diff --git a/.circleci/config.yml b/.circleci/config.yml
index 7b2153184c..4175da6cfe 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,411 +1,26 @@ +# Use the latest 2.1 version of CircleCI pipeline process engine. +# See: https://circleci.com/docs/configuration-reference version: 2.1 -orbs: - windows: circleci/windows@2.4.0 - -commands: - check_windows: - description: "Runs cargo check on Windows" - parameters: - workspace_member: - type: string - steps: - - checkout - - restore_cache: - key: cargo-cache-{{ arch }}-{{ checksum "Cargo.lock" }} - - run: - name: "Install Rust and run cargo check" - command: | - $ProgressPreference = "SilentlyContinue" - Invoke-WebRequest -Uri "https://win.rustup.rs/" -OutFile "C:\rustup-init.exe" - & C:\rustup-init.exe -y --default-toolchain "stable-x86_64-pc-windows-msvc" --no-modify-path --profile minimal - choco install llvm -y - refreshenv - $env:Path += ";C:\Users\circleci\.cargo\bin" - rustc -Vv - cargo --version - rustc --version | Out-File -FilePath "rust-version" - if (!(Test-Path "Cargo.lock" -PathType Leaf)) { - cargo generate-lockfile - } - cd << parameters.workspace_member >> - cargo check --examples --benches --tests - - save_cache: - paths: - - C:\Users\circleci\.cargo\registry - - C:\Users\circleci\.cargo\git - - target - key: cargo-cache-{{ arch }}-{{ checksum "rust-version" }}-{{ checksum "Cargo.lock" }} - - setup_environment: - description: "Setup testing environment" - parameters: - cache_key: - type: string - default: snarkos-stable-cache - steps: - - run: set -e - - setup_remote_docker - - run: - name: Prepare environment and install dependencies - command: | - export SCCACHE_CACHE_SIZE=200M - export WORK_DIR="$CIRCLE_WORKING_DIRECTORY/.cache/sccache" - export SCCACHE_DIR="$CIRCLE_WORKING_DIRECTORY/.cache/sccache" - mkdir -p "$CIRCLE_WORKING_DIRECTORY/.bin" - wget https://github.com/mozilla/sccache/releases/download/v0.3.0/sccache-v0.3.0-x86_64-unknown-linux-musl.tar.gz - tar -C "$CIRCLE_WORKING_DIRECTORY/.bin" -xvf sccache-v0.3.0-x86_64-unknown-linux-musl.tar.gz - mv 
$CIRCLE_WORKING_DIRECTORY/.bin/sccache-v0.3.0-x86_64-unknown-linux-musl/sccache $CIRCLE_WORKING_DIRECTORY/.bin/sccache - export PATH="$PATH:$CIRCLE_WORKING_DIRECTORY/.bin" - export RUSTC_WRAPPER="sccache" - rm -rf "$CIRCLE_WORKING_DIRECTORY/.cargo/registry" - DEBIAN_FRONTEND=noninteractive sudo apt-get update - DEBIAN_FRONTEND=noninteractive sudo apt-get dist-upgrade -y -o DPkg::Options::=--force-confold - DEBIAN_FRONTEND=noninteractive sudo apt-get install -y --no-install-recommends clang llvm-dev llvm pkg-config xz-utils make libssl-dev libssl-dev - - restore_cache: - keys: - - << parameters.cache_key >> - - clear_environment: - description: "Clear environment" - parameters: - cache_key: - type: string - default: snarkos-stable-cache - steps: - - run: (sccache -s||true) - - run: set +e - - save_cache: - key: << parameters.cache_key >> - paths: - - .cache/sccache - - .cargo - - run_serial: - description: "Build and run tests" - parameters: - workspace_member: - type: string - cache_key: - type: string - flags: - type: string - default: "" - steps: - - checkout - - setup_environment: - cache_key: << parameters.cache_key >> - - run: - no_output_timeout: 30m - command: cd << parameters.workspace_member >> && RUST_MIN_STACK=67108864 cargo test << parameters.flags >> - - clear_environment: - cache_key: << parameters.cache_key >> - - run_serial_long: - description: "Build and run long running tests" - parameters: - workspace_member: - type: string - cache_key: - type: string - flags: - type: string - default: "" - steps: - - checkout - - setup_environment: - cache_key: << parameters.cache_key >> - - run: - no_output_timeout: 300m - command: cd << parameters.workspace_member >> && RUST_MIN_STACK=67108864 cargo test << parameters.flags >> - - clear_environment: - cache_key: << parameters.cache_key >> - - run_parallel: - description: "Build and run tests (in parallel)" - parameters: - workspace_member: - type: string - cache_key: - type: string - flags: - type: string - 
default: "" - steps: - - checkout - - setup_environment: - cache_key: << parameters.cache_key >> - - run: - no_output_timeout: 45m - command: | - cd << parameters.workspace_member >> - cargo test -- --list --format terse | sed 's/: test//' > test_names.txt - TEST_NAMES=$(circleci tests split test_names.txt) - for i in $(echo $TEST_NAMES | sed "s/ / /g") - do - RUST_MIN_STACK=67108864 cargo test $i << parameters.flags >> - done - - clear_environment: - cache_key: << parameters.cache_key >> - - install_rust_nightly: - description: "Install Rust nightly toolchain" - steps: - - run: rustup toolchain install nightly-x86_64-unknown-linux-gnu - +# Define a job to be invoked later in a workflow. +# See: https://circleci.com/docs/configuration-reference/#jobs jobs: - integration: - docker: - - image: cimg/rust:1.71.1 - resource_class: 2xlarge - steps: - - run_serial_long: - workspace_member: .integration - cache_key: snarkos-integration-cache - - snarkos: - docker: - - image: cimg/rust:1.71.1 - resource_class: 2xlarge - steps: - - run_serial: - workspace_member: . - cache_key: snarkos-stable-cache - - account: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: account - cache_key: snarkos-account-cache - - cli: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: cli - cache_key: snarkos-cli-cache - - display: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: display - cache_key: snarkos-display-cache - - node: - docker: - - image: cimg/rust:1.71.1 - resource_class: 2xlarge - steps: - - run_serial: - workspace_member: node - cache_key: snarkos-node-cache - - node-cdn: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/cdn - cache_key: snarkos-node-cdn-cache - - node-consensus: + say-hello: + # Specify the execution environment. 
You can specify an image from Docker Hub or use one of our convenience images from CircleCI's Developer Hub. + # See: https://circleci.com/docs/configuration-reference/#executor-job docker: - - image: cimg/rust:1.71.1 - resource_class: 2xlarge - steps: - - run_serial: - workspace_member: node/consensus - cache_key: snarkos-node-consensus-cache - - node-narwhal: - docker: - - image: cimg/rust:1.71.1 - resource_class: 2xlarge - steps: - - run_serial: - workspace_member: node/narwhal - cache_key: snarkos-node-narwhal-cache - - node-narwhal-events: - docker: - - image: cimg/rust:1.71.1 - resource_class: 2xlarge - steps: - - run_serial: - workspace_member: node/narwhal/events - cache_key: snarkos-node-narwhal-events-cache - - node-narwhal-ledger-service: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/narwhal/ledger-service - cache_key: snarkos-node-narwhal-ledger-service-cache - - node-rest: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/rest - cache_key: snarkos-node-rest-cache - - node-router: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/router - cache_key: snarkos-node-router-cache - - node-router-messages: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/router/messages - cache_key: snarkos-node-router-messages-cache - - node-sync: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/sync - cache_key: snarkos-node-sync-cache - - node-sync-communication-service: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/sync/communication-service - cache_key: snarkos-node-sync-communication-service-cache - - node-sync-locators: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - 
steps: - - run_serial: - workspace_member: node/sync/locators - cache_key: snarkos-node-sync-locators-cache - - node-tcp: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - run_serial: - workspace_member: node/tcp - cache_key: snarkos-node-tcp-cache - - check-fmt: - docker: - - image: cimg/rust:1.71.1 - resource_class: xlarge - steps: - - checkout - - install_rust_nightly - - setup_environment: - cache_key: snarkos-fmt-cache - - run: - name: Check style - no_output_timeout: 35m - command: cargo +nightly fmt --all -- --check - - clear_environment: - cache_key: snarkos-fmt-cache - - check-clippy: - docker: - - image: cimg/rust:1.71.1 - resource_class: 2xlarge + - image: cimg/base:stable + # Add steps to the job + # See: https://circleci.com/docs/configuration-reference/#steps steps: - checkout - - setup_environment: - cache_key: snarkos-clippy-cache - run: - name: Check lint - no_output_timeout: 35m - command: | - cargo clippy --workspace --all-targets -- -D warnings - cargo clippy --workspace --all-targets --all-features -- -D warnings - - clear_environment: - cache_key: snarkos-clippy-cache - - verify-windows: - executor: - name: windows/default - size: xlarge - environment: - CARGO_NET_GIT_FETCH_WITH_CLI: "true" - parameters: - workspace_member: - type: string - steps: - - check_windows: - workspace_member: << parameters.workspace_member >> + name: "Say hello" + command: "echo Hello, World!" 
+# Orchestrate jobs using workflows +# See: https://circleci.com/docs/configuration-reference/#workflows workflows: - version: 2 - - main-workflow: - jobs: - - snarkos - - account - - cli - - display - - node - - node-cdn - - node-consensus - - node-narwhal - - node-narwhal-events - - node-narwhal-ledger-service - - node-rest - - node-router - - node-router-messages - - node-sync - - node-sync-communication-service - - node-sync-locators - - node-tcp - - check-fmt - - check-clippy - - windows-workflow: - jobs: - - verify-windows: - matrix: - parameters: - workspace_member: [ - account, - cli, - display, - node - ] - - scheduled-workflow: - triggers: - - schedule: - cron: "0 0,12 * * *" - filters: - branches: - only: - - testnet3 + say-hello-workflow: jobs: - - integration + - say-hello diff --git a/.github/workflows/apisec-scan.yml b/.github/workflows/apisec-scan.yml new file mode 100644 index 0000000000..d5c756f5c7 --- /dev/null +++ b/.github/workflows/apisec-scan.yml 
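Review bot: The new `say-hello` job only runs `echo Hello, World!`, so after this hunk CircleCI no longer builds, tests, lints or format-checks the cargo workspace, and no job of the removed `main-workflow`, `windows-workflow` or `scheduled-workflow` has an equivalent elsewhere in this commit (the added CodeQL and APIsec workflows do not run `cargo test` either). Unless dropping CI gating for pull requests is intended, keep at least one real job, for example `- image: cimg/rust:1.71.1` with `command: cargo test --workspace`, or restore the previous job set. The hunk replaces the entire file, so there is no surviving definition to fall back on.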
@@ -0,0 +1,85 @@ +This workflow uses actions +that are not certified by GitHub. +They are provided by a third-party +and are governed by + separate terms of service + privacy policy and support + + ** documentation ** + APIsec addresses the critical + need to secure APIs before they + reach production APIsec provides the + industry’s only automated and continuous + API testing platform that uncovers security + vulnerabilities and logic flaws in APIs +Clients rely on APIsec to evaluate every +update and release +ensuring that no APIs go to production with vulnerabilities +How to Get Started with APIsec.ai +1. Schedule a demo at +("https://www.apisec.ai/request-a-demo) +2. Register your account at +("https://cloud.apisec.ai/#/signup) +3. Register your API See the video +("https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +4. Get GitHub Actions scan attributes +from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +apisec-run-scan +This action triggers the on-demand +scans for projects registered in APIsec +If your GitHub account allows code +scanning alerts +you can then upload the sarif file generated +by this action to show the scan findings + Else you can view the scan results from + the project home page in APIsec Platform + The link to view the scan results is also + displayed on the console on successful + completion of action + +This is a starter workflow +to help you get started with +APIsec-Scan Actions + +name:APIsec + +Controls when the workflowwill run +//Triggers the workflow on push or pull request events but only for the "testnet3" branch,Customize trigger events based on your DevSecOps processes. 
+ push:[ "testnet3" ] + branches:[ "testnet3" ] + schedule: every Tuesday + Allows you to run this workflow manually + from the Actions tab + + workflow_dispatch: + + +permissions: + contents: read + +jobs: + + Trigger_APIsec_scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea + with: + # The APIsec username with which the scans will be executed + apisec-username: + ${{ apetree100122 }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: + ${{ v=MK3Xo9Dbvac}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + - name: Import results + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./apisec-results.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..cfe9469790 --- /dev/null +++ b/.github/workflows/codeql.yml 
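Review bot: The `apisec-username` and `apisec-password` inputs are written as `${{ apetree100122 }}` and `${{ v=MK3Xo9Dbvac}}`, which are not `secrets.*` context references; the expressions cannot resolve to the intended credential, and any literal credential placed in a workflow file would be committed to the repository, so these should read `apisec-username: ${{ secrets.APISEC_USERNAME }}` and `apisec-password: ${{ secrets.APISEC_PASSWORD }}`. Independently, the file is not a loadable workflow: the introductory text before `name:APIsec` has no `#` comment markers, `name:APIsec` lacks the space after the colon, `push:[ "testnet3" ]` and `branches:[ "testnet3" ]` are not nested under an `on:` key, and `schedule: every Tuesday` is prose where a `- cron:` entry is required. `apisec-project: "VAmPI"` also appears to name a demo project rather than this repository, which is worth confirming before the scan is wired in.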
@@ -0,0 +1,82 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "testnet3" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "testnet3" ]
+ schedule:
+ - cron: '22 19 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ ]
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ # ℹ️ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/Codecov.yaml b/Codecov.yaml
new file mode 100644
index 0000000000..e420c7d44d
--- /dev/null
+++ b/Codecov.yaml
@@ -0,0 +1,4 @@
+- name: Upload coverage reports to Codecov
+ uses: codecov/codecov-action@v3
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..034e848032
--- /dev/null
+++ b/SECURITY.md
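Review bot: `language: [ ]` leaves the `analyze` matrix empty, so the job expands to zero instances and no CodeQL scan ever runs on `testnet3`, on pull requests or on the `22 19 * * 6` schedule; the workflow is a silent no-op rather than a scanning control. The supported-language list in the comment just below it does not include Rust, and the removed CircleCI config shows this is a cargo workspace, so there may be no valid value to put there; if so the workflow should be dropped instead of left in place, and if a supported language is present it should be listed explicitly, e.g. `language: [ 'javascript-typescript' ]`.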
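Review bot: `Codecov.yaml` is a bare step sequence (`- name: Upload coverage reports to Codecov` / `uses: codecov/codecov-action@v3`), not a workflow with `on:` and `jobs:`, and it sits at the repository root rather than under `.github/workflows/`, so GitHub will never execute it. Nothing else in this commit produces a coverage report, so even inside a job the upload step would have nothing to send. Move the step into a workflow job that runs after a coverage-generating step, and keep `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}` as the token source.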
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.