From dd61982047cc4e6b5927d7c606807512e2dfed98 Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 10:24:23 -0300 Subject: [PATCH 1/5] Add dependabot configuration Add dependency-review workflow Add scorecard workflow --- .github/dependabot.yml | 13 +++++++ .github/workflows/dependency-review.yml | 20 +++++++++++ .github/workflows/scorecard.yml | 47 +++++++++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..9b28445ce0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ # Maintain dependencies for Docker
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
\ No newline at end of file
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000000..e513e55f8e
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,20 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions: read-all
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+ with:
+ fail-on-severity: high
+ comment-summary-in-pr: true
\ No newline at end of file
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000000..d357502f8f
--- /dev/null
+++ b/.github/workflows/scorecard.yml
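Review bot: The new dependabot.yml only watches `github-actions` and `docker`, so the project's own build dependencies are left unmonitored even though the CI in this series builds with `./gradlew` under `rskj-core`. A `gradle` ecosystem entry would put library updates and their advisories on the same daily cadence as the actions and base images. I am assuming the root build script sits at the repository root where the wrapper is invoked; adjust `directory` if it does not. Both new files also end without a trailing newline (`\ No newline at end of file`), which is a nit worth fixing while the files are fresh.
```yaml
updates:
  # … unchanged: github-actions and docker entries …
  # Maintain dependencies for Gradle (build scripts and wrapper)
  - package-ecosystem: gradle
    directory: /
    schedule:
      interval: daily
```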
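Review bot: The `Checkout Repository` step in the new dependency-review job runs `actions/checkout` with its default `persist-credentials`, so a GITHUB_TOKEN carrying `pull-requests: write` is left in `.git/config` for the rest of the job, while the scorecard.yml added in this same commit explicitly disables that with `persist-credentials: false`. The dependency-review action itself does not need the checked-out tree's credentials, so the two workflows should be consistent; add `with:` and `persist-credentials: false` under the checkout step. The job-level `permissions` block is a full override of the workflow's `read-all`, so `contents: read` being listed explicitly is correct and should stay.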
@@ -0,0 +1,47 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '33 2 * * 2'
+ push:
+ branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+ with:
+ sarif_file: results.sarif
From 7564682857c2dbc2469a4079378ba4e13e360437 Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 12:33:49 -0300 Subject: [PATCH 2/5] Pin dependencies Bump actions --- .github/workflows/build_and_test.yml | 54 ++++++++++++++-------------- .github/workflows/codeql.yml | 10 +++--- .github/workflows/docker.yml | 8 ++--- .github/workflows/rit.yml | 2 +- Dockerfile | 4 +-- 5 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 7dfcd15668..3847327638 100644
--- a/.github/workflows/build_and_test.yml
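Review bot: The SHA-pin version comments in this hunk are written in two forms, `#v4.2.1` / `#v4.4.3` on the checkout and upload-artifact steps and `# v2.4.0` / `# v3.26.12` on the scorecard and upload-sarif steps; the same `#vX.Y.Z` form recurs in the build_and_test.yml, codeql.yml and docker.yml hunks of the next commit. As far as I know Dependabot only rewrites the trailing version comment when it recognizes it, and its documented form is `# vX.Y.Z`, so a comment it does not recognize goes stale while the SHA advances, which defeats the point of keeping it. Pick the `# vX.Y.Z` form everywhere so the human-readable version and the pinned commit cannot drift apart.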
+++ b/.github/workflows/build_and_test.yml @@ -14,10 +14,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' @@ -28,7 +28,7 @@ jobs: curl -sSL https://secchannel.rsk.co/SUPPORT.asc | gpg2 --import - gpg2 --verify SHA256SUMS.asc && sha256sum --check SHA256SUMS.asc - - uses: actions/cache@v4 + - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Cache Gradle Wrapper id: cache-gradle-wrapper with: @@ -46,7 +46,7 @@ jobs: ./gradlew --no-daemon --stacktrace build -x test - name: Archive build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: build-files path: | @@ -56,18 +56,18 @@ jobs: needs: unit-tests-java17 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 with: fetch-depth: 0 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | 
@@ -76,21 +76,21 @@ jobs: fail-on-cache-miss: true - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: build-files path: | rskj-core/build - name: Download test results - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: test-results path: | rskj-core/build/test-results/ - name: Download test reports - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: test-reports path: | @@ -153,17 +153,17 @@ jobs: options: --name bitcoind2 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4 with: node-version: '12.x' - name: Check Node.js version run: node --version - name: Checkout Mining Integration Tests Repository - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 with: repository: rsksmart/mining-integration-tests ref: ${{ secrets.MINING_INTEGRATION_TESTS_REF }} @@ -186,13 +186,13 @@ jobs: node --unhandled-rejections=strict generateBtcBlocks.js - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | @@ -201,7 +201,7 @@ jobs: fail-on-cache-miss: true - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: build-files path: | 
@@ -236,16 +236,16 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | @@ -258,14 +258,14 @@ jobs: ./gradlew --no-daemon --stacktrace test - name: Persist test results for sonar - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: test-results path: | rskj-core/build/test-results/ - name: Persist test reports for sonar - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: test-reports path: | @@ -275,16 +275,16 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '21' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | 
@@ -300,16 +300,16 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 637f0af13e..bf2f5d53d2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,11 +24,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java JDK if: ${{ matrix.language == 'java' }} - uses: actions/setup-java@v3 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' @@ -38,15 +38,15 @@ jobs: run: ./configure.sh - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 with: languages: ${{ matrix.language }} queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index a05727d7ed..e340db36d0 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
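Review bot: In the codeql.yml `@@ -38,15` hunk the three `github/codeql-action/*` steps move from the floating `@v3` to `083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13`, which is a major-version downgrade dressed as a pin rather than the "Bump actions" the subject describes. Patch 4/5 in this series corrects them to `f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13`, so the v2 pin exists only between the two commits; squashing that fix into this one would keep the downgrade out of the history and avoid any intermediate run against the older analyzer. The same hunk also moves checkout and setup-java from `@v3` to v4 releases, which is a real upgrade and deserves a line in the commit message.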
@@ -13,11 +13,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Docker meta id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1 with: images: rsksmart/rskj tags: | @@ -28,13 +28,13 @@ jobs: type=match,pattern=(\w+-\d+)\.\d+\.\d+.*,group=1 - name: DockerHub login - uses: docker/login-action@v2 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 #v6.9.0 with: context: . push: true diff --git a/.github/workflows/rit.yml b/.github/workflows/rit.yml index 487767549f..0b7d1d88c2 100644 --- a/.github/workflows/rit.yml +++ b/.github/workflows/rit.yml @@ -24,7 +24,7 @@ jobs: timeout-minutes: 60 steps: - name: Checkout Repository # Step needed to access the PR description using github CLI - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Set Branch Variables id: set-branch-variables diff --git a/Dockerfile b/Dockerfile index 8d75e05395..7a04f37d8e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM eclipse-temurin:17-jdk AS build +FROM eclipse-temurin:17-jdk@sha256:08295ab0f5007a37cbcc6679a8447a7278d9403f9f82acd80ed08cd10921e026 AS build RUN apt-get update -y && \ apt-get install -y git curl gnupg 
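Review bot: In the second docker.yml hunk `docker/build-push-action` jumps from `@v3` straight to `4f58ea79222b3b9dc2c8bbdd6debcef730109a75 #v6.9.0`, and as I recall the v4 release in between switched provenance attestations on by default, which changes what gets pushed for a tag from a plain image manifest to an OCI index with an attached attestation manifest. Some registries and consumers handled that differently from the previous layout, so a pin commit that crosses two major versions should state whether the published `rsksmart/rskj` manifest shape is allowed to change and verify one pushed tag after merge. If it must stay as it was, set the action's `provenance` input explicitly under the existing `with:` block rather than relying on the new default; `docker/metadata-action` and `docker/login-action` in the same file also cross a major version each.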
@@ -19,7 +19,7 @@ RUN gpg --keyserver https://secchannel.rsk.co/SUPPORT.asc --recv-keys 1DC9157991 modifier=$(sed -n 's/^modifier=//p' "$file" | tr -d "\"'") && \ cp "rskj-core/build/libs/rskj-core-$version_number-$modifier-all.jar" rsk.jar -FROM eclipse-temurin:17-jre +FROM eclipse-temurin:17-jre@sha256:f1515395c0695910a3ca665e973cc11013d1f50d265e61cb8c9156e999d914b4 LABEL org.opencontainers.image.authors="ops@iovlabs.org" RUN useradd -ms /sbin/nologin -d /var/lib/rsk rsk From 9d7fb7e2974f44136d880272b699e10c1fc85786 Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 13:22:24 -0300 Subject: [PATCH 3/5] Fix workflows permissions --- .github/workflows/build_and_test.yml | 3 +++ .github/workflows/codeql.yml | 5 +++-- .github/workflows/docker.yml | 3 +++ .github/workflows/rit.yml | 3 +++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index 3847327638..a40d4e4690 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -10,6 +10,9 @@ on: branches: - "**" +# Declare default permissions as read only. +permissions: read-all + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bf2f5d53d2..9f17a02c85 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,13 +8,14 @@ on: schedule: - cron: "0 0 * * *" +# Declare default permissions as read only. +permissions: read-all + jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: - actions: read - contents: read security-events: write strategy: diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index e340db36d0..24642b3453 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,6 +7,9 @@ on: tags: - '*' +# Declare default permissions as read only. +permissions: read-all + jobs: docker: runs-on: ubuntu-20.04 
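Review bot: In the codeql.yml `@@ -8,13 +8,14` hunk, deleting `actions: read` and `contents: read` from the `analyze` job does not fall back to the new workflow-level `permissions: read-all`: a job-level `permissions` block replaces the workflow default in full, and every scope not listed becomes `none`, so the job now runs with `contents: none` and `actions: none`. On a public repository checkout and analysis still succeed (the scorecard.yml template in this series relies on the same behaviour), but the job would break on a private fork, and as I recall GitHub's CodeQL starter workflow lists all three scopes explicitly. I would keep the job block as `actions: read`, `contents: read`, `security-events: write`; the other three hunks in this commit only add the workflow-level default and look fine.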
diff --git a/.github/workflows/rit.yml b/.github/workflows/rit.yml index 0b7d1d88c2..98e6c8dfb7 100644 --- a/.github/workflows/rit.yml +++ b/.github/workflows/rit.yml @@ -17,6 +17,9 @@ on: required: false default: 'master' +# Declare default permissions as read only. +permissions: read-all + jobs: rootstock-integration-tests: name: Rootstock Integration Tests From e92e40913babe4d187e8da26f0e877cce96023d8 Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 14:55:54 -0300 Subject: [PATCH 4/5] Upgrade codeql actions version --- .github/workflows/codeql.yml | 6 +++--- Dockerfile | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9f17a02c85..5fefc04bd2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,15 +39,15 @@ jobs: run: ./configure.sh - name: Initialize CodeQL - uses: github/codeql-action/init@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 + uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 with: languages: ${{ matrix.language }} queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 + uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 + uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 with: category: "/language:${{ matrix.language }}" diff --git a/Dockerfile b/Dockerfile index 7a04f37d8e..729d3c76a4 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -20,7 +20,7 @@ RUN gpg --keyserver https://secchannel.rsk.co/SUPPORT.asc --recv-keys 1DC9157991 cp "rskj-core/build/libs/rskj-core-$version_number-$modifier-all.jar" rsk.jar FROM eclipse-temurin:17-jre@sha256:f1515395c0695910a3ca665e973cc11013d1f50d265e61cb8c9156e999d914b4 -LABEL org.opencontainers.image.authors="ops@iovlabs.org" +LABEL org.opencontainers.image.authors="ops@rootstocklabs.com"" RUN useradd -ms /sbin/nologin -d /var/lib/rsk rsk USER rsk From 611613e46fe6bccb7ef1271ceef904caa9cb2fdc Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 14:58:54 -0300 Subject: [PATCH 5/5] Add scorecard badge --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9888c7efdd..a671b8378e 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ [![Rootstock Integration Tests](https://github.com/rsksmart/rskj/actions/workflows/rit.yml/badge.svg)](https://github.com/rsksmart/rskj/actions/workflows/rit.yml) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=rskj&metric=alert_status)](https://sonarcloud.io/dashboard?id=rskj) [![CodeQL](https://github.com/rsksmart/rskj/workflows/CodeQL/badge.svg)](https://github.com/rsksmart/rskj/actions?query=workflow%3ACodeQL) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rsksmart/rskj/badge)](https://scorecard.dev/viewer/?uri=github.com/rsksmart/rskj) # About RskJ is a Java implementation of the Rootstock node. For more information about Rootstock, visit [rootstock.io](https://rootstock.io/). The [Rootstock white paper](https://rootstock.io/rsk-white-paper-updated.pdf) provides a complete conceptual overview of the platform.
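Review bot: The added line `LABEL org.opencontainers.image.authors="ops@rootstocklabs.com""` ends with a doubled closing quote where the removed line had a single one. Unless that is an artifact of this listing, the Dockerfile parser will either reject the instruction or carry a stray `"` into the label value, so the line should read `LABEL org.opencontainers.image.authors="ops@rootstocklabs.com"`. The change is also unrelated to the commit subject ("Upgrade codeql actions version"), which makes it easy to overlook in review; a separate commit, or a mention in the message, would help.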