Please report security issues privately using GitHub's private vulnerability reporting feature for this repository:
Open a private security advisory
Do not file public issues for security vulnerabilities.
This project is maintained on a best-effort basis by a single maintainer. There is no SLA for triage or fixes. I will acknowledge reports when I am able and prioritize based on severity and exploitability.
Only the latest released version receives security fixes. Older versions are not patched.
In scope:

- The `kustology` Python package and its public API
- Build, release, and CI workflows in this repository
- The bundled `Kusto.Language.dll`, insofar as how this package loads or wraps it
Out of scope:

- Vulnerabilities in upstream `Kusto.Language` itself — report those to Microsoft
- Vulnerabilities in transitive Python dependencies — report to their respective maintainers
Every release pins `Kusto.Language.dll` to a specific `Microsoft.Azure.Kusto.Language` NuGet version with a SHA-256 hash. The pin lives in `src/kustology/bin/VERSION.txt` and in `pyproject.toml` under `[tool.kustology] kusto_language_version`.
Two verification paths, both run in CI on every push:

- Offline hash check: `shasum -a 256 src/kustology/bin/Kusto.Language.dll` must match the `sha256` field in `bin/VERSION.txt`.
- NuGet re-fetch: `python scripts/verify_dll.py` downloads the pinned NuGet package, hashes every `Kusto.Language.dll` inside, and confirms one is byte-identical to the bundled file. Pure Python; no `dotnet` required.

This converts "trust the maintainer" into "trust Microsoft + you can verify offline."
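As an added illustration of the NuGet re-fetch check (this is not the project's own `scripts/verify_dll.py`), the snippet below hashes every `Kusto.Language.dll` inside a package archive and compares it against both the bundled file and the pin. Downloading the `.nupkg` is left to the caller; the package bytes and DLL contents used here are constructed inline so it runs offline.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

DLL_NAME = "Kusto.Language.dll"

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the same digest the offline `shasum -a 256` check compares."""
    return hashlib.sha256(data).hexdigest()

def dll_hashes_in_nupkg(nupkg_bytes: bytes) -> Dict[str, str]:
    """Map every Kusto.Language.dll entry in a .nupkg (a ZIP) to its SHA-256.
    Matching on the basename catches one DLL per target framework (lib/<tfm>/...)."""
    hashes: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.rsplit("/", 1)[-1] == DLL_NAME:
                hashes[info.filename] = sha256_hex(zf.read(info))
    return hashes

def verify_bundled_dll(bundled: bytes, pinned_sha256: str, nupkg_bytes: bytes) -> dict:
    """Both policy checks: the bundled file matches the pin, and one DLL inside the
    re-fetched package is byte-identical to it. Per-check results let CI say which failed."""
    bundled_hash = sha256_hex(bundled)
    in_package = dll_hashes_in_nupkg(nupkg_bytes)
    matching: List[str] = [p for p, h in in_package.items() if h == bundled_hash]
    pin_ok = bundled_hash == pinned_sha256.strip().lower()
    return {
        "bundled_sha256": bundled_hash,
        "pin_matches": pin_ok,
        "package_dll_count": len(in_package),
        "matching_entries": matching,
        "ok": pin_ok and bool(matching),
    }

def build_sample_nupkg(entries: Dict[str, bytes]) -> bytes:
    """Constructed stand-in for a downloaded .nupkg; NOT a real Microsoft package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

if __name__ == "__main__":
    dll = b"MZ" + b"\x00" * 62 + b"constructed-dll-body"  # constructed bytes, not a real DLL
    pkg = build_sample_nupkg({"lib/netstandard2.0/Kusto.Language.dll": dll,
                              "lib/net8.0/Kusto.Language.dll": dll + b"-other-tfm"})
    print(verify_bundled_dll(dll, sha256_hex(dll), pkg)["ok"])           # True
    print(verify_bundled_dll(dll + b"\x00", sha256_hex(dll), pkg)["ok"])  # False
```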
If your policy requires NuGet's signed-package signature, run `nuget verify -All <path-to-nupkg>` against a freshly fetched package.
If you'd rather use a DLL you fetched yourself:

```sh
python scripts/refresh_dll.py                         # uses the pinned version
python scripts/refresh_dll.py --version 12.3.2 --pin
```

This requires dotnet 8.0+, runs `dotnet publish` against a temporary `.csproj`, copies the resulting `Kusto.Language.dll` into `bin/`, and updates `VERSION.txt`.