software Bill of Materials (SBOM)** with every release
and maintains this vulnerability-disclosure policy in accordance with the
[EU Cyber Resilience Act (CRA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2847)
Article 14 (active vulnerability management) and Annex I Part II (secure development).

The SBOM is published as `sbom.cdx.json` (CycloneDX 1.6) at each
[GitHub release](https://github.com/HashLoad/boss/releases).
217 changes: 87 additions & 130 deletions go.mod

Large diffs are not rendered by default.

363 changes: 2 additions & 361 deletions go.sum

Large diffs are not rendered by default.

87 changes: 87 additions & 0 deletions internal/adapters/primary/cli/cmd_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ func TestRootCommand(t *testing.T) {
t.Run("register commands", func(t *testing.T) {
// These should not panic
versionCmdRegister(root)
pubpascalCmdRegister(root)

// Verify command was added
if root.Commands() == nil {
Expand Down Expand Up @@ -117,6 +118,8 @@ func TestCommandHelp(t *testing.T) {
// Register all commands
versionCmdRegister(root)
installCmdRegister(root)
pubpascalCmdRegister(root)
craCmdRegister(root)

for _, cmd := range root.Commands() {
t.Run(cmd.Use, func(t *testing.T) {
Expand Down Expand Up @@ -160,3 +163,87 @@ func TestRootHelp(t *testing.T) {
t.Error("Root command should produce help output")
}
}

// TestPubPascalCommands tests that the PubPascal commands are registered correctly.
func TestPubPascalCommands(t *testing.T) {
root := &cobra.Command{Use: "boss"}
pubpascalCmdRegister(root)

// Check workspace command
var workspaceCmd *cobra.Command
for _, cmd := range root.Commands() {
if cmd.Name() == "workspace" {
workspaceCmd = cmd
break
}
}
if workspaceCmd == nil {
t.Fatal("Workspace command not found")
}

// Check workspace subcommands
expectedWorkspaceSubcmds := map[string]bool{
"clone": false,
"status": false,
"update": false,
"push": false,
}
for _, cmd := range workspaceCmd.Commands() {
if _, ok := expectedWorkspaceSubcmds[cmd.Name()]; ok {
expectedWorkspaceSubcmds[cmd.Name()] = true
}
}
for cmd, found := range expectedWorkspaceSubcmds {
if !found {
t.Errorf("Workspace subcommand '%s' not found", cmd)
}
}

// Check pkg command and root commands
var pkgCmd *cobra.Command
var sbomCmd *cobra.Command
var scanCmd *cobra.Command
var publishSbomCmd *cobra.Command
for _, cmd := range root.Commands() {
switch cmd.Name() {
case "pkg":
pkgCmd = cmd
case "sbom":
sbomCmd = cmd
case "scan":
scanCmd = cmd
case "publish-sbom":
publishSbomCmd = cmd
}
}
if pkgCmd == nil {
t.Fatal("Pkg command not found")
}
if sbomCmd == nil {
t.Error("Root command 'sbom' not found")
}
if scanCmd == nil {
t.Error("Root command 'scan' not found")
}
if publishSbomCmd == nil {
t.Error("Root command 'publish-sbom' not found")
}

// Check pkg subcommands
expectedPkgSubcmds := map[string]bool{
"spec": false,
"pack": false,
"sign": false,
"verify": false,
}
for _, cmd := range pkgCmd.Commands() {
if _, ok := expectedPkgSubcmds[cmd.Name()]; ok {
expectedPkgSubcmds[cmd.Name()] = true
}
}
for cmd, found := range expectedPkgSubcmds {
if !found {
t.Errorf("Pkg subcommand '%s' not found", cmd)
}
}
}
Loading
Loading