From aa70e1dc94b8c32d615073da94d2ca5fb5be01ac Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Mon, 15 Jan 2024 12:39:34 +0530
Subject: [PATCH 1/3] util/streaming-buffer: remove unneeded fn param

StreamingBuffer is not required to find the intersecting regions, so, don't pass it as a param to the fn.
---
 src/util-streaming-buffer.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c
index 6ff4f438a40a..b396ef04c765 100644
--- a/src/util-streaming-buffer.c
+++ b/src/util-streaming-buffer.c
@@ -123,7 +123,7 @@ StreamingBufferBlock *SBB_RB_FIND_INCLUSIVE(struct SBB *head, StreamingBufferBlo
 * \brief does data region intersect with list region 'r'
 * Takes the max gap into account.
 */
-static inline bool RegionsIntersect(const StreamingBuffer *sb, const StreamingBufferConfig *cfg,
+static inline bool RegionsIntersect(const StreamingBufferConfig *cfg,
 const StreamingBufferRegion *r, const uint64_t offset, const uint64_t re)
 {
 /* create the data range for the region, adding the max gap */
@@ -158,7 +158,7 @@ static StreamingBufferRegion *FindFirstRegionForOffset(const StreamingBuffer *sb
 StreamingBufferRegion *p = NULL;
 for (; r != NULL; r = r->next) {
- if (RegionsIntersect(sb, cfg, r, offset, data_re) == true) {
+ if (RegionsIntersect(cfg, r, offset, data_re) == true) {
 *prev = p;
 return r;
 }
@@ -182,7 +182,7 @@ static StreamingBufferRegion *FindLargestRegionForOffset(const StreamingBuffer *
 SCLogDebug("checking: %p/%" PRIu64 "/%" PRIu64 ", offset %" PRIu64 "/%" PRIu64, r, r->stream_offset, reg_re, offset, data_re);
 #endif
- if (!RegionsIntersect(sb, cfg, r, offset, data_re))
+ if (!RegionsIntersect(cfg, r, offset, data_re))
 return candidate;
 if (r->buf_size > candidate->buf_size) {
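Review bot: With `sb` no longer forwarded to `RegionsIntersect()`, the `const StreamingBuffer *sb` parameter of `FindFirstRegionForOffset()` may now be unused, and the same applies to `FindLargestRegionForOffset()` and `FindRightEdge()` in the later hunks. Their bodies start and end outside the hunks, so this needs confirming against the full functions; if `sb` has no other use there, drop it from those signatures too so that a lingering unused-parameter warning does not mask a real one. Separately, this call site still compares against `true` while the other call sites test the result directly; `if (RegionsIntersect(cfg, r, offset, data_re)) {` would match them.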
@@ -200,7 +200,7 @@ static StreamingBufferRegion *FindRightEdge(const StreamingBuffer *sb,
 const uint64_t data_re = offset + len;
 StreamingBufferRegion *candidate = r;
 for (; r != NULL; r = r->next) {
- if (!RegionsIntersect(sb, cfg, r, offset, data_re)) {
+ if (!RegionsIntersect(cfg, r, offset, data_re)) {
 SCLogDebug(
 "r %p is out of scope: %" PRIu64 "/%u/%" PRIu64, r, offset, len, offset + len);
 return candidate;
@@ -1433,11 +1433,11 @@ static StreamingBufferRegion *BufferInsertAtRegion(StreamingBuffer *sb,
 data_offset + data_len);
 ListRegions(sb);
- if (RegionsIntersect(sb, cfg, &sb->region, data_offset, data_offset + data_len)) {
+ if (RegionsIntersect(cfg, &sb->region, data_offset, data_offset + data_len)) {
 SCLogDebug("data_offset %" PRIu64 ", data_len %u intersects with main region (next %p)", data_offset, data_len, sb->region.next);
 if (sb->region.next == NULL ||
- !RegionsIntersect(sb, cfg, sb->region.next, data_offset, data_offset + data_len)) {
+ !RegionsIntersect(cfg, sb->region.next, data_offset, data_offset + data_len)) {
 SCLogDebug(
 "data_offset %" PRIu64 ", data_len %u intersects with main region, no next or way before next region",
From ad48175ac95e06ceb86ce878ec88d7dcb7ea5fa2 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 30 Jan 2024 19:58:16 +0100
Subject: [PATCH 2/3] Revert "detect: do not store state without flags"

This reverts commit 2fb50598f23b112f14ec15330e11c40b74caa35f. Logic is incorrect, a shown by failing tests.
---
 src/detect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/detect.c b/src/detect.c
index 72e40eaff3fd..659f96441b29 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1218,7 +1218,7 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
 } else if ((inspect_flags & DE_STATE_FLAG_FULL_INSPECT) == 0 && mpm_in_progress) {
 TRACE_SID_TXS(s->id, tx, "no need to store no-match sig, " "mpm will revisit it");
- } else if (inspect_flags != 0 || file_no_match != 0) {
+ } else {
 TRACE_SID_TXS(s->id, tx, "storing state: flags %08x", inspect_flags);
 DetectRunStoreStateTx(scratch->sgh, f, tx->tx_ptr, tx->tx_id, s, inspect_flags, flow_flags, file_no_match);
From 2e3d4e65ff61618d08dd42822cf652ac413b1bdd Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 30 Jan 2024 20:42:16 +0100
Subject: [PATCH 3/3] ci: update scorecard analysis workflow

---
 .github/workflows/scorecards-analysis.yml | 29 ++++++++++-------------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 3b6612849206..07d4eda8121f 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
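Review bot: The restored bare `else` stores per-transaction state even when `inspect_flags` and `file_no_match` are both zero, and nothing in the code records why that case has to be stored. The commit message only says the narrower condition was shown wrong by failing tests, so the branch deserves a comment such as `/* store state even with no flags set: skipping it was tried in 2fb50598f23b and reverted */` to keep the same optimisation from being reintroduced. Naming the failing tests in the commit message would also let a reviewer confirm which detection behaviour depends on this stored state. The body of `DetectRunTxInspectRule()` starts and ends outside the hunk.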
@@ -17,39 +17,36 @@ jobs:
 permissions:
 # Needed to upload the results to code-scanning dashboard.
 security-events: write
- actions: read
- contents: read
+ id-token: write
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v3.5.3
- with:
- persist-credentials: false
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: "Run analysis"
- uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v1.0.1
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
 with:
 results_file: results.sarif
 results_format: sarif
- # Read-only PAT token. To create it,
- # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
 repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
- # Publish the results to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`,
- # regardless of the value entered here.
+ # Scorecard team runs a weekly scan of public GitHub repos,
+ # see https://github.com/ossf/scorecard#public-data.
+ # Setting `publish_results: true` helps us scale by leveraging your workflow to
+ # extract the results instead of relying on our own infrastructure to run scans.
+ # And it's free for you!
 publish_results: true
- # Upload the results as artifacts (optional).
+ # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+ # Optional.
 - name: "Upload artifact"
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v3
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v2 # v1.0.26
+ - name: "Upload SARIF results"
+ uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
 with:
 sarif_file: results.sarif
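Review bot: The checkout step no longer sets `persist-credentials: false`, so the workflow token stays in the checked-out repository's git configuration for every later step, including the third-party actions that follow. None of the visible steps pushes to the repository, so the two removed lines `with:` and `persist-credentials: false` should be kept under the newly pinned `actions/checkout` reference. The job now grants `id-token: write` next to `security-events: write` without saying why; a short comment on that line (presumably it is needed for `publish_results: true`) would help whoever next audits these permissions. The trailing `# v3` and `# v1` on the upload-artifact and upload-sarif pins are also less exact than `# v4.1.1` and `# v2.3.1` above, and naming the exact release would make each SHA checkable.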