Add CMake and CI Pipeline for ModSecurityIIS in ModSecurity V2

[A13501350]

What

• Added CMake build scripts for IIS components
• Implemented Windows CI pipeline (GitHub Actions) using CMake builds
• Used vcpkg for dependencies
• Modified WiX Toolset scripts for MSI package installer

Why

• Enables building newer versions of ModSecurity IIS via CI

Note:

• These changes still require additional testing verification.
• ssdeep support exists in the original Makefile but is not enabled by default, as it requires msys2 environment and runtime dependencies

[airween]

Hi @A13501350,

first of all, many thanks for this PR.

Note:

• These changes still require additional testing verification.

What kind of testing you think about? Do you want to add them before the merge (I mean are you still working on it?)?

• ssdeep support exists in the original Makefile but is not enabled by default, as it requires msys2 environment and runtime dependencies

A readme would be grateful, I would add that into our Wiki that describe how to make module for IIS on Windows. That could contain these dependencies too.

What do you think?

[airween]

And one more thing: could you pick up your last PR (#3443) into this PR? I think a rebase from v2/master would be enough. Just see it works as we expect. Thanks!

[airween]

@A13501350, please take a look at the SonarCloud issues:
https://sonarcloud.io/project/security_hotspots?id=owasp-modsecurity_ModSecurity&pullRequest=3452&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true

[A13501350]

Run msys2/setup-msys2@847bbebdb774c27cd90b723718456dd14637b641
  with:
    msystem: UCRT64
    update: true
    install: git make autoconf automake libtool mingw-w64-ucrt-x86_64-gcc mingw-w64-ucrt-x86_64-pkg-config
  
    path-type: minimal
    pacboy: false
    release: true
    location: RUNNER_TEMP
    platform-check-severity: fatal
    cache: true
  env:
    APACHE_ROOT: C:\tools\Apache24
Error: File not found: 'D:\a\_actions\msys2\setup-msys2\847bbebdb774c27cd90b723718456dd14637b641\index.js'

I tried using the full commit hash msys2/setup-msys2@847bbeb, but it didn't work. Also, since this dependency updates frequently, I'm not sure if pinning to a specific commit is the best approach.

[airween]

I tried using the full commit hash msys2/setup-msys2@847bbeb, but it didn't work. Also, since this dependency updates frequently, I'm not sure if pinning to a specific commit is the best approach.

No worries, at this time it would be enough to add a stable IIS build on Windows. Just make those lines as comment. Probably the Sonar issues will disappear too.

[A13501350]

I noticed ssdeep was disabled in commit b02256c, but after testing, ssdeep appears to compile and link normally with no apparent functionality impact, so I've re-enabled it.

[A13501350]

Though it does require msys2 for compilation

[airween]

Though it does require msys2 for compilation

I see. Then let's see how can you solve that (it would be nice to disappear the Sonar issue).

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[A13501350]

Done. However, there are other actions using tags instead of SHA hashes, and I believe the best practice is to use a bot like Dependabot to check for updates.

[airween]

Thanks! I think that's excellent now!

I believe the best practice is to use a bot like Dependabot to check for updates.

yes, you're right, we should involve that.