From 369ff50b25689a8857285aec7857d8ee734dbf68 Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 13:15:35 -0300 Subject: [PATCH 1/5] Add dependabot configuration Add scorecard workflow Add codeql workflow Add dependency-check workflow --- .github/dependabot.yml | 13 ++++ .github/workflows/codeql.yml | 91 +++++++++++++++++++++ .github/workflows/dependency-review.yml | 20 ++++++ .github/workflows/scorecard.yml | 47 +++++++++++++ 4 files changed, 171 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..9b28445ce
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ # Maintain dependencies for Docker
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
\ No newline at end of file
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..35e9c7c64
--- /dev/null
+++ b/.github/workflows/codeql.yml
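Review bot: The `updates` list covers only `github-actions` and `docker`, so the Gradle dependencies that make up the node itself (the build jobs in this series run `./gradlew … build`) get no automated update PRs from this file. Add a third entry, `- package-ecosystem: gradle` / `directory: /` / `schedule: interval: weekly`, so library advisories surface the same way action and base-image bumps do. `interval: daily` on two ecosystems will also produce a steady stream of SHA-bump PRs; `weekly` plus a `groups:` block keeps them reviewable, though that is a preference rather than a defect. The file is also missing its trailing newline.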
@@ -0,0 +1,91 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master", "*-rc" ]
+ pull_request:
+ branches: [ "master", "*-rc" ]
+ schedule:
+ - cron: "0 0 * * *"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ java ]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+
+ - name: Setup Java JDK
+ if: ${{ matrix.language == 'java' }}
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ - name: Checkout RSKj repo
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+ with:
+ repository: rsksmart/rskj
+ token: ${{ secrets.GITHUB_TOKEN }}
+ path: rskj
+ fetch-depth: 0
+
+ - name: Check out appropriate rskj reference
+ if: ${{ matrix.language == 'java' }}
+ working-directory: rskj
+ env:
+ CHECKOUT_REF: ${{ github.head_ref }}
+ run: |
+ git switch "$CHECKOUT_REF"
+
+ - name: Set DONT-COMMIT-settings.gradle
+ if: ${{ matrix.language == 'java' }}
+ run: |
+ cat <<'EOF' >DONT-COMMIT-settings.gradle
+ includeBuild('./rskj') {
+ dependencySubstitution {
+ all { DependencySubstitution dependency ->
+ if (dependency.requested instanceof ModuleComponentSelector
+ && dependency.requested.group == 'co.rsk'
+ && dependency.requested.module == 'rskj-core'
+ && (dependency.requested.version.endsWith('SNAPSHOT') || dependency.requested.version.endsWith('RC'))) {
+ def targetProject = project(":${dependency.requested.module}")
+ if (targetProject != null) {
+ println('---- USING LOCAL ' + dependency.requested.displayName + ' PROJECT ----')
+ dependency.useTarget targetProject
+ }
+ }
+ }
+ }
+ }
+ EOF
+
+ - name: Before Index (java)
+ if: ${{ matrix.language == 'java' }}
+ run: ./configure.sh
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13
+ with:
+ category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..e513e55f8
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,20 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions: read-all
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+ with:
+ fail-on-severity: high
+ comment-summary-in-pr: true
\ No newline at end of file
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 000000000..d357502f8
--- /dev/null
+++ b/.github/workflows/scorecard.yml
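Review bot: The rskj checkout step runs `git switch "$CHECKOUT_REF"` with `CHECKOUT_REF: ${{ github.head_ref }}`, but `head_ref` is only populated for `pull_request` events; on the `push` and `schedule` triggers this workflow also declares it expands to an empty string, `git switch ""` fails, and the scheduled and post-merge CodeQL runs never reach analysis. Derive the ref with a fallback, e.g. `CHECKOUT_REF: ${{ github.head_ref || github.ref_name }}` and `git switch "$CHECKOUT_REF" || git switch master`, or reuse whatever branch-selection logic build_and_test.yml already feeds into the same variable — which rskj branch is correct for a given powpeg branch is not visible here. Separately, that checkout passes `token: ${{ secrets.GITHUB_TOKEN }}` and leaves `persist-credentials` at its default of `true`, which writes the token into `rskj/.git/config` even though the later steps only read the tree; add `persist-credentials: false` under `with:` as scorecard.yml in this same commit already does. The job-level `security-events: write` on top of the `read-all` default is the right shape for uploading results.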
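Review bot: `actions/dependency-review-action` only sees what is in GitHub's dependency graph, and as far as I know the graph does not parse Gradle build files on its own (Maven `pom.xml` yes, `build.gradle` no), so for this repo the review will effectively cover the actions and Docker manifests but not the Java libraries that `fail-on-severity: high` is presumably meant to gate. Either add a dependency-submission step for Gradle ahead of this one, or document the limitation in the workflow with a comment such as `# NOTE: Java deps are only reviewed once the dependency graph is populated by a Gradle dependency-submission workflow`. `comment-summary-in-pr: true` needs the `pull-requests: write` that is granted here, but on pull requests from forks the token is read-only and the comment may not be posted; `on-failure` is the usual compromise and still fails the check. The file also lacks a trailing newline.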
@@ -0,0 +1,47 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '33 2 * * 2'
+ push:
+ branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+ with:
+ sarif_file: results.sarif
From d59368e74672fd503235089f6bc51a9fb10d98d9 Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 15:34:12 -0300 Subject: [PATCH 2/5] Pin dependencies Bump actions --- .github/workflows/build-push-docker.yml | 12 +++--- .github/workflows/build_and_test.yml | 57 ++++++++++++------------- .github/workflows/reproducible.yml | 4 +- .github/workflows/rit.yml | 2 +- Dockerfile | 4 +- 5 files changed, 38 insertions(+), 41 deletions(-)
diff --git a/.github/workflows/build-push-docker.yml b/.github/workflows/build-push-docker.yml
index 94cdaf4d5..00e39d677 100644
--- a/.github/workflows/build-push-docker.yml
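Review bot: The two elevated scopes on the `analysis` job are undocumented; a reader has to know the Scorecard template to see that `id-token: write` exists only so `publish_results: true` can authenticate the upload via OIDC and that `security-events: write` is for the final `upload-sarif` step, so add a one-line why-comment above each (`# needed to publish results and get the badge (publish_results below)` and `# needed to upload the results to code-scanning`). `publish_results: true` makes the per-check findings public on the scorecard viewer; that is the intent for a public project but worth a comment so nobody flips it without knowing what it exposes. The `github/codeql-action/upload-sarif` pin here (`c36620d… # v3.26.12`) lags the `v3.26.13` SHA used for init/autobuild/analyze in codeql.yml by one patch release; keeping all four on one SHA lets Dependabot bump them together and avoids auditing two copies of the same action.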
+++ b/.github/workflows/build-push-docker.yml @@ -16,7 +16,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Set version id: vars @@ -24,7 +24,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1 with: images: | ${{ env.DOCKERHUB_REPO }} @@ -36,12 +36,12 @@ jobs: type=match,pattern=(\w+-\d+)\.\d+\.\d+.*,group=1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1 with: driver: docker - name: Build Docker Image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 #v6.9.0 with: context: . tags: ${{ steps.meta.outputs.tags }} @@ -49,13 +49,13 @@ jobs: build-args: RSK_RELEASE=${{ steps.vars.outputs.tag }} - name: DockerHub login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: GitHub container registry login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index 56ed6b6d9..d20fa4b83 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -6,10 +6,7 @@ on: - master - "*-rc" pull_request: - types: - - opened - - synchronize - - reopened + types: [ opened, synchronize, reopened] branches: - "**" @@ -21,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup run: | 
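Review bot: The `docker/build-push-action` change is a major bump (`v5` → `v6.9.0`) inside a commit titled "Pin dependencies", while every other action here stays on its current major; as I recall v6 changed defaults (it exports a build record and summary to the run by default), so confirm the produced image and tags are unchanged and nothing unwanted lands in the job summary, or keep the v5 SHA in this commit and bump separately with its own message. The version-comment style also varies within the file (`#v3.7.1` vs `# v3.3.0`); Dependabot maintains either form, but one form is easier to grep and lint. With `driver: docker` on the buildx step, provenance and SBOM attestations are unavailable regardless of the action version, which deserves a comment if supply-chain metadata on the published image is a goal.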
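Review bot: The `pull_request` `types:` list in build_and_test.yml was collapsed from block style into flow style with uneven spacing, `types: [ opened, synchronize, reopened]`; the block list matched the rest of the file and is the more diff-friendly form, so either revert it or at least write `[opened, synchronize, reopened]`. The change is unrelated to the pinning the commit message describes and would be easier to review on its own.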
@@ -37,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout RSKj repo - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 with: repository: rsksmart/rskj token: ${{ secrets.GITHUB_TOKEN }} @@ -84,7 +81,7 @@ jobs: git switch "$CHECKOUT_REF" - name: Persist RSKJ - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: rskj path: rskj @@ -95,24 +92,24 @@ jobs: needs: clone_rskj_repo steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 with: fetch-depth: 0 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - name: Download rskj - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: rskj path: rskj - - uses: actions/cache@v4 + - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Cache Gradle Wrapper id: cache-gradle-wrapper with: @@ -151,7 +148,7 @@ jobs: ./gradlew --no-daemon --stacktrace clean build -x test - name: Persist Build files - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: build_files path: | 
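Review bot: The `Checkout RSKj repo` step still passes `token: ${{ secrets.GITHUB_TOKEN }}` and leaves `persist-credentials` at its default of `true`, so the token is written into `rskj/.git/config`, and the `Persist RSKJ` step a few lines down uploads that whole directory as the `rskj` artifact that every later job downloads. The token is short-lived, but shipping a `.git` directory with an embedded credential through artifacts is an avoidable habit; since the only git operation in view after checkout is `git switch "$CHECKOUT_REF"`, add `persist-credentials: false` under `with:` (scorecard.yml in this same series already does). Note also that, as I recall, `actions/upload-artifact` v4.4 and later skips hidden files unless `include-hidden-files: true` is set, so `.git` and any other dotfiles rskj's build needs may not be in the artifact at all — if that is intended it deserves a comment on the upload step, and if downstream jobs rely on them the flag is required.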
@@ -164,28 +161,28 @@ jobs: needs: build_federator_node steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - name: Download Build files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: build_files path: ./ - name: Download rskj - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: rskj path: rskj - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | @@ -198,7 +195,7 @@ jobs: ./gradlew --no-daemon --stacktrace test - name: Persist test results for sonar - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: test-results path: | @@ -206,7 +203,7 @@ jobs: retention-days: 7 - name: Persist test reports for sonar - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: test-reports path: | 
@@ -218,28 +215,28 @@ jobs: needs: build_federator_node steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '21' distribution: 'temurin' cache: 'gradle' - name: Download Build files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: build_files path: ./ - name: Download rskj - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: rskj path: rskj - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | 
@@ -256,38 +253,38 @@ jobs: needs: federator-tests-java17 steps: - name: Download Build files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: build_files - name: Download rskj - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: rskj path: rskj - name: Download test results - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: test-results path: | build/test-results/ - name: Download test reports - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: test-reports path: | build/reports/ - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | diff --git a/.github/workflows/reproducible.yml b/.github/workflows/reproducible.yml index 327b39078..3f87ae2e1 100644 --- a/.github/workflows/reproducible.yml +++ b/.github/workflows/reproducible.yml @@ -16,7 +16,7 @@ jobs: apt-get update -y && apt-get install -y git curl gnupg - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Set version id: vars @@ -44,7 +44,7 @@ jobs: cat build/libs/SHA256SUMS - name: Export artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: ${{ steps.vars.outputs.tag }} path: build/libs/ diff --git a/.github/workflows/rit.yml b/.github/workflows/rit.yml index 147e060bc..a39477453 100644 --- a/.github/workflows/rit.yml 
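Review bot: Both bumps in reproducible.yml skip two majors (`actions/checkout` v2 → v4.2.1, `actions/upload-artifact` v2 → v4.4.3), and the `apt-get install -y git curl gnupg` context suggests the job runs inside a container image; v4 of both actions is a Node 20 action, so the container's glibc must be new enough for Node 20 or the step may fail before any code runs — worth one manual run before a release depends on it. `upload-artifact` v4 also changed semantics: artifact names must be unique within a run, an artifact cannot be appended to, and hidden files are skipped unless `include-hidden-files: true`; `name: ${{ steps.vars.outputs.tag }}` is unique per release, so that part looks fine. For a reproducible-build workflow the SHA pin is load-bearing, so say so above the checkout, e.g. `# pinned by SHA: the reproducibility claim covers the toolchain that runs this build`.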
+++ b/.github/workflows/rit.yml @@ -22,7 +22,7 @@ jobs: timeout-minutes: 60 steps: - name: Checkout Repository # Step needed to access the PR description using github CLI - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Set Branch Variables id: set-branch-variables diff --git a/Dockerfile b/Dockerfile index b2c8df5b4..4ed5208b2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM eclipse-temurin:17-jdk AS build +FROM eclipse-temurin:17-jdk@sha256:08295ab0f5007a37cbcc6679a8447a7278d9403f9f82acd80ed08cd10921e026 AS build ARG RSK_RELEASE ENV RSK_VERSION $RSK_RELEASE @@ -20,7 +20,7 @@ RUN gpg --keyserver https://secchannel.rsk.co/SUPPORT.asc --recv-keys 1DC9157991 ./gradlew --no-daemon clean build -x test && \ cp "build/libs/federate-node-$RSK_VERSION-all.jar" rsk.jar -FROM eclipse-temurin:17-jre + FROM eclipse-temurin:17-jre@sha256:f1515395c0695910a3ca665e973cc11013d1f50d265e61cb8c9156e999d914b4 LABEL org.opencontainers.image.authors="ops@rootstocklabs.com" RUN useradd -ms /sbin/nologin -d /var/lib/rsk rsk From 3f3a01293168620ce9479c5e3bd7d78e6396d4ee Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 15:35:04 -0300 Subject: [PATCH 3/5] Add Scorecard badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b358bd4ff..78e866e53 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Welcome to RskJ Powpeg Node - +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rsksmart/powpeg-node/badge)](https://scorecard.dev/viewer/?uri=github.com/rsksmart/powpeg-node) ## About From 591fbd80e6235941501996a05b31eca844a08570 Mon Sep 17 00:00:00 2001 
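Review bot: The runtime-stage line is added as `+ FROM eclipse-temurin:17-jre@sha256:…` with a leading space, unlike the build-stage `+FROM …` line; if that space is really in the patch rather than an artifact of this rendering, drop it — Docker tolerates whitespace before an instruction, but linters flag it and it is inconsistent with the rest of the file. The digest pins are the right move, and keeping the `17-jdk`/`17-jre` tags beside the digests is what lets the new Dependabot `docker` entry roll them forward; add a comment above each so a reader knows what the digest resolves to, e.g. `# eclipse-temurin:17-jre as of 2024-10-17; digest kept current by Dependabot`. The `RUN gpg … --recv-keys` shown in the hunk header is outside this change, but it is the other unpinned trust root in the build stage and deserves the same scrutiny in a follow-up.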
From: Bernardo Codesido Date: Thu, 17 Oct 2024 15:37:48 -0300 Subject: [PATCH 4/5] Fix workflows permissions --- .github/workflows/build-push-docker.yml | 3 +++ .github/workflows/build_and_test.yml | 4 ++-- .github/workflows/dependency-review.yml | 1 + .github/workflows/reproducible.yml | 7 +++++-- .github/workflows/rit.yml | 3 +++ 5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-push-docker.yml b/.github/workflows/build-push-docker.yml
index 00e39d677..203e4b9c9 100644
--- a/.github/workflows/build-push-docker.yml
+++ b/.github/workflows/build-push-docker.yml
@@ -4,6 +4,9 @@ on: tags: - '*'
+# Declare default permissions as read only.
+permissions: read-all
+
env: GHCR_REPO: "ghcr.io/rsksmart/powpeg-node" DOCKERHUB_REPO: "rsksmart/powpeg-node"
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index d20fa4b83..0ac49e8c6 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -10,8 +10,8 @@ on: branches: - "**"
-permissions:
- contents: read
+# Declare default permissions as read only.
+permissions: read-all
jobs: verify_files:
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index e513e55f8..809fb49d5 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,6 +1,7 @@ name: 'Dependency Review' on: [pull_request]
+# Declare default permissions as read only.
permissions: read-all jobs:
diff --git a/.github/workflows/reproducible.yml b/.github/workflows/reproducible.yml
index 3f87ae2e1..3f1a179ff 100644
--- a/.github/workflows/reproducible.yml
+++ b/.github/workflows/reproducible.yml
@@ -1,8 +1,11 @@ name: Reproducible build on: release: - type: - created
+ types:
+ - created
+
+# Declare default permissions as read only.
+permissions: read-all
jobs: build:
diff --git a/.github/workflows/rit.yml b/.github/workflows/rit.yml
index a39477453..9dc567b13 100644
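Review bot: Replacing the explicit `contents: read` in build_and_test.yml with `permissions: read-all` widens the token rather than fixing it: `contents: read` was already the minimal grant, whereas `read-all` hands read on every scope (issues, pull-requests, packages, deployments, …) to every job in the workflow. Scorecard's Token-Permissions check is satisfied by either form, but least privilege says keep `permissions:` / `  contents: read` here and reserve `read-all` for workflows that genuinely read other scopes. For the other files in this commit, adding a top-level default where none existed is a strict improvement, and in build-push-docker.yml the job-level `packages: write` seen in the earlier commit still overrides it for the publishing job, which is the intended shape. The reproducible.yml `type:` → `types:` correction is a real bug fix rather than a permissions change and deserves its own line in the commit message, since the `release` trigger presumably never fired with the misspelled key.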
--- a/.github/workflows/rit.yml
+++ b/.github/workflows/rit.yml
@@ -15,6 +15,9 @@ on: required: false default: 'master'
+# Declare default permissions as read only.
+permissions: read-all
+
jobs: rootstock-integration-tests: name: Rootstock Integration Tests
From 2c0182b8d003c86be386c4683b271cfa0a297207 Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Mon, 28 Oct 2024 15:45:35 -0300 Subject: [PATCH 5/5] add LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000..d98df10c0
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 RootstockLabs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file